summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/nsswitch/libwbclient/wbc_sid.c4
-rw-r--r--source3/nsswitch/pam_winbind.c242
2 files changed, 137 insertions, 109 deletions
diff --git a/source3/nsswitch/libwbclient/wbc_sid.c b/source3/nsswitch/libwbclient/wbc_sid.c
index 4cfdd792b5..54f6e705b3 100644
--- a/source3/nsswitch/libwbclient/wbc_sid.c
+++ b/source3/nsswitch/libwbclient/wbc_sid.c
@@ -172,7 +172,7 @@ done:
* @param domain Domain name (possibly "")
* @param name User or group name
* @param *sid Pointer to the resolved domain SID
- * @param *name_type Pointet to the SID type
+ * @param *name_type Pointer to the SID type
*
* @return #wbcErr
*
@@ -225,7 +225,7 @@ wbcErr wbcLookupName(const char *domain,
* @param *sid Pointer to the domain SID to be resolved
* @param pdomain Resolved Domain name (possibly "")
* @param pname Resolved User or group name
- * @param *pname_type Pointet to the resolved SID type
+ * @param *pname_type Pointer to the resolved SID type
*
* @return #wbcErr
*
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 8d8868d0ef..1c927259e5 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -2285,6 +2285,135 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
return talloc_asprintf(ctx, "%s\\%s", domain, name);
}
+static int _pam_delete_cred(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ int retval = PAM_SUCCESS;
+ struct pwb_context *ctx = NULL;
+ struct wbcLogoffUserParams logoff;
+ struct wbcAuthErrorInfo *error = NULL;
+ const char *user;
+ wbcErr wbc_status;
+
+ retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ if (retval) {
+ goto out;
+ }
+
+ _PAM_LOG_FUNCTION_ENTER("_pam_delete_cred", ctx);
+
+ if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+
+ /* destroy the ccache here */
+
+ uint32_t wbc_flags = 0;
+ const char *ccname = NULL;
+ struct passwd *pwd = NULL;
+
+ retval = pam_get_user(pamh, &user, "Username: ");
+ if (retval) {
+ _pam_log(ctx, LOG_ERR,
+ "could not identify user");
+ goto out;
+ }
+
+ if (user == NULL) {
+ _pam_log(ctx, LOG_ERR,
+ "username was NULL!");
+ retval = PAM_USER_UNKNOWN;
+ goto out;
+ }
+
+ _pam_log_debug(ctx, LOG_DEBUG,
+ "username [%s] obtained", user);
+
+ ccname = pam_getenv(pamh, "KRB5CCNAME");
+ if (ccname == NULL) {
+ _pam_log_debug(ctx, LOG_DEBUG,
+ "user has no KRB5CCNAME environment");
+ }
+
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
+ goto out;
+ }
+
+ wbc_flags = WBFLAG_PAM_KRB5 |
+ WBFLAG_PAM_CONTACT_TRUSTDOM;
+
+ ZERO_STRUCT(logoff);
+
+ logoff.username = user;
+
+ wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+ &logoff.blobs,
+ "ccfilename",
+ 0,
+ (uint8_t *)ccname,
+ strlen(ccname)+1);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto out;
+ }
+
+ wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+ &logoff.blobs,
+ "flags",
+ 0,
+ (uint8_t *)&wbc_flags,
+ sizeof(wbc_flags));
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto out;
+ }
+
+ wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+ &logoff.blobs,
+ "user_uid",
+ 0,
+ (uint8_t *)&pwd->pw_uid,
+ sizeof(pwd->pw_uid));
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto out;
+ }
+
+ wbc_status = wbcLogoffUserEx(&logoff, &error);
+ retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+ user, "wbcLogoffUser");
+ wbcFreeMemory(error);
+ wbcFreeMemory(logoff.blobs);
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ _pam_log(ctx, LOG_INFO,
+ "failed to logoff user %s: %s\n",
+ user, wbcErrorString(wbc_status));
+ }
+ }
+
+out:
+ if (logoff.blobs) {
+ wbcFreeMemory(logoff.blobs);
+ }
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+ user, "wbcLogoffUser");
+ }
+
+ /*
+ * Delete the krb5 ccname variable from the PAM environment
+ * if it was set by winbind.
+ */
+ if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+ pam_putenv(pamh, "KRB5CCNAME");
+ }
+
+ _PAM_LOG_FUNCTION_LEAVE("_pam_delete_cred", ctx, retval);
+
+ TALLOC_FREE(ctx);
+
+ return retval;
+}
+
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char **argv)
@@ -2461,7 +2590,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
switch (flags & ~PAM_SILENT) {
case PAM_DELETE_CRED:
- ret = pam_sm_close_session(pamh, flags, argc, argv);
+ ret = _pam_delete_cred(pamh, flags, argc, argv);
break;
case PAM_REFRESH_CRED:
_pam_log_debug(ctx, LOG_WARNING,
@@ -2623,123 +2752,22 @@ PAM_EXTERN
int pam_sm_close_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
- int retval = PAM_SUCCESS;
+ int ret = PAM_SUCCESS;
struct pwb_context *ctx = NULL;
- struct wbcLogoffUserParams logoff;
- retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
- if (retval) {
+ ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ if (ret) {
goto out;
}
_PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
- if (!(flags & PAM_DELETE_CRED)) {
- retval = PAM_SUCCESS;
- goto out;
- }
-
- if (ctx->ctrl & WINBIND_KRB5_AUTH) {
-
- /* destroy the ccache here */
-
- wbcErr wbc_status;
- struct wbcAuthErrorInfo *error = NULL;
-
- uint32_t flags = 0;
- const char *user;
- const char *ccname = NULL;
- struct passwd *pwd = NULL;
-
- retval = pam_get_user(pamh, &user, "Username: ");
- if (retval) {
- _pam_log(ctx, LOG_ERR,
- "could not identify user");
- goto out;
- }
-
- if (user == NULL) {
- _pam_log(ctx, LOG_ERR,
- "username was NULL!");
- retval = PAM_USER_UNKNOWN;
- goto out;
- }
-
- _pam_log_debug(ctx, LOG_DEBUG,
- "username [%s] obtained", user);
-
- ccname = pam_getenv(pamh, "KRB5CCNAME");
- if (ccname == NULL) {
- _pam_log_debug(ctx, LOG_DEBUG,
- "user has no KRB5CCNAME environment");
- }
-
- pwd = getpwnam(user);
- if (pwd == NULL) {
- retval = PAM_USER_UNKNOWN;
- goto out;
- }
-
- flags = WBFLAG_PAM_KRB5 |
- WBFLAG_PAM_CONTACT_TRUSTDOM;
-
- ZERO_STRUCT(logoff);
-
- logoff.username = user;
-
- wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
- &logoff.blobs,
- "ccfilename",
- 0,
- (uint8_t *)ccname,
- strlen(ccname)+1);
- if (!WBC_ERROR_IS_OK(wbc_status)) {
- goto out;
- }
-
- wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
- &logoff.blobs,
- "flags",
- 0,
- (uint8_t *)&flags,
- sizeof(flags));
- if (!WBC_ERROR_IS_OK(wbc_status)) {
- goto out;
- }
-
- wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
- &logoff.blobs,
- "user_uid",
- 0,
- (uint8_t *)&pwd->pw_uid,
- sizeof(pwd->pw_uid));
- if (!WBC_ERROR_IS_OK(wbc_status)) {
- goto out;
- }
-
- wbc_status = wbcLogoffUserEx(&logoff, &error);
- retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
- user, "wbcLogoffUser");
- wbcFreeMemory(error);
- wbcFreeMemory(logoff.blobs);
-
- if (!WBC_ERROR_IS_OK(wbc_status)) {
- _pam_log(ctx, LOG_INFO,
- "failed to logoff user %s: %s\n",
- user, wbcErrorString(wbc_status));
- }
- }
-
out:
- if (logoff.blobs) {
- wbcFreeMemory(logoff.blobs);
- }
-
- _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
+ _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, ret);
TALLOC_FREE(ctx);
- return retval;
+ return ret;
}
/**