Fixing Fedora's default FreeIPA config
I periodically re-install Fedora on my laptops. Now that I have a fairly stable FreeIPA setup, I’ve been joining my laptops to FreeIPA during installation:
This works great for the first user, i.e. the one that is specified in the installer. However, other users are not able to log in after installation.
To make reading easier, I’ve put firstuser and seconduser as my two users. I’ve also clipped out hostnames and timestamps from journalctl output.
If attempting to log in as one of these other users via ssh, the following messages are logged in the journal:
sshd[928089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[928089]: pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
sshd[928089]: Failed password for seconduser from 172.31.0.50 port 42840 ssh2
sshd[928089]: fatal: Access denied for user seconduser by PAM account configuration [preauth]
"Failed password for seconduser" makes this seem like a password issue, but it’s not. An actual bad password looks like this:
krb5_child[979500]: Preauthentication failed
krb5_child[979500]: Preauthentication failed
sshd[979494]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[979494]: pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
sshd[979494]: Failed password for seconduser from 172.31.0.50 port 39754 ssh2
The real error is actually coming from PAM, and the journal shows the difference between my scenario and a truly wrong password. If we look at the first example, the real error is:
pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
Compare this to the wrong-password scenario, where the error is:
pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
From this, we can see that a true wrong password fails in the auth modules of PAM (as expected), but my error happens in the account modules. So, one of the PAM account modules is denying my user.
Looking at /etc/pam.d/password-auth, which is a symlink to /etc/authselect/password-auth, we see:
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
I don’t really see anything here that would allow one user but deny another. pam_sss.so is the module that interfaces with FreeIPA via sssd. It sources its configuration from /etc/sssd/sssd.conf, and there we find our culprit. From sssd.conf:
[domain/mydomain.example.com]
simple_allow_users = $, firstuser
sssd-simple(5) provides very simple user and group allow/deny lists. In this case, if a user is not listed in simple_allow_users, then they are not allowed to log in. What this means is that only firstuser is allowed to log in. Adding seconduser to the list will allow them to log in, and so forth.
This seems like a bug. At the least it’s very unexpected behavior!
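To make the two diagnostic steps above repeatable, here is an added example (my own code, not part of the original post or of sssd/FreeIPA) that first tells the PAM auth-phase failure apart from the account-phase denial in journal output, and then checks whether a user would pass the simple access provider's simple_allow_users list. The journal lines and the sssd.conf fragment embedded below are constructed samples modelled on the post; the domain name mydomain.example.com is taken from the post, and only simple_allow_users is modelled (the deny lists and group lists of sssd-simple(5) are not).

```python
import configparser
import re

# Constructed sample journal output (modelled on the post, not captured from a real host).
JOURNAL_ACCOUNT_DENIED = """\
sshd[928089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[928089]: pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
sshd[928089]: Failed password for seconduser from 172.31.0.50 port 42840 ssh2
sshd[928089]: fatal: Access denied for user seconduser by PAM account configuration [preauth]
"""

JOURNAL_BAD_PASSWORD = """\
krb5_child[979500]: Preauthentication failed
sshd[979494]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[979494]: pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
sshd[979494]: Failed password for seconduser from 172.31.0.50 port 39754 ssh2
"""

# Constructed sssd.conf fragment; the simple_allow_users line is the one from the post.
SSSD_CONF = """\
[sssd]
domains = mydomain.example.com
services = nss, pam

[domain/mydomain.example.com]
id_provider = ipa
access_provider = simple
simple_allow_users = $, firstuser
"""

# pam_sss logs as "pam_sss(<service>:<phase>): <message>"; the phase is what matters here.
PAM_SSS_RE = re.compile(r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)")
# Matches both "user=seconduser" and "for user seconduser"; "ruser= " does not match.
USER_RE = re.compile(r"user[= ](?P<user>[A-Za-z0-9._@-]+)")


def classify_pam_sss(journal_text):
    """Return (phase, user, message) for the decisive pam_sss failure, or None.

    An account-phase "Access denied" wins immediately: the password was accepted
    and an access rule rejected the user.  Otherwise the last auth-phase failure
    is reported, which is the genuine wrong-password case.
    """
    result = None
    for line in journal_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        phase, msg = m.group("phase"), m.group("msg")
        um = USER_RE.search(msg)
        user = um.group("user") if um else None
        if phase == "account" and "Access denied" in msg:
            return ("account", user, msg)
        if phase == "auth" and "authentication failure" in msg.lower():
            result = ("auth", user, msg)
    return result


def simple_allow_users(conf_text, domain):
    """Parse the simple_allow_users list of one [domain/...] section (empty list if unset)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(f"domain/{domain}", "simple_allow_users", fallback="")
    return [u.strip() for u in raw.split(",") if u.strip()]


def user_allowed_by_simple(conf_text, domain, user):
    """Apply the simple_allow_users rule only (assumption: no deny/group lists are set).

    sssd-simple(5): if all lists are empty, access is granted.  The "$" entry
    written by the installer is not a valid login name, so its only effect is
    keeping the list non-empty, which makes it restrictive.
    """
    allowed = simple_allow_users(conf_text, domain)
    if not allowed:
        return True
    return user in allowed


def diagnose(journal_text, conf_text, domain):
    """Combine both checks into a one-line verdict for an operator."""
    hit = classify_pam_sss(journal_text)
    if hit is None:
        return "no pam_sss failure found"
    phase, user, _ = hit
    if phase == "auth":
        return f"{user}: credentials rejected in PAM auth phase (wrong password or Kerberos preauth failure)"
    if not user_allowed_by_simple(conf_text, domain, user):
        return f"{user}: denied in PAM account phase; not in simple_allow_users for {domain}"
    return f"{user}: denied in PAM account phase by another access rule"


if __name__ == "__main__":
    for sample in (JOURNAL_ACCOUNT_DENIED, JOURNAL_BAD_PASSWORD):
        print(diagnose(sample, SSSD_CONF, "mydomain.example.com"))
```

Run against the two samples, the first is reported as an account-phase denial traced to simple_allow_users, the second as an auth-phase credential failure, which is exactly the distinction the journal excerpts above rely on. On a real host, feed it `journalctl -u sshd` output and the contents of /etc/sssd/sssd.conf instead of the embedded samples.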