svn commit: samba r21318 - in branches: SAMBA_3_0/source/nsswitch
SAMBA_3_0_25/source/nsswitch
gd at samba.org
gd at samba.org
Tue Feb 13 15:56:09 GMT 2007
Author: gd
Date: 2007-02-13 15:56:09 +0000 (Tue, 13 Feb 2007)
New Revision: 21318
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21318
Log:
Fix Bug #4225.
Cached logon with pam_winbind should work now also for NT4 and samba3
domains.
Guenther
Modified:
branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c
branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c
Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c 2007-02-13 15:20:44 UTC (rev 21317)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c 2007-02-13 15:56:09 UTC (rev 21318)
@@ -1029,14 +1029,9 @@
request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
- if (ctrl & WINBIND_KRB5_AUTH) {
-
+ if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
struct passwd *pwd = NULL;
- _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
-
- request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5;
-
pwd = getpwnam(user);
if (pwd == NULL) {
return PAM_USER_UNKNOWN;
@@ -1044,6 +1039,13 @@
request.data.auth.uid = pwd->pw_uid;
}
+ if (ctrl & WINBIND_KRB5_AUTH) {
+
+ _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
+
+ request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5;
+ }
+
if (ctrl & WINBIND_CACHED_LOGIN) {
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling cached login flag\n");
request.flags |= WBFLAG_PAM_CACHED_LOGIN;
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2007-02-13 15:20:44 UTC (rev 21317)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2007-02-13 15:56:09 UTC (rev 21318)
@@ -866,15 +866,12 @@
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
- /* The info3 acct_flags in NT4's samlogon reply don't have
- * ACB_NORMAL set. */
-#if 0
if (!(my_info3->acct_flags & ACB_NORMAL)) {
- DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
+ DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
my_info3->acct_flags));
return NT_STATUS_LOGON_FAILURE;
}
-#endif
+
kickoff_time = nt_time_to_unix(my_info3->kickoff_time);
if (kickoff_time != 0 && time(NULL) > kickoff_time) {
return NT_STATUS_ACCOUNT_EXPIRED;
@@ -1242,6 +1239,65 @@
} while ( (attempts < 2) && retry );
+ /* handle the case where a NT4 DC does not fill in the acct_flags in
+ * the samlogon reply info3. When accurate info3 is required by the
+ * caller, we look up the account flags ourselve - gd */
+
+ if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
+ (my_info3->acct_flags == 0) && NT_STATUS_IS_OK(result)) {
+
+ struct rpc_pipe_client *samr_pipe;
+ POLICY_HND samr_domain_handle, user_pol;
+ SAM_USERINFO_CTR *user_ctr;
+ NTSTATUS status_tmp;
+ uint32 acct_flags;
+
+ ZERO_STRUCT(user_ctr);
+
+ status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
+ &samr_pipe, &samr_domain_handle);
+
+ if (!NT_STATUS_IS_OK(status_tmp)) {
+ DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
+ nt_errstr(status_tmp)));
+ goto done;
+ }
+
+ status_tmp = rpccli_samr_open_user(samr_pipe, state->mem_ctx,
+ &samr_domain_handle,
+ MAXIMUM_ALLOWED_ACCESS,
+ my_info3->user_rid, &user_pol);
+
+ if (!NT_STATUS_IS_OK(status_tmp)) {
+ DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
+ nt_errstr(status_tmp)));
+ goto done;
+ }
+
+ status_tmp = rpccli_samr_query_userinfo(samr_pipe, state->mem_ctx,
+ &user_pol, 16, &user_ctr);
+
+ if (!NT_STATUS_IS_OK(status_tmp)) {
+ DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
+ nt_errstr(status_tmp)));
+ rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
+ goto done;
+ }
+
+ acct_flags = user_ctr->info.id16->acb_info;
+
+ if (acct_flags == 0) {
+ rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
+ goto done;
+ }
+
+ my_info3->acct_flags = acct_flags;
+
+ DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
+
+ rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
+ }
+
*info3 = my_info3;
done:
return result;
Modified: branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c 2007-02-13 15:20:44 UTC (rev 21317)
+++ branches/SAMBA_3_0_25/source/nsswitch/pam_winbind.c 2007-02-13 15:56:09 UTC (rev 21318)
@@ -1029,14 +1029,9 @@
request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
- if (ctrl & WINBIND_KRB5_AUTH) {
-
+ if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
struct passwd *pwd = NULL;
- _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
-
- request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5;
-
pwd = getpwnam(user);
if (pwd == NULL) {
return PAM_USER_UNKNOWN;
@@ -1044,6 +1039,13 @@
request.data.auth.uid = pwd->pw_uid;
}
+ if (ctrl & WINBIND_KRB5_AUTH) {
+
+ _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
+
+ request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5;
+ }
+
if (ctrl & WINBIND_CACHED_LOGIN) {
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling cached login flag\n");
request.flags |= WBFLAG_PAM_CACHED_LOGIN;
Modified: branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c 2007-02-13 15:20:44 UTC (rev 21317)
+++ branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c 2007-02-13 15:56:09 UTC (rev 21318)
@@ -866,15 +866,12 @@
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
- /* The info3 acct_flags in NT4's samlogon reply don't have
- * ACB_NORMAL set. */
-#if 0
if (!(my_info3->acct_flags & ACB_NORMAL)) {
- DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
+ DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
my_info3->acct_flags));
return NT_STATUS_LOGON_FAILURE;
}
-#endif
+
kickoff_time = nt_time_to_unix(my_info3->kickoff_time);
if (kickoff_time != 0 && time(NULL) > kickoff_time) {
return NT_STATUS_ACCOUNT_EXPIRED;
@@ -1242,6 +1239,65 @@
} while ( (attempts < 2) && retry );
+ /* handle the case where a NT4 DC does not fill in the acct_flags in
+ * the samlogon reply info3. When accurate info3 is required by the
+ * caller, we look up the account flags ourselve - gd */
+
+ if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
+ (my_info3->acct_flags == 0) && NT_STATUS_IS_OK(result)) {
+
+ struct rpc_pipe_client *samr_pipe;
+ POLICY_HND samr_domain_handle, user_pol;
+ SAM_USERINFO_CTR *user_ctr;
+ NTSTATUS status_tmp;
+ uint32 acct_flags;
+
+ ZERO_STRUCT(user_ctr);
+
+ status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
+ &samr_pipe, &samr_domain_handle);
+
+ if (!NT_STATUS_IS_OK(status_tmp)) {
+ DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
+ nt_errstr(status_tmp)));
+ goto done;
+ }
+
+ status_tmp = rpccli_samr_open_user(samr_pipe, state->mem_ctx,
+ &samr_domain_handle,
+ MAXIMUM_ALLOWED_ACCESS,
+ my_info3->user_rid, &user_pol);
+
+ if (!NT_STATUS_IS_OK(status_tmp)) {
+ DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
+ nt_errstr(status_tmp)));
+ goto done;
+ }
+
+ status_tmp = rpccli_samr_query_userinfo(samr_pipe, state->mem_ctx,
+ &user_pol, 16, &user_ctr);
+
+ if (!NT_STATUS_IS_OK(status_tmp)) {
+ DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
+ nt_errstr(status_tmp)));
+ rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
+ goto done;
+ }
+
+ acct_flags = user_ctr->info.id16->acb_info;
+
+ if (acct_flags == 0) {
+ rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
+ goto done;
+ }
+
+ my_info3->acct_flags = acct_flags;
+
+ DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
+
+ rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
+ }
+
*info3 = my_info3;
done:
return result;
More information about the samba-cvs
mailing list