Hello community, here is the log from the commit of package pam_csync checked in at Tue Oct 28 18:11:38 CET 2008. -------- --- pam_csync/pam_csync.changes 2008-09-10 11:37:21.000000000 +0200 +++ /mounts/work_src_done/STABLE/pam_csync/pam_csync.changes 2008-10-28 12:53:54.000000000 +0100 @@ -1,0 +2,9 @@ +Tue Oct 28 12:07:10 CET 2008 - anschneider@suse.de + +- update to version 0.42.0 beta2 + + Improved debugging output + + Fixed some PAM problems introduce by buggy gdm, su, openssh + + Fixed kerberos support + + Code cleanups + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- pam_csync-0.41.93.tar.bz2 New: ---- pam_csync-0.41.94.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_csync.spec ++++++ --- /var/tmp/diff_new_pack.DU7880/_old 2008-10-28 18:09:42.000000000 +0100 +++ /var/tmp/diff_new_pack.DU7880/_new 2008-10-28 18:09:42.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package pam_csync (Version 0.41.93) +# spec file for package pam_csync (Version 0.41.94) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -22,7 +22,7 @@ BuildRequires: cmake libcsync-devel libiniparser-devel pam-devel License: GPL v2 or later Group: System/Libraries -Version: 0.41.93 +Version: 0.41.94 Release: 1 Summary: A PAM module for roaming home directories Url: http://www.csync.org/ 
@@ -73,12 +73,19 @@ %files %defattr(-,root,root) +%doc COPYING FAQ README /%{_lib}/security/pam_csync.so %dir %{_sysconfdir}/security %config(noreplace) %{_sysconfdir}/security/pam_csync.conf %{_mandir}/man?/pam_csync.* %changelog +* Tue Oct 28 2008 anschneider@suse.de +- update to version 0.42.0 beta2 + + Improved debugging output + + Fixed some PAM problems introduce by buggy gdm, su, openssh + + Fixed kerberos support + + Code cleanups * Wed Sep 10 2008 anschneider@suse.de - update to version 0.42.0 beta1 + Fixed return codes of the forked child process ++++++ pam_csync-0.41.93.tar.bz2 -> pam_csync-0.41.94.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/ChangeLog new/pam_csync-0.41.94/ChangeLog --- old/pam_csync-0.41.93/ChangeLog 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/ChangeLog 2008-10-27 16:09:41.000000000 +0100 @@ -1,6 +1,13 @@ ChangeLog ========== +version 0.42.0 beta2 (released 2008-10-28) + + * Improved debugging output + * Fixed some PAM problems introduce by buggy gdm, su, openssh + * Fixed kerberos support + * Code cleanups + version 0.42.0 beta1 (released 2008-09-10) * Fixed return codes of the forked child process diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/config/pam_csync.conf new/pam_csync-0.41.94/config/pam_csync.conf --- old/pam_csync-0.41.93/config/pam_csync.conf 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/config/pam_csync.conf 2008-10-27 16:09:41.000000000 +0100 
@@ -16,11 +16,11 @@ # the PAM configuration files (/etc/pam.d/), it will have to ask for a # password. This is also the case if pam_mount is the first auth module # in the block. -msg_authpw = "pam_mount password: " +msg_authpw = "pam_csync password: " # In case the 'session' PAM block does not have the password (e.g. on su # from root to user), it will ask again. -msg_sessionpw = "reenter password for pam_mount: " +msg_sessionpw = "reenter password for pam_csync: " # exclude list for the users we should not synchronize the home # directory. diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/CPackConfig.cmake new/pam_csync-0.41.94/CPackConfig.cmake --- old/pam_csync-0.41.93/CPackConfig.cmake 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/CPackConfig.cmake 2008-10-27 16:09:41.000000000 +0100 @@ -13,7 +13,7 @@ ### versions set(CPACK_PACKAGE_VERSION_MAJOR "0") set(CPACK_PACKAGE_VERSION_MINOR "41") -set(CPACK_PACKAGE_VERSION_PATCH "93") +set(CPACK_PACKAGE_VERSION_PATCH "94") set(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}") set(CPACK_GENERATOR "TGZ") diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/doc/pam_csync.txt new/pam_csync-0.41.94/doc/pam_csync.txt --- old/pam_csync-0.41.93/doc/pam_csync.txt 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/doc/pam_csync.txt 2008-10-27 16:09:41.000000000 +0100 @@ -116,6 +116,11 @@ *silent*:: Don't print any logging messages. +TROUBLESHOOTING +--------------- + +Read the FAQ shipped with pam_csync. + BUGS ---- diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/FAQ new/pam_csync-0.41.94/FAQ --- old/pam_csync-0.41.93/FAQ 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_csync-0.41.94/FAQ 2008-10-27 16:09:41.000000000 +0100 
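Review bot: The two prompt strings are corrected from pam_mount to pam_csync, but the comment directly above `msg_authpw` still says "This is also the case if pam_mount is the first auth module in the block", which presumably was meant to describe pam_csync itself; change that line to `# password. This is also the case if pam_csync is the first auth module`. Note also that the spec marks this file `%config(noreplace)`, so existing installations keep the old "pam_mount password: " prompts unless the admin merges the new defaults — worth a mention in the changelog entry.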
@@ -0,0 +1,59 @@ + Frequently asked questions + ========================== + + +----------------------------------------------------------------------- + +Q. What does the following error mean: pam_csync: error trying to + +A. This often means that the pam_csync module was not executed as an + auth type module. This error is usually due to a misconfigured auth + PAM stack (/etc/pam.d/<service>). For example, if you use an auth + PAM module configured with the control flag of sufficient, then + pam_csync needs to be executed before it. + +----------------------------------------------------------------------- + +Q. Why does pam_csync not work right with OpenSSH? + +A. As of version 3.3, sshd has a feature called privilege separation + that is incompatible with PAM modules needing root privileges. In + addition, OpenSSH does not use PAM by default. OpenSSH before 4.9 + does not properly deal with PAM. See bugs.txt. + + [...] + + Finally, Darren Tucker has explained: + + OK, here is what is happening: sshd forks when doing + challenge-response authentication, and the pam_authenticate + call happens in the child (the authentication "thread", + although it is normally a process). + + This, BTW, is because pam_authenticate blocks while waiting for + responses from the conversation function. In sshd this blocking + means that the dispatch loop (which is needed to communicate + with the user) is not running until pam_authenticate completes, + but it cannot complete until because the dispatch loop is not + running. Another process is used to prevent this deadlock. + + It would appear that pam_csync relies on either module-private + data set during the pam_authenticate or the PAM_AUTHTOK item, + both of which are lost when the the authentication "thread" + exits. pam_csync goes looking for them during session + initialization in order to authenticate to the SMB server, + cannot get them and fails. 
+ + Since you have OpenSSH 3.9p1, you can set + "ChallengeResponseAuthentication no" and + "PasswordAuthentication yes" in sshd_config and it ought to + work (with or without privsep). + + If you absolutely *must* have challenge-response authentication + then you can build OpenSSH with the pthread hack, but this it + not recommended. + + If you have trouble with it not dismounting then you will need + to apply the patch in this bug (this one only works with + privsep=no, and I cannot see a good way to fix this for the + general case): http://bugzilla.mindrot.org/show_bug.cgi?id=926 diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/src/config.c new/pam_csync-0.41.94/src/config.c --- old/pam_csync-0.41.93/src/config.c 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/src/config.c 2008-10-27 16:09:41.000000000 +0100 @@ -27,6 +27,7 @@ #include "cstdlib.h" void config_init(config_t *c) { + c->krb5_set = 0; c->uri = NULL; c->user = NULL; c->msg_authpw = c_strdup("pam_csync password: "); diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/src/config.h new/pam_csync-0.41.94/src/config.h --- old/pam_csync-0.41.93/src/config.h 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/src/config.h 2008-10-27 16:09:41.000000000 +0100 @@ -24,6 +24,7 @@ #define _P_CONIFG_H typedef struct config_s { + int krb5_set; char *uri; char *user; char *msg_authpw; diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_csync-0.41.93/src/pam_csync.c new/pam_csync-0.41.94/src/pam_csync.c --- old/pam_csync-0.41.93/src/pam_csync.c 2008-09-10 11:35:02.000000000 +0200 +++ new/pam_csync-0.41.94/src/pam_csync.c 2008-10-27 16:09:41.000000000 +0100 
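Review bot: The new `krb5_set` field in `config_s` has no comment, and its meaning changed relative to the local `krb5_set` it replaces in pam_csync.c (the old local recorded whether KRB5CCNAME was already present in the environment; the new field is set to 1 only after the module itself exported the cache name with `setenv`). Document it at the declaration, e.g. `int krb5_set; /* 1 once KRB5CCNAME has been exported to the environment for csync */`, so the `unsetenv` in pam_sm_close_session that keys on it can be checked against the intent.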
@@ -63,6 +63,104 @@
 config_t pc_config;
 args_t pc_args;
+static const char *_pam_error_code_str(int err) {
+ switch (err) {
+ case PAM_SUCCESS:
+ return "PAM_SUCCESS";
+ case PAM_OPEN_ERR:
+ return "PAM_OPEN_ERR";
+ case PAM_SYMBOL_ERR:
+ return "PAM_SYMBOL_ERR";
+ case PAM_SERVICE_ERR:
+ return "PAM_SERVICE_ERR";
+ case PAM_SYSTEM_ERR:
+ return "PAM_SYSTEM_ERR";
+ case PAM_BUF_ERR:
+ return "PAM_BUF_ERR";
+ case PAM_PERM_DENIED:
+ return "PAM_PERM_DENIED";
+ case PAM_AUTH_ERR:
+ return "PAM_AUTH_ERR";
+ case PAM_CRED_INSUFFICIENT:
+ return "PAM_CRED_INSUFFICIENT";
+ case PAM_AUTHINFO_UNAVAIL:
+ return "PAM_AUTHINFO_UNAVAIL";
+ case PAM_USER_UNKNOWN:
+ return "PAM_USER_UNKNOWN";
+ case PAM_MAXTRIES:
+ return "PAM_MAXTRIES";
+ case PAM_NEW_AUTHTOK_REQD:
+ return "PAM_NEW_AUTHTOK_REQD";
+ case PAM_ACCT_EXPIRED:
+ return "PAM_ACCT_EXPIRED";
+ case PAM_SESSION_ERR:
+ return "PAM_SESSION_ERR";
+ case PAM_CRED_UNAVAIL:
+ return "PAM_CRED_UNAVAIL";
+ case PAM_CRED_EXPIRED:
+ return "PAM_CRED_EXPIRED";
+ case PAM_CRED_ERR:
+ return "PAM_CRED_ERR";
+ case PAM_NO_MODULE_DATA:
+ return "PAM_NO_MODULE_DATA";
+ case PAM_CONV_ERR:
+ return "PAM_CONV_ERR";
+ case PAM_AUTHTOK_ERR:
+ return "PAM_AUTHTOK_ERR";
+ case PAM_AUTHTOK_RECOVERY_ERR:
+ return "PAM_AUTHTOK_RECOVERY_ERR";
+ case PAM_AUTHTOK_LOCK_BUSY:
+ return "PAM_AUTHTOK_LOCK_BUSY";
+ case PAM_AUTHTOK_DISABLE_AGING:
+ return "PAM_AUTHTOK_DISABLE_AGING";
+ case PAM_TRY_AGAIN:
+ return "PAM_TRY_AGAIN";
+ case PAM_IGNORE:
+ return "PAM_IGNORE";
+ case PAM_ABORT:
+ return "PAM_ABORT";
+ case PAM_AUTHTOK_EXPIRED:
+ return "PAM_AUTHTOK_EXPIRED";
+ case PAM_MODULE_UNKNOWN:
+ return "PAM_MODULE_UNKNOWN";
+ case PAM_BAD_ITEM:
+ return "PAM_BAD_ITEM";
+ case PAM_CONV_AGAIN:
+ return "PAM_CONV_AGAIN";
+ case PAM_INCOMPLETE:
+ return "PAM_INCOMPLETE";
+ default:
+ return NULL;
+ }
+}
+
+static void pc_enter_function_log(pam_handle_t *pamh, const char *function) {
+ const void *item = NULL;
+ const char *service = "unkown";
+
+
pam_get_item(pamh, PAM_SERVICE, &item); + if (item != NULL) { + service = (const char *) item; + } + + pc_log("ENTER: %s called by %s, pamh: %p, pid: %d\n", + function, service, pamh, getpid()); +} + +static void pc_leave_function_log(pam_handle_t *pamh, const char *function, + int retval) { + const void *item = NULL; + const char *service = "unkown"; + + pam_get_item(pamh, PAM_SERVICE, &item); + if (item != NULL) { + service = (const char *) item; + } + + pc_log("LEAVE: %s called by %s, retval: %s (%d)\n", + function, service, _pam_error_code_str(retval), retval); +} + /* cleanup functions */ static void _cleanup_authtok(pam_handle_t *pamh, void *data, int err) { assert(pamh != NULL); @@ -157,7 +255,7 @@ */ rc = pam_get_user(pamh, &pam_user, NULL); if (rc != PAM_SUCCESS) { - pc_log("could not get user\n"); + pc_log("ERROR: could not get user\n"); /* * do NOT return PAM_SERVICE_ERR or root will not be able to * su to other users. @@ -180,7 +278,7 @@ static int _pam_converse(pam_handle_t *pamh, int nargs, const struct pam_message **message, struct pam_response **resp) { int rc; - const void *item; + const void *item = NULL; struct pam_conv *conv = NULL; assert(pamh != NULL); 
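Review bot: `_pam_error_code_str` returns NULL for any code not in its switch, and `pc_leave_function_log` passes that result straight to a `%s` conversion, which is undefined behaviour in C (glibc happens to print "(null)", but nothing guarantees it); the default branch should return a string, `default: return "UNKNOWN";`. The fallback service name `"unkown"` in both new log helpers is misspelled and should read `"unknown"`. Both helpers also discard the return value of `pam_get_item`, which works because `item` stays NULL on failure, but a one-line comment such as `/* item stays NULL on failure; keep the default service name */` would make that deliberate. The hunk's closing context is the start of `_cleanup_authtok`, whose body lies outside the hunk.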
@@ -191,25 +289,23 @@ rc = pam_get_item(pamh, PAM_CONV, &item); - if (rc == PAM_SUCCESS && conv != NULL) { + /* This could happen in some strange cases */ + if (item == NULL && rc == PAM_SUCCESS) { + rc = PAM_SYSTEM_ERR; + } + + if (rc == PAM_SUCCESS) { conv = (struct pam_conv *) item; rc = conv->conv(nargs, message, resp, conv->appdata_ptr); if (rc != PAM_SUCCESS) { - pc_log("conv->conv(...): %s\n", + pc_log("ERROR: conversation failure: %s\n", pam_strerror(pamh, rc)); } - } else { - pc_log("pam_get_item: %s\n", + } else if (rc != PAM_CONV_AGAIN) { + pc_log("ERROR: could not obtain conversation fucntions: %s\n", pam_strerror(pamh, rc)); } - if (resp == NULL || *resp == NULL || (*resp)->resp == NULL) { - rc = PAM_AUTH_ERR; - } - - assert(rc != PAM_SUCCESS || (resp != NULL && *resp != NULL && - (*resp)->resp != NULL)); - return rc; } @@ -226,7 +322,7 @@ assert(pamh != NULL); assert(pass != NULL); - pc_log("entering _pam_read_password\n"); + pc_log("INFO: entering _pam_read_password\n"); *pass = NULL; msg.msg_style = PAM_PROMPT_ECHO_OFF; @@ -253,7 +349,7 @@ char cwd[PATH_MAX] = {0}; assert(user != NULL); - pc_log("calling csync %s <-> %s\n", source, dest); + pc_log("INFO: calling csync %s <-> %s\n", source, dest); new_dest = c_strdup(dest); if (new_dest == NULL) { @@ -264,7 +360,7 @@ if (pwd) { new_dest = c_strreplace(new_dest, "%(PASS)", pwd); if (new_dest == NULL) { - pc_log("error expanding password\n"); + pc_log("ERROR: expanding password\n"); status = PAM_SYSTEM_ERR; goto err; } @@ -279,7 +375,7 @@ if (childpid == 0) { int rc = PAM_SYSTEM_ERR; - pc_log("child pid running csync: %d\n", getpid()); + pc_log("INFO: child pid running csync: %d\n", getpid()); pc_setuid(user); pc_print_ids("child running with ids"); @@ -287,7 +383,7 @@ if (chdir(source) < 0) { pc_warn("chhdir failed\n"); } - pc_log("child pwd: %s\n", getcwd(cwd, PATH_MAX - 1)); + pc_log("INFO: child pwd: %s\n", getcwd(cwd, PATH_MAX - 1)); rc = csync_create(&csync, source, new_dest); if (rc < 0) { 
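Review bot: Deleting the `resp`/`*resp`/`(*resp)->resp` check from `_pam_converse` means a conversation function that returns PAM_SUCCESS without filling in a response is now reported as success; the removed assert documented that callers relied on a non-NULL `(*resp)->resp` whenever rc was PAM_SUCCESS, and `_pam_read_password` (outside this hunk) presumably still dereferences it. The new guard for a NULL PAM_CONV item is a good addition, but response validation should stay after the conv call: `if (rc == PAM_SUCCESS && (resp == NULL || *resp == NULL || (*resp)->resp == NULL)) { rc = PAM_CONV_ERR; }` — PAM_CONV_ERR rather than the old PAM_AUTH_ERR, since this is a conversation failure and not a rejected credential. The message "could not obtain conversation fucntions" is misspelled (`functions`). The remaining hunks on this line only re-prefix log messages.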
@@ -296,34 +392,34 @@ goto out; } - pc_log("Initializing csync.\n"); + pc_log("INFO: initializing csync.\n"); rc = csync_init(csync); if (rc < 0) { - pc_warn("unable to initialize csync.\n"); + pc_warn("ERROR: unable to initialize csync.\n"); rc = PAM_SUCCESS; goto out; } - pc_log("Running update detection.\n"); + pc_log("INFO: running update detection.\n"); rc = csync_update(csync); if (rc < 0) { - pc_warn("update detection failed.\n"); + pc_warn("ERROR: update detection failed.\n"); rc = PAM_SUCCESS; goto out; } - pc_log("Running reconciliation.\n"); + pc_log("INFO: running reconciliation.\n"); rc = csync_reconcile(csync); if (rc < 0) { - pc_warn("reconciliation failed.\n"); + pc_warn("ERROR: reconciliation failed.\n"); rc = PAM_SUCCESS; goto out; } - pc_log("Running propagation.\n"); + pc_log("INFO: running propagation.\n"); rc = csync_propagate(csync); if (rc < 0) { - pc_warn("propagation failed.\n"); + pc_warn("ERROR: propagation failed.\n"); rc = PAM_SUCCESS; goto out; } @@ -335,17 +431,17 @@ } else { wait(&status); - pc_log("child's exit status: %d\n", + pc_log("INFO: child's exit status: %d\n", WEXITSTATUS(status)); if (WIFSIGNALED(status)) { - pc_warn("child's term signal: %d\n", + pc_warn("INFO: child's term signal: %d\n", WTERMSIG(status)); } } /* fork returns -1 on failure */ } else { - pc_warn("fork failed: %s\n", strerror(errno)); + pc_warn("ERROR: fork failed: %s\n", strerror(errno)); status = PAM_SYSTEM_ERR; } err: @@ -363,7 +459,6 @@ */ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { - int rc = PAM_SUCCESS; const void *tmp = NULL; char *authtok = NULL; @@ -371,13 +466,13 @@ (void) tmp; assert(pamh != NULL); + pc_enter_function_log(pamh, "pam_sm_authenticate"); + rc = _pam_init(pamh, flags, argc, argv); if (rc != -1) { return rc; } - pc_log("entered pam_csync authenticaten stage\n"); - /* get password from PAM system */ if (pc_args.auth_type != GET_PASS) { const void *item = NULL; 
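Review bot: The retained `pc_warn` for the child's termination signal now carries an "INFO:" prefix while every other `pc_warn` touched by this commit is labelled "ERROR:", so the severity in the text no longer matches the call used; either route it through `pc_log` like the neighbouring exit-status line, `pc_log("INFO: child's term signal: %d\n", WTERMSIG(status));`, or keep the ERROR label. The enclosing `_csync` starts and ends outside the hunk.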
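Review bot: `int rc = PAM_SUCCESS;` is removed from `pam_sm_authenticate`, yet the unchanged line `rc = _pam_init(pamh, flags, argc, argv);` in the next hunk and the `return rc;` at `out:` still use `rc`, and the hunk line counts (-363,7 +459,6 followed by -371,13 +466,13) leave no room for a replacement declaration in between. Unless `rc` is declared at file scope outside this view this will not compile, and if it is file scope, sharing one `rc` across the PAM entry points is fragile; restore the local, `int rc = PAM_SUCCESS;`. The function body continues across the later hunks on this page.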
@@ -389,7 +484,7 @@ if (rc == PAM_SUCCESS && ptr == NULL && ! pc_args.nullok) { rc = PAM_AUTHINFO_UNAVAIL; } - pc_log("could not get password from PAM system\n"); + pc_log("ERROR: could not get password from PAM system\n"); if (pc_args.auth_type == USE_FIRST_PASS) { rc = PAM_AUTHINFO_UNAVAIL; goto out; 
@@ -408,83 +503,57 @@ rc = _pam_read_password(pamh, pc_config.msg_authpw, &authtok); if (rc != PAM_SUCCESS) { - pc_log("error trying to read password\n"); + pc_log("ERROR: trying to read password\n"); goto out; } /* pam_set_item() copies to PAM-internal memory */ rc = pam_set_item(pamh, PAM_AUTHTOK, authtok); if (rc != PAM_SUCCESS) { - pc_log("error trying to export password\n"); + pc_log("ERROR: trying to export password\n"); goto out; } } if (strlen(authtok) > PAM_CSYNC_MAX_PWLEN) { - pc_warn("password too long\n"); - rc = PAM_AUTH_ERR; - goto out; - } - - pc_log("saving authtok for session code\n"); - - if (mlock(authtok, strlen(authtok) + 1) < 0) { - pc_warn("authtok: %s\n", strerror(errno)); + pc_warn("ERROR: password too long\n"); rc = PAM_AUTH_ERR; goto out; } + pc_log("INFO: saving authtok for session code\n"); rc = pam_set_data(pamh, PAM_CSYNC_AUTHTOK, authtok, _cleanup_authtok); if (rc != PAM_SUCCESS) { - pc_warn("error trying to save authtok for session code\n"); + pc_warn("ERROR: trying to save authtok for session code\n"); goto out; } - assert(rc != PAM_SUCCESS || - pam_get_data(pamh, PAM_CSYNC_AUTHTOK, &tmp) == PAM_SUCCESS); - assert(rc != PAM_SUCCESS || tmp != NULL); + if (mlock(authtok, strlen(authtok) + 1) < 0) { + pc_warn("ERROR: authtok %s\n", strerror(errno)); + rc = PAM_AUTH_ERR; + goto out; + } - rc = PAM_SUCCESS; out: + pc_leave_function_log(pamh, "pam_sm_authenticate", rc); + return rc; } -/* - * This function has to call the open and close session function - * of pam. Especially the close call is requried or we don't - * have a kerberos cache to synchronize during logout. - */ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { int rc = PAM_SUCCESS; - pc_log("pam_sm_setcred (%s) called\n", + pc_enter_function_log(pamh, "pam_sm_setcred"); + + pc_log("INFO: pam_sm_setcred (%s) called\n", (flags & PAM_ESTABLISH_CRED) ? "establish credential" : (flags & PAM_REINITIALIZE_CRED) ? 
"reinitialize credential" : (flags & PAM_REFRESH_CRED) ? "refresh credential" : (flags & PAM_DELETE_CRED) ? "delete credential" : "unknown flag"); - switch (flags & ~PAM_SILENT) { - case PAM_ESTABLISH_CRED: - rc = pam_sm_open_session(pamh, flags, argc, argv); - break; - case PAM_REINITIALIZE_CRED: - rc = PAM_SUCCESS; - break; - case PAM_REFRESH_CRED: - rc = PAM_SUCCESS; - break; - case PAM_DELETE_CRED: - rc = pam_sm_close_session(pamh, flags, argc, argv); - break; - default: - rc = PAM_SYSTEM_ERR; - break; - } - -out: - pc_warn("pam_sm_setcred() called with no flags\n"); + pc_leave_function_log(pamh, "pam_sm_setcred", rc); return rc; } @@ -502,9 +571,9 @@ int rc = PAM_SUCCESS; int val = PAM_SUCCESS; int count = 0; - int krb5_set = 0; struct stat sb; const char *authtok = NULL; + const char *ccache = NULL; char *pam_home = NULL; const void *tmp = NULL; 
@@ -515,54 +584,44 @@ return rc; } - pc_log("entered pam_csync session stage\n"); + pc_enter_function_log(pamh, "pam_sm_open_session"); if (pc_user_excluded(&pc_config)) { - pc_log("user %s excluded from synchronization\n", pc_config.user); + pc_log("INFO: user %s excluded from synchronization\n", pc_config.user); rc = PAM_SUCCESS; goto out; } /* Get the Kerberos CCNAME so we can make it available to csync. */ - krb5_set = getenv("KRB5CCNAME") == NULL ? 0 : 1; - if (setenv("KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"), 1) < 0) { - pc_log("KRB5CCNAME setenv failed\n"); + ccache = pam_getenv(pamh, "KRB5CCNAME"); + if (ccache == NULL) { + pc_config.krb5_set = 0; } else { - pc_log("KRB5CCNAME=%s\n", getenv("KRB5CCNAME")); + if (setenv("KRB5CCNAME", ccache, 1) < 0) { + pc_log("ERROR: KRB5CCNAME setenv failed\n"); + } else { + pc_log("INFO: KRB5CCNAME=%s\n", getenv("KRB5CCNAME")); + pc_config.krb5_set = 1; + } } + pc_log("INFO: kerberos support is %s\n", pc_config.krb5_set ? "enabled" : "disabled"); /* Store initialized config as PAM data */ val = pam_get_data(pamh, "pam_csync_config", &tmp); if (val == PAM_NO_MODULE_DATA) { rc = pam_set_data(pamh, "pam_csync_config", &pc_config, _cleanup_config); if (rc != PAM_SUCCESS) { - pc_log("error trying to save config structure\n"); + pc_log("ERROR: trying to save config structure\n"); goto out; } } /* check uri */ if (pc_config.uri == NULL) { - pc_log("error no uri specified\n"); + pc_log("ERROR: no uri specified\n"); goto out; } - /* if uri is set to winbind, get the path from pam_winbind */ - if (strcmp(pc_config.uri, "winbind") == 0) { - char *winbind = NULL; - val = pam_get_data(pamh, PAM_WINBIND_PROFILEPATH, &tmp); - if (val == PAM_NO_MODULE_DATA) { - pc_log("error trying to get winbind profile path\n"); - goto out; - } - winbind = (char *) tmp; - val = pc_winbind_uri(&pc_config.uri, winbind, krb5_set); - if (val < 0) { - pc_log("error creating smb uri with winbind profile path\n"); - goto out; - } - } - /* get the authtok 
*/ rc = pam_get_data(pamh, PAM_CSYNC_AUTHTOK, &tmp); authtok = (const char *) tmp; @@ -571,25 +630,19 @@ rc = PAM_SUCCESS; goto out; } - pc_log("error trying to retrieve authtok from auth code\n"); + pc_log("ERROR: trying to retrieve authtok from auth code\n"); rc = _pam_read_password(pamh, pc_config.msg_sessionpw, &authtok); if (rc != PAM_SUCCESS) { - pc_log("error trying to read password\n"); + pc_log("ERROR: trying to read password %s\n", pam_strerror(pamh, rc)); goto out; } } pc_print_ids("session open"); - pc_config.uri = c_strreplace(pc_config.uri, "%(USER)", pc_config.user); - if (pc_config.uri == NULL) { - pc_log("error expanding user\n"); - goto out; - } - rc = pc_get_home(&pam_home, pc_config.user); if (rc != PAM_SUCCESS) { - pc_log("could not get home\n"); + pc_log("ERROR: could not get home\n"); goto out; } @@ -603,9 +656,31 @@ } if (count == 0) { + /* if uri is set to winbind, get the path from pam_winbind */ + if (strcmp(pc_config.uri, "winbind") == 0) { + val = pam_get_data(pamh, PAM_WINBIND_PROFILEPATH, &tmp); + if (val == PAM_NO_MODULE_DATA) { + pc_log("ERROR: trying to get winbind profile path\n"); + goto out; + } + val = pc_winbind_uri(&pc_config.uri, tmp, !pc_config.krb5_set); + pc_log("INFO: use pam_winbind support; server: %s\n", pc_config.uri); + if (val < 0) { + pc_log("ERROR: creating smb uri with winbind profile path\n"); + goto out; + } + } + + pc_log("INFO: expanding uri: %s ", pc_config.uri); + pc_config.uri = c_strreplace(pc_config.uri, "%(USER)", pc_config.user); + if (pc_config.uri == NULL) { + pc_log("ERROR: expanding user\n"); + goto out; + } + rc = _csync(pc_config.user, authtok, pam_home, pc_config.uri); if (rc != PAM_SUCCESS) { - pc_log("synchronization failed\n"); + pc_log("ERROR: synchronization failed\n"); goto out; } } @@ -620,11 +695,8 @@ } out: - if (krb5_set) { - unsetenv("KRB5CCNAME"); - } - pc_log("done opening session (ret=%d)\n", rc); + pc_leave_function_log(pamh, "pam_sm_open_session", rc); SAFE_FREE(pam_home); 
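Review bot: In the Kerberos block of `pam_sm_open_session`, `pc_config.krb5_set` is written only on the `ccache == NULL` path and on `setenv` success; when `setenv` fails it keeps whatever the global `pc_config` already held, so the following "kerberos support is enabled/disabled" line and the `unsetenv` in `pam_sm_close_session` can disagree with the actual environment. Clear it first with `pc_config.krb5_set = 0;` before the `if (ccache == NULL)` branch (the assignment in that branch then becomes redundant). The `setenv` failure is logged as ERROR but execution continues; if csync is meant to run without the credential cache in that case, a comment stating so would document the intent, which this hunk alone does not show. `pc_enter_function_log` is also called here after `_pam_init` has returned, whereas `pam_sm_authenticate` and `pam_sm_close_session` log on entry; moving it above the init keeps the ENTER/LEAVE pairs uniform.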
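Review bot: The winbind/%(USER) expansion block added here is duplicated verbatim in `pam_sm_close_session` later in this diff, and the two copies already diverge (this one logs "INFO: expanding uri: %s " with no trailing newline and no completing message); factoring it into one static helper keeps them in step. In both copies the "use pam_winbind support; server: %s" line is logged before `val < 0` is tested, so it is printed even when `pc_winbind_uri` failed and `pc_config.uri` may not be meaningful — log after the check. The third argument of `pc_winbind_uri` is now `!pc_config.krb5_set` where the old call passed the flag un-negated; since this commit also changes what the flag means that may be correct, but a comment naming what the parameter selects would let a reader verify it. The enclosing `pam_sm_open_session` starts and ends outside this hunk.
```c
/* Turn the configured uri into the one csync uses: resolve the "winbind"
 * placeholder via pam_winbind's profile path, then expand %(USER).
 * Returns 0 on success, -1 on failure (already logged). Shared by
 * pam_sm_open_session and pam_sm_close_session. */
static int _pc_expand_uri(pam_handle_t *pamh) {
    const void *tmp = NULL;
    int val = PAM_SUCCESS;

    if (strcmp(pc_config.uri, "winbind") == 0) {
        val = pam_get_data(pamh, PAM_WINBIND_PROFILEPATH, &tmp);
        if (val == PAM_NO_MODULE_DATA) {
            pc_log("ERROR: trying to get winbind profile path\n");
            return -1;
        }
        /* third argument kept as in the callers; confirm what it selects */
        val = pc_winbind_uri(&pc_config.uri, tmp, !pc_config.krb5_set);
        if (val < 0) {
            pc_log("ERROR: creating smb uri with winbind profile path\n");
            return -1;
        }
        pc_log("INFO: use pam_winbind support; server: %s\n", pc_config.uri);
    }

    pc_config.uri = c_strreplace(pc_config.uri, "%(USER)", pc_config.user);
    if (pc_config.uri == NULL) {
        pc_log("ERROR: expanding user\n");
        return -1;
    }
    pc_log("INFO: expanded uri: %s\n", pc_config.uri);

    return 0;
}

/* … in pam_sm_open_session, replacing the inlined block … */
    if (count == 0) {
        if (_pc_expand_uri(pamh) < 0) {
            goto out;
        }
        rc = _csync(pc_config.user, authtok, pam_home, pc_config.uri);
```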
@@ -634,22 +706,25 @@ PAM_EXTERN int pam_sm_close_session (pam_handle_t * pamh, int flags, int argc, const char **argv) { int rc = PAM_SUCCESS; + int val = PAM_SUCCESS; int count = 0; - int krb5_set = 0; const void *tmp = NULL; const char *pam_user = NULL; const char *authtok = NULL; + const char *ccache = NULL; char *pam_home = NULL; assert(pamh != NULL); + pc_enter_function_log(pamh, "pam_sm_close_session"); + /* * call pam_get_user() again because ssh calls PAM fns from seperate * processes. */ rc = pam_get_user(pamh, &pam_user, NULL); if (rc != PAM_SUCCESS) { - pc_log("could not get user\n"); + pc_log("ERROR: could not get user\n"); /* * do NOT return PAM_SERVICE_ERR or root will not be able to * su to other users. @@ -657,12 +732,13 @@ goto out; } - /* Get the Kerberos CCNAME so we can make it available to csync. */ - krb5_set = getenv("KRB5CCNAME") == NULL ? 0 : 1; - if (setenv("KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"), 1) < 0) { - pc_log("KRB5CCNAME setenv failed\n"); - } else { - pc_log("KRB5CCNAME=%s\n", getenv("KRB5CCNAME")); + SAFE_FREE(pc_config.user); + pc_config.user = c_strdup(pam_user); + + if (pc_user_excluded(&pc_config)) { + pc_log("INFO: user %s excluded from synchronization\n", pc_config.user); + rc = PAM_SUCCESS; + goto out; } /* get the authtok */ 
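Review bot: `const char *ccache = NULL;` is added to `pam_sm_close_session`, but the KRB5CCNAME block that would have used it is removed in the next hunk, so the variable is never read and will trip -Wunused-variable; drop the declaration. With that block gone, the `unsetenv("KRB5CCNAME")` at the end of this function (a later hunk) depends on `pc_config.krb5_set` having been set by `pam_sm_open_session` in the same process, while the comment retained in this very hunk notes that ssh calls the PAM functions from separate processes, in which case the flag will not carry over; either re-derive the flag here or add a comment at the field stating that assumption. The function body continues in the later hunks.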
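Review bot: `pc_config.user = c_strdup(pam_user);` is not checked before `pc_config.user` is passed to `pc_user_excluded` and used as a `%s` argument; `_csync` in this same file checks its `c_strdup` result, so the local convention is to handle the NULL case, e.g. `if (pc_config.user == NULL) { pc_log("ERROR: out of memory\n"); goto out; }` (rc is still PAM_SUCCESS at that point, matching the function's policy of not returning PAM_SERVICE_ERR). Freeing and replacing `user` here mutates the `pc_config` object that `pam_sm_open_session` registered with `_cleanup_config`; that is fine if the cleanup frees whatever pointer is current, which is not visible here, and a short comment saying so would help.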
@@ -673,23 +749,17 @@ rc = PAM_SUCCESS; goto out; } - pc_log("error trying to retrieve authtok from auth code\n"); + pc_log("ERROR: trying to retrieve authtok from auth code\n"); rc = _pam_read_password(pamh, pc_config.msg_sessionpw, &authtok); if (rc != PAM_SUCCESS) { - pc_log("error trying to read password\n"); + pc_log("ERROR: trying to read password\n"); goto out; } } - if (pc_user_excluded(&pc_config)) { - pc_log("user %s excluded from synchronization\n", pc_config.user); - rc = PAM_SUCCESS; - goto out; - } - rc = pc_get_home(&pam_home, pam_user); if (rc != PAM_SUCCESS) { - pc_log("could not get home\n"); + pc_log("ERROR: could not get home\n"); /* * do NOT return PAM_SERVICE_ERR or root will not be able to * su to other users. 
@@ -716,17 +786,41 @@ } if (count == 0) { + /* if uri is set to winbind, get the path from pam_winbind */ + if (strcmp(pc_config.uri, "winbind") == 0) { + val = pam_get_data(pamh, PAM_WINBIND_PROFILEPATH, &tmp); + if (val == PAM_NO_MODULE_DATA) { + pc_log("ERROR: trying to get winbind profile path\n"); + goto out; + } + val = pc_winbind_uri(&pc_config.uri, tmp, !pc_config.krb5_set); + pc_log("INFO: use pam_winbind support; server: %s\n", pc_config.uri); + if (val < 0) { + pc_log("ERROR: creating smb uri with winbind profile path\n"); + goto out; + } + } + + pc_log("INFO: expanding uri: %s ", pc_config.uri); + pc_config.uri = c_strreplace(pc_config.uri, "%(USER)", pc_config.user); + pc_log("to %s\n", pc_config.uri); + if (pc_config.uri == NULL) { + pc_log("ERROR: expanding user\n"); + goto out; + } + /* the config is still in memory */ rc = _csync(pam_user, authtok, pam_home, pc_config.uri); } out: - if (krb5_set) { + if (pc_config.krb5_set) { unsetenv("KRB5CCNAME"); } /* pc_config is automatically freed. PAM calls _cleanup_config(). */ - pc_log("pam_csync execution complete\n"); + + pc_leave_function_log(pamh, "pam_sm_close_session", rc); SAFE_FREE(pam_home); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
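Review bot: `pc_log("to %s\n", pc_config.uri);` runs before the `pc_config.uri == NULL` check that follows it, so on the failure path of `c_strreplace` a NULL pointer is passed to `%s`; move the log below the check, `if (pc_config.uri == NULL) { ... }` first, then `pc_log("INFO: expanded uri: %s\n", pc_config.uri);`. Splitting one message across two `pc_log` calls ("expanding uri: %s " without a newline, then "to %s\n") also interleaves badly if `pc_log` ends up in syslog, where each call is its own record; a single message after the expansion avoids that. The enclosing `pam_sm_close_session` starts outside the hunk.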