
From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 26 Jun 2020 12:07:48 +0200
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
 target
To avoid regression for case where files is used for proxy but authentication
is handled by another module than pam_unix, e.g. auth_provider = krb
This provides different solution to the ticket and improves the documentation.
Resolves:
https://github.com/SSSD/sssd/issues/5129
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/confdb/confdb.c     | 25 ++++++++++++++++++++-----
 src/man/sssd.conf.5.xml | 12 +++++++++---
 2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
8aada9
index 65ad18dcf..c2daa9a2c 100644
8aada9
--- a/src/confdb/confdb.c
8aada9
+++ b/src/confdb/confdb.c
8aada9
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
8aada9
     struct sss_domain_info *domain;
8aada9
     struct ldb_result *res;
8aada9
     TALLOC_CTX *tmp_ctx;
8aada9
-    const char *tmp;
8aada9
+    const char *tmp, *tmp_pam_target, *tmp_auth;
8aada9
     int ret, val;
8aada9
     uint32_t entry_cache_timeout;
8aada9
     char *default_domain;
8aada9
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
8aada9
     }
8aada9
 
8aada9
     if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
8aada9
-        /* The password field must be  reported as 'x' for proxy provider
8aada9
-         * using files library, else pam_unix won't
8aada9
-         * authenticate this entry. */
8aada9
+        /* The password field must be reported as 'x' for proxy provider
8aada9
+         * using files library, else pam_unix won't authenticate this entry.
8aada9
+         * We set this only for sssd-shadowutils target which can be used
8aada9
+         * to authenticate with pam_unix only. Otherwise we let administrator
8aada9
+         * to overwrite default * value with pwfield option to avoid regression
8aada9
+         * on more common use case where remote authentication is required. */
8aada9
         tmp = ldb_msg_find_attr_as_string(res->msgs[0],
8aada9
                                           CONFDB_PROXY_LIBNAME,
8aada9
                                           NULL);
8aada9
-        if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
8aada9
+
8aada9
+        tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
8aada9
+                                                CONFDB_DOMAIN_AUTH_PROVIDER,
8aada9
+                                                NULL);
8aada9
+
8aada9
+        tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
8aada9
+                                                     CONFDB_PROXY_PAM_TARGET,
8aada9
+                                                     NULL);
8aada9
+
8aada9
+        if (tmp != NULL && tmp_pam_target != NULL
8aada9
+            && strcasecmp(tmp, "files") == 0
8aada9
+            && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
8aada9
+            && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
8aada9
             domain->pwfield = "x";
8aada9
         }
8aada9
     }
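Review bot: The predicate closing the hunk mixes case-insensitive matching for the library name and auth provider (`strcasecmp(tmp, "files")`, `strcasecmp(tmp_auth, "proxy")`) with an exact `strcmp(tmp_pam_target, "sssd-shadowutils")`, and nothing in the code says whether that difference is intended. If it is, a one-line comment such as `/* proxy_pam_target is matched exactly: it names a PAM service configuration */` would keep the next reader from "fixing" it; if not, use strcasecmp for all three. The block comment above also does not say why `tmp_auth == NULL` counts as proxy authentication; if an unset auth_provider falls back to the id provider in confdb, stating that (`/* auth_provider unset: authentication falls back to the id provider, i.e. proxy */`) would make the condition self-explaining. The new comment's wording `let administrator to overwrite default * value` would also read better as `let the administrator override the default '*' value with the pwfield option`. confdb_get_domain_internal starts outside the hunk.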
8aada9
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
8aada9
index cae24bb63..44b3b8f20 100644
8aada9
--- a/src/man/sssd.conf.5.xml
8aada9
+++ b/src/man/sssd.conf.5.xml
8aada9
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
8aada9
                             <quote>password</quote> field.
8aada9
                         </para>
8aada9
                         <para>
8aada9
-                            This option can also be set per-domain.
8aada9
+                            Default: <quote>*</quote>
8aada9
                         </para>
8aada9
                         <para>
8aada9
-                            Default: <quote>*</quote> (remote domains)
8aada9
-                            or <quote>x</quote> (the files domain)
8aada9
+                            Note: This option can also be set per-domain which
8aada9
+                            overwrites the value in [nss] section.
8aada9
+                        </para>
8aada9
+                        <para>
8aada9
+                            Default: <quote>not set</quote> (remote domains),
8aada9
+                            <quote>x</quote> (the files domain),
8aada9
+                            <quote>x</quote> (proxy domain with nss_files
8aada9
+                            and sssd-shadowutils target)
8aada9
                         </para>
8aada9
                     </listitem>
8aada9
                 </varlistentry>
8aada9
-- 
2.21.3