How To Fix Login Issue For UIDs Less Than 1000 On RHEL/CentOS
In the world of Linux systems, user account management is a critical aspect of server administration. From time to time, administrators may encounter issues with user accounts, such as login failures. One common issue is related to user IDs (UIDs) that are less than 1000, which can cause problems with logging into the system. If you’re facing this issue on your Red Hat Enterprise Linux (RHEL) or CentOS server, don’t worry. In this blog post, we’ll guide you through the steps to resolve the login issue for UIDs less than 1000 on RHEL/CentOS. We’ll cover the underlying causes of this issue and provide you with a simple and straightforward solution that you can implement to regain access to your server. Whether you’re a new or experienced administrator, this guide will give you the tools and knowledge to resolve login issues with confidence.
For this fix I’ve made a short Ansible playbook to configure PAM with the required entries. The two files we need to edit are /etc/pam.d/system-auth and /etc/pam.d/password-auth.
By default the contents of the files will both start out something like this:
```
# Generated by authselect on Tue Mar 1 12:09:44 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```
This playbook will comment out the auth pam_usertype.so entries and then add two additional lines to the auth block on both files. I’ve chosen to go as low as UIDs starting at 700.
```yaml
## Fix for issue where users with a UID < 1000 cannot login on RedHat 8 family ##
- name: configure system-auth and password-auth for uids < 1000
  block:
    - replace:
        dest: /etc/pam.d/{{ item }}
        regexp: '(^auth.+pam_usertype.+$)'
        replace: '#\1'
      loop:
        - system-auth
        - password-auth
    - lineinfile:
        dest: /etc/pam.d/{{ item[0] }}
        insertafter: '(^auth(?:.(?!\\))+$)'
        line: '{{ item[1] }}'
        state: present
      with_nested:
        - ["system-auth", "password-auth"]
        - ["auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 700 quiet", "auth requisite pam_succeed_if.so uid >= 700 quiet_success"]
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_version|float >= 8
```
If the play runs successfully, both files will now look something like this:
```
# Generated by authselect on Tue Mar 1 12:09:44 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
#auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
#auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 700 quiet
auth requisite pam_succeed_if.so uid >= 700 quiet_success
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```
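To see why the default auth stack rejects a UID below 1000 and why the edited one lets it through, here is an added Python model of the `auth` section (my code, not from the post or from Ansible) that walks both stacks with Linux-PAM control semantics. It assumes the affected account is served by SSSD rather than /etc/passwd, that the password is correct, and that UID_MIN in /etc/login.defs is the default 1000 (which is what `pam_usertype.so isregular` tests).

```python
import re

UID_MIN = 1000  # /etc/login.defs default: pam_usertype "isregular" means uid >= UID_MIN

# Constructed auth stack copied from the default file above; AFTER applies the playbook's
# regex replace and appends the two pam_succeed_if lines, matching the edited listing.
BEFORE = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
AFTER = re.sub(r"(^auth.+pam_usertype.+$)", r"#\1", BEFORE, flags=re.M) + (
    "auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 700 quiet\n"
    "auth requisite pam_succeed_if.so uid >= 700 quiet_success\n"
)

def module_result(module, args, uid, local):
    """Assumed outcome of one module for a user whose password is correct (simplified)."""
    if module == "pam_usertype.so":
        return uid >= UID_MIN if "isregular" in args else uid < UID_MIN
    if module == "pam_succeed_if.so":
        m = re.search(r"uid\s*>=\s*(\d+)", args)
        return bool(m) and uid >= int(m.group(1))
    if module in ("pam_localuser.so", "pam_unix.so"):
        return local                 # account in /etc/passwd, local password accepted
    if module == "pam_sss.so":
        return not local             # account served by SSSD, sssd accepts the password
    return module in ("pam_env.so", "pam_faildelay.so")  # pam_fprintd, pam_deny: fail

def evaluate_auth_stack(text, uid, local=False):
    """Walk the auth lines with Linux-PAM control semantics; return (verdict, deciding module)."""
    pat = re.compile(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")  # commented lines never match
    lines = [m.groups() for m in map(pat.match, text.splitlines()) if m]
    failed, i = None, 0
    while i < len(lines):
        control, module, args = lines[i]
        ok = module_result(module, args, uid, local)
        skip = re.search(r"default=(\d+)", control)
        if skip and not ok:          # [default=N ... success=ok]: on non-success jump N modules
            i += 1 + int(skip.group(1))
            continue
        if control == "sufficient" and ok and failed is None:
            return "allow", module
        if control == "requisite" and not ok:
            return "deny", module
        if control == "required" and not ok and failed is None:
            failed = module          # first required failure fixes the outcome
        i += 1
    return ("deny", failed) if failed else ("allow", "end-of-stack")
```

Because the playbook's insertafter pattern matches the last auth line, the two pam_succeed_if entries land after pam_deny.so, and the model returns allow via pam_sss.so for UID 650 on the edited stack as well, so the 700 floor is not reached on the success path. Before the edit the model denies UID 800 at pam_deny.so; after it, the same account is allowed by pam_sss.so.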
Of course, these changes could also be made manually but where’s the fun in that.