summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2006-08-22 22:53:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:38:46 -0500
commit975b15949013f86ffa43675537183b20f3519ed2 (patch)
tree190bd943a4f4105de27822967194a21028af9a1f
parent21e35f8e73a5d63e17486b286827a06a6029afbe (diff)
downloadsamba-975b15949013f86ffa43675537183b20f3519ed2.tar.gz
samba-975b15949013f86ffa43675537183b20f3519ed2.tar.bz2
samba-975b15949013f86ffa43675537183b20f3519ed2.zip
r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from AD DC
* Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
-rw-r--r--source3/include/includes.h8
-rw-r--r--source3/nsswitch/pam_winbind.c8
-rw-r--r--source3/nsswitch/winbind_nss_config.h13
-rw-r--r--source3/nsswitch/winbindd_nss.h6
-rw-r--r--source3/nsswitch/winbindd_pam.c47
5 files changed, 35 insertions, 47 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h
index bd65edbab0..524e6ab8d2 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -671,6 +671,14 @@ typedef int socklen_t;
#endif /* don't lie. If we don't have it, then don't use it */
#endif
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
+#endif
+
/*
* Types for devices, inodes and offsets.
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index f2dacf241e..ea50b1ac74 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -366,7 +366,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
request.data.auth.krb5_cc_type[0] = '\0';
request.data.auth.uid = -1;
- request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+ request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
if (ctrl & WINBIND_KRB5_AUTH) {
@@ -564,7 +564,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
}
if (ctrl & WINBIND_KRB5_AUTH) {
- request.flags = WBFLAG_PAM_KRB5;
+ request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
}
ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user);
@@ -1150,7 +1150,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
}
request.data.logoff.uid = pwd->pw_uid;
- request.flags = WBFLAG_PAM_KRB5;
+ request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user);
}
@@ -1391,7 +1391,7 @@ struct pam_module _pam_winbind_modstruct = {
* Copyright (c) Tim Potter <tpot@samba.org> 2000
* Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
* Copyright (c) Guenther Deschner <gd@samba.org> 2005-2006
- * Copyright (c) Jan Rêkorajski 1999.
+ * Copyright (c) Jan Rêkorajski 1999.
* Copyright (c) Andrew G. Morgan 1996-8.
* Copyright (c) Alex O. Yuriev, 1996.
* Copyright (c) Cristian Gafton 1996.
diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h
index 66e38513fd..f9d3852660 100644
--- a/source3/nsswitch/winbind_nss_config.h
+++ b/source3/nsswitch/winbind_nss_config.h
@@ -24,12 +24,12 @@
#ifndef _WINBIND_NSS_CONFIG_H
#define _WINBIND_NSS_CONFIG_H
-/* shutup the compiler warnings due to krb5.h on i
- 64-bit sles9 */
+/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */
#ifdef SIZEOF_LONG
#undef SIZEOF_LONG
#endif
+
/* Include header files from data in config.h file */
#ifndef NO_CONFIG_H
@@ -137,6 +137,15 @@ typedef int BOOL;
#endif /* don't lie. If we don't have it, then don't use it */
#endif
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
+#endif
+
+
/* zero a structure */
#ifndef ZERO_STRUCT
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index f393512b72..c6b6be33ed 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -42,8 +42,8 @@
between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
The easiest way to do this is to always use 8byte values for time_t. */
-#if defined(uint64)
-# define SMB_TIME_T uint64
+#if defined(int64)
+# define SMB_TIME_T int64
#else
# define SMB_TIME_T time_t
#endif
@@ -198,7 +198,7 @@ typedef struct winbindd_gr {
#define WBFLAG_PAM_KRB5 0x1000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
#define WBFLAG_PAM_CACHED_LOGIN 0x4000
-#define WBFLAG_PAM_GET_PWD_POLICY 0x8000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */
#define WINBINDD_MAX_EXTRA_DATA (128*1024)
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 8931b1373e..c93f4c98b6 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -6,7 +6,7 @@
Copyright (C) Andrew Tridgell 2000
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Guenther Deschner 2005-2006
+ Copyright (C) Guenther Deschner 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -222,44 +222,18 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
return NULL;
}
- if (strequal(domain_name, lp_workgroup())) {
- return find_our_domain();
- }
-
-#ifdef HAVE_ADS
-
- /* when trying to login using krb5 with a trusted domain account, we
- * need to make sure that our and the remote domain are AD */
-
- if ((state->request.flags & WBFLAG_PAM_KRB5) &&
- (lp_security() == SEC_ADS)) {
-
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (!our_domain->active_directory) {
- DEBUG(3,("find_auth_domain: out domain is not AD\n"));
- return NULL;
- }
-
- if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
- return NULL;
- }
-
- /* do we already know it's AD ? */
- if (domain->active_directory) {
+ /* we can auth against trusted domains */
+ if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
+ domain_name));
+ } else {
return domain;
}
-
- set_dc_type_and_flags(domain);
-
- if (!domain->active_directory) {
- DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
- return NULL;
}
- return domain;
- }
-#endif
return find_our_domain();
}
@@ -1306,15 +1280,12 @@ process_result:
}
- /* this is required to provide password expiry warning */
- if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
result = fillup_password_policy(domain, state);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
goto done;
}
- }
}