FreeBSD's OpenPAM doesn't have a built-in way of ignoring an unknown user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module, like Linux's user_unknown=ignore tag), so there needs to be an ignore_unknown_user flag built in to the PAM module. This patch makes pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when ignore_unknown_user is passed in from the PAM config. FWIW, this is how pam_ldap works on FreeBSD with local accounts, too.
This patch allows us to keep pam_sss marked as required for the PAM "account" facility (to enforce HBAC rules) but still allow local users to log in.
attachment pam_sss.c.diff
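The return-code behaviour described in this report, as an added example (a self-contained model, not the attached patch and not SSSD or OpenPAM code). Assumptions: the enum values are symbolic stand-ins rather than real PAM header values, the account stack has a hypothetical second `required` entry that checks the account locally, and the stack rule is simplified to "skip PAM_IGNORE, return the first failure".

```c
#include <stdio.h>
#include <string.h>
/* Symbolic stand-ins; the numeric values are NOT those of a real PAM header. */
enum { PAM_SUCCESS, PAM_IGNORE, PAM_USER_UNKNOWN, PAM_PERM_DENIED };

/* Constructed user record: what each modelled module would find. */
struct user { int in_sssd; int hbac_allows; int local_acct_ok; };

/* Model of the pam_sss account check with the option from this ticket. */
static int model_pam_sss_acct(const struct user *u, int argc, const char **argv)
{
    int ignore_unknown = 0;
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "ignore_unknown_user") == 0)
            ignore_unknown = 1;
    if (!u->in_sssd)
        return ignore_unknown ? PAM_IGNORE : PAM_USER_UNKNOWN;
    return u->hbac_allows ? PAM_SUCCESS : PAM_PERM_DENIED;
}

/* Hypothetical second "required" entry that checks the account locally. */
static int model_local_acct(const struct user *u)
{
    return u->local_acct_ok ? PAM_SUCCESS : PAM_USER_UNKNOWN;
}

/* Required-only stack: PAM_IGNORE is skipped, the first failure wins. */
int account_stack(const struct user *u, int sss_argc, const char **sss_argv)
{
    int results[2] = { model_pam_sss_acct(u, sss_argc, sss_argv),
                       model_local_acct(u) };
    int err = PAM_SUCCESS;
    for (int i = 0; i < 2; i++)
        if (results[i] != PAM_IGNORE && results[i] != PAM_SUCCESS
            && err == PAM_SUCCESS)
            err = results[i];
    return err;
}

int main(void)
{
    const char *opt[] = { "ignore_unknown_user" };
    struct user local = { 0, 0, 1 };   /* local-only account */
    struct user denied = { 1, 0, 1 };  /* SSSD user rejected by HBAC */
    printf("local, no option: %d\n", account_stack(&local, 0, NULL));
    printf("local, option:    %d\n", account_stack(&local, 1, opt));
    printf("denied, option:   %d\n", account_stack(&denied, 1, opt));
    return 0;
}
```

The point to check in a real deployment is the third case: the option only changes the result for users the module does not know, so an HBAC denial for a known user still fails the stack.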
Thanks a lot for the patch! It looks OK to me, builds fine and the intent looks fine as well. Can you send the patch to sssd-devel so other developers can take a look as well?
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.11.5
rhbz: => 0
attachment 0001-PAM-add-ignore_unknown_user-option.patch
Updated patch (0001-PAM-add-ignore_unknown_user-option.patch)
owner: somebody => jhrozek
owner: jhrozek => somebody
resolution: => fixed
status: new => closed
Lukas implemented an additional improvement for cases when sssd is not running:
Metadata Update from @petef: - Issue set to the milestone: SSSD 1.11.5
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here: https://github.com/SSSD/sssd/issues/3274
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.