lslebodn / SSSD / sssd

Forked from SSSD/sssd 7 years ago

0479c6f pam_sss: PAM_USER_UNKNOWN if socket is missing

4 files. Authored by sbose 5 years ago, committed by jhrozek 5 years ago.
    pam_sss: PAM_USER_UNKNOWN if socket is missing
    
    If SSSD is used without explicit configuration in the files-only mode and
    pam_sss is also used in the PAM configuration, as e.g. in recent Fedora
    systems, users handled by other NSS modules might get an 'Access Denied'
    when trying to log in.
    
    The culprit is the line like
    
        account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    
    in the PAM configuration which can only grant access if pam_sss.so
    returns PAM_SUCCESS or PAM_USER_UNKNOWN. Even PAM_IGNORE causes a
    rejection because of 'default=bad'.
    
    If the PAM responder is running, PAM_USER_UNKNOWN is returned for users
    from other NSS modules. With this patch PAM_USER_UNKNOWN is returned as
    well during the 'account' step if the PAM responder socket is not
    available.
    
    Related to https://pagure.io/SSSD/sssd/issue/3988
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    
        
file modified
+4 -0
file modified
+18 -0
file modified
+13 -3
file modified
+2 -0
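
The control-field behaviour the commit message describes, as an added example (not code from SSSD or Linux-PAM): a small C lookup that resolves which action the quoted `account` line assigns to a given module return value. The function names `resolve_action` and `line_rejects` are hypothetical, and return values are written as their pam.conf(5) token names (`success`, `user_unknown`, `ignore`, ...).

```c
#include <stdio.h>
#include <string.h>

/* Return the action a bracketed PAM control field assigns to one module
 * return value. An explicit "value=action" pair wins; otherwise the
 * "default=" action applies. Returns NULL if the field is malformed or
 * nothing matches. The result points into a static buffer and is only
 * valid until the next call (hypothetical helper, not a libpam API). */
static const char *resolve_action(const char *control, const char *ret)
{
    static char buf[256];
    const char *fallback = NULL;
    size_t n = strlen(control);

    if (n < 2 || control[0] != '[' || control[n - 1] != ']' || n - 2 >= sizeof(buf))
        return NULL;
    memcpy(buf, control + 1, n - 2);   /* copy the text between the brackets */
    buf[n - 2] = '\0';

    for (char *tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL)
            continue;
        *eq = '\0';
        if (strcmp(tok, ret) == 0)
            return eq + 1;             /* explicit entry for this return value */
        if (strcmp(tok, "default") == 0)
            fallback = eq + 1;         /* remembered for unlisted values */
    }
    return fallback;
}

/* 1 if this return value makes the line fail the stack ("bad" or "die"). */
static int line_rejects(const char *control, const char *ret)
{
    const char *action = resolve_action(control, ret);
    if (action == NULL)
        return 1;   /* assumption of this sketch: unresolvable means reject */
    return strcmp(action, "bad") == 0 || strcmp(action, "die") == 0;
}

int main(void)
{
    /* The control field quoted in the commit message. */
    const char *control = "[default=bad success=ok user_unknown=ignore]";
    const char *rets[] = { "success", "user_unknown", "ignore", "authinfo_unavail" };

    for (size_t i = 0; i < sizeof(rets) / sizeof(rets[0]); i++)
        printf("%-17s -> %s\n", rets[i],
               line_rejects(control, rets[i]) ? "reject" : "continue");
    return 0;
}
```

Only `success` and `user_unknown` have explicit entries, so every other return value, `ignore` included, falls through to `default=bad`.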