Context Navigation

source: branches/samba-3.2.x/source/auth/pampass.c@ 352

Visit:

Last change on this file since 352 was 228, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 branch to 3.2.6
File size: 25.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	PAM Password checking
4	Copyright (C) Andrew Tridgell 1992-2001
5	Copyright (C) John H Terpsta 1999-2001
6	Copyright (C) Andrew Bartlett 2001
7	Copyright (C) Jeremy Allison 2001
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	/*
24	* This module provides PAM based functions for validation of
25	* username/password pairs, account managment, session and access control.
26	* Note: SMB password checking is done in smbpass.c
27	*/
28
29	#include "includes.h"
30
31	#undef DBGC_CLASS
32	#define DBGC_CLASS DBGC_AUTH
33
34	#ifdef WITH_PAM
35
36	/*******************************************************************
37	* Handle PAM authentication
38	* - Access, Authentication, Session, Password
39	* Note: See PAM Documentation and refer to local system PAM implementation
40	* which determines what actions/limitations/allowances become affected.
41	*********************************************************************/
42
43	#if defined(HAVE_SECURITY_PAM_APPL_H)
44	#include <security/pam_appl.h>
45	#elif defined(HAVE_PAM_PAM_APPL_H)
46	#include <pam/pam_appl.h>
47	#endif
48
49	/*
50	* Structure used to communicate between the conversation function
51	* and the server_login/change password functions.
52	*/
53
54	struct smb_pam_userdata {
55	const char *PAM_username;
56	const char *PAM_password;
57	const char *PAM_newpassword;
58	};
59
60	typedef int (smb_pam_conv_fn)(int, const struct pam_message , struct pam_response , void appdata_ptr);
61
62	/*
63	* Macros to help make life easy
64	*/
65	#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
66	#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
67
68	/*******************************************************************
69	PAM error handler.
70	*********************************************************************/
71
72	static bool smb_pam_error_handler(pam_handle_t pamh, int pam_error, const char msg, int dbglvl)
73	{
74
75	if( pam_error != PAM_SUCCESS) {
76	DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
77	msg, pam_strerror(pamh, pam_error)));
78
79	return False;
80	}
81	return True;
82	}
83
84	/*******************************************************************
85	This function is a sanity check, to make sure that we NEVER report
86	failure as sucess.
87	*********************************************************************/
88
89	static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
90	const char *msg, int dbglvl,
91	NTSTATUS *nt_status)
92	{
93	*nt_status = pam_to_nt_status(pam_error);
94
95	if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
96	return True;
97
98	if (NT_STATUS_IS_OK(*nt_status)) {
99	/* Complain LOUDLY */
100	DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
101	error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
102	*nt_status = NT_STATUS_LOGON_FAILURE;
103	}
104	return False;
105	}
106
107	/*
108	* PAM conversation function
109	* Here we assume (for now, at least) that echo on means login name, and
110	* echo off means password.
111	*/
112
113	static int smb_pam_conv(int num_msg,
114	const struct pam_message **msg,
115	struct pam_response **resp,
116	void *appdata_ptr)
117	{
118	int replies = 0;
119	struct pam_response *reply = NULL;
120	struct smb_pam_userdata udp = (struct smb_pam_userdata )appdata_ptr;
121
122	*resp = NULL;
123
124	if (num_msg <= 0)
125	return PAM_CONV_ERR;
126
127	/*
128	* Apparantly HPUX has a buggy PAM that doesn't support the
129	* appdata_ptr. Fail if this is the case. JRA.
130	*/
131
132	if (udp == NULL) {
133	DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
134	return PAM_CONV_ERR;
135	}
136
137	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
138	if (!reply)
139	return PAM_CONV_ERR;
140
141	memset(reply, '\0', sizeof(struct pam_response) * num_msg);
142
143	for (replies = 0; replies < num_msg; replies++) {
144	switch (msg[replies]->msg_style) {
145	case PAM_PROMPT_ECHO_ON:
146	reply[replies].resp_retcode = PAM_SUCCESS;
147	reply[replies].resp = COPY_STRING(udp->PAM_username);
148	/* PAM frees resp */
149	break;
150
151	case PAM_PROMPT_ECHO_OFF:
152	reply[replies].resp_retcode = PAM_SUCCESS;
153	reply[replies].resp = COPY_STRING(udp->PAM_password);
154	/* PAM frees resp */
155	break;
156
157	case PAM_TEXT_INFO:
158	/* fall through */
159
160	case PAM_ERROR_MSG:
161	/* ignore it... */
162	reply[replies].resp_retcode = PAM_SUCCESS;
163	reply[replies].resp = NULL;
164	break;
165
166	default:
167	/* Must be an error of some sort... */
168	SAFE_FREE(reply);
169	return PAM_CONV_ERR;
170	}
171	}
172	if (reply)
173	*resp = reply;
174	return PAM_SUCCESS;
175	}
176
177	/*
178	* PAM password change conversation function
179	* Here we assume (for now, at least) that echo on means login name, and
180	* echo off means password.
181	*/
182
183	static void special_char_sub(char *buf)
184	{
185	all_string_sub(buf, "\\n", "", 0);
186	all_string_sub(buf, "\\r", "", 0);
187	all_string_sub(buf, "\\s", " ", 0);
188	all_string_sub(buf, "\\t", "\t", 0);
189	}
190
191	static void pwd_sub(char buf, const char username, const char oldpass, const char newpass)
192	{
193	fstring_sub(buf, "%u", username);
194	all_string_sub(buf, "%o", oldpass, sizeof(fstring));
195	all_string_sub(buf, "%n", newpass, sizeof(fstring));
196	}
197
198
199	struct chat_struct {
200	struct chat_struct next, prev;
201	fstring prompt;
202	fstring reply;
203	};
204
205	/**************************************************************
206	Create a linked list containing chat data.
207	***************************************************************/
208
209	static struct chat_struct make_pw_chat(const char p)
210	{
211	char *prompt;
212	char *reply;
213	struct chat_struct *list = NULL;
214	struct chat_struct *t;
215	TALLOC_CTX *frame = talloc_stackframe();
216
217	while (1) {
218	t = SMB_MALLOC_P(struct chat_struct);
219	if (!t) {
220	DEBUG(0,("make_pw_chat: malloc failed!\n"));
221	TALLOC_FREE(frame);
222	return NULL;
223	}
224
225	ZERO_STRUCTP(t);
226
227	DLIST_ADD_END(list, t, struct chat_struct*);
228
229	if (!next_token_talloc(frame, &p, &prompt, NULL)) {
230	break;
231	}
232
233	if (strequal(prompt,".")) {
234	fstrcpy(prompt,"*");
235	}
236
237	special_char_sub(prompt);
238	fstrcpy(t->prompt, prompt);
239	strlower_m(t->prompt);
240	trim_char(t->prompt, ' ', ' ');
241
242	if (!next_token_talloc(frame, &p, &reply, NULL)) {
243	break;
244	}
245
246	if (strequal(reply,".")) {
247	fstrcpy(reply,"");
248	}
249
250	special_char_sub(reply);
251	fstrcpy(t->reply, reply);
252	strlower_m(t->reply);
253	trim_char(t->reply, ' ', ' ');
254
255	}
256	TALLOC_FREE(frame);
257	return list;
258	}
259
260	static void free_pw_chat(struct chat_struct *list)
261	{
262	while (list) {
263	struct chat_struct *old_head = list;
264	DLIST_REMOVE(list, list);
265	SAFE_FREE(old_head);
266	}
267	}
268
269	static int smb_pam_passchange_conv(int num_msg,
270	const struct pam_message **msg,
271	struct pam_response **resp,
272	void *appdata_ptr)
273	{
274	int replies = 0;
275	struct pam_response *reply = NULL;
276	fstring current_prompt;
277	fstring current_reply;
278	struct smb_pam_userdata udp = (struct smb_pam_userdata )appdata_ptr;
279	struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat());
280	struct chat_struct *t;
281	bool found;
282	*resp = NULL;
283
284	DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
285
286	if (num_msg <= 0)
287	return PAM_CONV_ERR;
288
289	if (pw_chat == NULL)
290	return PAM_CONV_ERR;
291
292	/*
293	* Apparantly HPUX has a buggy PAM that doesn't support the
294	* appdata_ptr. Fail if this is the case. JRA.
295	*/
296
297	if (udp == NULL) {
298	DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
299	free_pw_chat(pw_chat);
300	return PAM_CONV_ERR;
301	}
302
303	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
304	if (!reply) {
305	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
306	free_pw_chat(pw_chat);
307	return PAM_CONV_ERR;
308	}
309
310	for (replies = 0; replies < num_msg; replies++) {
311	found = False;
312	DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
313	switch (msg[replies]->msg_style) {
314	case PAM_PROMPT_ECHO_ON:
315	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
316	fstrcpy(current_prompt, msg[replies]->msg);
317	trim_char(current_prompt, ' ', ' ');
318	for (t=pw_chat; t; t=t->next) {
319
320	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match \|%s\| to \|%s\|\n",
321	t->prompt, current_prompt ));
322
323	if (unix_wild_match(t->prompt, current_prompt)) {
324	fstrcpy(current_reply, t->reply);
325	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
326	pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
327	#ifdef DEBUG_PASSWORD
328	DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
329	#endif
330	reply[replies].resp_retcode = PAM_SUCCESS;
331	reply[replies].resp = COPY_FSTRING(current_reply);
332	found = True;
333	break;
334	}
335	}
336	/* PAM frees resp */
337	if (!found) {
338	DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
339	free_pw_chat(pw_chat);
340	SAFE_FREE(reply);
341	return PAM_CONV_ERR;
342	}
343	break;
344
345	case PAM_PROMPT_ECHO_OFF:
346	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
347	fstrcpy(current_prompt, msg[replies]->msg);
348	trim_char(current_prompt, ' ', ' ');
349	for (t=pw_chat; t; t=t->next) {
350
351	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match \|%s\| to \|%s\|\n",
352	t->prompt, current_prompt ));
353
354	if (unix_wild_match(t->prompt, current_prompt)) {
355	fstrcpy(current_reply, t->reply);
356	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
357	pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
358	reply[replies].resp_retcode = PAM_SUCCESS;
359	reply[replies].resp = COPY_FSTRING(current_reply);
360	#ifdef DEBUG_PASSWORD
361	DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
362	#endif
363	found = True;
364	break;
365	}
366	}
367	/* PAM frees resp */
368
369	if (!found) {
370	DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
371	free_pw_chat(pw_chat);
372	SAFE_FREE(reply);
373	return PAM_CONV_ERR;
374	}
375	break;
376
377	case PAM_TEXT_INFO:
378	/* fall through */
379
380	case PAM_ERROR_MSG:
381	/* ignore it... */
382	reply[replies].resp_retcode = PAM_SUCCESS;
383	reply[replies].resp = NULL;
384	break;
385
386	default:
387	/* Must be an error of some sort... */
388	free_pw_chat(pw_chat);
389	SAFE_FREE(reply);
390	return PAM_CONV_ERR;
391	}
392	}
393
394	free_pw_chat(pw_chat);
395	if (reply)
396	*resp = reply;
397	return PAM_SUCCESS;
398	}
399
400	/***************************************************************************
401	Free up a malloced pam_conv struct.
402	****************************************************************************/
403
404	static void smb_free_pam_conv(struct pam_conv *pconv)
405	{
406	if (pconv)
407	SAFE_FREE(pconv->appdata_ptr);
408
409	SAFE_FREE(pconv);
410	}
411
412	/***************************************************************************
413	Allocate a pam_conv struct.
414	****************************************************************************/
415
416	static struct pam_conv smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char user,
417	const char passwd, const char newpass)
418	{
419	struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
420	struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
421
422	if (pconv == NULL \|\| udp == NULL) {
423	SAFE_FREE(pconv);
424	SAFE_FREE(udp);
425	return NULL;
426	}
427
428	udp->PAM_username = user;
429	udp->PAM_password = passwd;
430	udp->PAM_newpassword = newpass;
431
432	pconv->conv = smb_pam_conv_fnptr;
433	pconv->appdata_ptr = (void *)udp;
434	return pconv;
435	}
436
437	/*
438	* PAM Closing out cleanup handler
439	*/
440
441	static bool smb_pam_end(pam_handle_t pamh, struct pam_conv smb_pam_conv_ptr)
442	{
443	int pam_error;
444
445	smb_free_pam_conv(smb_pam_conv_ptr);
446
447	if( pamh != NULL ) {
448	pam_error = pam_end(pamh, 0);
449	if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
450	DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
451	return True;
452	}
453	}
454	DEBUG(2,("smb_pam_end: PAM: not initialised"));
455	return False;
456	}
457
458	/*
459	* Start PAM authentication for specified account
460	*/
461
462	static bool smb_pam_start(pam_handle_t *pamh, const char user, const char rhost, struct pam_conv pconv)
463	{
464	int pam_error;
465	const char *our_rhost;
466	char addr[INET6_ADDRSTRLEN];
467
468	pamh = (pam_handle_t )NULL;
469
470	DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
471
472	pam_error = pam_start("samba", user, pconv, pamh);
473	if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
474	pamh = (pam_handle_t )NULL;
475	return False;
476	}
477
478	if (rhost == NULL) {
479	our_rhost = client_name(get_client_fd());
480	if (strequal(our_rhost,"UNKNOWN"))
481	our_rhost = client_addr(get_client_fd(),addr,sizeof(addr));
482	} else {
483	our_rhost = rhost;
484	}
485
486	#ifdef PAM_RHOST
487	DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
488	pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
489	if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
490	smb_pam_end(*pamh, pconv);
491	pamh = (pam_handle_t )NULL;
492	return False;
493	}
494	#endif
495	#ifdef PAM_TTY
496	DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
497	pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
498	if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
499	smb_pam_end(*pamh, pconv);
500	pamh = (pam_handle_t )NULL;
501	return False;
502	}
503	#endif
504	DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
505	return True;
506	}
507
508	/*
509	* PAM Authentication Handler
510	*/
511	static NTSTATUS smb_pam_auth(pam_handle_t pamh, const char user)
512	{
513	int pam_error;
514	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
515
516	/*
517	* To enable debugging set in /etc/pam.d/samba:
518	* auth required /lib/security/pam_pwdb.so nullok shadow audit
519	*/
520
521	DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
522	pam_error = pam_authenticate(pamh, PAM_SILENT \| lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
523	switch( pam_error ){
524	case PAM_AUTH_ERR:
525	DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
526	break;
527	case PAM_CRED_INSUFFICIENT:
528	DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
529	break;
530	case PAM_AUTHINFO_UNAVAIL:
531	DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
532	break;
533	case PAM_USER_UNKNOWN:
534	DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
535	break;
536	case PAM_MAXTRIES:
537	DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
538	break;
539	case PAM_ABORT:
540	DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
541	break;
542	case PAM_SUCCESS:
543	DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
544	break;
545	default:
546	DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
547	break;
548	}
549
550	smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
551	return nt_status;
552	}
553
554	/*
555	* PAM Account Handler
556	*/
557	static NTSTATUS smb_pam_account(pam_handle_t pamh, const char user)
558	{
559	int pam_error;
560	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
561
562	DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
563	pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
564	switch( pam_error ) {
565	case PAM_AUTHTOK_EXPIRED:
566	DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
567	break;
568	case PAM_ACCT_EXPIRED:
569	DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
570	break;
571	case PAM_AUTH_ERR:
572	DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
573	break;
574	case PAM_PERM_DENIED:
575	DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
576	break;
577	case PAM_USER_UNKNOWN:
578	DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
579	break;
580	case PAM_SUCCESS:
581	DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
582	break;
583	default:
584	DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
585	break;
586	}
587
588	smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
589	return nt_status;
590	}
591
592	/*
593	* PAM Credential Setting
594	*/
595
596	static NTSTATUS smb_pam_setcred(pam_handle_t pamh, const char user)
597	{
598	int pam_error;
599	NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
600
601	/*
602	* This will allow samba to aquire a kerberos token. And, when
603	* exporting an AFS cell, be able to /write/ to this cell.
604	*/
605
606	DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
607	pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED\|PAM_SILENT));
608	switch( pam_error ) {
609	case PAM_CRED_UNAVAIL:
610	DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
611	break;
612	case PAM_CRED_EXPIRED:
613	DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
614	break;
615	case PAM_USER_UNKNOWN:
616	DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
617	break;
618	case PAM_CRED_ERR:
619	DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
620	break;
621	case PAM_SUCCESS:
622	DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
623	break;
624	default:
625	DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
626	break;
627	}
628
629	smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
630	return nt_status;
631	}
632
633	/*
634	* PAM Internal Session Handler
635	*/
636	static bool smb_internal_pam_session(pam_handle_t pamh, const char user, const char *tty, bool flag)
637	{
638	int pam_error;
639
640	#ifdef PAM_TTY
641	DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
642	pam_error = pam_set_item(pamh, PAM_TTY, tty);
643	if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
644	return False;
645	#endif
646
647	if (flag) {
648	pam_error = pam_open_session(pamh, PAM_SILENT);
649	if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
650	return False;
651	} else {
652	pam_setcred(pamh, (PAM_DELETE_CRED\|PAM_SILENT)); /* We don't care if this fails */
653	pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
654	if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
655	return False;
656	}
657	return (True);
658	}
659
660	/*
661	* Internal PAM Password Changer.
662	*/
663
664	static bool smb_pam_chauthtok(pam_handle_t pamh, const char user)
665	{
666	int pam_error;
667
668	DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
669
670	pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
671
672	switch( pam_error ) {
673	case PAM_AUTHTOK_ERR:
674	DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
675	break;
676
677	/* This doesn't seem to be defined on Solaris. JRA */
678	#ifdef PAM_AUTHTOK_RECOVER_ERR
679	case PAM_AUTHTOK_RECOVER_ERR:
680	DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
681	break;
682	#endif
683
684	case PAM_AUTHTOK_LOCK_BUSY:
685	DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
686	break;
687	case PAM_AUTHTOK_DISABLE_AGING:
688	DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
689	break;
690	case PAM_PERM_DENIED:
691	DEBUG(0, ("PAM: Permission denied.\n"));
692	break;
693	case PAM_TRY_AGAIN:
694	DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
695	break;
696	case PAM_USER_UNKNOWN:
697	DEBUG(0, ("PAM: User not known to PAM\n"));
698	break;
699	case PAM_SUCCESS:
700	DEBUG(4, ("PAM: Account OK for User: %s\n", user));
701	break;
702	default:
703	DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
704	}
705
706	if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
707	return False;
708	}
709
710	/* If this point is reached, the password has changed. */
711	return True;
712	}
713
714	/*
715	* PAM Externally accessible Session handler
716	*/
717
718	bool smb_pam_claim_session(char user, char tty, char *rhost)
719	{
720	pam_handle_t *pamh = NULL;
721	struct pam_conv *pconv = NULL;
722
723	/* Ignore PAM if told to. */
724
725	if (!lp_obey_pam_restrictions())
726	return True;
727
728	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
729	return False;
730
731	if (!smb_pam_start(&pamh, user, rhost, pconv))
732	return False;
733
734	if (!smb_internal_pam_session(pamh, user, tty, True)) {
735	smb_pam_end(pamh, pconv);
736	return False;
737	}
738
739	return smb_pam_end(pamh, pconv);
740	}
741
742	/*
743	* PAM Externally accessible Session handler
744	*/
745
746	bool smb_pam_close_session(char user, char tty, char *rhost)
747	{
748	pam_handle_t *pamh = NULL;
749	struct pam_conv *pconv = NULL;
750
751	/* Ignore PAM if told to. */
752
753	if (!lp_obey_pam_restrictions())
754	return True;
755
756	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
757	return False;
758
759	if (!smb_pam_start(&pamh, user, rhost, pconv))
760	return False;
761
762	if (!smb_internal_pam_session(pamh, user, tty, False)) {
763	smb_pam_end(pamh, pconv);
764	return False;
765	}
766
767	return smb_pam_end(pamh, pconv);
768	}
769
770	/*
771	* PAM Externally accessible Account handler
772	*/
773
774	NTSTATUS smb_pam_accountcheck(const char * user)
775	{
776	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
777	pam_handle_t *pamh = NULL;
778	struct pam_conv *pconv = NULL;
779
780	/* Ignore PAM if told to. */
781
782	if (!lp_obey_pam_restrictions())
783	return NT_STATUS_OK;
784
785	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
786	return NT_STATUS_NO_MEMORY;
787
788	if (!smb_pam_start(&pamh, user, NULL, pconv))
789	return NT_STATUS_ACCOUNT_DISABLED;
790
791	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
792	DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
793
794	smb_pam_end(pamh, pconv);
795	return nt_status;
796	}
797
798	/*
799	* PAM Password Validation Suite
800	*/
801
802	NTSTATUS smb_pam_passcheck(const char * user, const char * password)
803	{
804	pam_handle_t *pamh = NULL;
805	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
806	struct pam_conv *pconv = NULL;
807
808	/*
809	* Note we can't ignore PAM here as this is the only
810	* way of doing auths on plaintext passwords when
811	* compiled --with-pam.
812	*/
813
814	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
815	return NT_STATUS_LOGON_FAILURE;
816
817	if (!smb_pam_start(&pamh, user, NULL, pconv))
818	return NT_STATUS_LOGON_FAILURE;
819
820	if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
821	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
822	smb_pam_end(pamh, pconv);
823	return nt_status;
824	}
825
826	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
827	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
828	smb_pam_end(pamh, pconv);
829	return nt_status;
830	}
831
832	if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
833	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
834	smb_pam_end(pamh, pconv);
835	return nt_status;
836	}
837
838	smb_pam_end(pamh, pconv);
839	return nt_status;
840	}
841
842	/*
843	* PAM Password Change Suite
844	*/
845
846	bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword)
847	{
848	/* Appropriate quantities of root should be obtained BEFORE calling this function */
849	struct pam_conv *pconv = NULL;
850	pam_handle_t *pamh = NULL;
851
852	if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
853	return False;
854
855	if(!smb_pam_start(&pamh, user, NULL, pconv))
856	return False;
857
858	if (!smb_pam_chauthtok(pamh, user)) {
859	DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
860	smb_pam_end(pamh, pconv);
861	return False;
862	}
863
864	return smb_pam_end(pamh, pconv);
865	}
866
867	#else
868
869	/* If PAM not used, no PAM restrictions on accounts. */
870	NTSTATUS smb_pam_accountcheck(const char * user)
871	{
872	return NT_STATUS_OK;
873	}
874
875	/* If PAM not used, also no PAM restrictions on sessions. */
876	bool smb_pam_claim_session(char user, char tty, char *rhost)
877	{
878	return True;
879	}
880
881	/* If PAM not used, also no PAM restrictions on sessions. */
882	bool smb_pam_close_session(char in_user, char tty, char *rhost)
883	{
884	return True;
885	}
886	#endif /* WITH_PAM */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: