author | Günther Deschner <gd@samba.org> | 2007-02-05 17:35:25 +0000 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2007-02-05 17:35:25 +0000 |
commit | 0e672ccc14e23d9d897413f8fc1629efc74fb314 (patch) | |
tree | b5274318f1bc3b269aca0c16c61ed8a0ae367f8a | |
parent | 488537af04ba9308dfbaf5b6bebe98a0189cb8cc (diff) | |
r21159: Cleanup pam_sm_chauthtok() in pam_winbind:
Set info3 strings, krb5ccname and returned username after we changed a
password and successfully re-authenticated afterwards. In that case we
ended up without this information.
Guenther
-rw-r--r-- | source/nsswitch/pam_winbind.c | 58 | ||||
-rw-r--r-- | source/nsswitch/pam_winbind.h | 18 |
2 files changed, 45 insertions, 31 deletions
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c index ed47058750e..cf431abb8d0 100644 --- a/source/nsswitch/pam_winbind.c +++ b/source/nsswitch/pam_winbind.c @@ -1537,6 +1537,10 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int retry = 0; dictionary *d = NULL; + char *username_ret = NULL; + struct winbindd_response response; + + ZERO_STRUCT(response); ctrl = _pam_parse(pamh, flags, argc, argv, &d); if (ctrl == -1) { @@ -1586,7 +1590,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, */ if (flags & PAM_PRELIM_CHECK) { - struct winbindd_response response; time_t pwdlastset_prelim = 0; /* instruct user what is happening */ @@ -1625,20 +1628,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, ret != PAM_NEW_AUTHTOK_REQD && ret != PAM_SUCCESS) { pass_old = NULL; - if (d) { - iniparser_freedict(d); - } - /* Deal with offline errors. */ - PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, - response, - "NT_STATUS_NO_LOGON_SERVERS"); - PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, - response, - "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND"); - PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, - response, - "NT_STATUS_ACCESS_DENIED"); - return ret; + goto out; } pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET, (void *)pwdlastset_prelim, NULL); 
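Review bot: Nothing at the declaration in the first hunk says that `ZERO_STRUCT(response)` is now load-bearing. With `response` hoisted to function scope, the `out:` label (last hunk of this file) runs the three `PAM_WB_REMARK_CHECK_RESPONSE` checks on every exit path, including the ones that never call winbind, and the macro passes `response.data.auth.nt_status_string` straight to `strcasecmp()`. I would add a comment above the call such as `/* response is examined at out: on every path; it must start zeroed so nt_status_string reads as an empty string */`, so that a later cleanup does not drop the initialisation. This assumes `nt_status_string` is an embedded array rather than a pointer, which the page does not show; the body of pam_sm_chauthtok() starts and ends outside this hunk.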
@@ -1722,30 +1712,32 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, /* just in case we need krb5 creds after a password change over msrpc */ if (ctrl & WINBIND_KRB5_AUTH) { - struct winbindd_response response; const char *member = get_member_from_config(pamh, argc, argv, ctrl, d); const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d); ret = winbind_auth_request(pamh, ctrl, user, pass_new, - member, cctype, &response, NULL, NULL); + member, cctype, &response, NULL, &username_ret); _pam_overwrite(pass_new); _pam_overwrite(pass_old); pass_old = pass_new = NULL; - if (d) { - iniparser_freedict(d); + + if (ret == PAM_SUCCESS) { + + /* set some info3 info for other modules in the stack */ + _pam_set_data_info3(pamh, ctrl, &response); + + /* put krb5ccname into env */ + _pam_setup_krb5_env(pamh, ctrl, response.data.auth.krb5ccname); + + if (username_ret) { + pam_set_item (pamh, PAM_USER, username_ret); + _pam_log_debug(pamh, ctrl, LOG_INFO, "Returned user was '%s'", username_ret); + free(username_ret); + } } - /* Deal with offline errors. */ - PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, - response, - "NT_STATUS_NO_LOGON_SERVERS"); - PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, - response, - "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND"); - PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, - response, - "NT_STATUS_ACCESS_DENIED"); - return ret; + + goto out; } } else { ret = PAM_SERVICE_ERR; @@ -1755,6 +1747,12 @@ out: if (d) { iniparser_freedict(d); } + + /* Deal with offline errors. */ + PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_NO_LOGON_SERVERS"); + PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND"); + PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_ACCESS_DENIED"); + return ret; } diff --git a/source/nsswitch/pam_winbind.h b/source/nsswitch/pam_winbind.h index 40c47bdb3c7..c06b27ebd01 100644 --- a/source/nsswitch/pam_winbind.h +++ b/source/nsswitch/pam_winbind.h 
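Review bot: The result of `pam_set_item (pamh, PAM_USER, username_ret)` in the new `if (ret == PAM_SUCCESS)` block is discarded, so the debug line reports the returned user even when PAM_USER was not updated and later modules in the stack still see the old name. I would check it and log the failure, e.g. `if (pam_set_item(pamh, PAM_USER, username_ret) != PAM_SUCCESS) { _pam_log(pamh, ctrl, LOG_ERR, "could not set PAM_USER"); }`, assuming the file's `_pam_log` helper, which is not visible on this page. Separately, `free(username_ret)` is reached only on the success path; if `winbind_auth_request()` can fill `username_ret` and still return an error (its body is not shown here), the string leaks. Moving the `free()` out of the `if (ret == PAM_SUCCESS)` block, just before `goto out`, covers both cases, since `free(NULL)` is harmless.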
@@ -132,7 +132,23 @@ do { \ _make_remark(h, f, PAM_ERROR_MSG, x);\ return ret;\ }; - + +#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\ +{\ + const char *ntstatus = x.data.auth.nt_status_string; \ + const char *error_string = NULL; \ + if (!strcasecmp(ntstatus,y)) {\ + error_string = _get_ntstatus_error_string(y);\ + if (error_string != NULL) {\ + _make_remark(h, f, PAM_ERROR_MSG, error_string);\ + };\ + if (x.data.auth.error_string[0] != '\0') {\ + _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\ + };\ + _make_remark(h, f, PAM_ERROR_MSG, y);\ + };\ +}; + #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\ {\ const char *ntstatus = x.data.auth.nt_status_string; \ |
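Review bot: The new `PAM_WB_REMARK_CHECK_RESPONSE` can show the user up to three messages for a single matching status, because its three `_make_remark` calls run one after another rather than as alternatives: the mapped error string, then the winbindd-supplied `error_string`, then the raw status name `y`. If one message per failure is intended, chain them with `} else if (x.data.auth.error_string[0] != '\0') {` and `} else {` in front of the final `_make_remark(h, f, PAM_ERROR_MSG, y);`. Whether the `_RET` variant returned after its first remark is an assumption, since most of its body lies outside this hunk. The macro is also a bare `{ ... };` block, so a call followed by `;` cannot sit between an `if` and its `else`; wrapping it in `do { ... } while (0)` and writing `(x).data.auth...` would make it behave like a single statement.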