Index: files/patch-src__man__pam_sss.8.xml =================================================================== --- files/patch-src__man__pam_sss.8.xml (revision 356406) +++ files/patch-src__man__pam_sss.8.xml (working copy) @@ -1,17 +1,17 @@ -From 1a7794d0e3c9fa47f7b0256518186ce214e93504 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 22 Mar 2014 15:09:34 +0100 +From 4f866ccca80bb8ed4013bc8ed48ab9ae2b9587ff Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Tue, 3 Jun 2014 22:10:50 +0200 Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml --- - src/man/pam_sss.8.xml | 13 +++++++++++++ - 1 file changed, 13 insertions(+) + src/man/pam_sss.8.xml | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml -index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296bec2d8e739 100644 +index 72b497ab34a520d21964824080c7f276b26706f4..69678dac5874067fc95ec47f72ed894854c5d569 100644 --- src/man/pam_sss.8.xml +++ src/man/pam_sss.8.xml -@@ -37,6 +37,9 @@ +@@ -37,6 +37,12 @@ retry=N @@ -18,10 +18,13 @@ + + ignore_unknown_user + ++ ++ ignore_authinfo_unavail ++ -@@ -103,6 +106,16 @@ +@@ -103,6 +109,27 @@ . @@ -35,9 +38,20 @@ + the PAM framework to ignore this module. + + ++ ++ ++ ++ ++ ++ ++ Specifies that the PAM module should return PAM_IGNORE ++ if it cannot contact the SSSD daemon. This causes ++ the PAM framework to ignore this module. ++ ++ -- -1.8.5.3 +1.9.3 Index: files/patch-src__sss_client__pam_sss.c =================================================================== --- files/patch-src__sss_client__pam_sss.c (revision 356406) +++ files/patch-src__sss_client__pam_sss.c (working copy) @@ -1,25 +1,26 @@ -From 68fcd5f830b6451de5fd9d697fa6602dc3ca9972 Mon Sep 17 00:00:00 2001 +From 18bce9f12311c6e7a7fe4350150120a98b3ec106 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik -Date: Sat, 27 Jul 2013 15:02:31 +0200 +Date: Wed, 6 Nov 2013 22:01:21 +0100 Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c --- - src/sss_client/pam_sss.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) + src/sss_client/pam_sss.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c -index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe4101d2268f3 100644 +index 5fd276ccba15da1f689b1939a02288dda7a09d89..e35552f7e612d3e68f957845998a8105437af301 100644 --- src/sss_client/pam_sss.c +++ src/sss_client/pam_sss.c -@@ -52,6 +52,7 @@ +@@ -52,6 +52,8 @@ #define FLAGS_USE_FIRST_PASS (1 << 0) #define FLAGS_FORWARD_PASS (1 << 1) #define FLAGS_USE_AUTHTOK (1 << 2) +#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) ++#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) #define PWEXP_FLAG "pam_sss:password_expired_flag" #define FD_DESTRUCTOR "pam_sss:fd_destructor" -@@ -125,10 +126,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err) +@@ -125,10 +127,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err) static void close_fd(pam_handle_t *pamh, void *ptr, int err) { @@ -32,16 +33,18 @@ D(("Closing the fd")); sss_pam_close_fd(); -@@ -1292,6 +1295,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, +@@ -1292,6 +1296,10 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, } } else if (strcmp(*argv, "quiet") == 0) { *quiet_mode = true; + } else if (strcmp(*argv, "ignore_unknown_user") == 0) { + *flags |= FLAGS_IGNORE_UNKNOWN_USER; ++ } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) { ++ *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL; } else { logger(pamh, LOG_WARNING, "unknown option: %s", *argv); } -@@ -1429,6 +1434,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, +@@ -1429,6 +1437,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, ret = get_pam_items(pamh, &pi); if (ret != PAM_SUCCESS) { D(("get items returned error: %s", pam_strerror(pamh,ret))); @@ -48,10 +51,14 @@ + if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { + ret = PAM_IGNORE; + } ++ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL ++ && ret == PAM_AUTHINFO_UNAVAIL) { ++ ret = PAM_IGNORE; ++ } return ret; } -@@ -1467,6 +1475,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, +@@ -1467,6 +1482,15 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, pam_status = send_and_receive(pamh, &pi, task, quiet_mode); @@ -59,10 +66,14 @@ + && pam_status == PAM_USER_UNKNOWN) { + pam_status = PAM_IGNORE; + } ++ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL ++ && pam_status == PAM_AUTHINFO_UNAVAIL) { ++ pam_status = PAM_IGNORE; ++ } + switch (task) { case SSS_PAM_AUTHENTICATE: /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during -- -1.8.5.3 +1.9.3