source/pam_smbpass/pam_smb_auth.c

   1 /* Unix NT password database implementation, version 0.7.5.
   2  *
   3  * This program is free software; you can redistribute it and/or modify it under
   4  * the terms of the GNU General Public License as published by the Free
   5  * Software Foundation; either version 2 of the License, or (at your option)
   6  * any later version.
   7  *
   8  * This program is distributed in the hope that it will be useful, but WITHOUT
   9  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  10  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  11  * more details.
  12  *
  13  * You should have received a copy of the GNU General Public License along with
  14  * this program; if not, write to the Free Software Foundation, Inc., 675
  15  * Mass Ave, Cambridge, MA 02139, USA.
  16 */
  17
  18 /* indicate the following groups are defined */
  19 #define PAM_SM_AUTH
  20
  21 #include "includes.h"
  22 #include "debug.h"
  23
  24 #ifndef LINUX
  25
  26 /* This is only used in the Sun implementation. */
  27 #include <security/pam_appl.h>
  28
  29 #endif  /* LINUX */
  30
  31 #include <security/pam_modules.h>
  32
  33 #include "general.h"
  34
  35 #include "support.h"
  36
  37 #define AUTH_RETURN                                             \
  38 do {                                                            \
  39         if(ret_data) {                                          \
  40                 *ret_data = retval;                             \
  41                 pam_set_data( pamh, "smb_setcred_return"        \
  42                               , (void *) ret_data, NULL );      \
  43         }                                                       \
  44         return retval;                                          \
  45 } while (0)
  46
  47 static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
  48                          const char *name, SAM_ACCOUNT *sampass, BOOL exist);
  49
  50 int make_remark(pam_handle_t *, unsigned int, int, const char *);
  51
  52
  53 /*
  54  * pam_sm_authenticate() authenticates users against the samba password file.
  55  *
  56  *      First, obtain the password from the user. Then use a
  57  *      routine in 'support.c' to authenticate the user.
  58  */
  59
  60 #define _SMB_AUTHTOK  "-SMB-PASS"
  61
  62 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  63                         int argc, const char **argv)
  64 {
  65     unsigned int ctrl;
  66     int retval, *ret_data = NULL;
  67     SAM_ACCOUNT *sampass = NULL;
  68     extern BOOL in_client;
  69     const char *name;
  70     BOOL found;
  71
  72     /* Points to memory managed by the PAM library. Do not free. */
  73     char *p = NULL;
  74
  75
  76     /* Samba initialization. */
  77     setup_logging("pam_smbpass",False);
  78     charset_initialise();
  79     codepage_initialise(lp_client_code_page());
  80     in_client = True;
  81
  82     ctrl = set_ctrl(flags, argc, argv);
  83
  84     /* Get a few bytes so we can pass our return value to
  85        pam_sm_setcred(). */
  86     ret_data = malloc(sizeof(int));
  87
  88     /* get the username */
  89     retval = pam_get_user( pamh, &name, "Username: " );
  90     if ( retval != PAM_SUCCESS ) {
  91         if (on( SMB_DEBUG, ctrl )) {
  92             _log_err(LOG_DEBUG, "auth: could not identify user");
  93         }
  94         AUTH_RETURN;
  95     }
  96     if (on( SMB_DEBUG, ctrl )) {
  97         _log_err( LOG_DEBUG, "username [%s] obtained", name );
  98     }
  99
 100     if (!initialize_password_db(True)) {
 101         _log_err( LOG_ALERT, "Cannot access samba password database" );
 102         retval = PAM_AUTHINFO_UNAVAIL;
 103         AUTH_RETURN;
 104     }
 105
 106     pdb_init_sam(&sampass);
 107
 108     found = pdb_getsampwnam( sampass, name );
 109
 110     if (on( SMB_MIGRATE, ctrl )) {
 111         retval = _smb_add_user(pamh, ctrl, name, sampass, found);
 112         pdb_free_sam(sampass);
 113         AUTH_RETURN;
 114     }
 115
 116     if (!found) {
 117         _log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
 118         retval = PAM_USER_UNKNOWN;
 119         pdb_free_sam(sampass);
 120         sampass = NULL;
 121         AUTH_RETURN;
 122     }
 123
 124     /* if this user does not have a password... */
 125
 126     if (_smb_blankpasswd( ctrl, sampass )) {
 127         pdb_free_sam(sampass);
 128         retval = PAM_SUCCESS;
 129         AUTH_RETURN;
 130     }
 131
 132     /* get this user's authentication token */
 133
 134     retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
 135     if (retval != PAM_SUCCESS ) {
 136         _log_err(LOG_CRIT, "auth: no password provided for [%s]"
 137                  , name);
 138         pdb_free_sam(sampass);
 139         AUTH_RETURN;
 140     }
 141
 142     /* verify the password of this user */
 143
 144     retval = _smb_verify_password( pamh, sampass, p, ctrl );
 145     pdb_free_sam(sampass);
 146     p = NULL;
 147     AUTH_RETURN;
 148 }
 149
 150 /*
 151  * This function is for setting samba credentials.  If anyone comes up
 152  * with any credentials they think should be set, let me know.
 153  */
 154
 155 int pam_sm_setcred(pam_handle_t *pamh, int flags,
 156                    int argc, const char **argv)
 157 {
 158     int retval, *pretval = NULL;
 159
 160     retval = PAM_SUCCESS;
 161
 162     pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval);
 163     if(pretval) {
 164         retval = *pretval;
 165         SAFE_FREE(pretval);
 166     }
 167     pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
 168
 169     return retval;
 170 }
 171
 172
 173 /* Helper function for adding a user to the db. */
 174 static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
 175                          const char *name, SAM_ACCOUNT *sampass, BOOL exist)
 176 {
 177     pstring err_str;
 178     pstring msg_str;
 179     char *pass = NULL;
 180     int retval;
 181
 182     err_str[0] = '\0';
 183     msg_str[0] = '\0';
 184
 185     /* Get the authtok; if we don't have one, silently fail. */
 186     retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
 187
 188     if (retval != PAM_SUCCESS) {
 189         _log_err( LOG_ALERT
 190                   , "pam_get_item returned error to pam_sm_authenticate" );
 191         return PAM_AUTHTOK_RECOVER_ERR;
 192     } else if (pass == NULL) {
 193         return PAM_AUTHTOK_RECOVER_ERR;
 194     }
 195
 196     /* Add the user to the db if they aren't already there. */
 197    if (!exist) {
 198         retval = local_password_change( name, LOCAL_ADD_USER,
 199                                          pass, err_str,
 200                                          sizeof(err_str),
 201                                          msg_str, sizeof(msg_str) );
 202         if (!retval && *err_str)
 203         {
 204             err_str[PSTRING_LEN-1] = '\0';
 205             make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
 206         }
 207         else if (*msg_str)
 208         {
 209             msg_str[PSTRING_LEN-1] = '\0';
 210             make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
 211         }
 212         pass = NULL;
 213
 214         return PAM_IGNORE;
 215    }
 216    else {
 217     /* Change the user's password IFF it's null. */
 218     if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
 219     {
 220         retval = local_password_change( name, 0, pass, err_str, sizeof(err_str),
 221                                          msg_str, sizeof(msg_str) );
 222         if (!retval && *err_str)
 223         {
 224             err_str[PSTRING_LEN-1] = '\0';
 225             make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
 226         }
 227         else if (*msg_str)
 228         {
 229             msg_str[PSTRING_LEN-1] = '\0';
 230             make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
 231         }
 232     }
 233    }
 234
 235     pass = NULL;
 236
 237     return PAM_IGNORE;
 238 }
 239
 240
 241 /* static module data */
 242 #ifdef PAM_STATIC
 243 struct pam_module _pam_smbpass_auth_modstruct = {
 244      "pam_smbpass",
 245      pam_sm_authenticate,
 246      pam_sm_setcred,
 247      NULL,
 248      NULL,
 249      NULL,
 250      NULL
 251 };
 252 #endif
 253