Diffstat (limited to 'src')
-rw-r--r-- | src/providers/data_provider_be.c | 8 | ||||
-rw-r--r-- | src/providers/dp_auth_util.c | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_auth.c | 6 |
3 files changed, 13 insertions, 3 deletions
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 101bd3b2..f550c4ea 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -813,10 +813,12 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn)
 }
 pd->pam_status = PAM_SYSTEM_ERR;
- pd->domain = talloc_strdup(pd, becli->bectx->domain->name);
 if (pd->domain == NULL) {
- talloc_free(be_req);
- return ENOMEM;
+ pd->domain = talloc_strdup(pd, becli->bectx->domain->name);
+ if (pd->domain == NULL) {
+ talloc_free(be_req);
+ return ENOMEM;
+ }
 }
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index 7c3541b0..9a67564b 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -35,6 +35,7 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd)
 db_ret = dbus_message_append_args(msg, DBUS_TYPE_INT32, &(pd->cmd),
 DBUS_TYPE_STRING, &(pd->user),
+ DBUS_TYPE_STRING, &(pd->domain),
 DBUS_TYPE_STRING, &(pd->service),
 DBUS_TYPE_STRING, &(pd->tty),
 DBUS_TYPE_STRING, &(pd->ruser),
@@ -66,6 +67,7 @@ bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx,
 db_ret = dbus_message_get_args(msg, dbus_error, DBUS_TYPE_INT32, &(pd.cmd),
 DBUS_TYPE_STRING, &(pd.user),
+ DBUS_TYPE_STRING, &(pd.domain),
 DBUS_TYPE_STRING, &(pd.service),
 DBUS_TYPE_STRING, &(pd.tty),
 DBUS_TYPE_STRING, &(pd.ruser),
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index eb62f029..2bd313b3 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -210,6 +210,12 @@ void ipa_auth(struct be_req *be_req)
 state->pd = pd;
+ if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0 &&
+ state->pd->cmd != SSS_PAM_ACCT_MGMT) {
+ DEBUG(SSSDBG_OP_FAILURE, ("This operation is not allowed for subdomains!\n"));
+ goto fail;
+ }
+
 switch (state->pd->cmd) {
 case SSS_PAM_AUTHENTICATE:
 state->ipa_auth_ctx = talloc_get_type( |
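Review bot: With the fallback now guarded by `if (pd->domain == NULL)`, be_pam_handler keeps whatever domain name arrived in the request instead of always stamping the backend's own domain, and the only validation added in this commit is the one in ipa_auth. Handlers of other providers reached from here would then act on a requester-chosen domain unchecked, so the name is better verified here, against the domains this backend actually serves, before the request is dispatched. A string unpacked from D-Bus is never NULL, so if `pd` is produced by dp_unpack_pam_request (not visible in this hunk) the fallback may never run for an empty name; consider `if (pd->domain == NULL || *pd->domain == '\0') {`. The body of be_pam_handler starts and ends outside the hunk.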
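Review bot: dp_pack_pam_request appends `&(pd->domain)` without checking it, and libdbus requires a non-NULL string for DBUS_TYPE_STRING, so a caller that has not filled in the domain would fail inside dbus_message_append_args rather than at a point where the cause is obvious. Unless the part of the function above the hunk already checks it, a guard before the append such as `if (pd->domain == NULL) return false;` makes the requirement explicit. The matching addition in the dp_unpack_pam_request hunk changes the argument order on the wire, so a one-line comment at both argument lists, e.g. `/* keep in sync with dp_unpack_pam_request() */` and its counterpart, would help keep the two from drifting apart.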
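Review bot: The new check in ipa_auth only compares `pd->domain` with the primary domain name, so for SSS_PAM_ACCT_MGMT any other string, including an empty or unknown one, passes as if it were a subdomain. If the code after the switch does not itself resolve the name against the known subdomains (not visible in this hunk), the check should also reject names that match neither the primary domain nor a configured subdomain. `strcasecmp` dereferences `pd->domain` with no NULL guard, which relies on be_pam_handler having set it on every path that reaches this function. For traceability the denial message could say what was refused, e.g. `("PAM command [%d] is not allowed for domain [%s]\n", pd->cmd, pd->domain)`.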