author | Günther Deschner <gd@samba.org> | 2006-09-06 10:59:39 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:43:29 -0500 |
commit | 95788cb291b89b431972e29e148b412992cc32a5 (patch) | |
tree | 6ebed92f2792aa289eb567c421aabfff676d42cd | |
parent | 8c78386e8da72108551cff72a6cc9da89264ddee (diff) | |
r18158: Stop winbindd from accumulating memory creds infinitely when doing
pam offline logons.
Guenther
-rw-r--r-- | source/nsswitch/pam_winbind.c | 8 | ||||
-rw-r--r-- | source/nsswitch/winbindd_pam.c | 33 |
2 files changed, 25 insertions, 16 deletions
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c index 78b0e8c28bf..bcc4d7e7955 100644 --- a/source/nsswitch/pam_winbind.c +++ b/source/nsswitch/pam_winbind.c @@ -1152,15 +1152,15 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, ccname = pam_getenv(pamh, "KRB5CCNAME"); if (ccname == NULL) { _pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment"); - retval = PAM_SUCCESS; - goto out; } strncpy(request.data.logoff.user, user, sizeof(request.data.logoff.user) - 1); - strncpy(request.data.logoff.krb5ccname, ccname, - sizeof(request.data.logoff.krb5ccname) - 1); + if (ccname) { + strncpy(request.data.logoff.krb5ccname, ccname, + sizeof(request.data.logoff.krb5ccname) - 1); + } pwd = getpwnam(user); if (pwd == NULL) { diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c index 9bad738d519..efdd0e874fd 100644 --- a/source/nsswitch/winbindd_pam.c +++ b/source/nsswitch/winbindd_pam.c 
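Review bot: The empty `krb5ccname` that pam_sm_close_session now sends when KRB5CCNAME is unset has become a signal to winbindd, but nothing in the new lines says so. A comment above the `if (ccname) {` guard would record the intent stated in the commit message, for example `/* no ccache: still send the logoff, with an empty krb5ccname, so winbindd can release its memory creds */`. Both `strncpy` calls copy at most `sizeof(...) - 1` bytes and so rely on `request` having been zeroed earlier for termination; that initialisation is not visible in this hunk and is worth confirming, since the receiving side tests `krb5ccname[0]`. The function starts and ends outside the hunk.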
@@ -1865,22 +1865,26 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state) state->request.data.logoff.krb5ccname [sizeof(state->request.data.logoff.krb5ccname)-1]='\0'; - parse_domain_user(state->request.data.logoff.user, name_domain, user); - - domain = find_auth_domain(state, name_domain); + if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) { + goto failed; + } - if (domain == NULL) { - set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); - DEBUG(5, ("Pam Logoff for %s returned %s " - "(PAM: %d)\n", - state->request.data.auth.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - request_error(state); - return; + if ((domain = find_auth_domain(state, name_domain)) == NULL) { + goto failed; } sendto_domain(state, domain); + return; + + failed: + set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); + DEBUG(5, ("Pam Logoff for %s returned %s " + "(PAM: %d)\n", + state->request.data.auth.user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); + request_error(state); + return; } enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain, @@ -1899,6 +1903,11 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain, goto process_result; } + if (state->request.data.logoff.krb5ccname[0] == '\0') { + result = NT_STATUS_OK; + goto process_result; + } + #ifdef HAVE_KRB5 if (state->request.data.logoff.uid < 0) { |
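Review bot: The `failed:` path in winbindd_pam_logoff logs `state->request.data.auth.user`, although this handler parses `state->request.data.logoff.user`. If `data` is a union in which both members begin with the user field, the output happens to match, but that layout is not visible here and an audit-relevant log line should not depend on it; `state->request.data.logoff.user,` in the DEBUG call would name the field actually used. The `return;` after `request_error(state);` is redundant at the end of a void function. The start of the function is outside the hunk.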
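Review bot: The new early exit in winbindd_dual_pam_logoff for an empty `krb5ccname` jumps to `process_result` with `NT_STATUS_OK` before the `uid < 0` check that follows under `HAVE_KRB5`. The code at `process_result` is outside the hunk; if that is where the memory creds for `logoff.user` are released, as the commit message suggests, a request with an empty ccache name now reaches it with no validation beyond whatever precedes this hunk. It is worth confirming that the requester is entitled to log off that user on this path, and stating the intent in a comment such as `/* no ccache to destroy, only release the memory creds */`.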