Hi All,
I am wondering if anyone can help... well, I'm hoping someone can.
I currently have an issue where the pam_sss module is reporting false positives to /var/log/secure. The user1 account is a local account and as such is able to log in fine; however, pam_sss tries to authenticate the account even though I have set 'quiet' and 'ignore_unknown_user' and told pam_succeed_if.so to ignore users with UIDs over 500.
So far I have tried the following:
changing the flags to quiet and ignore_unknown_user
changing the stacking order
Nothing I have tried has stopped pam_sss from reporting false positives to the secure log. What am I doing wrong? Can anyone help?
I am currently on RHEL 7.
The alert from the secure log:
Code:
server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1
My pam_informix file:
Code:
auth sufficient pam_rhosts.so silent
auth sufficient pam_sss.so quiet
auth required pam_unix.so
account required pam_oddjob_mkhomedir.so
account sufficient pam_permit.so
My system-auth-ac file:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
My password-auth-ac file:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Any help will be greatly appreciated!
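The reason pam_sss is invoked at all for a local user is visible in the order of the posted pam_informix auth stack: pam_sss.so sits before pam_unix.so, so every authentication, local or not, is offered to SSSD first, and the pam_succeed_if gate in system-auth-ac never applies because pam_informix does not include system-auth. In system-auth-ac, by contrast, pam_unix.so is a sufficient module ahead of pam_sss.so, so a local user with a correct password never reaches pam_sss. The following is an added example, not code from the original post or from Linux-PAM: a small Python model of Linux-PAM auth-stack control flow (the keyword controls and the bracketed success=N jump form from pam.conf(5)) run against the posted pam_informix stack and against a reordered stack that puts pam_unix first and skips pam_sss for local users with pam_localuser.so. The user database, passwords and the reordered stack are constructed assumptions for the demonstration; module return values are reduced to the few that matter for stack flow.

```python
"""Simplified model of Linux-PAM auth-stack evaluation (constructed example).

Traces which modules actually run for a given user against two auth stacks:
the pam_informix stack from the post, and a reordered one that keeps
pam_sss away from local accounts. Not Linux-PAM's own code.
"""

# Constructed sample data: local (/etc/passwd) users and SSSD-backed users.
LOCAL_USERS = {"user1": "local-pw"}
SSS_USERS = {"aduser": "ad-pw"}

# Keyword controls expanded as in pam.conf(5). Actions are ok/done/bad/die/
# ignore; an integer action is "ok" plus a jump over that many modules.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(token):
    """Turn 'sufficient' or '[success=1 default=ignore]' into an action map."""
    if token in KEYWORDS:
        return dict(KEYWORDS[token])
    actions = {}
    for pair in token.strip("[]").split():
        key, val = pair.split("=")
        actions[key] = int(val) if val.isdigit() else val
    return actions

# Module behaviour reduced to the return codes that drive the stack.
def pam_rhosts(user, pw):
    return "auth_err"                       # no ~/.rhosts trust assumed

def pam_unix(user, pw):
    if user not in LOCAL_USERS:
        return "user_unknown"
    return "success" if LOCAL_USERS[user] == pw else "auth_err"

def pam_sss(user, pw):
    if user not in SSS_USERS:
        return "user_unknown"               # SSSD does not know the user
    return "success" if SSS_USERS[user] == pw else "auth_err"

def pam_localuser(user, pw):
    # Succeeds only for users present in /etc/passwd (modelled by LOCAL_USERS).
    return "success" if user in LOCAL_USERS else "perm_denied"

def pam_deny(user, pw):
    return "perm_denied"

MODULES = {"pam_rhosts.so": pam_rhosts, "pam_unix.so": pam_unix,
           "pam_sss.so": pam_sss, "pam_localuser.so": pam_localuser,
           "pam_deny.so": pam_deny}

def parse_stack(text):
    """Parse the 'auth <control> <module> [args]' lines of a PAM service file."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "auth":
            continue
        rest = parts[1:]
        if rest[0].startswith("["):         # bracketed control may contain spaces
            end = next(i for i, t in enumerate(rest) if t.endswith("]"))
            control, module = " ".join(rest[:end + 1]), rest[end + 1]
        else:
            control, module = rest[0], rest[1]
        stack.append((parse_control(control), module))
    return stack

def run_auth(stack, user, pw):
    """Return (final result, list of modules that were actually invoked)."""
    impression, status, invoked, skip = None, "perm_denied", [], 0
    for control, module in stack:
        if skip:                            # inside a success=N jump
            skip -= 1
            continue
        retval = MODULES[module](user, pw)
        invoked.append(module)
        action = control.get(retval, control["default"])
        if isinstance(action, int):         # jump: treated as ok, then skip N
            skip, action = action, "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                       # sufficient module decided the stack
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if action == "die":
                break                       # requisite failure ends the stack
    return status, invoked

# The pam_informix auth stack as posted (account lines are ignored here).
POSTED_STACK = """\
auth sufficient pam_rhosts.so silent
auth sufficient pam_sss.so quiet
auth required pam_unix.so
"""

# Assumed reordering: pam_unix first, and a pam_localuser gate that jumps
# over pam_sss for local users; pam_deny closes the stack as in system-auth.
REORDERED_STACK = """\
auth sufficient pam_rhosts.so silent
auth sufficient pam_unix.so
auth [success=1 default=ignore] pam_localuser.so
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_STACK), ("reordered", REORDERED_STACK)):
        for user, pw in (("user1", "local-pw"), ("user1", "wrong"), ("aduser", "ad-pw")):
            print(name, user, run_auth(parse_stack(text), user, pw))
```

With the posted stack, user1 authenticates successfully but pam_sss.so is invoked on every attempt, which is where the log line comes from; with the reordered stack a local user with a correct password stops at pam_unix, a local user with a wrong password is denied without pam_sss ever seeing the request, and SSSD users still reach pam_sss. The model ignores the `quiet` and `ignore_unknown_user` options entirely because they only affect what pam_sss logs or returns once it has been called; ordering and gating decide whether it is called.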