
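--- a/files/patch-src__man__pam_sss.8.xml
+++ b/files/patch-src__man__pam_sss.8.xml
@@ -1,27 +1,30 @@
-From 1a7794d0e3c9fa47f7b0256518186ce214e93504 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Sat, 22 Mar 2014 15:09:34 +0100
+From 4f866ccca80bb8ed4013bc8ed48ab9ae2b9587ff Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
+Date: Tue, 3 Jun 2014 22:10:50 +0200
 Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml
 
 ---
- src/man/pam_sss.8.xml | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
+ src/man/pam_sss.8.xml | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
 
 diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml
-index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296bec2d8e739 100644
+index 72b497ab34a520d21964824080c7f276b26706f4..69678dac5874067fc95ec47f72ed894854c5d569 100644
 --- src/man/pam_sss.8.xml
 +++ src/man/pam_sss.8.xml
-@@ -37,6 +37,9 @@
+@@ -37,6 +37,12 @@
              <arg choice='opt'>
                  <replaceable>retry=N</replaceable>
              </arg>
 +            <arg choice='opt'>
 +                <replaceable>ignore_unknown_user</replaceable>
 +            </arg>
++            <arg choice='opt'>
++                <replaceable>ignore_authinfo_unavail</replaceable>
++            </arg>
          </cmdsynopsis>
      </refsynopsisdiv>
  
-@@ -103,6 +106,16 @@
+@@ -103,6 +109,27 @@
                      <option>PasswordAuthentication</option>.</para>
                  </listitem>
              </varlistentry>
@@ -35,9 +38,20 @@
 +                    the PAM framework to ignore this module.</para>
 +                </listitem>
 +            </varlistentry>
++            <varlistentry>
++                <term>
++                    <option>ignore_authinfo_unavail</option>
++                </term>
++                <listitem>
++                    <para>
++                    Specifies  that  the  PAM module should return PAM_IGNORE
++                    if it cannot contact the SSSD daemon. This causes
++                    the PAM framework to ignore this module.</para>
++                </listitem>
++            </varlistentry>
          </variablelist>
      </refsect1>
  
 -- 
-1.8.5.3
+1.9.3
 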
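--- a/files/patch-src__sss_client__pam_sss.c
+++ b/files/patch-src__sss_client__pam_sss.c
@@ -1,25 +1,26 @@
-From 68fcd5f830b6451de5fd9d697fa6602dc3ca9972 Mon Sep 17 00:00:00 2001
+From 18bce9f12311c6e7a7fe4350150120a98b3ec106 Mon Sep 17 00:00:00 2001
 From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
-Date: Sat, 27 Jul 2013 15:02:31 +0200
+Date: Wed, 6 Nov 2013 22:01:21 +0100
 Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c
 
 ---
- src/sss_client/pam_sss.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
+ src/sss_client/pam_sss.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
 
 diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
-index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe4101d2268f3 100644
+index 5fd276ccba15da1f689b1939a02288dda7a09d89..e35552f7e612d3e68f957845998a8105437af301 100644
 --- src/sss_client/pam_sss.c
 +++ src/sss_client/pam_sss.c
-@@ -52,6 +52,7 @@
+@@ -52,6 +52,8 @@
  #define FLAGS_USE_FIRST_PASS (1 << 0)
  #define FLAGS_FORWARD_PASS   (1 << 1)
  #define FLAGS_USE_AUTHTOK    (1 << 2)
 +#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
++#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
  
  #define PWEXP_FLAG "pam_sss:password_expired_flag"
  #define FD_DESTRUCTOR "pam_sss:fd_destructor"
-@@ -125,10 +126,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
+@@ -125,10 +127,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
  
  static void close_fd(pam_handle_t *pamh, void *ptr, int err)
  {
@@ -32,26 +33,32 @@
  
      D(("Closing the fd"));
      sss_pam_close_fd();
-@@ -1292,6 +1295,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
+@@ -1292,6 +1296,10 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
              }
          } else if (strcmp(*argv, "quiet") == 0) {
              *quiet_mode = true;
 +        } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
 +            *flags |= FLAGS_IGNORE_UNKNOWN_USER;
++        } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
++            *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
          } else {
              logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
          }
-@@ -1429,6 +1434,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+@@ -1429,6 +1437,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
      ret = get_pam_items(pamh, &pi);
      if (ret != PAM_SUCCESS) {
          D(("get items returned error: %s", pam_strerror(pamh,ret)));
 +        if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
 +            ret = PAM_IGNORE;
 +        }
++        if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
++                && ret == PAM_AUTHINFO_UNAVAIL) {
++            ret = PAM_IGNORE;
++        }
          return ret;
      }
  
-@@ -1467,6 +1475,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+@@ -1467,6 +1482,15 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
  
          pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
  
@@ -59,10 +66,14 @@
 +                && pam_status == PAM_USER_UNKNOWN) {
 +            pam_status = PAM_IGNORE;
 +        }
++        if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
++                && pam_status == PAM_AUTHINFO_UNAVAIL) {
++            pam_status = PAM_IGNORE;
++        }
 +
          switch (task) {
              case SSS_PAM_AUTHENTICATE:
                  /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
 -- 
-1.8.5.3
+1.9.3
 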
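Review bot: The new FLAGS_IGNORE_AUTHINFO_UNAVAIL check after send_and_receive() in pam_sss() rewrites pam_status to PAM_IGNORE before `switch (task)`, so it applies to every task the module serves, not only authentication. If the option is set on an account line, an unreachable SSSD would presumably mean the checks that line relies on are skipped rather than denied, and how a stack resolves when every module returns PAM_IGNORE is left to the PAM implementation; the man page text in the first file mentions neither consequence. The downgrade is also silent outside debug builds, so I would log it before the remap, e.g. `logger(pamh, LOG_NOTICE, "SSSD unavailable, returning PAM_IGNORE");`, and document that the option belongs only in stacks where another module makes the decision. The same remark applies to the earlier check in the get_pam_items() error path; pam_sss()'s body continues outside the visible lines, and the viewer hides part of the surrounding block.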
