-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon 26 May 2014 06:18:08 PM EDT, Lukas Slebodnik wrote:
> On (14/03/14 14:22), Jakub Hrozek wrote:
>> On Fri, Mar 14, 2014 at 02:14:04PM +0100, Lukas Slebodnik wrote:
>>> On (13/03/14 15:24), Pete Fritchman wrote:
>>>> On Thu, Mar 13, 2014 at 1:28 PM, Jakub Hrozek
>>>> <jhro...@redhat.com> wrote:
>>>>> would you like any help amending the patch? Are you still
>>>>> planning on re-sending it?
>>>>
>>>> Hi Jakub,
>>>>
>>>> Sorry - I forgot to follow up to this thread. I attached a
>>>> new patch to the ticket that includes the case where
>>>> send_and_receive returns PAM_IGNORE and also updates the
>>>> pam_sss man page.
>>>>
>>>> https://fedorahosted.org/sssd/ticket/2232
>>>> https://fedorahosted.org/sssd/attachment/ticket/2232/0001-PAM-add-ignore_unknown_user-option.patch
>>>>
>>>> thanks,
>>> ndex >>> d45b2e88f16b030b81b180cef233bc024347f5d8..32558fac9b18e5f62b8968f6fbfbada6c9b3f504 >>> 100644 >>> >>>> Index: src/sss_client/pam_sss.c >>>> =================================================================== >>>> >>>> - --- a/src/sss_client/pam_sss.c >>>> +++ b/src/sss_client/pam_sss.c @@ -47,6 +47,7 @@ #define >>>> FLAGS_USE_FIRST_PASS (1 << 0) #define FLAGS_FORWARD_PASS (1 >>>> << 1) #define FLAGS_USE_AUTHTOK (1 << 2) +#define >>>> FLAGS_IGNORE_UNKNOWN_USER (1 << 3) >>>> >>>> #define PWEXP_FLAG "pam_sss:password_expired_flag" #define >>>> FD_DESTRUCTOR "pam_sss:fd_destructor" @@ -1284,6 +1285,8 @@ >>>> static void eval_argv(pam_handle_t *pamh, int argc, const >>>> char **argv, } } else if (strcmp(*argv, "quiet") == 0) { >>>> *quiet_mode = true; + } else if (strcmp(*argv, >>>> "ignore_unknown_user") == 0) { + *flags |= >>>> FLAGS_IGNORE_UNKNOWN_USER; } else { logger(pamh, LOG_WARNING, >>>> "unknown option: %s", *argv); }
@@ -1425,6 +1428,9 @@ static >>>> int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, >>>> ret = get_pam_items(pamh, &pi); if (ret != PAM_SUCCESS) { >>>> D(("get items returned error: %s", pam_strerror(pamh,ret))); >>>> + if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == >>>> PAM_USER_UNKNOWN) { + ret = PAM_IGNORE; + >>>> } return ret; } 
>>>> >>>> @@ -1463,6 +1469,11 @@ static int pam_sss(enum >>>> sss_cli_command task, pam_handle_t *pamh, >>>> >>>> pam_status = send_and_receive(pamh, &pi, task, quiet_mode); >>>> >>>> + if (flags & FLAGS_IGNORE_UNKNOWN_USER + >>>> && pam_status == PAM_USER_UNKNOWN) { + pam_status >>>> = PAM_IGNORE;
>>> I think you can immediately return PAM_IGNORE
>>
>> I think it's cleaner not to create more exit points from the
>> function.
>>
>>>> >>>> + } + switch (task) { case SSS_PAM_AUTHENTICATE: /* We >>>> allow sssd to send the return code PAM_NEW_AUTHTOK_REQD >>>> during >>>>
>>>
>>> But you did not implement the same behaviour as pam-ldap
>>> with argument ignore_authinfo_unavail.
>>>
>>> If sssd is stopped sss_pam will return PAM_AUTHINFO_UNAVAIL and a
>>> local user cannot authenticate.
>>>
>>> LS
>>
>> Hm, that's true, I only tested with SSSD running. Feel free to
>> send a follow-up patch.
>
> follow-up patch is attached.
>
> How to test on linux?
>
> Use following pam configuration in /etc/pam.d/password-auth
> # hbac will work, local user can connect to the machine with ssh
> # but local user will not be able to connect if sssd is down
> # e.g. service sssd stop
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account required pam_sss.so debug ignore_unknown_user
> account required pam_permit.so
>
> This change should fix the problem if sssd is down.
> -account required pam_sss.so debug ignore_unknown_user
> +account required pam_sss.so debug ignore_unknown_user ignore_authinfo_unavail
>
> Arguments ignore_unknown_user ignore_authinfo_unavail are also
> implemented in pam_ldap.
>
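Review bot: in the @@ -1425,6 +1428,9 @@ hunk, `if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN)` parses as intended because `&` binds tighter than `&&`, but please parenthesise the bit test, `if ((flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN)`, and add a `D((...))` line beside `ret = PAM_IGNORE;` saying the unknown user is being ignored on request. As written, the only trace left in a debug log is the preceding "get items returned error" message, so an admin reading the log cannot tell a deliberate step-aside from a lookup failure.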
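Review bot: in the @@ -1463,6 +1469,11 @@ hunk the remap to PAM_IGNORE sits before `switch (task)`, so it applies to every task pam_sss handles, not only account, and the pam_sss man page text should say so. It also covers only PAM_USER_UNKNOWN: with the daemon stopped, send_and_receive yields PAM_AUTHINFO_UNAVAIL and a `required pam_sss.so` line still fails the stack for local users, which is the gap Lukas points out in the thread and the follow-up ignore_authinfo_unavail option closes. One caveat worth a sentence in the man page: PAM_IGNORE only withdraws pam_sss's vote; if every module in a stack ends up ignored, Linux-PAM fails the stack, so the option is safe to use only in a stack where another module (pam_unix and pam_permit in the test configuration) is meant to decide for local users.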
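Review bot: the `+account required pam_sss.so debug ignore_unknown_user ignore_authinfo_unavail` line in the test configuration makes the account phase fail open for a local user whenever SSSD is down, which is the intent, but it is the `required pam_unix.so` line ahead of it that limits the fail-open to accounts pam_unix itself has already vouched for. If pam_unix were dropped or moved after pam_sss, the same line would let the account phase pass for any name pam_sss ignores, so the man page should recommend pairing both options with a module that positively identifies local users.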
Not a full review, just a grammar review of the manpage. Ack to the manpage phrasing.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlOIiUgACgkQeiVVYja6o6NrkQCghWlzhpNJs1k5BTKvDXZT69HR
TlQAoJz4+Qz+Shm5sMOKO4jfDUTjW66J
=/Dot
-----END PGP SIGNATURE-----
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
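The test configuration Lukas quotes in the thread, and the sssd-down failure mode he describes, can be checked without a live SSSD by modelling how Linux-PAM resolves an account stack. The following is an added example, not code from sssd or from anyone in this thread. The stack is Lukas's test configuration; the per-module results for each scenario are constructed assumptions, and the mapping of ignore_authinfo_unavail onto PAM_IGNORE follows the thread's description of the follow-up patch rather than the patch itself.

```python
"""Model how a Linux-PAM account stack resolves when pam_sss steps aside.

Added example, not sssd code.  The stack is Lukas's test configuration;
per-module results are constructed assumptions; the control-word semantics
follow Linux-PAM's documented mapping of required/requisite/sufficient/
optional onto the ok/done/bad/die/ignore actions.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Simple control words as their [...] action equivalents.
CONTROL = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Lukas's test stack for /etc/pam.d/password-auth, before and after his follow-up.
STACK_IGNORE_UNKNOWN = """
account required   pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 1000 quiet
account required   pam_sss.so debug ignore_unknown_user
account required   pam_permit.so
"""
STACK_BOTH_OPTIONS = STACK_IGNORE_UNKNOWN.replace(
    "ignore_unknown_user", "ignore_unknown_user ignore_authinfo_unavail")


def pam_sss_result(raw, options):
    """Apply the two pam_sss options from the thread to a raw backend result.

    ignore_unknown_user: PAM_USER_UNKNOWN -> PAM_IGNORE (Pete's patch).
    ignore_authinfo_unavail: PAM_AUTHINFO_UNAVAIL -> PAM_IGNORE (assumed from
    Lukas's description of the follow-up; not taken from his patch).
    """
    if "ignore_unknown_user" in options and raw == PAM_USER_UNKNOWN:
        return PAM_IGNORE
    if "ignore_authinfo_unavail" in options and raw == PAM_AUTHINFO_UNAVAIL:
        return PAM_IGNORE
    return raw


def parse_stack(text):
    """Turn pam.d lines into (control, module, options); '#' starts a comment."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            _type, control, module, *options = line.split()
            stack.append((control, module, options))
    return stack


def run_stack(stack, results):
    """Walk the stack the way pam_dispatch does, tracking impression and status."""
    impression = None            # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED     # Linux-PAM's must-fail code if nobody decides
    for control, module, options in stack:
        retval = results[module]
        if module == "pam_sss.so":
            retval = pam_sss_result(retval, options)
        actions = CONTROL[control]
        if retval == PAM_SUCCESS:
            action = actions["success"]
        elif retval == PAM_IGNORE:
            action = actions.get("ignore", actions["default"])
        else:
            action = actions["default"]
        if action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if impression and action == "done":
                break                                # sufficient: stop with success
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == "die":
                break                                # requisite: stop immediately
        # "ignore": the module casts no vote
    if impression is None or status == PAM_IGNORE:
        status = PAM_PERM_DENIED
    return status


def local_user_results(sssd_running):
    """Constructed raw results for a local account with uid >= 1000."""
    return {
        "pam_unix.so": PAM_SUCCESS,                 # account exists locally
        "pam_succeed_if.so": PAM_AUTH_ERR,          # uid < 1000 is false
        "pam_sss.so": PAM_USER_UNKNOWN if sssd_running else PAM_AUTHINFO_UNAVAIL,
        "pam_permit.so": PAM_SUCCESS,
    }


def account_result(stack_text, sssd_running):
    return run_stack(parse_stack(stack_text), local_user_results(sssd_running))


if __name__ == "__main__":
    for name, stack in (("ignore_unknown_user only", STACK_IGNORE_UNKNOWN),
                        ("both options", STACK_BOTH_OPTIONS)):
        for running in (True, False):
            state = "up" if running else "down"
            print(f"{name:24} sssd {state:4} -> {account_result(stack, running)}")
```

Running it reproduces the thread: with only ignore_unknown_user a local user passes while SSSD is up (pam_sss casts no vote, pam_permit decides) but is refused with PAM_AUTHINFO_UNAVAIL once SSSD is down; adding ignore_authinfo_unavail turns that second case into a pass as well. Because the simulator also honours Linux-PAM's rule that a stack in which nobody decides fails with PAM_PERM_DENIED, it shows why the option is only safe in a stack where another module is meant to decide for local users.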