URL: https://github.com/SSSD/sssd/pull/271
Author: sumit-bose
 Title: #271: pam: properly support UPN logon names
Action: opened

PR body:
"""
Many logon applications like /bin/login or sshd canonicalize the user
name before they call pam_start(), and hence the UPN is not seen by
SSSD's pam responder. But some, e.g. gdm, don't, and authentication
might fail if a UPN is used.

The reason is that currently the already parsed short name of the user
was used in the cache_req and hence the cache_req was not able to fall
back to the UPN lookup code. This patch uses the name originally
provided by the user as input to allow the fallback to the UPN lookup.

Resolves https://pagure.io/SSSD/sssd/issue/3240
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/271/head:pr271
git checkout pr271
From 99cef5ef2c8033dae506ce1e959e3a38e29a267b Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Fri, 12 May 2017 10:40:21 +0200
Subject: [PATCH] pam: properly support UPN logon names

Many logon applications like /bin/login or sshd canonicalize the user
name before they call pam_start() and hence the UPN is not seen by
SSSD's pam responder. But some like e.g. gdm don't and authentication
might fail if a UPN is used.

The reason is that currently the already parsed short name of the user
was used in the cache_req and hence the cache_req was not able to fall
back to the UPN lookup code. This patch uses the name originally
provided by the user as input to allow the fallback to the UPN lookup.

Resolves https://pagure.io/SSSD/sssd/issue/3240
---
 src/responder/pam/pamsrv_cmd.c  |  2 +-
 src/tests/cmocka/test_pam_srv.c | 90 +++++++++++++++++++++++++++++++++++++----
 2 files changed, 84 insertions(+), 8 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 10a178f..2fe77fa 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1560,7 +1560,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 
     data = cache_req_data_name(preq,
                                CACHE_REQ_INITGROUPS,
-                               preq->pd->user);
+                               preq->pd->logon_name);
     if (data == NULL) {
         return ENOMEM;
     }
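Review bot: `preq->pd->logon_name` is the unparsed string the client supplied, so this call now feeds raw input to cache_req, and the hunk does not show whether a NULL logon_name is rejected before this point; the existing `test_pam_preauth_no_logon_name` named in the test file suggests that case can occur. If pam_check_user_search (which starts and ends outside the hunk) does not already guard it, add `if (preq->pd->logon_name == NULL) { return EINVAL; }` ahead of the `cache_req_data_name` call, or note in a comment which earlier check covers it. A short why-comment would also record the intent of the change, e.g. `/* Pass the unparsed logon name so cache_req can fall back to a UPN lookup when the short name is not found */`.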
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index d249b8f..5ca0c92 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -509,7 +509,8 @@ static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
                               const char *pwd,
                               const char *fa2,
                               const char *svc,
-                              bool contact_dp)
+                              bool contact_dp,
+                              bool parse_input)
 {
     size_t buf_size;
     uint8_t *m_buf;
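Review bot: The new `parse_input` flag sits directly after `contact_dp`, so call sites now read as `true, false` with nothing at the prototype explaining either flag; the meaning is only visible in the next hunk, where `mock_parse_inp` is queued under `if (parse_input)` and `mock_account_recv_simple` under `if (contact_dp)`. Add a comment above the signature, e.g. `/* contact_dp: queue one data-provider round trip. parse_input: queue the mock_parse_inp expectation; pass false when the test expects the responder to hand the raw logon name to cache_req without parsing it. */`. The body of mock_input_pam_ex continues past the hunk.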
@@ -574,7 +575,9 @@ static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
     will_return(__wrap_sss_packet_get_body, buf);
     will_return(__wrap_sss_packet_get_body, buf_size);
 
-    mock_parse_inp(name, NULL, EOK);
+    if (parse_input) {
+        mock_parse_inp(name, NULL, EOK);
+    }
     if (contact_dp) {
         mock_account_recv_simple();
     }
@@ -585,7 +588,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx,
                            const char *pwd,
                            const char *fa2)
 {
-    return mock_input_pam_ex(mem_ctx, name, pwd, fa2, NULL, true);
+    return mock_input_pam_ex(mem_ctx, name, pwd, fa2, NULL, true, true);
 }
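Review bot: `return mock_input_pam_ex(...)` returns an expression from a function declared `static void mock_input_pam`, which ISO C forbids (C99 6.8.6.4 constraint) even though the expression itself has void type; GCC only diagnoses it under -pedantic. Since the line is being rewritten anyway, drop the keyword: `mock_input_pam_ex(mem_ctx, name, pwd, fa2, NULL, true, true);`.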
 
 static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
@@ -1582,6 +1585,71 @@ void test_pam_preauth_no_logon_name(void **state)
     assert_int_equal(ret, EOK);
 }
 
+void test_pam_auth_no_upn_logon_name(void **state)
+{
+    int ret;
+
+    ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+                               pam_test_ctx->pam_user_fqdn,
+                               "12345");
+    assert_int_equal(ret, EOK);
+
+    mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
+                      true, false);
+    mock_account_recv_simple();
+
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+    pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
+    set_cmd_cb(test_pam_simple_check);
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+                          pam_test_ctx->pam_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(pam_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
+void test_pam_auth_upn_logon_name(void **state)
+{
+    int ret;
+    struct sysdb_attrs *attrs;
+
+    ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+                               pam_test_ctx->pam_user_fqdn,
+                               "12345");
+    assert_int_equal(ret, EOK);
+    attrs = sysdb_new_attrs(pam_test_ctx);
+    assert_non_null(attrs);
+    ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upn@"TEST_DOM_NAME);
+    assert_int_equal(ret, EOK);
+
+    ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
+                              pam_test_ctx->pam_user_fqdn,
+                              attrs,
+                              LDB_FLAG_MOD_ADD);
+    assert_int_equal(ret, EOK);
+
+    mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
+                      true, false);
+    mock_account_recv_simple();
+
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+    set_cmd_cb(test_pam_successful_offline_auth_check);
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+                          pam_test_ctx->pam_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(pam_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
+
 static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
 {
     pam_test_ctx->pctx->cert_auth = true;
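Review bot: In both new tests `mock_account_recv_simple()` is queued twice — once via `contact_dp == true` inside `mock_input_pam_ex` and again explicitly on the following line — and nothing says why; presumably the responder is expected to contact the data provider for the plain-name lookup and then again for the UPN fallback, but a reader cannot confirm that from the test alone. Add a comment before the explicit call, e.g. `/* A second DP round trip is expected: the name lookup misses and cache_req retries the input as a UPN */`. The `PAM_USER_UNKNOWN` expectation in test_pam_auth_no_upn_logon_name would likewise benefit from a one-line comment that no SYSDB_UPN is set on the user, in contrast to the second test. Minor: there are two blank lines before set_cert_auth_param where the surrounding file uses one.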
@@ -2144,7 +2212,8 @@ void test_appsvc_posix_dom(void **state)
     int ret;
 
     /* The domain is POSIX, the request will skip over it */
-    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", false);
+    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", false,
+                      true);
     pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
 
     will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
@@ -2164,7 +2233,8 @@ void test_not_appsvc_posix_dom(void **state)
     int ret;
 
     /* A different service than the app one can authenticate against a POSIX domain */
-    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", true);
+    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", true,
+                      true);
 
     will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
     will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2208,7 +2278,8 @@ void test_appsvc_app_dom(void **state)
     int ret;
 
     /* The domain is POSIX, the request will skip over it */
-    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", true);
+    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", true,
+                      true);
 
     will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
     will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2228,7 +2299,8 @@ void test_not_appsvc_app_dom(void **state)
     int ret;
 
     /* A different service than the app one can authenticate against a POSIX domain */
-    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", false);
+    mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", false,
+                      true);
 
     pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
 
@@ -2312,6 +2384,10 @@ int main(int argc, const char *argv[])
                                         pam_test_setup, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
                                         pam_test_setup, pam_test_teardown),
+        cmocka_unit_test_setup_teardown(test_pam_auth_no_upn_logon_name,
+                                        pam_test_setup, pam_test_teardown),
+        cmocka_unit_test_setup_teardown(test_pam_auth_upn_logon_name,
+                                        pam_test_setup, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_cached_auth_success,
                                         pam_cached_test_setup,
                                         pam_test_teardown),