From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Fri, 26 Jun 2020 12:07:48 +0200
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils target

To avoid regression for case where files is used for proxy but authentication is handled by other module then pam_unix. E.g. auth_provider = krb

This provides different solution to the ticket and improves the documentation.

Resolves: https://github.com/SSSD/sssd/issues/5129

Reviewed-by: Sumit Bose
---
 src/confdb/confdb.c | 25 ++++++++++++++++++++-----
 src/man/sssd.conf.5.xml | 12 +++++++++---
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 65ad18dcf..c2daa9a2c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 struct sss_domain_info *domain;
 struct ldb_result *res;
 TALLOC_CTX *tmp_ctx;
- const char *tmp;
+ const char *tmp, *tmp_pam_target, *tmp_auth;
 int ret, val;
 uint32_t entry_cache_timeout;
 char *default_domain;
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 }
 if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
- /* The password field must be reported as 'x' for proxy provider
- * using files library, else pam_unix won't
- * authenticate this entry. */
+ /* The password field must be reported as 'x' for proxy provider
+ * using files library, else pam_unix won't authenticate this entry.
+ * We set this only for sssd-shadowutils target which can be used
+ * to authenticate with pam_unix only. Otherwise we let administrator
+ * to overwrite default * value with pwfield option to avoid regression
+ * on more common use case where remote authentication is required. */
 tmp = ldb_msg_find_attr_as_string(res->msgs[0],
 CONFDB_PROXY_LIBNAME,
 NULL);
- if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
+
+ tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_AUTH_PROVIDER,
+ NULL);
+
+ tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_PROXY_PAM_TARGET,
+ NULL);
+
+ if (tmp != NULL && tmp_pam_target != NULL
+ && strcasecmp(tmp, "files") == 0
+ && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
+ && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
 domain->pwfield = "x";
 }
 }
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cae24bb63..44b3b8f20 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
 password field.
- This option can also be set per-domain.
+ Default: *
- Default: * (remote domains)
- or x (the files domain)
+ Note: This option can also be set per-domain which
+ overwrites the value in [nss] section.
+
+
+
+ Default: not set (remote domains),
+ x (the files domain),
+ x (proxy domain with nss_files
+ and sssd-shadowutils target)
-- 
2.21.3
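Review bot: The new `if` compares `tmp_pam_target` with `strcmp` while the neighbouring `tmp` and `tmp_auth` checks use `strcasecmp`, and nothing in the hunk says the case-sensitive match is deliberate. Exact matching is the right choice here — Linux-PAM resolves the service name as a file under /etc/pam.d, so a differently-cased `proxy_pam_target` names a different (probably nonexistent) stack — but the asymmetry will read as an oversight, so record it next to the check: `/* PAM service names are case-sensitive (files under /etc/pam.d), hence strcmp. */`. In the new comment, `default * value` reads as a stray asterisk; `the default '*' value` and `let the administrator override` say what is meant. If the per-domain `pwfield` option is parsed earlier in confdb_get_domain_internal (outside the hunk), the unconditional `domain->pwfield = "x"` still overrides an explicit per-domain setting in the sssd-shadowutils case, which is at odds with the comment's promise that the administrator can overwrite the value; either state that `x` wins there or guard the assignment with `if (domain->pwfield == NULL)`. The enclosing function confdb_get_domain_internal begins before and continues after the hunk.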