Create a function out of pam_sm_close_session to delete the credentials.
authorAndreas Schneider <anschneider@suse.de>
Mon, 20 Oct 2008 14:30:45 +0000 (16:30 +0200)
committerGünther Deschner <gd@samba.org>
Tue, 21 Oct 2008 13:26:39 +0000 (15:26 +0200)
This is the way the creds should be deleted. Now we have back a
close_session function which can be used for other things.

source3/nsswitch/pam_winbind.c

index 2967770d8d0493d72b523302049af7195799fb34..1c927259e529cffe80660d204d2b845956c49281 100644 (file)
@@ -2285,6 +2285,135 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
        return talloc_asprintf(ctx, "%s\\%s", domain, name);
 }
 
        return talloc_asprintf(ctx, "%s\\%s", domain, name);
 }
 
+static int _pam_delete_cred(pam_handle_t *pamh, int flags,
+                        int argc, const char **argv)
+{
+       int retval = PAM_SUCCESS;
+       struct pwb_context *ctx = NULL;
+       struct wbcLogoffUserParams logoff;
+       struct wbcAuthErrorInfo *error = NULL;
+       const char *user;
+       wbcErr wbc_status;
+
+       retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       if (retval) {
+               goto out;
+       }
+
+       _PAM_LOG_FUNCTION_ENTER("_pam_delete_cred", ctx);
+
+       if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+
+               /* destroy the ccache here */
+
+               uint32_t wbc_flags = 0;
+               const char *ccname = NULL;
+               struct passwd *pwd = NULL;
+
+               retval = pam_get_user(pamh, &user, "Username: ");
+               if (retval) {
+                       _pam_log(ctx, LOG_ERR,
+                                "could not identify user");
+                       goto out;
+               }
+
+               if (user == NULL) {
+                       _pam_log(ctx, LOG_ERR,
+                                "username was NULL!");
+                       retval = PAM_USER_UNKNOWN;
+                       goto out;
+               }
+
+               _pam_log_debug(ctx, LOG_DEBUG,
+                              "username [%s] obtained", user);
+
+               ccname = pam_getenv(pamh, "KRB5CCNAME");
+               if (ccname == NULL) {
+                       _pam_log_debug(ctx, LOG_DEBUG,
+                                      "user has no KRB5CCNAME environment");
+               }
+
+               pwd = getpwnam(user);
+               if (pwd == NULL) {
+                       retval = PAM_USER_UNKNOWN;
+                       goto out;
+               }
+
+               wbc_flags = WBFLAG_PAM_KRB5 |
+                       WBFLAG_PAM_CONTACT_TRUSTDOM;
+
+               ZERO_STRUCT(logoff);
+
+               logoff.username         = user;
+
+               wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+                                            &logoff.blobs,
+                                            "ccfilename",
+                                            0,
+                                            (uint8_t *)ccname,
+                                            strlen(ccname)+1);
+               if (!WBC_ERROR_IS_OK(wbc_status)) {
+                       goto out;
+               }
+
+               wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+                                            &logoff.blobs,
+                                            "flags",
+                                            0,
+                                            (uint8_t *)&wbc_flags,
+                                            sizeof(wbc_flags));
+               if (!WBC_ERROR_IS_OK(wbc_status)) {
+                       goto out;
+               }
+
+               wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+                                            &logoff.blobs,
+                                            "user_uid",
+                                            0,
+                                            (uint8_t *)&pwd->pw_uid,
+                                            sizeof(pwd->pw_uid));
+               if (!WBC_ERROR_IS_OK(wbc_status)) {
+                       goto out;
+               }
+
+               wbc_status = wbcLogoffUserEx(&logoff, &error);
+               retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+                                                    user, "wbcLogoffUser");
+               wbcFreeMemory(error);
+               wbcFreeMemory(logoff.blobs);
+
+               if (!WBC_ERROR_IS_OK(wbc_status)) {
+                       _pam_log(ctx, LOG_INFO,
+                                "failed to logoff user %s: %s\n",
+                                        user, wbcErrorString(wbc_status));
+               }
+       }
+
+out:
+       if (logoff.blobs) {
+               wbcFreeMemory(logoff.blobs);
+       }
+
+       if (!WBC_ERROR_IS_OK(wbc_status)) {
+               retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+                    user, "wbcLogoffUser");
+       }
+
+       /*
+        * Delete the krb5 ccname variable from the PAM environment
+        * if it was set by winbind.
+        */
+       if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+               pam_putenv(pamh, "KRB5CCNAME");
+       }
+
+       _PAM_LOG_FUNCTION_LEAVE("_pam_delete_cred", ctx, retval);
+
+       TALLOC_FREE(ctx);
+
+       return retval;
+}
+
 PAM_EXTERN
 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                        int argc, const char **argv)
 PAM_EXTERN
 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                        int argc, const char **argv)
@@ -2461,7 +2590,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
        switch (flags & ~PAM_SILENT) {
 
                case PAM_DELETE_CRED:
        switch (flags & ~PAM_SILENT) {
 
                case PAM_DELETE_CRED:
-                       ret = pam_sm_close_session(pamh, flags, argc, argv);
+                       ret = _pam_delete_cred(pamh, flags, argc, argv);
                        break;
                case PAM_REFRESH_CRED:
                        _pam_log_debug(ctx, LOG_WARNING,
                        break;
                case PAM_REFRESH_CRED:
                        _pam_log_debug(ctx, LOG_WARNING,
@@ -2623,136 +2752,22 @@ PAM_EXTERN
 int pam_sm_close_session(pam_handle_t *pamh, int flags,
                         int argc, const char **argv)
 {
 int pam_sm_close_session(pam_handle_t *pamh, int flags,
                         int argc, const char **argv)
 {
-       int retval = PAM_SUCCESS;
+       int ret = PAM_SUCCESS;
        struct pwb_context *ctx = NULL;
        struct pwb_context *ctx = NULL;
-       struct wbcLogoffUserParams logoff;
 
 
-       retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
-       if (retval) {
+       ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+       if (ret) {
                goto out;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
 
                goto out;
        }
 
        _PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
 
-       if (!(flags & PAM_DELETE_CRED)) {
-               retval = PAM_SUCCESS;
-               goto out;
-       }
-
-       if (ctx->ctrl & WINBIND_KRB5_AUTH) {
-
-               /* destroy the ccache here */
-
-               wbcErr wbc_status;
-               struct wbcAuthErrorInfo *error = NULL;
-
-               uint32_t flags = 0;
-               const char *user;
-               const char *ccname = NULL;
-               struct passwd *pwd = NULL;
-
-               retval = pam_get_user(pamh, &user, "Username: ");
-               if (retval) {
-                       _pam_log(ctx, LOG_ERR,
-                                "could not identify user");
-                       goto out;
-               }
-
-               if (user == NULL) {
-                       _pam_log(ctx, LOG_ERR,
-                                "username was NULL!");
-                       retval = PAM_USER_UNKNOWN;
-                       goto out;
-               }
-
-               _pam_log_debug(ctx, LOG_DEBUG,
-                              "username [%s] obtained", user);
-
-               ccname = pam_getenv(pamh, "KRB5CCNAME");
-               if (ccname == NULL) {
-                       _pam_log_debug(ctx, LOG_DEBUG,
-                                      "user has no KRB5CCNAME environment");
-               }
-
-               pwd = getpwnam(user);
-               if (pwd == NULL) {
-                       retval = PAM_USER_UNKNOWN;
-                       goto out;
-               }
-
-               flags = WBFLAG_PAM_KRB5 |
-                       WBFLAG_PAM_CONTACT_TRUSTDOM;
-
-               ZERO_STRUCT(logoff);
-
-               logoff.username         = user;
-
-               wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-                                            &logoff.blobs,
-                                            "ccfilename",
-                                            0,
-                                            (uint8_t *)ccname,
-                                            strlen(ccname)+1);
-               if (!WBC_ERROR_IS_OK(wbc_status)) {
-                       goto out;
-               }
-
-               wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-                                            &logoff.blobs,
-                                            "flags",
-                                            0,
-                                            (uint8_t *)&flags,
-                                            sizeof(flags));
-               if (!WBC_ERROR_IS_OK(wbc_status)) {
-                       goto out;
-               }
-
-               wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-                                            &logoff.blobs,
-                                            "user_uid",
-                                            0,
-                                            (uint8_t *)&pwd->pw_uid,
-                                            sizeof(pwd->pw_uid));
-               if (!WBC_ERROR_IS_OK(wbc_status)) {
-                       goto out;
-               }
-
-               wbc_status = wbcLogoffUserEx(&logoff, &error);
-               retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
-                                                    user, "wbcLogoffUser");
-               wbcFreeMemory(error);
-               wbcFreeMemory(logoff.blobs);
-
-               if (!WBC_ERROR_IS_OK(wbc_status)) {
-                       _pam_log(ctx, LOG_INFO,
-                                "failed to logoff user %s: %s\n",
-                                        user, wbcErrorString(wbc_status));
-               }
-       }
-
 out:
 out:
-       if (logoff.blobs) {
-               wbcFreeMemory(logoff.blobs);
-       }
-
-       if (!WBC_ERROR_IS_OK(wbc_status)) {
-               retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
-                    user, "wbcLogoffUser");
-       }
-
-       /*
-        * Delete the krb5 ccname variable from the PAM environment
-        * if it was set by winbind.
-        */
-       if (ctx->ctrl & WINBIND_KRB5_AUTH) {
-               pam_putenv(pamh, "KRB5CCNAME");
-       }
-
-       _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
+       _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, ret);
 
        TALLOC_FREE(ctx);
 
 
        TALLOC_FREE(ctx);
 
-       return retval;
+       return ret;
 }
 
 /**
 }
 
 /**