URL: https://github.com/SSSD/sssd/pull/5234
Author: sumit-bose
Title: #5234: pam: use requested_domains to restrict cache_req searches
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5234/head:pr5234
git checkout pr5234
From 72fb2669992d2bdab80693a8a61e900df5e46f2b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 7 Jul 2020 16:27:32 +0200
Subject: [PATCH 1/5] cache_req: allow to restrict the domains an object is
search
With the new call cache_req_data_set_requested_domains() a
NULL-terminated list of domain names can be added to to cache_req so
that the object is only searched in the listed domains. If the list only
contains unknown domains the cache_req will return with an error.
---
src/responder/common/cache_req/cache_req.c | 22 +++++++++++++------
src/responder/common/cache_req/cache_req.h | 3 +++
.../common/cache_req/cache_req_data.c | 12 ++++++++++
.../common/cache_req/cache_req_domain.c | 18 +++++++++++++++
.../common/cache_req/cache_req_domain.h | 1 +
.../common/cache_req/cache_req_private.h | 3 +++
6 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index f492e9f612..afb0e7cdac 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -1059,7 +1059,8 @@ static void cache_req_domains_updated(struct tevent_req *subreq);
static void cache_req_input_parsed(struct tevent_req *subreq);
static errno_t cache_req_select_domains(struct tevent_req *req,
- const char *domain_name);
+ const char *domain_name,
+ char **requested_domains);
static errno_t
cache_req_search_domains(struct tevent_req *req,
@@ -1117,7 +1118,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = cache_req_select_domains(req, state->domain_name);
+ ret = cache_req_select_domains(req, state->domain_name,
+ cr->data->requested_domains);
done:
if (ret == EOK) {
@@ -1230,7 +1232,8 @@ static void cache_req_domains_updated(struct tevent_req *subreq)
}
immediately:
- ret = cache_req_select_domains(req, state->domain_name);
+ ret = cache_req_select_domains(req, state->domain_name,
+ state->cr->data->requested_domains);
done:
if (ret != EOK && ret != EAGAIN) {
@@ -1275,7 +1278,8 @@ static void cache_req_input_parsed(struct tevent_req *subreq)
}
state->domain_name = domain;
- ret = cache_req_select_domains(req, domain);
+ ret = cache_req_select_domains(req, domain,
+ state->cr->data->requested_domains);
if (ret != EAGAIN) {
tevent_req_error(req, ret);
return;
@@ -1283,7 +1287,8 @@ static void cache_req_input_parsed(struct tevent_req *subreq)
}
static errno_t cache_req_select_domains(struct tevent_req *req,
- const char *domain_name)
+ const char *domain_name,
+ char **requested_domains)
{
struct cache_req_state *state = NULL;
struct cache_req_domain *cr_domain;
@@ -1303,6 +1308,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
ret = cache_req_domain_copy_cr_domains(state,
state->cr->rctx->cr_domains,
+ requested_domains,
&state->cr_domains);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_copy_cr_domains() failed\n");
@@ -1391,7 +1397,8 @@ static void cache_req_process_result(struct tevent_req *subreq)
if (ret == ENOENT && state->first_iteration) {
/* Try again different search schema. */
state->first_iteration = false;
- ret = cache_req_select_domains(req, state->domain_name);
+ ret = cache_req_select_domains(req, state->domain_name,
+ state->cr->data->requested_domains);
if (ret == EOK) {
/* We're done searching and we have found nothing. */
ret = ENOENT;
@@ -1404,7 +1411,8 @@ static void cache_req_process_result(struct tevent_req *subreq)
if (cache_req_assume_upn(state->cr)) {
/* Try UPN now. */
state->first_iteration = true;
- ret = cache_req_select_domains(req, NULL);
+ ret = cache_req_select_domains(req, NULL,
+ state->cr->data->requested_domains);
}
}
}
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 44305fb2ec..72d4abe5ec 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -167,6 +167,9 @@ void
cache_req_data_set_bypass_dp(struct cache_req_data *data,
bool bypass_dp);
+void
+cache_req_data_set_requested_domains(struct cache_req_data *data,
+ char **requested_domains);
enum cache_req_type
cache_req_data_get_type(struct cache_req_data *data);
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
index 03b775449f..14c4ad14f0 100644
--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
@@ -443,6 +443,18 @@ cache_req_data_set_bypass_dp(struct cache_req_data *data,
data->bypass_dp = bypass_dp;
}
+void
+cache_req_data_set_requested_domains(struct cache_req_data *data,
+ char **requested_domains)
+{
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n");
+ return;
+ }
+
+ data->requested_domains = requested_domains;
+}
+
enum cache_req_type
cache_req_data_get_type(struct cache_req_data *data)
{
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index d1621cbabd..9e22f7d6b2 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -50,6 +50,7 @@ cache_req_domain_get_domain_by_name(struct cache_req_domain *domains,
errno_t
cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx,
struct cache_req_domain *src,
+ char **requested_domains,
struct cache_req_domain **_dest)
{
struct cache_req_domain *cr_domains = NULL;
@@ -62,6 +63,12 @@ cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx,
}
DLIST_FOR_EACH(iter, src) {
+ if (requested_domains != NULL
+ && !string_in_list(iter->domain->name, requested_domains,
+ false)) {
+ continue;
+ }
+
cr_domain = talloc_zero(mem_ctx, struct cache_req_domain);
if (cr_domain == NULL) {
ret = ENOMEM;
@@ -74,6 +81,17 @@ cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx,
DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
}
+ if (cr_domains == NULL) {
+ if (requested_domains != NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "No requested domains found, "
+ "please check pam_sss domain option for typos.\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy domains.\n");
+ }
+ ret = EINVAL;
+ goto done;
+ }
+
*_dest = cr_domains;
ret = EOK;
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
index 5769b6aee3..72e499575c 100644
--- a/src/responder/common/cache_req/cache_req_domain.h
+++ b/src/responder/common/cache_req/cache_req_domain.h
@@ -54,6 +54,7 @@ cache_req_domain_new_list_from_domain_resolution_order(
errno_t
cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx,
struct cache_req_domain *src,
+ char **requested_domains,
struct cache_req_domain **_dest);
void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains);
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index 8f20616be7..bfca688b92 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -100,6 +100,9 @@ struct cache_req_data {
bool bypass_cache;
bool bypass_dp;
+
+ /* if set, only search in the listed domains */
+ char **requested_domains;
};
struct tevent_req *
From 2b9f253bfcd89af6d86fa439893ee6c02c5c6f4c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 25 Aug 2020 10:36:18 +0200
Subject: [PATCH 2/5] tests: add unit-test for
cache_req_data_set_requested_domains
---
src/tests/cmocka/test_responder_cache_req.c | 97 +++++++++++++++++++++
1 file changed, 97 insertions(+)
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 37638137df..258bc78943 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -289,6 +289,44 @@ static void run_user_by_id(struct cache_req_test_ctx *test_ctx,
cache_refresh_percent, users[0].uid, exp_ret);
}
+static void
+run_user_by_name_with_requested_domains(struct cache_req_test_ctx *test_ctx,
+ struct sss_domain_info *domain,
+ char **requested_domains,
+ int cache_refresh_percent,
+ errno_t exp_ret)
+{
+ TALLOC_CTX *req_mem_ctx;
+ struct tevent_req *req;
+ errno_t ret;
+ struct cache_req_data *data;
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ data = cache_req_data_name(req_mem_ctx, CACHE_REQ_USER_BY_NAME,
+ users[0].short_name);
+ assert_non_null(data);
+
+ cache_req_data_set_requested_domains(data, requested_domains);
+
+ req = cache_req_send(req_mem_ctx, test_ctx->tctx->ev, test_ctx->rctx,
+ test_ctx->ncache, cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM,
+ (domain == NULL ? NULL : domain->name), data);
+ assert_non_null(req);
+ talloc_steal(req, data);
+
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_user_by_name_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, exp_ret);
+ assert_true(check_leaks_pop(req_mem_ctx));
+
+ talloc_free(req_mem_ctx);
+}
+
static void assert_msg_has_shortname(struct cache_req_test_ctx *test_ctx,
struct ldb_message *msg,
const char *check_name)
@@ -940,6 +978,63 @@ void test_user_by_name_missing_notfound(void **state)
assert_true(test_ctx->dp_called);
}
+void test_user_by_name_multiple_domains_requested_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ char *requested_domains[2] = { discard_const("responder_cache_req_test_d"),
+ NULL};
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ mock_parse_inp(users[0].short_name, NULL, ERR_OK);
+
+ /* Test. */
+ run_user_by_name_with_requested_domains(test_ctx, NULL, requested_domains,
+ 0, ERR_OK);
+ /* The backend will not be called during this test because the user is
+ * already cached in the requested domain. */
+ check_user(test_ctx, &users[0], domain);
+}
+
+void test_user_by_name_multiple_domains_requested_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ char *requested_domains[2] = { discard_const("responder_cache_req_test_a"),
+ NULL};
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_get_account_recv, 0);
+ mock_parse_inp(users[0].short_name, NULL, ERR_OK);
+
+ /* Test. */
+ run_user_by_name_with_requested_domains(test_ctx, NULL, requested_domains,
+ 0, ENOENT);
+ /* The requested domain is not the domain the user was added to, so we
+ * expect ENOENT and that the backend is called. */
+ assert_true(test_ctx->dp_called);
+}
+
+
void test_user_by_upn_multiple_domains_found(void **state)
{
struct cache_req_test_ctx *test_ctx = NULL;
@@ -4127,6 +4222,8 @@ int main(int argc, const char *argv[])
new_multi_domain_test(user_by_name_multiple_domains_found),
new_multi_domain_test(user_by_name_multiple_domains_notfound),
new_multi_domain_test(user_by_name_multiple_domains_parse),
+ new_multi_domain_test(user_by_name_multiple_domains_requested_domains_found),
+ new_multi_domain_test(user_by_name_multiple_domains_requested_domains_notfound),
new_single_domain_test(user_by_upn_cache_valid),
new_single_domain_test(user_by_upn_cache_expired),
From 2735a552567bebfdc7c2d414c1cbd805455ef56c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 7 Jul 2020 16:30:58 +0200
Subject: [PATCH 3/5] pam: use requested_domains to restrict cache_req searches
If the 'domains' is used with pam_sss.so it is expected that only users
from the given domains are allowed. Currently it is checked after the
user is searched if the result is from one of those domains.
To speed things up and to allow more flexible setups this patch
restricts the list of domains already in the cache_req. The check after
the search is kept as an additional safe-guard although the cache_req
should now only return users from the given domains or an error.
---
src/responder/pam/pamsrv_cmd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index d76ade943a..1b0cd55480 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1902,6 +1902,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
cache_req_data_set_bypass_cache(data, false);
cache_req_data_set_bypass_dp(data, true);
+ cache_req_data_set_requested_domains(data, preq->pd->requested_domains);
dpreq = cache_req_send(preq,
preq->cctx->rctx->ev,
@@ -2010,6 +2011,7 @@ static void pam_check_user_search_next(struct tevent_req *req)
}
cache_req_data_set_bypass_cache(data, true);
cache_req_data_set_bypass_dp(data, false);
+ cache_req_data_set_requested_domains(data, preq->pd->requested_domains);
dpreq = cache_req_send(preq,
preq->cctx->rctx->ev,
From 8f095125e44b618eb69c056c8e490dcbbe0c5ddc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 25 Aug 2020 09:40:05 +0200
Subject: [PATCH 4/5] intg: krb5 auth and pam_sss domains option test
New integration tests for Kerberos authentication and the handling of
the 'domains' option of pam_sss are added. The purpose of the latter
test is to make sure that the 'domains' option is properly evaluated
even if multiple domains with the same user base are configure in
sssd.conf.
---
src/tests/intg/Makefile.am | 13 +-
src/tests/intg/test_pam_responder.py | 196 +++++++++++++++++++++++++++
2 files changed, 208 insertions(+), 1 deletion(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 7e1f969472..725ec54987 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -142,6 +142,17 @@ pam_sss_allow_missing_name:
echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+pam_sss_domains:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth sufficient $(DESTDIR)$(pammoddir)/pam_sss.so forward_pass domains=wrong.dom1" > $(PAM_SERVICE_DIR)/$@
+ echo "auth sufficient $(DESTDIR)$(pammoddir)/pam_sss.so forward_pass domains=wrong.dom2" >> $(PAM_SERVICE_DIR)/$@
+ echo "auth sufficient $(DESTDIR)$(pammoddir)/pam_sss.so forward_pass domains=wrong.dom3" >> $(PAM_SERVICE_DIR)/$@
+ echo "auth sufficient $(DESTDIR)$(pammoddir)/pam_sss.so forward_pass domains=krb5_auth" >> $(PAM_SERVICE_DIR)/$@
+ echo "auth required pam_deny.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
CLEANFILES=config.py config.pyc passwd group
clean-local:
@@ -158,7 +169,7 @@ SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
USE_NSS=0
endif
-intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains
pipepath="$(DESTDIR)$(pipepath)"; \
if test $${#pipepath} -gt 80; then \
echo "error: Pipe directory path too long," \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index 7a2458339e..aa3783d714 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -31,6 +31,7 @@
import config
import intg.ds_openldap
+import kdc
import pytest
@@ -177,6 +178,78 @@ def format_pam_cert_auth_conf_name_format(config):
""").format(**locals())
+def format_pam_krb5_auth(config, kdc_instance):
+ """Format SSSD configuration for krb5 authentication"""
+ return unindent("""\
+ [sssd]
+ debug_level = 10
+ domains = krb5_auth
+ services = pam, nss
+
+ [nss]
+ debug_level = 10
+
+ [pam]
+ debug_level = 10
+
+ [domain/krb5_auth]
+ debug_level = 10
+ id_provider = files
+ auth_provider = krb5
+
+ krb5_realm = PAMKRB5TEST
+ krb5_server = localhost:{kdc_instance.kdc_port}
+ """).format(**locals())
+
+
+def format_pam_krb5_auth_domains(config, kdc_instance):
+ """Format SSSD configuration for krb5 authentication"""
+ return unindent("""\
+ [sssd]
+ debug_level = 10
+ domains = wrong.dom1, wrong.dom2, krb5_auth, wrong.dom3
+ services = pam, nss
+
+ [nss]
+ debug_level = 10
+
+ [pam]
+ debug_level = 10
+
+ [domain/wrong.dom1]
+ debug_level = 10
+ id_provider = files
+ auth_provider = krb5
+
+ krb5_realm = WRONG1REALM
+ krb5_server = localhost:{kdc_instance.kdc_port}
+
+ [domain/wrong.dom2]
+ debug_level = 10
+ id_provider = files
+ auth_provider = krb5
+
+ krb5_realm = WRONG2REALM
+ krb5_server = localhost:{kdc_instance.kdc_port}
+
+ [domain/wrong.dom3]
+ debug_level = 10
+ id_provider = files
+ auth_provider = krb5
+
+ krb5_realm = WRONG3REALM
+ krb5_server = localhost:{kdc_instance.kdc_port}
+
+ [domain/krb5_auth]
+ debug_level = 10
+ id_provider = files
+ auth_provider = krb5
+
+ krb5_realm = PAMKRB5TEST
+ krb5_server = localhost:{kdc_instance.kdc_port}
+ """).format(**locals())
+
+
def create_conf_file(contents):
"""Create sssd.conf with specified contents"""
conf = open(config.CONF_PATH, "w")
@@ -675,3 +748,126 @@ def test_sc_auth_name_format(simple_pam_cert_auth_name_format, env_for_sssctl):
assert err.find(r"pam_authenticate for user [auth_only\user1]: " +
"Success") != -1
+
+
+@pytest.fixture
+def kdc_instance(request):
+ """Kerberos server instance fixture"""
+ kdc_instance = kdc.KDC(config.PREFIX, "PAMKRB5TEST")
+ try:
+ kdc_instance.set_up()
+ kdc_instance.start_kdc()
+ except:
+ kdc_instance.teardown()
+ raise
+ request.addfinalizer(kdc_instance.teardown)
+ return kdc_instance
+
+
+@pytest.fixture
+def setup_krb5(request, kdc_instance, passwd_ops_setup):
+ """
+ Setup SSSD for Kerberos authentication with 2 users with different
+ passwords
+ """
+ conf = format_pam_krb5_auth(config, kdc_instance)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ kdc_instance.add_principal("user1", "Secret123User1")
+ kdc_instance.add_principal("user2", "Secret123User2")
+ return None
+
+
+def test_krb5_auth(setup_krb5, env_for_sssctl):
+ """
+ Test basic Kerberos authentication, check for authentication failure when
+ a wrong password is used
+ """
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="Secret123User1")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find(r"pam_authenticate for user [user1]: Success") != -1
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user2",
+ "--action=auth",
+ "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="Secret123User1")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find(r"pam_authenticate for user [user2]: " +
+ "Authentication failure") != -1
+
+
+@pytest.fixture
+def setup_krb5_domains(request, kdc_instance, passwd_ops_setup):
+ """
+ Setup SSSD for Kerberos authentication with 2 users with different
+ passwords and multiple domains configured in sssd.conf
+ """
+ conf = format_pam_krb5_auth_domains(config, kdc_instance)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ kdc_instance.add_principal("user1", "Secret123User1")
+ kdc_instance.add_principal("user2", "Secret123User2")
+ return None
+
+
+def test_krb5_auth_domains(setup_krb5_domains, env_for_sssctl):
+ """
+ Test basic Kerberos authentication with pam_sss 'domains' option, make
+ sure not-matching domains are skipped even if the user exists in that
+ domain
+ """
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_domains"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="Secret123User1")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find(r"pam_authenticate for user [user1]: Success") != -1
From 29b6cf730287b50efe9900637a628b7fa3fa5655 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 7 Jul 2020 17:08:32 +0200
Subject: [PATCH 5/5] pam_sss: clarify man page entry of domains option
Resolves: https://github.com/SSSD/sssd/issues/3987
---
src/man/pam_sss.8.xml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index cc20e51616..ff9be59072 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -155,8 +155,9 @@
SSSD domain names, as specified in the sssd.conf file.
</para>
<para>
- NOTE: Must be used in conjunction with the
- <quote>pam_trusted_users</quote> and
+ NOTE: If this is used for a service not running as root
+ user, e.g. a web-server, it must be used in conjunction
+ with the <quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
Please see the
<citerefentry>
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
