From cb7e16f9fbb989d06b6b01e0a21e69a749dffa08 Mon Sep 17 00:00:00 2001
From: Pete Fritchman
Date: Mar 14 2014 13:12:30 +0000
Subject: PAM: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek
(cherry picked from commit d987dba42894aceff106d557b13812092028cc29)
---
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index 954f696..e42cb2d 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -37,6 +37,9 @@ retry=N + + ignore_unknown_user +
@@ -103,6 +106,16 @@ . + + + + + + If this option is specified and the user does not + exist, the PAM module will return PAM_IGNORE. This causes + the PAM framework to ignore this module. + +
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 3734c8f..4ff38f2 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -52,6 +52,7 @@
 #define FLAGS_USE_FIRST_PASS (1 << 0)
 #define FLAGS_FORWARD_PASS (1 << 1)
 #define FLAGS_USE_AUTHTOK (1 << 2)
+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1292,6 +1293,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
 }
 } else if (strcmp(*argv, "quiet") == 0) {
 *quiet_mode = true;
+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
+ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
 } else {
 logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
 }
@@ -1429,6 +1432,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 ret = get_pam_items(pamh, &pi);
 if (ret != PAM_SUCCESS) {
 D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ ret = PAM_IGNORE;
+ }
 return ret;
 }
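Review bot: The new check in the get_pam_items error path turns every PAM_USER_UNKNOWN into PAM_IGNORE, but that code can presumably also come from failing to obtain a user name at all (get_pam_items is outside the hunk; confirm whether it returns PAM_USER_UNKNOWN for an empty or missing PAM_USER item), which is a conversation failure rather than the "user does not exist" case the man page text describes. If so, a request carrying no user name would now silently fall through this module instead of failing; either keep the plain error return for that case or document it, e.g. `/* ignore_unknown_user also covers a missing/empty PAM_USER item */`. On style, `flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN` relies on `&` binding tighter than `&&`; `if ((flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN)` makes the intent explicit. A security caveat is also worth recording for operators: once this module returns PAM_IGNORE, the decision for an unknown user rests entirely on the remaining modules in the stack and on how the PAM library treats a stack with no decisive result, so the option should be enabled only where a later module is known to reject such users. The enclosing pam_sss function starts before this hunk and continues after it.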
@@ -1467,6 +1473,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ && pam_status == PAM_USER_UNKNOWN) {
+ pam_status = PAM_IGNORE;
+ }
+
 switch (task) {
 case SSS_PAM_AUTHENTICATE:
 /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during