
(-)nsswitch/winbindd_util.c (-4 / +6 lines)
Lines 835-844 Link Here
835
		if ( assume_domain(lp_workgroup())) {
835
		if ( assume_domain(lp_workgroup())) {
836
			fstrcpy(domain, lp_workgroup());
836
			fstrcpy(domain, lp_workgroup());
837
		} else {
837
		} else {
838
			fstrcpy( domain, get_global_sam_name() ); 
838
			fstrcpy(domain, "");
839
			return False;
839
		}
840
		}
840
	} 
841
	} else {
841
	else {
842
		fstrcpy(user, p+1);
842
		fstrcpy(user, p+1);
843
		fstrcpy(domain, domuser);
843
		fstrcpy(domain, domuser);
844
		domain[PTR_DIFF(p, domuser)] = 0;
844
		domain[PTR_DIFF(p, domuser)] = 0;
Lines 853-859 Link Here
853
			      char **domain, char **user)
853
			      char **domain, char **user)
854
{
854
{
855
	fstring fstr_domain, fstr_user;
855
	fstring fstr_domain, fstr_user;
856
	parse_domain_user(domuser, fstr_domain, fstr_user);
856
	if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
857
		return False;
858
	}
857
	*domain = talloc_strdup(mem_ctx, fstr_domain);
859
	*domain = talloc_strdup(mem_ctx, fstr_domain);
858
	*user = talloc_strdup(mem_ctx, fstr_user);
860
	*user = talloc_strdup(mem_ctx, fstr_user);
859
	return ((*domain != NULL) && (*user != NULL));
861
	return ((*domain != NULL) && (*user != NULL));
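Review bot: The new early return in parse_domain_user_talloc() (new lines 856-858) leaves `*domain` and `*user` untouched, so a caller that does not test the result keeps whatever those pointers held before the call. Assigning `*domain = NULL; *user = NULL;` ahead of `return False;` would make the failure state defined. In the first hunk, parse_domain_user() now returns False on the branch at lines 837-839 after writing an empty string to `domain`. Any call site that still ignores its return value would continue with an empty domain, so each one needs the check this patch adds in winbindd_pam.c. Both functions begin outside the displayed lines, so whether `user` has already been filled in on that path cannot be confirmed from here.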
(-)nsswitch/winbindd_user.c (-1 / +1 lines)
Lines 337-343 Link Here
337
337
338
	if (!parse_domain_user(state->request.data.username, domname,
338
	if (!parse_domain_user(state->request.data.username, domname,
339
			       username)) {
339
			       username)) {
340
		DEBUG(0, ("Could not parse domain user: %s\n",
340
		DEBUG(1, ("Could not parse domain user: %s\n",
341
			  state->request.data.username));
341
			  state->request.data.username));
342
		request_error(state);
342
		request_error(state);
343
		return;
343
		return;
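Review bot: The message at line 340 still prints the client-supplied `state->request.data.username` at a low debug level, although after this patch a name that parse_domain_user() rejects is ordinary input rather than an internal error. Every request carrying such a name now writes a line containing caller-chosen text into the log; a higher level such as `DEBUG(5, ("Could not parse domain user: %s\n",` would keep it available for debugging without the noise. The same line is changed in the same way in nsswitch/winbindd_group.c (line 995). Whether the username buffer is forcibly NUL-terminated before it reaches `%s` is decided outside this hunk and is worth confirming.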
(-)nsswitch/winbindd_group.c (-1 / +1 lines)
Lines 992-998 Link Here
992
	if (!parse_domain_user_talloc(state->mem_ctx,
992
	if (!parse_domain_user_talloc(state->mem_ctx,
993
				      state->request.data.username,
993
				      state->request.data.username,
994
				      &s->domname, &s->username)) {
994
				      &s->domname, &s->username)) {
995
		DEBUG(0, ("Could not parse domain user: %s\n",
995
		DEBUG(1, ("Could not parse domain user: %s\n",
996
			  state->request.data.username));
996
			  state->request.data.username));
997
		request_error(state);
997
		request_error(state);
998
		return;
998
		return;
(-)nsswitch/pam_winbind.c (-4 / +43 lines)
Lines 566-575 Link Here
566
 *	 0  = OK
569
 *	 0  = OK
567
 * 	-1  = System error
570
 * 	-1  = System error
568
 */
571
 */
569
static int valid_user(const char *user)
572
static int valid_user(const char *user, pam_handle_t *pamh, int ctrl)
570
{
573
{
571
	if (getpwnam(user)) return 0;
574
	/* check not only if the user is available over NSS calls, also make
572
	return 1;
575
	 * sure it's really a winbind user, this is important when stacking PAM
576
	 * modules in the 'account' or 'password' facility. */
577
578
	struct passwd *pwd = NULL;
579
	struct winbindd_request request;
580
	struct winbindd_response response;
581
	int ret;
582
583
	ZERO_STRUCT(request);
584
	ZERO_STRUCT(response);
585
586
	pwd = getpwnam(user);
587
	if (pwd == NULL) {
588
		return 1;
589
	}
590
591
	fstrcpy(request.data.username, user);
592
593
	ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_GETPWNAM, &request, &response, user);
594
595
	switch (ret) {
596
		case PAM_USER_UNKNOWN:
597
			return 1;
598
		case PAM_SUCCESS:
599
			return 0;
600
		default:
601
			break;
602
	}
603
	return -1;
573
}
604
}
574
605
575
static char *_pam_delete(register char *xx)
606
static char *_pam_delete(register char *xx)
Lines 897-903 Link Here
897
	}
972
	}
898
973
899
	/* Verify the username */
974
	/* Verify the username */
900
	retval = valid_user(username);
975
	retval = valid_user(username, pamh, ctrl);
901
	switch (retval) {
976
	switch (retval) {
902
	case -1:
977
	case -1:
903
		/* some sort of system error. The log was already printed */
978
		/* some sort of system error. The log was already printed */
Lines 1123-1128 Link Here
1123
		return retval;
1198
		return retval;
1124
	}
1199
	}
1125
1200
1201
	/* check if this is really a user in winbindd, not only in NSS */
1202
	retval = valid_user(user, pamh, ctrl);
1203
	switch (retval) {
1204
		case 1:
1205
			return PAM_USER_UNKNOWN;
1206
		case -1:
1207
			return PAM_SYSTEM_ERR;
1208
		default:
1209
			break;
1210
	}
1211
		
1126
	/*
1212
	/*
1127
	 * obtain and verify the current password (OLDAUTHTOK) for
1213
	 * obtain and verify the current password (OLDAUTHTOK) for
1128
	 * the user.
1214
	 * the user.
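Review bot: valid_user() folds every result of pam_winbind_request_log() other than PAM_SUCCESS and PAM_USER_UNKNOWN into -1, and the new check at lines 1202-1210 turns that into PAM_SYSTEM_ERR. If the helper returns some other code when winbindd cannot be reached (its body is not shown, so this is an assumption), an account that getpwnam() resolves locally would get a hard error from this module while the daemon is down, which works against the stacking case the new comment describes. Either pass the helper's PAM code through or document the mapping in the header comment, for example ` *	-1  = winbindd request failed (any result other than PAM_SUCCESS / PAM_USER_UNKNOWN)`. Separately, the result of `fstrcpy(request.data.username, user);` is not checked, so if the copy truncates, the winbind lookup is made for a shorter name than the one getpwnam() was asked about; rejecting names with `strlen(user) >= sizeof(request.data.username)` first would avoid that. The function containing the third hunk starts and ends outside the displayed lines.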
(-)nsswitch/winbindd_pam.c (-2 / +11 lines)
Lines 633-640 Link Here
633
633
634
	/* Parse domain and username */
634
	/* Parse domain and username */
635
	
635
	
636
	parse_domain_user(state->request.data.auth.user,
636
	if (!parse_domain_user(state->request.data.auth.user,
637
			  name_domain, name_user);
637
			       name_domain, name_user)) {
638
		set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
639
		DEBUG(5, ("Plain text authentication for %s returned %s "
640
			  "(PAM: %d)\n",
641
			  state->request.data.auth.user, 
642
			  state->response.data.auth.nt_status_string,
643
			  state->response.data.auth.pam_error));
644
		request_error(state);
645
		return;
646
	}
638
647
639
	domain = find_auth_domain(state, name_domain);
648
	domain = find_auth_domain(state, name_domain);
640
649
