On 02/09/2016 08:17 AM, Jakub Hrozek wrote:
> On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
>> Hello, please see trivial patch attached. Thanks.
>
>> From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001
>> From: Pavel Reichl <preichl(a)redhat.com>
>> Date: Fri, 29 Jan 2016 08:27:01 -0500
>> Subject: [PATCH] PAM: Clarify man page for domains option
>>
>> Resolves:
>>
>> https://fedorahosted.org/sssd/ticket/2946
>> ---
>> src/man/pam_sss.8.xml | 8 +++++---
>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
>> index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644
>> --- a/src/man/pam_sss.8.xml
>> +++ b/src/man/pam_sss.8.xml
>> @@ -145,9 +145,11 @@
>> SSSD domain names, as specified in the
>> sssd.conf file.
>> </para>
>> <para>
>> - NOTE: Must be used in conjunction with the
>> - <quote>pam_trusted_users</quote> and
>> - <quote>pam_public_domains</quote> options.
>> + NOTE: If PAM service is being run by
>> untrusted user
>> + (<quote>pam_trusted_users</quote> option)
>> + then please make
>> + sure that restricted domains are public
>> + (<quote>pam_public_domains</quote> option).
>> Please see the
>> <citerefentry>
>>
<refentrytitle>sssd.conf</refentrytitle>
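Review bot: the new NOTE changes the rule instead of clarifying it, and the phrase "restricted domains" leaves the reader unsure which domains are meant: the removed text said the option must be used together with both pam_trusted_users and pam_public_domains, while the added "If ... then please make sure that restricted domains are public" does not say which domains must appear where, nor what happens if they do not. State the requirement and the consequence directly, for example "If the PAM service runs as a user not listed in pam_trusted_users, every domain given in this option must also be listed in pam_public_domains; otherwise access is denied." The added lines also drop articles ("If the PAM service", "an untrusted user").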
>> --
>> 2.4.3
>>
>
> I'm sorry, but this doesn't read any better to me. Especially I don't
> understand "restricted domains are public", sounds like an oxymoron to
> me.
Oh, sorry. By "restricted domain" I thought only the domains you are
restricting access to - like the only ones you can use. It's used in the
context of the first paragraph of domains option.
I'll try to rephrase.
"""
If the PAM service is being run by an untrusted user
(<quote>pam_trusted_users</quote> option), then please make sure that
the domains entered into the domains option are actually public
(<quote>pam_public_domains</quote> option). Otherwise access will be
denied because the untrusted user would be trying to access a non-public domain.
"""
Does it sound any better? Would you propose some other wording? Or we
can drop the note completely.
Thanks!
I think any description will be confusing without the knowledge of the
pam_trusted_users and pam_public_domains options. Since the default is
that all users are considered to be trusted, I don't think we need to
mention it here. How about:
domains
Allows the administrator to restrict the domains a particular PAM
service is allowed to authenticate against. The format is a
comma-separated list of SSSD domain names, as specified in the
sssd.conf file.
See also: pam_public_domains, pam_trusted_users in the sssd.conf(5)
manual page
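The interaction the thread is trying to document, shown as a constructed configuration rather than anything from the patch or the SSSD project's own files: the per-service restriction lives in the PAM stack as the pam_sss.so domains= argument, while pam_trusted_users and pam_public_domains live in the [pam] section of sssd.conf. The domain names corp.example and guests.example and the service user kioskd are made-up placeholders.

```ini
# /etc/sssd/sssd.conf (constructed example, [pam] section only)
[pam]
# Only these users may run PAM conversations against every domain;
# any other caller is "untrusted" and is limited to the public domains.
# When this option is left unset the default is "all", so the note in
# pam_sss(8) only matters once an administrator narrows this list.
pam_trusted_users = root, kioskd

# Domains that even untrusted callers may authenticate against.
# Failing case: if guests.example is missing here and a PAM service
# running as a user not in pam_trusted_users passes
# domains=guests.example, the login is denied as an untrusted
# access to a non-public domain.
pam_public_domains = guests.example

# /etc/pam.d/kiosk-login (constructed example): restrict this one PAM
# service to a single SSSD domain. corp.example is not public, so this
# stack works only for callers listed in pam_trusted_users.
# auth     sufficient  pam_sss.so domains=corp.example
# account  required    pam_sss.so domains=corp.example
```

Reading the two files together gives the rule the man page is trying to state: a service running as a user outside pam_trusted_users can only succeed with domains= values that also appear in pam_public_domains, and the fix for a denied login is to add either the domain to pam_public_domains or the service's user to pam_trusted_users, whichever matches the intended trust boundary.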