Public bug reported:

If you install sssd on a machine and then stop the service, logins as
local users fail (until sssd is started back up).

e.g. when trying to log in using the correct password for 'localadmin', the
login fails with the auth logs recording messages like:
pam_sss(login:auth): Request to sssd failed. Connection refused
FAILED LOGIN (1) on '/dev/tty1' FOR 'localadmin', Authentication failure
pam_sss(login:account): Request to sssd failed. Connection refused
login[31397]: Authentication service cannot retrieve authentication info

From what I've found in testing, the problem comes from
/etc/pam.d/common-account, which by default specifies:

account [default=bad success=ok user_unknown=ignore]    pam_sss.so

If that is changed to

account [default=ignore success=ok user_unknown=ignore]    pam_sss.so

The pam stack doesn't exit out straight away when sssd can't be
connected to, and instead pam_unix.so is still used.

So far in my testing I've not found any problems from the change;
network logins with bad passwords are still rejected etc. As I
understand it, the change is making pam skip over pam_sss.so if it
returns a result other than successful login. So I'm not seeing how it
could cause problems.

Can the default pam configuration set by the sssd package please be
updated to change the default=bad to default=ignore so that a broken
sssd daemon doesn't stop all local account logins from working as well?

Thanks
-J

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New
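
The effect of the two control strings quoted in the report can be checked with a small model of how libpam combines module results. This is an added example, not part of the original report or of the sssd packaging; the two-module stack, the authinfo_unavail=ignore variant and the perm_denied scenario are constructed assumptions.

```python
# Added example: a minimal model of how libpam combines module results.
# Handles the ignore/ok/bad/die/done actions only (no numeric jumps).
REQUIRED = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"
PACKAGED = "[default=bad success=ok user_unknown=ignore]"     # from the report
PROPOSED = "[default=ignore success=ok user_unknown=ignore]"  # from the report
# Assumption, not from the report: ignore only the "daemon unreachable" code.
NARROW = "[default=bad success=ok user_unknown=ignore authinfo_unavail=ignore]"

def parse_control(control):
    """'[default=bad success=ok]' -> {'default': 'bad', 'success': 'ok'}"""
    return dict(tok.split("=", 1) for tok in control.strip("[]").split())

def run_stack(stack, returns):
    """stack: [(control, module)]; returns: module -> PAM return-code name."""
    status, impression = "success", None   # None: no module has voted yet
    for control, module in stack:
        ret = returns[module]
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action in ("bad", "die"):
            if impression != "negative":   # the first failure is the one kept
                status, impression = ret, "negative"
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression, status) == ("positive", "success"):
                status, impression = ret, "positive"
            if action == "done" and impression == "positive":
                break
        # "ignore": the module's return code does not affect the result
    # libpam fails closed if no module contributed a result
    return status if impression is not None else "perm_denied"

def account_result(sss_control, sss_ret, unix_ret="success"):
    """Constructed two-module account stack: pam_sss.so, then required pam_unix.so."""
    stack = [(sss_control, "pam_sss.so"), (REQUIRED, "pam_unix.so")]
    return run_stack(stack, {"pam_sss.so": sss_ret, "pam_unix.so": unix_ret})

if __name__ == "__main__":
    for name, ctl in (("packaged", PACKAGED), ("proposed", PROPOSED), ("narrow", NARROW)):
        print(name,
              "| sssd stopped:", account_result(ctl, "authinfo_unavail"),
              "| sssd denies account:", account_result(ctl, "perm_denied"))
```

In this model default=ignore discards every non-success result from pam_sss.so in the account phase, including an account denial, while ignoring only authinfo_unavail still lets local logins through when sssd is down and keeps denials in force.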

https://bugs.launchpad.net/bugs/1906739

Title:
  default sssd pam config breaks local user logins if sssd isn't running
