These patches provide support for shipping a default configuration file that the monitor will automatically copy to /etc/sssd/sssd.conf if none already exists. The idea is for distributions to be able to provide a default (and resettable) configuration for out-of-the-box behavior.
I considered writing the patch to check /etc/sssd first and then /usr/lib*/sssd
in turn, but I realized that this would be too complicated given the infopipe
interactions (which would need to be updated to do a copy-on-write the first
time they changed something). It was simpler to always create the /etc
version and use that.
Patch 0001: Create a secure copy function that can be used to duplicate the
default configuration
Patch 0002: Cosmetic patch; renames an internal macro to make it clear that it
refers to the active configuration file, not the default one.
Patch 0003: Add the logic to confdb_setup.c to copy over the default
configuration if and only if our attempt to load the configuration came up with
ERR_MISSING_CONF. It will then try to load it again and proceed or fail from
there.
The default configuration provided here loads SSSD with a single proxy
provider that reads from nss_files (and supports authentication through
pam_unix). It does not have to be shipped as-is by any downstream package; the
idea is that downstreams would modify this configuration to their own needs.
This should be called out in the release announcement for whatever version of
SSSD incorporates this change.
These patches will require a change to the SELinux policy, since the monitor
needs to be able to write to the /etc/sssd directory.
type=AVC msg=audit(1461088081.353:550): avc: denied { write } for pid=3721
comm="sssd" name="sssd" dev="dm-0" ino=4600013
scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0
tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
From 0ec3577f3cc543b2d9b0b8edc47705e679327ee4 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <[email protected]> Date: Tue, 19 Apr 2016 09:17:52 -0400 Subject: [PATCH 1/3] UTIL: Add secure copy function This is a precursor to supporting a static default configuration file. We need to be able to copy the default into the mutable location if the infopipe is asked to modify it. This patch opens both the source and destination files together in order to avoid time-of-check/time-of-use bugs. --- src/tests/files-tests.c | 45 +++++++++++++++- src/tools/files.c | 141 +++++++++++++++++++++++++++++++++++------------- src/tools/tools_util.h | 6 +++ 3 files changed, 152 insertions(+), 40 deletions(-) diff --git a/src/tests/files-tests.c b/src/tests/files-tests.c index 09df5cbd48ae056c7d089204f15c6d3b32d98477..769e058fa44c9ac0dde35a2ab33a202ee64575d2 100644 --- a/src/tests/files-tests.c +++ b/src/tests/files-tests.c @@ -45,12 +45,12 @@ static TALLOC_CTX *test_ctx = NULL; static void setup_files_test(void) { /* create a temporary directory that we fill with stuff later on */ test_ctx = talloc_new(NULL); - dir_path = mkdtemp(talloc_strdup(test_ctx, tpl_dir)); - dst_path = mkdtemp(talloc_strdup(test_ctx, tpl_dir)); + dir_path = mkdtemp(talloc_asprintf(test_ctx, "%s/%s", TEST_DIR, tpl_dir)); + dst_path = mkdtemp(talloc_asprintf(test_ctx, "%s/%s", TEST_DIR, tpl_dir)); uid = getuid(); gid = getgid(); } 
@@ -197,10 +197,50 @@ START_TEST(test_simple_copy) close(fd); talloc_free(tmp); } END_TEST +START_TEST(test_copy_file) +{ + TALLOC_CTX *tmp_ctx = talloc_new(test_ctx); + int ret; + char origpath[PATH_MAX+1]; + char *foo_path; + char *bar_path; + int fd = -1; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + /* create a file */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir1\n"); + + ret = create_simple_file("foo", "foo"); + fail_if(ret == -1, "Cannot create foo\n"); + foo_path = talloc_asprintf(tmp_ctx, "%s/foo", dir_path); + bar_path = talloc_asprintf(tmp_ctx, "%s/bar", dst_path); + + + /* Copy this file to a new file */ + DEBUG(SSSDBG_FUNC_DATA, + "Will copy from 'foo' to 'bar'\n"); + ret = copy_file_secure(foo_path, bar_path, 0700, uid, gid, 0); + fail_unless(ret == EOK, "copy_file_secure failed\n"); + + /* check if really copied */ + ret = access(bar_path, F_OK); + fail_unless(ret == 0, "destination file 'bar' not there\n"); + + ret = check_and_open_readonly(bar_path, &fd, uid, gid, S_IFREG|S_IRWXU, 0); + fail_unless(ret == EOK, "Cannot open %s\n", bar_path); + close(fd); + talloc_free(tmp_ctx); +} +END_TEST + START_TEST(test_copy_symlink) { int ret; char origpath[PATH_MAX+1]; char *tmp; @@ -289,10 +329,11 @@ static Suite *files_suite(void) setup_files_test, teardown_files_test); tcase_add_test(tc_files, test_remove_tree); tcase_add_test(tc_files, test_simple_copy); + tcase_add_test(tc_files, test_copy_file); tcase_add_test(tc_files, test_copy_symlink); tcase_add_test(tc_files, test_copy_node); suite_add_tcase(s, tc_files); return s; diff --git a/src/tools/files.c b/src/tools/files.c index 5b3f9d103120aa5c06d9a453b279aca19258947d..012205f9e7b0dac60c2470ac67ff3f12bb45d3c0 100644 --- a/src/tools/files.c +++ b/src/tools/files.c 
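Review bot: test_copy_file reads the original working directory into origpath but never chdir()s back to it after `ret = chdir(dir_path);`, so the process is left inside the temporary directory for whatever the test case runs next (test_simple_copy, which sits outside this hunk, appears to follow the same origpath pattern and presumably does restore it). Add `ret = chdir(origpath);` followed by `fail_if(ret == -1, "Cannot chdir2\n");` immediately before `talloc_free(tmp_ctx);`. The two blank lines after `bar_path = talloc_asprintf(...)` also look like an accidental double spacing.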
@@ -349,46 +349,20 @@ copy_symlink(int src_dir_fd, } return EOK; } -/* Copy bytes from input file descriptor ifd into file named - * dst_named under directory with dest_dir_fd. Own the new file - * by uid/gid - */ static int -copy_file(int ifd, - int dest_dir_fd, - const char *file_name, - const char *full_path, - const struct stat *statp, - uid_t uid, gid_t gid) +copy_file_contents(int ifd, + int ofd, + mode_t mode, + uid_t uid, gid_t gid) { - int ofd = -1; errno_t ret; char buf[1024]; ssize_t cnt, written; - ret = selinux_file_context(full_path); - if (ret != 0) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Failed to set SELinux context for [%s]\n", full_path); - /* Not fatal */ - } - - /* Start with absolutely restrictive permissions */ - ofd = openat(dest_dir_fd, file_name, - O_EXCL | O_CREAT | O_WRONLY | O_NOFOLLOW, - 0); - if (ofd < 0 && errno != EEXIST) { - ret = errno; - DEBUG(SSSDBG_OP_FAILURE, - "Cannot open() destination file '%s': [%d][%s].\n", - full_path, ret, strerror(ret)); - goto done; - } - while ((cnt = sss_atomic_read_s(ifd, buf, sizeof(buf))) != 0) { if (cnt == -1) { ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read() from source file: [%d][%s].\n", 
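Review bot: copy_file_contents has no header comment now that the original description stayed with copy_file, and its contract is wider than the name suggests: besides copying the bytes it chowns and chmods the destination descriptor (the fchown/fchmod calls appear at the top of the next hunk). Suggest `/* Copy all bytes from ifd to ofd, then chown ofd to uid/gid and chmod it to mode. ofd must already be open for writing; the caller owns and closes both descriptors. */` above the definition. The body of copy_file_contents continues past the end of this hunk.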
@@ -417,40 +391,131 @@ copy_file(int ifd, * restrictive. */ ret = fchown(ofd, uid, gid); if (ret == -1 && errno != EPERM) { ret = errno; DEBUG(SSSDBG_OP_FAILURE, - "Error changing owner of '%s': %s\n", - full_path, strerror(ret)); + "Error changing owner: %s\n", + strerror(ret)); goto done; } /* Set the desired mode. */ - ret = fchmod(ofd, statp->st_mode); + ret = fchmod(ofd, mode); if (ret == -1) { ret = errno; - DEBUG(SSSDBG_OP_FAILURE, "Error changing owner of '%s': %s\n", - full_path, strerror(ret)); + DEBUG(SSSDBG_OP_FAILURE, "Error changing mode: %s\n", + strerror(ret)); goto done; } + ret = EOK; + +done: + return ret; +} + + +/* Copy bytes from input file descriptor ifd into file named + * dst_named under directory with dest_dir_fd. Own the new file + * by uid/gid + */ +static int +copy_file(int ifd, + int dest_dir_fd, + const char *file_name, + const char *full_path, + const struct stat *statp, + uid_t uid, gid_t gid) +{ + int ofd = -1; + errno_t ret; + + ret = selinux_file_context(full_path); + if (ret != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to set SELinux context for [%s]\n", full_path); + /* Not fatal */ + } + + /* Start with absolutely restrictive permissions */ + ofd = openat(dest_dir_fd, file_name, + O_EXCL | O_CREAT | O_WRONLY | O_NOFOLLOW, + 0); + if (ofd < 0 && errno != EEXIST) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "Cannot open() destination file '%s': [%d][%s].\n", + full_path, ret, strerror(ret)); + goto done; + } + + ret = copy_file_contents(ifd, ofd, statp->st_mode, uid, gid); + if (ret != EOK) goto done; + + ret = sss_futime_set(ofd, statp); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_futime_set failed [%d]: %s\n", ret, strerror(ret)); /* Do not fail */ } - - close(ofd); - ofd = -1; ret = EOK; done: if (ofd != -1) close(ofd); return ret; } +int +copy_file_secure(const char *src, + const char *dest, + mode_t mode, + uid_t uid, gid_t gid, + bool force) +{ + int ifd = -1; + int ofd = -1; + int dest_flags = 0; + errno_t ret; 
+ + ret = selinux_file_context(dest); + if (ret != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to set SELinux context for [%s]\n", dest); + /* Not fatal */ + } + + /* Start with absolutely restrictive permissions */ + dest_flags = O_CREAT | O_WRONLY | O_NOFOLLOW; + if (!force) { + dest_flags |= O_EXCL; + } + + ofd = open(dest, dest_flags, mode); + if (ofd < 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot open() destination file '%s': [%d][%s].\n", + dest, errno, strerror(errno)); + goto done; + } + + ifd = sss_open_cloexec(src, O_RDONLY | O_NOFOLLOW, &ret); + if (ifd < 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot open() source file '%s': [%d][%s].\n", + src, ret, strerror(ret)); + goto done; + } + + ret = copy_file_contents(ifd, ofd, mode, uid, gid); + +done: + if (ifd != -1) close(ifd); + if (ofd != -1) close(ofd); + return ret; +} + static errno_t copy_dir(struct copy_ctx *cctx, int src_dir_fd, const char *src_dir_path, int dest_parent_fd, const char *dest_dir_name, const char *dest_dir_path, diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h index c5990b012892a25b315d744a056861e7b2130410..f914e9a73b817873f18cd2c2ea70e830460e4539 100644 --- a/src/tools/tools_util.h +++ b/src/tools/tools_util.h @@ -117,10 +117,16 @@ errno_t sss_mc_refresh_grouplist(struct tools_ctx *tctx, /* from files.c */ int remove_tree(const char *root); int copy_tree(const char *src_root, const char *dst_root, mode_t mode_root, uid_t uid, gid_t gid); +int +copy_file_secure(const char *src, + const char *dest, + mode_t mode, + uid_t uid, gid_t gid, + bool force); /* from selinux.c */ int selinux_file_context(const char *dst_name); int reset_selinux_file_context(void); -- 2.7.3
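Review bot: In copy_file_secure the failure branch of `ofd = open(dest, dest_flags, mode);` jumps to done without recording the error, so `ret` still holds whatever selinux_file_context() returned (0 when it succeeded) and the caller is told EOK although nothing was written; add `ret = errno;` as the first statement of that branch and pass `ret` to the DEBUG call. Opening dest before src also means a missing or unreadable src leaves a freshly created, empty dest behind (created with mode & ~umask), which for the sssd.conf use in patch 3 presumably makes the next start-up see an existing empty file instead of retrying the copy; opening src first, or unlinking dest on failure when force is false, avoids that. With force set the flags lack O_TRUNC, so an existing dest longer than src keeps its trailing bytes after the copy. The comment `Start with absolutely restrictive permissions` no longer matches the code, which now passes `mode` to open() rather than 0.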
From cadd451c1743d9cb2a8d951e544d791181921a2e Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <[email protected]> Date: Tue, 19 Apr 2016 10:16:15 -0400 Subject: [PATCH 2/3] Internal: Rename CONFDB_DEFAULT_CONFIG_FILE New name is SSSD_CONFIG_FILE. This is done because we will start to ship a static default configuration in addition to the runtime configuration. --- src/confdb/confdb.h | 2 +- src/monitor/monitor.c | 2 +- src/responder/ifp/ifp_components.c | 8 ++++---- src/tools/sss_debuglevel.c | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index c478ef0978b2d1ce302a86a3d536f0447c27fefa..b90ced2bb3c7ded76950ce2b16586c995cda798d 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -38,11 +38,11 @@ * @{ */ #define CONFDB_DEFAULT_CFG_FILE_VER 2 #define CONFDB_FILE "config.ldb" -#define CONFDB_DEFAULT_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf" +#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf" #define SSSD_MIN_ID 1 #define SSSD_LOCAL_MINID 1000 #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh" diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index ac3af282d82d79a046fe0a9227a3cd14946ac595..6b2cb55d68429d4a8776642e84a5dc1dcd7205f3 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -3112,11 +3112,11 @@ int main(int argc, const char *argv[]) } if (opt_config_file) { config_file = talloc_strdup(tmp_ctx, opt_config_file); } else { - config_file = talloc_strdup(tmp_ctx, CONFDB_DEFAULT_CONFIG_FILE); + config_file = talloc_strdup(tmp_ctx, SSSD_CONFIG_FILE); } if (!config_file) { return 6; } diff --git a/src/responder/ifp/ifp_components.c b/src/responder/ifp/ifp_components.c index b143d1e4fd99b55fa5d68f063957e54792992e9c..38707c1145a981ef716edcdf2ced122708bcf4c7 100644 --- a/src/responder/ifp/ifp_components.c +++ b/src/responder/ifp/ifp_components.c 
@@ -487,11 +487,11 @@ int ifp_component_enable(struct sbus_request *dbus_req, void *data) path, &type, &name); if (ret != EOK) { goto done; } - config_ctx = sss_config_open(dbus_req, NULL, CONFDB_DEFAULT_CONFIG_FILE); + config_ctx = sss_config_open(dbus_req, NULL, SSSD_CONFIG_FILE); if (config_ctx == NULL) { ret = ENOMEM; goto done; } @@ -558,11 +558,11 @@ int ifp_component_disable(struct sbus_request *dbus_req, void *data) path, &type, &name); if (ret != EOK) { goto done; } - config_ctx = sss_config_open(dbus_req, NULL, CONFDB_DEFAULT_CONFIG_FILE); + config_ctx = sss_config_open(dbus_req, NULL, SSSD_CONFIG_FILE); if (config_ctx == NULL) { ret = ENOMEM; goto done; } @@ -649,11 +649,11 @@ int ifp_component_change_debug_level(struct sbus_request *dbus_req, if (section == NULL) { ret = ENOMEM; goto done; } - config_ctx = sss_config_open(dbus_req, NULL, CONFDB_DEFAULT_CONFIG_FILE); + config_ctx = sss_config_open(dbus_req, NULL, SSSD_CONFIG_FILE); if (config_ctx == NULL) { ret = ENOMEM; goto done; } @@ -713,11 +713,11 @@ int ifp_component_change_debug_level_tmp(struct sbus_request *dbus_req, if (ret != EOK) { goto done; } /* Touch configuration file to make sure debug level is reloaded. */ - if (utime(CONFDB_DEFAULT_CONFIG_FILE, NULL) == -1) { + if (utime(SSSD_CONFIG_FILE, NULL) == -1) { ret = errno; goto done; } ret = EOK; diff --git a/src/tools/sss_debuglevel.c b/src/tools/sss_debuglevel.c index e1467c01fc859871a5008b508d5c3ff0fde8198f..1de1d59942b1d939c852a5eb77c763a847d36668 100644 --- a/src/tools/sss_debuglevel.c +++ b/src/tools/sss_debuglevel.c @@ -105,11 +105,11 @@ int main(int argc, const char **argv) /* get config file */ if (pc_config_file) { config_file = talloc_strdup(ctx, pc_config_file); } else { - config_file = talloc_strdup(ctx, CONFDB_DEFAULT_CONFIG_FILE); + config_file = talloc_strdup(ctx, SSSD_CONFIG_FILE); } if (config_file == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); ret = ENOMEM; -- 2.7.3
From 5509ced1f4082c9864f669ee19d727f15f57ecff Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <[email protected]> Date: Tue, 19 Apr 2016 11:58:35 -0400 Subject: [PATCH 3/3] CONFIG: Use default config when none provided This patch makes SSSD possibly useful "out of the box" by allowing packagers to provide a default config file located in $LIBDIR/sssd/conf that will be copied by the monitor to /etc/sssd if no file already exists in that location. This will make it possible to have SSSD set up to have distribution-specific default configuration, such as enabling the proxy provider to cache /etc/passwd (such as in the provided example in this patch). --- Makefile.am | 12 +++++++++++- contrib/sssd.spec.in | 3 +++ src/confdb/confdb.h | 1 + src/confdb/confdb_setup.c | 40 ++++++++++++++++++++++++++++++++++++---- src/examples/sssd-shadowutils | 6 ++++++ src/examples/sssd.conf | 17 +++++++++++++++++ 6 files changed, 74 insertions(+), 5 deletions(-) create mode 100644 src/examples/sssd-shadowutils create mode 100644 src/examples/sssd.conf diff --git a/Makefile.am b/Makefile.am index 85c1256684b96406cabcf4c0f10f25ce9c7aa82b..178ee2507649b3b0208a9135b48c3aaa9f6b7ec7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -31,10 +31,11 @@ if HAVE_DEBIAN DISTSETUPOPTS += --install-layout=deb endif sssdlibexecdir = $(libexecdir)/sssd sssdlibdir = $(libdir)/sssd +sssddefaultconfdir = $(sssdlibdir)/conf ldblibdir = @ldblibdir@ if BUILD_KRB5_LOCATOR_PLUGIN krb5plugindir = @krb5pluginpath@ endif if BUILD_KRB5_LOCALAUTH_PLUGIN @@ -75,10 +76,11 @@ gpocachepath = @gpocachepath@ keytabdir = $(sss_statedir)/keytabs pkgconfigdir = $(libdir)/pkgconfig krb5rcachedir = @krb5rcachedir@ sudolibdir = @sudolibpath@ polkitdir = @polkitdir@ +pamconfdir = $(sysconfdir)/pam.d UNICODE_LIBS=@UNICODE_LIBS@ MKDIR_P = @MKDIR_P@ INSTALL = @INSTALL@ 
@@ -430,10 +432,11 @@ AM_CPPFLAGS = \ -DSSS_STATEDIR=\"$(sss_statedir)\" \ -DSYSCONFDIR=\"$(sysconfdir)\" \ -DSHLIBEXT=\"$(SHLIBEXT)\" \ -DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \ -DSSSD_CONF_DIR=\"$(sssdconfdir)\" \ + -DSSSD_DEFAULT_CONF_DIR=\"$(sssddefaultconfdir)\" \ -DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \ -DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \ -DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \ -DSSS_PAC_SOCKET_NAME=\"$(pipepath)/pac\" \ -DSSS_PAM_PRIV_SOCKET_NAME=\"$(pipepath)/private/pam\" \ @@ -1100,12 +1103,12 @@ BUILT_SOURCES = $(CODEGEN_CODE) #################### sssd_SOURCES = \ src/monitor/monitor.c \ src/monitor/monitor_netlink.c \ src/confdb/confdb_setup.c \ - src/util/nscd.c \ src/monitor/monitor_iface_generated.c \ + $(SSSD_TOOLS_OBJ) \ $(NULL) sssd_LDADD = \ $(SSSD_LIBS) \ $(INOTIFY_LIBS) \ $(LIBNL_LIBS) \ @@ -1264,10 +1267,16 @@ dist_noinst_DATA += \ src/providers/sssd_be.exports \ src/sss_client/COPYING \ src/sss_client/COPYING.LESSER \ src/m4 +dist_sssddefaultconf_DATA = \ + src/examples/sssd.conf + +dist_pamconf_DATA = \ + src/examples/sssd-shadowutils + ###################### # Command-line Tools # ###################### sss_useradd_SOURCES = \ src/tools/sss_useradd.c \ @@ -3547,10 +3556,11 @@ SSSD_USER_DIRS = \ $(DESTDIR)$(pipepath)/private \ $(DESTDIR)$(pubconfpath) \ $(DESTDIR)$(pubconfpath)/krb5.include.d \ $(DESTDIR)$(gpocachepath) \ $(DESTDIR)$(sssdconfdir) \ + $(DESTDIR)$(sssddefaultconfdir) \ $(DESTDIR)$(logpath) \ $(NULL) installsssddirs:: $(MKDIR_P) \ diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 2ba6a4d4c919a0697b18c4293f5e33e12b996cac..355b9510994b2f5ea470febca670d8982ad4bfce 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in 
@@ -764,10 +764,13 @@ done %dir %{_sysconfdir}/logrotate.d %config(noreplace) %{_sysconfdir}/logrotate.d/sssd %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd +%{_sysconfdir}/pam.d/sssd-shadowutils +%{_libdir}/%{name}/conf/sssd.conf + %{_datadir}/sssd/sssd.api.conf %{_datadir}/sssd/sssd.api.d %{_mandir}/man1/sss_ssh_authorizedkeys.1* %{_mandir}/man1/sss_ssh_knownhostsproxy.1* %{_mandir}/man5/sssd.conf.5* diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index b90ced2bb3c7ded76950ce2b16586c995cda798d..a9b1c4362b5c0c6b158830b1bf2ef68db09d8d06 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -38,10 +38,11 @@ * @{ */ #define CONFDB_DEFAULT_CFG_FILE_VER 2 #define CONFDB_FILE "config.ldb" +#define SSSD_DEFAULT_CONFIG_FILE SSSD_DEFAULT_CONF_DIR"/sssd.conf" #define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf" #define SSSD_MIN_ID 1 #define SSSD_LOCAL_MINID 1000 #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh" diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c index 694a7f0161304f3c7ac94bb9307181f56ca25f05..dfdcae56697123c414968cfaaabe3e1cd68ca21f 100644 --- a/src/confdb/confdb_setup.c +++ b/src/confdb/confdb_setup.c @@ -19,16 +19,18 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ #include "config.h" #include <sys/stat.h> +#include <unistd.h> #include "util/util.h" #include "db/sysdb.h" #include "confdb.h" #include "confdb_private.h" #include "confdb_setup.h" #include "util/sss_ini.h" +#include "tools/tools_util.h" int confdb_test(struct confdb_ctx *cdb) { char **values; 
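Review bot: `%{_sysconfdir}/pam.d/sssd-shadowutils` is listed as a plain file, unlike the neighbouring `%config(noreplace)` entries for logrotate.d and rwtab.d, so a local edit to that PAM stack is silently overwritten on package upgrade. Mark it `%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils`. Leaving `%{_libdir}/%{name}/conf/sssd.conf` unmarked looks intentional, since the cover letter describes it as a resettable default.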
@@ -157,15 +159,45 @@ int confdb_init_db(const char *config_file, struct confdb_ctx *cdb) ret = sss_ini_config_file_open(init_data, config_file); if (ret != EOK) { DEBUG(SSSDBG_TRACE_FUNC, "sss_ini_config_file_open failed: %s [%d]\n", strerror(ret), ret); - if (ret == ENOENT) { - /* sss specific error denoting missing configuration file */ - ret = ERR_MISSING_CONF; + if (ret != ENOENT) { + /* Anything other than ENOENT is unrecoverable */ + goto done; + } else { + /* Copy the default configuration file to the standard location + * and then retry + */ + ret = copy_file_secure(SSSD_DEFAULT_CONFIG_FILE, + SSSD_CONFIG_FILE, + 0600, + getuid(), + getgid(), + false); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not copy default configuration: %s", + sss_strerror(ret)); + /* sss specific error denoting missing configuration file */ + ret = ERR_MISSING_CONF; + goto done; + } + + /* Try again */ + ret = sss_ini_config_file_open(init_data, config_file); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "sss_ini_config_file_open(default) failed: %s [%d]\n", + strerror(ret), ret); + if (ret == ENOENT) { + /* sss specific error denoting missing configuration file */ + ret = ERR_MISSING_CONF; + } + goto done; + } } - goto done; } ret = sss_ini_config_access_check(init_data); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, diff --git a/src/examples/sssd-shadowutils b/src/examples/sssd-shadowutils new file mode 100644 index 0000000000000000000000000000000000000000..626c7d075dfbf97dd91e259f94c6061689c83e9e --- /dev/null +++ b/src/examples/sssd-shadowutils @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass +auth required pam_deny.so + +account required pam_unix.so +account required pam_permit.so diff --git a/src/examples/sssd.conf b/src/examples/sssd.conf new file mode 100644 index 0000000000000000000000000000000000000000..a851dbb7ecd5c3220fbd6a946a6c7be2822dbd27 --- /dev/null +++ b/src/examples/sssd.conf 
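Review bot: The copy is always made to SSSD_CONFIG_FILE while the retry opens `config_file`, which the monitor presumably passes through from opt_config_file when one is supplied (see the monitor.c hunk in patch 2), so a misspelt or missing custom config path makes confdb_init_db write the default into the standard location as a side effect and then still fail with ERR_MISSING_CONF on the retry. Guard the copy so it only runs for the standard location, e.g. `if (strcmp(config_file, SSSD_CONFIG_FILE) != 0) { ret = ERR_MISSING_CONF; goto done; }` at the top of the ENOENT branch (assuming <string.h> is reachable through util/util.h — verify). The FATAL message `"Could not copy default configuration: %s"` is also missing its trailing `\n`, unlike the other DEBUG strings in this function. confdb_init_db continues past the end of this hunk.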
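Review bot: The shipped auth line `auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass` carries `nullok`, which lets any account whose shadow entry has an empty password field authenticate through the sssd-shadowutils target with no password; since this stack becomes reachable through SSSD's PAM responder under the proxy provider, that should be a deliberate choice rather than an inherited one. Either drop `nullok` from the default, or add a comment line `# nullok: accounts with an empty password field authenticate without a password` so downstreams adjusting this file (as the cover letter expects) see the trade-off.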
@@ -0,0 +1,17 @@ +[sssd] +config_file_version = 2 +services = nss, pam +domains = shadowutils + +[nss] + +[pam] + +[domain/shadowutils] +id_provider = proxy +proxy_lib_name = files + +auth_provider = proxy +proxy_pam_target = sssd-shadowutils + +proxy_fast_alias = True -- 2.7.3
