From 5eb9a4430f4beab41aed7d5d77414ceea6b2eb1c Mon Sep 17 00:00:00 2001
From: Jinna Kiisuo
Date: Wed, 1 Jan 2025 00:40:14 +0200
Subject: [PATCH] fix: PAM on Debian, enable use_first_pass by default (#3326)

Since we use Debian's PAM autoconf, pam_unix isn't disabled and remains active. This means pam_unix triggers first and pam_kanidm should use the password it already tried to match to a local user. This change also moves the postinst hook for PAM config correctly to the libpam-kanidm package, since that's the one that delivers the config that needs a reinstall!
---
 unix_integration/pam_kanidm/Cargo.toml | 1 +
 unix_integration/pam_kanidm/debian/kanidm.pam | 2 +-
 unix_integration/pam_kanidm/debian/postinst | 29 +++++++++++++++++++
 unix_integration/resolver/debian/postinst | 3 +-
 4 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 unix_integration/pam_kanidm/debian/postinst

diff --git a/unix_integration/pam_kanidm/Cargo.toml b/unix_integration/pam_kanidm/Cargo.toml
index 984a6b703..56f6ae3c9 100644
--- a/unix_integration/pam_kanidm/Cargo.toml
+++ b/unix_integration/pam_kanidm/Cargo.toml
@@ -35,6 +35,7 @@ maintainer = "James Hodgkinson "
 depends = ["libc6", "libpam0g"]
 section = "network"
 priority = "optional"
+maintainer-scripts = "debian/"
 assets = [
 # Empty on purpose
 ]
diff --git a/unix_integration/pam_kanidm/debian/kanidm.pam b/unix_integration/pam_kanidm/debian/kanidm.pam
index 17da012b3..f2e5f4dc1 100644
--- a/unix_integration/pam_kanidm/debian/kanidm.pam
+++ b/unix_integration/pam_kanidm/debian/kanidm.pam
@@ -4,7 +4,7 @@ Priority: 128
 Auth-Type: Primary
 Auth:
- [success=end new_authtok_reqd=done default=ignore] pam_kanidm.so ignore_unknown_user
+ [success=end new_authtok_reqd=done default=ignore] pam_kanidm.so ignore_unknown_user use_first_pass
 Account-Type: Primary
 Account:
diff --git a/unix_integration/pam_kanidm/debian/postinst b/unix_integration/pam_kanidm/debian/postinst
new file mode 100644
index 000000000..ecd061d5a
--- /dev/null
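Review bot: `use_first_pass` on the added Auth module line makes pam_kanidm fail instead of prompting whenever no password has been stacked by an earlier module, so this profile now silently depends on Debian's unix profile being enabled and sorting ahead of it; the `Priority: 128` context line is what produces that ordering (Debian's unix profile ships with a higher priority and therefore runs first, if I recall correctly), but nothing in the file records the dependency. An administrator who disables the unix profile in pam-auth-update, or raises this profile's priority above it, would see Kanidm logins fail with no password prompt and no obvious cause. I would record the assumption where the next maintainer will see it, e.g. a line to the effect of `Priority 128 keeps this profile after Debian's unix profile; use_first_pass relies on pam_unix having already collected the password`, either in this file if the pam-configs format accepts comment lines (I have not verified that) or in the package documentation.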
+++ b/unix_integration/pam_kanidm/debian/postinst
@@ -0,0 +1,29 @@
+#!/bin/sh
+# postinst script for libpam-kanidm
+#
+# see: dh_installdeb(1)
+
+set -e
+
+
+case "$1" in
+ configure)
+ echo "Updating PAM configuration"
+ pam-auth-update --package
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/unix_integration/resolver/debian/postinst b/unix_integration/resolver/debian/postinst
index cc7c10be6..d5d5b9562 100644
--- a/unix_integration/resolver/debian/postinst
+++ b/unix_integration/resolver/debian/postinst
@@ -8,13 +8,12 @@ set -e
 case "$1" in
 configure)
- pam-auth-update --package
 echo "============================="
 echo "Thanks for installing Kanidm!"
 echo "============================="
 echo "Please ensure you modify the configuration files at /etc/kanidm/unixd and /etc/kanidm/config"
 echo "Full examples are in /usr/share/kanidm-unixd/"
- echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
+ echo "PAM has already been autoconfigured by the libpam-kanidm package. To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
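Review bot: The new postinst registers the profile with `pam-auth-update --package` in the configure) branch, but the commit adds no prerm counterpart, so removing libpam-kanidm leaves the profile registered and the generated common-* stacks still referencing pam_kanidm.so after the module file is gone. The usual Debian pattern for a PAM module package is a prerm that deregisters the profile on removal, roughly `case "$1" in remove) pam-auth-update --package --remove <profile> ;; esac`, where <profile> is the file name the package installs under /usr/share/pam-configs/ (not visible in this diff). With `maintainer-scripts = "debian/"` now set in Cargo.toml, a prerm dropped into the same directory would be picked up without further packaging changes. Note also that `set -e` makes a failing pam-auth-update abort the configure step outright; that is reasonable for a package whose whole purpose is that configuration, but worth a one-line comment so installation failures are understood quickly.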
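Review bot: The new echo line tells the administrator that PAM "has already been autoconfigured by the libpam-kanidm package", but this postinst has no way to know that package is installed; if kanidm-unixd only recommends or suggests libpam-kanidm, the message can lead an administrator to skip PAM setup entirely on the strength of a false assurance. A conditional phrasing keeps the pointer without the claim: `echo "If libpam-kanidm is installed, it has already configured PAM. To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"`. Since `pam-auth-update --package` has moved out of this script, the resolver's prerm/postrm (not in this diff) should be checked for a leftover `pam-auth-update --remove` that would now deregister a profile this package no longer owns. The case statement continues past the end of the hunk.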