Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1815584
Description of problem:

The sssd.conf(5) says:

    pwfield (string)
        The value that NSS operations that return users or groups will return for the “password” field.
        This option can also be set per-domain.
        Default: “*” (remote domains) or “x” (the files domain)

However, for users returned via proxy files id_provider, * is returned. That in turn breaks PAM authentication.

Version-Release number of selected component (if applicable):
sssd-2.2.3-20.el8.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have system without SSSD configured and started.
2. Set password for user test: passwd test
3. Test that PAM authentication of user test works: echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate
   If you don't like to use pamtester from EPEL, just use ssh test@localhost.
4. getent passwd test, check that the output is test:x:1000:1000::/home/test:/bin/bash
5. Configure SSSD, create /etc/sssd/sssd.conf with:

       [sssd]
       domains = PROXY_PROXY
       services = nss

       [domain/PROXY_PROXY]
       id_provider = proxy
       proxy_lib_name = files
       proxy_pam_target = sssd-shadowutils

6. chmod 600 /etc/sssd/sssd.conf or SSSD refuses to start.
7. systemctl restart sssd
8. getent passwd test
9. echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate

Actual results:

    test:*:1000:1000::/home/test:/bin/bash
    Password: pamtester: Authentication failure

Expected results:

    test:x:1000:1000::/home/test:/bin/bash
    Password: pamtester: successfully authenticated

Additional info:
It is possible to force the expected behaviour by adding line pwfield = x to the [domain/...] section. But SSSD should obey what it says in the man page, and it should not as easily break PAM authentication of unrelated services.
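Steps 4 and 8 of the report compare the passwd "password" field by eye. The following is an added example, not part of the ticket or of SSSD, that does the same comparison over two saved `getent passwd` outputs; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose passwd "password" field (field 2)
# changes between two captures in passwd(5) format, for instance the output
# of `getent passwd test` saved before and after SSSD was started.

# pwfield_diff BEFORE AFTER
#   Prints "user before-field after-field" for each user present in both
#   files whose field 2 differs. Returns 1 if any differ, 0 otherwise.
pwfield_diff() {
    awk -F: '
        NR == FNR { before[$1] = $2; next }   # first file: remember field 2
        ($1 in before) && before[$1] != $2 {  # second file: compare
            printf "%s %s %s\n", $1, before[$1], $2
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample modelled on the two getent lines quoted in the ticket.
pwfield_demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'test:x:1000:1000::/home/test:/bin/bash' > "$tmp/before"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'test:*:1000:1000::/home/test:/bin/bash' > "$tmp/after"
    pwfield_diff "$tmp/before" "$tmp/after" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

A non-zero return with a line such as `test x *` means the field changed for that account, which is the condition the report ties to the failing `sssd-shadowutils` authentication.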
Metadata Update from @pbrezina: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1815584
Metadata Update from @pbrezina: - Issue assigned to pbrezina
master
Metadata Update from @pbrezina: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/5129
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.