authorSumit Bose <sbose@redhat.com>2012-10-19 18:28:41 +0200
committerSumit Bose <sbose@redhat.com>2012-10-26 10:32:05 +0200
commitd29e91321d175dce94d87c23a44ced40d265de2c (patch)
tree66025c86ad9a2ae8a76b37603c6db091aba70d6f /src/providers/krb5/krb5_auth.c
parentd9137b153f1266ee5659405b2d7bc11787dad817 (diff)
krb5_auth_send: check for sub-domains
If there is an authentication request for a user from a sub-domain, a temporary sysdb context is generated to allow lookups in the corresponding sub-tree of the cache.
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index e244cea5..c98535b1 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -281,6 +281,7 @@ struct krb5_auth_state {
struct tevent_context *ev;
struct be_ctx *be_ctx;
struct pam_data *pd;
+ struct sysdb_ctx *sysdb;
struct krb5_ctx *krb5_ctx;
struct krb5child_req *kr;
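Review bot: The new `sysdb` member of `struct krb5_auth_state` carries no comment saying which sysdb it refers to, even though the later hunks route every cache access of the request through it instead of `be_ctx->sysdb`. A one-line comment next to the field would spare the next reader a trip to krb5_auth_send, e.g. `/* sysdb of the domain or sub-domain named by pd->domain; used instead of be_ctx->sysdb for all cache access in this request */`. The struct definition starts before this hunk and continues after it.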
@@ -318,6 +319,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req;
struct tevent_req *subreq;
int ret;
+ struct sss_domain_info *dom;
req = tevent_req_create(mem_ctx, &state, struct krb5_auth_state);
if (req == NULL) {
@@ -333,6 +335,14 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
state->pam_status = PAM_SYSTEM_ERR;
state->dp_err = DP_ERR_FATAL;
+ ret = get_domain_or_subdomain(state, be_ctx, pd->domain, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_domain_or_subdomain failed.\n"));
+ goto done;
+ }
+
+ state->sysdb = dom->sysdb;
+
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_CMD_RENEW:
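Review bot: The failure branch after `get_domain_or_subdomain` logs neither the domain it was asked to resolve nor the error code, so a request naming an unknown or misspelled sub-domain shows up only as an opaque "failed" line; `DEBUG(SSSDBG_OP_FAILURE, ("get_domain_or_subdomain failed for domain [%s]: [%d][%s].\n", pd->domain, ret, strerror(ret)));` would identify it (guard the `%s` if pd->domain can be NULL at this point). Because the lookup sits before the `switch` on `pd->cmd`, every command handled here, not only authentication, now ends with PAM_SYSTEM_ERR/DP_ERR_FATAL when the domain cannot be resolved; if that is intended, a short comment above the call saying so would help. `state->sysdb` is copied out of `dom` and used later from the krb5_child_done callbacks, which is only safe if `dom` (and the temporary sub-domain sysdb the commit message mentions) is allocated on `state`, the first argument — presumably the case, but worth a comment such as `/* dom is allocated on state, so state->sysdb stays valid until the request is freed */` once confirmed against get_domain_or_subdomain. The `done` label and the rest of krb5_auth_send are outside this hunk.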
@@ -386,7 +396,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
}
kr = state->kr;
- ret = sysdb_get_user_attr(state, be_ctx->sysdb, state->pd->user, attrs,
+ ret = sysdb_get_user_attr(state, state->sysdb, state->pd->user, attrs,
&res);
if (ret) {
DEBUG(5, ("sysdb search for upn of user [%s] failed.\n", pd->user));
@@ -793,7 +803,7 @@ static void krb5_child_done(struct tevent_req *subreq)
"please remove it manually.\n", kr->old_ccname));
}
- ret = krb5_delete_ccname(state, state->be_ctx->sysdb,
+ ret = krb5_delete_ccname(state, state->sysdb,
pd->user, kr->old_ccname);
if (ret != EOK) {
DEBUG(1, ("krb5_delete_ccname failed.\n"));
@@ -882,7 +892,7 @@ static void krb5_child_done(struct tevent_req *subreq)
"please remove it manually.\n", kr->old_ccname));
}
- ret = krb5_save_ccname(state, state->be_ctx->sysdb,
+ ret = krb5_save_ccname(state, state->sysdb,
pd->user, store_ccname);
if (ret) {
DEBUG(1, ("krb5_save_ccname failed.\n"));
@@ -1048,7 +1058,7 @@ static void krb5_save_ccname_done(struct tevent_req *req)
talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
- ret = sysdb_cache_password(state->be_ctx->sysdb, pd->user, password);
+ ret = sysdb_cache_password(state->sysdb, pd->user, password);
if (ret) {
DEBUG(2, ("Failed to cache password, offline auth may not work."
" (%d)[%s]!?\n", ret, strerror(ret)));
@@ -1076,7 +1086,7 @@ static void krb5_pam_handler_cache_auth_step(struct tevent_req *req)
struct krb5_ctx *krb5_ctx = state->kr->krb5_ctx;
int ret;
- ret = sysdb_cache_auth(state->be_ctx->sysdb, pd->user, pd->authtok,
+ ret = sysdb_cache_auth(state->sysdb, pd->user, pd->authtok,
pd->authtok_size, state->be_ctx->cdb, true, NULL,
NULL);
if (ret != EOK) {