Author: gd
Date: 2006-09-06 10:59:39 +0000 (Wed, 06 Sep 2006)
New Revision: 18158

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=18158

Log:
Stop winbindd from accumulating memory creds infinitely when doing
pam offline logons.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c    2006-09-06 10:50:52 UTC 
(rev 18157)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c    2006-09-06 10:59:39 UTC 
(rev 18158)
@@ -1152,15 +1152,15 @@
                ccname = pam_getenv(pamh, "KRB5CCNAME");
                if (ccname == NULL) {
                        _pam_log_debug(ctrl, LOG_DEBUG, "user has no KRB5CCNAME 
environment");
-                       retval = PAM_SUCCESS;
-                       goto out;
                }
 
                strncpy(request.data.logoff.user, user,
                        sizeof(request.data.logoff.user) - 1);
 
-               strncpy(request.data.logoff.krb5ccname, ccname,
-                       sizeof(request.data.logoff.krb5ccname) - 1);
+               if (ccname) {
+                       strncpy(request.data.logoff.krb5ccname, ccname,
+                               sizeof(request.data.logoff.krb5ccname) - 1);
+               }
 
                pwd = getpwnam(user);
                if (pwd == NULL) {
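Review bot: With the copy now guarded by `if (ccname)`, an unset KRB5CCNAME leaves `request.data.logoff.krb5ccname` holding whatever `request` contained before, and the `sizeof(...) - 1` bound on both strncpy calls likewise yields a terminated string only if the struct was zeroed first. That initialisation is outside the hunk, so it is worth confirming, or the empty case can be made explicit with `else { request.data.logoff.krb5ccname[0] = '\0'; }`, since the daemon side of this commit keys on an empty first byte. The debug branch no longer returns, so a comment such as `/* no ccache to remove; still send the logoff so winbindd can release its cached credentials */` would explain why the request is sent anyway (wording inferred from the commit log).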

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c   2006-09-06 10:50:52 UTC 
(rev 18157)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c   2006-09-06 10:59:39 UTC 
(rev 18158)
@@ -1865,22 +1865,26 @@
        state->request.data.logoff.krb5ccname
                [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
 
-       parse_domain_user(state->request.data.logoff.user, name_domain, user);
+       if (!parse_domain_user(state->request.data.logoff.user, name_domain, 
user)) {
+               goto failed;
+       }
 
-       domain = find_auth_domain(state, name_domain);
-
-       if (domain == NULL) {
-               set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
-               DEBUG(5, ("Pam Logoff for %s returned %s "
-                         "(PAM: %d)\n",
-                         state->request.data.auth.user, 
-                         state->response.data.auth.nt_status_string,
-                         state->response.data.auth.pam_error));
-               request_error(state);
-               return;
+       if ((domain = find_auth_domain(state, name_domain)) == NULL) {
+               goto failed;
        }
 
        sendto_domain(state, domain);
+       return;
+
+ failed:
+       set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
+       DEBUG(5, ("Pam Logoff for %s returned %s "
+                 "(PAM: %d)\n",
+                 state->request.data.auth.user, 
+                 state->response.data.auth.nt_status_string,
+                 state->response.data.auth.pam_error));
+       request_error(state);
+       return;
 }
 
 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
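Review bot: The DEBUG call under the new `failed:` label prints `state->request.data.auth.user`, while this logoff handler fills and parses `state->request.data.logoff.user`. Reading the other member is presumably harmless only if `data` is a union whose members both begin with the user field, which is not visible here. Since the block was moved anyway, the argument should read `state->request.data.logoff.user,` so the logged name cannot silently diverge if either layout changes. The label also maps a malformed name from `parse_domain_user` and an unknown domain to the same NT_STATUS_NO_SUCH_USER, which a one-line comment above `failed:` could state. The function starts above the hunk.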
@@ -1899,6 +1903,11 @@
                goto process_result;
        }
 
+       if (state->request.data.logoff.krb5ccname[0] == '\0') {
+               result = NT_STATUS_OK;
+               goto process_result;
+       }
+
 #ifdef HAVE_KRB5
        
        if (state->request.data.logoff.uid < 0) {
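Review bot: The new empty-`krb5ccname` branch jumps to `process_result` before the `uid < 0` check under HAVE_KRB5, so whatever cleanup sits behind that label now runs for a request validated by user name only. `process_result` is outside the hunk; if it releases the named user's cached memory credentials, as the commit log suggests, it is worth confirming that the caller's privilege or identity is checked somewhere on this path before that happens. A comment on the branch, for example `/* no ccache to destroy; go straight to the cleanup in process_result */`, would record the intent. The function body begins and ends outside the hunk.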
