From e9457990c14446fc46b72f7f927e6d5fc776d490 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 5 Mar 2015 15:10:43 +0100
Subject: [PATCH 27/99] PAM: use the logon_name as the key for the PAM initgr
cache
Currently the name member of the pam_data struct is used as a key but it
can change during a request. Especially for sub-domain users the name is
changed from the short to the fully-qualified version before the cache
entry is created. As a result the cache searches are always done with
the short name while the entry was written with the fully-qualified name.
The logon_name member of the pam_data struct contains the name which was
sent by the PAM client and is never changed during the request.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8)
---
src/responder/pam/pamsrv_cmd.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
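diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 86e763f825096edc0c07adbe2e02820e5f2bdac9..0b54402729e77f22391c6bd17fd8c937ddea3592 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1140,7 +1140,8 @@ static int pam_check_user_search(struct pam_auth_req *preq)
      * the number of updates within a reasonable timeout
      */
     if (preq->check_provider) {
-        ret = pam_initgr_check_timeout(pctx->id_table, name);
+        ret = pam_initgr_check_timeout(pctx->id_table,
+                                       preq->pd->logon_name);
         if (ret != EOK
             && ret != ENOENT) {
             DEBUG(SSSDBG_OP_FAILURE,
@@ -1334,7 +1335,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     int ret;
     struct pam_ctx *pctx =
             talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
-    char *name;
 
     if (err_maj) {
         DEBUG(SSSDBG_OP_FAILURE,
@@ -1346,17 +1346,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     ret = pam_check_user_search(preq);
     if (ret == EOK) {
         /* Make sure we don't go to the ID provider too often */
-        name = preq->domain->case_sensitive ?
-                talloc_strdup(preq, preq->pd->user) :
-                sss_tc_utf8_str_tolower(preq, preq->pd->user);
-        if (!name) {
-            ret = ENOMEM;
-            goto done;
-        }
-
         ret = pam_initgr_cache_set(pctx->rctx->ev, pctx->id_table,
-                                   name, pctx->id_timeout);
-        talloc_free(name);
+                                   preq->pd->logon_name, pctx->id_timeout);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,
                   "Could not save initgr timestamp. "
@@ -1371,7 +1362,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 
     ret = pam_check_user_done(preq, ret);
 
-done:
     if (ret) {
         preq->pd->pam_status = PAM_SYSTEM_ERR;
         pam_reply(preq);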
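Review bot: Keying the initgr cache on `preq->pd->logon_name` in the third hunk (and the matching lookup in the first) drops the case folding the removed lines performed for case-insensitive domains (`preq->domain->case_sensitive ? talloc_strdup(...) : sss_tc_utf8_str_tolower(...)`), so two requests for the same account that differ only in letter case now get separate timestamp entries and the "don't go to the ID provider too often" throttle is applied per spelling rather than per user. Whether the lookup site can fold case is unclear from here, since the domain may not yet be resolved in pam_check_user_search, but the trade-off should be stated next to the call: `/* Keyed on the client-supplied logon_name because pd->user is rewritten to the fully-qualified form for sub-domain users; it is used verbatim, so case variants of one name are tracked separately. */`. It is also not visible whether pam_initgr_check_timeout and pam_initgr_cache_set tolerate a NULL logon_name if the client sent no user name; confirm that at the callee. Both pam_check_user_search and pam_check_user_dp_callback start and end outside these hunks.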
--
2.4.0