authorAndrew Bartlett <abartlet@samba.org>2003-12-31 08:45:03 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-12-31 08:45:03 +0000
commit5d55674b52a516536a03e7f6d710a53efe7f5b8d (patch)
tree93581800930be104f2c71dfec109cb1599519cdb
parentb34401b48ae96da278977bdf6d309a851386cf1c (diff)
Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC). By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
-rw-r--r--source3/nsswitch/winbindd_pam.c48
-rw-r--r--source3/nsswitch/winbindd_util.c4
2 files changed, 36 insertions, 16 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 94f9bf9464..54513b1bc1 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -96,11 +96,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
- if ( !*name_domain ) {
- DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
/* do password magic */
@@ -119,11 +114,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(name_domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = name_domain;
- else
- contact_domain = lp_workgroup();
+ } else {
+ if (is_myname(name_domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+ contact_domain = lp_workgroup();
+ }
/* check authentication loop */
do {
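Review bot: The DEBUG text added in the `IS_DC` branch says "Cannot change password", but winbindd_pam_auth is the authentication path, so a logon rejected for an untrusted domain is recorded as a password-change failure. That will mislead anyone triaging authentication failures from the winbindd log. Word it for what happened, e.g. `DEBUG(3, ("Authentication for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",`. The same copied message appears in the winbindd_pam_auth_crap hunk; only the winbindd_pam_chauthtok hunk is a real password change. The function body starts before and continues past this hunk.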
@@ -305,11 +312,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = domain;
- else
+ } else {
+ if (is_myname(domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = lp_workgroup();
-
+ }
+
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
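Review bot: The DEBUG added to winbindd_pam_auth_crap prints `state->request.data.auth.user`, the request member that winbindd_pam_auth uses, while the rest of the hunk works on the locals `domain` and `user`. If this function takes its input from a separate `auth_crap` member of the request, as its name suggests, the log line is only right as long as the two members share a layout. Log `state->request.data.auth_crap.user` instead, or drop the first argument and print only the locals. The function body starts before and continues past this hunk, so the request parsing is not visible here.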
@@ -447,8 +466,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
parse_domain_user(state->request.data.chauthtok.user, domain, user);
- if ( !*domain ) {
- result = NT_STATUS_INVALID_PARAMETER;
+
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.chauthtok.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
goto done;
}
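Review bot: The switch from `NT_STATUS_INVALID_PARAMETER` to `NT_STATUS_NO_SUCH_USER` in winbindd_pam_chauthtok is explained only in the commit message, so the code itself gives no reason for answering "no such user" to an unknown domain. Add a comment above the check, for example `/* Not one of our domains: report NO_SUCH_USER so PAM can fall through to the next module in the stack */`, so a later cleanup does not restore a more literal error code and break stacking. The same comment would help at the matching checks in winbindd_pam_auth and winbindd_pam_auth_crap. The function continues past this hunk.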
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index a9bb851a7a..1f9537ac25 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -526,10 +526,8 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
if ( assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
- } else if (assume_domain(get_global_sam_name())) {
- fstrcpy( domain, get_global_sam_name() );
} else {
- fstrcpy( domain, "");
+ fstrcpy( domain, get_global_sam_name() );
}
}
else {
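Review bot: With the `assume_domain(get_global_sam_name())` test and the `fstrcpy( domain, "")` fallback gone, parse_domain_user never leaves `domain` empty for a name without a separator, so callers can no longer tell "no domain supplied" from "local SAM domain supplied". This commit removes the two `!*domain` checks in winbindd_pam.c, but any other caller that still tests for an empty domain, none of which is visible here, would now silently treat unqualified names as local ones. Audit those callers, and state the new contract in the function's header comment, e.g. `/* A name with no separator gets lp_workgroup() if assume_domain() accepts it, otherwise get_global_sam_name(); domain is never empty on this path. */`. The function starts before and continues past this hunk.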