pam-config and sssd


Markus Gaugusch
Hi all,

I'm using openSUSE Leap 15.1 on a machine which was previously configured
with samba/winbind for enumeration of users from a Microsoft AD. It was
also possible for those users to log in to the machine.

After upgrades and changes to the domain controllers (Windows Server
2019), I got lots of winbind errors in the logs.

I decided to do a fresh start and use sssd instead of winbind. I
configured it using realmd (realmd join mydomain.xxx --user myadminuser),
and it worked quite well. I also configured ssh login in the following
way (/etc/pam.d):
(please forgive the strange stuff in the auth section, but after some
fighting it worked :))

sshd:
auth        requisite   pam_nologin.so
auth        required        pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_sss.so
account     requisite   pam_nologin.so
account     include     common-account <===== check this
[... password, session omitted ...]

common-account:
account    required    pam_unix.so try_first_pass
account    sufficient  pam_sss.so forward_pass


Now I installed recent upgrades, which obviously executed pam-config. The
common-account was updated and contained only the following lines:

account    requisite   pam_unix.so try_first_pass
account    sufficient  pam_localuser.so
account    required    pam_sss.so  use_first_pass

My users could no longer log in, because the pam_unix requisite kills the
login before pam_sss is even called. I checked the source of pam-config
and it is doing exactly that:

https://github.com/SUSE/pam-config/blob/master/src/mod_pam_unix.c#L64

     case ACCOUNT:
       if (with_krb5 || with_ldap || with_lum || with_winbind || with_sss)
         fprintf (fp, "account\trequisite\tpam_unix.so\t");
       else
         fprintf (fp, "account\trequired\tpam_unix.so\t");
       break;


QUESTION: Why does pam-config use account "requisite" for pam_unix.so in
case of pam_sss presence? I'd expect "required", and that also works
if I change it manually. But unfortunately, my changes are lost every time
pam-config is run again ...

Also, pam_sss should be "sufficient" afterwards, not "required" ...
(At least that works, and while I've learned a lot about PAM during the
last days, I'm not there yet I think :)

thanks!
Markus
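The difference between `requisite`, `required` and `sufficient` that the post turns on is easiest to see by replaying the stacks through libpam's dispatch rules. The script below is an added example for this thread, not code from the post, from pam-config or from Linux-PAM: it re-implements the control-flag evaluation of libpam's dispatcher (the keyword controls as their `[value=action]` tables, plus `ok`, `done`, `bad`, `die`, `ignore`, `reset` and `N` jump actions, so it also accepts the bracketed lines from the sshd auth stack above) and runs the pam-config-generated `common-account` and the `required` variant over an assumed set of module results. Every module return value in it is a constructed assumption (for instance that pam_unix answers `PAM_USER_UNKNOWN` for the domain user); the "only optional module in the stack" special case is not modelled.

```python
"""Replay a pam.d stack through Linux-PAM's dispatch rules (added example).

Module results are constructed assumptions; real values depend on the
user, NSS and module options. Unlisted modules are treated as PAM_IGNORE.
"""

# Keyword controls are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[default=1 success=ok]' into a {value: action} table."""
    control = control.strip()
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    raise ValueError(f"unknown control field: {control!r}")


def parse_stack(text):
    """Parse pam.d lines into (type, control_table, module, args); skip comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        mtype, rest = tokens[0], tokens[1:]
        if rest[0].startswith("["):  # bracketed control may contain spaces
            end = next(i for i, t in enumerate(rest) if t.endswith("]"))
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        entries.append((mtype, parse_control(control), rest[0], rest[1:]))
    return entries


def dispatch(text, results):
    """Evaluate a stack; returns (final PAM_* status, [modules actually called])."""
    entries = parse_stack(text)
    impression = None            # None = undecided, True = positive, False = negative
    status = "PAM_PERM_DENIED"   # what an undecided stack ends up returning
    called = []
    i = 0
    while i < len(entries):
        _, table, module, _ = entries[i]
        i += 1
        retval = results.get(module, "PAM_IGNORE")
        called.append(module)
        action = table.get(retval[4:].lower(), table.get("default", "bad"))
        if action in ("ok", "done"):
            # a success only counts while nothing negative has been recorded
            if retval != "PAM_IGNORE" and (impression is None or (impression and status == "PAM_SUCCESS")):
                impression, status = True, retval
            if action == "done" and impression:
                break                # sufficient: stop here with the stack's success
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # the first failure wins
            if action == "die":
                break                # requisite: stop immediately, later modules never run
        elif action == "reset":
            impression, status = None, "PAM_PERM_DENIED"
        elif action.isdigit():
            i += int(action)         # jump: skip N modules, contributes nothing
        # "ignore": the module's return is not counted
    return (status if impression is not None else "PAM_PERM_DENIED"), called


# common-account as regenerated by pam-config, and with pam_unix set to required.
PAMCONFIG_STACK = """
account    requisite   pam_unix.so try_first_pass
account    sufficient  pam_localuser.so
account    required    pam_sss.so  use_first_pass
"""
REQUIRED_STACK = PAMCONFIG_STACK.replace("requisite", "required")

# Constructed results for a domain (sssd) user: pam_unix rejects, pam_localuser
# reports "not a local user", pam_sss accepts.
DOMAIN_USER = {"pam_unix.so": "PAM_USER_UNKNOWN",
               "pam_localuser.so": "PAM_PERM_DENIED",
               "pam_sss.so": "PAM_SUCCESS"}


def compare(results):
    """Run both variants of common-account and return {variant: (status, called)}."""
    return {"requisite": dispatch(PAMCONFIG_STACK, results),
            "required": dispatch(REQUIRED_STACK, results)}


if __name__ == "__main__":
    for name, (st, called) in compare(DOMAIN_USER).items():
        print(f"{name:9s} -> {st:18s} consulted: {called}")
```

Two things the replay makes visible. A `requisite` failure ends the stack at once, so pam_sss is never consulted, which matches the symptom in the post; a `required` failure lets the later modules run but is still recorded as the stack's final result, and a later `sufficient` or `required` success does not override it. Whether a given control admits the domain user therefore comes down to what pam_unix actually returns for that user, which `pam_unix.so debug` logging will show in the auth log.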