
How can I query sssd via PAM in a C program?

I'm playing around with PAM authentication using a small C program:

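#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    pam_handle_t* pamh = NULL;
    struct pam_conv pamc;
    int rc;

    /* misc_conv: text-mode conversation function from libpam_misc */
    pamc.conv = &misc_conv;
    pamc.appdata_ptr = NULL;
    /* first argument is the PAM service name */
    rc = pam_start("su", getenv("USER"), &pamc, &pamh);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "pam_start failed!\n");
        return 1;
    }
    rc = pam_authenticate(pamh, 0);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "Auth failed!\n");
    } else {
        fprintf(stderr, "Auth succeeded!\n");
    }
    pam_end(pamh, rc);
    return 0;
}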

Two kinds of users have access on my system, those created in the local shadow db, and those who traverse a configured sssd process to authenticate with LDAP against a remote active directory.

I've configured sssd to plug into PAM, which I'm able to confirm via a number of logs on the system and debug output from sssd, but the above program only works for local users. Users that would require authentication against sss get a PAM_AUTH_ERROR back from pam_authenticate whether they enter the correct credentials or not.

I'm surely missing something obvious. How can I access sss via PAM in a C program?

According to

pam_start("su", getenv("USER"), &pamc, &pamh);
          ^^^^

you are using the su PAM service.

On a typical default configuration, the su PAM stack might not be configured to use the pam_sss responder.

Possible solutions:

  • If using su is appropriate for your application, update /etc/pam.d/su to use pam_sss.

  • Use a different PAM service that is already configured to use pam_sss; login for example.

  • Create a dedicated PAM service for your app in /etc/pam.d/<service-name>
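
One way to check the answer's diagnosis before changing anything, as an added example that is not part of the original answer: a small C function that reports whether a PAM service's stack ever reaches pam_sss. The name pam_stack_uses and its parameters are hypothetical; it reads /etc/pam.d-style files, follows include, substack and Debian's @include, and does not handle backslash line continuations.

```c
#include <stdio.h>
#include <string.h>

/* Split the next whitespace-delimited token off *p; NULL at end of line. */
static char *next_tok(char **p)
{
    char *s = *p + strspn(*p, " \t");
    *p = s + strcspn(s, " \t");
    if (**p)
        *(*p)++ = '\0';
    return *s ? s : NULL;
}

/* 1 if `module` is in the `type` stack of dir/service (following include,
 * substack and Debian-style @include), 0 if not, -1 if the file is unreadable. */
int pam_stack_uses(const char *dir, const char *service, const char *type,
                   const char *module, int depth)
{
    char path[512], line[1024], *p, *t, *mod;
    const char *ctl;
    int found = 0;
    FILE *f;

    snprintf(path, sizeof path, "%s/%s", dir, service);
    if (depth > 8 || (f = fopen(path, "r")) == NULL)
        return depth > 8 ? 0 : -1;          /* depth cap stops include loops */
    while (!found && fgets(line, sizeof line, f)) {
        line[strcspn(line, "#\n")] = '\0';  /* drop comments and the newline */
        p = line;
        if ((t = next_tok(&p)) == NULL)
            continue;
        if (strcmp(t, "@include") == 0)
            ctl = "include";                /* Debian form, pulls in every type */
        else if (strcmp(t + (*t == '-'), type) != 0 || (ctl = next_tok(&p)) == NULL)
            continue;                       /* "-auth" is auth with a quiet miss */
        if (*ctl == '[')                    /* skip "[success=1 default=ignore]" */
            while (!strchr(ctl, ']') && (ctl = next_tok(&p)) != NULL)
                ;
        if (ctl == NULL || (mod = next_tok(&p)) == NULL)
            continue;
        if (!strcmp(ctl, "include") || !strcmp(ctl, "substack"))
            found = pam_stack_uses(dir, mod, type, module, depth + 1) == 1;
        else
            found = strstr(mod, module) != NULL;
    }
    fclose(f);
    return found;
}
```

Calling pam_stack_uses("/etc/pam.d", "su", "auth", "pam_sss", 0) on the affected host shows whether the su service named in the question's pam_start call can reach sssd at all; a result of 0 matches the behaviour described, where only local users authenticate.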
