[SCM] Samba Shared Repository - branch master updated - b1282d720cffeb4b89bc5276b827e60ccef3f110

Günther Deschner gd at samba.org
Fri Oct 10 13:39:09 GMT 2008


The branch, master has been updated
       via  b1282d720cffeb4b89bc5276b827e60ccef3f110 (commit)
       via  0566164db03a19b98d4aec5cca63ece2a01acbec (commit)
       via  0532291fe9650f968aab0fb6b60e08f41b334c24 (commit)
       via  7817ad4ae0c462429f176ddf94bebcd44a3d6619 (commit)
      from  3bbffb96646bda732c21c7c418e80ddc63f16de4 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b1282d720cffeb4b89bc5276b827e60ccef3f110
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 19 13:36:39 2008 +0200

    pam_winbind: add _pam_check_remark_auth_err().
    
    Guenther

commit 0566164db03a19b98d4aec5cca63ece2a01acbec
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 19 10:59:18 2008 +0200

    pam_winbind: add wbc_auth_error_to_pam_error().
    
    Guenther

commit 0532291fe9650f968aab0fb6b60e08f41b334c24
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 15 03:13:18 2008 +0200

    pam_winbind: add wbc_error_to_pam_error().
    
    Guenther

commit 7817ad4ae0c462429f176ddf94bebcd44a3d6619
Author: Günther Deschner <gd at samba.org>
Date:   Thu Aug 14 18:15:00 2008 +0200

    pam_winbind: prepare to use libwbclient inside pam_winbind.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/Makefile.in            |    4 +-
 source3/nsswitch/pam_winbind.c |  130 +++++++++++++++++++++++++++++++++++++---
 source3/nsswitch/pam_winbind.h |    1 +
 3 files changed, 125 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index d3cb86e..8bee54d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2182,10 +2182,10 @@ bin/winbind_krb5_locator. at SHLIBEXT@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OB
 	@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(WINBIND_LIBS) \
 		@SONAMEFLAG@`basename $@`
 
-bin/pam_winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_SHARED@
+bin/pam_winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_SHARED@ @LIBWBCLIENT_SHARED@
 	@echo "Linking shared library $@"
 	@$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) -lpam @INIPARSERLIBS@ \
-		$(PAM_WINBIND_EXTRA_LIBS) $(LIBTALLOC_LIBS) @SONAMEFLAG@`basename $@`
+		$(PAM_WINBIND_EXTRA_LIBS) $(LIBTALLOC_LIBS) $(WINBIND_LIBS) @SONAMEFLAG@`basename $@`
 
 bin/builtin. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_BUILTIN_OBJ)
 	@echo "Building plugin $@"
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index cdb30ed..41dacd7 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -12,6 +12,42 @@
 
 #include "pam_winbind.h"
 
+static int wbc_error_to_pam_error(wbcErr status)
+{
+	switch (status) {
+		case WBC_ERR_SUCCESS:
+			return PAM_SUCCESS;
+		case WBC_ERR_NOT_IMPLEMENTED:
+			return PAM_SERVICE_ERR;
+		case WBC_ERR_UNKNOWN_FAILURE:
+			break;
+		case WBC_ERR_NO_MEMORY:
+			return PAM_BUF_ERR;
+		case WBC_ERR_INVALID_SID:
+		case WBC_ERR_INVALID_PARAM:
+			break;
+		case WBC_ERR_WINBIND_NOT_AVAILABLE:
+			return PAM_AUTHINFO_UNAVAIL;
+		case WBC_ERR_DOMAIN_NOT_FOUND:
+			return PAM_AUTHINFO_UNAVAIL;
+		case WBC_ERR_INVALID_RESPONSE:
+			return PAM_BUF_ERR;
+		case WBC_ERR_NSS_ERROR:
+			return PAM_USER_UNKNOWN;
+		case WBC_ERR_AUTH_ERROR:
+			return PAM_AUTH_ERR;
+		case WBC_ERR_UNKNOWN_USER:
+			return PAM_USER_UNKNOWN;
+		case WBC_ERR_UNKNOWN_GROUP:
+			return PAM_USER_UNKNOWN;
+		case WBC_ERR_PWD_CHANGE_FAILED:
+			break;
+	}
+
+	/* be paranoid */
+	return PAM_AUTH_ERR;
+}
+
 static const char *_pam_error_code_str(int err)
 {
 	switch (err) {
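Review bot: In wbc_error_to_pam_error(), WBC_ERR_UNKNOWN_FAILURE, WBC_ERR_INVALID_SID, WBC_ERR_INVALID_PARAM and WBC_ERR_PWD_CHANGE_FAILED all `break` to the final `return PAM_AUTH_ERR;`, so an internal or parameter error reaches PAM looking the same as a rejected credential. Failing closed is the right default, but pam_winbind_request_log() labels PAM_AUTH_ERR as "incorrect password" (comment in a later hunk), so these cases will presumably show up as failed logins during an outage or a bug. Consider `return PAM_SERVICE_ERR;` for the non-credential cases, and expand `/* be paranoid */` to something like `/* unmapped or future wbcErr values must never yield PAM_SUCCESS */`. Leaving the switch without a `default:` is worth keeping, since it lets the compiler warn when a new wbcErr value is not handled.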
@@ -713,15 +749,9 @@ static int pam_winbind_request(struct pwb_context *ctx,
 }
 
 static int pam_winbind_request_log(struct pwb_context *ctx,
-				   enum winbindd_cmd req_type,
-				   struct winbindd_request *request,
-				   struct winbindd_response *response,
+				   int retval,
 				   const char *user)
 {
-	int retval;
-
-	retval = pam_winbind_request(ctx, req_type, request, response);
-
 	switch (retval) {
 	case PAM_AUTH_ERR:
 		/* incorrect password */
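Review bot: After this change pam_winbind_request_log() no longer issues a winbind request; it only logs about the `retval` it is handed, so the name is now misleading and the function deserves a comment. Something like `/* log the outcome of a winbind request for user; does not talk to winbindd */` above the signature would do. The body continues outside this hunk, so confirm what each case returns before documenting the return value. Callers of the old five-argument form are not visible in this truncated changeset and must be converted in the same commit.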
@@ -753,6 +783,7 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
 		return retval;
 	case PAM_SUCCESS:
 		/* Otherwise, the authentication looked good */
+#if 0
 		switch (req_type) {
 			case WINBINDD_INFO:
 				break;
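Review bot: The `#if 0` opened here (closed by the `#endif` in the next hunk) disables the success-path logging in the PAM_SUCCESS case, including the `"user '%s' OK"` message, because `req_type` is no longer a parameter. The only success message left in the visible code is the LOG_DEBUG `"request %s succeeded"` line in wbc_auth_error_to_pam_error(), and it does not name the user. That weakens the audit trail used to investigate account misuse. Rather than leaving dead code, either log a request-independent message here, e.g. `_pam_log(ctx, LOG_NOTICE, "user '%s' OK", user);`, or have each caller log its request-specific text after a successful return.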
@@ -769,7 +800,7 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
 					 "user '%s' OK", user);
 				break;
 		}
-
+#endif
 		return retval;
 	default:
 		/* we don't know anything about this return value */
@@ -780,6 +811,48 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
 	}
 }
 
+static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
+				       struct wbcAuthErrorInfo *e,
+				       wbcErr status,
+				       const char *username,
+				       const char *fn)
+{
+	int ret = PAM_AUTH_ERR;
+
+	if (WBC_ERROR_IS_OK(status)) {
+		_pam_log_debug(ctx, LOG_DEBUG, "request %s succeeded",
+			fn);
+		ret = PAM_SUCCESS;
+		return pam_winbind_request_log(ctx, ret, username);
+	}
+
+	if (e) {
+		if (e->pam_error != PAM_SUCCESS) {
+			_pam_log(ctx, LOG_ERR,
+				 "request %s failed: %s, "
+				 "PAM error: %s (%d), NTSTATUS: %s, "
+				 "Error message was: %s",
+				 fn,
+				 wbcErrorString(status),
+				 _pam_error_code_str(e->pam_error),
+				 e->pam_error,
+				 e->nt_string,
+				 e->display_string);
+			ret = e->pam_error;
+			return pam_winbind_request_log(ctx, ret, username);
+		}
+
+		_pam_log(ctx, LOG_ERR, "request %s failed, but PAM error 0!", fn);
+
+		ret = PAM_SERVICE_ERR;
+		return pam_winbind_request_log(ctx, ret, username);
+	}
+
+	ret = wbc_error_to_pam_error(status);
+	return pam_winbind_request_log(ctx, ret, username);
+}
+
+
 /**
  * send a password expiry message if required
  *
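Review bot: The `_pam_log()` call in the `e->pam_error != PAM_SUCCESS` branch passes `e->nt_string` and `e->display_string` to `%s` without a NULL check, while _pam_check_remark_auth_err() in this same changeset treats both fields as possibly NULL. Passing NULL for `%s` is undefined behaviour and only prints "(null)" on some C libraries; pass `e->nt_string ? e->nt_string : "(none)"` and do the same for `e->display_string`. Both strings presumably originate from winbindd or the domain controller, so they should be treated as untrusted text when the log is parsed. A header comment would also help, stating that a failing `status` is never turned into PAM_SUCCESS here (a zero `e->pam_error` becomes PAM_SERVICE_ERR).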
@@ -1219,6 +1292,47 @@ static void _pam_warn_krb5_failure(struct pwb_context *ctx,
 	}
 }
 
+static bool _pam_check_remark_auth_err(struct pwb_context *ctx,
+				       const struct wbcAuthErrorInfo *e,
+				       const char *nt_status_string,
+				       int *pam_error)
+{
+	const char *ntstatus = NULL;
+	const char *error_string = NULL;
+
+	if (!e || !pam_error) {
+		return false;
+	}
+
+	ntstatus = e->nt_string;
+	if (!ntstatus) {
+		return false;
+	}
+
+	if (strcasecmp(ntstatus, nt_status_string) == 0) {
+
+		error_string = _get_ntstatus_error_string(nt_status_string);
+		if (error_string) {
+			_make_remark(ctx, PAM_ERROR_MSG, error_string);
+			*pam_error = e->pam_error;
+			return true;
+		}
+
+		if (e->display_string) {
+			_make_remark(ctx, PAM_ERROR_MSG, e->display_string);
+			*pam_error = e->pam_error;
+			return true;
+		}
+
+		_make_remark(ctx, PAM_ERROR_MSG, nt_status_string);
+		*pam_error = e->pam_error;
+
+		return true;
+	}
+
+	return false;
+};
+
 /**
  * Compose Password Restriction String for a PAM_ERROR_MSG conversation.
  *
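Review bot: _pam_check_remark_auth_err() copies `e->pam_error` into `*pam_error` and returns true without checking that the value is not PAM_SUCCESS, unlike wbc_auth_error_to_pam_error(), which maps that case to PAM_SERVICE_ERR. If a caller returns `*pam_error` whenever this function returns true (callers are not in this truncated changeset), a matched NT status with a zero PAM code would be reported as a successful authentication. Use `*pam_error = (e->pam_error != PAM_SUCCESS) ? e->pam_error : PAM_SERVICE_ERR;` once, after choosing the remark text, instead of the three repeated assignments. `nt_status_string` is also passed to `strcasecmp()` unchecked, and the `};` after the function body is a stray empty declaration.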
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h
index 425471d..ea7055a 100644
--- a/source3/nsswitch/pam_winbind.h
+++ b/source3/nsswitch/pam_winbind.h
@@ -8,6 +8,7 @@
 #include "system/syslog.h"
 #include "system/time.h"
 #include <talloc.h>
+#include "libwbclient/wbclient.h"
 
 #define MODULE_NAME "pam_winbind"
 #define PAM_SM_AUTH


-- 
Samba Shared Repository

