git.samba.org / obnox / samba / samba-obnox.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
nwrap: Fix the build on FreeBSD
[obnox/samba/samba-obnox.git] / nsswitch / pam_winbind.c
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 9a5367ba2e224fe45d5aa913eb67e4d82d9f544c..a2d9f3bde9e9e0ad482df6b8f22c314f1919b27a 100644 (file)
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -10,10 +10,19 @@
    <sopwith@redhat.com> (see copyright below for full details)
 */
 
-#define UID_WRAPPER_NOT_REPLACE
-
 #include "pam_winbind.h"
 
+enum pam_winbind_request_type 
+{
+       PAM_WINBIND_AUTHENTICATE,
+       PAM_WINBIND_SETCRED,
+       PAM_WINBIND_ACCT_MGMT,
+       PAM_WINBIND_OPEN_SESSION,
+       PAM_WINBIND_CLOSE_SESSION,
+       PAM_WINBIND_CHAUTHTOK,
+       PAM_WINBIND_CLEANUP
+};
+
 static int wbc_error_to_pam_error(wbcErr status)
 {
        switch (status) {
@@ -336,10 +345,14 @@ static void _pam_log_state_datum(struct pwb_context *ctx,
  *    key =
  * for a key like above newer iniparser will return a zero-length
  * string, previously iniparser would return NULL
+ *
+ * JRA: For compatibility, tiniparser behaves like iniparser.
  */
-static char *iniparser_getstring_nonempty(dictionary *d, char *key, char *def)
+static const char *tiniparser_getstring_nonempty(struct tiniparser_dictionary *d,
+                       const char *key,
+                       const char *def)
 {
-       char *ret = iniparser_getstring(d, key, def);
+       const char *ret = tiniparser_getstring(d, key, def);
        if (ret && strlen(ret) == 0) {
                ret = NULL;
        }
@@ -384,13 +397,14 @@ static int _pam_parse(const pam_handle_t *pamh,
                      int flags,
                      int argc,
                      const char **argv,
-                     dictionary **result_d)
+                     enum pam_winbind_request_type type,
+                     struct tiniparser_dictionary **result_d)
 {
        int ctrl = 0;
        const char *config_file = NULL;
        int i;
        const char **v;
-       dictionary *d = NULL;
+       struct tiniparser_dictionary *d = NULL;
 
        if (flags & PAM_SILENT) {
                ctrl |= WINBIND_SILENT;
@@ -408,51 +422,51 @@ static int _pam_parse(const pam_handle_t *pamh,
                config_file = PAM_WINBIND_CONFIG_FILE;
        }
 
-       d = iniparser_load(discard_const_p(char, config_file));
+       d = tiniparser_load(config_file);
        if (d == NULL) {
                goto config_from_pam;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:debug"), false)) {
+       if (tiniparser_getboolean(d, "global:debug", false)) {
                ctrl |= WINBIND_DEBUG_ARG;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:debug_state"), false)) {
+       if (tiniparser_getboolean(d, "global:debug_state", false)) {
                ctrl |= WINBIND_DEBUG_STATE;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:cached_login"), false)) {
+       if (tiniparser_getboolean(d, "global:cached_login", false)) {
                ctrl |= WINBIND_CACHED_LOGIN;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:krb5_auth"), false)) {
+       if (tiniparser_getboolean(d, "global:krb5_auth", false)) {
                ctrl |= WINBIND_KRB5_AUTH;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:silent"), false)) {
+       if (tiniparser_getboolean(d, "global:silent", false)) {
                ctrl |= WINBIND_SILENT;
        }
 
-       if (iniparser_getstring_nonempty(d, discard_const_p(char, "global:krb5_ccache_type"), NULL) != NULL) {
+       if (tiniparser_getstring_nonempty(d, "global:krb5_ccache_type", NULL) != NULL) {
                ctrl |= WINBIND_KRB5_CCACHE_TYPE;
        }
 
-       if ((iniparser_getstring_nonempty(d, discard_const_p(char, "global:require-membership-of"), NULL)
+       if ((tiniparser_getstring_nonempty(d, "global:require-membership-of", NULL)
             != NULL) ||
-           (iniparser_getstring_nonempty(d, discard_const_p(char, "global:require_membership_of"), NULL)
+           (tiniparser_getstring_nonempty(d, "global:require_membership_of", NULL)
             != NULL)) {
                ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:try_first_pass"), false)) {
+       if (tiniparser_getboolean(d, "global:try_first_pass", false)) {
                ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
        }
 
-       if (iniparser_getint(d, discard_const_p(char, "global:warn_pwd_expire"), 0)) {
+       if (tiniparser_getint(d, "global:warn_pwd_expire", 0)) {
                ctrl |= WINBIND_WARN_PWD_EXPIRE;
        }
 
-       if (iniparser_getboolean(d, discard_const_p(char, "global:mkhomedir"), false)) {
+       if (tiniparser_getboolean(d, "global:mkhomedir", false)) {
                ctrl |= WINBIND_MKHOMEDIR;
        }
 
@@ -475,11 +489,15 @@ config_from_pam:
                        ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
                else if (!strcasecmp(*v, "unknown_ok"))
                        ctrl |= WINBIND_UNKNOWN_OK_ARG;
-               else if (!strncasecmp(*v, "require_membership_of",
-                                     strlen("require_membership_of")))
+               else if ((type == PAM_WINBIND_AUTHENTICATE
+                         || type == PAM_WINBIND_SETCRED) 
+                        && !strncasecmp(*v, "require_membership_of",
+                                        strlen("require_membership_of")))
                        ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
-               else if (!strncasecmp(*v, "require-membership-of",
-                                     strlen("require-membership-of")))
+               else if ((type == PAM_WINBIND_AUTHENTICATE 
+                         || type == PAM_WINBIND_SETCRED) 
+                        && !strncasecmp(*v, "require-membership-of",
+                                        strlen("require-membership-of")))
                        ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
                else if (!strcasecmp(*v, "krb5_auth"))
                        ctrl |= WINBIND_KRB5_AUTH;
@@ -490,7 +508,10 @@ config_from_pam:
                        ctrl |= WINBIND_CACHED_LOGIN;
                else if (!strcasecmp(*v, "mkhomedir"))
                        ctrl |= WINBIND_MKHOMEDIR;
-               else {
+               else if (!strncasecmp(*v, "warn_pwd_expire",
+                       strlen("warn_pwd_expire")))
+                       ctrl |= WINBIND_WARN_PWD_EXPIRE;
+               else if (type != PAM_WINBIND_CLEANUP) {
                        __pam_log(pamh, ctrl, LOG_ERR,
                                 "pam_parse: unknown option: %s", *v);
                        return -1;
@@ -502,7 +523,7 @@ config_from_pam:
                *result_d = d;
        } else {
                if (d) {
-                       iniparser_freedict(d);
+                       tiniparser_freedict(d);
                }
        }
 
@@ -516,7 +537,7 @@ static int _pam_winbind_free_context(struct pwb_context *ctx)
        }
 
        if (ctx->dict) {
-               iniparser_freedict(ctx->dict);
+               tiniparser_freedict(ctx->dict);
        }
 
        return 0;
@@ -526,6 +547,7 @@ static int _pam_winbind_init_context(pam_handle_t *pamh,
                                     int flags,
                                     int argc,
                                     const char **argv,
+                                    enum pam_winbind_request_type type,
                                     struct pwb_context **ctx_p)
 {
        struct pwb_context *r = NULL;
@@ -545,7 +567,7 @@ static int _pam_winbind_init_context(pam_handle_t *pamh,
        r->flags = flags;
        r->argc = argc;
        r->argv = argv;
-       r->ctrl = _pam_parse(pamh, flags, argc, argv, &r->dict);
+       r->ctrl = _pam_parse(pamh, flags, argc, argv, type, &r->dict);
        if (r->ctrl == -1) {
                TALLOC_FREE(r);
                return PAM_SYSTEM_ERR;
@@ -560,7 +582,7 @@ static void _pam_winbind_cleanup_func(pam_handle_t *pamh,
                                      void *data,
                                      int error_status)
 {
-       int ctrl = _pam_parse(pamh, 0, 0, NULL, NULL);
+       int ctrl = _pam_parse(pamh, 0, 0, NULL, PAM_WINBIND_CLEANUP, NULL);
        if (_pam_log_is_debug_state_enabled(ctrl)) {
                __pam_log_debug(pamh, ctrl, LOG_DEBUG,
                               "[pamh: %p] CLEAN: cleaning up PAM data %p "
@@ -644,7 +666,7 @@ static int converse(const pam_handle_t *pamh,
        retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
        if (retval == PAM_SUCCESS) {
                retval = conv->conv(nargs,
-                                   (const struct pam_message **)message,
+                                   discard_const_p(const struct pam_message *, message),
                                    response, conv->appdata_ptr);
        }
 
@@ -1979,7 +2001,7 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
                }
 
                /* FIXME: avoid to send multiple PAM messages after another */
-               switch (reject_reason) {
+               switch ((int)reject_reason) {
                        case -1:
                                break;
                        case WBC_PWD_CHANGE_NO_ERROR:
@@ -2277,7 +2299,7 @@ static const char *get_conf_item_string(struct pwb_context *ctx,
                        goto out;
                }
 
-               parm_opt = iniparser_getstring_nonempty(ctx->dict, key, NULL);
+               parm_opt = tiniparser_getstring_nonempty(ctx->dict, key, NULL);
                TALLOC_FREE(key);
 
                _pam_log_debug(ctx, LOG_INFO, "CONFIG file: %s '%s'\n",
@@ -2325,7 +2347,7 @@ static int get_config_item_int(struct pwb_context *ctx,
                        goto out;
                }
 
-               parm_opt = iniparser_getint(ctx->dict, key, -1);
+               parm_opt = tiniparser_getint(ctx->dict, key, -1);
                TALLOC_FREE(key);
 
                _pam_log_debug(ctx, LOG_INFO,
@@ -2360,7 +2382,7 @@ static int get_warn_pwd_expire_from_config(struct pwb_context *ctx)
        ret = get_config_item_int(ctx, "warn_pwd_expire",
                                  WINBIND_WARN_PWD_EXPIRE);
        /* no or broken setting */
-       if (ret <= 0) {
+       if (ret < 0) {
                return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
        }
        return ret;
@@ -2399,7 +2421,7 @@ static char winbind_get_separator(struct pwb_context *ctx)
  * Convert a upn to a name.
  *
  * @param ctx PAM winbind context.
- * @param upn  USer UPN to be trabslated.
+ * @param upn  User UPN to be translated.
  *
  * @return converted name. NULL pointer on failure. Caller needs to free.
  */
@@ -2414,6 +2436,7 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
        char *domain = NULL;
        char *name;
        char *p;
+       char *result;
 
        /* This cannot work when the winbind separator = @ */
 
@@ -2445,11 +2468,15 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
                return NULL;
        }
 
-       return talloc_asprintf(ctx, "%s%c%s", domain, sep, name);
+       result = talloc_asprintf(ctx, "%s%c%s", domain, sep, name);
+       wbcFreeMemory(domain);
+       wbcFreeMemory(name);
+       return result;
 }
 
 static int _pam_delete_cred(pam_handle_t *pamh, int flags,
-                        int argc, const char **argv)
+                           int argc, enum pam_winbind_request_type type, 
+                           const char **argv)
 {
        int retval = PAM_SUCCESS;
        struct pwb_context *ctx = NULL;
@@ -2460,9 +2487,9 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags,
 
        ZERO_STRUCT(logoff);
 
-       retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       retval = _pam_winbind_init_context(pamh, flags, argc, argv, type, &ctx);
        if (retval) {
-               goto out;
+               return retval;
        }
 
        _PAM_LOG_FUNCTION_ENTER("_pam_delete_cred", ctx);
@@ -2595,9 +2622,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
        char *real_username = NULL;
        struct pwb_context *ctx = NULL;
 
-       retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       retval = _pam_winbind_init_context(pamh, flags, argc, argv,
+                                          PAM_WINBIND_AUTHENTICATE, &ctx);
        if (retval) {
-               goto out;
+               return retval;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_authenticate", ctx);
@@ -2732,10 +2760,9 @@ out:
                _pam_free_data_info3(pamh);
        }
 
-       if (ctx != NULL) {
-               _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
-               TALLOC_FREE(ctx);
-       }
+       _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
+
+       TALLOC_FREE(ctx);
 
        return retval;
 }
@@ -2747,9 +2774,10 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
        int ret = PAM_SYSTEM_ERR;
        struct pwb_context *ctx = NULL;
 
-       ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+                                       PAM_WINBIND_SETCRED, &ctx);
        if (ret) {
-               goto out;
+               return ret;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_setcred", ctx);
@@ -2757,7 +2785,8 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
        switch (flags & ~PAM_SILENT) {
 
                case PAM_DELETE_CRED:
-                       ret = _pam_delete_cred(pamh, flags, argc, argv);
+                       ret = _pam_delete_cred(pamh, flags, argc,
+                                              PAM_WINBIND_SETCRED, argv);
                        break;
                case PAM_REFRESH_CRED:
                        _pam_log_debug(ctx, LOG_WARNING,
@@ -2779,8 +2808,6 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
                        break;
        }
 
- out:
-
        _PAM_LOG_FUNCTION_LEAVE("pam_sm_setcred", ctx, ret);
 
        TALLOC_FREE(ctx);
@@ -2801,9 +2828,10 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
        const char *tmp = NULL;
        struct pwb_context *ctx = NULL;
 
-       ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+                                       PAM_WINBIND_ACCT_MGMT, &ctx);
        if (ret) {
-               goto out;
+               return ret;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_acct_mgmt", ctx);
@@ -2896,9 +2924,10 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
        int ret = PAM_SUCCESS;
        struct pwb_context *ctx = NULL;
 
-       ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+                                       PAM_WINBIND_OPEN_SESSION, &ctx);
        if (ret) {
-               goto out;
+               return ret;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_open_session", ctx);
@@ -2907,7 +2936,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
                /* check and create homedir */
                ret = _pam_mkhomedir(ctx);
        }
- out:
+
        _PAM_LOG_FUNCTION_LEAVE("pam_sm_open_session", ctx, ret);
 
        TALLOC_FREE(ctx);
@@ -2922,14 +2951,14 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
        int ret = PAM_SUCCESS;
        struct pwb_context *ctx = NULL;
 
-       ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+                                       PAM_WINBIND_CLOSE_SESSION, &ctx);
        if (ret) {
-               goto out;
+               return ret;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
 
-out:
        _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, ret);
 
        TALLOC_FREE(ctx);
@@ -3008,9 +3037,10 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
        struct wbcAuthErrorInfo *error = NULL;
        struct pwb_context *ctx = NULL;
 
-       ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+                                       PAM_WINBIND_CHAUTHTOK, &ctx);
        if (ret) {
-               goto out;
+               return ret;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", ctx);
Michael's Samba GIT