I noticed these PAM messages in the dom0 logs, along the lines of:
[...] PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory
And, no surprise, that file does not exist.
A quick dnf query shows that the file is part of the sssd-client rpm, which is not installed in dom0! Nor is sssd, the respective daemon.
On further digging:
[user@dom0 ~]$ authselect list
- minimal Local users only for minimal installations
- nis Enable NIS for system authentication
- sssd Enable SSSD for system authentication (also for local users only)
- winbind Enable winbind for system authentication
[user@dom0 ~]$ authselect current
Profile ID: sssd
Enabled features:
- with-silent-lastlog
[user@dom0 ~]$
Now this is a weird configuration choice for a system like dom0, when you don’t plan on using network/LDAP authentication… so probably it is just a bug.
Solutions: switching to the “minimal” profile (sudo authselect select minimal) or installing sssd-client (sudo qubes-dom0-update --releasever=4.2 sssd-client) or installing the full sssd system (sudo qubes-dom0-update --releasever=4.2 sssd)
Is it only an R4.2 issue?
Because I don’t see these traces in my logs, and my current auth profile is local, not sssd.
user@dom0:~$ authselect list
- local Local users only
- nis Enable NIS for system authentication
- sssd Enable SSSD for system authentication (also for local users only)
- winbind Enable winbind for system authentication
user@dom0:~$ authselect current
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-fingerprint
user@dom0:~$ cat /etc/qubes-release
Qubes release 4.3-rc3 (R4.3)
I don’t know, I never ran the 4.3 Release Candidates.
And that’s why I put in the thread title “[R4.2.4]” because it is where I discovered the issue.
Oh yes, you have to fix this all over the place, in every template that uses PAM…
Note that newer Fedora versions call the simple/simplest auth profile “local”, not “minimal”.
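An added example, not part of the thread and not code from Qubes or authselect: a shell function that lists PAM modules referenced under a PAM config directory but absent from the module directory, which is the condition behind the dlopen message in the first post. The function names, the default paths and the sample system-auth contents are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report PAM modules that a config
# directory references but that are absent from the module directory.

# pam_missing_modules [PAM_DIR] [MODULE_DIR]
# Defaults are assumptions matching the paths quoted in the log message.
pam_missing_modules() {
    pam_dir=${1:-/etc/pam.d}
    mod_dir=${2:-/usr/lib64/security}
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # The first token ending in ".so" is the module. This skips
        # bracketed controls such as [success=ok default=1] and
        # include/substack lines, which name no module.
        awk '{ sub(/#.*/, "")
               for (i = 1; i <= NF; i++)
                   if ($i ~ /\.so$/) { print $i; break } }' "$f" |
        sort -u |
        while read -r mod; do
            case $mod in
                /*) path=$mod ;;            # absolute module path
                *)  path=$mod_dir/$mod ;;   # bare name: resolve in MODULE_DIR
            esac
            [ -e "$path" ] || printf '%s: %s\n' "${f##*/}" "$mod"
        done
    done
}

# Runs the check on a constructed tree: a sample system-auth that names
# pam_sss.so while the module directory lacks it.
pam_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pam.d" "$tmp/security"
    cat > "$tmp/pam.d/system-auth" <<'EOF'
# constructed sample, not real authselect output
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_sss.so forward_pass
-session    optional      pam_systemd.so
session     include       postlogin
EOF
    for m in pam_env.so pam_localuser.so pam_unix.so pam_systemd.so; do
        : > "$tmp/security/$m"
    done
    pam_missing_modules "$tmp/pam.d" "$tmp/security"
    rm -rf "$tmp"
}

pam_demo   # prints: system-auth: pam_sss.so
```

Called with no arguments, pam_missing_modules checks /etc/pam.d against /usr/lib64/security; pass the module directory explicitly in templates where it lives elsewhere.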