The Samba-Bugzilla – Attachment 2141 Details for
Bug 4094
pam_winbind always logs errors for unknown users
[patch]
don't check response.data.auth.pam_error for winbind-requests that don't provide auth data
samba-3.0.23-pam_winbind-validuser.patch (text/plain), 4.29 KB, created by
Lars Heete
on 2006-09-14 06:57:15 UTC
Description:
don't check response.data.auth.pam_error for winbind-requests that don't provide auth data
Filename:
MIME Type:
Creator:
Lars Heete
Created:
2006-09-14 06:57:15 UTC
Size:
4.29 KB
>--- samba-3.0.23c/source/nsswitch/pam_winbind.c.validuser 2006-08-23 18:16:37.000000000 +0200
>+++ samba-3.0.23c/source/nsswitch/pam_winbind.c 2006-09-14 13:45:27.000000000 +0200
>@@ -130,6 +130,40 @@
> SAFE_FREE(data);
> }
>
>+/*
>+ * send a winbind request.
>+ *
>+ * return values:
>+ * 1 = request error
>+ * 0 = OK
>+ * -1 = System error
>+ */
>+static int _pam_do_winbind_request(enum winbindd_cmd req_type, struct winbindd_request *request, struct winbindd_response *response) {
>+ /* Fill in request and send down pipe */
>+ init_request(request, req_type);
>+
>+ if (write_sock(request, sizeof(*request), 0) == -1) {
>+ _pam_log(LOG_ERR, "write to socket failed!");
>+ close_sock();
>+ return -1;
>+ }
>+
>+ /* Wait for reply */
>+ if (read_reply(response) == -1) {
>+ _pam_log(LOG_ERR, "read from socket failed!");
>+ close_sock();
>+ return -1;
>+ }
>+
>+ /* We are done with the socket - close it and avoid mischeif */
>+ close_sock();
>+
>+ if (response->result != WINBINDD_OK)
>+ return 1;
>+
>+ return 0;
>+}
>+
> static const struct ntstatus_errors {
> const char *ntstatus_string;
> const char *error_string;
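Review bot: The header comment on `_pam_do_winbind_request` lists the three return values but not the two properties its callers depend on: it closes the winbindd socket on every path, and it never reads `response->data.auth`, so a return of 1 covers every `response->result != WINBINDD_OK` outcome with no further detail. I would extend the comment accordingly, e.g. `* 1 = request error (any result other than WINBINDD_OK; response->data.auth is not consulted)`. As a style point, the signature is one very long line with the brace on the same line, while `pam_winbind_request` in the next hunk wraps its parameters and puts `{` on its own line; matching that layout would keep the file consistent.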
>@@ -225,41 +259,24 @@
> struct winbindd_request *request,
> struct winbindd_response *response)
> {
>- /* Fill in request and send down pipe */
>- init_request(request, req_type);
>-
>- if (write_sock(request, sizeof(*request), 0) == -1) {
>- _pam_log(LOG_ERR, "write to socket failed!");
>- close_sock();
>- return PAM_SERVICE_ERR;
>- }
>-
>- /* Wait for reply */
>- if (read_reply(response) == -1) {
>- _pam_log(LOG_ERR, "read from socket failed!");
>- close_sock();
>- return PAM_SERVICE_ERR;
>- }
>+ int ret;
>+ if ((ret = _pam_do_winbind_request(req_type, request, response)) == 0)
>+ return PAM_SUCCESS;
>
>- /* We are done with the socket - close it and avoid mischeif */
>- close_sock();
>+ if (ret < 0)
>+ return PAM_SERVICE_ERR;
>
>- /* Copy reply data from socket */
>- if (response->result != WINBINDD_OK) {
>- if (response->data.auth.pam_error != PAM_SUCCESS) {
>- _pam_log(LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s",
>- response->data.auth.error_string,
>- pam_strerror(pamh, response->data.auth.pam_error),
>- response->data.auth.pam_error,
>- response->data.auth.nt_status_string);
>- return response->data.auth.pam_error;
>- } else {
>- _pam_log(LOG_ERR, "request failed, but PAM error 0!");
>- return PAM_SERVICE_ERR;
>- }
>- }
>+ if (response->data.auth.pam_error != PAM_SUCCESS) {
>+ _pam_log(LOG_DEBUG, "request failed: %s, PAM error was %s (%d), NT error was %s",
>+ response->data.auth.error_string,
>+ pam_strerror(pamh, response->data.auth.pam_error),
>+ response->data.auth.pam_error,
>+ response->data.auth.nt_status_string);
>+ return response->data.auth.pam_error;
>+ }
>
>- return PAM_SUCCESS;
>+ _pam_log(LOG_ERR, "request failed, but PAM error 0!");
>+ return PAM_SERVICE_ERR;
> }
>
> static int pam_winbind_request_log(pam_handle_t * pamh,
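Review bot: Lowering the `request failed: ...` message from `LOG_ERR` to `LOG_DEBUG` leaves the only line in this function that records the PAM error and NT status of a failed request at a priority that logging setups commonly drop, which thins the audit trail for failed authentications. If the aim is only to quieten unknown-user noise, the priority could be picked per error, e.g. `response->data.auth.pam_error == PAM_USER_UNKNOWN ? LOG_DEBUG : LOG_WARNING` as the first argument to `_pam_log`. `pam_winbind_request_log` begins after this hunk and may already log these outcomes itself; if it does, a short comment here saying so would justify the lower priority. The signature of `pam_winbind_request` starts outside the hunk.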
>@@ -398,7 +415,7 @@
> strncpy(sid_request.data.name.name, member,
> sizeof(sid_request.data.name.name) - 1);
>
>- if (pam_winbind_request_log(pamh, ctrl, WINBINDD_LOOKUPNAME, &sid_request, &sid_response, user)) {
>+ if (_pam_do_winbind_request(WINBINDD_LOOKUPNAME, &sid_request, &sid_response) != 0) {
> _pam_log(LOG_INFO, "could not lookup name: %s\n", member);
> return PAM_AUTH_ERR;
> }
>@@ -612,6 +629,7 @@
> return ret;
> }
>
>+
> /*
> * Checks if a user has an account
> *
>@@ -626,33 +644,16 @@
> * sure it's really a winbind user, this is important when stacking PAM
> * modules in the 'account' or 'password' facility. */
>
>- struct passwd *pwd = NULL;
> struct winbindd_request request;
> struct winbindd_response response;
>- int ret;
>
> ZERO_STRUCT(request);
> ZERO_STRUCT(response);
>
>- pwd = getpwnam(user);
>- if (pwd == NULL) {
>- return 1;
>- }
>-
> strncpy(request.data.username, user,
> sizeof(request.data.username) - 1);
>
>- ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_GETPWNAM, &request, &response, user);
>-
>- switch (ret) {
>- case PAM_USER_UNKNOWN:
>- return 1;
>- case PAM_SUCCESS:
>- return 0;
>- default:
>- break;
>- }
>- return -1;
>+ return _pam_do_winbind_request(WINBINDD_GETPWNAM, &request, &response);
> }
>
> static char *_pam_delete(register char *xx)
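Review bot: In the last hunk (`@@ -626,33 +644,16 @@`) the function now returns 1 for every GETPWNAM reply other than `WINBINDD_OK`, because it passes through whatever `_pam_do_winbind_request` returns. The removed code returned 1 only for a NULL `getpwnam()` or `PAM_USER_UNKNOWN`, and -1 for all other failures. If the callers, which are outside this hunk, treat 1 as "not a winbind user" and step aside, a lookup that fails for some other reason on the winbindd side would be handled like an unknown user. The return-value description in the comment above the function (only partly visible here) should say so, for example `1 = winbindd returned no passwd entry (unknown user or failed lookup)`. The function's opening lines are outside the hunk.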
Attachments on
bug 4094
:
2131
| 2141