sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

r18484: Start some cleanup on pam_winbind's syslogging:

Browse Source 
* as openlog() is non-reentrant and pam_winbind thereby overrides the
  syslog settings of the calling application, directly call syslog (or
  pam_vsyslog if available)

* support the PAM_SILENT flag to avoid any log messages beeing created

Guenther
(This used to be commit 0f7e37ffc4)
This commit is contained in:
Günther Deschner 2006-09-13 16:39:52 +00:00 committed by Gerald (Jerry) Carter
parent b3b207e966
commit 1f0b2e84d7
3 changed files with 167 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source3/configure.in
View File

@ -872,6 +872,7 @@ AC_CHECK_HEADERS(sys/sysmacros.h security/_pam_macros.h dlfcn.h)
AC_CHECK_HEADERS(sys/syslog.h syslog.h)
AC_CHECK_HEADERS(langinfo.h locale.h)
AC_CHECK_HEADERS(xfs/libxfs.h)
AC_CHECK_HEADERS(security/pam_ext.h)
AC_CHECK_HEADERS(rpcsvc/yp_prot.h,,,[[
#if HAVE_RPC_RPC_H
@ -3973,6 +3974,7 @@ AC_ARG_WITH(pam,
# we can't build a pam module if we don't have pam.
AC_CHECK_LIB(pam, pam_get_data, [AC_DEFINE(HAVE_LIBPAM,1,[Whether libpam is available])])
AC_CHECK_LIB(pam, pam_vsyslog, [AC_DEFINE(HAVE_PAM_VSYSLOG,1,[Whether pam_vsyslog is available])])
#################################################
# check for pam_smbpass support

277
source3/nsswitch/pam_winbind.c
View File

@ -16,40 +16,93 @@
#define MAX_PASSWD_TRIES 3
/* some syslogging */
static void _pam_log(int err, const char *format, ...)
/*
* Work around the pam API that has functions with void ** as parameters.
* These lead to strict aliasing warnings with gcc.
*/
static int _pam_get_item(const pam_handle_t *pamh, int item_type,
const void *_item)
{
va_list args;
va_start(args, format);
openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH);
vsyslog(err, format, args);
va_end(args);
closelog();
const void **item = (const void **)_item;
return pam_get_item(pamh, item_type, item);
}
static int _pam_get_data(const pam_handle_t *pamh,
const char *module_data_name, const void *_data)
{
const void **data = (const void **)_data;
return pam_get_data(pamh, module_data_name, data);
}
static void _pam_log_debug(int ctrl, int err, const char *format, ...)
/* some syslogging */
static void _pam_log_int(const pam_handle_t *pamh, int err, const char *format, va_list args)
{
#ifdef HAVE_PAM_VSYSLOG
pam_vsyslog(pamh, err, format, args);
#else
{
char *format2 = NULL;
const char *service;
_pam_get_item(pamh, PAM_SERVICE, &service);
format2 = malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5);
if (format2 == NULL) {
/* what else todo ? */
vsyslog(err, format, args);
return;
}
sprintf(format2, "%s(%s): %s", MODULE_NAME, service, format);
vsyslog(err, format2, args);
SAFE_FREE(format2);
}
#endif
}
static void _pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
{
va_list args;
if (ctrl & WINBIND_SILENT) {
return;
}
va_start(args, format);
_pam_log_int(pamh, err, format, args);
va_end(args);
}
static void _pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
{
va_list args;
if (ctrl & WINBIND_SILENT) {
return;
}
if (!(ctrl & WINBIND_DEBUG_ARG)) {
return;
}
va_start(args, format);
openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH);
vsyslog(err, format, args);
_pam_log_int(pamh, err, format, args);
va_end(args);
closelog();
}
static int _pam_parse(int argc, const char **argv, dictionary **d)
static int _pam_parse(const pam_handle_t *pamh, int flags, int argc, const char **argv, dictionary **d)
{
int ctrl = 0;
const char *config_file = NULL;
int i;
const char **v;
if (flags & PAM_SILENT) {
ctrl |= WINBIND_SILENT;
}
if (d == NULL) {
goto config_from_pam;
}
@ -83,6 +136,10 @@ static int _pam_parse(int argc, const char **argv, dictionary **d)
ctrl |= WINBIND_KRB5_AUTH;
}
if (iniparser_getboolean(*d, CONST_DISCARD(char *, "global:silent"), False)) {
ctrl |= WINBIND_SILENT;
}
if (iniparser_getstr(*d, CONST_DISCARD(char *,"global:krb5_ccache_type")) != NULL) {
ctrl |= WINBIND_KRB5_CCACHE_TYPE;
}
@ -118,7 +175,7 @@ config_from_pam:
else if (!strcasecmp(*v, "cached_login"))
ctrl |= WINBIND_CACHED_LOGIN;
else {
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *v);
_pam_log(pamh, ctrl, LOG_ERR, "pam_parse: unknown option; %s", *v);
}
}
@ -130,23 +187,6 @@ static void _pam_winbind_cleanup_func(pam_handle_t *pamh, void *data, int error_
SAFE_FREE(data);
}
/*
* Work around the pam API that has functions with void ** as parameters.
* These lead to strict aliasing warnings with gcc.
*/
static int _pam_get_item(const pam_handle_t *pamh, int item_type,
const void *_item)
{
const void **item = (const void **)_item;
return pam_get_item(pamh, item_type, item);
}
static int _pam_get_data(const pam_handle_t *pamh,
const char *module_data_name, const void *_data)
{
const void **data = (const void **)_data;
return pam_get_data(pamh, module_data_name, data);
}
static const struct ntstatus_errors {
const char *ntstatus_string;
@ -247,14 +287,14 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl,
init_request(request, req_type);
if (write_sock(request, sizeof(*request), 0) == -1) {
_pam_log(LOG_ERR, "write to socket failed!");
_pam_log(pamh, ctrl, LOG_ERR, "pam_winbind_request: write to socket failed!");
close_sock();
return PAM_SERVICE_ERR;
}
/* Wait for reply */
if (read_reply(response) == -1) {
_pam_log(LOG_ERR, "read from socket failed!");
_pam_log(pamh, ctrl, LOG_ERR, "pam_winbind_request: read from socket failed!");
close_sock();
return PAM_SERVICE_ERR;
}
@ -265,14 +305,14 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl,
/* Copy reply data from socket */
if (response->result != WINBINDD_OK) {
if (response->data.auth.pam_error != PAM_SUCCESS) {
_pam_log(LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s",
_pam_log(pamh, ctrl, LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s",
response->data.auth.error_string,
pam_strerror(pamh, response->data.auth.pam_error),
response->data.auth.pam_error,
response->data.auth.nt_status_string);
return response->data.auth.pam_error;
} else {
_pam_log(LOG_ERR, "request failed, but PAM error 0!");
_pam_log(pamh, ctrl, LOG_ERR, "request failed, but PAM error 0!");
return PAM_SERVICE_ERR;
}
}
@ -280,7 +320,7 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl,
return PAM_SUCCESS;
}
static int pam_winbind_request_log(pam_handle_t * pamh,
static int pam_winbind_request_log(pam_handle_t * pamh,
int ctrl,
enum winbindd_cmd req_type,
struct winbindd_request *request,
@ -294,23 +334,23 @@ static int pam_winbind_request_log(pam_handle_t * pamh,
switch (retval) {
case PAM_AUTH_ERR:
/* incorrect password */
_pam_log(LOG_WARNING, "user `%s' denied access (incorrect password or invalid membership)", user);
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' denied access (incorrect password or invalid membership)", user);
return retval;
case PAM_ACCT_EXPIRED:
/* account expired */
_pam_log(LOG_WARNING, "user `%s' account expired", user);
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' account expired", user);
return retval;
case PAM_AUTHTOK_EXPIRED:
/* password expired */
_pam_log(LOG_WARNING, "user `%s' password expired", user);
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' password expired", user);
return retval;
case PAM_NEW_AUTHTOK_REQD:
/* new password required */
_pam_log(LOG_WARNING, "user `%s' new password required", user);
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' new password required", user);
return retval;
case PAM_USER_UNKNOWN:
/* the user does not exist */
_pam_log_debug(ctrl, LOG_NOTICE, "user `%s' not found", user);
_pam_log_debug(pamh, ctrl, LOG_NOTICE, "user '%s' not found", user);
if (ctrl & WINBIND_UNKNOWN_OK_ARG) {
return PAM_IGNORE;
}
@ -318,26 +358,26 @@ static int pam_winbind_request_log(pam_handle_t * pamh,
case PAM_SUCCESS:
if (req_type == WINBINDD_PAM_AUTH) {
/* Otherwise, the authentication looked good */
_pam_log(LOG_NOTICE, "user '%s' granted access", user);
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", user);
} else if (req_type == WINBINDD_PAM_CHAUTHTOK) {
/* Otherwise, the authentication looked good */
_pam_log(LOG_NOTICE, "user '%s' password changed", user);
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' password changed", user);
} else {
/* Otherwise, the authentication looked good */
_pam_log(LOG_NOTICE, "user '%s' OK", user);
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' OK", user);
}
return retval;
default:
/* we don't know anything about this return value */
_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')",
_pam_log(pamh, ctrl, LOG_ERR, "internal module error (retval = %d, user = '%s')",
retval, user);
return retval;
}
}
/* talk to winbindd */
static int winbind_auth_request(pam_handle_t * pamh,
static int winbind_auth_request(pam_handle_t * pamh,
int ctrl,
const char *user,
const char *pass,
@ -373,7 +413,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
struct passwd *pwd = NULL;
_pam_log_debug(ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5;
@ -385,7 +425,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
}
if (ctrl & WINBIND_CACHED_LOGIN) {
_pam_log_debug(ctrl, LOG_DEBUG, "enabling cached login flag\n");
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling cached login flag\n");
request.flags |= WBFLAG_PAM_CACHED_LOGIN;
}
@ -397,7 +437,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
if (cctype != NULL) {
strncpy(request.data.auth.krb5_cc_type, cctype,
sizeof(request.data.auth.krb5_cc_type) - 1);
_pam_log_debug(ctrl, LOG_DEBUG, "enabling request for a %s krb5 ccache\n", cctype);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling request for a %s krb5 ccache\n", cctype);
}
request.data.auth.require_membership_of_sid[0] = '\0';
@ -416,14 +456,14 @@ static int winbind_auth_request(pam_handle_t * pamh,
ZERO_STRUCT(sid_request);
ZERO_STRUCT(sid_response);
_pam_log_debug(ctrl, LOG_DEBUG, "no sid given, looking up: %s\n", member);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "no sid given, looking up: %s\n", member);
/* fortunatly winbindd can handle non-separated names */
strncpy(sid_request.data.name.name, member,
sizeof(sid_request.data.name.name) - 1);
if (pam_winbind_request_log(pamh, ctrl, WINBINDD_LOOKUPNAME, &sid_request, &sid_response, user)) {
_pam_log(LOG_INFO, "could not lookup name: %s\n", member);
_pam_log(pamh, ctrl, LOG_INFO, "could not lookup name: %s\n", member);
return PAM_AUTH_ERR;
}
@ -444,14 +484,14 @@ static int winbind_auth_request(pam_handle_t * pamh,
char var[PATH_MAX];
_pam_log_debug(ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s",
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s",
response.data.auth.krb5ccname);
snprintf(var, sizeof(var), "KRB5CCNAME=%s", response.data.auth.krb5ccname);
ret = pam_putenv(pamh, var);
if (ret != PAM_SUCCESS) {
_pam_log(LOG_ERR, "failed to set KRB5CCNAME to %s", var);
_pam_log(pamh, ctrl, LOG_ERR, "failed to set KRB5CCNAME to %s", var);
return ret;
}
}
@ -481,7 +521,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
ret = PAM_AUTHTOK_EXPIRED;
_pam_log_debug(ctrl, LOG_DEBUG,"Password has expired (Password was last set: %d, "
_pam_log_debug(pamh, ctrl, LOG_DEBUG,"Password has expired (Password was last set: %d, "
"the policy says it should expire here %d (now it's: %d)\n",
response.data.auth.info3.pass_last_set_time,
response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire,
@ -504,7 +544,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
if (response.data.auth.info3.user_flgs & LOGON_CACHED_ACCOUNT) {
_make_remark(pamh, PAM_ERROR_MSG, "Logging on using cached account. Network ressources can be unavailable");
_pam_log_debug(ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user);
_pam_log_debug(pamh, ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user);
}
/* save the CIFS homedir for pam_cifs / pam_mount */
@ -514,7 +554,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
(void *) strdup(response.data.auth.info3.home_dir),
_pam_winbind_cleanup_func);
if (ret2) {
_pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s",
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "Could not set data: %s",
pam_strerror(pamh, ret2));
}
@ -527,7 +567,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
(void *) strdup(response.data.auth.info3.logon_script),
_pam_winbind_cleanup_func);
if (ret2) {
_pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s",
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "Could not set data: %s",
pam_strerror(pamh, ret2));
}
}
@ -619,7 +659,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
_make_remark(pamh, PAM_ERROR_MSG, "Password does not meet complexity requirements");
break;
default:
_pam_log_debug(ctrl, LOG_DEBUG,
_pam_log_debug(pamh, ctrl, LOG_DEBUG,
"unknown password change reject reason: %d",
response.data.auth.reject_reason);
break;
@ -650,7 +690,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
* 0 = OK
* -1 = System error
*/
static int valid_user(const char *user, pam_handle_t *pamh, int ctrl)
static int valid_user(pam_handle_t *pamh, int ctrl, const char *user)
{
/* check not only if the user is available over NSS calls, also make
* sure it's really a winbind user, this is important when stacking PAM
@ -728,7 +768,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
retval = _pam_get_item(pamh, authtok_flag, &item);
if (retval != PAM_SUCCESS) {
/* very strange. */
_pam_log(LOG_ALERT,
_pam_log(pamh, ctrl, LOG_ALERT,
"pam_get_item returned error to unix-read-password"
);
return retval;
@ -797,7 +837,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
}
}
} else {
_pam_log(LOG_NOTICE, "could not recover authentication token");
_pam_log(pamh, ctrl, LOG_NOTICE, "could not recover authentication token");
retval = PAM_AUTHTOK_RECOVER_ERR;
}
@ -816,7 +856,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
}
if (retval != PAM_SUCCESS) {
_pam_log_debug(ctrl, LOG_DEBUG,
_pam_log_debug(pamh, ctrl, LOG_DEBUG,
"unable to obtain a password");
return retval;
}
@ -829,7 +869,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
if (retval != PAM_SUCCESS ||
(retval = _pam_get_item(pamh, authtok_flag, &item)) != PAM_SUCCESS) {
_pam_log(LOG_CRIT, "error manipulating password");
_pam_log(pamh, ctrl, LOG_CRIT, "error manipulating password");
return retval;
}
@ -840,19 +880,20 @@ static int _winbind_read_password(pam_handle_t * pamh,
return PAM_SUCCESS;
}
const char *get_conf_item_string(int argc,
const char *get_conf_item_string(const pam_handle_t *pamh,
int argc,
const char **argv,
int ctrl,
dictionary *d,
const char *item,
int flag)
int config_flag)
{
int i = 0;
char *parm = NULL;
const char *parm_opt = NULL;
char *key = NULL;
if (!(ctrl & flag)) {
if (!(ctrl & config_flag)) {
goto out;
}
@ -876,36 +917,36 @@ const char *get_conf_item_string(int argc,
parm = strdup(argv[i]);
if ( (p = strchr( parm, '=' )) == NULL) {
_pam_log(LOG_INFO, "no \"=\" delimiter for \"%s\" found\n", item);
_pam_log(pamh, ctrl, LOG_INFO, "no \"=\" delimiter for \"%s\" found\n", item);
goto out;
}
SAFE_FREE(parm);
_pam_log_debug(ctrl, LOG_INFO, "PAM config: %s '%s'\n", item, p+1);
_pam_log_debug(pamh, ctrl, LOG_INFO, "PAM config: %s '%s'\n", item, p+1);
return p + 1;
}
}
if (d != NULL) {
_pam_log_debug(ctrl, LOG_INFO, "CONFIG file: %s '%s'\n", item, parm_opt);
_pam_log_debug(pamh, ctrl, LOG_INFO, "CONFIG file: %s '%s'\n", item, parm_opt);
}
out:
SAFE_FREE(parm);
return parm_opt;
}
const char *get_krb5_cc_type_from_config(int argc, const char **argv, int ctrl, dictionary *d)
const char *get_krb5_cc_type_from_config(const pam_handle_t *pamh, int argc, const char **argv, int ctrl, dictionary *d)
{
return get_conf_item_string(argc, argv, ctrl, d, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE);
return get_conf_item_string(pamh, argc, argv, ctrl, d, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE);
}
const char *get_member_from_config(int argc, const char **argv, int ctrl, dictionary *d)
const char *get_member_from_config(const pam_handle_t *pamh, int argc, const char **argv, int ctrl, dictionary *d)
{
const char *ret = NULL;
ret = get_conf_item_string(argc, argv, ctrl, d, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP);
ret = get_conf_item_string(pamh, argc, argv, ctrl, d, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP);
if (ret) {
return ret;
}
return get_conf_item_string(argc, argv, ctrl, d, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP);
return get_conf_item_string(pamh, argc, argv, ctrl, d, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP);
}
PAM_EXTERN
@ -921,18 +962,18 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
char *username_ret = NULL;
/* parse arguments */
int ctrl = _pam_parse(argc, argv, &d);
int ctrl = _pam_parse(pamh, flags, argc, argv, &d);
if (ctrl == -1) {
retval = PAM_SYSTEM_ERR;
goto out;
}
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_authenticate (flags: 0x%04x)", flags);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_authenticate (flags: 0x%04x)", flags);
/* Get the username */
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
_pam_log_debug(ctrl, LOG_DEBUG, "can not get the username");
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "can not get the username");
retval = PAM_SERVICE_ERR;
goto out;
}
@ -942,7 +983,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
&password);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_ERR, "Could not retrieve user's password");
_pam_log(pamh, ctrl, LOG_ERR, "Could not retrieve user's password");
retval = PAM_AUTHTOK_ERR;
goto out;
}
@ -950,19 +991,19 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
/* Let's not give too much away in the log file */
#ifdef DEBUG_PASSWORD
_pam_log_debug(ctrl, LOG_INFO, "Verify user `%s' with password `%s'",
_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s' with password '%s'",
username, password);
#else
_pam_log_debug(ctrl, LOG_INFO, "Verify user `%s'", username);
_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", username);
#endif
member = get_member_from_config(argc, argv, ctrl, d);
member = get_member_from_config(pamh, argc, argv, ctrl, d);
cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d);
cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
/* Now use the username to look up password */
retval = winbind_auth_request(pamh, ctrl, username, password, member,
cctype, True, NULL, &username_ret);
cctype, True, NULL, &username_ret);
if (retval == PAM_NEW_AUTHTOK_REQD ||
retval == PAM_AUTHTOK_EXPIRED) {
@ -997,12 +1038,12 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
/* parse arguments */
int ctrl = _pam_parse(argc, argv, NULL);
int ctrl = _pam_parse(pamh, flags, argc, argv, NULL);
if (ctrl == -1) {
return PAM_SYSTEM_ERR;
}
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_setcred (flags: 0x%04x)", flags);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_setcred (flags: 0x%04x)", flags);
if (flags & PAM_DELETE_CRED) {
return pam_sm_close_session(pamh, flags, argc, argv);
@ -1024,30 +1065,30 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
void *tmp = NULL;
/* parse arguments */
int ctrl = _pam_parse(argc, argv, NULL);
int ctrl = _pam_parse(pamh, flags, argc, argv, NULL);
if (ctrl == -1) {
return PAM_SYSTEM_ERR;
}
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_acct_mgmt (flags: 0x%04x)", flags);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_acct_mgmt (flags: 0x%04x)", flags);
/* Get the username */
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
_pam_log_debug(ctrl, LOG_DEBUG,"can not get the username");
_pam_log_debug(pamh, ctrl, LOG_DEBUG,"can not get the username");
return PAM_SERVICE_ERR;
}
/* Verify the username */
retval = valid_user(username, pamh, ctrl);
retval = valid_user(pamh, ctrl, username);
switch (retval) {
case -1:
/* some sort of system error. The log was already printed */
return PAM_SERVICE_ERR;
case 1:
/* the user does not exist */
_pam_log_debug(ctrl, LOG_NOTICE, "user `%s' not found", username);
_pam_log_debug(pamh, ctrl, LOG_NOTICE, "user '%s' not found", username);
if (ctrl & WINBIND_UNKNOWN_OK_ARG) {
return PAM_IGNORE;
}
@ -1060,24 +1101,24 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
case PAM_AUTHTOK_EXPIRED:
/* fall through, since new token is required in this case */
case PAM_NEW_AUTHTOK_REQD:
_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success but %s is set",
_pam_log(pamh, ctrl, LOG_WARNING, "pam_sm_acct_mgmt success but %s is set",
PAM_WINBIND_NEW_AUTHTOK_REQD);
_pam_log(LOG_NOTICE, "user '%s' needs new password", username);
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' needs new password", username);
/* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
return PAM_NEW_AUTHTOK_REQD;
default:
_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success");
_pam_log(LOG_NOTICE, "user '%s' granted access", username);
_pam_log(pamh, ctrl, LOG_WARNING, "pam_sm_acct_mgmt success");
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", username);
return PAM_SUCCESS;
}
}
/* Otherwise, the authentication looked good */
_pam_log(LOG_NOTICE, "user '%s' granted access", username);
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", username);
return PAM_SUCCESS;
default:
/* we don't know anything about this return value */
_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')",
_pam_log(pamh, ctrl, LOG_ERR, "internal module error (retval = %d, user = '%s')",
retval, username);
return PAM_SERVICE_ERR;
}
@ -1091,12 +1132,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
/* parse arguments */
int ctrl = _pam_parse(argc, argv, NULL);
int ctrl = _pam_parse(pamh, flags, argc, argv, NULL);
if (ctrl == -1) {
return PAM_SYSTEM_ERR;
}
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_open_session handler (flags: 0x%04x)", flags);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_open_session handler (flags: 0x%04x)", flags);
return PAM_SUCCESS;
}
@ -1109,13 +1150,13 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
int retval = PAM_SUCCESS;
/* parse arguments */
int ctrl = _pam_parse(argc, argv, &d);
int ctrl = _pam_parse(pamh, flags, argc, argv, &d);
if (ctrl == -1) {
retval = PAM_SYSTEM_ERR;
goto out;
}
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_close_session handler (flags: 0x%04x)", flags);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_close_session handler (flags: 0x%04x)", flags);
if (!(flags & PAM_DELETE_CRED)) {
retval = PAM_SUCCESS;
@ -1137,21 +1178,21 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
retval = pam_get_user(pamh, &user, "Username: ");
if (retval == PAM_SUCCESS) {
if (user == NULL) {
_pam_log(LOG_ERR, "username was NULL!");
_pam_log(pamh, ctrl, LOG_ERR, "username was NULL!");
retval = PAM_USER_UNKNOWN;
goto out;
}
if (retval == PAM_SUCCESS) {
_pam_log_debug(ctrl, LOG_DEBUG, "username [%s] obtained", user);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "username [%s] obtained", user);
}
} else {
_pam_log_debug(ctrl, LOG_DEBUG, "could not identify user");
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "could not identify user");
goto out;
}
ccname = pam_getenv(pamh, "KRB5CCNAME");
if (ccname == NULL) {
_pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment");
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment");
}
strncpy(request.data.logoff.user, user,
@ -1201,13 +1242,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
int retry = 0;
dictionary *d;
ctrl = _pam_parse(argc, argv, &d);
ctrl = _pam_parse(pamh, flags, argc, argv, &d);
if (ctrl == -1) {
retval = PAM_SYSTEM_ERR;
goto out;
}
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_chauthtok (flags: 0x%04x)", flags);
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_chauthtok (flags: 0x%04x)", flags);
/* clearing offline bit for the auth in the password change */
ctrl &= ~WINBIND_CACHED_LOGIN;
@ -1218,22 +1259,22 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
retval = pam_get_user(pamh, &user, "Username: ");
if (retval == PAM_SUCCESS) {
if (user == NULL) {
_pam_log(LOG_ERR, "username was NULL!");
_pam_log(pamh, ctrl, LOG_ERR, "username was NULL!");
retval = PAM_USER_UNKNOWN;
goto out;
}
if (retval == PAM_SUCCESS) {
_pam_log_debug(ctrl, LOG_DEBUG, "username [%s] obtained",
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "username [%s] obtained",
user);
}
} else {
_pam_log_debug(ctrl, LOG_DEBUG,
_pam_log_debug(pamh, ctrl, LOG_DEBUG,
"password - could not identify user");
goto out;
}
/* check if this is really a user in winbindd, not only in NSS */
retval = valid_user(user, pamh, ctrl);
retval = valid_user(pamh, ctrl, user);
switch (retval) {
case 1:
retval = PAM_USER_UNKNOWN;
@ -1258,7 +1299,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
#define greeting "Changing password for "
Announce = (char *) malloc(sizeof(greeting) + strlen(user));
if (Announce == NULL) {
_pam_log(LOG_CRIT, "password - out of memory");
_pam_log(pamh, ctrl, LOG_CRIT, "password - out of memory");
retval = PAM_BUF_ERR;
goto out;
}
@ -1273,7 +1314,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
NULL,
(const char **) &pass_old);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_NOTICE, "password - (old) token not obtained");
_pam_log(pamh, ctrl, LOG_NOTICE, "password - (old) token not obtained");
goto out;
}
/* verify that this is the password for this user */
@ -1294,7 +1335,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
pass_old = NULL;
if (retval != PAM_SUCCESS) {
_pam_log(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
_pam_log(pamh, ctrl, LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
}
} else if (flags & PAM_UPDATE_AUTHTOK) {
@ -1311,7 +1352,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
retval = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_NOTICE, "user not authenticated");
_pam_log(pamh, ctrl, LOG_NOTICE, "user not authenticated");
goto out;
}
@ -1335,7 +1376,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
(const char **) &pass_new);
if (retval != PAM_SUCCESS) {
_pam_log_debug(ctrl, LOG_ALERT
_pam_log_debug(pamh, ctrl, LOG_ALERT
,"password - new password not obtained");
pass_old = NULL;/* tidy up */
goto out;
@ -1371,8 +1412,8 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
if (ctrl & WINBIND_KRB5_AUTH) {
const char *member = get_member_from_config(argc, argv, ctrl, d);
const char *cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d);
const char *member = get_member_from_config(pamh, argc, argv, ctrl, d);
const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
retval = winbind_auth_request(pamh, ctrl, user, pass_new,
member, cctype, False, NULL, NULL);

7
source3/nsswitch/pam_winbind.h
View File

@ -43,7 +43,7 @@
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
#endif
#endif
#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
#ifdef HAVE_SECURITY_PAM_MODULES_H
#include <security/pam_modules.h>
@ -82,6 +82,10 @@ do { \
#define _pam_drop(X) SAFE_FREE(X)
#define x_strdup(s) ( (s) ? strdup(s):NULL )
#endif /* HAVE_SECURITY__PAM_MACROS_H */
#ifdef HAVE_SECURITY_PAM_EXT_H
#include <security/pam_ext.h>
#endif
#define WINBIND_DEBUG_ARG (1<<0)
@ -95,6 +99,7 @@ do { \
#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
#define WINBIND_CACHED_LOGIN (1<<9)
#define WINBIND_CONFIG_FILE (1<<10)
#define WINBIND_SILENT (1<<11)
/*
* here is the string to inform the user that the new passwords they