summaryrefslogtreecommitdiff
path: root/src/sss_client
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-05-10 09:55:31 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-06 23:58:56 +0200
commit92af6f25864b5c389b57d0f659686801b45ca58c (patch)
tree739bd3da9da35820d45c2b2c4bdb0c65ae8777d4 /src/sss_client
parent3680bb9c72ea5c60e6ac2fd2cf500b801341ca59 (diff)
downloadsssd-92af6f25864b5c389b57d0f659686801b45ca58c.tar.gz
sssd-92af6f25864b5c389b57d0f659686801b45ca58c.tar.bz2
sssd-92af6f25864b5c389b57d0f659686801b45ca58c.zip
Enhance PAC responder for AD users
This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now lookup up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD. Fixes https://fedorahosted.org/sssd/ticket/1558
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/sssd_pac.c62
1 files changed, 47 insertions, 15 deletions
diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c
index 0cce43dd..469758a6 100644
--- a/src/sss_client/sssd_pac.c
+++ b/src/sss_client/sssd_pac.c
@@ -2,7 +2,7 @@
Authors:
Sumit Bose <sbose@redhat.com>
- Copyright (C) 2011 Red Hat
+ Copyright (C) 2011, 2012, 2013 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published by
@@ -45,7 +45,7 @@ sssdpac_flags(krb5_context kcontext,
krb5_authdatatype ad_type,
krb5_flags *flags)
{
- *flags = AD_USAGE_KDC_ISSUED | AD_INFORMATIONAL | AD_USAGE_TGS_REQ;
+ *flags = AD_USAGE_KDC_ISSUED | AD_USAGE_TGS_REQ;
}
static void
@@ -81,9 +81,6 @@ sssdpac_import_authdata(krb5_context kcontext,
krb5_boolean kdc_issued,
krb5_const_principal kdc_issuer)
{
- struct sss_cli_req_data sss_data;
- int ret;
- int errnop;
char *data = NULL;
struct sssd_context *sssdctx = (struct sssd_context *)request_context;
@@ -91,15 +88,6 @@ sssdpac_import_authdata(krb5_context kcontext,
return EINVAL;
}
- sss_data.len = authdata[0]->length;
- sss_data.data = authdata[0]->contents;
-
- ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,
- NULL, NULL, &errnop);
- if (ret != 0) {
- /* Ignore the error */
- }
-
if (authdata[0]->length > 0) {
data = malloc(sizeof(char) * authdata[0]->length);
if (data == NULL) {
@@ -134,6 +122,50 @@ sssdpac_request_fini(krb5_context kcontext,
}
}
+static krb5_error_code sssdpac_verify(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req)
+{
+ krb5_error_code kerr;
+ int ret;
+ krb5_pac pac;
+ struct sssd_context *sssdctx = (struct sssd_context *)request_context;
+ struct sss_cli_req_data sss_data;
+ int errnop;
+
+ if (sssdctx == NULL || sssdctx->data.data == NULL) {
+ return EINVAL;
+ }
+
+ kerr = krb5_pac_parse(kcontext, sssdctx->data.data,
+ sssdctx->data.length, &pac);
+ if (kerr != 0) {
+ return EINVAL;
+ }
+
+ kerr = krb5_pac_verify(kcontext, pac,
+ req->ticket->enc_part2->times.authtime,
+ req->ticket->enc_part2->client, key, NULL);
+ if (kerr != 0) {
+ return EINVAL;
+ }
+
+ sss_data.len = sssdctx->data.length;
+ sss_data.data = sssdctx->data.data;
+
+ ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,
+ NULL, NULL, &errnop);
+ if (ret != 0) {
+ /* Ignore the error */
+ }
+
+ return 0;
+}
+
static krb5_error_code
sssdpac_size(krb5_context kcontext,
krb5_authdata_context context,
@@ -272,7 +304,7 @@ krb5plugin_authdata_client_ftable_v0 authdata_client_0 = {
sssdpac_import_authdata,
NULL,
NULL,
- NULL,
+ sssdpac_verify,
sssdpac_size,
sssdpac_externalize,
sssdpac_internalize,