From daved@jabber.net.tamu.edu  Tue Jan 25 19:57:49 2005
Return-Path: <daved@jabber.net.tamu.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6742316A4ED
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 25 Jan 2005 19:57:49 +0000 (GMT)
Received: from jabber.net.tamu.edu (jabber.net.tamu.edu [165.91.22.148])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0B86743D54
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 25 Jan 2005 19:57:49 +0000 (GMT)
	(envelope-from daved@jabber.net.tamu.edu)
Received: from jabber.net.tamu.edu (localhost [127.0.0.1])
	by jabber.net.tamu.edu (8.13.1/8.13.1) with ESMTP id j0PJvk8c051311
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 25 Jan 2005 13:57:46 -0600 (CST)
	(envelope-from daved@jabber.net.tamu.edu)
Received: (from root@localhost)
	by jabber.net.tamu.edu (8.13.1/8.13.1/Submit) id j0PJvkZM051310;
	Tue, 25 Jan 2005 13:57:46 -0600 (CST)
	(envelope-from daved)
Message-Id: <200501251957.j0PJvkZM051310@jabber.net.tamu.edu>
Date: Tue, 25 Jan 2005 13:57:46 -0600 (CST)
From: David Duchscher <daved@tamu.edu>
Reply-To: David Duchscher <daved@tamu.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Allow pam_krb5 to authenticate no local users for other services.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76678
>Category:       kern
>Synopsis:       [libpam] [patch] Allow pam_krb5 to authenticate no local users for other services.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dfr
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 25 20:00:45 GMT 2005
>Closed-Date:    
>Last-Modified:  Tue Aug  7 06:50:01 UTC 2012
>Originator:     David Duchscher
>Release:        FreeBSD 5.3-RELEASE-p4 i386
>Organization:
Texas A&M University
>Environment:
System: FreeBSD jabber.net.tamu.edu 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #0: Fri Jan 7 15:28:40 UTC 2005 root@jabber.net.tamu.edu:/usr/obj/usr/src/sys/GENERIC i386


>Description:

	Many services (web, jabber, etc) have the ability to
	authenticate via pam.  The pam_krb5 module will only allow
	authentication if a user is in the local password file.
	It would be nice if the pam_krb5 module had the ability to
	turn this requirement off.

	For your consideration, I have included a patch that allows
	the local user requirement to be removed so other services
	that have no need for a local account can use the pam_krb5
	module.

>How-To-Repeat:
	
>Fix:

--- pam_krb5.c.orig	Tue Feb 10 10:13:20 2004
+++ pam_krb5.c	Sun Jan  9 23:58:36 2005
@@ -89,6 +89,7 @@
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
+#define PAM_OPT_NO_USER_CHECK	"no_user_check"
 
 /*
  * authentication management
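Review bot: the new no_user_check option defined here is undocumented, since this patch changes only pam_krb5.c. Add an entry to pam_krb5(8) stating that the option skips the local account lookup, so administrators know that a service using it must do its own authorization of the authenticated principal. As a style point, the neighbouring option macros are in alphabetical order, so PAM_OPT_NO_USER_CHECK belongs between PAM_OPT_NO_CCACHE and PAM_OPT_REUSE_CCACHE.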
@@ -213,11 +214,13 @@
 		PAM_LOG("PAM_USER Redone");
 	}
 
-	pwd = getpwnam(user);
-	if (pwd == NULL) {
-		retval = PAM_USER_UNKNOWN;
-		goto cleanup2;
-	}
+	if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+	        pwd = getpwnam(user);
+	        if (pwd == NULL) {
+		        retval = PAM_USER_UNKNOWN;
+		        goto cleanup2;
+	        }
+        }
 
 	PAM_LOG("Done getpwnam()");
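Review bot: with no_user_check set, pwd is never assigned here, because the getpwnam() call now sits entirely inside the new if block. Any code later in the function that reads pwd (not visible in this hunk) needs a NULL guard, and pwd should be initialised to NULL at its declaration so that such a guard is reliable. The added lines are also indented with a tab followed by spaces, and the closing brace with spaces only; use tabs as the surrounding code does.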
 
>Release-Note:
>Audit-Trail:

From: Mark Linimon <linimon@lonesome.com>
To: David Duchscher <daved@tamu.edu>
Cc: FreeBSD-gnats-submit@FreeBSD.org, <freebsd-bugs@FreeBSD.org>
Subject: Re: misc/76678: Allow pam_krb5 to authenticate no local users for
 other services.
Date: Tue, 25 Jan 2005 14:05:43 -0600 (CST)

 Does this apply to the port, or the base system, or ... ?
 
 mcl
 
 
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Tue Jan 25 20:44:19 GMT 2005 
Responsible-Changed-Why:  
Grab ownership of this as I've recently been frobbing pam_krb5 and am 
happy to take a look. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=76678 

From: Andrew Thompson <andy@fud.org.nz>
To: bug-followup@FreeBSD.org, daved@tamu.edu, rwatson@FreeBSD.org
Cc:  
Subject: Re: misc/76678: Allow pam_krb5 to authenticate no local users for other services.
Date: Tue, 17 May 2005 13:57:38 +1200

 I have tested this using pam_krb5 to authenticate radius users with
 no local account and it works well. 
 
 I am very keen to see this committed.
 

From: David Duchscher <daved@tamu.edu>
To: bug-followup@FreeBSD.org, David Duchscher <daved@tamu.edu>
Cc:  
Subject: Re: kern/76678: Allow pam_krb5 to authenticate no local users for other services.
Date: Sat, 2 Jul 2005 20:08:02 -0500

 System, /usr/src/lib/libpam/modules/pam_krb5/pam_krb5.c
 
 --
 DaveD
 
Responsible-Changed-From-To: rwatson->dfr 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sun Aug 3 16:11:10 UTC 2008 
Responsible-Changed-Why:  
Assign to Doug, who has most recently worked with Kerberos. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76678 

From: Martin Schweizer <schweizer.martin@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: kern/76678 not in base system
Date: Thu, 3 Sep 2009 13:56:32 GMT

 >Submitter-Id:	current-users
 >Originator:	Martin Schweizer
 >Organization:	
 >Confidential:	no
 >Synopsis:	kern/76678 not in base system
 >Severity:	serious
 >Priority:	low
 >Category:	kern
 >Class:		change-request
 >Release:	FreeBSD 7.2-RELEASE
 >Environment:	FreeBSD acsvfbsd06.acutronic.ch 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu Jun 11 16:16:57 CEST 2009  martin@acsvfbsd06.acutronic.ch:/usr/obj/usr/src/sys/GENERIC  amd64
 >Description:
 The above patch has not been implemented in the base system until now. The full description can be found under kern/76678. For use in a mail server environment with a central Kerberos server (in our case a Windows domain) it is an important patch. I suppose I'm not the only one... 
 Thank you in advance. 
 >How-To-Repeat:
 
 >Fix:
 
 

From: Martin Schweizer <schweizer.martin@gmail.com>
To: daved@tamu.edu, bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/76678: [libpam] [patch] Allow pam_krb5 to authenticate no 
	local users for other services.
Date: Fri, 4 Sep 2009 08:13:36 +0200

 Hello
 
 Sorry for annoying. Since I did not get a confirmation mail from GNATS,
 I'm not sure that my PR, which I sent regarding this PR, has arrived.
 Did it?
 
 Regards,
 
 
 -- 
 Martin Schweizer
 schweizer.martin@gmail.com
 Tel.: +41 32 512 48 54 (VoIP)
 Fax: +1 619 3300587

From: Martin Schweizer <office@pc-service.ch>
To: bug-followup@FreeBSD.org, daved@tamu.edu
Cc:  
Subject: Re: kern/76678: [libpam] [patch] Allow pam_krb5 to authenticate no
 local users for other services.
Date: Wed, 16 Dec 2009 18:07:29 +0100

 PAM/Kerberos5: Some users which can not authenticate
 
 17:53:59 CEST 2009
 martin@acsvfbsd06.acutronic.ch:/usr/obj/usr/src/sys/GENERIC  amd64
 
 Hello
 
 I use saslauthd (with -a pam) for authentication against Windows 2003
 Active Directory. In the PAM files I use the module pam_krb5. So far all
 works. In some rare cases this topology does not work. By trial and error
 I found out that the problem is the module pam_krb5. The problem is that
 some users cannot authenticate (I tried this also with testsaslauth
 intensively). To solve the problem I have to use saslauthd with -a
 kerberos5, then all works as expected. I have no idea where I can look
 or how I can get more additional debug information.
 
 I did this post as a follow-up because it's the same module as the
 previous post describes.
 
 Regards,
 
 -- 
 Martin Schweizer
 
 PC-Service M. Schweizer GmbH; Bannholzstrasse 6; Postfach 132;
 CH-8608 Bubikon; Tel. +41 55 243 30 00; Fax: +41 55 243 33 22;
 http://www.pc-service.ch
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/76678: commit references a PR
Date: Sun,  5 Aug 2012 13:40:46 +0000 (UTC)

 Author: dfr
 Date: Sun Aug  5 13:40:35 2012
 New Revision: 239062
 URL: http://svn.freebsd.org/changeset/base/239062
 
 Log:
   Add an option for pam_krb5 to allow it to authenticate users which don't have
   a local account.
   
   PR:		76678
   Submitted by:	daved at tamu.edu
   MFC after:	2 weeks
 
 Modified:
   head/lib/libpam/modules/pam_krb5/pam_krb5.c
 
 Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
 ==============================================================================
 --- head/lib/libpam/modules/pam_krb5/pam_krb5.c	Sun Aug  5 13:38:15 2012	(r239061)
 +++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	Sun Aug  5 13:40:35 2012	(r239062)
 @@ -91,6 +91,7 @@ static void	compat_free_data_contents(kr
  #define PAM_OPT_NO_CCACHE	"no_ccache"
  #define PAM_OPT_NO_USER_CHECK	"no_user_check"
  #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 +#define PAM_OPT_NO_USER_CHECK	"no_user_check"
  
  #define	PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...)				\
  	do {								\
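Review bot: the added #define PAM_OPT_NO_USER_CHECK duplicates the identical definition that already appears two lines above it as unchanged context in this hunk. An identical redefinition compiles cleanly, but the second copy is redundant; drop the + line and keep the existing definition, which is already in alphabetical position.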
 @@ -218,10 +219,12 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  			PAM_LOG("PAM_USER Redone");
  		}
  
 -		pwd = getpwnam(user);
 -		if (pwd == NULL) {
 -			retval = PAM_USER_UNKNOWN;
 -			goto cleanup2;
 +		if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
 +			pwd = getpwnam(user);
 +			if (pwd == NULL) {
 +				retval = PAM_USER_UNKNOWN;
 +				goto cleanup2;
 +			}
  		}
  
  		PAM_LOG("Done getpwnam()");
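Review bot: PAM_LOG("Done getpwnam()") after the new block is still emitted when no_user_check is set and getpwnam() was never called, which makes debug traces misleading when working out why a user without a local account was accepted. Move the log call inside the if block, or log separately that the local user check was skipped.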
 
>Unformatted:
