sssd/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch

From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 20:43:08 +0100
Subject: [PATCH] krb5: return to responder that pkinit is not available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If pkinit is not available for a user but other authentication methods
are SSSD should still fall back to local certificate based
authentication if Smartcard credentials are provided.

Resolves https://pagure.io/SSSD/sssd/issue/3343

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/providers/krb5/krb5_child.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
 
 #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
 
+#define IS_SC_AUTHTOK(tok) ( \
+    sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+        || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
 enum k5c_fast_opt {
     K5C_FAST_NEVER,
     K5C_FAST_TRY,
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
              * pre-auth module is missing or no Smartcard is inserted and only
              * pkinit is available KRB5_PREAUTH_FAILED is returned.
              * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
-             * frontend that local authentication might be tried. */
+             * frontend that local authentication might be tried.
+             * Same is true if Smartcard credentials are given but only other
+             * authentication methods are available. */
             if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
                     && kerr == KRB5_PREAUTH_FAILED
-                    && kr->password_prompting == false
-                    && kr->otp == false
-                    && kr->pkinit_prompting == false) {
+                    && kr->pkinit_prompting == false
+                    && (( kr->password_prompting == false
+                              && kr->otp == false)
+                            || ((kr->otp == true
+                                    || kr->password_prompting == true)
+                              && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
                 return ERR_NO_AUTH_METHOD_AVAILABLE;
             }
             return kerr;
-- 
2.12.2
Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 (cherry picked from commit 9c949c17eb6a2e2d0bdae295752d7b397ee987a9) 2017-04-29 21:56:40 +00:00			`From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Thu, 16 Mar 2017 20:43:08 +0100`
			`Subject: [PATCH] krb5: return to responder that pkinit is not available`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`If pkinit is not available for a user but other authentication methods`
			`are SSSD should still fall back to local certificate based`
			`authentication if Smartcard credentials are provided.`

			`Resolves https://pagure.io/SSSD/sssd/issue/3343`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>`
			`---`
			`src/providers/krb5/krb5_child.c \| 17 +++++++++++++----`
			`1 file changed, 13 insertions(+), 4 deletions(-)`

			`diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c`
			`index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644`
			`--- a/src/providers/krb5/krb5_child.c`
			`+++ b/src/providers/krb5/krb5_child.c`
			`@@ -42,6 +42,10 @@`

			`#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"`

			`+#define IS_SC_AUTHTOK(tok) ( \`
			`+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \`
			`+ \|\| sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)`
			`+`
			`enum k5c_fast_opt {`
			`K5C_FAST_NEVER,`
			`K5C_FAST_TRY,`
			`@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,`
			`* pre-auth module is missing or no Smartcard is inserted and only`
			`* pkinit is available KRB5_PREAUTH_FAILED is returned.`
			`* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the`
			`- * frontend that local authentication might be tried. */`
			`+ * frontend that local authentication might be tried.`
			`+ * Same is true if Smartcard credentials are given but only other`
			`+ * authentication methods are available. */`
			`if (kr->pd->cmd == SSS_PAM_AUTHENTICATE`
			`&& kerr == KRB5_PREAUTH_FAILED`
			`- && kr->password_prompting == false`
			`- && kr->otp == false`
			`- && kr->pkinit_prompting == false) {`
			`+ && kr->pkinit_prompting == false`
			`+ && (( kr->password_prompting == false`
			`+ && kr->otp == false)`
			`+ \|\| ((kr->otp == true`
			`+ \|\| kr->password_prompting == true)`
			`+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {`
			`return ERR_NO_AUTH_METHOD_AVAILABLE;`
			`}`
			`return kerr;`
			`--`
			`2.12.2`