author | Jakub Hrozek <jhrozek@redhat.com> | 2016-09-07 12:07:36 +0200 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2016-09-08 23:04:30 +0200 |
commit | fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42 (patch) | |
tree | 5e4ee5e7b3b3f6ef9a38ef6e257e550d296e76c0 /src/providers/krb5 | |
parent | f2d1d90a14267c01155eab7bb95b8eb34128acc9 (diff) | |
KRB5: Send the output username, not internal fqname to krb5_child
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member to the
krb5child_req structure to avoid reusing the pd->user variable and instead have
an explicit one that serves as the input for the child process.
Resolves:
https://fedorahosted.org/sssd/ticket/3172
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_access.c | 10 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 18 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.h | 9 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 4 |
4 files changed, 30 insertions, 11 deletions
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
index 3afb90150..be9068c0f 100644
--- a/src/providers/krb5/krb5_access.c
+++ b/src/providers/krb5/krb5_access.c
@@ -51,6 +51,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
     int ret;
     const char **attrs;
     struct ldb_result *res;
+    struct sss_domain_info *dom;
 
     req = tevent_req_create(mem_ctx, &state, struct krb5_access_state);
     if (req == NULL) {
@@ -64,8 +65,13 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
     state->krb5_ctx = krb5_ctx;
     state->access_allowed = false;
 
-    ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive,
-                     &state->kr);
+    ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n");
+        goto done;
+    }
+
+    ret = krb5_setup(state, pd, dom, krb5_ctx, &state->kr);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
         goto done;
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index dabf55cf2..f0f228002 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -174,8 +174,10 @@ done:
     return ret;
 }
 
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
-                   struct krb5_ctx *krb5_ctx, bool cs,
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+                   struct pam_data *pd,
+                   struct sss_domain_info *dom,
+                   struct krb5_ctx *krb5_ctx,
                    struct krb5child_req **_krb5_req)
 {
     struct krb5child_req *kr;
@@ -201,13 +203,21 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
     kr->krb5_ctx = krb5_ctx;
 
     ret = get_krb_primary(krb5_ctx->name_to_primary,
-                          pd->user, cs, &mapped_name);
+                          pd->user, dom->case_sensitive, &mapped_name);
     if (ret == EOK) {
         DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
         kr->user = mapped_name;
+        kr->kuserok_user = mapped_name;
     } else if (ret == ENOENT) {
         DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
         kr->user = pd->user;
+
+        kr->kuserok_user = sss_output_name(kr, kr->user,
+                                           dom->case_sensitive, 0);
+        if (kr->kuserok_user == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
     } else {
         DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n",
               sss_strerror(ret), ret);
@@ -534,7 +544,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
     attrs[6] = SYSDB_AUTH_TYPE;
     attrs[7] = NULL;
 
-    ret = krb5_setup(state, pd, krb5_ctx, state->domain->case_sensitive,
+    ret = krb5_setup(state, pd, state->domain, krb5_ctx,
                      &state->kr);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index dbad061f0..11bb59583 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -57,11 +57,14 @@ struct krb5child_req {
     bool send_pac;
 
     const char *user;
+    const char *kuserok_user;
 };
 
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
-                   struct krb5_ctx *krb5_ctx, bool case_sensitive,
-                   struct krb5child_req **krb5_req);
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+                   struct pam_data *pd,
+                   struct sss_domain_info *dom,
+                   struct krb5_ctx *krb5_ctx,
+                   struct krb5child_req **_krb5_req);
 
 struct tevent_req *
 krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 09a1e5f59..1eec7261f 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
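Review bot: The ENOENT branch of krb5_setup reports every NULL from sss_output_name() as ENOMEM, but if that helper can also return NULL for a name it cannot parse (it is given the raw kr->user here), an input problem in the name sent to krb5_kuserok() would be logged as an allocation failure; a DEBUG line naming the user before `ret = ENOMEM;` would keep the access-control failure diagnosable. The two branches also differ in what kuserok_user receives — the mapped name verbatim versus the output form of the user — and nothing in the hunk says why, so a one-line comment above `kr->kuserok_user = mapped_name;` such as `/* kuserok_user is what krb5_child hands to krb5_kuserok(): the localauth-mapped name as is, otherwise the public (output) form of the user name */` would make the asymmetry deliberate rather than accidental. The `done:` label this branch jumps to lies outside the hunk, so whether kr is released on this error path cannot be confirmed from here.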
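Review bot: The new krb5child_req member `kuserok_user` is added to the header without any comment, although it now drives the access decision made in krb5_child and its two producers in krb5_setup fill it differently. A short comment on the field, e.g. `/* User name sent to krb5_child for the krb5_kuserok() access check; set by krb5_setup(), talloc-owned by this request when derived via sss_output_name() */`, would tell future callers that it must be populated before an SSS_PAM_ACCT_MGMT request is serialized. The ownership of the mapped-name case is not visible in this commit, so that part of the wording should be checked against get_krb_primary().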
@@ -161,7 +161,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     }
 
     if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
-        username_len = strlen(kr->pd->user);
+        username_len = strlen(kr->kuserok_user);
         buf->size += sizeof(uint32_t) + username_len;
     }
 
@@ -217,7 +217,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
 
     if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
         SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp);
-        safealign_memcpy(&buf->data[rp], kr->pd->user, username_len, &rp);
+        safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp);
     }
 
     *io_buf = buf;
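Review bot: `strlen(kr->kuserok_user)` in the first hunk dereferences the new field with no NULL check, and the second hunk copies from it with the same assumption; a krb5child_req that reaches create_send_buffer for SSS_PAM_ACCT_MGMT without having gone through the krb5_setup path that fills the field would crash the provider rather than fail the request. Both producers visible in this commit either set the field or return an error, so this is defensive only, but a guard before the first use, `if (kr->kuserok_user == NULL) { return EINVAL; }`, is cheap and keeps an empty access-check name from ever being serialized to the child. create_send_buffer starts before the first hunk and ends after the second, so the early-return convention of the function should be confirmed against its other error paths.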