dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0135-pam-properly-support-UPN-logon-names.patch

bb7cd1
From b6ba8bc43a0b5a448e4cd30bc406bd08c389e365 Mon Sep 17 00:00:00 2001
bb7cd1
From: Sumit Bose <sbose@redhat.com>
bb7cd1
Date: Fri, 12 May 2017 10:40:21 +0200
bb7cd1
Subject: [PATCH 135/135] pam: properly support UPN logon names
bb7cd1
MIME-Version: 1.0
bb7cd1
Content-Type: text/plain; charset=UTF-8
bb7cd1
Content-Transfer-Encoding: 8bit
bb7cd1
bb7cd1
Many logon applications like /bin/login or sshd canonicalize the user
bb7cd1
name before they call pam_start() and hence the UPN is not seen by
bb7cd1
SSSD's pam responder. But some like e.g. gdm don't and authentication
bb7cd1
might fail if a UPN is used.
bb7cd1
bb7cd1
The reason is that currently the already parsed short name of the user
bb7cd1
was used in the cache_req and hence the cache_req was not able to fall
bb7cd1
back to the UPN lookup code. This patch uses the name originally
bb7cd1
provided by the user as input to allow the fallback to the UPN lookup.
bb7cd1
bb7cd1
Resolves https://pagure.io/SSSD/sssd/issue/3240
bb7cd1
bb7cd1
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
bb7cd1
(cherry picked from commit 29d063505c07127f7747405b1a61d8f782673645)
bb7cd1
---
bb7cd1
 src/responder/pam/pamsrv_cmd.c  |  4 +--
bb7cd1
 src/tests/cmocka/test_pam_srv.c | 79 ++++++++++++++++++++++++++++++++++++++++-
bb7cd1
 2 files changed, 80 insertions(+), 3 deletions(-)
bb7cd1
bb7cd1
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
bb7cd1
index 10a178f839ec011c09a6da4575efbb026f3f7700..36dba37964b71153435b4df5d5328de4361926e6 100644
bb7cd1
--- a/src/responder/pam/pamsrv_cmd.c
bb7cd1
+++ b/src/responder/pam/pamsrv_cmd.c
bb7cd1
@@ -1560,7 +1560,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
bb7cd1
 
bb7cd1
     data = cache_req_data_name(preq,
bb7cd1
                                CACHE_REQ_INITGROUPS,
bb7cd1
-                               preq->pd->user);
bb7cd1
+                               preq->pd->logon_name);
bb7cd1
     if (data == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
     }
bb7cd1
@@ -1589,7 +1589,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
bb7cd1
                            preq->cctx->rctx->ncache,
bb7cd1
                            0,
bb7cd1
                            preq->req_dom_type,
bb7cd1
-                           preq->pd->domain,
bb7cd1
+                           NULL,
bb7cd1
                            data);
bb7cd1
     if (!dpreq) {
bb7cd1
         DEBUG(SSSDBG_CRIT_FAILURE,
bb7cd1
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
bb7cd1
index d249b8f1ea48f1c17b461c3add9e8c63774e5f88..4d351a3707d2a49604595b728fff7705560c871a 100644
bb7cd1
--- a/src/tests/cmocka/test_pam_srv.c
bb7cd1
+++ b/src/tests/cmocka/test_pam_srv.c
bb7cd1
@@ -518,6 +518,8 @@ static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
bb7cd1
     int ret;
bb7cd1
     size_t needed_size;
bb7cd1
     uint8_t *authtok;
bb7cd1
+    char *s_name;
bb7cd1
+    char *dom;
bb7cd1
 
bb7cd1
     if (name != NULL) {
bb7cd1
         pi.pam_user = name;
bb7cd1
@@ -574,7 +576,13 @@ static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
bb7cd1
     will_return(__wrap_sss_packet_get_body, buf);
bb7cd1
     will_return(__wrap_sss_packet_get_body, buf_size);
bb7cd1
 
bb7cd1
-    mock_parse_inp(name, NULL, EOK);
bb7cd1
+    if (strrchr(name, '@') == NULL) {
bb7cd1
+        mock_parse_inp(name, NULL, EOK);
bb7cd1
+    } else {
bb7cd1
+        ret = sss_parse_internal_fqname(mem_ctx, name, &s_name, &dom;;
bb7cd1
+        mock_parse_inp(s_name, dom, EOK);
bb7cd1
+    }
bb7cd1
+
bb7cd1
     if (contact_dp) {
bb7cd1
         mock_account_recv_simple();
bb7cd1
     }
bb7cd1
@@ -1582,6 +1590,71 @@ void test_pam_preauth_no_logon_name(void **state)
bb7cd1
     assert_int_equal(ret, EOK);
bb7cd1
 }
bb7cd1
 
bb7cd1
+void test_pam_auth_no_upn_logon_name(void **state)
bb7cd1
+{
bb7cd1
+    int ret;
bb7cd1
+
bb7cd1
+    ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
bb7cd1
+                               pam_test_ctx->pam_user_fqdn,
bb7cd1
+                               "12345");
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+
bb7cd1
+    mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
bb7cd1
+                      true);
bb7cd1
+    mock_account_recv_simple();
bb7cd1
+
bb7cd1
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
bb7cd1
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
bb7cd1
+
bb7cd1
+    pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
bb7cd1
+    set_cmd_cb(test_pam_simple_check);
bb7cd1
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
bb7cd1
+                          pam_test_ctx->pam_cmds);
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+
bb7cd1
+    /* Wait until the test finishes with EOK */
bb7cd1
+    ret = test_ev_loop(pam_test_ctx->tctx);
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+}
bb7cd1
+
bb7cd1
+void test_pam_auth_upn_logon_name(void **state)
bb7cd1
+{
bb7cd1
+    int ret;
bb7cd1
+    struct sysdb_attrs *attrs;
bb7cd1
+
bb7cd1
+    ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
bb7cd1
+                               pam_test_ctx->pam_user_fqdn,
bb7cd1
+                               "12345");
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+    attrs = sysdb_new_attrs(pam_test_ctx);
bb7cd1
+    assert_non_null(attrs);
bb7cd1
+    ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upn@"TEST_DOM_NAME);
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+
bb7cd1
+    ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
bb7cd1
+                              pam_test_ctx->pam_user_fqdn,
bb7cd1
+                              attrs,
bb7cd1
+                              LDB_FLAG_MOD_ADD);
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+
bb7cd1
+    mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
bb7cd1
+                      true);
bb7cd1
+    mock_account_recv_simple();
bb7cd1
+
bb7cd1
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
bb7cd1
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
bb7cd1
+
bb7cd1
+    set_cmd_cb(test_pam_successful_offline_auth_check);
bb7cd1
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
bb7cd1
+                          pam_test_ctx->pam_cmds);
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+
bb7cd1
+    /* Wait until the test finishes with EOK */
bb7cd1
+    ret = test_ev_loop(pam_test_ctx->tctx);
bb7cd1
+    assert_int_equal(ret, EOK);
bb7cd1
+}
bb7cd1
+
bb7cd1
+
bb7cd1
 static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
bb7cd1
 {
bb7cd1
     pam_test_ctx->pctx->cert_auth = true;
bb7cd1
@@ -2312,6 +2385,10 @@ int main(int argc, const char *argv[])
bb7cd1
                                         pam_test_setup, pam_test_teardown),
bb7cd1
         cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
bb7cd1
                                         pam_test_setup, pam_test_teardown),
bb7cd1
+        cmocka_unit_test_setup_teardown(test_pam_auth_no_upn_logon_name,
bb7cd1
+                                        pam_test_setup, pam_test_teardown),
bb7cd1
+        cmocka_unit_test_setup_teardown(test_pam_auth_upn_logon_name,
bb7cd1
+                                        pam_test_setup, pam_test_teardown),
bb7cd1
         cmocka_unit_test_setup_teardown(test_pam_cached_auth_success,
bb7cd1
                                         pam_cached_test_setup,
bb7cd1
                                         pam_test_teardown),
bb7cd1
-- 
bb7cd1
2.9.3
bb7cd1