sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00
Code
8bc58990a4
samba-mirror/source3/lib/pam_errors.c

140 lines
4.9 KiB
C
Raw Normal View History

Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
/*
* Unix SMB/CIFS implementation.
* PAM error mapping functions
* Copyright (C) Andrew Bartlett 2002
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-07-09 23:25:36 +04:00
* the Free Software Foundation; either version 3 of the License, or
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
2007-07-10 09:23:25 +04:00
* along with this program; if not, see <http://www.gnu.org/licenses/>.
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
*/
#include "includes.h"
#ifdef WITH_PAM
r23095: Support systems that have their PAM headers in /usr/include/pam. (This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4)
2007-05-24 00:31:28 +04:00
#if defined(HAVE_SECURITY_PAM_APPL_H)
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
#include <security/pam_appl.h>
r23095: Support systems that have their PAM headers in /usr/include/pam. (This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4)
2007-05-24 00:31:28 +04:00
#elif defined(HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
cope with a missing PAM define (This used to be commit e5c3648fe721d659c8b90a6987998ada4790592b)
2002-04-01 11:16:06 +04:00
#if defined(PAM_AUTHTOK_RECOVERY_ERR) && !defined(PAM_AUTHTOK_RECOVER_ERR)
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
#endif
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
/* PAM -> NT_STATUS map */
Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2003-01-03 11:28:12 +03:00
static const struct {
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
int pam_code;
NTSTATUS ntstatus;
} pam_to_nt_status_map[] = {
{PAM_OPEN_ERR, NT_STATUS_UNSUCCESSFUL},
{PAM_SYMBOL_ERR, NT_STATUS_UNSUCCESSFUL},
{PAM_SERVICE_ERR, NT_STATUS_UNSUCCESSFUL},
{PAM_SYSTEM_ERR, NT_STATUS_UNSUCCESSFUL},
Add a few more NTSTATUS <=> PAM error mappings. Andrew Bartlett (This used to be commit 7495cafd42617c0aa2ba9de69f87426ecacc1297)
2004-01-26 11:38:34 +03:00
{PAM_BUF_ERR, NT_STATUS_NO_MEMORY},
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{PAM_PERM_DENIED, NT_STATUS_ACCESS_DENIED},
{PAM_AUTH_ERR, NT_STATUS_WRONG_PASSWORD},
{PAM_CRED_INSUFFICIENT, NT_STATUS_INSUFFICIENT_LOGON_INFO}, /* FIXME: Is this correct? */
{PAM_AUTHINFO_UNAVAIL, NT_STATUS_LOGON_FAILURE},
{PAM_USER_UNKNOWN, NT_STATUS_NO_SUCH_USER},
{PAM_MAXTRIES, NT_STATUS_REMOTE_SESSION_LIMIT}, /* FIXME: Is this correct? */
{PAM_NEW_AUTHTOK_REQD, NT_STATUS_PASSWORD_MUST_CHANGE},
{PAM_ACCT_EXPIRED, NT_STATUS_ACCOUNT_EXPIRED},
{PAM_SESSION_ERR, NT_STATUS_INSUFFICIENT_RESOURCES},
{PAM_CRED_UNAVAIL, NT_STATUS_NO_TOKEN}, /* FIXME: Is this correct? */
{PAM_CRED_EXPIRED, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: Is this correct? */
{PAM_CRED_ERR, NT_STATUS_UNSUCCESSFUL},
{PAM_AUTHTOK_ERR, NT_STATUS_UNSUCCESSFUL},
cope with a missing PAM define (This used to be commit e5c3648fe721d659c8b90a6987998ada4790592b)
2002-04-01 11:16:06 +04:00
#ifdef PAM_AUTHTOK_RECOVER_ERR
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{PAM_AUTHTOK_RECOVER_ERR, NT_STATUS_UNSUCCESSFUL},
cope with a missing PAM define (This used to be commit e5c3648fe721d659c8b90a6987998ada4790592b)
2002-04-01 11:16:06 +04:00
#endif
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{PAM_AUTHTOK_EXPIRED, NT_STATUS_PASSWORD_EXPIRED},
{PAM_SUCCESS, NT_STATUS_OK}
};
/* NT_STATUS -> PAM map */
Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2003-01-03 11:28:12 +03:00
static const struct {
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
NTSTATUS ntstatus;
int pam_code;
} nt_status_to_pam_map[] = {
{NT_STATUS_UNSUCCESSFUL, PAM_SYSTEM_ERR},
{NT_STATUS_NO_SUCH_USER, PAM_USER_UNKNOWN},
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
Add a few more NTSTATUS <=> PAM error mappings. Andrew Bartlett (This used to be commit 7495cafd42617c0aa2ba9de69f87426ecacc1297)
2004-01-26 11:38:34 +03:00
{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
r20183: Fix the build. Guenther (This used to be commit fe3ed63d29e7a68413bffc11d634b61a664ed1a2)
2006-12-15 15:35:20 +03:00
{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
r20181: Improve NT status to pam error mapping. Jeremy. (This used to be commit 794ebd8a84115a636d8fa4a9f859f8a999135e5e)
2006-12-15 09:44:16 +03:00
{NT_STATUS_INVALID_WORKSTATION, PAM_PERM_DENIED},
r20183: Fix the build. Guenther (This used to be commit fe3ed63d29e7a68413bffc11d634b61a664ed1a2)
2006-12-15 15:35:20 +03:00
{NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT, PAM_AUTHINFO_UNAVAIL},
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{NT_STATUS_OK, PAM_SUCCESS}
};
/*****************************************************************************
convert a PAM error to a NT status32 code
*****************************************************************************/
NTSTATUS pam_to_nt_status(int pam_error)
{
int i;
if (pam_error == 0) return NT_STATUS_OK;
for (i=0; NT_STATUS_V(pam_to_nt_status_map[i].ntstatus); i++) {
if (pam_error == pam_to_nt_status_map[i].pam_code)
return pam_to_nt_status_map[i].ntstatus;
}
return NT_STATUS_UNSUCCESSFUL;
}
/*****************************************************************************
convert an NT status32 code to a PAM error
*****************************************************************************/
int nt_status_to_pam(NTSTATUS nt_status)
{
int i;
if NT_STATUS_IS_OK(nt_status) return PAM_SUCCESS;
for (i=0; NT_STATUS_V(nt_status_to_pam_map[i].ntstatus); i++) {
if (NT_STATUS_EQUAL(nt_status,nt_status_to_pam_map[i].ntstatus))
return nt_status_to_pam_map[i].pam_code;
}
return PAM_SYSTEM_ERR;
}
#else
/*****************************************************************************
convert a PAM error to a NT status32 code
*****************************************************************************/
Try to get this finally working. (Note to self: *always* check build farm...) :-) Andrew Bartlett (This used to be commit 542e0e37455e6bcd8e0c248b3bb6ede8306d1656)
2002-02-06 23:31:26 +03:00
NTSTATUS pam_to_nt_status(int pam_error)
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{
See if we can get slightly valid C for the non-PAM case here. Andrew Bartlett (This used to be commit 59afc3d6daad2770219dba1ca113869967eefc23)
2002-02-06 00:05:04 +03:00
if (pam_error == 0) return NT_STATUS_OK;
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
/*****************************************************************************
convert an NT status32 code to a PAM error
*****************************************************************************/
Try to get this finally working. (Note to self: *always* check build farm...) :-) Andrew Bartlett (This used to be commit 542e0e37455e6bcd8e0c248b3bb6ede8306d1656)
2002-02-06 23:31:26 +03:00
int nt_status_to_pam(NTSTATUS nt_status)
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
{
See if we can get slightly valid C for the non-PAM case here. Andrew Bartlett (This used to be commit 59afc3d6daad2770219dba1ca113869967eefc23)
2002-02-06 00:05:04 +03:00
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OK)) return 0;
Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-02-05 12:40:36 +03:00
return 4; /* PAM_SYSTEM_ERR */
}
#endif
Copy Permalink