#2501 pam_sss domains option: Untrusted users from the same domain are allowed to auth.
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166727

Description of problem:
SSSD should allow only the user's listed in pam_trusted_users to authenticate,
when pam_public_domains = none. This way other users from the same domain
become untrusted users who shouldn't be allowed to auth. However, untrusted
users from the same domain are also allowed to authenticate.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup openldap server and add two users, user1 & user2.
2. Configure sssd as given below:

config_file_version = 2
domains = LDAP
services = nss, pam
sbus_timeout = 30

debug_level = 0xFFF0
pam_trusted_users = user1
pam_public_domains = none

id_provider = ldap
auth_provider = ldap
debug_level = 5
cache_credentials = FALSE
ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/openldap/certs/server.pem
ldap_search_base = dc=example,dc=com

3. Setup auth section of /etc/pam.d/password-auth-ac as given below:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass domains=LDAP
auth        required      pam_deny.so

4. Execute authentication for both users, user1 and user2.

Actual results:

1. Auth succeeds for both the users.

Expected results:

1. Authentication should succeed for user1.

2. Authentication should fail for user2.

Additional info:

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => jhrozek
priority: major => critical
review: True => 0
selected: =>
testsupdated: => 0

Downstream needs this fix.

milestone: NEEDS_TRIAGE => SSSD 1.12.3

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.3

2 years ago

Login to comment on this ticket.