95 lines
4.1 KiB
Diff
95 lines
4.1 KiB
Diff
From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
Date: Fri, 26 Jun 2020 12:07:48 +0200
|
|
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
|
|
target
|
|
|
|
To avoid regression for case where files is used for proxy but authentication
|
|
is handled by other module then pam_unix. E.g. auth_provider = krb
|
|
|
|
This provides different solution to the ticket and improves the documentation.
|
|
|
|
Resolves:
|
|
https://github.com/SSSD/sssd/issues/5129
|
|
|
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
---
|
|
src/confdb/confdb.c | 25 ++++++++++++++++++++-----
|
|
src/man/sssd.conf.5.xml | 12 +++++++++---
|
|
2 files changed, 29 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
index 65ad18dcf..c2daa9a2c 100644
|
|
--- a/src/confdb/confdb.c
|
|
+++ b/src/confdb/confdb.c
|
|
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
struct sss_domain_info *domain;
|
|
struct ldb_result *res;
|
|
TALLOC_CTX *tmp_ctx;
|
|
- const char *tmp;
|
|
+ const char *tmp, *tmp_pam_target, *tmp_auth;
|
|
int ret, val;
|
|
uint32_t entry_cache_timeout;
|
|
char *default_domain;
|
|
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
}
|
|
|
|
if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
|
|
- /* The password field must be reported as 'x' for proxy provider
|
|
- * using files library, else pam_unix won't
|
|
- * authenticate this entry. */
|
|
+ /* The password field must be reported as 'x' for proxy provider
|
|
+ * using files library, else pam_unix won't authenticate this entry.
|
|
+ * We set this only for sssd-shadowutils target which can be used
|
|
+ * to authenticate with pam_unix only. Otherwise we let administrator
|
|
+ * to overwrite default * value with pwfield option to avoid regression
|
|
+ * on more common use case where remote authentication is required. */
|
|
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
|
|
CONFDB_PROXY_LIBNAME,
|
|
NULL);
|
|
- if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
|
|
+
|
|
+ tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
|
|
+ CONFDB_DOMAIN_AUTH_PROVIDER,
|
|
+ NULL);
|
|
+
|
|
+ tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
|
|
+ CONFDB_PROXY_PAM_TARGET,
|
|
+ NULL);
|
|
+
|
|
+ if (tmp != NULL && tmp_pam_target != NULL
|
|
+ && strcasecmp(tmp, "files") == 0
|
|
+ && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
|
|
+ && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
|
|
domain->pwfield = "x";
|
|
}
|
|
}
|
|
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
index cae24bb63..44b3b8f20 100644
|
|
--- a/src/man/sssd.conf.5.xml
|
|
+++ b/src/man/sssd.conf.5.xml
|
|
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
|
|
<quote>password</quote> field.
|
|
</para>
|
|
<para>
|
|
- This option can also be set per-domain.
|
|
+ Default: <quote>*</quote>
|
|
</para>
|
|
<para>
|
|
- Default: <quote>*</quote> (remote domains)
|
|
- or <quote>x</quote> (the files domain)
|
|
+ Note: This option can also be set per-domain which
|
|
+ overwrites the value in [nss] section.
|
|
+ </para>
|
|
+ <para>
|
|
+ Default: <quote>not set</quote> (remote domains),
|
|
+ <quote>x</quote> (the files domain),
|
|
+ <quote>x</quote> (proxy domain with nss_files
|
|
+ and sssd-shadowutils target)
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
--
|
|
2.21.3
|
|
|