No functionality changes: just make the code respect the tevent_req style and naming conventions, and enhance readability by adding some helper functions.
Signed-off-by: Simo Sorce <s...@redhat.com> --- src/providers/krb5/krb5_access.c | 6 +- src/providers/krb5/krb5_auth.c | 556 ++++++++++++++++------------------- src/providers/krb5/krb5_auth.h | 2 +- src/providers/krb5/krb5_wait_queue.c | 12 +- 4 files changed, 268 insertions(+), 308 deletions(-) diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c index afa3a89df2932ec18984733009f3339e62046673..6073debdcdebd5a9f423b1087c5c5a691959a257 100644 --- a/src/providers/krb5/krb5_access.c +++ b/src/providers/krb5/krb5_access.c @@ -37,7 +37,7 @@ struct krb5_access_state { bool access_allowed; }; -static void krb5_access_child_done(struct tevent_req *subreq); +static void krb5_access_done(struct tevent_req *subreq); struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct be_ctx *be_ctx, @@ -143,7 +143,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, goto done; } - tevent_req_set_callback(subreq, krb5_access_child_done, req); + tevent_req_set_callback(subreq, krb5_access_done, req); return req; done: @@ -156,7 +156,7 @@ done: return req; } -static void krb5_access_child_done(struct tevent_req *subreq) +static void krb5_access_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); struct krb5_access_state *state = tevent_req_data(req, diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index e244cea5a1716d094e261eacbd1ae7d817ec046f..70dd988a7d28d19fe09946eedd90d713b35a4621 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c 
@@ -270,12 +270,116 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, return EOK; } -static void krb5_resolve_kdc_done(struct tevent_req *subreq); -static void krb5_resolve_kpasswd_done(struct tevent_req *subreq); -static void krb5_find_ccache_step(struct tevent_req *req); -static void krb5_save_ccname_done(struct tevent_req *req); -static void krb5_child_done(struct tevent_req *req); -static void krb5_pam_handler_cache_auth_step(struct tevent_req *req); + +static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, + struct sysdb_ctx *sysdb, + struct confdb_ctx *cdb, + struct pam_data *pd, uid_t uid, + int *pam_status, int *dp_err) +{ + errno_t ret; + + ret = sysdb_cache_auth(sysdb, pd->user, pd->authtok, + pd->authtok_size, cdb, true, NULL, + NULL); + if (ret != EOK) { + DEBUG(1, ("Offline authentication failed\n")); + *pam_status = PAM_SYSTEM_ERR; + *dp_err = DP_ERR_OK; + return; + } + + ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid); + if (ret != EOK) { + /* This error is not fatal */ + DEBUG(1, ("add_user_to_delayed_online_authentication failed.\n")); + } + *pam_status = PAM_AUTHINFO_UNAVAIL; + *dp_err = DP_ERR_OFFLINE; +} + +static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr, + struct be_ctx *be_ctx, + int *pam_status, int *dp_err) +{ + const char *ccname_template; + bool private_path = false; + errno_t ret; + + if (!kr->is_offline) { + kr->is_offline = be_is_offline(be_ctx); + } + if (kr->is_offline) { + DEBUG(9, ("Preparing for offline operation.\n")); + } + + /* The ccache file should be (re)created if one of the following conditions + * is true: + * - it doesn't exist (kr->ccname == NULL) + * - the backend is online and the current ccache file is not used, i.e + * the related user is currently not logged in and it is not a renewal + * request + * (!kr->is_offline && !kr->active_ccache_present && + * kr->pd->cmd != SSS_CMD_RENEW) + * - the backend is offline and the current cache file not used and + * 
it does not contain a valid tgt + * (kr->is_offline && + * !kr->active_ccache_present && !kr->valid_tgt_present) + */ + if (kr->ccname == NULL || + (kr->is_offline && + !kr->active_ccache_present && + !kr->valid_tgt_present) || + (!kr->is_offline && + !kr->active_ccache_present && + kr->pd->cmd != SSS_CMD_RENEW)) { + DEBUG(9, ("Recreating ccache file.\n")); + ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, + KRB5_CCNAME_TMPL); + kr->ccname = expand_ccname_template(kr, kr, ccname_template, true, + be_ctx->domain->case_sensitive, + &private_path); + if (kr->ccname == NULL) { + DEBUG(1, ("expand_ccname_template failed.\n")); + return ENOMEM; + } + + if (kr->cc_be == NULL) { + kr->cc_be = get_cc_be_ops_ccache(kr->ccname); + } + if (kr->cc_be == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Cannot get operations on new ccache %s\n", kr->ccname)); + return EINVAL; + } + + ret = kr->cc_be->create(kr->ccname, + kr->krb5_ctx->illegal_path_re, + kr->uid, kr->gid, private_path); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n")); + return ret; + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Saved ccache %s if of different type than ccache in " + "configuration file, reusing the old ccache\n", + kr->old_ccname)); + + kr->cc_be = get_cc_be_ops_ccache(kr->old_ccname); + if (kr->cc_be == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Cannot get operations on saved ccache %s\n", + kr->old_ccname)); + return EINVAL; + } + } + + return EOK; +} + + +/* krb5_auth request */ struct krb5_auth_state { struct tevent_context *ev; 
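Review bot: krb5_auth_prepare_ccache_file takes `int *pam_status, int *dp_err` but never writes through either pointer; every failure path simply returns ENOMEM, EINVAL or the create() result, so the out-parameters advertise a contract the helper does not honour. Either drop them from the signature (and from the single call in krb5_auth_resolve_done) or set them on the failure paths. Neither new helper has a header comment; for krb5_auth_cache_creds I would add `/* Offline fallback: check pd->authtok against the sysdb cache and queue the user for delayed online authentication. Always sets *pam_status and *dp_err; cannot fail. */`. While the message is being moved, the log text `Saved ccache %s if of different type` reads better as `is of different type`.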
@@ -284,24 +388,14 @@ struct krb5_auth_state { struct krb5_ctx *krb5_ctx; struct krb5child_req *kr; + bool search_kpasswd; + int pam_status; int dp_err; }; -int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err) -{ - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - - *pam_status = state->pam_status; - *dp_err = state->dp_err; - - TEVENT_REQ_RETURN_ON_ERROR(req); - - return EOK; -} - -static struct tevent_req *krb5_next_kdc(struct tevent_req *req); -static struct tevent_req *krb5_next_kpasswd(struct tevent_req *req); +static void krb5_auth_resolve_done(struct tevent_req *subreq); +static void krb5_auth_done(struct tevent_req *subreq); struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -488,12 +582,16 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, kr->srv = NULL; kr->kpasswd_srv = NULL; - subreq = krb5_next_kdc(req); + state->search_kpasswd = false; + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->service->name, + state->kr->srv == NULL ? true : false); if (!subreq) { - DEBUG(SSSDBG_CRIT_FAILURE, ("krb5_next_kdc failed.\n")); + DEBUG(SSSDBG_CRIT_FAILURE, ("Failed resolver request.\n")); ret = EIO; goto done; } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); return req; 
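Review bot: In the second hunk the boolean argument `state->kr->srv == NULL ? true : false` is evaluated two lines after the context line `kr->srv = NULL;`, so it is constant; passing `true` directly (with a short comment that this is the first resolution attempt) says what is meant and drops the `? true : false` on an expression that is already a bool. The same `x == NULL ? true : false` spelling is repeated in krb5_auth_resolve_done and three times in krb5_auth_done, where `x == NULL` alone suffices. krb5_auth_send's body continues outside the hunk.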
@@ -507,153 +605,70 @@ done: return req; } -static void krb5_resolve_kdc_done(struct tevent_req *subreq) +static void krb5_auth_resolve_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); struct krb5child_req *kr = state->kr; + char *msg; int ret; ret = be_resolve_server_recv(subreq, &kr->srv); talloc_zfree(subreq); - if (ret) { - /* all servers have been tried and none - * was found good, setting offline, - * but we still have to call the child to setup - * the ccache file if we are performing auth */ - be_mark_offline(state->be_ctx); - kr->is_offline = true; - if (kr->pd->cmd == SSS_PAM_CHAUTHTOK || - kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { - DEBUG(SSSDBG_TRACE_FUNC, - ("No KDC suitable for password change is available\n")); + if (state->search_kpasswd) { + if ((ret != EOK) && + (kr->pd->cmd == SSS_PAM_CHAUTHTOK || + kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { + /* all kpasswd servers have been tried and none was found good, + * but the kdc seems ok. Password changes are not possible but + * authentication is. We return an PAM error here, but do not + * mark the backend offline. 
*/ state->pam_status = PAM_AUTHTOK_LOCK_BUSY; state->dp_err = DP_ERR_OK; - tevent_req_done(req); - return; + ret = EOK; + goto done; } } else { - if (kr->krb5_ctx->kpasswd_service != NULL) { - subreq = krb5_next_kpasswd(req); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("krb5_next_kpasswd failed.\n")); - ret = EIO; - goto failed; - } - return; - } - } - - krb5_find_ccache_step(req); - return; - -failed: - tevent_req_error(req, ret); -} - -static void krb5_resolve_kpasswd_done(struct tevent_req *subreq) -{ - struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - int ret; - - ret = be_resolve_server_recv(subreq, &state->kr->kpasswd_srv); - talloc_zfree(subreq); - if (ret != EOK && - (state->kr->pd->cmd == SSS_PAM_CHAUTHTOK || - state->kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { - /* all kpasswd servers have been tried and none was found good, but the - * kdc seems ok. Password changes are not possible but - * authentication is. We return an PAM error here, but do not mark the - * backend offline. 
*/ - state->pam_status = PAM_AUTHTOK_LOCK_BUSY; - state->dp_err = DP_ERR_OK; - tevent_req_done(req); - return; - } - - krb5_find_ccache_step(req); -} - -static void krb5_find_ccache_step(struct tevent_req *req) -{ - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - int ret; - struct krb5child_req *kr = state->kr; - struct pam_data *pd = kr->pd; - char *msg; - bool private_path = false; - struct tevent_req *subreq = NULL; - - if (!kr->is_offline) { - kr->is_offline = be_is_offline(state->be_ctx); - } - - /* The ccache file should be (re)created if one of the following conditions - * is true: - * - it doesn't exist (kr->ccname == NULL) - * - the backend is online and the current ccache file is not used, i.e - * the related user is currently not logged in and it is not a renewal - * request - * (!kr->is_offline && !kr->active_ccache_present && - * pd->cmd != SSS_CMD_RENEW) - * - the backend is offline and the current cache file not used and - * it does not contain a valid tgt - * (kr->is_offline && - * !kr->active_ccache_present && !kr->valid_tgt_present) - */ - if (kr->ccname == NULL || - (kr->is_offline && !kr->active_ccache_present && - !kr->valid_tgt_present) || - (!kr->is_offline && !kr->active_ccache_present && - pd->cmd != SSS_CMD_RENEW)) { - DEBUG(9, ("Recreating ccache file.\n")); - kr->ccname = expand_ccname_template(kr, kr, - dp_opt_get_cstring(kr->krb5_ctx->opts, - KRB5_CCNAME_TMPL), - true, - state->be_ctx->domain->case_sensitive, - &private_path); - if (kr->ccname == NULL) { - DEBUG(1, ("expand_ccname_template failed.\n")); - ret = ENOMEM; + if (ret != EOK) { + /* all servers have been tried and none + * was found good, setting offline, + * but we still have to call the child to setup + * the ccache file if we are performing auth */ + be_mark_offline(state->be_ctx); + kr->is_offline = true; + + if (kr->pd->cmd == SSS_PAM_CHAUTHTOK || + kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(SSSDBG_TRACE_FUNC, + ("No KDC suitable 
for password change is available\n")); + state->pam_status = PAM_AUTHTOK_LOCK_BUSY; + state->dp_err = DP_ERR_OK; + ret = EOK; goto done; } - - if (!kr->cc_be) { - kr->cc_be = get_cc_be_ops_ccache(kr->ccname); - if (kr->cc_be == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Cannot get operations on new ccache %s\n", - kr->ccname)); - ret = EINVAL; + } else { + if (kr->krb5_ctx->kpasswd_service != NULL) { + state->search_kpasswd = true; + subreq = be_resolve_server_send(state, + state->ev, state->be_ctx, + state->krb5_ctx->kpasswd_service->name, + kr->kpasswd_srv == NULL ? true : false); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Resolver request failed.\n")); + ret = EIO; goto done; } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); + return; } - - ret = kr->cc_be->create(kr->ccname, - kr->krb5_ctx->illegal_path_re, - kr->uid, kr->gid, private_path); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n")); - goto done; - } - } else { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Saved ccache %s if of different type than ccache in " - "configuration file, reusing the old ccache\n", - kr->old_ccname)); - - kr->cc_be = get_cc_be_ops_ccache(kr->old_ccname); - if (kr->cc_be == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Cannot get operations on saved ccache %s\n", - kr->old_ccname)); - ret = EINVAL; - goto done; } + } + ret = krb5_auth_prepare_ccache_file(kr, state->be_ctx, + &state->pam_status, &state->dp_err); + if (ret) { + goto done; } if (kr->is_offline) { 
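Review bot: The context line `ret = be_resolve_server_recv(subreq, &kr->srv);` at the top of krb5_auth_resolve_done now runs for the kpasswd lookup as well, so when `state->search_kpasswd` is set the resolved kpasswd server overwrites kr->srv and kr->kpasswd_srv is never filled in; the removed krb5_resolve_kpasswd_done stored into `&state->kr->kpasswd_srv`. That contradicts the "no functionality changes" description: the KDC chosen for the request is replaced by the kpasswd server, and the `if (state->kr->kpasswd_srv)` test in the new timeout handler can never be true (how the child consumes the two fields is outside this diff). Select the destination from the flag: `ret = be_resolve_server_recv(subreq, state->search_kpasswd ? &kr->kpasswd_srv : &kr->srv);`. The function continues past the end of this hunk.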
@@ -663,12 +678,13 @@ static void krb5_find_ccache_step(struct tevent_req *req) DEBUG(9, ("Valid TGT available or " "ccache file is already in use.\n")); kr->ccname = kr->old_ccname; - msg = talloc_asprintf(pd, "%s=%s", CCACHE_ENV_NAME, kr->ccname); + msg = talloc_asprintf(kr->pd, + "%s=%s", CCACHE_ENV_NAME, kr->ccname); if (msg == NULL) { DEBUG(1, ("talloc_asprintf failed.\n")); } else { - ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(msg) + 1, - (uint8_t *) msg); + ret = pam_add_response(kr->pd, SSS_PAM_ENV_ITEM, + strlen(msg) + 1, (uint8_t *) msg); if (ret != EOK) { DEBUG(1, ("pam_add_response failed.\n")); } @@ -676,12 +692,15 @@ static void krb5_find_ccache_step(struct tevent_req *req) if (dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { - krb5_pam_handler_cache_auth_step(req); - return; + krb5_auth_cache_creds(state->kr->krb5_ctx, + state->be_ctx->sysdb, + state->be_ctx->cdb, + kr->pd, kr->uid, + &state->pam_status, &state->dp_err); + } else { + state->pam_status = PAM_AUTHINFO_UNAVAIL; + state->dp_err = DP_ERR_OFFLINE; } - - state->pam_status = PAM_AUTHINFO_UNAVAIL; - state->dp_err = DP_ERR_OFFLINE; ret = EOK; goto done; @@ -695,7 +714,7 @@ static void krb5_find_ccache_step(struct tevent_req *req) * case we can drop the privileges, too. */ if ((dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) || kr->krb5_ctx->use_fast) && - !kr->is_offline) { + (!kr->is_offline)) { kr->run_as_user = false; } else { kr->run_as_user = true; @@ -707,8 +726,7 @@ static void krb5_find_ccache_step(struct tevent_req *req) ret = ENOMEM; goto done; } - - tevent_req_set_callback(subreq, krb5_child_done, req); + tevent_req_set_callback(subreq, krb5_auth_done, req); return; done: 
@@ -719,14 +737,10 @@ done: } } -static struct tevent_req *krb5_next_server(struct tevent_req *req); -static struct tevent_req *krb5_next_kpasswd(struct tevent_req *req); - -static void krb5_child_done(struct tevent_req *subreq) +static void krb5_auth_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - struct krb5child_req *kr = state->kr; struct pam_data *pd = state->pd; int ret; 
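Review bot: This hunk removes `struct krb5child_req *kr = state->kr;` from krb5_auth_done, yet the later hunks of the same function still use `kr` (`search_srv = kr->srv;` in the timeout switch, `kr->kpasswd_srv` and `kr->srv` in the port-status calls, `kr->is_offline` and `kr->krb5_ctx->opts` at the end), so the file should not compile unless a declaration survives in the single line between this hunk and the next, which the diff does not show. Keep the local, `struct krb5child_req *kr = state->kr;`, or replace every use with `state->kr`. The body of krb5_auth_done extends well past this hunk.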
@@ -734,18 +748,54 @@ static void krb5_child_done(struct tevent_req *subreq) ssize_t len = -1; struct krb5_child_response *res; const char *store_ccname; + struct fo_server *search_srv; + char *password = NULL; ret = handle_child_recv(subreq, pd, &buf, &len); talloc_zfree(subreq); - if (ret != EOK) { + if (ret != EOK && ret != ETIMEDOUT) { DEBUG(1, ("child failed (%d [%s])\n", ret, strerror(ret))); - if (ret == ETIMEDOUT) { - if (krb5_next_server(req) == NULL) { - tevent_req_error(req, ENOMEM); + tevent_req_error(req, ret); + return; + } + if (ret == ETIMEDOUT) { + + DEBUG(1, ("child timed out!\n")); + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + case SSS_CMD_RENEW: + state->search_kpasswd = false; + search_srv = kr->srv; + break; + case SSS_PAM_CHAUTHTOK: + case SSS_PAM_CHAUTHTOK_PRELIM: + if (state->kr->kpasswd_srv) { + state->search_kpasswd = true; + search_srv = kr->kpasswd_srv; + break; + } else { + state->search_kpasswd = false; + search_srv = kr->srv; + break; } - } else { - tevent_req_error(req, ret); + default: + DEBUG(1, ("Unexpected PAM task\n")); + tevent_req_error(req, EINVAL); + return; } + + be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, + search_srv, PORT_NOT_WORKING); + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->kpasswd_service->name, + search_srv == NULL ? true : false); + if (subreq == NULL) { + DEBUG(1, ("Failed resolved request.\n")); + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); return; } 
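Review bot: The resolver restart on the ETIMEDOUT path always passes `state->krb5_ctx->kpasswd_service->name`, even when the switch above chose `search_kpasswd = false` (SSS_PAM_AUTHENTICATE, SSS_CMD_RENEW, or a password change with no kpasswd server yet). The replaced krb5_next_kdc resolved `service->name` in that case, and kpasswd_service can be NULL (krb5_auth_resolve_done guards it with `kr->krb5_ctx->kpasswd_service != NULL`), so a KDC timeout during plain authentication on a setup without a kpasswd service dereferences a null pointer. Pick the name from the flag: `state->search_kpasswd ? state->krb5_ctx->kpasswd_service->name : state->krb5_ctx->service->name`. The port-status call above it reports `service->name` for a kpasswd server too, but that mirrors the removed krb5_next_server and is not new here.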
@@ -825,9 +875,16 @@ static void krb5_child_done(struct tevent_req *subreq) state->krb5_ctx->service->name, kr->kpasswd_srv, PORT_NOT_WORKING); /* ..try to resolve next kpasswd server */ - if (krb5_next_kpasswd(req) == NULL) { + state->search_kpasswd = true; + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->kpasswd_service->name, + state->kr->kpasswd_srv == NULL ? true : false); + if (subreq == NULL) { + DEBUG(1, ("Resolver request failed.\n")); tevent_req_error(req, ENOMEM); + return; } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); return; } else { be_fo_set_port_status(state->be_ctx, @@ -845,9 +902,16 @@ static void krb5_child_done(struct tevent_req *subreq) be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, kr->srv, PORT_NOT_WORKING); /* ..try to resolve next KDC */ - if (krb5_next_kdc(req) == NULL) { + state->search_kpasswd = false; + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->service->name, + kr->srv == NULL ? true : false); + if (subreq == NULL) { + DEBUG(1, ("Resolver request failed.\n")); tevent_req_error(req, ENOMEM); + return; } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); return; } } else if (kr->srv != NULL) { 
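Review bot: Both hunks on this line (the kpasswd retry and the KDC retry) repeat the same five-line sequence — set search_kpasswd, be_resolve_server_send with `x == NULL ? true : false`, a NULL check with a DEBUG, tevent_req_set_callback(krb5_auth_resolve_done) — which also appears in krb5_auth_send, krb5_auth_resolve_done and the timeout path of krb5_auth_done. For a commit whose stated purpose is helper functions, one static helper that picks service and server from the flag and installs the callback would remove the five copies and the one place where they already disagree on the service name. The two DEBUG strings also differ only in word order (`Resolver request failed.` versus `Failed resolver request.`), which the helper would unify.
```c
/* Start resolving the next KDC (kpasswd == false) or kpasswd server and
 * continue in krb5_auth_resolve_done. Returns ENOMEM if the resolver
 * request could not be created; the caller must fail the request. */
static errno_t krb5_auth_resolve_next(struct tevent_req *req, bool kpasswd)
{
    struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state);
    struct krb5_ctx *krb5_ctx = state->krb5_ctx;
    struct fo_server *srv = kpasswd ? state->kr->kpasswd_srv : state->kr->srv;
    struct tevent_req *subreq;

    state->search_kpasswd = kpasswd;
    subreq = be_resolve_server_send(state, state->ev, state->be_ctx,
                                    kpasswd ? krb5_ctx->kpasswd_service->name
                                            : krb5_ctx->service->name,
                                    srv == NULL);
    if (subreq == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("Resolver request failed.\n"));
        return ENOMEM;
    }
    tevent_req_set_callback(subreq, krb5_auth_resolve_done, req);
    return EOK;
}

/* … unchanged: krb5_auth_done up to the kpasswd retry … */
            /* ..try to resolve next kpasswd server */
            if (krb5_auth_resolve_next(req, true) != EOK) {
                tevent_req_error(req, ENOMEM);
            }
            return;
/* … unchanged: remaining branches, KDC retry uses krb5_auth_resolve_next(req, false) the same way … */
```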
@@ -903,104 +967,19 @@ static void krb5_child_done(struct tevent_req *subreq) } } - krb5_save_ccname_done(req); - - return; - -done: - if (ret == EOK) { - tevent_req_done(req); - } else { - tevent_req_error(req, ret); - } -} - -static struct tevent_req *krb5_next_server(struct tevent_req *req) -{ - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - struct pam_data *pd = state->pd; - struct tevent_req *next_req = NULL; - - switch (pd->cmd) { - case SSS_PAM_AUTHENTICATE: - case SSS_CMD_RENEW: - be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, - state->kr->srv, PORT_NOT_WORKING); - next_req = krb5_next_kdc(req); - break; - case SSS_PAM_CHAUTHTOK: - case SSS_PAM_CHAUTHTOK_PRELIM: - if (state->kr->kpasswd_srv) { - be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, - state->kr->kpasswd_srv, PORT_NOT_WORKING); - next_req = krb5_next_kpasswd(req); - break; - } else { - be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, - state->kr->srv, PORT_NOT_WORKING); - next_req = krb5_next_kdc(req); - break; - } - default: - DEBUG(1, ("Unexpected PAM task\n")); - } - - return next_req; -} - -static struct tevent_req *krb5_next_kdc(struct tevent_req *req) -{ - struct tevent_req *next_req; - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - - next_req = be_resolve_server_send(state, state->ev, - state->be_ctx, - state->krb5_ctx->service->name, - state->kr->srv == NULL ? 
true : false); - if (next_req == NULL) { - DEBUG(1, ("be_resolve_server_send failed.\n")); - return NULL; - } - tevent_req_set_callback(next_req, krb5_resolve_kdc_done, req); - - return next_req; -} - -static struct tevent_req *krb5_next_kpasswd(struct tevent_req *req) -{ - struct tevent_req *next_req; - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - - next_req = be_resolve_server_send(state, state->ev, - state->be_ctx, - state->krb5_ctx->kpasswd_service->name, - state->kr->kpasswd_srv == NULL ? true : false); - if (next_req == NULL) { - DEBUG(1, ("be_resolve_server_send failed.\n")); - return NULL; - } - tevent_req_set_callback(next_req, krb5_resolve_kpasswd_done, req); - - return next_req; -} - -static void krb5_save_ccname_done(struct tevent_req *req) -{ - struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - struct krb5child_req *kr = state->kr; - struct pam_data *pd = state->pd; - int ret; - char *password = NULL; - if (kr->is_offline) { - if (dp_opt_get_bool(kr->krb5_ctx->opts,KRB5_STORE_PASSWORD_IF_OFFLINE)) { - krb5_pam_handler_cache_auth_step(req); - return; + if (dp_opt_get_bool(kr->krb5_ctx->opts, + KRB5_STORE_PASSWORD_IF_OFFLINE)) { + krb5_auth_cache_creds(state->kr->krb5_ctx, + state->be_ctx->sysdb, + state->be_ctx->cdb, + state->pd, state->kr->uid, + &state->pam_status, &state->dp_err); + } else { + DEBUG(4, ("Backend is marked offline, retry later!\n")); + state->pam_status = PAM_AUTHINFO_UNAVAIL; + state->dp_err = DP_ERR_OFFLINE; } - - DEBUG(4, ("Backend is marked offline, retry later!\n")); - state->pam_status = PAM_AUTHINFO_UNAVAIL; - state->dp_err = DP_ERR_OFFLINE; ret = EOK; goto done; } 
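Review bot: The merged offline branch reads `kr->is_offline` and `kr->krb5_ctx->opts` and then, two lines later, passes `state->kr->krb5_ctx`, `state->pd` and `state->kr->uid` to krb5_auth_cache_creds, although `kr` and `pd` are the locals the rest of krb5_auth_done uses; spelling them `kr->krb5_ctx, pd, kr->uid` keeps the reader from wondering whether two different objects are meant. The same mixed spelling appears at the krb5_auth_cache_creds call in krb5_auth_resolve_done. This is the tail of krb5_auth_done, whose body starts several hunks earlier.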
@@ -1069,32 +1048,15 @@ done: } -static void krb5_pam_handler_cache_auth_step(struct tevent_req *req) +int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err) { struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); - struct pam_data *pd = state->pd; - struct krb5_ctx *krb5_ctx = state->kr->krb5_ctx; - int ret; + *pam_status = state->pam_status; + *dp_err = state->dp_err; - ret = sysdb_cache_auth(state->be_ctx->sysdb, pd->user, pd->authtok, - pd->authtok_size, state->be_ctx->cdb, true, NULL, - NULL); - if (ret != EOK) { - DEBUG(1, ("Offline authentication failed\n")); - state->pam_status = PAM_SYSTEM_ERR; - state->dp_err = DP_ERR_OK; - } else { - ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, - state->kr->uid); - if (ret != EOK) { - /* This error is not fatal */ - DEBUG(1, ("add_user_to_delayed_online_authentication failed.\n")); - } - state->pam_status = PAM_AUTHINFO_UNAVAIL; - state->dp_err = DP_ERR_OFFLINE; - } + TEVENT_REQ_RETURN_ON_ERROR(req); - tevent_req_done(req); + return EOK; } static void krb_reply(struct be_req *req, int dp_err, int result) @@ -1102,8 +1064,8 @@ static void krb_reply(struct be_req *req, int dp_err, int result) req->fn(req, dp_err, result, NULL); } -void krb5_auth_done(struct tevent_req *req); -static void krb5_access_done(struct tevent_req *req); +void krb5_pam_handler_auth_done(struct tevent_req *req); +static void krb5_pam_handler_access_done(struct tevent_req *req); void krb5_pam_handler(struct be_req *be_req) { @@ -1147,7 +1109,7 @@ void krb5_pam_handler(struct be_req *be_req) goto done; } - tevent_req_set_callback(req, krb5_auth_done, be_req); + tevent_req_set_callback(req, krb5_pam_handler_auth_done, be_req); break; case SSS_PAM_ACCT_MGMT: req = krb5_access_send(be_req, be_req->be_ctx->ev, be_req->be_ctx, 
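Review bot: krb5_auth_recv is now the public recv function placed at the end of the request but carries no comment; since `*pam_status` and `*dp_err` are assigned before `TEVENT_REQ_RETURN_ON_ERROR(req)`, callers receive both values even when the request ended in error, which is worth stating because it is not the usual tevent_req recv shape. I would add above it `/* Collect the result of krb5_auth_send(). *pam_status and *dp_err are always written, even when the request failed; returns EOK or the error the request was finished with. */`.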
@@ -1157,7 +1119,7 @@ void krb5_pam_handler(struct be_req *be_req) goto done; } - tevent_req_set_callback(req, krb5_access_done, be_req); + tevent_req_set_callback(req, krb5_pam_handler_access_done, be_req); break; case SSS_PAM_SETCRED: case SSS_PAM_OPEN_SESSION: @@ -1179,7 +1141,7 @@ done: krb_reply(be_req, dp_err, pd->pam_status); } -void krb5_auth_done(struct tevent_req *req) +void krb5_pam_handler_auth_done(struct tevent_req *req) { int ret; struct be_req *be_req = tevent_req_callback_data(req, struct be_req); @@ -1209,7 +1171,7 @@ void krb5_auth_done(struct tevent_req *req) krb_reply(be_req, dp_err, pd->pam_status); } -static void krb5_access_done(struct tevent_req *req) +static void krb5_pam_handler_access_done(struct tevent_req *req) { int ret; struct be_req *be_req = tevent_req_callback_data(req, struct be_req); diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h index cc079ba9352092a2b2dbcfe46ab4538bd120b567..80a9bb5fcb8fe9c59b33023f8f1be6b4905a79f1 100644 --- a/src/providers/krb5/krb5_auth.h +++ b/src/providers/krb5/krb5_auth.h @@ -60,6 +60,7 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, struct krb5_ctx *krb5_ctx, struct krb5child_req **krb5_req); void krb5_pam_handler(struct be_req *be_req); +void krb5_pam_handler_auth_done(struct tevent_req *req); struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -67,7 +68,6 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, struct pam_data *pd, struct krb5_ctx *krb5_ctx); int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err); -void krb5_auth_done(struct tevent_req *req); struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/src/providers/krb5/krb5_wait_queue.c b/src/providers/krb5/krb5_wait_queue.c index 3863b1bdc1386739ca0651278c9d941d85e46909..da1e35b7db8956950e9b1164ae983d21994dde69 100644 --- a/src/providers/krb5/krb5_wait_queue.c 
+++ b/src/providers/krb5/krb5_wait_queue.c @@ -41,20 +41,18 @@ struct queue_entry { static void wait_queue_auth(struct tevent_context *ev, struct tevent_timer *te, struct timeval current_time, void *private_data) { - struct queue_entry *queue_entry = talloc_get_type(private_data, - struct queue_entry); + struct queue_entry *qe = talloc_get_type(private_data, struct queue_entry); struct tevent_req *req; - req = krb5_auth_send(queue_entry->be_req, queue_entry->be_req->be_ctx->ev, - queue_entry->be_req->be_ctx, queue_entry->pd, - queue_entry->krb5_ctx); + req = krb5_auth_send(qe->be_req, qe->be_req->be_ctx->ev, + qe->be_req->be_ctx, qe->pd, qe->krb5_ctx); if (req == NULL) { DEBUG(1, ("krb5_auth_send failed.\n")); } else { - tevent_req_set_callback(req, krb5_auth_done, queue_entry->be_req); + tevent_req_set_callback(req, krb5_pam_handler_auth_done, qe->be_req); } - talloc_zfree(queue_entry); + talloc_zfree(qe); } static void wait_queue_del_cb(hash_entry_t *entry, hash_destroy_enum type, -- 1.7.11.4 _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel