s3: Don't fail authentication when one or some group of require-membership-of is...
authorBo Yang <boyang@samba.org>
Wed, 14 Oct 2009 22:23:48 +0000 (06:23 +0800)
committerBo Yang <boyang@samba.org>
Mon, 19 Oct 2009 18:05:58 +0000 (02:05 +0800)
Signed-off-by: Bo Yang <boyang@samba.org>
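--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -1057,7 +1057,23 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
                                                current_name,
                                                sid_list_buffer,
                                                sid_list_buffer_size)) {
-                       goto out;
+                       /*
+                        * If one group name failed, we must not fail
+                        * the authentication totally, continue with
+                        * the following group names. If user belongs to
+                        * one of the valid groups, we must allow it
+                        * login. -- BoYang
+                        */
+
+                       _pam_log(ctx, LOG_INFO, "cannot convert group %s to sid, "
+                                "check if group %s is valid group.", current_name,
+                                current_name);
+                       _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+                                       "to sid, please contact your administrator to see "
+                                       "if group %s is valid."), current_name, current_name);
+                       SAFE_FREE(current_name);
+                       search_location = comma + 1;
+                       continue;
                }
 
                SAFE_FREE(current_name);
@@ -1073,7 +1089,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
        if (!winbind_name_to_sid_string(ctx, user, search_location,
                                        sid_list_buffer,
                                        sid_list_buffer_size)) {
-               goto out;
+               _pam_log(ctx, LOG_INFO, "cannot convert group %s to sid, "
+                        "check if group %s is valid group.", search_location,
+                        search_location);
+               _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+                               "to sid, please contact your administrator to see "
+                               "if group %s is valid."), search_location, search_location);
        }
 
        result = true;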
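Review bot: In the second hunk, a failed conversion of the last name now falls through to `result = true;`, and the first hunk skips every earlier failure with `continue`, so a require-membership-of list in which no name resolves is still reported as success. The caller is outside this hunk, but if it treats an empty SID list as "no restriction", a typo in the configured group names would turn the membership check into allow-everyone. The function should fail closed when nothing was converted, for example `if (sid_list_buffer[0] == '\0') goto out;` before `result = true;`, assuming the buffer is a NUL-terminated string that starts empty. It is also worth confirming that a failure on the final name cannot leave the list ending in a separator. Separately, the `PAM_TEXT_INFO` remark echoes the configured group name to a user who has not yet authenticated, so consider keeping that detail in the `_pam_log` line only. The body of winbind_name_list_to_sid_string_list starts and ends outside both hunks.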