URL:
https://github.com/SSSD/sssd/pull/804
Title: #804: PAM: Also cache SSS_PAM_PREAUTH
jhrozek commented:
"""
On 5/3/19 1:24 PM, sumit-bose wrote:
Hi Jakub,
the patch is working as expected, I only added a minor comment to the
code.
While testing I came across two issues where I wonder if you would
like to fix them with this patch as well.
First, if a wrong password is given cached authentication currently
does not fail but falls back to online authentication. I think this
behavior make sense, but might be unexpected. A sentence in the man
page describing this behavior would be useful imo.
OK, added.
Second, there is no clear debug message from the PAM responder that
cached authentication is used. Instead there is
|(Fri May 3 13:05:11 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [4]: Systemfehler. |
|I thought the message might be sometimes useful, so I only changed its
level to be lowest debug level and reworded the message to make it clear
that this is an intermediate result only.|
||
and later on there are some message from |sysdb_cache_auth()|. Maybe
in |pam_reply()| the |called with result| message can be skipped for
cached auth and a more suitable message can be shown?
Both are not related to the issue at hand so feel free to open a new
ticket or ignore them.
I also added PREAUTH to the list of PAM commands that just return
PAM_SUCCESS during cached authentication. I hope that's correct.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/804#issuecomment-493043523