
From f743c82d11ffafa1a48f9b7108eff072ecc9ab1c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 13:25:35 +0200
Subject: [PATCH 47/47] PAM: return short name for files provider users
If the 'allow_missing_name' option is used with pam_sss and the user
name will be determined based on the certificate content and the mapping
rules the PAM responder will by default return the fully-qualified name
of the user which is then later used by other PAM modules as well.
For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.
With this patch the PAM responder will return the short name for all
users handled by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit dbd717fe5b7d8dd640b6ade435b49edb3db5280a)
---
 src/responder/pam/pamsrv.h     |  3 ++-
 src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
 src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
 3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 60aa97967456b9b7ab35e64f103c1c9a17bef3a9..3a927bb39b1e03735c237cc6b5a33234c2f4e2ef 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
 errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
                             struct cert_auth_info **cert_list);
 
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+                              const char *sysdb_username,
                               struct cert_auth_info *cert_info,
                               enum response_type type);
 
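Review bot: The new `dom` parameter is undocumented in the header, and nothing here tells a caller which domain list to pass or that it is only consulted to resolve the domain part of `sysdb_username` back to a domain object. A short comment above the prototype, e.g. `/* dom: head of the responder's domain list; used to look up the domain of sysdb_username */`, would let callers outside pamsrv_cmd.c pass the right pointer without reading pamsrv_p11.c. The declaration of add_pam_cert_response is complete within the hunk.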
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a22afd225894872847a0fb13e202f927fd2ae124..553bf8fbbdb485f4a7b2610b894b1a78b4e47317 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
                      preq->current_cert != NULL;
                      preq->current_cert = sss_cai_get_next(preq->current_cert)) {
 
-                    ret = add_pam_cert_response(preq->pd, "",
+                    ret = add_pam_cert_response(preq->pd,
+                                       preq->cctx->rctx->domains, "",
                                        preq->current_cert,
                                        preq->cctx->rctx->domains->user_name_hint
                                             ? SSS_PAM_CERT_INFO_WITH_HINT
@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
 
             if (preq->cctx->rctx->domains->user_name_hint
                     && preq->pd->cmd == SSS_PAM_PREAUTH) {
-                ret = add_pam_cert_response(preq->pd, cert_user,
+                ret = add_pam_cert_response(preq->pd,
+                                            preq->cctx->rctx->domains, cert_user,
                                             preq->cert_list,
                                             SSS_PAM_CERT_INFO_WITH_HINT);
                 preq->pd->pam_status = PAM_SUCCESS;
@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
              * SSS_PAM_CERT_INFO message to send the name to the caller. */
             if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
                     && preq->pd->logon_name == NULL) {
-                ret = add_pam_cert_response(preq->pd, cert_user,
+                ret = add_pam_cert_response(preq->pd,
+                                            preq->cctx->rctx->domains, cert_user,
                                             preq->cert_list,
                                             SSS_PAM_CERT_INFO);
                 if (ret != EOK) {
@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
                                   "the backend.\n");
                         }
 
-                        ret = add_pam_cert_response(preq->pd, cert_user,
+                        ret = add_pam_cert_response(preq->pd,
+                                                    preq->cctx->rctx->domains,
+                                                    cert_user,
                                                     preq->current_cert,
                                                     SSS_PAM_CERT_INFO);
                         if (ret != EOK) {
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 491bd2b01d7bf9137b37c35f9da9eca1eed95a6d..785b29c99a65ec7167b31f746fd9a897b038d817 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
  * used when running gdm-password. */
 #define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
 
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+                              const char *sysdb_username,
                               struct cert_auth_info *cert_info,
                               enum response_type type)
 {
@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
     char *env = NULL;
     size_t msg_len;
     int ret;
+    char *short_name = NULL;
+    char *domain_name = NULL;
+    const char *cert_info_name = sysdb_username;
+
 
     if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
      * Smartcard. If this type of name is irritating at the PIN prompt or the
      * re_expression config option was set in a way that user@domain cannot be
      * handled anymore some more logic has to be added here. But for the time
-     * being I think using sysdb_username is fine. */
+     * being I think using sysdb_username is fine.
+     * As special case is the files provider which handles local users which
+     * by definition only have a short name. To avoid confusion by other
+     * modules on the PAM stack the short name is returned in this case. */
 
-    ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
+    if (sysdb_username != NULL) {
+        ret = sss_parse_internal_fqname(pd, sysdb_username,
+                                        &short_name, &domain_name);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
+                                       "using full name.\n",
+                                        sysdb_username, ret, sss_strerror(ret));
+        } else {
+            if (domain_name != NULL
+                    &&  is_files_provider(find_domain_by_name(dom, domain_name,
+                                                              false))) {
+                cert_info_name = short_name;
+            }
+        }
+    }
+
+    ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
+    talloc_free(short_name);
+    talloc_free(domain_name);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
         return ret;
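Review bot: The new guard `if (sysdb_username != NULL)` lets the empty string through, and the pam_forwarder_lookup_by_cert_done call site in the pamsrv_cmd.c hunk at line 1645 still passes `""` as sysdb_username; unless sss_parse_internal_fqname accepts an empty name, every multi-certificate preauth listing will now emit an "Unable to parse name" message at SSSDBG_CRIT_FAILURE for a case that is expected rather than an error. A narrower guard, `if (sysdb_username != NULL && *sysdb_username != '\0') {`, keeps the previous behaviour for that caller, and since the function deliberately continues with the full name the fallback message could be logged at SSSDBG_OP_FAILURE like the pack_cert_data failure below it. Two smaller points: the added `+` blank line after `cert_info_name` sits directly before an existing empty line, leaving two consecutive blank lines after the declarations, and the new comment sentence should read `A special case is the files provider`. add_pam_cert_response continues past the end of the hunk.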
-- 
2.14.4