[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Tue Jun 23 08:09:06 UTC 2020 

The branch, master has been updated
       via  1a6b714605a nsswitch: silence openpam error messages about unexpected responses
      from  d473df78fb4 third_party/socket_wrapper: Update socket_wrapper to version 1.2.5

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1a6b714605ac5f08f671c89fd1762ed7391667fb
Author: Andrew <awalker at ixsystems.com>
Date:   Fri Jun 19 13:11:48 2020 -0400

    nsswitch: silence openpam error messages about unexpected responses
    
    Openpam will log an error message when it receives an unexpected
    response. On servers using openpam, convert an unexpected response
    into PAM_SERVICE_ERR and log what we're doing so that logging behavior
    is more user-configurable.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14416
    
    Signed-off-by: Andrew <awalker at ixsystems.com>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Jun 23 08:08:29 UTC 2020 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/pam_winbind.c | 84 +++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 79 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 7af03fe2bd0..61ce4fd6b21 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -2645,6 +2645,80 @@ out:
 	return retval;
 }
 
+#ifdef SECURITY_OPENPAM_H_INCLUDED
+/*
+ * Logic below is copied from openpam_check_error_code() in
+ *./contrib/openpam/lib/libpam/openpam_dispatch.c on FreeBSD.
+ */
+static int openpam_convert_error_code(struct pwb_context *ctx,
+				      enum pam_winbind_request_type req,
+				      int r)
+{
+	if (r == PAM_SUCCESS ||
+	    r == PAM_SYSTEM_ERR ||
+	    r == PAM_SERVICE_ERR ||
+	    r == PAM_BUF_ERR ||
+	    r == PAM_CONV_ERR ||
+	    r == PAM_PERM_DENIED ||
+	    r == PAM_ABORT) {
+		return r;
+	}
+
+	/* specific winbind request types */
+	switch (req) {
+	case PAM_WINBIND_AUTHENTICATE:
+		if (r == PAM_AUTH_ERR ||
+		    r == PAM_CRED_INSUFFICIENT ||
+		    r == PAM_AUTHINFO_UNAVAIL ||
+		    r == PAM_USER_UNKNOWN ||
+		    r == PAM_MAXTRIES) {
+			return r;
+		}
+		break;
+	case PAM_WINBIND_SETCRED:
+		if (r == PAM_CRED_UNAVAIL ||
+		    r == PAM_CRED_EXPIRED ||
+		    r == PAM_USER_UNKNOWN ||
+		    r == PAM_CRED_ERR) {
+			return r;
+		}
+		break;
+	case PAM_WINBIND_ACCT_MGMT:
+		if (r == PAM_USER_UNKNOWN ||
+		    r == PAM_AUTH_ERR ||
+		    r == PAM_NEW_AUTHTOK_REQD ||
+		    r == PAM_ACCT_EXPIRED) {
+			return r;
+		}
+		break;
+	case PAM_WINBIND_OPEN_SESSION:
+	case PAM_WINBIND_CLOSE_SESSION:
+		if (r == PAM_SESSION_ERR) {
+			return r;
+		}
+		break;
+	case PAM_WINBIND_CHAUTHTOK:
+		if (r == PAM_PERM_DENIED ||
+		    r == PAM_AUTHTOK_ERR ||
+		    r == PAM_AUTHTOK_RECOVERY_ERR ||
+		    r == PAM_AUTHTOK_LOCK_BUSY ||
+		    r == PAM_AUTHTOK_DISABLE_AGING ||
+		    r == PAM_TRY_AGAIN) {
+			return r;
+		}
+		break;
+	default:
+		break;
+	}
+	_pam_log(ctx, LOG_INFO,
+		 "Converting PAM error [%d] to PAM_SERVICE_ERR.\n", r);
+	return PAM_SERVICE_ERR;
+};
+#define pam_error_code(a, b, c) openpam_convert_error_code(a, b, c)
+#else
+#define pam_error_code(a, b, c) (c)
+#endif
+
 PAM_EXTERN
 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 			int argc, const char **argv)
@@ -2849,7 +2923,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
 
 	TALLOC_FREE(ctx);
 
-	return ret;
+	return pam_error_code(ctx, PAM_WINBIND_SETCRED, ret);
 }
 
 /*
@@ -2952,7 +3026,7 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 
 	TALLOC_FREE(ctx);
 
-	return ret;
+	return pam_error_code(ctx, PAM_WINBIND_ACCT_MGMT, ret);
 }
 
 PAM_EXTERN
@@ -2979,7 +3053,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 
 	TALLOC_FREE(ctx);
 
-	return ret;
+	return pam_error_code(ctx, PAM_WINBIND_OPEN_SESSION, ret);
 }
 
 PAM_EXTERN
@@ -3001,7 +3075,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
 
 	TALLOC_FREE(ctx);
 
-	return ret;
+	return pam_error_code(ctx, PAM_WINBIND_CLOSE_SESSION, ret);
 }
 
 /**
@@ -3353,7 +3427,7 @@ out:
 
 	TALLOC_FREE(ctx);
 
-	return ret;
+	return pam_error_code(ctx, PAM_WINBIND_CHAUTHTOK, ret);
 }
 
 #ifdef PAM_STATIC


-- 
Samba Shared Repository

More information about the samba-cvs mailing list