From 6711f86f7a4e59e9dfa8e7a1a5dd85bba9aacba4 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Apr 21 2017 09:33:17 +0000
Subject: sssd: do not write SSSD PAM if there is no sssd.conf present

The expectation of authconfig is to write sssd.conf only if there is no domain present and the authconfig options imply an implicit SSSD configuration. In this case, the authconfig writes a default domain into the sssd.conf to create a vlid configuration. However, we broke this behaviour by introducing writeSSSDPam to write smartcard options into sssd.conf and we end up creating an invalid sssd.conf when the file did not exist and this is not an implicit configuration. Now, if the file does not exist and authconfig does not create a domain (implicit configuration) we do not write the options into sssd.conf to comply with expected behaviour of previous version. If the file does exist we write the PAM option in every case so the administrator can use authconfig to enable and disable smartcard support for sssd.
---
diff --git a/authinfo.py b/authinfo.py
index 510e6d5..35f967e 100644
--- a/authinfo.py
+++ b/authinfo.py
@@ -1341,6 +1341,7 @@ class AuthInfo:
 self.sssdConfig = None
 self.sssdDomain = None
 self.forceSSSDUpdate = None
+ self.sssdConfigPresent = False
 if SSSDConfig:
 try:
 self.sssdConfig = SSSDConfig.SSSDConfig()
@@ -1804,6 +1805,7 @@ class AuthInfo:
 self.sssdConfig = SSSDConfig.SSSDConfig()
 try:
 self.sssdConfig.import_config(all_configs[CFG_SSSD].origPath)
+ self.sssdConfigPresent = True
 except (IOError, SSSDConfig.ParsingError):
 self.sssdConfig = SSSDConfig.SSSDConfig()
 self.sssdConfig.new_config()
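Review bot: `self.sssdConfigPresent = True` is set only after `import_config` returns, so a file that exists but cannot be read (an IOError other than a missing file) or that fails to parse (ParsingError) leaves the flag False and, via the except branch, replaces the loaded config with an empty `new_config()`; the attribute name suggests a plain existence check. A comment at the assignment would stop the next reader from treating it that way: `# set only when an existing sssd.conf was parsed; a missing, unreadable or malformed file all leave it False`. If the intent is that a malformed administrator-written sssd.conf is never overwritten by the non-implicit path, that now rests on the flag staying False here and is worth stating in the same comment. The enclosing method starts and ends outside the hunk.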
@@ -3109,9 +3111,14 @@ class AuthInfo:
 domain.remove_provider(subtype)
 domain.add_provider(newprovider, subtype)
- def writeSSSDPAM(self):
+ def writeSSSDPAM(self, write_config):
 if not self.sssdConfig:
 return True
+
+ if not self.sssdConfigPresent and not self.implicitSSSD:
+ # do not write to sssd.conf since the file does not exist yet and
+ # we are not creating the domain ourselves
+ return True
 try:
 pam = self.sssdConfig.get_service('pam')
@@ -3127,10 +3134,11 @@ class AuthInfo:
 pass
 self.sssdConfig.save_service(pam)
- try:
- self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
- except IOError:
- pass
+ if write_config:
+ try:
+ self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
+ except IOError:
+ pass
 return True
@@ -3139,8 +3147,9 @@ class AuthInfo:
 return True
 all_configs[CFG_SSSD].backup(self.backupDir)
-
- self.writeSSSDPAM()
+
+ # do not write to the file yet since we will write all changes at ones
+ self.writeSSSDPAM(False)
 if not self.sssdDomain:
 if not self.implicitSSSD:
@@ -3151,7 +3160,7 @@ class AuthInfo:
 except SSSDConfig.DomainAlreadyExistsError:
 self.sssdDomain = self.sssdConfig.get_domain(SSSD_AUTHCONFIG_DOMAIN)
 domain = self.sssdDomain
-
+
 try:
 self.sssdConfig.get_service('autofs')
 except SSSDConfig.NoServiceError:
@@ -3916,7 +3925,7 @@ class AuthInfo:
 if self.implicitSSSD or self.implicitSSSDAuth:
 ret = ret and self.writeSSSD()
 elif self.enableSSSDAuth:
- ret = ret and self.writeSSSDPAM()
+ ret = ret and self.writeSSSDPAM(True)
 ret = ret and self.writeNSS()
 ret = ret and self.writePAM()
 ret = ret and self.writeSysconfig()
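Review bot: `write_config` on `def writeSSSDPAM(self, write_config):` has no default, so any caller of the old zero-argument form that this commit did not update (if one exists) now fails with a TypeError; `def writeSSSDPAM(self, write_config=True):` keeps the previous call shape valid and leaves `self.writeSSSDPAM(False)` in writeSSSD as the only call that needs an explicit argument. The added early return also yields True, the same value as a completed write, so the `ret = ret and self.writeSSSDPAM(True)` caller in the last hunk cannot distinguish "pam options written" from "skipped because sssd.conf does not exist", and an administrator enabling smartcard support gets a success status with no file change. A docstring should make both facts explicit: that True is returned whether or not the pam service was touched, and that write_config only decides whether the config is flushed to disk here or left for the caller to write. writeSSSDPAM's body continues past the hunk.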
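Review bot: The new comment `# do not write to the file yet since we will write all changes at ones` has a typo; `# do not write to the file yet since we will write all changes at once` reads as intended. Separately, writeSSSD is entered when `self.implicitSSSD or self.implicitSSSDAuth` (last hunk) while the skip guard in writeSSSDPAM tests only `self.implicitSSSD`, so on the implicitSSSDAuth-only path with no sssd.conf the pam options are dropped before the domain code below runs; if that path is meant to create the file, the guard should presumably also consider implicitSSSDAuth, and if not, a one-line comment at this call saying the skip is intentional would help. writeSSSD's body continues outside the hunk, so I cannot see how the implicitSSSDAuth-only case proceeds.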