#2501 pam_sss domains option: Untrusted users from the same domain are allowed to auth.
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166727

Description of problem:
SSSD should allow only the users listed in pam_trusted_users to authenticate
when pam_public_domains = none. Other users from the same domain then become
untrusted users who should not be allowed to authenticate. However, untrusted
users from the same domain are also allowed to authenticate.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup openldap server and add two users, user1 & user2.
2. Configure sssd as given below:

# sssd.conf section headers restored; the domain section name follows "domains = LDAP"
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam
sbus_timeout = 30

# PAM responder: only user1 is trusted, and no domain is public to untrusted users
[pam]
debug_level = 0xFFF0
pam_trusted_users = user1
pam_public_domains = none

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
debug_level = 5
cache_credentials = FALSE
ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/openldap/certs/server.pem
ldap_search_base = dc=example,dc=com

3. Setup auth section of /etc/pam.d/password-auth-ac as given below:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass domains=LDAP
auth        required      pam_deny.so

4. Execute authentication for both users, user1 and user2.

Actual results:

1. Auth succeeds for both the users.

Expected results:

1. Authentication should succeed for user1.

2. Authentication should fail for user2.
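Added example, not SSSD's own code: a small Python model of the access decision this report expects, i.e. the rule that the pam_sss domains= option is meant to enforce together with pam_trusted_users and pam_public_domains. It assumes that "trusted" refers to the identity running the PAM conversation, that root is always trusted, and that an empty pam_trusted_users means everybody is trusted; it encodes the expected results above (user1 allowed, user2 denied), not the faulty behaviour observed.

```python
from dataclasses import dataclass

ROOT_UID = 0


def parse_list(value):
    """Split a comma-separated sssd.conf value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


@dataclass
class PamPolicy:
    trusted_users: list   # pam_trusted_users: user names or UIDs; empty means "all"
    public_domains: list  # pam_public_domains: domain names, or ["all"] / ["none"]


def is_caller_trusted(policy, caller_name, caller_uid):
    """Assumption: root is always trusted and an empty list trusts everybody."""
    if caller_uid == ROOT_UID or not policy.trusted_users:
        return True
    return caller_name in policy.trusted_users or str(caller_uid) in policy.trusted_users


def is_domain_public(policy, domain):
    """'none' beats everything, then 'all', then an explicit domain match."""
    names = [d.lower() for d in policy.public_domains]
    if "none" in names:
        return False
    if "all" in names:
        return True
    return domain.lower() in names


def expected_auth_decision(policy, caller_name, caller_uid, user_domain, service_domains):
    """True if the PAM responder should let this caller authenticate a user from user_domain."""
    # pam_sss "domains=..." restricts which SSSD domains this PAM service may use at all
    if service_domains and user_domain not in service_domains:
        return False
    # trusted callers may reach any allowed domain; untrusted callers only public ones
    if is_caller_trusted(policy, caller_name, caller_uid):
        return True
    return is_domain_public(policy, user_domain)


# The ticket's configuration: only user1 is trusted, no domain is public,
# and password-auth uses "pam_sss.so ... domains=LDAP".
TICKET_POLICY = PamPolicy(parse_list("user1"), parse_list("none"))
SERVICE_DOMAINS = parse_list("LDAP")


def ticket_expectations():
    """Expected results from the report; UIDs 1001/1002 are constructed sample values."""
    return {
        "user1": expected_auth_decision(TICKET_POLICY, "user1", 1001, "LDAP", SERVICE_DOMAINS),
        "user2": expected_auth_decision(TICKET_POLICY, "user2", 1002, "LDAP", SERVICE_DOMAINS),
    }
```

Running the model against the observed result ("auth succeeds for both") makes the user2 mismatch explicit, which is the check a QA engineer would automate for this fix.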

Additional info:

Fields changed

owner: somebody => jhrozek
priority: major => critical

Downstream needs this fix.

milestone: NEEDS_TRIAGE => SSSD 1.12.3

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3543

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
