On Wed, Feb 12, 2014 at 11:39:28AM +0100, Jakub Hrozek wrote:
> On Tue, Feb 11, 2014 at 11:00:08AM -0500, Pete Fritchman wrote:
> > https://fedorahosted.org/sssd/ticket/2232
> >
> > FreeBSD's openpam doesn't have a built in way of ignoring an unknown
> > user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module,
> > like Linux's user_unknown=ignore tag), so there needs to be an
> > ignore_unknown_user flag built in to the PAM module. This patch makes
> > pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when
> > ignore_unknown_user is passed in from the PAM config. FWIW, this is
> > how pam_ldap works on FreeBSD with local accounts, too.
> >
> > This patch allows us to keep pam_sss marked as required for the PAM
> > "account" facility (to enforce HBAC rules) but still allow local users
> > to log in.
> >
> > jhrozek suggested posting the patch here for review, so thanks in
> > advance for looking it over!
>
> Thanks for the patch!
>
> I wonder if there is another place that might need fixing, at least I've
> been hitting it during my testing with semi-broken PAM config. In my
> case, I got past get_pam_items() and only received USER_UNKNOWN from
> send_and_receive. So I amended the pam_sss code further with:
>
> @@ -1464,6 +1466,9 @@ static int pam_sss(enum sss_cli_command task,
> pam_handle_t *pamh,
>      }
>
>      pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
> +    if (flags & FLAGS_IGNORE_UNKNOWN_USER
> +        && pam_status == PAM_USER_UNKNOWN) {
> +        pam_status = PAM_IGNORE;
> +    }
>
>      switch (task) {
>      case SSS_PAM_AUTHENTICATE:
>
>
> Also, I think the new option should be documented in the pam_sss man
> page. We use XML as the man page source, the pam_sss man page is located at:
> src/man/pam_sss.8.xml
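Review bot: the added check in the send_and_receive hunk sits before `switch (task)`, so it maps PAM_USER_UNKNOWN to PAM_IGNORE for every task pam_sss handles (SSS_PAM_AUTHENTICATE included), not only the `account` facility that motivated the ticket; for a `required` auth entry that means pam_sss casts no vote at all for an unknown user and the stack result rests entirely on the other modules, which the ignore_unknown_user entry in src/man/pam_sss.8.xml should state plainly. Since the same PAM_USER_UNKNOWN to PAM_IGNORE mapping now lives in two places (the earlier part of the patch and this hunk), a single helper or one mapping point just before pam_sss returns would keep the two from drifting apart.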
Hi Pete, would you like any help amending the patch? Are you still planning on re-sending it?

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel