From e9457990c14446fc46b72f7f927e6d5fc776d490 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 5 Mar 2015 15:10:43 +0100
Subject: [PATCH 27/99] PAM: use the logon_name as the key for the PAM initgr cache
Currently the name member of the pam_data struct is used as a key but it can change during a request. Especially for sub-domain users the name is changed from the short to the fully-qualified version before the cache entry is created. As a result the cache searches are always done with the short name while the entry was written with the fully-qualified name. The logon_name member of the pam_data struct contains the name which was send by the PAM client and is never changed during the request.
Reviewed-by: Jakub Hrozek
(cherry picked from commit 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8)
---
 src/responder/pam/pamsrv_cmd.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 86e763f825096edc0c07adbe2e02820e5f2bdac9..0b54402729e77f22391c6bd17fd8c937ddea3592 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1140,7 +1140,8 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 * the number of updates within a reasonable timeout */
 if (preq->check_provider) {
- ret = pam_initgr_check_timeout(pctx->id_table, name);
+ ret = pam_initgr_check_timeout(pctx->id_table,
+ preq->pd->logon_name);
 if (ret != EOK && ret != ENOENT) {
 DEBUG(SSSDBG_OP_FAILURE,
@@ -1334,7 +1335,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 int ret;
 struct pam_ctx *pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
 struct pam_ctx);
- char *name;
 if (err_maj) {
 DEBUG(SSSDBG_OP_FAILURE,
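Review bot: The key passed to pam_initgr_check_timeout on the added line is `preq->pd->logon_name` exactly as the client sent it, whereas the code removed in the 1346 hunk lower-cased the key with sss_tc_utf8_str_tolower whenever `preq->domain->case_sensitive` was false. In such domains two spellings of one account now map to two separate timeout entries, so the "don't go to the ID provider too often" throttle is enforced per spelling rather than per account; if that is acceptable it deserves a comment at this call, otherwise the same case_sensitive fold should be applied to logon_name at both this check site and the pam_initgr_cache_set site so the two keys keep agreeing. Nothing in the hunk shows that logon_name is guaranteed non-NULL when this lookup runs, so it is worth confirming that request setup rejects a missing logon name before it gets here. pam_check_user_search starts and ends outside the hunk.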
@@ -1346,17 +1346,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 ret = pam_check_user_search(preq);
 if (ret == EOK) {
 /* Make sure we don't go to the ID provider too often */
- name = preq->domain->case_sensitive ?
- talloc_strdup(preq, preq->pd->user) :
- sss_tc_utf8_str_tolower(preq, preq->pd->user);
- if (!name) {
- ret = ENOMEM;
- goto done;
- }
-
 ret = pam_initgr_cache_set(pctx->rctx->ev, pctx->id_table,
- name, pctx->id_timeout);
- talloc_free(name);
+ preq->pd->logon_name, pctx->id_timeout);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Could not save initgr timestamp. "
@@ -1371,7 +1362,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 ret = pam_check_user_done(preq, ret);
-done:
 if (ret) {
 preq->pd->pam_status = PAM_SYSTEM_ERR;
 pam_reply(preq);
--
2.4.0
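Review bot: The comment above the pam_initgr_cache_set call still reads only `/* Make sure we don't go to the ID provider too often */` and does not say why the entry is now keyed by `preq->pd->logon_name` instead of the canonical user name, which is the whole point of the change and is easy to regress in a later edit. Suggested replacement: `/* Make sure we don't go to the ID provider too often. Key the entry by the name the client sent (logon_name), never by pd->user or pd->name: those may be rewritten to the fully-qualified form during the request and would then no longer match the lookup in pam_check_user_search(). */`. The removed `talloc_free(name)` immediately after the call implies pam_initgr_cache_set copies its key rather than retaining the pointer; that should hold equally for the logon_name pointer, but it is not visible in this hunk and is worth confirming. pam_check_user_dp_callback starts and ends outside the hunk.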