From 0f0480dd1c227a841542d621a778e23cf637a644 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 7 Sep 2016 12:07:36 +0200 Subject: [PATCH 135/135] KRB5: Send the output username, not internal fqname to krb5_child MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit krb5_child calls krb5_kuserok() during the access phase which checks if a particular user is allowed to authenticate as a particular principal. We used to pass the internal fqname to krb5_kuserok() which broke the functionality and all users were denied access. This patch changes that to send the 'output' username to krb5_child, because that's the username the system receives through getpwnam() or getpwuid() anyway. The patch also adds a new structure member fo the krb5child_req structure to avoid reusing the pd->user variable but have an explicit one that serves as the input for the child process. Resolves: https://fedorahosted.org/sssd/ticket/3172 Reviewed-by: Lukáš Slebodník --- src/providers/krb5/krb5_access.c | 10 ++++++++-- src/providers/krb5/krb5_auth.c | 18 ++++++++++++++---- src/providers/krb5/krb5_auth.h | 9 ++++++--- src/providers/krb5/krb5_child_handler.c | 4 ++-- 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c index 3afb90150d77ef4ab2c1b5b79abb95d68eb131f6..be9068c0f9180f8de0de259aae368534effaf7fb 100644 --- a/src/providers/krb5/krb5_access.c +++ b/src/providers/krb5/krb5_access.c @@ -51,6 +51,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, int ret; const char **attrs; struct ldb_result *res; + struct sss_domain_info *dom; req = tevent_req_create(mem_ctx, &state, struct krb5_access_state); if (req == NULL) { @@ -64,8 +65,13 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, state->krb5_ctx = krb5_ctx; state->access_allowed = false; - ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive, - &state->kr); + ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n"); + goto done; + } + + ret = krb5_setup(state, pd, dom, krb5_ctx, &state->kr); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n"); goto done; diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index dabf55cf24a8afda16fee6697120c7c6f088b796..f0f2280022a3ee951ccfa0040b616c48c3b25706 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -174,8 +174,10 @@ done: return ret; } -errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, - struct krb5_ctx *krb5_ctx, bool cs, +errno_t krb5_setup(TALLOC_CTX *mem_ctx, + struct pam_data *pd, + struct sss_domain_info *dom, + struct krb5_ctx *krb5_ctx, struct krb5child_req **_krb5_req) { struct krb5child_req *kr; @@ -201,13 +203,21 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, kr->krb5_ctx = krb5_ctx; ret = get_krb_primary(krb5_ctx->name_to_primary, - pd->user, cs, &mapped_name); + pd->user, dom->case_sensitive, &mapped_name); if (ret == EOK) { DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name); kr->user = mapped_name; + kr->kuserok_user = mapped_name; } else if (ret == ENOENT) { DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user); kr->user = pd->user; + + kr->kuserok_user = sss_output_name(kr, kr->user, + dom->case_sensitive, 0); + if (kr->kuserok_user == NULL) { + ret = ENOMEM; + goto done; + } } else { DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n", sss_strerror(ret), ret); @@ -534,7 +544,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, attrs[6] = SYSDB_AUTH_TYPE; attrs[7] = NULL; - ret = krb5_setup(state, pd, krb5_ctx, state->domain->case_sensitive, + ret = krb5_setup(state, pd, state->domain, krb5_ctx, &state->kr); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n"); diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h index dbad061f0203b6383daeeab506bf9950d892ea4b..11bb595833269177b7e2c5fc6372d6a6fb6d93d2 100644 --- a/src/providers/krb5/krb5_auth.h +++ b/src/providers/krb5/krb5_auth.h @@ -57,11 +57,14 @@ struct krb5child_req { bool send_pac; const char *user; + const char *kuserok_user; }; -errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, - struct krb5_ctx *krb5_ctx, bool case_sensitive, - struct krb5child_req **krb5_req); +errno_t krb5_setup(TALLOC_CTX *mem_ctx, + struct pam_data *pd, + struct sss_domain_info *dom, + struct krb5_ctx *krb5_ctx, + struct krb5child_req **_krb5_req); struct tevent_req * krb5_pam_handler_send(TALLOC_CTX *mem_ctx, diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 09a1e5f59494a5c07d5c9eefb94919ca9389cb27..1eec7261f00976b3725fee9323755edecd5409a5 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -161,7 +161,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, } if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { - username_len = strlen(kr->pd->user); + username_len = strlen(kr->kuserok_user); buf->size += sizeof(uint32_t) + username_len; } @@ -217,7 +217,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp); - safealign_memcpy(&buf->data[rp], kr->pd->user, username_len, &rp); + safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp); } *io_buf = buf; -- 2.7.4