Two pam resource edits with same module value compete and produce unexpected results

[btoohey]

Using the following code

 pam { 'faillock_1' :
    ensure    => present,
    service   => 'password-auth',
    type      => 'auth',
    control   => 'required',
    module    => 'pam_faillock.so',
    arguments => ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'],
    position  => 'before *[type="auth" and module="pam_deny.so"]', 
  } ->

  pam { 'faillock_2' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'auth',
    control          => 'sufficient',
    module           => 'pam_faillock.so',
    arguments        => ['authfail', 'audit', 'deny=5', 'unlock_time=900'],
    position         => 'before *[type="auth" and module="pam_deny.so"]', 
  } 

Produces the following puppet notices:

Notice: /Stage[main]/Hdn_pam::Password_auth/Pam[faillock_1]/ensure: created
Notice: /Stage[main]/Hdn_pam::Password_auth/Pam[faillock_2]/arguments: arguments changed ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'] to 'authfail audit deny=5 unlock_time=900'
Notice: /Stage[main]/Hdn_pam::Password_auth/Pam[faillock_2]/control: control changed 'required' to 'sufficient'

And the faillock_2 resource overwrites the faillock_1 resource when they really should create two lines in password-auth:

auth    sufficient      pam_faillock.so authfail        audit   deny=5  unlock_time=900
auth    required        pam_deny.so

What I would expect to see is:

auth    required      pam_faillock.so  preauth       audit silent deny=5 unlock_time=900
auth    sufficient      pam_faillock.so authfail        audit   deny=5  unlock_time=900
auth    required        pam_deny.so

[raphink]

Is the line created in /etc/pam.conf or in a /etc/pam.d/* file?

[btoohey]

Line created in /etc/pam.d/password-auth-ac (RHEL 6)

[raphink]

Since you want to manage two resources with the same service, module and control values, control needs to be considered as a parameter (not a property). Try with:

 pam { 'faillock_1' :
    ensure    => present,
    service   => 'password-auth',
    type      => 'auth',
    control   => 'required',
    control_is_param => true,
    module    => 'pam_faillock.so',
    arguments => ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'],
    position  => 'before *[type="auth" and module="pam_deny.so"]', 
  } ->

  pam { 'faillock_2' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'auth',
    control          => 'sufficient',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['authfail', 'audit', 'deny=5', 'unlock_time=900'],
    position         => 'before *[type="auth" and module="pam_deny.so"]', 
  } 

As a note, the resource ordering (using ->) will ensure the right positioning of the entries if they don't exist, but if faillock_2 already exists, faillock_1 will be added after it.

[btoohey]

Thank you. That corrected the overwriting issue. I am a bit stumped though on how to accomplish the ordering. As you mention, faillock_1 gets added after faillock_2.

What I want to do is add these four lines:

auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        [success=1 default=bad] pam_unix.so
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900

in this order just above the following line:

auth        required pam_deny.so

[raphink]

You can order them relatively to one another.

[btoohey]

Thank you. I was able to find a relative ordering scheme using position that works. I didn't think I was going to be able use position in relation to a entry that is created in the same module.

[raphink]

Can we close that issue then?

[btoohey]

This can be closed. Thank you.