I'm playing around with PAM authentication using a small C program:
/* Build with: cc pamtest.c -o pamtest -lpam -lpam_misc */
#include <security/pam_appl.h>
#include <security/pam_misc.h>   /* misc_conv: prompts on the terminal */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    pam_handle_t *pamh = NULL;
    struct pam_conv pamc = { misc_conv, NULL };
    int rc;

    /* "su" is the PAM service name: the stack in /etc/pam.d/su is what runs. */
    rc = pam_start("su", getenv("USER"), &pamc, &pamh);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "pam_start: %s\n", pam_strerror(pamh, rc));
        return 1;
    }

    rc = pam_authenticate(pamh, 0);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "Auth failed! (%s)\n", pam_strerror(pamh, rc));
    } else {
        fprintf(stderr, "Auth succeeded!\n");
    }

    /* Hand the last status to pam_end so modules can clean up accordingly. */
    pam_end(pamh, rc);
    return rc == PAM_SUCCESS ? 0 : 1;
}
Two kinds of users have access on my system: those created in the local shadow db, and those who traverse a configured sssd process to authenticate with LDAP against a remote Active Directory.

I've configured sssd to plug into PAM, which I'm able to confirm via a number of logs on the system and debug output from sssd, but the above program only works for local users. Users that would require authentication against sss get a PAM_AUTH_ERROR back from pam_authenticate whether they enter the correct credentials or not.

I'm surely missing something obvious. How can I access sss via PAM in a C program?
According to

pam_start("su", getenv("USER"), &pamc, &pamh);
          ^^^^

you are using the su PAM service.

On a typical default configuration, the su PAM stack might not be configured to use the pam_sss responder.

Possible solutions:

If using su is appropriate for your application, update /etc/pam.d/su to use pam_sss.

Use a different PAM service that is already configured to use pam_sss; login, for example.

Create a dedicated PAM service for your app in /etc/pam.d/<service-name>.
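The checks behind the answer's three options, as an added shell example that is not code from the question or the answer: it resolves a service's effective auth stack (following @include, include and substack into the shared files), reports whether pam_sss.so is in it, lists the services under a pam.d directory that already use pam_sss, and writes a dedicated service file. The function names, the service name myapp and the minimal stack in write_pam_service_with_sss are assumptions for illustration; the real stack on a given distribution should be taken from its stock files (RHEL's authconfig output and Debian's common-* files are the usual references) rather than from this block.

```shell
#!/bin/sh
# Added example, not code from the original post or answer. Assumes the
# Linux-PAM layout (/etc/pam.d/<service>, one directive per line) and the
# Debian "@include" plus Linux-PAM "include"/"substack" forms for pulling in
# shared stacks. The stack written by write_pam_service_with_sss is an
# illustrative minimum, not any distribution's stock file.

# Print the effective "auth" lines of one service file, after stripping
# comments and following @include, "auth include <name>" and
# "auth substack <name>" into files in the same directory. Positional
# parameters are per call, so the recursion needs no global state.
pam_effective_auth_lines() {
    [ -r "$1" ] || { echo "warning: cannot read $1" >&2; return 0; }
    sed -e 's/#.*//' "$1" | while read -r ptype ctrl mod rest; do
        case "$ptype" in
            @include)
                pam_effective_auth_lines "$(dirname "$1")/$ctrl" ;;
            auth|-auth)
                case "$ctrl" in
                    include|substack)
                        pam_effective_auth_lines "$(dirname "$1")/$mod" ;;
                    *)
                        printf '%s\n' "$ptype $ctrl $mod${rest:+ $rest}" ;;
                esac ;;
        esac
    done
}

# Exit 0 if the service's effective auth phase involves pam_sss.so, 1 if not.
# Usage: pam_service_uses_sss /etc/pam.d/su
pam_service_uses_sss() {
    pam_effective_auth_lines "$1" | grep -q 'pam_sss\.so'
}

# List the services under a pam.d directory whose auth phase uses pam_sss.so,
# one name per line: a quick way to find an existing service worth reusing.
# Usage: pam_services_with_sss /etc/pam.d
pam_services_with_sss() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if pam_service_uses_sss "$f"; then basename "$f"; fi
    done
}

# Write a dedicated service file (e.g. /etc/pam.d/myapp) whose auth and
# account phases try local shadow first and fall through to pam_sss,
# denying when neither accepts. broken_shadow lets pam_unix's account check
# tolerate users that exist in NSS (via sss) but have no local shadow entry.
write_pam_service_with_sss() {
    cat > "$1" <<'EOF'
# myapp: local accounts first, then SSSD (LDAP/AD); deny if neither accepts.
auth     sufficient pam_unix.so try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  required   pam_permit.so
EOF
}
```

Run pam_service_uses_sss against /etc/pam.d/su before touching anything: on a Debian-style system the answer is usually hidden behind @include common-auth, which is why the resolver follows includes instead of grepping the one file. After writing /etc/pam.d/myapp, the C program above only needs "myapp" in place of "su" in its pam_start call.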