pam_sss: PAM_USER_UNKNOWN if socket is missing
If SSSD used without explicit configuration in the files-only mode and
pam_sss is also used in the PAM configuration, as e.g. in recent Fedora
systems, users handled by other NSS modules might get an 'Access Denied'
when trying to log in.
The culprit is the line like
account [default=bad success=ok user_unknown=ignore] pam_sss.so
in the PAM configuration which can only grant access if pam_sss.so
returns PAM_SUCCESS or PAM_USER_UNKNOWN. Even PAM_IGNORE causes a
rejection because of 'default=bad'.
Of the PAM responder is running PAM_USER_UNKNOWN is returned for users
from other NSS modules. With this patch PAM_USER_UNKNOWN is returned as
well during the 'account' step if the PAM responder socket is not
available.
Related to https://pagure.io/SSSD/sssd/issue/3988
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>