author | Günther Deschner <gd@samba.org> | 2006-09-06 10:59:39 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:43:29 -0500 |
commit | 030cf71d618e5522f948b32292e3612c9dd4ef24 (patch) | |
tree | de85e23169e2eebb1cc6b839cd1306c92bcb3306 | |
parent | bf7fcdffa34fa151b9940516c300a61ca17df0b5 (diff) | |
r18158: Stop winbindd from accumulating memory creds infinitely when doing
pam offline logons.
Guenther
(This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
-rw-r--r-- | source3/nsswitch/pam_winbind.c | 8 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 33 |
2 files changed, 25 insertions, 16 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 78b0e8c28b..bcc4d7e795 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -1152,15 +1152,15 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
 ccname = pam_getenv(pamh, "KRB5CCNAME");
 if (ccname == NULL) {
 _pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment");
- retval = PAM_SUCCESS;
- goto out;
 }
 strncpy(request.data.logoff.user, user, sizeof(request.data.logoff.user) - 1);
- strncpy(request.data.logoff.krb5ccname, ccname,
- sizeof(request.data.logoff.krb5ccname) - 1);
+ if (ccname) {
+ strncpy(request.data.logoff.krb5ccname, ccname,
+ sizeof(request.data.logoff.krb5ccname) - 1);
+ }
 pwd = getpwnam(user);
 if (pwd == NULL) {
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 9bad738d51..efdd0e874f 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
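Review bot: The guarded `strncpy` into `request.data.logoff.krb5ccname` still truncates an over-long `KRB5CCNAME` silently, so winbindd would receive a path that differs from the one in the session environment. The value comes from the PAM environment, so a length check before the copy is worth having, for example `if (ccname && strlen(ccname) < sizeof(request.data.logoff.krb5ccname))` with a log line on the else path. Both copies use `sizeof(...) - 1` and therefore rely on `request` having been zeroed earlier in pam_sm_close_session, which is outside this hunk. A short comment at `if (ccname == NULL)` stating that the request is now sent with an empty ccache name on purpose would also help, since that block no longer exits.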
@@ -1865,22 +1865,26 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
 state->request.data.logoff.krb5ccname [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
- parse_domain_user(state->request.data.logoff.user, name_domain, user);
-
- domain = find_auth_domain(state, name_domain);
+ if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) {
+ goto failed;
+ }
- if (domain == NULL) {
- set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
- DEBUG(5, ("Pam Logoff for %s returned %s "
- "(PAM: %d)\n",
- state->request.data.auth.user,
- state->response.data.auth.nt_status_string,
- state->response.data.auth.pam_error));
- request_error(state);
- return;
+ if ((domain = find_auth_domain(state, name_domain)) == NULL) {
+ goto failed;
 }
 sendto_domain(state, domain);
+ return;
+
+ failed:
+ set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
+ DEBUG(5, ("Pam Logoff for %s returned %s "
+ "(PAM: %d)\n",
+ state->request.data.auth.user,
+ state->response.data.auth.nt_status_string,
+ state->response.data.auth.pam_error));
+ request_error(state);
+ return;
 }
 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
@@ -1899,6 +1903,11 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
 goto process_result;
 }
+ if (state->request.data.logoff.krb5ccname[0] == '\0') {
+ result = NT_STATUS_OK;
+ goto process_result;
+ }
+
 #ifdef HAVE_KRB5
 if (state->request.data.logoff.uid < 0) { |
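Review bot: The new `failed:` path in winbindd_pam_logoff logs `state->request.data.auth.user`, but this is a logoff request and the name that was parsed is `state->request.data.logoff.user`. It presumably prints the right bytes only if the two fields overlay in the request union, and any NUL termination applied to the logoff field above this hunk would not necessarily bound a `%s` read of the auth field. I would change the argument to `state->request.data.logoff.user`. The final `return;` directly before the closing brace can also be dropped.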
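Review bot: The early exit for an empty `krb5ccname` in winbindd_dual_pam_logoff reports `NT_STATUS_OK` before the `state->request.data.logoff.uid < 0` check under `HAVE_KRB5` runs, so a request with no ccache name skips whatever validation follows in that block. The field arrives from the client side of the winbindd pipe, and `process_result` lies outside this hunk, so it is not visible whether the cleanup done there is tied to the caller owning the session; that should be confirmed. A comment on the new test would help, along the lines of `/* no ccache to remove; go to process_result so memory creds are still released */`, if that is what process_result does.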