Updates to winbind's PAM client and server - make the debug logs
authorAndrew Bartlett <abartlet@samba.org>
Sat, 26 Oct 2002 00:55:14 +0000 (00:55 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 26 Oct 2002 00:55:14 +0000 (00:55 +0000)
work a bit better for password changing.

Andrew Bartlett

source/nsswitch/pam_winbind.c
source/nsswitch/winbindd_pam.c

index f95caefb4cd409fd63ba20666ff5f7ca06939f64..7d0353664f26172c89ad49c6a0eb170b1ce5b1bc 100644 (file)
@@ -134,22 +134,15 @@ static int pam_winbind_request(enum winbindd_cmd req_type,
        return PAM_SUCCESS;
 }
 
-/* talk to winbindd */
-static int winbind_auth_request(const char *user, const char *pass, int ctrl)
+static int pam_winbind_request_log(enum winbindd_cmd req_type,
+                              struct winbindd_request *request,
+                              struct winbindd_response *response,
+                                  int ctrl,
+                                  const char *user)
 {
-       struct winbindd_request request;
-       struct winbindd_response response;
        int retval;
 
-       ZERO_STRUCT(request);
-
-       strncpy(request.data.auth.user, user, 
-                sizeof(request.data.auth.user)-1);
-
-       strncpy(request.data.auth.pass, pass, 
-                sizeof(request.data.auth.pass)-1);
-       
-        retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response);
+        retval = pam_winbind_request(req_type, request, response);
 
        switch (retval) {
        case PAM_AUTH_ERR:
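Review bot: The new helper `pam_winbind_request_log` has no header comment, and the `/* talk to winbindd */` line that stood here is removed. Since it is now the single point where both authentication and password-change results are logged, I would add something like `/* Send req_type to winbindd and log the outcome for 'user'; returns the PAM code from pam_winbind_request() unchanged. */` above the signature. The comment could also say what `ctrl` is used for, since its use falls in the part of the switch that is outside this hunk. The continuation lines of the parameter list are indented to two different columns and could be aligned while here.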
@@ -178,8 +171,16 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
                }        
                return retval;
        case PAM_SUCCESS:
-               /* Otherwise, the authentication looked good */
-               _pam_log(LOG_NOTICE, "user '%s' granted acces", user);
+               if (req_type == WINBINDD_PAM_AUTH) {
+                       /* Otherwise, the authentication looked good */
+                       _pam_log(LOG_NOTICE, "user '%s' granted acces", user);
+               } else if (req_type == WINBINDD_PAM_CHAUTHTOK) {
+                       /* Otherwise, the authentication looked good */
+                       _pam_log(LOG_NOTICE, "user '%s' password changed", user);
+               } else { 
+                       /* Otherwise, the authentication looked good */
+                       _pam_log(LOG_NOTICE, "user '%s' OK", user);
+               }
                return retval;
        default:
                /* we don't know anything about this return value */
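Review bot: The comment `/* Otherwise, the authentication looked good */` was copied into the `WINBINDD_PAM_CHAUTHTOK` and fallback branches of `case PAM_SUCCESS:`, where it no longer describes the code. Anyone auditing the logging path will read the password-change branch as an authentication success. I would replace it with `/* winbindd accepted the password change */` in the second branch and `/* any other request type that succeeded */` in the third. The existing message `"user '%s' granted acces"` keeps its misspelling; if it is corrected, check first that no log-matching rules depend on the current text. The switch continues outside this hunk on both sides.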
@@ -187,12 +188,29 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
                         retval, user);
                return retval;
        }
-     /* should not be reached */
+}
+
+/* talk to winbindd */
+static int winbind_auth_request(const char *user, const char *pass, int ctrl)
+{
+       struct winbindd_request request;
+       struct winbindd_response response;
+
+       ZERO_STRUCT(request);
+
+       strncpy(request.data.auth.user, user, 
+                sizeof(request.data.auth.user)-1);
+
+       strncpy(request.data.auth.pass, pass, 
+                sizeof(request.data.auth.pass)-1);
+       
+       
+        return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
 }
 
 /* talk to winbindd */
 static int winbind_chauthtok_request(const char *user, const char *oldpass,
-                                     const char *newpass)
+                                     const char *newpass, int ctrl)
 {
        struct winbindd_request request;
        struct winbindd_response response;
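Review bot: `winbind_auth_request` copies the cleartext password into the stack-local `request` and returns straight from `pam_winbind_request_log(...)`, so that copy is never wiped. The caller `pam_sm_chauthtok` in this same file scrubs `pass_new` and `pass_old` with `_pam_overwrite()`, so the module clearly intends secrets not to linger in memory. I would keep the result in a local and scrub before returning: `retval = pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);` then `_pam_overwrite(request.data.auth.pass);` then `return retval;`. The same applies to the password fields of `request` in `winbind_chauthtok_request`, whose return statement is in the next hunk. Separately, both `strncpy` calls truncate silently, so an over-long `user` is sent to winbindd shortened while the log line prints the full name; rejecting over-long input up front would keep the two consistent.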
@@ -218,7 +236,7 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass,
             request.data.chauthtok.newpass[0] = '\0';
         }
        
-        return pam_winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response);
+        return pam_winbind_request_log(WINBINDD_PAM_CHAUTHTOK, &request, &response, ctrl, user);
 }
 
 /*
@@ -665,7 +683,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 * rebuild the password database file.
                 */
 
-               retval = winbind_chauthtok_request(user, pass_old, pass_new);
+               retval = winbind_chauthtok_request(user, pass_old, pass_new, ctrl);
                _pam_overwrite(pass_new);
                _pam_overwrite(pass_old);
                pass_old = pass_new = NULL;
index 3e7a8ad97139fada6e6423df24b476a09e67846f..969cf272a37f6d1acc93bf69421257029bb2294c 100644 (file)
@@ -354,5 +354,12 @@ done:
        fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
        state->response.data.auth.pam_error = nt_status_to_pam(result);
 
+       DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
+             ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n", 
+              domain,
+              user,
+              state->response.data.auth.nt_status_string,
+              state->response.data.auth.pam_error));         
+
        return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
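Review bot: The new `DEBUG` call sits after the `done:` label and prints `domain` and `user`, so it runs on every path that jumps there, including any early failure taken before those buffers are filled. The code that fills them is outside this hunk, so please confirm both are initialised on every path; if they are not, the log line would print indeterminate stack contents. Emptying both where they are declared would make that safe, with a note such as `/* domain and user are logged at done:, so they must be valid on every exit path */`. The names presumably come from the client request, so it is also worth checking that the log sink escapes control characters, since failures are written at level 2. Finally, `nt_status_string` is read here but only `error_string` and `pam_error` are set in the visible context, so verify that it is assigned before `done:`.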