Package: winbind Version: 3.0.5-1mtech Followup-For: Bug #258302
I've attached a patch that I submitted to bugzilla.samba.org back in February. I've been running with this patch since then, and everything is working fine. -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.11-ruby Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages winbind depends on: ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libcomerr2 1.37-2sarge1 common error description library ii libkrb53 1.3.6-2sarge2 MIT Kerberos runtime libraries ii libldap2 2.1.30-8 OpenLDAP libraries ii libpam0g 0.76-22 Pluggable Authentication Modules l ii libpopt0 1.7-5 lib for parsing cmdline parameters ii libssl0.9.6 0.9.6m-1 SSL shared libraries (old version) -- no debconf information
--- samba/source/nsswitch/pam_winbind.c Sun Apr 4 00:37:18 2004
+++ samba.mtech/source/nsswitch/pam_winbind.c Tue Jul 13 10:30:41 2004
@@ -420,6 +420,7 @@
 const char *username;
 const char *password;
 int retval = PAM_AUTH_ERR;
+ static char buf[256] = {0};
 /* parse arguments */
 int ctrl = _pam_parse(argc, argv);
@@ -454,7 +455,23 @@
 }
 /* Now use the username to look up password */
- return winbind_auth_request(username, password, ctrl);
+ retval = winbind_auth_request(username, password, ctrl);
+
+ sprintf(buf, "%d", retval);
+ if(pam_set_data(pamh, "winbind_auth_retval", buf, NULL) != PAM_SUCCESS) {
+ _pam_log(LOG_WARNING, "pam_sm_authenticate return code %d cannot be saved for pam_sm_acct_mgmt", retval);
+ return PAM_BAD_ITEM;
+ }
+ switch (retval) {
+ case PAM_AUTHTOK_EXPIRED:
+ _pam_log(LOG_WARNING, "pam_sm_authenticate would return PAM_AUTHTOK_EXPIRED, returning PAM_SUCCESS instead");
+ return PAM_SUCCESS;
+ case PAM_NEW_AUTHTOK_REQD:
+ _pam_log(LOG_WARNING, "pam_sm_authenticate would return PAM_NEW_AUTHTOK_REQD, returning PAM_SUCCESS instead");
+ return PAM_SUCCESS;
+ default:
+ return retval;
+ }
 }
 PAM_EXTERN
@@ -474,6 +491,7 @@
 {
 const char *username;
 int retval = PAM_USER_UNKNOWN;
+ char *ptr = NULL;
 /* parse arguments */
 int ctrl = _pam_parse(argc, argv);
@@ -503,7 +521,7 @@
 case 0:
 /* Otherwise, the authentication looked good */
 _pam_log(LOG_NOTICE, "user '%s' granted acces", username);
- return PAM_SUCCESS;
+ break;
 default:
 /* we don't know anything about this return value */
 _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'",
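Review bot: The `static char buf[256]` added in this first hunk is the object whose address the next hunk hands to `pam_set_data(pamh, "winbind_auth_retval", buf, NULL)`, so every PAM handle in the process ends up pointing at the same bytes. If a second authentication runs in the same process before the first handle reaches pam_sm_acct_mgmt, the stored "expired" code can be overwritten with another user's result, and the expiry check would then pass. The value should be a per-handle heap copy with a cleanup callback, written with a bounded `snprintf`, as sketched below. The function body begins and continues outside this hunk.

```c
/* cleanup handler for the per-handle copy stored with pam_set_data() */
static void winbind_free_retval(pam_handle_t *pamh, void *data, int error_status)
{
	free(data);
}

/* … unchanged: pam_sm_authenticate signature, username and password lookup … */
	char *saved;	/* replaces: static char buf[256] */

	retval = winbind_auth_request(username, password, ctrl);

	saved = malloc(16);
	if (saved == NULL)
		return PAM_BUF_ERR;
	snprintf(saved, 16, "%d", retval);
	if (pam_set_data(pamh, "winbind_auth_retval", saved, winbind_free_retval) != PAM_SUCCESS) {
		free(saved);
		/* … unchanged: _pam_log warning … */
		return PAM_BAD_ITEM;
	}
/* … unchanged: switch on retval … */
```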
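Review bot: Returning `PAM_SUCCESS` from pam_sm_authenticate for `PAM_AUTHTOK_EXPIRED` and `PAM_NEW_AUTHTOK_REQD` makes password expiry depend entirely on this module's pam_sm_acct_mgmt running later on the same handle. A service whose PAM configuration has no `account` entry for pam_winbind, or an application that never calls pam_acct_mgmt, would presumably accept an expired password after this change. The new switch should carry a comment stating that dependency, for example `/* expiry is enforced in pam_sm_acct_mgmt; the account stack must include pam_winbind */`, and the same requirement belongs in the module's documentation. Making the deferral opt-in through a module argument parsed by `_pam_parse` would keep existing auth-only configurations fail-closed.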
@@ -511,6 +529,23 @@
 return PAM_SERVICE_ERR;
 }
+ if( pam_get_data(pamh, "winbind_auth_retval", (const void **)&ptr) != PAM_SUCCESS ) {
+ _pam_log(LOG_WARNING, "pam_sm_acct_mgmt cannot retrieve pam_sm_authenticate return value");
+ return retval;
+ }
+
+ retval = atoi( ptr );
+ switch (retval) {
+ case PAM_AUTHTOK_EXPIRED:
+ _pam_log(LOG_WARNING, "pam_sm_acct_mgmt would return PAM_AUTHTOK_EXPIRED");
+ /* fall through, since new token is required in this case */
+ case PAM_NEW_AUTHTOK_REQD:
+ _pam_log(LOG_WARNING, "pam_sm_acct_mgmt returning PAM_NEW_AUTHTOK_REQD");
+ return retval;
+ default:
+ return PAM_SUCCESS;
+ }
+
 /* should not be reached */
 return PAM_IGNORE;
 }
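Review bot: The fall-through from `case PAM_AUTHTOK_EXPIRED:` ends at `return retval;`, so the function still returns `PAM_AUTHTOK_EXPIRED` even though the comment and the log line both say `PAM_NEW_AUTHTOK_REQD` is returned. If the intent is to make the application prompt for a password change, that line should read `return PAM_NEW_AUTHTOK_REQD;`. Separately, `atoi( ptr )` gives no way to tell a malformed or empty string from a stored `0`, and the `default:` branch maps that to `PAM_SUCCESS`. Parsing with `strtol` and returning `PAM_SERVICE_ERR` on a parse failure would keep this path fail-closed. The body of pam_sm_acct_mgmt starts outside this hunk.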