
diff -Naur old/authinfo.py new/authinfo.py
--- old/authinfo.py	2017-03-28 13:38:56.610467419 +0200
+++ new/authinfo.py	2017-03-28 13:55:43.626505569 +0200
@@ -334,6 +334,10 @@
 	"wait_for_card"
 ]
 
+argv_sssd_missing_name = [
+   "allow_missing_name"
+]
+
 argv_krb5_auth = [
 	"use_first_pass"
 ]
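Review bot: The new `argv_sssd_missing_name` list indents its element with three spaces, while the neighbouring `argv_*` lists (`"wait_for_card"`, `"use_first_pass"`) indent with a tab. It is harmless inside a list literal, but the file otherwise uses tabs throughout, so `	"allow_missing_name"` would keep the style consistent.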
@@ -736,6 +740,8 @@
 pam_modules[SMARTCARD] = [
 	[True,  AUTH,		LOGIC_REQUIRED,
 	 "env",			[]],
+	[False,  AUTH,		LOGIC_SUFFICIENT,
+	 "sss",			argv_sssd_missing_name],
 	[False,  AUTH,		LOGIC_PKCS11,
 	 "pkcs11",		argv_force_pkcs11_auth],
 	[False, AUTH,		LOGIC_OPTIONAL,
@@ -1428,7 +1434,7 @@
 		("kerberosAdminServer", "i"), ("kerberosRealmviaDNS", "b"),
 		("kerberosKDCviaDNS", "b")]),
 	SaveGroup(self.writeSSSD, self.toggleSSSDService, [("ldapServer", "i"), ("ldapBaseDN", "c"), ("enableLDAPS", "b"),
-		("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"),
+		("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"), ("enableSmartcard", "b"),
 		("kerberosRealm", "c"), ("kerberosKDC", "i"), ("kerberosAdminServer", "i"),
 		("forceSSSDUpdate", "b"), ("enableLDAP", "b"), ("enableKerberos", "b"),
 		("enableLDAPAuth", "b"), ("enableIPAv2", "b")]),
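Review bot: Only `("enableSmartcard", "b")` is added to the writeSSSD SaveGroup, but the new writeSSSDPAM logic also keys on `self.smartcardModule == "sssd"` and `self.enableSSSDAuth`. If this attribute list is what decides that a change warrants rewriting sssd.conf (it looks that way from the surrounding SaveGroup entries, but the SaveGroup machinery is outside the hunk), then switching only the smartcard module between "sssd" and pam_pkcs11 would leave a stale `pam_cert_auth` setting behind; adding `("smartcardModule", "c")` here would cover that case. The enclosing SaveGroup list starts and ends outside the hunk.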
@@ -3281,11 +3287,35 @@
 				domain.remove_provider(subtype)
 			domain.add_provider(newprovider, subtype)
 
+	def writeSSSDPAM(self):
+		if not self.sssdConfig:
+			return True
+
+		pam = self.sssdConfig.get_service('pam')
+
+		if self.enableSmartcard and self.enableSSSDAuth and self.smartcardModule == "sssd" :
+			pam.set_option('pam_cert_auth', 'True')
+		else:
+			try:
+				pam.remove_option('pam_cert_auth')
+			except SSSDConfig.NoOptionError:
+				pass
+
+		self.sssdConfig.save_service(pam)
+		try:
+			self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
+		except IOError:
+			pass
+
+		return True
+
 	def writeSSSD(self):
 		if not self.sssdConfig:
 			return True
 
 		all_configs[CFG_SSSD].backup(self.backupDir)
+		
+		self.writeSSSDPAM()
 
 		if self.enableIPAv2:
 			# just save the backup
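Review bot: A failed write of sssd.conf is swallowed by the `except IOError: pass` at the end of writeSSSDPAM, which then returns True, so a caller that chains `ret = ret and self.writeSSSDPAM()` cannot tell that `pam_cert_auth` was never persisted; replacing the `pass` with `return False` would report the failure the same way the other write* methods do. `self.sssdConfig.get_service('pam')` is also unguarded, so if the [pam] section is absent and the SSSDConfig API raises there (it does have a NoServiceError, if I recall the API correctly) the whole write aborts instead of degrading. Note that writeSSSD calls writeSSSDPAM right after the backup, so on that path sssd.conf is written once here and again later by writeSSSD; the extra write is redundant rather than wrong. Minor style: `== "sssd" :` carries a stray space before the colon, and the added line after `backup(...)` is a tab-only whitespace line. writeSSSD continues past the end of the hunk.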
@@ -3855,7 +3885,7 @@
 				args = self.mkhomedirArgs
 			if name == "systemd":
 				args = self.systemdArgs
-			if name == "sss" and stack == "auth" and not self.enableNIS:
+			if name == "sss" and stack == "auth" and not self.enableNIS and not module[ARGV] == argv_sssd_missing_name:
 				args = "forward_pass"
 			if not args and module[ARGV]:
 				args = " ".join(module[ARGV])
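Review bot: The extended condition spells the exclusion as `not module[ARGV] == argv_sssd_missing_name`, while the equivalent test added to writePAM in this same patch uses `module[ARGV] != argv_sssd_missing_name`. Using `!=` here as well reads more naturally and keeps the two sites consistent: `if name == "sss" and stack == "auth" and not self.enableNIS and module[ARGV] != argv_sssd_missing_name:`. The enclosing loop starts and ends outside the hunk.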
@@ -3935,6 +3965,10 @@
 				enableSmartcard = True
 				forceSmartcard = True
 
+			# configure SSSD Smartcard support instead of
+			# pam_pkcs11 if SSSD is used for authentication and no
+			# Smartcard module is set, e.g. if pam_pkcs11 is not installed.
+			use_sssd_smartcard_support = self.enableSSSDAuth and self.smartcardModule == "sssd"
 			prevmodule = []
 			for module in pam_modules[service]:
 				if prevmodule and module[STACK] != prevmodule[STACK]:
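Review bot: The new comment says SSSD smartcard support is used when "no Smartcard module is set", but the line below it requires `self.smartcardModule == "sssd"`, so the comment and the code disagree. If some other part of the patch defaults `smartcardModule` to "sssd" when pam_pkcs11 is not installed, the comment should say that explicitly, e.g. `# use SSSD's smartcard support instead of pam_pkcs11 when SSSD does authentication and the smartcard module is "sssd" (the default when pam_pkcs11 is not installed)`; otherwise the "no Smartcard module is set" wording should be dropped. The enclosing method continues outside the hunk.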
@@ -3952,15 +3986,17 @@
 					    ((module[NAME] == "krb5" and module[ARGV] == argv_krb5_sc_auth) or
 					    (module[NAME] == "permit" and module[STACK] == AUTH))) or
 					((self.enableLDAPAuth and not self.implicitSSSDAuth) and module[NAME] == "ldap") or
-					(enableSmartcard and module[STACK] == AUTH and
+					(enableSmartcard and use_sssd_smartcard_support and module[NAME] == "sss" and module[ARGV] == argv_sssd_missing_name) or
+					(enableSmartcard and not use_sssd_smartcard_support and module[STACK] == AUTH and
 						module[NAME] == "succeed_if" and module[LOGIC] == LOGIC_SKIPNEXT) or
-					(enableSmartcard and module[NAME] == "pkcs11") or 
+					(enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
+					(enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
 					(enableSmartcard and forceSmartcard and module[NAME] == "deny") or 
 					(enableFprintd and module[NAME] == "fprintd") or
 					(self.enableOTP and module[NAME] == "otp") or
 					(self.enablePasswdQC and module[NAME] == "passwdqc") or
 					(self.enableWinbindAuth and module[NAME] == "winbind") or
-					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
+					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss" and module[ARGV] != argv_sssd_missing_name) or
 					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
 						(not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
 					(self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
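Review bot: The newly added `(enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny")` alternative is immediately followed by the untouched original `(enableSmartcard and forceSmartcard and module[NAME] == "deny")`, which is strictly weaker and therefore makes the new line dead code: pam_deny is still enabled whenever forceSmartcard is set, SSSD smartcard support or not. If the intent was to leave pam_deny out of the stack when SSSD handles the smartcard (as was done for pkcs11 and succeed_if), the original line should be removed; if pam_deny is wanted in both cases, the new line should be dropped instead. The enclosing boolean expression starts and ends outside the hunk.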
@@ -4093,6 +4129,8 @@
 				ret = ret and self.writeWinbind()
 			if self.implicitSSSD or self.implicitSSSDAuth:
 				ret = ret and self.writeSSSD()
+			elif self.enableSSSDAuth:
+				ret = ret and self.writeSSSDPAM()
 			ret = ret and self.writeNSS()
 			ret = ret and self.writePAM()
 			ret = ret and self.writeSysconfig()
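Review bot: The new `elif self.enableSSSDAuth:` branch rewrites sssd.conf via writeSSSDPAM without the `all_configs[CFG_SSSD].backup(self.backupDir)` call that writeSSSD performs before touching the file, so on this path the pre-change sssd.conf is not preserved in the backup directory the way the other configuration files are. Either call `all_configs[CFG_SSSD].backup(self.backupDir)` here before `self.writeSSSDPAM()`, or move the backup into writeSSSDPAM and drop it from writeSSSD so it is taken exactly once. The enclosing method extends outside the hunk.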
@@ -4250,7 +4288,8 @@
 		print " LDAP server = \"%s\"" % self.ldapServer
 		print " LDAP base DN = \"%s\"" % self.ldapBaseDN
 		print " LDAP schema = \"%s\"" % (self.ldapSchema or "rfc2307")
-		print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard)
+		print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard and not (self.enableSSSDAuth and self.smartcardModule == "sssd"))
+		print "SSSD smartcard support is %s" % formatBool(self.enableSmartcard and (self.enableSSSDAuth and self.smartcardModule == "sssd"))
 		print " use only smartcard for login is %s" % formatBool(self.forceSmartcard)
 		print " smartcard module = \"%s\"" % self.smartcardModule
 		print " smartcard removal action = \"%s\"" % self.smartcardAction
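Review bot: The expression `self.enableSSSDAuth and self.smartcardModule == "sssd"` is now written out here twice and again in writeSSSDPAM and writePAM; a small helper such as `def useSSSDSmartcard(self): return self.enableSSSDAuth and self.smartcardModule == "sssd"` would keep the four sites from drifting apart. Also, the new `"SSSD smartcard support is %s"` label has no leading space, unlike the surrounding `" LDAP ..."` and `" use only smartcard ..."` lines; the pre-existing `"pam_pkcs11 is %s"` line already had this inconsistency, so this is a good moment to align both. The enclosing print method continues outside the hunk.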