Diffstat (limited to 'src')
-rw-r--r--src/providers/data_provider_be.c8
-rw-r--r--src/providers/dp_auth_util.c2
-rw-r--r--src/providers/ipa/ipa_auth.c6
3 files changed, 13 insertions, 3 deletions
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 101bd3b2..f550c4ea 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -813,10 +813,12 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn)
}
pd->pam_status = PAM_SYSTEM_ERR;
- pd->domain = talloc_strdup(pd, becli->bectx->domain->name);
if (pd->domain == NULL) {
- talloc_free(be_req);
- return ENOMEM;
+ pd->domain = talloc_strdup(pd, becli->bectx->domain->name);
+ if (pd->domain == NULL) {
+ talloc_free(be_req);
+ return ENOMEM;
+ }
}
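Review bot: The `if (pd->domain == NULL)` fallback likely never triggers for a request that arrived over the bus, because a D-Bus string argument is always a valid pointer and an unset domain would arrive as an empty string at best. As far as the visible lines show, an empty or unexpected name supplied by the peer is kept and handed to the provider unchanged. Consider widening the guard to `if (pd->domain == NULL || pd->domain[0] == '\0') {` so an empty name falls back to the backend's own domain. The rest of be_pam_handler lies outside the hunk, so any later validation of the name is not visible here.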
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index 7c3541b0..9a67564b 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -35,6 +35,7 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd)
db_ret = dbus_message_append_args(msg,
DBUS_TYPE_INT32, &(pd->cmd),
DBUS_TYPE_STRING, &(pd->user),
+ DBUS_TYPE_STRING, &(pd->domain),
DBUS_TYPE_STRING, &(pd->service),
DBUS_TYPE_STRING, &(pd->tty),
DBUS_TYPE_STRING, &(pd->ruser),
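Review bot: The new `DBUS_TYPE_STRING, &(pd->domain)` argument requires pd->domain to be a valid string when dp_pack_pam_request runs, since D-Bus has no representation for a NULL string and the append call does not tolerate one. The start of the function is outside the hunk, so whether an existing check covers this field cannot be seen. If none does, add `if (pd->domain == NULL) return false;` before the append so a caller that never set the domain gets a clean failure. Inserting the field in the middle of the argument list also changes the message signature, so sender and receiver must be built from the same revision.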
@@ -66,6 +67,7 @@ bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx,
db_ret = dbus_message_get_args(msg, dbus_error,
DBUS_TYPE_INT32, &(pd.cmd),
DBUS_TYPE_STRING, &(pd.user),
+ DBUS_TYPE_STRING, &(pd.domain),
DBUS_TYPE_STRING, &(pd.service),
DBUS_TYPE_STRING, &(pd.tty),
DBUS_TYPE_STRING, &(pd.ruser),
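Review bot: The pointer stored in `pd.domain` by dbus_message_get_args refers to memory owned by the message, so it must be duplicated into mem_ctx before the message is released. The diffstat shows only the two argument-list lines changed in this file, and the code that copies the unpacked fields is outside the hunk. Please confirm that the existing copy step already includes `domain`. If the fields are duplicated one by one, this one needs its own `talloc_strdup` with a NULL check alongside the others.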
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index eb62f029..2bd313b3 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -210,6 +210,12 @@ void ipa_auth(struct be_req *be_req)
state->pd = pd;
+ if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0 &&
+ state->pd->cmd != SSS_PAM_ACCT_MGMT) {
+ DEBUG(SSSDBG_OP_FAILURE, ("This operation is not allowed for subdomains!\n"));
+ goto fail;
+ }
+
switch (state->pd->cmd) {
case SSS_PAM_AUTHENTICATE:
state->ipa_auth_ctx = talloc_get_type(
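Review bot: The new guard in ipa_auth treats every name that differs from `be_req->be_ctx->domain->name` as a subdomain, so with `SSS_PAM_ACCT_MGMT` any arbitrary `pd->domain` string passes it. Nothing in the visible lines confirms that the name belongs to a subdomain this backend actually knows; a lookup against the known subdomains before the `switch` would close that gap. The rejection message would also be easier to trace if it named the request, for example `DEBUG(SSSDBG_OP_FAILURE, ("Command [%d] is not allowed for subdomain [%s]\n", state->pd->cmd, pd->domain));`. The `fail` label is outside the hunk, so confirm it reports a denial status to the caller on this path.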