-rw-r--r--source3/Makefile.in1
-rw-r--r--source3/winbindd/winbindd.c3
-rw-r--r--source3/winbindd/winbindd_pam.c66
-rw-r--r--source3/winbindd/winbindd_pam_logoff.c139
-rw-r--r--source3/winbindd/winbindd_proto.h8
5 files changed, 149 insertions, 68 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index d05c57d52d..c28dec466c 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1240,6 +1240,7 @@ WINBINDD_OBJ1 = \
winbindd/winbindd_pam_auth.o \
winbindd/winbindd_pam_auth_crap.o \
winbindd/winbindd_pam_chauthtok.o \
+ winbindd/winbindd_pam_logoff.o \
auth/token_util.o \
auth/check_samsec.o \
auth/server_info.o \
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index cc273eb50e..3bd2ad7c09 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -444,7 +444,6 @@ static struct winbindd_dispatch_table {
/* PAM auth functions */
- { WINBINDD_PAM_LOGOFF, winbindd_pam_logoff, "PAM_LOGOFF" },
{ WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, winbindd_pam_chng_pswd_auth_crap, "CHNG_PSWD_AUTH_CRAP" },
/* Enumeration functions */
@@ -551,6 +550,8 @@ static struct winbindd_async_dispatch_table async_nonpriv_table[] = {
winbindd_ping_dc_send, winbindd_ping_dc_recv },
{ WINBINDD_PAM_AUTH, "PAM_AUTH",
winbindd_pam_auth_send, winbindd_pam_auth_recv },
+ { WINBINDD_PAM_LOGOFF, "PAM_LOGOFF",
+ winbindd_pam_logoff_send, winbindd_pam_logoff_recv },
{ WINBINDD_PAM_CHAUTHTOK, "PAM_CHAUTHTOK",
winbindd_pam_chauthtok_send, winbindd_pam_chauthtok_recv },
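Review bot: The new `WINBINDD_PAM_LOGOFF` entry sits in `async_nonpriv_table` without a comment saying that the handler itself must authorize the caller. Judging by the table name, requests reach `winbindd_pam_logoff_send` from unprivileged clients, so the peer-uid comparison in that function is presumably the only gate. A one-line comment above the entry, such as `/* caller uid is checked against the request uid in winbindd_pam_logoff_send() */`, would keep that dependency visible to anyone who later edits either place. The table definition starts and ends outside this hunk.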
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 61c8c298f1..6aeeb2d143 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2051,72 +2051,6 @@ process_result:
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
-void winbindd_pam_logoff(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain;
- fstring name_domain, user;
- uid_t caller_uid = (uid_t)-1;
- uid_t request_uid = state->request->data.logoff.uid;
-
- /* Ensure null termination */
- state->request->data.logoff.user
- [sizeof(state->request->data.logoff.user)-1]='\0';
-
- state->request->data.logoff.krb5ccname
- [sizeof(state->request->data.logoff.krb5ccname)-1]='\0';
-
- DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
- state->request->data.logoff.user));
-
- if (request_uid == (uid_t)-1) {
- goto failed;
- }
-
- if (!canonicalize_username(state->request->data.logoff.user, name_domain, user)) {
- goto failed;
- }
-
- if ((domain = find_auth_domain(state->request->flags,
- name_domain)) == NULL) {
- goto failed;
- }
-
- if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
- DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
- strerror(errno)));
- goto failed;
- }
-
- switch (caller_uid) {
- case -1:
- goto failed;
- case 0:
- /* root must be able to logoff any user - gd */
- state->request->data.logoff.uid = request_uid;
- break;
- default:
- if (caller_uid != request_uid) {
- DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n"));
- goto failed;
- }
- state->request->data.logoff.uid = caller_uid;
- break;
- }
-
- sendto_domain(state, domain);
- return;
-
- failed:
- set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
- DEBUG(5, ("Pam Logoff for %s returned %s "
- "(PAM: %d)\n",
- state->request->data.logoff.user,
- state->response->data.auth.nt_status_string,
- state->response->data.auth.pam_error));
- request_error(state);
- return;
-}
-
enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
diff --git a/source3/winbindd/winbindd_pam_logoff.c b/source3/winbindd/winbindd_pam_logoff.c
new file mode 100644
index 0000000000..9cf7f17d13
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_logoff.c
@@ -0,0 +1,139 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_LOGOFF
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_pam_logoff_state {
+ struct winbindd_response *response;
+};
+
+static void winbindd_pam_logoff_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_logoff_state *state;
+ struct winbindd_domain *domain;
+ fstring name_domain, user;
+ uid_t caller_uid;
+ int res;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_logoff_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ /* Ensure null termination */
+ request->data.logoff.user[sizeof(request->data.logoff.user)-1]='\0';
+ request->data.logoff.krb5ccname[
+ sizeof(request->data.logoff.krb5ccname)-1]='\0';
+
+ DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)cli->pid,
+ request->data.auth.user));
+
+ if (request->data.logoff.uid == (uid_t)-1) {
+ goto failed;
+ }
+
+ if (!canonicalize_username(request->data.logoff.user, name_domain,
+ user)) {
+ goto failed;
+ }
+
+ domain = find_auth_domain(request->flags, name_domain);
+ if (domain == NULL) {
+ goto failed;
+ }
+
+ caller_uid = (uid_t)-1;
+
+ res = sys_getpeereid(cli->sock, &caller_uid);
+ if (res != 0) {
+ DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
+ strerror(errno)));
+ goto failed;
+ }
+
+ switch (caller_uid) {
+ case -1:
+ goto failed;
+ case 0:
+ /* root must be able to logoff any user - gd */
+ break;
+ default:
+ if (caller_uid != request->data.logoff.uid) {
+ DEBUG(1,("winbindd_pam_logoff: caller requested "
+ "invalid uid\n"));
+ goto failed;
+ }
+ break;
+ }
+
+ subreq = wb_domain_request_send(state, winbind_event_context(), domain,
+ request);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_logoff_done, req);
+ return req;
+
+failed:
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+}
+
+static void winbindd_pam_logoff_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_logoff_state *state = tevent_req_data(
+ req, struct winbindd_pam_logoff_state);
+ int res, err;
+
+ res = wb_domain_request_recv(subreq, state, &state->response, &err);
+ TALLOC_FREE(subreq);
+ if (res == -1) {
+ tevent_req_nterror(req, map_nt_error_from_unix(err));
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_logoff_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_logoff_state *state = tevent_req_data(
+ req, struct winbindd_pam_logoff_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ set_auth_errors(response, status);
+ return status;
+ }
+ *response = *state->response;
+ response->result = WINBINDD_PENDING;
+ state->response = talloc_move(response, &state->response);
+ return NT_STATUS(response->data.auth.nt_status);
+}
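Review bot: The DEBUG(3) line in `winbindd_pam_logoff_send` logs `pam auth` and reads `request->data.auth.user`, although the lines just before it NUL-terminate `request->data.logoff.user` and the removed synchronous handler logged `pam logoff`. The printed name is only right if `data` is a union whose `auth` and `logoff` members both place `user` at the same offset with the same size, which this diff does not show. It also makes logoff requests indistinguishable from authentication requests in the log. I would change it to `DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)cli->pid, request->data.logoff.user));`. Separately, the duplicated `/* Ensure null termination */` comment can be reduced to one line, and the sub-request is sent on `winbind_event_context()` rather than the `ev` argument, which deserves a comment if it is intentional.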
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c72a1fe81d..e47f300ab7 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -388,7 +388,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
struct winbindd_cli_state *state) ;
enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
struct winbindd_cli_state *state);
-void winbindd_pam_logoff(struct winbindd_cli_state *state);
enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
struct winbindd_cli_state *state) ;
void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state);
@@ -872,4 +871,11 @@ struct tevent_req *winbindd_pam_chauthtok_send(
NTSTATUS winbindd_pam_chauthtok_recv(struct tevent_req *req,
struct winbindd_response *response);
+struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_logoff_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
#endif /* _WINBINDD_PROTO_H_ */