Bug 2210 - Some NT_STATUS_* errors don't have mapped PAM errors
Some NT_STATUS_* errors don't have mapped PAM errors
Status: REOPENED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
unspecified
x86 Linux
: P3 normal
: 4.4
Assigned To: Karolin Seeger
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-05 06:58 UTC by Narayana Pattipati
Modified: 2017-01-11 07:49 UTC (History)
3 users (show)

See Also:


Attachments
Patch to map some NT_STATUS_* errors to PAM errors (1.52 KB, patch)
2005-01-05 07:22 UTC, Narayana Pattipati
no flags Details
patch to add/fix error code mappings (2.26 KB, patch)
2016-12-08 17:31 UTC, Björn Jacke
no flags Details
cherry-picked patch for 4.4 and 4.5 (2.26 KB, patch)
2016-12-13 20:20 UTC, Björn Jacke
bjacke: review+
vl: review+
Details
the right one (2.38 KB, patch)
2017-01-10 09:00 UTC, Björn Jacke
bjacke: review+
jra: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Narayana Pattipati 2005-01-05 06:58:17 UTC
Error messages like NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTION
does not have mapped PAM errors. So, when an application receives them, the PAM 
error will be "4", which is PAM_SYS_ERROR. 

So, the end user will not know what went wrong even though pam_winbind returns 
errors like "account disabled", "password restriction" etc. 

These errors should be mapped to known PAM errors, so that applications can
interpret them in a better way and convey the same to end user.
Comment 1 Narayana Pattipati 2005-01-05 07:22:58 UTC
Created attachment 877 [details]
Patch to map some NT_STATUS_* errors to PAM errors
Comment 2 Narayana Pattipati 2005-01-05 07:23:53 UTC
The patch attached above was discussed in samba-technical mailing list @
http://lists.samba.org/archive/samba-technical/2004-December/038398.html
Comment 3 Gerald (Jerry) Carter 2005-03-21 19:42:39 UTC
moving back to 3.0
Comment 4 Andrew Bartlett 2016-08-01 10:13:37 UTC
This looks like it has been fixed in the meantime.  It should be fixed in all current versions.
Comment 5 Björn Jacke 2016-12-08 17:31:16 UTC
Created attachment 12751 [details]
patch to add/fix error code mappings

I don't see where this should have been fixed.

Attached patch fixes this for current master.
Comment 6 Björn Jacke 2016-12-13 20:20:09 UTC
Created attachment 12769 [details]
cherry-picked patch for 4.4 and 4.5

this patch should go into the maintained release branches
Comment 7 Karolin Seeger 2016-12-20 09:02:42 UTC
(In reply to Björn Jacke from comment #6)
Pushed to autobuild-v4-{5,4}-test.
Comment 8 Karolin Seeger 2017-01-02 09:33:15 UTC
(In reply to Karolin Seeger from comment #7)
Patch seems to break the build.
More investigation needed.
Will not be included in Samba 4.4.9.
Comment 9 Karolin Seeger 2017-01-10 08:12:55 UTC
This patch breaks the build on both branches:

[2073/4033] Compiling nsswitch/pam_winbind.c
../nsswitch/pam_winbind.c: In function ‘pam_winbind_request_log’:
../nsswitch/pam_winbind.c:770:74: error: ‘pwd’ undeclared (first use in this function)
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
                                                                          ^
../nsswitch/pam_winbind.c:770:74: note: each undeclared identifier is reported only once for each function it appears in
../nsswitch/pam_winbind.c:770:78: error: expected ‘)’ before ‘complexity’
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
                                                                              ^
../nsswitch/pam_winbind.c:770:73: error: called object is not a function or function pointer
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
                                                                         ^
../nsswitch/pam_winbind.c:770:114: error: missing terminating " character [-Werror]
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
                                                                                                                  ^
../nsswitch/pam_winbind.c:770:78: error: missing terminating " character
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
                                                                              ^
../nsswitch/pam_winbind.c:771:3: error: expected ‘)’ before ‘return’
   return retval;
   ^
../nsswitch/pam_winbind.c:788:2: error: passing argument 1 of ‘_pam_log’ makes pointer from integer without a cast [-Werror]
  }
  ^
../nsswitch/pam_winbind.c:216:13: note: expected ‘struct pwb_context *’ but argument is of type ‘int’
 static void _pam_log(struct pwb_context *r, int err, const char *format, ...)
             ^
../nsswitch/pam_winbind.c:788:2: error: too few arguments to function ‘_pam_log’
  }
  ^
../nsswitch/pam_winbind.c:216:13: note: declared here
 static void _pam_log(struct pwb_context *r, int err, const char *format, ...)
             ^
../nsswitch/pam_winbind.c:788:2: error: expected ‘;’ before ‘}’ token
  }
  ^
../nsswitch/pam_winbind.c:789:1: error: control reaches end of non-void function [-Werror=return-type]
 }
 ^
cc1: all warnings being treated as errors
Waf: Leaving directory `/memdisk/kseeger/a44/b192620/samba/bin'
Build failed:  -> task failed (err #1): 
	{task: cc pam_winbind.c -> pam_winbind_15.o}
make: *** [all] Error 1
Comment 10 Karolin Seeger 2017-01-10 08:13:40 UTC
Re-assigning to Björn.
Comment 11 Björn Jacke 2017-01-10 09:00:15 UTC
Created attachment 12813 [details]
the right one

sorry, the previous wasn't the right cherry picked file attached.
Comment 12 Jeremy Allison 2017-01-11 01:00:04 UTC
Comment on attachment 12813 [details]
the right one

LGTM.
Comment 13 Karolin Seeger 2017-01-11 07:49:59 UTC
(In reply to Jeremy Allison from comment #12)
Pushed to autobuild-v4-{5,4}-test.
Thanks!