Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1167324
Description of problem: Set nothing to pam_sss option "domains=" in /etc/pam.d/password-auth-ac file. Try to authenticate a trusted user and authentication succeeds. Also, following message gets logged in /var/log/secure file: sshd[21815]: pam_sss(sshd:setcred): Missing argument to option domains. Ideally trusted user auth should fail as arguments to domains option are missing and it is not clear which restricted domain pam service should authenticate against. An alternate solution is to provide information in man page as to what happens when domains=<empty value>. Version-Release number of selected component (if applicable): sssd-1.12.2-12.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Configure SSSD client with LDAP domain and set empty value to "domains=" option in pam file. Edit the sssd.conf file as given below: [sssd] config_file_version = 2 domains = LDAP services = nss, pam sbus_timeout = 30 [pam] debug_level = 0xFFF0 pam_trusted_users = user1 pam_public_domains = all [domain/LDAP] id_provider = ldap auth_provider = ldap debug_level = 5 cache_credentials = FALSE ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com ldap_tls_cacert = /etc/openldap/certs/server.pem ldap_search_base = dc=example,dc=com 2. Also, edit "auth" section of the /etc/pam.d/password-auth-ac in SSSD client as given below: auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so use_first_pass domains= auth required pam_deny.so 3. Execute trusted user auth as given below: # ssh -l user1 localhost usr1@localhost's password: Last login: Mon Nov 24 20:12:07 2014 from localhost Could not chdir to home directory /home/usr1: No such file or directory id: cannot find name for group ID 11111 -sh-4.2$ logout Actual results: User auth successful with the following message in secure file: sshd[21815]: pam_sss(sshd:setcred): Missing argument to option domains. Expected results: Either user auth should fail with the above message OR Man page should be updated with relevant information as to which domain, PAM service is allowed to authenticate against when domains=<empty> Additional info:
Fields changed
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => mark: no => 0 milestone: NEEDS_TRIAGE => SSSD 1.13 beta owner: somebody => jhrozek review: True => 0 selected: => testsupdated: => 0
I'm sorry, this ticket was misplaced, it belongs to 1.12!
milestone: SSSD 1.13 beta => SSSD 1.12.3
patch: 0 => 1
resolution: => fixed status: new => closed
Metadata Update from @jhrozek: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.12.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3558
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.