Context Navigation

source: branches/samba-3.0/source/auth/pampass.c@ 411

Visit:

Last change on this file since 411 was 165, checked in by Paul Smedley, 16 years ago
Add 'missing' 3.0.34 diffs
File size: 23.9 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	PAM Password checking
4	Copyright (C) Andrew Tridgell 1992-2001
5	Copyright (C) John H Terpsta 1999-2001
6	Copyright (C) Andrew Bartlett 2001
7	Copyright (C) Jeremy Allison 2001
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 2 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program; if not, write to the Free Software
21	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22	*/
23
24	/*
25	* This module provides PAM based functions for validation of
26	* username/password pairs, account managment, session and access control.
27	* Note: SMB password checking is done in smbpass.c
28	*/
29
30	#include "includes.h"
31
32	#undef DBGC_CLASS
33	#define DBGC_CLASS DBGC_AUTH
34
35	#ifdef WITH_PAM
36
37	/*******************************************************************
38	* Handle PAM authentication
39	* - Access, Authentication, Session, Password
40	* Note: See PAM Documentation and refer to local system PAM implementation
41	* which determines what actions/limitations/allowances become affected.
42	*********************************************************************/
43
44	#include <security/pam_appl.h>
45
46	/*
47	* Structure used to communicate between the conversation function
48	* and the server_login/change password functions.
49	*/
50
51	struct smb_pam_userdata {
52	const char *PAM_username;
53	const char *PAM_password;
54	const char *PAM_newpassword;
55	};
56
57	typedef int (smb_pam_conv_fn)(int, const struct pam_message , struct pam_response , void appdata_ptr);
58
59	/*
60	* Macros to help make life easy
61	*/
62	#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
63	#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
64
65	/*******************************************************************
66	PAM error handler.
67	*********************************************************************/
68
69	static BOOL smb_pam_error_handler(pam_handle_t pamh, int pam_error, const char msg, int dbglvl)
70	{
71
72	if( pam_error != PAM_SUCCESS) {
73	DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
74	msg, pam_strerror(pamh, pam_error)));
75
76	return False;
77	}
78	return True;
79	}
80
81	/*******************************************************************
82	This function is a sanity check, to make sure that we NEVER report
83	failure as sucess.
84	*********************************************************************/
85
86	static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
87	const char *msg, int dbglvl,
88	NTSTATUS *nt_status)
89	{
90	*nt_status = pam_to_nt_status(pam_error);
91
92	if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
93	return True;
94
95	if (NT_STATUS_IS_OK(*nt_status)) {
96	/* Complain LOUDLY */
97	DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
98	error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
99	*nt_status = NT_STATUS_LOGON_FAILURE;
100	}
101	return False;
102	}
103
104	/*
105	* PAM conversation function
106	* Here we assume (for now, at least) that echo on means login name, and
107	* echo off means password.
108	*/
109
110	static int smb_pam_conv(int num_msg,
111	const struct pam_message **msg,
112	struct pam_response **resp,
113	void *appdata_ptr)
114	{
115	int replies = 0;
116	struct pam_response *reply = NULL;
117	struct smb_pam_userdata udp = (struct smb_pam_userdata )appdata_ptr;
118
119	*resp = NULL;
120
121	if (num_msg <= 0)
122	return PAM_CONV_ERR;
123
124	/*
125	* Apparantly HPUX has a buggy PAM that doesn't support the
126	* appdata_ptr. Fail if this is the case. JRA.
127	*/
128
129	if (udp == NULL) {
130	DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
131	return PAM_CONV_ERR;
132	}
133
134	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
135	if (!reply)
136	return PAM_CONV_ERR;
137
138	memset(reply, '\0', sizeof(struct pam_response) * num_msg);
139
140	for (replies = 0; replies < num_msg; replies++) {
141	switch (msg[replies]->msg_style) {
142	case PAM_PROMPT_ECHO_ON:
143	reply[replies].resp_retcode = PAM_SUCCESS;
144	reply[replies].resp = COPY_STRING(udp->PAM_username);
145	/* PAM frees resp */
146	break;
147
148	case PAM_PROMPT_ECHO_OFF:
149	reply[replies].resp_retcode = PAM_SUCCESS;
150	reply[replies].resp = COPY_STRING(udp->PAM_password);
151	/* PAM frees resp */
152	break;
153
154	case PAM_TEXT_INFO:
155	/* fall through */
156
157	case PAM_ERROR_MSG:
158	/* ignore it... */
159	reply[replies].resp_retcode = PAM_SUCCESS;
160	reply[replies].resp = NULL;
161	break;
162
163	default:
164	/* Must be an error of some sort... */
165	SAFE_FREE(reply);
166	return PAM_CONV_ERR;
167	}
168	}
169	if (reply)
170	*resp = reply;
171	return PAM_SUCCESS;
172	}
173
174	/*
175	* PAM password change conversation function
176	* Here we assume (for now, at least) that echo on means login name, and
177	* echo off means password.
178	*/
179
180	static void special_char_sub(char *buf)
181	{
182	all_string_sub(buf, "\\n", "", 0);
183	all_string_sub(buf, "\\r", "", 0);
184	all_string_sub(buf, "\\s", " ", 0);
185	all_string_sub(buf, "\\t", "\t", 0);
186	}
187
188	static void pwd_sub(char buf, const char username, const char oldpass, const char newpass)
189	{
190	fstring_sub(buf, "%u", username);
191	all_string_sub(buf, "%o", oldpass, sizeof(fstring));
192	all_string_sub(buf, "%n", newpass, sizeof(fstring));
193	}
194
195
196	struct chat_struct {
197	struct chat_struct next, prev;
198	fstring prompt;
199	fstring reply;
200	};
201
202	/**************************************************************
203	Create a linked list containing chat data.
204	***************************************************************/
205
206	static struct chat_struct make_pw_chat(const char p)
207	{
208	fstring prompt;
209	fstring reply;
210	struct chat_struct *list = NULL;
211	struct chat_struct *t;
212
213	while (1) {
214	t = SMB_MALLOC_P(struct chat_struct);
215	if (!t) {
216	DEBUG(0,("make_pw_chat: malloc failed!\n"));
217	return NULL;
218	}
219
220	ZERO_STRUCTP(t);
221
222	DLIST_ADD_END(list, t, struct chat_struct*);
223
224	if (!next_token(&p, prompt, NULL, sizeof(fstring)))
225	break;
226
227	if (strequal(prompt,"."))
228	fstrcpy(prompt,"*");
229
230	special_char_sub(prompt);
231	fstrcpy(t->prompt, prompt);
232	strlower_m(t->prompt);
233	trim_char(t->prompt, ' ', ' ');
234
235	if (!next_token(&p, reply, NULL, sizeof(fstring)))
236	break;
237
238	if (strequal(reply,"."))
239	fstrcpy(reply,"");
240
241	special_char_sub(reply);
242	fstrcpy(t->reply, reply);
243	strlower_m(t->reply);
244	trim_char(t->reply, ' ', ' ');
245
246	}
247	return list;
248	}
249
250	static void free_pw_chat(struct chat_struct *list)
251	{
252	while (list) {
253	struct chat_struct *old_head = list;
254	DLIST_REMOVE(list, list);
255	SAFE_FREE(old_head);
256	}
257	}
258
259	static int smb_pam_passchange_conv(int num_msg,
260	const struct pam_message **msg,
261	struct pam_response **resp,
262	void *appdata_ptr)
263	{
264	int replies = 0;
265	struct pam_response *reply = NULL;
266	fstring current_prompt;
267	fstring current_reply;
268	struct smb_pam_userdata udp = (struct smb_pam_userdata )appdata_ptr;
269	struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat());
270	struct chat_struct *t;
271	BOOL found;
272	*resp = NULL;
273
274	DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
275
276	if (num_msg <= 0)
277	return PAM_CONV_ERR;
278
279	if (pw_chat == NULL)
280	return PAM_CONV_ERR;
281
282	/*
283	* Apparantly HPUX has a buggy PAM that doesn't support the
284	* appdata_ptr. Fail if this is the case. JRA.
285	*/
286
287	if (udp == NULL) {
288	DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
289	free_pw_chat(pw_chat);
290	return PAM_CONV_ERR;
291	}
292
293	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
294	if (!reply) {
295	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
296	free_pw_chat(pw_chat);
297	return PAM_CONV_ERR;
298	}
299
300	for (replies = 0; replies < num_msg; replies++) {
301	found = False;
302	DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
303	switch (msg[replies]->msg_style) {
304	case PAM_PROMPT_ECHO_ON:
305	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
306	fstrcpy(current_prompt, msg[replies]->msg);
307	trim_char(current_prompt, ' ', ' ');
308	for (t=pw_chat; t; t=t->next) {
309
310	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match \|%s\| to \|%s\|\n",
311	t->prompt, current_prompt ));
312
313	if (unix_wild_match(t->prompt, current_prompt)) {
314	fstrcpy(current_reply, t->reply);
315	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
316	pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
317	#ifdef DEBUG_PASSWORD
318	DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
319	#endif
320	reply[replies].resp_retcode = PAM_SUCCESS;
321	reply[replies].resp = COPY_FSTRING(current_reply);
322	found = True;
323	break;
324	}
325	}
326	/* PAM frees resp */
327	if (!found) {
328	DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
329	free_pw_chat(pw_chat);
330	SAFE_FREE(reply);
331	return PAM_CONV_ERR;
332	}
333	break;
334
335	case PAM_PROMPT_ECHO_OFF:
336	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
337	fstrcpy(current_prompt, msg[replies]->msg);
338	trim_char(current_prompt, ' ', ' ');
339	for (t=pw_chat; t; t=t->next) {
340
341	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match \|%s\| to \|%s\|\n",
342	t->prompt, current_prompt ));
343
344	if (unix_wild_match(t->prompt, current_prompt)) {
345	fstrcpy(current_reply, t->reply);
346	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
347	pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
348	reply[replies].resp_retcode = PAM_SUCCESS;
349	reply[replies].resp = COPY_FSTRING(current_reply);
350	#ifdef DEBUG_PASSWORD
351	DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
352	#endif
353	found = True;
354	break;
355	}
356	}
357	/* PAM frees resp */
358
359	if (!found) {
360	DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
361	free_pw_chat(pw_chat);
362	SAFE_FREE(reply);
363	return PAM_CONV_ERR;
364	}
365	break;
366
367	case PAM_TEXT_INFO:
368	/* fall through */
369
370	case PAM_ERROR_MSG:
371	/* ignore it... */
372	reply[replies].resp_retcode = PAM_SUCCESS;
373	reply[replies].resp = NULL;
374	break;
375
376	default:
377	/* Must be an error of some sort... */
378	free_pw_chat(pw_chat);
379	SAFE_FREE(reply);
380	return PAM_CONV_ERR;
381	}
382	}
383
384	free_pw_chat(pw_chat);
385	if (reply)
386	*resp = reply;
387	return PAM_SUCCESS;
388	}
389
390	/***************************************************************************
391	Free up a malloced pam_conv struct.
392	****************************************************************************/
393
394	static void smb_free_pam_conv(struct pam_conv *pconv)
395	{
396	if (pconv)
397	SAFE_FREE(pconv->appdata_ptr);
398
399	SAFE_FREE(pconv);
400	}
401
402	/***************************************************************************
403	Allocate a pam_conv struct.
404	****************************************************************************/
405
406	static struct pam_conv smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char user,
407	const char passwd, const char newpass)
408	{
409	struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
410	struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
411
412	if (pconv == NULL \|\| udp == NULL) {
413	SAFE_FREE(pconv);
414	SAFE_FREE(udp);
415	return NULL;
416	}
417
418	udp->PAM_username = user;
419	udp->PAM_password = passwd;
420	udp->PAM_newpassword = newpass;
421
422	pconv->conv = smb_pam_conv_fnptr;
423	pconv->appdata_ptr = (void *)udp;
424	return pconv;
425	}
426
427	/*
428	* PAM Closing out cleanup handler
429	*/
430
431	static BOOL smb_pam_end(pam_handle_t pamh, struct pam_conv smb_pam_conv_ptr)
432	{
433	int pam_error;
434
435	smb_free_pam_conv(smb_pam_conv_ptr);
436
437	if( pamh != NULL ) {
438	pam_error = pam_end(pamh, 0);
439	if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
440	DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
441	return True;
442	}
443	}
444	DEBUG(2,("smb_pam_end: PAM: not initialised"));
445	return False;
446	}
447
448	/*
449	* Start PAM authentication for specified account
450	*/
451
452	static BOOL smb_pam_start(pam_handle_t *pamh, const char user, const char rhost, struct pam_conv pconv)
453	{
454	int pam_error;
455	const char *our_rhost;
456
457	pamh = (pam_handle_t )NULL;
458
459	DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
460
461	pam_error = pam_start("samba", user, pconv, pamh);
462	if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
463	pamh = (pam_handle_t )NULL;
464	return False;
465	}
466
467	if (rhost == NULL) {
468	our_rhost = client_name();
469	if (strequal(our_rhost,"UNKNOWN"))
470	our_rhost = client_addr();
471	} else {
472	our_rhost = rhost;
473	}
474
475	#ifdef PAM_RHOST
476	DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
477	pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
478	if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
479	smb_pam_end(*pamh, pconv);
480	pamh = (pam_handle_t )NULL;
481	return False;
482	}
483	#endif
484	#ifdef PAM_TTY
485	DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
486	pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
487	if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
488	smb_pam_end(*pamh, pconv);
489	pamh = (pam_handle_t )NULL;
490	return False;
491	}
492	#endif
493	DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
494	return True;
495	}
496
497	/*
498	* PAM Authentication Handler
499	*/
500	static NTSTATUS smb_pam_auth(pam_handle_t pamh, const char user)
501	{
502	int pam_error;
503	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
504
505	/*
506	* To enable debugging set in /etc/pam.d/samba:
507	* auth required /lib/security/pam_pwdb.so nullok shadow audit
508	*/
509
510	DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
511	pam_error = pam_authenticate(pamh, PAM_SILENT \| lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
512	switch( pam_error ){
513	case PAM_AUTH_ERR:
514	DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
515	break;
516	case PAM_CRED_INSUFFICIENT:
517	DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
518	break;
519	case PAM_AUTHINFO_UNAVAIL:
520	DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
521	break;
522	case PAM_USER_UNKNOWN:
523	DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
524	break;
525	case PAM_MAXTRIES:
526	DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
527	break;
528	case PAM_ABORT:
529	DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
530	break;
531	case PAM_SUCCESS:
532	DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
533	break;
534	default:
535	DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
536	break;
537	}
538
539	smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
540	return nt_status;
541	}
542
543	/*
544	* PAM Account Handler
545	*/
546	static NTSTATUS smb_pam_account(pam_handle_t pamh, const char user)
547	{
548	int pam_error;
549	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
550
551	DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
552	pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
553	switch( pam_error ) {
554	case PAM_AUTHTOK_EXPIRED:
555	DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
556	break;
557	case PAM_ACCT_EXPIRED:
558	DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
559	break;
560	case PAM_AUTH_ERR:
561	DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
562	break;
563	case PAM_PERM_DENIED:
564	DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
565	break;
566	case PAM_USER_UNKNOWN:
567	DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
568	break;
569	case PAM_SUCCESS:
570	DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
571	break;
572	default:
573	DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
574	break;
575	}
576
577	smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
578	return nt_status;
579	}
580
581	/*
582	* PAM Credential Setting
583	*/
584
585	static NTSTATUS smb_pam_setcred(pam_handle_t pamh, const char user)
586	{
587	int pam_error;
588	NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
589
590	/*
591	* This will allow samba to aquire a kerberos token. And, when
592	* exporting an AFS cell, be able to /write/ to this cell.
593	*/
594
595	DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
596	pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED\|PAM_SILENT));
597	switch( pam_error ) {
598	case PAM_CRED_UNAVAIL:
599	DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
600	break;
601	case PAM_CRED_EXPIRED:
602	DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
603	break;
604	case PAM_USER_UNKNOWN:
605	DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
606	break;
607	case PAM_CRED_ERR:
608	DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
609	break;
610	case PAM_SUCCESS:
611	DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
612	break;
613	default:
614	DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
615	break;
616	}
617
618	smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
619	return nt_status;
620	}
621
622	/*
623	* PAM Internal Session Handler
624	*/
625	static BOOL smb_internal_pam_session(pam_handle_t pamh, const char user, const char *tty, BOOL flag)
626	{
627	int pam_error;
628
629	#ifdef PAM_TTY
630	DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
631	pam_error = pam_set_item(pamh, PAM_TTY, tty);
632	if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
633	return False;
634	#endif
635
636	if (flag) {
637	pam_error = pam_open_session(pamh, PAM_SILENT);
638	if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
639	return False;
640	} else {
641	pam_setcred(pamh, (PAM_DELETE_CRED\|PAM_SILENT)); /* We don't care if this fails */
642	pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
643	if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
644	return False;
645	}
646	return (True);
647	}
648
649	/*
650	* Internal PAM Password Changer.
651	*/
652
653	static BOOL smb_pam_chauthtok(pam_handle_t pamh, const char user)
654	{
655	int pam_error;
656
657	DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
658
659	pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
660
661	switch( pam_error ) {
662	case PAM_AUTHTOK_ERR:
663	DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
664	break;
665
666	/* This doesn't seem to be defined on Solaris. JRA */
667	#ifdef PAM_AUTHTOK_RECOVER_ERR
668	case PAM_AUTHTOK_RECOVER_ERR:
669	DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
670	break;
671	#endif
672
673	case PAM_AUTHTOK_LOCK_BUSY:
674	DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
675	break;
676	case PAM_AUTHTOK_DISABLE_AGING:
677	DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
678	break;
679	case PAM_PERM_DENIED:
680	DEBUG(0, ("PAM: Permission denied.\n"));
681	break;
682	case PAM_TRY_AGAIN:
683	DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
684	break;
685	case PAM_USER_UNKNOWN:
686	DEBUG(0, ("PAM: User not known to PAM\n"));
687	break;
688	case PAM_SUCCESS:
689	DEBUG(4, ("PAM: Account OK for User: %s\n", user));
690	break;
691	default:
692	DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
693	}
694
695	if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
696	return False;
697	}
698
699	/* If this point is reached, the password has changed. */
700	return True;
701	}
702
703	/*
704	* PAM Externally accessible Session handler
705	*/
706
707	BOOL smb_pam_claim_session(char user, char tty, char *rhost)
708	{
709	pam_handle_t *pamh = NULL;
710	struct pam_conv *pconv = NULL;
711
712	/* Ignore PAM if told to. */
713
714	if (!lp_obey_pam_restrictions())
715	return True;
716
717	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
718	return False;
719
720	if (!smb_pam_start(&pamh, user, rhost, pconv))
721	return False;
722
723	if (!smb_internal_pam_session(pamh, user, tty, True)) {
724	smb_pam_end(pamh, pconv);
725	return False;
726	}
727
728	return smb_pam_end(pamh, pconv);
729	}
730
731	/*
732	* PAM Externally accessible Session handler
733	*/
734
735	BOOL smb_pam_close_session(char user, char tty, char *rhost)
736	{
737	pam_handle_t *pamh = NULL;
738	struct pam_conv *pconv = NULL;
739
740	/* Ignore PAM if told to. */
741
742	if (!lp_obey_pam_restrictions())
743	return True;
744
745	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
746	return False;
747
748	if (!smb_pam_start(&pamh, user, rhost, pconv))
749	return False;
750
751	if (!smb_internal_pam_session(pamh, user, tty, False)) {
752	smb_pam_end(pamh, pconv);
753	return False;
754	}
755
756	return smb_pam_end(pamh, pconv);
757	}
758
759	/*
760	* PAM Externally accessible Account handler
761	*/
762
763	NTSTATUS smb_pam_accountcheck(const char * user)
764	{
765	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
766	pam_handle_t *pamh = NULL;
767	struct pam_conv *pconv = NULL;
768
769	/* Ignore PAM if told to. */
770
771	if (!lp_obey_pam_restrictions())
772	return NT_STATUS_OK;
773
774	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
775	return NT_STATUS_NO_MEMORY;
776
777	if (!smb_pam_start(&pamh, user, NULL, pconv))
778	return NT_STATUS_ACCOUNT_DISABLED;
779
780	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
781	DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
782
783	smb_pam_end(pamh, pconv);
784	return nt_status;
785	}
786
787	/*
788	* PAM Password Validation Suite
789	*/
790
791	NTSTATUS smb_pam_passcheck(const char * user, const char * password)
792	{
793	pam_handle_t *pamh = NULL;
794	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
795	struct pam_conv *pconv = NULL;
796
797	/*
798	* Note we can't ignore PAM here as this is the only
799	* way of doing auths on plaintext passwords when
800	* compiled --with-pam.
801	*/
802
803	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
804	return NT_STATUS_LOGON_FAILURE;
805
806	if (!smb_pam_start(&pamh, user, NULL, pconv))
807	return NT_STATUS_LOGON_FAILURE;
808
809	if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
810	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
811	smb_pam_end(pamh, pconv);
812	return nt_status;
813	}
814
815	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
816	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
817	smb_pam_end(pamh, pconv);
818	return nt_status;
819	}
820
821	if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
822	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
823	smb_pam_end(pamh, pconv);
824	return nt_status;
825	}
826
827	smb_pam_end(pamh, pconv);
828	return nt_status;
829	}
830
831	/*
832	* PAM Password Change Suite
833	*/
834
835	BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword)
836	{
837	/* Appropriate quantities of root should be obtained BEFORE calling this function */
838	struct pam_conv *pconv = NULL;
839	pam_handle_t *pamh = NULL;
840
841	if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
842	return False;
843
844	if(!smb_pam_start(&pamh, user, NULL, pconv))
845	return False;
846
847	if (!smb_pam_chauthtok(pamh, user)) {
848	DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
849	smb_pam_end(pamh, pconv);
850	return False;
851	}
852
853	return smb_pam_end(pamh, pconv);
854	}
855
856	#else
857
858	/* If PAM not used, no PAM restrictions on accounts. */
859	NTSTATUS smb_pam_accountcheck(const char * user)
860	{
861	return NT_STATUS_OK;
862	}
863
864	/* If PAM not used, also no PAM restrictions on sessions. */
865	BOOL smb_pam_claim_session(char user, char tty, char *rhost)
866	{
867	return True;
868	}
869
870	/* If PAM not used, also no PAM restrictions on sessions. */
871	BOOL smb_pam_close_session(char in_user, char tty, char *rhost)
872	{
873	return True;
874	}
875	#endif /* WITH_PAM */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: