author | Sumit Bose <sbose@redhat.com> | 2014-10-01 15:22:45 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-01 17:29:17 +0200 |
commit | 95ef1bd1c06163492e285fa9d8e2fa81f99d39d2 (patch) | |
tree | 1a03bde2d92b39a19ddd8a99cd15ba608d6683d4 /src/responder/pam/pamsrv_cmd.c | |
parent | b6e1f016e300fa5bd33bfedc1e57f9f83de19e79 (diff) | |
pam: sub-domain authentication fix
With a recent patch sysdb_getpwnam() was replaced by
sysdb_get_user_by_name() in the PAM responder. Unfortunately both behave
differently with respect to sub-domain users. As a consequence the PAM
responder was not able to resolve users from sub-domains. This patch
reverts this change and uses sysdb_getpwnam() again.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c135e3c49..ffec17b46 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1051,6 +1051,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 static const char *user_attrs[] = SYSDB_PW_ATTRS;
 struct ldb_message *msg;
+ struct ldb_result *res;
 while (dom) {
 /* if it is a domainless search, skip domains that require fully
@@ -1122,7 +1123,16 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 if (preq->pd->name_is_upn) {
 ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg);
 } else {
- ret = sysdb_search_user_by_name(preq, dom, name, user_attrs, &msg);
+ ret = sysdb_getpwnam(preq, dom, name, &res);
+ if (res->count > 1) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "getpwnam call returned more than one result !?!\n");
+ return ENOENT;
+ } else if (res->count == 0) {
+ ret = ENOENT;
+ } else {
+ msg = res->msgs[0];
+ }
 }
 if (ret != EOK && ret != ENOENT) {
 DEBUG(SSSDBG_CRIT_FAILURE, |
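Review bot: In the second hunk `res->count` is read immediately after `sysdb_getpwnam()` without checking `ret`, and the first hunk declares `res` without an initializer. If the lookup can fail without setting `*res` (its contract is not visible here), the PAM responder dereferences an indeterminate pointer on the authentication path, which is undefined behaviour and most likely a crash. I would declare `struct ldb_result *res = NULL;` and wrap the three count branches in `if (ret == EOK) { ... }`, so a failed lookup falls through to the existing `ret != EOK && ret != ENOENT` check below. The duplicate-result branch also logs at `SSSDBG_FATAL_FAILURE` but returns plain `ENOENT`, which callers cannot tell apart from "user not found"; a one-line comment on why that mapping is intended would help. The body of `pam_check_user_search` starts and ends outside both hunks.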