
pam: gate PAC indicator code on BUILD_SAMBA#8620

Merged
alexey-tikhonov merged 1 commit into SSSD:master from padelsbach:fix-without-samba-build
Apr 22, 2026

Conversation

@padelsbach
Contributor

Commit 1f680ed added ad_pac_common.c and $(NDR_KRB5PAC_LIBS) to sssd_pam unconditionally. So when building --without-samba, sssd_pam fails to link with undefined references to ndr_pull_init_blob and ndr_pull_PAC_DATA.

This change qualifies those additions with BUILD_SAMBA so the PAC indicator feature is compiled in only when samba support is enabled.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request makes the Samba-related PAC handling and idmapping dependencies optional for the PAM responder and its associated tests. It introduces conditional build logic in Makefile.am and preprocessor guards in src/responder/pam/pamsrv_gssapi.c using the BUILD_SAMBA flag. I have no feedback to provide.

@padelsbach padelsbach marked this pull request as ready for review April 21, 2026 02:03
@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Apr 21, 2026
Contributor

@sssd-bot sssd-bot left a comment


Review done using Claude Code / claude-opus-4-6

Functional Issues

No functional issues found. The BUILD_SAMBA guards in pamsrv_gssapi.c correctly wrap all code that depends on Samba-provided symbols (ad_pac.h, handle_pac, idmap_talloc/idmap_free, exported_from_pac variable), and the Makefile.am changes correctly gate ad_pac_common.c, $(NDR_KRB5PAC_CFLAGS), and $(NDR_KRB5PAC_LIBS) behind BUILD_SAMBA for all three targets (sssd_pam, pam_srv_tests, test_pamsrv_json). The libsss_idmap.la linkage was only gated for sssd_pam (where it was added by commit 1f680ed), while correctly left unconditional for the test targets (where it pre-existed).

Nits & Non-functional Issues

  1. Unnecessary MSPAC attribute processing without Samba (src/responder/pam/pamsrv_gssapi.c:679-693): When BUILD_SAMBA is not defined, the MSPAC tag detection code (lines 679–683) still identifies MSPAC attributes and enters the while (more != 0) loop (line 697), calling gss_get_name_attribute() to extract PAC data that is then silently discarded (the PAC handling block on line 714 is gated, and is_auth_indicator is false). This is functionally harmless but wastes GSSAPI calls. Consider gating the MSPAC detection itself:

    #ifndef BUILD_SAMBA
            } else {
    #else
            } else if (attrs->elements[i].length == (sizeof(MSPAC_TAG) - 1)
                            && strncmp(MSPAC_TAG, attrs->elements[i].value,
                                       sizeof(MSPAC_TAG) - 1) == 0) {
                is_mspac = true;
                is_auth_indicator = false;
            } else {
    #endif

    Or more simply, add a continue after the MSPAC detection when BUILD_SAMBA is not defined.

  2. Indentation inconsistency in Makefile.am: Within the same sssd_pam target, SOURCES additions inside if BUILD_SAMBA blocks are indented with 4 spaces (e.g., Makefile.am:1530), but CFLAGS and LDADD additions are not indented (e.g., Makefile.am:1537, Makefile.am:1551). The same inconsistency appears in the pam_srv_tests and test_pamsrv_json targets. The BUILD_PASSKEY conditional just above (line 1527) uses indented content, so the indented style appears to be the local convention:

    # Line 1536-1538: not indented
    if BUILD_SAMBA
    sssd_pam_CFLAGS += $(NDR_KRB5PAC_CFLAGS)
    endif
    
    # vs Line 1529-1531: indented (matches BUILD_PASSKEY above)
    if BUILD_SAMBA
        sssd_pam_SOURCES += src/providers/ad/ad_pac_common.c
    endif

  3. Unconditional gssapi_get_apply_sid_list call (src/responder/pam/pamsrv_gssapi.c:870): The function at line 787 and its call at line 870 are not gated behind BUILD_SAMBA. Without Samba, state->indicators_apply_sid is populated but never consumed (the only consumer at line 716 is inside the BUILD_SAMBA guard). This wastes a small amount of memory and config parsing. Low priority since it compiles and runs correctly in all configurations.

Confirmed Issues from Existing Review Comments

No inline review comments were submitted on this PR.

@sumit-bose
Contributor

Hi,

Thank you for the fixes. I have to admit that I didn't think of the non-Samba use case when writing the offending patches.

I agree with your changes, but I wonder if you can add the following changes as well:

diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 5a15a014a..deb50317f 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -64,9 +64,12 @@ endif
 if HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION
 JSON_PAM_CONDS = ;build_json_pam
 endif
+if BUILD_SAMBA
+SAMBA_CONDS = ;with_samba
+endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(SUBID_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(LIBNL_CONDS)$(IDP_CONDS)$(JSON_PAM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(SUBID_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(LIBNL_CONDS)$(IDP_CONDS)$(JSON_PAM_CONDS)$(SAMBA_CONDS)
 
 
 #Special Rules:
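Review bot: the token in `SAMBA_CONDS = ;with_samba` has to match the `condition="with_samba"` attribute used in the manual page XML exactly, because the profiling step keeps or drops elements by plain string comparison; a mismatch would not break the build but would silently leave the option documented (or undocumented) in every build. A short comment next to the new `if BUILD_SAMBA` block naming the consuming attribute would make that coupling visible. Appending `$(SAMBA_CONDS)` to `CONDS` is correct as written: the variable expands to empty when the conditional is false, which is the intended behaviour.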
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index eee31997d..952389e41 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1981,7 +1981,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                         </para>
                     </listitem>
                 </varlistentry>
-                <varlistentry>
+                <varlistentry condition="with_samba">
                     <term>pam_gssapi_indicators_apply</term>
                     <listitem>
                         <para>
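Review bot: gating the whole `<varlistentry>` with `condition="with_samba"` hides `pam_gssapi_indicators_apply` entirely from the manual page of a build configured without Samba, while the responder change in the same comment makes such a build refuse to start when the option is set. An administrator reading that build's sssd.conf(5) therefore finds no explanation for the startup failure; consider keeping a one-line mention outside the condition (that the option requires a Samba-enabled build), or at least making sure the startup error message names the missing Samba support.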

which removes the related option from the man page and

diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index be95d7251..e43d54c51 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -415,6 +415,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
                                  CONFDB_PAM_GSSAPI_INDICATORS_APPLY);
 
     if (tmpstr != NULL) {
+#ifdef BUILD_SAMBA
         ret = split_on_separator(pctx, tmpstr, ',', true, true,
                                  &pctx->gssapi_indicators_apply, NULL);
         if (ret != EOK) {
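Review bot: the new `#ifdef BUILD_SAMBA` opens inside `if (tmpstr != NULL) {`, after the confdb lookup of `CONFDB_PAM_GSSAPI_INDICATORS_APPLY`, so the lookup itself still runs in every build; that is what allows a non-Samba build to notice the option at all, so the guard should stay below the lookup rather than being moved above it. Because the matching `#else`/`#endif` lands in the following hunk, a brief comment on the `#ifdef` line stating that the option is only honoured with Samba support would help readers of this block on its own.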
@@ -423,6 +424,13 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
                   sss_strerror(ret));
             goto done;
         }
+#else
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "This build does not support the [%s] option.\n",
+              CONFDB_PAM_GSSAPI_INDICATORS_APPLY);
+        ret = ENOTSUP;
+        goto done;
+#endif
     }
 
     /* Check if JSON authentication selection method is enabled for any PAM
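Review bot: the `#else` branch fails startup with `ret = ENOTSUP; goto done;` instead of ignoring the option, which is the right choice for a setting the build cannot enforce: silently accepting `pam_gssapi_indicators_apply` would leave an administrator believing a restriction is in effect when the code that applies it was compiled out. Two small suggestions: the message `"This build does not support the [%s] option.\n"` could say why (built without Samba support), and since the `#endif` sits directly before the closing `}` of the `if (tmpstr != NULL)` block, writing it as `#endif /* BUILD_SAMBA */` would make the nesting easier to follow.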

which will error out during startup if the option is used.

I think this will make the build without Samba more consistent.

bye,
Sumit

@padelsbach
Contributor Author

@sumit-bose, I've applied the diffs you requested.

Contributor

@sumit-bose sumit-bose left a comment


Hi,

thank you for including the additional patches, I have no further comments, ACK.

bye,
Sumit

Contributor

@thalman thalman left a comment


LGTM

@alexey-tikhonov alexey-tikhonov removed the request for review from pbrezina April 22, 2026 08:31
@alexey-tikhonov alexey-tikhonov added the coverity Trigger a coverity scan label Apr 22, 2026
Commit 1f680ed added ad_pac_common.c and
$(NDR_KRB5PAC_LIBS) to sssd_pam unconditionally. So when building --without-samba, sssd_pam fails to link with undefined references to ndr_pull_init_blob and ndr_pull_PAC_DATA.

This change qualifies those additions with `BUILD_SAMBA` so the PAC
indicator feature is compiled in only when samba support is enabled.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@sssd-bot
Contributor

The pull request was accepted by @thalman with the following PR CI status:


🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / intgcheck (fedora-45) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
🟢 ci / system (fedora-45) (success)
🟡 Coverity scan / coverity (in_progress)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)


There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the fix-without-samba-build branch from 3f3d92f to 4cdea3a on April 22, 2026 08:32
@alexey-tikhonov alexey-tikhonov removed the coverity Trigger a coverity scan label Apr 22, 2026
@alexey-tikhonov alexey-tikhonov added coverity Trigger a coverity scan and removed coverity Trigger a coverity scan labels Apr 22, 2026
@alexey-tikhonov alexey-tikhonov merged commit d0becea into SSSD:master Apr 22, 2026
14 of 16 checks passed
5 participants