RHEL-38860

Enabling Session Recording On RHEL9 Disables OddJob From Pam.D


      Env: rhel9.3, sssd: sssd-2.9.1-4.el9_3.5.x86_64

      Problem Description:
      ===================
      When the session recording feature is enabled, and then the option to exclude the root account is picked, it makes changes to the files in pam.d. At this point the oddjob lines are removed; hence a first-time user who wants to log in does not get a home directory.

      How reproducible:

      1) Bring up a fresh VM with RHEL9 installed
      2) Go into /etc/pam.d and note that password-auth and system-auth files have oddjob enabled
      3) yum install cockpit -y
      4) yum install tlog cockpit-session-recording -y
      5) systemctl start cockpit.socket
      6) systemctl enable cockpit.socket --now
      7) [ At this point port 9090 is active for cockpit ]
      8) Log into cockpit on tcp/9090 and become administrator
      9) Click on Session Recording on left edge
      10) Click on Gear icon (preferences)
      11) Under SSSD Config, select 'All'
      12) Under Exclude Users put in a few users not to record including root
      13) Select [Save]
      14) Go back into /etc/pam.d and the oddjob lines are removed from password-auth and system-auth

      Steps to reproduce

      [root@shasrhel9 sshadmin]# cat /etc/pam.d/system-auth
      # Generated by authselect on Tue Feb 6 16:27:11 2024
      # Do not modify this file manually.

      auth required pam_env.so
      auth required pam_faildelay.so delay=2000000
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth [default=1 ignore=ignore success=ok] pam_localuser.so
      auth sufficient pam_unix.so nullok
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth sufficient pam_sss.so forward_pass
      auth required pam_deny.so

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_usertype.so issystem
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so

      password requisite pam_pwquality.so local_users_only
      password sufficient pam_unix.so sha512 shadow nullok use_authtok
      password [success=1 default=ignore] pam_localuser.so
      password sufficient pam_sss.so use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      -session optional pam_systemd.so
      session optional pam_oddjob_mkhomedir.so
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_sss.so
      [root@shasrhel9 sshadmin]# authselect current
      Profile ID: sssd
      Enabled features:

      - with-mkhomedir
      - with-sudo
      [root@shasrhel9 sshadmin]#

      [root@shasrhel9 sshadmin]# cat /etc/redhat-release
      Red Hat Enterprise Linux release 9.3 (Plow)

      [root@shasrhel9 sshadmin]# yum install cockpit -y
      Updating Subscription Management repositories.
      Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 3.4 kB/s | 4.5 kB 00:01
      Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 2.8 MB/s | 35 MB 00:12
      Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 6.8 kB/s | 4.1 kB 00:00
      Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 3.1 MB/s | 22 MB 00:07
      Last metadata expiration check: 0:00:02 ago on Fri 24 May 2024 09:57:17 PM IST.
      Package cockpit-300.3-1.el9_3.x86_64 is already installed.
      Dependencies resolved.
      ===================================================================================================================================================================================================================
      Package Architecture Version Repository Size
      ===================================================================================================================================================================================================================
      Upgrading:
      cockpit x86_64 311.1-1.el9 rhel-9-for-x86_64-baseos-rpms 43 k

      Transaction Summary
      ===================================================================================================================================================================================================================
      Upgrade 1 Package

      Total download size: 43 k
      Downloading Packages:
      cockpit-311.1-1.el9.x86_64.rpm 11 kB/s | 43 kB 00:03
      ............
      ................
      ...............

      Installed:
      cockpit-session-recording-16-1.el9.noarch tlog-14-1.el9.x86_64

      Complete!
      [root@shasrhel9 sshadmin]#

      [root@shasrhel9 sshadmin]# systemctl start cockpit.socket
      [root@shasrhel9 sshadmin]# systemctl enable cockpit.socket --now
      Created symlink /etc/systemd/system/sockets.target.wants/cockpit.socket → /usr/lib/systemd/system/cockpit.socket.
      [root@shasrhel9 sshadmin]#

      ------------------------------------
      Logged into cockpit on tcp/9090 and became administrator
      Clicked on Session Recording on left edge
      Clicked on Gear icon (preferences)
      Under SSSD Config, selected 'All'
      Under Exclude Users put in a few users not to record, including root (I entered root)
      Select [Save]
      Now back to terminal
      -------------------------------------

      [root@shasrhel9 sshadmin]# cat /etc/pam.d/system-auth

      # Generated by authselect on Fri May 24 22:02:26 2024
      # Do not modify this file manually.

      auth required pam_env.so
      auth required pam_faildelay.so delay=2000000
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth [default=1 ignore=ignore success=ok] pam_localuser.so
      auth sufficient pam_unix.so nullok
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth sufficient pam_sss.so forward_pass
      auth required pam_deny.so

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_usertype.so issystem
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so

      password requisite pam_pwquality.so local_users_only
      password sufficient pam_unix.so sha512 shadow nullok use_authtok
      password [success=1 default=ignore] pam_localuser.so
      password sufficient pam_sss.so use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      -session optional pam_systemd.so
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_sss.so
      [root@shasrhel9 sshadmin]#
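An added drift check (written for this report, not part of the bug report or of cockpit-session-recording) that flags exactly the change shown in the two cat outputs above: the session stack losing its pam_oddjob_mkhomedir.so line after the Cockpit preferences are saved. It assumes the two authselect-managed files named in the report, and the before/after sample stacks it builds for the offline demo are constructed from the report's output.

```shell
#!/bin/sh
# Added drift check for the report above (not part of the bug report or of
# cockpit-session-recording). Assumes the two authselect-managed files named
# in the report; the sample stacks built below are constructed from its output.

# 0 if FILE still has an active "session ... pam_oddjob_mkhomedir.so" line.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*-?session[[:space:]]+.*pam_oddjob_mkhomedir\.so' "$1"
}

# One status line per file; returns 1 if any file lost the module, i.e. first
# logins of SSSD users would no longer get a home directory created.
pam_mkhomedir_report() {
    rc=0
    for f in "$@"; do
        if pam_has_mkhomedir "$f"; then
            echo "OK      $f: pam_oddjob_mkhomedir.so present"
        else
            echo "MISSING $f: pam_oddjob_mkhomedir.so absent"
            rc=1
        fi
    done
    return "$rc"
}

# Write a constructed session stack to $1; $2 is "with" or "without" oddjob,
# mirroring the before/after system-auth output in the report.
make_sample() {
    {
        echo 'session optional pam_keyinit.so revoke'
        echo 'session required pam_limits.so'
        echo '-session optional pam_systemd.so'
        [ "$2" = with ] && echo 'session optional pam_oddjob_mkhomedir.so'
        echo 'session required pam_unix.so'
        echo 'session optional pam_sss.so'
    } > "$1"
}

case "${1:-}" in
    --check)   # live run against the files authselect regenerated
        pam_mkhomedir_report /etc/pam.d/system-auth /etc/pam.d/password-auth ;;
    *)         # offline demo on the constructed before/after samples
        d=$(mktemp -d)
        make_sample "$d/before" with
        make_sample "$d/after" without
        pam_mkhomedir_report "$d/before" "$d/after" || echo "drift detected"
        rm -rf "$d" ;;
esac
```

Run it with `--check` before and after step 13 of the reproduction to see the session stack change; a MISSING line for either file is the condition this report describes.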
