From 45e322191c7aa9390798b64ccb158ee800489945 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Tue, 13 Jun 2017 12:26:51 +0200
|
|
Subject: [PATCH 84/93] IPA: Only attempt migration for the joined domain
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
After the recent changes in commit a5e134b22aa27ff6cd66a7ff47089788ebc098a1
|
|
to fix ticket #3394, the PAM_CRED_ERR error would try to start migration
|
|
for any account. Further down the request, a sysdb search would try to find
|
|
the user in the joined domain only because the migration code presumes the
|
|
user is in the IPA domain which would error out and return System Error
|
|
to the PAM client.
|
|
|
|
This patch changes the migration somewhat to only attempt the migration
|
|
for IPA users.
|
|
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
---
|
|
src/providers/ipa/ipa_auth.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
|
|
index 80a9987277d7a298f703a8efb584ca428b67c94f..ef89c7177f2250547beb785d8cec836f893b039a 100644
|
|
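--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -172,6 +172,7 @@ struct ipa_pam_auth_handler_state {
 struct ipa_auth_ctx *auth_ctx;
 struct be_ctx *be_ctx;
 struct pam_data *pd;
+ struct sss_domain_info *dom;
 };
 
 static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq);
@@ -201,6 +202,14 @@ ipa_pam_auth_handler_send(TALLOC_CTX *mem_ctx,
 state->ev = params->ev;
 state->auth_ctx = auth_ctx;
 state->be_ctx = params->be_ctx;
+ state->dom = find_domain_by_name(state->be_ctx->domain,
+ state->pd->domain,
+ true);
+ if (state->dom == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Uknown domain %s\n", state->pd->domain);
+ pd->pam_status = PAM_SYSTEM_ERR;
+ goto immediately;
+ }
 
 pd->pam_status = PAM_SYSTEM_ERR;
 
@@ -248,7 +257,8 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
 }
 
 if (state->pd->cmd == SSS_PAM_AUTHENTICATE
- && state->pd->pam_status == PAM_CRED_ERR) {
+ && state->pd->pam_status == PAM_CRED_ERR
+ && !IS_SUBDOMAIN(state->dom)) {
 realm = dp_opt_get_string(state->auth_ctx->ipa_options, IPA_KRB5_REALM);
 subreq = get_password_migration_flag_send(state, state->ev,
 state->auth_ctx->sdap_id_ctx,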
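Review bot: The critical-level message added in ipa_pam_auth_handler_send is misspelled (`"Uknown domain %s\n"`), so anyone grepping logs for failed domain lookups on the auth path will miss it; it should read `DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain %s\n", state->pd->domain);`. The same block reads `state->pd->domain` and then writes through the bare `pd`, while the assignment of `state->pd` is not visible in the hunk (the function starts above it), so it is worth confirming that it is set before the lookup and using one spelling consistently. In ipa_pam_auth_handler_krb5_done the new `!IS_SUBDOMAIN(state->dom)` condition presumably dereferences `state->dom` and therefore relies on that early exit to keep it non-NULL. A comment above the condition such as `/* Migration code presumes the user is in the joined IPA domain; skip subdomain users */` would record why the gate exists and keep a later refactor from dropping it.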
--
|
|
2.14.1
|
|
|