From 35ac9d287f000c27dc864789b341bebe7acb4c74 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 26 Oct 2002 02:20:59 +0000 Subject: Try to catch up on the code I've put into HEAD that should be in 3.0: - vorlan's hosts allow with DNS names patch - use x_fileno() in debug.c, not the struct directly. - check for server timeout on password change (was reporting success) - better error/status loggin in both the pam_winbind client and winbindd_pam server code. - (pdb_ldap) don't set the ldap version twice - we do it on every bind anyway. (This used to be commit 9fa1863d8e7788eda83911ca2610754486b33069) --- source3/lib/access.c | 6 ++--- source3/lib/debug.c | 2 +- source3/lib/util_sock.c | 6 ++--- source3/libsmb/clirap.c | 12 ++++++--- source3/nsswitch/pam_winbind.c | 56 +++++++++++++++++++++++++++-------------- source3/nsswitch/winbindd_pam.c | 7 ++++++ source3/passdb/pdb_ldap.c | 7 ------ source3/web/cgi.c | 2 +- 8 files changed, 60 insertions(+), 38 deletions(-) (limited to 'source3') diff --git a/source3/lib/access.c b/source3/lib/access.c index 4e524735e4..a39bc6df76 100644 --- a/source3/lib/access.c +++ b/source3/lib/access.c @@ -316,20 +316,20 @@ BOOL check_access(int sock, char **allow_list, char **deny_list) else { DEBUG (3, ("check_access: hostnames in host allow/deny list.\n")); - ret = allow_access(deny_list,allow_list, get_socket_name(sock), + ret = allow_access(deny_list,allow_list, get_socket_name(sock,True), get_socket_addr(sock)); } if (ret) { DEBUG(2,("Allowed connection from %s (%s)\n", - only_ip ? "" : get_socket_name(sock), + only_ip ? "" : get_socket_name(sock,True), get_socket_addr(sock))); } else { DEBUG(0,("Denied connection from %s (%s)\n", - only_ip ? "" : get_socket_name(sock), + only_ip ? "" : get_socket_name(sock,True), get_socket_addr(sock))); } } diff --git a/source3/lib/debug.c b/source3/lib/debug.c index f4f3ee2f9f..483db71b85 100644 --- a/source3/lib/debug.c +++ b/source3/lib/debug.c 
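Review bot: In source3/lib/access.c, the host name that check_access() hands to allow_access() now always comes from a reverse DNS lookup of the peer (`get_socket_name(sock,True)`), so a hostname entry in hosts allow/deny is only as trustworthy as that lookup. The patch does not show whether the returned name is forward-confirmed against the address (util_sock.c has a matchname() helper, but its call site is outside these hunks). I would add a comment above the allow_access() call, `/* name comes from reverse DNS; it must be forward-confirmed by get_socket_name() before it is used for access control */`, and confirm that this holds. The two DEBUG calls invoke `get_socket_name(sock,True)` again; keeping the first result in a local would guarantee that the logged name is the one that was checked. check_access's body starts and ends outside the hunk.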
@@ -603,7 +603,7 @@ BOOL reopen_logs( void ) (void)umask(oldumask); /* Take over stderr to catch ouput into logs */ - if (dbf && sys_dup2(dbf->fd, 2) == -1) { + if (dbf && sys_dup2(x_fileno(dbf), 2) == -1) { close_low_fds(True); /* Close stderr too, if dup2 can't point it at the logfile */ } diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c index fc2abf976f..04c20f6596 100644 --- a/source3/lib/util_sock.c +++ b/source3/lib/util_sock.c @@ -832,7 +832,7 @@ void client_setfd(int fd) char *client_name(void) { - return get_socket_name(client_fd); + return get_socket_name(client_fd,False); } char *client_addr(void) @@ -890,7 +890,7 @@ static BOOL matchname(char *remotehost,struct in_addr addr) /******************************************************************* return the DNS name of the remote end of a socket ******************************************************************/ -char *get_socket_name(int fd) +char *get_socket_name(int fd, BOOL force_lookup) { static pstring name_buf; static fstring addr_buf; @@ -902,7 +902,7 @@ char *get_socket_name(int fd) situations won't work because many networks don't link dhcp with dns. To avoid the delay we avoid the lookup if possible */ - if (!lp_hostname_lookups()) { + if (!lp_hostname_lookups() && (force_lookup == False)) { return get_socket_addr(fd); } diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c index 2064e14954..b4924fd773 100644 --- a/source3/libsmb/clirap.c +++ b/source3/libsmb/clirap.c @@ -343,13 +343,17 @@ BOOL cli_oem_change_password(struct cli_state *cli, const char *user, const char return False; } - if (cli_receive_trans(cli,SMBtrans, + if (!cli_receive_trans(cli,SMBtrans, &rparam, &rprcnt, &rdata, &rdrcnt)) { - if (rparam) - cli->rap_error = SVAL(rparam,0); + DEBUG(0,("cli_oem_change_password: Failed to recieve reply to password change for user %s\n", + user )); + return False; } - + + if (rparam) + cli->rap_error = SVAL(rparam,0); + SAFE_FREE(rparam); SAFE_FREE(rdata); 
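Review bot: In source3/lib/util_sock.c the header comment of get_socket_name() (hunk at -890) still says only "return the DNS name of the remote end of a socket" and does not mention the new `force_lookup` parameter, which in the hunk at -902 overrides the administrator's `lp_hostname_lookups()` setting. I would extend the comment to say that force_lookup resolves the peer even when hostname lookups are disabled, that it is meant for access-control callers, and that the name appears to be returned from a static buffer (`name_buf`). The condition would read more plainly as `if (!lp_hostname_lookups() && !force_lookup) {`. The function body continues outside both hunks.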
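Review bot: In source3/libsmb/clirap.c, `cli->rap_error = SVAL(rparam,0);` reads two bytes of the server's reply after checking only that `rparam` is non-NULL, so a reply carrying fewer than two parameter bytes would be read past its end. Guarding with the returned count closes that: `if (rparam && rprcnt >= 2)`. The new early `return False` also skips the `SAFE_FREE(rparam); SAFE_FREE(rdata);` pair below it; if cli_receive_trans() can fail after allocating either buffer (not visible here), both should be freed before returning. cli_oem_change_password's body starts and ends outside the hunk.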
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index f95caefb4c..7d0353664f 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -134,22 +134,15 @@ static int pam_winbind_request(enum winbindd_cmd req_type, return PAM_SUCCESS; } -/* talk to winbindd */ -static int winbind_auth_request(const char *user, const char *pass, int ctrl) +static int pam_winbind_request_log(enum winbindd_cmd req_type, + struct winbindd_request *request, + struct winbindd_response *response, + int ctrl, + const char *user) { - struct winbindd_request request; - struct winbindd_response response; int retval; - ZERO_STRUCT(request); - - strncpy(request.data.auth.user, user, - sizeof(request.data.auth.user)-1); - - strncpy(request.data.auth.pass, pass, - sizeof(request.data.auth.pass)-1); - - retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response); + retval = pam_winbind_request(req_type, request, response); switch (retval) { case PAM_AUTH_ERR: @@ -178,8 +171,16 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl) } return retval; case PAM_SUCCESS: - /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' granted acces", user); + if (req_type == WINBINDD_PAM_AUTH) { + /* Otherwise, the authentication looked good */ + _pam_log(LOG_NOTICE, "user '%s' granted acces", user); + } else if (req_type == WINBINDD_PAM_CHAUTHTOK) { + /* Otherwise, the authentication looked good */ + _pam_log(LOG_NOTICE, "user '%s' password changed", user); + } else { + /* Otherwise, the authentication looked good */ + _pam_log(LOG_NOTICE, "user '%s' OK", user); + } return retval; default: /* we don't know anything about this return value */ 
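Review bot: In source3/nsswitch/pam_winbind.c (hunk at -134) the new helper pam_winbind_request_log() has no comment, and the `/* talk to winbindd */` line that used to sit here moved away with winbind_auth_request(). I would add a header comment stating that it sends the request through pam_winbind_request(), logs the outcome for `user`, and returns the PAM code unchanged, for example `/* send request to winbindd, log the result for user, return the PAM code */`. How `ctrl` affects the logging is decided in the switch body, which continues outside this hunk, so the comment should describe that once checked.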
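Review bot: In the PAM_SUCCESS case (hunk at -178) all three branches carry the same copied comment, "Otherwise, the authentication looked good", which is wrong for the WINBINDD_PAM_CHAUTHTOK branch and for the fallback branch. I would keep it on the WINBINDD_PAM_AUTH branch only and use `/* password change accepted by winbindd */` and `/* other request types: log a generic success */` on the other two. The message `"user '%s' granted acces"` has a typo; if it is corrected, any log monitoring that matches on the old string has to follow.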
@@ -187,12 +188,29 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl) retval, user); return retval; } - /* should not be reached */ +} + +/* talk to winbindd */ +static int winbind_auth_request(const char *user, const char *pass, int ctrl) +{ + struct winbindd_request request; + struct winbindd_response response; + + ZERO_STRUCT(request); + + strncpy(request.data.auth.user, user, + sizeof(request.data.auth.user)-1); + + strncpy(request.data.auth.pass, pass, + sizeof(request.data.auth.pass)-1); + + + return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user); } /* talk to winbindd */ static int winbind_chauthtok_request(const char *user, const char *oldpass, - const char *newpass) + const char *newpass, int ctrl) { struct winbindd_request request; struct winbindd_response response; @@ -218,7 +236,7 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass, request.data.chauthtok.newpass[0] = '\0'; } - return pam_winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response); + return pam_winbind_request_log(WINBINDD_PAM_CHAUTHTOK, &request, &response, ctrl, user); } /* @@ -665,7 +683,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * rebuild the password database file. */ - retval = winbind_chauthtok_request(user, pass_old, pass_new); + retval = winbind_chauthtok_request(user, pass_old, pass_new, ctrl); _pam_overwrite(pass_new); _pam_overwrite(pass_old); pass_old = pass_new = NULL; diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 3e7a8ad971..969cf272a3 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c 
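Review bot: winbind_auth_request() (hunk at -187) copies the cleartext password into `request` and returns without clearing it, so the copy stays on the stack after the call, although pam_sm_chauthtok (hunk at -665) takes care to `_pam_overwrite()` its own copies. The same applies to winbind_chauthtok_request() in the hunk at -218, which by its parameters handles both the old and the new password. With a local `int retval`, I would capture the result and clear the struct before returning: `retval = pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);` `ZERO_STRUCT(request);` `return retval;`, preferably through a clearing primitive the compiler cannot elide where the platform offers one. Separately, the `strncpy(..., sizeof(...)-1)` calls silently truncate an over-long user name or password instead of rejecting it, so a truncated name would be sent to winbindd as a different name.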
@@ -354,5 +354,12 @@ done: fstrcpy(state->response.data.auth.error_string, nt_errstr(result)); state->response.data.auth.pam_error = nt_status_to_pam(result); + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, + ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n", + domain, + user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index a10e6f2989..2121c335a0 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -1420,13 +1420,6 @@ static NTSTATUS ldapsam_modify_entry(LDAP *ldap_struct,SAM_ACCOUNT *newpwd,char char *retoid; struct berval *retdata; - if (ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) { - if (version != LDAP_VERSION3) { - version = LDAP_VERSION3; - ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version); - } - } - if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) { DEBUG(0,("ber_alloc_t returns NULL\n")); return ret; diff --git a/source3/web/cgi.c b/source3/web/cgi.c index 684086f61e..c9cb78f6f1 100644 --- a/source3/web/cgi.c +++ b/source3/web/cgi.c @@ -636,7 +636,7 @@ return the hostname of the client char *cgi_remote_host(void) { if (inetd_server) { - return get_socket_name(1); + return get_socket_name(1,False); } return getenv("REMOTE_HOST"); } -- cgit
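Review bot: In source3/nsswitch/winbindd_pam.c the new DEBUG sits after the `done:` label and prints `domain`, `user` and `state->response.data.auth.nt_status_string`, none of which is assigned inside this hunk; if any `goto done` is taken before they are filled in, the log call reads uninitialised buffers. Please confirm that every jump to `done:` happens after they are set, or initialise the name buffers to empty strings at declaration. Both names presumably come from the client request and reach the log as received, which deserves a comment such as `/* domain and user are client-supplied; logged unfiltered */`. The function starts outside the hunk, so the "Password change" wording should be checked against the request type this function actually serves, given that it fills the `auth` response fields.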