Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-38860

Enabling Session Recording On RHEL9 Disables OddJob From Pam.D

    • cockpit-session-recording-17-1.el9
    • None
    • Moderate
    • rhel-sst-idm-sssd
    • ssg_idm
    • 0
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • None
    • x86_64
    • None

      – Enabling Session Recording On RHEL9 Disables OddJob From Pam.D

      – Env : *rhel9.3
      sssd: sssd-2.9.1-4.el9_3.5.x86_64*

      Problem Description:
      ===================
      When session login feature is enabled , and then pick the option to exclude the root account it makes changes to files in pam.d At this point the oddjob lines are removed. hence first tme user who want to login does not get home directory.

      How reproducible:

      1) Bring up a fresh VM with RHEL9 installed
      2) Go into /etc/pam.d and note that password-auth and system-auth files have oddjob enabled
      3) yum install cockpit -y
      4) yum install tlog cockpit-session-recording -y
      5) systemctl start cockpit.socket
      6) systemctl enable cockpit.socket --now
      7) [ At this point port 9090 is active for cockpit ]
      8) Log into cockpit on tcp/9090 and become administrator
      9) Click on Session Recording on left edge
      10) Click on Gear icon (preferences)
      11) Under SSSD Config, select 'All'
      12) Under Exclude Users put in a few users not to record including root
      13) Select [Save]
      14) Go back into /etc/pam.d and the oddjob lines are removed from password-auth and system-auth

      Steps to reproduce

      1. [root@shasrhel9 sshadmin]# cat /etc/pam.d/system-auth
      2. Generated by authselect on Tue Feb 6 16:27:11 2024
      3. Do not modify this file manually.

      auth required pam_env.so
      auth required pam_faildelay.so delay=2000000
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth [default=1 ignore=ignore success=ok] pam_localuser.so
      auth sufficient pam_unix.so nullok
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth sufficient pam_sss.so forward_pass
      auth required pam_deny.so

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_usertype.so issystem
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so

      password requisite pam_pwquality.so local_users_only
      password sufficient pam_unix.so sha512 shadow nullok use_authtok
      password [success=1 default=ignore] pam_localuser.so
      password sufficient pam_sss.so use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      -session optional pam_systemd.so
      session optional pam_oddjob_mkhomedir.so
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_sss.so
      [root@shasrhel9 sshadmin]# authselect current
      Profile ID: sssd
      Enabled features:

      • with-mkhomedir
      • with-sudo
        [root@shasrhel9 sshadmin]#

      [root@shasrhel9 sshadmin]# cat /etc/redhat-release
      Red Hat Enterprise Linux release 9.3 (Plow)

      [root@shasrhel9 sshadmin]# yum install cockpit -y
      Updating Subscription Management repositories.
      Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 3.4 kB/s | 4.5 kB 00:01
      Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 2.8 MB/s | 35 MB 00:12
      Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 6.8 kB/s | 4.1 kB 00:00
      Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 3.1 MB/s | 22 MB 00:07
      Last metadata expiration check: 0:00:02 ago on Fri 24 May 2024 09:57:17 PM IST.
      Package cockpit-300.3-1.el9_3.x86_64 is already installed.
      Dependencies resolved.
      ===================================================================================================================================================================================================================
      Package Architecture Version Repository Size
      ===================================================================================================================================================================================================================
      Upgrading:
      cockpit x86_64 311.1-1.el9 rhel-9-for-x86_64-baseos-rpms 43 k

      Transaction Summary
      ===================================================================================================================================================================================================================
      Upgrade 1 Package

      Total download size: 43 k
      Downloading Packages:
      cockpit-311.1-1.el9.x86_64.rpm 11 kB/s | 43 kB 00:03
      ............
      ................
      ...............

      Installed:
      cockpit-session-recording-16-1.el9.noarch tlog-14-1.el9.x86_64

      Complete!
      [root@shasrhel9 sshadmin]#

      [root@shasrhel9 sshadmin]# systemctl start cockpit.socket
      [root@shasrhel9 sshadmin]# systemctl enable cockpit.socket --now
      Created symlink /etc/systemd/system/sockets.target.wants/cockpit.socket → /usr/lib/systemd/system/cockpit.socket.
      [root@shasrhel9 sshadmin]#

      ------------------------------------
      Logged into cockpit on tcp/9090 and become administrator
      Click on Session Recording on left edge
      Click on Gear icon (preferences)
      Under SSSD Config, select 'All'
      Under Exclude Users put in a few users not to record including root- I entered root
      Select [Save]
      Now back to terminal
      -------------------------------------

      [root@shasrhel9 sshadmin]# cat /etc/pam.d/system-auth

      1. Generated by authselect on Fri May 24 22:02:26 2024
      2. Do not modify this file manually.

      auth required pam_env.so
      auth required pam_faildelay.so delay=2000000
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth [default=1 ignore=ignore success=ok] pam_localuser.so
      auth sufficient pam_unix.so nullok
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth sufficient pam_sss.so forward_pass
      auth required pam_deny.so

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_usertype.so issystem
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so

      password requisite pam_pwquality.so local_users_only
      password sufficient pam_unix.so sha512 shadow nullok use_authtok
      password [success=1 default=ignore] pam_localuser.so
      password sufficient pam_sss.so use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      -session optional pam_systemd.so
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_sss.so
      [root@shasrhel9 sshadmin]#

      Expected results

      Actual results

              rhn-support-jstephen Justin Stephenson
              rhn-support-rakkumar Rakesh Kumar
              Justin Stephenson Justin Stephenson
              Anuj Borah Anuj Borah
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

                Created:
                Updated: