Context Navigation

source: branches/samba-3.3.x/source/pam_smbpass/pam_smb_auth.c@ 342

Visit:

Last change on this file since 342 was 342, checked in by Herwig Bauernfeind, 16 years ago
Update 3.3 to 3.3.9
File size: 6.8 KB

Line
1	/* Unix NT password database implementation, version 0.7.5.
2	*
3	* This program is free software; you can redistribute it and/or modify it under
4	* the terms of the GNU General Public License as published by the Free
5	* Software Foundation; either version 3 of the License, or (at your option)
6	* any later version.
7	*
8	* This program is distributed in the hope that it will be useful, but WITHOUT
9	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11	* more details.
12	*
13	* You should have received a copy of the GNU General Public License along with
14	* this program; if not, see <http://www.gnu.org/licenses/>.
15	*/
16
17	/* indicate the following groups are defined */
18	#define PAM_SM_AUTH
19
20	#include "includes.h"
21	#include "debug.h"
22
23	#ifndef LINUX
24
25	/* This is only used in the Sun implementation. */
26	#if defined(HAVE_SECURITY_PAM_APPL_H)
27	#include <security/pam_appl.h>
28	#elif defined(HAVE_PAM_PAM_APPL_H)
29	#include <pam/pam_appl.h>
30	#endif
31
32	#endif /* LINUX */
33
34	#if defined(HAVE_SECURITY_PAM_MODULES_H)
35	#include <security/pam_modules.h>
36	#elif defined(HAVE_PAM_PAM_MODULES_H)
37	#include <pam/pam_modules.h>
38	#endif
39
40	#include "general.h"
41
42	#include "support.h"
43
44	#define AUTH_RETURN \
45	do { \
46	/* Restore application signal handler */ \
47	CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); \
48	if(ret_data) { \
49	*ret_data = retval; \
50	pam_set_data( pamh, "smb_setcred_return" \
51	, (void *) ret_data, NULL ); \
52	} \
53	return retval; \
54	} while (0)
55
56	static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
57	const char name, struct samu sampass, bool exist);
58
59
60	/*
61	* pam_sm_authenticate() authenticates users against the samba password file.
62	*
63	* First, obtain the password from the user. Then use a
64	* routine in 'support.c' to authenticate the user.
65	*/
66
67	#define _SMB_AUTHTOK "-SMB-PASS"
68
69	int pam_sm_authenticate(pam_handle_t *pamh, int flags,
70	int argc, const char **argv)
71	{
72	unsigned int ctrl;
73	int retval, *ret_data = NULL;
74	struct samu *sampass = NULL;
75	const char *name;
76	void (*oldsig_handler)(int) = NULL;
77	bool found;
78
79	/* Points to memory managed by the PAM library. Do not free. */
80	char *p = NULL;
81
82	/* Samba initialization. */
83	load_case_tables();
84	setup_logging("pam_smbpass",False);
85	lp_set_in_client(True);
86
87	ctrl = set_ctrl(flags, argc, argv);
88
89	/* Get a few bytes so we can pass our return value to
90	pam_sm_setcred(). */
91	ret_data = SMB_MALLOC_P(int);
92
93	/* we need to do this before we call AUTH_RETURN */
94	/* Getting into places that might use LDAP -- protect the app
95	from a SIGPIPE it's not expecting */
96	oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
97
98	/* get the username */
99	retval = pam_get_user( pamh, &name, "Username: " );
100	if ( retval != PAM_SUCCESS ) {
101	if (on( SMB_DEBUG, ctrl )) {
102	_log_err(LOG_DEBUG, "auth: could not identify user");
103	}
104	AUTH_RETURN;
105	}
106	if (on( SMB_DEBUG, ctrl )) {
107	_log_err( LOG_DEBUG, "username [%s] obtained", name );
108	}
109
110	if (geteuid() != 0) {
111	_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
112	retval = PAM_AUTHINFO_UNAVAIL;
113	AUTH_RETURN;
114	}
115
116	if (!initialize_password_db(True, NULL)) {
117	_log_err( LOG_ALERT, "Cannot access samba password database" );
118	retval = PAM_AUTHINFO_UNAVAIL;
119	AUTH_RETURN;
120	}
121
122	sampass = samu_new( NULL );
123	if (!sampass) {
124	_log_err( LOG_ALERT, "Cannot talloc a samu struct" );
125	retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
126	AUTH_RETURN;
127	}
128
129	found = pdb_getsampwnam( sampass, name );
130
131	if (on( SMB_MIGRATE, ctrl )) {
132	retval = _smb_add_user(pamh, ctrl, name, sampass, found);
133	TALLOC_FREE(sampass);
134	AUTH_RETURN;
135	}
136
137	if (!found) {
138	_log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
139	retval = PAM_USER_UNKNOWN;
140	TALLOC_FREE(sampass);
141	sampass = NULL;
142	AUTH_RETURN;
143	}
144
145	/* if this user does not have a password... */
146
147	if (_smb_blankpasswd( ctrl, sampass )) {
148	TALLOC_FREE(sampass);
149	retval = PAM_SUCCESS;
150	AUTH_RETURN;
151	}
152
153	/* get this user's authentication token */
154
155	retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
156	if (retval != PAM_SUCCESS ) {
157	_log_err(LOG_CRIT, "auth: no password provided for [%s]", name);
158	TALLOC_FREE(sampass);
159	AUTH_RETURN;
160	}
161
162	/* verify the password of this user */
163
164	retval = _smb_verify_password( pamh, sampass, p, ctrl );
165	TALLOC_FREE(sampass);
166	p = NULL;
167	AUTH_RETURN;
168	}
169
170	/*
171	* This function is for setting samba credentials. If anyone comes up
172	* with any credentials they think should be set, let me know.
173	*/
174
175	int pam_sm_setcred(pam_handle_t *pamh, int flags,
176	int argc, const char **argv)
177	{
178	int retval, *pretval = NULL;
179
180	retval = PAM_SUCCESS;
181
182	_pam_get_data(pamh, "smb_setcred_return", &pretval);
183	if(pretval) {
184	retval = *pretval;
185	SAFE_FREE(pretval);
186	}
187	pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
188
189	return retval;
190	}
191
192	/* Helper function for adding a user to the db. */
193	static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
194	const char name, struct samu sampass, bool exist)
195	{
196	char *err_str = NULL;
197	char *msg_str = NULL;
198	const char *pass = NULL;
199	int retval;
200
201	/* Get the authtok; if we don't have one, silently fail. */
202	retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass );
203
204	if (retval != PAM_SUCCESS) {
205	_log_err( LOG_ALERT
206	, "pam_get_item returned error to pam_sm_authenticate" );
207	return PAM_AUTHTOK_RECOVER_ERR;
208	} else if (pass == NULL) {
209	return PAM_AUTHTOK_RECOVER_ERR;
210	}
211
212	/* Add the user to the db if they aren't already there. */
213	if (!exist) {
214	retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_ADD_USER\|LOCAL_SET_PASSWORD,
215	pass, &err_str, &msg_str));
216	if (!retval && err_str) {
217	make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
218	} else if (msg_str) {
219	make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
220	}
221	pass = NULL;
222
223	SAFE_FREE(err_str);
224	SAFE_FREE(msg_str);
225	return PAM_IGNORE;
226	} else {
227	/* mimick 'update encrypted' as long as the 'no pw req' flag is not set */
228	if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) {
229	retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_SET_PASSWORD,
230	pass, &err_str, &msg_str));
231	if (!retval && err_str) {
232	make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
233	} else if (msg_str) {
234	make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
235	}
236	}
237	}
238
239	SAFE_FREE(err_str);
240	SAFE_FREE(msg_str);
241	pass = NULL;
242	return PAM_IGNORE;
243	}
244
245	/* static module data */
246	#ifdef PAM_STATIC
247	struct pam_module _pam_smbpass_auth_modstruct = {
248	"pam_smbpass",
249	pam_sm_authenticate,
250	pam_sm_setcred,
251	NULL,
252	NULL,
253	NULL,
254	NULL
255	};
256	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: