cbb93511cb
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
an allow-any default to a deny-any default when it
can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
commands in man pages since local provider is
deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
(cherry picked from commit c0971b7e39
)
167 lines
6.5 KiB
Diff
167 lines
6.5 KiB
Diff
From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Mon, 9 Jul 2018 18:56:26 +0200
|
|
Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains
|
|
|
|
Currently the PAM responder only reads the certificate mapping and
|
|
matching rules from the first domain. To support Smartcard
|
|
authentication for local and remote users all configured domains must be
|
|
taken into account.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/responder/pam/pamsrv.h | 2 +-
|
|
src/responder/pam/pamsrv_cmd.c | 2 +-
|
|
src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
|
|
3 files changed, 51 insertions(+), 30 deletions(-)
|
|
|
|
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
index d189ccc..5d87756 100644
|
|
--- a/src/responder/pam/pamsrv.h
|
|
+++ b/src/responder/pam/pamsrv.h
|
|
@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
|
|
|
|
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
|
- struct certmap_info **certmap_list);
|
|
+ struct sss_domain_info *domains);
|
|
|
|
errno_t
|
|
pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
|
|
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
index a6bb289..ed9ad57 100644
|
|
--- a/src/responder/pam/pamsrv_cmd.c
|
|
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
|
|
goto done;
|
|
}
|
|
|
|
- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
|
|
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"p11_refresh_certmap_ctx failed, "
|
|
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
index bf72207..ffa6787 100644
|
|
--- a/src/responder/pam/pamsrv_p11.c
|
|
+++ b/src/responder/pam/pamsrv_p11.c
|
|
@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
|
|
}
|
|
|
|
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
|
- struct certmap_info **certmap_list)
|
|
+ struct sss_domain_info *domains)
|
|
{
|
|
int ret;
|
|
struct sss_certmap_ctx *sss_certmap_ctx = NULL;
|
|
size_t c;
|
|
+ struct sss_domain_info *dom;
|
|
+ bool certmap_found = false;
|
|
+ struct certmap_info **certmap_list;
|
|
|
|
ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
|
|
if (ret != EOK) {
|
|
@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
|
goto done;
|
|
}
|
|
|
|
- if (certmap_list == NULL || *certmap_list == NULL) {
|
|
+ DLIST_FOR_EACH(dom, domains) {
|
|
+ certmap_list = dom->certmaps;
|
|
+ if (certmap_list != NULL && *certmap_list != NULL) {
|
|
+ certmap_found = true;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!certmap_found) {
|
|
/* Try to add default matching rule */
|
|
ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
|
|
CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
|
|
@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
|
goto done;
|
|
}
|
|
|
|
- for (c = 0; certmap_list[c] != NULL; c++) {
|
|
- DEBUG(SSSDBG_TRACE_ALL,
|
|
- "Trying to add rule [%s][%d][%s][%s].\n",
|
|
- certmap_list[c]->name, certmap_list[c]->priority,
|
|
- certmap_list[c]->match_rule, certmap_list[c]->map_rule);
|
|
-
|
|
- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
|
|
- certmap_list[c]->match_rule,
|
|
- certmap_list[c]->map_rule,
|
|
- certmap_list[c]->domains);
|
|
- if (ret != 0) {
|
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
- "sss_certmap_add_rule failed for rule [%s] "
|
|
- "with error [%d][%s], skipping. "
|
|
- "Please check for typos and if rule syntax is supported.\n",
|
|
- certmap_list[c]->name, ret, sss_strerror(ret));
|
|
+ DLIST_FOR_EACH(dom, domains) {
|
|
+ certmap_list = dom->certmaps;
|
|
+ if (certmap_list == NULL || *certmap_list == NULL) {
|
|
continue;
|
|
}
|
|
+
|
|
+ for (c = 0; certmap_list[c] != NULL; c++) {
|
|
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
+ "Trying to add rule [%s][%d][%s][%s].\n",
|
|
+ certmap_list[c]->name, certmap_list[c]->priority,
|
|
+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);
|
|
+
|
|
+ ret = sss_certmap_add_rule(sss_certmap_ctx,
|
|
+ certmap_list[c]->priority,
|
|
+ certmap_list[c]->match_rule,
|
|
+ certmap_list[c]->map_rule,
|
|
+ certmap_list[c]->domains);
|
|
+ if (ret != 0) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "sss_certmap_add_rule failed for rule [%s] "
|
|
+ "with error [%d][%s], skipping. "
|
|
+ "Please check for typos and if rule syntax is supported.\n",
|
|
+ certmap_list[c]->name, ret, sss_strerror(ret));
|
|
+ continue;
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
ret = EOK;
|
|
@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
|
|
int ret;
|
|
struct certmap_info **certmaps;
|
|
bool user_name_hint;
|
|
- struct sss_domain_info *dom = pctx->rctx->domains;
|
|
+ struct sss_domain_info *dom;
|
|
|
|
- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
|
|
- return ret;
|
|
- }
|
|
+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {
|
|
+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
|
|
+ return ret;
|
|
+ }
|
|
|
|
- dom->user_name_hint = user_name_hint;
|
|
- talloc_free(dom->certmaps);
|
|
- dom->certmaps = certmaps;
|
|
+ dom->user_name_hint = user_name_hint;
|
|
+ talloc_free(dom->certmaps);
|
|
+ dom->certmaps = certmaps;
|
|
+ }
|
|
|
|
- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
|
|
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
|
|
return ret;
|
|
--
|
|
2.9.5
|
|
|