pam_sss reporting false positives to /var/log/secure - PLEASE HELP!!!
 

Hi All,

I am wondering if anyone can help...well i'm hoping someone can :)

I currently have an issue where the pam_sss file is reporting false positives to /var/log/secure. The user1 account is a local account and as such is able to log in fine however the pam_sss tries to authenticate the account even though I have set the 'quiet', 'ignore_unknown_user' and told pam_succeed_if.so to ignore users with uid's over 500.

So far I have tried to following:

changing the flags to quiet and ignore_unknown_user
changing the stacking order

Nothing I have tried has stopped pam_sss from reporting false positives to the secure log. What am i doing wrong? Can anyone help???

I am currently on RHEL 7

The alert from the secure log:
My pam_informix file:
My system-auth-ac file:
My password-auth-ac file:
Any help will be greatly appreciated!!!

Open a ticket with RedHat support?

server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1

-------------------------------

i'm rusty on pam and haven't used rehat in a while (though i like it). pam is modular. you can disable security altogether if you use the right settings, login with no password

my best guess: if you want, just create a new user (guest user) and use passwd(1) to set that no password is required (instead of having a user where password is required and trying to disable reporting on it)


did you get logged in? you didn't say but indicated "yes". if your logged in your issue might be "logging level" or "debug level". that is: pam might be reporting it all the time even though it allowed it as a security precaution, and that if you reduce the "logging level" you won't see the message.


also (in old pam anyway) there is more than one config directory to worry about (/etc/login.defs /etc/pam/, /etc/securetty /etc/security) the second is for pam settings of device permissions, and perhaps a few more in /etc somewhere related to older unix file (like /etc/login.defs login is edited to support pam login - possibly "exclusively").

you have to identify the "entry point" of pam config files (1st read file), modules (very first module read), exit point (when pam believes no more modules need be tried). you have to make sure you know what each modules does. the pam .conf files are read for this kind of login: meaning the entry point depends on how pam is started (ie, for cron auth or sessoin? for what?). if you can't, you have to disable passwords/auth in all of pam by using only the dummy module: which you don't want to do.

i'd have to run man(1) pages on your system to see what pam file is read first, and manpage upon what modules are for/do.

i have no idea if your trying to log in as root or a normal user, remotely or locally, on a console or terminal.

i don't even know if your trying to disable password for an account or some other objective.

i do re-suggest you consider creating a user for each purpose if not for each app you run (that is not supposed to share memory). and remind that it's simple as pie when creating a user to choose that the user doesn't need a password

(you then want to go in /etc/securetty and limit this user to console so you don't get remote logins)

that's all "the old way to do it"

i'm unsure with your linux if you want to be editing your pam files that way. you may want to use your desktop tools. i have no idea if you have an active directory (NIS, LDAP) enabled and should be using it.

if i want to change the world on how passwords work on an apple: i'm going into settings->sharing->properties and using a property sheet editor to edit NIS settings - and pam is in there somewheres, and there's more settings than i can shake a stick at. apple releases directions on how to do about anything users usually want.

here's the rundown i just described:

https://support.apple.com/en-us/HT204012