|
 |
7a7bf9 |
diff -Naur old/authinfo.py new/authinfo.py
|
|
|
7a7bf9 |
--- old/authinfo.py 2017-03-28 13:38:56.610467419 +0200
|
|
|
7a7bf9 |
+++ new/authinfo.py 2017-03-28 13:55:43.626505569 +0200
|
|
|
7a7bf9 |
@@ -334,6 +334,10 @@
|
|
|
7a7bf9 |
"wait_for_card"
|
|
|
7a7bf9 |
]
|
|
|
7a7bf9 |
|
|
|
7a7bf9 |
+argv_sssd_missing_name = [
|
|
|
7a7bf9 |
+ "allow_missing_name"
|
|
|
7a7bf9 |
+]
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
argv_krb5_auth = [
|
|
|
7a7bf9 |
"use_first_pass"
|
|
|
7a7bf9 |
]
|
|
|
7a7bf9 |
@@ -736,6 +740,8 @@
|
|
|
7a7bf9 |
pam_modules[SMARTCARD] = [
|
|
|
7a7bf9 |
[True, AUTH, LOGIC_REQUIRED,
|
|
|
7a7bf9 |
"env", []],
|
|
|
7a7bf9 |
+ [False, AUTH, LOGIC_SUFFICIENT,
|
|
|
7a7bf9 |
+ "sss", argv_sssd_missing_name],
|
|
|
7a7bf9 |
[False, AUTH, LOGIC_PKCS11,
|
|
|
7a7bf9 |
"pkcs11", argv_force_pkcs11_auth],
|
|
|
7a7bf9 |
[False, AUTH, LOGIC_OPTIONAL,
|
|
|
7a7bf9 |
@@ -1428,7 +1434,7 @@
|
|
|
7a7bf9 |
("kerberosAdminServer", "i"), ("kerberosRealmviaDNS", "b"),
|
|
|
7a7bf9 |
("kerberosKDCviaDNS", "b")]),
|
|
|
7a7bf9 |
SaveGroup(self.writeSSSD, self.toggleSSSDService, [("ldapServer", "i"), ("ldapBaseDN", "c"), ("enableLDAPS", "b"),
|
|
|
7a7bf9 |
- ("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"),
|
|
|
7a7bf9 |
+ ("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"), ("enableSmartcard", "b"),
|
|
|
7a7bf9 |
("kerberosRealm", "c"), ("kerberosKDC", "i"), ("kerberosAdminServer", "i"),
|
|
|
7a7bf9 |
("forceSSSDUpdate", "b"), ("enableLDAP", "b"), ("enableKerberos", "b"),
|
|
|
7a7bf9 |
("enableLDAPAuth", "b"), ("enableIPAv2", "b")]),
|
|
|
7a7bf9 |
@@ -3281,11 +3287,35 @@
|
|
|
7a7bf9 |
domain.remove_provider(subtype)
|
|
|
7a7bf9 |
domain.add_provider(newprovider, subtype)
|
|
|
7a7bf9 |
|
|
|
7a7bf9 |
+ def writeSSSDPAM(self):
|
|
|
7a7bf9 |
+ if not self.sssdConfig:
|
|
|
7a7bf9 |
+ return True
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
+ pam = self.sssdConfig.get_service('pam')
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
+ if self.enableSmartcard and self.enableSSSDAuth and self.smartcardModule == "sssd" :
|
|
|
7a7bf9 |
+ pam.set_option('pam_cert_auth', 'True')
|
|
|
7a7bf9 |
+ else:
|
|
|
7a7bf9 |
+ try:
|
|
|
7a7bf9 |
+ pam.remove_option('pam_cert_auth')
|
|
|
7a7bf9 |
+ except SSSDConfig.NoOptionError:
|
|
|
7a7bf9 |
+ pass
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
+ self.sssdConfig.save_service(pam)
|
|
|
7a7bf9 |
+ try:
|
|
|
7a7bf9 |
+ self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
|
|
|
7a7bf9 |
+ except IOError:
|
|
|
7a7bf9 |
+ pass
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
+ return True
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
def writeSSSD(self):
|
|
|
7a7bf9 |
if not self.sssdConfig:
|
|
|
7a7bf9 |
return True
|
|
|
7a7bf9 |
|
|
|
7a7bf9 |
all_configs[CFG_SSSD].backup(self.backupDir)
|
|
|
7a7bf9 |
+
|
|
|
7a7bf9 |
+ self.writeSSSDPAM()
|
|
|
7a7bf9 |
|
|
|
7a7bf9 |
if self.enableIPAv2:
|
|
|
7a7bf9 |
# just save the backup
|
|
|
7a7bf9 |
@@ -3855,7 +3885,7 @@
|
|
|
7a7bf9 |
args = self.mkhomedirArgs
|
|
|
7a7bf9 |
if name == "systemd":
|
|
|
7a7bf9 |
args = self.systemdArgs
|
|
|
7a7bf9 |
- if name == "sss" and stack == "auth" and not self.enableNIS:
|
|
|
7a7bf9 |
+ if name == "sss" and stack == "auth" and not self.enableNIS and not module[ARGV] == argv_sssd_missing_name:
|
|
|
7a7bf9 |
args = "forward_pass"
|
|
|
7a7bf9 |
if not args and module[ARGV]:
|
|
|
7a7bf9 |
args = " ".join(module[ARGV])
|
|
|
7a7bf9 |
@@ -3935,6 +3965,10 @@
|
|
|
7a7bf9 |
enableSmartcard = True
|
|
|
7a7bf9 |
forceSmartcard = True
|
|
|
7a7bf9 |
|
|
|
7a7bf9 |
+ # configure SSSD Smartcard support instead of
|
|
|
7a7bf9 |
+ # pam_pkcs11 if SSSD is used for authentication and no
|
|
|
7a7bf9 |
+ # Smartcard module is set, e.g. if pam_pkcs11 is not installed.
|
|
|
7a7bf9 |
+ use_sssd_smartcard_support = self.enableSSSDAuth and self.smartcardModule == "sssd"
|
|
|
7a7bf9 |
prevmodule = []
|
|
|
7a7bf9 |
for module in pam_modules[service]:
|
|
|
7a7bf9 |
if prevmodule and module[STACK] != prevmodule[STACK]:
|
|
|
7a7bf9 |
@@ -3952,15 +3986,17 @@
|
|
|
7a7bf9 |
((module[NAME] == "krb5" and module[ARGV] == argv_krb5_sc_auth) or
|
|
|
7a7bf9 |
(module[NAME] == "permit" and module[STACK] == AUTH))) or
|
|
|
7a7bf9 |
((self.enableLDAPAuth and not self.implicitSSSDAuth) and module[NAME] == "ldap") or
|
|
|
7a7bf9 |
- (enableSmartcard and module[STACK] == AUTH and
|
|
|
7a7bf9 |
+ (enableSmartcard and use_sssd_smartcard_support and module[NAME] == "sss" and module[ARGV] == argv_sssd_missing_name) or
|
|
|
7a7bf9 |
+ (enableSmartcard and not use_sssd_smartcard_support and module[STACK] == AUTH and
|
|
|
7a7bf9 |
module[NAME] == "succeed_if" and module[LOGIC] == LOGIC_SKIPNEXT) or
|
|
|
7a7bf9 |
- (enableSmartcard and module[NAME] == "pkcs11") or
|
|
|
7a7bf9 |
+ (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
|
|
|
7a7bf9 |
+ (enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
|
|
|
7a7bf9 |
(enableSmartcard and forceSmartcard and module[NAME] == "deny") or
|
|
|
7a7bf9 |
(enableFprintd and module[NAME] == "fprintd") or
|
|
|
7a7bf9 |
(self.enableOTP and module[NAME] == "otp") or
|
|
|
7a7bf9 |
(self.enablePasswdQC and module[NAME] == "passwdqc") or
|
|
|
7a7bf9 |
(self.enableWinbindAuth and module[NAME] == "winbind") or
|
|
|
7a7bf9 |
- ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
|
|
|
7a7bf9 |
+ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss" and module[ARGV] != argv_sssd_missing_name) or
|
|
|
7a7bf9 |
((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
|
|
|
7a7bf9 |
(not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
|
|
|
7a7bf9 |
(self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
|
|
|
7a7bf9 |
@@ -4093,6 +4129,8 @@
|
|
|
7a7bf9 |
ret = ret and self.writeWinbind()
|
|
|
7a7bf9 |
if self.implicitSSSD or self.implicitSSSDAuth:
|
|
|
7a7bf9 |
ret = ret and self.writeSSSD()
|
|
|
7a7bf9 |
+ elif self.enableSSSDAuth:
|
|
|
7a7bf9 |
+ ret = ret and self.writeSSSDPAM()
|
|
|
7a7bf9 |
ret = ret and self.writeNSS()
|
|
|
7a7bf9 |
ret = ret and self.writePAM()
|
|
|
7a7bf9 |
ret = ret and self.writeSysconfig()
|
|
|
7a7bf9 |
@@ -4250,7 +4288,8 @@
|
|
|
7a7bf9 |
print " LDAP server = \"%s\"" % self.ldapServer
|
|
|
7a7bf9 |
print " LDAP base DN = \"%s\"" % self.ldapBaseDN
|
|
|
7a7bf9 |
print " LDAP schema = \"%s\"" % (self.ldapSchema or "rfc2307")
|
|
|
7a7bf9 |
- print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard)
|
|
|
7a7bf9 |
+ print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard and not (self.enableSSSDAuth and self.smartcardModule == "sssd"))
|
|
|
7a7bf9 |
+ print "SSSD smartcard support is %s" % formatBool(self.enableSmartcard and (self.enableSSSDAuth and self.smartcardModule == "sssd"))
|
|
|
7a7bf9 |
print " use only smartcard for login is %s" % formatBool(self.forceSmartcard)
|
|
|
7a7bf9 |
print " smartcard module = \"%s\"" % self.smartcardModule
|
|
|
7a7bf9 |
print " smartcard removal action = \"%s\"" % self.smartcardAction
|