[PATCH] pam_winbind: error msg. for NT_STATUS_ERR_* which don't have mapped PAM errors

Narayana Pattipati narayana.pattipati at wipro.com
Tue Dec 28 04:54:00 GMT 2004


Hi,

Thanks for the information.

On Tue, 2004-12-21 at 04:35, Andrew Bartlett wrote:
> > Error messages like NT_STATUS_ACCOUNT_DISABLED,
> > NT_STATUS_PASSWORD_RESTRICTION do not have mapped PAM errors. So, when
> > an application receives them, the PAM error will be "4", which is
> > PAM_SYS_ERROR.
> > The attached patch writes such error messages (which don't have PAM
> > error mapping) onto the conversation pipe, so that the application can
> > read them and make sense out of them.
> > 
> > I am new to samba. Please let me know if this is the correct approach or
> > suggest any better approach.
> 
> Close, but instead of putting the strings there, put them in
> libsmb/nterr.c and pull response.data.auth.error_string into the
> message.
nterr.c already has entries for NT_STATUS_ACCOUNT_DISABLED and
NT_STATUS_PASSWORD_RESTRICTION.
> Is there any reason we can't/should not always print the message?  Or
> always for the 'generic error' pam code?
> 
> Also, see if there is a good PAM error code to switch on - the current
> table is just a start.

I thought that I should not be disturbing the present NT to PAM
mapping. The NT to PAM mapping in lib/pam_errors.c does not have mappings
for NT_STATUS_ACCOUNT_DISABLED and NT_STATUS_PASSWORD_RESTRICTION.
In many PAM modules, NT_STATUS_ACCOUNT_DISABLED is mapped to
PAM_ACCOUNT_EXPIRED and NT_STATUS_PASSWORD_RESTRICTION is mapped to
PAM_AUTHTOK_ERR. Hence, the attached patch does the same. Also, I made a few
changes to pam_winbind to add log messages or make them clearer for
these two errors.

Please have a look at the patch. If you find it OK, then could you
please commit it, as I don't have access.

Thanks,
Narayana

--- source/lib/pam_errors.c	2004-12-28 10:04:50.406078880 +0530
+++ source-new/lib/pam_errors.c	2004-12-28 10:04:31.047021904 +0530
@@ -67,8 +67,10 @@ static const struct {
 	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
 	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
 	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+	{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
 	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
 	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
+	{NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
 	{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
 	{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
 	{NT_STATUS_OK, PAM_SUCCESS}
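Review bot: both new entries fold a distinct NT status onto a PAM code that the table already uses for a different status (`{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED}` now collides with `{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED}`), so a caller that only sees the PAM return value can no longer tell an expired account from one an administrator deliberately disabled. Since the thread already asks whether there is a better PAM code to switch on, consider whether PAM_PERM_DENIED is a closer fit for a disabled account, or at least add a comment beside the two entries stating that the mapping is intentionally lossy and that the original NT status should be read from the winbind response when the distinction matters.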
--- source/nsswitch/pam_winbind.c	2004-12-28 10:06:02.134174552 +0530
+++ source-new/nsswitch/pam_winbind.c	2004-12-28 10:05:47.173448928 +0530
@@ -156,7 +156,7 @@ static int pam_winbind_request_log(enum 
 		return retval;
 	case PAM_ACCT_EXPIRED:
 		/* account expired */
-		_pam_log(LOG_WARNING, "user `%s' account expired", user);
+		_pam_log(LOG_WARNING, "user `%s' account expired (or disabled)", user);
 		return retval;
 	case PAM_AUTHTOK_EXPIRED:
 		/* password expired */
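Review bot: the new wording "account expired (or disabled)" concedes that the log can no longer say which condition occurred, which is exactly the information an administrator reading syslog needs. Rather than hedging in the message, log the NT status text from the winbind response (the `response.data.auth.error_string` suggested earlier in the thread) alongside the user name, so the two cases stay distinguishable in the log even though they share a PAM return code.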
@@ -175,6 +175,10 @@ static int pam_winbind_request_log(enum 
 			return PAM_IGNORE;
 		}	 
 		return retval;
+	case PAM_AUTHTOK_ERR:
+		/* Authentication token manipulation error */ 
+		_pam_log(LOG_WARNING, "user `%s' authentication token change failed (may be, password complexity rule is not met)", user);
+		return retval;
 	case PAM_SUCCESS:
 		if (req_type == WINBINDD_PAM_AUTH) {
 			/* Otherwise, the authentication looked good */
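Review bot: the message in the new PAM_AUTHTOK_ERR case guesses at the cause ("may be, password complexity rule is not met") instead of reporting it; since NT_STATUS_PASSWORD_RESTRICTION is only one of the statuses that could land here, log the NT error string from the response and keep the fixed text neutral, e.g. `"user `%s' authentication token change failed: %s"`. Two style points on the same lines: the `_pam_log` call runs well past 80 columns and should be wrapped like the neighbouring cases, and the `/* Authentication token manipulation error */` comment line carries trailing whitespace.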