1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

Pam prompt for Pin if hello enrolled and enabled

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This commit is contained in:
David Mulder 2024-08-05 13:05:52 -06:00
parent 948d0fcfe1
commit e3715ba548

View File

@ -72,20 +72,33 @@ pub(crate) enum AuthSession {
impl Resolver { impl Resolver {
pub(crate) fn pam_auth_init( pub(crate) fn pam_auth_init(
&self, &mut self,
account_id: &str, account_id: &str,
) -> Result<(AuthSession, Response), Box<NTSTATUS>> { ) -> Result<(AuthSession, Response), Box<NTSTATUS>> {
let auth_session = AuthSession::InProgress { let auth_session = AuthSession::InProgress {
account_id: account_id.to_string(), account_id: account_id.to_string(),
cred_handler: AuthCredHandler::None, cred_handler: AuthCredHandler::None,
}; };
// TODO: Check for Hello Key in the Cache let hello_key = self.pcache.loadable_hello_key_fetch(account_id);
// Skip Hello authentication if it is disabled by config
// Send a password request to the client let hello_enabled =
Ok(( self.lp.himmelblaud_hello_enabled().map_err(|e| {
auth_session, DBG_ERR!("{:?}", e);
Response::PamAuthStepResponse(PamAuthResponse::Password), Box::new(NT_STATUS_LOGON_FAILURE)
)) })?;
if !self.is_domain_joined() || hello_key.is_none() || !hello_enabled {
// Send a password request to the client
Ok((
auth_session,
Response::PamAuthStepResponse(PamAuthResponse::Password),
))
} else {
// Send a pin request to the client
Ok((
auth_session,
Response::PamAuthStepResponse(PamAuthResponse::Pin),
))
}
} }
pub(crate) async fn pam_auth_step( pub(crate) async fn pam_auth_step(
@ -96,7 +109,7 @@ impl Resolver {
) -> Result<Response, Box<NTSTATUS>> { ) -> Result<Response, Box<NTSTATUS>> {
macro_rules! enroll_and_obtain_enrolled_token { macro_rules! enroll_and_obtain_enrolled_token {
($token:ident) => {{ ($token:ident) => {{
if !self.is_domain_joined().await { if !self.is_domain_joined() {
DBG_DEBUG!("Device is not enrolled. Enrolling now."); DBG_DEBUG!("Device is not enrolled. Enrolling now.");
self.join_domain(&$token) self.join_domain(&$token)
.await .await
@ -754,7 +767,7 @@ impl Resolver {
} }
} }
async fn is_domain_joined(&mut self) -> bool { fn is_domain_joined(&mut self) -> bool {
/* If we have access to tpm keys, and the domain device_id is /* If we have access to tpm keys, and the domain device_id is
* configured, we'll assume we are domain joined. */ * configured, we'll assume we are domain joined. */
let device_id = self.pcache.device_id(&self.realm); let device_id = self.pcache.device_id(&self.realm);