From 975b15949013f86ffa43675537183b20f3519ed2 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Aug 2006 22:53:08 +0000 Subject: r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb) --- source3/include/includes.h | 8 ++++++ source3/nsswitch/pam_winbind.c | 8 +++--- source3/nsswitch/winbind_nss_config.h | 13 ++++++++-- source3/nsswitch/winbindd_nss.h | 6 ++--- source3/nsswitch/winbindd_pam.c | 47 +++++++---------------------------- 5 files changed, 35 insertions(+), 47 deletions(-) diff --git a/source3/include/includes.h b/source3/include/includes.h index bd65edbab0..524e6ab8d2 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -671,6 +671,14 @@ typedef int socklen_t; #endif /* don't lie. If we don't have it, then don't use it */ #endif +#if !defined(int64) +#if (SIZEOF_LONG == 8) +#define int64 long +#elif (SIZEOF_LONG_LONG == 8) +#define int64 long long +#endif /* don't lie. If we don't have it, then don't use it */ +#endif + /* * Types for devices, inodes and offsets. diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index f2dacf241e..ea50b1ac74 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -366,7 +366,7 @@ static int winbind_auth_request(pam_handle_t * pamh, request.data.auth.krb5_cc_type[0] = '\0'; request.data.auth.uid = -1; - request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY; + request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM; if (ctrl & WINBIND_KRB5_AUTH) { 
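Review bot: The new int64 block added to includes.h is repeated verbatim in winbind_nss_config.h (the @@ -137 hunk on the next line), and the two copies will drift unless something ties them together. Both copies also leave int64 undefined when neither SIZEOF_LONG nor SIZEOF_LONG_LONG is 8, and winbindd_nss.h then picks time_t for SMB_TIME_T, which sizes the structs shared between pam_winbind and winbindd; a client and daemon that take different branches here would disagree on struct layout (the same fallback already existed for uint64, so this is inherited rather than new). I would record that dependency at the definition: `/* keep in sync with winbind_nss_config.h: SMB_TIME_T in winbindd_nss.h selects int64 when it is defined */`.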
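Review bot: WBFLAG_PAM_CONTACT_TRUSTDOM is used at this line and again in the @@ -564 and @@ -1150 hunks of pam_winbind.c, but no hunk in this patch defines it, so it must already exist in winbindd_nss.h or the module no longer builds. Dropping WBFLAG_PAM_GET_PWD_POLICY from the request is only safe because the daemon side (winbindd_pam.c, @@ -1306) now fills the policy unconditionally, and nothing at the assignment records that coupling for the next reader. I would add `/* winbindd now returns the password policy unconditionally; CONTACT_TRUSTDOM lets it route the request to a trusted domain */` above the assignment. winbind_auth_request continues outside the hunk.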
@@ -564,7 +564,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh, } if (ctrl & WINBIND_KRB5_AUTH) { - request.flags = WBFLAG_PAM_KRB5; + request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM; } ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user); @@ -1150,7 +1150,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, } request.data.logoff.uid = pwd->pw_uid; - request.flags = WBFLAG_PAM_KRB5; + request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM; retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user); } @@ -1391,7 +1391,7 @@ struct pam_module _pam_winbind_modstruct = { * Copyright (c) Tim Potter 2000 * Copyright (c) Andrew Bartlettt 2002 * Copyright (c) Guenther Deschner 2005-2006 - * Copyright (c) Jan Rêkorajski 1999. + * Copyright (c) Jan Rêkorajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h index 66e38513fd..f9d3852660 100644 --- a/source3/nsswitch/winbind_nss_config.h +++ b/source3/nsswitch/winbind_nss_config.h @@ -24,12 +24,12 @@ #ifndef _WINBIND_NSS_CONFIG_H #define _WINBIND_NSS_CONFIG_H -/* shutup the compiler warnings due to krb5.h on i - 64-bit sles9 */ +/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */ #ifdef SIZEOF_LONG #undef SIZEOF_LONG #endif + /* Include header files from data in config.h file */ #ifndef NO_CONFIG_H @@ -137,6 +137,15 @@ typedef int BOOL; #endif /* don't lie. If we don't have it, then don't use it */ #endif +#if !defined(int64) +#if (SIZEOF_LONG == 8) +#define int64 long +#elif (SIZEOF_LONG_LONG == 8) +#define int64 long long +#endif /* don't lie. If we don't have it, then don't use it */ +#endif + + /* zero a structure */ #ifndef ZERO_STRUCT 
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index f393512b72..c6b6be33ed 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -42,8 +42,8 @@ between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2. The easiest way to do this is to always use 8byte values for time_t. */ -#if defined(uint64) -# define SMB_TIME_T uint64 +#if defined(int64) +# define SMB_TIME_T int64 #else # define SMB_TIME_T time_t #endif @@ -198,7 +198,7 @@ typedef struct winbindd_gr { #define WBFLAG_PAM_KRB5 0x1000 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000 #define WBFLAG_PAM_CACHED_LOGIN 0x4000 -#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 +#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */ #define WINBINDD_MAX_EXTRA_DATA (128*1024) diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 8931b1373e..c93f4c98b6 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -6,7 +6,7 @@ Copyright (C) Andrew Tridgell 2000 Copyright (C) Tim Potter 2001 Copyright (C) Andrew Bartlett 2001-2002 - Copyright (C) Guenther Deschner 2005-2006 + Copyright (C) Guenther Deschner 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
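Review bot: Changing SMB_TIME_T from uint64 to int64 changes the signedness of every time field in the request/response structs shared by pam_winbind and winbindd, so the comparisons that read them only behave as intended once both sides are rebuilt; a mismatched pair keeps the same 8-byte layout but interprets values with the top bit set differently. The comment above the define still explains only why 8-byte values are used, not why the type is now signed, which is the substance of the BUG 3969 fix named in the subject. I would extend it with `/* int64 rather than uint64: expiry values from the DC are compared against time_t, and an unsigned comparison gets that wrong (BUG 3969) */`. The `/* not used */` annotation on WBFLAG_PAM_GET_PWD_POLICY in the @@ -198 hunk is fine as long as the 0x8000 value stays reserved rather than being reused.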
@@ -222,44 +222,18 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state, return NULL; } - if (strequal(domain_name, lp_workgroup())) { - return find_our_domain(); - } - -#ifdef HAVE_ADS - - /* when trying to login using krb5 with a trusted domain account, we - * need to make sure that our and the remote domain are AD */ - - if ((state->request.flags & WBFLAG_PAM_KRB5) && - (lp_security() == SEC_ADS)) { - - struct winbindd_domain *our_domain = find_our_domain(); - - if (!our_domain->active_directory) { - DEBUG(3,("find_auth_domain: out domain is not AD\n")); - return NULL; - } - - if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) { - return NULL; - } - - /* do we already know it's AD ? */ - if (domain->active_directory) { + /* we can auth against trusted domains */ + if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { + domain = find_domain_from_name_noinit(domain_name); + if (domain == NULL) { + DEBUG(3, ("Authentication for domain [%s] skipped " + "as it is not a trusted domain\n", + domain_name)); + } else { return domain; } - - set_dc_type_and_flags(domain); - - if (!domain->active_directory) { - DEBUG(3,("find_auth_domain: remote domain is not AD\n")); - return NULL; } - return domain; - } -#endif return find_our_domain(); } @@ -1306,15 +1280,12 @@ process_result: } - /* this is required to provide password expiry warning */ - if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) { result = fillup_password_policy(domain, state); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); goto done; } - } } -- cgit
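Review bot: When WBFLAG_PAM_CONTACT_TRUSTDOM is set and find_domain_from_name_noinit() returns NULL, the new branch logs that authentication for the domain is "skipped" but then falls through to `return find_our_domain();`, so a request naming an unknown domain is authenticated against our own domain under the same user name, and the log text and the behaviour disagree. If the fall-back is intended the message should say so, e.g. `"Domain [%s] is not a trusted domain, falling back to our own domain\n"`; if it is not, the NULL branch should `return NULL;`. The removed HAVE_ADS block also carried the check that both our domain and the remote one are AD before a WBFLAG_PAM_KRB5 request is sent to a trusted domain, and nothing in the new branch replaces it, so a krb5 request can now be routed to a non-AD trust. find_auth_domain starts outside the hunk.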
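Review bot: Removing the WBFLAG_PAM_GET_PWD_POLICY guard makes fillup_password_policy() run for every caller that reaches process_result, and its failure now aborts the whole authentication with `goto done` and a non-OK result, so a client that never asked for the policy can fail authentication with valid credentials on a DC where the policy lookup fails. Unless policy failure is meant to be fatal for all callers, keep the authentication result on that path: `if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); result = NT_STATUS_OK; }`, assuming result is NT_STATUS_OK when control reaches process_result. The enclosing function starts and ends outside the hunk.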