-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon 26 May 2014 06:18:08 PM EDT, Lukas Slebodnik wrote:
On (14/03/14 14:22), Jakub Hrozek wrote:
> On Fri, Mar 14, 2014 at 02:14:04PM +0100, Lukas Slebodnik wrote:
>> On (13/03/14 15:24), Pete Fritchman wrote:
>>> On Thu, Mar 13, 2014 at 1:28 PM, Jakub Hrozek
>>> <jhrozek(a)redhat.com> wrote:
>>>> would you like any help amending the patch ? Are you still
>>>> planning on re-sending it?
>>>
>>> Hi Jakub,
>>>
>>> Sorry - I forgot to follow up to this thread. I attached a
>>> new patch to the ticket that includes the case where
>>> send_and_receive returns PAM_IGNORE and also updates the
>>> pam_sss man page.
>>>
>>>
>>> https://fedorahosted.org/sssd/ticket/2232
>>>
>>> https://fedorahosted.org/sssd/attachment/ticket/2232/0001-PAM-add-ignore_...
>>>
>>>
>>>
>>> thanks,
>> ndex
>>
d45b2e88f16b030b81b180cef233bc024347f5d8..32558fac9b18e5f62b8968f6fbfbada6c9b3f504
>> 100644
>>
>>> Index: src/sss_client/pam_sss.c
>>> ===================================================================
>>>
>>>
- --- a/src/sss_client/pam_sss.c
>>> +++ b/src/sss_client/pam_sss.c @@ -47,6 +47,7 @@ #define
>>> FLAGS_USE_FIRST_PASS (1 << 0) #define FLAGS_FORWARD_PASS (1
>>> << 1) #define FLAGS_USE_AUTHTOK (1 << 2) +#define
>>> FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
>>>
>>> #define PWEXP_FLAG "pam_sss:password_expired_flag" #define
>>> FD_DESTRUCTOR "pam_sss:fd_destructor" @@ -1284,6 +1285,8 @@
>>> static void eval_argv(pam_handle_t *pamh, int argc, const
>>> char **argv, } } else if (strcmp(*argv, "quiet") == 0) {
>>> *quiet_mode = true; + } else if (strcmp(*argv,
>>> "ignore_unknown_user") == 0) { + *flags |=
>>> FLAGS_IGNORE_UNKNOWN_USER; } else { logger(pamh, LOG_WARNING,
>>> "unknown option: %s", *argv); } @@ -1425,6 +1428,9 @@ static
>>> int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
>>> ret = get_pam_items(pamh, &pi); if (ret != PAM_SUCCESS) {
>>> D(("get items returned error: %s", pam_strerror(pamh,ret)));
>>> + if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret ==
>>> PAM_USER_UNKNOWN) { + ret = PAM_IGNORE; +
>>> } return ret; }
>>>
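Review bot: in the get_pam_items error path, `flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN` relies on `&` binding tighter than `&&`; that is correct C, but the same test is repeated after send_and_receive, so write it as `(flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN` in both places for readability. Also consider a D() line saying that the unknown-user result is being turned into PAM_IGNORE, since the preceding `D(("get items returned error: ..."))` still reports it as an error and a debug log will otherwise show an error followed by a silent pass.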
>>> @@ -1463,6 +1469,11 @@ static int pam_sss(enum
>>> sss_cli_command task, pam_handle_t *pamh,
>>>
>>> pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
>>>
>>> + if (flags & FLAGS_IGNORE_UNKNOWN_USER +
>>> && pam_status == PAM_USER_UNKNOWN) { + pam_status
>>> = PAM_IGNORE;
>> I think you can immediately return PAM_IGNORE
>
> I think it's cleaner not to create more exit points from the
> function.
>
>>>
>>> + } + switch (task) { case SSS_PAM_AUTHENTICATE: /* We
>>> allow sssd to send the return code PAM_NEW_AUTHTOK_REQD
>>> during
>>>
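Review bot: the mapping after send_and_receive only turns PAM_USER_UNKNOWN into PAM_IGNORE; PAM_AUTHINFO_UNAVAIL, which pam_sss returns when the sssd responder is not running, still fails a `required` line for every user that reaches this module, so a local account is locked out while sssd is down even with ignore_unknown_user set. Map it the same way under a separate option (the follow-up in this thread adds ignore_authinfo_unavail for exactly this) rather than folding it into ignore_unknown_user, since an unreachable backend and an unknown user are different conditions an administrator may want to treat differently.

Review bot: eval_argv now accepts ignore_unknown_user, but the visible diff touches only src/sss_client/pam_sss.c; make sure the pam_sss man page change described earlier in the thread is part of the same patch and states that the option affects only the PAM_USER_UNKNOWN result, so that nobody reads it as covering the sssd-down case.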
>>
>> But you did not implement the same behaviour as pam-ldap
>> with the argument ignore_authinfo_unavail.
>>
>> If sssd is stopped, sss_pam will return PAM_AUTHINFO_UNAVAIL and a
>> local user cannot authenticate.
>>
>> LS
>
> Hm, that's true, I only tested with SSSD running. Feel free to
> send a follow-up patch.
follow-up patch is attached.
How to test on Linux?

Use the following pam configuration in /etc/pam.d/password-auth:

# hbac will work, local user can connect to the machine with ssh
# but local user will not be able to connect if sssd is down
# e.g. service sssd stop
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_sss.so debug ignore_unknown_user
account     required      pam_permit.so

This change should fix the problem if sssd is down:

-account     required      pam_sss.so debug ignore_unknown_user
+account     required      pam_sss.so debug ignore_unknown_user ignore_authinfo_unavail

The arguments ignore_unknown_user and ignore_authinfo_unavail are also
implemented in pam_ldap.
Not a full review, just a grammar review of the manpage.
Ack to the manpage phrasing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlOIiUgACgkQeiVVYja6o6NrkQCghWlzhpNJs1k5BTKvDXZT69HR
TlQAoJz4+Qz+Shm5sMOKO4jfDUTjW66J
=/Dot
-----END PGP SIGNATURE-----
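The following is an added example, not code from sssd, Linux-PAM or anyone in this thread. It models the account stack from the test configuration above and the two option mappings, so the sssd-up / sssd-down / system-uid cases can be walked through without a real host. The PAM_* names follow Linux-PAM, but the numeric values, the FLAGS_* bits, the parse_pam_sss_args / map_pam_sss_status / run_stack functions and the reduced "required" / "sufficient" rules are assumptions of this model.

```c
/* Model of the thread's account stack and of what ignore_unknown_user and
 * ignore_authinfo_unavail change.  Added example, not sssd or Linux-PAM code:
 * PAM_* names follow Linux-PAM, numeric values are arbitrary, and run_stack()
 * implements only the "required" / "sufficient" rules this stack needs. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum pam_result {
    PAM_SUCCESS = 0,
    PAM_PERM_DENIED,
    PAM_AUTH_ERR,          /* pam_succeed_if: condition false */
    PAM_AUTHINFO_UNAVAIL,  /* pam_sss: sssd responder not reachable */
    PAM_USER_UNKNOWN,      /* pam_sss: user not in any sssd domain */
    PAM_IGNORE             /* module asks to be left out of the verdict */
};

/* Option bits in the spirit of pam_sss's FLAGS_*; values chosen for this model. */
#define FLAGS_IGNORE_UNKNOWN_USER     (1u << 0)
#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1u << 1)

/* Parse the arguments written after pam_sss.so on the config line. */
static unsigned parse_pam_sss_args(int argc, const char **argv)
{
    unsigned flags = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "ignore_unknown_user") == 0)
            flags |= FLAGS_IGNORE_UNKNOWN_USER;
        else if (strcmp(argv[i], "ignore_authinfo_unavail") == 0)
            flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
        /* debug, quiet, ... do not change the result mapping */
    }
    return flags;
}

/* The two mappings from the thread.  Every other status passes through, so an
 * HBAC denial (PAM_PERM_DENIED) is never masked by these options. */
static enum pam_result map_pam_sss_status(enum pam_result status, unsigned flags)
{
    if ((flags & FLAGS_IGNORE_UNKNOWN_USER) && status == PAM_USER_UNKNOWN)
        return PAM_IGNORE;
    if ((flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL) && status == PAM_AUTHINFO_UNAVAIL)
        return PAM_IGNORE;
    return status;
}

enum control { REQUIRED, SUFFICIENT };
struct entry { enum control ctrl; const char *module; enum pam_result result; };

/* required:   PAM_SUCCESS counts, PAM_IGNORE is skipped, anything else is a
 *             failure; the first failure wins but later modules still run.
 * sufficient: PAM_SUCCESS ends the stack (success unless a required module
 *             already failed); any other result is ignored.
 * A stack in which nothing contributed a verdict is denied. */
static enum pam_result run_stack(const struct entry *stack, size_t n)
{
    bool positive = false, negative = false;
    enum pam_result status = PAM_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        enum pam_result r = stack[i].result;
        if (stack[i].ctrl == SUFFICIENT) {
            if (r != PAM_SUCCESS) continue;
            if (!negative) positive = true;
            break;                          /* "done": stop here */
        }
        if (r == PAM_SUCCESS) { if (!negative) positive = true; }
        else if (r != PAM_IGNORE && !negative) { negative = true; status = r; }
    }
    if (negative) return status;
    return positive ? PAM_SUCCESS : PAM_PERM_DENIED;
}

/* The account stack from the thread.  sssd_status is what pam_sss receives for
 * this user; system_uid says whether pam_succeed_if's "uid < 1000" holds. */
static enum pam_result account_stack(int argc, const char **argv,
                                     enum pam_result sssd_status, bool system_uid)
{
    unsigned flags = parse_pam_sss_args(argc, argv);
    const struct entry stack[] = {
        { REQUIRED,   "pam_unix.so broken_shadow",          PAM_SUCCESS },
        { SUFFICIENT, "pam_succeed_if.so uid < 1000 quiet", system_uid ? PAM_SUCCESS : PAM_AUTH_ERR },
        { REQUIRED,   "pam_sss.so",                         map_pam_sss_status(sssd_status, flags) },
        { REQUIRED,   "pam_permit.so",                      PAM_SUCCESS },
    };
    return run_stack(stack, sizeof stack / sizeof stack[0]);
}

static const char *BEFORE[] = { "debug", "ignore_unknown_user" };
static const char *AFTER[]  = { "debug", "ignore_unknown_user", "ignore_authinfo_unavail" };

/* Local account with uid >= 1000: sssd answers PAM_USER_UNKNOWN while running,
 * and pam_sss sees PAM_AUTHINFO_UNAVAIL after "service sssd stop". */
static enum pam_result local_user_result(bool sssd_down, bool with_authinfo_opt)
{
    enum pam_result sssd = sssd_down ? PAM_AUTHINFO_UNAVAIL : PAM_USER_UNKNOWN;
    return with_authinfo_opt ? account_stack(3, AFTER, sssd, false)
                             : account_stack(2, BEFORE, sssd, false);
}

/* System account (uid < 1000) never reaches pam_sss: "sufficient" ends the stack. */
static enum pam_result system_user_result(bool sssd_down)
{
    return account_stack(2, BEFORE, sssd_down ? PAM_AUTHINFO_UNAVAIL : PAM_USER_UNKNOWN, true);
}

/* User that sssd knows: its verdict (e.g. HBAC denial) passes through unchanged. */
static enum pam_result sssd_user_result(enum pam_result sssd_status)
{
    return account_stack(3, AFTER, sssd_status, false);
}

int main(void)
{
    printf("local user, sssd up, ignore_unknown_user only:     %d\n", local_user_result(false, false));
    printf("local user, sssd down, ignore_unknown_user only:   %d\n", local_user_result(true, false));
    printf("local user, sssd down, plus ignore_authinfo_unavail: %d\n", local_user_result(true, true));
    printf("system user, sssd down:                            %d\n", system_user_result(true));
    printf("sssd user denied by HBAC, both options:            %d\n", sssd_user_result(PAM_PERM_DENIED));
    return 0;
}
```

The second and third lines of output are the point of Lukas's follow-up: with only ignore_unknown_user, the stack result for a local user with sssd stopped is PAM_AUTHINFO_UNAVAIL (the first `required` failure wins and pam_permit cannot rescue it), and adding ignore_authinfo_unavail turns that into PAM_IGNORE so the stack succeeds. The last line shows that neither option masks a real denial from sssd.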