summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2009-05-11 09:08:31 -0400
committerSimo Sorce <ssorce@redhat.com>2009-05-18 15:27:48 -0400
commit66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25 (patch)
tree35caa2b93baa413e516c1834626a14e36c811017
parent3594dff371450e4530bf26f3bc4b2ea195270bcd (diff)
downloadsssd-66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25.tar.gz
sssd-66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25.tar.bz2
sssd-66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25.zip
Move actual password caching into sysdb
Convert auth modules to do the caching themselves
-rw-r--r--server/Makefile.in2
-rw-r--r--server/db/sysdb.h1
-rw-r--r--server/db/sysdb_ops.c50
-rw-r--r--server/infopipe/infopipe_users.c2
-rw-r--r--server/providers/ldap/ldap_auth.c123
-rw-r--r--server/providers/proxy.c124
-rw-r--r--server/responder/pam/pam_LOCAL_domain.c2
-rw-r--r--server/responder/pam/pamsrv.h1
-rw-r--r--server/responder/pam/pamsrv_cache.c112
-rw-r--r--server/responder/pam/pamsrv_cmd.c13
-rw-r--r--server/server.mk11
-rw-r--r--server/tools/sss_usermod.c1
12 files changed, 286 insertions, 156 deletions
diff --git a/server/Makefile.in b/server/Makefile.in
index 07208df2..fb455362 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -84,7 +84,7 @@ SHLD_FLAGS = @SHLD_FLAGS@
SONAMEFLAG = @SONAMEFLAG@
LDFLAGS += @LDFLAGS@ -L$(srcdir)/lib
-LIBS = @LIBS@ $(TALLOC_LIBS) $(TDB_LIBS) $(TEVENT_LIBS) $(POPT_LIBS) $(LDB_LIBS) $(DBUS_LIBS) $(PCRE_LIBS)
+LIBS = @LIBS@ $(TALLOC_LIBS) $(TDB_LIBS) $(TEVENT_LIBS) $(POPT_LIBS) $(LDB_LIBS) $(DBUS_LIBS) $(PCRE_LIBS) $(NSS_LIBS)
PICFLAG = @PICFLAG@
CFLAGS := -I$(srcdir)/include -Iinclude -I$(srcdir) -I$(srcdir)/.. \
diff --git a/server/db/sysdb.h b/server/db/sysdb.h
index 336c9600..916f8e21 100644
--- a/server/db/sysdb.h
+++ b/server/db/sysdb.h
@@ -269,7 +269,6 @@ int sysdb_delete_group_by_gid(struct sysdb_req *sysreq,
sysdb_callback_t fn, void *pvt);
int sysdb_set_user_attr(struct sysdb_req *sysreq,
- struct sysdb_ctx *ctx,
struct sss_domain_info *domain,
const char *name,
struct sysdb_attrs *attributes,
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index 041e10b7..769d5f61 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -21,6 +21,7 @@
#include "util/util.h"
#include "db/sysdb_private.h"
+#include "util/nss_sha512crypt.h"
#include <time.h>
struct sysdb_cb_ctx {
@@ -456,12 +457,12 @@ int sysdb_delete_group_by_gid(struct sysdb_req *sysreq,
}
int sysdb_set_user_attr(struct sysdb_req *sysreq,
- struct sysdb_ctx *ctx,
struct sss_domain_info *domain,
const char *name,
struct sysdb_attrs *attrs,
sysdb_callback_t fn, void *pvt)
{
+ struct sysdb_ctx *ctx;
struct sysdb_cb_ctx *cbctx;
struct ldb_message *msg;
struct ldb_request *req;
@@ -474,6 +475,8 @@ int sysdb_set_user_attr(struct sysdb_req *sysreq,
if (attrs->num == 0) return EINVAL;
+ ctx = sysdb_req_get_ctx(sysreq);
+
cbctx = talloc_zero(sysreq, struct sysdb_cb_ctx);
if (!cbctx) return ENOMEM;
@@ -1832,3 +1835,48 @@ int sysdb_legacy_remove_group_member(struct sysdb_req *sysreq,
return EOK;
}
+int sysdb_set_cached_password(struct sysdb_req *sysreq,
+ struct sss_domain_info *domain,
+ const char *user,
+ const char *password,
+ sysdb_callback_t fn, void *pvt)
+{
+ struct sysdb_ctx *ctx;
+ struct sysdb_attrs *attrs;
+ char *hash = NULL;
+ char *salt;
+ int ret;
+
+ ctx = sysdb_req_get_ctx(sysreq);
+ if (!ctx) return EFAULT;
+
+ ret = s3crypt_gen_salt(sysreq, &salt);
+ if (ret) {
+ DEBUG(4, ("Failed to generate random salt.\n"));
+ return ret;
+ }
+
+ ret = s3crypt_sha512(sysreq, password, salt, &hash);
+ if (ret) {
+ DEBUG(4, ("Failed to create password hash.\n"));
+ return ret;
+ }
+
+ attrs = sysdb_new_attrs(sysreq);
+ if (!attrs) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash);
+ if (ret) return ret;
+
+ /* FIXME: should we use a different attribute for chache passwords ?? */
+ ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange",
+ (long)time(NULL));
+ if (ret) return ret;
+
+ ret = sysdb_set_user_attr(sysreq, domain, user, attrs, fn, pvt);
+ if (ret) return ret;
+
+ return EOK;
+}
diff --git a/server/infopipe/infopipe_users.c b/server/infopipe/infopipe_users.c
index 326e3222..ee513712 100644
--- a/server/infopipe/infopipe_users.c
+++ b/server/infopipe/infopipe_users.c
@@ -1349,7 +1349,6 @@ static void infp_do_user_set_attr(struct sysdb_req *req, void *pvt)
DEBUG(9, ("Setting attributes for user [%s]\n", infp_setattr_req->usernames[infp_setattr_req->index]));
ret = sysdb_set_user_attr(infp_setattr_req->sysdb_req,
- infp_setattr_req->infp_req->infp->sysdb,
infp_setattr_req->infp_req->domain,
infp_setattr_req->usernames[infp_setattr_req->index],
infp_setattr_req->changes[infp_setattr_req->index],
@@ -1714,7 +1713,6 @@ static void infp_do_user_set_uid(struct sysdb_req *req, void *pvt)
DEBUG(9, ("Setting UID for user [%s]\n", infp_setuid_req->username));
ret = sysdb_set_user_attr(infp_setuid_req->sysdb_req,
- infp_setuid_req->infp_req->infp->sysdb,
infp_setuid_req->infp_req->domain,
infp_setuid_req->username,
infp_setuid_req->uid_attr,
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 6a4dc895..0c2541f1 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -283,6 +283,8 @@ static int sdap_bind(struct sdap_req *lr)
return LDAP_SUCCESS;
}
+static void sdap_cache_password(struct sdap_req *lr);
+
static void sdap_pam_loop(struct tevent_context *ev, struct tevent_fd *te,
uint16_t fd, void *pvt)
{
@@ -290,7 +292,6 @@ static void sdap_pam_loop(struct tevent_context *ev, struct tevent_fd *te,
int pam_status=PAM_SUCCESS;
int ldap_ret;
struct sdap_req *lr;
- struct pam_data *pd;
struct be_req *req;
LDAPMessage *result=NULL;
LDAPMessage *msg=NULL;
@@ -573,11 +574,17 @@ done:
talloc_free(filter);
if (lr->ldap != NULL) ldap_unbind_ext(lr->ldap, NULL, NULL);
req = lr->req;
- pd = talloc_get_type(lr->req->req_data, struct pam_data);
- pd->pam_status = pam_status;
+ lr->pd->pam_status = pam_status;
+
+ if (((lr->pd->cmd == SSS_PAM_AUTHENTICATE) ||
+ (lr->pd->cmd == SSS_PAM_CHAUTHTOK)) &&
+ (lr->pd->pam_status == PAM_SUCCESS) &&
+ lr->req->be_ctx->domain->cache_credentials) {
+ sdap_cache_password(lr);
+ return;
+ }
talloc_free(lr);
-
req->fn(req, pam_status, NULL);
}
@@ -617,8 +624,7 @@ static void sdap_start(struct tevent_context *ev, struct tevent_timer *te,
done:
if (lr->ldap != NULL ) ldap_unbind_ext(lr->ldap, NULL, NULL);
req = lr->req;
- pd = talloc_get_type(lr->req->req_data, struct pam_data);
- pd->pam_status = pam_status;
+ lr->pd->pam_status = pam_status;
talloc_free(lr);
@@ -666,6 +672,111 @@ done:
req->fn(req, pam_status, NULL);
}
+struct sdap_pw_cache {
+ struct sysdb_req *sysreq;
+ struct sdap_req *lr;
+};
+
+static int password_destructor(void *memctx)
+{
+ char *password = (char *)memctx;
+ int i;
+
+ /* zero out password */
+ for (i = 0; password[i]; i++) password[i] = '\0';
+
+ return 0;
+}
+
+static void sdap_reply(struct be_req *req, int ret, char *errstr)
+{
+ req->fn(req, ret, errstr);
+}
+
+static void sdap_cache_pw_callback(void *pvt, int error,
+ struct ldb_result *ignore)
+{
+ struct sdap_pw_cache *data = talloc_get_type(pvt, struct sdap_pw_cache);
+ if (error != EOK) {
+ DEBUG(2, ("Failed to cache password (%d)[%s]!?\n",
+ error, strerror(error)));
+ }
+
+ sysdb_transaction_done(data->sysreq, error);
+
+ /* password caching failures are not fatal errors */
+ sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL);
+}
+
+static void sdap_cache_pw_op(struct sysdb_req *req, void *pvt)
+{
+ struct sdap_pw_cache *data = talloc_get_type(pvt, struct sdap_pw_cache);
+ struct pam_data *pd;
+ const char *username;
+ const char *password;
+ int ret;
+
+ data->sysreq = req;
+
+ pd = data->lr->pd;
+ username = pd->user;
+
+ if (pd->cmd == SSS_PAM_AUTHENTICATE) {
+ password = talloc_strndup(data, pd->authtok, pd->authtok_size);
+ }
+ else if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+ password = talloc_strndup(data, pd->newauthtok, pd->newauthtok_size);
+ }
+ else {
+ DEBUG(1, ("Attempting password caching on invalid Op!\n"));
+ /* password caching failures are not fatal errors */
+ sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL);
+ return;
+ }
+
+ if (!password) {
+ DEBUG(2, ("Out of Memory!\n"));
+ /* password caching failures are not fatal errors */
+ sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL);
+ return;
+ }
+
+ ret = sysdb_set_cached_password(req,
+ data->lr->req->be_ctx->domain,
+ username,
+ password,
+ sdap_cache_pw_callback, data);
+ if (ret != EOK) {
+ /* password caching failures are not fatal errors */
+ sdap_reply(data->lr->req, data->lr->pd->pam_status, NULL);
+ }
+}
+
+static void sdap_cache_password(struct sdap_req *lr)
+{
+ struct sdap_pw_cache *data;
+ int ret;
+
+ data = talloc_zero(lr, struct sdap_pw_cache);
+ if (!data) {
+ DEBUG(2, ("Out of Memory!\n"));
+ /* password caching failures are not fatal errors */
+ sdap_reply(data->lr->req, lr->pd->pam_status, NULL);
+ return;
+ }
+ data->lr = lr;
+
+ ret = sysdb_transaction(data, lr->req->be_ctx->sysdb,
+ sdap_cache_pw_op, data);
+
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to start transaction (%d)[%s]!?\n",
+ ret, strerror(ret)));
+ /* password caching failures are not fatal errors */
+ sdap_reply(data->lr->req, lr->pd->pam_status, NULL);
+ }
+}
+
static void sdap_shutdown(struct be_req *req)
{
/* TODO: Clean up any internal data */
diff --git a/server/providers/proxy.c b/server/providers/proxy.c
index 0fea89df..175670ad 100644
--- a/server/providers/proxy.c
+++ b/server/providers/proxy.c
@@ -70,6 +70,12 @@ struct authtok_conv {
uint8_t *authtok;
};
+static void cache_password(struct be_req *req,
+ char *username,
+ struct authtok_conv *ac);
+static void proxy_reply(struct be_req *req,
+ int error, const char *errstr);
+
static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
struct pam_response **response,
void *appdata_ptr) {
@@ -121,12 +127,13 @@ static void proxy_pam_handler(struct be_req *req) {
struct pam_conv conv;
struct pam_data *pd;
struct proxy_auth_ctx *ctx;;
+ bool cache_auth_data = false;
ctx = talloc_get_type(req->be_ctx->pvt_auth_data, struct proxy_auth_ctx);
pd = talloc_get_type(req->req_data, struct pam_data);
conv.conv=proxy_internal_conv;
- auth_data = talloc_zero(req->be_ctx, struct authtok_conv);
+ auth_data = talloc_zero(req, struct authtok_conv);
conv.appdata_ptr=auth_data;
ret = pam_start(ctx->pam_target, pd->user, &conv, &pamh);
@@ -148,7 +155,11 @@ static void proxy_pam_handler(struct be_req *req) {
case SSS_PAM_AUTHENTICATE:
auth_data->authtok_size = pd->authtok_size;
auth_data->authtok = pd->authtok;
- pam_status=pam_authenticate(pamh, 0);
+ pam_status = pam_authenticate(pamh, 0);
+ if ((pam_status == PAM_SUCCESS) &&
+ (req->be_ctx->domain->cache_credentials)) {
+ cache_auth_data = true;
+ }
break;
case SSS_PAM_SETCRED:
pam_status=pam_setcred(pamh, 0);
@@ -166,12 +177,16 @@ static void proxy_pam_handler(struct be_req *req) {
if (pd->priv != 1) {
auth_data->authtok_size = pd->authtok_size;
auth_data->authtok = pd->authtok;
- pam_status=pam_authenticate(pamh, 0);
+ pam_status = pam_authenticate(pamh, 0);
if (pam_status != PAM_SUCCESS) break;
}
auth_data->authtok_size = pd->newauthtok_size;
auth_data->authtok = pd->newauthtok;
- pam_status=pam_chauthtok(pamh, 0);
+ pam_status = pam_chauthtok(pamh, 0);
+ if ((pam_status == PAM_SUCCESS) &&
+ (req->be_ctx->domain->cache_credentials)) {
+ cache_auth_data = true;
+ }
break;
default:
DEBUG(1, ("unknown PAM call"));
@@ -191,15 +206,14 @@ static void proxy_pam_handler(struct be_req *req) {
pam_status = PAM_SYSTEM_ERR;
}
- talloc_free(auth_data);
-
pd->pam_status = pam_status;
- req->fn(req, EOK, NULL);
-}
-static void proxy_reply(struct be_req *req, int error, const char *errstr)
-{
- return req->fn(req, error, errstr);
+ if (cache_auth_data) {
+ cache_password(req, pd->user, auth_data);
+ return;
+ }
+
+ proxy_reply(req, EOK, NULL);
}
struct proxy_data {
@@ -222,6 +236,94 @@ struct proxy_data {
sysdb_callback_t next_fn;
};
+static void proxy_reply(struct be_req *req, int error, const char *errstr)
+{
+ return req->fn(req, error, errstr);
+}
+
+static void cache_pw_return(void *pvt, int error, struct ldb_result *ignore)
+{
+ struct proxy_data *data = talloc_get_type(pvt, struct proxy_data);
+ const char *err = "Success";
+
+ if (error != EOK) {
+ DEBUG(2, ("Failed to cache password (%d)[%s]!?\n",
+ error, strerror(error)));
+ }
+
+ sysdb_transaction_done(data->sysreq, error);
+
+ /* password caching failures are not fatal errors */
+ return proxy_reply(data->req, EOK, NULL);
+}
+
+static void cache_pw_op(struct sysdb_req *req, void *pvt)
+{
+ struct proxy_data *data = talloc_get_type(pvt, struct proxy_data);
+ int ret;
+
+ data->sysreq = req;
+
+ ret = sysdb_set_cached_password(req,
+ data->req->be_ctx->domain,
+ data->pwd->pw_name,
+ data->pwd->pw_passwd,
+ cache_pw_return, data);
+ if (ret != EOK) {
+ /* password caching failures are not fatal errors */
+ proxy_reply(data->req, EOK, NULL);
+ }
+}
+
+static int password_destructor(void *memctx)
+{
+ char *password = (char *)memctx;
+ int i;
+
+ /* zero out password */
+ for (i = 0; password[i]; i++) password[i] = '\0';
+
+ return 0;
+}
+
+static void cache_password(struct be_req *req,
+ char *username,
+ struct authtok_conv *ac)
+{
+ struct proxy_data *data;
+ struct proxy_ctx *ctx;
+ int ret;
+
+ ctx = talloc_get_type(req->be_ctx->pvt_id_data, struct proxy_ctx);
+
+ data = talloc_zero(req, struct proxy_data);
+ if (!data)
+ return proxy_reply(req, ENOMEM, "Out of memory");
+ data->req = req;
+ data->ctx = ctx;
+ data->pwd = talloc(data, struct passwd);
+ if (!data->pwd)
+ return proxy_reply(req, ENOMEM, "Out of memory");
+ data->pwd->pw_name = username;
+ data->pwd->pw_passwd = talloc_size(data, ac->authtok_size + 1);
+ if (!data->pwd->pw_passwd)
+ return proxy_reply(req, ENOMEM, "Out of memory");
+ memcpy(data->pwd->pw_passwd, ac->authtok, ac->authtok_size);
+ data->pwd->pw_passwd[ac->authtok_size] = '\0';
+
+ talloc_set_destructor((TALLOC_CTX *)data->pwd->pw_passwd,
+ password_destructor);
+
+ ret = sysdb_transaction(data, req->be_ctx->sysdb, cache_pw_op, data);
+
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to start transaction (%d)[%s]!?\n",
+ ret, strerror(ret)));
+ /* password caching failures are not fatal errors */
+ return proxy_reply(req, EOK, NULL);
+ }
+}
+
static void proxy_return(void *pvt, int error, struct ldb_result *ignore)
{
struct proxy_data *data = talloc_get_type(pvt, struct proxy_data);
diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c
index 614d640e..010bd8d4 100644
--- a/server/responder/pam/pam_LOCAL_domain.c
+++ b/server/responder/pam/pam_LOCAL_domain.c
@@ -115,7 +115,7 @@ static void set_user_attr_req(struct sysdb_req *req, void *pvt)
lreq->sysdb_req = req;
- ret = sysdb_set_user_attr(req, lreq->dbctx, lreq->preq->domain,
+ ret = sysdb_set_user_attr(req, lreq->preq->domain,
lreq->preq->pd->user, lreq->mod_attrs,
set_user_attr_callback, lreq);
if (ret != EOK)
diff --git a/server/responder/pam/pamsrv.h b/server/responder/pam/pamsrv.h
index d95df169..fa688fe1 100644
--- a/server/responder/pam/pamsrv.h
+++ b/server/responder/pam/pamsrv.h
@@ -27,7 +27,6 @@ struct sss_cmd_table *register_sss_cmds(void);
int pam_dp_send_req(struct pam_auth_req *preq, int timeout);
-int pam_cache_credentials(struct pam_auth_req *preq);
int pam_cache_auth(struct pam_auth_req *preq);
int LOCAL_pam_handler(struct pam_auth_req *preq);
diff --git a/server/responder/pam/pamsrv_cache.c b/server/responder/pam/pamsrv_cache.c
index ed18f6a1..d1c34e5f 100644
--- a/server/responder/pam/pamsrv_cache.c
+++ b/server/responder/pam/pamsrv_cache.c
@@ -53,120 +53,10 @@ static int authtok2str(const void *mem_ctx,
struct set_attrs_ctx {
struct pam_auth_req *preq;
- struct sysdb_attrs *attrs;
struct sysdb_req *sysreq;
+ char *password;
};
-static void pc_set_user_attr_callback(void *pvt,
- int ldb_status,
- struct ldb_result *res)
-{
- struct set_attrs_ctx *ctx;
- int error;
-
- ctx = talloc_get_type(pvt, struct set_attrs_ctx);
- error = sysdb_error_to_errno(ldb_status);
-
- sysdb_transaction_done(ctx->sysreq, error);
-
- if (ldb_status != LDB_SUCCESS) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- ctx->preq->pd->user, error, strerror(error)));
- }
-
- ctx->preq->callback(ctx->preq);
-}
-
-static void pc_set_user_attr_req(struct sysdb_req *req, void *pvt)
-{
- struct set_attrs_ctx *ctx;
- int ret;
-
- DEBUG(4, ("entering pc_set_user_attr_req\n"));
-
- ctx = talloc_get_type(pvt, struct set_attrs_ctx);
-
- ctx->sysreq = req;
-
- ret = sysdb_set_user_attr(req, ctx->preq->cctx->rctx->sysdb,
- ctx->preq->domain,
- ctx->preq->pd->user,
- ctx->attrs,
- pc_set_user_attr_callback, ctx);
- if (ret != EOK) {
- sysdb_transaction_done(ctx->sysreq, ret);
- }
-
- if (ret != EOK) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- ctx->preq->pd->user, ret, strerror(ret)));
- ctx->preq->callback(ctx->preq);
- }
-}
-
-int pam_cache_credentials(struct pam_auth_req *preq)
-{
- struct set_attrs_ctx *ctx;
- struct pam_data *pd;
- char *password = NULL;
- char *comphash = NULL;
- char *salt;
- int i, ret;
-
- pd = preq->pd;
-
- ret = authtok2str(preq, pd->authtok, pd->authtok_size, &password);
- if (ret) {
- DEBUG(4, ("Invalid auth token.\n"));
- ret = EINVAL;
- goto done;
- }
-
- ret = s3crypt_gen_salt(preq, &salt);
- if (ret) {
- DEBUG(4, ("Failed to generate random salt.\n"));
- goto done;
- }
-
- ret = s3crypt_sha512(preq, password, salt, &comphash);
- if (ret) {
- DEBUG(4, ("Failed to create password hash.\n"));
- goto done;
- }
-
- ctx = talloc_zero(preq, struct set_attrs_ctx);
- if (!ctx) {
- ret = ENOMEM;
- goto done;
- }
- ctx->preq = preq;
-
- ctx->attrs = sysdb_new_attrs(ctx);
- if (!ctx->attrs) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(ctx->attrs, SYSDB_CACHEDPWD, comphash);
- if (ret) goto done;
-
- /* FIXME: should we use a different attribute for chache passwords ?? */
- ret = sysdb_attrs_add_long(ctx->attrs, "lastCachedPasswordChange",
- (long)time(NULL));
- if (ret) goto done;
-
- ret = sysdb_transaction(ctx, preq->cctx->rctx->sysdb,
- pc_set_user_attr_req, ctx);
-
-done:
- if (password) for (i = 0; password[i]; i++) password[i] = 0;
- if (ret != EOK) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- pd->user, ret, strerror(ret)));
- }
- return ret;
-}
-
static void pam_cache_auth_return(struct pam_auth_req *preq, int error)
{
preq->pd->pam_status = error;
diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 00765d47..40cccffb 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -263,19 +263,6 @@ static void pam_reply(struct pam_auth_req *preq)
(preq->domain->cache_credentials == true) &&
(pd->offline_auth == false)) {
- if (pd->pam_status == PAM_SUCCESS) {
- pd->offline_auth = true;
- preq->callback = pam_reply;
- ret = pam_cache_credentials(preq);
- if (ret == EOK) {
- return;
- }
- else {
- DEBUG(0, ("Failed to cache credentials"));
- /* this error is not fatal, continue */
- }
- }
-
if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) {
/* do auth with offline credentials */
pd->offline_auth = true;
diff --git a/server/server.mk b/server/server.mk
index f61cdf28..416d36e5 100644
--- a/server/server.mk
+++ b/server/server.mk
@@ -5,6 +5,7 @@ UTIL_OBJ = \
util/memory.o \
util/btreemap.o \
util/usertools.o \
+ util/nss_sha512crypt.o \
monitor/monitor_sbus.o \
providers/dp_sbus.o \
providers/dp_auth_util.o \
@@ -68,9 +69,6 @@ INFP_TEST_OBJ = \
STRESS_TEST_OBJ = \
tests/stress-tests.o
-CRYPT_OBJ = \
- util/nss_sha512crypt.o
-
PAMSRV_OBJ = \
responder/pam/pamsrv.o \
responder/pam/pamsrv_cmd.o \
@@ -79,8 +77,7 @@ PAMSRV_OBJ = \
responder/pam/pamsrv_dp.o
$(LDAP_BE_OBJ): CFLAGS += $(LDAP_CFLAGS)
-$(CRYPT_OBJ): CFLAGS += $(NSS_CFLAGS)
-
+$(UTIL_OBJ): CFLAGS += $(NSS_CFLAGS)
TOOLS_OBJ = \
tools/tools_util.o
@@ -109,8 +106,8 @@ sbin/sssd: $(SERVER_OBJ) $(UTIL_OBJ)
sbin/sssd_nss: $(NSSSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ)
$(CC) -o sbin/sssd_nss $(NSSSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(LDFLAGS) $(LIBS)
-sbin/sssd_pam: $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(CRYPT_OBJ)
- $(CC) -o sbin/sssd_pam $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(CRYPT_OBJ) $(LDFLAGS) $(LIBS) $(NSS_LIBS)
+sbin/sssd_pam: $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ)
+ $(CC) -o sbin/sssd_pam $(PAMSRV_OBJ) $(UTIL_OBJ) $(RESPONDER_UTIL_OBJ) $(LDFLAGS) $(LIBS)
sbin/sssd_dp: $(DP_OBJ) $(UTIL_OBJ)
$(CC) -o sbin/sssd_dp $(DP_OBJ) $(UTIL_OBJ) $(LDFLAGS) $(LIBS)
diff --git a/server/tools/sss_usermod.c b/server/tools/sss_usermod.c
index 113879fb..d19fe9d8 100644
--- a/server/tools/sss_usermod.c
+++ b/server/tools/sss_usermod.c
@@ -125,7 +125,6 @@ static void mod_user(struct sysdb_req *req, void *pvt)
add_to_groups(user_ctx, EOK, NULL);
} else {
ret = sysdb_set_user_attr(req,
- sysdb_req_get_ctx(req),
user_ctx->domain,
user_ctx->username,
user_ctx->attrs,