# HG changeset patch

# User Tomas Mraz <tmraz@redhat.com>

# Date 1427477516 -3600

#      Fri Mar 27 18:31:56 2015 +0100

# Node ID 8c4cdeb97a91c7b959234eccc6ad216691529c3d

# Parent  93a10a7118a58f3fe0d8d8f7c4e81fed57f29c15

Support pam_sss.so prompting for password for non-local users.

See bug 1195817

diff -r 93a10a7118a5 -r 8c4cdeb97a91 authinfo.py

--- a/authinfo.py	Fri Mar 27 16:16:53 2015 +0100

+++ b/authinfo.py	Fri Mar 27 18:31:56 2015 +0100

@@ -136,6 +136,7 @@

 LOGIC_SKIPNEXT = "[success=1 default=ignore]"

 LOGIC_SKIPNEXT3 = "[success=3 default=ignore]"

 LOGIC_ALWAYS_SKIP = "[default=1]"

+LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 success=ok]"

 # Snip off line terminators and final whitespace from a passed-in string.

 def snipString(s):

@@ -464,6 +465,8 @@

 	 "permit",		[]],

 	[False,  AUTH,          LOGIC_SUFFICIENT,

 	 "fprintd",		[]],

+	[False, AUTH,		LOGIC_SKIPNEXT_ON_FAILURE,

+	 "localuser",		[]],

 	[True,  AUTH,		LOGIC_SUFFICIENT,

 	 "unix",		argv_unix_auth],

 	[False, AUTH,		LOGIC_REQUISITE,

@@ -587,6 +590,8 @@

 	 "env",			[]],

 	[False, AUTH,		LOGIC_REQUIRED,

 	 "deny",		[]],

+	[False, AUTH,		LOGIC_SKIPNEXT_ON_FAILURE,

+	 "localuser",		[]],

 	[True,  AUTH,		LOGIC_SUFFICIENT,

 	 "unix",		argv_unix_auth],

 	[False, AUTH,		LOGIC_REQUISITE,

@@ -3814,6 +3819,10 @@

 						argv = module[ARGV][0:] # shallow copy

 						argv[1] = self.uidMin

 						args = " ".join(argv)

+			# do not continue to following modules if authentication fails

+			if name == "unix" and stack == "auth" and (self.enableSSSDAuth or

+				self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS):

+				logic = LOGIC_FORCE_PKCS11 # make it or break it logic

 			# use oddjob_mkhomedir if available

 			if name == "mkhomedir" and os.access("%s/pam_%s.so"

 				% (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):

@@ -3841,6 +3850,8 @@

 				args = self.mkhomedirArgs

 			if name == "systemd":

 				args = self.systemdArgs

+			if name == "sss" and stack == "auth" and not self.enableNIS:

+				args = "forward_pass"

 			if not args and module[ARGV]:

 				args = " ".join(module[ARGV])

 			if name == "winbind" and self.winbindOffline and stack != "password":

@@ -3945,7 +3956,9 @@

 					(self.enablePasswdQC and module[NAME] == "passwdqc") or

 					(self.enableWinbindAuth and module[NAME] == "winbind") or

 					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or

-					(self.enableLocAuthorize and module[NAME] == "localuser") or

+					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and

+						(not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or

+					(self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or

 					(self.enablePAMAccess and module[NAME] == "access") or

 					(self.enableMkHomeDir and module[NAME] == "mkhomedir") or

 					(not self.enableSysNetAuth and module[STACK] == AUTH and