svn commit: samba r20687 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_24/source/nsswitch

gd at samba.org gd at samba.org
Thu Jan 11 15:41:03 GMT 2007


Author: gd
Date: 2007-01-11 15:41:02 +0000 (Thu, 11 Jan 2007)
New Revision: 20687

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20687

Log:
Implement grace logons for offline authentications in pam_winbind.

In case a user authenticated successfully and his password just expired
while being disconnected, we should allow the user to log on (given a
clear warning). We currently force the user into a password change
dialogue in that scenario; this does not make much sense while offline.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.h
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.h
   branches/SAMBA_3_0_24/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2007-01-11 14:21:23 UTC (rev 20686)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2007-01-11 15:41:02 UTC (rev 20687)
@@ -420,6 +420,11 @@
 		return;
 	}
 
+	/* no point in sending a warning if this is a grace logon */
+	if (PAM_WB_GRACE_LOGON(response->data.auth.info3.user_flgs)) {
+		return;
+	}
+
 	/* check if the info3 must change timestamp has been set */
 	next_change = response->data.auth.info3.pass_must_change_time;
 
@@ -586,6 +591,7 @@
 	/* handle the case where the auth was ok, but the password must expire right now */
 	/* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
 	if ( ! (response.data.auth.info3.acct_flags & ACB_PWNOEXP) &&
+	     ! (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) &&
 	    (response.data.auth.policy.expire > 0) && 
 	    (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) {
 
@@ -604,9 +610,20 @@
 	/* warn a user if the password is about to expire soon */
 	_pam_warn_password_expires_in_future(pamh, &response);
 
-	if (response.data.auth.info3.user_flgs & LOGON_CACHED_ACCOUNT) {
-		_make_remark(pamh, PAM_ERROR_MSG, "Logging on using cached account. Network ressources can be unavailable");
-		_pam_log_debug(pamh, ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user);
+	/* inform about logon type */
+	if (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) {
+
+		_make_remark(pamh, PAM_ERROR_MSG, 
+			"Grace login. Please change your password as soon you're online again");
+		_pam_log_debug(pamh, ctrl, LOG_DEBUG,
+			"User %s logged on using grace logon\n", user);
+
+	} else if (PAM_WB_CACHED_LOGON(response.data.auth.info3.user_flgs)) {
+
+		_make_remark(pamh, PAM_ERROR_MSG, 
+			"Logging on using cached account. Network ressources can be unavailable");
+		_pam_log_debug(pamh, ctrl, LOG_DEBUG,
+			"User %s logged on using cached account\n", user);
 	}
 
 	/* save the CIFS homedir for pam_cifs / pam_mount */
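Review bot: The new user-facing message on the grace branch has a grammar slip, "as soon you're online again", and the same text is repeated in the SAMBA_3_0_24 hunk at the same place; it should read `"Grace login. Please change your password as soon as you're online again"`. The cached-account message carried over from the removed lines keeps the existing "ressources" spelling, which is worth fixing while the line is being rewritten anyway. Both notices are emitted as PAM_ERROR_MSG although they are informational; that follows the previous code's convention, so it is a style observation rather than a defect. The enclosing function starts and ends outside the hunk.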

Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.h
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.h	2007-01-11 14:21:23 UTC (rev 20686)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.h	2007-01-11 15:41:02 UTC (rev 20687)
@@ -164,4 +164,7 @@
 
 /* from include/rpc_netlogon.h */
 #define LOGON_CACHED_ACCOUNT		0x00000004
+#define LOGON_GRACE_LOGON		0x01000000
 
+#define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT)
+#define PAM_WB_GRACE_LOGON(x)  ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON)))
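Review bot: Neither new macro parenthesizes its argument, so PAM_WB_CACHED_LOGON expands its `x` bare into `x & LOGON_CACHED_ACCOUNT` and PAM_WB_GRACE_LOGON does the same inside its comparison; any caller passing a compound expression will bind it incorrectly. The safe form is `#define PAM_WB_CACHED_LOGON(x) ((x) & LOGON_CACHED_ACCOUNT)` and, on the next line, `((x) & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON))` for the masked operand. The same two lines appear in the SAMBA_3_0_24 header hunk. The added LOGON_GRACE_LOGON value sits under the "from include/rpc_netlogon.h" comment; presumably it was copied from there, which is worth confirming so the two definitions cannot drift.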

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2007-01-11 14:21:23 UTC (rev 20686)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2007-01-11 15:41:02 UTC (rev 20687)
@@ -826,26 +826,12 @@
 
 		must_change_time = nt_time_to_unix(my_info3->pass_must_change_time);
 		if (must_change_time != 0 && must_change_time < time(NULL)) {
-			return NT_STATUS_PASSWORD_EXPIRED;
+			/* we allow grace logons when the password has expired */
+			my_info3->user_flgs |= LOGON_GRACE_LOGON;
+			/* return NT_STATUS_PASSWORD_EXPIRED; */
+			goto success;
 		}
 	
-		/* FIXME: we possibly should handle logon hours as well (does xp when
-		 * offline?) see auth/auth_sam.c:sam_account_ok for details */
-
-		unix_to_nt_time(&my_info3->logon_time, time(NULL));
-		my_info3->bad_pw_count = 0;
-
-		result = winbindd_update_creds_by_info3(domain,
-							state->mem_ctx,
-							state->request.data.auth.user,
-							state->request.data.auth.pass,
-							my_info3);
-		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
-				nt_errstr(result)));
-			return result;
-		}
-
 #ifdef HAVE_KRB5
 		/* FIXME: what else points out that the remote domain is AD ? */
 		if (!strequal(domain->name, domain->alt_name) &&
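Review bot: Granting the grace logon leaves no trace in the daemon log, so a host that keeps accepting an expired cached credential while offline cannot be told apart from a normal cached logon at this level; a DEBUG line next to the flag, `DEBUG(3,("winbindd_dual_pam_auth_cached: password expired, granting grace logon for %s\n", state->request.data.auth.user));`, would make that visible, and the commented-out `/* return NT_STATUS_PASSWORD_EXPIRED; */` line should simply be deleted rather than kept as dead code. Nothing in the hunk bounds how many grace logons are permitted or records that one was consumed, so the grace period is effectively unlimited until the host reconnects; if a cap is intended, it needs a counter in the cached credentials, which I cannot see from here. The jump to `success:` also bypasses the HAVE_KRB5 block that follows; that looks deliberate for an expired password but is worth a one-line comment stating so. The same change appears in the SAMBA_3_0_24 hunk, and the enclosing function starts and ends outside this hunk.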
@@ -909,6 +895,24 @@
 			}
 		}
 #endif /* HAVE_KRB5 */
+ success:
+		/* FIXME: we possibly should handle logon hours as well (does xp when
+		 * offline?) see auth/auth_sam.c:sam_account_ok for details */
+
+		unix_to_nt_time(&my_info3->logon_time, time(NULL));
+		my_info3->bad_pw_count = 0;
+
+		result = winbindd_update_creds_by_info3(domain,
+							state->mem_ctx,
+							state->request.data.auth.user,
+							state->request.data.auth.pass,
+							my_info3);
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
+				nt_errstr(result)));
+			return result;
+		}
+
 		return NT_STATUS_OK;
 
 	}

Modified: branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.c	2007-01-11 14:21:23 UTC (rev 20686)
+++ branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.c	2007-01-11 15:41:02 UTC (rev 20687)
@@ -420,6 +420,11 @@
 		return;
 	}
 
+	/* no point in sending a warning if this is a grace logon */
+	if (PAM_WB_GRACE_LOGON(response->data.auth.info3.user_flgs)) {
+		return;
+	}
+
 	/* check if the info3 must change timestamp has been set */
 	next_change = response->data.auth.info3.pass_must_change_time;
 
@@ -586,6 +591,7 @@
 	/* handle the case where the auth was ok, but the password must expire right now */
 	/* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
 	if ( ! (response.data.auth.info3.acct_flags & ACB_PWNOEXP) &&
+	     ! (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) &&
 	    (response.data.auth.policy.expire > 0) && 
 	    (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) {
 
@@ -604,9 +610,20 @@
 	/* warn a user if the password is about to expire soon */
 	_pam_warn_password_expires_in_future(pamh, &response);
 
-	if (response.data.auth.info3.user_flgs & LOGON_CACHED_ACCOUNT) {
-		_make_remark(pamh, PAM_ERROR_MSG, "Logging on using cached account. Network ressources can be unavailable");
-		_pam_log_debug(pamh, ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user);
+	/* inform about logon type */
+	if (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) {
+
+		_make_remark(pamh, PAM_ERROR_MSG, 
+			"Grace login. Please change your password as soon you're online again");
+		_pam_log_debug(pamh, ctrl, LOG_DEBUG,
+			"User %s logged on using grace logon\n", user);
+
+	} else if (PAM_WB_CACHED_LOGON(response.data.auth.info3.user_flgs)) {
+
+		_make_remark(pamh, PAM_ERROR_MSG, 
+			"Logging on using cached account. Network ressources can be unavailable");
+		_pam_log_debug(pamh, ctrl, LOG_DEBUG,
+			"User %s logged on using cached account\n", user);
 	}
 
 	/* save the CIFS homedir for pam_cifs / pam_mount */

Modified: branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.h
===================================================================
--- branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.h	2007-01-11 14:21:23 UTC (rev 20686)
+++ branches/SAMBA_3_0_24/source/nsswitch/pam_winbind.h	2007-01-11 15:41:02 UTC (rev 20687)
@@ -164,4 +164,7 @@
 
 /* from include/rpc_netlogon.h */
 #define LOGON_CACHED_ACCOUNT		0x00000004
+#define LOGON_GRACE_LOGON		0x01000000
 
+#define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT)
+#define PAM_WB_GRACE_LOGON(x)  ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON)))

Modified: branches/SAMBA_3_0_24/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0_24/source/nsswitch/winbindd_pam.c	2007-01-11 14:21:23 UTC (rev 20686)
+++ branches/SAMBA_3_0_24/source/nsswitch/winbindd_pam.c	2007-01-11 15:41:02 UTC (rev 20687)
@@ -826,26 +826,12 @@
 
 		must_change_time = nt_time_to_unix(my_info3->pass_must_change_time);
 		if (must_change_time != 0 && must_change_time < time(NULL)) {
-			return NT_STATUS_PASSWORD_EXPIRED;
+			/* we allow grace logons when the password has expired */
+			my_info3->user_flgs |= LOGON_GRACE_LOGON;
+			/* return NT_STATUS_PASSWORD_EXPIRED; */
+			goto success;
 		}
 	
-		/* FIXME: we possibly should handle logon hours as well (does xp when
-		 * offline?) see auth/auth_sam.c:sam_account_ok for details */
-
-		unix_to_nt_time(&my_info3->logon_time, time(NULL));
-		my_info3->bad_pw_count = 0;
-
-		result = winbindd_update_creds_by_info3(domain,
-							state->mem_ctx,
-							state->request.data.auth.user,
-							state->request.data.auth.pass,
-							my_info3);
-		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
-				nt_errstr(result)));
-			return result;
-		}
-
 #ifdef HAVE_KRB5
 		/* FIXME: what else points out that the remote domain is AD ? */
 		if (!strequal(domain->name, domain->alt_name) &&
@@ -909,6 +895,24 @@
 			}
 		}
 #endif /* HAVE_KRB5 */
+ success:
+		/* FIXME: we possibly should handle logon hours as well (does xp when
+		 * offline?) see auth/auth_sam.c:sam_account_ok for details */
+
+		unix_to_nt_time(&my_info3->logon_time, time(NULL));
+		my_info3->bad_pw_count = 0;
+
+		result = winbindd_update_creds_by_info3(domain,
+							state->mem_ctx,
+							state->request.data.auth.user,
+							state->request.data.auth.pass,
+							my_info3);
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
+				nt_errstr(result)));
+			return result;
+		}
+
 		return NT_STATUS_OK;
 
 	}


