On Fri, May 30, 2014 at 09:36:08AM -0400, Stephen Gallagher wrote:
> On Mon 26 May 2014 06:18:08 PM EDT, Lukas Slebodnik wrote:
> > On (14/03/14 14:22), Jakub Hrozek wrote:
> >> On Fri, Mar 14, 2014 at 02:14:04PM +0100, Lukas Slebodnik wrote:
> >>> On (13/03/14 15:24), Pete Fritchman wrote:
> >>>> On Thu, Mar 13, 2014 at 1:28 PM, Jakub Hrozek
> >>>> <jhro...@redhat.com> wrote:
> >>>>> would you like any help amending the patch ? Are you still
> >>>>> planning on re-sending it?
> >>>>
> >>>> Hi Jakub,
> >>>>
> >>>> Sorry - I forgot to follow up to this thread. I attached a
> >>>> new patch to the ticket that includes the case where
> >>>> send_and_receive returns PAM_IGNORE and also updates the
> >>>> pam_sss man page.
> >>>>
> >>>> https://fedorahosted.org/sssd/ticket/2232
> >>>> https://fedorahosted.org/sssd/attachment/ticket/2232/0001-PAM-add-ignore_unknown_user-option.patch
> >>>>
> >>>> thanks,
> >>> ndex
> >>> d45b2e88f16b030b81b180cef233bc024347f5d8..32558fac9b18e5f62b8968f6fbfbada6c9b3f504
> >>> 100644
> >>>
> >>>> Index: src/sss_client/pam_sss.c > >>>> =================================================================== > >>>> > >>>> > - --- a/src/sss_client/pam_sss.c > >>>> +++ b/src/sss_client/pam_sss.c @@ -47,6 +47,7 @@ #define > >>>> FLAGS_USE_FIRST_PASS (1 << 0) #define FLAGS_FORWARD_PASS (1 > >>>> << 1) #define FLAGS_USE_AUTHTOK (1 << 2) +#define > >>>> FLAGS_IGNORE_UNKNOWN_USER (1 << 3) > >>>> > >>>> #define PWEXP_FLAG "pam_sss:password_expired_flag" #define > >>>> FD_DESTRUCTOR "pam_sss:fd_destructor" @@ -1284,6 +1285,8 @@ > >>>> static void eval_argv(pam_handle_t *pamh, int argc, const > >>>> char **argv, } } else if (strcmp(*argv, "quiet") == 0) { > >>>> *quiet_mode = true; + } else if (strcmp(*argv, > >>>> "ignore_unknown_user") == 0) { + *flags |= > >>>> FLAGS_IGNORE_UNKNOWN_USER; } else { logger(pamh, LOG_WARNING, > >>>> "unknown option: %s", *argv); }
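Review bot: FLAGS_IGNORE_UNKNOWN_USER in the @@ -47 hunk is introduced without any comment, while the behaviour it switches on (turning PAM_USER_UNKNOWN into PAM_IGNORE) is implemented much further down in pam_sss() and otherwise only described in the man page update; a one-line comment next to `+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)` saying what the bit does would keep the option's semantics visible where it is defined.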
@@ -1425,6 +1428,9 @@ static > >>>> int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, > >>>> ret = get_pam_items(pamh, &pi); if (ret != PAM_SUCCESS) { > >>>> D(("get items returned error: %s", pam_strerror(pamh,ret))); > >>>> + if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == > >>>> PAM_USER_UNKNOWN) { + ret = PAM_IGNORE; + > >>>> } return ret; } 
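Review bot: In the @@ -1425 hunk the early-return condition `if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN)` relies on && binding more loosely than &, which is correct but easy to misread; parenthesising the bitwise test, `if ((flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN)`, would match the two-line form used in the later send_and_receive hunk. The `D(("get items returned error: ..."))` line just above it still logs the lookup as an error even when the result is then downgraded to PAM_IGNORE; a debug message noting that the unknown user is being ignored would make the module's logs clearer when the option is enabled.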
> >>>> > >>>> @@ -1463,6 +1469,11 @@ static int pam_sss(enum > >>>> sss_cli_command task, pam_handle_t *pamh, > >>>> > >>>> pam_status = send_and_receive(pamh, &pi, task, quiet_mode); > >>>> > >>>> + if (flags & FLAGS_IGNORE_UNKNOWN_USER + > >>>> && pam_status == PAM_USER_UNKNOWN) { + pam_status > >>>> = PAM_IGNORE;
> >>> I think you can immediately return PAM_IGNORE
> >>
> >> I think it's cleaner not to create more exit points from the
> >> function.
> >>
> >>>> > >>>> + } + switch (task) { case SSS_PAM_AUTHENTICATE: /* We > >>>> allow sssd to send the return code PAM_NEW_AUTHTOK_REQD > >>>> during
> >>>>
> >>>
> >>> But you did not implement the same behaviour like pam-ldap
> >>> with argument ignore_authinfo_unavail.
> >>>
> >>> If sssd is stopped sss_pam will return PAM_AUTHINFO_UNAVAIL and
> >>> local user cannot authenticate.
> >>>
> >>> LS
> >>
> >> Hm, that's true, I only tested with SSSD running. Feel free to
> >> send a follow-up patch.
> >
> > follow-up patch is attached.
> >
> > How to test on linux?
> >
> > Use the following pam configuration in /etc/pam.d/password-auth
> > # hbac will work, local user can connect to the machine with ssh
> > # but local user will not be able to connect if sssd is down
> > # e.g. service sssd stop
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_succeed_if.so uid < 1000 quiet
> > account required pam_sss.so debug ignore_unknown_user
> > account required pam_permit.so
> >
> >
> > This change should fix the problem if sssd is down.
> > -account required pam_sss.so debug ignore_unknown_user
> > +account required pam_sss.so debug ignore_unknown_user ignore_authinfo_unavail
> >
> > Arguments ignore_unknown_user ignore_authinfo_unavail are also
> > implemented in pam_ldap.
> >
>
> Not a full review, just a grammar review of the manpage.
>
> Ack to the manpage phrasing.
I tested the patch and it is working as expected. ACK

bye,
Sumit

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
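The test configuration Lukas quotes above, and the PAM_AUTHINFO_UNAVAIL problem he describes when sssd is stopped, can be modelled without a running sssd. The following is an added example, not code from the thread, sssd or Linux-PAM: a simplified walk of the account stack from that /etc/pam.d/password-auth snippet, with pam_sss mapped through the ignore_unknown_user bit from the patch and a hypothetical second bit standing in for the follow-up ignore_authinfo_unavail option; the PAM return-code values and the required/sufficient semantics are assumed to follow Linux-PAM.

```c
#include <stdbool.h>
/* Linux-PAM return codes; numeric values assumed to match Linux-PAM's headers. */
#define PAM_SUCCESS 0
#define PAM_AUTH_ERR 7
#define PAM_AUTHINFO_UNAVAIL 9
#define PAM_USER_UNKNOWN 10
#define PAM_IGNORE 25
/* Bit 3 is the patch's flag; bit 4 is a hypothetical stand-in for the follow-up option. */
#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
struct ctx { int uid; bool known_to_sssd; bool sssd_up; int sss_flags; };
enum control { REQUIRED, SUFFICIENT };
struct entry { enum control ctl; int (*module)(const struct ctx *); };
/* Raw outcome of talking to sssd, then the mapping the two options add. */
static int pam_sss_account(const struct ctx *c) {
    int raw = !c->sssd_up ? PAM_AUTHINFO_UNAVAIL
            : !c->known_to_sssd ? PAM_USER_UNKNOWN : PAM_SUCCESS;
    if ((c->sss_flags & FLAGS_IGNORE_UNKNOWN_USER) && raw == PAM_USER_UNKNOWN)
        return PAM_IGNORE;
    if ((c->sss_flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL) && raw == PAM_AUTHINFO_UNAVAIL)
        return PAM_IGNORE;
    return raw;
}
/* pam_unix broken_shadow: user resolves through NSS, a missing shadow entry is tolerated. */
static int pam_unix_account(const struct ctx *c) { (void)c; return PAM_SUCCESS; }
static int pam_succeed_if_uid(const struct ctx *c) { return c->uid < 1000 ? PAM_SUCCESS : PAM_AUTH_ERR; }
static int pam_permit_account(const struct ctx *c) { (void)c; return PAM_SUCCESS; }
/* Simplified Linux-PAM stack walk: "required" records the first failure and goes on, "sufficient"
 * ends the stack on success unless a required module already failed, PAM_IGNORE skips the module. */
static int walk_stack(const struct ctx *c, const struct entry *st, int n) {
    int first_failure = PAM_SUCCESS;
    for (int i = 0; i < n; i++) {
        int r = st[i].module(c);
        if (r == PAM_IGNORE) continue;
        if (st[i].ctl == REQUIRED) {
            if (r != PAM_SUCCESS && first_failure == PAM_SUCCESS) first_failure = r;
        } else if (r == PAM_SUCCESS && first_failure == PAM_SUCCESS) {
            return PAM_SUCCESS;
        }
    }
    return first_failure;
}
/* The account stack from the thread's /etc/pam.d/password-auth example, in order. */
int check_account(int uid, bool known_to_sssd, bool sssd_up, int sss_flags) {
    const struct ctx c = { uid, known_to_sssd, sssd_up, sss_flags };
    const struct entry stack[] = { { REQUIRED, pam_unix_account },
        { SUFFICIENT, pam_succeed_if_uid }, { REQUIRED, pam_sss_account },
        { REQUIRED, pam_permit_account } };
    return walk_stack(&c, stack, (int)(sizeof stack / sizeof stack[0]));
}
```

A local user with uid 1001 is denied with PAM_AUTHINFO_UNAVAIL while sssd is down unless the second bit is set, whereas a system user below uid 1000 passes through the sufficient pam_succeed_if entry regardless.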