[PATCH] pam_winbind: error msg. for NT_STATUS_ERR_* which don't have mapped PAM errors

Narayana Pattipati narayana.pattipati at wipro.com
Fri Dec 10 14:16:03 GMT 2004


Hi,

Error messages like NT_STATUS_ACCOUNT_DISABLED and
NT_STATUS_PASSWORD_RESTRICTION do not have mapped PAM errors. So, when
an application receives them, the PAM error will be "4", which is
PAM_SYS_ERROR.

So, the end user will not know what went wrong even though pam_winbind
returns errors like "account disabled", "password restriction" etc. 

The attached patch writes such error messages (which don't have a PAM
error mapping) onto the conversation pipe, so that the application can read
them and make sense of them.

I am new to samba. Please let me know if this is the correct approach, or
suggest a better one.

Thanks,
Narayana




Confidentiality Notice 

The information contained in this electronic message and any attachments to this message are intended
for the exclusive use of the addressee(s) and may contain confidential or privileged information. If
you are not the intended recipient, please notify the sender at Wipro or Mailadmin at wipro.com immediately
and destroy all copies of this message and any attachments.
-------------- next part --------------
--- nsswitch/pam_winbind.c	2004-12-15 19:14:49.000000000 +0530
+++ nsswitch-new/pam_winbind.c	2004-12-15 19:04:09.000000000 +0530
@@ -192,8 +192,10 @@ static int pam_winbind_request_log(enum 
 }
 
 /* talk to winbindd */
-static int winbind_auth_request(const char *user, const char *pass, int ctrl)
+static int winbind_auth_request(pam_handle_t *pamh, const char *user, 
+				const char *pass, int ctrl)
 {
+	int retval;
 	struct winbindd_request request;
 	struct winbindd_response response;
 
@@ -206,13 +208,28 @@ static int winbind_auth_request(const ch
                 sizeof(request.data.auth.pass)-1);
 	
 	
-        return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
+        retval = pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
+	if (retval != PAM_SUCCESS) {
+		/* Inform users of account disabling error
+		 * as NT_STATUS_ACCOUNT_DISABLED error doesn't have 
+		 * direct mapping to any PAM error.
+		 */
+		if (response.data.auth.nt_status_string && strcmp(response.data.auth.nt_status_string, "NT_STATUS_ACCOUNT_DISABLED") == 0) {
+				_make_remark(pamh,
+					     PAM_ERROR_MSG,
+					     ACCT_DISABLED_ERR_MSG);
+		}
+		/* Any other relavent errors to be informed to user ? */
+	}
+	return retval;
 }
 
 /* talk to winbindd */
-static int winbind_chauthtok_request(const char *user, const char *oldpass,
-                                     const char *newpass, int ctrl)
+static int winbind_chauthtok_request(pam_handle_t *pamh, const char *user, 
+				     const char *oldpass, const char *newpass, 
+				     int ctrl)
 {
+	int retval;
 	struct winbindd_request request;
 	struct winbindd_response response;
 
@@ -236,8 +253,21 @@ static int winbind_chauthtok_request(con
         } else {
             request.data.chauthtok.newpass[0] = '\0';
         }
-	
-        return pam_winbind_request_log(WINBINDD_PAM_CHAUTHTOK, &request, &response, ctrl, user);
+
+	retval = pam_winbind_request_log(WINBINDD_PAM_CHAUTHTOK, &request, &response, ctrl, user);
+	if (retval != PAM_SUCCESS) {
+		/* Inform the users of auth token change errors as
+		 * some NT_STATUS_PASSWORD_ errors don't have direct mapping 
+		 * to PAM errors.
+		 */
+		if (response.data.auth.nt_status_string && strcmp(response.data.auth.nt_status_string, "NT_STATUS_PASSWORD_RESTRICTION") == 0) {
+				_make_remark(pamh,
+					     PAM_ERROR_MSG,
+					     PASS_RESTRICTION_ERR_MSG);
+		}
+		/* Any other relavant errors to be informed to user ? */
+	}
+	return retval;
 }
 
 /*
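Review bot: The guard `response.data.auth.nt_status_string && strcmp(...)` looks like a NULL test, but if `nt_status_string` is a fixed-size `char` array inside `winbindd_response` rather than a pointer (I cannot see the struct here), the address is never NULL and the test is vacuous; `response.data.auth.nt_status_string[0] != '\0' && strcmp(...) == 0` would express the intended "winbindd gave us a status string" check, and the same applies to the identical guard in `winbind_auth_request` above. The inner `_make_remark` block is also indented one level deeper than the `if` that encloses it, and the trailing comment misspells "relevant"; both are worth fixing before this lands. The start of `winbind_chauthtok_request` lies in the previous hunk.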
@@ -454,7 +484,7 @@ int pam_sm_authenticate(pam_handle_t *pa
      }
 
      /* Now use the username to look up password */
-     return winbind_auth_request(username, password, ctrl);
+     return winbind_auth_request(pamh, username, password, ctrl);
 }
 
 PAM_EXTERN
@@ -606,7 +636,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
 		}
 		/* verify that this is the password for this user */
 		
-		retval = winbind_auth_request(user, pass_old, ctrl);
+		retval = winbind_auth_request(pamh, user, pass_old, ctrl);
 		
 		if (retval != PAM_ACCT_EXPIRED 
 		    && retval != PAM_AUTHTOK_EXPIRED
@@ -684,7 +714,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
 		 * rebuild the password database file.
 		 */
 
-		retval = winbind_chauthtok_request(user, pass_old, pass_new, ctrl);
+		retval = winbind_chauthtok_request(pamh, user, pass_old, pass_new, ctrl);
 		_pam_overwrite(pass_new);
 		_pam_overwrite(pass_old);
 		pass_old = pass_new = NULL;
--- nsswitch/pam_winbind.h	2004-12-15 19:14:43.000000000 +0530
+++ nsswitch-new/pam_winbind.h	2004-12-15 19:12:44.000000000 +0530
@@ -90,6 +90,9 @@ do {                             \
 
 #define MISTYPED_PASS "Sorry, passwords do not match"
 
+#define PASS_RESTRICTION_ERR_MSG "New password does not meet complexity requirements. Please try again or contact system administrator."
+#define ACCT_DISABLED_ERR_MSG "The system administrator has disabled your account."
+
 #define on(x, y) (x & y)
 #define off(x, y) (!(x & y))
 

