mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
r18484: Start some cleanup on pam_winbind's syslogging:
* as openlog() is non-reentrant and pam_winbind thereby overrides the
syslog settings of the calling application, directly call syslog (or
pam_vsyslog if available)
* support the PAM_SILENT flag to avoid any log messages beeing created
Guenther
(This used to be commit 0f7e37ffc4
)
This commit is contained in:
parent
b3b207e966
commit
1f0b2e84d7
@ -872,6 +872,7 @@ AC_CHECK_HEADERS(sys/sysmacros.h security/_pam_macros.h dlfcn.h)
|
||||
AC_CHECK_HEADERS(sys/syslog.h syslog.h)
|
||||
AC_CHECK_HEADERS(langinfo.h locale.h)
|
||||
AC_CHECK_HEADERS(xfs/libxfs.h)
|
||||
AC_CHECK_HEADERS(security/pam_ext.h)
|
||||
|
||||
AC_CHECK_HEADERS(rpcsvc/yp_prot.h,,,[[
|
||||
#if HAVE_RPC_RPC_H
|
||||
@ -3973,6 +3974,7 @@ AC_ARG_WITH(pam,
|
||||
|
||||
# we can't build a pam module if we don't have pam.
|
||||
AC_CHECK_LIB(pam, pam_get_data, [AC_DEFINE(HAVE_LIBPAM,1,[Whether libpam is available])])
|
||||
AC_CHECK_LIB(pam, pam_vsyslog, [AC_DEFINE(HAVE_PAM_VSYSLOG,1,[Whether pam_vsyslog is available])])
|
||||
|
||||
#################################################
|
||||
# check for pam_smbpass support
|
||||
|
@ -16,40 +16,93 @@
|
||||
|
||||
#define MAX_PASSWD_TRIES 3
|
||||
|
||||
/* some syslogging */
|
||||
static void _pam_log(int err, const char *format, ...)
|
||||
/*
|
||||
* Work around the pam API that has functions with void ** as parameters.
|
||||
* These lead to strict aliasing warnings with gcc.
|
||||
*/
|
||||
static int _pam_get_item(const pam_handle_t *pamh, int item_type,
|
||||
const void *_item)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, format);
|
||||
openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH);
|
||||
vsyslog(err, format, args);
|
||||
va_end(args);
|
||||
closelog();
|
||||
const void **item = (const void **)_item;
|
||||
return pam_get_item(pamh, item_type, item);
|
||||
}
|
||||
static int _pam_get_data(const pam_handle_t *pamh,
|
||||
const char *module_data_name, const void *_data)
|
||||
{
|
||||
const void **data = (const void **)_data;
|
||||
return pam_get_data(pamh, module_data_name, data);
|
||||
}
|
||||
|
||||
static void _pam_log_debug(int ctrl, int err, const char *format, ...)
|
||||
/* some syslogging */
|
||||
|
||||
static void _pam_log_int(const pam_handle_t *pamh, int err, const char *format, va_list args)
|
||||
{
|
||||
|
||||
#ifdef HAVE_PAM_VSYSLOG
|
||||
pam_vsyslog(pamh, err, format, args);
|
||||
#else
|
||||
{
|
||||
|
||||
char *format2 = NULL;
|
||||
const char *service;
|
||||
|
||||
_pam_get_item(pamh, PAM_SERVICE, &service);
|
||||
|
||||
format2 = malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5);
|
||||
if (format2 == NULL) {
|
||||
/* what else todo ? */
|
||||
vsyslog(err, format, args);
|
||||
return;
|
||||
}
|
||||
|
||||
sprintf(format2, "%s(%s): %s", MODULE_NAME, service, format);
|
||||
vsyslog(err, format2, args);
|
||||
SAFE_FREE(format2);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
static void _pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (ctrl & WINBIND_SILENT) {
|
||||
return;
|
||||
}
|
||||
|
||||
va_start(args, format);
|
||||
_pam_log_int(pamh, err, format, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
static void _pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (ctrl & WINBIND_SILENT) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (!(ctrl & WINBIND_DEBUG_ARG)) {
|
||||
return;
|
||||
}
|
||||
|
||||
va_start(args, format);
|
||||
openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH);
|
||||
vsyslog(err, format, args);
|
||||
_pam_log_int(pamh, err, format, args);
|
||||
va_end(args);
|
||||
closelog();
|
||||
}
|
||||
|
||||
static int _pam_parse(int argc, const char **argv, dictionary **d)
|
||||
static int _pam_parse(const pam_handle_t *pamh, int flags, int argc, const char **argv, dictionary **d)
|
||||
{
|
||||
int ctrl = 0;
|
||||
const char *config_file = NULL;
|
||||
int i;
|
||||
const char **v;
|
||||
|
||||
if (flags & PAM_SILENT) {
|
||||
ctrl |= WINBIND_SILENT;
|
||||
}
|
||||
|
||||
if (d == NULL) {
|
||||
goto config_from_pam;
|
||||
}
|
||||
@ -83,6 +136,10 @@ static int _pam_parse(int argc, const char **argv, dictionary **d)
|
||||
ctrl |= WINBIND_KRB5_AUTH;
|
||||
}
|
||||
|
||||
if (iniparser_getboolean(*d, CONST_DISCARD(char *, "global:silent"), False)) {
|
||||
ctrl |= WINBIND_SILENT;
|
||||
}
|
||||
|
||||
if (iniparser_getstr(*d, CONST_DISCARD(char *,"global:krb5_ccache_type")) != NULL) {
|
||||
ctrl |= WINBIND_KRB5_CCACHE_TYPE;
|
||||
}
|
||||
@ -118,7 +175,7 @@ config_from_pam:
|
||||
else if (!strcasecmp(*v, "cached_login"))
|
||||
ctrl |= WINBIND_CACHED_LOGIN;
|
||||
else {
|
||||
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *v);
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "pam_parse: unknown option; %s", *v);
|
||||
}
|
||||
|
||||
}
|
||||
@ -130,23 +187,6 @@ static void _pam_winbind_cleanup_func(pam_handle_t *pamh, void *data, int error_
|
||||
SAFE_FREE(data);
|
||||
}
|
||||
|
||||
/*
|
||||
* Work around the pam API that has functions with void ** as parameters.
|
||||
* These lead to strict aliasing warnings with gcc.
|
||||
*/
|
||||
static int _pam_get_item(const pam_handle_t *pamh, int item_type,
|
||||
const void *_item)
|
||||
{
|
||||
const void **item = (const void **)_item;
|
||||
return pam_get_item(pamh, item_type, item);
|
||||
}
|
||||
static int _pam_get_data(const pam_handle_t *pamh,
|
||||
const char *module_data_name, const void *_data)
|
||||
{
|
||||
const void **data = (const void **)_data;
|
||||
return pam_get_data(pamh, module_data_name, data);
|
||||
}
|
||||
|
||||
|
||||
static const struct ntstatus_errors {
|
||||
const char *ntstatus_string;
|
||||
@ -247,14 +287,14 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl,
|
||||
init_request(request, req_type);
|
||||
|
||||
if (write_sock(request, sizeof(*request), 0) == -1) {
|
||||
_pam_log(LOG_ERR, "write to socket failed!");
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "pam_winbind_request: write to socket failed!");
|
||||
close_sock();
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
/* Wait for reply */
|
||||
if (read_reply(response) == -1) {
|
||||
_pam_log(LOG_ERR, "read from socket failed!");
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "pam_winbind_request: read from socket failed!");
|
||||
close_sock();
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
@ -265,14 +305,14 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl,
|
||||
/* Copy reply data from socket */
|
||||
if (response->result != WINBINDD_OK) {
|
||||
if (response->data.auth.pam_error != PAM_SUCCESS) {
|
||||
_pam_log(LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s",
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s",
|
||||
response->data.auth.error_string,
|
||||
pam_strerror(pamh, response->data.auth.pam_error),
|
||||
response->data.auth.pam_error,
|
||||
response->data.auth.nt_status_string);
|
||||
return response->data.auth.pam_error;
|
||||
} else {
|
||||
_pam_log(LOG_ERR, "request failed, but PAM error 0!");
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "request failed, but PAM error 0!");
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
}
|
||||
@ -294,23 +334,23 @@ static int pam_winbind_request_log(pam_handle_t * pamh,
|
||||
switch (retval) {
|
||||
case PAM_AUTH_ERR:
|
||||
/* incorrect password */
|
||||
_pam_log(LOG_WARNING, "user `%s' denied access (incorrect password or invalid membership)", user);
|
||||
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' denied access (incorrect password or invalid membership)", user);
|
||||
return retval;
|
||||
case PAM_ACCT_EXPIRED:
|
||||
/* account expired */
|
||||
_pam_log(LOG_WARNING, "user `%s' account expired", user);
|
||||
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' account expired", user);
|
||||
return retval;
|
||||
case PAM_AUTHTOK_EXPIRED:
|
||||
/* password expired */
|
||||
_pam_log(LOG_WARNING, "user `%s' password expired", user);
|
||||
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' password expired", user);
|
||||
return retval;
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
/* new password required */
|
||||
_pam_log(LOG_WARNING, "user `%s' new password required", user);
|
||||
_pam_log(pamh, ctrl, LOG_WARNING, "user '%s' new password required", user);
|
||||
return retval;
|
||||
case PAM_USER_UNKNOWN:
|
||||
/* the user does not exist */
|
||||
_pam_log_debug(ctrl, LOG_NOTICE, "user `%s' not found", user);
|
||||
_pam_log_debug(pamh, ctrl, LOG_NOTICE, "user '%s' not found", user);
|
||||
if (ctrl & WINBIND_UNKNOWN_OK_ARG) {
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
@ -318,19 +358,19 @@ static int pam_winbind_request_log(pam_handle_t * pamh,
|
||||
case PAM_SUCCESS:
|
||||
if (req_type == WINBINDD_PAM_AUTH) {
|
||||
/* Otherwise, the authentication looked good */
|
||||
_pam_log(LOG_NOTICE, "user '%s' granted access", user);
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", user);
|
||||
} else if (req_type == WINBINDD_PAM_CHAUTHTOK) {
|
||||
/* Otherwise, the authentication looked good */
|
||||
_pam_log(LOG_NOTICE, "user '%s' password changed", user);
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' password changed", user);
|
||||
} else {
|
||||
/* Otherwise, the authentication looked good */
|
||||
_pam_log(LOG_NOTICE, "user '%s' OK", user);
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' OK", user);
|
||||
}
|
||||
|
||||
return retval;
|
||||
default:
|
||||
/* we don't know anything about this return value */
|
||||
_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')",
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "internal module error (retval = %d, user = '%s')",
|
||||
retval, user);
|
||||
return retval;
|
||||
}
|
||||
@ -373,7 +413,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
|
||||
struct passwd *pwd = NULL;
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n");
|
||||
|
||||
request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5;
|
||||
|
||||
@ -385,7 +425,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
}
|
||||
|
||||
if (ctrl & WINBIND_CACHED_LOGIN) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "enabling cached login flag\n");
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling cached login flag\n");
|
||||
request.flags |= WBFLAG_PAM_CACHED_LOGIN;
|
||||
}
|
||||
|
||||
@ -397,7 +437,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
if (cctype != NULL) {
|
||||
strncpy(request.data.auth.krb5_cc_type, cctype,
|
||||
sizeof(request.data.auth.krb5_cc_type) - 1);
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "enabling request for a %s krb5 ccache\n", cctype);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling request for a %s krb5 ccache\n", cctype);
|
||||
}
|
||||
|
||||
request.data.auth.require_membership_of_sid[0] = '\0';
|
||||
@ -416,14 +456,14 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
ZERO_STRUCT(sid_request);
|
||||
ZERO_STRUCT(sid_response);
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "no sid given, looking up: %s\n", member);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "no sid given, looking up: %s\n", member);
|
||||
|
||||
/* fortunatly winbindd can handle non-separated names */
|
||||
strncpy(sid_request.data.name.name, member,
|
||||
sizeof(sid_request.data.name.name) - 1);
|
||||
|
||||
if (pam_winbind_request_log(pamh, ctrl, WINBINDD_LOOKUPNAME, &sid_request, &sid_response, user)) {
|
||||
_pam_log(LOG_INFO, "could not lookup name: %s\n", member);
|
||||
_pam_log(pamh, ctrl, LOG_INFO, "could not lookup name: %s\n", member);
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
@ -444,14 +484,14 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
|
||||
char var[PATH_MAX];
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s",
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s",
|
||||
response.data.auth.krb5ccname);
|
||||
|
||||
snprintf(var, sizeof(var), "KRB5CCNAME=%s", response.data.auth.krb5ccname);
|
||||
|
||||
ret = pam_putenv(pamh, var);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
_pam_log(LOG_ERR, "failed to set KRB5CCNAME to %s", var);
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "failed to set KRB5CCNAME to %s", var);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
@ -481,7 +521,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
|
||||
ret = PAM_AUTHTOK_EXPIRED;
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"Password has expired (Password was last set: %d, "
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG,"Password has expired (Password was last set: %d, "
|
||||
"the policy says it should expire here %d (now it's: %d)\n",
|
||||
response.data.auth.info3.pass_last_set_time,
|
||||
response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire,
|
||||
@ -504,7 +544,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
|
||||
if (response.data.auth.info3.user_flgs & LOGON_CACHED_ACCOUNT) {
|
||||
_make_remark(pamh, PAM_ERROR_MSG, "Logging on using cached account. Network ressources can be unavailable");
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user);
|
||||
}
|
||||
|
||||
/* save the CIFS homedir for pam_cifs / pam_mount */
|
||||
@ -514,7 +554,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
(void *) strdup(response.data.auth.info3.home_dir),
|
||||
_pam_winbind_cleanup_func);
|
||||
if (ret2) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s",
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "Could not set data: %s",
|
||||
pam_strerror(pamh, ret2));
|
||||
}
|
||||
|
||||
@ -527,7 +567,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
|
||||
(void *) strdup(response.data.auth.info3.logon_script),
|
||||
_pam_winbind_cleanup_func);
|
||||
if (ret2) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s",
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "Could not set data: %s",
|
||||
pam_strerror(pamh, ret2));
|
||||
}
|
||||
}
|
||||
@ -619,7 +659,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
|
||||
_make_remark(pamh, PAM_ERROR_MSG, "Password does not meet complexity requirements");
|
||||
break;
|
||||
default:
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG,
|
||||
"unknown password change reject reason: %d",
|
||||
response.data.auth.reject_reason);
|
||||
break;
|
||||
@ -650,7 +690,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
|
||||
* 0 = OK
|
||||
* -1 = System error
|
||||
*/
|
||||
static int valid_user(const char *user, pam_handle_t *pamh, int ctrl)
|
||||
static int valid_user(pam_handle_t *pamh, int ctrl, const char *user)
|
||||
{
|
||||
/* check not only if the user is available over NSS calls, also make
|
||||
* sure it's really a winbind user, this is important when stacking PAM
|
||||
@ -728,7 +768,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
|
||||
retval = _pam_get_item(pamh, authtok_flag, &item);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
/* very strange. */
|
||||
_pam_log(LOG_ALERT,
|
||||
_pam_log(pamh, ctrl, LOG_ALERT,
|
||||
"pam_get_item returned error to unix-read-password"
|
||||
);
|
||||
return retval;
|
||||
@ -797,7 +837,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
|
||||
}
|
||||
}
|
||||
} else {
|
||||
_pam_log(LOG_NOTICE, "could not recover authentication token");
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "could not recover authentication token");
|
||||
retval = PAM_AUTHTOK_RECOVER_ERR;
|
||||
}
|
||||
|
||||
@ -816,7 +856,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
|
||||
}
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG,
|
||||
"unable to obtain a password");
|
||||
return retval;
|
||||
}
|
||||
@ -829,7 +869,7 @@ static int _winbind_read_password(pam_handle_t * pamh,
|
||||
if (retval != PAM_SUCCESS ||
|
||||
(retval = _pam_get_item(pamh, authtok_flag, &item)) != PAM_SUCCESS) {
|
||||
|
||||
_pam_log(LOG_CRIT, "error manipulating password");
|
||||
_pam_log(pamh, ctrl, LOG_CRIT, "error manipulating password");
|
||||
return retval;
|
||||
|
||||
}
|
||||
@ -840,19 +880,20 @@ static int _winbind_read_password(pam_handle_t * pamh,
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
const char *get_conf_item_string(int argc,
|
||||
const char *get_conf_item_string(const pam_handle_t *pamh,
|
||||
int argc,
|
||||
const char **argv,
|
||||
int ctrl,
|
||||
dictionary *d,
|
||||
const char *item,
|
||||
int flag)
|
||||
int config_flag)
|
||||
{
|
||||
int i = 0;
|
||||
char *parm = NULL;
|
||||
const char *parm_opt = NULL;
|
||||
char *key = NULL;
|
||||
|
||||
if (!(ctrl & flag)) {
|
||||
if (!(ctrl & config_flag)) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
@ -876,36 +917,36 @@ const char *get_conf_item_string(int argc,
|
||||
parm = strdup(argv[i]);
|
||||
|
||||
if ( (p = strchr( parm, '=' )) == NULL) {
|
||||
_pam_log(LOG_INFO, "no \"=\" delimiter for \"%s\" found\n", item);
|
||||
_pam_log(pamh, ctrl, LOG_INFO, "no \"=\" delimiter for \"%s\" found\n", item);
|
||||
goto out;
|
||||
}
|
||||
SAFE_FREE(parm);
|
||||
_pam_log_debug(ctrl, LOG_INFO, "PAM config: %s '%s'\n", item, p+1);
|
||||
_pam_log_debug(pamh, ctrl, LOG_INFO, "PAM config: %s '%s'\n", item, p+1);
|
||||
return p + 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (d != NULL) {
|
||||
_pam_log_debug(ctrl, LOG_INFO, "CONFIG file: %s '%s'\n", item, parm_opt);
|
||||
_pam_log_debug(pamh, ctrl, LOG_INFO, "CONFIG file: %s '%s'\n", item, parm_opt);
|
||||
}
|
||||
out:
|
||||
SAFE_FREE(parm);
|
||||
return parm_opt;
|
||||
}
|
||||
|
||||
const char *get_krb5_cc_type_from_config(int argc, const char **argv, int ctrl, dictionary *d)
|
||||
const char *get_krb5_cc_type_from_config(const pam_handle_t *pamh, int argc, const char **argv, int ctrl, dictionary *d)
|
||||
{
|
||||
return get_conf_item_string(argc, argv, ctrl, d, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE);
|
||||
return get_conf_item_string(pamh, argc, argv, ctrl, d, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE);
|
||||
}
|
||||
|
||||
const char *get_member_from_config(int argc, const char **argv, int ctrl, dictionary *d)
|
||||
const char *get_member_from_config(const pam_handle_t *pamh, int argc, const char **argv, int ctrl, dictionary *d)
|
||||
{
|
||||
const char *ret = NULL;
|
||||
ret = get_conf_item_string(argc, argv, ctrl, d, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP);
|
||||
ret = get_conf_item_string(pamh, argc, argv, ctrl, d, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP);
|
||||
if (ret) {
|
||||
return ret;
|
||||
}
|
||||
return get_conf_item_string(argc, argv, ctrl, d, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP);
|
||||
return get_conf_item_string(pamh, argc, argv, ctrl, d, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP);
|
||||
}
|
||||
|
||||
PAM_EXTERN
|
||||
@ -921,18 +962,18 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||
char *username_ret = NULL;
|
||||
|
||||
/* parse arguments */
|
||||
int ctrl = _pam_parse(argc, argv, &d);
|
||||
int ctrl = _pam_parse(pamh, flags, argc, argv, &d);
|
||||
if (ctrl == -1) {
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
goto out;
|
||||
}
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_authenticate (flags: 0x%04x)", flags);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_authenticate (flags: 0x%04x)", flags);
|
||||
|
||||
/* Get the username */
|
||||
retval = pam_get_user(pamh, &username, NULL);
|
||||
if ((retval != PAM_SUCCESS) || (!username)) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "can not get the username");
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "can not get the username");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto out;
|
||||
}
|
||||
@ -942,7 +983,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||
&password);
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
||||
_pam_log(LOG_ERR, "Could not retrieve user's password");
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "Could not retrieve user's password");
|
||||
retval = PAM_AUTHTOK_ERR;
|
||||
goto out;
|
||||
}
|
||||
@ -950,15 +991,15 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||
/* Let's not give too much away in the log file */
|
||||
|
||||
#ifdef DEBUG_PASSWORD
|
||||
_pam_log_debug(ctrl, LOG_INFO, "Verify user `%s' with password `%s'",
|
||||
_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s' with password '%s'",
|
||||
username, password);
|
||||
#else
|
||||
_pam_log_debug(ctrl, LOG_INFO, "Verify user `%s'", username);
|
||||
_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", username);
|
||||
#endif
|
||||
|
||||
member = get_member_from_config(argc, argv, ctrl, d);
|
||||
member = get_member_from_config(pamh, argc, argv, ctrl, d);
|
||||
|
||||
cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d);
|
||||
cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
|
||||
|
||||
/* Now use the username to look up password */
|
||||
retval = winbind_auth_request(pamh, ctrl, username, password, member,
|
||||
@ -997,12 +1038,12 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
int argc, const char **argv)
|
||||
{
|
||||
/* parse arguments */
|
||||
int ctrl = _pam_parse(argc, argv, NULL);
|
||||
int ctrl = _pam_parse(pamh, flags, argc, argv, NULL);
|
||||
if (ctrl == -1) {
|
||||
return PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_setcred (flags: 0x%04x)", flags);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_setcred (flags: 0x%04x)", flags);
|
||||
|
||||
if (flags & PAM_DELETE_CRED) {
|
||||
return pam_sm_close_session(pamh, flags, argc, argv);
|
||||
@ -1024,30 +1065,30 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
|
||||
void *tmp = NULL;
|
||||
|
||||
/* parse arguments */
|
||||
int ctrl = _pam_parse(argc, argv, NULL);
|
||||
int ctrl = _pam_parse(pamh, flags, argc, argv, NULL);
|
||||
if (ctrl == -1) {
|
||||
return PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_acct_mgmt (flags: 0x%04x)", flags);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_acct_mgmt (flags: 0x%04x)", flags);
|
||||
|
||||
|
||||
/* Get the username */
|
||||
retval = pam_get_user(pamh, &username, NULL);
|
||||
if ((retval != PAM_SUCCESS) || (!username)) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"can not get the username");
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG,"can not get the username");
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
/* Verify the username */
|
||||
retval = valid_user(username, pamh, ctrl);
|
||||
retval = valid_user(pamh, ctrl, username);
|
||||
switch (retval) {
|
||||
case -1:
|
||||
/* some sort of system error. The log was already printed */
|
||||
return PAM_SERVICE_ERR;
|
||||
case 1:
|
||||
/* the user does not exist */
|
||||
_pam_log_debug(ctrl, LOG_NOTICE, "user `%s' not found", username);
|
||||
_pam_log_debug(pamh, ctrl, LOG_NOTICE, "user '%s' not found", username);
|
||||
if (ctrl & WINBIND_UNKNOWN_OK_ARG) {
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
@ -1060,24 +1101,24 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
|
||||
case PAM_AUTHTOK_EXPIRED:
|
||||
/* fall through, since new token is required in this case */
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success but %s is set",
|
||||
_pam_log(pamh, ctrl, LOG_WARNING, "pam_sm_acct_mgmt success but %s is set",
|
||||
PAM_WINBIND_NEW_AUTHTOK_REQD);
|
||||
_pam_log(LOG_NOTICE, "user '%s' needs new password", username);
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' needs new password", username);
|
||||
/* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
|
||||
return PAM_NEW_AUTHTOK_REQD;
|
||||
default:
|
||||
_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success");
|
||||
_pam_log(LOG_NOTICE, "user '%s' granted access", username);
|
||||
_pam_log(pamh, ctrl, LOG_WARNING, "pam_sm_acct_mgmt success");
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", username);
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
}
|
||||
|
||||
/* Otherwise, the authentication looked good */
|
||||
_pam_log(LOG_NOTICE, "user '%s' granted access", username);
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", username);
|
||||
return PAM_SUCCESS;
|
||||
default:
|
||||
/* we don't know anything about this return value */
|
||||
_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')",
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "internal module error (retval = %d, user = '%s')",
|
||||
retval, username);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
@ -1091,12 +1132,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
int argc, const char **argv)
|
||||
{
|
||||
/* parse arguments */
|
||||
int ctrl = _pam_parse(argc, argv, NULL);
|
||||
int ctrl = _pam_parse(pamh, flags, argc, argv, NULL);
|
||||
if (ctrl == -1) {
|
||||
return PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_open_session handler (flags: 0x%04x)", flags);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_open_session handler (flags: 0x%04x)", flags);
|
||||
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
@ -1109,13 +1150,13 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
|
||||
int retval = PAM_SUCCESS;
|
||||
|
||||
/* parse arguments */
|
||||
int ctrl = _pam_parse(argc, argv, &d);
|
||||
int ctrl = _pam_parse(pamh, flags, argc, argv, &d);
|
||||
if (ctrl == -1) {
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
goto out;
|
||||
}
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_close_session handler (flags: 0x%04x)", flags);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_close_session handler (flags: 0x%04x)", flags);
|
||||
|
||||
if (!(flags & PAM_DELETE_CRED)) {
|
||||
retval = PAM_SUCCESS;
|
||||
@ -1137,21 +1178,21 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
|
||||
retval = pam_get_user(pamh, &user, "Username: ");
|
||||
if (retval == PAM_SUCCESS) {
|
||||
if (user == NULL) {
|
||||
_pam_log(LOG_ERR, "username was NULL!");
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "username was NULL!");
|
||||
retval = PAM_USER_UNKNOWN;
|
||||
goto out;
|
||||
}
|
||||
if (retval == PAM_SUCCESS) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "username [%s] obtained", user);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "username [%s] obtained", user);
|
||||
}
|
||||
} else {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "could not identify user");
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "could not identify user");
|
||||
goto out;
|
||||
}
|
||||
|
||||
ccname = pam_getenv(pamh, "KRB5CCNAME");
|
||||
if (ccname == NULL) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment");
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment");
|
||||
}
|
||||
|
||||
strncpy(request.data.logoff.user, user,
|
||||
@ -1201,13 +1242,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
int retry = 0;
|
||||
dictionary *d;
|
||||
|
||||
ctrl = _pam_parse(argc, argv, &d);
|
||||
ctrl = _pam_parse(pamh, flags, argc, argv, &d);
|
||||
if (ctrl == -1) {
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
goto out;
|
||||
}
|
||||
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_chauthtok (flags: 0x%04x)", flags);
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_chauthtok (flags: 0x%04x)", flags);
|
||||
|
||||
/* clearing offline bit for the auth in the password change */
|
||||
ctrl &= ~WINBIND_CACHED_LOGIN;
|
||||
@ -1218,22 +1259,22 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
retval = pam_get_user(pamh, &user, "Username: ");
|
||||
if (retval == PAM_SUCCESS) {
|
||||
if (user == NULL) {
|
||||
_pam_log(LOG_ERR, "username was NULL!");
|
||||
_pam_log(pamh, ctrl, LOG_ERR, "username was NULL!");
|
||||
retval = PAM_USER_UNKNOWN;
|
||||
goto out;
|
||||
}
|
||||
if (retval == PAM_SUCCESS) {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG, "username [%s] obtained",
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG, "username [%s] obtained",
|
||||
user);
|
||||
}
|
||||
} else {
|
||||
_pam_log_debug(ctrl, LOG_DEBUG,
|
||||
_pam_log_debug(pamh, ctrl, LOG_DEBUG,
|
||||
"password - could not identify user");
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* check if this is really a user in winbindd, not only in NSS */
|
||||
retval = valid_user(user, pamh, ctrl);
|
||||
retval = valid_user(pamh, ctrl, user);
|
||||
switch (retval) {
|
||||
case 1:
|
||||
retval = PAM_USER_UNKNOWN;
|
||||
@ -1258,7 +1299,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
#define greeting "Changing password for "
|
||||
Announce = (char *) malloc(sizeof(greeting) + strlen(user));
|
||||
if (Announce == NULL) {
|
||||
_pam_log(LOG_CRIT, "password - out of memory");
|
||||
_pam_log(pamh, ctrl, LOG_CRIT, "password - out of memory");
|
||||
retval = PAM_BUF_ERR;
|
||||
goto out;
|
||||
}
|
||||
@ -1273,7 +1314,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
NULL,
|
||||
(const char **) &pass_old);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
_pam_log(LOG_NOTICE, "password - (old) token not obtained");
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "password - (old) token not obtained");
|
||||
goto out;
|
||||
}
|
||||
/* verify that this is the password for this user */
|
||||
@ -1294,7 +1335,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
|
||||
pass_old = NULL;
|
||||
if (retval != PAM_SUCCESS) {
|
||||
_pam_log(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
|
||||
_pam_log(pamh, ctrl, LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
|
||||
}
|
||||
} else if (flags & PAM_UPDATE_AUTHTOK) {
|
||||
|
||||
@ -1311,7 +1352,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
retval = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old);
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
||||
_pam_log(LOG_NOTICE, "user not authenticated");
|
||||
_pam_log(pamh, ctrl, LOG_NOTICE, "user not authenticated");
|
||||
goto out;
|
||||
}
|
||||
|
||||
@ -1335,7 +1376,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
(const char **) &pass_new);
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
||||
_pam_log_debug(ctrl, LOG_ALERT
|
||||
_pam_log_debug(pamh, ctrl, LOG_ALERT
|
||||
,"password - new password not obtained");
|
||||
pass_old = NULL;/* tidy up */
|
||||
goto out;
|
||||
@ -1371,8 +1412,8 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
||||
|
||||
if (ctrl & WINBIND_KRB5_AUTH) {
|
||||
|
||||
const char *member = get_member_from_config(argc, argv, ctrl, d);
|
||||
const char *cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d);
|
||||
const char *member = get_member_from_config(pamh, argc, argv, ctrl, d);
|
||||
const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
|
||||
|
||||
retval = winbind_auth_request(pamh, ctrl, user, pass_new,
|
||||
member, cctype, False, NULL, NULL);
|
||||
|
@ -43,7 +43,7 @@
|
||||
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
|
||||
#endif
|
||||
|
||||
#endif
|
||||
#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
|
||||
|
||||
#ifdef HAVE_SECURITY_PAM_MODULES_H
|
||||
#include <security/pam_modules.h>
|
||||
@ -82,6 +82,10 @@ do { \
|
||||
#define _pam_drop(X) SAFE_FREE(X)
|
||||
|
||||
#define x_strdup(s) ( (s) ? strdup(s):NULL )
|
||||
#endif /* HAVE_SECURITY__PAM_MACROS_H */
|
||||
|
||||
#ifdef HAVE_SECURITY_PAM_EXT_H
|
||||
#include <security/pam_ext.h>
|
||||
#endif
|
||||
|
||||
#define WINBIND_DEBUG_ARG (1<<0)
|
||||
@ -95,6 +99,7 @@ do { \
|
||||
#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
|
||||
#define WINBIND_CACHED_LOGIN (1<<9)
|
||||
#define WINBIND_CONFIG_FILE (1<<10)
|
||||
#define WINBIND_SILENT (1<<11)
|
||||
|
||||
/*
|
||||
* here is the string to inform the user that the new passwords they
|
||||
|
Loading…
Reference in New Issue
Block a user