dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 26 Jun 2020 12:07:48 +0200
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
 target

To avoid regression for case where files is used for proxy but authentication
is handled by other module then pam_unix. E.g. auth_provider = krb

This provides different solution to the ticket and improves the documentation.

Resolves:
https://github.com/SSSD/sssd/issues/5129

Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/confdb/confdb.c     | 25 ++++++++++++++++++++-----
 src/man/sssd.conf.5.xml | 12 +++++++++---
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 65ad18dcf..c2daa9a2c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
     struct sss_domain_info *domain;
     struct ldb_result *res;
     TALLOC_CTX *tmp_ctx;
-    const char *tmp;
+    const char *tmp, *tmp_pam_target, *tmp_auth;
     int ret, val;
     uint32_t entry_cache_timeout;
     char *default_domain;
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
     }
 
     if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
-        /* The password field must be  reported as 'x' for proxy provider
-         * using files library, else pam_unix won't
-         * authenticate this entry. */
+        /* The password field must be reported as 'x' for proxy provider
+         * using files library, else pam_unix won't authenticate this entry.
+         * We set this only for sssd-shadowutils target which can be used
+         * to authenticate with pam_unix only. Otherwise we let administrator
+         * to overwrite default * value with pwfield option to avoid regression
+         * on more common use case where remote authentication is required. */
         tmp = ldb_msg_find_attr_as_string(res->msgs[0],
                                           CONFDB_PROXY_LIBNAME,
                                           NULL);
-        if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
+
+        tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
+                                                CONFDB_DOMAIN_AUTH_PROVIDER,
+                                                NULL);
+
+        tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
+                                                     CONFDB_PROXY_PAM_TARGET,
+                                                     NULL);
+
+        if (tmp != NULL && tmp_pam_target != NULL
+            && strcasecmp(tmp, "files") == 0
+            && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
+            && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
             domain->pwfield = "x";
         }
     }
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cae24bb63..44b3b8f20 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
                             <quote>password</quote> field.
                         </para>
                         <para>
-                            This option can also be set per-domain.
+                            Default: <quote>*</quote>
                         </para>
                         <para>
-                            Default: <quote>*</quote> (remote domains)
-                            or <quote>x</quote> (the files domain)
+                            Note: This option can also be set per-domain which
+                            overwrites the value in [nss] section.
+                        </para>
+                        <para>
+                            Default: <quote>not set</quote> (remote domains),
+                            <quote>x</quote> (the files domain),
+                            <quote>x</quote> (proxy domain with nss_files
+                            and sssd-shadowutils target)
                         </para>
                     </listitem>
                 </varlistentry>
-- 
2.21.3