diff options
| author | Günther Deschner <gd@samba.org> | 2006-09-13 16:39:52 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:51:44 -0500 |
| commit | 1f0b2e84d71e2a7b06de288dbb54d2f12b6ca0e1 (patch) | |
| tree | 8357edee1de0240cd2693da269ad9b4253ae74f3 /source3 | |
| parent | b3b207e9668fb3378350afef42820ffdc1dd6271 (diff) | |
| download | samba-1f0b2e84d71e2a7b06de288dbb54d2f12b6ca0e1.tar.gz samba-1f0b2e84d71e2a7b06de288dbb54d2f12b6ca0e1.tar.bz2 samba-1f0b2e84d71e2a7b06de288dbb54d2f12b6ca0e1.zip | |
r18484: Start some cleanup on pam_winbind's syslogging:
* as openlog() is non-reentrant and pam_winbind thereby overrides the
syslog settings of the calling application, directly call syslog (or
pam_vsyslog if available)
* support the PAM_SILENT flag to avoid any log messages beeing created
Guenther
(This used to be commit 0f7e37ffc4759a4e29f63ab83f39ddb31c8240f6)
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/configure.in | 2 | ||||
| -rw-r--r-- | source3/nsswitch/pam_winbind.c | 267 | ||||
| -rw-r--r-- | source3/nsswitch/pam_winbind.h | 7 |
3 files changed, 162 insertions, 114 deletions
diff --git a/source3/configure.in b/source3/configure.in index fe994e2ece..5bea72e224 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -872,6 +872,7 @@ AC_CHECK_HEADERS(sys/sysmacros.h security/_pam_macros.h dlfcn.h) AC_CHECK_HEADERS(sys/syslog.h syslog.h) AC_CHECK_HEADERS(langinfo.h locale.h) AC_CHECK_HEADERS(xfs/libxfs.h) +AC_CHECK_HEADERS(security/pam_ext.h) AC_CHECK_HEADERS(rpcsvc/yp_prot.h,,,[[ #if HAVE_RPC_RPC_H @@ -3973,6 +3974,7 @@ AC_ARG_WITH(pam, # we can't build a pam module if we don't have pam. AC_CHECK_LIB(pam, pam_get_data, [AC_DEFINE(HAVE_LIBPAM,1,[Whether libpam is available])]) +AC_CHECK_LIB(pam, pam_vsyslog, [AC_DEFINE(HAVE_PAM_VSYSLOG,1,[Whether pam_vsyslog is available])]) ################################################# # check for pam_smbpass support diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index bcc4d7e795..64356e579a 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -16,40 +16,93 @@ #define MAX_PASSWD_TRIES 3 +/* + * Work around the pam API that has functions with void ** as parameters. + * These lead to strict aliasing warnings with gcc. + */ +static int _pam_get_item(const pam_handle_t *pamh, int item_type, + const void *_item) +{ + const void **item = (const void **)_item; + return pam_get_item(pamh, item_type, item); +} +static int _pam_get_data(const pam_handle_t *pamh, + const char *module_data_name, const void *_data) +{ + const void **data = (const void **)_data; + return pam_get_data(pamh, module_data_name, data); +} + /* some syslogging */ -static void _pam_log(int err, const char *format, ...) + +static void _pam_log_int(const pam_handle_t *pamh, int err, const char *format, va_list args) +{ + +#ifdef HAVE_PAM_VSYSLOG + pam_vsyslog(pamh, err, format, args); +#else + { + + char *format2 = NULL; + const char *service; + + _pam_get_item(pamh, PAM_SERVICE, &service); + + format2 = malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5); + if (format2 == NULL) { + /* what else todo ? */ + vsyslog(err, format, args); + return; + } + + sprintf(format2, "%s(%s): %s", MODULE_NAME, service, format); + vsyslog(err, format2, args); + SAFE_FREE(format2); + } +#endif +} + +static void _pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...) { va_list args; + if (ctrl & WINBIND_SILENT) { + return; + } + va_start(args, format); - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); + _pam_log_int(pamh, err, format, args); va_end(args); - closelog(); } -static void _pam_log_debug(int ctrl, int err, const char *format, ...) +static void _pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...) { va_list args; + if (ctrl & WINBIND_SILENT) { + return; + } + if (!(ctrl & WINBIND_DEBUG_ARG)) { return; } va_start(args, format); - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); + _pam_log_int(pamh, err, format, args); va_end(args); - closelog(); } -static int _pam_parse(int argc, const char **argv, dictionary **d) +static int _pam_parse(const pam_handle_t *pamh, int flags, int argc, const char **argv, dictionary **d) { int ctrl = 0; const char *config_file = NULL; int i; const char **v; + if (flags & PAM_SILENT) { + ctrl |= WINBIND_SILENT; + } + if (d == NULL) { goto config_from_pam; } @@ -83,6 +136,10 @@ static int _pam_parse(int argc, const char **argv, dictionary **d) ctrl |= WINBIND_KRB5_AUTH; } + if (iniparser_getboolean(*d, CONST_DISCARD(char *, "global:silent"), False)) { + ctrl |= WINBIND_SILENT; + } + if (iniparser_getstr(*d, CONST_DISCARD(char *,"global:krb5_ccache_type")) != NULL) { ctrl |= WINBIND_KRB5_CCACHE_TYPE; } @@ -118,7 +175,7 @@ config_from_pam: else if (!strcasecmp(*v, "cached_login")) ctrl |= WINBIND_CACHED_LOGIN; else { - _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *v); + _pam_log(pamh, ctrl, LOG_ERR, "pam_parse: unknown option; %s", *v); } } @@ -130,23 +187,6 @@ static void _pam_winbind_cleanup_func(pam_handle_t *pamh, void *data, int error_ SAFE_FREE(data); } -/* - * Work around the pam API that has functions with void ** as parameters. - * These lead to strict aliasing warnings with gcc. - */ -static int _pam_get_item(const pam_handle_t *pamh, int item_type, - const void *_item) -{ - const void **item = (const void **)_item; - return pam_get_item(pamh, item_type, item); -} -static int _pam_get_data(const pam_handle_t *pamh, - const char *module_data_name, const void *_data) -{ - const void **data = (const void **)_data; - return pam_get_data(pamh, module_data_name, data); -} - static const struct ntstatus_errors { const char *ntstatus_string; @@ -247,14 +287,14 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl, init_request(request, req_type); if (write_sock(request, sizeof(*request), 0) == -1) { - _pam_log(LOG_ERR, "write to socket failed!"); + _pam_log(pamh, ctrl, LOG_ERR, "pam_winbind_request: write to socket failed!"); close_sock(); return PAM_SERVICE_ERR; } /* Wait for reply */ if (read_reply(response) == -1) { - _pam_log(LOG_ERR, "read from socket failed!"); + _pam_log(pamh, ctrl, LOG_ERR, "pam_winbind_request: read from socket failed!"); close_sock(); return PAM_SERVICE_ERR; } @@ -265,14 +305,14 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl, /* Copy reply data from socket */ if (response->result != WINBINDD_OK) { if (response->data.auth.pam_error != PAM_SUCCESS) { - _pam_log(LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s", + _pam_log(pamh, ctrl, LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s", response->data.auth.error_string, pam_strerror(pamh, response->data.auth.pam_error), response->data.auth.pam_error, response->data.auth.nt_status_string); return response->data.auth.pam_error; } else { - _pam_log(LOG_ERR, "request failed, but PAM error 0!"); + _pam_log(pamh, ctrl, LOG_ERR, "request failed, but PAM error 0!"); return PAM_SERVICE_ERR; } } @@ -280,7 +320,7 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl, return PAM_SUCCESS; } -static int pam_winbind_request_log(pam_handle_t * pamh, +static int pam_winbind_request_log(pam_handle_t * pamh, int ctrl, enum winbindd_cmd req_type, struct winbindd_request *request, @@ -294,23 +334,23 @@ static int pam_winbind_request_log(pam_handle_t * pamh, switch (retval) { case PAM_AUTH_ERR: /* incorrect password */ - _pam_log(LOG_WARNING, "user `%s' denied access (incorrect password or invalid membership)", user); + _pam_log(pamh, ctrl, LOG_WARNING, "user '%s' denied access (incorrect password or invalid membership)", user); return retval; case PAM_ACCT_EXPIRED: /* account expired */ - _pam_log(LOG_WARNING, "user `%s' account expired", user); + _pam_log(pamh, ctrl, LOG_WARNING, "user '%s' account expired", user); return retval; case PAM_AUTHTOK_EXPIRED: /* password expired */ - _pam_log(LOG_WARNING, "user `%s' password expired", user); + _pam_log(pamh, ctrl, LOG_WARNING, "user '%s' password expired", user); return retval; case PAM_NEW_AUTHTOK_REQD: /* new password required */ - _pam_log(LOG_WARNING, "user `%s' new password required", user); + _pam_log(pamh, ctrl, LOG_WARNING, "user '%s' new password required", user); return retval; case PAM_USER_UNKNOWN: /* the user does not exist */ - _pam_log_debug(ctrl, LOG_NOTICE, "user `%s' not found", user); + _pam_log_debug(pamh, ctrl, LOG_NOTICE, "user '%s' not found", user); if (ctrl & WINBIND_UNKNOWN_OK_ARG) { return PAM_IGNORE; } @@ -318,26 +358,26 @@ static int pam_winbind_request_log(pam_handle_t * pamh, case PAM_SUCCESS: if (req_type == WINBINDD_PAM_AUTH) { /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' granted access", user); + _pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", user); } else if (req_type == WINBINDD_PAM_CHAUTHTOK) { /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' password changed", user); + _pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' password changed", user); } else { /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' OK", user); + _pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' OK", user); } return retval; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')", + _pam_log(pamh, ctrl, LOG_ERR, "internal module error (retval = %d, user = '%s')", retval, user); return retval; } } /* talk to winbindd */ -static int winbind_auth_request(pam_handle_t * pamh, +static int winbind_auth_request(pam_handle_t * pamh, int ctrl, const char *user, const char *pass, @@ -373,7 +413,7 @@ static int winbind_auth_request(pam_handle_t * pamh, struct passwd *pwd = NULL; - _pam_log_debug(ctrl, LOG_DEBUG, "enabling krb5 login flag\n"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling krb5 login flag\n"); request.flags |= WBFLAG_PAM_KRB5 | WBFLAG_PAM_FALLBACK_AFTER_KRB5; @@ -385,7 +425,7 @@ static int winbind_auth_request(pam_handle_t * pamh, } if (ctrl & WINBIND_CACHED_LOGIN) { - _pam_log_debug(ctrl, LOG_DEBUG, "enabling cached login flag\n"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling cached login flag\n"); request.flags |= WBFLAG_PAM_CACHED_LOGIN; } @@ -397,7 +437,7 @@ static int winbind_auth_request(pam_handle_t * pamh, if (cctype != NULL) { strncpy(request.data.auth.krb5_cc_type, cctype, sizeof(request.data.auth.krb5_cc_type) - 1); - _pam_log_debug(ctrl, LOG_DEBUG, "enabling request for a %s krb5 ccache\n", cctype); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "enabling request for a %s krb5 ccache\n", cctype); } request.data.auth.require_membership_of_sid[0] = '\0'; @@ -416,14 +456,14 @@ static int winbind_auth_request(pam_handle_t * pamh, ZERO_STRUCT(sid_request); ZERO_STRUCT(sid_response); - _pam_log_debug(ctrl, LOG_DEBUG, "no sid given, looking up: %s\n", member); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "no sid given, looking up: %s\n", member); /* fortunatly winbindd can handle non-separated names */ strncpy(sid_request.data.name.name, member, sizeof(sid_request.data.name.name) - 1); if (pam_winbind_request_log(pamh, ctrl, WINBINDD_LOOKUPNAME, &sid_request, &sid_response, user)) { - _pam_log(LOG_INFO, "could not lookup name: %s\n", member); + _pam_log(pamh, ctrl, LOG_INFO, "could not lookup name: %s\n", member); return PAM_AUTH_ERR; } @@ -444,14 +484,14 @@ static int winbind_auth_request(pam_handle_t * pamh, char var[PATH_MAX]; - _pam_log_debug(ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s", + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s", response.data.auth.krb5ccname); snprintf(var, sizeof(var), "KRB5CCNAME=%s", response.data.auth.krb5ccname); ret = pam_putenv(pamh, var); if (ret != PAM_SUCCESS) { - _pam_log(LOG_ERR, "failed to set KRB5CCNAME to %s", var); + _pam_log(pamh, ctrl, LOG_ERR, "failed to set KRB5CCNAME to %s", var); return ret; } } @@ -481,7 +521,7 @@ static int winbind_auth_request(pam_handle_t * pamh, ret = PAM_AUTHTOK_EXPIRED; - _pam_log_debug(ctrl, LOG_DEBUG,"Password has expired (Password was last set: %d, " + _pam_log_debug(pamh, ctrl, LOG_DEBUG,"Password has expired (Password was last set: %d, " "the policy says it should expire here %d (now it's: %d)\n", response.data.auth.info3.pass_last_set_time, response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire, @@ -504,7 +544,7 @@ static int winbind_auth_request(pam_handle_t * pamh, if (response.data.auth.info3.user_flgs & LOGON_CACHED_ACCOUNT) { _make_remark(pamh, PAM_ERROR_MSG, "Logging on using cached account. Network ressources can be unavailable"); - _pam_log_debug(ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user); + _pam_log_debug(pamh, ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user); } /* save the CIFS homedir for pam_cifs / pam_mount */ @@ -514,7 +554,7 @@ static int winbind_auth_request(pam_handle_t * pamh, (void *) strdup(response.data.auth.info3.home_dir), _pam_winbind_cleanup_func); if (ret2) { - _pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s", + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "Could not set data: %s", pam_strerror(pamh, ret2)); } @@ -527,7 +567,7 @@ static int winbind_auth_request(pam_handle_t * pamh, (void *) strdup(response.data.auth.info3.logon_script), _pam_winbind_cleanup_func); if (ret2) { - _pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s", + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "Could not set data: %s", pam_strerror(pamh, ret2)); } } @@ -619,7 +659,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh, _make_remark(pamh, PAM_ERROR_MSG, "Password does not meet complexity requirements"); break; default: - _pam_log_debug(ctrl, LOG_DEBUG, + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "unknown password change reject reason: %d", response.data.auth.reject_reason); break; @@ -650,7 +690,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh, * 0 = OK * -1 = System error */ -static int valid_user(const char *user, pam_handle_t *pamh, int ctrl) +static int valid_user(pam_handle_t *pamh, int ctrl, const char *user) { /* check not only if the user is available over NSS calls, also make * sure it's really a winbind user, this is important when stacking PAM @@ -728,7 +768,7 @@ static int _winbind_read_password(pam_handle_t * pamh, retval = _pam_get_item(pamh, authtok_flag, &item); if (retval != PAM_SUCCESS) { /* very strange. */ - _pam_log(LOG_ALERT, + _pam_log(pamh, ctrl, LOG_ALERT, "pam_get_item returned error to unix-read-password" ); return retval; @@ -797,7 +837,7 @@ static int _winbind_read_password(pam_handle_t * pamh, } } } else { - _pam_log(LOG_NOTICE, "could not recover authentication token"); + _pam_log(pamh, ctrl, LOG_NOTICE, "could not recover authentication token"); retval = PAM_AUTHTOK_RECOVER_ERR; } @@ -816,7 +856,7 @@ static int _winbind_read_password(pam_handle_t * pamh, } if (retval != PAM_SUCCESS) { - _pam_log_debug(ctrl, LOG_DEBUG, + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "unable to obtain a password"); return retval; } @@ -829,7 +869,7 @@ static int _winbind_read_password(pam_handle_t * pamh, if (retval != PAM_SUCCESS || (retval = _pam_get_item(pamh, authtok_flag, &item)) != PAM_SUCCESS) { - _pam_log(LOG_CRIT, "error manipulating password"); + _pam_log(pamh, ctrl, LOG_CRIT, "error manipulating password"); return retval; } @@ -840,19 +880,20 @@ static int _winbind_read_password(pam_handle_t * pamh, return PAM_SUCCESS; } -const char *get_conf_item_string(int argc, +const char *get_conf_item_string(const pam_handle_t *pamh, + int argc, const char **argv, int ctrl, dictionary *d, const char *item, - int flag) + int config_flag) { int i = 0; char *parm = NULL; const char *parm_opt = NULL; char *key = NULL; - if (!(ctrl & flag)) { + if (!(ctrl & config_flag)) { goto out; } @@ -876,36 +917,36 @@ const char *get_conf_item_string(int argc, parm = strdup(argv[i]); if ( (p = strchr( parm, '=' )) == NULL) { - _pam_log(LOG_INFO, "no \"=\" delimiter for \"%s\" found\n", item); + _pam_log(pamh, ctrl, LOG_INFO, "no \"=\" delimiter for \"%s\" found\n", item); goto out; } SAFE_FREE(parm); - _pam_log_debug(ctrl, LOG_INFO, "PAM config: %s '%s'\n", item, p+1); + _pam_log_debug(pamh, ctrl, LOG_INFO, "PAM config: %s '%s'\n", item, p+1); return p + 1; } } if (d != NULL) { - _pam_log_debug(ctrl, LOG_INFO, "CONFIG file: %s '%s'\n", item, parm_opt); + _pam_log_debug(pamh, ctrl, LOG_INFO, "CONFIG file: %s '%s'\n", item, parm_opt); } out: SAFE_FREE(parm); return parm_opt; } -const char *get_krb5_cc_type_from_config(int argc, const char **argv, int ctrl, dictionary *d) +const char *get_krb5_cc_type_from_config(const pam_handle_t *pamh, int argc, const char **argv, int ctrl, dictionary *d) { - return get_conf_item_string(argc, argv, ctrl, d, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE); + return get_conf_item_string(pamh, argc, argv, ctrl, d, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE); } -const char *get_member_from_config(int argc, const char **argv, int ctrl, dictionary *d) +const char *get_member_from_config(const pam_handle_t *pamh, int argc, const char **argv, int ctrl, dictionary *d) { const char *ret = NULL; - ret = get_conf_item_string(argc, argv, ctrl, d, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP); + ret = get_conf_item_string(pamh, argc, argv, ctrl, d, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP); if (ret) { return ret; } - return get_conf_item_string(argc, argv, ctrl, d, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP); + return get_conf_item_string(pamh, argc, argv, ctrl, d, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP); } PAM_EXTERN @@ -921,18 +962,18 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, char *username_ret = NULL; /* parse arguments */ - int ctrl = _pam_parse(argc, argv, &d); + int ctrl = _pam_parse(pamh, flags, argc, argv, &d); if (ctrl == -1) { retval = PAM_SYSTEM_ERR; goto out; } - _pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_authenticate (flags: 0x%04x)", flags); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_authenticate (flags: 0x%04x)", flags); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - _pam_log_debug(ctrl, LOG_DEBUG, "can not get the username"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "can not get the username"); retval = PAM_SERVICE_ERR; goto out; } @@ -942,7 +983,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, &password); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "Could not retrieve user's password"); + _pam_log(pamh, ctrl, LOG_ERR, "Could not retrieve user's password"); retval = PAM_AUTHTOK_ERR; goto out; } @@ -950,19 +991,19 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Let's not give too much away in the log file */ #ifdef DEBUG_PASSWORD - _pam_log_debug(ctrl, LOG_INFO, "Verify user `%s' with password `%s'", + _pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s' with password '%s'", username, password); #else - _pam_log_debug(ctrl, LOG_INFO, "Verify user `%s'", username); + _pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", username); #endif - member = get_member_from_config(argc, argv, ctrl, d); + member = get_member_from_config(pamh, argc, argv, ctrl, d); - cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d); + cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d); /* Now use the username to look up password */ retval = winbind_auth_request(pamh, ctrl, username, password, member, - cctype, True, NULL, &username_ret); + cctype, True, NULL, &username_ret); if (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED) { @@ -997,12 +1038,12 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { /* parse arguments */ - int ctrl = _pam_parse(argc, argv, NULL); + int ctrl = _pam_parse(pamh, flags, argc, argv, NULL); if (ctrl == -1) { return PAM_SYSTEM_ERR; } - _pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_setcred (flags: 0x%04x)", flags); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_setcred (flags: 0x%04x)", flags); if (flags & PAM_DELETE_CRED) { return pam_sm_close_session(pamh, flags, argc, argv); @@ -1024,30 +1065,30 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, void *tmp = NULL; /* parse arguments */ - int ctrl = _pam_parse(argc, argv, NULL); + int ctrl = _pam_parse(pamh, flags, argc, argv, NULL); if (ctrl == -1) { return PAM_SYSTEM_ERR; } - _pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_acct_mgmt (flags: 0x%04x)", flags); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_acct_mgmt (flags: 0x%04x)", flags); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - _pam_log_debug(ctrl, LOG_DEBUG,"can not get the username"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG,"can not get the username"); return PAM_SERVICE_ERR; } /* Verify the username */ - retval = valid_user(username, pamh, ctrl); + retval = valid_user(pamh, ctrl, username); switch (retval) { case -1: /* some sort of system error. The log was already printed */ return PAM_SERVICE_ERR; case 1: /* the user does not exist */ - _pam_log_debug(ctrl, LOG_NOTICE, "user `%s' not found", username); + _pam_log_debug(pamh, ctrl, LOG_NOTICE, "user '%s' not found", username); if (ctrl & WINBIND_UNKNOWN_OK_ARG) { return PAM_IGNORE; } @@ -1060,24 +1101,24 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, case PAM_AUTHTOK_EXPIRED: /* fall through, since new token is required in this case */ case PAM_NEW_AUTHTOK_REQD: - _pam_log(LOG_WARNING, "pam_sm_acct_mgmt success but %s is set", + _pam_log(pamh, ctrl, LOG_WARNING, "pam_sm_acct_mgmt success but %s is set", PAM_WINBIND_NEW_AUTHTOK_REQD); - _pam_log(LOG_NOTICE, "user '%s' needs new password", username); + _pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' needs new password", username); /* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */ return PAM_NEW_AUTHTOK_REQD; default: - _pam_log(LOG_WARNING, "pam_sm_acct_mgmt success"); - _pam_log(LOG_NOTICE, "user '%s' granted access", username); + _pam_log(pamh, ctrl, LOG_WARNING, "pam_sm_acct_mgmt success"); + _pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", username); return PAM_SUCCESS; } } /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' granted access", username); + _pam_log(pamh, ctrl, LOG_NOTICE, "user '%s' granted access", username); return PAM_SUCCESS; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s')", + _pam_log(pamh, ctrl, LOG_ERR, "internal module error (retval = %d, user = '%s')", retval, username); return PAM_SERVICE_ERR; } @@ -1091,12 +1132,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { /* parse arguments */ - int ctrl = _pam_parse(argc, argv, NULL); + int ctrl = _pam_parse(pamh, flags, argc, argv, NULL); if (ctrl == -1) { return PAM_SYSTEM_ERR; } - _pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_open_session handler (flags: 0x%04x)", flags); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_open_session handler (flags: 0x%04x)", flags); return PAM_SUCCESS; } @@ -1109,13 +1150,13 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, int retval = PAM_SUCCESS; /* parse arguments */ - int ctrl = _pam_parse(argc, argv, &d); + int ctrl = _pam_parse(pamh, flags, argc, argv, &d); if (ctrl == -1) { retval = PAM_SYSTEM_ERR; goto out; } - _pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_close_session handler (flags: 0x%04x)", flags); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_close_session handler (flags: 0x%04x)", flags); if (!(flags & PAM_DELETE_CRED)) { retval = PAM_SUCCESS; @@ -1137,21 +1178,21 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, retval = pam_get_user(pamh, &user, "Username: "); if (retval == PAM_SUCCESS) { if (user == NULL) { - _pam_log(LOG_ERR, "username was NULL!"); + _pam_log(pamh, ctrl, LOG_ERR, "username was NULL!"); retval = PAM_USER_UNKNOWN; goto out; } if (retval == PAM_SUCCESS) { - _pam_log_debug(ctrl, LOG_DEBUG, "username [%s] obtained", user); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "username [%s] obtained", user); } } else { - _pam_log_debug(ctrl, LOG_DEBUG, "could not identify user"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "could not identify user"); goto out; } ccname = pam_getenv(pamh, "KRB5CCNAME"); if (ccname == NULL) { - _pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "user has no KRB5CCNAME environment"); } strncpy(request.data.logoff.user, user, @@ -1201,13 +1242,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int retry = 0; dictionary *d; - ctrl = _pam_parse(argc, argv, &d); + ctrl = _pam_parse(pamh, flags, argc, argv, &d); if (ctrl == -1) { retval = PAM_SYSTEM_ERR; goto out; } - _pam_log_debug(ctrl, LOG_DEBUG,"pam_winbind: pam_sm_chauthtok (flags: 0x%04x)", flags); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "pam_winbind: pam_sm_chauthtok (flags: 0x%04x)", flags); /* clearing offline bit for the auth in the password change */ ctrl &= ~WINBIND_CACHED_LOGIN; @@ -1218,22 +1259,22 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = pam_get_user(pamh, &user, "Username: "); if (retval == PAM_SUCCESS) { if (user == NULL) { - _pam_log(LOG_ERR, "username was NULL!"); + _pam_log(pamh, ctrl, LOG_ERR, "username was NULL!"); retval = PAM_USER_UNKNOWN; goto out; } if (retval == PAM_SUCCESS) { - _pam_log_debug(ctrl, LOG_DEBUG, "username [%s] obtained", + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "username [%s] obtained", user); } } else { - _pam_log_debug(ctrl, LOG_DEBUG, + _pam_log_debug(pamh, ctrl, LOG_DEBUG, "password - could not identify user"); goto out; } /* check if this is really a user in winbindd, not only in NSS */ - retval = valid_user(user, pamh, ctrl); + retval = valid_user(pamh, ctrl, user); switch (retval) { case 1: retval = PAM_USER_UNKNOWN; @@ -1258,7 +1299,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, #define greeting "Changing password for " Announce = (char *) malloc(sizeof(greeting) + strlen(user)); if (Announce == NULL) { - _pam_log(LOG_CRIT, "password - out of memory"); + _pam_log(pamh, ctrl, LOG_CRIT, "password - out of memory"); retval = PAM_BUF_ERR; goto out; } @@ -1273,7 +1314,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, NULL, (const char **) &pass_old); if (retval != PAM_SUCCESS) { - _pam_log(LOG_NOTICE, "password - (old) token not obtained"); + _pam_log(pamh, ctrl, LOG_NOTICE, "password - (old) token not obtained"); goto out; } /* verify that this is the password for this user */ @@ -1294,7 +1335,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); pass_old = NULL; if (retval != PAM_SUCCESS) { - _pam_log(LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); + _pam_log(pamh, ctrl, LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); } } else if (flags & PAM_UPDATE_AUTHTOK) { @@ -1311,7 +1352,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old); if (retval != PAM_SUCCESS) { - _pam_log(LOG_NOTICE, "user not authenticated"); + _pam_log(pamh, ctrl, LOG_NOTICE, "user not authenticated"); goto out; } @@ -1335,7 +1376,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, (const char **) &pass_new); if (retval != PAM_SUCCESS) { - _pam_log_debug(ctrl, LOG_ALERT + _pam_log_debug(pamh, ctrl, LOG_ALERT ,"password - new password not obtained"); pass_old = NULL;/* tidy up */ goto out; @@ -1371,8 +1412,8 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (ctrl & WINBIND_KRB5_AUTH) { - const char *member = get_member_from_config(argc, argv, ctrl, d); - const char *cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d); + const char *member = get_member_from_config(pamh, argc, argv, ctrl, d); + const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d); retval = winbind_auth_request(pamh, ctrl, user, pass_new, member, cctype, False, NULL, NULL); diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 2b7080182b..eea4328105 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -43,7 +43,7 @@ #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR #endif -#endif +#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */ #ifdef HAVE_SECURITY_PAM_MODULES_H #include <security/pam_modules.h> @@ -82,6 +82,10 @@ do { \ #define _pam_drop(X) SAFE_FREE(X) #define x_strdup(s) ( (s) ? strdup(s):NULL ) +#endif /* HAVE_SECURITY__PAM_MACROS_H */ + +#ifdef HAVE_SECURITY_PAM_EXT_H +#include <security/pam_ext.h> #endif #define WINBIND_DEBUG_ARG (1<<0) @@ -95,6 +99,7 @@ do { \ #define WINBIND_KRB5_CCACHE_TYPE (1<<8) #define WINBIND_CACHED_LOGIN (1<<9) #define WINBIND_CONFIG_FILE (1<<10) +#define WINBIND_SILENT (1<<11) /* * here is the string to inform the user that the new passwords they |