sssd/0025-PAM-add-certificate-matching-rules-from-all-domains.patch
Michal Židek cbb93511cb Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface

(cherry picked from commit c0971b7e39)
2018-10-24 17:16:28 +02:00

167 lines
6.5 KiB
Diff

From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:56:26 +0200
Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains
Currently the PAM responder only reads the certificate mapping and
matching rules from the first domain. To support Smartcard
authentication for local and remote users all configured domains must be
taken into account.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
3 files changed, 51 insertions(+), 30 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index d189ccc..5d87756 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
- struct certmap_info **certmap_list);
+ struct sss_domain_info *domains);
errno_t
pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a6bb289..ed9ad57 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
goto done;
}
- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"p11_refresh_certmap_ctx failed, "
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index bf72207..ffa6787 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
}
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
- struct certmap_info **certmap_list)
+ struct sss_domain_info *domains)
{
int ret;
struct sss_certmap_ctx *sss_certmap_ctx = NULL;
size_t c;
+ struct sss_domain_info *dom;
+ bool certmap_found = false;
+ struct certmap_info **certmap_list;
ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
if (ret != EOK) {
@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
goto done;
}
- if (certmap_list == NULL || *certmap_list == NULL) {
+ DLIST_FOR_EACH(dom, domains) {
+ certmap_list = dom->certmaps;
+ if (certmap_list != NULL && *certmap_list != NULL) {
+ certmap_found = true;
+ break;
+ }
+ }
+
+ if (!certmap_found) {
/* Try to add default matching rule */
ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
goto done;
}
- for (c = 0; certmap_list[c] != NULL; c++) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Trying to add rule [%s][%d][%s][%s].\n",
- certmap_list[c]->name, certmap_list[c]->priority,
- certmap_list[c]->match_rule, certmap_list[c]->map_rule);
-
- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
- certmap_list[c]->match_rule,
- certmap_list[c]->map_rule,
- certmap_list[c]->domains);
- if (ret != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sss_certmap_add_rule failed for rule [%s] "
- "with error [%d][%s], skipping. "
- "Please check for typos and if rule syntax is supported.\n",
- certmap_list[c]->name, ret, sss_strerror(ret));
+ DLIST_FOR_EACH(dom, domains) {
+ certmap_list = dom->certmaps;
+ if (certmap_list == NULL || *certmap_list == NULL) {
continue;
}
+
+ for (c = 0; certmap_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Trying to add rule [%s][%d][%s][%s].\n",
+ certmap_list[c]->name, certmap_list[c]->priority,
+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);
+
+ ret = sss_certmap_add_rule(sss_certmap_ctx,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule,
+ certmap_list[c]->domains);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_certmap_add_rule failed for rule [%s] "
+ "with error [%d][%s], skipping. "
+ "Please check for typos and if rule syntax is supported.\n",
+ certmap_list[c]->name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
}
ret = EOK;
@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
int ret;
struct certmap_info **certmaps;
bool user_name_hint;
- struct sss_domain_info *dom = pctx->rctx->domains;
+ struct sss_domain_info *dom;
- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
- return ret;
- }
+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {
+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+ return ret;
+ }
- dom->user_name_hint = user_name_hint;
- talloc_free(dom->certmaps);
- dom->certmaps = certmaps;
+ dom->user_name_hint = user_name_hint;
+ talloc_free(dom->certmaps);
+ dom->certmaps = certmaps;
+ }
- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
return ret;
--
2.9.5