RHEL-88001

pam_access does not match domain user with @ sign


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-9.5.z
    • pam
    • Low
    • rhel-idm-zta
    • ssg_idm

      What were you trying to do that didn't work?

      Use pam_access for access control to restrict users from AD domain.

      If a fully-qualified name (with the "@" symbol) is specified, the domain user is denied:

      +:bob@ad.example.com:ALL
      -:ALL:ALL

      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): login_access: user=bob@ad.example.com, from=cron, file=/etc/security/access.conf
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): line 124: + : bob@ad.example.com : ALL
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): list_match: list=bob@ad.example.com, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): user_match: tok=bob@ad.example.com, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): user_match: tok=bob, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): string_match: tok=bob, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): user_match=0, "bob@ad.example.com"
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): line 125: - : ALL : ALL
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): list_match: list=ALL, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): user_match: tok=ALL, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): string_match: tok=ALL, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): user_match=2, "bob@ad.example.com"
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): list_match: list=ALL, item=bob@ad.example.com
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): from_match: tok=ALL, item=cron
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): string_match: tok=ALL, item=cron
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): from_match=2, "cron"
      Apr 22 08:31:29 rhel9 crontab[15312]: pam_access(crond:account): access denied for user `bob@ad.example.com' from `cron'

      If a fully-qualified group name (with the "@" symbol) is defined, the domain group is matched:

      +:(domain users@ad.example.com):ALL
      -:ALL:ALL

      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): login_access: user=bob@ad.example.com, from=cron, file=/etc/security/access.conf
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): line 124: + : (domain users@ad.example.com) : ALL
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): list_match: list=(domain users@ad.example.com), item=bob@ad.example.com
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): user_match: tok=(domain users@ad.example.com), item=bob@ad.example.com
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): group_match: grp=(domain users@ad.example.com), user=bob@ad.example.com
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): user_match=1, "bob@ad.example.com"
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): list_match: list=ALL, item=bob@ad.example.com
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): from_match: tok=ALL, item=cron
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): string_match: tok=ALL, item=cron
      Apr 22 08:33:04 rhel9 crontab[15341]: pam_access(crond:account): from_match=2, "cron"

      The man page says the second field should contain login names or group names, and describes the format "user@host":

      # The second field should be a list of one or more login names, group
      # names, or ALL (always matches). A pattern of the form user@host is
      # matched when the login name matches the "user" part, and when the
      # "host" part matches the local machine name.

      Therefore, according to the man page, user "bob" from host "ad.example.com" should be matched. That explains the denial of the user. However, the same logic cannot explain the behaviour when the domain group is matched. This logic is not consistently applied.
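      To make the two traces above easier to compare, here is a small model of the second-field matching rules, written from the access.conf(5) text and the debug output in this report. It is an added illustration, not pam_access's own code: the tokenizer, the result codes (0 = no match, 1 = match, 2 = ALL, as they appear in "user_match=0/1/2"), the local hostname "rhel9" taken from the log prefix, and bob's membership in "domain users@ad.example.com" are all constructed for the example. It also covers the man-page case the report does not show, a token such as "bob@rhel9" matching user "bob" when the host part equals the local machine name.

```python
"""Simplified model of pam_access second-field matching (added example,
not pam's implementation).  It reproduces the two outcomes in the report:
a login name containing '@' is split as user@host and so never matches
itself, while a parenthesised group name containing '@' goes straight to
group matching.  EXCEPT lists, netgroups and tty/host origin matching
are left out for brevity."""
import re

NO, YES, ALL = 0, 1, 2  # result codes as shown in the trace (user_match=0/1/2)


def string_match(tok, item):
    """'ALL' matches anything; otherwise an exact comparison."""
    if tok == "ALL":
        return ALL
    return YES if tok == item else NO


def group_match(tok, groups):
    """A token in parentheses names a group; match if the user belongs to it."""
    return YES if tok[1:-1] in groups else NO


def user_match(tok, login, hostname, groups):
    """Model of the user field rules from access.conf(5).

    Order matters: a parenthesised token is treated as a group first (this is
    what the trace shows for '(domain users@ad.example.com)'); any other
    token containing '@' is split into user@host, where the user part must
    equal the *whole* login name and the host part the local machine name."""
    if tok.startswith("(") and tok.endswith(")"):
        return group_match(tok, groups)
    # skip a leading '@' (netgroup prefix) before looking for the user@host split
    at = tok.find("@", len(tok) - len(tok.lstrip("@")))
    if at != -1:
        user_part, host_part = tok[:at], tok[at + 1:]
        # 'bob' compared with 'bob@ad.example.com' fails here -> user_match=0
        if user_match(user_part, login, hostname, groups) == NO:
            return NO
        return string_match(host_part, hostname)
    return string_match(tok, login)


def from_match(tok, origin):
    """Simplified origin matching: 'ALL' or an exact origin name."""
    return string_match(tok, origin)


def tokenize(field):
    """Split a list field on whitespace/commas, keeping '(group name)' intact."""
    return re.findall(r"\([^)]*\)|[^\s,]+", field)


def parse_access_conf(text):
    """Parse access.conf lines into (permission, user tokens, origin tokens)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm.strip(), tokenize(users), tokenize(origins)))
    return rules


def login_access(rules, login, origin, hostname, groups):
    """First rule whose user list and origin list both match decides;
    with no matching rule pam_access permits access."""
    for perm, users, origins in rules:
        if not any(user_match(t, login, hostname, groups) != NO for t in users):
            continue
        if not any(from_match(t, origin) != NO for t in origins):
            continue
        return "allowed" if perm == "+" else "denied"
    return "allowed"


# Constructed access.conf fragments mirroring the report, plus the man-page case.
USER_RULE = "+:bob@ad.example.com:ALL\n-:ALL:ALL\n"
GROUP_RULE = "+:(domain users@ad.example.com):ALL\n-:ALL:ALL\n"
LOCAL_HOST_RULE = "+:bob@rhel9:ALL\n-:ALL:ALL\n"


def demo():
    """Evaluate the three configurations; 'rhel9' is the local hostname
    from the log prefix and the group membership is constructed."""
    groups = {"domain users@ad.example.com"}
    return {
        "user_rule": login_access(parse_access_conf(USER_RULE),
                                  "bob@ad.example.com", "cron", "rhel9", groups),
        "group_rule": login_access(parse_access_conf(GROUP_RULE),
                                   "bob@ad.example.com", "cron", "rhel9", groups),
        "local_host_rule": login_access(parse_access_conf(LOCAL_HOST_RULE),
                                        "bob", "cron", "rhel9", set()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

      Running it prints "user_rule: denied", "group_rule: allowed" and "local_host_rule: allowed", which is the asymmetry the report describes: the user form is parsed as user@host, the group form is not.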

      What is the impact of this issue to you?

      Domain user is not matched in pam_access

      Please provide the package NVR for which the bug is seen:

      pam-1.5.1-22.el9_5.x86_64

      How reproducible is this bug?:

      Always, when fully-qualified username is defined in access.conf

      Expected results:

      Domain username and domain groupname with "@" symbol can be matched by pam_access.

      Actual results:

      Domain username with "@" symbol cannot be matched by pam_access. However, domain groupname with "@" symbol can be matched.

              Iker Pedrosa (ipedrosa@redhat.com)
              Sunny Wu (rhn-support-suwu)
              Iker Pedrosa
              Anuj Borah
              Votes: 1
              Watchers: 8