FreeIPA uses authselect to enforce various system policies, such as creating a home directory or enabling sudo support for users. dev-sec.os_hardening unconditionally overrides various system links such as:
/etc/pam.d/rhel_auth.j2
/etc/pam.d/password-auth
/etc/pam.d/system-auth
This breaks FreeIPA, as the authselect tool expects the system to be in a particular state. This makes use of dev-sec.os_hardening tricky when used in conjunction with FreeIPA domain management.
Solution
Add additional flags to control this behaviour as FreeIPA assumes it has control over pam.d once deployed.
Alternatives
Add additional variables to supply a path that overrides the pam.d links.
Additional information
This is the output of sudo authselect enable-feature with-mkhomedir on an AlmaLinux 9.3 server after joining a FreeIPA domain:
[error] Link [/etc/pam.d/system-auth] does not point to [/etc/authselect/system-auth]
[error] [/etc/pam.d/system-auth] was not created by authselect!
[error] Link [/etc/pam.d/password-auth] does not point to [/etc/authselect/password-auth]
[error] [/etc/pam.d/password-auth] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists
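The errors above come from authselect verifying one invariant: each managed file under /etc/pam.d must be a symlink to the file of the same name under /etc/authselect. The following pre-flight check, added here as an example and not code from the issue or from the dev-sec role, reproduces that invariant on a throwaway directory tree so it can be run offline before a hardening role is applied. The paths come from the error output; the directory builder, the "intact"/"hardened" states and the placeholder file contents are constructed for the example. On a real host, `authselect check` performs the equivalent verification against the live configuration.

```shell
#!/bin/sh
# Added example (not from the issue or the dev-sec role): re-implements the link
# check authselect performs, so a deployment can refuse to run a hardening role
# when /etc/pam.d is no longer authselect-managed.

# check_authselect_links PAMDIR AUTHSELECTDIR
# Returns 0 when every managed file in PAMDIR is a symlink to the same name in
# AUTHSELECTDIR, 1 otherwise, printing one [error] line per problem in
# authselect's own wording (taken from the output quoted in the issue).
check_authselect_links() {
  pamdir=$1
  asdir=$2
  rc=0
  for name in system-auth password-auth; do
    link="$pamdir/$name"
    want="$asdir/$name"
    if [ ! -L "$link" ]; then
      # A regular file here is exactly what a template-rendering role leaves behind.
      echo "[error] [$link] was not created by authselect!" >&2
      rc=1
    elif [ "$(readlink "$link")" != "$want" ]; then
      echo "[error] Link [$link] does not point to [$want]" >&2
      rc=1
    fi
  done
  return $rc
}

# demo_state STATE
# Builds a throwaway tree under a temp directory and prints its root.
# "intact"   : pam.d entries are symlinks into authselect/ (post-ipa-client-install)
# "hardened" : pam.d entries are regular files (what an unconditional template
#              deploy produces). File contents are constructed placeholders.
demo_state() {
  state=$1
  root=$(mktemp -d)
  mkdir -p "$root/etc/pam.d" "$root/etc/authselect"
  for name in system-auth password-auth; do
    printf '# %s generated by authselect (placeholder)\n' "$name" \
      > "$root/etc/authselect/$name"
    if [ "$state" = intact ]; then
      ln -s "$root/etc/authselect/$name" "$root/etc/pam.d/$name"
    else
      printf '# %s rendered from a hardening template (placeholder)\n' "$name" \
        > "$root/etc/pam.d/$name"
    fi
  done
  echo "$root"
}

# check_state STATE
# Exercises the check against a demo tree and cleans up; 0 means pam.d is still
# authselect-managed, 1 means it has been overwritten.
check_state() {
  root=$(demo_state "$1")
  if check_authselect_links "$root/etc/pam.d" "$root/etc/authselect"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$root"
  return $rc
}

# Run directly with an argument to see the result, e.g. `sh check.sh hardened`;
# with no argument the file only defines the functions.
if [ $# -gt 0 ]; then
  if check_state "$1"; then
    echo "pam.d is still authselect-managed"
  else
    echo "pam.d has been overwritten; authselect enable-feature will refuse to run"
  fi
fi
```

Running it with `hardened` prints the same two "was not created by authselect!" lines as the issue's output and exits non-zero; with `intact` it exits 0. The real check runs against /etc/pam.d and /etc/authselect, which is what `authselect check` does without the demo scaffolding.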
I should also add that existing variables such as os_auth_pam_oddjob_mkhomedir are insufficient, as commands such as authselect enable-feature with-sudo are also required to manage practical deployments. authselect also controls smart cards, fingerprint readers etc.