[SOLVED] Promox PAM Authentication not working against SSSD

Apr 17, 2020
I'm trying to get Proxmox PAM Authentication working against FreeIPA. I've joined the Proxmox nodes to FreeIPA and I'm able to ssh into each of the nodes using both my password and ssh keys from FreeIPA. What seems to be going on is the order of operations in the PAM modules.

Here are two different things that work, but I don't think this is correct and I'm just not understanding PAM module order.

1. I moved the line account [default=bad success=ok user_unknown=ignore] pam_sss.so from /etc/pam.d/common-account to /etc/pam.d/common-auth
2. I commented out pam_deny.so in /etc/pam.d/common-account

Here is the exception I'm seeing. It relates to the account not existing locally, which is to be expected, but it should also be checking pam_sss.so and instead is failing immediately after checking pam_unix.so.

Code:
Jul 27 05:38:13 cloud10 IPCC.xs[4226]: pam_unix(common-auth:auth): check pass; user unknown
Jul 27 05:38:13 cloud10 IPCC.xs[4226]: pam_unix(common-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 27 05:38:14 cloud10 IPCC.xs[4226]: pam_sss(common-auth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=sweeks
Jul 27 05:38:14 cloud10 IPCC.xs[4226]: pam_unix(common-auth:account): could not identify user (from getpwnam(sweeks))
 
Following the principle of reducing side effects and manual changes to automatically managed configuration files, rather than modifying /etc/pam.d/common-account it might be better to create the file /etc/pam.d/proxmox-ve-auth with contents along the lines of:
Code:
@include common-auth
@include common-session
@include common-password

# After the install of sssd PAM modules, the Proxmox VE webgui PAM authentication
# did not work with users configured into the webgui in the pam realm (necessary)
# but not in the local /etc/passwd.  Fix discussed a number of places, was to
# not have the pam_deny.so in place.
#
# Below is copied from common-account with the one line commented out.
#

# here are the per-package modules (the "Primary" block)
account    [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so
# here's the fallback if no module succeeds
#account    requisite            pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
account    sufficient            pam_localuser.so
account    [default=bad success=ok user_unknown=ignore]    pam_sss.so
# end of pam-auth-update config

This way the change applies only to the PVE GUI and there's less chance that some future package install or update fails to update common-account.
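To see why the stack order matters, here is a small evaluator of pam.conf(5) control semantics (ignore/bad/die/ok/done/N) run over the stock common-account stack and over the proxmox-ve-auth variant posted above. It is an added example, not code from either post or from Proxmox or SSSD; the module return codes are a constructed model in which pam_unix only knows /etc/passwd users (matching the logged `could not identify user (from getpwnam(sweeks))`) and pam_sss only knows the directory user `sweeks`.

```python
SUCCESS, USER_UNKNOWN, PERM_DENIED = "success", "user_unknown", "perm_denied"

# Keyword controls are shorthand for these bracketed action tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(ctl):
    if ctl in KEYWORDS:
        return KEYWORDS[ctl]
    return dict(kv.split("=", 1) for kv in ctl.strip("[]").split())

def run_stack(stack, user, local_users=frozenset({"root"}), ipa_users=frozenset({"sweeks"})):
    """Return (final status, trace). Constructed model: pam_unix/pam_localuser only see
    /etc/passwd, pam_sss only sees the directory, pam_deny denies, pam_permit permits."""
    is_local, in_ipa = user in local_users, user in ipa_users
    returns = {
        "pam_unix.so": SUCCESS if is_local else USER_UNKNOWN, "pam_permit.so": SUCCESS,
        "pam_sss.so": SUCCESS if in_ipa else USER_UNKNOWN, "pam_deny.so": PERM_DENIED,
        "pam_localuser.so": SUCCESS if is_local else PERM_DENIED,
    }
    status, failed, trace, i = None, False, [], 0
    while i < len(stack):
        ctl, mod = stack[i]
        i += 1
        rv = returns[mod]
        actions = parse_control(ctl)
        act = actions.get(rv, actions.get("default", "bad"))
        trace.append(f"{mod} -> {rv} [{act}]")
        if act in ("bad", "die") and not failed:
            status, failed = rv, True       # the first failure fixes the stack's status
        elif act in ("ok", "done") or act.isdigit():
            if not failed:                  # only override a status that is not yet a failure
                status, failed = rv, rv != SUCCESS
            if act.isdigit():
                i += int(act)               # N: jump over the next N modules
        if act in ("die", "done"):
            break                           # terminate the stack immediately
    return (PERM_DENIED if status is None else status), trace  # nothing contributed -> denied

STOCK_COMMON_ACCOUNT = [  # Debian common-account as pam-auth-update writes it, pam_deny present
    ("[success=1 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("sufficient", "pam_localuser.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
]
PROXMOX_VE_AUTH = [e for e in STOCK_COMMON_ACCOUNT if e[1] != "pam_deny.so"]  # the posted fix
```

Running `run_stack(STOCK_COMMON_ACCOUNT, "sweeks")` shows the stack dying at pam_deny before pam_sss is ever consulted, while the pam_deny-free stack reaches pam_sss and returns success. Note that the account phase of the pam_deny-free stack also returns success for a user unknown to both pam_unix and pam_sss (pam_permit primes it), so it is the auth phase in common-auth that keeps unknown users out.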
 