[SCM] Samba Shared Repository - branch master updated
Volker Lendecke
vlendec at samba.org
Sun Aug 22 14:42:58 MDT 2010
The branch, master has been updated
via 8531921... s3: Turn two macros into functions
via 177e394... s3: Pass the rhost through smb_pam_accountcheck
via 265f0b7... s3: Rename auth.c:backends to auth_backends
via 6ff012a... s3: Fix some nonemtpy blank lines
from 8bc5899... s4: Only install testparm to /usr/bin/, no longer to /usr/sbin.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8531921e3d4bba30ed6d10bf671b0b70d2f4f3f7
Author: Volker Lendecke <vl at samba.org>
Date: Sun Aug 22 20:00:46 2010 +0200
s3: Turn two macros into functions
commit 177e394f93278407557702d9f53bae65fd5fc434
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 18 18:23:49 2010 +0200
s3: Pass the rhost through smb_pam_accountcheck
commit 265f0b7745b811d6ba1575eb277213f707215a3b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 18 17:31:39 2010 +0200
s3: Rename auth.c:backends to auth_backends
commit 6ff012a777889de5066fa77de9ed766f8421b1d5
Author: Volker Lendecke <vl at samba.org>
Date: Sun Aug 22 18:41:39 2010 +0200
s3: Fix some nonemtpy blank lines
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth.c | 13 ++++++---
source3/auth/pampass.c | 55 ++++++++++++++++++++++++++--------------
source3/include/proto.h | 3 +-
source3/lib/pam_errors.c | 4 +-
source3/smbd/sesssetup.c | 2 +-
source3/smbd/smb2_sesssetup.c | 3 +-
6 files changed, 50 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ed8888f..cabff53 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -18,19 +18,20 @@
*/
#include "includes.h"
+#include "smbd/globals.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
static_decl_auth;
-static struct auth_init_function_entry *backends = NULL;
+static struct auth_init_function_entry *auth_backends = NULL;
static struct auth_init_function_entry *auth_find_backend_entry(const char *name);
NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init)
{
- struct auth_init_function_entry *entry = backends;
+ struct auth_init_function_entry *entry = auth_backends;
if (version != AUTH_INTERFACE_VERSION) {
DEBUG(0,("Can't register auth_method!\n"
@@ -54,14 +55,14 @@ NTSTATUS smb_register_auth(int version, const char *name, auth_init_function ini
entry->name = smb_xstrdup(name);
entry->init = init;
- DLIST_ADD(backends, entry);
+ DLIST_ADD(auth_backends, entry);
DEBUG(5,("Successfully added auth method '%s'\n", name));
return NT_STATUS_OK;
}
static struct auth_init_function_entry *auth_find_backend_entry(const char *name)
{
- struct auth_init_function_entry *entry = backends;
+ struct auth_init_function_entry *entry = auth_backends;
while(entry) {
if (strcmp(entry->name, name)==0) return entry;
@@ -284,7 +285,9 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
if (!(*server_info)->guest) {
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(unix_username);
+ nt_status = smb_pam_accountcheck(
+ unix_username,
+ smbd_server_conn->client_id.name);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
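Review bot: The new call in check_ntlm_password dereferences the global `smbd_server_conn` with no NULL check, and including `smbd/globals.h` ties auth.c to smbd's process-wide connection state. The comment just above says this path can run as part of an RPC call, so if it is ever reached while the global is unset, this becomes a NULL dereference between become_root() and unbecome_root(). A guarded argument such as `smbd_server_conn ? smbd_server_conn->client_id.name : NULL` would fall back to the NULL rhost that smb_pam_accountcheck used before this change. Carrying the remote host in the auth context would avoid the global altogether. The function body starts and ends outside this hunk.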
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 6c7294d..f2e30b2 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -5,17 +5,17 @@
Copyright (C) John H Terpsta 1999-2001
Copyright (C) Andrew Bartlett 2001
Copyright (C) Jeremy Allison 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -62,8 +62,22 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp
/*
* Macros to help make life easy
*/
-#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
-#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
+
+static char *smb_pam_copy_string(const char *s)
+{
+ if (s == NULL) {
+ return NULL;
+ }
+ return SMB_STRDUP(s);
+}
+
+static char *smb_pam_copy_fstring(const char *s)
+{
+ if (s[0] == '\0') {
+ return NULL;
+ }
+ return SMB_STRDUP(s);
+}
/*******************************************************************
PAM error handler.
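Review bot: The comment `Macros to help make life easy` now sits above two static functions, and neither function states who owns the returned buffer. I would replace it with something like `/* Helpers returning a heap copy for a PAM reply (PAM frees resp), or NULL if there is nothing to send */`. smb_pam_copy_fstring reads `s[0]` without a NULL check, which is fine for the array arguments passed in this diff. Because its parameter is now a plain `const char *`, its comment should add `s must not be NULL`.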
@@ -75,7 +89,6 @@ static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char
if( pam_error != PAM_SUCCESS) {
DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
msg, pam_strerror(pamh, pam_error)));
-
return False;
}
return True;
@@ -144,13 +157,15 @@ static int smb_pam_conv(int num_msg,
switch (msg[replies]->msg_style) {
case PAM_PROMPT_ECHO_ON:
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(udp->PAM_username);
+ reply[replies].resp = smb_pam_copy_string(
+ udp->PAM_username);
/* PAM frees resp */
break;
case PAM_PROMPT_ECHO_OFF:
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(udp->PAM_password);
+ reply[replies].resp = smb_pam_copy_string(
+ udp->PAM_password);
/* PAM frees resp */
break;
@@ -280,7 +295,7 @@ static int smb_pam_passchange_conv(int num_msg,
struct chat_struct *t;
bool found;
*resp = NULL;
-
+
DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
if (num_msg <= 0)
@@ -328,7 +343,8 @@ static int smb_pam_passchange_conv(int num_msg,
DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
#endif
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_FSTRING(current_reply);
+ reply[replies].resp = smb_pam_copy_fstring(
+ current_reply);
found = True;
break;
}
@@ -356,7 +372,8 @@ static int smb_pam_passchange_conv(int num_msg,
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_FSTRING(current_reply);
+ reply[replies].resp = smb_pam_copy_fstring(
+ current_reply);
#ifdef DEBUG_PASSWORD
DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
#endif
@@ -365,7 +382,7 @@ static int smb_pam_passchange_conv(int num_msg,
}
}
/* PAM frees resp */
-
+
if (!found) {
DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
free_pw_chat(pw_chat);
@@ -382,7 +399,7 @@ static int smb_pam_passchange_conv(int num_msg,
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = NULL;
break;
-
+
default:
/* Must be an error of some sort... */
free_pw_chat(pw_chat);
@@ -390,7 +407,7 @@ static int smb_pam_passchange_conv(int num_msg,
return PAM_CONV_ERR;
}
}
-
+
free_pw_chat(pw_chat);
if (reply)
*resp = reply;
@@ -443,7 +460,7 @@ static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
int pam_error;
smb_free_pam_conv(smb_pam_conv_ptr);
-
+
if( pamh != NULL ) {
pam_error = pam_end(pamh, 0);
if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
@@ -520,7 +537,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
* To enable debugging set in /etc/pam.d/samba:
* auth required /lib/security/pam_pwdb.so nullok shadow audit
*/
-
+
DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
switch( pam_error ){
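Review bot: The context line `pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK)` does not compute the flags it appears to. `|` binds tighter than `?:`, so the condition is `PAM_SILENT | lp_null_passwords()`, which is always non-zero because PAM_SILENT is a non-zero flag, and the call always receives 0. PAM_DISALLOW_NULL_AUTHTOK is therefore never passed, whatever lp_null_passwords() returns, and PAM_SILENT is dropped as well. This commit only touches the blank line above, but the fix is one line: `pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK));`. smb_pam_auth continues beyond this hunk.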
@@ -774,7 +791,7 @@ bool smb_pam_close_session(char *user, char *tty, char *rhost)
* PAM Externally accessible Account handler
*/
-NTSTATUS smb_pam_accountcheck(const char * user)
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
{
NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
pam_handle_t *pamh = NULL;
@@ -788,7 +805,7 @@ NTSTATUS smb_pam_accountcheck(const char * user)
if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
return NT_STATUS_NO_MEMORY;
- if (!smb_pam_start(&pamh, user, NULL, pconv))
+ if (!smb_pam_start(&pamh, user, rhost, pconv))
return NT_STATUS_ACCOUNT_DISABLED;
if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
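Review bot: `rhost` is handed to smb_pam_start as received, and all three callers in this changeset (auth.c, sesssetup.c, smb2_sesssetup.c) supply `client_id.name`, whose origin is not visible here. If that field can hold a reverse-resolved host name rather than the peer address, any PAM module that bases account decisions on the remote host would presumably be trusting a value set by whoever controls the client's PTR record. That should be confirmed and recorded in the comment above smb_pam_accountcheck. The comment should also say whether NULL is still accepted, since NULL is what this call passed before, for example `/* rhost: client host as recorded by smbd, passed on to PAM; may be NULL */`. The function starts in the previous hunk and continues past this one.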
@@ -870,7 +887,7 @@ bool smb_pam_passchange(const char * user, const char * oldpassword, const char
#else
/* If PAM not used, no PAM restrictions on accounts. */
-NTSTATUS smb_pam_accountcheck(const char * user)
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
{
return NT_STATUS_OK;
}
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 50309a9..43a510b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -221,10 +221,9 @@ NTSTATUS auth_wbc_init(void);
bool smb_pam_claim_session(char *user, char *tty, char *rhost);
bool smb_pam_close_session(char *user, char *tty, char *rhost);
-NTSTATUS smb_pam_accountcheck(const char * user);
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost);
NTSTATUS smb_pam_passcheck(const char * user, const char * password);
bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword);
-NTSTATUS smb_pam_accountcheck(const char * user);
bool smb_pam_claim_session(char *user, char *tty, char *rhost);
bool smb_pam_close_session(char *in_user, char *tty, char *rhost);
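Review bot: Only one of the duplicated declarations is cleaned up here. `smb_pam_claim_session` and `smb_pam_close_session` are still declared twice in this hunk, the second `smb_pam_close_session` with `in_user` where the first has `user`. Dropping the second pair in the same change would leave one prototype per function. Their `rhost` parameter is also still `char *` while the new `smb_pam_accountcheck` takes `const char *rhost`; making them `const char *` would keep the three signatures consistent.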
diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c
index 1073f26..e55d7a0 100644
--- a/source3/lib/pam_errors.c
+++ b/source3/lib/pam_errors.c
@@ -92,7 +92,7 @@ NTSTATUS pam_to_nt_status(int pam_error)
{
int i;
if (pam_error == 0) return NT_STATUS_OK;
-
+
for (i=0; NT_STATUS_V(pam_to_nt_status_map[i].ntstatus); i++) {
if (pam_error == pam_to_nt_status_map[i].pam_code)
return pam_to_nt_status_map[i].ntstatus;
@@ -107,7 +107,7 @@ int nt_status_to_pam(NTSTATUS nt_status)
{
int i;
if NT_STATUS_IS_OK(nt_status) return PAM_SUCCESS;
-
+
for (i=0; NT_STATUS_V(nt_status_to_pam_map[i].ntstatus); i++) {
if (NT_STATUS_EQUAL(nt_status,nt_status_to_pam_map[i].ntstatus))
return nt_status_to_pam_map[i].pam_code;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a476ed4..9ff5d55 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -427,7 +427,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mapping to guest occurs */
- ret = smb_pam_accountcheck(pw->pw_name);
+ ret = smb_pam_accountcheck(pw->pw_name, sconn->client_id.name);
if ( !NT_STATUS_IS_OK(ret)) {
DEBUG(1,("PAM account restriction "
"prevents user login\n"));
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index df00b4f..4a91e84 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -294,7 +294,8 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mapping to guest occurs */
- status = smb_pam_accountcheck(pw->pw_name);
+ status = smb_pam_accountcheck(
+ pw->pw_name, smb2req->sconn->client_id.name);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("smb2: PAM account restriction "
"prevents user login\n"));
--
Samba Shared Repository