search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
if we are adding a new sambaAccount, make sure that we add a
[Samba.git] / source / auth / pampass.c
blob018eae3a07e05e2a10c8a20c1c7d7625b75b4186
1 /*
2 Unix SMB/Netbios implementation.
3 Version 2.2.
4 PAM Password checking
5 Copyright (C) Andrew Tridgell 1992-2001
6 Copyright (C) John H Terpsta 1999-2001
7 Copyright (C) Andrew Bartlett 2001
8 Copyright (C) Jeremy Allison 2001
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /*
26 * This module provides PAM based functions for validation of
27 * username/password pairs, account managment, session and access control.
28 * Note: SMB password checking is done in smbpass.c
29 */
30
31 #include "includes.h"
32
33 #ifdef WITH_PAM
34
35 /*******************************************************************
36 * Handle PAM authentication
37 * - Access, Authentication, Session, Password
38 * Note: See PAM Documentation and refer to local system PAM implementation
39 * which determines what actions/limitations/allowances become affected.
40 *********************************************************************/
41
42 #include <security/pam_appl.h>
43
44 /*
45 * Structure used to communicate between the conversation function
46 * and the server_login/change password functions.
47 */
48
49 struct smb_pam_userdata {
50 const char *PAM_username;
51 const char *PAM_password;
52 const char *PAM_newpassword;
53 };
54
55 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
56
57 /*
58 * Macros to help make life easy
59 */
60 #define COPY_STRING(s) (s) ? strdup(s) : NULL
61
62 /*******************************************************************
63 PAM error handler.
64 *********************************************************************/
65
66 static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
67 {
68
69 if( pam_error != PAM_SUCCESS) {
70 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
71 msg, pam_strerror(pamh, pam_error)));
72
73 return False;
74 }
75 return True;
76 }
77
78 /*******************************************************************
79 This function is a sanity check, to make sure that we NEVER report
80 failure as sucess.
81 *********************************************************************/
82
83 static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
84 char *msg, int dbglvl,
85 NTSTATUS *nt_status)
86 {
87 if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
88 return True;
89
90 if (NT_STATUS_IS_OK(*nt_status)) {
91 /* Complain LOUDLY */
92 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
93 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
94 *nt_status = NT_STATUS_LOGON_FAILURE;
95 }
96 return False;
97 }
98
99 /*
100 * PAM conversation function
101 * Here we assume (for now, at least) that echo on means login name, and
102 * echo off means password.
103 */
104
105 static int smb_pam_conv(int num_msg,
106 const struct pam_message **msg,
107 struct pam_response **resp,
108 void *appdata_ptr)
109 {
110 int replies = 0;
111 struct pam_response *reply = NULL;
112 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
113
114 *resp = NULL;
115
116 if (num_msg <= 0)
117 return PAM_CONV_ERR;
118
119 /*
120 * Apparantly HPUX has a buggy PAM that doesn't support the
121 * appdata_ptr. Fail if this is the case. JRA.
122 */
123
124 if (udp == NULL) {
125 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
126 return PAM_CONV_ERR;
127 }
128
129 reply = malloc(sizeof(struct pam_response) * num_msg);
130 if (!reply)
131 return PAM_CONV_ERR;
132
133 memset(reply, '\0', sizeof(struct pam_response) * num_msg);
134
135 for (replies = 0; replies < num_msg; replies++) {
136 switch (msg[replies]->msg_style) {
137 case PAM_PROMPT_ECHO_ON:
138 reply[replies].resp_retcode = PAM_SUCCESS;
139 reply[replies].resp = COPY_STRING(udp->PAM_username);
140 /* PAM frees resp */
141 break;
142
143 case PAM_PROMPT_ECHO_OFF:
144 reply[replies].resp_retcode = PAM_SUCCESS;
145 reply[replies].resp = COPY_STRING(udp->PAM_password);
146 /* PAM frees resp */
147 break;
148
149 case PAM_TEXT_INFO:
150 /* fall through */
151
152 case PAM_ERROR_MSG:
153 /* ignore it... */
154 reply[replies].resp_retcode = PAM_SUCCESS;
155 reply[replies].resp = NULL;
156 break;
157
158 default:
159 /* Must be an error of some sort... */
160 SAFE_FREE(reply);
161 return PAM_CONV_ERR;
162 }
163 }
164 if (reply)
165 *resp = reply;
166 return PAM_SUCCESS;
167 }
168
169 /*
170 * PAM password change conversation function
171 * Here we assume (for now, at least) that echo on means login name, and
172 * echo off means password.
173 */
174
175 static void special_char_sub(char *buf)
176 {
177 all_string_sub(buf, "\\n", "", 0);
178 all_string_sub(buf, "\\r", "", 0);
179 all_string_sub(buf, "\\s", " ", 0);
180 all_string_sub(buf, "\\t", "\t", 0);
181 }
182
183 static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass)
184 {
185 pstring_sub(buf, "%u", username);
186 all_string_sub(buf, "%o", oldpass, sizeof(fstring));
187 all_string_sub(buf, "%n", newpass, sizeof(fstring));
188 }
189
190
191 struct chat_struct {
192 struct chat_struct *next, *prev;
193 fstring prompt;
194 fstring reply;
195 };
196
197 /**************************************************************
198 Create a linked list containing chat data.
199 ***************************************************************/
200
201 static struct chat_struct *make_pw_chat(char *p)
202 {
203 fstring prompt;
204 fstring reply;
205 struct chat_struct *list = NULL;
206 struct chat_struct *t;
207 struct chat_struct *tmp;
208
209 while (1) {
210 t = (struct chat_struct *)malloc(sizeof(*t));
211 if (!t) {
212 DEBUG(0,("make_pw_chat: malloc failed!\n"));
213 return NULL;
214 }
215
216 ZERO_STRUCTP(t);
217
218 DLIST_ADD_END(list, t, tmp);
219
220 if (!next_token(&p, prompt, NULL, sizeof(fstring)))
221 break;
222
223 if (strequal(prompt,"."))
224 fstrcpy(prompt,"*");
225
226 special_char_sub(prompt);
227 fstrcpy(t->prompt, prompt);
228 strlower(t->prompt);
229 trim_string(t->prompt, " ", " ");
230
231 if (!next_token(&p, reply, NULL, sizeof(fstring)))
232 break;
233
234 if (strequal(reply,"."))
235 fstrcpy(reply,"");
236
237 special_char_sub(reply);
238 fstrcpy(t->reply, reply);
239 strlower(t->reply);
240 trim_string(t->reply, " ", " ");
241
242 }
243 return list;
244 }
245
246 static void free_pw_chat(struct chat_struct *list)
247 {
248 while (list) {
249 struct chat_struct *old_head = list;
250 DLIST_REMOVE(list, list);
251 SAFE_FREE(old_head);
252 }
253 }
254
255 static int smb_pam_passchange_conv(int num_msg,
256 const struct pam_message **msg,
257 struct pam_response **resp,
258 void *appdata_ptr)
259 {
260 int replies = 0;
261 struct pam_response *reply = NULL;
262 fstring current_prompt;
263 fstring current_reply;
264 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
265 struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat());
266 struct chat_struct *t;
267 BOOL found;
268 *resp = NULL;
269
270 DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
271
272 if (num_msg <= 0)
273 return PAM_CONV_ERR;
274
275 if (pw_chat == NULL)
276 return PAM_CONV_ERR;
277
278 /*
279 * Apparantly HPUX has a buggy PAM that doesn't support the
280 * appdata_ptr. Fail if this is the case. JRA.
281 */
282
283 if (udp == NULL) {
284 DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
285 free_pw_chat(pw_chat);
286 return PAM_CONV_ERR;
287 }
288
289 reply = malloc(sizeof(struct pam_response) * num_msg);
290 if (!reply) {
291 DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
292 free_pw_chat(pw_chat);
293 return PAM_CONV_ERR;
294 }
295
296 for (replies = 0; replies < num_msg; replies++) {
297 found = False;
298 DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
299 switch (msg[replies]->msg_style) {
300 case PAM_PROMPT_ECHO_ON:
301 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
302 fstrcpy(current_prompt, msg[replies]->msg);
303 trim_string(current_prompt, " ", " ");
304 for (t=pw_chat; t; t=t->next) {
305
306 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n",
307 t->prompt, current_prompt ));
308
309 if (unix_wild_match(t->prompt, current_prompt) == 0) {
310 fstrcpy(current_reply, t->reply);
311 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
312 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
313 #ifdef DEBUG_PASSWORD
314 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
315 #endif
316 reply[replies].resp_retcode = PAM_SUCCESS;
317 reply[replies].resp = COPY_STRING(current_reply);
318 found = True;
319 break;
320 }
321 }
322 /* PAM frees resp */
323 if (!found) {
324 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
325 free_pw_chat(pw_chat);
326 SAFE_FREE(reply);
327 return PAM_CONV_ERR;
328 }
329 break;
330
331 case PAM_PROMPT_ECHO_OFF:
332 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
333 fstrcpy(current_prompt, msg[replies]->msg);
334 trim_string(current_prompt, " ", " ");
335 for (t=pw_chat; t; t=t->next) {
336
337 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n",
338 t->prompt, current_prompt ));
339
340 if (unix_wild_match(t->prompt, current_prompt) == 0) {
341 fstrcpy(current_reply, t->reply);
342 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
343 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
344 reply[replies].resp_retcode = PAM_SUCCESS;
345 reply[replies].resp = COPY_STRING(current_reply);
346 #ifdef DEBUG_PASSWORD
347 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
348 #endif
349 found = True;
350 break;
351 }
352 }
353 /* PAM frees resp */
354
355 if (!found) {
356 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
357 free_pw_chat(pw_chat);
358 SAFE_FREE(reply);
359 return PAM_CONV_ERR;
360 }
361 break;
362
363 case PAM_TEXT_INFO:
364 /* fall through */
365
366 case PAM_ERROR_MSG:
367 /* ignore it... */
368 reply[replies].resp_retcode = PAM_SUCCESS;
369 reply[replies].resp = NULL;
370 break;
371
372 default:
373 /* Must be an error of some sort... */
374 free_pw_chat(pw_chat);
375 SAFE_FREE(reply);
376 return PAM_CONV_ERR;
377 }
378 }
379
380 free_pw_chat(pw_chat);
381 if (reply)
382 *resp = reply;
383 return PAM_SUCCESS;
384 }
385
386 /***************************************************************************
387 Free up a malloced pam_conv struct.
388 ****************************************************************************/
389
390 static void smb_free_pam_conv(struct pam_conv *pconv)
391 {
392 if (pconv)
393 SAFE_FREE(pconv->appdata_ptr);
394
395 SAFE_FREE(pconv);
396 }
397
398 /***************************************************************************
399 Allocate a pam_conv struct.
400 ****************************************************************************/
401
402 static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user,
403 const char *passwd, const char *newpass)
404 {
405 struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv));
406 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata));
407
408 if (pconv == NULL || udp == NULL) {
409 SAFE_FREE(pconv);
410 SAFE_FREE(udp);
411 return NULL;
412 }
413
414 udp->PAM_username = user;
415 udp->PAM_password = passwd;
416 udp->PAM_newpassword = newpass;
417
418 pconv->conv = smb_pam_conv_fnptr;
419 pconv->appdata_ptr = (void *)udp;
420 return pconv;
421 }
422
423 /*
424 * PAM Closing out cleanup handler
425 */
426
427 static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
428 {
429 int pam_error;
430
431 smb_free_pam_conv(smb_pam_conv_ptr);
432
433 if( pamh != NULL ) {
434 pam_error = pam_end(pamh, 0);
435 if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
436 DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
437 return True;
438 }
439 }
440 DEBUG(2,("smb_pam_end: PAM: not initialised"));
441 return False;
442 }
443
444 /*
445 * Start PAM authentication for specified account
446 */
447
448 static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
449 {
450 int pam_error;
451 const char *our_rhost;
452
453 *pamh = (pam_handle_t *)NULL;
454
455 DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
456
457 pam_error = pam_start("samba", user, pconv, pamh);
458 if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
459 *pamh = (pam_handle_t *)NULL;
460 return False;
461 }
462
463 if (rhost == NULL) {
464 our_rhost = client_name();
465 if (strequal(rhost,"UNKNOWN"))
466 our_rhost = client_addr();
467 } else {
468 our_rhost = rhost;
469 }
470
471 #ifdef PAM_RHOST
472 DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
473 pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
474 if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
475 smb_pam_end(*pamh, pconv);
476 *pamh = (pam_handle_t *)NULL;
477 return False;
478 }
479 #endif
480 #ifdef PAM_TTY
481 DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
482 pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
483 if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
484 smb_pam_end(*pamh, pconv);
485 *pamh = (pam_handle_t *)NULL;
486 return False;
487 }
488 #endif
489 DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
490 return True;
491 }
492
493 /*
494 * PAM Authentication Handler
495 */
496 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user)
497 {
498 int pam_error;
499 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
500
501 /*
502 * To enable debugging set in /etc/pam.d/samba:
503 * auth required /lib/security/pam_pwdb.so nullok shadow audit
504 */
505
506 DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
507 pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
508 switch( pam_error ){
509 case PAM_AUTH_ERR:
510 DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user));
511 nt_status = NT_STATUS_WRONG_PASSWORD;
512 break;
513 case PAM_CRED_INSUFFICIENT:
514 DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
515 nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO;
516 break;
517 case PAM_AUTHINFO_UNAVAIL:
518 DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
519 nt_status = NT_STATUS_LOGON_FAILURE;
520 break;
521 case PAM_USER_UNKNOWN:
522 DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
523 nt_status = NT_STATUS_NO_SUCH_USER;
524 break;
525 case PAM_MAXTRIES:
526 DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
527 nt_status = NT_STATUS_REMOTE_SESSION_LIMIT;
528 break;
529 case PAM_ABORT:
530 DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
531 nt_status = NT_STATUS_LOGON_FAILURE;
532 break;
533 case PAM_SUCCESS:
534 DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
535 nt_status = NT_STATUS_OK;
536 break;
537 default:
538 DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
539 nt_status = NT_STATUS_LOGON_FAILURE;
540 break;
541 }
542
543 smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
544 return nt_status;
545 }
546
547 /*
548 * PAM Account Handler
549 */
550 static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user)
551 {
552 int pam_error;
553 NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
554
555 DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
556 pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
557 switch( pam_error ) {
558 case PAM_AUTHTOK_EXPIRED:
559 DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
560 nt_status = NT_STATUS_PASSWORD_EXPIRED;
561 break;
562 case PAM_ACCT_EXPIRED:
563 DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
564 nt_status = NT_STATUS_ACCOUNT_EXPIRED;
565 break;
566 case PAM_AUTH_ERR:
567 DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
568 nt_status = NT_STATUS_LOGON_FAILURE;
569 break;
570 case PAM_PERM_DENIED:
571 DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
572 nt_status = NT_STATUS_ACCOUNT_RESTRICTION;
573 break;
574 case PAM_USER_UNKNOWN:
575 DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
576 nt_status = NT_STATUS_NO_SUCH_USER;
577 break;
578 case PAM_SUCCESS:
579 DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
580 nt_status = NT_STATUS_OK;
581 break;
582 default:
583 nt_status = NT_STATUS_ACCOUNT_DISABLED;
584 DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
585 break;
586 }
587
588 smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
589 return nt_status;
590 }
591
592 /*
593 * PAM Credential Setting
594 */
595
596 static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user)
597 {
598 int pam_error;
599 NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
600
601 /*
602 * This will allow samba to aquire a kerberos token. And, when
603 * exporting an AFS cell, be able to /write/ to this cell.
604 */
605
606 DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
607 pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
608 switch( pam_error ) {
609 case PAM_CRED_UNAVAIL:
610 DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
611 nt_status = NT_STATUS_NO_TOKEN;
612 break;
613 case PAM_CRED_EXPIRED:
614 DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
615 nt_status = NT_STATUS_PASSWORD_EXPIRED;
616 break;
617 case PAM_USER_UNKNOWN:
618 DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
619 nt_status = NT_STATUS_NO_SUCH_USER;
620 break;
621 case PAM_CRED_ERR:
622 DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
623 nt_status = NT_STATUS_LOGON_FAILURE;
624 break;
625 case PAM_SUCCESS:
626 DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
627 nt_status = NT_STATUS_OK;
628 break;
629 default:
630 DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
631 nt_status = NT_STATUS_NO_TOKEN;
632 break;
633 }
634
635 smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
636 return nt_status;
637 }
638
639 /*
640 * PAM Internal Session Handler
641 */
642 static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag)
643 {
644 int pam_error;
645
646 #ifdef PAM_TTY
647 DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
648 pam_error = pam_set_item(pamh, PAM_TTY, tty);
649 if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
650 return False;
651 #endif
652
653 if (flag) {
654 pam_error = pam_open_session(pamh, PAM_SILENT);
655 if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
656 return False;
657 } else {
658 pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */
659 pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
660 if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
661 return False;
662 }
663 return (True);
664 }
665
666 /*
667 * Internal PAM Password Changer.
668 */
669
670 static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user)
671 {
672 int pam_error;
673
674 DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
675
676 pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
677
678 switch( pam_error ) {
679 case PAM_AUTHTOK_ERR:
680 DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
681 break;
682
683 /* This doesn't seem to be defined on Solaris. JRA */
684 #ifdef PAM_AUTHTOK_RECOVER_ERR
685 case PAM_AUTHTOK_RECOVER_ERR:
686 DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
687 break;
688 #endif
689
690 case PAM_AUTHTOK_LOCK_BUSY:
691 DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
692 break;
693 case PAM_AUTHTOK_DISABLE_AGING:
694 DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
695 break;
696 case PAM_PERM_DENIED:
697 DEBUG(0, ("PAM: Permission denied.\n"));
698 break;
699 case PAM_TRY_AGAIN:
700 DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
701 break;
702 case PAM_USER_UNKNOWN:
703 DEBUG(0, ("PAM: User not known to PAM\n"));
704 break;
705 case PAM_SUCCESS:
706 DEBUG(4, ("PAM: Account OK for User: %s\n", user));
707 break;
708 default:
709 DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
710 }
711
712 if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
713 return False;
714 }
715
716 /* If this point is reached, the password has changed. */
717 return True;
718 }
719
720 /*
721 * PAM Externally accessible Session handler
722 */
723
724 BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
725 {
726 pam_handle_t *pamh = NULL;
727 struct pam_conv *pconv = NULL;
728
729 /* Ignore PAM if told to. */
730
731 if (!lp_obey_pam_restrictions())
732 return True;
733
734 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
735 return False;
736
737 if (!smb_pam_start(&pamh, user, rhost, pconv))
738 return False;
739
740 if (!smb_internal_pam_session(pamh, user, tty, True)) {
741 smb_pam_end(pamh, pconv);
742 return False;
743 }
744
745 return smb_pam_end(pamh, pconv);
746 }
747
748 /*
749 * PAM Externally accessible Session handler
750 */
751
752 BOOL smb_pam_close_session(char *user, char *tty, char *rhost)
753 {
754 pam_handle_t *pamh = NULL;
755 struct pam_conv *pconv = NULL;
756
757 /* Ignore PAM if told to. */
758
759 if (!lp_obey_pam_restrictions())
760 return True;
761
762 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
763 return False;
764
765 if (!smb_pam_start(&pamh, user, rhost, pconv))
766 return False;
767
768 if (!smb_internal_pam_session(pamh, user, tty, False)) {
769 smb_pam_end(pamh, pconv);
770 return False;
771 }
772
773 return smb_pam_end(pamh, pconv);
774 }
775
776 /*
777 * PAM Externally accessible Account handler
778 */
779
780 NTSTATUS smb_pam_accountcheck(const char * user)
781 {
782 NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
783 pam_handle_t *pamh = NULL;
784 struct pam_conv *pconv = NULL;
785
786 /* Ignore PAM if told to. */
787
788 if (!lp_obey_pam_restrictions())
789 return NT_STATUS_OK;
790
791 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
792 return NT_STATUS_NO_MEMORY;
793
794 if (!smb_pam_start(&pamh, user, NULL, pconv))
795 return NT_STATUS_ACCOUNT_DISABLED;
796
797 if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
798 DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
799
800 smb_pam_end(pamh, pconv);
801 return nt_status;
802 }
803
804 /*
805 * PAM Password Validation Suite
806 */
807
808 NTSTATUS smb_pam_passcheck(char * user, char * password)
809 {
810 pam_handle_t *pamh = NULL;
811 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
812 struct pam_conv *pconv = NULL;
813
814 /*
815 * Note we can't ignore PAM here as this is the only
816 * way of doing auths on plaintext passwords when
817 * compiled --with-pam.
818 */
819
820 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
821 return NT_STATUS_LOGON_FAILURE;
822
823 if (!smb_pam_start(&pamh, user, NULL, pconv))
824 return NT_STATUS_LOGON_FAILURE;
825
826 if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
827 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
828 smb_pam_end(pamh, pconv);
829 return nt_status;
830 }
831
832 if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
833 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
834 smb_pam_end(pamh, pconv);
835 return nt_status;
836 }
837
838 if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
839 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
840 smb_pam_end(pamh, pconv);
841 return nt_status;
842 }
843
844 smb_pam_end(pamh, pconv);
845 return nt_status;
846 }
847
848 /*
849 * PAM Password Change Suite
850 */
851
852 BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword)
853 {
854 /* Appropriate quantities of root should be obtained BEFORE calling this function */
855 struct pam_conv *pconv = NULL;
856 pam_handle_t *pamh = NULL;
857
858 if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
859 return False;
860
861 if(!smb_pam_start(&pamh, user, NULL, pconv))
862 return False;
863
864 if (!smb_pam_chauthtok(pamh, user)) {
865 DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
866 smb_pam_end(pamh, pconv);
867 return False;
868 }
869
870 return smb_pam_end(pamh, pconv);
871 }
872
873 #else
874
875 /* If PAM not used, no PAM restrictions on accounts. */
876 NTSTATUS smb_pam_accountcheck(const char * user)
877 {
878 return NT_STATUS_OK;
879 }
880
881 /* If PAM not used, also no PAM restrictions on sessions. */
882 BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
883 {
884 return True;
885 }
886
887 /* If PAM not used, also no PAM restrictions on sessions. */
888 BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost)
889 {
890 return True;
891 }
892 #endif /* WITH_PAM */
Samba GIT mirror