search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pam_winbind: translate some more string.
[Samba.git] / source / nsswitch / pam_winbind.c
blobcc6bf229e1813dde1a9eadacd8df828b4805d10a
1 /* pam_winbind module
2
3 Copyright Andrew Tridgell <tridge@samba.org> 2000
4 Copyright Tim Potter <tpot@samba.org> 2000
5 Copyright Andrew Bartlett <abartlet@samba.org> 2002
6 Copyright Guenther Deschner <gd@samba.org> 2005-2008
7
8 largely based on pam_userdb by Cristian Gafton <gafton@redhat.com> also
9 contains large slabs of code from pam_unix by Elliot Lee
10 <sopwith@redhat.com> (see copyright below for full details)
11 */
12
13 #include "pam_winbind.h"
14
15 static const char *_pam_error_code_str(int err)
16 {
17 switch (err) {
18 case PAM_SUCCESS:
19 return "PAM_SUCCESS";
20 case PAM_OPEN_ERR:
21 return "PAM_OPEN_ERR";
22 case PAM_SYMBOL_ERR:
23 return "PAM_SYMBOL_ERR";
24 case PAM_SERVICE_ERR:
25 return "PAM_SERVICE_ERR";
26 case PAM_SYSTEM_ERR:
27 return "PAM_SYSTEM_ERR";
28 case PAM_BUF_ERR:
29 return "PAM_BUF_ERR";
30 case PAM_PERM_DENIED:
31 return "PAM_PERM_DENIED";
32 case PAM_AUTH_ERR:
33 return "PAM_AUTH_ERR";
34 case PAM_CRED_INSUFFICIENT:
35 return "PAM_CRED_INSUFFICIENT";
36 case PAM_AUTHINFO_UNAVAIL:
37 return "PAM_AUTHINFO_UNAVAIL";
38 case PAM_USER_UNKNOWN:
39 return "PAM_USER_UNKNOWN";
40 case PAM_MAXTRIES:
41 return "PAM_MAXTRIES";
42 case PAM_NEW_AUTHTOK_REQD:
43 return "PAM_NEW_AUTHTOK_REQD";
44 case PAM_ACCT_EXPIRED:
45 return "PAM_ACCT_EXPIRED";
46 case PAM_SESSION_ERR:
47 return "PAM_SESSION_ERR";
48 case PAM_CRED_UNAVAIL:
49 return "PAM_CRED_UNAVAIL";
50 case PAM_CRED_EXPIRED:
51 return "PAM_CRED_EXPIRED";
52 case PAM_CRED_ERR:
53 return "PAM_CRED_ERR";
54 case PAM_NO_MODULE_DATA:
55 return "PAM_NO_MODULE_DATA";
56 case PAM_CONV_ERR:
57 return "PAM_CONV_ERR";
58 case PAM_AUTHTOK_ERR:
59 return "PAM_AUTHTOK_ERR";
60 case PAM_AUTHTOK_RECOVERY_ERR:
61 return "PAM_AUTHTOK_RECOVERY_ERR";
62 case PAM_AUTHTOK_LOCK_BUSY:
63 return "PAM_AUTHTOK_LOCK_BUSY";
64 case PAM_AUTHTOK_DISABLE_AGING:
65 return "PAM_AUTHTOK_DISABLE_AGING";
66 case PAM_TRY_AGAIN:
67 return "PAM_TRY_AGAIN";
68 case PAM_IGNORE:
69 return "PAM_IGNORE";
70 case PAM_ABORT:
71 return "PAM_ABORT";
72 case PAM_AUTHTOK_EXPIRED:
73 return "PAM_AUTHTOK_EXPIRED";
74 #ifdef PAM_MODULE_UNKNOWN
75 case PAM_MODULE_UNKNOWN:
76 return "PAM_MODULE_UNKNOWN";
77 #endif
78 #ifdef PAM_BAD_ITEM
79 case PAM_BAD_ITEM:
80 return "PAM_BAD_ITEM";
81 #endif
82 #ifdef PAM_CONV_AGAIN
83 case PAM_CONV_AGAIN:
84 return "PAM_CONV_AGAIN";
85 #endif
86 #ifdef PAM_INCOMPLETE
87 case PAM_INCOMPLETE:
88 return "PAM_INCOMPLETE";
89 #endif
90 default:
91 return NULL;
92 }
93 }
94
95 #define _PAM_LOG_FUNCTION_ENTER(function, ctx) \
96 do { \
97 _pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] ENTER: " \
98 function " (flags: 0x%04x)", ctx->pamh, ctx->flags); \
99 _pam_log_state(ctx); \
100 } while (0)
101
102 #define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \
103 do { \
104 _pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \
105 function " returning %d (%s)", ctx->pamh, retval, \
106 _pam_error_code_str(retval)); \
107 _pam_log_state(ctx); \
108 } while (0)
109
110 /* data tokens */
111
112 #define MAX_PASSWD_TRIES 3
113
114 #ifdef HAVE_GETTEXT
115 static char initialized = 0;
116
117 static inline void textdomain_init(void);
118 static inline void textdomain_init(void)
119 {
120 if (!initialized) {
121 bindtextdomain(MODULE_NAME, dyn_LOCALEDIR);
122 initialized = 1;
123 }
124 return;
125 }
126 #endif
127
128
129 /*
130 * Work around the pam API that has functions with void ** as parameters
131 * These lead to strict aliasing warnings with gcc.
132 */
133 static int _pam_get_item(const pam_handle_t *pamh,
134 int item_type,
135 const void *_item)
136 {
137 const void **item = (const void **)_item;
138 return pam_get_item(pamh, item_type, item);
139 }
140 static int _pam_get_data(const pam_handle_t *pamh,
141 const char *module_data_name,
142 const void *_data)
143 {
144 const void **data = (const void **)_data;
145 return pam_get_data(pamh, module_data_name, data);
146 }
147
148 /* some syslogging */
149
150 #ifdef HAVE_PAM_VSYSLOG
151 static void _pam_log_int(const pam_handle_t *pamh,
152 int err,
153 const char *format,
154 va_list args)
155 {
156 pam_vsyslog(pamh, err, format, args);
157 }
158 #else
159 static void _pam_log_int(const pam_handle_t *pamh,
160 int err,
161 const char *format,
162 va_list args)
163 {
164 char *format2 = NULL;
165 const char *service;
166
167 _pam_get_item(pamh, PAM_SERVICE, &service);
168
169 format2 = (char *)malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5);
170 if (format2 == NULL) {
171 /* what else todo ? */
172 vsyslog(err, format, args);
173 return;
174 }
175
176 sprintf(format2, "%s(%s): %s", MODULE_NAME, service, format);
177 vsyslog(err, format2, args);
178 SAFE_FREE(format2);
179 }
180 #endif /* HAVE_PAM_VSYSLOG */
181
182 static bool _pam_log_is_silent(int ctrl)
183 {
184 return on(ctrl, WINBIND_SILENT);
185 }
186
187 static void _pam_log(struct pwb_context *r, int err, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
188 static void _pam_log(struct pwb_context *r, int err, const char *format, ...)
189 {
190 va_list args;
191
192 if (_pam_log_is_silent(r->ctrl)) {
193 return;
194 }
195
196 va_start(args, format);
197 _pam_log_int(r->pamh, err, format, args);
198 va_end(args);
199 }
200 static void __pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...) PRINTF_ATTRIBUTE(4,5);
201 static void __pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
202 {
203 va_list args;
204
205 if (_pam_log_is_silent(ctrl)) {
206 return;
207 }
208
209 va_start(args, format);
210 _pam_log_int(pamh, err, format, args);
211 va_end(args);
212 }
213
214 static bool _pam_log_is_debug_enabled(int ctrl)
215 {
216 if (ctrl == -1) {
217 return false;
218 }
219
220 if (_pam_log_is_silent(ctrl)) {
221 return false;
222 }
223
224 if (!(ctrl & WINBIND_DEBUG_ARG)) {
225 return false;
226 }
227
228 return true;
229 }
230
231 static bool _pam_log_is_debug_state_enabled(int ctrl)
232 {
233 if (!(ctrl & WINBIND_DEBUG_STATE)) {
234 return false;
235 }
236
237 return _pam_log_is_debug_enabled(ctrl);
238 }
239
240 static void _pam_log_debug(struct pwb_context *r, int err, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
241 static void _pam_log_debug(struct pwb_context *r, int err, const char *format, ...)
242 {
243 va_list args;
244
245 if (!_pam_log_is_debug_enabled(r->ctrl)) {
246 return;
247 }
248
249 va_start(args, format);
250 _pam_log_int(r->pamh, err, format, args);
251 va_end(args);
252 }
253 static void __pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...) PRINTF_ATTRIBUTE(4,5);
254 static void __pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
255 {
256 va_list args;
257
258 if (!_pam_log_is_debug_enabled(ctrl)) {
259 return;
260 }
261
262 va_start(args, format);
263 _pam_log_int(pamh, err, format, args);
264 va_end(args);
265 }
266
267 static void _pam_log_state_datum(struct pwb_context *ctx,
268 int item_type,
269 const char *key,
270 int is_string)
271 {
272 const void *data = NULL;
273 if (item_type != 0) {
274 pam_get_item(ctx->pamh, item_type, &data);
275 } else {
276 pam_get_data(ctx->pamh, key, &data);
277 }
278 if (data != NULL) {
279 const char *type = (item_type != 0) ? "ITEM" : "DATA";
280 if (is_string != 0) {
281 _pam_log_debug(ctx, LOG_DEBUG,
282 "[pamh: %p] STATE: %s(%s) = \"%s\" (%p)",
283 ctx->pamh, type, key, (const char *)data,
284 data);
285 } else {
286 _pam_log_debug(ctx, LOG_DEBUG,
287 "[pamh: %p] STATE: %s(%s) = %p",
288 ctx->pamh, type, key, data);
289 }
290 }
291 }
292
293 #define _PAM_LOG_STATE_DATA_POINTER(ctx, module_data_name) \
294 _pam_log_state_datum(ctx, 0, module_data_name, 0)
295
296 #define _PAM_LOG_STATE_DATA_STRING(ctx, module_data_name) \
297 _pam_log_state_datum(ctx, 0, module_data_name, 1)
298
299 #define _PAM_LOG_STATE_ITEM_POINTER(ctx, item_type) \
300 _pam_log_state_datum(ctx, item_type, #item_type, 0)
301
302 #define _PAM_LOG_STATE_ITEM_STRING(ctx, item_type) \
303 _pam_log_state_datum(ctx, item_type, #item_type, 1)
304
305 #ifdef DEBUG_PASSWORD
306 #define _LOG_PASSWORD_AS_STRING 1
307 #else
308 #define _LOG_PASSWORD_AS_STRING 0
309 #endif
310
311 #define _PAM_LOG_STATE_ITEM_PASSWORD(ctx, item_type) \
312 _pam_log_state_datum(ctx, item_type, #item_type, \
313 _LOG_PASSWORD_AS_STRING)
314
315 static void _pam_log_state(struct pwb_context *ctx)
316 {
317 if (!_pam_log_is_debug_state_enabled(ctx->ctrl)) {
318 return;
319 }
320
321 _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_SERVICE);
322 _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_USER);
323 _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_TTY);
324 _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_RHOST);
325 _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_RUSER);
326 _PAM_LOG_STATE_ITEM_PASSWORD(ctx, PAM_OLDAUTHTOK);
327 _PAM_LOG_STATE_ITEM_PASSWORD(ctx, PAM_AUTHTOK);
328 _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_USER_PROMPT);
329 _PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_CONV);
330 #ifdef PAM_FAIL_DELAY
331 _PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_FAIL_DELAY);
332 #endif
333 #ifdef PAM_REPOSITORY
334 _PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_REPOSITORY);
335 #endif
336
337 _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_HOMEDIR);
338 _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_LOGONSCRIPT);
339 _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_LOGONSERVER);
340 _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_PROFILEPATH);
341 _PAM_LOG_STATE_DATA_STRING(ctx,
342 PAM_WINBIND_NEW_AUTHTOK_REQD);
343 /* Use atoi to get PAM result code */
344 _PAM_LOG_STATE_DATA_STRING(ctx,
345 PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH);
346 _PAM_LOG_STATE_DATA_POINTER(ctx, PAM_WINBIND_PWD_LAST_SET);
347 }
348
349 static int _pam_parse(const pam_handle_t *pamh,
350 int flags,
351 int argc,
352 const char **argv,
353 dictionary **result_d)
354 {
355 int ctrl = 0;
356 const char *config_file = NULL;
357 int i;
358 const char **v;
359 dictionary *d = NULL;
360
361 if (flags & PAM_SILENT) {
362 ctrl |= WINBIND_SILENT;
363 }
364
365 for (i=argc,v=argv; i-- > 0; ++v) {
366 if (!strncasecmp(*v, "config", strlen("config"))) {
367 ctrl |= WINBIND_CONFIG_FILE;
368 config_file = v[i];
369 break;
370 }
371 }
372
373 if (config_file == NULL) {
374 config_file = PAM_WINBIND_CONFIG_FILE;
375 }
376
377 d = iniparser_load(config_file);
378 if (d == NULL) {
379 goto config_from_pam;
380 }
381
382 if (iniparser_getboolean(d, "global:debug", false)) {
383 ctrl |= WINBIND_DEBUG_ARG;
384 }
385
386 if (iniparser_getboolean(d, "global:debug_state", false)) {
387 ctrl |= WINBIND_DEBUG_STATE;
388 }
389
390 if (iniparser_getboolean(d, "global:cached_login", false)) {
391 ctrl |= WINBIND_CACHED_LOGIN;
392 }
393
394 if (iniparser_getboolean(d, "global:krb5_auth", false)) {
395 ctrl |= WINBIND_KRB5_AUTH;
396 }
397
398 if (iniparser_getboolean(d, "global:silent", false)) {
399 ctrl |= WINBIND_SILENT;
400 }
401
402 if (iniparser_getstr(d, "global:krb5_ccache_type") != NULL) {
403 ctrl |= WINBIND_KRB5_CCACHE_TYPE;
404 }
405
406 if ((iniparser_getstr(d, "global:require-membership-of") != NULL) ||
407 (iniparser_getstr(d, "global:require_membership_of") != NULL)) {
408 ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
409 }
410
411 if (iniparser_getboolean(d, "global:try_first_pass", false)) {
412 ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
413 }
414
415 if (iniparser_getint(d, "global:warn_pwd_expire", 0)) {
416 ctrl |= WINBIND_WARN_PWD_EXPIRE;
417 }
418
419 config_from_pam:
420 /* step through arguments */
421 for (i=argc,v=argv; i-- > 0; ++v) {
422
423 /* generic options */
424 if (!strcmp(*v,"debug"))
425 ctrl |= WINBIND_DEBUG_ARG;
426 else if (!strcasecmp(*v, "debug_state"))
427 ctrl |= WINBIND_DEBUG_STATE;
428 else if (!strcasecmp(*v, "silent"))
429 ctrl |= WINBIND_SILENT;
430 else if (!strcasecmp(*v, "use_authtok"))
431 ctrl |= WINBIND_USE_AUTHTOK_ARG;
432 else if (!strcasecmp(*v, "use_first_pass"))
433 ctrl |= WINBIND_USE_FIRST_PASS_ARG;
434 else if (!strcasecmp(*v, "try_first_pass"))
435 ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
436 else if (!strcasecmp(*v, "unknown_ok"))
437 ctrl |= WINBIND_UNKNOWN_OK_ARG;
438 else if (!strncasecmp(*v, "require_membership_of",
439 strlen("require_membership_of")))
440 ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
441 else if (!strncasecmp(*v, "require-membership-of",
442 strlen("require-membership-of")))
443 ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
444 else if (!strcasecmp(*v, "krb5_auth"))
445 ctrl |= WINBIND_KRB5_AUTH;
446 else if (!strncasecmp(*v, "krb5_ccache_type",
447 strlen("krb5_ccache_type")))
448 ctrl |= WINBIND_KRB5_CCACHE_TYPE;
449 else if (!strcasecmp(*v, "cached_login"))
450 ctrl |= WINBIND_CACHED_LOGIN;
451 else {
452 __pam_log(pamh, ctrl, LOG_ERR,
453 "pam_parse: unknown option: %s", *v);
454 return -1;
455 }
456
457 }
458
459 if (result_d) {
460 *result_d = d;
461 } else {
462 if (d) {
463 iniparser_freedict(d);
464 }
465 }
466
467 return ctrl;
468 };
469
470 static void _pam_winbind_free_context(struct pwb_context *ctx)
471 {
472 if (ctx->dict) {
473 iniparser_freedict(ctx->dict);
474 }
475
476 SAFE_FREE(ctx);
477 }
478
479 static int _pam_winbind_init_context(pam_handle_t *pamh,
480 int flags,
481 int argc,
482 const char **argv,
483 struct pwb_context **ctx_p)
484 {
485 struct pwb_context *r = NULL;
486
487 #ifdef HAVE_GETTEXT
488 textdomain_init();
489 #endif
490
491 r = (struct pwb_context *)malloc(sizeof(struct pwb_context));
492 if (!r) {
493 return PAM_BUF_ERR;
494 }
495
496 ZERO_STRUCTP(r);
497
498 r->pamh = pamh;
499 r->flags = flags;
500 r->argc = argc;
501 r->argv = argv;
502 r->ctrl = _pam_parse(pamh, flags, argc, argv, &r->dict);
503 if (r->ctrl == -1) {
504 _pam_winbind_free_context(r);
505 return PAM_SYSTEM_ERR;
506 }
507
508 *ctx_p = r;
509
510 return PAM_SUCCESS;
511 }
512
513 static void _pam_winbind_cleanup_func(pam_handle_t *pamh,
514 void *data,
515 int error_status)
516 {
517 int ctrl = _pam_parse(pamh, 0, 0, NULL, NULL);
518 if (_pam_log_is_debug_state_enabled(ctrl)) {
519 __pam_log_debug(pamh, ctrl, LOG_DEBUG,
520 "[pamh: %p] CLEAN: cleaning up PAM data %p "
521 "(error_status = %d)", pamh, data,
522 error_status);
523 }
524 SAFE_FREE(data);
525 }
526
527
528 static const struct ntstatus_errors {
529 const char *ntstatus_string;
530 const char *error_string;
531 } ntstatus_errors[] = {
532 {"NT_STATUS_OK",
533 N_("Success")},
534 {"NT_STATUS_BACKUP_CONTROLLER",
535 N_("No primary Domain Controler available")},
536 {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
537 N_("No domain controllers found")},
538 {"NT_STATUS_NO_LOGON_SERVERS",
539 N_("No logon servers")},
540 {"NT_STATUS_PWD_TOO_SHORT",
541 N_("Password too short")},
542 {"NT_STATUS_PWD_TOO_RECENT",
543 N_("The password of this user is too recent to change")},
544 {"NT_STATUS_PWD_HISTORY_CONFLICT",
545 N_("Password is already in password history")},
546 {"NT_STATUS_PASSWORD_EXPIRED",
547 N_("Your password has expired")},
548 {"NT_STATUS_PASSWORD_MUST_CHANGE",
549 N_("You need to change your password now")},
550 {"NT_STATUS_INVALID_WORKSTATION",
551 N_("You are not allowed to logon from this workstation")},
552 {"NT_STATUS_INVALID_LOGON_HOURS",
553 N_("You are not allowed to logon at this time")},
554 {"NT_STATUS_ACCOUNT_EXPIRED",
555 N_("Your account has expired. ")
556 N_("Please contact your System administrator")}, /* SCNR */
557 {"NT_STATUS_ACCOUNT_DISABLED",
558 N_("Your account is disabled. ")
559 N_("Please contact your System administrator")}, /* SCNR */
560 {"NT_STATUS_ACCOUNT_LOCKED_OUT",
561 N_("Your account has been locked. ")
562 N_("Please contact your System administrator")}, /* SCNR */
563 {"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
564 N_("Invalid Trust Account")},
565 {"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
566 N_("Invalid Trust Account")},
567 {"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
568 N_("Invalid Trust Account")},
569 {"NT_STATUS_ACCESS_DENIED",
570 N_("Access is denied")},
571 {NULL, NULL}
572 };
573
574 static const char *_get_ntstatus_error_string(const char *nt_status_string)
575 {
576 int i;
577 for (i=0; ntstatus_errors[i].ntstatus_string != NULL; i++) {
578 if (!strcasecmp(ntstatus_errors[i].ntstatus_string,
579 nt_status_string)) {
580 return _(ntstatus_errors[i].error_string);
581 }
582 }
583 return NULL;
584 }
585
586 /* --- authentication management functions --- */
587
588 /* Attempt a conversation */
589
590 static int converse(const pam_handle_t *pamh,
591 int nargs,
592 struct pam_message **message,
593 struct pam_response **response)
594 {
595 int retval;
596 struct pam_conv *conv;
597
598 retval = _pam_get_item(pamh, PAM_CONV, &conv);
599 if (retval == PAM_SUCCESS) {
600 retval = conv->conv(nargs,
601 (const struct pam_message **)message,
602 response, conv->appdata_ptr);
603 }
604
605 return retval; /* propagate error status */
606 }
607
608
609 static int _make_remark(struct pwb_context *ctx,
610 int type,
611 const char *text)
612 {
613 int retval = PAM_SUCCESS;
614
615 struct pam_message *pmsg[1], msg[1];
616 struct pam_response *resp;
617
618 if (ctx->flags & WINBIND_SILENT) {
619 return PAM_SUCCESS;
620 }
621
622 pmsg[0] = &msg[0];
623 msg[0].msg = discard_const_p(char, text);
624 msg[0].msg_style = type;
625
626 resp = NULL;
627 retval = converse(ctx->pamh, 1, pmsg, &resp);
628
629 if (resp) {
630 _pam_drop_reply(resp, 1);
631 }
632 return retval;
633 }
634
635 static int _make_remark_v(struct pwb_context *ctx,
636 int type,
637 const char *format,
638 va_list args)
639 {
640 char *var;
641 int ret;
642
643 ret = vasprintf(&var, format, args);
644 if (ret < 0) {
645 _pam_log(ctx, LOG_ERR, "memory allocation failure");
646 return ret;
647 }
648
649 ret = _make_remark(ctx, type, var);
650 SAFE_FREE(var);
651 return ret;
652 }
653
654 static int _make_remark_format(struct pwb_context *ctx, int type, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
655 static int _make_remark_format(struct pwb_context *ctx, int type, const char *format, ...)
656 {
657 int ret;
658 va_list args;
659
660 va_start(args, format);
661 ret = _make_remark_v(ctx, type, format, args);
662 va_end(args);
663 return ret;
664 }
665
666 static int pam_winbind_request(struct pwb_context *ctx,
667 enum winbindd_cmd req_type,
668 struct winbindd_request *request,
669 struct winbindd_response *response)
670 {
671 /* Fill in request and send down pipe */
672 winbindd_init_request(request, req_type);
673
674 if (winbind_write_sock(request, sizeof(*request), 0, 0) == -1) {
675 _pam_log(ctx, LOG_ERR,
676 "pam_winbind_request: write to socket failed!");
677 winbind_close_sock();
678 return PAM_SERVICE_ERR;
679 }
680
681 /* Wait for reply */
682 if (winbindd_read_reply(response) == -1) {
683 _pam_log(ctx, LOG_ERR,
684 "pam_winbind_request: read from socket failed!");
685 winbind_close_sock();
686 return PAM_SERVICE_ERR;
687 }
688
689 /* We are done with the socket - close it and avoid mischeif */
690 winbind_close_sock();
691
692 /* Copy reply data from socket */
693 if (response->result == WINBINDD_OK) {
694 return PAM_SUCCESS;
695 }
696
697 /* no need to check for pam_error codes for getpwnam() */
698 switch (req_type) {
699
700 case WINBINDD_GETPWNAM:
701 case WINBINDD_LOOKUPNAME:
702 if (strlen(response->data.auth.nt_status_string) > 0) {
703 _pam_log(ctx, LOG_ERR,
704 "request failed, NT error was %s",
705 response->data.auth.nt_status_string);
706 } else {
707 _pam_log(ctx, LOG_ERR, "request failed");
708 }
709 return PAM_USER_UNKNOWN;
710 default:
711 break;
712 }
713
714 if (response->data.auth.pam_error != PAM_SUCCESS) {
715 _pam_log(ctx, LOG_ERR,
716 "request failed: %s, "
717 "PAM error was %s (%d), NT error was %s",
718 response->data.auth.error_string,
719 pam_strerror(ctx->pamh, response->data.auth.pam_error),
720 response->data.auth.pam_error,
721 response->data.auth.nt_status_string);
722 return response->data.auth.pam_error;
723 }
724
725 _pam_log(ctx, LOG_ERR, "request failed, but PAM error 0!");
726
727 return PAM_SERVICE_ERR;
728 }
729
730 static int pam_winbind_request_log(struct pwb_context *ctx,
731 enum winbindd_cmd req_type,
732 struct winbindd_request *request,
733 struct winbindd_response *response,
734 const char *user)
735 {
736 int retval;
737
738 retval = pam_winbind_request(ctx, req_type, request, response);
739
740 switch (retval) {
741 case PAM_AUTH_ERR:
742 /* incorrect password */
743 _pam_log(ctx, LOG_WARNING, "user '%s' denied access "
744 "(incorrect password or invalid membership)", user);
745 return retval;
746 case PAM_ACCT_EXPIRED:
747 /* account expired */
748 _pam_log(ctx, LOG_WARNING, "user '%s' account expired",
749 user);
750 return retval;
751 case PAM_AUTHTOK_EXPIRED:
752 /* password expired */
753 _pam_log(ctx, LOG_WARNING, "user '%s' password expired",
754 user);
755 return retval;
756 case PAM_NEW_AUTHTOK_REQD:
757 /* new password required */
758 _pam_log(ctx, LOG_WARNING, "user '%s' new password "
759 "required", user);
760 return retval;
761 case PAM_USER_UNKNOWN:
762 /* the user does not exist */
763 _pam_log_debug(ctx, LOG_NOTICE, "user '%s' not found",
764 user);
765 if (ctx->ctrl & WINBIND_UNKNOWN_OK_ARG) {
766 return PAM_IGNORE;
767 }
768 return retval;
769 case PAM_SUCCESS:
770 /* Otherwise, the authentication looked good */
771 switch (req_type) {
772 case WINBINDD_INFO:
773 break;
774 case WINBINDD_PAM_AUTH:
775 _pam_log(ctx, LOG_NOTICE,
776 "user '%s' granted access", user);
777 break;
778 case WINBINDD_PAM_CHAUTHTOK:
779 _pam_log(ctx, LOG_NOTICE,
780 "user '%s' password changed", user);
781 break;
782 default:
783 _pam_log(ctx, LOG_NOTICE,
784 "user '%s' OK", user);
785 break;
786 }
787
788 return retval;
789 default:
790 /* we don't know anything about this return value */
791 _pam_log(ctx, LOG_ERR,
792 "internal module error (retval = %d, user = '%s')",
793 retval, user);
794 return retval;
795 }
796 }
797
798 /**
799 * send a password expiry message if required
800 *
801 * @param ctx PAM winbind context.
802 * @param next_change expected (calculated) next expiry date.
803 * @param already_expired pointer to a boolean to indicate if the password is
804 * already expired.
805 *
806 * @return boolean Returns true if message has been sent, false if not.
807 */
808
809 static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
810 time_t next_change,
811 time_t now,
812 int warn_pwd_expire,
813 bool *already_expired)
814 {
815 int days = 0;
816 struct tm tm_now, tm_next_change;
817
818 if (already_expired) {
819 *already_expired = false;
820 }
821
822 if (next_change <= now) {
823 PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PASSWORD_EXPIRED");
824 if (already_expired) {
825 *already_expired = true;
826 }
827 return true;
828 }
829
830 if ((next_change < 0) ||
831 (next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
832 return false;
833 }
834
835 if ((localtime_r(&now, &tm_now) == NULL) ||
836 (localtime_r(&next_change, &tm_next_change) == NULL)) {
837 return false;
838 }
839
840 days = (tm_next_change.tm_yday+tm_next_change.tm_year*365) -
841 (tm_now.tm_yday+tm_now.tm_year*365);
842
843 if (days == 0) {
844 _make_remark(ctx, PAM_TEXT_INFO,
845 _("Your password expires today"));
846 return true;
847 }
848
849 if (days > 0 && days < warn_pwd_expire) {
850 _make_remark_format(ctx, PAM_TEXT_INFO,
851 _("Your password will expire in %d %s"),
852 days, (days > 1) ? _("days"):_("day"));
853 return true;
854 }
855
856 return false;
857 }
858
859 /**
860 * Send a warning if the password expires in the near future
861 *
862 * @param ctx PAM winbind context.
863 * @param response The full authentication response structure.
864 * @param already_expired boolean, is the pwd already expired?
865 *
866 * @return void.
867 */
868
869 static void _pam_warn_password_expiry(struct pwb_context *ctx,
870 const struct winbindd_response *response,
871 int warn_pwd_expire,
872 bool *already_expired)
873 {
874 time_t now = time(NULL);
875 time_t next_change = 0;
876
877 if (already_expired) {
878 *already_expired = false;
879 }
880
881 /* accounts with ACB_PWNOEXP set never receive a warning */
882 if (response->data.auth.info3.acct_flags & ACB_PWNOEXP) {
883 return;
884 }
885
886 /* no point in sending a warning if this is a grace logon */
887 if (PAM_WB_GRACE_LOGON(response->data.auth.info3.user_flgs)) {
888 return;
889 }
890
891 /* check if the info3 must change timestamp has been set */
892 next_change = response->data.auth.info3.pass_must_change_time;
893
894 if (_pam_send_password_expiry_message(ctx, next_change, now,
895 warn_pwd_expire,
896 already_expired)) {
897 return;
898 }
899
900 /* now check for the global password policy */
901 /* good catch from Ralf Haferkamp: an expiry of "never" is translated
902 * to -1 */
903 if (response->data.auth.policy.expire <= 0) {
904 return;
905 }
906
907 next_change = response->data.auth.info3.pass_last_set_time +
908 response->data.auth.policy.expire;
909
910 if (_pam_send_password_expiry_message(ctx, next_change, now,
911 warn_pwd_expire,
912 already_expired)) {
913 return;
914 }
915
916 /* no warning sent */
917 }
918
919 #define IS_SID_STRING(name) (strncmp("S-", name, 2) == 0)
920
921 /**
922 * Append a string, making sure not to overflow and to always return a
923 * NULL-terminated string.
924 *
925 * @param dest Destination string buffer (must already be NULL-terminated).
926 * @param src Source string buffer.
927 * @param dest_buffer_size Size of dest buffer in bytes.
928 *
929 * @return false if dest buffer is not big enough (no bytes copied), true on
930 * success.
931 */
932
933 static bool safe_append_string(char *dest,
934 const char *src,
935 int dest_buffer_size)
936 {
937 int dest_length = strlen(dest);
938 int src_length = strlen(src);
939
940 if (dest_length + src_length + 1 > dest_buffer_size) {
941 return false;
942 }
943
944 memcpy(dest + dest_length, src, src_length + 1);
945 return true;
946 }
947
948 /**
949 * Convert a names into a SID string, appending it to a buffer.
950 *
951 * @param ctx PAM winbind context.
952 * @param user User in PAM request.
953 * @param name Name to convert.
954 * @param sid_list_buffer Where to append the string sid.
955 * @param sid_list_buffer Size of sid_list_buffer (in bytes).
956 *
957 * @return false on failure, true on success.
958 */
959 static bool winbind_name_to_sid_string(struct pwb_context *ctx,
960 const char *user,
961 const char *name,
962 char *sid_list_buffer,
963 int sid_list_buffer_size)
964 {
965 const char* sid_string;
966 struct winbindd_response sid_response;
967
968 /* lookup name? */
969 if (IS_SID_STRING(name)) {
970 sid_string = name;
971 } else {
972 struct winbindd_request sid_request;
973
974 ZERO_STRUCT(sid_request);
975 ZERO_STRUCT(sid_response);
976
977 _pam_log_debug(ctx, LOG_DEBUG,
978 "no sid given, looking up: %s\n", name);
979
980 /* fortunatly winbindd can handle non-separated names */
981 strncpy(sid_request.data.name.name, name,
982 sizeof(sid_request.data.name.name) - 1);
983
984 if (pam_winbind_request_log(ctx, WINBINDD_LOOKUPNAME,
985 &sid_request, &sid_response,
986 user)) {
987 _pam_log(ctx, LOG_INFO,
988 "could not lookup name: %s\n", name);
989 return false;
990 }
991
992 sid_string = sid_response.data.sid.sid;
993 }
994
995 if (!safe_append_string(sid_list_buffer, sid_string,
996 sid_list_buffer_size)) {
997 return false;
998 }
999
1000 return true;
1001 }
1002
1003 /**
1004 * Convert a list of names into a list of sids.
1005 *
1006 * @param ctx PAM winbind context.
1007 * @param user User in PAM request.
1008 * @param name_list List of names or string sids, separated by commas.
1009 * @param sid_list_buffer Where to put the list of string sids.
1010 * @param sid_list_buffer Size of sid_list_buffer (in bytes).
1011 *
1012 * @return false on failure, true on success.
1013 */
1014 static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
1015 const char *user,
1016 const char *name_list,
1017 char *sid_list_buffer,
1018 int sid_list_buffer_size)
1019 {
1020 bool result = false;
1021 char *current_name = NULL;
1022 const char *search_location;
1023 const char *comma;
1024
1025 if (sid_list_buffer_size > 0) {
1026 sid_list_buffer[0] = 0;
1027 }
1028
1029 search_location = name_list;
1030 while ((comma = strstr(search_location, ",")) != NULL) {
1031 current_name = strndup(search_location,
1032 comma - search_location);
1033 if (NULL == current_name) {
1034 goto out;
1035 }
1036
1037 if (!winbind_name_to_sid_string(ctx, user,
1038 current_name,
1039 sid_list_buffer,
1040 sid_list_buffer_size)) {
1041 goto out;
1042 }
1043
1044 SAFE_FREE(current_name);
1045
1046 if (!safe_append_string(sid_list_buffer, ",",
1047 sid_list_buffer_size)) {
1048 goto out;
1049 }
1050
1051 search_location = comma + 1;
1052 }
1053
1054 if (!winbind_name_to_sid_string(ctx, user, search_location,
1055 sid_list_buffer,
1056 sid_list_buffer_size)) {
1057 goto out;
1058 }
1059
1060 result = true;
1061
1062 out:
1063 SAFE_FREE(current_name);
1064 return result;
1065 }
1066
1067 /**
1068 * put krb5ccname variable into environment
1069 *
1070 * @param ctx PAM winbind context.
1071 * @param krb5ccname env variable retrieved from winbindd.
1072 *
1073 * @return void.
1074 */
1075
1076 static void _pam_setup_krb5_env(struct pwb_context *ctx,
1077 const char *krb5ccname)
1078 {
1079 char var[PATH_MAX];
1080 int ret;
1081
1082 if (off(ctx->ctrl, WINBIND_KRB5_AUTH)) {
1083 return;
1084 }
1085
1086 if (!krb5ccname || (strlen(krb5ccname) == 0)) {
1087 return;
1088 }
1089
1090 _pam_log_debug(ctx, LOG_DEBUG,
1091 "request returned KRB5CCNAME: %s", krb5ccname);
1092
1093 if (snprintf(var, sizeof(var), "KRB5CCNAME=%s", krb5ccname) == -1) {
1094 return;
1095 }
1096
1097 ret = pam_putenv(ctx->pamh, var);
1098 if (ret) {
1099 _pam_log(ctx, LOG_ERR,
1100 "failed to set KRB5CCNAME to %s: %s",
1101 var, pam_strerror(ctx->pamh, ret));
1102 }
1103 }
1104
1105 /**
1106 * Set string into the PAM stack.
1107 *
1108 * @param ctx PAM winbind context.
1109 * @param data_name Key name for pam_set_data.
1110 * @param value String value.
1111 *
1112 * @return void.
1113 */
1114
1115 static void _pam_set_data_string(struct pwb_context *ctx,
1116 const char *data_name,
1117 const char *value)
1118 {
1119 int ret;
1120
1121 if (!data_name || !value || (strlen(data_name) == 0) ||
1122 (strlen(value) == 0)) {
1123 return;
1124 }
1125
1126 ret = pam_set_data(ctx->pamh, data_name, (void *)strdup(value),
1127 _pam_winbind_cleanup_func);
1128 if (ret) {
1129 _pam_log_debug(ctx, LOG_DEBUG,
1130 "Could not set data %s: %s\n",
1131 data_name, pam_strerror(ctx->pamh, ret));
1132 }
1133
1134 }
1135
1136 /**
1137 * Set info3 strings into the PAM stack.
1138 *
1139 * @param ctx PAM winbind context.
1140 * @param data_name Key name for pam_set_data.
1141 * @param value String value.
1142 *
1143 * @return void.
1144 */
1145
1146 static void _pam_set_data_info3(struct pwb_context *ctx,
1147 struct winbindd_response *response)
1148 {
1149 _pam_set_data_string(ctx, PAM_WINBIND_HOMEDIR,
1150 response->data.auth.info3.home_dir);
1151 _pam_set_data_string(ctx, PAM_WINBIND_LOGONSCRIPT,
1152 response->data.auth.info3.logon_script);
1153 _pam_set_data_string(ctx, PAM_WINBIND_LOGONSERVER,
1154 response->data.auth.info3.logon_srv);
1155 _pam_set_data_string(ctx, PAM_WINBIND_PROFILEPATH,
1156 response->data.auth.info3.profile_path);
1157 }
1158
1159 /**
1160 * Free info3 strings in the PAM stack.
1161 *
1162 * @param pamh PAM handle
1163 *
1164 * @return void.
1165 */
1166
1167 static void _pam_free_data_info3(pam_handle_t *pamh)
1168 {
1169 pam_set_data(pamh, PAM_WINBIND_HOMEDIR, NULL, NULL);
1170 pam_set_data(pamh, PAM_WINBIND_LOGONSCRIPT, NULL, NULL);
1171 pam_set_data(pamh, PAM_WINBIND_LOGONSERVER, NULL, NULL);
1172 pam_set_data(pamh, PAM_WINBIND_PROFILEPATH, NULL, NULL);
1173 }
1174
1175 /**
1176 * Send PAM_ERROR_MSG for cached or grace logons.
1177 *
1178 * @param ctx PAM winbind context.
1179 * @param username User in PAM request.
1180 * @param info3_user_flgs Info3 flags containing logon type bits.
1181 *
1182 * @return void.
1183 */
1184
1185 static void _pam_warn_logon_type(struct pwb_context *ctx,
1186 const char *username,
1187 uint32_t info3_user_flgs)
1188 {
1189 /* inform about logon type */
1190 if (PAM_WB_GRACE_LOGON(info3_user_flgs)) {
1191
1192 _make_remark(ctx, PAM_ERROR_MSG,
1193 _("Grace login. "
1194 "Please change your password as soon you're "
1195 "online again"));
1196 _pam_log_debug(ctx, LOG_DEBUG,
1197 "User %s logged on using grace logon\n",
1198 username);
1199
1200 } else if (PAM_WB_CACHED_LOGON(info3_user_flgs)) {
1201
1202 _make_remark(ctx, PAM_ERROR_MSG,
1203 _("Domain Controller unreachable, "
1204 "using cached credentials instead. "
1205 "Network resources may be unavailable"));
1206 _pam_log_debug(ctx, LOG_DEBUG,
1207 "User %s logged on using cached credentials\n",
1208 username);
1209 }
1210 }
1211
1212 /**
1213 * Send PAM_ERROR_MSG for krb5 errors.
1214 *
1215 * @param ctx PAM winbind context.
1216 * @param username User in PAM request.
1217 * @param info3_user_flgs Info3 flags containing logon type bits.
1218 *
1219 * @return void.
1220 */
1221
1222 static void _pam_warn_krb5_failure(struct pwb_context *ctx,
1223 const char *username,
1224 uint32_t info3_user_flgs)
1225 {
1226 if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
1227 _make_remark(ctx, PAM_ERROR_MSG,
1228 _("Failed to establish your Kerberos Ticket cache "
1229 "due time differences\n"
1230 "with the domain controller. "
1231 "Please verify the system time.\n"));
1232 _pam_log_debug(ctx, LOG_DEBUG,
1233 "User %s: Clock skew when getting Krb5 TGT\n",
1234 username);
1235 }
1236 }
1237
1238 /**
1239 * Compose Password Restriction String for a PAM_ERROR_MSG conversation.
1240 *
1241 * @param response The struct winbindd_response.
1242 *
1243 * @return string (caller needs to free).
1244 */
1245
1246 static char *_pam_compose_pwd_restriction_string(struct winbindd_response *response)
1247 {
1248 char *str = NULL;
1249 size_t offset = 0, ret = 0, str_size = 1024;
1250
1251 str = (char *)malloc(str_size);
1252 if (!str) {
1253 return NULL;
1254 }
1255
1256 memset(str, '\0', str_size);
1257
1258 offset = snprintf(str, str_size, _("Your password "));
1259 if (offset == -1) {
1260 goto failed;
1261 }
1262
1263 if (response->data.auth.policy.min_length_password > 0) {
1264 ret = snprintf(str+offset, str_size-offset,
1265 _("must be at least %d characters; "),
1266 response->data.auth.policy.min_length_password);
1267 if (ret == -1) {
1268 goto failed;
1269 }
1270 offset += ret;
1271 }
1272
1273 if (response->data.auth.policy.password_history > 0) {
1274 ret = snprintf(str+offset, str_size-offset,
1275 _("cannot repeat any of your previous %d "
1276 "passwords; "),
1277 response->data.auth.policy.password_history);
1278 if (ret == -1) {
1279 goto failed;
1280 }
1281 offset += ret;
1282 }
1283
1284 if (response->data.auth.policy.password_properties &
1285 DOMAIN_PASSWORD_COMPLEX) {
1286 ret = snprintf(str+offset, str_size-offset,
1287 _("must contain capitals, numerals "
1288 "or punctuation; "
1289 "and cannot contain your account "
1290 "or full name; "));
1291 if (ret == -1) {
1292 goto failed;
1293 }
1294 offset += ret;
1295 }
1296
1297 ret = snprintf(str+offset, str_size-offset,
1298 _("Please type a different password. "
1299 "Type a password which meets these requirements in "
1300 "both text boxes."));
1301 if (ret == -1) {
1302 goto failed;
1303 }
1304
1305 return str;
1306
1307 failed:
1308 SAFE_FREE(str);
1309 return NULL;
1310 }
1311
1312 /* talk to winbindd */
1313 static int winbind_auth_request(struct pwb_context *ctx,
1314 const char *user,
1315 const char *pass,
1316 const char *member,
1317 const char *cctype,
1318 const int warn_pwd_expire,
1319 struct winbindd_response *p_response,
1320 time_t *pwd_last_set,
1321 char **user_ret)
1322 {
1323 struct winbindd_request request;
1324 struct winbindd_response response;
1325 int ret;
1326 bool already_expired = false;
1327
1328 ZERO_STRUCT(request);
1329 ZERO_STRUCT(response);
1330
1331 if (pwd_last_set) {
1332 *pwd_last_set = 0;
1333 }
1334
1335 strncpy(request.data.auth.user, user,
1336 sizeof(request.data.auth.user)-1);
1337
1338 strncpy(request.data.auth.pass, pass,
1339 sizeof(request.data.auth.pass)-1);
1340
1341 request.data.auth.krb5_cc_type[0] = '\0';
1342 request.data.auth.uid = -1;
1343
1344 request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
1345
1346 /* Krb5 auth always has to go against the KDC of the user's realm */
1347
1348 if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1349 request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;
1350 }
1351
1352 if (ctx->ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
1353 struct passwd *pwd = NULL;
1354
1355 pwd = getpwnam(user);
1356 if (pwd == NULL) {
1357 return PAM_USER_UNKNOWN;
1358 }
1359 request.data.auth.uid = pwd->pw_uid;
1360 }
1361
1362 if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1363
1364 _pam_log_debug(ctx, LOG_DEBUG,
1365 "enabling krb5 login flag\n");
1366
1367 request.flags |= WBFLAG_PAM_KRB5 |
1368 WBFLAG_PAM_FALLBACK_AFTER_KRB5;
1369 }
1370
1371 if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
1372 _pam_log_debug(ctx, LOG_DEBUG,
1373 "enabling cached login flag\n");
1374 request.flags |= WBFLAG_PAM_CACHED_LOGIN;
1375 }
1376
1377 if (user_ret) {
1378 *user_ret = NULL;
1379 request.flags |= WBFLAG_PAM_UNIX_NAME;
1380 }
1381
1382 if (cctype != NULL) {
1383 strncpy(request.data.auth.krb5_cc_type, cctype,
1384 sizeof(request.data.auth.krb5_cc_type) - 1);
1385 _pam_log_debug(ctx, LOG_DEBUG,
1386 "enabling request for a %s krb5 ccache\n",
1387 cctype);
1388 }
1389
1390 request.data.auth.require_membership_of_sid[0] = '\0';
1391
1392 if (member != NULL) {
1393
1394 if (!winbind_name_list_to_sid_string_list(ctx, user,
1395 member,
1396 request.data.auth.require_membership_of_sid,
1397 sizeof(request.data.auth.require_membership_of_sid))) {
1398
1399 _pam_log_debug(ctx, LOG_ERR,
1400 "failed to serialize membership of sid "
1401 "\"%s\"\n", member);
1402 return PAM_AUTH_ERR;
1403 }
1404 }
1405
1406 ret = pam_winbind_request_log(ctx, WINBINDD_PAM_AUTH,
1407 &request, &response, user);
1408
1409 if (pwd_last_set) {
1410 *pwd_last_set = response.data.auth.info3.pass_last_set_time;
1411 }
1412
1413 if (p_response) {
1414 /* We want to process the response in the caller. */
1415 *p_response = response;
1416 return ret;
1417 }
1418
1419 if (ret) {
1420 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1421 "NT_STATUS_PASSWORD_EXPIRED");
1422 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1423 "NT_STATUS_PASSWORD_MUST_CHANGE");
1424 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1425 "NT_STATUS_INVALID_WORKSTATION");
1426 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1427 "NT_STATUS_INVALID_LOGON_HOURS");
1428 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1429 "NT_STATUS_ACCOUNT_EXPIRED");
1430 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1431 "NT_STATUS_ACCOUNT_DISABLED");
1432 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1433 "NT_STATUS_ACCOUNT_LOCKED_OUT");
1434 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1435 "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT");
1436 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1437 "NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT");
1438 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1439 "NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT");
1440 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1441 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1442 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1443 "NT_STATUS_NO_LOGON_SERVERS");
1444 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1445 "NT_STATUS_WRONG_PASSWORD");
1446 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1447 "NT_STATUS_ACCESS_DENIED");
1448 }
1449
1450 if (ret == PAM_SUCCESS) {
1451
1452 /* warn a user if the password is about to expire soon */
1453 _pam_warn_password_expiry(ctx, &response,
1454 warn_pwd_expire,
1455 &already_expired);
1456
1457 if (already_expired == true) {
1458 SMB_TIME_T last_set;
1459 last_set = response.data.auth.info3.pass_last_set_time;
1460 _pam_log_debug(ctx, LOG_DEBUG,
1461 "Password has expired "
1462 "(Password was last set: %lld, "
1463 "the policy says it should expire here "
1464 "%lld (now it's: %lu))\n",
1465 (long long int)last_set,
1466 (long long int)last_set +
1467 response.data.auth.policy.expire,
1468 time(NULL));
1469
1470 return PAM_AUTHTOK_EXPIRED;
1471 }
1472
1473 /* inform about logon type */
1474 _pam_warn_logon_type(ctx, user,
1475 response.data.auth.info3.user_flgs);
1476
1477 /* inform about krb5 failures */
1478 _pam_warn_krb5_failure(ctx, user,
1479 response.data.auth.info3.user_flgs);
1480
1481 /* set some info3 info for other modules in the stack */
1482 _pam_set_data_info3(ctx, &response);
1483
1484 /* put krb5ccname into env */
1485 _pam_setup_krb5_env(ctx, response.data.auth.krb5ccname);
1486
1487 /* If winbindd returned a username, return the pointer to it
1488 * here. */
1489 if (user_ret && response.data.auth.unix_username[0]) {
1490 /* We have to trust it's a null terminated string. */
1491 *user_ret = strndup(response.data.auth.unix_username,
1492 sizeof(response.data.auth.unix_username) - 1);
1493 }
1494 }
1495
1496 return ret;
1497 }
1498
1499 /* talk to winbindd */
1500 static int winbind_chauthtok_request(struct pwb_context *ctx,
1501 const char *user,
1502 const char *oldpass,
1503 const char *newpass,
1504 time_t pwd_last_set)
1505 {
1506 struct winbindd_request request;
1507 struct winbindd_response response;
1508 int ret;
1509
1510 ZERO_STRUCT(request);
1511 ZERO_STRUCT(response);
1512
1513 if (request.data.chauthtok.user == NULL) {
1514 return -2;
1515 }
1516
1517 strncpy(request.data.chauthtok.user, user,
1518 sizeof(request.data.chauthtok.user) - 1);
1519
1520 if (oldpass != NULL) {
1521 strncpy(request.data.chauthtok.oldpass, oldpass,
1522 sizeof(request.data.chauthtok.oldpass) - 1);
1523 } else {
1524 request.data.chauthtok.oldpass[0] = '\0';
1525 }
1526
1527 if (newpass != NULL) {
1528 strncpy(request.data.chauthtok.newpass, newpass,
1529 sizeof(request.data.chauthtok.newpass) - 1);
1530 } else {
1531 request.data.chauthtok.newpass[0] = '\0';
1532 }
1533
1534 if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1535 request.flags = WBFLAG_PAM_KRB5 |
1536 WBFLAG_PAM_CONTACT_TRUSTDOM;
1537 }
1538
1539 if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
1540 request.flags |= WBFLAG_PAM_CACHED_LOGIN;
1541 }
1542
1543 ret = pam_winbind_request_log(ctx, WINBINDD_PAM_CHAUTHTOK,
1544 &request, &response, user);
1545
1546 if (ret == PAM_SUCCESS) {
1547 return ret;
1548 }
1549
1550 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1551 "NT_STATUS_BACKUP_CONTROLLER");
1552 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1553 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1554 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1555 "NT_STATUS_NO_LOGON_SERVERS");
1556 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1557 "NT_STATUS_ACCESS_DENIED");
1558
1559 /* TODO: tell the min pwd length ? */
1560 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1561 "NT_STATUS_PWD_TOO_SHORT");
1562
1563 /* TODO: tell the minage ? */
1564 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1565 "NT_STATUS_PWD_TOO_RECENT");
1566
1567 /* TODO: tell the history length ? */
1568 PAM_WB_REMARK_CHECK_RESPONSE_RET(ctx, response,
1569 "NT_STATUS_PWD_HISTORY_CONFLICT");
1570
1571 if (!strcasecmp(response.data.auth.nt_status_string,
1572 "NT_STATUS_PASSWORD_RESTRICTION")) {
1573
1574 char *pwd_restriction_string = NULL;
1575 SMB_TIME_T min_pwd_age;
1576 uint32_t reject_reason = response.data.auth.reject_reason;
1577 min_pwd_age = response.data.auth.policy.min_passwordage;
1578
1579 /* FIXME: avoid to send multiple PAM messages after another */
1580 switch (reject_reason) {
1581 case -1:
1582 break;
1583 case SAMR_REJECT_OTHER:
1584 if ((min_pwd_age > 0) &&
1585 (pwd_last_set + min_pwd_age > time(NULL))) {
1586 PAM_WB_REMARK_DIRECT(ctx,
1587 "NT_STATUS_PWD_TOO_RECENT");
1588 }
1589 break;
1590 case SAMR_REJECT_TOO_SHORT:
1591 PAM_WB_REMARK_DIRECT(ctx,
1592 "NT_STATUS_PWD_TOO_SHORT");
1593 break;
1594 case SAMR_REJECT_IN_HISTORY:
1595 PAM_WB_REMARK_DIRECT(ctx,
1596 "NT_STATUS_PWD_HISTORY_CONFLICT");
1597 break;
1598 case SAMR_REJECT_COMPLEXITY:
1599 _make_remark(ctx, PAM_ERROR_MSG,
1600 _("Password does not meet "
1601 "complexity requirements"));
1602 break;
1603 default:
1604 _pam_log_debug(ctx, LOG_DEBUG,
1605 "unknown password change "
1606 "reject reason: %d",
1607 reject_reason);
1608 break;
1609 }
1610
1611 pwd_restriction_string =
1612 _pam_compose_pwd_restriction_string(&response);
1613 if (pwd_restriction_string) {
1614 _make_remark(ctx, PAM_ERROR_MSG,
1615 pwd_restriction_string);
1616 SAFE_FREE(pwd_restriction_string);
1617 }
1618 }
1619
1620 return ret;
1621 }
1622
1623 /*
1624 * Checks if a user has an account
1625 *
1626 * return values:
1627 * 1 = User not found
1628 * 0 = OK
1629 * -1 = System error
1630 */
1631 static int valid_user(struct pwb_context *ctx,
1632 const char *user)
1633 {
1634 /* check not only if the user is available over NSS calls, also make
1635 * sure it's really a winbind user, this is important when stacking PAM
1636 * modules in the 'account' or 'password' facility. */
1637
1638 struct passwd *pwd = NULL;
1639 struct winbindd_request request;
1640 struct winbindd_response response;
1641 int ret;
1642
1643 ZERO_STRUCT(request);
1644 ZERO_STRUCT(response);
1645
1646 pwd = getpwnam(user);
1647 if (pwd == NULL) {
1648 return 1;
1649 }
1650
1651 strncpy(request.data.username, user,
1652 sizeof(request.data.username) - 1);
1653
1654 ret = pam_winbind_request_log(ctx, WINBINDD_GETPWNAM,
1655 &request, &response, user);
1656
1657 switch (ret) {
1658 case PAM_USER_UNKNOWN:
1659 return 1;
1660 case PAM_SUCCESS:
1661 return 0;
1662 default:
1663 break;
1664 }
1665 return -1;
1666 }
1667
1668 static char *_pam_delete(register char *xx)
1669 {
1670 _pam_overwrite(xx);
1671 _pam_drop(xx);
1672 return NULL;
1673 }
1674
1675 /*
1676 * obtain a password from the user
1677 */
1678
1679 static int _winbind_read_password(struct pwb_context *ctx,
1680 unsigned int ctrl,
1681 const char *comment,
1682 const char *prompt1,
1683 const char *prompt2,
1684 const char **pass)
1685 {
1686 int authtok_flag;
1687 int retval;
1688 const char *item;
1689 char *token;
1690
1691 _pam_log(ctx, LOG_DEBUG, "getting password (0x%08x)", ctrl);
1692
1693 /*
1694 * make sure nothing inappropriate gets returned
1695 */
1696
1697 *pass = token = NULL;
1698
1699 /*
1700 * which authentication token are we getting?
1701 */
1702
1703 if (on(WINBIND__OLD_PASSWORD, ctrl)) {
1704 authtok_flag = PAM_OLDAUTHTOK;
1705 } else {
1706 authtok_flag = PAM_AUTHTOK;
1707 }
1708
1709 /*
1710 * should we obtain the password from a PAM item ?
1711 */
1712
1713 if (on(WINBIND_TRY_FIRST_PASS_ARG, ctrl) ||
1714 on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
1715 retval = _pam_get_item(ctx->pamh, authtok_flag, &item);
1716 if (retval != PAM_SUCCESS) {
1717 /* very strange. */
1718 _pam_log(ctx, LOG_ALERT,
1719 "pam_get_item returned error "
1720 "to unix-read-password");
1721 return retval;
1722 } else if (item != NULL) { /* we have a password! */
1723 *pass = item;
1724 item = NULL;
1725 _pam_log(ctx, LOG_DEBUG,
1726 "pam_get_item returned a password");
1727 return PAM_SUCCESS;
1728 } else if (on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
1729 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
1730 } else if (on(WINBIND_USE_AUTHTOK_ARG, ctrl)
1731 && off(WINBIND__OLD_PASSWORD, ctrl)) {
1732 return PAM_AUTHTOK_RECOVER_ERR;
1733 }
1734 }
1735 /*
1736 * getting here implies we will have to get the password from the
1737 * user directly.
1738 */
1739
1740 {
1741 struct pam_message msg[3], *pmsg[3];
1742 struct pam_response *resp;
1743 int i, replies;
1744
1745 /* prepare to converse */
1746
1747 if (comment != NULL && off(ctrl, WINBIND_SILENT)) {
1748 pmsg[0] = &msg[0];
1749 msg[0].msg_style = PAM_TEXT_INFO;
1750 msg[0].msg = discard_const_p(char, comment);
1751 i = 1;
1752 } else {
1753 i = 0;
1754 }
1755
1756 pmsg[i] = &msg[i];
1757 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
1758 msg[i++].msg = discard_const_p(char, prompt1);
1759 replies = 1;
1760
1761 if (prompt2 != NULL) {
1762 pmsg[i] = &msg[i];
1763 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
1764 msg[i++].msg = discard_const_p(char, prompt2);
1765 ++replies;
1766 }
1767 /* so call the conversation expecting i responses */
1768 resp = NULL;
1769 retval = converse(ctx->pamh, i, pmsg, &resp);
1770 if (resp == NULL) {
1771 if (retval == PAM_SUCCESS) {
1772 retval = PAM_AUTHTOK_RECOVER_ERR;
1773 }
1774 goto done;
1775 }
1776 if (retval != PAM_SUCCESS) {
1777 _pam_drop_reply(resp, i);
1778 goto done;
1779 }
1780
1781 /* interpret the response */
1782
1783 token = x_strdup(resp[i - replies].resp);
1784 if (!token) {
1785 _pam_log(ctx, LOG_NOTICE,
1786 "could not recover "
1787 "authentication token");
1788 retval = PAM_AUTHTOK_RECOVER_ERR;
1789 goto done;
1790 }
1791
1792 if (replies == 2) {
1793 /* verify that password entered correctly */
1794 if (!resp[i - 1].resp ||
1795 strcmp(token, resp[i - 1].resp)) {
1796 _pam_delete(token); /* mistyped */
1797 retval = PAM_AUTHTOK_RECOVER_ERR;
1798 _make_remark(ctx, PAM_ERROR_MSG,
1799 MISTYPED_PASS);
1800 }
1801 }
1802
1803 /*
1804 * tidy up the conversation (resp_retcode) is ignored
1805 * -- what is it for anyway? AGM
1806 */
1807 _pam_drop_reply(resp, i);
1808 }
1809
1810 done:
1811 if (retval != PAM_SUCCESS) {
1812 _pam_log_debug(ctx, LOG_DEBUG,
1813 "unable to obtain a password");
1814 return retval;
1815 }
1816 /* 'token' is the entered password */
1817
1818 /* we store this password as an item */
1819
1820 retval = pam_set_item(ctx->pamh, authtok_flag, token);
1821 _pam_delete(token); /* clean it up */
1822 if (retval != PAM_SUCCESS ||
1823 (retval = _pam_get_item(ctx->pamh, authtok_flag, &item)) != PAM_SUCCESS) {
1824
1825 _pam_log(ctx, LOG_CRIT, "error manipulating password");
1826 return retval;
1827
1828 }
1829
1830 *pass = item;
1831 item = NULL; /* break link to password */
1832
1833 return PAM_SUCCESS;
1834 }
1835
1836 static const char *get_conf_item_string(struct pwb_context *ctx,
1837 const char *item,
1838 int config_flag)
1839 {
1840 int i = 0;
1841 const char *parm_opt = NULL;
1842
1843 if (!(ctx->ctrl & config_flag)) {
1844 goto out;
1845 }
1846
1847 /* let the pam opt take precedence over the pam_winbind.conf option */
1848 for (i=0; i<ctx->argc; i++) {
1849
1850 if ((strncmp(ctx->argv[i], item, strlen(item)) == 0)) {
1851 char *p;
1852
1853 if ((p = strchr(ctx->argv[i], '=')) == NULL) {
1854 _pam_log(ctx, LOG_INFO,
1855 "no \"=\" delimiter for \"%s\" found\n",
1856 item);
1857 goto out;
1858 }
1859 _pam_log_debug(ctx, LOG_INFO,
1860 "PAM config: %s '%s'\n", item, p+1);
1861 return p + 1;
1862 }
1863 }
1864
1865 if (ctx->dict) {
1866 char *key = NULL;
1867
1868 if (!asprintf(&key, "global:%s", item)) {
1869 goto out;
1870 }
1871
1872 parm_opt = iniparser_getstr(ctx->dict, key);
1873 SAFE_FREE(key);
1874
1875 _pam_log_debug(ctx, LOG_INFO, "CONFIG file: %s '%s'\n",
1876 item, parm_opt);
1877 }
1878 out:
1879 return parm_opt;
1880 }
1881
1882 static int get_config_item_int(struct pwb_context *ctx,
1883 const char *item,
1884 int config_flag)
1885 {
1886 int i, parm_opt = -1;
1887
1888 if (!(ctx->ctrl & config_flag)) {
1889 goto out;
1890 }
1891
1892 /* let the pam opt take precedence over the pam_winbind.conf option */
1893 for (i = 0; i < ctx->argc; i++) {
1894
1895 if ((strncmp(ctx->argv[i], item, strlen(item)) == 0)) {
1896 char *p;
1897
1898 if ((p = strchr(ctx->argv[i], '=')) == NULL) {
1899 _pam_log(ctx, LOG_INFO,
1900 "no \"=\" delimiter for \"%s\" found\n",
1901 item);
1902 goto out;
1903 }
1904 parm_opt = atoi(p + 1);
1905 _pam_log_debug(ctx, LOG_INFO,
1906 "PAM config: %s '%d'\n",
1907 item, parm_opt);
1908 return parm_opt;
1909 }
1910 }
1911
1912 if (ctx->dict) {
1913 char *key = NULL;
1914
1915 if (!asprintf(&key, "global:%s", item)) {
1916 goto out;
1917 }
1918
1919 parm_opt = iniparser_getint(ctx->dict, key, -1);
1920 SAFE_FREE(key);
1921
1922 _pam_log_debug(ctx, LOG_INFO,
1923 "CONFIG file: %s '%d'\n",
1924 item, parm_opt);
1925 }
1926 out:
1927 return parm_opt;
1928 }
1929
1930 static const char *get_krb5_cc_type_from_config(struct pwb_context *ctx)
1931 {
1932 return get_conf_item_string(ctx, "krb5_ccache_type",
1933 WINBIND_KRB5_CCACHE_TYPE);
1934 }
1935
1936 static const char *get_member_from_config(struct pwb_context *ctx)
1937 {
1938 const char *ret = NULL;
1939 ret = get_conf_item_string(ctx, "require_membership_of",
1940 WINBIND_REQUIRED_MEMBERSHIP);
1941 if (ret) {
1942 return ret;
1943 }
1944 return get_conf_item_string(ctx, "require-membership-of",
1945 WINBIND_REQUIRED_MEMBERSHIP);
1946 }
1947
1948 static int get_warn_pwd_expire_from_config(struct pwb_context *ctx)
1949 {
1950 int ret;
1951 ret = get_config_item_int(ctx, "warn_pwd_expire",
1952 WINBIND_WARN_PWD_EXPIRE);
1953 /* no or broken setting */
1954 if (ret <= 0) {
1955 return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
1956 }
1957 return ret;
1958 }
1959
1960 /**
1961 * Retrieve the winbind separator.
1962 *
1963 * @param ctx PAM winbind context.
1964 *
1965 * @return string separator character. NULL on failure.
1966 */
1967
1968 static char winbind_get_separator(struct pwb_context *ctx)
1969 {
1970 struct winbindd_request request;
1971 struct winbindd_response response;
1972
1973 ZERO_STRUCT(request);
1974 ZERO_STRUCT(response);
1975
1976 if (pam_winbind_request_log(ctx, WINBINDD_INFO,
1977 &request, &response, NULL)) {
1978 return '\0';
1979 }
1980
1981 return response.data.info.winbind_separator;
1982 }
1983
1984 /**
1985 * Convert a upn to a name.
1986 *
1987 * @param ctx PAM winbind context.
1988 * @param upn USer UPN to be trabslated.
1989 *
1990 * @return converted name. NULL pointer on failure. Caller needs to free.
1991 */
1992
1993 static char* winbind_upn_to_username(struct pwb_context *ctx,
1994 const char *upn)
1995 {
1996 struct winbindd_request req;
1997 struct winbindd_response resp;
1998 int retval;
1999 char *account_name;
2000 int account_name_len;
2001 char sep;
2002
2003 /* This cannot work when the winbind separator = @ */
2004
2005 sep = winbind_get_separator(ctx);
2006 if (!sep || sep == '@') {
2007 return NULL;
2008 }
2009
2010 /* Convert the UPN to a SID */
2011
2012 ZERO_STRUCT(req);
2013 ZERO_STRUCT(resp);
2014
2015 strncpy(req.data.name.dom_name, "",
2016 sizeof(req.data.name.dom_name) - 1);
2017 strncpy(req.data.name.name, upn,
2018 sizeof(req.data.name.name) - 1);
2019 retval = pam_winbind_request_log(ctx, WINBINDD_LOOKUPNAME,
2020 &req, &resp, upn);
2021 if (retval != PAM_SUCCESS) {
2022 return NULL;
2023 }
2024
2025 /* Convert the the SID back to the sAMAccountName */
2026
2027 ZERO_STRUCT(req);
2028 strncpy(req.data.sid, resp.data.sid.sid, sizeof(req.data.sid)-1);
2029 ZERO_STRUCT(resp);
2030 retval = pam_winbind_request_log(ctx, WINBINDD_LOOKUPSID,
2031 &req, &resp, upn);
2032 if (retval != PAM_SUCCESS) {
2033 return NULL;
2034 }
2035
2036 account_name_len = asprintf(&account_name, "%s\\%s",
2037 resp.data.name.dom_name,
2038 resp.data.name.name);
2039
2040 return account_name;
2041 }
2042
2043 PAM_EXTERN
2044 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
2045 int argc, const char **argv)
2046 {
2047 const char *username;
2048 const char *password;
2049 const char *member = NULL;
2050 const char *cctype = NULL;
2051 int warn_pwd_expire;
2052 int retval = PAM_AUTH_ERR;
2053 char *username_ret = NULL;
2054 char *new_authtok_required = NULL;
2055 char *real_username = NULL;
2056 struct pwb_context *ctx = NULL;
2057
2058 retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2059 if (retval) {
2060 goto out;
2061 }
2062
2063 _PAM_LOG_FUNCTION_ENTER("pam_sm_authenticate", ctx);
2064
2065 /* Get the username */
2066 retval = pam_get_user(pamh, &username, NULL);
2067 if ((retval != PAM_SUCCESS) || (!username)) {
2068 _pam_log_debug(ctx, LOG_DEBUG,
2069 "can not get the username");
2070 retval = PAM_SERVICE_ERR;
2071 goto out;
2072 }
2073
2074
2075 #if defined(AIX)
2076 /* Decode the user name since AIX does not support logn user
2077 names by default. The name is encoded as _#uid. */
2078
2079 if (username[0] == '_') {
2080 uid_t id = atoi(&username[1]);
2081 struct passwd *pw = NULL;
2082
2083 if ((id!=0) && ((pw = getpwuid(id)) != NULL)) {
2084 real_username = strdup(pw->pw_name);
2085 }
2086 }
2087 #endif
2088
2089 if (!real_username) {
2090 /* Just making a copy of the username we got from PAM */
2091 if ((real_username = strdup(username)) == NULL) {
2092 _pam_log_debug(ctx, LOG_DEBUG,
2093 "memory allocation failure when copying "
2094 "username");
2095 retval = PAM_SERVICE_ERR;
2096 goto out;
2097 }
2098 }
2099
2100 /* Maybe this was a UPN */
2101
2102 if (strchr(real_username, '@') != NULL) {
2103 char *samaccountname = NULL;
2104
2105 samaccountname = winbind_upn_to_username(ctx,
2106 real_username);
2107 if (samaccountname) {
2108 free(real_username);
2109 real_username = samaccountname;
2110 }
2111 }
2112
2113 retval = _winbind_read_password(ctx, ctx->ctrl, NULL,
2114 _("Password: "), NULL,
2115 &password);
2116
2117 if (retval != PAM_SUCCESS) {
2118 _pam_log(ctx, LOG_ERR,
2119 "Could not retrieve user's password");
2120 retval = PAM_AUTHTOK_ERR;
2121 goto out;
2122 }
2123
2124 /* Let's not give too much away in the log file */
2125
2126 #ifdef DEBUG_PASSWORD
2127 _pam_log_debug(ctx, LOG_INFO,
2128 "Verify user '%s' with password '%s'",
2129 real_username, password);
2130 #else
2131 _pam_log_debug(ctx, LOG_INFO,
2132 "Verify user '%s'", real_username);
2133 #endif
2134
2135 member = get_member_from_config(ctx);
2136 cctype = get_krb5_cc_type_from_config(ctx);
2137 warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
2138
2139 /* Now use the username to look up password */
2140 retval = winbind_auth_request(ctx, real_username, password,
2141 member, cctype, warn_pwd_expire, NULL,
2142 NULL, &username_ret);
2143
2144 if (retval == PAM_NEW_AUTHTOK_REQD ||
2145 retval == PAM_AUTHTOK_EXPIRED) {
2146
2147 char *new_authtok_required_during_auth = NULL;
2148
2149 if (!asprintf(&new_authtok_required, "%d", retval)) {
2150 retval = PAM_BUF_ERR;
2151 goto out;
2152 }
2153
2154 pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
2155 new_authtok_required,
2156 _pam_winbind_cleanup_func);
2157
2158 retval = PAM_SUCCESS;
2159
2160 if (!asprintf(&new_authtok_required_during_auth, "%d", true)) {
2161 retval = PAM_BUF_ERR;
2162 goto out;
2163 }
2164
2165 pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2166 new_authtok_required_during_auth,
2167 _pam_winbind_cleanup_func);
2168
2169 goto out;
2170 }
2171
2172 out:
2173 if (username_ret) {
2174 pam_set_item (pamh, PAM_USER, username_ret);
2175 _pam_log_debug(ctx, LOG_INFO,
2176 "Returned user was '%s'", username_ret);
2177 free(username_ret);
2178 }
2179
2180 if (real_username) {
2181 free(real_username);
2182 }
2183
2184 if (!new_authtok_required) {
2185 pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, NULL, NULL);
2186 }
2187
2188 if (retval != PAM_SUCCESS) {
2189 _pam_free_data_info3(pamh);
2190 }
2191
2192 _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
2193
2194 _pam_winbind_free_context(ctx);
2195
2196 return retval;
2197 }
2198
2199 PAM_EXTERN
2200 int pam_sm_setcred(pam_handle_t *pamh, int flags,
2201 int argc, const char **argv)
2202 {
2203 int ret = PAM_SYSTEM_ERR;
2204 struct pwb_context *ctx = NULL;
2205
2206 ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2207 if (ret) {
2208 goto out;
2209 }
2210
2211 _PAM_LOG_FUNCTION_ENTER("pam_sm_setcred", ctx);
2212
2213 switch (flags & ~PAM_SILENT) {
2214
2215 case PAM_DELETE_CRED:
2216 ret = pam_sm_close_session(pamh, flags, argc, argv);
2217 break;
2218 case PAM_REFRESH_CRED:
2219 _pam_log_debug(ctx, LOG_WARNING,
2220 "PAM_REFRESH_CRED not implemented");
2221 ret = PAM_SUCCESS;
2222 break;
2223 case PAM_REINITIALIZE_CRED:
2224 _pam_log_debug(ctx, LOG_WARNING,
2225 "PAM_REINITIALIZE_CRED not implemented");
2226 ret = PAM_SUCCESS;
2227 break;
2228 case PAM_ESTABLISH_CRED:
2229 _pam_log_debug(ctx, LOG_WARNING,
2230 "PAM_ESTABLISH_CRED not implemented");
2231 ret = PAM_SUCCESS;
2232 break;
2233 default:
2234 ret = PAM_SYSTEM_ERR;
2235 break;
2236 }
2237
2238 out:
2239
2240 _PAM_LOG_FUNCTION_LEAVE("pam_sm_setcred", ctx, ret);
2241
2242 _pam_winbind_free_context(ctx);
2243
2244 return ret;
2245 }
2246
2247 /*
2248 * Account management. We want to verify that the account exists
2249 * before returning PAM_SUCCESS
2250 */
2251 PAM_EXTERN
2252 int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
2253 int argc, const char **argv)
2254 {
2255 const char *username;
2256 int ret = PAM_USER_UNKNOWN;
2257 void *tmp = NULL;
2258 struct pwb_context *ctx = NULL;
2259
2260 ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2261 if (ret) {
2262 goto out;
2263 }
2264
2265 _PAM_LOG_FUNCTION_ENTER("pam_sm_acct_mgmt", ctx);
2266
2267
2268 /* Get the username */
2269 ret = pam_get_user(pamh, &username, NULL);
2270 if ((ret != PAM_SUCCESS) || (!username)) {
2271 _pam_log_debug(ctx, LOG_DEBUG,
2272 "can not get the username");
2273 ret = PAM_SERVICE_ERR;
2274 goto out;
2275 }
2276
2277 /* Verify the username */
2278 ret = valid_user(ctx, username);
2279 switch (ret) {
2280 case -1:
2281 /* some sort of system error. The log was already printed */
2282 ret = PAM_SERVICE_ERR;
2283 goto out;
2284 case 1:
2285 /* the user does not exist */
2286 _pam_log_debug(ctx, LOG_NOTICE, "user '%s' not found",
2287 username);
2288 if (ctx->ctrl & WINBIND_UNKNOWN_OK_ARG) {
2289 ret = PAM_IGNORE;
2290 goto out;
2291 }
2292 ret = PAM_USER_UNKNOWN;
2293 goto out;
2294 case 0:
2295 pam_get_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
2296 (const void **)&tmp);
2297 if (tmp != NULL) {
2298 ret = atoi((const char *)tmp);
2299 switch (ret) {
2300 case PAM_AUTHTOK_EXPIRED:
2301 /* fall through, since new token is required in this case */
2302 case PAM_NEW_AUTHTOK_REQD:
2303 _pam_log(ctx, LOG_WARNING,
2304 "pam_sm_acct_mgmt success but %s is set",
2305 PAM_WINBIND_NEW_AUTHTOK_REQD);
2306 _pam_log(ctx, LOG_NOTICE,
2307 "user '%s' needs new password",
2308 username);
2309 /* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
2310 ret = PAM_NEW_AUTHTOK_REQD;
2311 goto out;
2312 default:
2313 _pam_log(ctx, LOG_WARNING,
2314 "pam_sm_acct_mgmt success");
2315 _pam_log(ctx, LOG_NOTICE,
2316 "user '%s' granted access", username);
2317 ret = PAM_SUCCESS;
2318 goto out;
2319 }
2320 }
2321
2322 /* Otherwise, the authentication looked good */
2323 _pam_log(ctx, LOG_NOTICE,
2324 "user '%s' granted access", username);
2325 ret = PAM_SUCCESS;
2326 goto out;
2327 default:
2328 /* we don't know anything about this return value */
2329 _pam_log(ctx, LOG_ERR,
2330 "internal module error (ret = %d, user = '%s')",
2331 ret, username);
2332 ret = PAM_SERVICE_ERR;
2333 goto out;
2334 }
2335
2336 /* should not be reached */
2337 ret = PAM_IGNORE;
2338
2339 out:
2340
2341 _PAM_LOG_FUNCTION_LEAVE("pam_sm_acct_mgmt", ctx, ret);
2342
2343 _pam_winbind_free_context(ctx);
2344
2345 return ret;
2346 }
2347
2348 PAM_EXTERN
2349 int pam_sm_open_session(pam_handle_t *pamh, int flags,
2350 int argc, const char **argv)
2351 {
2352 int ret = PAM_SYSTEM_ERR;
2353 struct pwb_context *ctx = NULL;
2354
2355 ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2356 if (ret) {
2357 goto out;
2358 }
2359
2360 _PAM_LOG_FUNCTION_ENTER("pam_sm_open_session", ctx);
2361
2362 ret = PAM_SUCCESS;
2363
2364 out:
2365 _PAM_LOG_FUNCTION_LEAVE("pam_sm_open_session", ctx, ret);
2366
2367 _pam_winbind_free_context(ctx);
2368
2369 return ret;
2370 }
2371
2372 PAM_EXTERN
2373 int pam_sm_close_session(pam_handle_t *pamh, int flags,
2374 int argc, const char **argv)
2375 {
2376 int retval = PAM_SUCCESS;
2377 struct pwb_context *ctx = NULL;
2378
2379 retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2380 if (retval) {
2381 goto out;
2382 }
2383
2384 _PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
2385
2386 if (!(flags & PAM_DELETE_CRED)) {
2387 retval = PAM_SUCCESS;
2388 goto out;
2389 }
2390
2391 if (ctx->ctrl & WINBIND_KRB5_AUTH) {
2392
2393 /* destroy the ccache here */
2394 struct winbindd_request request;
2395 struct winbindd_response response;
2396 const char *user;
2397 const char *ccname = NULL;
2398 struct passwd *pwd = NULL;
2399
2400 ZERO_STRUCT(request);
2401 ZERO_STRUCT(response);
2402
2403 retval = pam_get_user(pamh, &user, _("Username: "));
2404 if (retval) {
2405 _pam_log(ctx, LOG_ERR,
2406 "could not identify user");
2407 goto out;
2408 }
2409
2410 if (user == NULL) {
2411 _pam_log(ctx, LOG_ERR,
2412 "username was NULL!");
2413 retval = PAM_USER_UNKNOWN;
2414 goto out;
2415 }
2416
2417 _pam_log_debug(ctx, LOG_DEBUG,
2418 "username [%s] obtained", user);
2419
2420 ccname = pam_getenv(pamh, "KRB5CCNAME");
2421 if (ccname == NULL) {
2422 _pam_log_debug(ctx, LOG_DEBUG,
2423 "user has no KRB5CCNAME environment");
2424 }
2425
2426 strncpy(request.data.logoff.user, user,
2427 sizeof(request.data.logoff.user) - 1);
2428
2429 if (ccname) {
2430 strncpy(request.data.logoff.krb5ccname, ccname,
2431 sizeof(request.data.logoff.krb5ccname) - 1);
2432 }
2433
2434 pwd = getpwnam(user);
2435 if (pwd == NULL) {
2436 retval = PAM_USER_UNKNOWN;
2437 goto out;
2438 }
2439 request.data.logoff.uid = pwd->pw_uid;
2440
2441 request.flags = WBFLAG_PAM_KRB5 |
2442 WBFLAG_PAM_CONTACT_TRUSTDOM;
2443
2444 retval = pam_winbind_request_log(ctx,
2445 WINBINDD_PAM_LOGOFF,
2446 &request, &response, user);
2447 }
2448
2449 out:
2450 /*
2451 * Delete the krb5 ccname variable from the PAM environment
2452 * if it was set by winbind.
2453 */
2454 if (ctx->ctrl & WINBIND_KRB5_AUTH) {
2455 pam_putenv(pamh, "KRB5CCNAME");
2456 }
2457
2458 _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, retval);
2459
2460 _pam_winbind_free_context(ctx);
2461
2462 return retval;
2463 }
2464
2465 /**
2466 * evaluate whether we need to re-authenticate with kerberos after a
2467 * password change
2468 *
2469 * @param ctx PAM winbind context.
2470 * @param user The username
2471 *
2472 * @return boolean Returns true if required, false if not.
2473 */
2474
2475 static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx,
2476 const char *user)
2477 {
2478
2479 /* Make sure that we only do this if a) the chauthtok got initiated
2480 * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any
2481 * later password change via the "passwd" command if done by the user
2482 * itself
2483 * NB. If we login from gdm or xdm and the password expires,
2484 * we change the password, but there is no memory cache.
2485 * Thus, even for passthrough login, we should do the
2486 * authentication again to update memory cache.
2487 * --- BoYang
2488 * */
2489
2490 char *new_authtok_reqd_during_auth = NULL;
2491 struct passwd *pwd = NULL;
2492
2493 _pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2494 &new_authtok_reqd_during_auth);
2495 pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2496 NULL, NULL);
2497
2498 if (new_authtok_reqd_during_auth) {
2499 return true;
2500 }
2501
2502 pwd = getpwnam(user);
2503 if (!pwd) {
2504 return false;
2505 }
2506
2507 if (getuid() == pwd->pw_uid) {
2508 return true;
2509 }
2510
2511 return false;
2512 }
2513
2514
2515 PAM_EXTERN
2516 int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
2517 int argc, const char **argv)
2518 {
2519 unsigned int lctrl;
2520 int ret;
2521 bool cached_login = false;
2522
2523 /* <DO NOT free() THESE> */
2524 const char *user;
2525 char *pass_old, *pass_new;
2526 /* </DO NOT free() THESE> */
2527
2528 char *Announce;
2529
2530 int retry = 0;
2531 char *username_ret = NULL;
2532 struct winbindd_response response;
2533 struct pwb_context *ctx = NULL;
2534
2535 ZERO_STRUCT(response);
2536
2537 ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2538 if (ret) {
2539 goto out;
2540 }
2541
2542 _PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", ctx);
2543
2544 cached_login = (ctx->ctrl & WINBIND_CACHED_LOGIN);
2545
2546 /* clearing offline bit for auth */
2547 ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
2548
2549 /*
2550 * First get the name of a user
2551 */
2552 ret = pam_get_user(pamh, &user, _("Username: "));
2553 if (ret) {
2554 _pam_log(ctx, LOG_ERR,
2555 "password - could not identify user");
2556 goto out;
2557 }
2558
2559 if (user == NULL) {
2560 _pam_log(ctx, LOG_ERR, "username was NULL!");
2561 ret = PAM_USER_UNKNOWN;
2562 goto out;
2563 }
2564
2565 _pam_log_debug(ctx, LOG_DEBUG, "username [%s] obtained", user);
2566
2567 /* check if this is really a user in winbindd, not only in NSS */
2568 ret = valid_user(ctx, user);
2569 switch (ret) {
2570 case 1:
2571 ret = PAM_USER_UNKNOWN;
2572 goto out;
2573 case -1:
2574 ret = PAM_SYSTEM_ERR;
2575 goto out;
2576 default:
2577 break;
2578 }
2579
2580 /*
2581 * obtain and verify the current password (OLDAUTHTOK) for
2582 * the user.
2583 */
2584
2585 if (flags & PAM_PRELIM_CHECK) {
2586 time_t pwdlastset_prelim = 0;
2587
2588 /* instruct user what is happening */
2589 #define greeting _("Changing password for ")
2590 Announce = (char *) malloc(sizeof(greeting) + strlen(user));
2591 if (Announce == NULL) {
2592 _pam_log(ctx, LOG_CRIT,
2593 "password - out of memory");
2594 ret = PAM_BUF_ERR;
2595 goto out;
2596 }
2597 (void) strcpy(Announce, greeting);
2598 (void) strcpy(Announce + sizeof(greeting) - 1, user);
2599 #undef greeting
2600
2601 lctrl = ctx->ctrl | WINBIND__OLD_PASSWORD;
2602 ret = _winbind_read_password(ctx, lctrl,
2603 Announce,
2604 _("(current) NT password: "),
2605 NULL,
2606 (const char **) &pass_old);
2607 if (ret != PAM_SUCCESS) {
2608 _pam_log(ctx, LOG_NOTICE,
2609 "password - (old) token not obtained");
2610 goto out;
2611 }
2612
2613 /* verify that this is the password for this user */
2614
2615 ret = winbind_auth_request(ctx, user, pass_old,
2616 NULL, NULL, 0, &response,
2617 &pwdlastset_prelim, NULL);
2618
2619 if (ret != PAM_ACCT_EXPIRED &&
2620 ret != PAM_AUTHTOK_EXPIRED &&
2621 ret != PAM_NEW_AUTHTOK_REQD &&
2622 ret != PAM_SUCCESS) {
2623 pass_old = NULL;
2624 goto out;
2625 }
2626
2627 pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET,
2628 (void *)pwdlastset_prelim, NULL);
2629
2630 ret = pam_set_item(pamh, PAM_OLDAUTHTOK,
2631 (const void *) pass_old);
2632 pass_old = NULL;
2633 if (ret != PAM_SUCCESS) {
2634 _pam_log(ctx, LOG_CRIT,
2635 "failed to set PAM_OLDAUTHTOK");
2636 }
2637 } else if (flags & PAM_UPDATE_AUTHTOK) {
2638
2639 time_t pwdlastset_update = 0;
2640
2641 /*
2642 * obtain the proposed password
2643 */
2644
2645 /*
2646 * get the old token back.
2647 */
2648
2649 ret = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old);
2650
2651 if (ret != PAM_SUCCESS) {
2652 _pam_log(ctx, LOG_NOTICE,
2653 "user not authenticated");
2654 goto out;
2655 }
2656
2657 lctrl = ctx->ctrl & ~WINBIND_TRY_FIRST_PASS_ARG;
2658
2659 if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
2660 lctrl |= WINBIND_USE_FIRST_PASS_ARG;
2661 }
2662 retry = 0;
2663 ret = PAM_AUTHTOK_ERR;
2664 while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
2665 /*
2666 * use_authtok is to force the use of a previously entered
2667 * password -- needed for pluggable password strength checking
2668 */
2669
2670 ret = _winbind_read_password(ctx, lctrl,
2671 NULL,
2672 _("Enter new NT password: "),
2673 _("Retype new NT password: "),
2674 (const char **)&pass_new);
2675
2676 if (ret != PAM_SUCCESS) {
2677 _pam_log_debug(ctx, LOG_ALERT,
2678 "password - "
2679 "new password not obtained");
2680 pass_old = NULL;/* tidy up */
2681 goto out;
2682 }
2683
2684 /*
2685 * At this point we know who the user is and what they
2686 * propose as their new password. Verify that the new
2687 * password is acceptable.
2688 */
2689
2690 if (pass_new[0] == '\0') {/* "\0" password = NULL */
2691 pass_new = NULL;
2692 }
2693 }
2694
2695 /*
2696 * By reaching here we have approved the passwords and must now
2697 * rebuild the password database file.
2698 */
2699 _pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
2700 &pwdlastset_update);
2701
2702 /*
2703 * if cached creds were enabled, make sure to set the
2704 * WINBIND_CACHED_LOGIN bit here in order to have winbindd
2705 * update the cached creds storage - gd
2706 */
2707 if (cached_login) {
2708 ctx->ctrl |= WINBIND_CACHED_LOGIN;
2709 }
2710
2711 ret = winbind_chauthtok_request(ctx, user, pass_old,
2712 pass_new, pwdlastset_update);
2713 if (ret) {
2714 _pam_overwrite(pass_new);
2715 _pam_overwrite(pass_old);
2716 pass_old = pass_new = NULL;
2717 goto out;
2718 }
2719
2720 if (_pam_require_krb5_auth_after_chauthtok(ctx, user)) {
2721
2722 const char *member = NULL;
2723 const char *cctype = NULL;
2724 int warn_pwd_expire;
2725
2726 member = get_member_from_config(ctx);
2727 cctype = get_krb5_cc_type_from_config(ctx);
2728 warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
2729
2730 /* Keep WINBIND_CACHED_LOGIN bit for
2731 * authentication after changing the password.
2732 * This will update the cached credentials in case
2733 * that winbindd_dual_pam_chauthtok() fails
2734 * to update them.
2735 * --- BoYang
2736 * */
2737
2738 ret = winbind_auth_request(ctx, user, pass_new,
2739 member, cctype, 0, &response,
2740 NULL, &username_ret);
2741 _pam_overwrite(pass_new);
2742 _pam_overwrite(pass_old);
2743 pass_old = pass_new = NULL;
2744
2745 if (ret == PAM_SUCCESS) {
2746
2747 /* warn a user if the password is about to
2748 * expire soon */
2749 _pam_warn_password_expiry(ctx, &response,
2750 warn_pwd_expire,
2751 NULL);
2752
2753 /* set some info3 info for other modules in the
2754 * stack */
2755 _pam_set_data_info3(ctx, &response);
2756
2757 /* put krb5ccname into env */
2758 _pam_setup_krb5_env(ctx,
2759 response.data.auth.krb5ccname);
2760
2761 if (username_ret) {
2762 pam_set_item(pamh, PAM_USER,
2763 username_ret);
2764 _pam_log_debug(ctx, LOG_INFO,
2765 "Returned user was '%s'",
2766 username_ret);
2767 free(username_ret);
2768 }
2769 }
2770
2771 goto out;
2772 }
2773 } else {
2774 ret = PAM_SERVICE_ERR;
2775 }
2776
2777 out:
2778
2779 /* Deal with offline errors. */
2780 PAM_WB_REMARK_CHECK_RESPONSE(ctx, response,
2781 "NT_STATUS_NO_LOGON_SERVERS");
2782 PAM_WB_REMARK_CHECK_RESPONSE(ctx, response,
2783 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
2784 PAM_WB_REMARK_CHECK_RESPONSE(ctx, response,
2785 "NT_STATUS_ACCESS_DENIED");
2786
2787 _PAM_LOG_FUNCTION_LEAVE("pam_sm_chauthtok", ctx, ret);
2788
2789 _pam_winbind_free_context(ctx);
2790
2791 return ret;
2792 }
2793
2794 #ifdef PAM_STATIC
2795
2796 /* static module data */
2797
2798 struct pam_module _pam_winbind_modstruct = {
2799 MODULE_NAME,
2800 pam_sm_authenticate,
2801 pam_sm_setcred,
2802 pam_sm_acct_mgmt,
2803 pam_sm_open_session,
2804 pam_sm_close_session,
2805 pam_sm_chauthtok
2806 };
2807
2808 #endif
2809
2810 /*
2811 * Copyright (c) Andrew Tridgell <tridge@samba.org> 2000
2812 * Copyright (c) Tim Potter <tpot@samba.org> 2000
2813 * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
2814 * Copyright (c) Guenther Deschner <gd@samba.org> 2005-2008
2815 * Copyright (c) Jan Rêkorajski 1999.
2816 * Copyright (c) Andrew G. Morgan 1996-8.
2817 * Copyright (c) Alex O. Yuriev, 1996.
2818 * Copyright (c) Cristian Gafton 1996.
2819 * Copyright (C) Elliot Lee <sopwith@redhat.com> 1996, Red Hat Software.
2820 *
2821 * Redistribution and use in source and binary forms, with or without
2822 * modification, are permitted provided that the following conditions
2823 * are met:
2824 * 1. Redistributions of source code must retain the above copyright
2825 * notice, and the entire permission notice in its entirety,
2826 * including the disclaimer of warranties.
2827 * 2. Redistributions in binary form must reproduce the above copyright
2828 * notice, this list of conditions and the following disclaimer in the
2829 * documentation and/or other materials provided with the distribution.
2830 * 3. The name of the author may not be used to endorse or promote
2831 * products derived from this software without specific prior
2832 * written permission.
2833 *
2834 * ALTERNATIVELY, this product may be distributed under the terms of
2835 * the GNU Public License, in which case the provisions of the GPL are
2836 * required INSTEAD OF the above restrictions. (This clause is
2837 * necessary due to a potential bad interaction between the GPL and
2838 * the restrictions contained in a BSD-style copyright.)
2839 *
2840 * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
2841 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
2842 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
2843 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
2844 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
2845 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
2846 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2847 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2848 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2849 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
2850 * OF THE POSSIBILITY OF SUCH DAMAGE.
2851 */
Samba GIT mirror