Merge pull request #3696 from flatcar/tormath1/pam-sssd

tormath1 · web-flow · commit d79e5424e080 · 2026-02-13T09:52:27.000+01:00
package.use: enable back sssd for pambase
diff --git a/changelog/bugfixes/2026-02-10-sssd.md b/changelog/bugfixes/2026-02-10-sssd.md
@@ -0,0 +1 @@
+- Enabled back PAM sssd support for LDAP authentication ([scripts#3696](https://github.com/flatcar/scripts/pull/3696))
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
@@ -1,4 +1,4 @@
-From 3eb1fea6104cd4bbc978e11974f337549edaf2e4 Mon Sep 17 00:00:00 2001
+From 7dce3aef1c67e5884aa7962c5c34a51d9760bd13 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Thu, 9 Oct 2025 17:32:38 +0200
 Subject: [PATCH 1/2] Reorganize the login sessions
@@ -163,5 +163,5 @@ index 150061f..690396f 100644
  
  {% if sssd %}
 -- 
-2.51.0
+2.52.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch
@@ -1,14 +1,14 @@
-From 55c811bb55334a9c5ba19e5c7ec61a9ede365a37 Mon Sep 17 00:00:00 2001
+From 41efbef049829f738d1e6ad172f4b1a8bc6a6e6d Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Fri, 10 Oct 2025 11:47:43 +0200
 Subject: [PATCH 2/2] Flatcar modifications
 
 ---
- templates/system-auth.tpl | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
+ templates/system-auth.tpl | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
 
 diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
-index 905d04f..c78f9d6 100644
+index 905d04f..b211abb 100644
 --- a/templates/system-auth.tpl
 +++ b/templates/system-auth.tpl
 @@ -9,11 +9,15 @@ auth		[default={{ 3 + homed + (sssd * 3) }}]	pam_permit.so
@@ -30,7 +30,22 @@ index 905d04f..c78f9d6 100644
  
  {% if homed %}
  auth		[success=2 default=ignore]	pam_systemd_home.so
-@@ -45,9 +49,13 @@ account		[success={{ 2 if sssd else 1 }} default=ignore]	pam_systemd_home.so
+@@ -21,13 +25,11 @@ auth		[success=2 default=ignore]	pam_systemd_home.so
+ 
+ {% if sssd %}
+ auth		sufficient	pam_unix.so {{ nullok }} {{ debug }}
++auth		sufficient	pam_sss.so forward_pass {{ debug }}
+ {% else %}
+ auth		[success=1 new_authtok_reqd=1 ignore=ignore default=bad]	pam_unix.so {{ nullok }} {{ debug }} try_first_pass
+ {% endif %}
+ auth		[default=die]	pam_faillock.so authfail
+-{% if sssd %}
+-auth		sufficient	pam_sss.so forward_pass {{ debug }}
+-{% endif %}
+ {% if caps %}
+ auth		optional	pam_cap.so
+ {% endif %}
+@@ -45,9 +47,13 @@ account		[success={{ 2 if sssd else 1 }} default=ignore]	pam_systemd_home.so
  account		required	pam_unix.so {{ debug }}
  account		required	pam_faillock.so
  {% if sssd %}
@@ -48,5 +63,5 @@ index 905d04f..c78f9d6 100644
  {% endif %}
  
 -- 
-2.51.0
+2.52.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -193,7 +193,7 @@ sys-apps/gawk -mpfr
 
 # We never had passwdqc stuff in old pam sys configs, so disable it
 # for now. Maybe this is something to enable later.
-sys-auth/pambase securetty -passwdqc
+sys-auth/pambase securetty -passwdqc sssd
 
 # We run the server in a container.
 dev-db/etcd -server

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+- Enabled back PAM sssd support for LDAP authentication ([scripts#3696](https://github.com/flatcar/scripts/pull/3696))`