URL: https://github.com/SSSD/sssd/pull/435
Author: sumit-bose
Title: #435: krb5: call krb5_auth_cache_creds() if a password is available
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/435/head:pr435
git checkout pr435
From 0757b0000603dbe920a2da0f562bcc23a211beee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 1 Nov 2017 18:21:40 +0100
Subject: [PATCH] krb5: call krb5_auth_cache_creds() if a password is available

The delayed online authentication feature is only available for password
authentication and krb5_auth_cache_creds() should only be called if a
password is available. Otherwise the error code returned by
krb5_auth_cache_creds() will prevent proper offline authentication with
other methods, e.g. Smartcard authentication.

Resolves https://pagure.io/SSSD/sssd/issue/3564
---
 src/providers/krb5/krb5_auth.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 03ea9d88c..d40d2afed 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -253,17 +253,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
     const char *password = NULL;
     errno_t ret;
 
-    if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Delayed authentication is only available for password "
-              "authentication (single factor).\n");
-        return;
-    }
-
     ret = sss_authtok_get_password(pd->authtok, &password, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE,
-              "Failed to get password [%d] %s\n", ret, strerror(ret));
+              "Failed to get password [%d] %s. Delayed authentication is only "
+              "available for password authentication (single factor).\n",
+              ret, strerror(ret));
         *pam_status = PAM_SYSTEM_ERR;
         *dp_err = DP_ERR_OK;
         return;
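Review bot: with the early type check removed, the sss_authtok_get_password() failure branch becomes the only guard, and it sets *pam_status = PAM_SYSTEM_ERR and logs at SSSDBG_FATAL_FAILURE for any non-password token, whereas the removed branch returned at SSSDBG_MINOR_FAILURE without touching pam_status. That is only safe because the caller now filters on SSS_AUTHTOK_TYPE_PASSWORD before calling in; the function itself no longer enforces its precondition. Suggest recording the precondition in a comment above krb5_auth_cache_creds(), e.g. `/* caller must ensure pd->authtok is SSS_AUTHTOK_TYPE_PASSWORD */`, so a future caller does not turn a Smartcard login into PAM_SYSTEM_ERR, and consider whether a wrong token type here should really report DP_ERR_OK alongside PAM_SYSTEM_ERR.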
@@ -1138,7 +1133,9 @@ static void krb5_auth_done(struct tevent_req *subreq)
 
     if (kr->is_offline) {
         if (dp_opt_get_bool(kr->krb5_ctx->opts,
-                            KRB5_STORE_PASSWORD_IF_OFFLINE)) {
+                            KRB5_STORE_PASSWORD_IF_OFFLINE)
+                && sss_authtok_get_type(pd->authtok)
+                            == SSS_AUTHTOK_TYPE_PASSWORD) {
             krb5_auth_cache_creds(state->kr->krb5_ctx,
                                   state->domain,
                                   state->be_ctx->cdb,
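Review bot: `pd` is not declared in the visible context of this hunk, while everything else in the condition and the call is reached through `kr->` or `state->`; confirm it is the same pam data that krb5_auth_cache_creds() later reads, otherwise the type test here and the sss_authtok_get_password() call there could disagree. On style, the `&&` continuation hangs at a different indent from the `dp_opt_get_bool(` arguments and is hard to scan; consider hoisting the type test into a local, e.g. `bool has_password = sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSWORD;`, so the condition reads `if (dp_opt_get_bool(...) && has_password)`. It would also help to state in the commit message what pam_status ends up as for a non-password offline login now that this branch is skipped, since that is the behaviour the fix targets.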
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org