pam provider ignores password-auth

[raphink]

I have configuration like this

class add_radius_config {
  pam { "Add radius authentication to system-auth":
    ensure => present,
    service => "system-auth",
    type => "auth",
    module => "pam_radius_auth.so",
    position => "after module pam_env.so",
    arguments => ["try_first_pass", "localifdown", "conf=/etc/sysconfig/raddb", "client_id=tacacs"],
    control => "sufficient"
  }

  pam { "Add radius authentication password-auth":
    ensure => present,
    service => "password-auth-ac",
    type => "auth",
    module => "pam_radius_auth.so",
    position => "after module pam_env.so",
    arguments => ["try_first_pass", "localifdown", "conf=/etc/sysconfig/raddb", "client_id=tacacs"],
    control => "sufficient",
  }
}

For some strange reason, it only applies system-auth, and ignores password-auth
completely. I cannot see anything in logs about it. If I change system-auth, it will repair the settings, but not for password-auth.

[hdeadman]

I was having a similar problem where I would reference service => password-auth and the change would go in system-auth. I got around it by specify the full path to the target file:

pam { 'Set cracklib limits in password-auth':
  ensure    => present,
  target    => '/etc/pam.d/password-auth',
  type      => 'password',
  module    => 'pam_cracklib.so',
  arguments => ['try_first_pass','retry=3','maxrepeat=3','minlen=10','dcredit=-1','ucredit=-1','ocredit=-1','lcredit=-1','difok=4'],
}

[cmouse]

Did not help, unfortunately. password-auth file remains untouched. Also puppet agent --test --debug does not appear to show any information about pam being ran at all.

[raphink]

I can confirm this bug, although in my case, it behaves slightly differently:

$ puppet apply ticket_105.pp 
notice: /Stage[main]//Pam[Add radius authentication password-auth]/ensure: created
notice: Finished catalog run in 0.26 seconds

actually created (I'm using a fakeroot) /etc/pam.d/system-auth:

auth    sufficient  pam_radius_auth.so  try_first_pass  localifdown conf=/etc/sysconfig/raddb   client_id=tacacs

[raphink]

If I comment either of the resources, I get the exact same result, so it seems that the provider sees them as exactly equivalent.

[raphink]

Forcing the target parameter like @hdeadman suggested fixed it for me.

[raphink]

I've attached a commit to this ticket. Could you check if the attached branch fixes the bug for you please?

[cmouse]

Interestingly enough, forcing the target did nothing on my system. I'll try the patch once travis is happy.

[raphink]

Rspec 3 was just released. The Travis errors come from this (RSpec::Expectations::Differ::Encoding errors), not from the patch.

[raphink]

My bad, it's actually my code that fails. Travis is running again.

[cmouse]

This seems to work.

[raphink]

Fixed in 42ea31c

[raphink]

@domcleal Do you want to merge this into the 1.X branch?

[domcleal]

@raphink er, you've already merged it to master, so it's a bit late. I guess I'll cherry pick to do a 1.1, else we'd have to revert, merge to a stable branch and then merge through to master again.

[raphink]

I was thinking of a cherry-pick. What would be your preferred way of doing it?

[domcleal]

Cherry pick's fine, I'll do it nearer the time. The other way of doing it is to commit to the stable branch first and merge that into master, but I don't much care.