Add pam.d flags to maintain compatibility with FreeIPA deployments. #753
I should also add, existing variables such as |
Description
FreeIPA uses authselect to enforce various system policies, such as creating a home directory or enabling sudo support for users. dev-sec.os_hardening unconditionally overrides various system links such as:
/etc/pam.d/rhel_auth.j2
/etc/pam.d/password-auth
/etc/pam.d/system-auth
This breaks FreeIPA, as the authselect tool expects the system to be in a particular state. This makes use of dev-sec.os_hardening tricky when used in conjunction with FreeIPA domain management.
Solution
Add additional flags to control this behaviour as FreeIPA assumes it has control over pam.d once deployed.
Alternatives
Add additional variables to supply a path that overrides the pam.d links.
Additional information
This is the output of
sudo authselect enable-feature with-mkhomedir
on an AlmaLinux 9.3 Server after joining a FreeIPA domain:
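An added example, not part of the issue and not code from dev-sec.os_hardening: a pre-flight check that reports whether the PAM stack files named in the description are still authselect-managed links or have been replaced by regular files. It assumes the authselect layout in which /etc/pam.d/<name> is a symlink to /etc/authselect/<name>; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect PAM stack files that are no longer authselect links.
# Assumption: authselect keeps /etc/pam.d/<name> -> /etc/authselect/<name>.

# pam_link_state ROOT NAME
# Prints one of: managed, foreign-link, replaced, missing.
pam_link_state() {
    root=$1; name=$2
    path="$root/etc/pam.d/$name"
    if [ -L "$path" ]; then
        # Compare the link target itself; it may dangle inside a test tree.
        target=$(readlink "$path")
        case "$target" in
            /etc/authselect/"$name") echo managed ;;
            *) echo foreign-link ;;
        esac
    elif [ -e "$path" ]; then
        # A regular file here means something wrote over the link.
        echo replaced
    else
        echo missing
    fi
}

# pam_authselect_intact ROOT
# Prints the state of each file; returns 0 only if all are still managed.
pam_authselect_intact() {
    rc=0
    for name in system-auth password-auth; do
        state=$(pam_link_state "$1" "$name")
        printf '%s: %s\n' "$name" "$state"
        [ "$state" = managed ] || rc=1
    done
    return $rc
}

# Constructed sample tree: system-auth is still an authselect link,
# password-auth has been overwritten with a regular file.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/pam.d" "$t/etc/authselect"
    ln -s /etc/authselect/system-auth "$t/etc/pam.d/system-auth"
    echo 'auth required pam_deny.so' > "$t/etc/pam.d/password-auth"
    echo "$t"
}
```

Call `pam_authselect_intact ""` to check the live root before and after applying a hardening role; on a host with authselect installed, `authselect check` runs the tool's own validation.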