[SCM] Samba Shared Repository - branch master updated

Björn Jacke bjacke at samba.org
Tue Dec 13 17:02:03 UTC 2016


The branch, master has been updated
       via  01c8631 pam: strip trailing whitespaces in pam_winbind.c
       via  69f1008 pam: map more NT password errors to PAM errors
      from  dcd4fed talloc: Add tests for talloc destructor behaviour after talloc_realloc()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 01c8631df5ec998f6eaab09af300842412c33da4
Author: Björn Jacke <bj at sernet.de>
Date:   Tue Dec 13 09:00:58 2016 +0100

    pam: strip trailing whitespaces in pam_winbind.c
    
    Signed-off-by: Bjoern Jacke <bj at sernet.de>
    Reviewed-by: Karolin Seeger <ks at sernet.de>
    
    Autobuild-User(master): Björn Jacke <bj at sernet.de>
    Autobuild-Date(master): Tue Dec 13 18:01:21 CET 2016 on sn-devel-144

commit 69f10080c3765a9b139fbad7f3dc633066fdded2
Author: Björn Jacke <bj at sernet.de>
Date:   Wed Nov 25 14:04:24 2015 +0100

    pam: map more NT password errors to PAM errors
    
    NT_STATUS_ACCOUNT_DISABLED,
    NT_STATUS_PASSWORD_RESTRICTION,
    NT_STATUS_PWD_HISTORY_CONFLICT,
    NT_STATUS_PWD_TOO_RECENT,
    NT_STATUS_PWD_TOO_SHORT
    
    now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
    the closest match.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
    
    Signed-off-by: Bjoern Jacke <bj at sernet.de>
    Reviewed by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/pam_errors.c |  6 +++++-
 nsswitch/pam_winbind.c   | 15 ++++++++++-----
 2 files changed, 15 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
 	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
 	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
 	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+	{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
 	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
 	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
 	{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
 	{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
-	{NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+	{NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+	{NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+	{NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+	{NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
 	{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
 	{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
 	{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
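Review bot: The added `NT_STATUS_ACCOUNT_DISABLED` row maps to `PAM_ACCT_EXPIRED`, but the commit message lists that status among the ones that now map to `PAM_AUTHTOK_ERR`, so the code and its description disagree. The table entry looks like the intended behaviour, since a disabled account is an account-state failure rather than a password-change failure. Either correct the message or record the choice on the row, e.g. `/* no PAM code for a disabled account; expired is the closest match */`. The array definition starts and ends outside this hunk, so it cannot be checked here whether another row already covers any of the newly added statuses.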
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 42c4f8e..40f4f7a 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -12,7 +12,7 @@
 
 #include "pam_winbind.h"
 
-enum pam_winbind_request_type 
+enum pam_winbind_request_type
 {
 	PAM_WINBIND_AUTHENTICATE,
 	PAM_WINBIND_SETCRED,
@@ -490,12 +490,12 @@ config_from_pam:
 		else if (!strcasecmp(*v, "unknown_ok"))
 			ctrl |= WINBIND_UNKNOWN_OK_ARG;
 		else if ((type == PAM_WINBIND_AUTHENTICATE
-			  || type == PAM_WINBIND_SETCRED) 
+			  || type == PAM_WINBIND_SETCRED)
 			 && !strncasecmp(*v, "require_membership_of",
 					 strlen("require_membership_of")))
 			ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
-		else if ((type == PAM_WINBIND_AUTHENTICATE 
-			  || type == PAM_WINBIND_SETCRED) 
+		else if ((type == PAM_WINBIND_AUTHENTICATE
+			  || type == PAM_WINBIND_SETCRED)
 			 && !strncasecmp(*v, "require-membership-of",
 					 strlen("require-membership-of")))
 			ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
@@ -775,6 +775,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
 			return PAM_IGNORE;
 		}
 		return retval;
+	case PAM_AUTHTOK_ERR:
+		/* Authentication token manipulation error */
+		_pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed "
+			"(pwd complexity/history/min_age not met?)", user);
+		return retval;
 	case PAM_SUCCESS:
 		/* Otherwise, the authentication looked good */
 		if (strcmp(fn, "wbcLogonUser") == 0) {
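Review bot: The new `PAM_AUTHTOK_ERR` case logs only a guess at the cause and does not say which winbind call failed, although `fn` is in scope (the `PAM_SUCCESS` case just below compares it). Because several distinct NT statuses now collapse into this one PAM code, the syslog line is the only place an operator can tell a policy rejection from another failure. Adding the call name makes the entry usable for triage: change the second literal and the arguments to `"(%s: pwd complexity/history/min_age not met?)", user, fn);`. The body of `pam_winbind_request_log` starts and ends outside this hunk, so the log level used by the neighbouring cases could not be compared.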
@@ -2497,7 +2502,7 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 }
 
 static int _pam_delete_cred(pam_handle_t *pamh, int flags,
-			    int argc, enum pam_winbind_request_type type, 
+			    int argc, enum pam_winbind_request_type type,
 			    const char **argv)
 {
 	int retval = PAM_SUCCESS;


-- 
Samba Shared Repository


