From 9dc76c9405860004ebbaeb7da944e06e7767780d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 8 Feb 2010 11:53:43 +0100 Subject: Make return values more specific during password change - return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password change operation fails - send a message to the user if the system is offline and the password cannot be changed --- server/responder/pam/pamsrv_cmd.c | 86 +++++++++++++++++++++++---------------- 1 file changed, 52 insertions(+), 34 deletions(-) (limited to 'server/responder/pam/pamsrv_cmd.c') diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 3172a97dd..c204e0a88 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c @@ -484,50 +484,68 @@ static void pam_reply(struct pam_auth_req *preq) struct tevent_req *req; struct sysdb_ctx *sysdb; struct pam_ctx *pctx; + uint32_t user_info_type; pd = preq->pd; DEBUG(4, ("pam_reply get called.\n")); - if ((pd->cmd == SSS_PAM_AUTHENTICATE) && - (preq->domain != NULL) && - (preq->domain->cache_credentials == true) && - (pd->offline_auth == false)) { + if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) { + switch(pd->cmd) { + case SSS_PAM_AUTHENTICATE: + if ((preq->domain != NULL) && + (preq->domain->cache_credentials == true) && + (pd->offline_auth == false)) { - if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) { - /* do auth with offline credentials */ - pd->offline_auth = true; + /* do auth with offline credentials */ + pd->offline_auth = true; - ret = sysdb_get_ctx_from_list(preq->cctx->rctx->db_list, - preq->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - goto done; - } - - pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); - - req = sysdb_cache_auth_send(preq, preq->cctx->ev, sysdb, - preq->domain, pd->user, pd->authtok, - pd->authtok_size, pctx->rctx->cdb); - if (req == NULL) { - DEBUG(1, ("Failed to setup offline auth")); - /* this error is not fatal, continue */ - } else { - tevent_req_set_callback(req, pam_cache_auth_done, preq); - return; - } - } - } + ret = sysdb_get_ctx_from_list(preq->cctx->rctx->db_list, + preq->domain, &sysdb); + if (ret != EOK) { + DEBUG(0, ("Fatal: Sysdb CTX not found for " + "domain [%s]!\n", preq->domain->name)); + goto done; + } + pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, + struct pam_ctx); + + req = sysdb_cache_auth_send(preq, preq->cctx->ev, sysdb, + preq->domain, pd->user, + pd->authtok, pd->authtok_size, + pctx->rctx->cdb); + if (req == NULL) { + DEBUG(1, ("Failed to setup offline auth.\n")); + /* this error is not fatal, continue */ + } else { + tevent_req_set_callback(req, pam_cache_auth_done, preq); + return; + } + } + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + case SSS_PAM_CHAUTHTOK: + DEBUG(5, ("Password change not possible while offline.\n")); + pd->pam_status = PAM_AUTHTOK_ERR; + user_info_type = SSS_PAM_USER_INFO_OFFLINE_CHPASS; + pam_add_response(pd, SSS_PAM_USER_INFO, sizeof(uint32_t), + (const uint8_t *) &user_info_type); + break; /* TODO: we need the pam session cookie here to make sure that cached * authentication was successful */ - if ((pd->cmd == SSS_PAM_SETCRED || pd->cmd == SSS_PAM_ACCT_MGMT || - pd->cmd == SSS_PAM_OPEN_SESSION || pd->cmd == SSS_PAM_CLOSE_SESSION) && - pd->pam_status == PAM_AUTHINFO_UNAVAIL) { - DEBUG(2, ("Assuming offline authentication " - "setting status for pam call %d to PAM_SUCCESS.\n", pd->cmd)); - pd->pam_status = PAM_SUCCESS; + case SSS_PAM_SETCRED: + case SSS_PAM_ACCT_MGMT: + case SSS_PAM_OPEN_SESSION: + case SSS_PAM_CLOSE_SESSION: + DEBUG(2, ("Assuming offline authentication setting status for " + "pam call %d to PAM_SUCCESS.\n", pd->cmd)); + pd->pam_status = PAM_SUCCESS; + break; + default: + DEBUG(1, ("Unknown PAM call [%d].\n", pd->cmd)); + pd->pam_status = PAM_MODULE_UNKNOWN; + } } cctx = preq->cctx; -- cgit