authorAndrew Bartlett <abartlet@samba.org>2004-01-05 23:38:49 +0000
committerAndrew Bartlett <abartlet@samba.org>2004-01-05 23:38:49 +0000
commit0c78e6fc3e8df9ad9480d3b1b6b2d5a3eb19bf45 (patch)
tree51c2a4591d71de1e2e1e85c70062007d0af05632 /source3/nsswitch/winbindd_pam.c
parentb46ec1aac99454fff4419f5db1f460543597ebe4 (diff)
(merge from 3.0)
Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC). By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
-rw-r--r--source3/nsswitch/winbindd_pam.c48
1 files changed, 35 insertions, 13 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index d58c9dcc38..3ca91b1c07 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -95,11 +95,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
- if ( !*name_domain ) {
- DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
/* do password magic */
@@ -118,11 +113,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(name_domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = name_domain;
- else
- contact_domain = lp_workgroup();
+ } else {
+ if (is_myname(name_domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+ contact_domain = lp_workgroup();
+ }
/* check authentication loop */
do {
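Review bot: The DEBUG text in the IS_DC branch says "Cannot change password" although this is winbindd_pam_auth, so a refused logon is recorded as a password-change failure; the same copied message appears in the winbindd_pam_auth_crap hunk further down. Wording such as `"Authentication for [%s] -> [%s]\\[%s] refused as %s is not a trusted domain\n"` would keep the log usable when failed logons are triaged. Separately, with the `!*name_domain` check removed earlier in this commit, a username without a separator reaches this block with an empty name_domain; on the non-DC path it presumably does not match `is_myname()` and is sent to `lp_workgroup()`. That looks intended from the commit message, but a comment such as `/* empty or foreign domain names fall through to our own workgroup's DC */` would make the choice explicit. The function body starts and ends outside the hunk.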
@@ -304,11 +311,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = domain;
- else
+ } else {
+ if (is_myname(domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = lp_workgroup();
-
+ }
+
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
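Review bot: The DEBUG call in the IS_DC branch reads `state->request.data.auth.user`, the field winbindd_pam_auth uses, although this is winbindd_pam_auth_crap; if this request type fills a different member of the request data, the log line prints whatever bytes happen to share that storage. The already-parsed locals are enough here: `DEBUG(3, ("Authentication for [%s]\\[%s] refused as %s is not a trusted domain\n", domain, user, domain));`. Both values come from the client, so they should be treated as untrusted text wherever the log is consumed. The function body starts and ends outside the hunk.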
@@ -446,8 +465,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
parse_domain_user(state->request.data.chauthtok.user, domain, user);
- if ( !*domain ) {
- result = NT_STATUS_INVALID_PARAMETER;
+
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.chauthtok.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
goto done;
}