summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/pam_winbind.c101
1 files changed, 70 insertions, 31 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index ce98b44b56..44b37b6238 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -743,6 +743,42 @@ out:
}
/**
+ * put krb5ccname variable into environment
+ *
+ * @param pamh PAM handle
+ * @param ctrl PAM winbind options.
+ * @param krb5ccname env variable retrieved from winbindd.
+ *
+ * @return void.
+ */
+
+static void _pam_setup_krb5_env(pam_handle_t *pamh, int ctrl, const char *krb5ccname)
+{
+ char var[PATH_MAX];
+ int ret;
+
+ if (off(ctrl, WINBIND_KRB5_AUTH)) {
+ return;
+ }
+
+ if (!krb5ccname || (strlen(krb5ccname) == 0)) {
+ return;
+ }
+
+ _pam_log_debug(pamh, ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s", krb5ccname);
+
+ if (snprintf(var, sizeof(var), "KRB5CCNAME=%s", krb5ccname) == -1) {
+ return;
+ }
+
+ ret = pam_putenv(pamh, var);
+ if (ret) {
+ _pam_log(pamh, ctrl, LOG_ERR, "failed to set KRB5CCNAME to %s: %s",
+ var, pam_strerror(pamh, ret));
+ }
+}
+
+/**
* Set string into the PAM stack.
*
* @param pamh PAM handle
@@ -805,6 +841,36 @@ static void _pam_free_data_info3(pam_handle_t *pamh)
}
/**
+ * Send PAM_ERROR_MSG for cached or grace logons.
+ *
+ * @param pamh PAM handle
+ * @param ctrl PAM winbind options.
+ * @param username User in PAM request.
+ * @param info3_user_flgs Info3 flags containing logon type bits.
+ *
+ * @return void.
+ */
+
+static void _pam_warn_logon_type(pam_handle_t *pamh, int ctrl, const char *username, uint32 info3_user_flgs)
+{
+ /* inform about logon type */
+ if (PAM_WB_GRACE_LOGON(info3_user_flgs)) {
+
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
+ "Grace login. Please change your password as soon you're online again");
+ _pam_log_debug(pamh, ctrl, LOG_DEBUG,
+ "User %s logged on using grace logon\n", username);
+
+ } else if (PAM_WB_CACHED_LOGON(info3_user_flgs)) {
+
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
+ "Logging on using cached account. Network resources can be unavailable");
+ _pam_log_debug(pamh, ctrl, LOG_DEBUG,
+ "User %s logged on using cached account\n", username);
+ }
+}
+
+/**
* Compose Password Restriction String for a PAM_ERROR_MSG conversation.
*
* @param response The struct winbindd_response.
@@ -956,23 +1022,6 @@ static int winbind_auth_request(pam_handle_t * pamh,
*pwd_last_set = response.data.auth.info3.pass_last_set_time;
}
- if ((ctrl & WINBIND_KRB5_AUTH) &&
- response.data.auth.krb5ccname[0] != '\0') {
-
- char var[PATH_MAX];
-
- _pam_log_debug(pamh, ctrl, LOG_DEBUG, "request returned KRB5CCNAME: %s",
- response.data.auth.krb5ccname);
-
- snprintf(var, sizeof(var), "KRB5CCNAME=%s", response.data.auth.krb5ccname);
-
- ret = pam_putenv(pamh, var);
- if (ret != PAM_SUCCESS) {
- _pam_log(pamh, ctrl, LOG_ERR, "failed to set KRB5CCNAME to %s", var);
- return ret;
- }
- }
-
if (p_response) {
/* We want to process the response in the caller. */
*p_response = response;
@@ -1017,24 +1066,14 @@ static int winbind_auth_request(pam_handle_t * pamh,
_pam_warn_password_expires_in_future(pamh, ctrl, &response);
/* inform about logon type */
- if (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) {
-
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- "Grace login. Please change your password as soon you're online again");
- _pam_log_debug(pamh, ctrl, LOG_DEBUG,
- "User %s logged on using grace logon\n", user);
-
- } else if (PAM_WB_CACHED_LOGON(response.data.auth.info3.user_flgs)) {
-
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- "Logging on using cached account. Network resources can be unavailable");
- _pam_log_debug(pamh, ctrl, LOG_DEBUG,
- "User %s logged on using cached account\n", user);
- }
+ _pam_warn_logon_type(pamh, ctrl, user, response.data.auth.info3.user_flgs);
/* set some info3 info for other modules in the stack */
_pam_set_data_info3(pamh, ctrl, &response);
+ /* put krb5ccname into env */
+ _pam_setup_krb5_env(pamh, ctrl, response.data.auth.krb5ccname);
+
/* If winbindd returned a username, return the pointer to it here. */
if (user_ret && response.extra_data.data) {
/* We have to trust it's a null terminated string. */