diff options
| author | Sumit Bose <sbose@redhat.com> | 2013-05-10 09:55:31 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-06 23:58:56 +0200 |
| commit | 92af6f25864b5c389b57d0f659686801b45ca58c (patch) | |
| tree | 739bd3da9da35820d45c2b2c4bdb0c65ae8777d4 /src/sss_client | |
| parent | 3680bb9c72ea5c60e6ac2fd2cf500b801341ca59 (diff) | |
| download | sssd-92af6f25864b5c389b57d0f659686801b45ca58c.tar.gz sssd-92af6f25864b5c389b57d0f659686801b45ca58c.tar.xz sssd-92af6f25864b5c389b57d0f659686801b45ca58c.zip | |
Enhance PAC responder for AD users
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
Diffstat (limited to 'src/sss_client')
| -rw-r--r-- | src/sss_client/sssd_pac.c | 62 |
1 files changed, 47 insertions, 15 deletions
diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c index 0cce43dd7..469758a65 100644 --- a/src/sss_client/sssd_pac.c +++ b/src/sss_client/sssd_pac.c @@ -2,7 +2,7 @@ Authors: Sumit Bose <sbose@redhat.com> - Copyright (C) 2011 Red Hat + Copyright (C) 2011, 2012, 2013 Red Hat This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by @@ -45,7 +45,7 @@ sssdpac_flags(krb5_context kcontext, krb5_authdatatype ad_type, krb5_flags *flags) { - *flags = AD_USAGE_KDC_ISSUED | AD_INFORMATIONAL | AD_USAGE_TGS_REQ; + *flags = AD_USAGE_KDC_ISSUED | AD_USAGE_TGS_REQ; } static void @@ -81,9 +81,6 @@ sssdpac_import_authdata(krb5_context kcontext, krb5_boolean kdc_issued, krb5_const_principal kdc_issuer) { - struct sss_cli_req_data sss_data; - int ret; - int errnop; char *data = NULL; struct sssd_context *sssdctx = (struct sssd_context *)request_context; @@ -91,15 +88,6 @@ sssdpac_import_authdata(krb5_context kcontext, return EINVAL; } - sss_data.len = authdata[0]->length; - sss_data.data = authdata[0]->contents; - - ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data, - NULL, NULL, &errnop); - if (ret != 0) { - /* Ignore the error */ - } - if (authdata[0]->length > 0) { data = malloc(sizeof(char) * authdata[0]->length); if (data == NULL) { @@ -134,6 +122,50 @@ sssdpac_request_fini(krb5_context kcontext, } } +static krb5_error_code sssdpac_verify(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_auth_context *auth_context, + const krb5_keyblock *key, + const krb5_ap_req *req) +{ + krb5_error_code kerr; + int ret; + krb5_pac pac; + struct sssd_context *sssdctx = (struct sssd_context *)request_context; + struct sss_cli_req_data sss_data; + int errnop; + + if (sssdctx == NULL || sssdctx->data.data == NULL) { + return EINVAL; + } + + kerr = krb5_pac_parse(kcontext, sssdctx->data.data, + sssdctx->data.length, &pac); + if (kerr != 0) { + return EINVAL; + } + + kerr = krb5_pac_verify(kcontext, pac, + req->ticket->enc_part2->times.authtime, + req->ticket->enc_part2->client, key, NULL); + if (kerr != 0) { + return EINVAL; + } + + sss_data.len = sssdctx->data.length; + sss_data.data = sssdctx->data.data; + + ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data, + NULL, NULL, &errnop); + if (ret != 0) { + /* Ignore the error */ + } + + return 0; +} + static krb5_error_code sssdpac_size(krb5_context kcontext, krb5_authdata_context context, @@ -272,7 +304,7 @@ krb5plugin_authdata_client_ftable_v0 authdata_client_0 = { sssdpac_import_authdata, NULL, NULL, - NULL, + sssdpac_verify, sssdpac_size, sssdpac_externalize, sssdpac_internalize, |