[SCM] Samba Shared Repository - branch master updated -
b1282d720cffeb4b89bc5276b827e60ccef3f110
Günther Deschner
gd at samba.org
Fri Oct 10 13:39:09 GMT 2008
The branch, master has been updated
via b1282d720cffeb4b89bc5276b827e60ccef3f110 (commit)
via 0566164db03a19b98d4aec5cca63ece2a01acbec (commit)
via 0532291fe9650f968aab0fb6b60e08f41b334c24 (commit)
via 7817ad4ae0c462429f176ddf94bebcd44a3d6619 (commit)
from 3bbffb96646bda732c21c7c418e80ddc63f16de4 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b1282d720cffeb4b89bc5276b827e60ccef3f110
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 13:36:39 2008 +0200
pam_winbind: add _pam_check_remark_auth_err().
Guenther
commit 0566164db03a19b98d4aec5cca63ece2a01acbec
Author: Günther Deschner <gd at samba.org>
Date: Tue Aug 19 10:59:18 2008 +0200
pam_winbind: add wbc_auth_error_to_pam_error().
Guenther
commit 0532291fe9650f968aab0fb6b60e08f41b334c24
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 15 03:13:18 2008 +0200
pam_winbind: add wbc_error_to_pam_error().
Guenther
commit 7817ad4ae0c462429f176ddf94bebcd44a3d6619
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 14 18:15:00 2008 +0200
pam_winbind: prepare to use libwbclient inside pam_winbind.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 4 +-
source3/nsswitch/pam_winbind.c | 130 +++++++++++++++++++++++++++++++++++++---
source3/nsswitch/pam_winbind.h | 1 +
3 files changed, 125 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index d3cb86e..8bee54d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2182,10 +2182,10 @@ bin/winbind_krb5_locator. at SHLIBEXT@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OB
@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(WINBIND_LIBS) \
@SONAMEFLAG@`basename $@`
-bin/pam_winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_SHARED@
+bin/pam_winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_SHARED@ @LIBWBCLIENT_SHARED@
@echo "Linking shared library $@"
@$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) -lpam @INIPARSERLIBS@ \
- $(PAM_WINBIND_EXTRA_LIBS) $(LIBTALLOC_LIBS) @SONAMEFLAG@`basename $@`
+ $(PAM_WINBIND_EXTRA_LIBS) $(LIBTALLOC_LIBS) $(WINBIND_LIBS) @SONAMEFLAG@`basename $@`
bin/builtin. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_BUILTIN_OBJ)
@echo "Building plugin $@"
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index cdb30ed..41dacd7 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -12,6 +12,42 @@
#include "pam_winbind.h"
+static int wbc_error_to_pam_error(wbcErr status)
+{
+ switch (status) {
+ case WBC_ERR_SUCCESS:
+ return PAM_SUCCESS;
+ case WBC_ERR_NOT_IMPLEMENTED:
+ return PAM_SERVICE_ERR;
+ case WBC_ERR_UNKNOWN_FAILURE:
+ break;
+ case WBC_ERR_NO_MEMORY:
+ return PAM_BUF_ERR;
+ case WBC_ERR_INVALID_SID:
+ case WBC_ERR_INVALID_PARAM:
+ break;
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ return PAM_AUTHINFO_UNAVAIL;
+ case WBC_ERR_DOMAIN_NOT_FOUND:
+ return PAM_AUTHINFO_UNAVAIL;
+ case WBC_ERR_INVALID_RESPONSE:
+ return PAM_BUF_ERR;
+ case WBC_ERR_NSS_ERROR:
+ return PAM_USER_UNKNOWN;
+ case WBC_ERR_AUTH_ERROR:
+ return PAM_AUTH_ERR;
+ case WBC_ERR_UNKNOWN_USER:
+ return PAM_USER_UNKNOWN;
+ case WBC_ERR_UNKNOWN_GROUP:
+ return PAM_USER_UNKNOWN;
+ case WBC_ERR_PWD_CHANGE_FAILED:
+ break;
+ }
+
+ /* be paranoid */
+ return PAM_AUTH_ERR;
+}
+
static const char *_pam_error_code_str(int err)
{
switch (err) {
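Review bot: The switch in `wbc_error_to_pam_error()` has no `default:`, and four codes (`WBC_ERR_UNKNOWN_FAILURE`, `WBC_ERR_INVALID_SID`, `WBC_ERR_INVALID_PARAM`, `WBC_ERR_PWD_CHANGE_FAILED`) only `break`, so the deny result rests entirely on the trailing `return PAM_AUTH_ERR;`. The `/* be paranoid */` comment does not record that. I would replace it with `/* unmapped or future wbcErr values must deny: never return PAM_SUCCESS from here */`. If `default:` was left out on purpose so the compiler keeps warning about unhandled enum values, that is worth saying too. The new function also has no header comment, although the file uses `/** ... */` blocks elsewhere; one sentence stating that only `WBC_ERR_SUCCESS` maps to `PAM_SUCCESS` would be enough.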
@@ -713,15 +749,9 @@ static int pam_winbind_request(struct pwb_context *ctx,
}
static int pam_winbind_request_log(struct pwb_context *ctx,
- enum winbindd_cmd req_type,
- struct winbindd_request *request,
- struct winbindd_response *response,
+ int retval,
const char *user)
{
- int retval;
-
- retval = pam_winbind_request(ctx, req_type, request, response);
-
switch (retval) {
case PAM_AUTH_ERR:
/* incorrect password */
@@ -753,6 +783,7 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
return retval;
case PAM_SUCCESS:
/* Otherwise, the authentication looked good */
+#if 0
switch (req_type) {
case WINBINDD_INFO:
break;
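Review bot: The `#if 0` added under `case PAM_SUCCESS:` (closed by the `#endif` in the following hunk) compiles out the success logging, including the `"user '%s' OK"` message, so a successful request through `pam_winbind_request_log()` no longer leaves a log record. This follows from the earlier hunk dropping the `req_type` parameter, but for a PAM module the success line is part of the audit trail that detection and incident response rely on. Instead of leaving dead code, emit a generic success record here, e.g. `_pam_log(ctx, LOG_NOTICE, "user '%s' OK", user);` at whatever level the disabled code used, or log the success in the callers that still know the request type. The function body starts and ends outside this hunk.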
@@ -769,7 +800,7 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
"user '%s' OK", user);
break;
}
-
+#endif
return retval;
default:
/* we don't know anything about this return value */
@@ -780,6 +811,48 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
}
}
+static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
+ struct wbcAuthErrorInfo *e,
+ wbcErr status,
+ const char *username,
+ const char *fn)
+{
+ int ret = PAM_AUTH_ERR;
+
+ if (WBC_ERROR_IS_OK(status)) {
+ _pam_log_debug(ctx, LOG_DEBUG, "request %s succeeded",
+ fn);
+ ret = PAM_SUCCESS;
+ return pam_winbind_request_log(ctx, ret, username);
+ }
+
+ if (e) {
+ if (e->pam_error != PAM_SUCCESS) {
+ _pam_log(ctx, LOG_ERR,
+ "request %s failed: %s, "
+ "PAM error: %s (%d), NTSTATUS: %s, "
+ "Error message was: %s",
+ fn,
+ wbcErrorString(status),
+ _pam_error_code_str(e->pam_error),
+ e->pam_error,
+ e->nt_string,
+ e->display_string);
+ ret = e->pam_error;
+ return pam_winbind_request_log(ctx, ret, username);
+ }
+
+ _pam_log(ctx, LOG_ERR, "request %s failed, but PAM error 0!", fn);
+
+ ret = PAM_SERVICE_ERR;
+ return pam_winbind_request_log(ctx, ret, username);
+ }
+
+ ret = wbc_error_to_pam_error(status);
+ return pam_winbind_request_log(ctx, ret, username);
+}
+
+
/**
* send a password expiry message if required
*
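Review bot: In `wbc_auth_error_to_pam_error()`, `e->nt_string` and `e->display_string` are passed to `%s` in the `_pam_log()` call without a NULL check. `_pam_check_remark_auth_err()`, added later in this commit, tests both fields for NULL, which suggests either can be unset. Assuming `_pam_log()` formats printf-style, a NULL `%s` argument is undefined behaviour, and this path runs inside the authenticating process. Guard both arguments, e.g. `e->nt_string ? e->nt_string : "(none)",` and `e->display_string ? e->display_string : "(none)");`. A short header comment would also help, noting that an error status with `e->pam_error == PAM_SUCCESS` is deliberately turned into `PAM_SERVICE_ERR`.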
@@ -1219,6 +1292,47 @@ static void _pam_warn_krb5_failure(struct pwb_context *ctx,
}
}
+static bool _pam_check_remark_auth_err(struct pwb_context *ctx,
+ const struct wbcAuthErrorInfo *e,
+ const char *nt_status_string,
+ int *pam_error)
+{
+ const char *ntstatus = NULL;
+ const char *error_string = NULL;
+
+ if (!e || !pam_error) {
+ return false;
+ }
+
+ ntstatus = e->nt_string;
+ if (!ntstatus) {
+ return false;
+ }
+
+ if (strcasecmp(ntstatus, nt_status_string) == 0) {
+
+ error_string = _get_ntstatus_error_string(nt_status_string);
+ if (error_string) {
+ _make_remark(ctx, PAM_ERROR_MSG, error_string);
+ *pam_error = e->pam_error;
+ return true;
+ }
+
+ if (e->display_string) {
+ _make_remark(ctx, PAM_ERROR_MSG, e->display_string);
+ *pam_error = e->pam_error;
+ return true;
+ }
+
+ _make_remark(ctx, PAM_ERROR_MSG, nt_status_string);
+ *pam_error = e->pam_error;
+
+ return true;
+ }
+
+ return false;
+};
+
/**
* Compose Password Restriction String for a PAM_ERROR_MSG conversation.
*
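Review bot: `_pam_check_remark_auth_err()` copies `e->pam_error` into `*pam_error` and returns true on all three match paths without checking that it is not `PAM_SUCCESS`. `wbc_auth_error_to_pam_error()` in the same commit explicitly guards against that case ("failed, but PAM error 0"). The callers are outside this hunk, but if one returns `*pam_error` directly after a true result, a matched NT status with a zero `pam_error` would be reported as success. The same fail-closed substitution would remove that dependency: `*pam_error = (e->pam_error != PAM_SUCCESS) ? e->pam_error : PAM_SERVICE_ERR;`. Two smaller points: `nt_status_string` reaches `strcasecmp()` unchecked, and the `};` closing the function has a stray semicolon.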
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h
index 425471d..ea7055a 100644
--- a/source3/nsswitch/pam_winbind.h
+++ b/source3/nsswitch/pam_winbind.h
@@ -8,6 +8,7 @@
#include "system/syslog.h"
#include "system/time.h"
#include <talloc.h>
+#include "libwbclient/wbclient.h"
#define MODULE_NAME "pam_winbind"
#define PAM_SM_AUTH
--
Samba Shared Repository