URL: https://github.com/SSSD/sssd/pull/271 Author: sumit-bose Title: #271: pam: properly support UPN logon names Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/271/head:pr271 git checkout pr271
From f3711337a75a2b8e4029b73b4dc02ae7a58114e9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Mon, 22 May 2017 14:58:01 +0200
Subject: [PATCH 1/3] cache_req: use the right negative cache for initgroups by upn

---
 src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
index b6fb43ee0..dfb21ac1a 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
@@ -66,7 +66,7 @@ cache_req_initgroups_by_upn_ncache_check(struct sss_nc_ctx *ncache,
 struct sss_domain_info *domain,
 struct cache_req_data *data)
 {
- return sss_ncache_check_user(ncache, domain, data->name.lookup);
+ return sss_ncache_check_upn(ncache, domain, data->name.lookup);
 }
 
 static errno_t
@@ -74,7 +74,7 @@ cache_req_initgroups_by_upn_ncache_add(struct sss_nc_ctx *ncache,
 struct sss_domain_info *domain,
 struct cache_req_data *data)
 {
- return sss_ncache_set_user(ncache, false, domain, data->name.lookup);
+ return sss_ncache_set_upn(ncache, false, domain, data->name.lookup);
 }
 
 static errno_t

From 6f17b099da8bc695aad9770572666b1b506e4c76 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Mon, 22 May 2017 15:04:17 +0200
Subject: [PATCH 2/3] test: make sure p11_child is build for pam-srv-tests

---
 Makefile.am | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index c947e31e5..b1e478e93 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2357,6 +2357,9 @@ nss_srv_tests_LDADD = \
 EXTRA_pam_srv_tests_DEPENDENCIES = \
 $(ldblib_LTLIBRARIES) \
 $(NULL)
+if HAVE_NSS
+EXTRA_pam_srv_tests_DEPENDENCIES += p11_child
+endif
 pam_srv_tests_SOURCES = \
 $(TEST_MOCK_RESP_OBJ) \
 src/tests/cmocka/test_pam_srv.c \
From 254d32cfba3a47439a391c0a881237004319b4d7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Fri, 12 May 2017 10:40:21 +0200
Subject: [PATCH 3/3] pam: properly support UPN logon names

Many logon applications like /bin/login or sshd canonicalize the user name before they call pam_start() and hence the UPN is not seen by SSSD's pam responder. But some like e.g. gdm don't and authentication might fail if a UPN is used. The reason is that currently the already parsed short name of the user was used in the cache_req and hence the cache_req was not able to fall back to the UPN lookup code. This patch uses the name originally provided by the user as input to allow the fallback to the UPN lookup.

Resolves https://pagure.io/SSSD/sssd/issue/3240
---
 src/responder/pam/pamsrv_cmd.c | 4 +-
 src/tests/cmocka/test_pam_srv.c | 79 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 10a178f83..36dba3796 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1560,7 +1560,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 data = cache_req_data_name(preq, CACHE_REQ_INITGROUPS,
- preq->pd->user);
+ preq->pd->logon_name);
 if (data == NULL) {
 return ENOMEM;
 }
@@ -1589,7 +1589,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 preq->cctx->rctx->ncache,
 0,
 preq->req_dom_type,
- preq->pd->domain,
+ NULL,
 data);
 if (!dpreq) {
 DEBUG(SSSDBG_CRIT_FAILURE,
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index d249b8f1e..4d351a370 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -518,6 +518,8 @@ static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
 int ret;
 size_t needed_size;
 uint8_t *authtok;
+ char *s_name;
+ char *dom;
 
 if (name != NULL) {
 pi.pam_user = name;
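Review bot: With `preq->pd->logon_name` now handed to cache_req_data_name() in the first pamsrv_cmd.c hunk, a request without a logon name would be reported as an allocation failure, because `if (data == NULL) { return ENOMEM; }` attributes every NULL result to memory, and the sibling test test_pam_preauth_no_logon_name in this series suggests such requests do reach the responder. If cache_req_data_name() rejects a NULL name, a guard before the call, `if (preq->pd->logon_name == NULL) { return EINVAL; }`, keeps the error honest (assuming the caller does not already reject this case; pam_check_user_search begins and ends outside the hunk). Since the raw, user-supplied string now reaches cache_req unparsed, cache_req's own name parsing becomes the only place it is validated, which is worth stating where the argument is passed. In the second hunk, replacing `preq->pd->domain` with NULL drops the domain the responder had already derived; that is presumably intended so cache_req re-parses the full logon name, and a one-line comment, `/* no domain hint: let cache_req parse the raw logon name so it can fall back to a UPN lookup */`, would stop the next reader from restoring the old argument.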
@@ -574,7 +576,13 @@ static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
 will_return(__wrap_sss_packet_get_body, buf);
 will_return(__wrap_sss_packet_get_body, buf_size);
 
- mock_parse_inp(name, NULL, EOK);
+ if (strrchr(name, '@') == NULL) {
+ mock_parse_inp(name, NULL, EOK);
+ } else {
+ ret = sss_parse_internal_fqname(mem_ctx, name, &s_name, &dom);
+ mock_parse_inp(s_name, dom, EOK);
+ }
+
 if (contact_dp) {
 mock_account_recv_simple();
 }
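Review bot: `strrchr(name, '@')` dereferences `name` unconditionally, while the earlier hunk of this file guards `if (name != NULL)` before using it, so a caller that passes NULL (as a no-logon-name test would) now crashes inside the mock instead of reaching the old `mock_parse_inp(name, NULL, EOK)` path. The `ret` from `sss_parse_internal_fqname()` is also never checked, and `s_name`/`dom`, declared without initialisers in the previous hunk, are passed to mock_parse_inp() whatever the outcome. Both are covered by `if (name == NULL || strrchr(name, '@') == NULL) {` for the first branch and `assert_int_equal(ret, EOK);` directly after the parse call. mock_input_pam_ex begins and ends outside the hunk.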
@@ -1582,6 +1590,71 @@ void test_pam_preauth_no_logon_name(void **state)
 assert_int_equal(ret, EOK);
 }
 
+void test_pam_auth_no_upn_logon_name(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
+ true);
+ mock_account_recv_simple();
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_auth_upn_logon_name(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+ attrs = sysdb_new_attrs(pam_test_ctx);
+ assert_non_null(attrs);
+ ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upn@"TEST_DOM_NAME);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ attrs,
+ LDB_FLAG_MOD_ADD);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
+ true);
+ mock_account_recv_simple();
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_successful_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+
 static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
 {
 pam_test_ctx->pctx->cert_auth = true;
@@ -2312,6 +2385,10 @@ int main(int argc, const char *argv[])
 pam_test_setup, pam_test_teardown),
 cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
 pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_auth_no_upn_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_auth_upn_logon_name,
+ pam_test_setup, pam_test_teardown),
 cmocka_unit_test_setup_teardown(test_pam_cached_auth_success,
 pam_cached_test_setup, pam_test_teardown),
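Review bot: Neither new test states what it proves, and a comment above each would let the pair read as the negative and positive check of the UPN fallback. For test_pam_auth_no_upn_logon_name: `/* Logon name has UPN form but the cached user carries no UPN attribute: it must not resolve to the user, so authentication must end in PAM_USER_UNKNOWN. */`; for test_pam_auth_upn_logon_name: `/* Same logon name once SYSDB_UPN is set on the cached user: cache_req must fall back to the UPN lookup and offline authentication must succeed. */`. The UPN used, `"upn@"TEST_DOM_NAME`, has the test domain as its suffix, so mock_input_pam_ex() in the earlier hunk presumably splits it into user `upn` in TEST_DOM_NAME rather than treating it as an opaque principal; a UPN whose suffix is not a configured domain name is not exercised by this pair and seems worth a third case.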
