source/pam_smbpass/pam_smb_auth.c

   1 /* Unix NT password database implementation, version 0.7.5.
   2  *
   3  * This program is free software; you can redistribute it and/or modify it under
   4  * the terms of the GNU General Public License as published by the Free
   5  * Software Foundation; either version 2 of the License, or (at your option)
   6  * any later version.
   7  *
   8  * This program is distributed in the hope that it will be useful, but WITHOUT
   9  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  10  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  11  * more details.
  12  *
  13  * You should have received a copy of the GNU General Public License along with
  14  * this program; if not, write to the Free Software Foundation, Inc., 675
  15  * Mass Ave, Cambridge, MA 02139, USA.
  16 */
  17
  18 /* indicate the following groups are defined */
  19 #define PAM_SM_AUTH
  20
  21 #include "includes.h"
  22 #include "debug.h"
  23
  24 #ifndef LINUX
  25
  26 /* This is only used in the Sun implementation. */
  27 #include <security/pam_appl.h>
  28
  29 #endif  /* LINUX */
  30
  31 #include <security/pam_modules.h>
  32
  33 #include "general.h"
  34
  35 #include "support.h"
  36
  37 #define AUTH_RETURN                                             \
  38 do {                                                            \
  39         if(ret_data) {                                          \
  40                 *ret_data = retval;                             \
  41                 pam_set_data( pamh, "smb_setcred_return"        \
  42                               , (void *) ret_data, NULL );      \
  43         }                                                       \
  44         return retval;                                          \
  45 } while (0)
  46
  47 static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
  48                          const char *name, SAM_ACCOUNT *sampass, BOOL exist);
  49
  50
  51 /*
  52  * pam_sm_authenticate() authenticates users against the samba password file.
  53  *
  54  *      First, obtain the password from the user. Then use a
  55  *      routine in 'support.c' to authenticate the user.
  56  */
  57
  58 #define _SMB_AUTHTOK  "-SMB-PASS"
  59
  60 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  61                         int argc, const char **argv)
  62 {
  63     unsigned int ctrl;
  64     int retval, *ret_data = NULL;
  65     SAM_ACCOUNT *sampass = NULL;
  66     extern BOOL in_client;
  67     const char *name;
  68     BOOL found;
  69
  70     /* Points to memory managed by the PAM library. Do not free. */
  71     char *p = NULL;
  72
  73
  74     /* Samba initialization. */
  75     setup_logging("pam_smbpass",False);
  76     in_client = True;
  77
  78     ctrl = set_ctrl(flags, argc, argv);
  79
  80     /* Get a few bytes so we can pass our return value to
  81        pam_sm_setcred(). */
  82     ret_data = malloc(sizeof(int));
  83
  84     /* get the username */
  85     retval = pam_get_user( pamh, &name, "Username: " );
  86     if ( retval != PAM_SUCCESS ) {
  87         if (on( SMB_DEBUG, ctrl )) {
  88             _log_err(LOG_DEBUG, "auth: could not identify user");
  89         }
  90         AUTH_RETURN;
  91     }
  92     if (on( SMB_DEBUG, ctrl )) {
  93         _log_err( LOG_DEBUG, "username [%s] obtained", name );
  94     }
  95
  96     if (!initialize_password_db(True)) {
  97         _log_err( LOG_ALERT, "Cannot access samba password database" );
  98         retval = PAM_AUTHINFO_UNAVAIL;
  99         AUTH_RETURN;
 100     }
 101
 102     pdb_init_sam(&sampass);
 103
 104     found = pdb_getsampwnam( sampass, name );
 105
 106     if (on( SMB_MIGRATE, ctrl )) {
 107         retval = _smb_add_user(pamh, ctrl, name, sampass, found);
 108         pdb_free_sam(&sampass);
 109         AUTH_RETURN;
 110     }
 111
 112     if (!found) {
 113         _log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
 114         retval = PAM_USER_UNKNOWN;
 115         pdb_free_sam(&sampass);
 116         sampass = NULL;
 117         AUTH_RETURN;
 118     }
 119
 120     /* if this user does not have a password... */
 121
 122     if (_smb_blankpasswd( ctrl, sampass )) {
 123         pdb_free_sam(&sampass);
 124         retval = PAM_SUCCESS;
 125         AUTH_RETURN;
 126     }
 127
 128     /* get this user's authentication token */
 129
 130     retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
 131     if (retval != PAM_SUCCESS ) {
 132         _log_err(LOG_CRIT, "auth: no password provided for [%s]"
 133                  , name);
 134         pdb_free_sam(&sampass);
 135         AUTH_RETURN;
 136     }
 137
 138     /* verify the password of this user */
 139
 140     retval = _smb_verify_password( pamh, sampass, p, ctrl );
 141     pdb_free_sam(&sampass);
 142     p = NULL;
 143     AUTH_RETURN;
 144 }
 145
 146 /*
 147  * This function is for setting samba credentials.  If anyone comes up
 148  * with any credentials they think should be set, let me know.
 149  */
 150
 151 int pam_sm_setcred(pam_handle_t *pamh, int flags,
 152                    int argc, const char **argv)
 153 {
 154     int retval, *pretval = NULL;
 155
 156     retval = PAM_SUCCESS;
 157
 158     pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval);
 159     if(pretval) {
 160         retval = *pretval;
 161         SAFE_FREE(pretval);
 162     }
 163     pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
 164
 165     return retval;
 166 }
 167
 168
 169 /* Helper function for adding a user to the db. */
 170 static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
 171                          const char *name, SAM_ACCOUNT *sampass, BOOL exist)
 172 {
 173     pstring err_str;
 174     pstring msg_str;
 175     const char *pass = NULL;
 176     int retval;
 177
 178     err_str[0] = '\0';
 179     msg_str[0] = '\0';
 180
 181     /* Get the authtok; if we don't have one, silently fail. */
 182     retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
 183
 184     if (retval != PAM_SUCCESS) {
 185         _log_err( LOG_ALERT
 186                   , "pam_get_item returned error to pam_sm_authenticate" );
 187         return PAM_AUTHTOK_RECOVER_ERR;
 188     } else if (pass == NULL) {
 189         return PAM_AUTHTOK_RECOVER_ERR;
 190     }
 191
 192     /* Add the user to the db if they aren't already there. */
 193    if (!exist) {
 194         retval = local_password_change( name, LOCAL_ADD_USER,
 195                                          pass, err_str,
 196                                          sizeof(err_str),
 197                                          msg_str, sizeof(msg_str) );
 198         if (!retval && *err_str)
 199         {
 200             err_str[PSTRING_LEN-1] = '\0';
 201             make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
 202         }
 203         else if (*msg_str)
 204         {
 205             msg_str[PSTRING_LEN-1] = '\0';
 206             make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
 207         }
 208         pass = NULL;
 209
 210         return PAM_IGNORE;
 211    }
 212    else {
 213     /* Change the user's password IFF it's null. */
 214     if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
 215     {
 216         retval = local_password_change( name, 0, pass, err_str, sizeof(err_str),
 217                                          msg_str, sizeof(msg_str) );
 218         if (!retval && *err_str)
 219         {
 220             err_str[PSTRING_LEN-1] = '\0';
 221             make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
 222         }
 223         else if (*msg_str)
 224         {
 225             msg_str[PSTRING_LEN-1] = '\0';
 226             make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
 227         }
 228     }
 229    }
 230
 231     pass = NULL;
 232
 233     return PAM_IGNORE;
 234 }
 235
 236
 237 /* static module data */
 238 #ifdef PAM_STATIC
 239 struct pam_module _pam_smbpass_auth_modstruct = {
 240      "pam_smbpass",
 241      pam_sm_authenticate,
 242      pam_sm_setcred,
 243      NULL,
 244      NULL,
 245      NULL,
 246      NULL
 247 };
 248 #endif
 249