From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 26 Jun 2020 12:07:48 +0200
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
 target
To avoid regression for case where files is used for proxy but authentication
is handled by another module than pam_unix. E.g. auth_provider = krb
This provides different solution to the ticket and improves the documentation.
Resolves:
https://github.com/SSSD/sssd/issues/5129
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/confdb/confdb.c     | 25 ++++++++++++++++++++-----
 src/man/sssd.conf.5.xml | 12 +++++++++---
 2 files changed, 29 insertions(+), 8 deletions(-)
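diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 65ad18dcf..c2daa9a2c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
     struct sss_domain_info *domain;
     struct ldb_result *res;
     TALLOC_CTX *tmp_ctx;
-    const char *tmp;
+    const char *tmp, *tmp_pam_target, *tmp_auth;
     int ret, val;
     uint32_t entry_cache_timeout;
     char *default_domain;
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
     }
 
     if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
-        /* The password field must be  reported as 'x' for proxy provider
-         * using files library, else pam_unix won't
-         * authenticate this entry. */
+        /* The password field must be reported as 'x' for proxy provider
+         * using files library, else pam_unix won't authenticate this entry.
+         * We set this only for sssd-shadowutils target which can be used
+         * to authenticate with pam_unix only. Otherwise we let administrator
+         * to overwrite default * value with pwfield option to avoid regression
+         * on more common use case where remote authentication is required. */
         tmp = ldb_msg_find_attr_as_string(res->msgs[0],
                                           CONFDB_PROXY_LIBNAME,
                                           NULL);
-        if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
+
+        tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
+                                                CONFDB_DOMAIN_AUTH_PROVIDER,
+                                                NULL);
+
+        tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
+                                                     CONFDB_PROXY_PAM_TARGET,
+                                                     NULL);
+
+        if (tmp != NULL && tmp_pam_target != NULL
+            && strcasecmp(tmp, "files") == 0
+            && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
+            && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
             domain->pwfield = "x";
         }
     }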
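Review bot: In the new `if` at the end of the second hunk the PAM target is compared with `strcmp` while the library name and auth provider on the two lines above use `strcasecmp`; if the exact-case match is deliberate (PAM service names are looked up as file names by the PAM library, so case may matter there), a one-line comment would stop the next reader from "harmonising" it, e.g. `/* PAM target is matched exactly; lib/provider names are case-insensitive */`. The `tmp_auth == NULL` arm treats an unset auth_provider as proxy, presumably because auth_provider falls back to id_provider elsewhere — that assumption is worth stating in the block comment, since any other auth_provider value silently leaves pwfield at its default. confdb_get_domain_internal starts before this hunk and the hunk does not show where the per-domain pwfield option is read, so whether an explicitly configured pwfield still takes precedence over this "x" cannot be confirmed from here.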
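diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cae24bb63..44b3b8f20 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
                             <quote>password</quote> field.
                         </para>
                         <para>
-                            This option can also be set per-domain.
+                            Default: <quote>*</quote>
                         </para>
                         <para>
-                            Default: <quote>*</quote> (remote domains)
-                            or <quote>x</quote> (the files domain)
+                            Note: This option can also be set per-domain which
+                            overwrites the value in [nss] section.
+                        </para>
+                        <para>
+                            Default: <quote>not set</quote> (remote domains),
+                            <quote>x</quote> (the files domain),
+                            <quote>x</quote> (proxy domain with nss_files
+                            and sssd-shadowutils target)
                         </para>
                     </listitem>
                 </varlistentry>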
-- 
2.21.3