pam-config and sssd


Markus Gaugusch
Hi all,

I'm using openSUSE Leap 15.1 on a machine which was previously configured
with samba/winbind for enumeration of users from a Microsoft AD. It was
also possible for those users to log in to the machine.

After upgrades and changes to the domain controllers (Windows Server
2019), I got lots of winbind errors in the logs.

I decided to do a fresh start and use sssd instead of winbind. I
configured it using realmd (realmd join --user myadminuser),
and it worked quite well. I also configured ssh login in the following
way (/etc/pam.d):
(please forgive the strange stuff in the auth section, but after some
fighting it worked :))

auth        requisite
auth        required
auth        [default=1 ignore=ignore success=ok] uid >= 1000 quiet
auth        [default=1 success=ok]
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet
auth        sufficient
account     requisite
account     include     common-account <===== check this
[... password, session omitted ...]

account    required try_first_pass
account    sufficient forward_pass

Now I installed recent upgrades, which obviously executed pam-config. The
common-account was updated and contained only the following lines:

account    requisite try_first_pass
account    sufficient
account    required  use_first_pass

My users could no longer log in, because the pam_unix requisite kills the
login before pam_sss is even called. I checked the source of pam-config
and it is doing exactly that:

    case ACCOUNT:
      if (with_krb5 || with_ldap || with_lum || with_winbind || with_sss)
        fprintf (fp, "account\trequisite\t");
      fprintf (fp, "account\trequired\t");

QUESTION: Why does pam-config use account "requisite" in the case of
pam_sss presence? I'd expect "required", and that also works
if I change it manually. But unfortunately, my changes are lost every time
pam-config is run again ...

Also, pam_sss should be "sufficient" afterwards, not "required" ...
(At least that works, and while I've learned a lot about PAM over the
last few days, I'm not there yet I think :)
