--- loncom/lond	2005/06/03 18:23:19	1.284
+++ loncom/lond	2005/06/27 10:27:02	1.287
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.284 2005/06/03 18:23:19 raeburn Exp $
+# $Id: lond,v 1.287 2005/06/27 10:27:02 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -58,7 +58,7 @@ my $DEBUG = 0;		       # Non zero to ena
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.284 $'; #' stupid emacs
+my $VERSION='$Revision: 1.287 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -112,20 +112,20 @@ my %Dispatcher;
 #
 my $lastpwderror    = 13;		# Largest error number from lcpasswd.
 my @passwderrors = ("ok",
-		   "lcpasswd must be run as user 'www'",
-		   "lcpasswd got incorrect number of arguments",
-		   "lcpasswd did not get the right nubmer of input text lines",
-		   "lcpasswd too many simultaneous pwd changes in progress",
-		   "lcpasswd User does not exist.",
-		   "lcpasswd Incorrect current passwd",
-		   "lcpasswd Unable to su to root.",
-		   "lcpasswd Cannot set new passwd.",
-		   "lcpasswd Username has invalid characters",
-		   "lcpasswd Invalid characters in password",
-		   "lcpasswd User already exists", 
-                   "lcpasswd Something went wrong with user addition.",
-		    "lcpasswd Password mismatch",
-		    "lcpasswd Error filename is invalid");
+		   "pwchange_failure - lcpasswd must be run as user 'www'",
+		   "pwchange_failure - lcpasswd got incorrect number of arguments",
+		   "pwchange_failure - lcpasswd did not get the right nubmer of input text lines",
+		   "pwchange_failure - lcpasswd too many simultaneous pwd changes in progress",
+		   "pwchange_failure - lcpasswd User does not exist.",
+		   "pwchange_failure - lcpasswd Incorrect current passwd",
+		   "pwchange_failure - lcpasswd Unable to su to root.",
+		   "pwchange_failure - lcpasswd Cannot set new passwd.",
+		   "pwchange_failure - lcpasswd Username has invalid characters",
+		   "pwchange_failure - lcpasswd Invalid characters in password",
+		   "pwchange_failure - lcpasswd User already exists", 
+                   "pwchange_failure - lcpasswd Something went wrong with user addition.",
+		   "pwchange_failure - lcpasswd Password mismatch",
+		   "pwchange_failure - lcpasswd Error filename is invalid");
 
 
 #  The array below are lcuseradd error strings.:
@@ -1701,19 +1701,9 @@ sub change_password_handler {
 		&Failure( $client, "non_authorized\n",$userinput);
 	    }
 	} elsif ($howpwd eq 'unix') {
-	    # Unix means we have to access /etc/password
-	    &Debug("auth is unix");
-	    my $execdir=$perlvar{'lonDaemons'};
-	    &Debug("Opening lcpasswd pipeline");
-	    my $pf = IO::File->new("|$execdir/lcpasswd > "
-				   ."$perlvar{'lonDaemons'}"
-				   ."/logs/lcpasswd.log");
-	    print $pf "$uname\n$npass\n$npass\n";
-	    close $pf;
-	    my $err = $?;
-	    my $result = ($err>0 ? 'pwchange_failure' : 'ok');
+	    my $result = &change_unix_password($uname, $npass);
 	    &logthis("Result of password change for $uname: ".
-		     &lcpasswdstrerror($?));
+		     $result);
 	    &Reply($client, "$result\n", $userinput);
 	} else {
 	    # this just means that the current password mode is not
@@ -1812,6 +1802,9 @@ sub add_user_handler {
 # Implicit inputs:
 #    The authentication systems describe above have their own forms of implicit
 #    input into the authentication process that are described above.
+# NOTE:
+#   This is also used to change the authentication credential values (e.g. passwd).
+#   
 #
 sub change_authentication_handler {
 
@@ -1831,24 +1824,43 @@ sub change_authentication_handler {
 	my $oldauth = &get_auth_type($udom, $uname); # Get old auth info.
 	my $passfilename = &password_path($udom, $uname);
 	if ($passfilename) {	# Not allowed to create a new user!!
-	    my $result=&make_passwd_file($uname, $umode,$npass,$passfilename);
-	    #
-	    #  If the current auth mode is internal, and the old auth mode was
-	    #  unix, or krb*,  and the user is an author for this domain,
-	    #  re-run manage_permissions for that role in order to be able
-	    #  to take ownership of the construction space back to www:www
-	    #
-
-	    if( (($oldauth =~ /^unix/) && ($umode eq "internal")) ||
-		(($oldauth =~ /^internal/) && ($umode eq "unix")) ) { 
-		if(&is_author($udom, $uname)) {
-		    &Debug(" Need to manage author permissions...");
-		    &manage_permissions("/$udom/_au", $udom, $uname, "$umode:");
+	    # If just changing the unix passwd. need to arrange to run
+	    # passwd since otherwise make_passwd_file will run
+	    # lcuseradd which fails if an account already exists
+	    # (to prevent an unscrupulous LONCAPA admin from stealing
+	    # an existing account by overwriting it as a LonCAPA account).
+
+	    if(($oldauth =~/^unix/) && ($umode eq "unix")) {
+		my $result = &change_unix_password($uname, $npass);
+		&logthis("Result of password change for $uname: ".$result);
+		if ($result eq "ok") {
+		    &Reply($client, "$result\n")
+		}
+		else {
+		    &Failure($client, "$result\n");
 		}
 	    }
+	    else {
+		my $result=&make_passwd_file($uname, $umode,$npass,$passfilename);
+		#
+		#  If the current auth mode is internal, and the old auth mode was
+		#  unix, or krb*,  and the user is an author for this domain,
+		#  re-run manage_permissions for that role in order to be able
+		#  to take ownership of the construction space back to www:www
+		#
+		
+		
+		if( (($oldauth =~ /^unix/) && ($umode eq "internal")) ||
+		    (($oldauth =~ /^internal/) && ($umode eq "unix")) ) { 
+		    if(&is_author($udom, $uname)) {
+			&Debug(" Need to manage author permissions...");
+			&manage_permissions("/$udom/_au", $udom, $uname, "$umode:");
+		    }
+		}
+		&Reply($client, $result, $userinput);
+	    }
 	       
 
-	    &Reply($client, $result, $userinput);
 	} else {	       
 	    &Failure($client, "non_authorized\n", $userinput); # Fail the user now.
 	}
@@ -4768,6 +4780,8 @@ $SIG{USR2} = \&UpdateHosts;
 
 ReadHostTable;
 
+my $dist=`$perlvar{'lonDaemons'}/distprobe`;
+
 # --------------------------------------------------------------
 #   Accept connections.  When a connection comes in, it is validated
 #   and if good, a child process is created to process transactions
@@ -4843,7 +4857,9 @@ sub make_new_child {
 #        my $tmpsnum=0;            # Now global
 #---------------------------------------------------- kerberos 5 initialization
         &Authen::Krb5::init_context();
-        &Authen::Krb5::init_ets();
+	if ($dist ne 'fedora4') {
+	    &Authen::Krb5::init_ets();
+	}
 
 	&status('Accepted connection');
 # =============================================================================
@@ -5499,6 +5515,35 @@ sub subscribe {
     }
     return $result;
 }
+#  Change the passwd of a unix user.  The caller must have
+#  first verified that the user is a loncapa user.
+#
+# Parameters:
+#    user      - Unix user name to change.
+#    pass      - New password for the user.
+# Returns:
+#    ok    - if success
+#    other - Some meaningfule error message string.
+# NOTE:
+#    invokes a setuid script to change the passwd.
+sub change_unix_password {
+    my ($user, $pass) = @_;
+
+    &Debug("change_unix_password");
+    my $execdir=$perlvar{'lonDaemons'};
+    &Debug("Opening lcpasswd pipeline");
+    my $pf = IO::File->new("|$execdir/lcpasswd > "
+			   ."$perlvar{'lonDaemons'}"
+			   ."/logs/lcpasswd.log");
+    print $pf "$user\n$pass\n$pass\n";
+    close $pf;
+    my $err = $?;
+    return ($err < @passwderrors) ? $passwderrors[$err] : 
+	"pwchange_falure - unknown error";
+
+    
+}
+
 
 sub make_passwd_file {
     my ($uname, $umode,$npass,$passfilename)=@_;
@@ -5558,24 +5603,30 @@ sub make_passwd_file {
 		print $se "$npass\n";
 		print $se "$lc_error_file\n"; # Status -> unique file.
 	    }
-	    my $error = IO::File->new("< $lc_error_file");
-	    my $useraddok = <$error>;
-	    $error->close;
-	    unlink($lc_error_file);
-
-	    chomp $useraddok;
-
-	    if($useraddok > 0) {
-		my $error_text = &lcuseraddstrerror($useraddok);
-		&logthis("Failed lcuseradd: $error_text");
-		$result = "lcuseradd_failed:$error_text\n";
-	    }  else {
-		my $pf = IO::File->new(">$passfilename");
-		if($pf) {
-		    print $pf "unix:\n";
-		} else {
-		    $result = "pass_file_failed_error";
+	    if (-r $lc_error_file) {
+		&Debug("Opening error file: $lc_error_file");
+		my $error = IO::File->new("< $lc_error_file");
+		my $useraddok = <$error>;
+		$error->close;
+		unlink($lc_error_file);
+		
+		chomp $useraddok;
+	
+		if($useraddok > 0) {
+		    my $error_text = &lcuseraddstrerror($useraddok);
+		    &logthis("Failed lcuseradd: $error_text");
+		    $result = "lcuseradd_failed:$error_text\n";
+		}  else {
+		    my $pf = IO::File->new(">$passfilename");
+		    if($pf) {
+			print $pf "unix:\n";
+		    } else {
+			$result = "pass_file_failed_error";
+		    }
 		}
+	    }  else {
+		&Debug("Could not locate lcuseradd error: $lc_error_file");
+		$result="bug_lcuseradd_no_output_file";
 	    }
 	}
     } elsif ($umode eq 'none') {
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>