Context Navigation

source: branches/samba-3.0/source/pam_smbpass/pam_smb_auth.c@ 693

Visit:

Last change on this file since 693 was 134, checked in by Paul Smedley, 18 years ago
Update source to 3.0.29
File size: 7.1 KB

Line
1	/* Unix NT password database implementation, version 0.7.5.
2	*
3	* This program is free software; you can redistribute it and/or modify it under
4	* the terms of the GNU General Public License as published by the Free
5	* Software Foundation; either version 2 of the License, or (at your option)
6	* any later version.
7	*
8	* This program is distributed in the hope that it will be useful, but WITHOUT
9	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11	* more details.
12	*
13	* You should have received a copy of the GNU General Public License along with
14	* this program; if not, write to the Free Software Foundation, Inc., 675
15	* Mass Ave, Cambridge, MA 02139, USA.
16	*/
17
18	/* indicate the following groups are defined */
19	#define PAM_SM_AUTH
20
21	#include "includes.h"
22	#include "debug.h"
23
24	#ifndef LINUX
25
26	/* This is only used in the Sun implementation. */
27	#include <security/pam_appl.h>
28
29	#endif /* LINUX */
30
31	#include <security/pam_modules.h>
32
33	#include "general.h"
34
35	#include "support.h"
36
37	#define AUTH_RETURN \
38	do { \
39	/* Restore application signal handler */ \
40	CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); \
41	if(ret_data) { \
42	*ret_data = retval; \
43	pam_set_data( pamh, "smb_setcred_return" \
44	, (void *) ret_data, NULL ); \
45	} \
46	return retval; \
47	} while (0)
48
49	static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
50	const char name, struct samu sampass, BOOL exist);
51
52
53	/*
54	* pam_sm_authenticate() authenticates users against the samba password file.
55	*
56	* First, obtain the password from the user. Then use a
57	* routine in 'support.c' to authenticate the user.
58	*/
59
60	#define _SMB_AUTHTOK "-SMB-PASS"
61
62	int pam_sm_authenticate(pam_handle_t *pamh, int flags,
63	int argc, const char **argv)
64	{
65	unsigned int ctrl;
66	int retval, *ret_data = NULL;
67	struct samu *sampass = NULL;
68	extern BOOL in_client;
69	const char *name;
70	void (*oldsig_handler)(int) = NULL;
71	BOOL found;
72
73	/* Points to memory managed by the PAM library. Do not free. */
74	char *p = NULL;
75
76	/* Samba initialization. */
77	load_case_tables();
78	setup_logging("pam_smbpass",False);
79	in_client = True;
80
81	ctrl = set_ctrl(flags, argc, argv);
82
83	/* Get a few bytes so we can pass our return value to
84	pam_sm_setcred(). */
85	ret_data = SMB_MALLOC_P(int);
86
87	/* we need to do this before we call AUTH_RETURN */
88	/* Getting into places that might use LDAP -- protect the app
89	from a SIGPIPE it's not expecting */
90	oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
91
92	/* get the username */
93	retval = pam_get_user( pamh, &name, "Username: " );
94	if ( retval != PAM_SUCCESS ) {
95	if (on( SMB_DEBUG, ctrl )) {
96	_log_err(LOG_DEBUG, "auth: could not identify user");
97	}
98	AUTH_RETURN;
99	}
100	if (on( SMB_DEBUG, ctrl )) {
101	_log_err( LOG_DEBUG, "username [%s] obtained", name );
102	}
103
104	if (geteuid() != 0) {
105	_log_err(LOG_DEBUG, "Cannot access samba password database, not running as root.");
106	retval = PAM_AUTHINFO_UNAVAIL;
107	AUTH_RETURN;
108	}
109
110	if (!initialize_password_db(True)) {
111	_log_err( LOG_ALERT, "Cannot access samba password database" );
112	retval = PAM_AUTHINFO_UNAVAIL;
113	AUTH_RETURN;
114	}
115
116	sampass = samu_new( NULL );
117	if (!sampass) {
118	_log_err( LOG_ALERT, "Cannot talloc a samu struct" );
119	retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
120	AUTH_RETURN;
121	}
122
123	found = pdb_getsampwnam( sampass, name );
124
125	if (on( SMB_MIGRATE, ctrl )) {
126	retval = _smb_add_user(pamh, ctrl, name, sampass, found);
127	TALLOC_FREE(sampass);
128	AUTH_RETURN;
129	}
130
131	if (!found) {
132	_log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
133	retval = PAM_USER_UNKNOWN;
134	TALLOC_FREE(sampass);
135	sampass = NULL;
136	AUTH_RETURN;
137	}
138
139	/* if this user does not have a password... */
140
141	if (_smb_blankpasswd( ctrl, sampass )) {
142	TALLOC_FREE(sampass);
143	retval = PAM_SUCCESS;
144	AUTH_RETURN;
145	}
146
147	/* get this user's authentication token */
148
149	retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
150	if (retval != PAM_SUCCESS ) {
151	_log_err(LOG_CRIT, "auth: no password provided for [%s]", name);
152	TALLOC_FREE(sampass);
153	AUTH_RETURN;
154	}
155
156	/* verify the password of this user */
157
158	retval = _smb_verify_password( pamh, sampass, p, ctrl );
159	TALLOC_FREE(sampass);
160	p = NULL;
161	AUTH_RETURN;
162	}
163
164	/*
165	* This function is for setting samba credentials. If anyone comes up
166	* with any credentials they think should be set, let me know.
167	*/
168
169	int pam_sm_setcred(pam_handle_t *pamh, int flags,
170	int argc, const char **argv)
171	{
172	int retval, *pretval = NULL;
173
174	retval = PAM_SUCCESS;
175
176	pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval);
177	if(pretval) {
178	retval = *pretval;
179	SAFE_FREE(pretval);
180	}
181	pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
182
183	return retval;
184	}
185
186
187	/* Helper function for adding a user to the db. */
188	static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
189	const char name, struct samu sampass, BOOL exist)
190	{
191	pstring err_str;
192	pstring msg_str;
193	const char *pass = NULL;
194	int retval;
195
196	err_str[0] = '\0';
197	msg_str[0] = '\0';
198
199	/* Get the authtok; if we don't have one, silently fail. */
200	retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
201
202	if (retval != PAM_SUCCESS) {
203	_log_err( LOG_ALERT
204	, "pam_get_item returned error to pam_sm_authenticate" );
205	return PAM_AUTHTOK_RECOVER_ERR;
206	} else if (pass == NULL) {
207	return PAM_AUTHTOK_RECOVER_ERR;
208	}
209
210	/* Add the user to the db if they aren't already there. */
211	if (!exist) {
212	retval = NT_STATUS_IS_OK(local_password_change( name, LOCAL_ADD_USER\|LOCAL_SET_PASSWORD,
213	pass, err_str,
214	sizeof(err_str),
215	msg_str, sizeof(msg_str) ));
216	if (!retval && *err_str)
217	{
218	err_str[PSTRING_LEN-1] = '\0';
219	make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
220	}
221	else if (*msg_str)
222	{
223	msg_str[PSTRING_LEN-1] = '\0';
224	make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
225	}
226	pass = NULL;
227
228	return PAM_IGNORE;
229	}
230	else {
231	/* mimick 'update encrypted' as long as the 'no pw req' flag is not set */
232	if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ )
233	{
234	retval = NT_STATUS_IS_OK(local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str),
235	msg_str, sizeof(msg_str) ));
236	if (!retval && *err_str)
237	{
238	err_str[PSTRING_LEN-1] = '\0';
239	make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
240	}
241	else if (*msg_str)
242	{
243	msg_str[PSTRING_LEN-1] = '\0';
244	make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
245	}
246	}
247	}
248
249	pass = NULL;
250
251	return PAM_IGNORE;
252	}
253
254
255	/* static module data */
256	#ifdef PAM_STATIC
257	struct pam_module _pam_smbpass_auth_modstruct = {
258	"pam_smbpass",
259	pam_sm_authenticate,
260	pam_sm_setcred,
261	NULL,
262	NULL,
263	NULL,
264	NULL
265	};
266	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: