Bug #31635

Correct PAM constants for AFP users authenticating as local user in LDAP environment

Added by Andrew Walker over 2 years ago. Updated over 2 years ago.

Status:
Done
Priority:
No priority
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
TrueNAS - TrueNAS 11.1-U4
Severity:
Low
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
VYJ-392-56686
Hardware Configuration:
ChangeLog Required:
No

Description

Behavior regarding this changed between 9.3 and 11.1. In 9.3, when a local user (AFP) authenticates in an LDAP environment, no entry is generated in /var/log/auth.log. In 11.1, errors are generated. This is relevant in the use case where users access AFP shares with LDAP credentials but Time Machine backups use local user account credentials on the TrueNAS server. This configuration is designed to eliminate a potential point of failure in the backup design (what happens if LDAP goes down). Unfortunately, it now results in spam in /var/log/auth.log.

Example:

Feb 13 23:51:29 truenasbck afpd[40009]: authentication failure; logname=root uid=0 euid=0 tty=afpd ruser=tmbackup rhost=10.87.24.32 user=tmbackup
Feb 13 23:57:56 truenasbck afpd[40466]: authentication failure; logname=root uid=0 euid=0 tty=afpd ruser=tmbackup rhost=10.87.24.52 user=tmbackup

pam_sss is the same version in 9.3 and 11.1, and /etc/pam.d/netatalk looks functionally identical.
Packet captures of authentication in both server versions follow the same sequence of

FPLoginExt request
FPLoginExt reply: logincont (-5001)

FPLoginCont request
FPLoginCont reply: logincont (-5001)

FPLoginCont request
FPLoginCont reply: success (0)


Related issues

Copied to FreeNAS - Bug #35218: Correct PAM constants for AFP users authenticating as local user in LDAP environment (Done)

Associated revisions

Revision 5d79069f (diff)
Added by John Hixson over 2 years ago

Use correct pam constants Ticket: #31635

Revision 1e429543 (diff)
Added by John Hixson over 2 years ago

Bump sssd port revision Ticket: #31635

Revision 234f951b (diff)
Added by John Hixson over 2 years ago

Shut pam_sss up when authenticating local users Ticket: #31635

Revision c92ed477 (diff)
Added by John Hixson over 2 years ago

Shut pam_sss up when authenticating local users Ticket: #31635 (cherry picked from commit 234f951b016b3209697d394e86ee6f03ee9ce360)

Revision adc4ac13 (diff)
Added by John Hixson over 2 years ago

Use correct pam constants Ticket: #31635 (cherry picked from commit 5d79069f17c8814458ba2dcc06eb34d2a7a7a5a2)

Revision 78d8b0d3 (diff)
Added by John Hixson over 2 years ago

Bump sssd port revision Ticket: #31635 (cherry picked from commit 1e4295431bcc8e1de3af6913145fa2c099cdc98c)

Revision acfcf331 (diff)
Added by John Hixson about 2 years ago

Use correct pam constants Ticket: #31635

Revision e6fdede6 (diff)
Added by John Hixson about 2 years ago

Use correct pam constants Ticket: #31635

Revision 2daf3fb0 (diff)
Added by John Hixson about 2 years ago

Use correct pam constants Ticket: #31635

Revision 228ad97b (diff)
Added by John Hixson about 2 years ago

Use correct pam constants Ticket: #31635

Revision 1946cd16 (diff)
Added by John Hixson over 1 year ago

Use correct pam constants Ticket: #31635

History

#1 Updated by Dru Lavigne over 2 years ago

  • Assignee changed from Release Council to John Hixson
  • Target version set to 11.2-RC2

#2 Updated by John Hixson over 2 years ago

  • Status changed from Unscreened to Screened
  • Severity set to Low

#3 Updated by John Hixson over 2 years ago

I can reproduce this issue... with the caveat that I can't auth a local user at all ;-)

#4 Updated by John Hixson over 2 years ago

After modifying pam files, I can authenticate and see the auth failure logged. I believe this is due to trying LDAP auth first before trying local user auth. I'm pretty sure there is a quiet option to the pam_sss module that keeps it from logging auth failures.

#5 Updated by John Hixson over 2 years ago

I think I've found the problem. I can confirm this is pam_sss causing these error messages. pam_sss in its infinite wisdom is using magic numbers rather than pam constants to determine when to print messages, even in quiet mode:

        case SSS_PAM_ACCT_MGMT:
            if (pam_status != PAM_SUCCESS) {
                /* don't log if quiet_mode is on and pam_status is
                 * User not known to the underlying authentication module
                 */
                if (!quiet_mode || pam_status != 10) {
                   logger(pamh, LOG_NOTICE,
                          "Access denied for user %s: %d (%s)",
                          pi->pam_user, pam_status,
                          pam_strerror(pamh,pam_status));
                }
            }

The pam status of 10 on Linux is PAM_USER_UNKNOWN, whereas PAM_USER_UNKNOWN on FreeBSD is 13. I will patch this and verify. Perhaps we should fork SSSD as well? ;-) It really needs to be updated badly.
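
An added example, not code from sssd or the FreeNAS ports tree, that models the quiet_mode check quoted above against both sets of PAM status values. Linux-PAM defines PAM_USER_UNKNOWN as 10 and PAM_NEW_AUTHTOK_REQD as 12; OpenPAM, which FreeBSD ships, defines PAM_USER_UNKNOWN as 13 and PAM_NEW_AUTHTOK_REQD as 10. Those values are copied in as plain integers (taken from the respective headers) so the program builds without a libpam header on either platform. On FreeBSD the literal 10 therefore does two wrong things at once: it fails to silence the unknown-user status that pam_sss returns for a local account such as tmbackup, and it silences a genuine expired-password denial.

```c
#include <stdio.h>

/*
 * Added example, not code from sssd or FreeNAS. Per-platform status codes
 * that matter for the quiet_mode check; values are those assigned by
 * Linux-PAM (_pam_types.h) and OpenPAM (pam_constants.h, used by FreeBSD),
 * hard-coded here so nothing links against a real libpam.
 */
struct pam_consts {
    const char *name;
    int pam_success;
    int pam_user_unknown;
    int pam_new_authtok_reqd;   /* this is what the literal 10 means on OpenPAM */
};

static const struct pam_consts LINUX_PAM = { "Linux-PAM", 0, 10, 12 };
static const struct pam_consts OPENPAM   = { "OpenPAM/FreeBSD", 0, 13, 10 };

/* pam_sss as quoted: the only status quiet_mode suppresses is the literal 10. */
static int buggy_logs_access_denied(const struct pam_consts *p, int quiet_mode,
                                    int pam_status)
{
    if (pam_status == p->pam_success)
        return 0;
    return (!quiet_mode || pam_status != 10) ? 1 : 0;
}

/* The fix: compare against the platform's own PAM_USER_UNKNOWN. */
static int fixed_logs_access_denied(const struct pam_consts *p, int quiet_mode,
                                    int pam_status)
{
    if (pam_status == p->pam_success)
        return 0;
    return (!quiet_mode || pam_status != p->pam_user_unknown) ? 1 : 0;
}

static void show(const struct pam_consts *p)
{
    int quiet = 1;   /* pam_sss configured with the quiet option */
    printf("%s, quiet_mode=1\n", p->name);
    printf("  PAM_USER_UNKNOWN (%d):     buggy logs=%d  fixed logs=%d\n",
           p->pam_user_unknown,
           buggy_logs_access_denied(p, quiet, p->pam_user_unknown),
           fixed_logs_access_denied(p, quiet, p->pam_user_unknown));
    printf("  PAM_NEW_AUTHTOK_REQD (%d): buggy logs=%d  fixed logs=%d\n",
           p->pam_new_authtok_reqd,
           buggy_logs_access_denied(p, quiet, p->pam_new_authtok_reqd),
           fixed_logs_access_denied(p, quiet, p->pam_new_authtok_reqd));
}

int main(void)
{
    show(&LINUX_PAM);   /* literal and constant agree: unknown user stays quiet */
    show(&OPENPAM);     /* unknown local user is logged; expired password is not */
    return 0;
}
```

On the Linux table both versions agree, which is why the upstream code looked correct to its authors; only the OpenPAM table exposes the divergence. The same check applies to any module that compares pam_status against a literal: grep the source for bare integers next to PAM_SUCCESS before porting it to a non-Linux PAM.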

#6 Updated by John Hixson over 2 years ago

I also verified that in older versions of pam_sss, pam_status only checked for PAM_SUCCESSFUL.

#7 Updated by John Hixson over 2 years ago

sssd fix PR: https://github.com/freenas/ports/pull/106

I'll wait to test out the module before making other pam fixes.

#8 Updated by Dru Lavigne over 2 years ago

  • Subject changed from AFP - authentication failure messages generated in /var/log/auth.log when authenticating as local user in LDAP environment to Correct PAM constants for AFP users authenticating as local user in LDAP environment
  • Target version changed from 11.2-RC2 to 11.2-BETA1
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#10 Updated by John Hixson over 2 years ago

  • Status changed from Screened to Done

#11 Updated by John Hixson over 2 years ago

  • Target version changed from 11.2-BETA1 to 11.1-U5

#13 Updated by Andrew Walker over 2 years ago

  • Status changed from Done to Unscreened

#14 Updated by Andrew Walker over 2 years ago

  • Target version changed from 11.1-U5 to N/A

#15 Updated by Joe Maloney over 2 years ago

  • Status changed from Unscreened to Done

Open a new bug. Do not reopen an existing one.

#16 Updated by Joe Maloney over 2 years ago

We missed this in QA because the status was changed from Screened to Done. In order to be visible to QA and docs, we need future tickets set to Ready for Testing.

#17 Updated by Dru Lavigne over 2 years ago

  • Target version changed from N/A to 11.1-U5

#18 Updated by Dru Lavigne over 2 years ago

  • Copied to Bug #35218: Correct PAM constants for AFP users authenticating as local user in LDAP environment added
