source/pam_smbpass/pam_smb_auth.c

   1 /* Unix NT password database implementation, version 0.7.5.
   2  *
   3  * This program is free software; you can redistribute it and/or modify it under
   4  * the terms of the GNU General Public License as published by the Free
   5  * Software Foundation; either version 2 of the License, or (at your option)
   6  * any later version.
   7  *
   8  * This program is distributed in the hope that it will be useful, but WITHOUT
   9  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  10  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  11  * more details.
  12  *
  13  * You should have received a copy of the GNU General Public License along with
  14  * this program; if not, write to the Free Software Foundation, Inc., 675
  15  * Mass Ave, Cambridge, MA 02139, USA.
  16 */
  17
  18 /* indicate the following groups are defined */
  19 #define PAM_SM_AUTH
  20
  21 #include "includes.h"
  22 #include "debug.h"
  23
  24 #ifndef LINUX
  25
  26 /* This is only used in the Sun implementation. */
  27 #include <security/pam_appl.h>
  28
  29 #endif  /* LINUX */
  30
  31 #include <security/pam_modules.h>
  32
  33 #include "general.h"
  34
  35 #include "support.h"
  36
  37 #define AUTH_RETURN                                             \
  38 do {                                                            \
  39         if(ret_data) {                                          \
  40                 *ret_data = retval;                             \
  41                 pam_set_data( pamh, "smb_setcred_return"        \
  42                               , (void *) ret_data, NULL );      \
  43         }                                                       \
  44         return retval;                                          \
  45 } while (0)
  46
  47 static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
  48                          const char *name, struct smb_passwd *smb_pwent);
  49
  50 /*
  51  * pam_sm_authenticate() authenticates users against the samba password file.
  52  *
  53  *      First, obtain the password from the user. Then use a
  54  *      routine in 'support.c' to authenticate the user.
  55  */
  56
  57 #define _SMB_AUTHTOK  "-SMB-PASS"
  58
  59 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  60                         int argc, const char **argv)
  61 {
  62     unsigned int ctrl;
  63     int retval, *ret_data = NULL;
  64
  65     const char *name;
  66
  67     /* Points to memory managed by the PAM library. Do not free. */
  68     const char *p = NULL;
  69
  70     struct smb_passwd *smb_pwent = NULL;
  71
  72     extern BOOL in_client;
  73
  74     /* Samba initialization. */
  75     setup_logging("pam_smbpass",False);
  76     charset_initialise();
  77     in_client = True;
  78
  79     ctrl = set_ctrl(flags, argc, argv);
  80
  81     /* Get a few bytes so we can pass our return value to
  82        pam_sm_setcred(). */
  83     ret_data = malloc(sizeof(int));
  84
  85     /* get the username */
  86     retval = pam_get_user( pamh, &name, "Username: " );
  87     if ( retval != PAM_SUCCESS ) {
  88         if (on( SMB_DEBUG, ctrl )) {
  89             _log_err(LOG_DEBUG, "auth: could not identify user");
  90         }
  91         AUTH_RETURN;
  92     }
  93     if (on( SMB_DEBUG, ctrl )) {
  94         _log_err( LOG_DEBUG, "username [%s] obtained", name );
  95     }
  96
  97     if (!initialize_password_db()) {
  98         _log_err( LOG_ALERT, "Cannot access samba password database" );
  99         retval = PAM_AUTHINFO_UNAVAIL;
 100         AUTH_RETURN;
 101     }
 102
 103     smb_pwent = getsmbpwnam( name );
 104
 105     if (on( SMB_MIGRATE, ctrl )) {
 106         retval = _smb_add_user(pamh, ctrl, name, smb_pwent);
 107         AUTH_RETURN;
 108     }
 109
 110     if (smb_pwent == NULL) {
 111         _log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
 112         retval = PAM_USER_UNKNOWN;
 113         AUTH_RETURN;
 114     }
 115
 116     /* if this user does not have a password... */
 117
 118     if (_smb_blankpasswd( ctrl, smb_pwent )) {
 119         smb_pwent = NULL;
 120         retval = PAM_SUCCESS;
 121         AUTH_RETURN;
 122     }
 123
 124     /* get this user's authentication token */
 125
 126     retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL
 127                                  , _SMB_AUTHTOK, &p);
 128     if (retval != PAM_SUCCESS ) {
 129         _log_err(LOG_CRIT, "auth: no password provided for [%s]"
 130                  , name);
 131         smb_pwent = NULL;
 132         AUTH_RETURN;
 133     }
 134
 135     /* verify the password of this user */
 136
 137     retval = _smb_verify_password( pamh, smb_pwent, p, ctrl );
 138     smb_pwent = NULL;
 139     p = NULL;
 140     AUTH_RETURN;
 141 }
 142
 143 /*
 144  * This function is for setting samba credentials.  If anyone comes up
 145  * with any credentials they think should be set, let me know.
 146  */
 147
 148 int pam_sm_setcred(pam_handle_t *pamh, int flags,
 149                    int argc, const char **argv)
 150 {
 151     int retval, *pretval = NULL;
 152
 153     retval = PAM_SUCCESS;
 154
 155     pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval);
 156     if(pretval) {
 157         retval = *pretval;
 158         free(pretval);
 159     }
 160     pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
 161
 162     return retval;
 163 }
 164
 165
 166 /* Helper function for adding a user to the db. */
 167 static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
 168                          const char *name, struct smb_passwd *smb_pwent)
 169 {
 170     pstring err_str;
 171     pstring msg_str;
 172     const char *pass = NULL;
 173     int retval;
 174
 175     err_str[0] = '\0';
 176     msg_str[0] = '\0';
 177
 178     /* Get the authtok; if we don't have one, silently fail. */
 179     retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
 180
 181     if (retval != PAM_SUCCESS) {
 182         _log_err( LOG_ALERT
 183                   , "pam_get_item returned error to pam_sm_authenticate" );
 184         return PAM_AUTHTOK_RECOVER_ERR;
 185     } else if (pass == NULL) {
 186         return PAM_AUTHTOK_RECOVER_ERR;
 187     }
 188
 189     /* Add the user to the db if they aren't already there. */
 190     if (smb_pwent == NULL) {
 191         retval = local_password_change( name, LOCAL_ADD_USER,
 192                                          pass, err_str,
 193                                          sizeof(err_str),
 194                                          msg_str, sizeof(msg_str) );
 195         if (!retval && *err_str)
 196         {
 197             err_str[PSTRING_LEN-1] = '\0';
 198             make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
 199         }
 200         else if (*msg_str)
 201         {
 202             msg_str[PSTRING_LEN-1] = '\0';
 203             make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
 204         }
 205         pass = NULL;
 206
 207         return PAM_IGNORE;
 208     }
 209
 210     /* Change the user's password IFF it's null. */
 211     if (smb_pwent->smb_passwd == NULL && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
 212     {
 213         retval = local_password_change( name, 0,
 214                                          pass, err_str,
 215                                          sizeof(err_str),
 216                                          msg_str, sizeof(msg_str) );
 217         if (!retval && *err_str)
 218         {
 219             err_str[PSTRING_LEN-1] = '\0';
 220             make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
 221         }
 222         else if (*msg_str)
 223         {
 224             msg_str[PSTRING_LEN-1] = '\0';
 225             make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
 226         }
 227     }
 228     pass = NULL;
 229
 230     return PAM_IGNORE;
 231 }
 232
 233
 234 /* static module data */
 235 #ifdef PAM_STATIC
 236 struct pam_module _pam_smbpass_auth_modstruct = {
 237      "pam_smbpass",
 238      pam_sm_authenticate,
 239      pam_sm_setcred,
 240      NULL,
 241      NULL,
 242      NULL,
 243      NULL
 244 };
 245 #endif
 246