Bug 4094 - pam_winbind always logs errors for unknown users
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.23b
Hardware: Other Linux
Importance: P3 major
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2006-09-08 10:37 UTC by Lars Heete
Modified: 2007-02-05 08:49 UTC

Attachments
dont use pam_winbind_request for WINBINDD_GETPWNAM (1.57 KB, patch)
2006-09-08 10:40 UTC, Lars Heete
don't check response.data.auth.pam_error for winbind-requests that don't provide auth data (4.29 KB, patch)
2006-09-14 06:57 UTC, Lars Heete
Description Lars Heete 2006-09-08 10:37:10 UTC
In nsswitch/pam_winbind.c:valid_user, pam_winbind_request is called with a WINBINDD_GETPWNAM request. The problem is that pam_winbind_request checks response.data.auth.pam_status, but WINBINDD_GETPWNAM uses the response.data.name union part.

regards,
Lars Heete
Comment 1 Lars Heete 2006-09-08 10:40:53 UTC
Created attachment 2131
dont use pam_winbind_request for WINBINDD_GETPWNAM
Comment 2 Guenther Deschner 2006-09-14 05:29:06 UTC
Shouldn't that be an easier fix?

Index: nsswitch/winbindd_user.c
===================================================================
--- nsswitch/winbindd_user.c    (revision 18508)
+++ nsswitch/winbindd_user.c    (working copy)
@@ -331,6 +331,7 @@
                               username)) {
                DEBUG(5, ("Could not parse domain user: %s\n",
                          state->request.data.username));
+               set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
                request_error(state);
                return;
        }
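Review bot: The set_auth_errors() call added before request_error(state) in the "Could not parse domain user" branch covers only this one failure path, so any other path through the same handler that ends in request_error() would still return without an auth status. It also writes an auth status into the reply of a user lookup, which Comment 3 says uses a different part of the response.data union than set_auth_errors fills. Consider leaving this file unchanged and having the PAM client skip the auth-status check for requests that return no auth data.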
Comment 3 Lars Heete 2006-09-14 05:49:29 UTC
No, winbindd_getpwnam fills in the "pw" part of the response.data union;
set_auth_errors fills the "auth_reply" part.
Actually, there are other places in pam_winbind too that check for auth errors
(using pam_winbind_request) for requests that don't provide auth_info.
Comment 4 Lars Heete 2006-09-14 06:57:15 UTC
Created attachment 2141
don't check response.data.auth.pam_error for winbind-requests that don't provide auth data

pam_winbind_response was also used for WINBINDD_LOOKUPNAME (provides response.data.sid)
Comment 5 Guenther Deschner 2007-02-05 08:34:41 UTC
Fixed with -r21143.
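
The union mix-up discussed in this report, as an added example that is not part of the bug thread or of Samba's code: a request wrapper that reads the auth member of a reply union for every command, next to one that reads it only for the command whose reply carries auth data. All types, names, the daemon stub and the sample user "alice" are simplified, hypothetical stand-ins.

```c
/* Added illustration: simplified, hypothetical types; not Samba's winbindd structs. */
#include <string.h>
enum cmd { CMD_GETPWNAM, CMD_PAM_AUTH };   /* stand-ins for WINBINDD_* commands */
enum result { RES_OK, RES_ERROR };
struct response {
    enum result result;
    union {                                /* only one member is valid per command */
        struct { char name[32]; } pw;      /* lookup reply */
        struct { int pam_error; } auth;    /* auth reply */
    } data;
};
static int auth_errors_logged;             /* counts auth-failure log lines */

/* Constructed daemon stub: a lookup fills only pw, an auth request only auth. */
static void fake_daemon(enum cmd c, const char *user, struct response *r)
{
    memset(r, 0, sizeof(*r));
    r->result = RES_ERROR;
    if (c == CMD_PAM_AUTH) {
        r->data.auth.pam_error = 7;        /* constructed non-zero PAM error */
    } else if (strcmp(user, "alice") == 0) {
        r->result = RES_OK;
        strcpy(r->data.pw.name, user);
    }
}

/* Treats the reply as an auth reply and logs (here: counts) any failure. */
static int check_auth(const struct response *r)
{
    if (r->result == RES_OK && r->data.auth.pam_error == 0)
        return 0;
    auth_errors_logged++;
    return -1;
}

/* Pattern from the report: the auth check runs for every command. */
static int request_unconditional(enum cmd c, const char *user, struct response *r)
{
    fake_daemon(c, user, r);
    return check_auth(r);                  /* also misreads pw bytes as pam_error */
}

/* Auth fields are read only for the command whose reply carries them. */
static int request_checked(enum cmd c, const char *user, struct response *r)
{
    fake_daemon(c, user, r);
    if (c != CMD_PAM_AUTH)                 /* lookup: 1 = not found, nothing logged */
        return r->result == RES_OK ? 0 : 1;
    return check_auth(r);
}
```

With the unconditional wrapper, both an unknown user and a successful lookup are counted as auth failures, the latter because the name bytes are read back as a PAM error code.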