From 0f0480dd1c227a841542d621a778e23cf637a644 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 7 Sep 2016 12:07:36 +0200
Subject: [PATCH 135/135] KRB5: Send the output username, not internal fqname
to krb5_child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member to the
krb5child_req structure to avoid reusing the pd->user variable but have
an explicit one that serves as the input for the child process.
Resolves:
https://fedorahosted.org/sssd/ticket/3172
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_access.c | 10 ++++++++--
src/providers/krb5/krb5_auth.c | 18 ++++++++++++++----
src/providers/krb5/krb5_auth.h | 9 ++++++---
src/providers/krb5/krb5_child_handler.c | 4 ++--
4 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
|
|
|
b2d430 |
index 3afb90150d77ef4ab2c1b5b79abb95d68eb131f6..be9068c0f9180f8de0de259aae368534effaf7fb 100644
|
|
|
b2d430 |
--- a/src/providers/krb5/krb5_access.c
|
|
|
b2d430 |
+++ b/src/providers/krb5/krb5_access.c
|
|
|
b2d430 |
@@ -51,6 +51,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
|
|
|
b2d430 |
int ret;
|
|
|
b2d430 |
const char **attrs;
|
|
|
b2d430 |
struct ldb_result *res;
|
|
|
b2d430 |
+ struct sss_domain_info *dom;
|
|
|
b2d430 |
|
|
|
b2d430 |
req = tevent_req_create(mem_ctx, &state, struct krb5_access_state);
|
|
|
b2d430 |
if (req == NULL) {
|
|
|
b2d430 |
@@ -64,8 +65,13 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
|
|
|
b2d430 |
state->krb5_ctx = krb5_ctx;
|
|
|
b2d430 |
state->access_allowed = false;
|
|
|
b2d430 |
|
|
|
b2d430 |
- ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive,
|
|
|
b2d430 |
- &state->kr);
|
|
|
b2d430 |
+ ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom;;
|
|
|
b2d430 |
+ if (ret != EOK) {
|
|
|
b2d430 |
+ DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n");
|
|
|
b2d430 |
+ goto done;
|
|
|
b2d430 |
+ }
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ ret = krb5_setup(state, pd, dom, krb5_ctx, &state->kr);
|
|
|
b2d430 |
if (ret != EOK) {
|
|
|
b2d430 |
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
|
|
|
b2d430 |
goto done;
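Review bot: The line `ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom;;` looks like an extraction artifact of `&dom);` and should be confirmed against the tree before this copy is relied on. On the failure path the code jumps to `done` with `state->access_allowed` already initialised to false a few lines above, so an unresolvable `pd->domain` fails closed rather than granting access, which is the right default for an access-control step; the `done` label itself lies outside the hunk. A one-line comment on the new lookup would make the intent explicit for later readers: `/* Resolve the (sub)domain so the case handling of the kuserok name matches the domain the user actually belongs to. */`.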
|
|
|
b2d430 |
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
|
b2d430 |
index dabf55cf24a8afda16fee6697120c7c6f088b796..f0f2280022a3ee951ccfa0040b616c48c3b25706 100644
|
|
|
b2d430 |
--- a/src/providers/krb5/krb5_auth.c
|
|
|
b2d430 |
+++ b/src/providers/krb5/krb5_auth.c
|
|
|
b2d430 |
@@ -174,8 +174,10 @@ done:
|
|
|
b2d430 |
return ret;
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
|
|
|
b2d430 |
- struct krb5_ctx *krb5_ctx, bool cs,
|
|
|
b2d430 |
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
|
|
|
b2d430 |
+ struct pam_data *pd,
|
|
|
b2d430 |
+ struct sss_domain_info *dom,
|
|
|
b2d430 |
+ struct krb5_ctx *krb5_ctx,
|
|
|
b2d430 |
struct krb5child_req **_krb5_req)
|
|
|
b2d430 |
{
|
|
|
b2d430 |
struct krb5child_req *kr;
|
|
|
b2d430 |
@@ -201,13 +203,21 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
|
|
|
b2d430 |
kr->krb5_ctx = krb5_ctx;
|
|
|
b2d430 |
|
|
|
b2d430 |
ret = get_krb_primary(krb5_ctx->name_to_primary,
|
|
|
b2d430 |
- pd->user, cs, &mapped_name);
|
|
|
b2d430 |
+ pd->user, dom->case_sensitive, &mapped_name);
|
|
|
b2d430 |
if (ret == EOK) {
|
|
|
b2d430 |
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
|
|
|
b2d430 |
kr->user = mapped_name;
|
|
|
b2d430 |
+ kr->kuserok_user = mapped_name;
|
|
|
b2d430 |
} else if (ret == ENOENT) {
|
|
|
b2d430 |
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
|
|
|
b2d430 |
kr->user = pd->user;
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ kr->kuserok_user = sss_output_name(kr, kr->user,
|
|
|
b2d430 |
+ dom->case_sensitive, 0);
|
|
|
b2d430 |
+ if (kr->kuserok_user == NULL) {
|
|
|
b2d430 |
+ ret = ENOMEM;
|
|
|
b2d430 |
+ goto done;
|
|
|
b2d430 |
+ }
|
|
|
b2d430 |
} else {
|
|
|
b2d430 |
DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n",
|
|
|
b2d430 |
sss_strerror(ret), ret);
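Review bot: In the ENOENT branch the name later handed to krb5_kuserok() is built with `sss_output_name(kr, kr->user, dom->case_sensitive, 0)`, and the literal `0` as the last argument means no space replacement is applied; if a domain is configured with `override_space`, the name `getpwnam()` returns for that account would presumably differ from what krb5_child sends to krb5_kuserok(), so the .k5login check could still fail for names containing spaces. If the replacement character is not reachable from the provider here, that limitation should at least be stated next to the call: `/* NOTE: no override_space replacement is applied; for names with spaces this may differ from the getpwnam() form. */`. The mapped-name branch assigns `kr->kuserok_user = mapped_name` with no normalisation, which seems intended since the mapping is administrator-controlled, but a comment saying so would help. krb5_setup continues outside the hunk on both ends.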
|
|
|
b2d430 |
@@ -534,7 +544,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
|
|
b2d430 |
attrs[6] = SYSDB_AUTH_TYPE;
|
|
|
b2d430 |
attrs[7] = NULL;
|
|
|
b2d430 |
|
|
|
b2d430 |
- ret = krb5_setup(state, pd, krb5_ctx, state->domain->case_sensitive,
|
|
|
b2d430 |
+ ret = krb5_setup(state, pd, state->domain, krb5_ctx,
|
|
|
b2d430 |
&state->kr);
|
|
|
b2d430 |
if (ret != EOK) {
|
|
|
b2d430 |
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
|
|
|
b2d430 |
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
|
|
|
b2d430 |
index dbad061f0203b6383daeeab506bf9950d892ea4b..11bb595833269177b7e2c5fc6372d6a6fb6d93d2 100644
|
|
|
b2d430 |
--- a/src/providers/krb5/krb5_auth.h
|
|
|
b2d430 |
+++ b/src/providers/krb5/krb5_auth.h
|
|
|
b2d430 |
@@ -57,11 +57,14 @@ struct krb5child_req {
|
|
|
b2d430 |
bool send_pac;
|
|
|
b2d430 |
|
|
|
b2d430 |
const char *user;
|
|
|
b2d430 |
+ const char *kuserok_user;
|
|
|
b2d430 |
};
|
|
|
b2d430 |
|
|
|
b2d430 |
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
|
|
|
b2d430 |
- struct krb5_ctx *krb5_ctx, bool case_sensitive,
|
|
|
b2d430 |
- struct krb5child_req **krb5_req);
|
|
|
b2d430 |
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
|
|
|
b2d430 |
+ struct pam_data *pd,
|
|
|
b2d430 |
+ struct sss_domain_info *dom,
|
|
|
b2d430 |
+ struct krb5_ctx *krb5_ctx,
|
|
|
b2d430 |
+ struct krb5child_req **_krb5_req);
|
|
|
b2d430 |
|
|
|
b2d430 |
struct tevent_req *
|
|
|
b2d430 |
krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
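Review bot: The new `kuserok_user` member sits directly under `user` with nothing explaining how the two differ, and that distinction is the security-relevant part of this change (which string krb5_child feeds to krb5_kuserok() during SSS_PAM_ACCT_MGMT). A short field comment would stop a future caller from reaching for `user` or `pd->user` again: `/* Output-form name (as getpwnam() returns it) sent to krb5_child for krb5_kuserok() in the access phase; never the internal fqname. */`. The prototype's last parameter is also renamed from `krb5_req` to `_krb5_req`, which now matches the definition in krb5_auth.c.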
|
|
|
b2d430 |
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
|
|
b2d430 |
index 09a1e5f59494a5c07d5c9eefb94919ca9389cb27..1eec7261f00976b3725fee9323755edecd5409a5 100644
|
|
|
b2d430 |
--- a/src/providers/krb5/krb5_child_handler.c
|
|
|
b2d430 |
+++ b/src/providers/krb5/krb5_child_handler.c
|
|
|
b2d430 |
@@ -161,7 +161,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
|
|
|
b2d430 |
- username_len = strlen(kr->pd->user);
|
|
|
b2d430 |
+ username_len = strlen(kr->kuserok_user);
|
|
|
b2d430 |
buf->size += sizeof(uint32_t) + username_len;
|
|
|
b2d430 |
}
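Review bot: `username_len = strlen(kr->kuserok_user);` assumes the field is populated, but from the rest of this patch it is only set on the two success branches of krb5_setup(); a krb5child_req built by any other path and sent with SSS_PAM_ACCT_MGMT would dereference NULL here, where the old code read `pd->user`, which is always present. A cheap guard keeps the failure explicit and fail-closed: `if (kr->kuserok_user == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Missing kuserok user name.\n"); return EINVAL; }`. Whether such a path exists is not visible from this hunk; create_send_buffer starts and ends outside it.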
|
|
|
b2d430 |
|
|
|
b2d430 |
@@ -217,7 +217,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
|
b2d430 |
|
|
|
b2d430 |
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
|
|
|
b2d430 |
SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp);
|
|
|
b2d430 |
- safealign_memcpy(&buf->data[rp], kr->pd->user, username_len, &rp);
|
|
|
b2d430 |
+ safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp);
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
*io_buf = buf;
--
2.7.4