[SCM] Samba Shared Repository - branch master updated -
d3afd534291fc7bb9ed7326c7ecf22433441191d
Günther Deschner
gd at samba.org
Fri Oct 10 13:41:37 GMT 2008
The branch, master has been updated
via d3afd534291fc7bb9ed7326c7ecf22433441191d (commit)
via 3eae89dd7729c08a40d97dc1b095011bf2933dce (commit)
from ed2b94c1a29017013a8eb773755c051f4c2a2eb0 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d3afd534291fc7bb9ed7326c7ecf22433441191d
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 15 14:00:20 2008 +0200
pam_winbind: use libwbclient for WINBINDD_PAM_LOGOFF.
Guenther
commit 3eae89dd7729c08a40d97dc1b095011bf2933dce
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 15 02:34:22 2008 +0200
pam_winbind: use libwbclient for WINBINDD_PAM_CHAUTHTOK.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/nsswitch/pam_winbind.c | 219 +++++++++++++++++++++++-----------------
source3/nsswitch/pam_winbind.h | 8 --
2 files changed, 127 insertions(+), 100 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 9448890..defdbdb 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -772,10 +772,6 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
_pam_log(ctx, LOG_NOTICE,
"user '%s' granted access", user);
break;
- case WINBINDD_PAM_CHAUTHTOK:
- _pam_log(ctx, LOG_NOTICE,
- "user '%s' password changed", user);
- break;
default:
_pam_log(ctx, LOG_NOTICE,
"user '%s' OK", user);
@@ -1317,42 +1313,45 @@ static bool _pam_check_remark_auth_err(struct pwb_context *ctx,
/**
* Compose Password Restriction String for a PAM_ERROR_MSG conversation.
*
- * @param response The struct winbindd_response.
+ * @param i The wbcUserPasswordPolicyInfo struct.
*
- * @return string (caller needs to free).
+ * @return string (caller needs to talloc_free).
*/
static char *_pam_compose_pwd_restriction_string(struct pwb_context *ctx,
- struct winbindd_response *response)
+ struct wbcUserPasswordPolicyInfo *i)
{
char *str = NULL;
+ if (!i) {
+ goto failed;
+ }
+
str = talloc_asprintf(ctx, "Your password ");
if (!str) {
goto failed;
}
- if (response->data.auth.policy.min_length_password > 0) {
+ if (i->min_length_password > 0) {
str = talloc_asprintf_append(str,
"must be at least %d characters; ",
- response->data.auth.policy.min_length_password);
+ i->min_length_password);
if (!str) {
goto failed;
}
}
- if (response->data.auth.policy.password_history > 0) {
+ if (i->password_history > 0) {
str = talloc_asprintf_append(str,
"cannot repeat any of your previous %d "
"passwords; ",
- response->data.auth.policy.password_history);
+ i->password_history);
if (!str) {
goto failed;
}
}
- if (response->data.auth.policy.password_properties &
- DOMAIN_PASSWORD_COMPLEX) {
+ if (i->password_properties & WBC_DOMAIN_PASSWORD_COMPLEX) {
str = talloc_asprintf_append(str,
"must contain capitals, numerals "
"or punctuation; "
@@ -1572,99 +1571,95 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
const char *newpass,
time_t pwd_last_set)
{
- struct winbindd_request request;
- struct winbindd_response response;
- int ret;
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- if (request.data.chauthtok.user == NULL) {
- return -2;
- }
-
- strncpy(request.data.chauthtok.user, user,
- sizeof(request.data.chauthtok.user) - 1);
+ wbcErr wbc_status;
+ struct wbcChangePasswordParams params;
+ struct wbcAuthErrorInfo *error = NULL;
+ struct wbcUserPasswordPolicyInfo *policy = NULL;
+ enum wbcPasswordChangeRejectReason reject_reason = -1;
+ uint32_t flags = 0;
- if (oldpass != NULL) {
- strncpy(request.data.chauthtok.oldpass, oldpass,
- sizeof(request.data.chauthtok.oldpass) - 1);
- } else {
- request.data.chauthtok.oldpass[0] = '\0';
- }
+ int i;
+ const char *codes[] = {
+ "NT_STATUS_BACKUP_CONTROLLER",
+ "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
+ "NT_STATUS_NO_LOGON_SERVERS",
+ "NT_STATUS_ACCESS_DENIED",
+ "NT_STATUS_PWD_TOO_SHORT", /* TODO: tell the min pwd length ? */
+ "NT_STATUS_PWD_TOO_RECENT", /* TODO: tell the minage ? */
+ "NT_STATUS_PWD_HISTORY_CONFLICT" /* TODO: tell the history length ? */
+ };
+ int ret = PAM_AUTH_ERR;
- if (newpass != NULL) {
- strncpy(request.data.chauthtok.newpass, newpass,
- sizeof(request.data.chauthtok.newpass) - 1);
- } else {
- request.data.chauthtok.newpass[0] = '\0';
- }
+ ZERO_STRUCT(params);
if (ctx->ctrl & WINBIND_KRB5_AUTH) {
- request.flags = WBFLAG_PAM_KRB5 |
- WBFLAG_PAM_CONTACT_TRUSTDOM;
+ flags |= WBFLAG_PAM_KRB5 |
+ WBFLAG_PAM_CONTACT_TRUSTDOM;
}
if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
- request.flags |= WBFLAG_PAM_CACHED_LOGIN;
+ flags |= WBFLAG_PAM_CACHED_LOGIN;
}
- ret = pam_winbind_request_log(ctx, WINBINDD_PAM_CHAUTHTOK,
- &request, &response, user);
-
- if (ret == PAM_SUCCESS) {
- return ret;
- }
+ params.account_name = user;
+ params.level = WBC_AUTH_USER_LEVEL_PLAIN;
+ params.old_password.plaintext = oldpass;
+ params.new_password.plaintext = newpass;
+ params.flags = flags;
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_BACKUP_CONTROLLER");
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_NO_LOGON_SERVERS");
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_ACCESS_DENIED");
+ wbc_status = wbcChangeUserPasswordEx(¶ms, &error, &reject_reason, &policy);
+ ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+ user, "wbcChangeUserPasswordEx");
- /* TODO: tell the min pwd length ? */
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_PWD_TOO_SHORT");
+ if (WBC_ERROR_IS_OK(wbc_status)) {
+ _pam_log(ctx, LOG_NOTICE,
+ "user '%s' password changed", user);
+ return PAM_SUCCESS;
+ }
- /* TODO: tell the minage ? */
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_PWD_TOO_RECENT");
+ if (!error) {
+ wbcFreeMemory(policy);
+ return ret;
+ }
- /* TODO: tell the history length ? */
- PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
- "NT_STATUS_PWD_HISTORY_CONFLICT");
+ for (i=0; i<ARRAY_SIZE(codes); i++) {
+ int _ret = ret;
+ if (_pam_check_remark_auth_err(ctx, error, codes[i], &_ret)) {
+ ret = _ret;
+ goto done;
+ }
+ }
- if (!strcasecmp(response.data.auth.nt_status_string,
+ if (!strcasecmp(error->nt_string,
"NT_STATUS_PASSWORD_RESTRICTION")) {
char *pwd_restriction_string = NULL;
- SMB_TIME_T min_pwd_age;
- uint32_t reject_reason = response.data.auth.reject_reason;
- min_pwd_age = response.data.auth.policy.min_passwordage;
+ SMB_TIME_T min_pwd_age = 0;
+
+ if (policy) {
+ min_pwd_age = policy->min_passwordage;
+ }
/* FIXME: avoid to send multiple PAM messages after another */
switch (reject_reason) {
case -1:
break;
- case SAMR_REJECT_OTHER:
+ case WBC_PWD_CHANGE_REJECT_OTHER:
if ((min_pwd_age > 0) &&
(pwd_last_set + min_pwd_age > time(NULL))) {
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_TOO_RECENT");
}
break;
- case SAMR_REJECT_TOO_SHORT:
+ case WBC_PWD_CHANGE_REJECT_TOO_SHORT:
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_TOO_SHORT");
break;
- case SAMR_REJECT_IN_HISTORY:
+ case WBC_PWD_CHANGE_REJECT_IN_HISTORY:
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_HISTORY_CONFLICT");
break;
- case SAMR_REJECT_COMPLEXITY:
+ case WBC_PWD_CHANGE_REJECT_COMPLEXITY:
_make_remark(ctx, PAM_ERROR_MSG,
"Password does not meet "
"complexity requirements");
@@ -1678,13 +1673,16 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
}
pwd_restriction_string =
- _pam_compose_pwd_restriction_string(ctx, &response);
+ _pam_compose_pwd_restriction_string(ctx, policy);
if (pwd_restriction_string) {
_make_remark(ctx, PAM_ERROR_MSG,
pwd_restriction_string);
TALLOC_FREE(pwd_restriction_string);
}
}
+ done:
+ wbcFreeMemory(error);
+ wbcFreeMemory(policy);
return ret;
}
@@ -2434,6 +2432,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
{
int retval = PAM_SUCCESS;
struct pwb_context *ctx = NULL;
+ struct wbcLogoffUserParams logoff;
retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
if (retval) {
@@ -2450,15 +2449,15 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
if (ctx->ctrl & WINBIND_KRB5_AUTH) {
/* destroy the ccache here */
- struct winbindd_request request;
- struct winbindd_response response;
+
+ wbcErr wbc_status;
+ struct wbcAuthErrorInfo *error = NULL;
+
+ uint32_t flags = 0;
const char *user;
const char *ccname = NULL;
struct passwd *pwd = NULL;
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
retval = pam_get_user(pamh, &user, "Username: ");
if (retval) {
_pam_log(ctx, LOG_ERR,
@@ -2482,30 +2481,66 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
"user has no KRB5CCNAME environment");
}
- strncpy(request.data.logoff.user, user,
- sizeof(request.data.logoff.user) - 1);
-
- if (ccname) {
- strncpy(request.data.logoff.krb5ccname, ccname,
- sizeof(request.data.logoff.krb5ccname) - 1);
- }
-
pwd = getpwnam(user);
if (pwd == NULL) {
retval = PAM_USER_UNKNOWN;
goto out;
}
- request.data.logoff.uid = pwd->pw_uid;
- request.flags = WBFLAG_PAM_KRB5 |
- WBFLAG_PAM_CONTACT_TRUSTDOM;
+ flags = WBFLAG_PAM_KRB5 |
+ WBFLAG_PAM_CONTACT_TRUSTDOM;
+
+ ZERO_STRUCT(logoff);
+
+ logoff.username = user;
+
+ wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+ &logoff.blobs,
+ "ccfilename",
+ 0,
+ (uint8_t *)ccname,
+ strlen(ccname)+1);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto out;
+ }
+
+ wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+ &logoff.blobs,
+ "flags",
+ 0,
+ (uint8_t *)&flags,
+ sizeof(flags));
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto out;
+ }
+
+ wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+ &logoff.blobs,
+ "user_uid",
+ 0,
+ (uint8_t *)&pwd->pw_uid,
+ sizeof(pwd->pw_uid));
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto out;
+ }
+
+ wbc_status = wbcLogoffUserEx(&logoff, &error);
+ retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+ user, "wbcLogoffUser");
+ wbcFreeMemory(error);
+ wbcFreeMemory(logoff.blobs);
- retval = pam_winbind_request_log(ctx,
- WINBINDD_PAM_LOGOFF,
- &request, &response, user);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ _pam_log(ctx, LOG_INFO,
+ "failed to logoff user %s: %s\n",
+ user, wbcErrorString(wbc_status));
+ }
}
out:
+ if (logoff.blobs) {
+ wbcFreeMemory(logoff.blobs);
+ }
_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h
index ea7055a..f05f2d7 100644
--- a/source3/nsswitch/pam_winbind.h
+++ b/source3/nsswitch/pam_winbind.h
@@ -182,14 +182,6 @@ do { \
};\
};
-/* from samr.idl */
-#define DOMAIN_PASSWORD_COMPLEX 0x00000001
-
-#define SAMR_REJECT_OTHER 0x00000000
-#define SAMR_REJECT_TOO_SHORT 0x00000001
-#define SAMR_REJECT_IN_HISTORY 0x00000002
-#define SAMR_REJECT_COMPLEXITY 0x00000005
-
#define ACB_PWNOEXP 0x00000200
/* from netlogon.idl */
--
Samba Shared Repository
More information about the samba-cvs
mailing list