Pam prompt for Pin if hello enrolled and enabled
Signed-off-by: David Mulder <dmulder@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
parent
948d0fcfe1
commit
e3715ba548
@ -72,20 +72,33 @@ pub(crate) enum AuthSession {
|
|||||||
|
|
||||||
impl Resolver {
|
impl Resolver {
|
||||||
pub(crate) fn pam_auth_init(
|
pub(crate) fn pam_auth_init(
|
||||||
&self,
|
&mut self,
|
||||||
account_id: &str,
|
account_id: &str,
|
||||||
) -> Result<(AuthSession, Response), Box<NTSTATUS>> {
|
) -> Result<(AuthSession, Response), Box<NTSTATUS>> {
|
||||||
let auth_session = AuthSession::InProgress {
|
let auth_session = AuthSession::InProgress {
|
||||||
account_id: account_id.to_string(),
|
account_id: account_id.to_string(),
|
||||||
cred_handler: AuthCredHandler::None,
|
cred_handler: AuthCredHandler::None,
|
||||||
};
|
};
|
||||||
// TODO: Check for Hello Key in the Cache
|
let hello_key = self.pcache.loadable_hello_key_fetch(account_id);
|
||||||
|
// Skip Hello authentication if it is disabled by config
|
||||||
// Send a password request to the client
|
let hello_enabled =
|
||||||
Ok((
|
self.lp.himmelblaud_hello_enabled().map_err(|e| {
|
||||||
auth_session,
|
DBG_ERR!("{:?}", e);
|
||||||
Response::PamAuthStepResponse(PamAuthResponse::Password),
|
Box::new(NT_STATUS_LOGON_FAILURE)
|
||||||
))
|
})?;
|
||||||
|
if !self.is_domain_joined() || hello_key.is_none() || !hello_enabled {
|
||||||
|
// Send a password request to the client
|
||||||
|
Ok((
|
||||||
|
auth_session,
|
||||||
|
Response::PamAuthStepResponse(PamAuthResponse::Password),
|
||||||
|
))
|
||||||
|
} else {
|
||||||
|
// Send a pin request to the client
|
||||||
|
Ok((
|
||||||
|
auth_session,
|
||||||
|
Response::PamAuthStepResponse(PamAuthResponse::Pin),
|
||||||
|
))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) async fn pam_auth_step(
|
pub(crate) async fn pam_auth_step(
|
||||||
@ -96,7 +109,7 @@ impl Resolver {
|
|||||||
) -> Result<Response, Box<NTSTATUS>> {
|
) -> Result<Response, Box<NTSTATUS>> {
|
||||||
macro_rules! enroll_and_obtain_enrolled_token {
|
macro_rules! enroll_and_obtain_enrolled_token {
|
||||||
($token:ident) => {{
|
($token:ident) => {{
|
||||||
if !self.is_domain_joined().await {
|
if !self.is_domain_joined() {
|
||||||
DBG_DEBUG!("Device is not enrolled. Enrolling now.");
|
DBG_DEBUG!("Device is not enrolled. Enrolling now.");
|
||||||
self.join_domain(&$token)
|
self.join_domain(&$token)
|
||||||
.await
|
.await
|
||||||
@ -754,7 +767,7 @@ impl Resolver {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn is_domain_joined(&mut self) -> bool {
|
fn is_domain_joined(&mut self) -> bool {
|
||||||
/* If we have access to tpm keys, and the domain device_id is
|
/* If we have access to tpm keys, and the domain device_id is
|
||||||
* configured, we'll assume we are domain joined. */
|
* configured, we'll assume we are domain joined. */
|
||||||
let device_id = self.pcache.device_id(&self.realm);
|
let device_id = self.pcache.device_id(&self.realm);
|
||||||
|
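Review bot: In the first hunk, `pam_auth_init` loads the Hello key from the cache before consulting `himmelblaud_hello_enabled()`, so the key is fetched even when Hello is disabled by config and is then discarded after the `is_none()` test; moving the fetch below the `hello_enabled` binding and writing it as `let hello_key = if hello_enabled { self.pcache.loadable_hello_key_fetch(account_id) } else { None };` keeps the disabled path from touching the key cache at all. The fetched key is also not carried into `AuthSession::InProgress` (its `cred_handler` stays `AuthCredHandler::None`), so presumably `pam_auth_step` has to re-derive whether a PIN or a password was requested; if the session type has a variant for that, recording the decision here would keep the two in step, which is worth confirming against `pam_auth_step`, whose body lies mostly outside the hunk. The new behaviour is not documented on the function; a doc comment such as `/// Starts a PAM auth conversation: requests the Hello PIN when the device is domain-joined, Hello is enabled in config and a Hello key is cached for account_id, otherwise requests a password; fails with NT_STATUS_LOGON_FAILURE if the Hello config cannot be read.` would tell callers why a config read error is treated as a logon failure rather than a fallback to password.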