From 2b62d5a414b8b7dba4f714dc5033e28dc4b1f4fe Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 15 Mar 2016 14:29:02 +0100
Subject: PAM: Use qualified names internally in the PAM responder

The name is converted from whatever we receive on input to the internal format before processing the data further.

Reviewed-by: Sumit Bose
---
 src/responder/pam/pamsrv_cmd.c | 42 +++++++++++++++++++++++++++---------------
 src/responder/pam/pamsrv_p11.c | 17 +++++++++++++----
 2 files changed, 40 insertions(+), 19 deletions(-)
(limited to 'src/responder/pam')

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 22a1872a2..3a35c3f08 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1096,6 +1096,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
     struct pam_ctx *pctx = talloc_get_type(cctx->rctx->pvt_ctx,
                                            struct pam_ctx);
     struct tevent_req *req;
+    char *name = NULL;
 
     preq = talloc_zero(cctx, struct pam_auth_req);
     if (!preq) {
@@ -1147,8 +1148,16 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
         goto done;
     }
 
+    name = sss_resp_create_fqname(preq, pctx->rctx, preq->domain,
+                                  preq->pd->name_is_upn,
+                                  preq->pd->user);
+    if (name == NULL) {
+        return ENOMEM;
+    }
+
     ncret = sss_ncache_check_user(pctx->rctx->ncache,
-                                  preq->domain, pd->user);
+                                  preq->domain, name);
+    talloc_free(name);
     if (ncret == EEXIST) {
         /* User found in the negative cache */
         ret = ENOENT;
@@ -1160,8 +1169,16 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
          dom = get_next_domain(dom, 0)) {
         if (dom->fqnames) continue;
 
+        name = sss_resp_create_fqname(preq, pctx->rctx, dom,
+                                      preq->pd->name_is_upn,
+                                      preq->pd->user);
+        if (name == NULL) {
+            return ENOMEM;
+        }
+
         ncret = sss_ncache_check_user(pctx->rctx->ncache,
-                                      dom, pd->user);
+                                      dom, name);
+        talloc_free(name);
         if (ncret == ENOENT) {
             /* User not found in the negative cache
              * Proceed with PAM actions
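Review bot: The two added `return ENOMEM;` exits (here in the @@ -1147 hunk and again in the @@ -1160 hunk) leave pam_forwarder without passing through the `done:` label that the hunk's own first context line, `goto done;`, shows the rest of the function using for its error path, so whatever done: does is skipped on an allocation failure. What done: performs is not visible in this hunk; unless it only releases memory that talloc already ties to cctx, the consistent form is `ret = ENOMEM; goto done;` in both places. pam_forwarder starts and ends outside the hunk.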
@@ -1441,17 +1458,11 @@ static int pam_check_user_search(struct pam_auth_req *preq)
         preq->domain = dom;
 
         talloc_free(name);
-        name = sss_get_cased_name(preq, preq->pd->user,
-                                  dom->case_sensitive);
-        if (!name) {
-            return ENOMEM;
-        }
-        name = sss_reverse_replace_space(preq, name,
-                                         pctx->rctx->override_space);
+        name = sss_resp_create_fqname(preq, pctx->rctx, dom,
+                                      preq->pd->name_is_upn,
+                                      preq->pd->user);
         if (name == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "sss_reverse_replace_space failed\n");
             return ENOMEM;
         }
 
@@ -1474,8 +1485,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
             /* Entry is still valid, get it from the sysdb */
         }
 
-        DEBUG(SSSDBG_CONF_SETTINGS,
-              "Requesting info for [%s@%s]\n", name, dom->name);
+        DEBUG(SSSDBG_CONF_SETTINGS, "Requesting info for [%s]\n", name);
 
         if (dom->sysdb == NULL) {
             DEBUG(SSSDBG_FATAL_FAILURE,
@@ -1511,7 +1521,8 @@ static int pam_check_user_search(struct pam_auth_req *preq)
         if (ret == ENOENT) {
             if (preq->check_provider == false) {
                 /* set negative cache only if not result of cache check */
-                ret = sss_ncache_set_user(pctx->rctx->ncache, false, dom, name);
+                ret = sss_ncache_set_user(pctx->rctx->ncache,
+                                          false, dom, preq->pd->user);
                 if (ret != EOK) {
                     /* Should not be fatal, just slower next time */
                     DEBUG(SSSDBG_MINOR_FAILURE,
@@ -1834,7 +1845,8 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
         }
 
         /* pam_check_user_search() calls pd_set_primary_name() is the search
-         * was successful, so pd->user contains the canonical name as well */
+         * was successful, so pd->user contains the canonical sysdb name
+         * as well */
 
         if (strcmp(cert_user, preq->pd->user) == 0) {
             preq->pd->pam_status = PAM_SUCCESS;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8a9497a09..a2514f6a1 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
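Review bot: Removing the DEBUG in the @@ -1441 hunk makes a NULL from sss_resp_create_fqname silent at this call site, and every such NULL is reported as ENOMEM; if the helper can also return NULL for a name it cannot qualify, a malformed input is answered with an out-of-memory error and nothing in the log. Keeping a diagnostic before the return costs one line, `DEBUG(SSSDBG_CRIT_FAILURE, "sss_resp_create_fqname failed for [%s]\n", preq->pd->user);`. Whether sss_resp_create_fqname distinguishes the two failure modes is not visible here; the same pattern appears in the @@ -1147 and @@ -1160 hunks of pam_forwarder. pam_check_user_search continues outside the hunk.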
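Review bot: In the @@ -1511 hunk sss_ncache_set_user now receives the raw `preq->pd->user`, while the matching sss_ncache_check_user calls in pam_forwarder (@@ -1147 and @@ -1160) receive the qualified name built by sss_resp_create_fqname. If the negative-cache key is derived directly from the name argument, the entry stored here lives under a different key than the one later checked and the negative cache never hits for this user. Passing `name` (which the @@ -1441 hunk now fills with the qualified form and which the old line used) keeps both sides keyed alike; if sss_ncache_set_user qualifies the name itself, a one-line comment saying so would save the next reader the same question. The body of pam_check_user_search continues beyond the hunk.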
@@ -508,7 +508,7 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
  * Settings Daemon to determine the name of the token used for login */
 #define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
 
-errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
+errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
                               const char *token_name)
 {
     uint8_t *msg = NULL;
@@ -517,24 +517,33 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
     size_t msg_len;
     size_t slot_len;
     int ret;
+    char *username;
 
-    if (user == NULL || token_name == NULL) {
+    if (sysdb_username == NULL || token_name == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
         return EINVAL;
     }
 
-    user_len = strlen(user) + 1;
+    ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
+        return ret;
+    }
+
+    user_len = strlen(username) + 1;
     slot_len = strlen(token_name) + 1;
     msg_len = user_len + slot_len;
 
     msg = talloc_zero_size(pd, msg_len);
     if (msg == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
+        talloc_free(username);
         return ENOMEM;
     }
 
-    memcpy(msg, user, user_len);
+    memcpy(msg, username, user_len);
     memcpy(msg + user_len, token_name, slot_len);
+    talloc_free(username);
 
     ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
     talloc_free(msg);
-- cgit
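Review bot: The renamed parameter `sysdb_username` in the @@ -517 hunk now carries a format contract that the code enforces but nothing documents: sss_parse_internal_fqname must accept it, so a caller passing an unqualified name gets a CRIT_FAILURE log and an error instead of a response. A comment on the definition should say so, e.g. `/* sysdb_username must be an internal fully-qualified name; only its short-name part is sent to the client in SSS_PAM_CERT_INFO. */`. Sending just the short name also means a client whose domain requires fully-qualified names (the dom->fqnames check in pamsrv_cmd.c) receives no domain to pair it with; whether pam_sss needs one is not visible here. The prototype in the header is outside this diff and presumably still names the parameter `user`; aligning it would keep the contract visible at the declaration too.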