svn commit: samba r12987 - in trunk/source: include nsswitch

gd at samba.org gd at samba.org
Tue Jan 17 21:26:42 GMT 2006


Author: gd
Date: 2006-01-17 21:26:42 +0000 (Tue, 17 Jan 2006)
New Revision: 12987

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12987

Log:
Flip order of pam_conversation messages on failed password change.

Also add REJECT_REASON_NOT_COMPLEX.

Guenther


Modified:
   trunk/source/include/rpc_samr.h
   trunk/source/nsswitch/pam_winbind.c


Changeset:
Modified: trunk/source/include/rpc_samr.h
===================================================================
--- trunk/source/include/rpc_samr.h	2006-01-17 21:22:00 UTC (rev 12986)
+++ trunk/source/include/rpc_samr.h	2006-01-17 21:26:42 UTC (rev 12987)
@@ -1845,6 +1845,7 @@
 
 #define REJECT_REASON_TOO_SHORT		0x00000001
 #define REJECT_REASON_IN_HISTORY	0x00000002
+#define REJECT_REASON_NOT_COMPLEX	0x00000005
 
 /* SAMR_CHANGE_REJECT */
 typedef struct samr_change_reject
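Review bot: The new value 0x00000005 shares bit 0 with REJECT_REASON_TOO_SHORT, so these constants cannot be tested as bit flags, yet nothing next to the defines says so. A one-line comment above them, such as `/* discrete reject reason codes, not a bitmask: compare with == or switch, never & */`, would keep a later caller from writing `reason & REJECT_REASON_TOO_SHORT` and matching a complexity rejection as well. The struct that follows the defines continues outside the hunk.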

Modified: trunk/source/nsswitch/pam_winbind.c
===================================================================
--- trunk/source/nsswitch/pam_winbind.c	2006-01-17 21:22:00 UTC (rev 12986)
+++ trunk/source/nsswitch/pam_winbind.c	2006-01-17 21:26:42 UTC (rev 12987)
@@ -514,6 +514,26 @@
 
 	if (strequal(response.data.auth.nt_status_string, "NT_STATUS_PASSWORD_RESTRICTION")) {
 
+		/* FIXME: avoid to send multiple PAM messages after another */
+		switch (response.data.auth.reject_reason) {
+			case 0:
+				break;
+			case REJECT_REASON_TOO_SHORT:
+				PAM_WB_REMARK_DIRECT(pamh, "NT_STATUS_PWD_TOO_SHORT");
+				break;
+			case REJECT_REASON_IN_HISTORY:
+				PAM_WB_REMARK_DIRECT(pamh, "NT_STATUS_PWD_HISTORY_CONFLICT");
+				break;
+			case REJECT_REASON_NOT_COMPLEX:
+				_make_remark_format(pamh, PAM_ERROR_MSG, "Password does not meet complexity requirements");
+				break;
+			default:
+				_pam_log_debug(ctrl, LOG_DEBUG,
+					       "unknown password change reject reason: %d", 
+					       response.data.auth.reject_reason);
+				break;
+		}
+
 		_make_remark_format(pamh, PAM_ERROR_MSG,  
 			"Your password must be at least %d characters; "
 			"cannot repeat any of the your previous %d passwords"
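Review bot: In the `default:` branch an unrecognised reject_reason goes only to `_pam_log_debug`, so presumably nothing is recorded unless the module's debug option is set, and the user sees just the generic policy text. Logging it unconditionally, e.g. `_pam_log(LOG_WARNING, "unknown password change reject reason: %u", (unsigned int)response.data.auth.reject_reason);`, would make a new server-side reason visible to whoever operates the host. The `%d` conversion is also worth checking against the field's declaration, which is outside the hunk; if the field is an unsigned 32-bit value, the cast and `%u` above are the matching form. The enclosing function starts before and ends after this hunk.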
@@ -526,15 +546,6 @@
 				"; must contain capitals, numerals or punctuation; and cannot contain your account or full name" : 
 				"");
 
-		/* FIXME: avoid to send multiple PAM messages after another */
-		if (response.data.auth.reject_reason) {
-			if (response.data.auth.reject_reason & REJECT_REASON_TOO_SHORT) {
-				PAM_WB_REMARK_DIRECT(pamh, "NT_STATUS_PWD_TOO_SHORT");
-			}
-			if (response.data.auth.reject_reason & REJECT_REASON_IN_HISTORY) {
-				PAM_WB_REMARK_DIRECT(pamh, "NT_STATUS_PWD_HISTORY_CONFLICT");
-			}
-		}
 	}
 
 	return ret;
@@ -907,7 +918,7 @@
 		return PAM_SUCCESS;
 	default:
 		/* we don't know anything about this return value */
-		_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'", 
+		_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')", 
 			 retval, username);
 		return PAM_SERVICE_ERR;
 	}


