From 4aa7205c3da08b6efb322980bf7cf2ebe12c67a8 Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Mon, 5 Feb 2007 14:34:12 +0000
Subject: r21143: Fix wrong check for pam error codes for getpwnam and lookup
 winbind requests in pam_winbind (Bug #4094).

Inspired by fix from Lars Heete.

Guenther
(This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
---
 source3/nsswitch/pam_winbind.c | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index d7fb838d9a..2b8e9be528 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -444,21 +444,34 @@ static int pam_winbind_request(pam_handle_t * pamh, int ctrl,
 	close_sock();
 
 	/* Copy reply data from socket */
-	if (response->result != WINBINDD_OK) {
-		if (response->data.auth.pam_error != PAM_SUCCESS) {
-			_pam_log(pamh, ctrl, LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s", 
-				 response->data.auth.error_string,
-				 pam_strerror(pamh, response->data.auth.pam_error),
-				 response->data.auth.pam_error,
-				 response->data.auth.nt_status_string);
-			return response->data.auth.pam_error;
-		} else {
-			_pam_log(pamh, ctrl, LOG_ERR, "request failed, but PAM error 0!");
-			return PAM_SERVICE_ERR;
-		}
+	if (response->result == WINBINDD_OK) {
+		return PAM_SUCCESS;
 	}
 
-	return PAM_SUCCESS;
+	/* no need to check for pam_error codes for getpwnam() */
+	switch (req_type) {
+
+		case WINBINDD_GETPWNAM:
+		case WINBINDD_LOOKUPNAME:
+			_pam_log(pamh, ctrl, LOG_ERR, "request failed: %s, NT error was %s", 
+				response->data.auth.nt_status_string);
+			return PAM_USER_UNKNOWN;
+		default:
+			break;
+	}
+
+	if (response->data.auth.pam_error != PAM_SUCCESS) {
+		_pam_log(pamh, ctrl, LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s", 
+			 response->data.auth.error_string,
+			 pam_strerror(pamh, response->data.auth.pam_error),
+			 response->data.auth.pam_error,
+			 response->data.auth.nt_status_string);
+		return response->data.auth.pam_error;
+	} 
+	
+	_pam_log(pamh, ctrl, LOG_ERR, "request failed, but PAM error 0!");
+
+	return PAM_SERVICE_ERR;
 }
 
 static int pam_winbind_request_log(pam_handle_t * pamh,
-- 
cgit