On Wed, Apr 24, 2019 at 09:21:08PM -0000, David Fournier wrote:
Hi,
I'm sorry there is no such switch or options. Currently SSSD explicitly
uses a short name (without the '@...' part) because typically other PAM
modules are confused by this type of name.
Feel free to open an RFE on https://pagure.io/SSSD/sssd/ to add an option
to use the unmodified name from the login prompt here.
If you are interested in trying it on your own have a look at
src/providers/proxy/proxy_child.c:
212     ret = sss_parse_internal_fqname(auth_data, pd->user, &shortname, NULL);
213     if (ret != EOK) {
214         goto fail;
215     }
216
217     ret = pam_start(pam_target, shortname, &conv, &pamh);
218     if (ret == PAM_SUCCESS) {
If you replace 'shortname' in line 217 with 'pd->user' it might already
work. Even better would be 'pd->logon_name' because this contains the
unmodified name given at the login prompt. But here you have to add this
member to the PAM data sent and received in
src/sss_iface/sss_iface_types.c which is a bit more complicated.
bye,
Sumit
Thank you very much Sumit, I'll open an RFE and will definitely try the modification
you suggest. I'll report the results once it's done.
For now I'm using a workaround where we created a PAM module that appends the domain
name to the user, which we insert at the top of our proxy_pam_target file. The downside is
that we need a different proxy_pam_target configuration for every domain. A switch within
sssd configuration file would be nicer.
Thanks again for your precise answer!
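
The name-qualification step at the core of a workaround module like the one described above, as an added example (it is not David's module and not SSSD or Linux-PAM code). The helper name `qualify_pam_user`, the pass-through of names that already contain '@', and the sample values are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not SSSD or Linux-PAM API): write "user@domain" to out.
 * In a PAM module it would sit between pam_get_user() and
 * pam_set_item(pamh, PAM_USER, out) at the top of the proxy PAM stack.
 * Returns 0 on success or a negative errno value; out is empty on error. */
int qualify_pam_user(const char *user, const char *domain,
                     char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0)
        return -EINVAL;
    out[0] = '\0';
    if (user == NULL || domain == NULL || *user == '\0' || *domain == '\0')
        return -EINVAL;
    /* The domain comes from module configuration and must be a bare name. */
    if (strchr(domain, '@') != NULL)
        return -EINVAL;

    if (strchr(user, '@') != NULL) {
        /* Assumption: an already qualified name passes through unchanged,
         * so the domain is never appended twice. */
        n = snprintf(out, outlen, "%s", user);
    } else {
        n = snprintf(out, outlen, "%s@%s", user, domain);
    }
    /* Refuse to truncate: a shortened name could match a different account. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -ENAMETOOLONG;
    }
    return 0;
}

int main(void)
{
    char buf[64];

    /* Constructed sample values. */
    if (qualify_pam_user("alice", "example.test", buf, sizeof(buf)) == 0)
        printf("%s\n", buf);
    return 0;
}
```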