From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 26 Jun 2020 12:07:48 +0200
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
target
To avoid regression for case where files is used for proxy but authentication
is handled by other module then pam_unix. E.g. auth_provider = krb
This provides different solution to the ticket and improves the documentation.
Resolves:
https://github.com/SSSD/sssd/issues/5129
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 25 ++++++++++++++++++++-----
src/man/sssd.conf.5.xml | 12 +++++++++---
2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 65ad18dcf..c2daa9a2c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
struct sss_domain_info *domain;
struct ldb_result *res;
TALLOC_CTX *tmp_ctx;
- const char *tmp;
+ const char *tmp, *tmp_pam_target, *tmp_auth;
int ret, val;
uint32_t entry_cache_timeout;
char *default_domain;
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
- /* The password field must be reported as 'x' for proxy provider
- * using files library, else pam_unix won't
- * authenticate this entry. */
+ /* The password field must be reported as 'x' for proxy provider
+ * using files library, else pam_unix won't authenticate this entry.
+ * We set this only for sssd-shadowutils target which can be used
+ * to authenticate with pam_unix only. Otherwise we let administrator
+ * to overwrite default * value with pwfield option to avoid regression
+ * on more common use case where remote authentication is required. */
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_PROXY_LIBNAME,
NULL);
- if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
+
+ tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_AUTH_PROVIDER,
+ NULL);
+
+ tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_PROXY_PAM_TARGET,
+ NULL);
+
+ if (tmp != NULL && tmp_pam_target != NULL
+ && strcasecmp(tmp, "files") == 0
+ && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
+ && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
domain->pwfield = "x";
}
}
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cae24bb63..44b3b8f20 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
<quote>password</quote> field.
</para>
<para>
- This option can also be set per-domain.
+ Default: <quote>*</quote>
</para>
<para>
- Default: <quote>*</quote> (remote domains)
- or <quote>x</quote> (the files domain)
+ Note: This option can also be set per-domain which
+ overwrites the value in [nss] section.
+ </para>
+ <para>
+ Default: <quote>not set</quote> (remote domains),
+ <quote>x</quote> (the files domain),
+ <quote>x</quote> (proxy domain with nss_files
+ and sssd-shadowutils target)
</para>
</listitem>
</varlistentry>
--
2.21.3