The branch, master has been updated
via 8531921... s3: Turn two macros into functions
via 177e394... s3: Pass the rhost through smb_pam_accountcheck
via 265f0b7... s3: Rename auth.c:backends to auth_backends
via 6ff012a... s3: Fix some nonemtpy blank lines
from 8bc5899... s4: Only install testparm to /usr/bin/, no longer to
/usr/sbin.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8531921e3d4bba30ed6d10bf671b0b70d2f4f3f7
Author: Volker Lendecke <v...@samba.org>
Date: Sun Aug 22 20:00:46 2010 +0200
s3: Turn two macros into functions
commit 177e394f93278407557702d9f53bae65fd5fc434
Author: Volker Lendecke <v...@samba.org>
Date: Wed Aug 18 18:23:49 2010 +0200
s3: Pass the rhost through smb_pam_accountcheck
commit 265f0b7745b811d6ba1575eb277213f707215a3b
Author: Volker Lendecke <v...@samba.org>
Date: Wed Aug 18 17:31:39 2010 +0200
s3: Rename auth.c:backends to auth_backends
commit 6ff012a777889de5066fa77de9ed766f8421b1d5
Author: Volker Lendecke <v...@samba.org>
Date: Sun Aug 22 18:41:39 2010 +0200
s3: Fix some nonemtpy blank lines
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth.c | 13 ++++++---
source3/auth/pampass.c | 55 ++++++++++++++++++++++++++--------------
source3/include/proto.h | 3 +-
source3/lib/pam_errors.c | 4 +-
source3/smbd/sesssetup.c | 2 +-
source3/smbd/smb2_sesssetup.c | 3 +-
6 files changed, 50 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ed8888f..cabff53 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -18,19 +18,20 @@
*/
#include "includes.h"
+#include "smbd/globals.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
static_decl_auth;
-static struct auth_init_function_entry *backends = NULL;
+static struct auth_init_function_entry *auth_backends = NULL;
static struct auth_init_function_entry *auth_find_backend_entry(const char
*name);
NTSTATUS smb_register_auth(int version, const char *name, auth_init_function
init)
{
- struct auth_init_function_entry *entry = backends;
+ struct auth_init_function_entry *entry = auth_backends;
if (version != AUTH_INTERFACE_VERSION) {
DEBUG(0,("Can't register auth_method!\n"
@@ -54,14 +55,14 @@ NTSTATUS smb_register_auth(int version, const char *name,
auth_init_function ini
entry->name = smb_xstrdup(name);
entry->init = init;
- DLIST_ADD(backends, entry);
+ DLIST_ADD(auth_backends, entry);
DEBUG(5,("Successfully added auth method '%s'\n", name));
return NT_STATUS_OK;
}
static struct auth_init_function_entry *auth_find_backend_entry(const char
*name)
{
- struct auth_init_function_entry *entry = backends;
+ struct auth_init_function_entry *entry = auth_backends;
while(entry) {
if (strcmp(entry->name, name)==0) return entry;
@@ -284,7 +285,9 @@ static NTSTATUS check_ntlm_password(const struct
auth_context *auth_context,
if (!(*server_info)->guest) {
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(unix_username);
+ nt_status = smb_pam_accountcheck(
+ unix_username,
+ smbd_server_conn->client_id.name);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 6c7294d..f2e30b2 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -5,17 +5,17 @@
Copyright (C) John H Terpsta 1999-2001
Copyright (C) Andrew Bartlett 2001
Copyright (C) Jeremy Allison 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -62,8 +62,22 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message
**, struct pam_resp
/*
* Macros to help make life easy
*/
-#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
-#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
+
+static char *smb_pam_copy_string(const char *s)
+{
+ if (s == NULL) {
+ return NULL;
+ }
+ return SMB_STRDUP(s);
+}
+
+static char *smb_pam_copy_fstring(const char *s)
+{
+ if (s[0] == '\0') {
+ return NULL;
+ }
+ return SMB_STRDUP(s);
+}
/*******************************************************************
PAM error handler.
@@ -75,7 +89,6 @@ static bool smb_pam_error_handler(pam_handle_t *pamh, int
pam_error, const char
if( pam_error != PAM_SUCCESS) {
DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
msg, pam_strerror(pamh, pam_error)));
-
return False;
}
return True;
@@ -144,13 +157,15 @@ static int smb_pam_conv(int num_msg,
switch (msg[replies]->msg_style) {
case PAM_PROMPT_ECHO_ON:
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp =
COPY_STRING(udp->PAM_username);
+ reply[replies].resp = smb_pam_copy_string(
+ udp->PAM_username);
/* PAM frees resp */
break;
case PAM_PROMPT_ECHO_OFF:
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp =
COPY_STRING(udp->PAM_password);
+ reply[replies].resp = smb_pam_copy_string(
+ udp->PAM_password);
/* PAM frees resp */
break;
@@ -280,7 +295,7 @@ static int smb_pam_passchange_conv(int num_msg,
struct chat_struct *t;
bool found;
*resp = NULL;
-
+
DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d
messages\n", num_msg));
if (num_msg <= 0)
@@ -328,7 +343,8 @@ static int smb_pam_passchange_conv(int num_msg,
DEBUG(100,("smb_pam_passchange_conv:
PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
#endif
reply[replies].resp_retcode =
PAM_SUCCESS;
- reply[replies].resp =
COPY_FSTRING(current_reply);
+ reply[replies].resp =
smb_pam_copy_fstring(
+ current_reply);
found = True;
break;
}
@@ -356,7 +372,8 @@ static int smb_pam_passchange_conv(int num_msg,
DEBUG(10,("smb_pam_passchange_conv:
PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
pwd_sub(current_reply,
udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
reply[replies].resp_retcode =
PAM_SUCCESS;
- reply[replies].resp =
COPY_FSTRING(current_reply);
+ reply[replies].resp =
smb_pam_copy_fstring(
+ current_reply);
#ifdef DEBUG_PASSWORD
DEBUG(100,("smb_pam_passchange_conv:
PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
#endif
@@ -365,7 +382,7 @@ static int smb_pam_passchange_conv(int num_msg,
}
}
/* PAM frees resp */
-
+
if (!found) {
DEBUG(3,("smb_pam_passchange_conv: Could not
find reply for PAM prompt: %s\n",msg[replies]->msg));
free_pw_chat(pw_chat);
@@ -382,7 +399,7 @@ static int smb_pam_passchange_conv(int num_msg,
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = NULL;
break;
-
+
default:
/* Must be an error of some sort... */
free_pw_chat(pw_chat);
@@ -390,7 +407,7 @@ static int smb_pam_passchange_conv(int num_msg,
return PAM_CONV_ERR;
}
}
-
+
free_pw_chat(pw_chat);
if (reply)
*resp = reply;
@@ -443,7 +460,7 @@ static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv
*smb_pam_conv_ptr)
int pam_error;
smb_free_pam_conv(smb_pam_conv_ptr);
-
+
if( pamh != NULL ) {
pam_error = pam_end(pamh, 0);
if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed",
2) == True) {
@@ -520,7 +537,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char
*user)
* To enable debugging set in /etc/pam.d/samba:
* auth required /lib/security/pam_pwdb.so nullok shadow audit
*/
-
+
DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0
: PAM_DISALLOW_NULL_AUTHTOK);
switch( pam_error ){
@@ -774,7 +791,7 @@ bool smb_pam_close_session(char *user, char *tty, char
*rhost)
* PAM Externally accessible Account handler
*/
-NTSTATUS smb_pam_accountcheck(const char * user)
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
{
NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
pam_handle_t *pamh = NULL;
@@ -788,7 +805,7 @@ NTSTATUS smb_pam_accountcheck(const char * user)
if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) ==
NULL)
return NT_STATUS_NO_MEMORY;
- if (!smb_pam_start(&pamh, user, NULL, pconv))
+ if (!smb_pam_start(&pamh, user, rhost, pconv))
return NT_STATUS_ACCOUNT_DISABLED;
if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
@@ -870,7 +887,7 @@ bool smb_pam_passchange(const char * user, const char *
oldpassword, const char
#else
/* If PAM not used, no PAM restrictions on accounts. */
-NTSTATUS smb_pam_accountcheck(const char * user)
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
{
return NT_STATUS_OK;
}
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 50309a9..43a510b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -221,10 +221,9 @@ NTSTATUS auth_wbc_init(void);
bool smb_pam_claim_session(char *user, char *tty, char *rhost);
bool smb_pam_close_session(char *user, char *tty, char *rhost);
-NTSTATUS smb_pam_accountcheck(const char * user);
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost);
NTSTATUS smb_pam_passcheck(const char * user, const char * password);
bool smb_pam_passchange(const char * user, const char * oldpassword, const
char * newpassword);
-NTSTATUS smb_pam_accountcheck(const char * user);
bool smb_pam_claim_session(char *user, char *tty, char *rhost);
bool smb_pam_close_session(char *in_user, char *tty, char *rhost);
diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c
index 1073f26..e55d7a0 100644
--- a/source3/lib/pam_errors.c
+++ b/source3/lib/pam_errors.c
@@ -92,7 +92,7 @@ NTSTATUS pam_to_nt_status(int pam_error)
{
int i;
if (pam_error == 0) return NT_STATUS_OK;
-
+
for (i=0; NT_STATUS_V(pam_to_nt_status_map[i].ntstatus); i++) {
if (pam_error == pam_to_nt_status_map[i].pam_code)
return pam_to_nt_status_map[i].ntstatus;
@@ -107,7 +107,7 @@ int nt_status_to_pam(NTSTATUS nt_status)
{
int i;
if NT_STATUS_IS_OK(nt_status) return PAM_SUCCESS;
-
+
for (i=0; NT_STATUS_V(nt_status_to_pam_map[i].ntstatus); i++) {
if (NT_STATUS_EQUAL(nt_status,nt_status_to_pam_map[i].ntstatus))
return nt_status_to_pam_map[i].pam_code;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a476ed4..9ff5d55 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -427,7 +427,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mapping to guest occurs */
- ret = smb_pam_accountcheck(pw->pw_name);
+ ret = smb_pam_accountcheck(pw->pw_name, sconn->client_id.name);
if ( !NT_STATUS_IS_OK(ret)) {
DEBUG(1,("PAM account restriction "
"prevents user login\n"));
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index df00b4f..4a91e84 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -294,7 +294,8 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct
smbd_smb2_session *session,
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mapping to guest occurs */
- status = smb_pam_accountcheck(pw->pw_name);
+ status = smb_pam_accountcheck(
+ pw->pw_name, smb2req->sconn->client_id.name);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("smb2: PAM account restriction "
"prevents user login\n"));
--
Samba Shared Repository
