On 02/09/2016 08:09 AM, Jakub Hrozek wrote:
On Mon, Feb 08, 2016 at 01:56:07PM +0100, Pavel Reichl wrote:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 
73a21bfa0049bc4d3cfacb49201707868c87e533..2dbc58a451686beda0faa9e9366bbc3b3b4c253e
 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1040,6 +1040,27 @@ pam_account_expired_message = Account expired, please 
call help desk.
                      </listitem>
                  </varlistentry>
                  <varlistentry>
+                    <term>pam_account_locked_message (string)</term>
+                    <listitem>
+                        <para>
+                           If user is authenticating and

Please ask someone for an English review (I know Dan started, but I
didn't see a fixed version yet). At the very least, this should read "a
user".

I attached Dan's patch. I took the liberty of adding a note regarding pam
verbosity. Hope it's fine by Dan.


+                           account is locked then by default
+                           'Permission denied' is output. This output will
+                           be changed to content of this variable if it is
+                           set.
+                        </para>
+                        <para>
+                            example:
+                            <programlisting>
+pam_account_locked_message = Account locked, please call help desk.
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: none
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
                      <term>p11_child_timeout (integer)</term>
                      <listitem>
                          <para>

The rest of the patch looks good to me and seems to work as advertised.

Thanks.
>From 2d634a7d72afc5116031803c3004e47884901c7a Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Fri, 5 Feb 2016 07:27:38 -0500
Subject: [PATCH 1/3] SDAP: Add return code ERR_ACCOUNT_LOCKED

Add code to distinguish the state where an account is locked in an Active
Directory server.

Tested against Windows Server 2012

Resolves:
https://fedorahosted.org/sssd/ticket/2839
---
 src/providers/data_provider.h              | 2 ++
 src/providers/ldap/ldap_auth.c             | 4 ++++
 src/providers/ldap/sdap_async_connection.c | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 39051b90c3aad96f62dcbb86a20bcfd8c954879b..7332b677d19f70f4736e4d0b68d55cdd3c67a4af 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -182,6 +182,8 @@ struct pam_data {
     bool offline_auth;
     bool last_auth_saved;
     int priv;
+    int account_locked;
+
 #ifdef USE_KEYRING
     key_serial_t key_serial;
 #endif
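Review bot: The new `int account_locked;` field at line 78 is later handed to D-Bus by address as a DBUS_TYPE_UINT32 (in the dp_auth_util.c change of patch 2), so its storage must be exactly 32 bits; `int` happens to be that on every platform SSSD targets, but nothing in the struct says so. Declaring it as `uint32_t account_locked;`, or keeping `int` with a comment such as `/* 0/1; sent as DBUS_TYPE_UINT32 by dp_pack_pam_response() */`, ties the field to its wire type and stops a later change to `bool` from silently truncating the D-Bus read and write. The field also has to start at zero for the responder to treat the account as not locked; presumably pam_data is talloc_zero'd by its constructor, but that is not visible here. struct pam_data begins and ends outside the hunk.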
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index c94ba15bb17aa1641eb36781cc59ce158d48ca66..8d6a37b2ceb3347cb8092858889d07e5615e5c77 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -1302,6 +1302,10 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     case ERR_PASSWORD_EXPIRED:
         state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
         break;
+    case ERR_ACCOUNT_LOCKED:
+        state->pd->account_locked = true;
+        state->pd->pam_status = PAM_PERM_DENIED;
+        break;
     default:
         state->pd->pam_status = PAM_SYSTEM_ERR;
         dp_err = DP_ERR_FATAL;
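Review bot: The `case ERR_ACCOUNT_LOCKED:` at line 91 is the first use of that error code, yet the diffstat for this patch touches only data_provider.h, ldap_auth.c and sdap_async_connection.c and not the error-code table, so either ERR_ACCOUNT_LOCKED already exists upstream or this patch does not build on its own; worth confirming, since the subject says the code is being added. Mapping a lockout to PAM_PERM_DENIED rather than PAM_AUTH_ERR looks right (a correct password must not get through a locked account), and leaving dp_err untouched matches the ERR_PASSWORD_EXPIRED arm above. A one-line comment would spare the next reader a trip through the series: `/* AD lockout: deny; pam_reply() may attach pam_account_locked_message */`. sdap_pam_auth_done begins and ends outside the hunk.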
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 2d9b1184f5d30b9df7f1d3e4b980a7e0107c6830..c1735513ff6dcc755daf06cb97da546eaded7eb9 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -754,6 +754,9 @@ static void simple_bind_done(struct sdap_op *op,
 
     if (result == LDAP_SUCCESS) {
         ret = EOK;
+    } else if (result == LDAP_INVALID_CREDENTIALS
+                   && errmsg != NULL && strstr(errmsg, "data 775,") != NULL) {
+        ret = ERR_ACCOUNT_LOCKED;
     } else {
         ret = ERR_AUTH_FAILED;
     }
-- 
2.4.3

>From 9b11ae7485723742b1172bacb5062207e2361588 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Fri, 5 Feb 2016 07:31:45 -0500
Subject: [PATCH 2/3] PAM: Pass account lockout status and display message

Tested against Windows Server 2012.

Resolves:
https://fedorahosted.org/sssd/ticket/2839
---
 src/confdb/confdb.h                  |  1 +
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/etc/sssd.api.conf         |  1 +
 src/man/sssd.conf.5.xml              | 21 +++++++++++++++++++++
 src/providers/dp_auth_util.c         | 20 ++++++++++++++++++++
 src/responder/pam/pamsrv_cmd.c       | 31 +++++++++++++++++++++++--------
 6 files changed, 67 insertions(+), 8 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index fcffcb5a6ff8b3f766ed9a693db874c7c6e3d9b9..e6789c8665cf677712d8e7fb72b6f0a41bca80b1 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -118,6 +118,7 @@
 #define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
 #define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
 #define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
+#define CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE "pam_account_locked_message"
 #define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
 #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
 #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1fdb907c5d010323c22b18b4c371c61e5928c40f..495cb650ee86e50031962a4fcf0c21aa79dc0142 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -91,6 +91,7 @@ option_strings = {
     'pam_trusted_users' : _('List of trusted uids or user\'s name'),
     'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
     'pam_account_expired_message' : _('Message printed when user account is expired.'),
+    'pam_account_locked_message' : _('Message printed when user account is locked.'),
     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
 
     # [sudo]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 89cf8634ffb8115d9e65cf66dc9b1ed630415c15..baa15539cbb5a925b19bac0452cde43ca9f71033 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -61,6 +61,7 @@ get_domains_timeout = int, None, false
 pam_trusted_users = str, None, false
 pam_public_domains = str, None, false
 pam_account_expired_message = str, None, false
+pam_account_locked_message = str, None, false
 p11_child_timeout = int, None, false
 
 [sudo]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 73a21bfa0049bc4d3cfacb49201707868c87e533..2dbc58a451686beda0faa9e9366bbc3b3b4c253e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1040,6 +1040,27 @@ pam_account_expired_message = Account expired, please call help desk.
                     </listitem>
                 </varlistentry>
                 <varlistentry>
+                    <term>pam_account_locked_message (string)</term>
+                    <listitem>
+                        <para>
+                           If user is authenticating and
+                           account is locked then by default
+                           'Permission denied' is output. This output will
+                           be changed to content of this variable if it is
+                           set.
+                        </para>
+                        <para>
+                            example:
+                            <programlisting>
+pam_account_locked_message = Account locked, please call help desk.
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: none
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
                     <term>p11_child_timeout (integer)</term>
                     <listitem>
                         <para>
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index f8a30c5d4e6da7ce6ac28723032241e2458ea473..647ab4889759dabe1a09cb522f9b7b4ffb8fae96 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -160,6 +160,15 @@ bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd)
         return false;
     }
 
+
+    /* Append the lockout of account */
+    dbret = dbus_message_iter_append_basic(&iter,
+                                           DBUS_TYPE_UINT32,
+                                           &pd->account_locked);
+    if (!dbret) {
+        return false;
+    }
+
     /* Create an array of response structures */
     dbret = dbus_message_iter_open_container(&iter,
                                              DBUS_TYPE_ARRAY, "(uay)",
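Review bot: `dbus_message_iter_append_basic(&iter, DBUS_TYPE_UINT32, &pd->account_locked)` at lines 211–213 reads a dbus_uint32_t through a pointer to an `int` member; this works because both are 32 bits on the supported platforms, but it couples the struct's C type to the wire type without saying so. Copying into a local of the wire type first, `uint32_t locked = pd->account_locked ? 1 : 0;` and appending `&locked`, keeps the message well-formed regardless of how the member is later declared and also normalises the value to 0/1 on the wire. If the rest of this function already appends other `int` members directly, matching that convention is acceptable, but the new member should then be typed to match. Inserting the field ahead of the response array changes the provider-to-responder PAM reply format; the unpack side is updated in this same patch, which is fine as long as both ends always come from the same build. dp_pack_pam_response begins and ends outside the hunk.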
@@ -246,6 +255,17 @@ bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, DBusError *db
         return false;
     }
 
+    if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n");
+        return false;
+    }
+    dbus_message_iter_get_basic(&iter, &(pd->account_locked));
+
+    if (!dbus_message_iter_next(&iter)) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "pam response has too few arguments.\n");
+        return false;
+    }
+
     /* After this point will be an array of pam data */
     if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY) {
         DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n");
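Review bot: The new type check at lines 225–228 logs the same `"pam response format error.\n"` text as the existing array check just below it, so a log reader cannot tell which field of the reply was malformed; `"pam response format error: expected uint32 account_locked.\n"` would disambiguate. For the same reason given on the pack side, `dbus_message_iter_get_basic(&iter, &(pd->account_locked))` at line 229 writes a dbus_uint32_t into an `int`; reading into `uint32_t locked;` and then `pd->account_locked = (locked != 0);` decouples the struct from the wire type and guarantees the value the responder tests is strictly 0 or 1. dp_unpack_pam_response begins and ends outside the hunk.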
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bfc534f577cf80d5acfab81db30550ab5b5bdd2b..d86807e79f98b04d9ab14505ad8b2e92677bd292 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -53,10 +53,10 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
 
 static void pam_reply(struct pam_auth_req *preq);
 
-static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
-                                              const char *user_error_message,
-                                              size_t *resp_len,
-                                              uint8_t **_resp)
+static errno_t pack_user_info_msg(TALLOC_CTX *mem_ctx,
+                                  const char *user_error_message,
+                                  size_t *resp_len,
+                                  uint8_t **_resp)
 {
     uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;
     size_t err_len;
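Review bot: After the rename, `pack_user_info_msg` still hard-codes `resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED` at line 256, so the new lockout message that pam_reply() routes through it reaches pam_sss tagged as an account-expiry notice. If pam_sss, or the verbosity rule described in the man page, keys any behaviour on that type, a locked account will be presented as expired; at minimum the protocol now lies about what it carries. Either add a `uint32_t resp_type` parameter so each caller passes its own type, or introduce a dedicated SSS_PAM_USER_INFO_ACCOUNT_LOCKED value; the latter also requires pam_sss to learn the new type, which this series does not show. The function's body continues past the hunk.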
@@ -83,14 +83,13 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
     return EOK;
 }
 
-static void inform_account_expired(struct pam_data* pd,
-                                   const char *pam_message)
+static void inform_user(struct pam_data* pd, const char *pam_message)
 {
     size_t msg_len;
     uint8_t *msg;
     errno_t ret;
 
-    ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
+    ret = pack_user_info_msg(pd, pam_message, &msg_len, &msg);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "pack_user_info_account_expired failed.\n");
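Review bot: The failure message at line 274 still names the old callee, `"pack_user_info_account_expired failed.\n"`, although the call at line 271 now goes to pack_user_info_msg; it should read `"pack_user_info_msg failed.\n"` so the log matches the code. Since inform_user is now shared by the expiry and lockout paths, a short header comment stating that, e.g. `/* Attach a user-visible message to the PAM reply; shared by the expired and locked account paths. */`, would help. inform_user's body continues past the hunk.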
@@ -601,6 +600,7 @@ static void pam_reply(struct pam_auth_req *preq)
     time_t exp_date = -1;
     time_t delay_until = -1;
     char* pam_account_expired_message;
+    char* pam_account_locked_message;
     int pam_verbosity;
 
     pd = preq->pd;
@@ -762,7 +762,22 @@ static void pam_reply(struct pam_auth_req *preq)
             goto done;
         }
 
-        inform_account_expired(pd, pam_account_expired_message);
+        inform_user(pd, pam_account_expired_message);
+    }
+
+    if (pd->account_locked) {
+
+        ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+                                CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE, "",
+                                &pam_account_locked_message);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to get expiration message: %d:[%s].\n",
+                  ret, sss_strerror(ret));
+            goto done;
+        }
+
+        inform_user(pd, pam_account_locked_message);
     }
 
     ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
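Review bot: The log text at line 298, `"Failed to get expiration message: %d:[%s].\n"`, was copied from the expired-account block and is wrong for the lockout path; `"Failed to get account locked message: %d:[%s].\n"` lets a confdb problem be attributed to the right option. With the `""` default the code calls inform_user() even when pam_account_locked_message is unset, as the expired block above it does; if pack_user_info_msg emits an empty message in that case the client receives an empty user-info response, which is worth checking or guarding with `if (*pam_account_locked_message != '\0')`. Operationally, this message is returned after a failed bind to whoever presented the account name, so it confirms to an unauthenticated caller that the account exists and is currently locked; the man page entry should say so, so that administrators choose the wording with that disclosure in mind. pam_reply begins and ends outside the hunk.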
-- 
2.4.3

>From 2ac10aa04abed8f831446d1314762e9864c7c301 Mon Sep 17 00:00:00 2001
From: Dan Lavu <dl...@redhat.com>
Date: Fri, 5 Feb 2016 09:28:41 -0500
Subject: [PATCH 3/3] PAM: Fix man for pam_account_{expired,locked}_message

---
 src/man/sssd.conf.5.xml | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 2dbc58a451686beda0faa9e9366bbc3b3b4c253e..e03580bf7814c8e3a297dcfbcb5b50092cc3a8c7 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1022,16 +1022,39 @@ fallback_homedir = /home/%u
                     <term>pam_account_expired_message (string)</term>
                     <listitem>
                         <para>
-                           If user is authenticating using SSH keys and
-                           account is expired then by default
-                           'Permission denied' is output. This output will
-                           be changed to content of this variable if it is
-                           set.
+                           Allows a custom expiration message to be set,
+                           replacing the default 'Permission denied'
+                           message.
+                        </para>
+                        <para>
+                            Note: Please be aware that message is only
+                            printed for the SSH service unless pam_verbostiy
+                            is set to 3 (show all messages and debug
+                            information).
+                        </para>
+                        <para>
+                            example:
+                            <programlisting>
+pam_account_expired_message = Account expired, please contact help desk.
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: none
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>pam_account_locked_message (string)</term>
+                    <listitem>
+                        <para>
+                           Allows a custom lockout message to be set,
+                           replacing the default 'Permission denied'
+                           message.
                         </para>
                         <para>
                             example:
                             <programlisting>
-pam_account_expired_message = Account expired, please call help desk.
+pam_account_locked_message = Account locked, please contact help desk.
                             </programlisting>
                         </para>
                         <para>
-- 
2.4.3
