PAM service configuration blocks login for AD users #128116
Comments
Update: This seems to be related to the section following this line in the pam module. Namely, if any of

I marked this as stale due to inactivity.

This is not stale.

At least for sssd, it looks like gnome keyring would be propagated correctly (sssd 2.2.2 release notes). So probably the comment from nixpkgs/nixos/modules/security/pam.nix Line 413 in d1aa855

Previously, `pam_unix.so` was `required` to set PAM_AUTHTOK so that dependent pam modules (such as gnome keyring) could use the password (for example to unlock a keyring) upon login of the user. This however broke any additional auth providers (such as AD or LDAP): for any non-local user `pam_unix.so` will not yield success, thus eventually the auth would fail (even if the following auth providers were actually executed, they could not overrule the already failed auth). This change replaces `required` by `optional`. Therefore, the `pam_unix.so` is executed and can set the PAM_AUTHTOK for the following optional modules, _even_ if the user is not a local user. Therefore, the gnome keyring for example is unlocked both for local and additional users upon login, and login is working for non-local users via LDAP/AD.

Fixed by #173495.
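The behaviour the commit message above relies on is Linux-PAM's stack evaluation: a failed `required` module records a failure that no later `sufficient` success can overrule, a successful `sufficient` module ends the stack at once (so nothing after it runs), and an `optional` module runs and can leave PAM_AUTHTOK behind without being able to grant or veto. The following model is an added example, not code from nixpkgs or Linux-PAM: module results are simulated, and the users (`alice`, `bob`, `mallory`), the stack layout and the module order are assumptions, not the contents of the reporter's `/etc/pam.d/login`.

```python
"""Model of how Linux-PAM evaluates an auth stack, used to show why a
`required` pam_unix.so entry blocks non-local (AD) users and why the
reporter's `sufficient` workaround has a side effect of its own.

Added example, not code from nixpkgs or Linux-PAM: module results are
simulated, and the users, the stack layout and the module order below are
assumptions, not the contents of the reporter's /etc/pam.d/login.
"""
from dataclasses import dataclass

SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"

# Linux-PAM's built-in control keywords as [value=action] tables:
# ok/done record a positive impression (done also ends the stack),
# bad/die record a negative one (die also ends the stack),
# ignore records nothing.
CONTROLS = {
    "required":   {SUCCESS: "ok",   "default": "bad"},
    "requisite":  {SUCCESS: "ok",   "default": "die"},
    "sufficient": {SUCCESS: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "default": "ignore"},
}

# Constructed account database: alice is a local user, bob exists only in
# the domain, mallory exists nowhere.
LOCAL_USERS = {"alice"}
DOMAIN_USERS = {"bob"}


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. pam_unix.so


def run_module(module, user, state):
    """Simulated module result plus its side effect on PAM_AUTHTOK."""
    if module == "pam_unix.so":
        state["authtok"] = True   # prompts for and stores the password even for unknown users
        return SUCCESS if user in LOCAL_USERS else AUTH_ERR
    if module == "pam_winbind.so":
        return SUCCESS if user in DOMAIN_USERS else AUTH_ERR
    if module == "pam_gnome_keyring.so":
        state["keyring_saw_authtok"] = state.get("authtok", False)
        return SUCCESS
    if module == "pam_deny.so":
        return PERM_DENIED
    raise ValueError(f"unknown module {module}")


def evaluate(stack, user):
    """Return (final status, did pam_gnome_keyring run with a PAM_AUTHTOK)."""
    impression = None    # None = undefined, True = positive, False = negative
    status = None
    state = {}
    for entry in stack:
        result = run_module(entry.module, user, state)
        table = CONTROLS[entry.control]
        action = table.get(result, table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, result
            if impression and action == "done":
                break   # sufficient success ends the stack, unless a required module already failed
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, result   # the first failure wins
            if action == "die":
                break
        # "ignore": nothing recorded
    if impression is None:
        status = PERM_DENIED   # no module granted or vetoed: refuse
    return status, state.get("keyring_saw_authtok", False)


def login_stack(unix_control):
    """Constructed /etc/pam.d/login auth stack.  Only the control keyword of
    the first entry differs between the three variants discussed on the page;
    the later `sufficient` pam_unix.so entry is the one that grants local users."""
    return [
        Entry(unix_control, "pam_unix.so"),           # sets PAM_AUTHTOK
        Entry("optional",   "pam_gnome_keyring.so"),  # consumes PAM_AUTHTOK
        Entry("sufficient", "pam_unix.so"),           # grants local users
        Entry("sufficient", "pam_winbind.so"),        # grants domain users
        Entry("required",   "pam_deny.so"),           # nobody else gets in
    ]


if __name__ == "__main__":
    for control in ("required", "sufficient", "optional"):
        for user in ("alice", "bob", "mallory"):
            print(f"{control:10} {user:8} -> {evaluate(login_stack(control), user)}")
```

Running it reproduces the three situations from this thread: with `required`, `bob` is refused with the error recorded by `pam_unix.so` even though `pam_winbind.so` succeeded later; with the reporter's `sufficient`, `bob` logs in but `alice`'s stack ends at the first `pam_unix.so` and `pam_gnome_keyring.so` never sees a password, which is what `required` was there to prevent; with `optional`, both users log in and both reach the keyring module, while `mallory` is still refused by the final `pam_deny.so`.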
Describe the bug
When using krb5 together with samba & winbind for login in an AD, login works everywhere except `login`. So `su` or `sshd` for example work just fine. However, when `login` is used (either through the binary in the shell or through a tty or display manager), I get:

Upon further inspection, I noticed a difference in the respective pam service files. Most of these files have

with one notable difference: `/etc/pam.d/login` has

If I change the `required` in `/etc/pam.d/login` by `sufficient`, I can login to AD accounts without problem even using `login` or `tty`.

To Reproduce
Steps to reproduce the behavior:
(It's not realistically possible to reproduce the full setup)

Expected behavior
Login works for AD users with `su`, `sshd` and `login` all the same.

Additional Notes
I'm by no means an expert in the domain of domains. What I however wonder is how others solved this issue when integrating NixOS machines in an AD.
Metadata
 - system: `"x86_64-linux"`
 - host os: `Linux 5.12.11, NixOS, 21.05.20210620.6613a30 (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20210601_5985b8b`
 - channels(root): `"nixos-21.05.1076.bad3ccd099e"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
Maintainer information: