pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
authorStefan Metzmacher <metze@samba.org>
Sun, 2 Apr 2017 22:19:25 +0000 (00:19 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 6 Apr 2017 08:07:39 +0000 (10:07 +0200)
The expiry time for the specific user comes from
info->pass_must_change_time and nothing else.

The authenticating DC knows which password policy applies
to the user, that's nothing the client can do, as
domain trusts and fine-grained password policies makes
this a very complex task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
nsswitch/pam_winbind.c

index 746b157..4ae6464 100644 (file)
@@ -1004,7 +1004,6 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 
 static void _pam_warn_password_expiry(struct pwb_context *ctx,
                                      const struct wbcAuthUserInfo *info,
-                                     const struct wbcUserPasswordPolicyInfo *policy,
                                      int warn_pwd_expire,
                                      bool *already_expired,
                                      bool *change_pwd)
@@ -1012,7 +1011,7 @@ static void _pam_warn_password_expiry(struct pwb_context *ctx,
        time_t now = time(NULL);
        time_t next_change = 0;
 
-       if (!info || !policy) {
+       if (info == NULL) {
                return;
        }
 
@@ -1044,23 +1043,6 @@ static void _pam_warn_password_expiry(struct pwb_context *ctx,
                return;
        }
 
-       /* now check for the global password policy */
-       /* good catch from Ralf Haferkamp: an expiry of "never" is translated
-        * to -1 */
-       if ((policy->expire == (int64_t)-1) ||
-           (policy->expire == 0)) {
-               return;
-       }
-
-       next_change = info->pass_last_set_time + policy->expire;
-
-       if (_pam_send_password_expiry_message(ctx, next_change, now,
-                                             warn_pwd_expire,
-                                             already_expired,
-                                             change_pwd)) {
-               return;
-       }
-
        /* no warning sent */
 }
 
@@ -1696,23 +1678,17 @@ static int winbind_auth_request(struct pwb_context *ctx,
                                const int warn_pwd_expire,
                                struct wbcAuthErrorInfo **p_error,
                                struct wbcLogonUserInfo **p_info,
-                               struct wbcUserPasswordPolicyInfo **p_policy,
                                time_t *pwd_last_set,
                                char **user_ret)
 {
        wbcErr wbc_status;
-
        struct wbcLogonUserParams logon;
        char membership_of[1024];
        uid_t user_uid = -1;
-       uint32_t flags = WBFLAG_PAM_INFO3_TEXT |
-                        WBFLAG_PAM_GET_PWD_POLICY;
-
+       uint32_t flags = WBFLAG_PAM_INFO3_TEXT;
        struct wbcLogonUserInfo *info = NULL;
        struct wbcAuthUserInfo *user_info = NULL;
        struct wbcAuthErrorInfo *error = NULL;
-       struct wbcUserPasswordPolicyInfo *policy = NULL;
-
        int ret = PAM_AUTH_ERR;
        int i;
        const char *codes[] = {
@@ -1845,7 +1821,7 @@ static int winbind_auth_request(struct pwb_context *ctx,
                                     &logon,
                                     &info,
                                     &error,
-                                    &policy);
+                                    NULL);
        ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                          user, "wbcLogonUser");
        wbcFreeMemory(logon.blobs);
@@ -1863,10 +1839,6 @@ static int winbind_auth_request(struct pwb_context *ctx,
                *p_info = info;
        }
 
-       if (p_policy && policy) {
-               *p_policy = policy;
-       }
-
        if (p_error && error) {
                /* We want to process the error in the caller. */
                *p_error = error;
@@ -1881,13 +1853,13 @@ static int winbind_auth_request(struct pwb_context *ctx,
                }
        }
 
-       if ((ret == PAM_SUCCESS) && user_info && policy && info) {
+       if ((ret == PAM_SUCCESS) && user_info && info) {
 
                bool already_expired = false;
                bool change_pwd = false;
 
                /* warn a user if the password is about to expire soon */
-               _pam_warn_password_expiry(ctx, user_info, policy,
+               _pam_warn_password_expiry(ctx, user_info,
                                          warn_pwd_expire,
                                          &already_expired,
                                          &change_pwd);
@@ -1895,15 +1867,15 @@ static int winbind_auth_request(struct pwb_context *ctx,
                if (already_expired == true) {
 
                        SMB_TIME_T last_set = user_info->pass_last_set_time;
+                       SMB_TIME_T must_set = user_info->pass_must_change_time;
 
                        _pam_log_debug(ctx, LOG_DEBUG,
                                       "Password has expired "
                                       "(Password was last set: %lld, "
-                                      "the policy says it should expire here "
+                                      "it must be changed here "
                                       "%lld (now it's: %ld))\n",
                                       (long long int)last_set,
-                                      (long long int)last_set +
-                                      policy->expire,
+                                      (long long int)must_set,
                                       (long)time(NULL));
 
                        return PAM_AUTHTOK_EXPIRED;
@@ -1942,9 +1914,6 @@ static int winbind_auth_request(struct pwb_context *ctx,
        if (info && !p_info) {
                wbcFreeMemory(info);
        }
-       if (policy && !p_policy) {
-               wbcFreeMemory(policy);
-       }
 
        return ret;
 }
@@ -2741,8 +2710,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
        /* Now use the username to look up password */
        retval = winbind_auth_request(ctx, real_username, password,
                                      member, cctype, warn_pwd_expire,
-                                     NULL, NULL, NULL,
-                                     NULL, &username_ret);
+                                     NULL, NULL, NULL, &username_ret);
 
        if (retval == PAM_NEW_AUTHTOK_REQD ||
            retval == PAM_AUTHTOK_EXPIRED) {
@@ -3152,7 +3120,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                ret = winbind_auth_request(ctx, user, pass_old,
                                           NULL, NULL, 0,
-                                          &error, NULL, NULL,
+                                          &error, NULL,
                                           &pwdlastset_prelim, NULL);
 
                if (ret != PAM_ACCT_EXPIRED &&
@@ -3260,7 +3228,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                        const char *cctype = NULL;
                        int warn_pwd_expire;
                        struct wbcLogonUserInfo *info = NULL;
-                       struct wbcUserPasswordPolicyInfo *policy = NULL;
 
                        member = get_member_from_config(ctx);
                        cctype = get_krb5_cc_type_from_config(ctx);
@@ -3276,7 +3243,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                        ret = winbind_auth_request(ctx, user, pass_new,
                                                   member, cctype, 0,
-                                                  &error, &info, &policy,
+                                                  &error, &info,
                                                   NULL, &username_ret);
                        pass_old = pass_new = NULL;
 
@@ -3290,7 +3257,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                                /* warn a user if the password is about to
                                 * expire soon */
-                               _pam_warn_password_expiry(ctx, user_info, policy,
+                               _pam_warn_password_expiry(ctx, user_info,
                                                          warn_pwd_expire,
                                                          NULL, NULL);
 
@@ -3316,7 +3283,6 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                                wbcFreeMemory(info->blobs);
                        }
                        wbcFreeMemory(info);
-                       wbcFreeMemory(policy);
 
                        goto out;
                }