[SCM] Samba Shared Repository - branch v3-3-test updated -
release-3-2-0pre2-3782-g2985eeb
Günther Deschner
gd at samba.org
Thu Aug 21 10:26:15 GMT 2008
The branch, v3-3-test has been updated
via 2985eebbecd6da17ed628e01664b1cad08ab3285 (commit)
via 25417a1af56236807b0be70fb8b1237ebdbb0f45 (commit)
via 29a2b8d585863e449ee09aca38fea122f9386f4f (commit)
via ba3a68e17ba991b173925fb45e8db6aaa17a6bf9 (commit)
via 135e1d72ccfee32665ff3686147ea67ef7b7ef64 (commit)
via fd65b8a4312c5672a29ccbd8c72f363d078c1f89 (commit)
via 9d35ad449dd5be133490e131c848184b9b3dd84f (commit)
via 8f84afadf2ade599294d37d1c87e1f62801e1975 (commit)
via 88b9737fe31d60916a34b8c7e9191be34b44b26c (commit)
via 4522e687e91da043de1da23c284a4814ccda547c (commit)
from 1d87a36cb08f1aca093164d7ddb9ba1f077ebf61 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test
- Log -----------------------------------------------------------------
commit 2985eebbecd6da17ed628e01664b1cad08ab3285
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 18:03:13 2008 +0200
winbindd: consistently use false/true.
Guenther
(cherry picked from commit e8619121d16d086f1ab186051d0ecdc83c02e5b5)
commit 25417a1af56236807b0be70fb8b1237ebdbb0f45
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 18:31:35 2008 +0200
winbindd: use set_auth_errors (avoid code duplication).
Guenther
(cherry picked from commit ae35a5110ea03d8ff27f320cdc685e5623715a2a)
commit 29a2b8d585863e449ee09aca38fea122f9386f4f
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 18:31:10 2008 +0200
winbindd: fill_in_password_policy (to avoid redundant code).
Guenther
(cherry picked from commit dbfa7ba14c9f1a4d7a1e7205dd0b3ea2fc2e6131)
commit ba3a68e17ba991b173925fb45e8db6aaa17a6bf9
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 16:19:54 2008 +0200
pam_winbind: some doxygen fixes.
Guenther
(cherry picked from commit f2a2ed315e393353110aa7760b4eca4f1f49ca21)
commit 135e1d72ccfee32665ff3686147ea67ef7b7ef64
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 15:09:12 2008 +0200
wbinfo: use wbinfo_prompt_pass() everywhere.
Guenther
(cherry picked from commit 687ef28874eb311b3e3919c3a38a22e5186d4c1b)
commit fd65b8a4312c5672a29ccbd8c72f363d078c1f89
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 15:32:37 2008 +0200
wbinfo: add wbinfo_prompt_pass.
Guenther
(cherry picked from commit 7cf6ed68236e7dd64657cb1087a5a687d6f59ad1)
commit 9d35ad449dd5be133490e131c848184b9b3dd84f
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 14 20:56:47 2008 +0200
pam_winbind: use pam error string function to display result.
Guenther
(cherry picked from commit 8504a92ac55d6936df051be66207a59a76bf32a3)
commit 8f84afadf2ade599294d37d1c87e1f62801e1975
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 14 17:40:26 2008 +0200
pam_winbind: add _pam_error_code_str().
Guenther
(cherry picked from commit 693f90fd2394309ce40d3ca5fc007543058b342a)
commit 88b9737fe31d60916a34b8c7e9191be34b44b26c
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 14 13:07:51 2008 +0200
pam_winbind: use integer constants.
Guenther
(cherry picked from commit 8d19b2ceb131ca2a0fd983cdb4fd17acdad9c26e)
commit 4522e687e91da043de1da23c284a4814ccda547c
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 01:18:24 2008 +0200
winbindd: kill some trailing/leading whitespace.
Guenther
(cherry picked from commit b5bb7844952a87b123551b478b60bfe232afc308)
-----------------------------------------------------------------------
Summary of changes:
source/nsswitch/pam_winbind.c | 111 ++++++++---
source/nsswitch/pam_winbind.h | 28 ++--
source/nsswitch/wbinfo.c | 66 ++++--
source/winbindd/winbindd_pam.c | 440 +++++++++++++++++++---------------------
4 files changed, 351 insertions(+), 294 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 95b3d23..c28c5d2 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -12,6 +12,78 @@
#include "pam_winbind.h"
+static const char *_pam_error_code_str(int err)
+{
+ switch (err) {
+ case PAM_SUCCESS:
+ return "PAM_SUCCESS";
+ case PAM_OPEN_ERR:
+ return "PAM_OPEN_ERR";
+ case PAM_SYMBOL_ERR:
+ return "PAM_SYMBOL_ERR";
+ case PAM_SERVICE_ERR:
+ return "PAM_SERVICE_ERR";
+ case PAM_SYSTEM_ERR:
+ return "PAM_SYSTEM_ERR";
+ case PAM_BUF_ERR:
+ return "PAM_BUF_ERR";
+ case PAM_PERM_DENIED:
+ return "PAM_PERM_DENIED";
+ case PAM_AUTH_ERR:
+ return "PAM_AUTH_ERR";
+ case PAM_CRED_INSUFFICIENT:
+ return "PAM_CRED_INSUFFICIENT";
+ case PAM_AUTHINFO_UNAVAIL:
+ return "PAM_AUTHINFO_UNAVAIL";
+ case PAM_USER_UNKNOWN:
+ return "PAM_USER_UNKNOWN";
+ case PAM_MAXTRIES:
+ return "PAM_MAXTRIES";
+ case PAM_NEW_AUTHTOK_REQD:
+ return "PAM_NEW_AUTHTOK_REQD";
+ case PAM_ACCT_EXPIRED:
+ return "PAM_ACCT_EXPIRED";
+ case PAM_SESSION_ERR:
+ return "PAM_SESSION_ERR";
+ case PAM_CRED_UNAVAIL:
+ return "PAM_CRED_UNAVAIL";
+ case PAM_CRED_EXPIRED:
+ return "PAM_CRED_EXPIRED";
+ case PAM_CRED_ERR:
+ return "PAM_CRED_ERR";
+ case PAM_NO_MODULE_DATA:
+ return "PAM_NO_MODULE_DATA";
+ case PAM_CONV_ERR:
+ return "PAM_CONV_ERR";
+ case PAM_AUTHTOK_ERR:
+ return "PAM_AUTHTOK_ERR";
+ case PAM_AUTHTOK_RECOVERY_ERR:
+ return "PAM_AUTHTOK_RECOVERY_ERR";
+ case PAM_AUTHTOK_LOCK_BUSY:
+ return "PAM_AUTHTOK_LOCK_BUSY";
+ case PAM_AUTHTOK_DISABLE_AGING:
+ return "PAM_AUTHTOK_DISABLE_AGING";
+ case PAM_TRY_AGAIN:
+ return "PAM_TRY_AGAIN";
+ case PAM_IGNORE:
+ return "PAM_IGNORE";
+ case PAM_ABORT:
+ return "PAM_ABORT";
+ case PAM_AUTHTOK_EXPIRED:
+ return "PAM_AUTHTOK_EXPIRED";
+ case PAM_MODULE_UNKNOWN:
+ return "PAM_MODULE_UNKNOWN";
+ case PAM_BAD_ITEM:
+ return "PAM_BAD_ITEM";
+ case PAM_CONV_AGAIN:
+ return "PAM_CONV_AGAIN";
+ case PAM_INCOMPLETE:
+ return "PAM_INCOMPLETE";
+ default:
+ return NULL;
+ }
+}
+
#define _PAM_LOG_FUNCTION_ENTER(function, ctx) \
do { \
_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] ENTER: " \
@@ -22,7 +94,8 @@
#define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \
do { \
_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \
- function " returning %d", ctx->pamh, retval); \
+ function " returning %d (%s)", ctx->pamh, retval, \
+ _pam_error_code_str(retval)); \
_pam_log_state(ctx); \
} while (0)
@@ -698,8 +771,7 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
/**
* send a password expiry message if required
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param next_change expected (calculated) next expiry date.
* @param already_expired pointer to a boolean to indicate if the password is
* already expired.
@@ -760,8 +832,7 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
/**
* Send a warning if the password expires in the near future
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param response The full authentication response structure.
* @param already_expired boolean, is the pwd already expired?
*
@@ -850,8 +921,7 @@ static bool safe_append_string(char *dest,
/**
* Convert a names into a SID string, appending it to a buffer.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param user User in PAM request.
* @param name Name to convert.
* @param sid_list_buffer Where to append the string sid.
@@ -906,8 +976,7 @@ static bool winbind_name_to_sid_string(struct pwb_context *ctx,
/**
* Convert a list of names into a list of sids.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param user User in PAM request.
* @param name_list List of names or string sids, separated by commas.
* @param sid_list_buffer Where to put the list of string sids.
@@ -971,8 +1040,7 @@ out:
/**
* put krb5ccname variable into environment
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param krb5ccname env variable retrieved from winbindd.
*
* @return void.
@@ -1010,8 +1078,7 @@ static void _pam_setup_krb5_env(struct pwb_context *ctx,
/**
* Set string into the PAM stack.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param data_name Key name for pam_set_data.
* @param value String value.
*
@@ -1042,8 +1109,7 @@ static void _pam_set_data_string(struct pwb_context *ctx,
/**
* Set info3 strings into the PAM stack.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param data_name Key name for pam_set_data.
* @param value String value.
*
@@ -1082,8 +1148,7 @@ static void _pam_free_data_info3(pam_handle_t *pamh)
/**
* Send PAM_ERROR_MSG for cached or grace logons.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param username User in PAM request.
* @param info3_user_flgs Info3 flags containing logon type bits.
*
@@ -1120,8 +1185,7 @@ static void _pam_warn_logon_type(struct pwb_context *ctx,
/**
* Send PAM_ERROR_MSG for krb5 errors.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param username User in PAM request.
* @param info3_user_flgs Info3 flags containing logon type bits.
*
@@ -1869,8 +1933,7 @@ static int get_warn_pwd_expire_from_config(struct pwb_context *ctx)
/**
* Retrieve the winbind separator.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
*
* @return string separator character. NULL on failure.
*/
@@ -1894,8 +1957,7 @@ static char winbind_get_separator(struct pwb_context *ctx)
/**
* Convert a upn to a name.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param upn USer UPN to be trabslated.
*
* @return converted name. NULL pointer on failure. Caller needs to free.
@@ -2370,8 +2432,7 @@ out:
* evaluate whether we need to re-authenticate with kerberos after a
* password change
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param user The username
*
* @return boolean Returns true if required, false if not.
diff --git a/source/nsswitch/pam_winbind.h b/source/nsswitch/pam_winbind.h
index be17a6f..c8c1910 100644
--- a/source/nsswitch/pam_winbind.h
+++ b/source/nsswitch/pam_winbind.h
@@ -83,20 +83,20 @@ do { \
#include <security/pam_ext.h>
#endif
-#define WINBIND_DEBUG_ARG (1<<0)
-#define WINBIND_USE_AUTHTOK_ARG (1<<1)
-#define WINBIND_UNKNOWN_OK_ARG (1<<2)
-#define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
-#define WINBIND_USE_FIRST_PASS_ARG (1<<4)
-#define WINBIND__OLD_PASSWORD (1<<5)
-#define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
-#define WINBIND_KRB5_AUTH (1<<7)
-#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
-#define WINBIND_CACHED_LOGIN (1<<9)
-#define WINBIND_CONFIG_FILE (1<<10)
-#define WINBIND_SILENT (1<<11)
-#define WINBIND_DEBUG_STATE (1<<12)
-#define WINBIND_WARN_PWD_EXPIRE (1<<13)
+#define WINBIND_DEBUG_ARG 0x00000001
+#define WINBIND_USE_AUTHTOK_ARG 0x00000002
+#define WINBIND_UNKNOWN_OK_ARG 0x00000004
+#define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
+#define WINBIND_USE_FIRST_PASS_ARG 0x00000010
+#define WINBIND__OLD_PASSWORD 0x00000020
+#define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
+#define WINBIND_KRB5_AUTH 0x00000080
+#define WINBIND_KRB5_CCACHE_TYPE 0x00000100
+#define WINBIND_CACHED_LOGIN 0x00000200
+#define WINBIND_CONFIG_FILE 0x00000400
+#define WINBIND_SILENT 0x00000800
+#define WINBIND_DEBUG_STATE 0x00001000
+#define WINBIND_WARN_PWD_EXPIRE 0x00002000
/*
* here is the string to inform the user that the new passwords they
diff --git a/source/nsswitch/wbinfo.c b/source/nsswitch/wbinfo.c
index c1d41a5..463d923 100644
--- a/source/nsswitch/wbinfo.c
+++ b/source/nsswitch/wbinfo.c
@@ -879,6 +879,33 @@ static bool wbinfo_lookupname(const char *full_name)
return true;
}
+static char *wbinfo_prompt_pass(const char *prefix,
+ const char *username)
+{
+ char *prompt;
+ const char *ret = NULL;
+
+ prompt = talloc_asprintf(talloc_tos(), "Enter %s's ", username);
+ if (!prompt) {
+ return NULL;
+ }
+ if (prefix) {
+ prompt = talloc_asprintf_append(prompt, "%s ", prefix);
+ if (!prompt) {
+ return NULL;
+ }
+ }
+ prompt = talloc_asprintf_append(prompt, "password: ");
+ if (!prompt) {
+ return NULL;
+ }
+
+ ret = getpass(prompt);
+ TALLOC_FREE(prompt);
+
+ return SMB_STRDUP(ret);
+}
+
/* Authenticate a user with a plaintext password */
static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags)
@@ -887,6 +914,7 @@ static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags)
struct winbindd_response response;
NSS_STATUS result;
char *p;
+ char *password;
/* Send off request */
@@ -900,8 +928,12 @@ static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags)
fstrcpy(request.data.auth.user, username);
fstrcpy(request.data.auth.pass, p + 1);
*p = '%';
- } else
+ } else {
fstrcpy(request.data.auth.user, username);
+ password = wbinfo_prompt_pass(NULL, username);
+ fstrcpy(request.data.auth.pass, password);
+ SAFE_FREE(password);
+ }
request.flags = flags;
@@ -947,7 +979,7 @@ static bool wbinfo_auth(char *username)
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
char *s = NULL;
char *p = NULL;
- const char *password = NULL;
+ char *password = NULL;
char *name = NULL;
if ((s = SMB_STRDUP(username)) == NULL) {
@@ -957,16 +989,9 @@ static bool wbinfo_auth(char *username)
if ((p = strchr(s, '%')) != NULL) {
*p = 0;
p++;
- password = p;
+ password = SMB_STRDUP(p);
} else {
- char *prompt;
- asprintf(&prompt, "Enter %s's password:", username);
- if (!prompt) {
- return false;
- }
-
- password = getpass(prompt);
- SAFE_FREE(prompt);
+ password = wbinfo_prompt_pass(NULL, username);
}
name = s;
@@ -985,6 +1010,7 @@ static bool wbinfo_auth(char *username)
#endif
SAFE_FREE(s);
+ SAFE_FREE(password);
return WBC_ERROR_IS_OK(wbc_status);
}
@@ -1001,26 +1027,18 @@ static bool wbinfo_auth_crap(char *username)
DATA_BLOB nt = data_blob_null;
fstring name_user;
fstring name_domain;
- fstring pass;
+ char *pass;
char *p;
p = strchr(username, '%');
if (p) {
*p = 0;
- fstrcpy(pass, p + 1);
+ pass = SMB_STRDUP(p + 1);
} else {
- char *prompt;
- asprintf(&prompt, "Enter %s's password:", username);
- if (!prompt) {
- return false;
- }
-
- fstrcpy(pass, getpass(prompt));
- SAFE_FREE(prompt);
-
+ pass = wbinfo_prompt_pass(NULL, username);
}
-
+
parse_wbinfo_domain_user(username, name_domain, name_user);
params.account_name = name_user;
@@ -1049,6 +1067,7 @@ static bool wbinfo_auth_crap(char *username)
&lm, &nt, NULL)) {
data_blob_free(&names_blob);
data_blob_free(&server_chal);
+ SAFE_FREE(pass);
return false;
}
data_blob_free(&names_blob);
@@ -1093,6 +1112,7 @@ static bool wbinfo_auth_crap(char *username)
data_blob_free(&nt);
data_blob_free(&lm);
+ SAFE_FREE(pass);
return WBC_ERROR_IS_OK(wbc_status);
}
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index 0f9f1e1..4beef85 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -176,7 +176,7 @@ static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
}
fill_domain_username(state->response.data.auth.unix_username,
- nt_domain, nt_username, True);
+ nt_domain, nt_username, true);
DEBUG(5,("Setting unix username to [%s]\n",
state->response.data.auth.unix_username));
@@ -310,8 +310,8 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
TALLOC_FREE(frame);
- status = sid_array_from_info3(mem_ctx, info3,
- &token->user_sids,
+ status = sid_array_from_info3(mem_ctx, info3,
+ &token->user_sids,
&token->num_sids,
true, false);
if (!NT_STATUS_IS_OK(status)) {
@@ -338,13 +338,13 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
}
-
+
/* Do not distinguish this error from a wrong username/pw */
return NT_STATUS_LOGON_FAILURE;
}
-struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
+struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
const char *domain_name)
{
struct winbindd_domain *domain;
@@ -353,7 +353,7 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
DEBUG(3, ("Authentication for domain [%s] refused "
- "as it is not a trusted domain\n",
+ "as it is not a trusted domain\n",
domain_name));
}
return domain;
@@ -370,12 +370,12 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
- DEBUG(3, ("Authentication for domain [%s] skipped "
- "as it is not a trusted domain\n",
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
domain_name));
} else {
return domain;
- }
+ }
}
return find_our_domain();
@@ -387,12 +387,27 @@ static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
- if (*resp->data.auth.error_string == '\0')
+ if (*resp->data.auth.error_string == '\0')
fstrcpy(resp->data.auth.error_string,
get_friendly_nt_error_msg(result));
resp->data.auth.pam_error = nt_status_to_pam(result);
}
+static void fill_in_password_policy(struct winbindd_response *r,
+ const struct samr_DomInfo1 *p)
+{
+ r->data.auth.policy.min_length_password =
+ p->min_password_length;
+ r->data.auth.policy.password_history =
+ p->password_history_length;
+ r->data.auth.policy.password_properties =
+ p->password_properties;
+ r->data.auth.policy.expire =
+ nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
+ r->data.auth.policy.min_passwordage =
+ nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
+}
+
static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
@@ -402,9 +417,9 @@ static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(5,("fillup_password_policy: No inbound trust to "
- "contact domain %s\n", domain->name));
+ "contact domain %s\n", domain->name));
return NT_STATUS_NOT_SUPPORTED;
- }
+ }
methods = domain->methods;
--
Samba Shared Repository
More information about the samba-cvs
mailing list