| 1 | /*
|
|---|
| 2 | Unix SMB/CIFS implementation.
|
|---|
| 3 | Password and authentication handling
|
|---|
| 4 | Copyright (C) Andrew Bartlett 2001
|
|---|
| 5 |
|
|---|
| 6 | This program is free software; you can redistribute it and/or modify
|
|---|
| 7 | it under the terms of the GNU General Public License as published by
|
|---|
| 8 | the Free Software Foundation; either version 2 of the License, or
|
|---|
| 9 | (at your option) any later version.
|
|---|
| 10 |
|
|---|
| 11 | This program is distributed in the hope that it will be useful,
|
|---|
| 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 14 | GNU General Public License for more details.
|
|---|
| 15 |
|
|---|
| 16 | You should have received a copy of the GNU General Public License
|
|---|
| 17 | along with this program; if not, write to the Free Software
|
|---|
| 18 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|---|
| 19 | */
|
|---|
| 20 |
|
|---|
| 21 | #include "includes.h"
|
|---|
| 22 |
|
|---|
| 23 | #undef DBGC_CLASS
|
|---|
| 24 | #define DBGC_CLASS DBGC_AUTH
|
|---|
| 25 |
|
|---|
| 26 | /**
|
|---|
| 27 | * update the encrypted smbpasswd file from the plaintext username and password
|
|---|
| 28 | *
|
|---|
| 29 | * this ugly hack needs to die, but not quite yet, I think people still use it...
|
|---|
| 30 | **/
|
|---|
| 31 | static BOOL update_smbpassword_file(const char *user, const char *password)
|
|---|
| 32 | {
|
|---|
| 33 | struct samu *sampass;
|
|---|
| 34 | BOOL ret;
|
|---|
| 35 |
|
|---|
| 36 | if ( !(sampass = samu_new( NULL )) ) {
|
|---|
| 37 | return False;
|
|---|
| 38 | }
|
|---|
| 39 |
|
|---|
| 40 | become_root();
|
|---|
| 41 | ret = pdb_getsampwnam(sampass, user);
|
|---|
| 42 | unbecome_root();
|
|---|
| 43 |
|
|---|
| 44 | if(ret == False) {
|
|---|
| 45 | DEBUG(0,("pdb_getsampwnam returned NULL\n"));
|
|---|
| 46 | TALLOC_FREE(sampass);
|
|---|
| 47 | return False;
|
|---|
| 48 | }
|
|---|
| 49 |
|
|---|
| 50 | /*
|
|---|
| 51 | * Remove the account disabled flag - we are updating the
|
|---|
| 52 | * users password from a login.
|
|---|
| 53 | */
|
|---|
| 54 | if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) {
|
|---|
| 55 | TALLOC_FREE(sampass);
|
|---|
| 56 | return False;
|
|---|
| 57 | }
|
|---|
| 58 |
|
|---|
| 59 | if (!pdb_set_plaintext_passwd (sampass, password)) {
|
|---|
| 60 | TALLOC_FREE(sampass);
|
|---|
| 61 | return False;
|
|---|
| 62 | }
|
|---|
| 63 |
|
|---|
| 64 | /* Now write it into the file. */
|
|---|
| 65 | become_root();
|
|---|
| 66 |
|
|---|
| 67 | ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass));
|
|---|
| 68 |
|
|---|
| 69 | unbecome_root();
|
|---|
| 70 |
|
|---|
| 71 | if (ret) {
|
|---|
| 72 | DEBUG(3,("pdb_update_sam_account returned %d\n",ret));
|
|---|
| 73 | }
|
|---|
| 74 |
|
|---|
| 75 | TALLOC_FREE(sampass);
|
|---|
| 76 | return ret;
|
|---|
| 77 | }
|
|---|
| 78 |
|
|---|
| 79 |
|
|---|
| 80 | /** Check a plaintext username/password
|
|---|
| 81 | *
|
|---|
| 82 | * Cannot deal with an encrupted password in any manner whatsoever,
|
|---|
| 83 | * unless the account has a null password.
|
|---|
| 84 | **/
|
|---|
| 85 |
|
|---|
| 86 | static NTSTATUS check_unix_security(const struct auth_context *auth_context,
|
|---|
| 87 | void *my_private_data,
|
|---|
| 88 | TALLOC_CTX *mem_ctx,
|
|---|
| 89 | const auth_usersupplied_info *user_info,
|
|---|
| 90 | auth_serversupplied_info **server_info)
|
|---|
| 91 | {
|
|---|
| 92 | NTSTATUS nt_status;
|
|---|
| 93 | struct passwd *pass = NULL;
|
|---|
| 94 |
|
|---|
| 95 | become_root();
|
|---|
| 96 | pass = Get_Pwnam(user_info->internal_username);
|
|---|
| 97 |
|
|---|
| 98 |
|
|---|
| 99 | /** @todo This call assumes a ASCII password, no charset transformation is
|
|---|
| 100 | done. We may need to revisit this **/
|
|---|
| 101 | nt_status = pass_check(pass,
|
|---|
| 102 | pass ? pass->pw_name : user_info->internal_username,
|
|---|
| 103 | (char *)user_info->plaintext_password.data,
|
|---|
| 104 | user_info->plaintext_password.length-1,
|
|---|
| 105 | lp_update_encrypted() ?
|
|---|
| 106 | update_smbpassword_file : NULL,
|
|---|
| 107 | True);
|
|---|
| 108 |
|
|---|
| 109 | unbecome_root();
|
|---|
| 110 |
|
|---|
| 111 | if (NT_STATUS_IS_OK(nt_status)) {
|
|---|
| 112 | if (pass) {
|
|---|
| 113 | /* if a real user check pam account restrictions */
|
|---|
| 114 | /* only really perfomed if "obey pam restriction" is true */
|
|---|
| 115 | nt_status = smb_pam_accountcheck(pass->pw_name);
|
|---|
| 116 | if ( !NT_STATUS_IS_OK(nt_status)) {
|
|---|
| 117 | DEBUG(1, ("PAM account restriction prevents user login\n"));
|
|---|
| 118 | } else {
|
|---|
| 119 | make_server_info_pw(server_info, pass->pw_name, pass);
|
|---|
| 120 | }
|
|---|
| 121 | } else {
|
|---|
| 122 | /* we need to do somthing more useful here */
|
|---|
| 123 | nt_status = NT_STATUS_NO_SUCH_USER;
|
|---|
| 124 | }
|
|---|
| 125 | }
|
|---|
| 126 |
|
|---|
| 127 | return nt_status;
|
|---|
| 128 | }
|
|---|
| 129 |
|
|---|
| 130 | /* module initialisation */
|
|---|
| 131 | static NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
|
|---|
| 132 | {
|
|---|
| 133 | if (!make_auth_methods(auth_context, auth_method)) {
|
|---|
| 134 | return NT_STATUS_NO_MEMORY;
|
|---|
| 135 | }
|
|---|
| 136 |
|
|---|
| 137 | (*auth_method)->name = "unix";
|
|---|
| 138 | (*auth_method)->auth = check_unix_security;
|
|---|
| 139 | return NT_STATUS_OK;
|
|---|
| 140 | }
|
|---|
| 141 |
|
|---|
| 142 | NTSTATUS auth_unix_init(void)
|
|---|
| 143 | {
|
|---|
| 144 | return smb_register_auth(AUTH_INTERFACE_VERSION, "unix", auth_init_unix);
|
|---|
| 145 | }
|
|---|
