svn commit: samba r14493 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

[gd at samba.org]

Author: gd
Date: 2006-03-16 22:17:03 +0000 (Thu, 16 Mar 2006)
New Revision: 14493

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14493

Log:
There is no point in falling back to a samlogon when a krb5login has
failed with a clear error indication. This prevents the bad logon count
beeing increased on the DC.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-03-16 21:36:36 UTC (rev 14492)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-03-16 22:17:03 UTC (rev 14493)
@@ -1088,6 +1088,23 @@
 			DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
 			domain->online = False;
 		}
+
+		/* there are quite some NT_STATUS errors where there is no
+		 * point in retrying with a samlogon, we explictly have to take
+		 * care not to increase the bad logon counter on the DC */
+
+		if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
+			goto process_result;
+		}
 		
 		if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
 			DEBUG(3,("falling back to samlogon\n"));

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-03-16 21:36:36 UTC (rev 14492)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-03-16 22:17:03 UTC (rev 14493)
@@ -1088,6 +1088,23 @@
 			DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
 			domain->online = False;
 		}
+
+		/* there are quite some NT_STATUS errors where there is no
+		 * point in retrying with a samlogon, we explictly have to take
+		 * care not to increase the bad logon counter on the DC */
+
+		if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
+		    NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
+			goto process_result;
+		}
 		
 		if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
 			DEBUG(3,("falling back to samlogon\n"));