On Thu, Jun 13, 2013 at 04:40:43PM +0200, Ondrej Kos wrote:
On 06/12/2013 05:51 PM, Jakub Hrozek wrote:
>On Fri, May 24, 2013 at 04:52:49PM +0200, Lukas Slebodnik wrote:
>>ehlo,
>>
>>Commit c6872e79e8496fd075e20aec0343ade99cca725c caused that password migration
>>doesn't work using sssd.
>>
>>If pre authentication failed then we should send message to backend,
>>so password migration could be detected.
>>
>>https://fedorahosted.org/sssd/ticket/1873
>>
>>Patch is attached.
>>
>>LS
>
>Hi,
>
>sorry the review took such a long time. However, this is not the correct
>approach. If you take a look at ipa_auth.c and how the migration is
>performed in src/providers/ipa/ipa_auth.c:
>
>263 if (state->pd->cmd == SSS_PAM_AUTHENTICATE &&
>264 state->pd->pam_status == PAM_CRED_ERR) {
>265
>266 req = get_password_migration_flag_send(state, state->ev,
>
>The migration is attempted if the krb5_auth request returns PAM_CRED_ERR
>as the PAM error. Now the PAM error is converted from an error code the
>Kerberos child process sends to the krb5_auth request in
>krb5_auth_done().
>
>When a user is migrated from LDAP then the authentication would fail
>with KRB5_PREAUTH_FAILED in the krb5_child process and the krb5_child
>would return ERR_AUTH_FAILED (see src/providers/krb5/krb5_child.c:1201).
>
>ERR_AUTH_FAILED is then converted in krb5_auth_done() into PAM_AUTH_ERR.
>
>So I see two options here:
> 1) change the condition in ipa_auth.c from detecting PAM_CRED_ERR to
> detecting PAM_AUTH_ERR. I don't like this because any authentication
> failure would then check the migration flag.
> 2) Add a new ERR_AUTH code, maybe ERR_PREAUTH_FAILED to krb5_child,
> return that instead of ERR_AUTH_FAILED from the krb5_child and
> convert ERR_PREAUTH_FAILED into PAM_CRED_ERR in krb5_auth_done.
>
>BTW to prove this was indeed the root cause, I tested by implementing 1)
>option above:
>
>diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
>index 651196a..03576eb 100644
>--- a/src/providers/ipa/ipa_auth.c
>+++ b/src/providers/ipa/ipa_auth.c
>@@ -261,7 +261,7 @@ static void ipa_auth_handler_done(struct tevent_req *req)
> }
>
> if (state->pd->cmd == SSS_PAM_AUTHENTICATE &&
>- state->pd->pam_status == PAM_CRED_ERR) {
>+ state->pd->pam_status == PAM_AUTH_ERR) {
>
> req = get_password_migration_flag_send(state, state->ev,
>
state->ipa_auth_ctx->sdap_id_ctx,
>
>And the migration worked like a charm.
>_______________________________________________
>sssd-devel mailing list
>sssd-devel(a)lists.fedorahosted.org
>https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>
Hi,
Attached is a patch witch fixes this issue correctly, following Jakub's
second provided option.
The patch works fine, thank you. Some comments about the error code
below:
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1032,8 +1032,8 @@ static void krb5_auth_done(struct tevent_req *subreq)
ret = EOK;
goto done;
- case ERR_AUTH_FAILED:
- state->pam_status = PAM_AUTH_ERR;
+ case ERR_PREAUTH_FAILED:
+ state->pam_status = PAM_CRED_ERR;
state->dp_err = DP_ERR_OK;
we want to keep both cases here, ERR_AUTH_FAILED is still returned if
authentication fails with wrong password.
ret = EOK;
goto done;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8f746a8db561928349ffed8b7434db2a113a1f86..dc1f06dd1e86954ca1f4c90e97d9eb95022e07fd
100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1174,7 +1174,7 @@ static errno_t map_krb5_error(krb5_error_code kerr)
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
BAD_INTEGRITY should still return AUTH_FAILED.
case KRB5_PREAUTH_FAILED:
case KRB5KDC_ERR_PREAUTH_FAILED:
- return ERR_AUTH_FAILED;
+ return ERR_PREAUTH_FAILED;
default:
return ERR_INTERNAL;
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index b617f540691a245d1132469a1f019bcb0eb6e775..096ac532fc7b9c8deb025ef9e948bc04ed0e0959
100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -35,6 +35,7 @@ struct err_string error_to_str[] = {
{ "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
{ "Authentication Denied" }, /* ERR_AUTH_DENIED */
{ "Authentication Failed" }, /* ERR_AUTH_FAILED */
I know I suggested ERR_PREAUTH_FAILED but now I'm thinking it might not
be the best code, because it's too Kerberos specific. So what about
using more generic ERR_CRED_INVALID ?
+ { "Preauthentication Failed"}, /* ERR_PREAUTH_FAILED
*/
{ "Password Change Denied" }, /* ERR_CHPASS_DENIED */
{ "Password Change Failed" }, /* ERR_CHPASS_FAILED */
{ "Network I/O Error" }, /* ERR_NETWORK_IO */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index a602a6ea92f72a51f5e21342940b2072bbe9296d..2143774c3a2113e5ad372aa97770220c4cf3f859
100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -57,6 +57,7 @@ enum sssd_errors {
ERR_CACHED_CREDS_EXPIRED,
ERR_AUTH_DENIED,
ERR_AUTH_FAILED,
+ ERR_PREAUTH_FAILED,
The new error code would have to be updated here, too.
ERR_CHPASS_DENIED,
ERR_CHPASS_FAILED,
ERR_NETWORK_IO,
--
1.8.1.4