On Fri, Mar 14, 2014 at 02:14:04PM +0100, Lukas Slebodnik wrote:
On (13/03/14 15:24), Pete Fritchman wrote:
>On Thu, Mar 13, 2014 at 1:28 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>> would you like any help amending the patch ? Are you still planning on
>> re-sending it?
>
>Hi Jakub,
>
>Sorry - I forgot to follow up to this thread. I attached a new patch
>to the ticket that includes the case where send_and_receive returns
>PAM_IGNORE and also updates the pam_sss man page.
>
>https://fedorahosted.org/sssd/ticket/2232
>https://fedorahosted.org/sssd/attachment/ticket/2232/0001-PAM-add-ignore_unknown_user-option.patch
>
>thanks,
>index d45b2e88f16b030b81b180cef233bc024347f5d8..32558fac9b18e5f62b8968f6fbfbada6c9b3f504 100644
>Index: src/sss_client/pam_sss.c
>===================================================================
>--- a/src/sss_client/pam_sss.c
>+++ b/src/sss_client/pam_sss.c
>@@ -47,6 +47,7 @@
> #define FLAGS_USE_FIRST_PASS (1 << 0)
> #define FLAGS_FORWARD_PASS (1 << 1)
> #define FLAGS_USE_AUTHTOK (1 << 2)
>+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
>
> #define PWEXP_FLAG "pam_sss:password_expired_flag"
> #define FD_DESTRUCTOR "pam_sss:fd_destructor"
>@@ -1284,6 +1285,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char
**argv,
> }
> } else if (strcmp(*argv, "quiet") == 0) {
> *quiet_mode = true;
>+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
>+ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
> } else {
> logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
> }
>@@ -1425,6 +1428,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t
*pamh,
> ret = get_pam_items(pamh, &pi);
> if (ret != PAM_SUCCESS) {
> D(("get items returned error: %s", pam_strerror(pamh,ret)));
>+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret ==
PAM_USER_UNKNOWN) {
>+ ret = PAM_IGNORE;
>+ }
> return ret;
> }
>
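Review bot: the debug line `D(("get items returned error: %s", pam_strerror(pamh,ret)));` is emitted before `ret` is rewritten, so a trace will show PAM_USER_UNKNOWN while the caller actually receives PAM_IGNORE; move the D() below the new block or add a second message stating that the unknown-user result was remapped because `ignore_unknown_user` is set, otherwise debugging a stack that silently skips pam_sss gets harder. The condition `flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN` is correct as written (`&` binds tighter than `&&`), but parenthesizing the bit test avoids the usual compiler warning and makes the intent obvious.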
>@@ -1463,6 +1469,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t
*pamh,
>
> pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
>
>+ if (flags & FLAGS_IGNORE_UNKNOWN_USER
>+ && pam_status == PAM_USER_UNKNOWN) {
>+ pam_status = PAM_IGNORE;
I think you can immediately return PAM_IGNORE
I think it's cleaner not to create more exit points from the function.
>
>+ }
>+
> switch (task) {
> case SSS_PAM_AUTHENTICATE:
> /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD
during
>
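Review bot: the remap in `+ if (flags & FLAGS_IGNORE_UNKNOWN_USER` / `+ && pam_status == PAM_USER_UNKNOWN)` happens before `switch (task)`, so the per-task handling that follows (the SSS_PAM_AUTHENTICATE case inspects the return code, as the comment about PAM_NEW_AUTHTOK_REQD shows) now sees PAM_IGNORE where it previously saw PAM_USER_UNKNOWN; please confirm each case only matches specific codes and lets PAM_IGNORE pass through unchanged. The same check is duplicated in the get_pam_items failure path above; a single remap just before the function's return, or a small helper used in both places, keeps the two from drifting apart and still avoids adding exit points.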
But you did not implement the same behaviour as pam-ldap with the
argument ignore_authinfo_unavail.
If sssd is stopped, sss_pam will return PAM_AUTHINFO_UNAVAIL and a local user
cannot authenticate.
LS
Hm, that's true, I only tested with SSSD running. Feel free to send a
follow-up patch.