From a87658e5382a6ad119058d22b118a29eaae7a365 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Feb 16 2018 19:53:13 +0000
Subject: krb5: call krb5_auth_cache_creds() if a password is available

The delayed online authentication feature is only available for password authentication and krb5_auth_cache_creds() should only be called if a password is available. Otherwise the error coded returned by krb5_auth_cache_creds() will prevent proper offline authentication with other methods e.g. Smartcard authentication.

Resolves: https://pagure.io/SSSD/sssd/issue/3564

Reviewed-by: Lukáš Slebodník

---

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 03ea9d8..d40d2af 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -253,17 +253,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
     const char *password = NULL;
     errno_t ret;
 
-    if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Delayed authentication is only available for password "
-              "authentication (single factor).\n");
-        return;
-    }
-
     ret = sss_authtok_get_password(pd->authtok, &password, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE,
-              "Failed to get password [%d] %s\n", ret, strerror(ret));
+              "Failed to get password [%d] %s. Delayed authentication is only "
+              "available for password authentication (single factor).\n",
+              ret, strerror(ret));
         *pam_status = PAM_SYSTEM_ERR;
         *dp_err = DP_ERR_OK;
         return;
@@ -1138,7 +1133,9 @@ static void krb5_auth_done(struct tevent_req *subreq)
 
     if (kr->is_offline) {
         if (dp_opt_get_bool(kr->krb5_ctx->opts,
-                            KRB5_STORE_PASSWORD_IF_OFFLINE)) {
+                            KRB5_STORE_PASSWORD_IF_OFFLINE)
+            && sss_authtok_get_type(pd->authtok)
+               == SSS_AUTHTOK_TYPE_PASSWORD) {
             krb5_auth_cache_creds(state->kr->krb5_ctx,
                                   state->domain,
                                   state->be_ctx->cdb,
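Review bot: With the authtok type check removed, krb5_auth_cache_creds() no longer protects itself against a non-password token; a caller that reaches it with any other token type now gets `*pam_status = PAM_SYSTEM_ERR` and a SSSDBG_FATAL_FAILURE log where the old code returned quietly at MINOR_FAILURE, so the precondition has silently moved to the callers. That contract deserves a comment above the function, e.g. `/* Caller must only invoke this when pd->authtok is SSS_AUTHTOK_TYPE_PASSWORD; any other token type is reported as PAM_SYSTEM_ERR rather than skipped. */`. Whether sss_authtok_get_password() refuses a 2FA token (which also carries a password component) is not visible here, so the "single factor" claim in the new message should be confirmed against that helper before relying on it to keep 2FA credentials out of the offline cache. The function's signature and the remainder of its body lie outside this hunk.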
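Review bot: The new guard in krb5_auth_done() is awkward to read: the `&&` operand is wrapped over three lines at a different indent from the `dp_opt_get_bool()` call it joins, and the reason for the type check is stated nowhere near it. Hoisting it into a named flag gives the offline branch one place to document the rule: `bool cache_pw = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE) && sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSWORD;` followed by `if (cache_pw) { /* delayed online auth only works with a plain password */` (assuming `bool` is already in scope in this file, as it appears to be elsewhere in sssd). What `pam_status` the offline path ends with when the token is not a password is not visible in this hunk, so it is worth confirming that it is the value the smartcard path expects rather than one left over from the failed online attempt. krb5_auth_done() begins and ends outside the hunk.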