authorGünther Deschner <gd@samba.org>2006-09-06 10:59:39 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:43:29 -0500
commit030cf71d618e5522f948b32292e3612c9dd4ef24 (patch)
treede85e23169e2eebb1cc6b839cd1306c92bcb3306
parentbf7fcdffa34fa151b9940516c300a61ca17df0b5 (diff)
r18158: Stop winbindd from accumulating memory creds infinitely when doing
pam offline logons. Guenther (This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
-rw-r--r--source3/nsswitch/pam_winbind.c8
-rw-r--r--source3/nsswitch/winbindd_pam.c33
2 files changed, 25 insertions, 16 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 78b0e8c28b..bcc4d7e795 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -1152,15 +1152,15 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
ccname = pam_getenv(pamh, "KRB5CCNAME");
if (ccname == NULL) {
_pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment");
- retval = PAM_SUCCESS;
- goto out;
}
strncpy(request.data.logoff.user, user,
sizeof(request.data.logoff.user) - 1);
- strncpy(request.data.logoff.krb5ccname, ccname,
- sizeof(request.data.logoff.krb5ccname) - 1);
+ if (ccname) {
+ strncpy(request.data.logoff.krb5ccname, ccname,
+ sizeof(request.data.logoff.krb5ccname) - 1);
+ }
pwd = getpwnam(user);
if (pwd == NULL) {
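Review bot: With the early `goto out` removed, a NULL `ccname` leaves `request.data.logoff.krb5ccname` untouched and the request is still sent, so an empty string now means "no ccache". That only holds if `request` was zeroed earlier in the function, which is outside the hunk. The same zeroing is what terminates both `strncpy` copies, since each copies at most `sizeof(...) - 1` bytes and writes no terminator itself. I would fold the two NULL tests into a single `if (ccname == NULL) { ... } else { strncpy(...); }` and add a comment such as `/* empty krb5ccname: winbindd has no ccache to destroy for this session */`. pam_sm_close_session starts and ends outside the hunk.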
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 9bad738d51..efdd0e874f 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1865,22 +1865,26 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
state->request.data.logoff.krb5ccname
[sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
- parse_domain_user(state->request.data.logoff.user, name_domain, user);
-
- domain = find_auth_domain(state, name_domain);
+ if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) {
+ goto failed;
+ }
- if (domain == NULL) {
- set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
- DEBUG(5, ("Pam Logoff for %s returned %s "
- "(PAM: %d)\n",
- state->request.data.auth.user,
- state->response.data.auth.nt_status_string,
- state->response.data.auth.pam_error));
- request_error(state);
- return;
+ if ((domain = find_auth_domain(state, name_domain)) == NULL) {
+ goto failed;
}
sendto_domain(state, domain);
+ return;
+
+ failed:
+ set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
+ DEBUG(5, ("Pam Logoff for %s returned %s "
+ "(PAM: %d)\n",
+ state->request.data.auth.user,
+ state->response.data.auth.nt_status_string,
+ state->response.data.auth.pam_error));
+ request_error(state);
+ return;
}
enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
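Review bot: The `failed:` path logs `state->request.data.auth.user`, although this handler works on `state->request.data.logoff.*` and passes `logoff.user` to `parse_domain_user`. If `auth` and `logoff` are separate members of the request union (their layout is not visible here), the logged name is only right when both `user` fields share the same offset and size. Logging `state->request.data.logoff.user` would match the field actually parsed. The label now also reports `NT_STATUS_NO_SUCH_USER` for a name that merely failed to parse, which deserves a one-line comment above `failed:`. The trailing `return;` before the closing brace is redundant.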
@@ -1899,6 +1903,11 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
goto process_result;
}
+ if (state->request.data.logoff.krb5ccname[0] == '\0') {
+ result = NT_STATUS_OK;
+ goto process_result;
+ }
+
#ifdef HAVE_KRB5
if (state->request.data.logoff.uid < 0) {
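Review bot: The new empty-`krb5ccname` exit jumps to `process_result` with `NT_STATUS_OK` before the `logoff.uid < 0` check just below it, so a request without a ccache name skips whatever validation follows. The code under `process_result` is outside the hunk. If it clears cached state for `logoff.user`, please confirm that cleanup is safe for any client of the winbindd pipe that names a user, or move the uid check above this test. A comment would also help, for example `/* no ccache was passed: nothing to destroy, only run the common cleanup */`. winbindd_dual_pam_logoff starts and ends outside the hunk.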