diff options
| author | Günther Deschner <gd@samba.org> | 2006-02-13 15:12:22 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:10:06 -0500 |
| commit | f0ed0440c4d3b8736eb5e1ceba8b9257eb29cee3 (patch) | |
| tree | 35bff7daa4d9c393e03eeb07bb2c2ac564330ff1 /source3/nsswitch/pam_winbind.c | |
| parent | 6791180b8175a3f580b911f6b07a990d3559412d (diff) | |
| download | samba-f0ed0440c4d3b8736eb5e1ceba8b9257eb29cee3.tar.gz samba-f0ed0440c4d3b8736eb5e1ceba8b9257eb29cee3.tar.bz2 samba-f0ed0440c4d3b8736eb5e1ceba8b9257eb29cee3.zip | |
r13492: As noone objected on the mailing-list:
Fix parse_domain_user to fail when splitting a full name like "DOM\user"
when "winbind use default domain" and "winbind trusted domains only" are
not enabled.
This allows pam_winbind to behave correctly when more modules are
stacked in the "account" or "password" PAM facility. pam_winbindd calls
WINBINDD_GETPWNAM which can decide whether or not a user is a winbind
user and return correct PAM error codes.
Guenther
(This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
Diffstat (limited to 'source3/nsswitch/pam_winbind.c')
| -rw-r--r-- | source3/nsswitch/pam_winbind.c | 47 |
1 files changed, 43 insertions, 4 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index 3848612c47..35f0efbcbd 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -566,10 +566,38 @@ static int winbind_chauthtok_request(pam_handle_t * pamh, * 0 = OK * -1 = System error */ -static int valid_user(const char *user) +static int valid_user(const char *user, pam_handle_t *pamh, int ctrl) { - if (getpwnam(user)) return 0; - return 1; + /* check not only if the user is available over NSS calls, also make + * sure it's really a winbind user, this is important when stacking PAM + * modules in the 'account' or 'password' facility. */ + + struct passwd *pwd = NULL; + struct winbindd_request request; + struct winbindd_response response; + int ret; + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + pwd = getpwnam(user); + if (pwd == NULL) { + return 1; + } + + fstrcpy(request.data.username, user); + + ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_GETPWNAM, &request, &response, user); + + switch (ret) { + case PAM_USER_UNKNOWN: + return 1; + case PAM_SUCCESS: + return 0; + default: + break; + } + return -1; } static char *_pam_delete(register char *xx) @@ -897,7 +925,7 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, } /* Verify the username */ - retval = valid_user(username); + retval = valid_user(username, pamh, ctrl); switch (retval) { case -1: /* some sort of system error. The log was already printed */ @@ -1123,6 +1151,17 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, return retval; } + /* check if this is really a user in winbindd, not only in NSS */ + retval = valid_user(user, pamh, ctrl); + switch (retval) { + case 1: + return PAM_USER_UNKNOWN; + case -1: + return PAM_SYSTEM_ERR; + default: + break; + } + /* * obtain and verify the current password (OLDAUTHTOK) for * the user. |