Bug 100504 - authconfig addition to pam.d/system-auth prevents local users from logging in when ldap server cannot be contacted
Keywords:
Status: CLOSED DUPLICATE of bug 55193
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: authconfig
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-07-22 23:24 UTC by Brad Smith
Modified: 2007-04-18 16:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-10-15 07:44:36 UTC



Description Brad Smith 2003-07-22 23:24:31 UTC
Description of problem:
No users, including local users, including root, can log in to the system if it
has been configured by authconfig to use ldap and the ldap server becomes
unavailable.

Version-Release number of selected component (if applicable):
RH9 

Steps to Reproduce:
1. Use authconfig to set up a system to use ldap authentication (not just user
info), but give it a bogus ldap server
2. Attempt to log in as root (or anyone else)
3. Hope that you remembered to keep an already logged-in session open. =:)
    
Additional info:
Bug has shown up under a number of other components, ex: bug #77575.

Proposed solution:
The solution to this problem was found by one of my students. Authconfig adds
the following line to /etc/pam.d/system-auth:

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

That line should read: 

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so

The addition of 'authinfo_unavail=ignore' to the line will cause pam_ldap.so to
return an 'ignore' value instead of the default 'bad' when it cannot contact the
server.
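
A simplified model of how Linux-PAM evaluates the two bracketed controls quoted above, added here as an illustration; it is not part of the original report or of authconfig. It assumes an "account required pam_unix.so" line precedes the pam_ldap line (the report does not show the rest of the stack), uses constructed module return codes, and models only the ok, bad and ignore actions.

```python
# Simplified model of Linux-PAM stack evaluation (ok / bad / ignore only).
# Module return codes below are constructed inputs, not captured from a system.
import re

# "required" written out in bracket form, as documented in pam.conf(5).
REQUIRED = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"
ORIGINAL = ("[default=bad success=ok user_unknown=ignore service_err=ignore "
            "system_err=ignore]")
PROPOSED = ORIGINAL[:-1] + " authinfo_unavail=ignore]"


def parse_control(control):
    """Turn '[name=action ...]' into a {return_code: action} dict."""
    return dict(re.findall(r"(\w+)=(\w+)", control))


def run_stack(stack):
    """stack: list of (control, module_return_code). Returns the stack result."""
    impression, status = None, "perm_denied"   # PAM starts from "must fail"
    for control, retval in stack:
        actions = parse_control(control)
        action = actions.get(retval, actions["default"])
        if action == "ok":
            # A success may only stand while no module has failed.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
        elif action == "bad":
            # The first failure fixes the result of the whole stack.
            if impression != "negative":
                impression, status = "negative", retval
        # "ignore": the module contributes nothing to the result.
    if status == "success" and impression != "positive":
        status = "perm_denied"
    return status


def account_result(ldap_control, ldap_retval, unix_retval="success"):
    """Assumed layout: 'account required pam_unix.so' precedes the pam_ldap line."""
    return run_stack([(REQUIRED, unix_retval), (ldap_control, ldap_retval)])


if __name__ == "__main__":
    for name, ctl in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for ret in ("authinfo_unavail", "user_unknown", "acct_expired"):
            print(f"{name:9} pam_ldap={ret:17} -> {account_result(ctl, ret)}")
```

With the proposed control, LDAP account checks are skipped rather than enforced while the server is unreachable, but a definite denial from pam_ldap such as acct_expired still fails the stack.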

Comment 1 Brad Smith 2003-09-12 12:56:16 UTC
This problem seems to be in the process of being dealt with as bug #55193.
Additional commentary should probably be added to that thread.

Comment 2 Tomas Mraz 2004-10-15 07:37:47 UTC

*** This bug has been marked as a duplicate of 55193 ***

