diff options
author | Simo Sorce <ssorce@redhat.com> | 2009-05-11 09:08:31 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2009-05-18 15:27:48 -0400 |
commit | 66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25 (patch) | |
tree | 35caa2b93baa413e516c1834626a14e36c811017 | |
parent | 3594dff371450e4530bf26f3bc4b2ea195270bcd (diff) | |
download | sssd-66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25.tar.gz sssd-66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25.tar.bz2 sssd-66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25.zip |
Move actual password caching into sysdb
Convert auth modules to do the caching themselves
-rw-r--r-- | server/Makefile.in | 2 | ||||
-rw-r--r-- | server/db/sysdb.h | 1 | ||||
-rw-r--r-- | server/db/sysdb_ops.c | 50 | ||||
-rw-r--r-- | server/infopipe/infopipe_users.c | 2 | ||||
-rw-r--r-- | server/providers/ldap/ldap_auth.c | 123 | ||||
-rw-r--r-- | server/providers/proxy.c | 124 | ||||
-rw-r--r-- | server/responder/pam/pam_LOCAL_domain.c | 2 | ||||
-rw-r--r-- | server/responder/pam/pamsrv.h | 1 | ||||
-rw-r--r-- | server/responder/pam/pamsrv_cache.c | 112 | ||||
-rw-r--r-- | server/responder/pam/pamsrv_cmd.c | 13 | ||||
-rw-r--r-- | server/server.mk | 11 | ||||
-rw-r--r-- | server/tools/sss_usermod.c | 1 |
12 files changed, 286 insertions, 156 deletions
diff --git a/server/Makefile.in b/server/Makefile.in index 07208df2..fb455362 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -84,7 +84,7 @@ SHLD_FLAGS = @SHLD_FLAGS@ SONAMEFLAG = @SONAMEFLAG@ LDFLAGS += @LDFLAGS@ -L$(srcdir)/lib -LIBS = @LIBS@ $(TALLOC_LIBS) $(TDB_LIBS) $(TEVENT_LIBS) $(POPT_LIBS) $(LDB_LIBS) $(DBUS_LIBS) $(PCRE_LIBS) +LIBS = @LIBS@ $(TALLOC_LIBS) $(TDB_LIBS) $(TEVENT_LIBS) $(POPT_LIBS) $(LDB_LIBS) $(DBUS_LIBS) $(PCRE_LIBS) $(NSS_LIBS) PICFLAG = @PICFLAG@ CFLAGS := -I$(srcdir)/include -Iinclude -I$(srcdir) -I$(srcdir)/.. \ diff --git a/server/db/sysdb.h b/server/db/sysdb.h index 336c9600..916f8e21 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -269,7 +269,6 @@ int sysdb_delete_group_by_gid(struct sysdb_req *sysreq, sysdb_callback_t fn, void *pvt); int sysdb_set_user_attr(struct sysdb_req *sysreq, - struct sysdb_ctx *ctx, struct sss_domain_info *domain, const char *name, struct sysdb_attrs *attributes, diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 041e10b7..769d5f61 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -21,6 +21,7 @@ #include "util/util.h" #include "db/sysdb_private.h" +#include "util/nss_sha512crypt.h" #include <time.h> struct sysdb_cb_ctx { @@ -456,12 +457,12 @@ int sysdb_delete_group_by_gid(struct sysdb_req *sysreq, } int sysdb_set_user_attr(struct sysdb_req *sysreq, - struct sysdb_ctx *ctx, struct sss_domain_info *domain, const char *name, struct sysdb_attrs *attrs, sysdb_callback_t fn, void *pvt) { + struct sysdb_ctx *ctx; struct sysdb_cb_ctx *cbctx; struct ldb_message *msg; struct ldb_request *req; @@ -474,6 +475,8 @@ int sysdb_set_user_attr(struct sysdb_req *sysreq, if (attrs->num == 0) return EINVAL; + ctx = sysdb_req_get_ctx(sysreq); + cbctx = talloc_zero(sysreq, struct sysdb_cb_ctx); if (!cbctx) return ENOMEM; @@ -1832,3 +1835,48 @@ int sysdb_legacy_remove_group_member(struct sysdb_req *sysreq, return EOK; } +int sysdb_set_cached_password(struct sysdb_req *sysreq, + struct sss_domain_info *domain, + const char *user, + const char *password, + sysdb_callback_t fn, void *pvt) +{ + struct sysdb_ctx *ctx; + struct sysdb_attrs *attrs; + char *hash = NULL; + char *salt; + int ret; + + ctx = sysdb_req_get_ctx(sysreq); + if (!ctx) return EFAULT; + + ret = s3crypt_gen_salt(sysreq, &salt); + if (ret) { + DEBUG(4, ("Failed to generate random salt.\n")); + return ret; + } + + ret = s3crypt_sha512(sysreq, password, salt, &hash); + if (ret) { + DEBUG(4, ("Failed to create password hash.\n")); + return ret; + } + + attrs = sysdb_new_attrs(sysreq); + if (!attrs) { + return ENOMEM; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash); + if (ret) return ret; + + /* FIXME: should we use a different attribute for chache passwords ?? */ + ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange", + (long)time(NULL)); + if (ret) return ret; + + ret = sysdb_set_user_attr(sysreq, domain, user, attrs, fn, pvt); + if (ret) return ret; + + return EOK; +} diff --git a/server/infopipe/infopipe_users.c b/server/infopipe/infopipe_users.c index 326e3222..ee513712 100644 --- a/server/infopipe/infopipe_users.c +++ b/server/infopipe/infopipe_users.c @@ -1349,7 +1349,6 @@ static void infp_do_user_set_attr(struct sysdb_req *req, void *pvt) DEBUG(9, ("Setting attributes for user [%s]\n", infp_setattr_req->usernames[infp_setattr_req->index])); ret = sysdb_set_user_attr(infp_setattr_req->sysdb_req, - infp_setattr_req->infp_req->infp->sysdb, infp_setattr_req->infp_req->domain, infp_setattr_req->usernames[infp_setattr_req->index], infp_setattr_req->changes[infp_setattr_req->index], @@ -1714,7 +1713,6 @@ static void infp_do_user_set_uid(struct sysdb_req *req, void *pvt) DEBUG(9, ("Setting UID for user [%s]\n", infp_setuid_req->username)); ret = sysdb_set_user_attr(infp_setuid_req->sysdb_req, - infp_setuid_req->infp_req->infp->sysdb, infp_setuid_req->infp_req->domain, infp_setuid_req->username, infp_setuid_req->uid_attr, diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index 6a4dc895..0c2541f1 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -283,6 +283,8 @@ static int sdap_bind(struct sdap_req *lr) return LDAP_SUCCESS; } +static void sdap_cache_password(struct sdap_req *lr); + static void sdap_pam_loop(struct tevent_context *ev, struct tevent_fd *te, uint16_t fd, void *pvt) { @@ -290,7 +292,6 @@ static void sdap_pam_loop(struct tevent_context *ev, struct tevent_fd *te, int pam_status=PAM_SUCCESS; int ldap_ret; struct sdap_req *lr; - struct pam_data *pd; struct be_req *req; LDAPMessage *result=NULL; LDAPMessage *msg=NULL; @@ -573,11 +574,17 @@ done: talloc_free(filter); if (lr->ldap != NULL) ldap_unbind_ext(lr->ldap, NULL, NULL); req = lr->req; - pd = talloc_get_type(lr->req->req_data, struct pam_data); - pd->pam_status = pam_status; + lr->pd->pam_status = pam_status; + + if (((lr->pd->cmd == SSS_PAM_AUTHENTICATE) || + (lr->pd->cmd == SSS_PAM_CHAUTHTOK)) && + (lr->pd->pam_status == PAM_SUCCESS) && + lr->req->be_ctx->domain->cache_credentials) { + sdap_cache_password(lr); + return; + } talloc_free(lr); - req->fn(req, pam_status, NULL); } @@ -617,8 +624,7 @@ static void sdap_start(struct tevent_context *ev, struct tevent_timer *te, done: if (lr->ldap != NULL ) ldap_unbind_ext(lr->ldap, NULL, NULL); req = lr->req; - pd = talloc_get_type(lr->req->req_data, struct pam_data); - pd->pam_status = pam_status; + lr->pd->pam_status = pam_status; talloc_free(lr); @@ -666,6 +672,111 @@ done: req->fn(req, pam_status, NULL); } +struct sdap_pw_cache { + struct sysdb_req *sysreq; + struct sdap_req *lr; +}; + +static int password_destructor(void *memctx) +{ + char *password = (char *)memctx; + int i; + + /* zero out password */ + for (i = 0; password[i]; i++) password[i] = '\0'; + + return 0; +} + +static void sdap_reply(struct be_req *req, int ret, char *errstr) +{ + req->fn(req, ret, errstr); +} + +static void sdap_cache_pw_callback(void *pvt, int error, + struct ldb_result *ignore) +{ + struct sdap_pw_cache *data = talloc_get_type(pvt, struct sdap_pw_cache); + if (error != EOK) { + DEBUG(2, ("Failed to cache password (%d)[%s]!?\n", + error, strerror(error))); + } + + sysdb_transaction_done(data->sysreq, error); + + /* password caching failures are not fatal errors */ + sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL); +} + +static void sdap_cache_pw_op(struct sysdb_req *req, void *pvt) +{ + struct sdap_pw_cache *data = talloc_get_type(pvt, struct sdap_pw_cache); + struct pam_data *pd; + const char *username; + const char *password; + int ret; + + data->sysreq = req; + + pd = data->lr->pd; + username = pd->user; + + if (pd->cmd == SSS_PAM_AUTHENTICATE) { + password = talloc_strndup(data, pd->authtok, pd->authtok_size); + } + else if (pd->cmd == SSS_PAM_CHAUTHTOK) { + password = talloc_strndup(data, pd->newauthtok, pd->newauthtok_size); + } + else { + DEBUG(1, ("Attempting password caching on invalid Op!\n")); + /* password caching failures are not fatal errors */ + sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL); + return; + } + + if (!password) { + DEBUG(2, ("Out of Memory!\n")); + /* password caching failures are not fatal errors */ + sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL); + return; + } + + ret = sysdb_set_cached_password(req, + data->lr->req->be_ctx->domain, + username, + password, + sdap_cache_pw_callback, data); + if (ret != EOK) { + /* password caching failures are not fatal errors */ + sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL); + } +} + +static void sdap_cache_password(struct sdap_req *lr) +{ + struct sdap_pw_cache *data; + int ret; + + data = talloc_zero(lr, struct sdap_pw_cache); + if (!data) { + DEBUG(2, ("Out of Memory!\n")); + /* password caching failures are not fatal errors */ + sdap_reply(data->lr->req, lr->pd->pam_status, NULL); + return; + } + data->lr = lr; + + ret = sysdb_transaction(data, lr->req->be_ctx->sysdb, + sdap_cache_pw_op, data); + + if (ret != EOK) { + DEBUG(1, ("Failed to start transaction (%d)[%s]!?\n", + ret, strerror(ret))); + /* password caching failures are not fatal errors */ + sdap_reply(data->lr->req, lr->pd->pam_status, NULL); + } +} + static void sdap_shutdown(struct be_req *req) { /* TODO: Clean up any internal data */ diff --git a/server/providers/proxy.c b/server/providers/proxy.c index 0fea89df..175670ad 100644 --- a/server/providers/proxy.c +++ b/server/providers/proxy.c @@ -70,6 +70,12 @@ struct authtok_conv { uint8_t *authtok; }; +static void cache_password(struct be_req *req, + char *username, + struct authtok_conv *ac); +static void proxy_reply(struct be_req *req, + int error, const char *errstr); + static int proxy_internal_conv(int num_msg, const struct pam_message **msgm, struct pam_response **response, void *appdata_ptr) { @@ -121,12 +127,13 @@ static void proxy_pam_handler(struct be_req *req) { struct pam_conv conv; struct pam_data *pd; struct proxy_auth_ctx *ctx;; + bool cache_auth_data = false; ctx = talloc_get_type(req->be_ctx->pvt_auth_data, struct proxy_auth_ctx); pd = talloc_get_type(req->req_data, struct pam_data); conv.conv=proxy_internal_conv; - auth_data = talloc_zero(req->be_ctx, struct authtok_conv); + auth_data = talloc_zero(req, struct authtok_conv); conv.appdata_ptr=auth_data; ret = pam_start(ctx->pam_target, pd->user, &conv, &pamh); @@ -148,7 +155,11 @@ static void proxy_pam_handler(struct be_req *req) { case SSS_PAM_AUTHENTICATE: auth_data->authtok_size = pd->authtok_size; auth_data->authtok = pd->authtok; - pam_status=pam_authenticate(pamh, 0); + pam_status = pam_authenticate(pamh, 0); + if ((pam_status == PAM_SUCCESS) && + (req->be_ctx->domain->cache_credentials)) { + cache_auth_data = true; + } break; case SSS_PAM_SETCRED: pam_status=pam_setcred(pamh, 0); @@ -166,12 +177,16 @@ static void proxy_pam_handler(struct be_req *req) { if (pd->priv != 1) { auth_data->authtok_size = pd->authtok_size; auth_data->authtok = pd->authtok; - pam_status=pam_authenticate(pamh, 0); + pam_status = pam_authenticate(pamh, 0); if (pam_status != PAM_SUCCESS) break; } auth_data->authtok_size = pd->newauthtok_size; auth_data->authtok = pd->newauthtok; - pam_status=pam_chauthtok(pamh, 0); + pam_status = pam_chauthtok(pamh, 0); + if ((pam_status == PAM_SUCCESS) && + (req->be_ctx->domain->cache_credentials)) { + cache_auth_data = true; + } break; default: DEBUG(1, ("unknown PAM call")); @@ -191,15 +206,14 @@ static void proxy_pam_handler(struct be_req *req) { pam_status = PAM_SYSTEM_ERR; } - talloc_free(auth_data); - pd->pam_status = pam_status; - req->fn(req, EOK, NULL); -} -static void proxy_reply(struct be_req *req, int error, const char *errstr) -{ - return req->fn(req, error, errstr); + if (cache_auth_data) { + cache_password(req, pd->user, auth_data); + return; + } + + proxy_reply(req, EOK, NULL); } struct proxy_data { @@ -222,6 +236,94 @@ struct proxy_data { sysdb_callback_t next_fn; }; +static void proxy_reply(struct be_req *req, int error, const char *errstr) +{ + return req->fn(req, error, errstr); +} + +static void cache_pw_return(void *pvt, int error, struct ldb_result *ignore) +{ + struct proxy_data *data = talloc_get_type(pvt, struct proxy_data); + const char *err = "Success"; + + if (error != EOK) { + DEBUG(2, ("Failed to cache password (%d)[%s]!?\n", + error, strerror(error))); + } + + sysdb_transaction_done(data->sysreq, error); + + /* password caching failures are not fatal errors */ + return proxy_reply(data->req, EOK, NULL); +} + +static void cache_pw_op(struct sysdb_req *req, void *pvt) +{ + struct proxy_data *data = talloc_get_type(pvt, struct proxy_data); + int ret; + + data->sysreq = req; + + ret = sysdb_set_cached_password(req, + data->req->be_ctx->domain, + data->pwd->pw_name, + data->pwd->pw_passwd, + cache_pw_return, data); + if (ret != EOK) { + /* password caching failures are not fatal errors */ + proxy_reply(data->req, EOK, NULL); + } +} + +static int password_destructor(void *memctx) +{ + char *password = (char *)memctx; + int i; + + /* zero out password */ + for (i = 0; password[i]; i++) password[i] = '\0'; + + return 0; +} + +static void cache_password(struct be_req *req, + char *username, + struct authtok_conv *ac) +{ + struct proxy_data *data; + struct proxy_ctx *ctx; + int ret; + + ctx = talloc_get_type(req->be_ctx->pvt_id_data, struct proxy_ctx); + + data = talloc_zero(req, struct proxy_data); + if (!data) + return proxy_reply(req, ENOMEM, "Out of memory"); + data->req = req; + data->ctx = ctx; + data->pwd = talloc(data, struct passwd); + if (!data->pwd) + return proxy_reply(req, ENOMEM, "Out of memory"); + data->pwd->pw_name = username; + data->pwd->pw_passwd = talloc_size(data, ac->authtok_size + 1); + if (!data->pwd->pw_passwd) + return proxy_reply(req, ENOMEM, "Out of memory"); + memcpy(data->pwd->pw_passwd, ac->authtok, ac->authtok_size); + data->pwd->pw_passwd[ac->authtok_size] = '\0'; + + talloc_set_destructor((TALLOC_CTX *)data->pwd->pw_passwd, + password_destructor); + + ret = sysdb_transaction(data, req->be_ctx->sysdb, cache_pw_op, data); + + if (ret != EOK) { + DEBUG(1, ("Failed to start transaction (%d)[%s]!?\n", + ret, strerror(ret))); + /* password caching failures are not fatal errors */ + return proxy_reply(req, EOK, NULL); + } +} + static void proxy_return(void *pvt, int error, struct ldb_result *ignore) { struct proxy_data *data = talloc_get_type(pvt, struct proxy_data); diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c index 614d640e..010bd8d4 100644 --- a/server/responder/pam/pam_LOCAL_domain.c +++ b/server/responder/pam/pam_LOCAL_domain.c @@ -115,7 +115,7 @@ static void set_user_attr_req(struct sysdb_req *req, void *pvt) lreq->sysdb_req = req; - ret = sysdb_set_user_attr(req, lreq->dbctx, lreq->preq->domain, + ret = sysdb_set_user_attr(req, lreq->preq->domain, lreq->preq->pd->user, lreq->mod_attrs, set_user_attr_callback, lreq); if (ret != EOK) diff --git a/server/responder/pam/pamsrv.h b/server/responder/pam/pamsrv.h index d95df169..fa688fe1 100644 --- a/server/responder/pam/pamsrv.h +++ b/server/responder/pam/pamsrv.h @@ -27,7 +27,6 @@ struct sss_cmd_table *register_sss_cmds(void); int pam_dp_send_req(struct pam_auth_req *preq, int timeout); -int pam_cache_credentials(struct pam_auth_req *preq); int pam_cache_auth(struct pam_auth_req *preq); int LOCAL_pam_handler(struct pam_auth_req *preq); diff --git a/server/responder/pam/pamsrv_cache.c b/server/responder/pam/pamsrv_cache.c index ed18f6a1..d1c34e5f 100644 --- a/server/responder/pam/pamsrv_cache.c +++ b/server/responder/pam/pamsrv_cache.c @@ -53,120 +53,10 @@ static int authtok2str(const void *mem_ctx, struct set_attrs_ctx { struct pam_auth_req *preq; - struct sysdb_attrs *attrs; struct sysdb_req *sysreq; + char *password; }; -static void pc_set_user_attr_callback(void *pvt, - int ldb_status, - struct ldb_result *res) -{ - struct set_attrs_ctx *ctx; - int error; - - ctx = talloc_get_type(pvt, struct set_attrs_ctx); - error = sysdb_error_to_errno(ldb_status); - - sysdb_transaction_done(ctx->sysreq, error); - - if (ldb_status != LDB_SUCCESS) { - DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n", - ctx->preq->pd->user, error, strerror(error))); - } - - ctx->preq->callback(ctx->preq); -} - -static void pc_set_user_attr_req(struct sysdb_req *req, void *pvt) -{ - struct set_attrs_ctx *ctx; - int ret; - - DEBUG(4, ("entering pc_set_user_attr_req\n")); - - ctx = talloc_get_type(pvt, struct set_attrs_ctx); - - ctx->sysreq = req; - - ret = sysdb_set_user_attr(req, ctx->preq->cctx->rctx->sysdb, - ctx->preq->domain, - ctx->preq->pd->user, - ctx->attrs, - pc_set_user_attr_callback, ctx); - if (ret != EOK) { - sysdb_transaction_done(ctx->sysreq, ret); - } - - if (ret != EOK) { - DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n", - ctx->preq->pd->user, ret, strerror(ret))); - ctx->preq->callback(ctx->preq); - } -} - -int pam_cache_credentials(struct pam_auth_req *preq) -{ - struct set_attrs_ctx *ctx; - struct pam_data *pd; - char *password = NULL; - char *comphash = NULL; - char *salt; - int i, ret; - - pd = preq->pd; - - ret = authtok2str(preq, pd->authtok, pd->authtok_size, &password); - if (ret) { - DEBUG(4, ("Invalid auth token.\n")); - ret = EINVAL; - goto done; - } - - ret = s3crypt_gen_salt(preq, &salt); - if (ret) { - DEBUG(4, ("Failed to generate random salt.\n")); - goto done; - } - - ret = s3crypt_sha512(preq, password, salt, &comphash); - if (ret) { - DEBUG(4, ("Failed to create password hash.\n")); - goto done; - } - - ctx = talloc_zero(preq, struct set_attrs_ctx); - if (!ctx) { - ret = ENOMEM; - goto done; - } - ctx->preq = preq; - - ctx->attrs = sysdb_new_attrs(ctx); - if (!ctx->attrs) { - ret = ENOMEM; - goto done; - } - - ret = sysdb_attrs_add_string(ctx->attrs, SYSDB_CACHEDPWD, comphash); - if (ret) goto done; - - /* FIXME: should we use a different attribute for chache passwords ?? */ - ret = sysdb_attrs_add_long(ctx->attrs, "lastCachedPasswordChange", - (long)time(NULL)); - if (ret) goto done; - - ret = sysdb_transaction(ctx, preq->cctx->rctx->sysdb, - pc_set_user_attr_req, ctx); - -done: - if (password) for (i = 0; password[i]; i++) password[i] = 0; - if (ret != EOK) { - DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n", - pd->user, ret, strerror(ret))); - } - return ret; -} - static void pam_cache_auth_return(struct pam_auth_req *preq, int error) { preq->pd->pam_status = error; diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 00765d47..40cccffb 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c @@ -263,19 +263,6 @@ static void pam_reply(struct pam_auth_req *preq) (preq->domain->cache_credentials == true) && (pd->offline_auth == false)) { - if (pd->pam_status == PAM_SUCCESS) { - pd->offline_auth = true; - preq->callback = pam_reply; - ret = pam_cache_credentials(preq); - if (ret == EOK) { - return; - } - else { - DEBUG(0, ("Failed to cache credentials")); - /* this error is not fatal, continue */ - } - } - if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) { /* do auth with offline credentials */ pd->offline_auth = true; diff --git a/server/server.mk b/server/server.mk index f61cdf28..416d36e5 100644 --- a/server/server.mk +++ b/server/server.mk @@ -5,6 +5,7 @@ UTIL_OBJ = \ util/memory.o \ util/btreemap.o \ util/usertools.o \ + util/nss_sha512crypt.o \ monitor/monitor_sbus.o \ providers/dp_sbus.o \ providers/dp_auth_util.o \ @@ -68,9 +69,6 @@ INFP_TEST_OBJ = \ STRESS_TEST_OBJ = \ tests/stress-tests.o -CRYPT_OBJ = \ - util/nss_sha512crypt.o - PAMSRV_OBJ = \ responder/pam/pamsrv.o \ responder/pam/pamsrv_cmd.o \ @@ -79,8 +77,7 @@ PAMSRV_OBJ = \ responder/pam/pamsrv_dp.o $(LDAP_BE_OBJ): CFLAGS += $(LDAP_CFLAGS) -$(CRYPT_OBJ): CFLAGS += $(NSS_CFLAGS) - +$(UTIL_OBJ): CFLAGS += $(NSS_CFLAGS) TOOLS_OBJ = \ tools/tools_util.o @@ -109,8 +106,8 @@ sbin/sssd: $(SERVER_OBJ) $(UTIL_OBJ) sbin/sssd_nss: $(NSSSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(CC) -o sbin/sssd_nss $(NSSSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(LDFLAGS) $(LIBS) -sbin/sssd_pam: $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(CRYPT_OBJ) - $(CC) -o sbin/sssd_pam $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(CRYPT_OBJ) $(LDFLAGS) $(LIBS) $(NSS_LIBS) +sbin/sssd_pam: $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) + $(CC) -o sbin/sssd_pam $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(LDFLAGS) $(LIBS) sbin/sssd_dp: $(DP_OBJ) $(UTIL_OBJ) $(CC) -o sbin/sssd_dp $(DP_OBJ) $(UTIL_OBJ) $(LDFLAGS) $(LIBS) diff --git a/server/tools/sss_usermod.c b/server/tools/sss_usermod.c index 113879fb..d19fe9d8 100644 --- a/server/tools/sss_usermod.c +++ b/server/tools/sss_usermod.c @@ -125,7 +125,6 @@ static void mod_user(struct sysdb_req *req, void *pvt) add_to_groups(user_ctx, EOK, NULL); } else { ret = sysdb_set_user_attr(req, - sysdb_req_get_ctx(req), user_ctx->domain, user_ctx->username, user_ctx->attrs, |