ctdb-tests: Add sock daemon test for do_fork
[metze/samba/wip.git] / nsswitch / pam_winbind.c
index 42c4f8e59649f05a065a3913789b2733da0fd3f6..4ae646442f8af15b368a4ea1857d778036cda09e 100644 (file)
@@ -12,7 +12,7 @@
 
 #include "pam_winbind.h"
 
-enum pam_winbind_request_type 
+enum pam_winbind_request_type
 {
        PAM_WINBIND_AUTHENTICATE,
        PAM_WINBIND_SETCRED,
@@ -490,12 +490,12 @@ config_from_pam:
                else if (!strcasecmp(*v, "unknown_ok"))
                        ctrl |= WINBIND_UNKNOWN_OK_ARG;
                else if ((type == PAM_WINBIND_AUTHENTICATE
-                         || type == PAM_WINBIND_SETCRED) 
+                         || type == PAM_WINBIND_SETCRED)
                         && !strncasecmp(*v, "require_membership_of",
                                         strlen("require_membership_of")))
                        ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
-               else if ((type == PAM_WINBIND_AUTHENTICATE 
-                         || type == PAM_WINBIND_SETCRED) 
+               else if ((type == PAM_WINBIND_AUTHENTICATE
+                         || type == PAM_WINBIND_SETCRED)
                         && !strncasecmp(*v, "require-membership-of",
                                         strlen("require-membership-of")))
                        ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
@@ -610,7 +610,7 @@ static const struct ntstatus_errors {
        {"NT_STATUS_OK",
                N_("Success")},
        {"NT_STATUS_BACKUP_CONTROLLER",
-               N_("No primary Domain Controler available")},
+               N_("No primary Domain Controller available")},
        {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
                N_("No domain controllers found")},
        {"NT_STATUS_NO_LOGON_SERVERS",
@@ -667,7 +667,7 @@ static const char *_get_ntstatus_error_string(const char *nt_status_string)
 
 static int converse(const pam_handle_t *pamh,
                    int nargs,
-                   struct pam_message **message,
+                   const struct pam_message **message,
                    struct pam_response **response)
 {
        int retval;
@@ -690,7 +690,8 @@ static int _make_remark(struct pwb_context *ctx,
 {
        int retval = PAM_SUCCESS;
 
-       struct pam_message *pmsg[1], msg[1];
+       const struct pam_message *pmsg[1];
+       struct pam_message msg[1];
        struct pam_response *resp;
 
        if (ctx->flags & WINBIND_SILENT) {
@@ -775,6 +776,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
                        return PAM_IGNORE;
                }
                return retval;
+       case PAM_AUTHTOK_ERR:
+               /* Authentication token manipulation error */
+               _pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed "
+                       "(pwd complexity/history/min_age not met?)", user);
+               return retval;
        case PAM_SUCCESS:
                /* Otherwise, the authentication looked good */
                if (strcmp(fn, "wbcLogonUser") == 0) {
@@ -838,7 +844,8 @@ static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
 #if defined(HAVE_PAM_RADIO_TYPE)
 static bool _pam_winbind_change_pwd(struct pwb_context *ctx)
 {
-       struct pam_message msg, *pmsg;
+       struct pam_message msg;
+       const struct pam_message *pmsg;
        struct pam_response *resp = NULL;
        int ret;
        bool retval = false;
@@ -997,7 +1004,6 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 
 static void _pam_warn_password_expiry(struct pwb_context *ctx,
                                      const struct wbcAuthUserInfo *info,
-                                     const struct wbcUserPasswordPolicyInfo *policy,
                                      int warn_pwd_expire,
                                      bool *already_expired,
                                      bool *change_pwd)
@@ -1005,7 +1011,7 @@ static void _pam_warn_password_expiry(struct pwb_context *ctx,
        time_t now = time(NULL);
        time_t next_change = 0;
 
-       if (!info || !policy) {
+       if (info == NULL) {
                return;
        }
 
@@ -1037,23 +1043,6 @@ static void _pam_warn_password_expiry(struct pwb_context *ctx,
                return;
        }
 
-       /* now check for the global password policy */
-       /* good catch from Ralf Haferkamp: an expiry of "never" is translated
-        * to -1 */
-       if ((policy->expire == (int64_t)-1) ||
-           (policy->expire == 0)) {
-               return;
-       }
-
-       next_change = info->pass_last_set_time + policy->expire;
-
-       if (_pam_send_password_expiry_message(ctx, next_change, now,
-                                             warn_pwd_expire,
-                                             already_expired,
-                                             change_pwd)) {
-               return;
-       }
-
        /* no warning sent */
 }
 
@@ -1689,23 +1678,17 @@ static int winbind_auth_request(struct pwb_context *ctx,
                                const int warn_pwd_expire,
                                struct wbcAuthErrorInfo **p_error,
                                struct wbcLogonUserInfo **p_info,
-                               struct wbcUserPasswordPolicyInfo **p_policy,
                                time_t *pwd_last_set,
                                char **user_ret)
 {
        wbcErr wbc_status;
-
        struct wbcLogonUserParams logon;
        char membership_of[1024];
        uid_t user_uid = -1;
-       uint32_t flags = WBFLAG_PAM_INFO3_TEXT |
-                        WBFLAG_PAM_GET_PWD_POLICY;
-
+       uint32_t flags = WBFLAG_PAM_INFO3_TEXT;
        struct wbcLogonUserInfo *info = NULL;
        struct wbcAuthUserInfo *user_info = NULL;
        struct wbcAuthErrorInfo *error = NULL;
-       struct wbcUserPasswordPolicyInfo *policy = NULL;
-
        int ret = PAM_AUTH_ERR;
        int i;
        const char *codes[] = {
@@ -1838,7 +1821,7 @@ static int winbind_auth_request(struct pwb_context *ctx,
                                     &logon,
                                     &info,
                                     &error,
-                                    &policy);
+                                    NULL);
        ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                          user, "wbcLogonUser");
        wbcFreeMemory(logon.blobs);
@@ -1856,10 +1839,6 @@ static int winbind_auth_request(struct pwb_context *ctx,
                *p_info = info;
        }
 
-       if (p_policy && policy) {
-               *p_policy = policy;
-       }
-
        if (p_error && error) {
                /* We want to process the error in the caller. */
                *p_error = error;
@@ -1874,13 +1853,13 @@ static int winbind_auth_request(struct pwb_context *ctx,
                }
        }
 
-       if ((ret == PAM_SUCCESS) && user_info && policy && info) {
+       if ((ret == PAM_SUCCESS) && user_info && info) {
 
                bool already_expired = false;
                bool change_pwd = false;
 
                /* warn a user if the password is about to expire soon */
-               _pam_warn_password_expiry(ctx, user_info, policy,
+               _pam_warn_password_expiry(ctx, user_info,
                                          warn_pwd_expire,
                                          &already_expired,
                                          &change_pwd);
@@ -1888,15 +1867,15 @@ static int winbind_auth_request(struct pwb_context *ctx,
                if (already_expired == true) {
 
                        SMB_TIME_T last_set = user_info->pass_last_set_time;
+                       SMB_TIME_T must_set = user_info->pass_must_change_time;
 
                        _pam_log_debug(ctx, LOG_DEBUG,
                                       "Password has expired "
                                       "(Password was last set: %lld, "
-                                      "the policy says it should expire here "
+                                      "it must be changed here "
                                       "%lld (now it's: %ld))\n",
                                       (long long int)last_set,
-                                      (long long int)last_set +
-                                      policy->expire,
+                                      (long long int)must_set,
                                       (long)time(NULL));
 
                        return PAM_AUTHTOK_EXPIRED;
@@ -1935,9 +1914,6 @@ static int winbind_auth_request(struct pwb_context *ctx,
        if (info && !p_info) {
                wbcFreeMemory(info);
        }
-       if (policy && !p_policy) {
-               wbcFreeMemory(policy);
-       }
 
        return ret;
 }
@@ -2189,7 +2165,8 @@ static int _winbind_read_password(struct pwb_context *ctx,
         */
 
        {
-               struct pam_message msg[3], *pmsg[3];
+               struct pam_message msg[3];
+               const struct pam_message *pmsg[3];
                struct pam_response *resp;
                int i, replies;
 
@@ -2471,10 +2448,14 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
        if (!name) {
                return NULL;
        }
-       if ((p = strchr(name, '@')) != NULL) {
-               *p = 0;
-               domain = p + 1;
+
+       p = strchr(name, '@');
+       if (p == NULL) {
+               TALLOC_FREE(name);
+               return NULL;
        }
+       *p = '\0';
+       domain = p + 1;
 
        /* Convert the UPN to a SID */
 
@@ -2497,7 +2478,7 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 }
 
 static int _pam_delete_cred(pam_handle_t *pamh, int flags,
-                           int argc, enum pam_winbind_request_type type, 
+                           int argc, enum pam_winbind_request_type type,
                            const char **argv)
 {
        int retval = PAM_SUCCESS;
@@ -2729,8 +2710,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
        /* Now use the username to look up password */
        retval = winbind_auth_request(ctx, real_username, password,
                                      member, cctype, warn_pwd_expire,
-                                     NULL, NULL, NULL,
-                                     NULL, &username_ret);
+                                     NULL, NULL, NULL, &username_ret);
 
        if (retval == PAM_NEW_AUTHTOK_REQD ||
            retval == PAM_AUTHTOK_EXPIRED) {
@@ -3140,7 +3120,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                ret = winbind_auth_request(ctx, user, pass_old,
                                           NULL, NULL, 0,
-                                          &error, NULL, NULL,
+                                          &error, NULL,
                                           &pwdlastset_prelim, NULL);
 
                if (ret != PAM_ACCT_EXPIRED &&
@@ -3248,7 +3228,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                        const char *cctype = NULL;
                        int warn_pwd_expire;
                        struct wbcLogonUserInfo *info = NULL;
-                       struct wbcUserPasswordPolicyInfo *policy = NULL;
 
                        member = get_member_from_config(ctx);
                        cctype = get_krb5_cc_type_from_config(ctx);
@@ -3264,7 +3243,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                        ret = winbind_auth_request(ctx, user, pass_new,
                                                   member, cctype, 0,
-                                                  &error, &info, &policy,
+                                                  &error, &info,
                                                   NULL, &username_ret);
                        pass_old = pass_new = NULL;
 
@@ -3278,7 +3257,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                                /* warn a user if the password is about to
                                 * expire soon */
-                               _pam_warn_password_expiry(ctx, user_info, policy,
+                               _pam_warn_password_expiry(ctx, user_info,
                                                          warn_pwd_expire,
                                                          NULL, NULL);
 
@@ -3304,7 +3283,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                                wbcFreeMemory(info->blobs);
                        }
                        wbcFreeMemory(info);
-                       wbcFreeMemory(policy);
 
                        goto out;
                }