Hi, I was playing with different offline krb5 authentication ways today when testing Sumit's patches and I don't think the offline authentication of subdomain users was correct. Attached are two patches -- one is just a better error code, the other actually makes the SSSD search for the right user entry during krb5 offline auth.
To test the first one, pause or shut down a trusted AD while remaining connected to the root domain AD.
>From ce17fcc025652e29631d3f5d0d7f400df365171a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Sun, 22 Sep 2013 18:24:43 +0200 Subject: [PATCH 1/2] KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved --- src/providers/krb5/krb5_child.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 032f5020ebe4c2ab5505c6f77e52d201366e50d8..16ab4dbbbdd12650adcbfb60f856e66c0e6077a7 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -988,6 +988,7 @@ static errno_t map_krb5_error(krb5_error_code kerr) return ERR_NO_CREDS; case KRB5_KDC_UNREACH: + case KRB5_REALM_CANT_RESOLVE: return ERR_NETWORK_IO; case KRB5KDC_ERR_KEY_EXP: -- 1.8.3.1
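Review bot: mapping KRB5_REALM_CANT_RESOLVE alongside KRB5_KDC_UNREACH to ERR_NETWORK_IO in map_krb5_error means a realm whose KDC cannot be resolved is now treated as a transient outage and the backend will go offline and fall back to cached credentials, which is what the subject line intends; the side effect is that a misconfigured realm name (a typo in the configured realm, or a trust whose DNS records are missing) will now also silently trigger the offline path instead of surfacing as an authentication error. Consider logging kerr at a visible debug level before the `return ERR_NETWORK_IO;` shared by the two cases, so an administrator can tell an unresolvable realm from an unreachable KDC when diagnosing why a subdomain user keeps being authenticated offline.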
>From 6ac81ef938692541a0fe35bd67513223c43dbe49 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Sun, 22 Sep 2013 20:48:10 +0200 Subject: [PATCH 2/2] KRB5: Use the correct domain when authenticating with cached password --- src/providers/krb5/krb5_auth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index b373cb4c387706dfd897ad5ed34b712f27a5a0ce..49e8931186578034b9b446d44c405a87edca6806 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -757,8 +757,8 @@ static void krb5_auth_resolve_done(struct tevent_req *subreq) if (dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { krb5_auth_cache_creds(state->kr->krb5_ctx, - state->be_ctx->domain->sysdb, - state->be_ctx->domain, + state->domain->sysdb, + state->domain, state->be_ctx->cdb, kr->pd, kr->uid, &state->pam_status, &state->dp_err); @@ -1103,8 +1103,8 @@ static void krb5_auth_done(struct tevent_req *subreq) if (dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { krb5_auth_cache_creds(state->kr->krb5_ctx, - state->be_ctx->domain->sysdb, - state->be_ctx->domain, + state->domain->sysdb, + state->domain, state->be_ctx->cdb, state->pd, state->kr->uid, &state->pam_status, &state->dp_err); -- 1.8.3.1
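Review bot: both hunks switch krb5_auth_cache_creds from `state->be_ctx->domain` to `state->domain` so the cached password for a trusted-domain user is stored in, and later looked up from, the subdomain's sysdb rather than the root domain's; the hunks do not show where state->domain is assigned, so please confirm it is non-NULL on every path that reaches krb5_auth_resolve_done and krb5_auth_done (including the early failure path in resolve_done), since `state->domain->sysdb` would otherwise dereference NULL. It would also be worth adding a test for the scenario in the cover mail (subdomain user authenticating while only the trusted AD is down) to lock in that the offline lookup now finds the user entry in the same domain the credentials were cached under.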
_______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
