URL: https://github.com/SSSD/sssd/pull/435
Author: sumit-bose
Title: #435: krb5: call krb5_auth_cache_creds() if a pssword is available
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/435/head:pr435
git checkout pr435
From 0757b0000603dbe920a2da0f562bcc23a211beee Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Wed, 1 Nov 2017 18:21:40 +0100 Subject: [PATCH] krb5: call krb5_auth_cache_creds() if a pssword is available The delayed online authentication feature is only available for password authentication and krb5_auth_cache_creds() should only be called if a password is available. Otherwise the error coded returned by krb5_auth_cache_creds() will prevent proper offline authentication with other methods e.g. Smartcard authentication. Resolves https://pagure.io/SSSD/sssd/issue/3564 --- src/providers/krb5/krb5_auth.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 03ea9d88c..d40d2afed 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -253,17 +253,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, const char *password = NULL; errno_t ret; - if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Delayed authentication is only available for password " - "authentication (single factor).\n"); - return; - } - ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to get password [%d] %s\n", ret, strerror(ret)); + "Failed to get password [%d] %s. Delayed authentication is only " + "available for password authentication (single factor).\n", + ret, strerror(ret)); *pam_status = PAM_SYSTEM_ERR; *dp_err = DP_ERR_OK; return; @@ -1138,7 +1133,9 @@ static void krb5_auth_done(struct tevent_req *subreq) if (kr->is_offline) { if (dp_opt_get_bool(kr->krb5_ctx->opts, - KRB5_STORE_PASSWORD_IF_OFFLINE)) { + KRB5_STORE_PASSWORD_IF_OFFLINE) + && sss_authtok_get_type(pd->authtok) + == SSS_AUTHTOK_TYPE_PASSWORD) { krb5_auth_cache_creds(state->kr->krb5_ctx, state->domain, state->be_ctx->cdb,
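Review bot: in krb5_auth_cache_creds() (hunk at -253,17), the "Delayed authentication is only available for password authentication" text is now appended to every sss_authtok_get_password() failure, logged at SSSDBG_FATAL_FAILURE and paired with PAM_SYSTEM_ERR, so the function depends entirely on its caller to filter out non-password tokens. Add a comment above the function stating that callers must first check that sss_authtok_get_type(pd->authtok) is SSS_AUTHTOK_TYPE_PASSWORD, or keep the early type check here as a defensive guard, so that a later caller cannot turn a Smartcard login into a system error.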
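Review bot: in krb5_auth_done() (hunk at -1138,7), when KRB5_STORE_PASSWORD_IF_OFFLINE is set but the token is not a password, the call to krb5_auth_cache_creds() is skipped without any log line, whereas the check removed from the callee used to emit a SSSDBG_MINOR_FAILURE message. Consider a low-level DEBUG on the skipped path so the logs show why delayed online authentication was not queued. On style, the comparison split as "&& sss_authtok_get_type(pd->authtok)" followed by "== SSS_AUTHTOK_TYPE_PASSWORD" on the next line is hard to read; keeping the whole "==" expression on one line would help.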
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org