svn commit: samba r21159 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_25/source/nsswitch

gd at samba.org gd at samba.org
Mon Feb 5 17:35:26 GMT 2007


Author: gd
Date: 2007-02-05 17:35:25 +0000 (Mon, 05 Feb 2007)
New Revision: 21159

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21159

Log:
Cleanup pam_sm_chauthtok() in pam_winbind:

Set info3 strings, krb5ccname and returned username after we changed a
password and successfully re-authenticated afterwards. In that case we
ended up without this information.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.h
   branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.h


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2007-02-05 17:28:55 UTC (rev 21158)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2007-02-05 17:35:25 UTC (rev 21159)
@@ -1813,7 +1813,11 @@
 	
 	int retry = 0;
 	dictionary *d = NULL;
+	char *username_ret = NULL;
+	struct winbindd_response response;
 
+	ZERO_STRUCT(response);
+
 	ctrl = _pam_parse(pamh, flags, argc, argv, &d);
 	if (ctrl == -1) {
 		ret = PAM_SYSTEM_ERR;
@@ -1862,7 +1866,6 @@
 	 */
 
 	if (flags & PAM_PRELIM_CHECK) {
-		struct winbindd_response response;
 		time_t pwdlastset_prelim = 0;
 		
 		/* instruct user what is happening */
@@ -1901,20 +1904,7 @@
 		    ret != PAM_NEW_AUTHTOK_REQD &&
 		    ret != PAM_SUCCESS) {
 			pass_old = NULL;
-			if (d) {
-				iniparser_freedict(d);
-			}
-			/* Deal with offline errors. */
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_NO_LOGON_SERVERS");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_ACCESS_DENIED");
-			return ret;
+			goto out;
 		}
 		
 		pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET, (void *)pwdlastset_prelim, NULL);
@@ -1998,30 +1988,32 @@
 		/* just in case we need krb5 creds after a password change over msrpc */
 
 		if (ctrl & WINBIND_KRB5_AUTH) {
-			struct winbindd_response response;
 
 			const char *member = get_member_from_config(pamh, argc, argv, ctrl, d);
 			const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
 
 			ret = winbind_auth_request(pamh, ctrl, user, pass_new,
-							member, cctype, &response, NULL, NULL);
+							member, cctype, &response, NULL, &username_ret);
 			_pam_overwrite(pass_new);
 			_pam_overwrite(pass_old);
 			pass_old = pass_new = NULL;
-			if (d) {
-				iniparser_freedict(d);
+
+			if (ret == PAM_SUCCESS) {
+			
+				/* set some info3 info for other modules in the stack */
+				_pam_set_data_info3(pamh, ctrl, &response);
+
+				/* put krb5ccname into env */
+				_pam_setup_krb5_env(pamh, ctrl, response.data.auth.krb5ccname);
+
+				if (username_ret) {
+					pam_set_item (pamh, PAM_USER, username_ret);
+					_pam_log_debug(pamh, ctrl, LOG_INFO, "Returned user was '%s'", username_ret);
+					free(username_ret);
+				}
 			}
-			/* Deal with offline errors. */
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_NO_LOGON_SERVERS");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_ACCESS_DENIED");
-			return ret;
+
+			goto out;
 		}
 	} else {
 		ret = PAM_SERVICE_ERR;
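Review bot: `username_ret` is released only inside the `if (ret == PAM_SUCCESS)` block, so if `winbind_auth_request()` can fill it in and still return an error (its body is not visible here), the string leaks on the failure path. Since the variable is now function-scoped and initialised to NULL, `free(username_ret);` could move outside the success check, just before `goto out;`. The result of `pam_set_item (pamh, PAM_USER, username_ret)` is also discarded, so a failed PAM_USER update is still logged as "Returned user was ..."; checking for `PAM_SUCCESS` before the `_pam_log_debug` call would keep the log accurate. The matching hunk for branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c has the same shape, and the enclosing function starts and ends outside this hunk.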
@@ -2032,6 +2024,11 @@
 		iniparser_freedict(d);
 	}
 
+	/* Deal with offline errors. */
+	PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_NO_LOGON_SERVERS");
+	PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
+	PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_ACCESS_DENIED");
+
 	_PAM_LOG_FUNCTION_LEAVE("pam_sm_chauthtok", pamh, ctrl, ret);
 	
 	return ret;
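Review bot: The three `PAM_WB_REMARK_CHECK_RESPONSE` calls now run on every exit that reaches this cleanup, including paths where no winbind request ever filled `response`, and nothing here says why that is safe. It appears to depend on the `ZERO_STRUCT(response)` added at the top of the function leaving `nt_status_string` empty, so a comment such as `/* response is zeroed at entry; these are no-ops unless a winbind request set an NT status */` would protect that assumption from later edits. The existing comment says "offline errors" although `NT_STATUS_ACCESS_DENIED` is checked too. In the SAMBA_3_0_25 copy of this hunk the three added lines are indented with a space before the tab. The `out` label itself is outside the visible lines.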

Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.h
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.h	2007-02-05 17:28:55 UTC (rev 21158)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.h	2007-02-05 17:35:25 UTC (rev 21159)
@@ -133,7 +133,23 @@
 	_make_remark(h, f, PAM_ERROR_MSG, x);\
 	return ret;\
 };
-	
+
+#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
+{\
+	const char *ntstatus = x.data.auth.nt_status_string; \
+	const char *error_string = NULL; \
+	if (!strcasecmp(ntstatus,y)) {\
+		error_string = _get_ntstatus_error_string(y);\
+		if (error_string != NULL) {\
+			_make_remark(h, f, PAM_ERROR_MSG, error_string);\
+		};\
+		if (x.data.auth.error_string[0] != '\0') {\
+			_make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
+		};\
+		_make_remark(h, f, PAM_ERROR_MSG, y);\
+	};\
+};
+
 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
 {\
 	const char *ntstatus = x.data.auth.nt_status_string; \
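Review bot: When the status matches, the new `PAM_WB_REMARK_CHECK_RESPONSE` can send up to three PAM_ERROR_MSG remarks for a single failure, because the final `_make_remark(h, f, PAM_ERROR_MSG, y);` is unconditional and the two `if` blocks before it do not exclude each other. If only the most specific message is wanted (the `_RET` variant is only partly visible here, but presumably stops after its first remark), chain them with `} else if (x.data.auth.error_string[0] != '\0') {` and `} else {` in front of the raw status name. The body is also a bare `{ ... };` block, which misparses in an unbraced `if`/`else`; `do { ... } while (0)` with `(x)` parenthesised is the safer form. The identical macro added to branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.h has the same issues.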

Modified: branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c	2007-02-05 17:28:55 UTC (rev 21158)
+++ branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c	2007-02-05 17:35:25 UTC (rev 21159)
@@ -1537,7 +1537,11 @@
 	
 	int retry = 0;
 	dictionary *d = NULL;
+	char *username_ret = NULL;
+	struct winbindd_response response;
 
+	ZERO_STRUCT(response);
+
 	ctrl = _pam_parse(pamh, flags, argc, argv, &d);
 	if (ctrl == -1) {
 		ret = PAM_SYSTEM_ERR;
@@ -1586,7 +1590,6 @@
 	 */
 
 	if (flags & PAM_PRELIM_CHECK) {
-		struct winbindd_response response;
 		time_t pwdlastset_prelim = 0;
 		
 		/* instruct user what is happening */
@@ -1625,20 +1628,7 @@
 		    ret != PAM_NEW_AUTHTOK_REQD &&
 		    ret != PAM_SUCCESS) {
 			pass_old = NULL;
-			if (d) {
-				iniparser_freedict(d);
-			}
-			/* Deal with offline errors. */
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_NO_LOGON_SERVERS");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_ACCESS_DENIED");
-			return ret;
+			goto out;
 		}
 		
 		pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET, (void *)pwdlastset_prelim, NULL);
@@ -1722,30 +1712,32 @@
 		/* just in case we need krb5 creds after a password change over msrpc */
 
 		if (ctrl & WINBIND_KRB5_AUTH) {
-			struct winbindd_response response;
 
 			const char *member = get_member_from_config(pamh, argc, argv, ctrl, d);
 			const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
 
 			ret = winbind_auth_request(pamh, ctrl, user, pass_new,
-							member, cctype, &response, NULL, NULL);
+							member, cctype, &response, NULL, &username_ret);
 			_pam_overwrite(pass_new);
 			_pam_overwrite(pass_old);
 			pass_old = pass_new = NULL;
-			if (d) {
-				iniparser_freedict(d);
+
+			if (ret == PAM_SUCCESS) {
+			
+				/* set some info3 info for other modules in the stack */
+				_pam_set_data_info3(pamh, ctrl, &response);
+
+				/* put krb5ccname into env */
+				_pam_setup_krb5_env(pamh, ctrl, response.data.auth.krb5ccname);
+
+				if (username_ret) {
+					pam_set_item (pamh, PAM_USER, username_ret);
+					_pam_log_debug(pamh, ctrl, LOG_INFO, "Returned user was '%s'", username_ret);
+					free(username_ret);
+				}
 			}
-			/* Deal with offline errors. */
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_NO_LOGON_SERVERS");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
-			PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl,
-						response,
-						"NT_STATUS_ACCESS_DENIED");
-			return ret;
+
+			goto out;
 		}
 	} else {
 		ret = PAM_SERVICE_ERR;
@@ -1755,6 +1747,12 @@
 	if (d) {
 		iniparser_freedict(d);
 	}
+
+	/* Deal with offline errors. */
+ 	PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_NO_LOGON_SERVERS");
+ 	PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
+ 	PAM_WB_REMARK_CHECK_RESPONSE(pamh, ctrl, response, "NT_STATUS_ACCESS_DENIED");
+
 	return ret;
 }
 

Modified: branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.h
===================================================================
--- branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.h	2007-02-05 17:28:55 UTC (rev 21158)
+++ branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.h	2007-02-05 17:35:25 UTC (rev 21159)
@@ -132,7 +132,23 @@
 	_make_remark(h, f, PAM_ERROR_MSG, x);\
 	return ret;\
 };
-	
+
+#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
+{\
+	const char *ntstatus = x.data.auth.nt_status_string; \
+	const char *error_string = NULL; \
+	if (!strcasecmp(ntstatus,y)) {\
+		error_string = _get_ntstatus_error_string(y);\
+		if (error_string != NULL) {\
+			_make_remark(h, f, PAM_ERROR_MSG, error_string);\
+		};\
+		if (x.data.auth.error_string[0] != '\0') {\
+			_make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
+		};\
+		_make_remark(h, f, PAM_ERROR_MSG, y);\
+	};\
+};
+
 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
 {\
 	const char *ntstatus = x.data.auth.nt_status_string; \


