Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=590134
Description of problem:
Using SSSD in my PAM stack, I've found that when I set auth_provider = proxy and reference a new PAM configuration (proxy_pam_target = ncsu-proxy) that new PAM stack doesn't work at all.
I've confirmed this with sgallagh in #freeipa and his testing shows that the pam_proxy_target doesn't work for any library. They all return "User not known to the underlying authentication module"
In my case I'm using the ncsu-proxy config which looks like this:
auth required pam_krb5.so
password required pam_krb5.so use_authtok
session optional pam_krb5.so
With SSSD running this config I get errors:
May 7 15:26:47 kvmguest02 sssd_be: pam_krb5[2023]: error resolving user name 'jjneely' to uid/gid pair
May 7 15:26:47 kvmguest02 sssd_be: pam_krb5[2023]: error getting information about 'jjneely'
May 7 15:26:47 kvmguest02 sshd[2027]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=foo.bar user=jjneely
May 7 15:26:47 kvmguest02 sshd[2027]: pam_sss(sshd:auth): received for user jjneely: 10 (User not known to the underlying authentication module)
Of course, getent passwd jjneely returns correct results (also provided by SSSD)
My workaround for the time being is to simply replace pam_sss in my PAM stack with pam_krb5.
Version-Release number of selected component (if applicable): sssd-1.0.2-1.el6.i686
Sumit and I performed a basic triage today and discovered that the cause of the problem is that loop detection in the sss_client code (using the environment variable _SSS_LOOPS) means that the proxied PAM libraries can't make getpw() and getgr() calls. Thus, pretty much every one of them returns "User not known to the underlying authentication module"
Marking as blocker to 1.2.0
owner: simo => sgallagh
Fields changed
owner: sgallagh => sbose
The idea to solve this is to create a separate process that unsets _SSS_LOOPS and calls the pam modules. It will communicate with the proxy provider via SBus. The proxy provider will queue the pam requests and send them one at a time to the new process.
This solution allows the pam modules to use the getpw() and getgr() calls and removes all synchronous pam operations from the proxy provider.
owner: sbose => sgallagh status: new => assigned
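The failure and the proposed fix discussed above, as an added example that is not SSSD code: a lookup guarded by _SSS_LOOPS fails inside the guarded process and succeeds in a child that unsets the variable first. The model_* functions, the guard value "NO", the one-user database and the pipe (standing in for SBus) are assumptions of this sketch.

```c
#define _POSIX_C_SOURCE 200809L /* setenv, unsetenv */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define LOOP_ENV "_SSS_LOOPS"

/* Model lookup: refuses while the guard is set (value "NO" assumed);
 * the one-user database is constructed for this example. */
static int model_getpw(const char *user) {
    const char *v = getenv(LOOP_ENV);
    if (v != NULL && strcmp(v, "NO") == 0) return -1;
    return strcmp(user, "jjneely") == 0 ? 0 : -1;
}

/* Stand-in for a proxied PAM module; 10 is the code pam_sss logged above. */
static int model_pam_auth(const char *user) {
    return model_getpw(user) == 0 ? 0 : 10;
}

/* Before the fix: the module runs inside the guarded provider process. */
int auth_in_provider(const char *user) {
    setenv(LOOP_ENV, "NO", 1);
    return model_pam_auth(user);
}

/* After the fix: a child clears the guard, runs the module, reports back. */
int auth_in_child(const char *user) {
    int fds[2], rc = -1;
    setenv(LOOP_ENV, "NO", 1);          /* the parent stays guarded */
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* only the child's environment changes */
        unsetenv(LOOP_ENV);
        int r = model_pam_auth(user);
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &rc, sizeof rc) != (ssize_t)sizeof rc) rc = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void) {
    printf("in provider: %d\n", auth_in_provider("jjneely"));
    return printf("in child: %d\n", auth_in_child("jjneely")) < 0;
}
```

Because the child only changes its own environment, the provider keeps its loop protection while the proxied stack gets working lookups.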
Fixed by:
- ce145e5
- 7bd53da
- 3f51e7a
fixedin: => 1.2.0 resolution: => fixed status: assigned => closed
coverity: => patch: => 0 tests: 1 => 0 testsupdated: 0 => 1 upgrade: => 0
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=590134 590134]
Metadata Update from @sgallagh: - Issue assigned to sgallagh - Issue set to the milestone: SSSD 1.2.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/1513
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.