We managed to get a system here in to a state where it was not possible to log in using web access. There were no errors given to the user, and no errors in the server log. The user just got the login page again.
With some debug lines added we found that pamtester sends back the following lines:
> pamtester: performing operation - acct_mgmt
> pamtester: Permission denied
But all lines starting with "pamtester: " are ignored, so neither of these lines result in an error to the user or the log.
We don't know yet why the system is throwing these errors.
It is sssd that is denying login in for the thinlinc service:
From sssd's logs (after enabling debug output):
> (Thu Mar 8 15:13:51 2018) [sssd[be[lab.lkpg.cendio.se]]] [ad_gpo_access_send] (0x0400): service thinlinc maps to Denied
> Mar 8 15:13:51 ubuntu1604 pamtester: pam_sss(thinlinc:account): Access denied for user ossman: 6 (Permission denied)
See bug 7125 for why sssd was denying things.
After a closer look, we need a clean up here. We had a look at how sshd behaves and we will try to mimic that behavior.
The previous commit also broke some cases.
These are the cases we could think of:
A: auth failed, message from PAM
B: auth failed, no message from PAM
C: account failed, message from PAM
D: account failed, no message from PAM
The expected behavior is to get generic Auth or Access failed log messages in all cases. The user should see the PAM message if we got one, or a generic message otherwise.
Unfortunately we couldn't find any PAM module that allowed us to test B, so we will have to settle for a code review for this case.
Created attachment 870 [details]
pam_tester module to inject messages and error codes for testing
Created a PAM module to inject errors of different kinds. One can also make it silent so there is no pam_conv() of error messages available to the application.
(In reply to comment #12)
> A: auth failed, message from PAM
A generic message is viewed, expected view of PAM message
> B: auth failed, no message from PAM
A generic message is viewed
> C: account failed, message from PAM
Message from PAM module is displayed
> D: account failed, no message from PAM
A generic messages is viewed
(In reply to comment #14)
> (In reply to comment #12)
> > A: auth failed, message from PAM
> A generic message is viewed, expected view of PAM message
This can apparently be broken down a bit:
1. Error message, no prompt, auth failed
2. Error message, then prompt, auth failed
3. Error message, then prompt, auth succeeded
4. Prompt, then error message, auth failed
5. Prompt, then error message, auth succeeded
2., 3. and 5. will be handled on bug 5086 as we need that fixed to handle messages that are part of an ongoing conversation.
4. works fine right now.
So that leaves 1., which is indeed broken.
Should be fixed now.
Tester should also check authentication without any password (using pam_permit.so) as that was affected by this change.
Verified using build 5807
- Error message with no prompt
- Pam permit with and without error message
Works as expected