search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-pfm_verify: fix usage string
[Samba.git] / source3 / auth / pampass.c
blobdfeeb22588e7d32d6fe01c204b0937f82634873a
1 /*
2 Unix SMB/CIFS implementation.
3 PAM Password checking
4 Copyright (C) Andrew Tridgell 1992-2001
5 Copyright (C) John H Terpsta 1999-2001
6 Copyright (C) Andrew Bartlett 2001
7 Copyright (C) Jeremy Allison 2001
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 /*
24 * This module provides PAM based functions for validation of
25 * username/password pairs, account managment, session and access control.
26 * Note: SMB password checking is done in smbpass.c
27 */
28
29 #include "includes.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
33
34 #ifdef WITH_PAM
35
36 /*******************************************************************
37 * Handle PAM authentication
38 * - Access, Authentication, Session, Password
39 * Note: See PAM Documentation and refer to local system PAM implementation
40 * which determines what actions/limitations/allowances become affected.
41 *********************************************************************/
42
43 #if defined(HAVE_SECURITY_PAM_APPL_H)
44 #include <security/pam_appl.h>
45 #elif defined(HAVE_PAM_PAM_APPL_H)
46 #include <pam/pam_appl.h>
47 #endif
48
49 /*
50 * Structure used to communicate between the conversation function
51 * and the server_login/change password functions.
52 */
53
54 struct smb_pam_userdata {
55 const char *PAM_username;
56 const char *PAM_password;
57 const char *PAM_newpassword;
58 };
59
60 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
61
62 static char *smb_pam_copy_string(const char *s)
63 {
64 if (s == NULL) {
65 return NULL;
66 }
67 return SMB_STRDUP(s);
68 }
69
70 static char *smb_pam_copy_fstring(const char *s)
71 {
72 if (s[0] == '\0') {
73 return NULL;
74 }
75 return SMB_STRDUP(s);
76 }
77
78 /*******************************************************************
79 PAM error handler.
80 *********************************************************************/
81
82 static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
83 {
84
85 if( pam_error != PAM_SUCCESS) {
86 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
87 msg, pam_strerror(pamh, pam_error)));
88 return False;
89 }
90 return True;
91 }
92
93 /*******************************************************************
94 This function is a sanity check, to make sure that we NEVER report
95 failure as sucess.
96 *********************************************************************/
97
98 static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
99 const char *msg, int dbglvl,
100 NTSTATUS *nt_status)
101 {
102 *nt_status = pam_to_nt_status(pam_error);
103
104 if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
105 return True;
106
107 if (NT_STATUS_IS_OK(*nt_status)) {
108 /* Complain LOUDLY */
109 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
110 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
111 *nt_status = NT_STATUS_LOGON_FAILURE;
112 }
113 return False;
114 }
115
116 /*
117 * PAM conversation function
118 * Here we assume (for now, at least) that echo on means login name, and
119 * echo off means password.
120 */
121
122 static int smb_pam_conv(int num_msg,
123 const struct pam_message **msg,
124 struct pam_response **resp,
125 void *appdata_ptr)
126 {
127 int replies = 0;
128 struct pam_response *reply = NULL;
129 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
130
131 *resp = NULL;
132
133 if (num_msg <= 0)
134 return PAM_CONV_ERR;
135
136 /*
137 * Apparantly HPUX has a buggy PAM that doesn't support the
138 * appdata_ptr. Fail if this is the case. JRA.
139 */
140
141 if (udp == NULL) {
142 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
143 return PAM_CONV_ERR;
144 }
145
146 reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
147 if (!reply)
148 return PAM_CONV_ERR;
149
150 memset(reply, '\0', sizeof(struct pam_response) * num_msg);
151
152 for (replies = 0; replies < num_msg; replies++) {
153 switch (msg[replies]->msg_style) {
154 case PAM_PROMPT_ECHO_ON:
155 reply[replies].resp_retcode = PAM_SUCCESS;
156 reply[replies].resp = smb_pam_copy_string(
157 udp->PAM_username);
158 /* PAM frees resp */
159 break;
160
161 case PAM_PROMPT_ECHO_OFF:
162 reply[replies].resp_retcode = PAM_SUCCESS;
163 reply[replies].resp = smb_pam_copy_string(
164 udp->PAM_password);
165 /* PAM frees resp */
166 break;
167
168 case PAM_TEXT_INFO:
169 /* fall through */
170
171 case PAM_ERROR_MSG:
172 /* ignore it... */
173 reply[replies].resp_retcode = PAM_SUCCESS;
174 reply[replies].resp = NULL;
175 break;
176
177 default:
178 /* Must be an error of some sort... */
179 SAFE_FREE(reply);
180 return PAM_CONV_ERR;
181 }
182 }
183 if (reply)
184 *resp = reply;
185 return PAM_SUCCESS;
186 }
187
188 /*
189 * PAM password change conversation function
190 * Here we assume (for now, at least) that echo on means login name, and
191 * echo off means password.
192 */
193
194 static void special_char_sub(char *buf)
195 {
196 all_string_sub(buf, "\\n", "", 0);
197 all_string_sub(buf, "\\r", "", 0);
198 all_string_sub(buf, "\\s", " ", 0);
199 all_string_sub(buf, "\\t", "\t", 0);
200 }
201
202 static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass)
203 {
204 fstring_sub(buf, "%u", username);
205 all_string_sub(buf, "%o", oldpass, sizeof(fstring));
206 all_string_sub(buf, "%n", newpass, sizeof(fstring));
207 }
208
209
210 struct chat_struct {
211 struct chat_struct *next, *prev;
212 fstring prompt;
213 fstring reply;
214 };
215
216 /**************************************************************
217 Create a linked list containing chat data.
218 ***************************************************************/
219
220 static struct chat_struct *make_pw_chat(const char *p)
221 {
222 char *prompt;
223 char *reply;
224 struct chat_struct *list = NULL;
225 struct chat_struct *t;
226 TALLOC_CTX *frame = talloc_stackframe();
227
228 while (1) {
229 t = SMB_MALLOC_P(struct chat_struct);
230 if (!t) {
231 DEBUG(0,("make_pw_chat: malloc failed!\n"));
232 TALLOC_FREE(frame);
233 return NULL;
234 }
235
236 ZERO_STRUCTP(t);
237
238 DLIST_ADD_END(list, t, struct chat_struct*);
239
240 if (!next_token_talloc(frame, &p, &prompt, NULL)) {
241 break;
242 }
243
244 if (strequal(prompt,".")) {
245 fstrcpy(prompt,"*");
246 }
247
248 special_char_sub(prompt);
249 fstrcpy(t->prompt, prompt);
250 strlower_m(t->prompt);
251 trim_char(t->prompt, ' ', ' ');
252
253 if (!next_token_talloc(frame, &p, &reply, NULL)) {
254 break;
255 }
256
257 if (strequal(reply,".")) {
258 fstrcpy(reply,"");
259 }
260
261 special_char_sub(reply);
262 fstrcpy(t->reply, reply);
263 strlower_m(t->reply);
264 trim_char(t->reply, ' ', ' ');
265
266 }
267 TALLOC_FREE(frame);
268 return list;
269 }
270
271 static void free_pw_chat(struct chat_struct *list)
272 {
273 while (list) {
274 struct chat_struct *old_head = list;
275 DLIST_REMOVE(list, list);
276 SAFE_FREE(old_head);
277 }
278 }
279
280 static int smb_pam_passchange_conv(int num_msg,
281 const struct pam_message **msg,
282 struct pam_response **resp,
283 void *appdata_ptr)
284 {
285 int replies = 0;
286 struct pam_response *reply = NULL;
287 fstring current_prompt;
288 fstring current_reply;
289 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
290 struct chat_struct *pw_chat;
291 struct chat_struct *t;
292 bool found;
293 *resp = NULL;
294
295 DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
296
297 if (num_msg <= 0)
298 return PAM_CONV_ERR;
299
300 if ((pw_chat = make_pw_chat(lp_passwd_chat())) == NULL)
301 return PAM_CONV_ERR;
302
303 /*
304 * Apparantly HPUX has a buggy PAM that doesn't support the
305 * appdata_ptr. Fail if this is the case. JRA.
306 */
307
308 if (udp == NULL) {
309 DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
310 free_pw_chat(pw_chat);
311 return PAM_CONV_ERR;
312 }
313
314 reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
315 if (!reply) {
316 DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
317 free_pw_chat(pw_chat);
318 return PAM_CONV_ERR;
319 }
320
321 for (replies = 0; replies < num_msg; replies++) {
322 found = False;
323 DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
324 switch (msg[replies]->msg_style) {
325 case PAM_PROMPT_ECHO_ON:
326 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
327 fstrcpy(current_prompt, msg[replies]->msg);
328 trim_char(current_prompt, ' ', ' ');
329 for (t=pw_chat; t; t=t->next) {
330
331 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n",
332 t->prompt, current_prompt ));
333
334 if (unix_wild_match(t->prompt, current_prompt)) {
335 fstrcpy(current_reply, t->reply);
336 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
337 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
338 #ifdef DEBUG_PASSWORD
339 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actually sent: %s\n", current_reply));
340 #endif
341 reply[replies].resp_retcode = PAM_SUCCESS;
342 reply[replies].resp = smb_pam_copy_fstring(
343 current_reply);
344 found = True;
345 break;
346 }
347 }
348 /* PAM frees resp */
349 if (!found) {
350 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
351 free_pw_chat(pw_chat);
352 SAFE_FREE(reply);
353 return PAM_CONV_ERR;
354 }
355 break;
356
357 case PAM_PROMPT_ECHO_OFF:
358 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
359 fstrcpy(current_prompt, msg[replies]->msg);
360 trim_char(current_prompt, ' ', ' ');
361 for (t=pw_chat; t; t=t->next) {
362
363 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n",
364 t->prompt, current_prompt ));
365
366 if (unix_wild_match(t->prompt, current_prompt)) {
367 fstrcpy(current_reply, t->reply);
368 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
369 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
370 reply[replies].resp_retcode = PAM_SUCCESS;
371 reply[replies].resp = smb_pam_copy_fstring(
372 current_reply);
373 #ifdef DEBUG_PASSWORD
374 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actually sent: %s\n", current_reply));
375 #endif
376 found = True;
377 break;
378 }
379 }
380 /* PAM frees resp */
381
382 if (!found) {
383 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
384 free_pw_chat(pw_chat);
385 SAFE_FREE(reply);
386 return PAM_CONV_ERR;
387 }
388 break;
389
390 case PAM_TEXT_INFO:
391 /* fall through */
392
393 case PAM_ERROR_MSG:
394 /* ignore it... */
395 reply[replies].resp_retcode = PAM_SUCCESS;
396 reply[replies].resp = NULL;
397 break;
398
399 default:
400 /* Must be an error of some sort... */
401 free_pw_chat(pw_chat);
402 SAFE_FREE(reply);
403 return PAM_CONV_ERR;
404 }
405 }
406
407 free_pw_chat(pw_chat);
408 if (reply)
409 *resp = reply;
410 return PAM_SUCCESS;
411 }
412
413 /***************************************************************************
414 Free up a malloced pam_conv struct.
415 ****************************************************************************/
416
417 static void smb_free_pam_conv(struct pam_conv *pconv)
418 {
419 if (pconv)
420 SAFE_FREE(pconv->appdata_ptr);
421
422 SAFE_FREE(pconv);
423 }
424
425 /***************************************************************************
426 Allocate a pam_conv struct.
427 ****************************************************************************/
428
429 static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user,
430 const char *passwd, const char *newpass)
431 {
432 struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
433 struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
434
435 if (pconv == NULL || udp == NULL) {
436 SAFE_FREE(pconv);
437 SAFE_FREE(udp);
438 return NULL;
439 }
440
441 udp->PAM_username = user;
442 udp->PAM_password = passwd;
443 udp->PAM_newpassword = newpass;
444
445 pconv->conv = smb_pam_conv_fnptr;
446 pconv->appdata_ptr = (void *)udp;
447 return pconv;
448 }
449
450 /*
451 * PAM Closing out cleanup handler
452 */
453
454 static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
455 {
456 int pam_error;
457
458 smb_free_pam_conv(smb_pam_conv_ptr);
459
460 if( pamh != NULL ) {
461 pam_error = pam_end(pamh, 0);
462 if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
463 DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
464 return True;
465 }
466 }
467 DEBUG(2,("smb_pam_end: PAM: not initialised"));
468 return False;
469 }
470
471 /*
472 * Start PAM authentication for specified account
473 */
474
475 static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
476 {
477 int pam_error;
478
479 *pamh = (pam_handle_t *)NULL;
480
481 DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
482
483 pam_error = pam_start("samba", user, pconv, pamh);
484 if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
485 *pamh = (pam_handle_t *)NULL;
486 return False;
487 }
488
489 #if HAVE_PAM_RHOST
490 DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
491 pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
492 if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
493 smb_pam_end(*pamh, pconv);
494 *pamh = (pam_handle_t *)NULL;
495 return False;
496 }
497 #endif
498 #if HAVE_PAM_TTY
499 DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
500 pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
501 if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
502 smb_pam_end(*pamh, pconv);
503 *pamh = (pam_handle_t *)NULL;
504 return False;
505 }
506 #endif
507 DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
508 return True;
509 }
510
511 /*
512 * PAM Authentication Handler
513 */
514 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
515 {
516 int pam_error;
517 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
518
519 /*
520 * To enable debugging set in /etc/pam.d/samba:
521 * auth required /lib/security/pam_pwdb.so nullok shadow audit
522 */
523
524 DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
525 pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
526 switch( pam_error ){
527 case PAM_AUTH_ERR:
528 DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
529 break;
530 case PAM_CRED_INSUFFICIENT:
531 DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
532 break;
533 case PAM_AUTHINFO_UNAVAIL:
534 DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
535 break;
536 case PAM_USER_UNKNOWN:
537 DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
538 break;
539 case PAM_MAXTRIES:
540 DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
541 break;
542 case PAM_ABORT:
543 DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
544 break;
545 case PAM_SUCCESS:
546 DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
547 break;
548 default:
549 DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
550 break;
551 }
552
553 smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
554 return nt_status;
555 }
556
557 /*
558 * PAM Account Handler
559 */
560 static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user)
561 {
562 int pam_error;
563 NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
564
565 DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
566 pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
567 switch( pam_error ) {
568 case PAM_AUTHTOK_EXPIRED:
569 DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
570 break;
571 case PAM_ACCT_EXPIRED:
572 DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
573 break;
574 case PAM_AUTH_ERR:
575 DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
576 break;
577 case PAM_PERM_DENIED:
578 DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
579 break;
580 case PAM_USER_UNKNOWN:
581 DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
582 break;
583 case PAM_SUCCESS:
584 DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
585 break;
586 default:
587 DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
588 break;
589 }
590
591 smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
592 return nt_status;
593 }
594
595 /*
596 * PAM Credential Setting
597 */
598
599 static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user)
600 {
601 int pam_error;
602 NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
603
604 /*
605 * This will allow samba to aquire a kerberos token. And, when
606 * exporting an AFS cell, be able to /write/ to this cell.
607 */
608
609 DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
610 pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
611 switch( pam_error ) {
612 case PAM_CRED_UNAVAIL:
613 DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
614 break;
615 case PAM_CRED_EXPIRED:
616 DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
617 break;
618 case PAM_USER_UNKNOWN:
619 DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
620 break;
621 case PAM_CRED_ERR:
622 DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
623 break;
624 case PAM_SUCCESS:
625 DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
626 break;
627 default:
628 DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
629 break;
630 }
631
632 smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
633 return nt_status;
634 }
635
636 /*
637 * PAM Internal Session Handler
638 */
639 static bool smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, bool flag)
640 {
641 int pam_error;
642
643 #if HAVE_PAM_TTY
644 DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
645 pam_error = pam_set_item(pamh, PAM_TTY, tty);
646 if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
647 return False;
648 #endif
649
650 if (flag) {
651 pam_error = pam_open_session(pamh, PAM_SILENT);
652 if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
653 return False;
654 } else {
655 pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */
656 pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
657 if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
658 return False;
659 }
660 return (True);
661 }
662
663 /*
664 * Internal PAM Password Changer.
665 */
666
667 static bool smb_pam_chauthtok(pam_handle_t *pamh, const char * user)
668 {
669 int pam_error;
670
671 DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
672
673 pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
674
675 switch( pam_error ) {
676 case PAM_AUTHTOK_ERR:
677 DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
678 break;
679
680 /* This doesn't seem to be defined on Solaris. JRA */
681 #ifdef PAM_AUTHTOK_RECOVER_ERR
682 case PAM_AUTHTOK_RECOVER_ERR:
683 DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
684 break;
685 #endif
686
687 case PAM_AUTHTOK_LOCK_BUSY:
688 DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
689 break;
690 case PAM_AUTHTOK_DISABLE_AGING:
691 DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
692 break;
693 case PAM_PERM_DENIED:
694 DEBUG(0, ("PAM: Permission denied.\n"));
695 break;
696 case PAM_TRY_AGAIN:
697 DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
698 break;
699 case PAM_USER_UNKNOWN:
700 DEBUG(0, ("PAM: User not known to PAM\n"));
701 break;
702 case PAM_SUCCESS:
703 DEBUG(4, ("PAM: Account OK for User: %s\n", user));
704 break;
705 default:
706 DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
707 }
708
709 if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
710 return False;
711 }
712
713 /* If this point is reached, the password has changed. */
714 return True;
715 }
716
717 /*
718 * PAM Externally accessible Session handler
719 */
720
721 bool smb_pam_claim_session(char *user, char *tty, char *rhost)
722 {
723 pam_handle_t *pamh = NULL;
724 struct pam_conv *pconv = NULL;
725
726 /* Ignore PAM if told to. */
727
728 if (!lp_obey_pam_restrictions())
729 return True;
730
731 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
732 return False;
733
734 if (!smb_pam_start(&pamh, user, rhost, pconv))
735 return False;
736
737 if (!smb_internal_pam_session(pamh, user, tty, True)) {
738 smb_pam_end(pamh, pconv);
739 return False;
740 }
741
742 return smb_pam_end(pamh, pconv);
743 }
744
745 /*
746 * PAM Externally accessible Session handler
747 */
748
749 bool smb_pam_close_session(char *user, char *tty, char *rhost)
750 {
751 pam_handle_t *pamh = NULL;
752 struct pam_conv *pconv = NULL;
753
754 /* Ignore PAM if told to. */
755
756 if (!lp_obey_pam_restrictions())
757 return True;
758
759 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
760 return False;
761
762 if (!smb_pam_start(&pamh, user, rhost, pconv))
763 return False;
764
765 if (!smb_internal_pam_session(pamh, user, tty, False)) {
766 smb_pam_end(pamh, pconv);
767 return False;
768 }
769
770 return smb_pam_end(pamh, pconv);
771 }
772
773 /*
774 * PAM Externally accessible Account handler
775 */
776
777 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
778 {
779 NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
780 pam_handle_t *pamh = NULL;
781 struct pam_conv *pconv = NULL;
782
783 /* Ignore PAM if told to. */
784
785 if (!lp_obey_pam_restrictions())
786 return NT_STATUS_OK;
787
788 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
789 return NT_STATUS_NO_MEMORY;
790
791 if (!smb_pam_start(&pamh, user, rhost, pconv))
792 return NT_STATUS_ACCOUNT_DISABLED;
793
794 if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
795 DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
796
797 smb_pam_end(pamh, pconv);
798 return nt_status;
799 }
800
801 /*
802 * PAM Password Validation Suite
803 */
804
805 NTSTATUS smb_pam_passcheck(const char * user, const char * rhost,
806 const char * password)
807 {
808 pam_handle_t *pamh = NULL;
809 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
810 struct pam_conv *pconv = NULL;
811
812 /*
813 * Note we can't ignore PAM here as this is the only
814 * way of doing auths on plaintext passwords when
815 * compiled --with-pam.
816 */
817
818 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
819 return NT_STATUS_LOGON_FAILURE;
820
821 if (!smb_pam_start(&pamh, user, rhost, pconv))
822 return NT_STATUS_LOGON_FAILURE;
823
824 if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
825 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
826 smb_pam_end(pamh, pconv);
827 return nt_status;
828 }
829
830 if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
831 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
832 smb_pam_end(pamh, pconv);
833 return nt_status;
834 }
835
836 if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
837 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
838 smb_pam_end(pamh, pconv);
839 return nt_status;
840 }
841
842 smb_pam_end(pamh, pconv);
843 return nt_status;
844 }
845
846 /*
847 * PAM Password Change Suite
848 */
849
850 bool smb_pam_passchange(const char *user, const char *rhost,
851 const char *oldpassword, const char *newpassword)
852 {
853 /* Appropriate quantities of root should be obtained BEFORE calling this function */
854 struct pam_conv *pconv = NULL;
855 pam_handle_t *pamh = NULL;
856
857 if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
858 return False;
859
860 if(!smb_pam_start(&pamh, user, rhost, pconv))
861 return False;
862
863 if (!smb_pam_chauthtok(pamh, user)) {
864 DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
865 smb_pam_end(pamh, pconv);
866 return False;
867 }
868
869 return smb_pam_end(pamh, pconv);
870 }
871
872 #else
873
874 /* If PAM not used, no PAM restrictions on accounts. */
875 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
876 {
877 return NT_STATUS_OK;
878 }
879
880 /* If PAM not used, also no PAM restrictions on sessions. */
881 bool smb_pam_claim_session(char *user, char *tty, char *rhost)
882 {
883 return True;
884 }
885
886 /* If PAM not used, also no PAM restrictions on sessions. */
887 bool smb_pam_close_session(char *in_user, char *tty, char *rhost)
888 {
889 return True;
890 }
891 #endif /* WITH_PAM */
Samba GIT mirror