|
 |
ecf709 |
From 3f32e79858f268ce6501de44e5158e8c12f688dd Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
Date: Wed, 22 Mar 2017 13:01:18 +0100
|
|
|
ecf709 |
Subject: [PATCH 72/72] KRB5: Authenticate users in a non-POSIX domain using a
|
|
|
ecf709 |
MEMORY ccache
|
|
|
ecf709 |
|
|
|
ecf709 |
Related to:
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/3310
|
|
|
ecf709 |
|
|
|
ecf709 |
The following changes were done to the Kerberos authentication code
|
|
|
ecf709 |
in order to support authentication in a non-POSIX environment:
|
|
|
ecf709 |
- delayed authentication is disabled in non-POSIX domains
|
|
|
ecf709 |
- when a user logs in in a non-POSIX domain, SSSD uses a
|
|
|
ecf709 |
MEMORY:$username ccache and destroys is then krb5_child finishes
|
|
|
ecf709 |
so that just the numeric result is used
|
|
|
ecf709 |
- krb5_child doesn't drop privileges in this configuration because
|
|
|
ecf709 |
there is nothing to drop privileges to
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/krb5/krb5_auth.c | 62 ++++++++++++++++------
|
|
|
ecf709 |
src/providers/krb5/krb5_auth.h | 2 +
|
|
|
ecf709 |
src/providers/krb5/krb5_child.c | 32 +++++++++--
|
|
|
ecf709 |
src/providers/krb5/krb5_child_handler.c | 15 +++++-
|
|
|
ecf709 |
.../krb5/krb5_delayed_online_authentication.c | 7 +++
|
|
|
ecf709 |
src/providers/krb5/krb5_init.c | 3 ++
|
|
|
ecf709 |
6 files changed, 99 insertions(+), 22 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
|
ecf709 |
index c2d6d7eeacc1f766024c4d629f25fd0f0be24e5e..2faf18d17a735476c20f9cc27b15be4a39cadc5c 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_auth.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_auth.c
|
|
|
ecf709 |
@@ -42,6 +42,8 @@
|
|
|
ecf709 |
#include "providers/krb5/krb5_utils.h"
|
|
|
ecf709 |
#include "providers/krb5/krb5_ccache.h"
|
|
|
ecf709 |
|
|
|
ecf709 |
+#define NON_POSIX_CCNAME_FMT "MEMORY:sssd_nonposix_dummy_%u"
|
|
|
ecf709 |
+
|
|
|
ecf709 |
static int krb5_mod_ccname(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
struct sysdb_ctx *sysdb,
|
|
|
ecf709 |
struct sss_domain_info *domain,
|
|
|
ecf709 |
@@ -200,6 +202,7 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
talloc_set_destructor((TALLOC_CTX *) kr, krb5_cleanup);
|
|
|
ecf709 |
|
|
|
ecf709 |
kr->pd = pd;
|
|
|
ecf709 |
+ kr->dom = dom;
|
|
|
ecf709 |
kr->krb5_ctx = krb5_ctx;
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = get_krb_primary(krb5_ctx->name_to_primary,
|
|
|
ecf709 |
@@ -275,8 +278,11 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
|
|
|
ecf709 |
return;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid);
|
|
|
ecf709 |
- if (ret != EOK) {
|
|
|
ecf709 |
+ ret = add_user_to_delayed_online_authentication(krb5_ctx, domain, pd, uid);
|
|
|
ecf709 |
+ if (ret == ENOTSUP) {
|
|
|
ecf709 |
+ /* This error is not fatal */
|
|
|
ecf709 |
+ DEBUG(SSSDBG_MINOR_FAILURE, "Delayed authentication not supported\n");
|
|
|
ecf709 |
+ } else if (ret != EOK) {
|
|
|
ecf709 |
/* This error is not fatal */
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
ecf709 |
"add_user_to_delayed_online_authentication failed.\n");
|
|
|
ecf709 |
@@ -291,21 +297,43 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
|
|
|
ecf709 |
{
|
|
|
ecf709 |
const char *ccname_template;
|
|
|
ecf709 |
|
|
|
ecf709 |
- ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
|
|
|
ecf709 |
+ switch (kr->dom->type) {
|
|
|
ecf709 |
+ case DOM_TYPE_POSIX:
|
|
|
ecf709 |
+ ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL);
|
|
|
ecf709 |
|
|
|
ecf709 |
- kr->ccname = expand_ccname_template(kr, kr, ccname_template,
|
|
|
ecf709 |
- kr->krb5_ctx->illegal_path_re, true,
|
|
|
ecf709 |
- be_ctx->domain->case_sensitive);
|
|
|
ecf709 |
- if (kr->ccname == NULL) {
|
|
|
ecf709 |
- DEBUG(SSSDBG_CRIT_FAILURE, "expand_ccname_template failed.\n");
|
|
|
ecf709 |
- return ENOMEM;
|
|
|
ecf709 |
- }
|
|
|
ecf709 |
+ kr->ccname = expand_ccname_template(kr, kr, ccname_template,
|
|
|
ecf709 |
+ kr->krb5_ctx->illegal_path_re, true,
|
|
|
ecf709 |
+ be_ctx->domain->case_sensitive);
|
|
|
ecf709 |
+ if (kr->ccname == NULL) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "expand_ccname_template failed.\n");
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
|
|
|
ecf709 |
- kr->old_ccname = ldb_msg_find_attr_as_string(user_msg,
|
|
|
ecf709 |
- SYSDB_CCACHE_FILE, NULL);
|
|
|
ecf709 |
- if (kr->old_ccname == NULL) {
|
|
|
ecf709 |
- DEBUG(SSSDBG_TRACE_LIBS,
|
|
|
ecf709 |
- "No ccache file for user [%s] found.\n", kr->pd->user);
|
|
|
ecf709 |
+ kr->old_ccname = ldb_msg_find_attr_as_string(user_msg,
|
|
|
ecf709 |
+ SYSDB_CCACHE_FILE, NULL);
|
|
|
ecf709 |
+ if (kr->old_ccname == NULL) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_LIBS,
|
|
|
ecf709 |
+ "No ccache file for user [%s] found.\n", kr->pd->user);
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ break;
|
|
|
ecf709 |
+ case DOM_TYPE_APPLICATION:
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
ecf709 |
+ "Domain type application, will use in-memory ccache\n");
|
|
|
ecf709 |
+ /* We don't care about using cryptographic randomness, just
|
|
|
ecf709 |
+ * a non-predictable ccname, so using rand() here is fine
|
|
|
ecf709 |
+ */
|
|
|
ecf709 |
+ kr->ccname = talloc_asprintf(kr,
|
|
|
ecf709 |
+ NON_POSIX_CCNAME_FMT,
|
|
|
ecf709 |
+ rand() % UINT_MAX);
|
|
|
ecf709 |
+ if (kr->ccname == NULL) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ break;
|
|
|
ecf709 |
+ default:
|
|
|
ecf709 |
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported domain type\n");
|
|
|
ecf709 |
+ return EINVAL;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
return EOK;
|
|
|
ecf709 |
@@ -617,7 +645,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
kr->uid = sss_view_ldb_msg_find_attr_as_uint64(state->domain,
|
|
|
ecf709 |
res->msgs[0],
|
|
|
ecf709 |
SYSDB_UIDNUM, 0);
|
|
|
ecf709 |
- if (kr->uid == 0) {
|
|
|
ecf709 |
+ if (kr->uid == 0 && state->domain->type == DOM_TYPE_POSIX) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CONF_SETTINGS,
|
|
|
ecf709 |
"UID for user [%s] not known.\n", pd->user);
|
|
|
ecf709 |
ret = ENOENT;
|
|
|
ecf709 |
@@ -627,7 +655,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
kr->gid = sss_view_ldb_msg_find_attr_as_uint64(state->domain,
|
|
|
ecf709 |
res->msgs[0],
|
|
|
ecf709 |
SYSDB_GIDNUM, 0);
|
|
|
ecf709 |
- if (kr->gid == 0) {
|
|
|
ecf709 |
+ if (kr->gid == 0 && state->domain->type == DOM_TYPE_POSIX) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CONF_SETTINGS,
|
|
|
ecf709 |
"GID for user [%s] not known.\n", pd->user);
|
|
|
ecf709 |
ret = ENOENT;
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
|
|
|
ecf709 |
index 75ad916e79b29043120543ab3c4c1bd27e09d913..8ad3aeff21e58f9055ae144eaa450992c6391ba6 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_auth.h
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_auth.h
|
|
|
ecf709 |
@@ -50,6 +50,7 @@
|
|
|
ecf709 |
struct krb5child_req {
|
|
|
ecf709 |
struct pam_data *pd;
|
|
|
ecf709 |
struct krb5_ctx *krb5_ctx;
|
|
|
ecf709 |
+ struct sss_domain_info *dom;
|
|
|
ecf709 |
|
|
|
ecf709 |
const char *ccname;
|
|
|
ecf709 |
const char *old_ccname;
|
|
|
ecf709 |
@@ -118,6 +119,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
|
|
|
ecf709 |
struct krb5_child_response **_res);
|
|
|
ecf709 |
|
|
|
ecf709 |
errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
|
|
|
ecf709 |
+ struct sss_domain_info *domain,
|
|
|
ecf709 |
struct pam_data *pd,
|
|
|
ecf709 |
uid_t uid);
|
|
|
ecf709 |
errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
index a4128dda6b0861a95dba223047d66c4158b1afb6..cbbc892bee0365892ac66d3654c974d325166b60 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
@@ -80,6 +80,7 @@ struct krb5_req {
|
|
|
ecf709 |
char *ccname;
|
|
|
ecf709 |
char *keytab;
|
|
|
ecf709 |
bool validate;
|
|
|
ecf709 |
+ bool posix_domain;
|
|
|
ecf709 |
bool send_pac;
|
|
|
ecf709 |
bool use_enterprise_princ;
|
|
|
ecf709 |
char *fast_ccname;
|
|
|
ecf709 |
@@ -102,6 +103,16 @@ struct krb5_req {
|
|
|
ecf709 |
static krb5_context krb5_error_ctx;
|
|
|
ecf709 |
#define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
|
|
|
ecf709 |
|
|
|
ecf709 |
+static errno_t k5c_become_user(uid_t uid, gid_t gid, bool is_posix)
|
|
|
ecf709 |
+{
|
|
|
ecf709 |
+ if (is_posix == false) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
ecf709 |
+ "Will not drop privileges for a non-POSIX user\n");
|
|
|
ecf709 |
+ return EOK;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ return become_user(uid, gid);
|
|
|
ecf709 |
+}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
static krb5_error_code set_lifetime_options(struct cli_opts *cli_opts,
|
|
|
ecf709 |
krb5_get_init_creds_opt *options)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
@@ -1561,6 +1572,15 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
|
|
ecf709 |
DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ /* In a non-POSIX environment, we only care about the return code from
|
|
|
ecf709 |
+ * krb5_child, so let's not even attempt to create the ccache
|
|
|
ecf709 |
+ */
|
|
|
ecf709 |
+ if (kr->posix_domain == false) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_LIBS,
|
|
|
ecf709 |
+ "Finished authentication in a non-POSIX domain\n");
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
/* If kr->ccname is cache collection (DIR:/...), we want to work
|
|
|
ecf709 |
* directly with file ccache (DIR::/...), but cache collection
|
|
|
ecf709 |
* should be returned back to back end.
|
|
|
ecf709 |
@@ -2146,6 +2166,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
|
|
|
ecf709 |
size_t p = 0;
|
|
|
ecf709 |
uint32_t len;
|
|
|
ecf709 |
uint32_t validate;
|
|
|
ecf709 |
+ uint32_t posix_domain;
|
|
|
ecf709 |
uint32_t send_pac;
|
|
|
ecf709 |
uint32_t use_enterprise_princ;
|
|
|
ecf709 |
struct pam_data *pd;
|
|
|
ecf709 |
@@ -2167,6 +2188,8 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32_CHECK(&kr->gid, buf + p, size, &p);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p);
|
|
|
ecf709 |
kr->validate = (validate == 0) ? false : true;
|
|
|
ecf709 |
+ SAFEALIGN_COPY_UINT32_CHECK(&posix_domain, buf + p, size, &p);
|
|
|
ecf709 |
+ kr->posix_domain = (posix_domain == 0) ? false : true;
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p);
|
|
|
ecf709 |
kr->send_pac = (send_pac == 0) ? false : true;
|
|
|
ecf709 |
@@ -2331,6 +2354,7 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
krb5_context ctx,
|
|
|
ecf709 |
uid_t fast_uid,
|
|
|
ecf709 |
gid_t fast_gid,
|
|
|
ecf709 |
+ bool posix_domain,
|
|
|
ecf709 |
struct cli_opts *cli_opts,
|
|
|
ecf709 |
const char *primary,
|
|
|
ecf709 |
const char *realm,
|
|
|
ecf709 |
@@ -2420,7 +2444,7 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
/* Try to carry on */
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- kerr = become_user(fast_uid, fast_gid);
|
|
|
ecf709 |
+ kerr = k5c_become_user(fast_uid, fast_gid, posix_domain);
|
|
|
ecf709 |
if (kerr != 0) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed: %d\n", kerr);
|
|
|
ecf709 |
exit(1);
|
|
|
ecf709 |
@@ -2572,7 +2596,7 @@ static int k5c_setup_fast(struct krb5_req *kr, bool demand)
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
kerr = check_fast_ccache(kr, kr->ctx, kr->fast_uid, kr->fast_gid,
|
|
|
ecf709 |
- kr->cli_opts,
|
|
|
ecf709 |
+ kr->posix_domain, kr->cli_opts,
|
|
|
ecf709 |
fast_principal, fast_principal_realm,
|
|
|
ecf709 |
kr->keytab, &kr->fast_ccname);
|
|
|
ecf709 |
if (kerr != 0) {
|
|
|
ecf709 |
@@ -2773,7 +2797,7 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
|
|
|
ecf709 |
* the user who is logging in. The same applies to the offline case
|
|
|
ecf709 |
* the user who is logging in. The same applies to the offline case.
|
|
|
ecf709 |
*/
|
|
|
ecf709 |
- kerr = become_user(kr->uid, kr->gid);
|
|
|
ecf709 |
+ kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
|
|
|
ecf709 |
if (kerr != 0) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
|
|
|
ecf709 |
return kerr;
|
|
|
ecf709 |
@@ -3075,7 +3099,7 @@ int main(int argc, const char *argv[])
|
|
|
ecf709 |
if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
|
|
|
ecf709 |
&& sss_authtok_get_type(kr->pd->authtok)
|
|
|
ecf709 |
!= SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
|
|
|
ecf709 |
- kerr = become_user(kr->uid, kr->gid);
|
|
|
ecf709 |
+ kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
|
|
|
ecf709 |
if (kerr != 0) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
|
|
|
ecf709 |
ret = EFAULT;
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
|
|
ecf709 |
index 680e67b089fcb32280352af24aae35af133a52f3..87e79a06e917aadb622455bccfc2e9c6769f70c2 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_child_handler.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_child_handler.c
|
|
|
ecf709 |
@@ -107,6 +107,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
ecf709 |
uint32_t validate;
|
|
|
ecf709 |
uint32_t send_pac;
|
|
|
ecf709 |
uint32_t use_enterprise_principal;
|
|
|
ecf709 |
+ uint32_t posix_domain;
|
|
|
ecf709 |
size_t username_len = 0;
|
|
|
ecf709 |
errno_t ret;
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -131,6 +132,17 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
ecf709 |
break;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ switch (kr->dom->type) {
|
|
|
ecf709 |
+ case DOM_TYPE_POSIX:
|
|
|
ecf709 |
+ posix_domain = 1;
|
|
|
ecf709 |
+ break;
|
|
|
ecf709 |
+ case DOM_TYPE_APPLICATION:
|
|
|
ecf709 |
+ posix_domain = 0;
|
|
|
ecf709 |
+ break;
|
|
|
ecf709 |
+ default:
|
|
|
ecf709 |
+ return EINVAL;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
if (kr->pd->cmd == SSS_CMD_RENEW || kr->is_offline) {
|
|
|
ecf709 |
use_enterprise_principal = false;
|
|
|
ecf709 |
} else {
|
|
|
ecf709 |
@@ -151,7 +163,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
ecf709 |
kr->pd->cmd == SSS_CMD_RENEW ||
|
|
|
ecf709 |
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
|
|
|
ecf709 |
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
|
|
|
ecf709 |
- buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
|
|
|
ecf709 |
+ buf->size += 5*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
|
|
|
ecf709 |
sss_authtok_get_size(kr->pd->authtok);
|
|
|
ecf709 |
|
|
|
ecf709 |
buf->size += sizeof(uint32_t);
|
|
|
ecf709 |
@@ -182,6 +194,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->uid, &rp);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp);
|
|
|
ecf709 |
+ SAFEALIGN_COPY_UINT32(&buf->data[rp], &posix_domain, &rp);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp);
|
|
|
ecf709 |
SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp);
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
|
|
|
ecf709 |
index bf2ef775573ba6bad79a99ad43b5d9748516e794..1cb7eade0e4cb9afbc4d031a07b3519ba08456d6 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
|
|
|
ecf709 |
@@ -234,6 +234,7 @@ static void delayed_online_authentication_callback(void *private_data)
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
|
|
|
ecf709 |
+ struct sss_domain_info *domain,
|
|
|
ecf709 |
struct pam_data *pd,
|
|
|
ecf709 |
uid_t uid)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
@@ -242,6 +243,12 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
|
|
|
ecf709 |
hash_value_t value;
|
|
|
ecf709 |
struct pam_data *new_pd;
|
|
|
ecf709 |
|
|
|
ecf709 |
+ if (domain->type != DOM_TYPE_POSIX) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
ecf709 |
+ "Domain type does not support delayed authentication\n");
|
|
|
ecf709 |
+ return ENOTSUP;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
if (krb5_ctx->deferred_auth_ctx == NULL) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
ecf709 |
"Missing context for delayed online authentication.\n");
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
|
|
|
ecf709 |
index 12c8dfcc49af75de619ec0858aaff81504698273..66ae68fb4773af3987f2062246bc6493107c74d5 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_init.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_init.c
|
|
|
ecf709 |
@@ -136,6 +136,9 @@ errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
return ENOMEM;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ /* Only needed to generate random ccache names for non-POSIX domains */
|
|
|
ecf709 |
+ srand(time(NULL) * getpid());
|
|
|
ecf709 |
+
|
|
|
ecf709 |
ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, &ctx->opts);
|
|
|
ecf709 |
if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n",
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3
|
|
|
ecf709 |
|