On Fri, Apr 08, 2016 at 07:31:59PM +0300, Nikolai Kondrashov wrote:
> On 04/06/2016 02:06 PM, Sumit Bose wrote:
> >On Wed, Apr 06, 2016 at 12:59:32PM +0300, Nikolai Kondrashov wrote:
> >>On 03/18/2016 07:56 PM, Nikolai Kondrashov wrote:
> >>>The attached patch adds exporting of the original (non-overridden) user shell
> >>>to tlog-rec, during the PAM session opening. The shell is exported via adding
> >>>variable "TLOG_REC_SHELL" to the user's environment.
> >>
> >>Bump, tlog still needs this!
> >
> >Hi Nikolai,
> >
> >sorry for the delay. The patch looks good in general and is working as
> >expected. Currently the environment variable is set unconditionally which
> >is good for testing but it might be irritating for some users that there
> >is a new environment variable they do not know about and might be useless
> >for them. Would it be possible to set the variable only if tlog is
> >enabled?
> 
> Sure, it should be possible. However, we don't have any "tlog enabling" so far
> and my impression was that it's undesirable at this stage. Jakub, what are
> your thoughts on this?
> 
> >I wonder if it would make sense to add the cached user object to preq
> >in pam_check_user_search() to avoid the lookup in
> >pam_reply_export_shell(). The data is already allocated on preq and as
> >far as I can see never freed explicitly, so it wouldn't even cost more
> >memory.
> 
> Sure, that would be nice. However it's really hard for me to tell where that
> would come from, where it's actually retrieved and what the lifetime would
> be. I really miss documentation there.
> 
> Could you suggest the change, perhaps?

Sure, please have a look at the attached (untested) patch. With this you start in
pam_reply_export_shell() with

+    shell = ldb_msg_find_attr_as_string(preq->user_obj, SYSDB_SHELL, NULL);
+    if (shell == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n");
+        ret = ENOENT;
+        goto done;
+    }
....

HTH

bye,
Sumit

> 
> Thank you!
> 
> Nick
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
From 6e73a56b7f43a5dc89848eca1321c979d5cd223f Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Mon, 11 Apr 2016 18:41:07 +0200
Subject: [PATCH] example

---
 src/responder/pam/pamsrv.h     |  1 +
 src/responder/pam/pamsrv_cmd.c | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 
b44e1c3378817aa169fa1fe8995bdb223f593cb0..54d455c3566ec76bb29f9c8e37907e6addec5e84
 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -72,6 +72,7 @@ struct pam_auth_req {
 
     struct ldb_message *cert_user_obj;
     char *token_name;
+    struct ldb_message *user_obj;
 };
 
 struct sss_cmd_table *get_pam_cmds(void);
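Review bot: the new `struct ldb_message *user_obj;` member of `struct pam_auth_req` lands without a comment, although the thread spells out its intent (the cached user object found by pam_check_user_search(), talloc-allocated on preq and living exactly as long as preq). Add a one-line comment above it, e.g. `/* cached user object found by pam_check_user_search(), owned by preq */`, so later consumers such as pam_reply_export_shell() know it is only meaningful after a successful user search.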
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 
0c7b31ad325321f950c9ef2a020f63290775cf8b..6d7f796845555306e9a397e642ab6a009598d5da
 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1519,7 +1519,6 @@ static int pam_check_user_search(struct pam_auth_req 
*preq)
     struct pam_ctx *pctx =
             talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
     static const char *user_attrs[] = SYSDB_PW_ATTRS;
-    struct ldb_message *msg;
     struct ldb_result *res;
 
     while (dom) {
@@ -1586,7 +1585,8 @@ static int pam_check_user_search(struct pam_auth_req 
*preq)
         }
 
         if (preq->pd->name_is_upn) {
-            ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg);
+            ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs,
+                                           &preq->user_obj);
         } else {
             ret = sysdb_getpwnam_with_views(preq, dom, name, &res);
             if (res->count > 1) {
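Review bot: with `&preq->user_obj` now the output of sysdb_search_user_by_upn() inside the `while (dom)` loop, a domain that yields ENOENT leaves preq->user_obj either NULL or still pointing at whatever the previous iteration stored, depending on how the sysdb call treats its output argument on failure. Consider setting `preq->user_obj = NULL;` at the top of each iteration (and in the `res->count == 0` branch below) so a stale message from an earlier domain can never be mistaken for a hit. The context line `if (res->count > 1)` also dereferences res before ret is checked; that is pre-existing, but worth tidying while this code is touched.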
@@ -1600,7 +1600,7 @@ static int pam_check_user_search(struct pam_auth_req 
*preq)
             } else if (res->count == 0) {
                 ret = ENOENT;
             } else {
-                msg = res->msgs[0];
+                preq->user_obj = res->msgs[0];
             }
         }
         if (ret != EOK && ret != ENOENT) {
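Review bot: `preq->user_obj = res->msgs[0];` leaves the message owned by res, which sysdb_getpwnam_with_views() allocated on preq, so it is not freed before preq is; that matches the lifetime discussed in the thread and needs no talloc_steal(). A short comment here would help, since the `msg` local this replaces made the "borrowed from res" relationship visible and the struct member no longer does.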
@@ -1638,7 +1638,7 @@ static int pam_check_user_search(struct pam_auth_req 
*preq)
 
         /* if we need to check the remote account go on */
         if (preq->check_provider) {
-            cacheExpire = ldb_msg_find_attr_as_uint64(msg,
+            cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj,
                                                       SYSDB_CACHE_EXPIRE, 0);
             if (cacheExpire < time(NULL)) {
                 break;
@@ -1649,7 +1649,7 @@ static int pam_check_user_search(struct pam_auth_req 
*preq)
               "Returning info for user [%s@%s]\n", name, dom->name);
 
         /* We might have searched by alias. Pass on the primary name */
-        ret = pd_set_primary_name(msg, preq->pd);
+        ret = pd_set_primary_name(preq->user_obj, preq->pd);
         if (ret != EOK) {
             DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n");
             return ret;
-- 
2.1.0
