authorGünther Deschner <gd@samba.org>2007-02-05 14:43:06 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:17:42 -0500
commit0b2bbb2704aa10a52b6fb111bd3549b1a36ad680 (patch)
tree49ca162f3cf915e5779c805af28927f71bc895c8
parent4aa7205c3da08b6efb322980bf7cf2ebe12c67a8 (diff)
r21144: Create more accurate warning message when the pam_winbind chauthtok has
received NT_STATUS_PASSWORD_RESTRICTION. Guenther (This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
-rw-r--r--source3/nsswitch/pam_winbind.c88
1 files changed, 76 insertions, 12 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 2b8e9be528..a8344db338 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -737,6 +737,75 @@ out:
return result;
}
+/**
+ * Compose Password Restriction String for a PAM_ERROR_MSG conversation.
+ *
+ * @param response The struct winbindd_response.
+ *
+ * @return string (caller needs to free).
+ */
+
+static char *_pam_compose_pwd_restriction_string(struct winbindd_response *response)
+{
+ char *str = NULL;
+ size_t offset = 0, ret = 0, str_size = 1024;
+
+ str = (char *)malloc(str_size);
+ if (!str) {
+ return NULL;
+ }
+
+ memset(str, '\0', str_size);
+
+ offset = snprintf(str, str_size, "Your password ");
+ if (offset == -1) {
+ goto failed;
+ }
+
+ if (response->data.auth.policy.min_length_password > 0) {
+ ret = snprintf(str+offset, str_size-offset,
+ "must be at least %d characters; ",
+ response->data.auth.policy.min_length_password);
+ if (ret == -1) {
+ goto failed;
+ }
+ offset += ret;
+ }
+
+ if (response->data.auth.policy.password_history > 0) {
+ ret = snprintf(str+offset, str_size-offset,
+ "cannot repeat any of your previous %d passwords; ",
+ response->data.auth.policy.password_history);
+ if (ret == -1) {
+ goto failed;
+ }
+ offset += ret;
+ }
+
+ if (response->data.auth.policy.password_properties & DOMAIN_PASSWORD_COMPLEX) {
+ ret = snprintf(str+offset, str_size-offset,
+ "must contain capitals, numerals or punctuation; "
+ "and cannot contain your account or full name; ");
+ if (ret == -1) {
+ goto failed;
+ }
+ offset += ret;
+ }
+
+ ret = snprintf(str+offset, str_size-offset,
+ "Please type a different password. "
+ "Type a password which meets these requirements in both text boxes.");
+ if (ret == -1) {
+ goto failed;
+ }
+
+ return str;
+
+ failed:
+ SAFE_FREE(str);
+ return NULL;
+}
+
/* talk to winbindd */
static int winbind_auth_request(pam_handle_t * pamh,
int ctrl,
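Review bot: The snprintf() results in `_pam_compose_pwd_restriction_string` are stored in `size_t` variables and compared only with -1, so truncation is never detected: a return value at or above the remaining space would move `offset` past `str_size`, and `str_size-offset` would then wrap to a huge length for the next call. With the fixed strings and a 1024-byte buffer this looks unreachable today, but the numbers come from the winbindd response and the pattern breaks as soon as a longer clause is added; declare `int ret` and test `if (ret < 0 || (size_t)ret >= str_size - offset) goto failed;` before `offset += ret;`. If the policy fields are unsigned (their declaration is not in the hunk), `%u` would be the matching conversion. When none of the three policy conditions holds, the result reads "Your password Please type a different password.", so the prefix should be emitted only together with a restriction clause. The context lines after the new function belong to `winbind_auth_request`, whose body continues outside the hunk.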
@@ -1002,6 +1071,8 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
if (!strcasecmp(response.data.auth.nt_status_string, "NT_STATUS_PASSWORD_RESTRICTION")) {
+ char *pwd_restriction_string = NULL;
+
/* FIXME: avoid to send multiple PAM messages after another */
switch (response.data.auth.reject_reason) {
case -1:
@@ -1028,18 +1099,11 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
break;
}
- _make_remark_format(pamh, PAM_ERROR_MSG,
- "Your password must be at least %d characters; "
- "cannot repeat any of the your previous %d passwords"
- "%s. "
- "Please type a different password. "
- "Type a password which meets these requirements in both text boxes.",
- response.data.auth.policy.min_length_password,
- response.data.auth.policy.password_history,
- (response.data.auth.policy.password_properties & DOMAIN_PASSWORD_COMPLEX) ?
- "; must contain capitals, numerals or punctuation; and cannot contain your account or full name" :
- "");
-
+ pwd_restriction_string = _pam_compose_pwd_restriction_string(&response);
+ if (pwd_restriction_string) {
+ _make_remark(pamh, PAM_ERROR_MSG, pwd_restriction_string);
+ SAFE_FREE(pwd_restriction_string);
+ }
}
return ret;
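Review bot: When `_pam_compose_pwd_restriction_string` returns NULL (the allocation or an snprintf() call failed), the `if (pwd_restriction_string)` branch is skipped silently, so the user no longer sees the policy requirements that the removed `_make_remark_format` call always printed. An `else` branch sending a short fixed text, for example `_make_remark(pamh, PAM_ERROR_MSG, "Your password does not meet the domain password policy.");`, would keep that failure visible. The switch to `_make_remark` for an already composed buffer also deserves a one-line comment such as `/* already formatted: must not be passed as a format string */`, assuming `_make_remark` takes plain text (its definition is not in the hunk). `winbind_chauthtok_request` starts and ends outside this hunk.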