#58 pam_sss behaves improperly when SSSD is not running
Closed: Invalid. Opened 14 years ago by sgallagh.

PAM does not allow user access to non-SSSD users when the sssd service is not running.

I used the following configuration in /etc/pam.d/system-auth:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_sss.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     required      pam_sss.so

I disabled the sssd service (service sssd stop).

I then attempted to shell into the machine using SSH and a local files-backed user account (user was provided by /etc/passwd and /etc/shadow).

The password was accepted, but the user was not permitted to connect. The following error appeared in /var/log/secure:

Jun 15 15:47:27 localhost sshd[2055]: pam_sss(sshd:account): Request to sssd failed.
Jun 15 15:47:27 localhost sshd[2056]: fatal: Access denied for user sgallagh by PAM account configuration
Jun 15 15:47:27 localhost sshd[2055]: Failed password for sgallagh from 192.168.122.1 port 50169 ssh2

Tested with Fedora 11 RPM: sssd-0.4.1-1.fc11.x86_64


Fields changed

description: Add sss to nsswitch.conf
Add pam_sss.so to pam.d/system-auth

Verify that both return appropriate responses when SSSD is not running.

For NSS, this means that it should skip over sss and check the next service in the list.

For PAM, it should return PASS if SSSD is not running. (While this seems counter-intuitive, if it returns failure, no auth will succeed) => (current description, as above)
owner: sgallagh => sbose
priority: major => blocker
summary: Verify that nss_sss and pam_sss behave properly when SSSD is not running => pam_sss behaves improperly when SSSD is not running

Steve,
if you set pam_sss as required, this outcome is normal.
pam_sss can be ignored by the PAM stack only if it is just "sufficient".

I agree with Simo. I have also done the following test:

  • enable LDAP authentication in authtool
  • s/pam_ldap/pam_sss/ in system-auth-ac

For me everything is working fine without delay.

I have looked at pam_ldap source code. It returns PAM_SERVICE_ERR if the LDAP server is not available. pam_sss currently returns PAM_SYSTEM_ERR if the sssd socket is not available. Shall I change this?

My configuration was incorrect, as simo implied above.

However, I think the correct configuration should be

account sufficient pam_unix.so
account sufficient pam_sss.so

Changing just one or the other would likely lead to incorrect results. I will update the HOWTO on the wiki.

resolution: => invalid
status: new => closed

sbose and I discussed this on IRC, and we came up with the following approach:
Only the pam_unix.so should be "sufficient", pam_sss.so needs to be "required", but we will also need "broken_shadow" on the pam_unix.so entry. I have updated the HOWTO on the wiki, and I'm including the final layout below (mostly for convenience for https://bugzilla.redhat.com/show_bug.cgi?id=239055 which is monitoring this bug).

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_sss.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_sss.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    sufficient    pam_sss.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     required      pam_sss.so

fixedin: => Doc

Sorry, I mistyped that above. The included example is correct, pam_sss.so should be "sufficient", pam_unix.so should be "required".
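
To see why the two account stacks in this thread behave differently, here is an added worked example (not code from the ticket, from SSSD or from Linux-PAM): a small Python model of Linux-PAM's stack dispatch, run over the reporter's original account stack and the final layout above. Its module behaviours are assumptions of the model: pam_sss.so returns PAM_SYSTEM_ERR when the sssd socket is unavailable (as sbose states above), pam_unix.so's account check is taken to fail with PAM_AUTHINFO_UNAVAIL for a user without a local shadow entry unless broken_shadow is set, pam_sss.so is taken to return PAM_USER_UNKNOWN for users it does not know, and the users sgallagh (uid 500, local) and ldapuser (uid 10001, sssd-only) are constructed.

```python
# Model of Linux-PAM stack dispatch, run over this ticket's two 'account' stacks.
# Constructed example: module behaviours are assumptions, not SSSD or Linux-PAM code.
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 4, 6, 7
PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_IGNORE = 9, 10, 25
RETVAL_NAMES = {0: "success", 4: "system_err", 6: "perm_denied", 7: "auth_err",
                9: "authinfo_unavail", 10: "user_unknown", 25: "ignore"}

# Keyword controls as Linux-PAM expands them into [retval=action] tables.
OK, DONE, BAD, DIE, IGNORE = "ok", "done", "bad", "die", "ignore"
KEYWORDS = {"required":   {"success": OK,   "ignore": IGNORE, "default": BAD},
            "requisite":  {"success": OK,   "ignore": IGNORE, "default": DIE},
            "sufficient": {"success": DONE, "ignore": IGNORE, "default": IGNORE},
            "optional":   {"success": OK,   "ignore": IGNORE, "default": IGNORE}}

# The reporter's account stack, as quoted in the ticket.
ORIGINAL_ACCOUNT = """
account     required      pam_unix.so
account     required      pam_sss.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
"""
# The final layout: pam_unix.so gains broken_shadow, pam_sss.so becomes sufficient.
FIXED_ACCOUNT = (ORIGINAL_ACCOUNT
                 .replace("pam_unix.so", "pam_unix.so broken_shadow")
                 .replace("required      pam_sss.so", "sufficient    pam_sss.so"))
# Constructed users: one from /etc/passwd, one known only to sssd (uids assumed).
LOCAL_USERS, SSSD_USERS = {"sgallagh": 500}, {"ldapuser": 10001}

def parse_control(token):
    # 'required' or '[success=1 default=ignore]' -> {retval_name: action}
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return KEYWORDS[token]

def parse_stack(config, group):
    # Entries of one management group as (actions, module, args) tuples.
    entries = []
    for fields in (line.split() for line in config.splitlines()):
        if not fields or fields[0] != group:
            continue
        if fields[1].startswith("["):  # a bracketed control may contain spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        entries.append((parse_control(control), rest[0], rest[1:]))
    return entries

def run_stack(entries, modules, ctx):
    # As in pam_dispatch.c: the first negative verdict sticks, 'done' ends the
    # stack only while the impression is positive; [success=N] is ok plus a skip.
    impression, status, skip = None, PAM_PERM_DENIED, 0
    for actions, module, args in entries:
        if skip:
            skip -= 1
            continue
        retval = modules[module](ctx, args)
        action = actions.get(RETVAL_NAMES[retval], actions.get("default", BAD))
        if action.isdigit():
            skip, action = int(action), OK
        if action in (OK, DONE):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if action == DONE and impression == "positive":
                break
        elif action in (BAD, DIE):
            if impression != "negative":
                impression, status = "negative", retval
            if action == DIE:
                break
    return PAM_PERM_DENIED if impression is None else status

def pam_unix_account(ctx, args):
    # Assumed: a remote user has no /etc/shadow entry, tolerated only with broken_shadow.
    if ctx["user"] not in LOCAL_USERS and ctx["user"] not in SSSD_USERS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if ctx["user"] in LOCAL_USERS or "broken_shadow" in args else PAM_AUTHINFO_UNAVAIL
def pam_sss_account(ctx, args):
    if not ctx["sssd_running"]:
        return PAM_SYSTEM_ERR  # stated in the thread: the sssd socket is unavailable
    return PAM_SUCCESS if ctx["user"] in SSSD_USERS else PAM_USER_UNKNOWN  # assumed
def pam_succeed_if(ctx, args):
    # Only the 'uid < N' / 'uid >= N' tests that this ticket's config uses.
    uid, op, limit = {**LOCAL_USERS, **SSSD_USERS}[ctx["user"]], args[1], int(args[2])
    return PAM_SUCCESS if {"<": uid < limit, ">=": uid >= limit}[op] else PAM_AUTH_ERR

MODULES = {"pam_unix.so": pam_unix_account, "pam_sss.so": pam_sss_account,
           "pam_succeed_if.so": pam_succeed_if, "pam_permit.so": lambda ctx, args: PAM_SUCCESS,
           "pam_localuser.so": lambda ctx, args: PAM_SUCCESS if ctx["user"] in LOCAL_USERS else PAM_PERM_DENIED}

def account_decision(config, user, sssd_running):
    return run_stack(parse_stack(config, "account"), MODULES,
                     {"user": user, "sssd_running": sssd_running})

if __name__ == "__main__":
    cases = (("original", ORIGINAL_ACCOUNT, "sgallagh", False), ("fixed", FIXED_ACCOUNT, "sgallagh", False),
             ("fixed", FIXED_ACCOUNT, "ldapuser", True), ("fixed", FIXED_ACCOUNT, "ldapuser", False))
    for name, cfg, user, up in cases:
        print(f"{name:8} {user:9} sssd {'up' if up else 'down':4} -> {RETVAL_NAMES[account_decision(cfg, user, up)]}")
```

Run stand-alone, it prints one line per scenario. The reporter's stack yields system_err for a local user with sssd stopped, which is the "Access denied ... by PAM account configuration" case above: a failing required module fixes the stack's verdict even though pam_localuser.so succeeds afterwards. The final layout passes that case through pam_localuser.so. The last scenario is the caveat worth keeping in mind: in this model the account phase also passes for an sssd-only user while sssd is down, since its only required modules are pam_unix.so (satisfied via broken_shadow) and pam_permit.so; what keeps such a user out then is the auth phase, where pam_sss.so fails, pam_unix.so has no local hash to verify, and pam_deny.so closes the stack.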

Fields changed

rhbz: => 0

Metadata Update from @sgallagh:
- Issue assigned to sbose
- Issue set to the milestone: Iteration 5

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1100

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
