#2530 MAN: Document that only usernames are checked for pam_trusted_uids
Closed: Fixed None Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1173482

Description of problem:

The man page suggests "if there is a user name in pam_trusted_users list which
fails to be resolved it will cause that SSSD will not be started." When an
unresolved username is assigned to pam_trusted_users, as expected SSSD service
fails to start which means the userid for trusted user should exist for SSSD
service to function. Now, when a non-existent id is directly assigned to
pam_trusted_users, SSSD service works fine. I think using a non-existing userid
is similar to using an unresolved user. So, SSSD should either verify the
existence of userid before startup OR man page should be updated accordingly.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Assign any numeric id which doesn't exist in local system or your ldap
server to pam_trusted_users.

2. Start sssd service

Actual results:
SSSD Service starts successfully.

Expected results:
Service should fail to start OR man page to be updated accordingly.

Additional info:

Required by downstream, moving to 1.12.3. Just the man page will be fixed.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD 1.12.3
owner: somebody => jhrozek
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

Fields changed

summary: pam_sss domains option: SSSD service should fail to start when pam_trusted_users = non-existing-id => MAN: Document that only usernames are checked for pam_trusted_uids

Fields changed

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.3

2 years ago

Login to comment on this ticket.