[SOLVED] Promox PAM Authentication not working against SSSD

absolutesantaja

New Member
Apr 17, 2020
29
4
3
38
I'm trying to get Promox PAM Authentication working against FreeIPA. I've joined the Promox nodes to FreeIPA and I'm able to ssh into each of the nodes using both my password and ssh keys from FreeIPA. What seems to be going on is the order of operations in the PAM modules.

Here are two different things that work but I don't think this is correct and I'm just not understanding PAM module order.

1. I moved the line account [default=bad success=ok user_unknown=ignore] pam_sss.so from /etc/pam.d/common-account to /etc/pam.d/common-auth
2. I commented out pam_deny.so in /etc/pam/common-account

Here is the exception I'm seeing and related to the account not existing local which is to be expected but it should be also checking pam_sss.so and instead is failing immediately after checking pam_unix.so

Code:
Jul 27 05:38:13 cloud10 IPCC.xs[4226]: pam_unix(common-auth:auth): check pass; user unknown
Jul 27 05:38:13 cloud10 IPCC.xs[4226]: pam_unix(common-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 27 05:38:14 cloud10 IPCC.xs[4226]: pam_sss(common-auth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=sweeks
Jul 27 05:38:14 cloud10 IPCC.xs[4226]: pam_unix(common-auth:account): could not identify user (from getpwnam(sweeks))
 
Dec 7, 2020
4
0
1
61
Although following the principle of reducing side effects and manual changes to automatically managed configuration files, rather than modifying /etc/pam.d/common-account, it might be better to create the file /etc/pam.d/proxmox-ve-auth with contents along the lines of:
Code:
@include common-auth
@include common-session
@include common-password

# After the install of sssd PAM modules, the Proxmox VE webgui PAM authentication
# did not work with users configured into the webgui in the pam realm (necessary)
# but not in the local /etc/passwd.  Fix discussed a number of places, was to
# not have the pam_deny.so in place.
#
# Below copied from common-account and the one line commented out.
#

# here are the per-package modules (the "Primary" block)
account    [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so
# here's the fallback if no module succeeds
#account    requisite            pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
account    sufficient            pam_localuser.so
account    [default=bad success=ok user_unknown=ignore]    pam_sss.so
# end of pam-auth-update config

This way the change applies only to the PVE GUI and there's less chance that some future package install or update fails to update common-account.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!