Diffstat (limited to 'source/nsswitch')
-rw-r--r-- | source/nsswitch/libwbclient/wbc_idmap.c | 2 | ||||
-rw-r--r-- | source/nsswitch/libwbclient/wbc_pam.c | 324 | ||||
-rw-r--r-- | source/nsswitch/libwbclient/wbc_pwd.c | 2 | ||||
-rw-r--r-- | source/nsswitch/libwbclient/wbc_sid.c | 26 | ||||
-rw-r--r-- | source/nsswitch/libwbclient/wbc_util.c | 62 | ||||
-rw-r--r-- | source/nsswitch/libwbclient/wbclient.c | 6 | ||||
-rw-r--r-- | source/nsswitch/libwbclient/wbclient.h | 120 | ||||
-rw-r--r-- | source/nsswitch/pam_winbind.c | 119 | ||||
-rw-r--r-- | source/nsswitch/pam_winbind.h | 28 | ||||
-rw-r--r-- | source/nsswitch/wbinfo.c | 142 | ||||
-rw-r--r-- | source/nsswitch/winbind_krb5_locator.c | 20 |
11 files changed, 88 insertions, 763 deletions
diff --git a/source/nsswitch/libwbclient/wbc_idmap.c b/source/nsswitch/libwbclient/wbc_idmap.c index 1615fd33ee..e32d66cd71 100644 --- a/source/nsswitch/libwbclient/wbc_idmap.c +++ b/source/nsswitch/libwbclient/wbc_idmap.c @@ -394,7 +394,7 @@ wbcErr wbcSetUidHwm(uid_t uid_hwm) /** @brief Set the highwater mark for allocated gids. * - * @param gid_hwm The new gid highwater mark value + * @param uid_hwm The new gid highwater mark value * * @return #wbcErr **/ diff --git a/source/nsswitch/libwbclient/wbc_pam.c b/source/nsswitch/libwbclient/wbc_pam.c index 20b42b6efb..5427ddb46a 100644 --- a/source/nsswitch/libwbclient/wbc_pam.c +++ b/source/nsswitch/libwbclient/wbc_pam.c @@ -236,30 +236,6 @@ done: return wbc_status; } -static wbcErr wbc_create_password_policy_info(TALLOC_CTX *mem_ctx, - const struct winbindd_response *resp, - struct wbcUserPasswordPolicyInfo **_i) -{ - wbcErr wbc_status = WBC_ERR_SUCCESS; - struct wbcUserPasswordPolicyInfo *i; - - i = talloc(mem_ctx, struct wbcUserPasswordPolicyInfo); - BAIL_ON_PTR_ERROR(i, wbc_status); - - i->min_passwordage = resp->data.auth.policy.min_passwordage; - i->min_length_password = resp->data.auth.policy.min_length_password; - i->password_history = resp->data.auth.policy.password_history; - i->password_properties = resp->data.auth.policy.password_properties; - i->expire = resp->data.auth.policy.expire; - - *_i = i; - i = NULL; - -done: - talloc_free(i); - return wbc_status; -} - /** @brief Authenticate with more detailed information * * @param params Input parameters, WBC_AUTH_USER_LEVEL_HASH @@ -333,7 +309,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params, } strncpy(request.data.auth.pass, params->password.plaintext, - sizeof(request.data.auth.pass)-1); + sizeof(request.data.auth.user)-1); break; case WBC_AUTH_USER_LEVEL_HASH: 
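Review bot: The renamed tag `@param uid_hwm` sits under the `@brief Set the highwater mark for allocated gids` comment, so it now names a uid parameter for what reads as the gid setter. The documented function's signature is outside the hunk (the hunk header only shows the preceding `wbcSetUidHwm(uid_t uid_hwm)`), so this is a hedged observation. Unless that function's parameter really is called `uid_hwm`, `@param gid_hwm The new gid highwater mark value` is the tag that matches it.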
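Review bot: In the second wbc_pam.c hunk the copy into `request.data.auth.pass` is now bounded by `sizeof(request.data.auth.user)-1`, the size of a different field, rather than by the destination's own size; unless the two members are guaranteed to have the same size this can overrun `pass` (or needlessly truncate the password). The bound should name the destination: `sizeof(request.data.auth.pass)-1`. wbcAuthenticateUserEx begins and ends outside the hunk.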
@@ -496,301 +472,3 @@ wbcErr wbcCheckTrustCredentials(const char *domain, done: return wbc_status; } - -/** @brief Trigger a logoff notification to Winbind for a specific user - * - * @param username Name of user to remove from Winbind's list of - * logged on users. - * @param uid Uid assigned to the username - * @param ccfilename Absolute path to the Krb5 credentials cache to - * be removed - * - * @return #wbcErr - * - **/ - -wbcErr wbcLogoffUser(const char *username, - uid_t uid, - const char *ccfilename) -{ - struct winbindd_request request; - struct winbindd_response response; - wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; - - /* validate input */ - - if (!username) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - ZERO_STRUCT(request); - ZERO_STRUCT(response); - - strncpy(request.data.logoff.user, username, - sizeof(request.data.logoff.user)-1); - request.data.logoff.uid = uid; - - if (ccfilename) { - strncpy(request.data.logoff.krb5ccname, ccfilename, - sizeof(request.data.logoff.krb5ccname)-1); - } - - /* Send request */ - - wbc_status = wbcRequestResponse(WINBINDD_PAM_LOGOFF, - &request, - &response); - - /* Take the response above and return it to the caller */ - - done: - return wbc_status; -} - -/** @brief Change a password for a user with more detailed information upon - * failure - * @param params Input parameters - * @param error User output details on WBC_ERR_PWD_CHANGE_FAILED - * @param reject_reason New password reject reason on WBC_ERR_PWD_CHANGE_FAILED - * @param policy Password policy output details on WBC_ERR_PWD_CHANGE_FAILED - * - * @return #wbcErr - **/ - -wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params, - struct wbcAuthErrorInfo **error, - enum wbcPasswordChangeRejectReason *reject_reason, - struct wbcUserPasswordPolicyInfo **policy) -{ - struct winbindd_request request; - struct winbindd_response response; - wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; - int cmd = 0; - - /* 
validate input */ - - if (!params->account_name) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (error) { - *error = NULL; - } - - if (policy) { - *policy = NULL; - } - - if (reject_reason) { - *reject_reason = -1; - } - - ZERO_STRUCT(request); - ZERO_STRUCT(response); - - switch (params->level) { - case WBC_CHANGE_PASSWORD_LEVEL_PLAIN: - cmd = WINBINDD_PAM_CHAUTHTOK; - - if (!params->account_name) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - strncpy(request.data.chauthtok.user, params->account_name, - sizeof(request.data.chauthtok.user) - 1); - - if (params->old_password.plaintext) { - strncpy(request.data.chauthtok.oldpass, - params->old_password.plaintext, - sizeof(request.data.chauthtok.oldpass) - 1); - } - - if (params->new_password.plaintext) { - strncpy(request.data.chauthtok.newpass, - params->new_password.plaintext, - sizeof(request.data.chauthtok.newpass) - 1); - } - break; - - case WBC_CHANGE_PASSWORD_LEVEL_RESPONSE: - cmd = WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP; - - if (!params->account_name || !params->domain_name) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->old_password.response.old_lm_hash_enc_length && - !params->old_password.response.old_lm_hash_enc_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->old_password.response.old_lm_hash_enc_length == 0 && - params->old_password.response.old_lm_hash_enc_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->old_password.response.old_nt_hash_enc_length && - !params->old_password.response.old_nt_hash_enc_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->old_password.response.old_nt_hash_enc_length == 0 && - params->old_password.response.old_nt_hash_enc_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if 
(params->new_password.response.lm_length && - !params->new_password.response.lm_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->new_password.response.lm_length == 0 && - params->new_password.response.lm_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->new_password.response.nt_length && - !params->new_password.response.nt_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (params->new_password.response.nt_length == 0 && - params->new_password.response.nt_data) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - strncpy(request.data.chng_pswd_auth_crap.user, - params->account_name, - sizeof(request.data.chng_pswd_auth_crap.user) - 1); - - strncpy(request.data.chng_pswd_auth_crap.domain, - params->domain_name, - sizeof(request.data.chng_pswd_auth_crap.domain) - 1); - - if (params->new_password.response.nt_data) { - memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd, - params->new_password.response.nt_data, - request.data.chng_pswd_auth_crap.new_nt_pswd_len); - request.data.chng_pswd_auth_crap.new_nt_pswd_len = - params->new_password.response.nt_length; - } - - if (params->new_password.response.lm_data) { - memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd, - params->new_password.response.lm_data, - request.data.chng_pswd_auth_crap.new_lm_pswd_len); - request.data.chng_pswd_auth_crap.new_lm_pswd_len = - params->new_password.response.lm_length; - } - - if (params->old_password.response.old_nt_hash_enc_data) { - memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc, - params->old_password.response.old_nt_hash_enc_data, - request.data.chng_pswd_auth_crap.old_nt_hash_enc_len); - request.data.chng_pswd_auth_crap.old_nt_hash_enc_len = - params->old_password.response.old_nt_hash_enc_length; - } - - if (params->old_password.response.old_lm_hash_enc_data) { - 
memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc, - params->old_password.response.old_lm_hash_enc_data, - request.data.chng_pswd_auth_crap.old_lm_hash_enc_len); - request.data.chng_pswd_auth_crap.old_lm_hash_enc_len = - params->old_password.response.old_lm_hash_enc_length; - } - - break; - default: - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - break; - } - - if (cmd == 0) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - /* Send request */ - - wbc_status = wbcRequestResponse(cmd, - &request, - &response); - if (WBC_ERROR_IS_OK(wbc_status)) { - goto done; - } - - /* Take the response above and return it to the caller */ - - if (response.data.auth.nt_status != 0) { - if (error) { - wbc_status = wbc_create_error_info(NULL, - &response, - error); - BAIL_ON_WBC_ERROR(wbc_status); - } - - } - - if (policy) { - wbc_status = wbc_create_password_policy_info(NULL, - &response, - policy); - BAIL_ON_WBC_ERROR(wbc_status); - } - - if (reject_reason) { - *reject_reason = response.data.auth.reject_reason; - } - - wbc_status = WBC_ERR_PWD_CHANGE_FAILED; - BAIL_ON_WBC_ERROR(wbc_status); - - done: - return wbc_status; -} - -/** @brief Change a password for a user - * - * @param username Name of user to authenticate - * @param old_password Old clear text password of user - * @param new_password New clear text password of user - * - * @return #wbcErr - **/ - -wbcErr wbcChangeUserPassword(const char *username, - const char *old_password, - const char *new_password) -{ - wbcErr wbc_status = WBC_ERR_SUCCESS; - struct wbcChangePasswordParams params; - - ZERO_STRUCT(params); - - params.account_name = username; - params.level = WBC_CHANGE_PASSWORD_LEVEL_PLAIN; - params.old_password.plaintext = old_password; - params.new_password.plaintext = new_password; - - wbc_status = wbcChangeUserPasswordEx(¶ms, - NULL, - NULL, - NULL); - BAIL_ON_WBC_ERROR(wbc_status); - -done: - return wbc_status; -} 
diff --git a/source/nsswitch/libwbclient/wbc_pwd.c b/source/nsswitch/libwbclient/wbc_pwd.c index 0d17b312ef..b5f167369c 100644 --- a/source/nsswitch/libwbclient/wbc_pwd.c +++ b/source/nsswitch/libwbclient/wbc_pwd.c @@ -380,7 +380,7 @@ wbcErr wbcGetgrent(struct group **grp) * * @param *account The given user name * @param *num_groups Number of elements returned in the groups array - * @param **_groups Pointer to resulting gid_t array. + * @param **groups Pointer to resulting gid_t array. * * @return #wbcErr **/ diff --git a/source/nsswitch/libwbclient/wbc_sid.c b/source/nsswitch/libwbclient/wbc_sid.c index 4cfdd792b5..ca5eab4ea3 100644 --- a/source/nsswitch/libwbclient/wbc_sid.c +++ b/source/nsswitch/libwbclient/wbc_sid.c @@ -102,7 +102,8 @@ wbcErr wbcStringToSid(const char *str, if (!str || (str[0]!='S' && str[0]!='s') - || (str[1]!='-')) + || (str[1]!='-') + || (strlen(str)<2)) { wbc_status = WBC_ERR_INVALID_PARAM; BAIL_ON_WBC_ERROR(wbc_status); @@ -142,13 +143,9 @@ wbcErr wbcStringToSid(const char *str, x=(uint32_t)strtoul(p, &q, 10); if (p == q) break; - if (q == NULL) { - wbc_status = WBC_ERR_INVALID_SID; - BAIL_ON_WBC_ERROR(wbc_status); - } sid->sub_auths[sid->num_auths++] = x; - if ((*q!='-') || (*q=='\0')) + if (q && ((*q!='-') || (*q=='\0'))) break; p = q + 1; } @@ -223,9 +220,9 @@ wbcErr wbcLookupName(const char *domain, /** @brief Convert a SID to a domain and name * * @param *sid Pointer to the domain SID to be resolved - * @param pdomain Resolved Domain name (possibly "") - * @param pname Resolved User or group name - * @param *pname_type Pointet to the resolved SID type + * @param domain Resolved Domain name (possibly "") + * @param name Resolved User or group name + * @param *name_type Pointet to the resolved SID type * * @return #wbcErr * 
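Review bot: The `(strlen(str)<2)` clause added to wbcStringToSid's guard is unreachable: as the last operand of the `||` chain it is only evaluated when `str[1]=='-'` holds, which already implies at least two characters, and it runs after `str[1]` has been read. Reading `str[1]` stays in bounds for a one-character string (it is the terminator), so this is redundancy rather than a fault; either drop the clause or, if a length precondition is intended, put it before the `str[1]` access: `if (!str || strlen(str) < 2 || (str[0]!='S' && str[0]!='s') || str[1]!='-')`. The rest of wbcStringToSid is outside the hunk.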
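Review bot: In the second wbc_sid.c hunk the new `if (q && ((*q!='-') || (*q=='\0'))) break;` guards against a NULL `q` that strtoul never produces when given a non-NULL endptr, and if `q` ever were NULL the guard would skip the break and the following `p = q + 1;` would advance a null pointer. The `(*q=='\0')` disjunct is also subsumed by `(*q!='-')`, so `if (*q != '-') break;` expresses the intent. Separately, the context line `sid->sub_auths[sid->num_auths++] = x;` shows no bound on `num_auths` within the hunk; if the loop head above does not cap it at the size of `sub_auths`, a SID string with many components would write past the array, which is worth confirming.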
@@ -242,7 +239,7 @@ wbcErr wbcLookupSid(const struct wbcDomainSid *sid, char *sid_string = NULL; char *domain = NULL; char *name = NULL; - enum wbcSidType name_type = WBC_SID_NAME_USE_NONE; + enum wbcSidType name_type; if (!sid) { wbc_status = WBC_ERR_INVALID_PARAM; @@ -294,18 +291,9 @@ wbcErr wbcLookupSid(const struct wbcDomainSid *sid, } } else { -#if 0 - /* - * Found by Coverity: In this particular routine we can't end - * up here with a non-NULL name. Further up there are just two - * exit paths that lead here, neither of which leave an - * allocated name. If you add more paths up there, re-activate - * this. - */ if (name != NULL) { talloc_free(name); } -#endif if (domain != NULL) { talloc_free(domain); } diff --git a/source/nsswitch/libwbclient/wbc_util.c b/source/nsswitch/libwbclient/wbc_util.c index 8e01e6e719..3afd8a29d3 100644 --- a/source/nsswitch/libwbclient/wbc_util.c +++ b/source/nsswitch/libwbclient/wbc_util.c @@ -272,7 +272,7 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name) /** */ -static wbcErr process_domain_info_string(TALLOC_CTX *ctx, +static wbcErr process_domain_info_string(TALLOC_CTX *ctx, struct wbcDomainInfo *info, char *info_string) { @@ -437,7 +437,7 @@ wbcErr wbcListTrusts(struct wbcDomainInfo **domains, size_t *num_domains) p = (char *)response.extra_data.data; if (strlen(p) == 0) { - /* We should always at least get back our + /* We should always at least get back our own SAM domain */ wbc_status = WBC_ERR_DOMAIN_NOT_FOUND; 
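Review bot: `enum wbcSidType name_type;` in wbcLookupSid is now declared without an initializer; if any path reaches the code that hands `name_type` back to the caller before winbindd's response has assigned it, the caller receives an indeterminate value. Unless every such path is visibly excluded, keep the initializer: `enum wbcSidType name_type = WBC_SID_NAME_USE_NONE;`. wbcLookupSid's body begins and ends outside the hunk, so this is a hedged observation.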
@@ -492,61 +492,3 @@ wbcErr wbcListTrusts(struct wbcDomainInfo **domains, size_t *num_domains) return wbc_status; } - -/** @brief Enumerate the domain trusts known by Winbind - * - * @param domain Name of the domain to query for a DC - * @param flags Bit flags used to control the domain location query - * @param *dc_info Pointer to the returned domain controller information - * - * @return #wbcErr - * - **/ - - - -wbcErr wbcLookupDomainController(const char *domain, - uint32_t flags, - struct wbcDomainControllerInfo **dc_info) -{ - wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; - struct winbindd_request request; - struct winbindd_response response; - struct wbcDomainControllerInfo *dc = NULL; - - /* validate input params */ - - if (!domain || !dc_info) { - wbc_status = WBC_ERR_INVALID_PARAM; - BAIL_ON_WBC_ERROR(wbc_status); - } - - ZERO_STRUCT(request); - ZERO_STRUCT(response); - - strncpy(request.domain_name, domain, sizeof(request.domain_name)-1); - - request.flags = flags; - - dc = talloc(NULL, struct wbcDomainControllerInfo); - BAIL_ON_PTR_ERROR(dc, wbc_status); - - /* Send request */ - - wbc_status = wbcRequestResponse(WINBINDD_DSGETDCNAME, - &request, - &response); - BAIL_ON_WBC_ERROR(wbc_status); - - dc->dc_name = talloc_strdup(dc, response.data.dc_name); - BAIL_ON_PTR_ERROR(dc->dc_name, wbc_status); - - *dc_info = dc; - -done: - if (!WBC_ERROR_IS_OK(wbc_status)) { - talloc_free(dc); - } - - return wbc_status; -} diff --git a/source/nsswitch/libwbclient/wbclient.c b/source/nsswitch/libwbclient/wbclient.c index bdde562a93..215b61e960 100644 --- a/source/nsswitch/libwbclient/wbclient.c +++ b/source/nsswitch/libwbclient/wbclient.c 
@@ -110,14 +110,8 @@ const char *wbcErrorString(wbcErr error)
 return "WBC_ERR_INVALID_RESPONSE";
 case WBC_ERR_NSS_ERROR:
 return "WBC_ERR_NSS_ERROR";
- case WBC_ERR_UNKNOWN_USER:
- return "WBC_ERR_UNKNOWN_USER";
- case WBC_ERR_UNKNOWN_GROUP:
- return "WBC_ERR_UNKNOWN_GROUP";
 case WBC_ERR_AUTH_ERROR:
 return "WBC_ERR_AUTH_ERROR";
- case WBC_ERR_PWD_CHANGE_FAILED:
- return "WBC_ERR_PWD_CHANGE_FAILED";
 }
 
 return "unknown wbcErr value";
diff --git a/source/nsswitch/libwbclient/wbclient.h b/source/nsswitch/libwbclient/wbclient.h
index cae3feec5b..e594f3c01c 100644
--- a/source/nsswitch/libwbclient/wbclient.h
+++ b/source/nsswitch/libwbclient/wbclient.h
@@ -42,10 +42,7 @@ enum _wbcErrType {
 WBC_ERR_DOMAIN_NOT_FOUND, /**< Domain is not trusted or cannot be found **/
 WBC_ERR_INVALID_RESPONSE, /**< Winbind returned an invalid response **/
 WBC_ERR_NSS_ERROR, /**< NSS_STATUS error **/
- WBC_ERR_AUTH_ERROR, /**< Authentication failed **/
- WBC_ERR_UNKNOWN_USER, /**< User account cannot be found */
- WBC_ERR_UNKNOWN_GROUP, /**< Group account cannot be found */
- WBC_ERR_PWD_CHANGE_FAILED /**< Password Change has failed */
+ WBC_ERR_AUTH_ERROR /**< Authentication failed **/
 };
 
 typedef enum _wbcErrType wbcErr;
@@ -205,41 +202,6 @@ struct wbcAuthUserParams { } password; }; -/** - * @brief ChangePassword Parameters - **/ - -struct wbcChangePasswordParams { - const char *account_name; - const char *domain_name; - - uint32_t flags; - - enum wbcChangePasswordLevel { - WBC_CHANGE_PASSWORD_LEVEL_PLAIN = 1, - WBC_CHANGE_PASSWORD_LEVEL_RESPONSE = 2 - } level; - - union { - const char *plaintext; - struct { - uint32_t old_nt_hash_enc_length; - uint8_t *old_nt_hash_enc_data; - uint32_t old_lm_hash_enc_length; - uint8_t *old_lm_hash_enc_data; - } response; - } old_password; - union { - const char *plaintext; - struct { - uint32_t nt_length; - uint8_t *nt_data; - uint32_t lm_length; - uint8_t *lm_data; - } response; - } new_password; -}; - /* wbcAuthUserParams->parameter_control */ #define WBC_MSV1_0_CLEARTEXT_PASSWORD_ALLOWED 0x00000002 @@ -340,47 +302,6 @@ struct wbcAuthErrorInfo { char *display_string; }; -/** - * @brief User Password Policy Information - **/ - -/* wbcUserPasswordPolicyInfo->password_properties */ - -#define WBC_DOMAIN_PASSWORD_COMPLEX 0x00000001 -#define WBC_DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002 -#define WBC_DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004 -#define WBC_DOMAIN_PASSWORD_LOCKOUT_ADMINS 0x00000008 -#define WBC_DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010 -#define WBC_DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020 - -struct wbcUserPasswordPolicyInfo { - uint32_t min_length_password; - uint32_t password_history; - uint32_t password_properties; - uint64_t expire; - uint64_t min_passwordage; -}; - -/** - * @brief Change Password Reject Reason - **/ - -enum wbcPasswordChangeRejectReason { - WBC_PWD_CHANGE_REJECT_OTHER=0, - WBC_PWD_CHANGE_REJECT_TOO_SHORT=1, - WBC_PWD_CHANGE_REJECT_IN_HISTORY=2, - WBC_PWD_CHANGE_REJECT_COMPLEXITY=5 -}; - -/* - * DomainControllerInfo struct - */ -struct wbcDomainControllerInfo { - char *dc_name; -}; - - - /* * Memory Management */ 
@@ -505,31 +426,6 @@ wbcErr wbcDomainInfo(const char *domain, wbcErr wbcListTrusts(struct wbcDomainInfo **domains, size_t *num_domains); -/* Flags for wbcLookupDomainController */ - -#define WBC_LOOKUP_DC_FORCE_REDISCOVERY 0x00000001 -#define WBC_LOOKUP_DC_DS_REQUIRED 0x00000010 -#define WBC_LOOKUP_DC_DS_PREFERRED 0x00000020 -#define WBC_LOOKUP_DC_GC_SERVER_REQUIRED 0x00000040 -#define WBC_LOOKUP_DC_PDC_REQUIRED 0x00000080 -#define WBC_LOOKUP_DC_BACKGROUND_ONLY 0x00000100 -#define WBC_LOOKUP_DC_IP_REQUIRED 0x00000200 -#define WBC_LOOKUP_DC_KDC_REQUIRED 0x00000400 -#define WBC_LOOKUP_DC_TIMESERV_REQUIRED 0x00000800 -#define WBC_LOOKUP_DC_WRITABLE_REQUIRED 0x00001000 -#define WBC_LOOKUP_DC_GOOD_TIMESERV_PREFERRED 0x00002000 -#define WBC_LOOKUP_DC_AVOID_SELF 0x00004000 -#define WBC_LOOKUP_DC_ONLY_LDAP_NEEDED 0x00008000 -#define WBC_LOOKUP_DC_IS_FLAT_NAME 0x00010000 -#define WBC_LOOKUP_DC_IS_DNS_NAME 0x00020000 -#define WBC_LOOKUP_DC_TRY_NEXTCLOSEST_SITE 0x00040000 -#define WBC_LOOKUP_DC_DS_6_REQUIRED 0x00080000 -#define WBC_LOOKUP_DC_RETURN_DNS_NAME 0x40000000 -#define WBC_LOOKUP_DC_RETURN_FLAT_NAME 0x80000000 - -wbcErr wbcLookupDomainController(const char *domain, - uint32_t flags, - struct wbcDomainControllerInfo **dc_info); /* * Athenticate functions @@ -542,19 +438,6 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params, struct wbcAuthUserInfo **info, struct wbcAuthErrorInfo **error); -wbcErr wbcLogoffUser(const char *username, - uid_t uid, - const char *ccfilename); - -wbcErr wbcChangeUserPassword(const char *username, - const char *old_password, - const char *new_password); - -wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params, - struct wbcAuthErrorInfo **error, - enum wbcPasswordChangeRejectReason *reject_reason, - struct wbcUserPasswordPolicyInfo **policy); - /* * Resolve functions */ 
@@ -567,5 +450,4 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name);
 wbcErr wbcCheckTrustCredentials(const char *domain,
 struct wbcAuthErrorInfo **error);
 
-
 #endif /* _WBCLIENT_H */
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index beb0d47baa..95b3d23dd4 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -12,86 +12,6 @@ #include "pam_winbind.h" -static const char *_pam_error_code_str(int err) -{ - switch (err) { - case PAM_SUCCESS: - return "PAM_SUCCESS"; - case PAM_OPEN_ERR: - return "PAM_OPEN_ERR"; - case PAM_SYMBOL_ERR: - return "PAM_SYMBOL_ERR"; - case PAM_SERVICE_ERR: - return "PAM_SERVICE_ERR"; - case PAM_SYSTEM_ERR: - return "PAM_SYSTEM_ERR"; - case PAM_BUF_ERR: - return "PAM_BUF_ERR"; - case PAM_PERM_DENIED: - return "PAM_PERM_DENIED"; - case PAM_AUTH_ERR: - return "PAM_AUTH_ERR"; - case PAM_CRED_INSUFFICIENT: - return "PAM_CRED_INSUFFICIENT"; - case PAM_AUTHINFO_UNAVAIL: - return "PAM_AUTHINFO_UNAVAIL"; - case PAM_USER_UNKNOWN: - return "PAM_USER_UNKNOWN"; - case PAM_MAXTRIES: - return "PAM_MAXTRIES"; - case PAM_NEW_AUTHTOK_REQD: - return "PAM_NEW_AUTHTOK_REQD"; - case PAM_ACCT_EXPIRED: - return "PAM_ACCT_EXPIRED"; - case PAM_SESSION_ERR: - return "PAM_SESSION_ERR"; - case PAM_CRED_UNAVAIL: - return "PAM_CRED_UNAVAIL"; - case PAM_CRED_EXPIRED: - return "PAM_CRED_EXPIRED"; - case PAM_CRED_ERR: - return "PAM_CRED_ERR"; - case PAM_NO_MODULE_DATA: - return "PAM_NO_MODULE_DATA"; - case PAM_CONV_ERR: - return "PAM_CONV_ERR"; - case PAM_AUTHTOK_ERR: - return "PAM_AUTHTOK_ERR"; - case PAM_AUTHTOK_RECOVERY_ERR: - return "PAM_AUTHTOK_RECOVERY_ERR"; - case PAM_AUTHTOK_LOCK_BUSY: - return "PAM_AUTHTOK_LOCK_BUSY"; - case PAM_AUTHTOK_DISABLE_AGING: - return "PAM_AUTHTOK_DISABLE_AGING"; - case PAM_TRY_AGAIN: - return "PAM_TRY_AGAIN"; - case PAM_IGNORE: - return "PAM_IGNORE"; - case PAM_ABORT: - return "PAM_ABORT"; - case PAM_AUTHTOK_EXPIRED: - return "PAM_AUTHTOK_EXPIRED"; -#ifdef PAM_MODULE_UNKNOWN - case PAM_MODULE_UNKNOWN: - return "PAM_MODULE_UNKNOWN"; -#endif -#ifdef PAM_BAD_ITEM - case PAM_BAD_ITEM: - return "PAM_BAD_ITEM"; -#endif -#ifdef PAM_CONV_AGAIN - case PAM_CONV_AGAIN: - return "PAM_CONV_AGAIN"; -#endif -#ifdef PAM_INCOMPLETE - case PAM_INCOMPLETE: - return "PAM_INCOMPLETE"; -#endif - default: - return NULL; - } -} - #define 
_PAM_LOG_FUNCTION_ENTER(function, ctx) \ do { \ _pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] ENTER: " \ @@ -102,8 +22,7 @@ static const char *_pam_error_code_str(int err) #define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \ do { \ _pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \ - function " returning %d (%s)", ctx->pamh, retval, \ - _pam_error_code_str(retval)); \ + function " returning %d", ctx->pamh, retval); \ _pam_log_state(ctx); \ } while (0) @@ -779,7 +698,8 @@ static int pam_winbind_request_log(struct pwb_context *ctx, /** * send a password expiry message if required * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param next_change expected (calculated) next expiry date. * @param already_expired pointer to a boolean to indicate if the password is * already expired. @@ -840,7 +760,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, /** * Send a warning if the password expires in the near future * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param response The full authentication response structure. * @param already_expired boolean, is the pwd already expired? * @@ -929,7 +850,8 @@ static bool safe_append_string(char *dest, /** * Convert a names into a SID string, appending it to a buffer. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param user User in PAM request. * @param name Name to convert. * @param sid_list_buffer Where to append the string sid. @@ -984,7 +906,8 @@ static bool winbind_name_to_sid_string(struct pwb_context *ctx, /** * Convert a list of names into a list of sids. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param user User in PAM request. * @param name_list List of names or string sids, separated by commas. * @param sid_list_buffer Where to put the list of string sids. 
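Review bot: `_PAM_LOG_FUNCTION_LEAVE` now logs only the numeric PAM return code, which makes the debug trail harder to read when reviewing authentication failures. If the string form is still wanted without the removed `_pam_error_code_str`, the PAM library can supply it: `function " returning %d (%s)", ctx->pamh, retval, pam_strerror(ctx->pamh, retval));`.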
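Review bot: The Doxygen block changed in the `@@ -779,7 +698,8 @@` hunk now documents parameters `pamh` and `ctrl` that the function does not appear to take; the hunk headers for the same functions (`_pam_send_password_expiry_message(struct pwb_context *ctx,`, `winbind_name_to_sid_string(struct pwb_context *ctx,`, `_pam_setup_krb5_env(struct pwb_context *ctx,`) still show a single `struct pwb_context *ctx` parameter. The same mismatch repeats in every remaining doc hunk of the pam_winbind.c section, through the "evaluate whether we need to re-authenticate with kerberos" block. Unless the signatures are changed in a hunk not shown here, `@param ctx PAM winbind context.` is the line that matches the code.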
@@ -1048,7 +971,8 @@ out: /** * put krb5ccname variable into environment * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param krb5ccname env variable retrieved from winbindd. * * @return void. @@ -1086,7 +1010,8 @@ static void _pam_setup_krb5_env(struct pwb_context *ctx, /** * Set string into the PAM stack. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param data_name Key name for pam_set_data. * @param value String value. * @@ -1117,7 +1042,8 @@ static void _pam_set_data_string(struct pwb_context *ctx, /** * Set info3 strings into the PAM stack. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param data_name Key name for pam_set_data. * @param value String value. * @@ -1156,7 +1082,8 @@ static void _pam_free_data_info3(pam_handle_t *pamh) /** * Send PAM_ERROR_MSG for cached or grace logons. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param username User in PAM request. * @param info3_user_flgs Info3 flags containing logon type bits. * @@ -1193,7 +1120,8 @@ static void _pam_warn_logon_type(struct pwb_context *ctx, /** * Send PAM_ERROR_MSG for krb5 errors. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param username User in PAM request. * @param info3_user_flgs Info3 flags containing logon type bits. * @@ -1941,7 +1869,8 @@ static int get_warn_pwd_expire_from_config(struct pwb_context *ctx) /** * Retrieve the winbind separator. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * * @return string separator character. NULL on failure. */ 
@@ -1965,7 +1894,8 @@ static char winbind_get_separator(struct pwb_context *ctx) /** * Convert a upn to a name. * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param upn USer UPN to be trabslated. * * @return converted name. NULL pointer on failure. Caller needs to free. @@ -2440,7 +2370,8 @@ out: * evaluate whether we need to re-authenticate with kerberos after a * password change * - * @param ctx PAM winbind context. + * @param pamh PAM handle + * @param ctrl PAM winbind options. * @param user The username * * @return boolean Returns true if required, false if not. diff --git a/source/nsswitch/pam_winbind.h b/source/nsswitch/pam_winbind.h index c8c1910641..be17a6fe45 100644 --- a/source/nsswitch/pam_winbind.h +++ b/source/nsswitch/pam_winbind.h 
@@ -83,20 +83,20 @@ do { \
 #include <security/pam_ext.h>
 #endif
 
-#define WINBIND_DEBUG_ARG 0x00000001
-#define WINBIND_USE_AUTHTOK_ARG 0x00000002
-#define WINBIND_UNKNOWN_OK_ARG 0x00000004
-#define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
-#define WINBIND_USE_FIRST_PASS_ARG 0x00000010
-#define WINBIND__OLD_PASSWORD 0x00000020
-#define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
-#define WINBIND_KRB5_AUTH 0x00000080
-#define WINBIND_KRB5_CCACHE_TYPE 0x00000100
-#define WINBIND_CACHED_LOGIN 0x00000200
-#define WINBIND_CONFIG_FILE 0x00000400
-#define WINBIND_SILENT 0x00000800
-#define WINBIND_DEBUG_STATE 0x00001000
-#define WINBIND_WARN_PWD_EXPIRE 0x00002000
+#define WINBIND_DEBUG_ARG (1<<0)
+#define WINBIND_USE_AUTHTOK_ARG (1<<1)
+#define WINBIND_UNKNOWN_OK_ARG (1<<2)
+#define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
+#define WINBIND_USE_FIRST_PASS_ARG (1<<4)
+#define WINBIND__OLD_PASSWORD (1<<5)
+#define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
+#define WINBIND_KRB5_AUTH (1<<7)
+#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
+#define WINBIND_CACHED_LOGIN (1<<9)
+#define WINBIND_CONFIG_FILE (1<<10)
+#define WINBIND_SILENT (1<<11)
+#define WINBIND_DEBUG_STATE (1<<12)
+#define WINBIND_WARN_PWD_EXPIRE (1<<13)
 
 /*
  * here is the string to inform the user that the new passwords they
diff --git a/source/nsswitch/wbinfo.c b/source/nsswitch/wbinfo.c
index 60524d1d1b..32c6315cce 100644
--- a/source/nsswitch/wbinfo.c
+++ b/source/nsswitch/wbinfo.c
@@ -879,61 +879,21 @@ static bool wbinfo_lookupname(const char *full_name) return true; } -static char *wbinfo_prompt_pass(const char *prefix, - const char *username) -{ - char *prompt; - const char *ret = NULL; - - prompt = talloc_asprintf(talloc_tos(), "Enter %s's ", username); - if (!prompt) { - return NULL; - } - if (prefix) { - prompt = talloc_asprintf_append(prompt, "%s ", prefix); - if (!prompt) { - return NULL; - } - } - prompt = talloc_asprintf_append(prompt, "password: "); - if (!prompt) { - return NULL; - } - - ret = getpass(prompt); - TALLOC_FREE(prompt); - - return SMB_STRDUP(ret); -} - /* Authenticate a user with a plaintext password */ -static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags) +static bool wbinfo_auth_krb5(char *username, const char *pass, const char *cctype, uint32 flags) { struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; - char *p; - char *password; /* Send off request */ ZERO_STRUCT(request); ZERO_STRUCT(response); - p = strchr(username, '%'); - - if (p) { - *p = 0; - fstrcpy(request.data.auth.user, username); - fstrcpy(request.data.auth.pass, p + 1); - *p = '%'; - } else { - fstrcpy(request.data.auth.user, username); - password = wbinfo_prompt_pass(NULL, username); - fstrcpy(request.data.auth.pass, password); - SAFE_FREE(password); - } + fstrcpy(request.data.auth.user, username); + fstrcpy(request.data.auth.pass, pass); request.flags = flags; 
@@ -974,29 +934,11 @@ static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags) /* Authenticate a user with a plaintext password */ -static bool wbinfo_auth(char *username) +static bool wbinfo_auth(char *username, const char *pass) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; - char *s = NULL; - char *p = NULL; - char *password = NULL; - char *name = NULL; - - if ((s = SMB_STRDUP(username)) == NULL) { - return false; - } - - if ((p = strchr(s, '%')) != NULL) { - *p = 0; - p++; - password = SMB_STRDUP(p); - } else { - password = wbinfo_prompt_pass(NULL, username); - } - - name = s; - wbc_status = wbcAuthenticateUser(name, password); + wbc_status = wbcAuthenticateUser(username, pass); d_printf("plaintext password authentication %s\n", WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed"); @@ -1009,15 +951,12 @@ static bool wbinfo_auth(char *username) response.data.auth.error_string); #endif - SAFE_FREE(s); - SAFE_FREE(password); - return WBC_ERROR_IS_OK(wbc_status); } /* Authenticate a user with a challenge/response */ -static bool wbinfo_auth_crap(char *username) +static bool wbinfo_auth_crap(char *username, const char *pass) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; struct wbcAuthUserParams params; @@ -1027,17 +966,6 @@ static bool wbinfo_auth_crap(char *username) DATA_BLOB nt = data_blob_null; fstring name_user; fstring name_domain; - char *pass; - char *p; - - p = strchr(username, '%'); - - if (p) { - *p = 0; - pass = SMB_STRDUP(p + 1); - } else { - pass = wbinfo_prompt_pass(NULL, username); - } parse_wbinfo_domain_user(username, name_domain, name_user); @@ -1067,7 +995,6 @@ static bool wbinfo_auth_crap(char *username) &lm, &nt, NULL)) { data_blob_free(&names_blob); data_blob_free(&server_chal); - SAFE_FREE(pass); return false; } data_blob_free(&names_blob); @@ -1112,7 +1039,6 @@ static bool wbinfo_auth_crap(char *username) data_blob_free(&nt); data_blob_free(&lm); - SAFE_FREE(pass); return WBC_ERROR_IS_OK(wbc_status); } 
@@ -1341,28 +1267,6 @@ static bool wbinfo_ping(void)
 return WBC_ERROR_IS_OK(wbc_status);
 }
-static bool wbinfo_change_user_password(const char *username)
-{
- wbcErr wbc_status;
- char *old_password = NULL;
- char *new_password = NULL;
-
- old_password = wbinfo_prompt_pass("old", username);
- new_password = wbinfo_prompt_pass("new", username);
-
- wbc_status = wbcChangeUserPassword(username, old_password, new_password);
-
- /* Display response */
-
- d_printf("Password change for user %s %s\n", username,
- WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
-
- SAFE_FREE(old_password);
- SAFE_FREE(new_password);
-
- return WBC_ERROR_IS_OK(wbc_status);
-}
-
 /* Main program */
 enum {
@@ -1382,8 +1286,7 @@ enum {
 OPT_UID_INFO,
 OPT_GROUP_INFO,
 OPT_VERBOSE,
- OPT_ONLINESTATUS,
- OPT_CHANGE_USER_PASSWORD
+ OPT_ONLINESTATUS
 };
 int main(int argc, char **argv, char **envp)
@@ -1450,7 +1353,6 @@ int main(int argc, char **argv, char **envp)
 #endif
 { "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
 { "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
- { "change-user-password", 0, POPT_ARG_STRING, &string_arg, OPT_CHANGE_USER_PASSWORD, "Change the password for a user", NULL },
 POPT_COMMON_CONFIGFILE
 POPT_COMMON_VERSION
 POPT_TABLEEND
@@ -1653,14 +1555,22 @@ int main(int argc, char **argv, char **envp)
 break;
 case 'a': {
 bool got_error = false;
+ char *pass;
- if (!wbinfo_auth(string_arg)) {
+ if ((pass = strchr(string_arg, '%')) != NULL) {
+ *pass = 0;
+ pass++;
+ } else {
+ pass = (char *)"";
+ }
+
+ if (!wbinfo_auth(string_arg, pass)) {
 d_fprintf(stderr, "Could not authenticate user %s with "
 "plaintext password\n", string_arg);
 got_error = true;
 }
- if (!wbinfo_auth_crap(string_arg)) {
+ if (!wbinfo_auth_crap(string_arg, pass)) {
 d_fprintf(stderr, "Could not authenticate user %s with "
 "challenge/response\n", string_arg);
 got_error = true;
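Review bot: The `user%password` split added in `case 'a'` is repeated verbatim in the Kerberos case in the next hunk, and both assign a string literal through `(char *)` only because `pass` doubles as the scan pointer; a small helper returning `const char *` removes the duplication and the cast. It also gives one place to document that `string_arg` is truncated in place, which is why the later `d_fprintf` diagnostics print only the user part. The enclosing `main` starts and ends outside the hunk.
```c
/* Split "user%password" in place and return the password part, or ""
 * when no separator is present.  arg is truncated at the separator. */
static const char *wbinfo_split_pass(char *arg)
{
	char *sep = strchr(arg, '%');

	if (sep == NULL) {
		return "";
	}
	*sep = '\0';
	return sep + 1;
}

		case 'a': {
			bool got_error = false;
			const char *pass = wbinfo_split_pass(string_arg);

			if (!wbinfo_auth(string_arg, pass)) {
			/* … unchanged: diagnostics and the wbinfo_auth_crap call … */
```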
@@ -1675,8 +1585,16 @@ int main(int argc, char **argv, char **envp)
 WBFLAG_PAM_CACHED_LOGIN |
 WBFLAG_PAM_FALLBACK_AFTER_KRB5 |
 WBFLAG_PAM_INFO3_TEXT;
+ char *pass;
+
+ if ((pass = strchr(string_arg, '%')) != NULL) {
+ *pass = 0;
+ pass++;
+ } else {
+ pass = (char *)"";
+ }
- if (!wbinfo_auth_krb5(string_arg, "FILE", flags)) {
+ if (!wbinfo_auth_krb5(string_arg, pass, "FILE", flags)) {
 d_fprintf(stderr, "Could not authenticate user [%s] with "
 "Kerberos (ccache: %s)\n", string_arg, "FILE");
 goto done;
@@ -1731,14 +1649,6 @@ int main(int argc, char **argv, char **envp)
 goto done;
 }
 break;
- case OPT_CHANGE_USER_PASSWORD:
- if (!wbinfo_change_user_password(string_arg)) {
- d_fprintf(stderr, "Could not change user password "
- "for user %s\n", string_arg);
- goto done;
- }
- break;
-
 /* generic configuration options */
 case OPT_DOMAIN_NAME:
 break;
diff --git a/source/nsswitch/winbind_krb5_locator.c b/source/nsswitch/winbind_krb5_locator.c
index 990c2cae50..33a68f0cdc 100644
--- a/source/nsswitch/winbind_krb5_locator.c
+++ b/source/nsswitch/winbind_krb5_locator.c
@@ -222,8 +222,8 @@ static krb5_error_code smb_krb5_locator_call_cbfunc(const char *name,
 * @return krb5_error_code.
 */
-static krb5_error_code smb_krb5_locator_init(krb5_context context,
- void **private_data)
+krb5_error_code smb_krb5_locator_init(krb5_context context,
+ void **private_data)
 {
 return 0;
 }
@@ -236,7 +236,7 @@ static krb5_error_code smb_krb5_locator_init(krb5_context context,
 * @return void.
 */
-static void smb_krb5_locator_close(void *private_data)
+void smb_krb5_locator_close(void *private_data)
 {
 return;
 }
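Review bot: Dropping `static` from `smb_krb5_locator_init` — and likewise from `smb_krb5_locator_close` in the next hunk and `smb_krb5_locator_lookup` in the hunk after that — makes the three functions exported symbols of the locator module without adding a prototype for them, so builds that use `-Wmissing-prototypes` will warn on each definition and the functions become callable by name from anything that loads the shared object. If external linkage is required (presumably so the plugin's function table can reference them from another translation unit), declare the three in a header; if the table lives in this file, they can stay `static` and only the table needs exporting. Either way the commit should state why the linkage changed, since the surrounding doc comments already describe the parameters and say nothing about it.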
@@ -292,13 +292,13 @@ static bool ask_winbind(const char *realm, char **dcname)
 * @return krb5_error_code.
 */
-static krb5_error_code smb_krb5_locator_lookup(void *private_data,
- enum locate_service_type svc,
- const char *realm,
- int socktype,
- int family,
- int (*cbfunc)(void *, int, struct sockaddr *),
- void *cbdata)
+krb5_error_code smb_krb5_locator_lookup(void *private_data,
+ enum locate_service_type svc,
+ const char *realm,
+ int socktype,
+ int family,
+ int (*cbfunc)(void *, int, struct sockaddr *),
+ void *cbdata)
 {
 krb5_error_code ret;
 struct addrinfo aihints; |