The branch, master has been updated via 8531921... s3: Turn two macros into functions via 177e394... s3: Pass the rhost through smb_pam_accountcheck via 265f0b7... s3: Rename auth.c:backends to auth_backends via 6ff012a... s3: Fix some nonemtpy blank lines from 8bc5899... s4: Only install testparm to /usr/bin/, no longer to /usr/sbin.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8531921e3d4bba30ed6d10bf671b0b70d2f4f3f7 Author: Volker Lendecke <v...@samba.org> Date: Sun Aug 22 20:00:46 2010 +0200 s3: Turn two macros into functions commit 177e394f93278407557702d9f53bae65fd5fc434 Author: Volker Lendecke <v...@samba.org> Date: Wed Aug 18 18:23:49 2010 +0200 s3: Pass the rhost through smb_pam_accountcheck commit 265f0b7745b811d6ba1575eb277213f707215a3b Author: Volker Lendecke <v...@samba.org> Date: Wed Aug 18 17:31:39 2010 +0200 s3: Rename auth.c:backends to auth_backends commit 6ff012a777889de5066fa77de9ed766f8421b1d5 Author: Volker Lendecke <v...@samba.org> Date: Sun Aug 22 18:41:39 2010 +0200 s3: Fix some nonemtpy blank lines ----------------------------------------------------------------------- Summary of changes: source3/auth/auth.c | 13 ++++++--- source3/auth/pampass.c | 55 ++++++++++++++++++++++++++-------------- source3/include/proto.h | 3 +- source3/lib/pam_errors.c | 4 +- source3/smbd/sesssetup.c | 2 +- source3/smbd/smb2_sesssetup.c | 3 +- 6 files changed, 50 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth.c b/source3/auth/auth.c index ed8888f..cabff53 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -18,19 +18,20 @@ */ #include "includes.h" +#include "smbd/globals.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH static_decl_auth; -static struct auth_init_function_entry *backends = NULL; +static struct auth_init_function_entry *auth_backends = NULL; static struct auth_init_function_entry *auth_find_backend_entry(const char *name); NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init) { - struct auth_init_function_entry *entry = backends; + struct auth_init_function_entry *entry = auth_backends; if (version != AUTH_INTERFACE_VERSION) { DEBUG(0,("Can't register auth_method!\n" 
@@ -54,14 +55,14 @@ NTSTATUS smb_register_auth(int version, const char *name, auth_init_function ini entry->name = smb_xstrdup(name); entry->init = init; - DLIST_ADD(backends, entry); + DLIST_ADD(auth_backends, entry); DEBUG(5,("Successfully added auth method '%s'\n", name)); return NT_STATUS_OK; } static struct auth_init_function_entry *auth_find_backend_entry(const char *name) { - struct auth_init_function_entry *entry = backends; + struct auth_init_function_entry *entry = auth_backends; while(entry) { if (strcmp(entry->name, name)==0) return entry; @@ -284,7 +285,9 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (!(*server_info)->guest) { /* We might not be root if we are an RPC call */ become_root(); - nt_status = smb_pam_accountcheck(unix_username); + nt_status = smb_pam_accountcheck( + unix_username, + smbd_server_conn->client_id.name); unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6c7294d..f2e30b2 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -5,17 +5,17 @@ Copyright (C) John H Terpsta 1999-2001 Copyright (C) Andrew Bartlett 2001 Copyright (C) Jeremy Allison 2001 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ 
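Review bot: In the `@@ -284,7 +285,9 @@` hunk, check_ntlm_password reads the new rhost argument from the process-global `smbd_server_conn`, whereas the sesssetup.c and smb2_sesssetup.c call sites in this same change take it from the connection attached to the request (`sconn->client_id.name`, `smb2req->sconn->client_id.name`). The context comment notes this path may be reached from an RPC call, so it is worth confirming that `smbd_server_conn` is always non-NULL here and is the connection actually being authenticated; the dereference is unguarded. If the client name cannot be passed in through the auth context, a comment on the call such as `/* rhost comes from the global smbd_server_conn, not from auth_context */` would make the new `smbd/globals.h` dependency in auth.c explicit. The function body starts and ends outside the hunk.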
@@ -62,8 +62,22 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp /* * Macros to help make life easy */ -#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL -#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL + +static char *smb_pam_copy_string(const char *s) +{ + if (s == NULL) { + return NULL; + } + return SMB_STRDUP(s); +} + +static char *smb_pam_copy_fstring(const char *s) +{ + if (s[0] == '\0') { + return NULL; + } + return SMB_STRDUP(s); +} /******************************************************************* PAM error handler. @@ -75,7 +89,6 @@ static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); - return False; } return True; @@ -144,13 +157,15 @@ static int smb_pam_conv(int num_msg, switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(udp->PAM_username); + reply[replies].resp = smb_pam_copy_string( + udp->PAM_username); /* PAM frees resp */ break; case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(udp->PAM_password); + reply[replies].resp = smb_pam_copy_string( + udp->PAM_password); /* PAM frees resp */ break; @@ -280,7 +295,7 @@ static int smb_pam_passchange_conv(int num_msg, struct chat_struct *t; bool found; *resp = NULL; - + DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg)); if (num_msg <= 0) @@ -328,7 +343,8 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply)); #endif reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_FSTRING(current_reply); + reply[replies].resp = smb_pam_copy_fstring( + current_reply); found = True; break; } 
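Review bot: The block comment kept above the two new helpers in the `@@ -62,8 +62,22 @@` hunk still reads "Macros to help make life easy", and neither helper documents its contract. `smb_pam_copy_fstring` reads `s[0]` with no NULL check, exactly as the old `COPY_FSTRING` macro did, so the requirement that `s` be non-NULL should be written down now that it is a function with a pointer parameter. Suggested wording for the block comment: `/* Helpers that duplicate a string for a PAM reply; PAM frees the copy. */`, and on the second helper `/* s must not be NULL; an empty string yields NULL. */`.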
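Review bot: In the `@@ -144,13 +157,15 @@` hunk, smb_pam_conv stores the result of `smb_pam_copy_string()` in `reply[replies].resp` and reports `PAM_SUCCESS` without looking at it, so "no credential was supplied" and "the copy could not be allocated" both reach PAM as a successful reply with a NULL response. Whether `SMB_STRDUP` can return NULL on allocation failure is not visible here, so this is hedged, but if it can, the ECHO_OFF case should fail the conversation (for example with `PAM_BUF_ERR`) when `udp->PAM_password` is non-NULL and the copy is NULL, after releasing the replies built so far. The same applies to the `smb_pam_copy_fstring(current_reply)` calls in the `@@ -328,7 +343,8 @@` and `@@ -356,7 +372,8 @@` hunks of smb_pam_passchange_conv. Both functions begin and end outside these hunks, so the cleanup path has to be checked against the full source.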
@@ -356,7 +372,8 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_FSTRING(current_reply); + reply[replies].resp = smb_pam_copy_fstring( + current_reply); #ifdef DEBUG_PASSWORD DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply)); #endif @@ -365,7 +382,7 @@ static int smb_pam_passchange_conv(int num_msg, } } /* PAM frees resp */ - + if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); free_pw_chat(pw_chat); @@ -382,7 +399,7 @@ static int smb_pam_passchange_conv(int num_msg, reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = NULL; break; - + default: /* Must be an error of some sort... */ free_pw_chat(pw_chat); @@ -390,7 +407,7 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } } - + free_pw_chat(pw_chat); if (reply) *resp = reply; @@ -443,7 +460,7 @@ static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) int pam_error; smb_free_pam_conv(smb_pam_conv_ptr); - + if( pamh != NULL ) { pam_error = pam_end(pamh, 0); if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { @@ -520,7 +537,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user) * To enable debugging set in /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit */ - + DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user)); pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK); switch( pam_error ){ 
@@ -774,7 +791,7 @@ bool smb_pam_close_session(char *user, char *tty, char *rhost) * PAM Externally accessible Account handler */ -NTSTATUS smb_pam_accountcheck(const char * user) +NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost) { NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; @@ -788,7 +805,7 @@ NTSTATUS smb_pam_accountcheck(const char * user) if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) return NT_STATUS_NO_MEMORY; - if (!smb_pam_start(&pamh, user, NULL, pconv)) + if (!smb_pam_start(&pamh, user, rhost, pconv)) return NT_STATUS_ACCOUNT_DISABLED; if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) @@ -870,7 +887,7 @@ bool smb_pam_passchange(const char * user, const char * oldpassword, const char #else /* If PAM not used, no PAM restrictions on accounts. */ -NTSTATUS smb_pam_accountcheck(const char * user) +NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost) { return NT_STATUS_OK; } diff --git a/source3/include/proto.h b/source3/include/proto.h index 50309a9..43a510b 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -221,10 +221,9 @@ NTSTATUS auth_wbc_init(void); bool smb_pam_claim_session(char *user, char *tty, char *rhost); bool smb_pam_close_session(char *user, char *tty, char *rhost); -NTSTATUS smb_pam_accountcheck(const char * user); +NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost); NTSTATUS smb_pam_passcheck(const char * user, const char * password); bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword); -NTSTATUS smb_pam_accountcheck(const char * user); bool smb_pam_claim_session(char *user, char *tty, char *rhost); bool smb_pam_close_session(char *in_user, char *tty, char *rhost); diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c index 1073f26..e55d7a0 100644 --- a/source3/lib/pam_errors.c +++ b/source3/lib/pam_errors.c 
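Review bot: The new `rhost` parameter of smb_pam_accountcheck (`@@ -774,7 +791,7 @@`) is forwarded unchanged to `smb_pam_start` in the `@@ -788,7 +805,7 @@` hunk, and nothing at the definition or in proto.h says what form it is expected to have. The callers added in this change pass `client_id.name`; if that field can hold a name obtained by reverse lookup rather than an address, host-based PAM account rules would be evaluated against a value the remote side's DNS controls, so the expected form deserves a comment. The previous code passed NULL in this position, so NULL is evidently accepted by smb_pam_start and that should be stated too. Suggested comment above the definition: `/* rhost: client name or address handed to PAM as the remote host; may be NULL */`, with the same line on the `#else` stub at `@@ -870,7 +887,7 @@`, which ignores the argument.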
@@ -92,7 +92,7 @@ NTSTATUS pam_to_nt_status(int pam_error) { int i; if (pam_error == 0) return NT_STATUS_OK; - + for (i=0; NT_STATUS_V(pam_to_nt_status_map[i].ntstatus); i++) { if (pam_error == pam_to_nt_status_map[i].pam_code) return pam_to_nt_status_map[i].ntstatus; @@ -107,7 +107,7 @@ int nt_status_to_pam(NTSTATUS nt_status) { int i; if NT_STATUS_IS_OK(nt_status) return PAM_SUCCESS; - + for (i=0; NT_STATUS_V(nt_status_to_pam_map[i].ntstatus); i++) { if (NT_STATUS_EQUAL(nt_status,nt_status_to_pam_map[i].ntstatus)) return nt_status_to_pam_map[i].pam_code; diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index a476ed4..9ff5d55 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -427,7 +427,7 @@ static void reply_spnego_kerberos(struct smb_request *req, /* if a real user check pam account restrictions */ /* only really perfomed if "obey pam restriction" is true */ /* do this before an eventual mapping to guest occurs */ - ret = smb_pam_accountcheck(pw->pw_name); + ret = smb_pam_accountcheck(pw->pw_name, sconn->client_id.name); if ( !NT_STATUS_IS_OK(ret)) { DEBUG(1,("PAM account restriction " "prevents user login\n")); diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index df00b4f..4a91e84 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -294,7 +294,8 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, /* if a real user check pam account restrictions */ /* only really perfomed if "obey pam restriction" is true */ /* do this before an eventual mapping to guest occurs */ - status = smb_pam_accountcheck(pw->pw_name); + status = smb_pam_accountcheck( + pw->pw_name, smb2req->sconn->client_id.name); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("smb2: PAM account restriction " "prevents user login\n")); -- Samba Shared Repository