URL: https://github.com/SSSD/sssd/pull/5503
Author: stanislavlevin
Title: #5503: pam_sss: Don't fail on deskprofiles phase for AD users
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5503/head:pr5503
git checkout pr5503

From bf0e5cd843db155a83daf0a8e7b8bd5d4d4a4d35 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <s...@altlinux.org>
Date: Fri, 12 Feb 2021 10:51:30 +0300
Subject: [PATCH] pam_sss: Don't fail on deskprofiles phase for AD users

By default (if session_provider is not none) during session setup
pam_sss attempts to fetch desktop rules and profiles for user from
IPA domain. As part of this job, the data provider looks for the
user info (uid and gid) in IPA domain but fails to do that for AD
user from a trusted domain returning PAM_SESSION_ERR.

The requested target domain has been already found in `dp_req_new`
and may be referenced as `params->domain`. This change doesn't
introduce the possibility to fetch deskprofiles for AD users, but
at least, doesn't break PAM authentication for them.

Fixes: https://github.com/SSSD/sssd/issues/5499
Signed-off-by: Stanislav Levin <s...@altlinux.org>
---
 src/providers/ipa/ipa_session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index 935393ccd6..267c978afe 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -510,7 +510,7 @@ ipa_pam_session_handler_send(TALLOC_CTX *mem_ctx,
      * that this operation is done. */
     ret = ipa_pam_session_handler_get_deskprofile_user_info(
                                                         state,
-                                                        state->be_ctx->domain,
+                                                        params->domain,
                                                         pd->user,
                                                         &state->shortname,
                                                         &state->domain,
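
Review bot: The new `params->domain` argument is used with no visible check or comment explaining why it is guaranteed to be set at this point; the commit message says it is resolved in `dp_req_new`, so please put that in the comment above the call, next to "that this operation is done", so the invariant is documented where it is relied on. The commit message also states that deskprofiles still cannot be fetched for AD users, which means the remaining steps of this request run for a user whose domain is not the IPA domain in `state->be_ctx->domain`. Consider making that case explicit (for example, returning success early when `params->domain` differs from `state->be_ctx->domain`) instead of depending on the later steps to fail softly, and add a test covering session setup for a trusted-domain AD user so that PAM_SESSION_ERR does not regress.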