When RHEL/CentOS 7.2 was released there was a change in PAM configs which
For most people this won’t have made any difference, but if you occasionally use entries in
/etc/passwd to override user information from other sources (e.g. NIS, LDAP) then this can bite you.
The RHEL bug here shows the difference and discussion around it, which can be summarised in the following small change.
In CentOS 7.1 you see this line in the PAM configs:
auth sufficient pam_unix.so nullok try_first_pass
…whilst in 7.2 it changes to this:
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
The difference here is that the `pam_unix` entry essentially changes from (in PAM terms) “sufficient” to “required”, and any failure there means that authentication is denied.
“Well, my users are in LDAP so this won’t affect me!”
Probably, but if you happen to add an entry to
/etc/passwd to override something for a user, such as their shell, home directory or (in this case) their UID (yes, hacky I know, but old NIS habits die hard…):
..then this means that your user is defined as being a target for the pam_unix module (since it’s a local user defined in the local passwd file), and from 7.2 you hit that modified pam_unix line and get auth failures. In 7.1 you’d get entries in the logs saying that pam_unix denied access but it would continue on through the subsequent possibilities (pam_ldap, pam_sss or whatever else you have in there) and check the password against those.
The bug referenced above suggests a workaround of using
authconfig --enablenis, as this happens to set the pam_unix line back to the old version, but that has a bunch of other unwanted effects (like enabling NIS in
Obviously the real fix for our particular case is to not change the UID (which was a terrible hack anyway) but to reduce the
UID_MIN used in
/etc/logins.def to below the minimum UID required, and hope that there aren’t any clashes between users in LDAP and users which have already been created by packages being added (possibly ages ago…).
Hopefully this saves someone else some trouble with this surprise change in behaviour when upgrades are applied to existing machines and authconfig runs!
Some additional notes:
- This won’t change until you next run authconfig, which in this case was loooong after the 7.2 update…
- Not recommended : Putting pam_sss or pam_ldap before pam_unix as a workaround for the pam_unix failures in 7.2. Terrible problems happen with trying to use local users (including root!) if the network goes away.
- Adding the
UID_MINchange as early as possible is a good idea, so in your bootstrap process would be sensible, to avoid package-created users getting added with UIDs near to 1000.
- These Puppet modules were used in creation of this blog post:
This also affects if you have any locally-defined users, even if not overriding attributes.
For example, we have some users defined in Active Directory but then add them explicitly to the local /etc/passwd file, but with their password handled via krb5 to AD (with pam_krb5). This also breaks because the pam_unix module fails and is now “required” rather than just “sufficient”. Ugh 🙁