Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

pam_smb_auth.c

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 6.8 KB

Line
1	/* Unix NT password database implementation, version 0.7.5.
2	*
3	* This program is free software; you can redistribute it and/or modify it under
4	* the terms of the GNU General Public License as published by the Free
5	* Software Foundation; either version 3 of the License, or (at your option)
6	* any later version.
7	*
8	* This program is distributed in the hope that it will be useful, but WITHOUT
9	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11	* more details.
12	*
13	* You should have received a copy of the GNU General Public License along with
14	* this program; if not, see <http://www.gnu.org/licenses/>.
15	*/
16
17	/* indicate the following groups are defined */
18	#define PAM_SM_AUTH
19
20	#include "includes.h"
21	#include "lib/util/debug.h"
22
23	#ifndef LINUX
24
25	/* This is only used in the Sun implementation. */
26	#if defined(HAVE_SECURITY_PAM_APPL_H)
27	#include <security/pam_appl.h>
28	#elif defined(HAVE_PAM_PAM_APPL_H)
29	#include <pam/pam_appl.h>
30	#endif
31
32	#endif /* LINUX */
33
34	#if defined(HAVE_SECURITY_PAM_MODULES_H)
35	#include <security/pam_modules.h>
36	#elif defined(HAVE_PAM_PAM_MODULES_H)
37	#include <pam/pam_modules.h>
38	#endif
39
40	#include "general.h"
41
42	#include "support.h"
43
44	#define AUTH_RETURN \
45	do { \
46	/* Restore application signal handler */ \
47	CatchSignal(SIGPIPE, oldsig_handler); \
48	if(ret_data) { \
49	*ret_data = retval; \
50	pam_set_data( pamh, "smb_setcred_return" \
51	, (void *) ret_data, NULL ); \
52	} \
53	return retval; \
54	} while (0)
55
56	static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
57	const char name, struct samu sampass, bool exist);
58
59
60	/*
61	* pam_sm_authenticate() authenticates users against the samba password file.
62	*
63	* First, obtain the password from the user. Then use a
64	* routine in 'support.c' to authenticate the user.
65	*/
66
67	#define _SMB_AUTHTOK "-SMB-PASS"
68
69	int pam_sm_authenticate(pam_handle_t *pamh, int flags,
70	int argc, const char **argv)
71	{
72	unsigned int ctrl;
73	int retval, *ret_data = NULL;
74	struct samu *sampass = NULL;
75	const char *name;
76	void (*oldsig_handler)(int) = NULL;
77	bool found;
78
79	/* Points to memory managed by the PAM library. Do not free. */
80	char *p = NULL;
81
82	/* Samba initialization. */
83	load_case_tables_library();
84	lp_set_in_client(True);
85
86	ctrl = set_ctrl(pamh, flags, argc, argv);
87
88	/* Get a few bytes so we can pass our return value to
89	pam_sm_setcred(). */
90	ret_data = SMB_MALLOC_P(int);
91
92	/* we need to do this before we call AUTH_RETURN */
93	/* Getting into places that might use LDAP -- protect the app
94	from a SIGPIPE it's not expecting */
95	oldsig_handler = CatchSignal(SIGPIPE, SIG_IGN);
96
97	/* get the username */
98	retval = pam_get_user( pamh, &name, "Username: " );
99	if ( retval != PAM_SUCCESS ) {
100	if (on( SMB_DEBUG, ctrl )) {
101	_log_err(pamh, LOG_DEBUG, "auth: could not identify user");
102	}
103	AUTH_RETURN;
104	}
105	if (on( SMB_DEBUG, ctrl )) {
106	_log_err(pamh, LOG_DEBUG, "username [%s] obtained", name );
107	}
108
109	if (geteuid() != 0) {
110	_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
111	retval = PAM_AUTHINFO_UNAVAIL;
112	AUTH_RETURN;
113	}
114
115	if (!initialize_password_db(True, NULL)) {
116	_log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
117	retval = PAM_AUTHINFO_UNAVAIL;
118	AUTH_RETURN;
119	}
120
121	sampass = samu_new( NULL );
122	if (!sampass) {
123	_log_err(pamh, LOG_ALERT, "Cannot talloc a samu struct" );
124	retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
125	AUTH_RETURN;
126	}
127
128	found = pdb_getsampwnam( sampass, name );
129
130	if (on( SMB_MIGRATE, ctrl )) {
131	retval = _smb_add_user(pamh, ctrl, name, sampass, found);
132	TALLOC_FREE(sampass);
133	AUTH_RETURN;
134	}
135
136	if (!found) {
137	_log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", name);
138	retval = PAM_USER_UNKNOWN;
139	TALLOC_FREE(sampass);
140	sampass = NULL;
141	AUTH_RETURN;
142	}
143
144	/* if this user does not have a password... */
145
146	if (_smb_blankpasswd( ctrl, sampass )) {
147	TALLOC_FREE(sampass);
148	retval = PAM_SUCCESS;
149	AUTH_RETURN;
150	}
151
152	/* get this user's authentication token */
153
154	retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
155	if (retval != PAM_SUCCESS ) {
156	_log_err(pamh,LOG_CRIT, "auth: no password provided for [%s]", name);
157	TALLOC_FREE(sampass);
158	AUTH_RETURN;
159	}
160
161	/* verify the password of this user */
162
163	retval = _smb_verify_password( pamh, sampass, p, ctrl );
164	TALLOC_FREE(sampass);
165	p = NULL;
166	AUTH_RETURN;
167	}
168
169	/*
170	* This function is for setting samba credentials. If anyone comes up
171	* with any credentials they think should be set, let me know.
172	*/
173
174	int pam_sm_setcred(pam_handle_t *pamh, int flags,
175	int argc, const char **argv)
176	{
177	int retval, *pretval = NULL;
178
179	retval = PAM_SUCCESS;
180
181	_pam_get_data(pamh, "smb_setcred_return", &pretval);
182	if(pretval) {
183	retval = *pretval;
184	SAFE_FREE(pretval);
185	}
186	pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
187
188	return retval;
189	}
190
191	/* Helper function for adding a user to the db. */
192	static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
193	const char name, struct samu sampass, bool exist)
194	{
195	char *err_str = NULL;
196	char *msg_str = NULL;
197	const char *pass = NULL;
198	int retval;
199
200	/* Get the authtok; if we don't have one, silently fail. */
201	retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass );
202
203	if (retval != PAM_SUCCESS) {
204	_log_err(pamh, LOG_ALERT
205	, "pam_get_item returned error to pam_sm_authenticate" );
206	return PAM_AUTHTOK_RECOVER_ERR;
207	} else if (pass == NULL) {
208	return PAM_AUTHTOK_RECOVER_ERR;
209	}
210
211	/* Add the user to the db if they aren't already there. */
212	if (!exist) {
213	retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_ADD_USER\|LOCAL_SET_PASSWORD,
214	pass, &err_str, &msg_str));
215	if (!retval && err_str) {
216	make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
217	} else if (msg_str) {
218	make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
219	}
220	pass = NULL;
221
222	SAFE_FREE(err_str);
223	SAFE_FREE(msg_str);
224	return PAM_IGNORE;
225	} else {
226	/* mimick 'update encrypted' as long as the 'no pw req' flag is not set */
227	if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) {
228	retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_SET_PASSWORD,
229	pass, &err_str, &msg_str));
230	if (!retval && err_str) {
231	make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
232	} else if (msg_str) {
233	make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
234	}
235	}
236	}
237
238	SAFE_FREE(err_str);
239	SAFE_FREE(msg_str);
240	pass = NULL;
241	return PAM_IGNORE;
242	}
243
244	/* static module data */
245	#ifdef PAM_STATIC
246	struct pam_module _pam_smbpass_auth_modstruct = {
247	"pam_smbpass",
248	pam_sm_authenticate,
249	pam_sm_setcred,
250	NULL,
251	NULL,
252	NULL,
253	NULL
254	};
255	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source3/pam_smbpass/pam_smb_auth.c

Download in other formats: