On 02/12/2016 02:19 PM, Pavel Reichl wrote:
On 02/09/2016 04:25 PM, Pavel Reichl wrote:
On 02/09/2016 08:09 AM, Jakub Hrozek wrote:
On Mon, Feb 08, 2016 at 01:56:07PM +0100, Pavel Reichl wrote:
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index
73a21bfa0049bc4d3cfacb49201707868c87e533..2dbc58a451686beda0faa9e9366bbc3b3b4c253e
100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1040,6 +1040,27 @@ pam_account_expired_message = Account expired, please
call help desk.
</listitem>
</varlistentry>
<varlistentry>
+ <term>pam_account_locked_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating and
Please ask someone for an English review (I know Dan started, but I
didn't see a fixed version yet). At the very least, this should read "a
user".
I attached Dan's patch. I took the liberty of adding a note regarding pam
verbosity. Hope it's fine by Dan.
+ account is locked then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_locked_message = Account locked, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>p11_child_timeout (integer)</term>
<listitem>
<para>
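Review bot: the entry does not say which services actually see the custom text, and it is inconsistent with the pam_account_expired_message entry directly above it, which (in its current form) is conditioned on "authenticating using SSH keys" while this one only says "If user is authenticating and account is locked". State the condition under which the message replaces 'Permission denied' explicitly, keep both entries worded the same way, and, as already noted, write "a user" and "the account".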
The rest of the patch looks good to me and seems to work as advertised.
Thanks.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
Patch set with amended commit message. Commit message was acked by AB.
Lukas asked me to add a comment documenting the '775' string in the
code. Please see the updated patch set. Thanks.
From 642eba8061f3e58f7885e030f4e30a3f59896142 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Fri, 5 Feb 2016 07:27:38 -0500
Subject: [PATCH 1/3] SDAP: Add return code ERR_ACCOUNT_LOCKED
Add code to distinguish the state when an account is locked in an Active
Directory server.
Tested against Windows Server 2012
This patch is best effort only, as the decision whether an account is actually
locked is based on parsing the error message returned by AD. The format and
content of this error message might be subject to change in future
releases and can also be modified by AD administrators.
If the account is locked, the bind operation is expected to return the following
error message:
-----------------------------------------------------------------------
Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 775, v23f0
-----------------------------------------------------------------------
Where the substring 'data 775' implies that the account is locked
(ERROR_ACCOUNT_LOCKED_OUT) [1]. However, the 80090308 (error code
0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of the error
string [2].
The error message is described in further detail in [3]:
-----------------------------------------------------------------------
When the server fails an LDAP operation with an error, and the server
has sufficient resources to compute a string value for the errorMessage
field of the LDAPResult, it includes a string in the errorMessage field
of the LDAPResult (see [RFC2251] section 4.1.10). The string contains
further information about the error.
The first eight characters of the errorMessage string are a 32-bit
integer, expressed in hexadecimal. Where protocol specifies the extended
error code "<unrestricted>" there is no restriction on the value of the
32-bit integer. It is recommended that implementations use a Windows
error code for the 32-bit integer in this case in order to improve
usability of the directory for clients. Where protocol specifies an
extended error code which is a Windows error code, the 32-bit integer is
the specified Windows error code. Any data after the eighth character
is strictly informational and used only for debugging. Conformant
implementations need not put any value beyond the eighth character of
the errorMessage field.
-----------------------------------------------------------------------
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx
[2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols
[3] MS-ADTS 3.1.1.3.1.9
https://msdn.microsoft.com/en-us/library/cc223253.aspx
Resolves:
https://fedorahosted.org/sssd/ticket/2839
---
src/providers/data_provider.h | 2 ++
src/providers/ldap/ldap_auth.c | 4 ++++
src/providers/ldap/sdap_async_connection.c | 6 ++++++
3 files changed, 12 insertions(+)
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 39051b90c3aad96f62dcbb86a20bcfd8c954879b..7332b677d19f70f4736e4d0b68d55cdd3c67a4af 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -182,6 +182,8 @@ struct pam_data {
bool offline_auth;
bool last_auth_saved;
int priv;
+ int account_locked;
+
#ifdef USE_KEYRING
key_serial_t key_serial;
#endif
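Review bot: `account_locked` is declared `int` here, is assigned `true` in ldap_auth.c and is marshalled through a `DBUS_TYPE_UINT32` pointer in dp_auth_util.c; pick one representation (`bool` in the struct with a `uint32_t` temporary at the D-Bus boundary, or `uint32_t` throughout) rather than relying on `sizeof(int) == 4` for the wire encoding. Also confirm that every place that allocates or copies a `struct pam_data` zero-initialises or copies this new field: a stale nonzero value would make the responder attach the lockout message to an unrelated authentication failure.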
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index c94ba15bb17aa1641eb36781cc59ce158d48ca66..8d6a37b2ceb3347cb8092858889d07e5615e5c77 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -1302,6 +1302,10 @@ static void sdap_pam_auth_done(struct tevent_req *req)
case ERR_PASSWORD_EXPIRED:
state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
break;
+ case ERR_ACCOUNT_LOCKED:
+ state->pd->account_locked = true;
+ state->pd->pam_status = PAM_PERM_DENIED;
+ break;
default:
state->pd->pam_status = PAM_SYSTEM_ERR;
dp_err = DP_ERR_FATAL;
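Review bot: the new case mirrors `ERR_PASSWORD_EXPIRED` in leaving `dp_err` untouched, so a lockout is reported with whatever `dp_err` value the function set earlier rather than `DP_ERR_FATAL`; confirm that earlier value is the non-fatal one, since a lockout that reaches the responder looking like a backend error could be retried against cached credentials, which would mask exactly the state this patch is trying to surface. A one-line comment on the case saying the flag is only set on the best-effort AD error-string match described in the commit message would help the next reader understand why `PAM_PERM_DENIED` is returned here rather than a dedicated status.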
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 2d9b1184f5d30b9df7f1d3e4b980a7e0107c6830..f9074afb0c1340c7c2a50d4df0021eee4ae0d076 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -754,6 +754,12 @@ static void simple_bind_done(struct sdap_op *op,
if (result == LDAP_SUCCESS) {
ret = EOK;
+ } else if (result == LDAP_INVALID_CREDENTIALS
+ && errmsg != NULL && strstr(errmsg, "data 775,") != NULL) {
+ /* Value 775 is described in
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx
+ * for more details please see commit message. */
+ ret = ERR_ACCOUNT_LOCKED;
} else {
ret = ERR_AUTH_FAILED;
}
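Review bot: `strstr(errmsg, "data 775,")` is an unanchored substring match, so it fires for any LDAP server whose `errorMessage` happens to contain those nine characters, while MS-ADTS (quoted in the commit message) only guarantees the first eight hex characters. Tighten it to the structure the commit message shows, e.g. `strstr(errmsg, "AcceptSecurityContext error, data 775,")`, and consider also requiring the `80090308` prefix so a non-AD server cannot steer the client into the lockout path. Separately, `ERR_ACCOUNT_LOCKED` is used here and in ldap_auth.c, but the diffstat only touches data_provider.h, ldap_auth.c and this file; if the code is not already defined in the error table with a message string, the series does not build, so either add the definition or say in the commit message that it already exists.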
--
2.4.3
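The commit message of PATCH 1/3 describes the errorMessage layout the `data 775` check relies on: a guaranteed 8-hex-digit Windows error code, then informational text. The following parser is an added example for this review, not SSSD code and not part of the patch set. It extracts the guaranteed prefix and the `data` sub-code with a stricter anchor than the bare `"data 775,"` substring, and treats a missing or garbled sub-code as "unknown" rather than as a lockout. Two things go beyond the page and are assumptions: the errorMessage field itself starts at `80090308` (the `Invalid credentials(49), ` shown in the commit is the client tool's rendering of the LDAP result code), and the sub-codes other than 775 in the name table (525, 52e, 530, 531, 532, 533, 701, 773) are the other AcceptSecurityContext values Active Directory is commonly documented to return. The sample strings are constructed, not captured.

```c
/* Added example, not SSSD code: parse an Active Directory bind errorMessage.
 * Per MS-ADTS 3.1.1.3.1.9 only the first 8 hex characters (a Windows error
 * code) are guaranteed; the "data NNN" after "AcceptSecurityContext error,"
 * is informational, which is why keying on it is best effort. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AD_DATA_ACCOUNT_LOCKED_OUT 0x775UL /* ERROR_ACCOUNT_LOCKED_OUT */

struct ad_bind_error {
    uint32_t win_error;      /* the guaranteed 8-hex-digit prefix */
    bool have_data;          /* a "data NNN" sub-code was found */
    unsigned long data_code; /* the sub-code, e.g. 0x775 */
};

/* Sub-codes AD is commonly documented to return; only 775 is on the page,
 * the other entries are assumptions made for this example. */
static const struct { unsigned long code; const char *name; } ad_sub_codes[] = {
    { 0x525, "no such user" },           { 0x52e, "invalid credentials" },
    { 0x530, "logon time restriction" }, { 0x531, "workstation restriction" },
    { 0x532, "password expired" },       { 0x533, "account disabled" },
    { 0x701, "account expired" },        { 0x773, "password must change" },
    { AD_DATA_ACCOUNT_LOCKED_OUT, "account locked" },
};

const char *ad_sub_code_name(unsigned long code)
{
    for (size_t i = 0; i < sizeof(ad_sub_codes) / sizeof(ad_sub_codes[0]); i++) {
        if (ad_sub_codes[i].code == code) return ad_sub_codes[i].name;
    }
    return "unknown";
}

/* The prefix must be exactly 8 hex digits at offset 0. */
static bool parse_hex_prefix(const char *msg, uint32_t *out)
{
    char buf[9], *end;

    if (msg == NULL || strlen(msg) < 8) return false;
    for (int i = 0; i < 8; i++) {
        if (!isxdigit((unsigned char)msg[i])) return false;
    }
    memcpy(buf, msg, 8);
    buf[8] = '\0';
    *out = (uint32_t)strtoul(buf, &end, 16);
    return *end == '\0';
}

/* Returns false when msg lacks the guaranteed prefix. A valid prefix with no
 * parseable sub-code yields have_data == false. */
bool ad_parse_bind_error(const char *msg, struct ad_bind_error *out)
{
    static const char marker[] = "AcceptSecurityContext error, data ";
    const char *p;
    char *end;

    memset(out, 0, sizeof(*out));
    if (!parse_hex_prefix(msg, &out->win_error)) return false;
    /* Anchor on the full marker rather than a bare "data 775," substring so an
     * unrelated message that happens to contain those characters is ignored. */
    p = strstr(msg, marker);
    if (p == NULL) return true;
    p += sizeof(marker) - 1;
    out->data_code = strtoul(p, &end, 16);
    if (end == p || (*end != ',' && *end != '\0' && !isspace((unsigned char)*end))) {
        return true; /* garbled sub-code: keep only the prefix */
    }
    out->have_data = true;
    return true;
}

/* The decision simple_bind_done() makes, with the stricter parse above. */
bool ad_account_is_locked(const char *msg)
{
    struct ad_bind_error e;
    return ad_parse_bind_error(msg, &e) && e.have_data
           && e.data_code == AD_DATA_ACCOUNT_LOCKED_OUT;
}

int main(void)
{
    /* Constructed samples in the shape of the message quoted in the commit. */
    static const char *const samples[] = {
        "80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0",
        "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v23f0",
        "Invalid credentials",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ad_bind_error e;
        bool ok = ad_parse_bind_error(samples[i], &e);
        printf("parsed=%d win=0x%08x data=0x%lx (%s) locked=%d\n", ok,
               (unsigned)e.win_error, e.data_code,
               e.have_data ? ad_sub_code_name(e.data_code) : "none",
               ad_account_is_locked(samples[i]));
    }
    return 0;
}
```

The point of the stricter anchor is the one the commit message itself makes: everything after the eighth character is informational and may be changed by Microsoft or by an AD administrator, so a client should treat the sub-code as a hint, match it in context, and fall back to a plain authentication failure when it is absent or malformed.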
From ceefc66c3a5632775c44ede3490843f1af14f26d Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Fri, 5 Feb 2016 07:31:45 -0500
Subject: [PATCH 2/3] PAM: Pass account lockout status and display message
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 21 +++++++++++++++++++++
src/providers/dp_auth_util.c | 20 ++++++++++++++++++++
src/responder/pam/pamsrv_cmd.c | 31 +++++++++++++++++++++++--------
6 files changed, 67 insertions(+), 8 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index fcffcb5a6ff8b3f766ed9a693db874c7c6e3d9b9..e6789c8665cf677712d8e7fb72b6f0a41bca80b1 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -118,6 +118,7 @@
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
+#define CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE "pam_account_locked_message"
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1fdb907c5d010323c22b18b4c371c61e5928c40f..495cb650ee86e50031962a4fcf0c21aa79dc0142 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -91,6 +91,7 @@ option_strings = {
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message' : _('Message printed when user account is expired.'),
+ 'pam_account_locked_message' : _('Message printed when user account is locked.'),
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
# [sudo]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 89cf8634ffb8115d9e65cf66dc9b1ed630415c15..baa15539cbb5a925b19bac0452cde43ca9f71033 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -61,6 +61,7 @@ get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
pam_account_expired_message = str, None, false
+pam_account_locked_message = str, None, false
p11_child_timeout = int, None, false
[sudo]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 73a21bfa0049bc4d3cfacb49201707868c87e533..2dbc58a451686beda0faa9e9366bbc3b3b4c253e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1040,6 +1040,27 @@ pam_account_expired_message = Account expired, please call help desk.
</listitem>
</varlistentry>
<varlistentry>
+ <term>pam_account_locked_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating and
+ account is locked then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_locked_message = Account locked, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>p11_child_timeout (integer)</term>
<listitem>
<para>
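Review bot: this hunk introduces the "If user is authenticating and account is locked then by default 'Permission denied' is output" wording that was rejected in review and is rewritten in PATCH 3/3; squash the man page fix into this commit so the series never adds text it immediately replaces, and so a bisect landing on this commit shows documentation that matches its behaviour.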
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index f8a30c5d4e6da7ce6ac28723032241e2458ea473..647ab4889759dabe1a09cb522f9b7b4ffb8fae96 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -160,6 +160,15 @@ bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd)
return false;
}
+
+ /* Append the lockout of account */
+ dbret = dbus_message_iter_append_basic(&iter,
+ DBUS_TYPE_UINT32,
+ &pd->account_locked);
+ if (!dbret) {
+ return false;
+ }
+
/* Create an array of response structures */
dbret = dbus_message_iter_open_container(&iter,
DBUS_TYPE_ARRAY, "(uay)",
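Review bot: `dbus_message_iter_append_basic(&iter, DBUS_TYPE_UINT32, &pd->account_locked)` reads four bytes through a pointer to an `int` struct field; use a `uint32_t` local (`uint32_t locked = pd->account_locked ? 1 : 0;`) and pass its address so the wire value is well defined regardless of the field's type. Inserting a new element before the `(uay)` response array also changes the message layout, so the unpack side must move in lockstep (it does, in `dp_unpack_pam_response` below); a short comment here naming the expected order (fixed fields, then `account_locked`, then the `(uay)` array) would make that coupling explicit.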
@@ -246,6 +255,17 @@ bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, DBusError *db
return false;
}
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n");
+ return false;
+ }
+ dbus_message_iter_get_basic(&iter, &(pd->account_locked));
+
+ if (!dbus_message_iter_next(&iter)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam response has too few arguments.\n");
+ return false;
+ }
+
/* After this point will be an array of pam data */
if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY) {
DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n");
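Review bot: the two consecutive checks both log the identical "pam response format error." string, so a mismatch at the new `account_locked` element cannot be told apart in the logs from one at the array; say which element was expected (e.g. "expected UINT32 account_locked"). The `dbus_message_iter_get_basic(&iter, &(pd->account_locked))` target has the same `int` versus `uint32_t` concern as the pack side and should read into a `uint32_t` local that is then assigned to the field.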
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bfc534f577cf80d5acfab81db30550ab5b5bdd2b..d86807e79f98b04d9ab14505ad8b2e92677bd292 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -53,10 +53,10 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
static void pam_reply(struct pam_auth_req *preq);
-static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
- const char *user_error_message,
- size_t *resp_len,
- uint8_t **_resp)
+static errno_t pack_user_info_msg(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *resp_len,
+ uint8_t **_resp)
{
uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;
size_t err_len;
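Review bot: the function is renamed to the generic `pack_user_info_msg` but still hard-codes `uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;`, so the lockout text added in this patch is delivered to pam_sss tagged as an account-expired message; any client-side handling that branches on the type, now or later, will misclassify a lockout. Add a `uint32_t resp_type` parameter (or a dedicated `SSS_PAM_USER_INFO_ACCOUNT_LOCKED` type) and pass the right value from each call site.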
@@ -83,14 +83,13 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
return EOK;
}
-static void inform_account_expired(struct pam_data* pd,
- const char *pam_message)
+static void inform_user(struct pam_data* pd, const char *pam_message)
{
size_t msg_len;
uint8_t *msg;
errno_t ret;
- ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
+ ret = pack_user_info_msg(pd, pam_message, &msg_len, &msg);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"pack_user_info_account_expired failed.\n");
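Review bot: the DEBUG message still reads "pack_user_info_account_expired failed." after the callee was renamed to `pack_user_info_msg`; update it so the log names a function that exists.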
@@ -601,6 +600,7 @@ static void pam_reply(struct pam_auth_req *preq)
time_t exp_date = -1;
time_t delay_until = -1;
char* pam_account_expired_message;
+ char* pam_account_locked_message;
int pam_verbosity;
pd = preq->pd;
@@ -762,7 +762,22 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- inform_account_expired(pd, pam_account_expired_message);
+ inform_user(pd, pam_account_expired_message);
+ }
+
+ if (pd->account_locked) {
+
+ ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE, "",
+ &pam_account_locked_message);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to get expiration message: %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ inform_user(pd, pam_account_locked_message);
}
ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
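Review bot: the error text "Failed to get expiration message" in the new lockout branch was copied from the expiry branch and should say "lockout message" so the log points at the right option. With the `""` default, `inform_user` is still called when the administrator has not set `pam_account_locked_message`; unless the callee already discards empty strings, guard the call with a non-empty check so no empty user-info response is sent to the client. Finally, the `goto done` on a confdb lookup failure mirrors the expiry branch and turns a successfully detected lockout into a reply error; for a purely cosmetic message, logging and continuing without it is the safer failure mode for both branches.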
--
2.4.3
From 1efcdc932ebd3220f6974a854f67fc19d06ffa9b Mon Sep 17 00:00:00 2001
From: Dan Lavu <dl...@redhat.com>
Date: Fri, 5 Feb 2016 09:28:41 -0500
Subject: [PATCH 3/3] PAM: Fix man for pam_account_{expired,locked}_message
---
src/man/sssd.conf.5.xml | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 2dbc58a451686beda0faa9e9366bbc3b3b4c253e..e03580bf7814c8e3a297dcfbcb5b50092cc3a8c7 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1022,16 +1022,39 @@ fallback_homedir = /home/%u
<term>pam_account_expired_message (string)</term>
<listitem>
<para>
- If user is authenticating using SSH keys and
- account is expired then by default
- 'Permission denied' is output. This output will
- be changed to content of this variable if it is
- set.
+ Allows a custom expiration message to be set,
+ replacing the default 'Permission denied'
+ message.
+ </para>
+ <para>
+ Note: Please be aware that message is only
+ printed for the SSH service unless pam_verbostiy
+ is set to 3 (show all messages and debug
+ information).
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_expired_message = Account expired, please contact help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>pam_account_locked_message (string)</term>
+ <listitem>
+ <para>
+ Allows a custom lockout message to be set,
+ replacing the default 'Permission denied'
+ message.
</para>
<para>
example:
<programlisting>
-pam_account_expired_message = Account expired, please call help desk.
+pam_account_locked_message = Account locked, please contact help desk.
</programlisting>
</para>
<para>
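Review bot: "pam_verbostiy" in the added Note is a typo for `pam_verbosity`, and the sentence would read more clearly as "the message is only printed for the SSH service unless pam_verbosity is set to 3". The same Note is missing from the new `pam_account_locked_message` entry even though both messages go through the same `inform_user()` path in PATCH 2/3, so either repeat it there or state once that both options follow the same rule. "Allows a custom expiration message to be set" also drops the condition under which the message applies; keep a clause such as "shown when an expired account attempts to authenticate", and likewise "when a locked account attempts to authenticate" for the lockout entry.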
--
2.4.3