Winbind merges from HEAD:
- fix winbindd_pam bugs - give a better error message for unauthorized access to auth_crap - show this message in wbinfo - fix spelling: privilaged -> privileged ** This changes the location of the winbindd privileged pipe ** (thanks to tpot) Andrew Bartlett (This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
parent
6dce8c678a
commit
d23b35a65f
@ -447,9 +447,10 @@ static BOOL wbinfo_auth(char *username)
|
||||
(result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
|
||||
|
||||
if (response.data.auth.nt_status)
|
||||
d_printf("error code was %s (0x%x)\n",
|
||||
d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
|
||||
response.data.auth.nt_status_string,
|
||||
response.data.auth.nt_status);
|
||||
response.data.auth.nt_status,
|
||||
response.data.auth.error_string);
|
||||
|
||||
return result == NSS_STATUS_SUCCESS;
|
||||
}
|
||||
@ -502,9 +503,10 @@ static BOOL wbinfo_auth_crap(char *username)
|
||||
(result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
|
||||
|
||||
if (response.data.auth.nt_status)
|
||||
d_printf("error code was %s (0x%x)\n",
|
||||
d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
|
||||
response.data.auth.nt_status_string,
|
||||
response.data.auth.nt_status);
|
||||
response.data.auth.nt_status,
|
||||
response.data.auth.error_string);
|
||||
|
||||
return result == NSS_STATUS_SUCCESS;
|
||||
}
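Review bot: The new format string misspells "message" as `messsage` in the `d_printf` call of wbinfo_auth, and the same string is repeated in wbinfo_auth_crap; both should read `"error code was %s (0x%x)\nerror message was: %s\n"`. Both calls also print `response.data.auth.error_string` with `%s` exactly as it arrived in the winbindd response, so they depend on the daemon having NUL-terminated that field; the server side appears to fill it through the fstring helpers, but nothing in these hunks checks it. Both function bodies start outside the hunks shown.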
|
||||
|
@ -312,7 +312,7 @@ static void process_request(struct winbindd_cli_state *state)
|
||||
|
||||
/* Process a new connection by adding it to the client connection list */
|
||||
|
||||
static void new_connection(int listen_sock, BOOL privilaged)
|
||||
static void new_connection(int listen_sock, BOOL privileged)
|
||||
{
|
||||
struct sockaddr_un sunaddr;
|
||||
struct winbindd_cli_state *state;
|
||||
@ -343,7 +343,7 @@ static void new_connection(int listen_sock, BOOL privilaged)
|
||||
|
||||
state->last_access = time(NULL);
|
||||
|
||||
state->privilaged = privilaged;
|
||||
state->privileged = privileged;
|
||||
|
||||
/* Add to connection list */
|
||||
|
||||
@ -664,7 +664,7 @@ static void process_loop(void)
|
||||
break;
|
||||
}
|
||||
}
|
||||
/* new, non-privilaged connection */
|
||||
/* new, non-privileged connection */
|
||||
new_connection(listen_sock, False);
|
||||
}
|
||||
|
||||
@ -678,7 +678,7 @@ static void process_loop(void)
|
||||
break;
|
||||
}
|
||||
}
|
||||
/* new, privilaged connection */
|
||||
/* new, privileged connection */
|
||||
new_connection(listen_priv_sock, True);
|
||||
}
|
||||
|
||||
|
@ -42,7 +42,7 @@ struct winbindd_cli_state {
|
||||
BOOL finished; /* Can delete from list */
|
||||
BOOL write_extra_data; /* Write extra_data field */
|
||||
time_t last_access; /* Time of last access (read or write) */
|
||||
BOOL privilaged; /* Is the client 'privilaged' */
|
||||
BOOL privileged; /* Is the client 'privileged' */
|
||||
|
||||
struct winbindd_request request; /* Request from client */
|
||||
struct winbindd_response response; /* Respose to client */
|
||||
|
@ -239,7 +239,7 @@ enum winbindd_result winbindd_netbios_name(struct winbindd_cli_state *state)
|
||||
enum winbindd_result winbindd_priv_pipe_dir(struct winbindd_cli_state *state)
|
||||
{
|
||||
|
||||
DEBUG(3, ("[%5d]: request location of privilaged pipe\n", state->pid));
|
||||
DEBUG(3, ("[%5d]: request location of privileged pipe\n", state->pid));
|
||||
|
||||
state->response.extra_data = strdup(get_winbind_priv_pipe_dir());
|
||||
if (!state->response.extra_data)
|
||||
|
@ -30,7 +30,7 @@
|
||||
|
||||
#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
|
||||
#define WINBINDD_SOCKET_DIR "/tmp/.winbindd" /* Name of PF_UNIX dir */
|
||||
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privilaged" /* name of subdirectory of lp_lockdir() to hold the 'privilaged' pipe */
|
||||
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
|
||||
#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
|
||||
#define WINBINDD_DONT_ENV "_NO_WINBINDD"
|
||||
|
||||
@ -105,7 +105,7 @@ enum winbindd_cmd {
|
||||
WINBINDD_NETBIOS_NAME, /* The netbios name of the server */
|
||||
/* Placeholder for end of cmd list */
|
||||
|
||||
/* find the location of our privilaged pipe */
|
||||
/* find the location of our privileged pipe */
|
||||
WINBINDD_PRIV_PIPE_DIR,
|
||||
|
||||
WINBINDD_NUM_CMDS
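Review bot: The comment on `WINBINDD_PRIV_SOCKET_SUBDIR` does not say that this directory is the access boundary for the privileged pipe, although on this page new_connection marks a client privileged purely by which listening socket it connected to. A comment such as `/* subdirectory of lp_lockdir() holding the 'privileged' pipe; its permissions gate winbindd_pam_auth_crap */` would record that; the code that creates the directory is not on this page, so the wording should be confirmed against it. Because the value changes to `winbindd_privileged`, the old `winbindd_privilaged` directory presumably stays behind after an upgrade and any ownership or group an administrator set on it will not carry over, which deserves a line in the release notes.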
|
||||
|
@ -140,7 +140,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
|
||||
|
||||
uni_group_cache_store_netlogon(mem_ctx, &info3);
|
||||
done:
|
||||
|
||||
|
||||
/* give us a more useful (more correct?) error code */
|
||||
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
|
||||
result = NT_STATUS_NO_LOGON_SERVERS;
|
||||
}
|
||||
|
||||
state->response.data.auth.nt_status = NT_STATUS_V(result);
|
||||
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
|
||||
fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
|
||||
@ -174,8 +179,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
|
||||
DATA_BLOB lm_resp, nt_resp;
|
||||
|
||||
if (!state->privilaged) {
|
||||
DEBUG(2, ("winbindd_pam_auth_crap: non-privilaged access denied!\n"));
|
||||
if (!state->privileged) {
|
||||
DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied!\n"));
|
||||
/* send a better message than ACCESS_DENIED */
|
||||
push_utf8_fstring(state->response.data.auth.error_string, "winbind client not authorized to use winbindd_pam_auth_crap");
|
||||
result = NT_STATUS_ACCESS_DENIED;
|
||||
goto done;
|
||||
}
|
||||
@ -282,15 +289,21 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
memcpy(state->response.data.auth.nt_session_key, info3.user_sess_key, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
|
||||
}
|
||||
if (state->request.data.auth_crap.flags & WINBIND_PAM_LMKEY) {
|
||||
memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
|
||||
memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
|
||||
}
|
||||
}
|
||||
|
||||
done:
|
||||
|
||||
/* give us a more useful (more correct?) error code */
|
||||
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
|
||||
result = NT_STATUS_NO_LOGON_SERVERS;
|
||||
}
|
||||
|
||||
state->response.data.auth.nt_status = NT_STATUS_V(result);
|
||||
push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
|
||||
push_utf8_fstring(state->response.data.auth.error_string, nt_errstr(result));
|
||||
if (!*state->response.data.auth.error_string)
|
||||
push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
|
||||
state->response.data.auth.pam_error = nt_status_to_pam(result);
|
||||
|
||||
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
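Review bot: The denial branch at the top of winbindd_pam_auth_crap logs `non-privileged access denied!` without identifying the refused client, which makes the DEBUG(2) line hard to use for auditing; the state carries the pid that winbindd_priv_pipe_dir already logs, so `DEBUG(2, ("[%5d]: winbindd_pam_auth_crap: non-privileged access denied!\n", state->pid));` would tie each refusal to a process. At `done:`, the `if (!*state->response.data.auth.error_string)` guard (assuming, as the hunk counts suggest, that the unconditional `nt_errstr` copy into error_string is the removed line) only behaves as intended if the response is cleared for every request, and that clearing is not visible here; a short comment such as `/* keep a message set earlier on this path; response is zeroed per request */` would state the dependency once it is confirmed. winbindd_pam_auth still fills the same field unconditionally with `fstrcpy`, so the two `done:` blocks now differ in both helper and policy. Both function bodies start and end outside the hunks shown.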
|
||||
|