From 5d55674b52a516536a03e7f6d710a53efe7f5b8d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Dec 2003 08:45:03 +0000 Subject: Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448) --- source3/nsswitch/winbindd_pam.c | 48 +++++++++++++++++++++++++++++----------- source3/nsswitch/winbindd_util.c | 4 +--- 2 files changed, 36 insertions(+), 16 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 94f9bf9464..54513b1bc1 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -96,11 +96,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Parse domain and username */ parse_domain_user(state->request.data.auth.user, name_domain, name_user); - if ( !*name_domain ) { - DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user)); - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } /* do password magic */ 
@@ -119,11 +114,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* what domain should we contact? */ - if ( IS_DC ) + if ( IS_DC ) { + if (!find_domain_from_name(name_domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.auth.user, name_domain, name_user, name_domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = name_domain; - else - contact_domain = lp_workgroup(); + } else { + if (is_myname(name_domain)) { + DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } + contact_domain = lp_workgroup(); + } /* check authentication loop */ do { @@ -305,11 +312,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) /* what domain should we contact? */ - if ( IS_DC ) + if ( IS_DC ) { + if (!find_domain_from_name(domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.auth.user, domain, user, domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = domain; - else + } else { + if (is_myname(domain)) { + DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = lp_workgroup(); - + } + do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); 
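Review bot: The `IS_DC` rejection added to winbindd_pam_auth logs "Cannot change password for ..." even though this path handles an authentication attempt, not a password change. That wording will mislead anyone using winbindd logs to reconstruct failed logons against untrusted domains, and the same text is repeated in the winbindd_pam_auth_crap hunk. I would word it for the operation, e.g. `DEBUG(3, ("Authentication for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",`, leaving the arguments unchanged. The function body starts and ends outside the hunk.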
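Review bot: In winbindd_pam_auth_crap the new DEBUG call passes `state->request.data.auth.user`, the field used by winbindd_pam_auth, rather than a field of this request type. If `data` is a union whose auth_crap member carries its own `user` field (the struct is not visible here, so confirm against its definition), the argument line should read `state->request.data.auth_crap.user, domain, user, domain));`. As written, the logged name is only correct if the two members happen to share a layout. The function body starts and ends outside the hunk.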
@@ -447,8 +466,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state) return WINBINDD_ERROR; parse_domain_user(state->request.data.chauthtok.user, domain, user); - if ( !*domain ) { - result = NT_STATUS_INVALID_PARAMETER; + + if (!find_domain_from_name(domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.chauthtok.user, domain, user, domain)); + result = NT_STATUS_NO_SUCH_USER; goto done; } diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index a9bb851a7a..1f9537ac25 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -526,10 +526,8 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user) if ( assume_domain(lp_workgroup())) { fstrcpy(domain, lp_workgroup()); - } else if (assume_domain(get_global_sam_name())) { - fstrcpy( domain, get_global_sam_name() ); } else { - fstrcpy( domain, ""); + fstrcpy( domain, get_global_sam_name() ); } } else { -- cgit
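Review bot: winbindd_pam_chauthtok no longer rejects an empty domain explicitly, so an empty `domain` is refused only if `find_domain_from_name()` returns NULL for an empty string. The winbindd_util.c hunk fills in a domain when the name has no separator, but the branch that handles a name with a separator is outside this diff, so whether `domain` can still come back empty cannot be confirmed from this page. Keeping the guard visible costs nothing: `if (!*domain || !find_domain_from_name(domain)) {`. A short comment such as `/* NO_SUCH_USER lets PAM fall through to the next password module */` would also record why this status was chosen, which at present only the commit message explains.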
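Review bot: After this hunk the no-separator path of parse_domain_user always writes a non-empty `domain`, falling back to `get_global_sam_name()`. Callers can therefore no longer use `!*domain` to detect an unqualified name. The three callers in winbindd_pam.c are updated in this commit, but any other caller that still tests for an empty domain would silently start treating unqualified names as belonging to the local SAM, so those callers are worth checking. I would document the new contract on the else branch, e.g. `/* unqualified name: assign it to our own SAM; callers must reject it via is_myname()/find_domain_from_name() */`. The function starts and ends outside the hunk.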