errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
const char *user,
const char *upn)
{
TALLOC_CTX *tmp_ctx;
int ret;
int sret;
const char *attrs[] = {SYSDB_UPN, SYSDB_CANONICAL_UPN, NULL};
struct sysdb_attrs *new_attrs;
struct ldb_result *res;
bool in_transaction = false;
const char *cached_upn;
const char *cached_canonical_upn;
if (sysdb == NULL || user == NULL || upn == NULL) {
return EINVAL;
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
return ENOMEM;
}
ret = sysdb_get_user_attr(tmp_ctx, domain, user, attrs, &res);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_user_attr failed.\n");
goto done;
}
if (res->count != 1) {
DEBUG(SSSDBG_OP_FAILURE, "[%d] user objects for name [%s] found, " \
"expected 1.\n", res->count, user);
ret = EINVAL;
goto done;
}
cached_upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL);
if (cached_upn != NULL && strcmp(cached_upn, upn) == 0) {
DEBUG(SSSDBG_TRACE_ALL, "Cached UPN and new one match, "
"nothing to do.\n");
ret = EOK;
goto done;
}
cached_canonical_upn = ldb_msg_find_attr_as_string(res->msgs[0],
SYSDB_CANONICAL_UPN,
NULL);
if (cached_canonical_upn != NULL
&& strcmp(cached_canonical_upn, upn) == 0) {
DEBUG(SSSDBG_TRACE_ALL, "Cached canonical UPN and new one match, "
"nothing to do.\n");
ret = EOK;
goto done;
}
DEBUG(SSSDBG_TRACE_LIBS, "Replacing canonical UPN [%s] with [%s] " \
"for user [%s].\n",
cached_canonical_upn == NULL ?
"empty" : cached_canonical_upn,
upn, user);
new_attrs = sysdb_new_attrs(tmp_ctx);
if (new_attrs == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
ret = ENOMEM;
goto done;
}
ret = sysdb_attrs_add_string(new_attrs, SYSDB_CANONICAL_UPN, upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
goto done;
}
ret = sysdb_transaction_start(sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Error %d starting transaction (%s)\n", ret, strerror(ret));
goto done;
}
in_transaction = true;
ret = sysdb_set_entry_attr(sysdb, res->msgs[0]->dn, new_attrs,
cached_canonical_upn == NULL ? SYSDB_MOD_ADD :
SYSDB_MOD_REP);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed [%d][%s].\n",
ret, strerror(ret));
goto done;
}
ret = sysdb_transaction_commit(sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to commit transaction!\n");
goto done;
}
in_transaction = false;
ret = EOK;
done:
if (in_transaction) {
sret = sysdb_transaction_cancel(sysdb);
if (sret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
talloc_free(tmp_ctx);
return ret;
}
int LOCAL_pam_handler(struct pam_auth_req *preq)
{
struct LOCAL_request *lreq;
static const char *attrs[] = {SYSDB_NAME,
SYSDB_PWD,
SYSDB_DISABLED,
SYSDB_LAST_LOGIN,
"lastPasswordChange",
"accountExpires",
SYSDB_FAILED_LOGIN_ATTEMPTS,
"passwordHint",
"passwordHistory",
SYSDB_LAST_FAILED_LOGIN,
NULL};
struct ldb_result *res;
const char *username = NULL;
const char *pwdhash = NULL;
char *new_hash = NULL;
const char *password;
struct pam_data *pd = preq->pd;
int ret;
DEBUG(4, ("LOCAL pam handler.\n"));
lreq = talloc_zero(preq, struct LOCAL_request);
if (!lreq) {
return ENOMEM;
}
lreq->dbctx = preq->domain->sysdb;
if (lreq->dbctx == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
talloc_free(lreq);
return ENOENT;
}
lreq->domain = preq->domain;
lreq->ev = preq->cctx->ev;
lreq->preq = preq;
pd->pam_status = PAM_SUCCESS;
ret = sysdb_get_user_attr(lreq, lreq->dbctx, preq->domain,
preq->pd->user, attrs, &res);
if (ret != EOK) {
DEBUG(1, ("sysdb_get_user_attr failed.\n"));
talloc_free(lreq);
return ret;
}
if (res->count < 1) {
DEBUG(4, ("No user found with filter ["SYSDB_PWNAM_FILTER"]\n",
pd->user, pd->user));
pd->pam_status = PAM_USER_UNKNOWN;
goto done;
} else if (res->count > 1) {
DEBUG(4, ("More than one object found with filter ["SYSDB_PWNAM_FILTER"]\n",
pd->user, pd->user));
lreq->error = EFAULT;
goto done;
}
username = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
if (strcmp(username, pd->user) != 0) {
DEBUG(1, ("Expected username [%s] get [%s].\n", pd->user, username));
lreq->error = EINVAL;
goto done;
}
lreq->res = res;
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
case SSS_PAM_CHAUTHTOK_PRELIM:
if ((pd->cmd == SSS_PAM_CHAUTHTOK ||
pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) &&
lreq->preq->cctx->priv == 1) {
/* TODO: maybe this is a candiate for an explicit audit message. */
DEBUG(4, ("allowing root to reset a password.\n"));
break;
}
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Failed to get password.\n"),
lreq->error, ret, done);
pwdhash = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PWD, NULL);
NULL_CHECK_OR_JUMP(pwdhash, ("No password stored.\n"),
lreq->error, LDB_ERR_NO_SUCH_ATTRIBUTE, done);
DEBUG(4, ("user: [%s], password hash: [%s]\n", username, pwdhash));
ret = s3crypt_sha512(lreq, password, pwdhash, &new_hash);
NEQ_CHECK_OR_JUMP(ret, EOK, ("nss_sha512_crypt failed.\n"),
lreq->error, ret, done);
DEBUG(4, ("user: [%s], new hash: [%s]\n", username, new_hash));
if (strcmp(new_hash, pwdhash) != 0) {
DEBUG(1, ("Passwords do not match.\n"));
do_failed_login(lreq);
goto done;
}
break;
}
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
do_successful_login(lreq);
break;
case SSS_PAM_CHAUTHTOK:
do_pam_chauthtok(lreq);
break;
case SSS_PAM_ACCT_MGMT:
do_pam_acct_mgmt(lreq);
break;
case SSS_PAM_SETCRED:
break;
case SSS_PAM_OPEN_SESSION:
break;
case SSS_PAM_CLOSE_SESSION:
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
break;
default:
lreq->error = EINVAL;
DEBUG(1, ("Unknown PAM task [%d].\n"));
}
done:
sss_authtok_set_empty(pd->newauthtok);
sss_authtok_set_empty(pd->authtok);
prepare_reply(lreq);
return EOK;
}
