|
 |
bac598 |
From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001
|
|
|
bac598 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
bac598 |
Date: Wed, 20 Jan 2021 18:25:04 +0100
|
|
|
bac598 |
Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial
|
|
|
bac598 |
domains lookup
|
|
|
bac598 |
MIME-Version: 1.0
|
|
|
bac598 |
Content-Type: text/plain; charset=UTF-8
|
|
|
bac598 |
Content-Transfer-Encoding: 8bit
|
|
|
bac598 |
|
|
|
bac598 |
During startup SSSD's responders send a getDomains request to all
|
|
|
bac598 |
backends to refresh some domain related needed by the responders.
|
|
|
bac598 |
|
|
|
bac598 |
The PAM responder specifically needs the certificate mapping and
|
|
|
bac598 |
matching rules when Smartcard authentication is enable. Currently the
|
|
|
bac598 |
rules are not refreshed at the end of the initial request but the code
|
|
|
bac598 |
assumed that the related structures are initialized after the request
|
|
|
bac598 |
finished.
|
|
|
bac598 |
|
|
|
bac598 |
To avoid a race condition this patch adds a callback to the end of the
|
|
|
bac598 |
request to make sure the rules are properly refreshed even if they are
|
|
|
bac598 |
already initialized before.
|
|
|
bac598 |
|
|
|
bac598 |
Resolves: https://github.com/SSSD/sssd/issues/5469
|
|
|
bac598 |
|
|
|
bac598 |
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
|
bac598 |
---
|
|
|
bac598 |
src/responder/pam/pamsrv.c | 14 +++++++++++++-
|
|
|
bac598 |
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
|
bac598 |
|
|
|
bac598 |
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
|
bac598 |
index 8b1ce2e92..65370662d 100644
|
|
|
bac598 |
--- a/src/responder/pam/pamsrv.c
|
|
|
bac598 |
+++ b/src/responder/pam/pamsrv.c
|
|
|
bac598 |
@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx)
|
|
|
bac598 |
return EOK;
|
|
|
bac598 |
}
|
|
|
bac598 |
|
|
|
bac598 |
+static void pam_get_domains_callback(void *pvt)
|
|
|
bac598 |
+{
|
|
|
bac598 |
+ struct pam_ctx *pctx;
|
|
|
bac598 |
+ int ret;
|
|
|
bac598 |
+
|
|
|
bac598 |
+ pctx = talloc_get_type(pvt, struct pam_ctx);
|
|
|
bac598 |
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
|
|
|
bac598 |
+ if (ret != EOK) {
|
|
|
bac598 |
+ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+}
|
|
|
bac598 |
+
|
|
|
bac598 |
static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
|
bac598 |
struct tevent_context *ev,
|
|
|
bac598 |
struct confdb_ctx *cdb,
|
|
|
bac598 |
@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
|
bac598 |
responder_set_fd_limit(fd_limit);
|
|
|
bac598 |
|
|
|
bac598 |
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
|
|
|
bac598 |
- NULL, NULL);
|
|
|
bac598 |
+ pam_get_domains_callback, pctx);
|
|
|
bac598 |
if (ret != EOK) {
|
|
|
bac598 |
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
|
bac598 |
goto done;
|
|
|
bac598 |
--
|
|
|
bac598 |
2.21.3
|
|
|
bac598 |
|