ghoneycutt / puppet-module-pam

Puppet module to manage PAM

pam::allowed_users removes user from multiple files, and only adds back to access_conf #154

Closed lukehinds closed 6 years ago

lukehinds commented 7 years ago

Using allowed_users revokes rights across several files, but then adding the user back only applies changes to File[access_conf]

[vagrant@puppet]$ cat hieradata/common.yaml 
    pam::allowed_users:
        - root
[vagrant@puppet ]$ sudo puppet apply -e 'include pam'

Notice: Compiled catalog for puppet.example.com in environment production in 0.47 seconds
Notice: /Stage[main]/Nsswitch/File[nsswitch_config_file]/content: content changed '{md5}d41798b95255e94c56c1959938059fc0' to '{md5}e7ea28fc3682b370384c9a7bdde14ff9'
Notice: /Stage[main]/Pam::Limits/File[limits_conf]/content: content changed '{md5}03e886ce446289e291df588a96ee5c56' to '{md5}d0c3c2d42490c423e92e8827514b778b'
Notice: /Stage[main]/Pam::Limits/File[limits_conf]/mode: mode changed '0644' to '0640'
Notice: /Stage[main]/Pam/File[pam_d_login]/content: content changed '{md5}0e8c66d8879a5f4c55b82e2fcc19459a' to '{md5}77748eda5f97df8563d291116752fc48'
Notice: /Stage[main]/Pam/File[pam_d_sshd]/content: content changed '{md5}ca51dcdb22404ef8cfb875583388c9de' to '{md5}fff49064681a02f15cc57943b8fb57c1'
Notice: /Stage[main]/Pam/File[pam_system_auth_ac]/content: content changed '{md5}94bd9b77cca20444082ca42870d16f47' to '{md5}3193655aa417fb1f75c08e120ad896db'
Notice: /Stage[main]/Pam/File[pam_system_auth]/target: target changed 'system-auth-ac' to '/etc/pam.d/system-auth-ac'
Notice: /Stage[main]/Pam/File[pam_password_auth_ac]/content: content changed '{md5}94bd9b77cca20444082ca42870d16f47' to '{md5}d8ba7dd00ddcfb1f311d2c635074f8be'
Notice: /Stage[main]/Pam/File[pam_password_auth]/target: target changed 'password-auth-ac' to '/etc/pam.d/password-auth-ac'
Notice: /Stage[main]/Pam::Accesslogin/File[access_conf]/content: content changed '{md5}13ec4d189f0ed9acf3433977a53d446b' to '{md5}ec70595296bcbf3658bcdc3381ddd0e6'
Notice: /Stage[main]/Pam::Limits/File[limits_d]/mode: mode changed '0755' to '0750'
Notice: Applied catalog in 0.24 seconds
[vagrant@puppet]$ sudo touch test
sudo: Unable to dlopen /usr/lib64/libsss_sudo.so: (null)
sudo: Unable to initialize SSS source. Is SSSD installed on your machine?

Add vagrant user back:

[vagrant@puppet ]$ cat hieradata/common.yaml 
    pam::allowed_users:
        - root
        - vagrant
[vagrant@puppet ]$ sudo puppet apply -e 'include pam'

Notice: Compiled catalog for puppet.example.com in environment production in 0.47 seconds
Notice: /Stage[main]/Pam::Accesslogin/File[access_conf]/content: content changed '{md5}ec70595296bcbf3658bcdc3381ddd0e6' to '{md5}575745f1f5bfedfe8c5c68d34e671a6c'
Notice: Applied catalog in 0.19 seconds
[vagrant@puppet production]$ sudo touch test_two
sudo: Unable to dlopen /usr/lib64/libsss_sudo.so: (null)
sudo: Unable to initialize SSS source. Is SSSD installed on your machine?
ghoneycutt commented 7 years ago

The pam module is changing other things on your system that are not related to the allowed users because when you specify pam::allowed_users the code contains include ::pam. Everything is working as expected in regards to specifying allowed_users.

This is the change from allowed_users:

Notice: /Stage[main]/Pam::Accesslogin/File[access_conf]/content: content changed

I am curious about the SSSD errors. Which OS and version are you using?
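Since the only allowed_users effect is the rewrite of access_conf, the thing worth checking before applying such a change is who is still permitted by the resulting /etc/security/access.conf. The following is an added example, not code from the module or from this thread: a small evaluator of pam_access first-match semantics run over a constructed access.conf that is assumed to be equivalent to `pam::allowed_users: [root]` (the module's real template output may differ), so a lockout of an account such as vagrant shows up before the catalog is applied.

```python
"""Evaluate access.conf rules the way pam_access does: first matching rule wins,
and with no matching rule access is granted."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample (assumption, not the module's template): allow root from
# anywhere, deny everyone else.
ROOT_ONLY = """
# pam_access rules managed by puppet (constructed sample)
+ : root : ALL
- : ALL : ALL
"""

Rule = Tuple[str, List[str], List[str]]  # (permission, users, origins)


def parse_access_conf(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _matches(field: List[str], value: str, groups: Dict[str, Iterable[str]]) -> bool:
    """Match a user or origin field: ALL, literal names, (group), and 'X EXCEPT Y'."""
    if "EXCEPT" in field:
        i = field.index("EXCEPT")
        return _matches(field[:i], value, groups) and not _matches(field[i + 1:], value, groups)
    for item in field:
        if item == "ALL":
            return True
        if item.startswith("(") and item.endswith(")"):  # group membership
            if value in groups.get(item[1:-1], ()):
                return True
        elif item == value:  # exact user name or origin (LOCAL, host); netgroups not handled
            return True
    return False


def access_allowed(text: str, user: str, origin: str = "LOCAL",
                   groups: Dict[str, Iterable[str]] = None) -> bool:
    for perm, users, origins in parse_access_conf(text):
        if _matches(users, user, groups or {}) and _matches(origins, origin, {}):
            return perm == "+"
    return True  # pam_access default when nothing matches


def lockout_report(text: str, users: Iterable[str]) -> Dict[str, bool]:
    """Which of the given accounts would still be admitted by this file."""
    return {u: access_allowed(text, u) for u in users}
```

Running `lockout_report(ROOT_ONLY, ["root", "vagrant"])` on the sample shows vagrant denied, which is the situation the first apply in this issue produced.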

lukehinds commented 7 years ago

Makes sense now, so it's applying the parameter defaults?

> I am curious about the SSSD errors. Which OS and version are you using?

[vagrant@puppet ~]$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"

[vagrant@puppet ~]$ uname -r
3.10.0-514.6.2.el7.x86_64