#2691 GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
Closed: Fixed None Opened 3 years ago by lslebodn.

It's reproducible with the test for ticket #2060
Cached credentials aren't working with sssd-ad UPN logins

Reproducer:

  • enable gpo enforcing mode
  • create user in AD (without any GPO rules) and
  • authenticate whilst connected to the network
  • disconnect network cable (add iptables rules)
  • authenticate one more time.

The first authentication failed but the second works.


Marking as blocker because I would like to backport 1.13 to fedora 22 with GPO in enforcing mode.

priority: major => blocker
version: 1.12.5 => 1.13 Alpha

Domain log file with pam system error
domain.log

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13

Fields changed

milestone: SSSD 1.13.2 => SSSD 1.13.1
owner: somebody => lslebodn

Fields changed

owner: lslebodn =>

Replying to [ticket:2691 lslebodn]:

The first authentication failed but the second works.

Please rephrase this; it's extremely ambiguous. Does this mean:

  • "Authenticating while connected to the network returned PAM_SYSTEM_ERROR, but the offline credentials returned the expected result"
  • "Authenticating while connected to the network returned denied appropriately, but offline credentials allowed the user in"

cc: => sgallagh

IIRC the second attempt worked because sss was already in offline mode. I do not remember exactly. But there is an attached log file.

The most important thing in the reproducer is "create user in AD (without any GPO rules)". So the user should be able to authenticate.

Fields changed

owner: => sgallagh
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

rhbz: => todo

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: todo => 0

Metadata Update from @lslebodn:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.13.1

2 years ago
