static inline void textdomain_init(void)
{
if (!initialized) {
- bindtextdomain(MODULE_NAME, dyn_LOCALEDIR);
+ bindtextdomain(MODULE_NAME, LOCALEDIR);
initialized = 1;
}
return;
return pam_winbind_request_log(ctx, ret, username, fn);
}
+#if defined(HAVE_PAM_RADIO_TYPE)
+static bool _pam_winbind_change_pwd(struct pwb_context *ctx)
+{
+ struct pam_message msg, *pmsg;
+ struct pam_response *resp = NULL;
+ const char *prompt;
+ int ret;
+ bool retval = false;
+ prompt = _("Do you want to change your password now?");
+ pmsg = &msg;
+ msg.msg_style = PAM_RADIO_TYPE;
+ msg.msg = prompt;
+ ret = converse(ctx->pamh, 1, &pmsg, &resp);
+ if (resp == NULL) {
+ if (ret == PAM_SUCCESS) {
+ _pam_log(ctx, LOG_CRIT, "pam_winbind: system error!\n");
+ return false;
+ }
+ }
+ if (ret != PAM_SUCCESS) {
+ return false;
+ }
+ _pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n", resp->resp);
+
+ if (strcasecmp(resp->resp, "yes") == 0) {
+ retval = true;
+ }
+
+ _pam_drop_reply(resp, 1);
+ return retval;
+}
+#else
+static bool _pam_winbind_change_pwd(struct pwb_context *ctx)
+{
+ return false;
+}
+#endif
/**
* send a password expiry message if required
time_t next_change,
time_t now,
int warn_pwd_expire,
- bool *already_expired)
+ bool *already_expired,
+ bool *change_pwd)
{
int days = 0;
struct tm tm_now, tm_next_change;
+ bool retval = false;
+ int ret;
if (already_expired) {
*already_expired = false;
}
+ if (change_pwd) {
+ *change_pwd = false;
+ }
+
if (next_change <= now) {
PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PASSWORD_EXPIRED");
if (already_expired) {
(tm_now.tm_yday+tm_now.tm_year*365);
if (days == 0) {
- _make_remark(ctx, PAM_TEXT_INFO,
- _("Your password expires today"));
+ ret = _make_remark(ctx, PAM_TEXT_INFO,
+ _("Your password expires today.\n"));
+
+ /*
+ * If change_pwd and already_expired is null.
+ * We are just sending a notification message.
+ * We don't expect any response in this case.
+ */
+
+ if (!change_pwd && !already_expired) {
+ return true;
+ }
+
+ /*
+ * successfully sent the warning message.
+ * Give the user a chance to change pwd.
+ */
+ if (ret == PAM_SUCCESS) {
+ if (change_pwd) {
+ retval = _pam_winbind_change_pwd(ctx);
+ if (retval) {
+ *change_pwd = true;
+ }
+ }
+ }
return true;
}
if (days > 0 && days < warn_pwd_expire) {
- _make_remark_format(ctx, PAM_TEXT_INFO,
- _("Your password will expire in %d %s"),
- days, (days > 1) ? _("days"):_("day"));
+
+ ret = _make_remark_format(ctx, PAM_TEXT_INFO,
+ _("Your password will expire in %d %s.\n"),
+ days, (days > 1) ? _("days"):_("day"));
+ /*
+ * If change_pwd and already_expired is null.
+ * We are just sending a notification message.
+ * We don't expect any response in this case.
+ */
+
+ if (!change_pwd && !already_expired) {
+ return true;
+ }
+
+ /*
+ * successfully sent the warning message.
+ * Give the user a chance to change pwd.
+ */
+ if (ret == PAM_SUCCESS) {
+ if (change_pwd) {
+ retval = _pam_winbind_change_pwd(ctx);
+ if (retval) {
+ *change_pwd = true;
+ }
+ }
+ }
return true;
}
const struct wbcAuthUserInfo *info,
const struct wbcUserPasswordPolicyInfo *policy,
int warn_pwd_expire,
- bool *already_expired)
+ bool *already_expired,
+ bool *change_pwd)
{
time_t now = time(NULL);
time_t next_change = 0;
*already_expired = false;
}
+ if (change_pwd) {
+ *change_pwd = false;
+ }
+
/* accounts with WBC_ACB_PWNOEXP set never receive a warning */
if (info->acct_flags & WBC_ACB_PWNOEXP) {
return;
if (_pam_send_password_expiry_message(ctx, next_change, now,
warn_pwd_expire,
- already_expired)) {
+ already_expired,
+ change_pwd)) {
return;
}
if (_pam_send_password_expiry_message(ctx, next_change, now,
warn_pwd_expire,
- already_expired)) {
+ already_expired,
+ change_pwd)) {
return;
}
char *sid_list_buffer,
int sid_list_buffer_size)
{
- const char* sid_string;
+ const char* sid_string = NULL;
+ char *sid_str = NULL;
/* lookup name? */
if (IS_SID_STRING(name)) {
wbcErr wbc_status;
struct wbcDomainSid sid;
enum wbcSidType type;
- char *sid_str;
_pam_log_debug(ctx, LOG_DEBUG,
"no sid given, looking up: %s\n", name);
return false;
}
- wbcFreeMemory(sid_str);
sid_string = sid_str;
}
if (!safe_append_string(sid_list_buffer, sid_string,
sid_list_buffer_size)) {
+ wbcFreeMemory(sid_str);
return false;
}
+ wbcFreeMemory(sid_str);
return true;
}
char *current_name = NULL;
const char *search_location;
const char *comma;
+ int len;
if (sid_list_buffer_size > 0) {
sid_list_buffer[0] = 0;
}
search_location = name_list;
- while ((comma = strstr(search_location, ",")) != NULL) {
+ while ((comma = strchr(search_location, ',')) != NULL) {
current_name = strndup(search_location,
comma - search_location);
if (NULL == current_name) {
current_name,
sid_list_buffer,
sid_list_buffer_size)) {
- goto out;
+ /*
+ * If one group name failed, we must not fail
+ * the authentication totally, continue with
+ * the following group names. If user belongs to
+ * one of the valid groups, we must allow it
+ * login. -- BoYang
+ */
+
+ _pam_log(ctx, LOG_INFO, "cannot convert group %s to sid, "
+ "check if group %s is valid group.", current_name,
+ current_name);
+ _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+ "to sid, please contact your administrator to see "
+ "if group %s is valid."), current_name, current_name);
+ SAFE_FREE(current_name);
+ search_location = comma + 1;
+ continue;
}
SAFE_FREE(current_name);
if (!winbind_name_to_sid_string(ctx, user, search_location,
sid_list_buffer,
sid_list_buffer_size)) {
- goto out;
+ _pam_log(ctx, LOG_INFO, "cannot convert group %s to sid, "
+ "check if group %s is valid group.", search_location,
+ search_location);
+ _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+ "to sid, please contact your administrator to see "
+ "if group %s is valid."), search_location, search_location);
+ /*
+ * The lookup of the last name failed..
+ * It results in require_member_of_sid ends with ','
+ * It is malformated parameter here, overwrite the last ','.
+ */
+ len = strlen(sid_list_buffer);
+ if ((len != 0) && (sid_list_buffer[len - 1] == ',')) {
+ sid_list_buffer[len - 1] = '\0';
+ }
}
result = true;
static bool _pam_check_remark_auth_err(struct pwb_context *ctx,
const struct wbcAuthErrorInfo *e,
const char *nt_status_string,
- int *pam_error)
+ int *pam_err)
{
const char *ntstatus = NULL;
const char *error_string = NULL;
- if (!e || !pam_error) {
+ if (!e || !pam_err) {
return false;
}
error_string = _get_ntstatus_error_string(nt_status_string);
if (error_string) {
_make_remark(ctx, PAM_ERROR_MSG, error_string);
- *pam_error = e->pam_error;
+ *pam_err = e->pam_error;
return true;
}
if (e->display_string) {
- _make_remark(ctx, PAM_ERROR_MSG, e->display_string);
- *pam_error = e->pam_error;
+ _make_remark(ctx, PAM_ERROR_MSG, _(e->display_string));
+ *pam_err = e->pam_error;
return true;
}
_make_remark(ctx, PAM_ERROR_MSG, nt_status_string);
- *pam_error = e->pam_error;
+ *pam_err = e->pam_error;
return true;
}
if ((ret == PAM_SUCCESS) && user_info && policy && info) {
bool already_expired = false;
+ bool change_pwd = false;
/* warn a user if the password is about to expire soon */
_pam_warn_password_expiry(ctx, user_info, policy,
warn_pwd_expire,
- &already_expired);
+ &already_expired,
+ &change_pwd);
if (already_expired == true) {
"Password has expired "
"(Password was last set: %lld, "
"the policy says it should expire here "
- "%lld (now it's: %lu))\n",
+ "%lld (now it's: %ld))\n",
(long long int)last_set,
(long long int)last_set +
policy->expire,
- time(NULL));
+ (long)time(NULL));
return PAM_AUTHTOK_EXPIRED;
}
+ if (change_pwd) {
+ ret = PAM_NEW_AUTHTOK_REQD;
+ goto done;
+ }
+
/* inform about logon type */
_pam_warn_logon_type(ctx, user, user_info->user_flags);
if (logon.blobs) {
wbcFreeMemory(logon.blobs);
}
- if (info && info->blobs) {
+ if (info && info->blobs && !p_info) {
wbcFreeMemory(info->blobs);
}
if (error && !p_error) {
switch (reject_reason) {
case -1:
break;
- case WBC_PWD_CHANGE_REJECT_OTHER:
+ case WBC_PWD_CHANGE_NO_ERROR:
if ((min_pwd_age > 0) &&
(pwd_last_set + min_pwd_age > time(NULL))) {
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_TOO_RECENT");
}
break;
- case WBC_PWD_CHANGE_REJECT_TOO_SHORT:
+ case WBC_PWD_CHANGE_PASSWORD_TOO_SHORT:
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_TOO_SHORT");
break;
- case WBC_PWD_CHANGE_REJECT_IN_HISTORY:
+ case WBC_PWD_CHANGE_PWD_IN_HISTORY:
PAM_WB_REMARK_DIRECT(ctx,
"NT_STATUS_PWD_HISTORY_CONFLICT");
break;
- case WBC_PWD_CHANGE_REJECT_COMPLEXITY:
+ case WBC_PWD_CHANGE_NOT_COMPLEX:
_make_remark(ctx, PAM_ERROR_MSG,
_("Password does not meet "
"complexity requirements"));
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct wbcDomainSid sid;
enum wbcSidType type;
- char *domain;
+ char *domain = NULL;
char *name;
char *p;
* expire soon */
_pam_warn_password_expiry(ctx, user_info, policy,
warn_pwd_expire,
- NULL);
+ NULL, NULL);
/* set some info3 info for other modules in the
* stack */
free(username_ret);
}
- wbcFreeMemory(info);
- wbcFreeMemory(policy);
}
+ if (info && info->blobs) {
+ wbcFreeMemory(info->blobs);
+ }
+ wbcFreeMemory(info);
+ wbcFreeMemory(policy);
+
goto out;
}
} else {
git.samba.org / samba.git / blobdiff