svn commit: samba r12347 - in trunk/source/nsswitch: .
gd at samba.org
gd at samba.org
Mon Dec 19 04:15:34 GMT 2005
Author: gd
Date: 2005-12-19 04:15:33 +0000 (Mon, 19 Dec 2005)
New Revision: 12347
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12347
Log:
Add WINBINDD_PAM_LOGOFF to destroy a krb5 ccache we created, again uses
an ugly seteuid pair (I just don't know how to avoid that...) to let
krb5 library work with the correct permissions.
Guenther
Modified:
trunk/source/nsswitch/winbindd.c
trunk/source/nsswitch/winbindd_dual.c
trunk/source/nsswitch/winbindd_nss.h
trunk/source/nsswitch/winbindd_pam.c
Changeset:
Modified: trunk/source/nsswitch/winbindd.c
===================================================================
--- trunk/source/nsswitch/winbindd.c 2005-12-19 04:10:02 UTC (rev 12346)
+++ trunk/source/nsswitch/winbindd.c 2005-12-19 04:15:33 UTC (rev 12347)
@@ -254,6 +254,7 @@
{ WINBINDD_PAM_AUTH, winbindd_pam_auth, "PAM_AUTH" },
{ WINBINDD_PAM_AUTH_CRAP, winbindd_pam_auth_crap, "AUTH_CRAP" },
{ WINBINDD_PAM_CHAUTHTOK, winbindd_pam_chauthtok, "CHAUTHTOK" },
+ { WINBINDD_PAM_LOGOFF, winbindd_pam_logoff, "PAM_LOGOFF" },
/* Enumeration functions */
Modified: trunk/source/nsswitch/winbindd_dual.c
===================================================================
--- trunk/source/nsswitch/winbindd_dual.c 2005-12-19 04:10:02 UTC (rev 12346)
+++ trunk/source/nsswitch/winbindd_dual.c 2005-12-19 04:15:33 UTC (rev 12347)
@@ -350,6 +350,7 @@
{ WINBINDD_SHOW_SEQUENCE, winbindd_dual_show_sequence, "SHOW_SEQUENCE" },
{ WINBINDD_PAM_AUTH, winbindd_dual_pam_auth, "PAM_AUTH" },
{ WINBINDD_PAM_AUTH_CRAP, winbindd_dual_pam_auth_crap, "AUTH_CRAP" },
+ { WINBINDD_PAM_LOGOFF, winbindd_dual_pam_logoff, "PAM_LOGOFF" },
{ WINBINDD_CHECK_MACHACC, winbindd_dual_check_machine_acct, "CHECK_MACHACC" },
{ WINBINDD_DUAL_SID2UID, winbindd_dual_sid2uid, "DUAL_SID2UID" },
{ WINBINDD_DUAL_SID2GID, winbindd_dual_sid2gid, "DUAL_SID2GID" },
Modified: trunk/source/nsswitch/winbindd_nss.h
===================================================================
--- trunk/source/nsswitch/winbindd_nss.h 2005-12-19 04:10:02 UTC (rev 12346)
+++ trunk/source/nsswitch/winbindd_nss.h 2005-12-19 04:15:33 UTC (rev 12347)
@@ -64,6 +64,7 @@
WINBINDD_PAM_AUTH,
WINBINDD_PAM_AUTH_CRAP,
WINBINDD_PAM_CHAUTHTOK,
+ WINBINDD_PAM_LOGOFF,
/* List various things */
@@ -225,6 +226,11 @@
fstring oldpass;
fstring newpass;
} chauthtok; /* pam_winbind passwd module */
+ struct {
+ fstring user;
+ fstring krb5ccname;
+ uid_t uid;
+ } logoff; /* pam_winbind session module */
fstring sid; /* lookupsid, sid_to_[ug]id */
struct {
fstring dom_name; /* lookupname */
Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c 2005-12-19 04:10:02 UTC (rev 12346)
+++ trunk/source/nsswitch/winbindd_pam.c 2005-12-19 04:15:33 UTC (rev 12347)
@@ -1451,3 +1451,112 @@
else
request_error(state);
}
+
+void winbindd_pam_logoff(struct winbindd_cli_state *state)
+{
+ struct winbindd_domain *domain;
+ fstring name_domain, user;
+
+ DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
+ state->request.data.logoff.user));
+
+ /* Ensure null termination */
+ state->request.data.logoff.user
+ [sizeof(state->request.data.logoff.user)-1]='\0';
+
+ state->request.data.logoff.krb5ccname
+ [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
+
+ parse_domain_user(state->request.data.logoff.user, name_domain, user);
+
+ domain = find_auth_domain(state, name_domain);
+
+ if (domain == NULL) {
+ set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
+ DEBUG(5, ("Pam Logoff for %s returned %s "
+ "(PAM: %d)\n",
+ state->request.data.auth.user,
+ state->response.data.auth.nt_status_string,
+ state->response.data.auth.pam_error));
+ request_error(state);
+ return;
+ }
+
+ sendto_domain(state, domain);
+}
+
+enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
+ struct winbindd_cli_state *state)
+{
+ NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
+ struct WINBINDD_CCACHE_ENTRY *entry;
+ int ret;
+
+ DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
+ state->request.data.logoff.user));
+
+ if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
+ result = NT_STATUS_OK;
+ goto process_result;
+ }
+
+#ifdef HAVE_KRB5
+
+ /* what we need here is to find the corresponding krb5 ccache name *we*
+ * created for a given username and destroy it (as the user who created it) */
+
+ entry = get_ccache_from_list_by_name(state->request.data.logoff.user);
+ if (entry == NULL) {
+ DEBUG(10,("winbindd_pam_logoff: could not get ccname for user %s\n",
+ state->request.data.logoff.user));
+ goto process_result;
+ }
+
+ DEBUG(10,("winbindd_pam_logoff: found ccache [%s]\n", entry->ccname));
+
+ if (entry->uid < 0 || state->request.data.logoff.uid < 0) {
+ DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
+ goto process_result;
+ }
+
+ if (entry->uid != state->request.data.logoff.uid) {
+ DEBUG(0,("winbindd_pam_logoff: uid's differ: %d != %d\n",
+ entry->uid, state->request.data.logoff.uid));
+ goto process_result;
+ }
+
+ if (!strcsequal(entry->ccname, state->request.data.logoff.krb5ccname)) {
+ DEBUG(0,("winbindd_pam_logoff: krb5ccnames differ: %s != %s\n",
+ entry->ccname, state->request.data.logoff.krb5ccname));
+ goto process_result;
+ }
+
+ seteuid(entry->uid);
+
+ ret = ads_kdestroy(entry->ccname);
+
+ seteuid(0);
+
+ if (ret) {
+ DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n",
+ entry->ccname, error_message(ret)));
+ } else {
+ DEBUG(10,("winbindd_pam_logoff: successfully destroyed ccache %s for user %s\n",
+ entry->ccname, state->request.data.logoff.user));
+ remove_ccache_from_list_by_name(entry->ccname);
+ }
+
+ result = krb5_to_nt_status(ret);
+#else
+ result = NT_STATUS_NOT_SUPPORTED;
+#endif
+
+process_result:
+ state->response.data.auth.nt_status = NT_STATUS_V(result);
+ fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
+ fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
+ state->response.data.auth.pam_error = nt_status_to_pam(result);
+
+ return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
+}
+
More information about the samba-cvs
mailing list