Context Navigation

source: branches/samba-3.2.x/source/nsswitch/pam_winbind.c

Visit:

Last change on this file was 335, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 to 3.2.14 (final)
File size: 69.3 KB

Line
1	/* pam_winbind module
2
3	Copyright Andrew Tridgell <tridge@samba.org> 2000
4	Copyright Tim Potter <tpot@samba.org> 2000
5	Copyright Andrew Bartlett <abartlet@samba.org> 2002
6	Copyright Guenther Deschner <gd@samba.org> 2005-2008
7
8	largely based on pam_userdb by Cristian Gafton <gafton@redhat.com> also
9	contains large slabs of code from pam_unix by Elliot Lee
10	<sopwith@redhat.com> (see copyright below for full details)
11	*/
12
13	#include "pam_winbind.h"
14
15	#define _PAM_LOG_FUNCTION_ENTER(function, ctx) \
16	do { \
17	_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] ENTER: " \
18	function " (flags: 0x%04x)", ctx->pamh, ctx->flags); \
19	_pam_log_state(ctx); \
20	} while (0)
21
22	#define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \
23	do { \
24	_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \
25	function " returning %d", ctx->pamh, retval); \
26	_pam_log_state(ctx); \
27	} while (0)
28
29	/* data tokens */
30
31	#define MAX_PASSWD_TRIES 3
32
33	/*
34	* Work around the pam API that has functions with void ** as parameters
35	* These lead to strict aliasing warnings with gcc.
36	*/
37	static int _pam_get_item(const pam_handle_t *pamh,
38	int item_type,
39	const void *_item)
40	{
41	const void item = (const void )_item;
42	return pam_get_item(pamh, item_type, item);
43	}
44	static int _pam_get_data(const pam_handle_t *pamh,
45	const char *module_data_name,
46	const void *_data)
47	{
48	const void data = (const void )_data;
49	return pam_get_data(pamh, module_data_name, data);
50	}
51
52	/* some syslogging */
53
54	#ifdef HAVE_PAM_VSYSLOG
55	static void _pam_log_int(const pam_handle_t *pamh,
56	int err,
57	const char *format,
58	va_list args)
59	{
60	pam_vsyslog(pamh, err, format, args);
61	}
62	#else
63	static void _pam_log_int(const pam_handle_t *pamh,
64	int err,
65	const char *format,
66	va_list args)
67	{
68	char *format2 = NULL;
69	const char *service;
70
71	_pam_get_item(pamh, PAM_SERVICE, &service);
72
73	format2 = (char *)malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5);
74	if (format2 == NULL) {
75	/* what else todo ? */
76	vsyslog(err, format, args);
77	return;
78	}
79
80	sprintf(format2, "%s(%s): %s", MODULE_NAME, service, format);
81	vsyslog(err, format2, args);
82	SAFE_FREE(format2);
83	}
84	#endif /* HAVE_PAM_VSYSLOG */
85
86	static bool _pam_log_is_silent(int ctrl)
87	{
88	return on(ctrl, WINBIND_SILENT);
89	}
90
91	static void _pam_log(struct pwb_context r, int err, const char format, ...) PRINTF_ATTRIBUTE(3,4);
92	static void _pam_log(struct pwb_context r, int err, const char format, ...)
93	{
94	va_list args;
95
96	if (_pam_log_is_silent(r->ctrl)) {
97	return;
98	}
99
100	va_start(args, format);
101	_pam_log_int(r->pamh, err, format, args);
102	va_end(args);
103	}
104	static void __pam_log(const pam_handle_t pamh, int ctrl, int err, const char format, ...) PRINTF_ATTRIBUTE(4,5);
105	static void __pam_log(const pam_handle_t pamh, int ctrl, int err, const char format, ...)
106	{
107	va_list args;
108
109	if (_pam_log_is_silent(ctrl)) {
110	return;
111	}
112
113	va_start(args, format);
114	_pam_log_int(pamh, err, format, args);
115	va_end(args);
116	}
117
118	static bool _pam_log_is_debug_enabled(int ctrl)
119	{
120	if (ctrl == -1) {
121	return false;
122	}
123
124	if (_pam_log_is_silent(ctrl)) {
125	return false;
126	}
127
128	if (!(ctrl & WINBIND_DEBUG_ARG)) {
129	return false;
130	}
131
132	return true;
133	}
134
135	static bool _pam_log_is_debug_state_enabled(int ctrl)
136	{
137	if (!(ctrl & WINBIND_DEBUG_STATE)) {
138	return false;
139	}
140
141	return _pam_log_is_debug_enabled(ctrl);
142	}
143
144	static void _pam_log_debug(struct pwb_context r, int err, const char format, ...) PRINTF_ATTRIBUTE(3,4);
145	static void _pam_log_debug(struct pwb_context r, int err, const char format, ...)
146	{
147	va_list args;
148
149	if (!_pam_log_is_debug_enabled(r->ctrl)) {
150	return;
151	}
152
153	va_start(args, format);
154	_pam_log_int(r->pamh, err, format, args);
155	va_end(args);
156	}
157	static void __pam_log_debug(const pam_handle_t pamh, int ctrl, int err, const char format, ...) PRINTF_ATTRIBUTE(4,5);
158	static void __pam_log_debug(const pam_handle_t pamh, int ctrl, int err, const char format, ...)
159	{
160	va_list args;
161
162	if (!_pam_log_is_debug_enabled(ctrl)) {
163	return;
164	}
165
166	va_start(args, format);
167	_pam_log_int(pamh, err, format, args);
168	va_end(args);
169	}
170
171	static void _pam_log_state_datum(struct pwb_context *ctx,
172	int item_type,
173	const char *key,
174	int is_string)
175	{
176	const void *data = NULL;
177	if (item_type != 0) {
178	pam_get_item(ctx->pamh, item_type, &data);
179	} else {
180	pam_get_data(ctx->pamh, key, &data);
181	}
182	if (data != NULL) {
183	const char *type = (item_type != 0) ? "ITEM" : "DATA";
184	if (is_string != 0) {
185	_pam_log_debug(ctx, LOG_DEBUG,
186	"[pamh: %p] STATE: %s(%s) = \"%s\" (%p)",
187	ctx->pamh, type, key, (const char *)data,
188	data);
189	} else {
190	_pam_log_debug(ctx, LOG_DEBUG,
191	"[pamh: %p] STATE: %s(%s) = %p",
192	ctx->pamh, type, key, data);
193	}
194	}
195	}
196
197	#define _PAM_LOG_STATE_DATA_POINTER(ctx, module_data_name) \
198	_pam_log_state_datum(ctx, 0, module_data_name, 0)
199
200	#define _PAM_LOG_STATE_DATA_STRING(ctx, module_data_name) \
201	_pam_log_state_datum(ctx, 0, module_data_name, 1)
202
203	#define _PAM_LOG_STATE_ITEM_POINTER(ctx, item_type) \
204	_pam_log_state_datum(ctx, item_type, #item_type, 0)
205
206	#define _PAM_LOG_STATE_ITEM_STRING(ctx, item_type) \
207	_pam_log_state_datum(ctx, item_type, #item_type, 1)
208
209	#ifdef DEBUG_PASSWORD
210	#define _LOG_PASSWORD_AS_STRING 1
211	#else
212	#define _LOG_PASSWORD_AS_STRING 0
213	#endif
214
215	#define _PAM_LOG_STATE_ITEM_PASSWORD(ctx, item_type) \
216	_pam_log_state_datum(ctx, item_type, #item_type, \
217	_LOG_PASSWORD_AS_STRING)
218
219	static void _pam_log_state(struct pwb_context *ctx)
220	{
221	if (!_pam_log_is_debug_state_enabled(ctx->ctrl)) {
222	return;
223	}
224
225	_PAM_LOG_STATE_ITEM_STRING(ctx, PAM_SERVICE);
226	_PAM_LOG_STATE_ITEM_STRING(ctx, PAM_USER);
227	_PAM_LOG_STATE_ITEM_STRING(ctx, PAM_TTY);
228	_PAM_LOG_STATE_ITEM_STRING(ctx, PAM_RHOST);
229	_PAM_LOG_STATE_ITEM_STRING(ctx, PAM_RUSER);
230	_PAM_LOG_STATE_ITEM_PASSWORD(ctx, PAM_OLDAUTHTOK);
231	_PAM_LOG_STATE_ITEM_PASSWORD(ctx, PAM_AUTHTOK);
232	_PAM_LOG_STATE_ITEM_STRING(ctx, PAM_USER_PROMPT);
233	_PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_CONV);
234	#ifdef PAM_FAIL_DELAY
235	_PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_FAIL_DELAY);
236	#endif
237	#ifdef PAM_REPOSITORY
238	_PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_REPOSITORY);
239	#endif
240
241	_PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_HOMEDIR);
242	_PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_LOGONSCRIPT);
243	_PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_LOGONSERVER);
244	_PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_PROFILEPATH);
245	_PAM_LOG_STATE_DATA_STRING(ctx,
246	PAM_WINBIND_NEW_AUTHTOK_REQD);
247	/* Use atoi to get PAM result code */
248	_PAM_LOG_STATE_DATA_STRING(ctx,
249	PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH);
250	_PAM_LOG_STATE_DATA_POINTER(ctx, PAM_WINBIND_PWD_LAST_SET);
251	}
252
253	static int _pam_parse(const pam_handle_t *pamh,
254	int flags,
255	int argc,
256	const char **argv,
257	dictionary **result_d)
258	{
259	int ctrl = 0;
260	const char *config_file = NULL;
261	int i;
262	const char **v;
263	dictionary *d = NULL;
264
265	if (flags & PAM_SILENT) {
266	ctrl \|= WINBIND_SILENT;
267	}
268
269	for (i=argc,v=argv; i-- > 0; ++v) {
270	if (!strncasecmp(*v, "config", strlen("config"))) {
271	ctrl \|= WINBIND_CONFIG_FILE;
272	config_file = v[i];
273	break;
274	}
275	}
276
277	if (config_file == NULL) {
278	config_file = PAM_WINBIND_CONFIG_FILE;
279	}
280
281	d = iniparser_load(config_file);
282	if (d == NULL) {
283	goto config_from_pam;
284	}
285
286	if (iniparser_getboolean(d, "global:debug", false)) {
287	ctrl \|= WINBIND_DEBUG_ARG;
288	}
289
290	if (iniparser_getboolean(d, "global:debug_state", false)) {
291	ctrl \|= WINBIND_DEBUG_STATE;
292	}
293
294	if (iniparser_getboolean(d, "global:cached_login", false)) {
295	ctrl \|= WINBIND_CACHED_LOGIN;
296	}
297
298	if (iniparser_getboolean(d, "global:krb5_auth", false)) {
299	ctrl \|= WINBIND_KRB5_AUTH;
300	}
301
302	if (iniparser_getboolean(d, "global:silent", false)) {
303	ctrl \|= WINBIND_SILENT;
304	}
305
306	if (iniparser_getstr(d, "global:krb5_ccache_type") != NULL) {
307	ctrl \|= WINBIND_KRB5_CCACHE_TYPE;
308	}
309
310	if ((iniparser_getstr(d, "global:require-membership-of") != NULL) \|\|
311	(iniparser_getstr(d, "global:require_membership_of") != NULL)) {
312	ctrl \|= WINBIND_REQUIRED_MEMBERSHIP;
313	}
314
315	if (iniparser_getboolean(d, "global:try_first_pass", false)) {
316	ctrl \|= WINBIND_TRY_FIRST_PASS_ARG;
317	}
318
319	if (iniparser_getint(d, "global:warn_pwd_expire", 0)) {
320	ctrl \|= WINBIND_WARN_PWD_EXPIRE;
321	}
322
323	config_from_pam:
324	/* step through arguments */
325	for (i=argc,v=argv; i-- > 0; ++v) {
326
327	/* generic options */
328	if (!strcmp(*v,"debug"))
329	ctrl \|= WINBIND_DEBUG_ARG;
330	else if (!strcasecmp(*v, "debug_state"))
331	ctrl \|= WINBIND_DEBUG_STATE;
332	else if (!strcasecmp(*v, "silent"))
333	ctrl \|= WINBIND_SILENT;
334	else if (!strcasecmp(*v, "use_authtok"))
335	ctrl \|= WINBIND_USE_AUTHTOK_ARG;
336	else if (!strcasecmp(*v, "use_first_pass"))
337	ctrl \|= WINBIND_USE_FIRST_PASS_ARG;
338	else if (!strcasecmp(*v, "try_first_pass"))
339	ctrl \|= WINBIND_TRY_FIRST_PASS_ARG;
340	else if (!strcasecmp(*v, "unknown_ok"))
341	ctrl \|= WINBIND_UNKNOWN_OK_ARG;
342	else if (!strncasecmp(*v, "require_membership_of",
343	strlen("require_membership_of")))
344	ctrl \|= WINBIND_REQUIRED_MEMBERSHIP;
345	else if (!strncasecmp(*v, "require-membership-of",
346	strlen("require-membership-of")))
347	ctrl \|= WINBIND_REQUIRED_MEMBERSHIP;
348	else if (!strcasecmp(*v, "krb5_auth"))
349	ctrl \|= WINBIND_KRB5_AUTH;
350	else if (!strncasecmp(*v, "krb5_ccache_type",
351	strlen("krb5_ccache_type")))
352	ctrl \|= WINBIND_KRB5_CCACHE_TYPE;
353	else if (!strcasecmp(*v, "cached_login"))
354	ctrl \|= WINBIND_CACHED_LOGIN;
355	else {
356	__pam_log(pamh, ctrl, LOG_ERR,
357	"pam_parse: unknown option: %s", *v);
358	return -1;
359	}
360
361	}
362
363	if (result_d) {
364	*result_d = d;
365	} else {
366	if (d) {
367	iniparser_freedict(d);
368	}
369	}
370
371	return ctrl;
372	};
373
374	static void _pam_winbind_free_context(struct pwb_context *ctx)
375	{
376	if (ctx->dict) {
377	iniparser_freedict(ctx->dict);
378	}
379
380	SAFE_FREE(ctx);
381	}
382
383	static int _pam_winbind_init_context(pam_handle_t *pamh,
384	int flags,
385	int argc,
386	const char **argv,
387	struct pwb_context **ctx_p)
388	{
389	struct pwb_context *r = NULL;
390
391	r = (struct pwb_context *)malloc(sizeof(struct pwb_context));
392	if (!r) {
393	return PAM_BUF_ERR;
394	}
395
396	ZERO_STRUCTP(r);
397
398	r->pamh = pamh;
399	r->flags = flags;
400	r->argc = argc;
401	r->argv = argv;
402	r->ctrl = _pam_parse(pamh, flags, argc, argv, &r->dict);
403	if (r->ctrl == -1) {
404	_pam_winbind_free_context(r);
405	return PAM_SYSTEM_ERR;
406	}
407
408	*ctx_p = r;
409
410	return PAM_SUCCESS;
411	}
412
413	static void _pam_winbind_cleanup_func(pam_handle_t *pamh,
414	void *data,
415	int error_status)
416	{
417	int ctrl = _pam_parse(pamh, 0, 0, NULL, NULL);
418	if (_pam_log_is_debug_state_enabled(ctrl)) {
419	__pam_log_debug(pamh, ctrl, LOG_DEBUG,
420	"[pamh: %p] CLEAN: cleaning up PAM data %p "
421	"(error_status = %d)", pamh, data,
422	error_status);
423	}
424	SAFE_FREE(data);
425	}
426
427
428	static const struct ntstatus_errors {
429	const char *ntstatus_string;
430	const char *error_string;
431	} ntstatus_errors[] = {
432	{"NT_STATUS_OK",
433	"Success"},
434	{"NT_STATUS_BACKUP_CONTROLLER",
435	"No primary Domain Controler available"},
436	{"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
437	"No domain controllers found"},
438	{"NT_STATUS_NO_LOGON_SERVERS",
439	"No logon servers"},
440	{"NT_STATUS_PWD_TOO_SHORT",
441	"Password too short"},
442	{"NT_STATUS_PWD_TOO_RECENT",
443	"The password of this user is too recent to change"},
444	{"NT_STATUS_PWD_HISTORY_CONFLICT",
445	"Password is already in password history"},
446	{"NT_STATUS_PASSWORD_EXPIRED",
447	"Your password has expired"},
448	{"NT_STATUS_PASSWORD_MUST_CHANGE",
449	"You need to change your password now"},
450	{"NT_STATUS_INVALID_WORKSTATION",
451	"You are not allowed to logon from this workstation"},
452	{"NT_STATUS_INVALID_LOGON_HOURS",
453	"You are not allowed to logon at this time"},
454	{"NT_STATUS_ACCOUNT_EXPIRED",
455	"Your account has expired. "
456	"Please contact your System administrator"}, /* SCNR */
457	{"NT_STATUS_ACCOUNT_DISABLED",
458	"Your account is disabled. "
459	"Please contact your System administrator"}, /* SCNR */
460	{"NT_STATUS_ACCOUNT_LOCKED_OUT",
461	"Your account has been locked. "
462	"Please contact your System administrator"}, /* SCNR */
463	{"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
464	"Invalid Trust Account"},
465	{"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
466	"Invalid Trust Account"},
467	{"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
468	"Invalid Trust Account"},
469	{"NT_STATUS_ACCESS_DENIED",
470	"Access is denied"},
471	{NULL, NULL}
472	};
473
474	static const char _get_ntstatus_error_string(const char nt_status_string)
475	{
476	int i;
477	for (i=0; ntstatus_errors[i].ntstatus_string != NULL; i++) {
478	if (!strcasecmp(ntstatus_errors[i].ntstatus_string,
479	nt_status_string)) {
480	return ntstatus_errors[i].error_string;
481	}
482	}
483	return NULL;
484	}
485
486	/* --- authentication management functions --- */
487
488	/* Attempt a conversation */
489
490	static int converse(const pam_handle_t *pamh,
491	int nargs,
492	struct pam_message **message,
493	struct pam_response **response)
494	{
495	int retval;
496	struct pam_conv *conv;
497
498	retval = _pam_get_item(pamh, PAM_CONV, &conv);
499	if (retval == PAM_SUCCESS) {
500	retval = conv->conv(nargs,
501	(const struct pam_message **)message,
502	response, conv->appdata_ptr);
503	}
504
505	return retval; /* propagate error status */
506	}
507
508
509	static int _make_remark(struct pwb_context *ctx,
510	int type,
511	const char *text)
512	{
513	int retval = PAM_SUCCESS;
514
515	struct pam_message *pmsg[1], msg[1];
516	struct pam_response *resp;
517
518	if (ctx->flags & WINBIND_SILENT) {
519	return PAM_SUCCESS;
520	}
521
522	pmsg[0] = &msg[0];
523	msg[0].msg = discard_const_p(char, text);
524	msg[0].msg_style = type;
525
526	resp = NULL;
527	retval = converse(ctx->pamh, 1, pmsg, &resp);
528
529	if (resp) {
530	_pam_drop_reply(resp, 1);
531	}
532	return retval;
533	}
534
535	static int _make_remark_v(struct pwb_context *ctx,
536	int type,
537	const char *format,
538	va_list args)
539	{
540	char *var;
541	int ret;
542
543	ret = vasprintf(&var, format, args);
544	if (ret < 0) {
545	_pam_log(ctx, LOG_ERR, "memory allocation failure");
546	return ret;
547	}
548
549	ret = _make_remark(ctx, type, var);
550	SAFE_FREE(var);
551	return ret;
552	}
553
554	static int _make_remark_format(struct pwb_context ctx, int type, const char format, ...) PRINTF_ATTRIBUTE(3,4);
555	static int _make_remark_format(struct pwb_context ctx, int type, const char format, ...)
556	{
557	int ret;
558	va_list args;
559
560	va_start(args, format);
561	ret = _make_remark_v(ctx, type, format, args);
562	va_end(args);
563	return ret;
564	}
565
566	static int pam_winbind_request(struct pwb_context *ctx,
567	enum winbindd_cmd req_type,
568	struct winbindd_request *request,
569	struct winbindd_response *response)
570	{
571	/* Fill in request and send down pipe */
572	winbindd_init_request(request, req_type);
573
574	if (winbind_write_sock(request, sizeof(*request), 0, 0) == -1) {
575	_pam_log(ctx, LOG_ERR,
576	"pam_winbind_request: write to socket failed!");
577	winbind_close_sock();
578	return PAM_SERVICE_ERR;
579	}
580
581	/* Wait for reply */
582	if (winbindd_read_reply(response) == -1) {
583	_pam_log(ctx, LOG_ERR,
584	"pam_winbind_request: read from socket failed!");
585	winbind_close_sock();
586	return PAM_SERVICE_ERR;
587	}
588
589	/* We are done with the socket - close it and avoid mischeif */
590	winbind_close_sock();
591
592	/* Copy reply data from socket */
593	if (response->result == WINBINDD_OK) {
594	return PAM_SUCCESS;
595	}
596
597	/* no need to check for pam_error codes for getpwnam() */
598	switch (req_type) {
599
600	case WINBINDD_GETPWNAM:
601	case WINBINDD_LOOKUPNAME:
602	if (strlen(response->data.auth.nt_status_string) > 0) {
603	_pam_log(ctx, LOG_ERR,
604	"request failed, NT error was %s",
605	response->data.auth.nt_status_string);
606	} else {
607	_pam_log(ctx, LOG_ERR, "request failed");
608	}
609	return PAM_USER_UNKNOWN;
610	default:
611	break;
612	}
613
614	if (response->data.auth.pam_error != PAM_SUCCESS) {
615	_pam_log(ctx, LOG_ERR,
616	"request failed: %s, "
617	"PAM error was %s (%d), NT error was %s",
618	response->data.auth.error_string,
619	pam_strerror(ctx->pamh, response->data.auth.pam_error),
620	response->data.auth.pam_error,
621	response->data.auth.nt_status_string);
622	return response->data.auth.pam_error;
623	}
624
625	_pam_log(ctx, LOG_ERR, "request failed, but PAM error 0!");
626
627	return PAM_SERVICE_ERR;
628	}
629
630	static int pam_winbind_request_log(struct pwb_context *ctx,
631	enum winbindd_cmd req_type,
632	struct winbindd_request *request,
633	struct winbindd_response *response,
634	const char *user)
635	{
636	int retval;
637
638	retval = pam_winbind_request(ctx, req_type, request, response);
639
640	switch (retval) {
641	case PAM_AUTH_ERR:
642	/* incorrect password */
643	_pam_log(ctx, LOG_WARNING, "user '%s' denied access "
644	"(incorrect password or invalid membership)", user);
645	return retval;
646	case PAM_ACCT_EXPIRED:
647	/* account expired */
648	_pam_log(ctx, LOG_WARNING, "user '%s' account expired",
649	user);
650	return retval;
651	case PAM_AUTHTOK_EXPIRED:
652	/* password expired */
653	_pam_log(ctx, LOG_WARNING, "user '%s' password expired",
654	user);
655	return retval;
656	case PAM_NEW_AUTHTOK_REQD:
657	/* new password required */
658	_pam_log(ctx, LOG_WARNING, "user '%s' new password "
659	"required", user);
660	return retval;
661	case PAM_USER_UNKNOWN:
662	/* the user does not exist */
663	_pam_log_debug(ctx, LOG_NOTICE, "user '%s' not found",
664	user);
665	if (ctx->ctrl & WINBIND_UNKNOWN_OK_ARG) {
666	return PAM_IGNORE;
667	}
668	return retval;
669	case PAM_SUCCESS:
670	/* Otherwise, the authentication looked good */
671	switch (req_type) {
672	case WINBINDD_INFO:
673	break;
674	case WINBINDD_PAM_AUTH:
675	_pam_log(ctx, LOG_NOTICE,
676	"user '%s' granted access", user);
677	break;
678	case WINBINDD_PAM_CHAUTHTOK:
679	_pam_log(ctx, LOG_NOTICE,
680	"user '%s' password changed", user);
681	break;
682	default:
683	_pam_log(ctx, LOG_NOTICE,
684	"user '%s' OK", user);
685	break;
686	}
687
688	return retval;
689	default:
690	/* we don't know anything about this return value */
691	_pam_log(ctx, LOG_ERR,
692	"internal module error (retval = %d, user = '%s')",
693	retval, user);
694	return retval;
695	}
696	}
697
698	/**
699	* send a password expiry message if required
700	*
701	* @param pamh PAM handle
702	* @param ctrl PAM winbind options.
703	* @param next_change expected (calculated) next expiry date.
704	* @param already_expired pointer to a boolean to indicate if the password is
705	* already expired.
706	*
707	* @return boolean Returns true if message has been sent, false if not.
708	*/
709
710	static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
711	time_t next_change,
712	time_t now,
713	int warn_pwd_expire,
714	bool *already_expired)
715	{
716	int days = 0;
717	struct tm tm_now, tm_next_change;
718
719	if (already_expired) {
720	*already_expired = false;
721	}
722
723	if (next_change <= now) {
724	PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PASSWORD_EXPIRED");
725	if (already_expired) {
726	*already_expired = true;
727	}
728	return true;
729	}
730
731	if ((next_change < 0) \|\|
732	(next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
733	return false;
734	}
735
736	if ((localtime_r(&now, &tm_now) == NULL) \|\|
737	(localtime_r(&next_change, &tm_next_change) == NULL)) {
738	return false;
739	}
740
741	days = (tm_next_change.tm_yday+tm_next_change.tm_year*365) -
742	(tm_now.tm_yday+tm_now.tm_year*365);
743
744	if (days == 0) {
745	_make_remark(ctx, PAM_TEXT_INFO,
746	"Your password expires today");
747	return true;
748	}
749
750	if (days > 0 && days < warn_pwd_expire) {
751	_make_remark_format(ctx, PAM_TEXT_INFO,
752	"Your password will expire in %d %s",
753	days, (days > 1) ? "days":"day");
754	return true;
755	}
756
757	return false;
758	}
759
760	/**
761	* Send a warning if the password expires in the near future
762	*
763	* @param pamh PAM handle
764	* @param ctrl PAM winbind options.
765	* @param response The full authentication response structure.
766	* @param already_expired boolean, is the pwd already expired?
767	*
768	* @return void.
769	*/
770
771	static void _pam_warn_password_expiry(struct pwb_context *ctx,
772	const struct winbindd_response *response,
773	int warn_pwd_expire,
774	bool *already_expired)
775	{
776	time_t now = time(NULL);
777	time_t next_change = 0;
778
779	if (already_expired) {
780	*already_expired = false;
781	}
782
783	/* accounts with ACB_PWNOEXP set never receive a warning */
784	if (response->data.auth.info3.acct_flags & ACB_PWNOEXP) {
785	return;
786	}
787
788	/* no point in sending a warning if this is a grace logon */
789	if (PAM_WB_GRACE_LOGON(response->data.auth.info3.user_flgs)) {
790	return;
791	}
792
793	/* check if the info3 must change timestamp has been set */
794	next_change = response->data.auth.info3.pass_must_change_time;
795
796	if (_pam_send_password_expiry_message(ctx, next_change, now,
797	warn_pwd_expire,
798	already_expired)) {
799	return;
800	}
801
802	/* now check for the global password policy */
803	/* good catch from Ralf Haferkamp: an expiry of "never" is translated
804	* to -1 */
805	if (response->data.auth.policy.expire <= 0) {
806	return;
807	}
808
809	next_change = response->data.auth.info3.pass_last_set_time +
810	response->data.auth.policy.expire;
811
812	if (_pam_send_password_expiry_message(ctx, next_change, now,
813	warn_pwd_expire,
814	already_expired)) {
815	return;
816	}
817
818	/* no warning sent */
819	}
820
821	#define IS_SID_STRING(name) (strncmp("S-", name, 2) == 0)
822
823	/**
824	* Append a string, making sure not to overflow and to always return a
825	* NULL-terminated string.
826	*
827	* @param dest Destination string buffer (must already be NULL-terminated).
828	* @param src Source string buffer.
829	* @param dest_buffer_size Size of dest buffer in bytes.
830	*
831	* @return false if dest buffer is not big enough (no bytes copied), true on
832	* success.
833	*/
834
835	static bool safe_append_string(char *dest,
836	const char *src,
837	int dest_buffer_size)
838	{
839	int dest_length = strlen(dest);
840	int src_length = strlen(src);
841
842	if (dest_length + src_length + 1 > dest_buffer_size) {
843	return false;
844	}
845
846	memcpy(dest + dest_length, src, src_length + 1);
847	return true;
848	}
849
850	/**
851	* Convert a names into a SID string, appending it to a buffer.
852	*
853	* @param pamh PAM handle
854	* @param ctrl PAM winbind options.
855	* @param user User in PAM request.
856	* @param name Name to convert.
857	* @param sid_list_buffer Where to append the string sid.
858	* @param sid_list_buffer Size of sid_list_buffer (in bytes).
859	*
860	* @return false on failure, true on success.
861	*/
862	static bool winbind_name_to_sid_string(struct pwb_context *ctx,
863	const char *user,
864	const char *name,
865	char *sid_list_buffer,
866	int sid_list_buffer_size)
867	{
868	const char* sid_string;
869	struct winbindd_response sid_response;
870
871	/* lookup name? */
872	if (IS_SID_STRING(name)) {
873	sid_string = name;
874	} else {
875	struct winbindd_request sid_request;
876
877	ZERO_STRUCT(sid_request);
878	ZERO_STRUCT(sid_response);
879
880	_pam_log_debug(ctx, LOG_DEBUG,
881	"no sid given, looking up: %s\n", name);
882
883	/* fortunatly winbindd can handle non-separated names */
884	strncpy(sid_request.data.name.name, name,
885	sizeof(sid_request.data.name.name) - 1);
886
887	if (pam_winbind_request_log(ctx, WINBINDD_LOOKUPNAME,
888	&sid_request, &sid_response,
889	user)) {
890	_pam_log(ctx, LOG_INFO,
891	"could not lookup name: %s\n", name);
892	return false;
893	}
894
895	sid_string = sid_response.data.sid.sid;
896	}
897
898	if (!safe_append_string(sid_list_buffer, sid_string,
899	sid_list_buffer_size)) {
900	return false;
901	}
902
903	return true;
904	}
905
906	/**
907	* Convert a list of names into a list of sids.
908	*
909	* @param pamh PAM handle
910	* @param ctrl PAM winbind options.
911	* @param user User in PAM request.
912	* @param name_list List of names or string sids, separated by commas.
913	* @param sid_list_buffer Where to put the list of string sids.
914	* @param sid_list_buffer Size of sid_list_buffer (in bytes).
915	*
916	* @return false on failure, true on success.
917	*/
918	static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
919	const char *user,
920	const char *name_list,
921	char *sid_list_buffer,
922	int sid_list_buffer_size)
923	{
924	bool result = false;
925	char *current_name = NULL;
926	const char *search_location;
927	const char *comma;
928
929	if (sid_list_buffer_size > 0) {
930	sid_list_buffer[0] = 0;
931	}
932
933	search_location = name_list;
934	while ((comma = strstr(search_location, ",")) != NULL) {
935	current_name = strndup(search_location,
936	comma - search_location);
937	if (NULL == current_name) {
938	goto out;
939	}
940
941	if (!winbind_name_to_sid_string(ctx, user,
942	current_name,
943	sid_list_buffer,
944	sid_list_buffer_size)) {
945	goto out;
946	}
947
948	SAFE_FREE(current_name);
949
950	if (!safe_append_string(sid_list_buffer, ",",
951	sid_list_buffer_size)) {
952	goto out;
953	}
954
955	search_location = comma + 1;
956	}
957
958	if (!winbind_name_to_sid_string(ctx, user, search_location,
959	sid_list_buffer,
960	sid_list_buffer_size)) {
961	goto out;
962	}
963
964	result = true;
965
966	out:
967	SAFE_FREE(current_name);
968	return result;
969	}
970
971	/**
972	* put krb5ccname variable into environment
973	*
974	* @param pamh PAM handle
975	* @param ctrl PAM winbind options.
976	* @param krb5ccname env variable retrieved from winbindd.
977	*
978	* @return void.
979	*/
980
981	static void _pam_setup_krb5_env(struct pwb_context *ctx,
982	const char *krb5ccname)
983	{
984	char var[PATH_MAX];
985	int ret;
986
987	if (off(ctx->ctrl, WINBIND_KRB5_AUTH)) {
988	return;
989	}
990
991	if (!krb5ccname \|\| (strlen(krb5ccname) == 0)) {
992	return;
993	}
994
995	_pam_log_debug(ctx, LOG_DEBUG,
996	"request returned KRB5CCNAME: %s", krb5ccname);
997
998	if (snprintf(var, sizeof(var), "KRB5CCNAME=%s", krb5ccname) == -1) {
999	return;
1000	}
1001
1002	ret = pam_putenv(ctx->pamh, var);
1003	if (ret) {
1004	_pam_log(ctx, LOG_ERR,
1005	"failed to set KRB5CCNAME to %s: %s",
1006	var, pam_strerror(ctx->pamh, ret));
1007	}
1008	}
1009
1010	/**
1011	* Set string into the PAM stack.
1012	*
1013	* @param pamh PAM handle
1014	* @param ctrl PAM winbind options.
1015	* @param data_name Key name for pam_set_data.
1016	* @param value String value.
1017	*
1018	* @return void.
1019	*/
1020
1021	static void _pam_set_data_string(struct pwb_context *ctx,
1022	const char *data_name,
1023	const char *value)
1024	{
1025	int ret;
1026
1027	if (!data_name \|\| !value \|\| (strlen(data_name) == 0) \|\|
1028	(strlen(value) == 0)) {
1029	return;
1030	}
1031
1032	ret = pam_set_data(ctx->pamh, data_name, (void *)strdup(value),
1033	_pam_winbind_cleanup_func);
1034	if (ret) {
1035	_pam_log_debug(ctx, LOG_DEBUG,
1036	"Could not set data %s: %s\n",
1037	data_name, pam_strerror(ctx->pamh, ret));
1038	}
1039
1040	}
1041
1042	/**
1043	* Set info3 strings into the PAM stack.
1044	*
1045	* @param pamh PAM handle
1046	* @param ctrl PAM winbind options.
1047	* @param data_name Key name for pam_set_data.
1048	* @param value String value.
1049	*
1050	* @return void.
1051	*/
1052
1053	static void _pam_set_data_info3(struct pwb_context *ctx,
1054	struct winbindd_response *response)
1055	{
1056	_pam_set_data_string(ctx, PAM_WINBIND_HOMEDIR,
1057	response->data.auth.info3.home_dir);
1058	_pam_set_data_string(ctx, PAM_WINBIND_LOGONSCRIPT,
1059	response->data.auth.info3.logon_script);
1060	_pam_set_data_string(ctx, PAM_WINBIND_LOGONSERVER,
1061	response->data.auth.info3.logon_srv);
1062	_pam_set_data_string(ctx, PAM_WINBIND_PROFILEPATH,
1063	response->data.auth.info3.profile_path);
1064	}
1065
1066	/**
1067	* Free info3 strings in the PAM stack.
1068	*
1069	* @param pamh PAM handle
1070	*
1071	* @return void.
1072	*/
1073
1074	static void _pam_free_data_info3(pam_handle_t *pamh)
1075	{
1076	pam_set_data(pamh, PAM_WINBIND_HOMEDIR, NULL, NULL);
1077	pam_set_data(pamh, PAM_WINBIND_LOGONSCRIPT, NULL, NULL);
1078	pam_set_data(pamh, PAM_WINBIND_LOGONSERVER, NULL, NULL);
1079	pam_set_data(pamh, PAM_WINBIND_PROFILEPATH, NULL, NULL);
1080	}
1081
1082	/**
1083	* Send PAM_ERROR_MSG for cached or grace logons.
1084	*
1085	* @param pamh PAM handle
1086	* @param ctrl PAM winbind options.
1087	* @param username User in PAM request.
1088	* @param info3_user_flgs Info3 flags containing logon type bits.
1089	*
1090	* @return void.
1091	*/
1092
1093	static void _pam_warn_logon_type(struct pwb_context *ctx,
1094	const char *username,
1095	uint32_t info3_user_flgs)
1096	{
1097	/* inform about logon type */
1098	if (PAM_WB_GRACE_LOGON(info3_user_flgs)) {
1099
1100	_make_remark(ctx, PAM_ERROR_MSG,
1101	"Grace login. "
1102	"Please change your password as soon you're "
1103	"online again");
1104	_pam_log_debug(ctx, LOG_DEBUG,
1105	"User %s logged on using grace logon\n",
1106	username);
1107
1108	} else if (PAM_WB_CACHED_LOGON(info3_user_flgs)) {
1109
1110	_make_remark(ctx, PAM_ERROR_MSG,
1111	"Domain Controller unreachable, "
1112	"using cached credentials instead. "
1113	"Network resources may be unavailable");
1114	_pam_log_debug(ctx, LOG_DEBUG,
1115	"User %s logged on using cached credentials\n",
1116	username);
1117	}
1118	}
1119
1120	/**
1121	* Send PAM_ERROR_MSG for krb5 errors.
1122	*
1123	* @param pamh PAM handle
1124	* @param ctrl PAM winbind options.
1125	* @param username User in PAM request.
1126	* @param info3_user_flgs Info3 flags containing logon type bits.
1127	*
1128	* @return void.
1129	*/
1130
1131	static void _pam_warn_krb5_failure(struct pwb_context *ctx,
1132	const char *username,
1133	uint32_t info3_user_flgs)
1134	{
1135	if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
1136	_make_remark(ctx, PAM_ERROR_MSG,
1137	"Failed to establish your Kerberos Ticket cache "
1138	"due time differences\n"
1139	"with the domain controller. "
1140	"Please verify the system time.\n");
1141	_pam_log_debug(ctx, LOG_DEBUG,
1142	"User %s: Clock skew when getting Krb5 TGT\n",
1143	username);
1144	}
1145	}
1146
1147	/**
1148	* Compose Password Restriction String for a PAM_ERROR_MSG conversation.
1149	*
1150	* @param response The struct winbindd_response.
1151	*
1152	* @return string (caller needs to free).
1153	*/
1154
1155	static char _pam_compose_pwd_restriction_string(struct winbindd_response response)
1156	{
1157	char *str = NULL;
1158	size_t offset = 0, ret = 0, str_size = 1024;
1159
1160	str = (char *)malloc(str_size);
1161	if (!str) {
1162	return NULL;
1163	}
1164
1165	memset(str, '\0', str_size);
1166
1167	offset = snprintf(str, str_size, "Your password ");
1168	if (offset == -1) {
1169	goto failed;
1170	}
1171
1172	if (response->data.auth.policy.min_length_password > 0) {
1173	ret = snprintf(str+offset, str_size-offset,
1174	"must be at least %d characters; ",
1175	response->data.auth.policy.min_length_password);
1176	if (ret == -1) {
1177	goto failed;
1178	}
1179	offset += ret;
1180	}
1181
1182	if (response->data.auth.policy.password_history > 0) {
1183	ret = snprintf(str+offset, str_size-offset,
1184	"cannot repeat any of your previous %d "
1185	"passwords; ",
1186	response->data.auth.policy.password_history);
1187	if (ret == -1) {
1188	goto failed;
1189	}
1190	offset += ret;
1191	}
1192
1193	if (response->data.auth.policy.password_properties &
1194	DOMAIN_PASSWORD_COMPLEX) {
1195	ret = snprintf(str+offset, str_size-offset,
1196	"must contain capitals, numerals "
1197	"or punctuation; "
1198	"and cannot contain your account "
1199	"or full name; ");
1200	if (ret == -1) {
1201	goto failed;
1202	}
1203	offset += ret;
1204	}
1205
1206	ret = snprintf(str+offset, str_size-offset,
1207	"Please type a different password. "
1208	"Type a password which meets these requirements in "
1209	"both text boxes.");
1210	if (ret == -1) {
1211	goto failed;
1212	}
1213
1214	return str;
1215
1216	failed:
1217	SAFE_FREE(str);
1218	return NULL;
1219	}
1220
1221	/* talk to winbindd */
1222	static int winbind_auth_request(struct pwb_context *ctx,
1223	const char *user,
1224	const char *pass,
1225	const char *member,
1226	const char *cctype,
1227	const int warn_pwd_expire,
1228	struct winbindd_response *p_response,
1229	time_t *pwd_last_set,
1230	char **user_ret)
1231	{
1232	struct winbindd_request request;
1233	struct winbindd_response response;
1234	int ret;
1235	bool already_expired = false;
1236
1237	ZERO_STRUCT(request);
1238	ZERO_STRUCT(response);
1239
1240	if (pwd_last_set) {
1241	*pwd_last_set = 0;
1242	}
1243
1244	strncpy(request.data.auth.user, user,
1245	sizeof(request.data.auth.user)-1);
1246
1247	strncpy(request.data.auth.pass, pass,
1248	sizeof(request.data.auth.pass)-1);
1249
1250	request.data.auth.krb5_cc_type[0] = '\0';
1251	request.data.auth.uid = -1;
1252
1253	request.flags = WBFLAG_PAM_INFO3_TEXT \| WBFLAG_PAM_GET_PWD_POLICY;
1254
1255	/* Krb5 auth always has to go against the KDC of the user's realm */
1256
1257	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1258	request.flags \|= WBFLAG_PAM_CONTACT_TRUSTDOM;
1259	}
1260
1261	if (ctx->ctrl & (WINBIND_KRB5_AUTH\|WINBIND_CACHED_LOGIN)) {
1262	struct passwd *pwd = NULL;
1263
1264	pwd = getpwnam(user);
1265	if (pwd == NULL) {
1266	return PAM_USER_UNKNOWN;
1267	}
1268	request.data.auth.uid = pwd->pw_uid;
1269	}
1270
1271	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1272
1273	_pam_log_debug(ctx, LOG_DEBUG,
1274	"enabling krb5 login flag\n");
1275
1276	request.flags \|= WBFLAG_PAM_KRB5 \|
1277	WBFLAG_PAM_FALLBACK_AFTER_KRB5;
1278	}
1279
1280	if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
1281	_pam_log_debug(ctx, LOG_DEBUG,
1282	"enabling cached login flag\n");
1283	request.flags \|= WBFLAG_PAM_CACHED_LOGIN;
1284	}
1285
1286	if (user_ret) {
1287	*user_ret = NULL;
1288	request.flags \|= WBFLAG_PAM_UNIX_NAME;
1289	}
1290
1291	if (cctype != NULL) {
1292	strncpy(request.data.auth.krb5_cc_type, cctype,
1293	sizeof(request.data.auth.krb5_cc_type) - 1);
1294	_pam_log_debug(ctx, LOG_DEBUG,
1295	"enabling request for a %s krb5 ccache\n",
1296	cctype);
1297	}
1298
1299	request.data.auth.require_membership_of_sid[0] = '\0';
1300
1301	if (member != NULL) {
1302
1303	if (!winbind_name_list_to_sid_string_list(ctx, user,
1304	member,
1305	request.data.auth.require_membership_of_sid,
1306	sizeof(request.data.auth.require_membership_of_sid))) {
1307
1308	_pam_log_debug(ctx, LOG_ERR,
1309	"failed to serialize membership of sid "
1310	"\"%s\"\n", member);
1311	return PAM_AUTH_ERR;
1312	}
1313	}
1314
1315	ret = pam_winbind_request_log(ctx, WINBINDD_PAM_AUTH,
1316	&request, &response, user);
1317
1318	if (pwd_last_set) {
1319	*pwd_last_set = response.data.auth.info3.pass_last_set_time;
1320	}
1321
1322	if (p_response) {
1323	/* We want to process the response in the caller. */
1324	*p_response = response;
1325	return ret;
1326	}
1327
1328	if (ret) {
1329	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1330	"NT_STATUS_PASSWORD_EXPIRED");
1331	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1332	"NT_STATUS_PASSWORD_MUST_CHANGE");
1333	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1334	"NT_STATUS_INVALID_WORKSTATION");
1335	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1336	"NT_STATUS_INVALID_LOGON_HOURS");
1337	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1338	"NT_STATUS_ACCOUNT_EXPIRED");
1339	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1340	"NT_STATUS_ACCOUNT_DISABLED");
1341	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1342	"NT_STATUS_ACCOUNT_LOCKED_OUT");
1343	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1344	"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT");
1345	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1346	"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT");
1347	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1348	"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT");
1349	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1350	"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1351	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1352	"NT_STATUS_NO_LOGON_SERVERS");
1353	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1354	"NT_STATUS_WRONG_PASSWORD");
1355	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1356	"NT_STATUS_ACCESS_DENIED");
1357	}
1358
1359	if (ret == PAM_SUCCESS) {
1360
1361	/* warn a user if the password is about to expire soon */
1362	_pam_warn_password_expiry(ctx, &response,
1363	warn_pwd_expire,
1364	&already_expired);
1365
1366	if (already_expired == true) {
1367	SMB_TIME_T last_set;
1368	last_set = response.data.auth.info3.pass_last_set_time;
1369	_pam_log_debug(ctx, LOG_DEBUG,
1370	"Password has expired "
1371	"(Password was last set: %lld, "
1372	"the policy says it should expire here "
1373	"%lld (now it's: %lu))\n",
1374	(long long int)last_set,
1375	(long long int)last_set +
1376	response.data.auth.policy.expire,
1377	time(NULL));
1378
1379	return PAM_AUTHTOK_EXPIRED;
1380	}
1381
1382	/* inform about logon type */
1383	_pam_warn_logon_type(ctx, user,
1384	response.data.auth.info3.user_flgs);
1385
1386	/* inform about krb5 failures */
1387	_pam_warn_krb5_failure(ctx, user,
1388	response.data.auth.info3.user_flgs);
1389
1390	/* set some info3 info for other modules in the stack */
1391	_pam_set_data_info3(ctx, &response);
1392
1393	/* put krb5ccname into env */
1394	_pam_setup_krb5_env(ctx, response.data.auth.krb5ccname);
1395
1396	/* If winbindd returned a username, return the pointer to it
1397	* here. */
1398	if (user_ret && response.data.auth.unix_username[0]) {
1399	/* We have to trust it's a null terminated string. */
1400	*user_ret = strndup(response.data.auth.unix_username,
1401	sizeof(response.data.auth.unix_username) - 1);
1402	}
1403	}
1404
1405	return ret;
1406	}
1407
1408	/* talk to winbindd */
1409	static int winbind_chauthtok_request(struct pwb_context *ctx,
1410	const char *user,
1411	const char *oldpass,
1412	const char *newpass,
1413	time_t pwd_last_set)
1414	{
1415	struct winbindd_request request;
1416	struct winbindd_response response;
1417	int ret;
1418
1419	ZERO_STRUCT(request);
1420	ZERO_STRUCT(response);
1421
1422	if (request.data.chauthtok.user == NULL) {
1423	return -2;
1424	}
1425
1426	strncpy(request.data.chauthtok.user, user,
1427	sizeof(request.data.chauthtok.user) - 1);
1428
1429	if (oldpass != NULL) {
1430	strncpy(request.data.chauthtok.oldpass, oldpass,
1431	sizeof(request.data.chauthtok.oldpass) - 1);
1432	} else {
1433	request.data.chauthtok.oldpass[0] = '\0';
1434	}
1435
1436	if (newpass != NULL) {
1437	strncpy(request.data.chauthtok.newpass, newpass,
1438	sizeof(request.data.chauthtok.newpass) - 1);
1439	} else {
1440	request.data.chauthtok.newpass[0] = '\0';
1441	}
1442
1443	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1444	request.flags = WBFLAG_PAM_KRB5 \|
1445	WBFLAG_PAM_CONTACT_TRUSTDOM;
1446	}
1447
1448	if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
1449	request.flags \|= WBFLAG_PAM_CACHED_LOGIN;
1450	}
1451
1452	ret = pam_winbind_request_log(ctx, WINBINDD_PAM_CHAUTHTOK,
1453	&request, &response, user);
1454
1455	if (ret == PAM_SUCCESS) {
1456	return ret;
1457	}
1458
1459	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1460	"NT_STATUS_BACKUP_CONTROLLER");
1461	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1462	"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1463	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1464	"NT_STATUS_NO_LOGON_SERVERS");
1465	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1466	"NT_STATUS_ACCESS_DENIED");
1467
1468	/* TODO: tell the min pwd length ? */
1469	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1470	"NT_STATUS_PWD_TOO_SHORT");
1471
1472	/* TODO: tell the minage ? */
1473	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1474	"NT_STATUS_PWD_TOO_RECENT");
1475
1476	/* TODO: tell the history length ? */
1477	PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1478	"NT_STATUS_PWD_HISTORY_CONFLICT");
1479
1480	if (!strcasecmp(response.data.auth.nt_status_string,
1481	"NT_STATUS_PASSWORD_RESTRICTION")) {
1482
1483	char *pwd_restriction_string = NULL;
1484	SMB_TIME_T min_pwd_age;
1485	uint32_t reject_reason = response.data.auth.reject_reason;
1486	min_pwd_age = response.data.auth.policy.min_passwordage;
1487
1488	/* FIXME: avoid to send multiple PAM messages after another */
1489	switch (reject_reason) {
1490	case -1:
1491	break;
1492	case SAMR_REJECT_OTHER:
1493	if ((min_pwd_age > 0) &&
1494	(pwd_last_set + min_pwd_age > time(NULL))) {
1495	PAM_WB_REMARK_DIRECT(ctx,
1496	"NT_STATUS_PWD_TOO_RECENT");
1497	}
1498	break;
1499	case SAMR_REJECT_TOO_SHORT:
1500	PAM_WB_REMARK_DIRECT(ctx,
1501	"NT_STATUS_PWD_TOO_SHORT");
1502	break;
1503	case SAMR_REJECT_IN_HISTORY:
1504	PAM_WB_REMARK_DIRECT(ctx,
1505	"NT_STATUS_PWD_HISTORY_CONFLICT");
1506	break;
1507	case SAMR_REJECT_COMPLEXITY:
1508	_make_remark(ctx, PAM_ERROR_MSG,
1509	"Password does not meet "
1510	"complexity requirements");
1511	break;
1512	default:
1513	_pam_log_debug(ctx, LOG_DEBUG,
1514	"unknown password change "
1515	"reject reason: %d",
1516	reject_reason);
1517	break;
1518	}
1519
1520	pwd_restriction_string =
1521	_pam_compose_pwd_restriction_string(&response);
1522	if (pwd_restriction_string) {
1523	_make_remark(ctx, PAM_ERROR_MSG,
1524	pwd_restriction_string);
1525	SAFE_FREE(pwd_restriction_string);
1526	}
1527	}
1528
1529	return ret;
1530	}
1531
1532	/*
1533	* Checks if a user has an account
1534	*
1535	* return values:
1536	* 1 = User not found
1537	* 0 = OK
1538	* -1 = System error
1539	*/
1540	static int valid_user(struct pwb_context *ctx,
1541	const char *user)
1542	{
1543	/* check not only if the user is available over NSS calls, also make
1544	* sure it's really a winbind user, this is important when stacking PAM
1545	* modules in the 'account' or 'password' facility. */
1546
1547	struct passwd *pwd = NULL;
1548	struct winbindd_request request;
1549	struct winbindd_response response;
1550	int ret;
1551
1552	ZERO_STRUCT(request);
1553	ZERO_STRUCT(response);
1554
1555	pwd = getpwnam(user);
1556	if (pwd == NULL) {
1557	return 1;
1558	}
1559
1560	strncpy(request.data.username, user,
1561	sizeof(request.data.username) - 1);
1562
1563	ret = pam_winbind_request_log(ctx, WINBINDD_GETPWNAM,
1564	&request, &response, user);
1565
1566	switch (ret) {
1567	case PAM_USER_UNKNOWN:
1568	return 1;
1569	case PAM_SUCCESS:
1570	return 0;
1571	default:
1572	break;
1573	}
1574	return -1;
1575	}
1576
1577	static char _pam_delete(register char xx)
1578	{
1579	_pam_overwrite(xx);
1580	_pam_drop(xx);
1581	return NULL;
1582	}
1583
1584	/*
1585	* obtain a password from the user
1586	*/
1587
1588	static int _winbind_read_password(struct pwb_context *ctx,
1589	unsigned int ctrl,
1590	const char *comment,
1591	const char *prompt1,
1592	const char *prompt2,
1593	const char **pass)
1594	{
1595	int authtok_flag;
1596	int retval;
1597	const char *item;
1598	char *token;
1599
1600	_pam_log(ctx, LOG_DEBUG, "getting password (0x%08x)", ctrl);
1601
1602	/*
1603	* make sure nothing inappropriate gets returned
1604	*/
1605
1606	*pass = token = NULL;
1607
1608	/*
1609	* which authentication token are we getting?
1610	*/
1611
1612	if (on(WINBIND__OLD_PASSWORD, ctrl)) {
1613	authtok_flag = PAM_OLDAUTHTOK;
1614	} else {
1615	authtok_flag = PAM_AUTHTOK;
1616	}
1617
1618	/*
1619	* should we obtain the password from a PAM item ?
1620	*/
1621
1622	if (on(WINBIND_TRY_FIRST_PASS_ARG, ctrl) \|\|
1623	on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
1624	retval = _pam_get_item(ctx->pamh, authtok_flag, &item);
1625	if (retval != PAM_SUCCESS) {
1626	/* very strange. */
1627	_pam_log(ctx, LOG_ALERT,
1628	"pam_get_item returned error "
1629	"to unix-read-password");
1630	return retval;
1631	} else if (item != NULL) { /* we have a password! */
1632	*pass = item;
1633	item = NULL;
1634	_pam_log(ctx, LOG_DEBUG,
1635	"pam_get_item returned a password");
1636	return PAM_SUCCESS;
1637	} else if (on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
1638	return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
1639	} else if (on(WINBIND_USE_AUTHTOK_ARG, ctrl)
1640	&& off(WINBIND__OLD_PASSWORD, ctrl)) {
1641	return PAM_AUTHTOK_RECOVER_ERR;
1642	}
1643	}
1644	/*
1645	* getting here implies we will have to get the password from the
1646	* user directly.
1647	*/
1648
1649	{
1650	struct pam_message msg[3], *pmsg[3];
1651	struct pam_response *resp;
1652	int i, replies;
1653
1654	/* prepare to converse */
1655
1656	if (comment != NULL && off(ctrl, WINBIND_SILENT)) {
1657	pmsg[0] = &msg[0];
1658	msg[0].msg_style = PAM_TEXT_INFO;
1659	msg[0].msg = discard_const_p(char, comment);
1660	i = 1;
1661	} else {
1662	i = 0;
1663	}
1664
1665	pmsg[i] = &msg[i];
1666	msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
1667	msg[i++].msg = discard_const_p(char, prompt1);
1668	replies = 1;
1669
1670	if (prompt2 != NULL) {
1671	pmsg[i] = &msg[i];
1672	msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
1673	msg[i++].msg = discard_const_p(char, prompt2);
1674	++replies;
1675	}
1676	/* so call the conversation expecting i responses */
1677	resp = NULL;
1678	retval = converse(ctx->pamh, i, pmsg, &resp);
1679	if (resp == NULL) {
1680	if (retval == PAM_SUCCESS) {
1681	retval = PAM_AUTHTOK_RECOVER_ERR;
1682	}
1683	goto done;
1684	}
1685	if (retval != PAM_SUCCESS) {
1686	_pam_drop_reply(resp, i);
1687	goto done;
1688	}
1689
1690	/* interpret the response */
1691
1692	token = x_strdup(resp[i - replies].resp);
1693	if (!token) {
1694	_pam_log(ctx, LOG_NOTICE,
1695	"could not recover "
1696	"authentication token");
1697	retval = PAM_AUTHTOK_RECOVER_ERR;
1698	goto done;
1699	}
1700
1701	if (replies == 2) {
1702	/* verify that password entered correctly */
1703	if (!resp[i - 1].resp \|\|
1704	strcmp(token, resp[i - 1].resp)) {
1705	_pam_delete(token); /* mistyped */
1706	retval = PAM_AUTHTOK_RECOVER_ERR;
1707	_make_remark(ctx, PAM_ERROR_MSG,
1708	MISTYPED_PASS);
1709	}
1710	}
1711
1712	/*
1713	* tidy up the conversation (resp_retcode) is ignored
1714	* -- what is it for anyway? AGM
1715	*/
1716	_pam_drop_reply(resp, i);
1717	}
1718
1719	done:
1720	if (retval != PAM_SUCCESS) {
1721	_pam_log_debug(ctx, LOG_DEBUG,
1722	"unable to obtain a password");
1723	return retval;
1724	}
1725	/* 'token' is the entered password */
1726
1727	/* we store this password as an item */
1728
1729	retval = pam_set_item(ctx->pamh, authtok_flag, token);
1730	_pam_delete(token); /* clean it up */
1731	if (retval != PAM_SUCCESS \|\|
1732	(retval = _pam_get_item(ctx->pamh, authtok_flag, &item)) != PAM_SUCCESS) {
1733
1734	_pam_log(ctx, LOG_CRIT, "error manipulating password");
1735	return retval;
1736
1737	}
1738
1739	*pass = item;
1740	item = NULL; /* break link to password */
1741
1742	return PAM_SUCCESS;
1743	}
1744
1745	static const char get_conf_item_string(struct pwb_context ctx,
1746	const char *item,
1747	int config_flag)
1748	{
1749	int i = 0;
1750	const char *parm_opt = NULL;
1751
1752	if (!(ctx->ctrl & config_flag)) {
1753	goto out;
1754	}
1755
1756	/* let the pam opt take precedence over the pam_winbind.conf option */
1757	for (i=0; i<ctx->argc; i++) {
1758
1759	if ((strncmp(ctx->argv[i], item, strlen(item)) == 0)) {
1760	char *p;
1761
1762	if ((p = strchr(ctx->argv[i], '=')) == NULL) {
1763	_pam_log(ctx, LOG_INFO,
1764	"no \"=\" delimiter for \"%s\" found\n",
1765	item);
1766	goto out;
1767	}
1768	_pam_log_debug(ctx, LOG_INFO,
1769	"PAM config: %s '%s'\n", item, p+1);
1770	return p + 1;
1771	}
1772	}
1773
1774	if (ctx->dict) {
1775	char *key = NULL;
1776
1777	if (!asprintf(&key, "global:%s", item)) {
1778	goto out;
1779	}
1780
1781	parm_opt = iniparser_getstr(ctx->dict, key);
1782	SAFE_FREE(key);
1783
1784	_pam_log_debug(ctx, LOG_INFO, "CONFIG file: %s '%s'\n",
1785	item, parm_opt);
1786	}
1787	out:
1788	return parm_opt;
1789	}
1790
1791	static int get_config_item_int(struct pwb_context *ctx,
1792	const char *item,
1793	int config_flag)
1794	{
1795	int i, parm_opt = -1;
1796
1797	if (!(ctx->ctrl & config_flag)) {
1798	goto out;
1799	}
1800
1801	/* let the pam opt take precedence over the pam_winbind.conf option */
1802	for (i = 0; i < ctx->argc; i++) {
1803
1804	if ((strncmp(ctx->argv[i], item, strlen(item)) == 0)) {
1805	char *p;
1806
1807	if ((p = strchr(ctx->argv[i], '=')) == NULL) {
1808	_pam_log(ctx, LOG_INFO,
1809	"no \"=\" delimiter for \"%s\" found\n",
1810	item);
1811	goto out;
1812	}
1813	parm_opt = atoi(p + 1);
1814	_pam_log_debug(ctx, LOG_INFO,
1815	"PAM config: %s '%d'\n",
1816	item, parm_opt);
1817	return parm_opt;
1818	}
1819	}
1820
1821	if (ctx->dict) {
1822	char *key = NULL;
1823
1824	if (!asprintf(&key, "global:%s", item)) {
1825	goto out;
1826	}
1827
1828	parm_opt = iniparser_getint(ctx->dict, key, -1);
1829	SAFE_FREE(key);
1830
1831	_pam_log_debug(ctx, LOG_INFO,
1832	"CONFIG file: %s '%d'\n",
1833	item, parm_opt);
1834	}
1835	out:
1836	return parm_opt;
1837	}
1838
1839	static const char get_krb5_cc_type_from_config(struct pwb_context ctx)
1840	{
1841	return get_conf_item_string(ctx, "krb5_ccache_type",
1842	WINBIND_KRB5_CCACHE_TYPE);
1843	}
1844
1845	static const char get_member_from_config(struct pwb_context ctx)
1846	{
1847	const char *ret = NULL;
1848	ret = get_conf_item_string(ctx, "require_membership_of",
1849	WINBIND_REQUIRED_MEMBERSHIP);
1850	if (ret) {
1851	return ret;
1852	}
1853	return get_conf_item_string(ctx, "require-membership-of",
1854	WINBIND_REQUIRED_MEMBERSHIP);
1855	}
1856
1857	static int get_warn_pwd_expire_from_config(struct pwb_context *ctx)
1858	{
1859	int ret;
1860	ret = get_config_item_int(ctx, "warn_pwd_expire",
1861	WINBIND_WARN_PWD_EXPIRE);
1862	/* no or broken setting */
1863	if (ret <= 0) {
1864	return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
1865	}
1866	return ret;
1867	}
1868
1869	/**
1870	* Retrieve the winbind separator.
1871	*
1872	* @param pamh PAM handle
1873	* @param ctrl PAM winbind options.
1874	*
1875	* @return string separator character. NULL on failure.
1876	*/
1877
1878	static char winbind_get_separator(struct pwb_context *ctx)
1879	{
1880	struct winbindd_request request;
1881	struct winbindd_response response;
1882
1883	ZERO_STRUCT(request);
1884	ZERO_STRUCT(response);
1885
1886	if (pam_winbind_request_log(ctx, WINBINDD_INFO,
1887	&request, &response, NULL)) {
1888	return '\0';
1889	}
1890
1891	return response.data.info.winbind_separator;
1892	}
1893
1894	/**
1895	* Convert a upn to a name.
1896	*
1897	* @param pamh PAM handle
1898	* @param ctrl PAM winbind options.
1899	* @param upn USer UPN to be trabslated.
1900	*
1901	* @return converted name. NULL pointer on failure. Caller needs to free.
1902	*/
1903
1904	static char* winbind_upn_to_username(struct pwb_context *ctx,
1905	const char *upn)
1906	{
1907	struct winbindd_request req;
1908	struct winbindd_response resp;
1909	int retval;
1910	char *account_name;
1911	int account_name_len;
1912	char sep;
1913	char *p;
1914	char *name;
1915	char *domain;
1916
1917	/* This cannot work when the winbind separator = @ */
1918
1919	sep = winbind_get_separator(ctx);
1920	if (!sep \|\| sep == '@') {
1921	return NULL;
1922	}
1923
1924	name = strdup(upn);
1925	if (!name) {
1926	return NULL;
1927	}
1928	if ((p = strchr(name, '@')) != NULL) {
1929	*p = 0;
1930	domain = p + 1;
1931	}
1932
1933	/* Convert the UPN to a SID */
1934
1935	ZERO_STRUCT(req);
1936	ZERO_STRUCT(resp);
1937
1938	strncpy(req.data.name.dom_name, domain,
1939	sizeof(req.data.name.dom_name) - 1);
1940	strncpy(req.data.name.name, name,
1941	sizeof(req.data.name.name) - 1);
1942	retval = pam_winbind_request_log(ctx, WINBINDD_LOOKUPNAME,
1943	&req, &resp, upn);
1944	if (retval != PAM_SUCCESS) {
1945	return NULL;
1946	}
1947
1948	/* Convert the the SID back to the sAMAccountName */
1949
1950	ZERO_STRUCT(req);
1951	strncpy(req.data.sid, resp.data.sid.sid, sizeof(req.data.sid)-1);
1952	ZERO_STRUCT(resp);
1953	retval = pam_winbind_request_log(ctx, WINBINDD_LOOKUPSID,
1954	&req, &resp, upn);
1955	if (retval != PAM_SUCCESS) {
1956	return NULL;
1957	}
1958
1959	account_name_len = asprintf(&account_name, "%s\\%s",
1960	resp.data.name.dom_name,
1961	resp.data.name.name);
1962	SAFE_FREE(name);
1963
1964	return account_name;
1965	}
1966
1967	PAM_EXTERN
1968	int pam_sm_authenticate(pam_handle_t *pamh, int flags,
1969	int argc, const char **argv)
1970	{
1971	const char *username;
1972	const char *password;
1973	const char *member = NULL;
1974	const char *cctype = NULL;
1975	int warn_pwd_expire;
1976	int retval = PAM_AUTH_ERR;
1977	char *username_ret = NULL;
1978	char *new_authtok_required = NULL;
1979	char *real_username = NULL;
1980	struct pwb_context *ctx = NULL;
1981
1982	retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
1983	if (retval) {
1984	goto out;
1985	}
1986
1987	_PAM_LOG_FUNCTION_ENTER("pam_sm_authenticate", ctx);
1988
1989	/* Get the username */
1990	retval = pam_get_user(pamh, &username, NULL);
1991	if ((retval != PAM_SUCCESS) \|\| (!username)) {
1992	_pam_log_debug(ctx, LOG_DEBUG,
1993	"can not get the username");
1994	retval = PAM_SERVICE_ERR;
1995	goto out;
1996	}
1997
1998
1999	#if defined(AIX)
2000	/* Decode the user name since AIX does not support logn user
2001	names by default. The name is encoded as _#uid. */
2002
2003	if (username[0] == '_') {
2004	uid_t id = atoi(&username[1]);
2005	struct passwd *pw = NULL;
2006
2007	if ((id!=0) && ((pw = getpwuid(id)) != NULL)) {
2008	real_username = strdup(pw->pw_name);
2009	}
2010	}
2011	#endif
2012
2013	if (!real_username) {
2014	/* Just making a copy of the username we got from PAM */
2015	if ((real_username = strdup(username)) == NULL) {
2016	_pam_log_debug(ctx, LOG_DEBUG,
2017	"memory allocation failure when copying "
2018	"username");
2019	retval = PAM_SERVICE_ERR;
2020	goto out;
2021	}
2022	}
2023
2024	/* Maybe this was a UPN */
2025
2026	if (strchr(real_username, '@') != NULL) {
2027	char *samaccountname = NULL;
2028
2029	samaccountname = winbind_upn_to_username(ctx,
2030	real_username);
2031	if (samaccountname) {
2032	free(real_username);
2033	real_username = samaccountname;
2034	}
2035	}
2036
2037	retval = _winbind_read_password(ctx, ctx->ctrl, NULL,
2038	"Password: ", NULL,
2039	&password);
2040
2041	if (retval != PAM_SUCCESS) {
2042	_pam_log(ctx, LOG_ERR,
2043	"Could not retrieve user's password");
2044	retval = PAM_AUTHTOK_ERR;
2045	goto out;
2046	}
2047
2048	/* Let's not give too much away in the log file */
2049
2050	#ifdef DEBUG_PASSWORD
2051	_pam_log_debug(ctx, LOG_INFO,
2052	"Verify user '%s' with password '%s'",
2053	real_username, password);
2054	#else
2055	_pam_log_debug(ctx, LOG_INFO,
2056	"Verify user '%s'", real_username);
2057	#endif
2058
2059	member = get_member_from_config(ctx);
2060	cctype = get_krb5_cc_type_from_config(ctx);
2061	warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
2062
2063	/* Now use the username to look up password */
2064	retval = winbind_auth_request(ctx, real_username, password,
2065	member, cctype, warn_pwd_expire, NULL,
2066	NULL, &username_ret);
2067
2068	if (retval == PAM_NEW_AUTHTOK_REQD \|\|
2069	retval == PAM_AUTHTOK_EXPIRED) {
2070
2071	char *new_authtok_required_during_auth = NULL;
2072
2073	if (!asprintf(&new_authtok_required, "%d", retval)) {
2074	retval = PAM_BUF_ERR;
2075	goto out;
2076	}
2077
2078	pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
2079	new_authtok_required,
2080	_pam_winbind_cleanup_func);
2081
2082	retval = PAM_SUCCESS;
2083
2084	if (!asprintf(&new_authtok_required_during_auth, "%d", true)) {
2085	retval = PAM_BUF_ERR;
2086	goto out;
2087	}
2088
2089	pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2090	new_authtok_required_during_auth,
2091	_pam_winbind_cleanup_func);
2092
2093	goto out;
2094	}
2095
2096	out:
2097	if (username_ret) {
2098	pam_set_item (pamh, PAM_USER, username_ret);
2099	_pam_log_debug(ctx, LOG_INFO,
2100	"Returned user was '%s'", username_ret);
2101	free(username_ret);
2102	}
2103
2104	if (real_username) {
2105	free(real_username);
2106	}
2107
2108	if (!new_authtok_required) {
2109	pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, NULL, NULL);
2110	}
2111
2112	if (retval != PAM_SUCCESS) {
2113	_pam_free_data_info3(pamh);
2114	}
2115
2116	_PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
2117
2118	_pam_winbind_free_context(ctx);
2119
2120	return retval;
2121	}
2122
2123	PAM_EXTERN
2124	int pam_sm_setcred(pam_handle_t *pamh, int flags,
2125	int argc, const char **argv)
2126	{
2127	int ret = PAM_SYSTEM_ERR;
2128	struct pwb_context *ctx = NULL;
2129
2130	ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2131	if (ret) {
2132	goto out;
2133	}
2134
2135	_PAM_LOG_FUNCTION_ENTER("pam_sm_setcred", ctx);
2136
2137	switch (flags & ~PAM_SILENT) {
2138
2139	case PAM_DELETE_CRED:
2140	ret = pam_sm_close_session(pamh, flags, argc, argv);
2141	break;
2142	case PAM_REFRESH_CRED:
2143	_pam_log_debug(ctx, LOG_WARNING,
2144	"PAM_REFRESH_CRED not implemented");
2145	ret = PAM_SUCCESS;
2146	break;
2147	case PAM_REINITIALIZE_CRED:
2148	_pam_log_debug(ctx, LOG_WARNING,
2149	"PAM_REINITIALIZE_CRED not implemented");
2150	ret = PAM_SUCCESS;
2151	break;
2152	case PAM_ESTABLISH_CRED:
2153	_pam_log_debug(ctx, LOG_WARNING,
2154	"PAM_ESTABLISH_CRED not implemented");
2155	ret = PAM_SUCCESS;
2156	break;
2157	default:
2158	ret = PAM_SYSTEM_ERR;
2159	break;
2160	}
2161
2162	out:
2163
2164	_PAM_LOG_FUNCTION_LEAVE("pam_sm_setcred", ctx, ret);
2165
2166	_pam_winbind_free_context(ctx);
2167
2168	return ret;
2169	}
2170
2171	/*
2172	* Account management. We want to verify that the account exists
2173	* before returning PAM_SUCCESS
2174	*/
2175	PAM_EXTERN
2176	int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
2177	int argc, const char **argv)
2178	{
2179	const char *username;
2180	int ret = PAM_USER_UNKNOWN;
2181	void *tmp = NULL;
2182	struct pwb_context *ctx = NULL;
2183
2184	ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2185	if (ret) {
2186	goto out;
2187	}
2188
2189	_PAM_LOG_FUNCTION_ENTER("pam_sm_acct_mgmt", ctx);
2190
2191
2192	/* Get the username */
2193	ret = pam_get_user(pamh, &username, NULL);
2194	if ((ret != PAM_SUCCESS) \|\| (!username)) {
2195	_pam_log_debug(ctx, LOG_DEBUG,
2196	"can not get the username");
2197	ret = PAM_SERVICE_ERR;
2198	goto out;
2199	}
2200
2201	/* Verify the username */
2202	ret = valid_user(ctx, username);
2203	switch (ret) {
2204	case -1:
2205	/* some sort of system error. The log was already printed */
2206	ret = PAM_SERVICE_ERR;
2207	goto out;
2208	case 1:
2209	/* the user does not exist */
2210	_pam_log_debug(ctx, LOG_NOTICE, "user '%s' not found",
2211	username);
2212	if (ctx->ctrl & WINBIND_UNKNOWN_OK_ARG) {
2213	ret = PAM_IGNORE;
2214	goto out;
2215	}
2216	ret = PAM_USER_UNKNOWN;
2217	goto out;
2218	case 0:
2219	pam_get_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
2220	(const void **)&tmp);
2221	if (tmp != NULL) {
2222	ret = atoi((const char *)tmp);
2223	switch (ret) {
2224	case PAM_AUTHTOK_EXPIRED:
2225	/* fall through, since new token is required in this case */
2226	case PAM_NEW_AUTHTOK_REQD:
2227	_pam_log(ctx, LOG_WARNING,
2228	"pam_sm_acct_mgmt success but %s is set",
2229	PAM_WINBIND_NEW_AUTHTOK_REQD);
2230	_pam_log(ctx, LOG_NOTICE,
2231	"user '%s' needs new password",
2232	username);
2233	/* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
2234	ret = PAM_NEW_AUTHTOK_REQD;
2235	goto out;
2236	default:
2237	_pam_log(ctx, LOG_WARNING,
2238	"pam_sm_acct_mgmt success");
2239	_pam_log(ctx, LOG_NOTICE,
2240	"user '%s' granted access", username);
2241	ret = PAM_SUCCESS;
2242	goto out;
2243	}
2244	}
2245
2246	/* Otherwise, the authentication looked good */
2247	_pam_log(ctx, LOG_NOTICE,
2248	"user '%s' granted access", username);
2249	ret = PAM_SUCCESS;
2250	goto out;
2251	default:
2252	/* we don't know anything about this return value */
2253	_pam_log(ctx, LOG_ERR,
2254	"internal module error (ret = %d, user = '%s')",
2255	ret, username);
2256	ret = PAM_SERVICE_ERR;
2257	goto out;
2258	}
2259
2260	/* should not be reached */
2261	ret = PAM_IGNORE;
2262
2263	out:
2264
2265	_PAM_LOG_FUNCTION_LEAVE("pam_sm_acct_mgmt", ctx, ret);
2266
2267	_pam_winbind_free_context(ctx);
2268
2269	return ret;
2270	}
2271
2272	PAM_EXTERN
2273	int pam_sm_open_session(pam_handle_t *pamh, int flags,
2274	int argc, const char **argv)
2275	{
2276	int ret = PAM_SYSTEM_ERR;
2277	struct pwb_context *ctx = NULL;
2278
2279	ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2280	if (ret) {
2281	goto out;
2282	}
2283
2284	_PAM_LOG_FUNCTION_ENTER("pam_sm_open_session", ctx);
2285
2286	ret = PAM_SUCCESS;
2287
2288	out:
2289	_PAM_LOG_FUNCTION_LEAVE("pam_sm_open_session", ctx, ret);
2290
2291	_pam_winbind_free_context(ctx);
2292
2293	return ret;
2294	}
2295
2296	PAM_EXTERN
2297	int pam_sm_close_session(pam_handle_t *pamh, int flags,
2298	int argc, const char **argv)
2299	{
2300	int retval = PAM_SUCCESS;
2301	struct pwb_context *ctx = NULL;
2302
2303	retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2304	if (retval) {
2305	goto out;
2306	}
2307
2308	_PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
2309
2310	if (!(flags & PAM_DELETE_CRED)) {
2311	retval = PAM_SUCCESS;
2312	goto out;
2313	}
2314
2315	if (ctx->ctrl & WINBIND_KRB5_AUTH) {
2316
2317	/* destroy the ccache here */
2318	struct winbindd_request request;
2319	struct winbindd_response response;
2320	const char *user;
2321	const char *ccname = NULL;
2322	struct passwd *pwd = NULL;
2323
2324	ZERO_STRUCT(request);
2325	ZERO_STRUCT(response);
2326
2327	retval = pam_get_user(pamh, &user, "Username: ");
2328	if (retval) {
2329	_pam_log(ctx, LOG_ERR,
2330	"could not identify user");
2331	goto out;
2332	}
2333
2334	if (user == NULL) {
2335	_pam_log(ctx, LOG_ERR,
2336	"username was NULL!");
2337	retval = PAM_USER_UNKNOWN;
2338	goto out;
2339	}
2340
2341	_pam_log_debug(ctx, LOG_DEBUG,
2342	"username [%s] obtained", user);
2343
2344	ccname = pam_getenv(pamh, "KRB5CCNAME");
2345	if (ccname == NULL) {
2346	_pam_log_debug(ctx, LOG_DEBUG,
2347	"user has no KRB5CCNAME environment");
2348	}
2349
2350	strncpy(request.data.logoff.user, user,
2351	sizeof(request.data.logoff.user) - 1);
2352
2353	if (ccname) {
2354	strncpy(request.data.logoff.krb5ccname, ccname,
2355	sizeof(request.data.logoff.krb5ccname) - 1);
2356	}
2357
2358	pwd = getpwnam(user);
2359	if (pwd == NULL) {
2360	retval = PAM_USER_UNKNOWN;
2361	goto out;
2362	}
2363	request.data.logoff.uid = pwd->pw_uid;
2364
2365	request.flags = WBFLAG_PAM_KRB5 \|
2366	WBFLAG_PAM_CONTACT_TRUSTDOM;
2367
2368	retval = pam_winbind_request_log(ctx,
2369	WINBINDD_PAM_LOGOFF,
2370	&request, &response, user);
2371	}
2372
2373	out:
2374	/*
2375	* Delete the krb5 ccname variable from the PAM environment
2376	* if it was set by winbind.
2377	*/
2378	if ((ctx->ctrl & WINBIND_KRB5_AUTH) && pam_getenv(pamh, "KRB5CCNAME")) {
2379	pam_putenv(pamh, "KRB5CCNAME");
2380	}
2381
2382	_PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
2383
2384	_pam_winbind_free_context(ctx);
2385
2386	return retval;
2387	}
2388
2389	/**
2390	* evaluate whether we need to re-authenticate with kerberos after a
2391	* password change
2392	*
2393	* @param pamh PAM handle
2394	* @param ctrl PAM winbind options.
2395	* @param user The username
2396	*
2397	* @return boolean Returns true if required, false if not.
2398	*/
2399
2400	static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx,
2401	const char *user)
2402	{
2403
2404	/* Make sure that we only do this if a) the chauthtok got initiated
2405	* during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any
2406	* later password change via the "passwd" command if done by the user
2407	* itself
2408	* NB. If we login from gdm or xdm and the password expires,
2409	* we change the password, but there is no memory cache.
2410	* Thus, even for passthrough login, we should do the
2411	* authentication again to update memory cache.
2412	* --- BoYang
2413	* */
2414
2415	char *new_authtok_reqd_during_auth = NULL;
2416	struct passwd *pwd = NULL;
2417
2418	_pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2419	&new_authtok_reqd_during_auth);
2420	pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2421	NULL, NULL);
2422
2423	if (new_authtok_reqd_during_auth) {
2424	return true;
2425	}
2426
2427	pwd = getpwnam(user);
2428	if (!pwd) {
2429	return false;
2430	}
2431
2432	if (getuid() == pwd->pw_uid) {
2433	return true;
2434	}
2435
2436	return false;
2437	}
2438
2439
2440	PAM_EXTERN
2441	int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
2442	int argc, const char **argv)
2443	{
2444	unsigned int lctrl;
2445	int ret;
2446	bool cached_login = false;
2447
2448	/* <DO NOT free() THESE> */
2449	const char *user;
2450	char pass_old, pass_new;
2451	/* </DO NOT free() THESE> */
2452
2453	char *Announce;
2454
2455	int retry = 0;
2456	char *username_ret = NULL;
2457	struct winbindd_response response;
2458	struct pwb_context *ctx = NULL;
2459
2460	ZERO_STRUCT(response);
2461
2462	ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2463	if (ret) {
2464	goto out;
2465	}
2466
2467	_PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", ctx);
2468
2469	cached_login = (ctx->ctrl & WINBIND_CACHED_LOGIN);
2470
2471	/* clearing offline bit for auth */
2472	ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
2473
2474	/*
2475	* First get the name of a user
2476	*/
2477	ret = pam_get_user(pamh, &user, "Username: ");
2478	if (ret) {
2479	_pam_log(ctx, LOG_ERR,
2480	"password - could not identify user");
2481	goto out;
2482	}
2483
2484	if (user == NULL) {
2485	_pam_log(ctx, LOG_ERR, "username was NULL!");
2486	ret = PAM_USER_UNKNOWN;
2487	goto out;
2488	}
2489
2490	_pam_log_debug(ctx, LOG_DEBUG, "username [%s] obtained", user);
2491
2492	/* check if this is really a user in winbindd, not only in NSS */
2493	ret = valid_user(ctx, user);
2494	switch (ret) {
2495	case 1:
2496	ret = PAM_USER_UNKNOWN;
2497	goto out;
2498	case -1:
2499	ret = PAM_SYSTEM_ERR;
2500	goto out;
2501	default:
2502	break;
2503	}
2504
2505	/*
2506	* obtain and verify the current password (OLDAUTHTOK) for
2507	* the user.
2508	*/
2509
2510	if (flags & PAM_PRELIM_CHECK) {
2511	time_t pwdlastset_prelim = 0;
2512
2513	/* instruct user what is happening */
2514	#define greeting "Changing password for "
2515	Announce = (char *) malloc(sizeof(greeting) + strlen(user));
2516	if (Announce == NULL) {
2517	_pam_log(ctx, LOG_CRIT,
2518	"password - out of memory");
2519	ret = PAM_BUF_ERR;
2520	goto out;
2521	}
2522	(void) strcpy(Announce, greeting);
2523	(void) strcpy(Announce + sizeof(greeting) - 1, user);
2524	#undef greeting
2525
2526	lctrl = ctx->ctrl \| WINBIND__OLD_PASSWORD;
2527	ret = _winbind_read_password(ctx, lctrl,
2528	Announce,
2529	"(current) NT password: ",
2530	NULL,
2531	(const char **) &pass_old);
2532	if (ret != PAM_SUCCESS) {
2533	_pam_log(ctx, LOG_NOTICE,
2534	"password - (old) token not obtained");
2535	goto out;
2536	}
2537
2538	/* verify that this is the password for this user */
2539
2540	ret = winbind_auth_request(ctx, user, pass_old,
2541	NULL, NULL, 0, &response,
2542	&pwdlastset_prelim, NULL);
2543
2544	if (ret != PAM_ACCT_EXPIRED &&
2545	ret != PAM_AUTHTOK_EXPIRED &&
2546	ret != PAM_NEW_AUTHTOK_REQD &&
2547	ret != PAM_SUCCESS) {
2548	pass_old = NULL;
2549	goto out;
2550	}
2551
2552	pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET,
2553	(void *)pwdlastset_prelim, NULL);
2554
2555	ret = pam_set_item(pamh, PAM_OLDAUTHTOK,
2556	(const void *) pass_old);
2557	pass_old = NULL;
2558	if (ret != PAM_SUCCESS) {
2559	_pam_log(ctx, LOG_CRIT,
2560	"failed to set PAM_OLDAUTHTOK");
2561	}
2562	} else if (flags & PAM_UPDATE_AUTHTOK) {
2563
2564	time_t pwdlastset_update = 0;
2565
2566	/*
2567	* obtain the proposed password
2568	*/
2569
2570	/*
2571	* get the old token back.
2572	*/
2573
2574	ret = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old);
2575
2576	if (ret != PAM_SUCCESS) {
2577	_pam_log(ctx, LOG_NOTICE,
2578	"user not authenticated");
2579	goto out;
2580	}
2581
2582	lctrl = ctx->ctrl & ~WINBIND_TRY_FIRST_PASS_ARG;
2583
2584	if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
2585	lctrl \|= WINBIND_USE_FIRST_PASS_ARG;
2586	}
2587	retry = 0;
2588	ret = PAM_AUTHTOK_ERR;
2589	while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
2590	/*
2591	* use_authtok is to force the use of a previously entered
2592	* password -- needed for pluggable password strength checking
2593	*/
2594
2595	ret = _winbind_read_password(ctx, lctrl,
2596	NULL,
2597	"Enter new NT password: ",
2598	"Retype new NT password: ",
2599	(const char **)&pass_new);
2600
2601	if (ret != PAM_SUCCESS) {
2602	_pam_log_debug(ctx, LOG_ALERT,
2603	"password - "
2604	"new password not obtained");
2605	pass_old = NULL;/* tidy up */
2606	goto out;
2607	}
2608
2609	/*
2610	* At this point we know who the user is and what they
2611	* propose as their new password. Verify that the new
2612	* password is acceptable.
2613	*/
2614
2615	if (pass_new[0] == '\0') {/* "\0" password = NULL */
2616	pass_new = NULL;
2617	}
2618	}
2619
2620	/*
2621	* By reaching here we have approved the passwords and must now
2622	* rebuild the password database file.
2623	*/
2624	_pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
2625	&pwdlastset_update);
2626
2627	/*
2628	* if cached creds were enabled, make sure to set the
2629	* WINBIND_CACHED_LOGIN bit here in order to have winbindd
2630	* update the cached creds storage - gd
2631	*/
2632	if (cached_login) {
2633	ctx->ctrl \|= WINBIND_CACHED_LOGIN;
2634	}
2635
2636	ret = winbind_chauthtok_request(ctx, user, pass_old,
2637	pass_new, pwdlastset_update);
2638	if (ret) {
2639	_pam_overwrite(pass_new);
2640	_pam_overwrite(pass_old);
2641	pass_old = pass_new = NULL;
2642	goto out;
2643	}
2644
2645	if (_pam_require_krb5_auth_after_chauthtok(ctx, user)) {
2646
2647	const char *member = NULL;
2648	const char *cctype = NULL;
2649	int warn_pwd_expire;
2650
2651	member = get_member_from_config(ctx);
2652	cctype = get_krb5_cc_type_from_config(ctx);
2653	warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
2654
2655	/* Keep WINBIND_CACHED_LOGIN bit for
2656	* authentication after changing the password.
2657	* This will update the cached credentials in case
2658	* that winbindd_dual_pam_chauthtok() fails
2659	* to update them.
2660	* --- BoYang
2661	* */
2662
2663	ret = winbind_auth_request(ctx, user, pass_new,
2664	member, cctype, 0, &response,
2665	NULL, &username_ret);
2666	_pam_overwrite(pass_new);
2667	_pam_overwrite(pass_old);
2668	pass_old = pass_new = NULL;
2669
2670	if (ret == PAM_SUCCESS) {
2671
2672	/* warn a user if the password is about to
2673	* expire soon */
2674	_pam_warn_password_expiry(ctx, &response,
2675	warn_pwd_expire,
2676	NULL);
2677
2678	/* set some info3 info for other modules in the
2679	* stack */
2680	_pam_set_data_info3(ctx, &response);
2681
2682	/* put krb5ccname into env */
2683	_pam_setup_krb5_env(ctx,
2684	response.data.auth.krb5ccname);
2685
2686	if (username_ret) {
2687	pam_set_item(pamh, PAM_USER,
2688	username_ret);
2689	_pam_log_debug(ctx, LOG_INFO,
2690	"Returned user was '%s'",
2691	username_ret);
2692	free(username_ret);
2693	}
2694	}
2695
2696	goto out;
2697	}
2698	} else {
2699	ret = PAM_SERVICE_ERR;
2700	}
2701
2702	out:
2703
2704	/* Deal with offline errors. */
2705	PAM_WB_REMARK_CHECK_RESPONSE(ctx, response,
2706	"NT_STATUS_NO_LOGON_SERVERS");
2707	PAM_WB_REMARK_CHECK_RESPONSE(ctx, response,
2708	"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
2709	PAM_WB_REMARK_CHECK_RESPONSE(ctx, response,
2710	"NT_STATUS_ACCESS_DENIED");
2711
2712	_PAM_LOG_FUNCTION_LEAVE("pam_sm_chauthtok", ctx, ret);
2713
2714	_pam_winbind_free_context(ctx);
2715
2716	return ret;
2717	}
2718
2719	#ifdef PAM_STATIC
2720
2721	/* static module data */
2722
2723	struct pam_module _pam_winbind_modstruct = {
2724	MODULE_NAME,
2725	pam_sm_authenticate,
2726	pam_sm_setcred,
2727	pam_sm_acct_mgmt,
2728	pam_sm_open_session,
2729	pam_sm_close_session,
2730	pam_sm_chauthtok
2731	};
2732
2733	#endif
2734
2735	/*
2736	* Copyright (c) Andrew Tridgell <tridge@samba.org> 2000
2737	* Copyright (c) Tim Potter <tpot@samba.org> 2000
2738	* Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
2739	* Copyright (c) Guenther Deschner <gd@samba.org> 2005-2008
2740	* Copyright (c) Jan RÃªkorajski 1999.
2741	* Copyright (c) Andrew G. Morgan 1996-8.
2742	* Copyright (c) Alex O. Yuriev, 1996.
2743	* Copyright (c) Cristian Gafton 1996.
2744	* Copyright (C) Elliot Lee <sopwith@redhat.com> 1996, Red Hat Software.
2745	*
2746	* Redistribution and use in source and binary forms, with or without
2747	* modification, are permitted provided that the following conditions
2748	* are met:
2749	* 1. Redistributions of source code must retain the above copyright
2750	* notice, and the entire permission notice in its entirety,
2751	* including the disclaimer of warranties.
2752	* 2. Redistributions in binary form must reproduce the above copyright
2753	* notice, this list of conditions and the following disclaimer in the
2754	* documentation and/or other materials provided with the distribution.
2755	* 3. The name of the author may not be used to endorse or promote
2756	* products derived from this software without specific prior
2757	* written permission.
2758	*
2759	* ALTERNATIVELY, this product may be distributed under the terms of
2760	* the GNU Public License, in which case the provisions of the GPL are
2761	* required INSTEAD OF the above restrictions. (This clause is
2762	* necessary due to a potential bad interaction between the GPL and
2763	* the restrictions contained in a BSD-style copyright.)
2764	*
2765	* THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
2766	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
2767	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
2768	* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
2769	* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
2770	* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
2771	* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2772	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2773	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2774	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
2775	* OF THE POSSIBILITY OF SUCH DAMAGE.
2776	*/

Note: See TracBrowser for help on using the repository browser.

Download in other formats: