The branch, master has been updated
via 01c8631 pam: strip trailing whitespaces in pam_winbind.c
via 69f1008 pam: map more NT password errors to PAM errors
from dcd4fed talloc: Add tests for talloc destructor behaviour after
talloc_realloc()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 01c8631df5ec998f6eaab09af300842412c33da4
Author: Björn Jacke <[email protected]>
Date: Tue Dec 13 09:00:58 2016 +0100
pam: strip trailing whitespaces in pam_winbind.c
Signed-off-by: Bjoern Jacke <[email protected]>
Reviewed-by: Karolin Seeger <[email protected]>
Autobuild-User(master): Björn Jacke <[email protected]>
Autobuild-Date(master): Tue Dec 13 18:01:21 CET 2016 on sn-devel-144
commit 69f10080c3765a9b139fbad7f3dc633066fdded2
Author: Björn Jacke <[email protected]>
Date: Wed Nov 25 14:04:24 2015 +0100
pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT
now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which
is
the closest match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <[email protected]>
Reviewed by: Jeremy Allison <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/pam_errors.c | 6 +++++-
nsswitch/pam_winbind.c | 15 ++++++++++-----
2 files changed, 15 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+ {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
- {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+ {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 42c4f8e..40f4f7a 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -12,7 +12,7 @@
#include "pam_winbind.h"
-enum pam_winbind_request_type
+enum pam_winbind_request_type
{
PAM_WINBIND_AUTHENTICATE,
PAM_WINBIND_SETCRED,
@@ -490,12 +490,12 @@ config_from_pam:
else if (!strcasecmp(*v, "unknown_ok"))
ctrl |= WINBIND_UNKNOWN_OK_ARG;
else if ((type == PAM_WINBIND_AUTHENTICATE
- || type == PAM_WINBIND_SETCRED)
+ || type == PAM_WINBIND_SETCRED)
&& !strncasecmp(*v, "require_membership_of",
strlen("require_membership_of")))
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
- else if ((type == PAM_WINBIND_AUTHENTICATE
- || type == PAM_WINBIND_SETCRED)
+ else if ((type == PAM_WINBIND_AUTHENTICATE
+ || type == PAM_WINBIND_SETCRED)
&& !strncasecmp(*v, "require-membership-of",
strlen("require-membership-of")))
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
@@ -775,6 +775,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
return PAM_IGNORE;
}
return retval;
+ case PAM_AUTHTOK_ERR:
+ /* Authentication token manipulation error */
+ _pam_log(ctx, LOG_WARNING, "user `%s' authentication token
change failed "
+ "(pwd complexity/history/min_age not met?)", user);
+ return retval;
case PAM_SUCCESS:
/* Otherwise, the authentication looked good */
if (strcmp(fn, "wbcLogonUser") == 0) {
@@ -2497,7 +2502,7 @@ static char* winbind_upn_to_username(struct pwb_context
*ctx,
}
static int _pam_delete_cred(pam_handle_t *pamh, int flags,
- int argc, enum pam_winbind_request_type type,
+ int argc, enum pam_winbind_request_type type,
const char **argv)
{
int retval = PAM_SUCCESS;
--
Samba Shared Repository
