samba/samba-3.0.24-pam_winbind-fixes.patch

------------------------------------------------------------------------
r21143 | gd | 2007-02-05 15:34:12 +0100 (Mon, 05 Feb 2007) | 7 lines

Fix wrong check for pam error codes for getpwnam and lookup winbind
requests in pam_winbind (Bug #4094).

Inspired by fix from Lars Heete.

Guenther

------------------------------------------------------------------------
Index: source/nsswitch/pam_winbind.c
===================================================================
--- source/nsswitch/pam_winbind.c	(revision 21142)
+++ source/nsswitch/pam_winbind.c	(revision 21143)
@@ -444,21 +444,34 @@ static int pam_winbind_request(pam_handl
 	close_sock();
 
 	/* Copy reply data from socket */
-	if (response->result != WINBINDD_OK) {
-		if (response->data.auth.pam_error != PAM_SUCCESS) {
-			_pam_log(LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s", 
-				 response->data.auth.error_string,
-				 pam_strerror(pamh, response->data.auth.pam_error),
-				 response->data.auth.pam_error,
-				 response->data.auth.nt_status_string);
-			return response->data.auth.pam_error;
-		} else {
-			_pam_log(LOG_ERR, "request failed, but PAM error 0!");
-			return PAM_SERVICE_ERR;
-		}
+	if (response->result == WINBINDD_OK) {
+		return PAM_SUCCESS;
 	}
 
-	return PAM_SUCCESS;
+	/* no need to check for pam_error codes for getpwnam() */
+	switch (req_type) {
+
+		case WINBINDD_GETPWNAM:
+		case WINBINDD_LOOKUPNAME:
+			_pam_log(LOG_ERR, "request failed: %s, NT error was %s", 
+				response->data.auth.nt_status_string);
+			return PAM_USER_UNKNOWN;
+		default:
+			break;
+	}
+
+	if (response->data.auth.pam_error != PAM_SUCCESS) {
+		_pam_log(LOG_ERR, "request failed: %s, PAM error was %s (%d), NT error was %s", 
+			 response->data.auth.error_string,
+			 pam_strerror(pamh, response->data.auth.pam_error),
+			 response->data.auth.pam_error,
+			 response->data.auth.nt_status_string);
+		return response->data.auth.pam_error;
+	} 
+	
+	_pam_log(LOG_ERR, "request failed, but PAM error 0!");
+
+	return PAM_SERVICE_ERR;
 }
 
 static int pam_winbind_request_log(pam_handle_t * pamh,
------------------------------------------------------------------------
r21310 | gd | 2007-02-13 12:04:10 +0100 (Tue, 13 Feb 2007) | 4 lines

Fix invalid printfs in pam_winbind.

Guenther

------------------------------------------------------------------------
Index: source/nsswitch/pam_winbind.c
===================================================================
--- source/nsswitch/pam_winbind.c	(revision 21309)
+++ source/nsswitch/pam_winbind.c	(revision 21310)
@@ -461,8 +461,12 @@ static int pam_winbind_request(pam_handl
 
 		case WINBINDD_GETPWNAM:
 		case WINBINDD_LOOKUPNAME:
-			_pam_log(LOG_ERR, "request failed: %s, NT error was %s", 
+			if (strlen(response->data.auth.nt_status_string) > 0) {
+				_pam_log(LOG_ERR, "request failed, NT error was %s", 
 				response->data.auth.nt_status_string);
+			} else {
+				_pam_log(LOG_ERR, "request failed");
+			}
 			return PAM_USER_UNKNOWN;
 		default:
 			break;
@@ -518,15 +522,19 @@ static int pam_winbind_request_log(pam_h
 		}	 
 		return retval;
 	case PAM_SUCCESS:
-		if (req_type == WINBINDD_PAM_AUTH) {
-			/* Otherwise, the authentication looked good */
-			_pam_log(LOG_NOTICE, "user '%s' granted access", user);
-		} else if (req_type == WINBINDD_PAM_CHAUTHTOK) {
-			/* Otherwise, the authentication looked good */
-			_pam_log(LOG_NOTICE, "user '%s' password changed", user);
-		} else { 
-			/* Otherwise, the authentication looked good */
-			_pam_log(LOG_NOTICE, "user '%s' OK", user);
+		/* Otherwise, the authentication looked good */
+		switch (req_type) {
+			case WINBINDD_INFO:
+				break;
+			case WINBINDD_PAM_AUTH:
+				_pam_log(LOG_NOTICE, "user '%s' granted access", user);
+				break;
+			case WINBINDD_PAM_CHAUTHTOK:
+				_pam_log(LOG_NOTICE, "user '%s' password changed", user);
+				break;
+			default:
+				_pam_log(LOG_NOTICE, "user '%s' OK", user);
+				break;
 		}
 	
 		return retval;