From 0c78e6fc3e8df9ad9480d3b1b6b2d5a3eb19bf45 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 Jan 2004 23:38:49 +0000 Subject: (merge from 3.0) Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605) --- source3/nsswitch/winbindd_pam.c | 48 +++++++++++++++++++++++++++++----------- source3/nsswitch/winbindd_util.c | 4 +--- 2 files changed, 36 insertions(+), 16 deletions(-) diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index d58c9dcc38..3ca91b1c07 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -95,11 +95,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Parse domain and username */ parse_domain_user(state->request.data.auth.user, name_domain, name_user); - if ( !*name_domain ) { - DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user)); - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } /* do password magic */ @@ -118,11 +113,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* what domain should we contact? */ - if ( IS_DC ) + if ( IS_DC ) { + if (!find_domain_from_name(name_domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.auth.user, name_domain, name_user, name_domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = name_domain; - else - contact_domain = lp_workgroup(); + } else { + if (is_myname(name_domain)) { + DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } + contact_domain = lp_workgroup(); + } /* check authentication loop */ do { @@ -304,11 +311,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) /* what domain should we contact? */ - if ( IS_DC ) + if ( IS_DC ) { + if (!find_domain_from_name(domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.auth.user, domain, user, domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = domain; - else + } else { + if (is_myname(domain)) { + DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = lp_workgroup(); - + } + do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); @@ -446,8 +465,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state) return WINBINDD_ERROR; parse_domain_user(state->request.data.chauthtok.user, domain, user); - if ( !*domain ) { - result = NT_STATUS_INVALID_PARAMETER; + + if (!find_domain_from_name(domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.chauthtok.user, domain, user, domain)); + result = NT_STATUS_NO_SUCH_USER; goto done; } diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 318da4a63a..0f14a7e413 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -525,10 +525,8 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user) if ( assume_domain(lp_workgroup())) { fstrcpy(domain, lp_workgroup()); - } else if (assume_domain(get_global_sam_name())) { - fstrcpy( domain, get_global_sam_name() ); } else { - fstrcpy( domain, ""); + fstrcpy( domain, get_global_sam_name() ); } } else { -- cgit