2024-12-31 17:18:04 +03:00 · 2008-10-21 15:53:28 +02:00 · 2008-10-21 15:53:28 +02:00 · febd55b1bf
commit febd55b1bf
parent fdf0d9bbb8 5cc4a84583
2 changed files with 137 additions and 109 deletions
--- a/source3/nsswitch/libwbclient/wbc_sid.c
+++ b/source3/nsswitch/libwbclient/wbc_sid.c
@ -172,7 +172,7 @@ done:
 * @param domain      Domain name (possibly "")
 * @param name        User or group name
 * @param *sid        Pointer to the resolved domain SID
- * @param *name_type  Pointet to the SID type
+ * @param *name_type  Pointer to the SID type
 *
 * @return #wbcErr
 *
@ -225,7 +225,7 @@ wbcErr wbcLookupName(const char *domain,
 * @param *sid        Pointer to the domain SID to be resolved
 * @param pdomain     Resolved Domain name (possibly "")
 * @param pname       Resolved User or group name
- * @param *pname_type Pointet to the resolved SID type
+ * @param *pname_type Pointer to the resolved SID type
 *
 * @return #wbcErr
 *
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@ -2285,6 +2285,135 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 	return talloc_asprintf(ctx, "%s\\%s", domain, name);
 }

+static int _pam_delete_cred(pam_handle_t *pamh, int flags,
+			 int argc, const char **argv)
+{
+	int retval = PAM_SUCCESS;
+	struct pwb_context *ctx = NULL;
+	struct wbcLogoffUserParams logoff;
+	struct wbcAuthErrorInfo *error = NULL;
+	const char *user;
+	wbcErr wbc_status;
+
+	retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+	if (retval) {
+		goto out;
+	}
+
+	_PAM_LOG_FUNCTION_ENTER("_pam_delete_cred", ctx);
+
+	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+
+		/* destroy the ccache here */
+
+		uint32_t wbc_flags = 0;
+		const char *ccname = NULL;
+		struct passwd *pwd = NULL;
+
+		retval = pam_get_user(pamh, &user, "Username: ");
+		if (retval) {
+			_pam_log(ctx, LOG_ERR,
+				 "could not identify user");
+			goto out;
+		}
+
+		if (user == NULL) {
+			_pam_log(ctx, LOG_ERR,
+				 "username was NULL!");
+			retval = PAM_USER_UNKNOWN;
+			goto out;
+		}
+
+		_pam_log_debug(ctx, LOG_DEBUG,
+			       "username [%s] obtained", user);
+
+		ccname = pam_getenv(pamh, "KRB5CCNAME");
+		if (ccname == NULL) {
+			_pam_log_debug(ctx, LOG_DEBUG,
+				       "user has no KRB5CCNAME environment");
+		}
+
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
+			retval = PAM_USER_UNKNOWN;
+			goto out;
+		}
+
+		wbc_flags = WBFLAG_PAM_KRB5 |
+			WBFLAG_PAM_CONTACT_TRUSTDOM;
+
+		ZERO_STRUCT(logoff);
+
+		logoff.username		= user;
+
+		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+					     &logoff.blobs,
+					     "ccfilename",
+					     0,
+					     (uint8_t *)ccname,
+					     strlen(ccname)+1);
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			goto out;
+		}
+
+		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+					     &logoff.blobs,
+					     "flags",
+					     0,
+					     (uint8_t *)&wbc_flags,
+					     sizeof(wbc_flags));
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			goto out;
+		}
+
+		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+					     &logoff.blobs,
+					     "user_uid",
+					     0,
+					     (uint8_t *)&pwd->pw_uid,
+					     sizeof(pwd->pw_uid));
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			goto out;
+		}
+
+		wbc_status = wbcLogoffUserEx(&logoff, &error);
+		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+						     user, "wbcLogoffUser");
+		wbcFreeMemory(error);
+		wbcFreeMemory(logoff.blobs);
+
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			_pam_log(ctx, LOG_INFO,
+				 "failed to logoff user %s: %s\n",
+					 user, wbcErrorString(wbc_status));
+		}
+	}
+
+out:
+	if (logoff.blobs) {
+		wbcFreeMemory(logoff.blobs);
+	}
+
+	if (!WBC_ERROR_IS_OK(wbc_status)) {
+		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+		     user, "wbcLogoffUser");
+	}
+
+	/*
+	 * Delete the krb5 ccname variable from the PAM environment
+	 * if it was set by winbind.
+	 */
+	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+		pam_putenv(pamh, "KRB5CCNAME");
+	}
+
+	_PAM_LOG_FUNCTION_LEAVE("_pam_delete_cred", ctx, retval);
+
+	TALLOC_FREE(ctx);
+
+	return retval;
+}
+
 PAM_EXTERN
 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 			int argc, const char **argv)
@ -2461,7 +2590,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
 	switch (flags & ~PAM_SILENT) {

 		case PAM_DELETE_CRED:
-			ret = pam_sm_close_session(pamh, flags, argc, argv);
+			ret = _pam_delete_cred(pamh, flags, argc, argv);
 			break;
 		case PAM_REFRESH_CRED:
 			_pam_log_debug(ctx, LOG_WARNING,
@ -2623,123 +2752,22 @@ PAM_EXTERN
 int pam_sm_close_session(pam_handle_t *pamh, int flags,
 			 int argc, const char **argv)
 {
-	int retval = PAM_SUCCESS;
+	int ret = PAM_SUCCESS;
 	struct pwb_context *ctx = NULL;
-	struct wbcLogoffUserParams logoff;

-	retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
-	if (retval) {
+	ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+	if (ret) {
 		goto out;
 	}

 	_PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);

-	if (!(flags & PAM_DELETE_CRED)) {
-		retval = PAM_SUCCESS;
-		goto out;
-	}
-
-	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
-
-		/* destroy the ccache here */
-
-		wbcErr wbc_status;
-		struct wbcAuthErrorInfo *error = NULL;
-
-		uint32_t flags = 0;
-		const char *user;
-		const char *ccname = NULL;
-		struct passwd *pwd = NULL;
-
-		retval = pam_get_user(pamh, &user, "Username: ");
-		if (retval) {
-			_pam_log(ctx, LOG_ERR,
-				 "could not identify user");
-			goto out;
-		}
-
-		if (user == NULL) {
-			_pam_log(ctx, LOG_ERR,
-				 "username was NULL!");
-			retval = PAM_USER_UNKNOWN;
-			goto out;
-		}
-
-		_pam_log_debug(ctx, LOG_DEBUG,
-			       "username [%s] obtained", user);
-
-		ccname = pam_getenv(pamh, "KRB5CCNAME");
-		if (ccname == NULL) {
-			_pam_log_debug(ctx, LOG_DEBUG,
-				       "user has no KRB5CCNAME environment");
-		}
-
-		pwd = getpwnam(user);
-		if (pwd == NULL) {
-			retval = PAM_USER_UNKNOWN;
-			goto out;
-		}
-
-		flags = WBFLAG_PAM_KRB5 |
-			WBFLAG_PAM_CONTACT_TRUSTDOM;
-
-		ZERO_STRUCT(logoff);
-
-		logoff.username		= user;
-
-		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-					     &logoff.blobs,
-					     "ccfilename",
-					     0,
-					     (uint8_t *)ccname,
-					     strlen(ccname)+1);
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			goto out;
-		}
-
-		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-					     &logoff.blobs,
-					     "flags",
-					     0,
-					     (uint8_t *)&flags,
-					     sizeof(flags));
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			goto out;
-		}
-
-		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-					     &logoff.blobs,
-					     "user_uid",
-					     0,
-					     (uint8_t *)&pwd->pw_uid,
-					     sizeof(pwd->pw_uid));
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			goto out;
-		}
-
-		wbc_status = wbcLogoffUserEx(&logoff, &error);
-		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
-						     user, "wbcLogoffUser");
-		wbcFreeMemory(error);
-		wbcFreeMemory(logoff.blobs);
-
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			_pam_log(ctx, LOG_INFO,
-				 "failed to logoff user %s: %s\n",
-					 user, wbcErrorString(wbc_status));
-		}
-	}
-
 out:
-	if (logoff.blobs) {
-		wbcFreeMemory(logoff.blobs);
-	}
-
-	_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
+	_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, ret);

 	TALLOC_FREE(ctx);

-	return retval;
+	return ret;
 }

 /**