From 24837959ed0972a4706f3008fe7622aa2c5f6c5e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <anschneider@suse.de>
Date: Mon, 20 Oct 2008 16:30:45 +0200
Subject: [PATCH] Create a function out of pam_sm_close_session to delete the
 credentials.

This is the way the creds should be deleted. Now we have back a
close_session function which can be used for other things.
---
 source3/nsswitch/pam_winbind.c | 255 ++++++++++++++++++++++-------------------
 1 file changed, 135 insertions(+), 120 deletions(-)

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 2967770d8d0..1c927259e52 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -2285,6 +2285,135 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 	return talloc_asprintf(ctx, "%s\\%s", domain, name);
 }
 
+static int _pam_delete_cred(pam_handle_t *pamh, int flags,
+			 int argc, const char **argv)
+{
+	int retval = PAM_SUCCESS;
+	struct pwb_context *ctx = NULL;
+	struct wbcLogoffUserParams logoff;
+	struct wbcAuthErrorInfo *error = NULL;
+	const char *user;
+	wbcErr wbc_status;
+
+	retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+	if (retval) {
+		goto out;
+	}
+
+	_PAM_LOG_FUNCTION_ENTER("_pam_delete_cred", ctx);
+
+	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+
+		/* destroy the ccache here */
+
+		uint32_t wbc_flags = 0;
+		const char *ccname = NULL;
+		struct passwd *pwd = NULL;
+
+		retval = pam_get_user(pamh, &user, "Username: ");
+		if (retval) {
+			_pam_log(ctx, LOG_ERR,
+				 "could not identify user");
+			goto out;
+		}
+
+		if (user == NULL) {
+			_pam_log(ctx, LOG_ERR,
+				 "username was NULL!");
+			retval = PAM_USER_UNKNOWN;
+			goto out;
+		}
+
+		_pam_log_debug(ctx, LOG_DEBUG,
+			       "username [%s] obtained", user);
+
+		ccname = pam_getenv(pamh, "KRB5CCNAME");
+		if (ccname == NULL) {
+			_pam_log_debug(ctx, LOG_DEBUG,
+				       "user has no KRB5CCNAME environment");
+		}
+
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
+			retval = PAM_USER_UNKNOWN;
+			goto out;
+		}
+
+		wbc_flags = WBFLAG_PAM_KRB5 |
+			WBFLAG_PAM_CONTACT_TRUSTDOM;
+
+		ZERO_STRUCT(logoff);
+
+		logoff.username		= user;
+
+		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+					     &logoff.blobs,
+					     "ccfilename",
+					     0,
+					     (uint8_t *)ccname,
+					     strlen(ccname)+1);
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			goto out;
+		}
+
+		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+					     &logoff.blobs,
+					     "flags",
+					     0,
+					     (uint8_t *)&wbc_flags,
+					     sizeof(wbc_flags));
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			goto out;
+		}
+
+		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
+					     &logoff.blobs,
+					     "user_uid",
+					     0,
+					     (uint8_t *)&pwd->pw_uid,
+					     sizeof(pwd->pw_uid));
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			goto out;
+		}
+
+		wbc_status = wbcLogoffUserEx(&logoff, &error);
+		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+						     user, "wbcLogoffUser");
+		wbcFreeMemory(error);
+		wbcFreeMemory(logoff.blobs);
+
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			_pam_log(ctx, LOG_INFO,
+				 "failed to logoff user %s: %s\n",
+					 user, wbcErrorString(wbc_status));
+		}
+	}
+
+out:
+	if (logoff.blobs) {
+		wbcFreeMemory(logoff.blobs);
+	}
+
+	if (!WBC_ERROR_IS_OK(wbc_status)) {
+		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
+		     user, "wbcLogoffUser");
+	}
+
+	/*
+	 * Delete the krb5 ccname variable from the PAM environment
+	 * if it was set by winbind.
+	 */
+	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
+		pam_putenv(pamh, "KRB5CCNAME");
+	}
+
+	_PAM_LOG_FUNCTION_LEAVE("_pam_delete_cred", ctx, retval);
+
+	TALLOC_FREE(ctx);
+
+	return retval;
+}
+
 PAM_EXTERN
 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 			int argc, const char **argv)
@@ -2461,7 +2590,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
 	switch (flags & ~PAM_SILENT) {
 
 		case PAM_DELETE_CRED:
-			ret = pam_sm_close_session(pamh, flags, argc, argv);
+			ret = _pam_delete_cred(pamh, flags, argc, argv);
 			break;
 		case PAM_REFRESH_CRED:
 			_pam_log_debug(ctx, LOG_WARNING,
@@ -2623,136 +2752,22 @@ PAM_EXTERN
 int pam_sm_close_session(pam_handle_t *pamh, int flags,
 			 int argc, const char **argv)
 {
-	int retval = PAM_SUCCESS;
+	int ret = PAM_SUCCESS;
 	struct pwb_context *ctx = NULL;
-	struct wbcLogoffUserParams logoff;
 
-	retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
-	if (retval) {
+	ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+	if (ret) {
 		goto out;
 	}
 
 	_PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
 
-	if (!(flags & PAM_DELETE_CRED)) {
-		retval = PAM_SUCCESS;
-		goto out;
-	}
-
-	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
-
-		/* destroy the ccache here */
-
-		wbcErr wbc_status;
-		struct wbcAuthErrorInfo *error = NULL;
-
-		uint32_t flags = 0;
-		const char *user;
-		const char *ccname = NULL;
-		struct passwd *pwd = NULL;
-
-		retval = pam_get_user(pamh, &user, "Username: ");
-		if (retval) {
-			_pam_log(ctx, LOG_ERR,
-				 "could not identify user");
-			goto out;
-		}
-
-		if (user == NULL) {
-			_pam_log(ctx, LOG_ERR,
-				 "username was NULL!");
-			retval = PAM_USER_UNKNOWN;
-			goto out;
-		}
-
-		_pam_log_debug(ctx, LOG_DEBUG,
-			       "username [%s] obtained", user);
-
-		ccname = pam_getenv(pamh, "KRB5CCNAME");
-		if (ccname == NULL) {
-			_pam_log_debug(ctx, LOG_DEBUG,
-				       "user has no KRB5CCNAME environment");
-		}
-
-		pwd = getpwnam(user);
-		if (pwd == NULL) {
-			retval = PAM_USER_UNKNOWN;
-			goto out;
-		}
-
-		flags = WBFLAG_PAM_KRB5 |
-			WBFLAG_PAM_CONTACT_TRUSTDOM;
-
-		ZERO_STRUCT(logoff);
-
-		logoff.username		= user;
-
-		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-					     &logoff.blobs,
-					     "ccfilename",
-					     0,
-					     (uint8_t *)ccname,
-					     strlen(ccname)+1);
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			goto out;
-		}
-
-		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-					     &logoff.blobs,
-					     "flags",
-					     0,
-					     (uint8_t *)&flags,
-					     sizeof(flags));
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			goto out;
-		}
-
-		wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
-					     &logoff.blobs,
-					     "user_uid",
-					     0,
-					     (uint8_t *)&pwd->pw_uid,
-					     sizeof(pwd->pw_uid));
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			goto out;
-		}
-
-		wbc_status = wbcLogoffUserEx(&logoff, &error);
-		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
-						     user, "wbcLogoffUser");
-		wbcFreeMemory(error);
-		wbcFreeMemory(logoff.blobs);
-
-		if (!WBC_ERROR_IS_OK(wbc_status)) {
-			_pam_log(ctx, LOG_INFO,
-				 "failed to logoff user %s: %s\n",
-					 user, wbcErrorString(wbc_status));
-		}
-	}
-
 out:
-	if (logoff.blobs) {
-		wbcFreeMemory(logoff.blobs);
-	}
-
-	if (!WBC_ERROR_IS_OK(wbc_status)) {
-		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
-		     user, "wbcLogoffUser");
-	}
-
-	/*
-	 * Delete the krb5 ccname variable from the PAM environment
-	 * if it was set by winbind.
-	 */
-	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
-		pam_putenv(pamh, "KRB5CCNAME");
-	}
-
-	_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
+	_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, ret);
 
 	TALLOC_FREE(ctx);
 
-	return retval;
+	return ret;
 }
 
 /**
-- 
2.11.4.GIT