Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.3.x/source/auth/pampass.c@ 461

Visit:

Last change on this file since 461 was 206, checked in by Herwig Bauernfeind, 16 years ago
Import Samba 3.3 branch at 3.0.0 level (psmedley's port)
File size: 24.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	PAM Password checking
4	Copyright (C) Andrew Tridgell 1992-2001
5	Copyright (C) John H Terpsta 1999-2001
6	Copyright (C) Andrew Bartlett 2001
7	Copyright (C) Jeremy Allison 2001
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	/*
24	* This module provides PAM based functions for validation of
25	* username/password pairs, account managment, session and access control.
26	* Note: SMB password checking is done in smbpass.c
27	*/
28
29	#include "includes.h"
30
31	#undef DBGC_CLASS
32	#define DBGC_CLASS DBGC_AUTH
33
34	#ifdef WITH_PAM
35
36	/*******************************************************************
37	* Handle PAM authentication
38	* - Access, Authentication, Session, Password
39	* Note: See PAM Documentation and refer to local system PAM implementation
40	* which determines what actions/limitations/allowances become affected.
41	*********************************************************************/
42
43	#if defined(HAVE_SECURITY_PAM_APPL_H)
44	#include <security/pam_appl.h>
45	#elif defined(HAVE_PAM_PAM_APPL_H)
46	#include <pam/pam_appl.h>
47	#endif
48
49	/*
50	* Structure used to communicate between the conversation function
51	* and the server_login/change password functions.
52	*/
53
54	struct smb_pam_userdata {
55	const char *PAM_username;
56	const char *PAM_password;
57	const char *PAM_newpassword;
58	};
59
60	typedef int (smb_pam_conv_fn)(int, const struct pam_message , struct pam_response , void appdata_ptr);
61
62	/*
63	* Macros to help make life easy
64	*/
65	#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
66	#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
67
68	/*******************************************************************
69	PAM error handler.
70	*********************************************************************/
71
72	static bool smb_pam_error_handler(pam_handle_t pamh, int pam_error, const char msg, int dbglvl)
73	{
74
75	if( pam_error != PAM_SUCCESS) {
76	DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
77	msg, pam_strerror(pamh, pam_error)));
78
79	return False;
80	}
81	return True;
82	}
83
84	/*******************************************************************
85	This function is a sanity check, to make sure that we NEVER report
86	failure as sucess.
87	*********************************************************************/
88
89	static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
90	const char *msg, int dbglvl,
91	NTSTATUS *nt_status)
92	{
93	*nt_status = pam_to_nt_status(pam_error);
94
95	if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
96	return True;
97
98	if (NT_STATUS_IS_OK(*nt_status)) {
99	/* Complain LOUDLY */
100	DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
101	error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
102	*nt_status = NT_STATUS_LOGON_FAILURE;
103	}
104	return False;
105	}
106
107	/*
108	* PAM conversation function
109	* Here we assume (for now, at least) that echo on means login name, and
110	* echo off means password.
111	*/
112
113	static int smb_pam_conv(int num_msg,
114	const struct pam_message **msg,
115	struct pam_response **resp,
116	void *appdata_ptr)
117	{
118	int replies = 0;
119	struct pam_response *reply = NULL;
120	struct smb_pam_userdata udp = (struct smb_pam_userdata )appdata_ptr;
121
122	*resp = NULL;
123
124	if (num_msg <= 0)
125	return PAM_CONV_ERR;
126
127	/*
128	* Apparantly HPUX has a buggy PAM that doesn't support the
129	* appdata_ptr. Fail if this is the case. JRA.
130	*/
131
132	if (udp == NULL) {
133	DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
134	return PAM_CONV_ERR;
135	}
136
137	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
138	if (!reply)
139	return PAM_CONV_ERR;
140
141	memset(reply, '\0', sizeof(struct pam_response) * num_msg);
142
143	for (replies = 0; replies < num_msg; replies++) {
144	switch (msg[replies]->msg_style) {
145	case PAM_PROMPT_ECHO_ON:
146	reply[replies].resp_retcode = PAM_SUCCESS;
147	reply[replies].resp = COPY_STRING(udp->PAM_username);
148	/* PAM frees resp */
149	break;
150
151	case PAM_PROMPT_ECHO_OFF:
152	reply[replies].resp_retcode = PAM_SUCCESS;
153	reply[replies].resp = COPY_STRING(udp->PAM_password);
154	/* PAM frees resp */
155	break;
156
157	case PAM_TEXT_INFO:
158	/* fall through */
159
160	case PAM_ERROR_MSG:
161	/* ignore it... */
162	reply[replies].resp_retcode = PAM_SUCCESS;
163	reply[replies].resp = NULL;
164	break;
165
166	default:
167	/* Must be an error of some sort... */
168	SAFE_FREE(reply);
169	return PAM_CONV_ERR;
170	}
171	}
172	if (reply)
173	*resp = reply;
174	return PAM_SUCCESS;
175	}
176
177	/*
178	* PAM password change conversation function
179	* Here we assume (for now, at least) that echo on means login name, and
180	* echo off means password.
181	*/
182
183	static void special_char_sub(char *buf)
184	{
185	all_string_sub(buf, "\\n", "", 0);
186	all_string_sub(buf, "\\r", "", 0);
187	all_string_sub(buf, "\\s", " ", 0);
188	all_string_sub(buf, "\\t", "\t", 0);
189	}
190
191	static void pwd_sub(char buf, const char username, const char oldpass, const char newpass)
192	{
193	fstring_sub(buf, "%u", username);
194	all_string_sub(buf, "%o", oldpass, sizeof(fstring));
195	all_string_sub(buf, "%n", newpass, sizeof(fstring));
196	}
197
198
199	struct chat_struct {
200	struct chat_struct next, prev;
201	fstring prompt;
202	fstring reply;
203	};
204
205	/**************************************************************
206	Create a linked list containing chat data.
207	***************************************************************/
208
209	static struct chat_struct make_pw_chat(const char p)
210	{
211	char *prompt;
212	char *reply;
213	struct chat_struct *list = NULL;
214	struct chat_struct *t;
215	TALLOC_CTX *frame = talloc_stackframe();
216
217	while (1) {
218	t = SMB_MALLOC_P(struct chat_struct);
219	if (!t) {
220	DEBUG(0,("make_pw_chat: malloc failed!\n"));
221	TALLOC_FREE(frame);
222	return NULL;
223	}
224
225	ZERO_STRUCTP(t);
226
227	DLIST_ADD_END(list, t, struct chat_struct*);
228
229	if (!next_token_talloc(frame, &p, &prompt, NULL)) {
230	break;
231	}
232
233	if (strequal(prompt,".")) {
234	fstrcpy(prompt,"*");
235	}
236
237	special_char_sub(prompt);
238	fstrcpy(t->prompt, prompt);
239	strlower_m(t->prompt);
240	trim_char(t->prompt, ' ', ' ');
241
242	if (!next_token_talloc(frame, &p, &reply, NULL)) {
243	break;
244	}
245
246	if (strequal(reply,".")) {
247	fstrcpy(reply,"");
248	}
249
250	special_char_sub(reply);
251	fstrcpy(t->reply, reply);
252	strlower_m(t->reply);
253	trim_char(t->reply, ' ', ' ');
254
255	}
256	TALLOC_FREE(frame);
257	return list;
258	}
259
260	static void free_pw_chat(struct chat_struct *list)
261	{
262	while (list) {
263	struct chat_struct *old_head = list;
264	DLIST_REMOVE(list, list);
265	SAFE_FREE(old_head);
266	}
267	}
268
269	static int smb_pam_passchange_conv(int num_msg,
270	const struct pam_message **msg,
271	struct pam_response **resp,
272	void *appdata_ptr)
273	{
274	int replies = 0;
275	struct pam_response *reply = NULL;
276	fstring current_prompt;
277	fstring current_reply;
278	struct smb_pam_userdata udp = (struct smb_pam_userdata )appdata_ptr;
279	struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat());
280	struct chat_struct *t;
281	bool found;
282	*resp = NULL;
283
284	DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
285
286	if (num_msg <= 0)
287	return PAM_CONV_ERR;
288
289	if (pw_chat == NULL)
290	return PAM_CONV_ERR;
291
292	/*
293	* Apparantly HPUX has a buggy PAM that doesn't support the
294	* appdata_ptr. Fail if this is the case. JRA.
295	*/
296
297	if (udp == NULL) {
298	DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
299	free_pw_chat(pw_chat);
300	return PAM_CONV_ERR;
301	}
302
303	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
304	if (!reply) {
305	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
306	free_pw_chat(pw_chat);
307	return PAM_CONV_ERR;
308	}
309
310	for (replies = 0; replies < num_msg; replies++) {
311	found = False;
312	DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
313	switch (msg[replies]->msg_style) {
314	case PAM_PROMPT_ECHO_ON:
315	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
316	fstrcpy(current_prompt, msg[replies]->msg);
317	trim_char(current_prompt, ' ', ' ');
318	for (t=pw_chat; t; t=t->next) {
319
320	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match \|%s\| to \|%s\|\n",
321	t->prompt, current_prompt ));
322
323	if (unix_wild_match(t->prompt, current_prompt)) {
324	fstrcpy(current_reply, t->reply);
325	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
326	pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
327	#ifdef DEBUG_PASSWORD
328	DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
329	#endif
330	reply[replies].resp_retcode = PAM_SUCCESS;
331	reply[replies].resp = COPY_FSTRING(current_reply);
332	found = True;
333	break;
334	}
335	}
336	/* PAM frees resp */
337	if (!found) {
338	DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
339	free_pw_chat(pw_chat);
340	SAFE_FREE(reply);
341	return PAM_CONV_ERR;
342	}
343	break;
344
345	case PAM_PROMPT_ECHO_OFF:
346	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
347	fstrcpy(current_prompt, msg[replies]->msg);
348	trim_char(current_prompt, ' ', ' ');
349	for (t=pw_chat; t; t=t->next) {
350
351	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match \|%s\| to \|%s\|\n",
352	t->prompt, current_prompt ));
353
354	if (unix_wild_match(t->prompt, current_prompt)) {
355	fstrcpy(current_reply, t->reply);
356	DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
357	pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
358	reply[replies].resp_retcode = PAM_SUCCESS;
359	reply[replies].resp = COPY_FSTRING(current_reply);
360	#ifdef DEBUG_PASSWORD
361	DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
362	#endif
363	found = True;
364	break;
365	}
366	}
367	/* PAM frees resp */
368
369	if (!found) {
370	DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
371	free_pw_chat(pw_chat);
372	SAFE_FREE(reply);
373	return PAM_CONV_ERR;
374	}
375	break;
376
377	case PAM_TEXT_INFO:
378	/* fall through */
379
380	case PAM_ERROR_MSG:
381	/* ignore it... */
382	reply[replies].resp_retcode = PAM_SUCCESS;
383	reply[replies].resp = NULL;
384	break;
385
386	default:
387	/* Must be an error of some sort... */
388	free_pw_chat(pw_chat);
389	SAFE_FREE(reply);
390	return PAM_CONV_ERR;
391	}
392	}
393
394	free_pw_chat(pw_chat);
395	if (reply)
396	*resp = reply;
397	return PAM_SUCCESS;
398	}
399
400	/***************************************************************************
401	Free up a malloced pam_conv struct.
402	****************************************************************************/
403
404	static void smb_free_pam_conv(struct pam_conv *pconv)
405	{
406	if (pconv)
407	SAFE_FREE(pconv->appdata_ptr);
408
409	SAFE_FREE(pconv);
410	}
411
412	/***************************************************************************
413	Allocate a pam_conv struct.
414	****************************************************************************/
415
416	static struct pam_conv smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char user,
417	const char passwd, const char newpass)
418	{
419	struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
420	struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
421
422	if (pconv == NULL \|\| udp == NULL) {
423	SAFE_FREE(pconv);
424	SAFE_FREE(udp);
425	return NULL;
426	}
427
428	udp->PAM_username = user;
429	udp->PAM_password = passwd;
430	udp->PAM_newpassword = newpass;
431
432	pconv->conv = smb_pam_conv_fnptr;
433	pconv->appdata_ptr = (void *)udp;
434	return pconv;
435	}
436
437	/*
438	* PAM Closing out cleanup handler
439	*/
440
441	static bool smb_pam_end(pam_handle_t pamh, struct pam_conv smb_pam_conv_ptr)
442	{
443	int pam_error;
444
445	smb_free_pam_conv(smb_pam_conv_ptr);
446
447	if( pamh != NULL ) {
448	pam_error = pam_end(pamh, 0);
449	if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
450	DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
451	return True;
452	}
453	}
454	DEBUG(2,("smb_pam_end: PAM: not initialised"));
455	return False;
456	}
457
458	/*
459	* Start PAM authentication for specified account
460	*/
461
462	static bool smb_pam_start(pam_handle_t *pamh, const char user, const char rhost, struct pam_conv pconv)
463	{
464	int pam_error;
465	#ifdef PAM_RHOST
466	const char *our_rhost;
467	#endif
468	char addr[INET6_ADDRSTRLEN];
469
470	pamh = (pam_handle_t )NULL;
471
472	DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
473
474	pam_error = pam_start("samba", user, pconv, pamh);
475	if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
476	pamh = (pam_handle_t )NULL;
477	return False;
478	}
479
480	#ifdef PAM_RHOST
481	if (rhost == NULL) {
482	our_rhost = client_name(get_client_fd());
483	if (strequal(our_rhost,"UNKNOWN"))
484	our_rhost = client_addr(get_client_fd(),addr,sizeof(addr));
485	} else {
486	our_rhost = rhost;
487	}
488
489	DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
490	pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
491	if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
492	smb_pam_end(*pamh, pconv);
493	pamh = (pam_handle_t )NULL;
494	return False;
495	}
496	#endif
497	#ifdef PAM_TTY
498	DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
499	pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
500	if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
501	smb_pam_end(*pamh, pconv);
502	pamh = (pam_handle_t )NULL;
503	return False;
504	}
505	#endif
506	DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
507	return True;
508	}
509
510	/*
511	* PAM Authentication Handler
512	*/
513	static NTSTATUS smb_pam_auth(pam_handle_t pamh, const char user)
514	{
515	int pam_error;
516	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
517
518	/*
519	* To enable debugging set in /etc/pam.d/samba:
520	* auth required /lib/security/pam_pwdb.so nullok shadow audit
521	*/
522
523	DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
524	pam_error = pam_authenticate(pamh, PAM_SILENT \| lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
525	switch( pam_error ){
526	case PAM_AUTH_ERR:
527	DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
528	break;
529	case PAM_CRED_INSUFFICIENT:
530	DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
531	break;
532	case PAM_AUTHINFO_UNAVAIL:
533	DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
534	break;
535	case PAM_USER_UNKNOWN:
536	DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
537	break;
538	case PAM_MAXTRIES:
539	DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
540	break;
541	case PAM_ABORT:
542	DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
543	break;
544	case PAM_SUCCESS:
545	DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
546	break;
547	default:
548	DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
549	break;
550	}
551
552	smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
553	return nt_status;
554	}
555
556	/*
557	* PAM Account Handler
558	*/
559	static NTSTATUS smb_pam_account(pam_handle_t pamh, const char user)
560	{
561	int pam_error;
562	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
563
564	DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
565	pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
566	switch( pam_error ) {
567	case PAM_AUTHTOK_EXPIRED:
568	DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
569	break;
570	case PAM_ACCT_EXPIRED:
571	DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
572	break;
573	case PAM_AUTH_ERR:
574	DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
575	break;
576	case PAM_PERM_DENIED:
577	DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
578	break;
579	case PAM_USER_UNKNOWN:
580	DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
581	break;
582	case PAM_SUCCESS:
583	DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
584	break;
585	default:
586	DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
587	break;
588	}
589
590	smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
591	return nt_status;
592	}
593
594	/*
595	* PAM Credential Setting
596	*/
597
598	static NTSTATUS smb_pam_setcred(pam_handle_t pamh, const char user)
599	{
600	int pam_error;
601	NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
602
603	/*
604	* This will allow samba to aquire a kerberos token. And, when
605	* exporting an AFS cell, be able to /write/ to this cell.
606	*/
607
608	DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
609	pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED\|PAM_SILENT));
610	switch( pam_error ) {
611	case PAM_CRED_UNAVAIL:
612	DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
613	break;
614	case PAM_CRED_EXPIRED:
615	DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
616	break;
617	case PAM_USER_UNKNOWN:
618	DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
619	break;
620	case PAM_CRED_ERR:
621	DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
622	break;
623	case PAM_SUCCESS:
624	DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
625	break;
626	default:
627	DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
628	break;
629	}
630
631	smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
632	return nt_status;
633	}
634
635	/*
636	* PAM Internal Session Handler
637	*/
638	static bool smb_internal_pam_session(pam_handle_t pamh, const char user, const char *tty, bool flag)
639	{
640	int pam_error;
641
642	#ifdef PAM_TTY
643	DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
644	pam_error = pam_set_item(pamh, PAM_TTY, tty);
645	if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
646	return False;
647	#endif
648
649	if (flag) {
650	pam_error = pam_open_session(pamh, PAM_SILENT);
651	if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
652	return False;
653	} else {
654	pam_setcred(pamh, (PAM_DELETE_CRED\|PAM_SILENT)); /* We don't care if this fails */
655	pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
656	if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
657	return False;
658	}
659	return (True);
660	}
661
662	/*
663	* Internal PAM Password Changer.
664	*/
665
666	static bool smb_pam_chauthtok(pam_handle_t pamh, const char user)
667	{
668	int pam_error;
669
670	DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
671
672	pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
673
674	switch( pam_error ) {
675	case PAM_AUTHTOK_ERR:
676	DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
677	break;
678
679	/* This doesn't seem to be defined on Solaris. JRA */
680	#ifdef PAM_AUTHTOK_RECOVER_ERR
681	case PAM_AUTHTOK_RECOVER_ERR:
682	DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
683	break;
684	#endif
685
686	case PAM_AUTHTOK_LOCK_BUSY:
687	DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
688	break;
689	case PAM_AUTHTOK_DISABLE_AGING:
690	DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
691	break;
692	case PAM_PERM_DENIED:
693	DEBUG(0, ("PAM: Permission denied.\n"));
694	break;
695	case PAM_TRY_AGAIN:
696	DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
697	break;
698	case PAM_USER_UNKNOWN:
699	DEBUG(0, ("PAM: User not known to PAM\n"));
700	break;
701	case PAM_SUCCESS:
702	DEBUG(4, ("PAM: Account OK for User: %s\n", user));
703	break;
704	default:
705	DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
706	}
707
708	if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
709	return False;
710	}
711
712	/* If this point is reached, the password has changed. */
713	return True;
714	}
715
716	/*
717	* PAM Externally accessible Session handler
718	*/
719
720	bool smb_pam_claim_session(char user, char tty, char *rhost)
721	{
722	pam_handle_t *pamh = NULL;
723	struct pam_conv *pconv = NULL;
724
725	/* Ignore PAM if told to. */
726
727	if (!lp_obey_pam_restrictions())
728	return True;
729
730	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
731	return False;
732
733	if (!smb_pam_start(&pamh, user, rhost, pconv))
734	return False;
735
736	if (!smb_internal_pam_session(pamh, user, tty, True)) {
737	smb_pam_end(pamh, pconv);
738	return False;
739	}
740
741	return smb_pam_end(pamh, pconv);
742	}
743
744	/*
745	* PAM Externally accessible Session handler
746	*/
747
748	bool smb_pam_close_session(char user, char tty, char *rhost)
749	{
750	pam_handle_t *pamh = NULL;
751	struct pam_conv *pconv = NULL;
752
753	/* Ignore PAM if told to. */
754
755	if (!lp_obey_pam_restrictions())
756	return True;
757
758	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
759	return False;
760
761	if (!smb_pam_start(&pamh, user, rhost, pconv))
762	return False;
763
764	if (!smb_internal_pam_session(pamh, user, tty, False)) {
765	smb_pam_end(pamh, pconv);
766	return False;
767	}
768
769	return smb_pam_end(pamh, pconv);
770	}
771
772	/*
773	* PAM Externally accessible Account handler
774	*/
775
776	NTSTATUS smb_pam_accountcheck(const char * user)
777	{
778	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
779	pam_handle_t *pamh = NULL;
780	struct pam_conv *pconv = NULL;
781
782	/* Ignore PAM if told to. */
783
784	if (!lp_obey_pam_restrictions())
785	return NT_STATUS_OK;
786
787	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
788	return NT_STATUS_NO_MEMORY;
789
790	if (!smb_pam_start(&pamh, user, NULL, pconv))
791	return NT_STATUS_ACCOUNT_DISABLED;
792
793	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
794	DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
795
796	smb_pam_end(pamh, pconv);
797	return nt_status;
798	}
799
800	/*
801	* PAM Password Validation Suite
802	*/
803
804	NTSTATUS smb_pam_passcheck(const char * user, const char * password)
805	{
806	pam_handle_t *pamh = NULL;
807	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
808	struct pam_conv *pconv = NULL;
809
810	/*
811	* Note we can't ignore PAM here as this is the only
812	* way of doing auths on plaintext passwords when
813	* compiled --with-pam.
814	*/
815
816	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
817	return NT_STATUS_LOGON_FAILURE;
818
819	if (!smb_pam_start(&pamh, user, NULL, pconv))
820	return NT_STATUS_LOGON_FAILURE;
821
822	if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
823	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
824	smb_pam_end(pamh, pconv);
825	return nt_status;
826	}
827
828	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
829	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
830	smb_pam_end(pamh, pconv);
831	return nt_status;
832	}
833
834	if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
835	DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
836	smb_pam_end(pamh, pconv);
837	return nt_status;
838	}
839
840	smb_pam_end(pamh, pconv);
841	return nt_status;
842	}
843
844	/*
845	* PAM Password Change Suite
846	*/
847
848	bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword)
849	{
850	/* Appropriate quantities of root should be obtained BEFORE calling this function */
851	struct pam_conv *pconv = NULL;
852	pam_handle_t *pamh = NULL;
853
854	if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
855	return False;
856
857	if(!smb_pam_start(&pamh, user, NULL, pconv))
858	return False;
859
860	if (!smb_pam_chauthtok(pamh, user)) {
861	DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
862	smb_pam_end(pamh, pconv);
863	return False;
864	}
865
866	return smb_pam_end(pamh, pconv);
867	}
868
869	#else
870
871	/* If PAM not used, no PAM restrictions on accounts. */
872	NTSTATUS smb_pam_accountcheck(const char * user)
873	{
874	return NT_STATUS_OK;
875	}
876
877	/* If PAM not used, also no PAM restrictions on sessions. */
878	bool smb_pam_claim_session(char user, char tty, char *rhost)
879	{
880	return True;
881	}
882
883	/* If PAM not used, also no PAM restrictions on sessions. */
884	bool smb_pam_close_session(char in_user, char tty, char *rhost)
885	{
886	return True;
887	}
888	#endif /* WITH_PAM */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: