#3341 implicit_files domain should not try authentication because /etc/shadow is not supported.

Created 11 days ago by lslebodn
Modified 4 days ago

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1429843

Description of problem:
Update of sssd from 1.15.0-3 to 1.15.0-4 breaks my system (the same applies for
1.15.1). I cannot login anymore using my Kerberos password.


Version-Release number of selected component (if applicable):
$ rpm -q sssd
sssd-1.15.0-4.fc26.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
Can't login using Kerberos password.


Expected results:
I can use Kerberos password.


Additional info:
# cat /etc/sysconfig/authconfig
CACHECREDENTIALS=yes
FORCELEGACY=no
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USEECRYPTFS=no
USEFPRINTD=yes
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=yes
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=no
USESSSD=yes
USESSSDAUTH=yes
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no

# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:
shadow:
group:

#hosts:     db files nisplus nis dns
hosts:      files nis dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files nis sss

publickey:  nisplus

automount:  files nis sss
aliases:    files nisplus

# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass
use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
11 days ago

Metadata Update from @lslebodn:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1429843

11 days ago

Metadata Update from @lslebodn:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1429843

4 days ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4

we just document the expectations

Login to comment on this ticket.

https://bugzilla.redhat.com/show_bug.cgi?id=1429843

cancel