r/system-auth: skip session winbind for local users

If winbind is unable to communicate with any domain controller, the
`pam_winbind.so` module will time out.  In _auth_ and _account_ context,
this was not an issue, at least for local users, because other modules
terminated the stack before `pam_winbind.so` was called.  In _session_
context, though, nothing terminated the stack at all, so
`pam_winbind.so` was called unconditionally.  This prevented even _root_
from logging in on the console.  This made troubleshooting difficult,
especially for the VM hosts, when the domain controllers were down.
frigate-exporter
Dustin 2024-08-13 21:04:42 -05:00
parent f51e0fe2a9
commit 27b172f083
1 changed files with 1 additions and 0 deletions

@ -36,5 +36,6 @@ session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so session required pam_unix.so
{% if pam_winbind %} {% if pam_winbind %}
session sufficient pam_localuser.so
session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
{% endif %} {% endif %}
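
Review bot: On the added `session sufficient pam_localuser.so` line, `sufficient` returns from the whole session stack for local users rather than only skipping `pam_winbind.so`, so any session module later placed after `{% endif %}` would silently never run for them. Consider `session [success=1 default=ignore] pam_localuser.so`, which jumps over just the following line and matches the `pam_succeed_if.so` idiom already used for crond two lines up. A short template comment noting that this line exists to avoid the winbind timeout when no domain controller is reachable would also keep it from being removed as redundant later.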