3 Copyright Andrew Tridgell <tridge@samba.org> 2000
4 Copyright Tim Potter <tpot@samba.org> 2000
5 Copyright Andrew Bartlett <abartlet@samba.org> 2002
6 Copyright Guenther Deschner <gd@samba.org> 2005-2007
8 largely based on pam_userdb by Cristian Gafton <gafton@redhat.com>
9 also contains large slabs of code from pam_unix by Elliot Lee <sopwith@redhat.com>
10 (see copyright below for full details)
13 #include "pam_winbind.h"
15 #define _PAM_LOG_FUNCTION_ENTER(function, pamh, ctrl, flags) \
17 _pam_log_debug(pamh, ctrl, LOG_DEBUG, "[pamh: 0x%08x] ENTER: " function " (flags: 0x%04x)", (uint32) pamh, flags); \
18 _pam_log_state(pamh, ctrl); \
21 #define _PAM_LOG_FUNCTION_LEAVE(function, pamh, ctrl, retval) \
23 _pam_log_debug(pamh, ctrl, LOG_DEBUG, "[pamh: 0x%08x] LEAVE: " function " returning %d", (uint32) pamh, retval); \
24 _pam_log_state(pamh, ctrl); \
29 #define MAX_PASSWD_TRIES 3
32 * Work around the pam API that has functions with void ** as parameters.
33 * These lead to strict aliasing warnings with gcc.
35 static int _pam_get_item(const pam_handle_t
*pamh
, int item_type
,
38 const void **item
= (const void **)_item
;
39 return pam_get_item(pamh
, item_type
, item
);
41 static int _pam_get_data(const pam_handle_t
*pamh
,
42 const char *module_data_name
, const void *_data
)
44 const void **data
= (const void **)_data
;
45 return pam_get_data(pamh
, module_data_name
, data
);
50 #ifdef HAVE_PAM_VSYSLOG
51 static void _pam_log_int(const pam_handle_t
*pamh
, int err
, const char *format
, va_list args
)
53 pam_vsyslog(pamh
, err
, format
, args
);
56 static void _pam_log_int(const pam_handle_t
*pamh
, int err
, const char *format
, va_list args
)
61 _pam_get_item(pamh
, PAM_SERVICE
, &service
);
63 format2
= malloc(strlen(MODULE_NAME
)+strlen(format
)+strlen(service
)+5);
64 if (format2
== NULL
) {
65 /* what else todo ? */
66 vsyslog(err
, format
, args
);
70 sprintf(format2
, "%s(%s): %s", MODULE_NAME
, service
, format
);
71 vsyslog(err
, format2
, args
);
74 #endif /* HAVE_PAM_VSYSLOG */
76 static BOOL
_pam_log_is_silent(int ctrl
)
78 return on(ctrl
, WINBIND_SILENT
);
81 static void _pam_log(const pam_handle_t
*pamh
, int ctrl
, int err
, const char *format
, ...)
85 if (_pam_log_is_silent(ctrl
)) {
89 va_start(args
, format
);
90 _pam_log_int(pamh
, err
, format
, args
);
94 static BOOL
_pam_log_is_debug_enabled(int ctrl
)
100 if (_pam_log_is_silent(ctrl
)) {
104 if (!(ctrl
& WINBIND_DEBUG_ARG
)) {
111 static BOOL
_pam_log_is_debug_state_enabled(int ctrl
)
113 if (!(ctrl
& WINBIND_DEBUG_STATE
)) {
117 return _pam_log_is_debug_enabled(ctrl
);
120 static void _pam_log_debug(const pam_handle_t
*pamh
, int ctrl
, int err
, const char *format
, ...)
124 if (!_pam_log_is_debug_enabled(ctrl
)) {
128 va_start(args
, format
);
129 _pam_log_int(pamh
, err
, format
, args
);
133 static void _pam_log_state_datum(const pam_handle_t
*pamh
, int ctrl
, int item_type
, const char *key
, int is_string
)
135 const void *data
= NULL
;
136 if (item_type
!= 0) {
137 pam_get_item(pamh
, item_type
, &data
);
139 pam_get_data(pamh
, key
, &data
);
142 const char *type
= (item_type
!= 0) ? "ITEM" : "DATA";
143 if (is_string
!= 0) {
144 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "[pamh: 0x%08x] STATE: %s(%s) = \"%s\" (0x%08x)", (uint32
) pamh
, type
, key
, (const char *) data
, (uint32
) data
);
146 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "[pamh: 0x%08x] STATE: %s(%s) = 0x%08x", (uint32
) pamh
, type
, key
, (uint32
) data
);
151 #define _PAM_LOG_STATE_DATA_POINTER(pamh, ctrl, module_data_name) \
152 _pam_log_state_datum(pamh, ctrl, 0, module_data_name, 0)
154 #define _PAM_LOG_STATE_DATA_STRING(pamh, ctrl, module_data_name) \
155 _pam_log_state_datum(pamh, ctrl, 0, module_data_name, 1)
157 #define _PAM_LOG_STATE_ITEM_POINTER(pamh, ctrl, item_type) \
158 _pam_log_state_datum(pamh, ctrl, item_type, #item_type, 0)
160 #define _PAM_LOG_STATE_ITEM_STRING(pamh, ctrl, item_type) \
161 _pam_log_state_datum(pamh, ctrl, item_type, #item_type, 1)
163 #ifdef DEBUG_PASSWORD
164 #define _LOG_PASSWORD_AS_STRING 1
166 #define _LOG_PASSWORD_AS_STRING 0
169 #define _PAM_LOG_STATE_ITEM_PASSWORD(pamh, ctrl, item_type) \
170 _pam_log_state_datum(pamh, ctrl, item_type, #item_type, _LOG_PASSWORD_AS_STRING)
172 static void _pam_log_state(const pam_handle_t
*pamh
, int ctrl
)
174 if (!_pam_log_is_debug_state_enabled(ctrl
)) {
178 _PAM_LOG_STATE_ITEM_STRING(pamh
, ctrl
, PAM_SERVICE
);
179 _PAM_LOG_STATE_ITEM_STRING(pamh
, ctrl
, PAM_USER
);
180 _PAM_LOG_STATE_ITEM_STRING(pamh
, ctrl
, PAM_TTY
);
181 _PAM_LOG_STATE_ITEM_STRING(pamh
, ctrl
, PAM_RHOST
);
182 _PAM_LOG_STATE_ITEM_STRING(pamh
, ctrl
, PAM_RUSER
);
183 _PAM_LOG_STATE_ITEM_PASSWORD(pamh
, ctrl
, PAM_OLDAUTHTOK
);
184 _PAM_LOG_STATE_ITEM_PASSWORD(pamh
, ctrl
, PAM_AUTHTOK
);
185 _PAM_LOG_STATE_ITEM_STRING(pamh
, ctrl
, PAM_USER_PROMPT
);
186 _PAM_LOG_STATE_ITEM_POINTER(pamh
, ctrl
, PAM_CONV
);
187 #ifdef PAM_FAIL_DELAY
188 _PAM_LOG_STATE_ITEM_POINTER(pamh
, ctrl
, PAM_FAIL_DELAY
);
190 #ifdef PAM_REPOSITORY
191 _PAM_LOG_STATE_ITEM_POINTER(pamh
, ctrl
, PAM_REPOSITORY
);
194 _PAM_LOG_STATE_DATA_STRING(pamh
, ctrl
, PAM_WINBIND_HOMEDIR
);
195 _PAM_LOG_STATE_DATA_STRING(pamh
, ctrl
, PAM_WINBIND_LOGONSCRIPT
);
196 _PAM_LOG_STATE_DATA_STRING(pamh
, ctrl
, PAM_WINBIND_LOGONSERVER
);
197 _PAM_LOG_STATE_DATA_STRING(pamh
, ctrl
, PAM_WINBIND_PROFILEPATH
);
198 _PAM_LOG_STATE_DATA_STRING(pamh
, ctrl
, PAM_WINBIND_NEW_AUTHTOK_REQD
); /* Use atoi to get PAM result code */
199 _PAM_LOG_STATE_DATA_POINTER(pamh
, ctrl
, PAM_WINBIND_PWD_LAST_SET
);
202 static int _pam_parse(const pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
, dictionary
**result_d
)
205 const char *config_file
= NULL
;
208 dictionary
*d
= NULL
;
210 if (flags
& PAM_SILENT
) {
211 ctrl
|= WINBIND_SILENT
;
214 for (i
=argc
,v
=argv
; i
-- > 0; ++v
) {
215 if (!strncasecmp(*v
, "config", strlen("config"))) {
216 ctrl
|= WINBIND_CONFIG_FILE
;
222 if (config_file
== NULL
) {
223 config_file
= PAM_WINBIND_CONFIG_FILE
;
226 d
= iniparser_load(config_file
);
228 goto config_from_pam
;
231 if (iniparser_getboolean(d
, "global:debug", False
)) {
232 ctrl
|= WINBIND_DEBUG_ARG
;
235 if (iniparser_getboolean(d
, "global:debug_state", False
)) {
236 ctrl
|= WINBIND_DEBUG_STATE
;
239 if (iniparser_getboolean(d
, "global:cached_login", False
)) {
240 ctrl
|= WINBIND_CACHED_LOGIN
;
243 if (iniparser_getboolean(d
, "global:krb5_auth", False
)) {
244 ctrl
|= WINBIND_KRB5_AUTH
;
247 if (iniparser_getboolean(d
, "global:silent", False
)) {
248 ctrl
|= WINBIND_SILENT
;
251 if (iniparser_getstr(d
, "global:krb5_ccache_type") != NULL
) {
252 ctrl
|= WINBIND_KRB5_CCACHE_TYPE
;
255 if ((iniparser_getstr(d
, "global:require-membership-of") != NULL
) ||
256 (iniparser_getstr(d
, "global:require_membership_of") != NULL
)) {
257 ctrl
|= WINBIND_REQUIRED_MEMBERSHIP
;
260 if (iniparser_getboolean(d
, "global:try_first_pass", False
)) {
261 ctrl
|= WINBIND_TRY_FIRST_PASS_ARG
;
265 /* step through arguments */
266 for (i
=argc
,v
=argv
; i
-- > 0; ++v
) {
268 /* generic options */
269 if (!strcmp(*v
,"debug"))
270 ctrl
|= WINBIND_DEBUG_ARG
;
271 else if (!strcasecmp(*v
, "debug_state"))
272 ctrl
|= WINBIND_DEBUG_STATE
;
273 else if (!strcasecmp(*v
, "use_authtok"))
274 ctrl
|= WINBIND_USE_AUTHTOK_ARG
;
275 else if (!strcasecmp(*v
, "use_first_pass"))
276 ctrl
|= WINBIND_USE_FIRST_PASS_ARG
;
277 else if (!strcasecmp(*v
, "try_first_pass"))
278 ctrl
|= WINBIND_TRY_FIRST_PASS_ARG
;
279 else if (!strcasecmp(*v
, "unknown_ok"))
280 ctrl
|= WINBIND_UNKNOWN_OK_ARG
;
281 else if (!strncasecmp(*v
, "require_membership_of", strlen("require_membership_of")))
282 ctrl
|= WINBIND_REQUIRED_MEMBERSHIP
;
283 else if (!strncasecmp(*v
, "require-membership-of", strlen("require-membership-of")))
284 ctrl
|= WINBIND_REQUIRED_MEMBERSHIP
;
285 else if (!strcasecmp(*v
, "krb5_auth"))
286 ctrl
|= WINBIND_KRB5_AUTH
;
287 else if (!strncasecmp(*v
, "krb5_ccache_type", strlen("krb5_ccache_type")))
288 ctrl
|= WINBIND_KRB5_CCACHE_TYPE
;
289 else if (!strcasecmp(*v
, "cached_login"))
290 ctrl
|= WINBIND_CACHED_LOGIN
;
292 _pam_log(pamh
, ctrl
, LOG_ERR
, "pam_parse: unknown option: %s", *v
);
302 iniparser_freedict(d
);
309 static void _pam_winbind_cleanup_func(pam_handle_t
*pamh
, void *data
, int error_status
)
311 int ctrl
= _pam_parse(pamh
, 0, 0, NULL
, NULL
);
312 if (_pam_log_is_debug_state_enabled(ctrl
)) {
313 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "[pamh: 0x%08x] CLEAN: cleaning up PAM data 0x%08x (error_status = %d)", (uint32
) pamh
, (uint32
) data
, error_status
);
319 static const struct ntstatus_errors
{
320 const char *ntstatus_string
;
321 const char *error_string
;
322 } ntstatus_errors
[] = {
323 {"NT_STATUS_OK", "Success"},
324 {"NT_STATUS_BACKUP_CONTROLLER", "No primary Domain Controler available"},
325 {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND", "No domain controllers found"},
326 {"NT_STATUS_NO_LOGON_SERVERS", "No logon servers"},
327 {"NT_STATUS_PWD_TOO_SHORT", "Password too short"},
328 {"NT_STATUS_PWD_TOO_RECENT", "The password of this user is too recent to change"},
329 {"NT_STATUS_PWD_HISTORY_CONFLICT", "Password is already in password history"},
330 {"NT_STATUS_PASSWORD_EXPIRED", "Your password has expired"},
331 {"NT_STATUS_PASSWORD_MUST_CHANGE", "You need to change your password now"},
332 {"NT_STATUS_INVALID_WORKSTATION", "You are not allowed to logon from this workstation"},
333 {"NT_STATUS_INVALID_LOGON_HOURS", "You are not allowed to logon at this time"},
334 {"NT_STATUS_ACCOUNT_EXPIRED", "Your account has expired. Please contact your System administrator"}, /* SCNR */
335 {"NT_STATUS_ACCOUNT_DISABLED", "Your account is disabled. Please contact your System administrator"}, /* SCNR */
336 {"NT_STATUS_ACCOUNT_LOCKED_OUT", "Your account has been locked. Please contact your System administrator"}, /* SCNR */
337 {"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT", "Invalid Trust Account"},
338 {"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT", "Invalid Trust Account"},
339 {"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT", "Invalid Trust Account"},
340 {"NT_STATUS_ACCESS_DENIED", "Access is denied"},
344 const char *_get_ntstatus_error_string(const char *nt_status_string
)
347 for (i
=0; ntstatus_errors
[i
].ntstatus_string
!= NULL
; i
++) {
348 if (!strcasecmp(ntstatus_errors
[i
].ntstatus_string
, nt_status_string
)) {
349 return ntstatus_errors
[i
].error_string
;
355 /* --- authentication management functions --- */
357 /* Attempt a conversation */
359 static int converse(pam_handle_t
*pamh
, int nargs
,
360 struct pam_message
**message
,
361 struct pam_response
**response
)
364 struct pam_conv
*conv
;
366 retval
= _pam_get_item(pamh
, PAM_CONV
, &conv
);
367 if (retval
== PAM_SUCCESS
) {
368 retval
= conv
->conv(nargs
, (const struct pam_message
**)message
,
369 response
, conv
->appdata_ptr
);
372 return retval
; /* propagate error status */
376 static int _make_remark(pam_handle_t
* pamh
, int flags
, int type
, const char *text
)
378 int retval
= PAM_SUCCESS
;
380 struct pam_message
*pmsg
[1], msg
[1];
381 struct pam_response
*resp
;
383 if (flags
& WINBIND_SILENT
) {
388 msg
[0].msg
= CONST_DISCARD(char *, text
);
389 msg
[0].msg_style
= type
;
392 retval
= converse(pamh
, 1, pmsg
, &resp
);
395 _pam_drop_reply(resp
, 1);
400 static int _make_remark_v(pam_handle_t
* pamh
, int flags
, int type
, const char *format
, va_list args
)
405 ret
= vasprintf(&var
, format
, args
);
407 _pam_log(pamh
, 0, LOG_ERR
, "memory allocation failure");
411 ret
= _make_remark(pamh
, flags
, type
, var
);
416 static int _make_remark_format(pam_handle_t
* pamh
, int flags
, int type
, const char *format
, ...)
421 va_start(args
, format
);
422 ret
= _make_remark_v(pamh
, flags
, type
, format
, args
);
427 static int pam_winbind_request(pam_handle_t
* pamh
, int ctrl
,
428 enum winbindd_cmd req_type
,
429 struct winbindd_request
*request
,
430 struct winbindd_response
*response
)
432 /* Fill in request and send down pipe */
433 init_request(request
, req_type
);
435 if (write_sock(request
, sizeof(*request
), 0) == -1) {
436 _pam_log(pamh
, ctrl
, LOG_ERR
, "pam_winbind_request: write to socket failed!");
438 return PAM_SERVICE_ERR
;
442 if (read_reply(response
) == -1) {
443 _pam_log(pamh
, ctrl
, LOG_ERR
, "pam_winbind_request: read from socket failed!");
445 return PAM_SERVICE_ERR
;
448 /* We are done with the socket - close it and avoid mischeif */
451 /* Copy reply data from socket */
452 if (response
->result
== WINBINDD_OK
) {
456 /* no need to check for pam_error codes for getpwnam() */
459 case WINBINDD_GETPWNAM
:
460 case WINBINDD_LOOKUPNAME
:
461 _pam_log(pamh
, ctrl
, LOG_ERR
, "request failed: %s, NT error was %s",
462 response
->data
.auth
.nt_status_string
);
463 return PAM_USER_UNKNOWN
;
468 if (response
->data
.auth
.pam_error
!= PAM_SUCCESS
) {
469 _pam_log(pamh
, ctrl
, LOG_ERR
, "request failed: %s, PAM error was %s (%d), NT error was %s",
470 response
->data
.auth
.error_string
,
471 pam_strerror(pamh
, response
->data
.auth
.pam_error
),
472 response
->data
.auth
.pam_error
,
473 response
->data
.auth
.nt_status_string
);
474 return response
->data
.auth
.pam_error
;
477 _pam_log(pamh
, ctrl
, LOG_ERR
, "request failed, but PAM error 0!");
479 return PAM_SERVICE_ERR
;
482 static int pam_winbind_request_log(pam_handle_t
* pamh
,
484 enum winbindd_cmd req_type
,
485 struct winbindd_request
*request
,
486 struct winbindd_response
*response
,
491 retval
= pam_winbind_request(pamh
, ctrl
, req_type
, request
, response
);
495 /* incorrect password */
496 _pam_log(pamh
, ctrl
, LOG_WARNING
, "user '%s' denied access (incorrect password or invalid membership)", user
);
498 case PAM_ACCT_EXPIRED
:
499 /* account expired */
500 _pam_log(pamh
, ctrl
, LOG_WARNING
, "user '%s' account expired", user
);
502 case PAM_AUTHTOK_EXPIRED
:
503 /* password expired */
504 _pam_log(pamh
, ctrl
, LOG_WARNING
, "user '%s' password expired", user
);
506 case PAM_NEW_AUTHTOK_REQD
:
507 /* new password required */
508 _pam_log(pamh
, ctrl
, LOG_WARNING
, "user '%s' new password required", user
);
510 case PAM_USER_UNKNOWN
:
511 /* the user does not exist */
512 _pam_log_debug(pamh
, ctrl
, LOG_NOTICE
, "user '%s' not found", user
);
513 if (ctrl
& WINBIND_UNKNOWN_OK_ARG
) {
518 if (req_type
== WINBINDD_PAM_AUTH
) {
519 /* Otherwise, the authentication looked good */
520 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user '%s' granted access", user
);
521 } else if (req_type
== WINBINDD_PAM_CHAUTHTOK
) {
522 /* Otherwise, the authentication looked good */
523 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user '%s' password changed", user
);
525 /* Otherwise, the authentication looked good */
526 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user '%s' OK", user
);
531 /* we don't know anything about this return value */
532 _pam_log(pamh
, ctrl
, LOG_ERR
, "internal module error (retval = %d, user = '%s')",
538 static BOOL
_pam_send_password_expiry_message(pam_handle_t
*pamh
, int ctrl
, time_t next_change
, time_t now
)
541 struct tm tm_now
, tm_next_change
;
543 if ((next_change
< 0) ||
544 (next_change
< now
) ||
545 (next_change
> now
+ DAYS_TO_WARN_BEFORE_PWD_EXPIRES
* SECONDS_PER_DAY
)) {
549 if ((localtime_r(&now
, &tm_now
) == NULL
) ||
550 (localtime_r(&next_change
, &tm_next_change
) == NULL
)) {
554 days
= (tm_next_change
.tm_yday
+tm_next_change
.tm_year
*365) - (tm_now
.tm_yday
+tm_now
.tm_year
*365);
557 _make_remark(pamh
, ctrl
, PAM_TEXT_INFO
, "Your password expires today");
561 if (days
> 0 && days
< DAYS_TO_WARN_BEFORE_PWD_EXPIRES
) {
562 _make_remark_format(pamh
, ctrl
, PAM_TEXT_INFO
, "Your password will expire in %d %s",
563 days
, (days
> 1) ? "days":"day");
570 static void _pam_warn_password_expires_in_future(pam_handle_t
*pamh
, int ctrl
, struct winbindd_response
*response
)
572 time_t now
= time(NULL
);
573 time_t next_change
= 0;
575 /* accounts with ACB_PWNOEXP set never receive a warning */
576 if (response
->data
.auth
.info3
.acct_flags
& ACB_PWNOEXP
) {
580 /* no point in sending a warning if this is a grace logon */
581 if (PAM_WB_GRACE_LOGON(response
->data
.auth
.info3
.user_flgs
)) {
585 /* check if the info3 must change timestamp has been set */
586 next_change
= response
->data
.auth
.info3
.pass_must_change_time
;
588 if (_pam_send_password_expiry_message(pamh
, ctrl
, next_change
, now
)) {
592 /* now check for the global password policy */
593 if (response
->data
.auth
.policy
.expire
<= 0) {
597 next_change
= response
->data
.auth
.info3
.pass_last_set_time
+
598 response
->data
.auth
.policy
.expire
;
600 if (_pam_send_password_expiry_message(pamh
, ctrl
, next_change
, now
)) {
604 /* no warning sent */
607 #define IS_SID_STRING(name) (strncmp("S-", name, 2) == 0)
609 static BOOL
safe_append_string(char *dest
,
611 int dest_buffer_size
)
613 * Append a string, making sure not to overflow and to always return a NULL-terminated
616 * @param dest Destination string buffer (must already be NULL-terminated).
617 * @param src Source string buffer.
618 * @param dest_buffer_size Size of dest buffer in bytes.
620 * @return False if dest buffer is not big enough (no bytes copied), True on success.
623 int dest_length
= strlen(dest
);
624 int src_length
= strlen(src
);
626 if ( dest_length
+ src_length
+ 1 > dest_buffer_size
) {
630 memcpy(dest
+ dest_length
, src
, src_length
+ 1);
634 static BOOL
winbind_name_to_sid_string(pam_handle_t
*pamh
,
638 char *sid_list_buffer
,
639 int sid_list_buffer_size
)
641 * Convert a names into a SID string, appending it to a buffer.
643 * @param pamh PAM handle
644 * @param ctrl PAM winbind options.
645 * @param user User in PAM request.
646 * @param name Name to convert.
647 * @param sid_list_buffer Where to append the string sid.
648 * @param sid_list_buffer Size of sid_list_buffer (in bytes).
650 * @return False on failure, True on success.
653 const char* sid_string
;
654 struct winbindd_response sid_response
;
657 if (IS_SID_STRING(name
)) {
660 struct winbindd_request sid_request
;
662 ZERO_STRUCT(sid_request
);
663 ZERO_STRUCT(sid_response
);
665 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "no sid given, looking up: %s\n", name
);
667 /* fortunatly winbindd can handle non-separated names */
668 strncpy(sid_request
.data
.name
.name
, name
,
669 sizeof(sid_request
.data
.name
.name
) - 1);
671 if (pam_winbind_request_log(pamh
, ctrl
, WINBINDD_LOOKUPNAME
, &sid_request
, &sid_response
, user
)) {
672 _pam_log(pamh
, ctrl
, LOG_INFO
, "could not lookup name: %s\n", name
);
676 sid_string
= sid_response
.data
.sid
.sid
;
679 if (!safe_append_string(sid_list_buffer
, sid_string
, sid_list_buffer_size
)) {
686 static BOOL
winbind_name_list_to_sid_string_list(pam_handle_t
*pamh
,
689 const char *name_list
,
690 char *sid_list_buffer
,
691 int sid_list_buffer_size
)
693 * Convert a list of names into a list of sids.
695 * @param pamh PAM handle
696 * @param ctrl PAM winbind options.
697 * @param user User in PAM request.
698 * @param name_list List of names or string sids, separated by commas.
699 * @param sid_list_buffer Where to put the list of string sids.
700 * @param sid_list_buffer Size of sid_list_buffer (in bytes).
702 * @return False on failure, True on success.
706 char *current_name
= NULL
;
707 const char *search_location
;
710 if ( sid_list_buffer_size
> 0 ) {
711 sid_list_buffer
[0] = 0;
714 search_location
= name_list
;
715 while ( (comma
= strstr(search_location
, ",")) != NULL
) {
716 current_name
= strndup(search_location
, comma
- search_location
);
717 if (NULL
== current_name
) {
721 if (!winbind_name_to_sid_string(pamh
, ctrl
, user
, current_name
, sid_list_buffer
, sid_list_buffer_size
)) {
725 SAFE_FREE(current_name
);
727 if (!safe_append_string(sid_list_buffer
, ",", sid_list_buffer_size
)) {
731 search_location
= comma
+ 1;
734 if (!winbind_name_to_sid_string(pamh
, ctrl
, user
, search_location
, sid_list_buffer
, sid_list_buffer_size
)) {
741 SAFE_FREE(current_name
);
746 * Set string into the PAM stack.
748 * @param pamh PAM handle
749 * @param ctrl PAM winbind options.
750 * @param data_name Key name for pam_set_data.
751 * @param value String value.
756 static void _pam_set_data_string(pam_handle_t
*pamh
, int ctrl
, const char *data_name
, const char *value
)
760 if ( !data_name
|| !value
|| (strlen(data_name
) == 0) || (strlen(value
) == 0) ) {
764 ret
= pam_set_data(pamh
, data_name
, (void *)strdup(value
), _pam_winbind_cleanup_func
);
766 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "Could not set data %s: %s\n",
767 data_name
, pam_strerror(pamh
, ret
));
773 * Set info3 strings into the PAM stack.
775 * @param pamh PAM handle
776 * @param ctrl PAM winbind options.
777 * @param data_name Key name for pam_set_data.
778 * @param value String value.
783 static void _pam_set_data_info3(pam_handle_t
*pamh
, int ctrl
, struct winbindd_response
*response
)
785 _pam_set_data_string(pamh
, ctrl
, PAM_WINBIND_HOMEDIR
, response
->data
.auth
.info3
.home_dir
);
786 _pam_set_data_string(pamh
, ctrl
, PAM_WINBIND_LOGONSCRIPT
, response
->data
.auth
.info3
.logon_script
);
787 _pam_set_data_string(pamh
, ctrl
, PAM_WINBIND_LOGONSERVER
, response
->data
.auth
.info3
.logon_srv
);
788 _pam_set_data_string(pamh
, ctrl
, PAM_WINBIND_PROFILEPATH
, response
->data
.auth
.info3
.profile_path
);
792 * Free info3 strings in the PAM stack.
794 * @param pamh PAM handle
799 static void _pam_free_data_info3(pam_handle_t
*pamh
)
801 pam_set_data(pamh
, PAM_WINBIND_HOMEDIR
, NULL
, NULL
);
802 pam_set_data(pamh
, PAM_WINBIND_LOGONSCRIPT
, NULL
, NULL
);
803 pam_set_data(pamh
, PAM_WINBIND_LOGONSERVER
, NULL
, NULL
);
804 pam_set_data(pamh
, PAM_WINBIND_PROFILEPATH
, NULL
, NULL
);
808 * Compose Password Restriction String for a PAM_ERROR_MSG conversation.
810 * @param response The struct winbindd_response.
812 * @return string (caller needs to free).
815 static char *_pam_compose_pwd_restriction_string(struct winbindd_response
*response
)
818 size_t offset
= 0, ret
= 0, str_size
= 1024;
820 str
= (char *)malloc(str_size
);
825 memset(str
, '\0', str_size
);
827 offset
= snprintf(str
, str_size
, "Your password ");
832 if (response
->data
.auth
.policy
.min_length_password
> 0) {
833 ret
= snprintf(str
+offset
, str_size
-offset
,
834 "must be at least %d characters; ",
835 response
->data
.auth
.policy
.min_length_password
);
842 if (response
->data
.auth
.policy
.password_history
> 0) {
843 ret
= snprintf(str
+offset
, str_size
-offset
,
844 "cannot repeat any of your previous %d passwords; ",
845 response
->data
.auth
.policy
.password_history
);
852 if (response
->data
.auth
.policy
.password_properties
& DOMAIN_PASSWORD_COMPLEX
) {
853 ret
= snprintf(str
+offset
, str_size
-offset
,
854 "must contain capitals, numerals or punctuation; "
855 "and cannot contain your account or full name; ");
862 ret
= snprintf(str
+offset
, str_size
-offset
,
863 "Please type a different password. "
864 "Type a password which meets these requirements in both text boxes.");
876 /* talk to winbindd */
877 static int winbind_auth_request(pam_handle_t
* pamh
,
883 struct winbindd_response
*p_response
,
884 time_t *pwd_last_set
,
887 struct winbindd_request request
;
888 struct winbindd_response response
;
891 ZERO_STRUCT(request
);
892 ZERO_STRUCT(response
);
898 strncpy(request
.data
.auth
.user
, user
,
899 sizeof(request
.data
.auth
.user
)-1);
901 strncpy(request
.data
.auth
.pass
, pass
,
902 sizeof(request
.data
.auth
.pass
)-1);
904 request
.data
.auth
.krb5_cc_type
[0] = '\0';
905 request
.data
.auth
.uid
= -1;
907 request
.flags
= WBFLAG_PAM_INFO3_TEXT
| WBFLAG_PAM_CONTACT_TRUSTDOM
;
909 if (ctrl
& WINBIND_KRB5_AUTH
) {
911 struct passwd
*pwd
= NULL
;
913 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "enabling krb5 login flag\n");
915 request
.flags
|= WBFLAG_PAM_KRB5
| WBFLAG_PAM_FALLBACK_AFTER_KRB5
;
917 pwd
= getpwnam(user
);
919 return PAM_USER_UNKNOWN
;
921 request
.data
.auth
.uid
= pwd
->pw_uid
;
924 if (ctrl
& WINBIND_CACHED_LOGIN
) {
925 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "enabling cached login flag\n");
926 request
.flags
|= WBFLAG_PAM_CACHED_LOGIN
;
931 request
.flags
|= WBFLAG_PAM_UNIX_NAME
;
934 if (cctype
!= NULL
) {
935 strncpy(request
.data
.auth
.krb5_cc_type
, cctype
,
936 sizeof(request
.data
.auth
.krb5_cc_type
) - 1);
937 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "enabling request for a %s krb5 ccache\n", cctype
);
940 request
.data
.auth
.require_membership_of_sid
[0] = '\0';
942 if (member
!= NULL
) {
944 if (!winbind_name_list_to_sid_string_list(pamh
, ctrl
, user
, member
,
945 request
.data
.auth
.require_membership_of_sid
,
946 sizeof(request
.data
.auth
.require_membership_of_sid
))) {
948 _pam_log_debug(pamh
, ctrl
, LOG_ERR
, "failed to serialize membership of sid \"%s\"\n", member
);
953 ret
= pam_winbind_request_log(pamh
, ctrl
, WINBINDD_PAM_AUTH
, &request
, &response
, user
);
956 *pwd_last_set
= response
.data
.auth
.info3
.pass_last_set_time
;
959 if ((ctrl
& WINBIND_KRB5_AUTH
) &&
960 response
.data
.auth
.krb5ccname
[0] != '\0') {
964 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "request returned KRB5CCNAME: %s",
965 response
.data
.auth
.krb5ccname
);
967 snprintf(var
, sizeof(var
), "KRB5CCNAME=%s", response
.data
.auth
.krb5ccname
);
969 ret
= pam_putenv(pamh
, var
);
970 if (ret
!= PAM_SUCCESS
) {
971 _pam_log(pamh
, ctrl
, LOG_ERR
, "failed to set KRB5CCNAME to %s", var
);
977 /* We want to process the response in the caller. */
978 *p_response
= response
;
983 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_PASSWORD_EXPIRED");
984 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_PASSWORD_MUST_CHANGE");
985 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_INVALID_WORKSTATION");
986 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_INVALID_LOGON_HOURS");
987 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_ACCOUNT_EXPIRED");
988 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_ACCOUNT_DISABLED");
989 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_ACCOUNT_LOCKED_OUT");
990 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT");
991 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT");
992 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT");
993 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
994 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_NO_LOGON_SERVERS");
997 /* handle the case where the auth was ok, but the password must expire right now */
998 /* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
999 if ( ! (response
.data
.auth
.info3
.acct_flags
& ACB_PWNOEXP
) &&
1000 ! (PAM_WB_GRACE_LOGON(response
.data
.auth
.info3
.user_flgs
)) &&
1001 (response
.data
.auth
.policy
.expire
> 0) &&
1002 (response
.data
.auth
.info3
.pass_last_set_time
+ response
.data
.auth
.policy
.expire
< time(NULL
))) {
1004 ret
= PAM_AUTHTOK_EXPIRED
;
1006 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
,"Password has expired (Password was last set: %d, "
1007 "the policy says it should expire here %d (now it's: %d)\n",
1008 response
.data
.auth
.info3
.pass_last_set_time
,
1009 response
.data
.auth
.info3
.pass_last_set_time
+ response
.data
.auth
.policy
.expire
,
1012 PAM_WB_REMARK_DIRECT_RET(pamh
, ctrl
, "NT_STATUS_PASSWORD_EXPIRED");
1016 /* warn a user if the password is about to expire soon */
1017 _pam_warn_password_expires_in_future(pamh
, ctrl
, &response
);
1019 /* inform about logon type */
1020 if (PAM_WB_GRACE_LOGON(response
.data
.auth
.info3
.user_flgs
)) {
1022 _make_remark(pamh
, ctrl
, PAM_ERROR_MSG
,
1023 "Grace login. Please change your password as soon you're online again");
1024 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
,
1025 "User %s logged on using grace logon\n", user
);
1027 } else if (PAM_WB_CACHED_LOGON(response
.data
.auth
.info3
.user_flgs
)) {
1029 _make_remark(pamh
, ctrl
, PAM_ERROR_MSG
,
1030 "Logging on using cached account. Network resources can be unavailable");
1031 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
,
1032 "User %s logged on using cached account\n", user
);
1035 /* set some info3 info for other modules in the stack */
1036 _pam_set_data_info3(pamh
, ctrl
, &response
);
1038 /* If winbindd returned a username, return the pointer to it here. */
1039 if (user_ret
&& response
.extra_data
.data
) {
1040 /* We have to trust it's a null terminated string. */
1041 *user_ret
= (char *)response
.extra_data
.data
;
1047 /* talk to winbindd */
1048 static int winbind_chauthtok_request(pam_handle_t
* pamh
,
1051 const char *oldpass
,
1052 const char *newpass
,
1053 time_t pwd_last_set
)
1055 struct winbindd_request request
;
1056 struct winbindd_response response
;
1059 ZERO_STRUCT(request
);
1060 ZERO_STRUCT(response
);
1062 if (request
.data
.chauthtok
.user
== NULL
) return -2;
1064 strncpy(request
.data
.chauthtok
.user
, user
,
1065 sizeof(request
.data
.chauthtok
.user
) - 1);
1067 if (oldpass
!= NULL
) {
1068 strncpy(request
.data
.chauthtok
.oldpass
, oldpass
,
1069 sizeof(request
.data
.chauthtok
.oldpass
) - 1);
1071 request
.data
.chauthtok
.oldpass
[0] = '\0';
1074 if (newpass
!= NULL
) {
1075 strncpy(request
.data
.chauthtok
.newpass
, newpass
,
1076 sizeof(request
.data
.chauthtok
.newpass
) - 1);
1078 request
.data
.chauthtok
.newpass
[0] = '\0';
1081 if (ctrl
& WINBIND_KRB5_AUTH
) {
1082 request
.flags
= WBFLAG_PAM_KRB5
| WBFLAG_PAM_CONTACT_TRUSTDOM
;
1085 ret
= pam_winbind_request_log(pamh
, ctrl
, WINBINDD_PAM_CHAUTHTOK
, &request
, &response
, user
);
1087 if (ret
== PAM_SUCCESS
) {
1091 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_BACKUP_CONTROLLER");
1092 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1093 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_NO_LOGON_SERVERS");
1094 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_ACCESS_DENIED");
1096 /* TODO: tell the min pwd length ? */
1097 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_PWD_TOO_SHORT");
1099 /* TODO: tell the minage ? */
1100 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_PWD_TOO_RECENT");
1102 /* TODO: tell the history length ? */
1103 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
, response
, "NT_STATUS_PWD_HISTORY_CONFLICT");
1105 if (!strcasecmp(response
.data
.auth
.nt_status_string
, "NT_STATUS_PASSWORD_RESTRICTION")) {
1107 char *pwd_restriction_string
= NULL
;
1109 /* FIXME: avoid to send multiple PAM messages after another */
1110 switch (response
.data
.auth
.reject_reason
) {
1113 case REJECT_REASON_OTHER
:
1114 if ((response
.data
.auth
.policy
.min_passwordage
> 0) &&
1115 (pwd_last_set
+ response
.data
.auth
.policy
.min_passwordage
> time(NULL
))) {
1116 PAM_WB_REMARK_DIRECT(pamh
, ctrl
, "NT_STATUS_PWD_TOO_RECENT");
1119 case REJECT_REASON_TOO_SHORT
:
1120 PAM_WB_REMARK_DIRECT(pamh
, ctrl
, "NT_STATUS_PWD_TOO_SHORT");
1122 case REJECT_REASON_IN_HISTORY
:
1123 PAM_WB_REMARK_DIRECT(pamh
, ctrl
, "NT_STATUS_PWD_HISTORY_CONFLICT");
1125 case REJECT_REASON_NOT_COMPLEX
:
1126 _make_remark(pamh
, ctrl
, PAM_ERROR_MSG
, "Password does not meet complexity requirements");
1129 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
,
1130 "unknown password change reject reason: %d",
1131 response
.data
.auth
.reject_reason
);
1135 pwd_restriction_string
= _pam_compose_pwd_restriction_string(&response
);
1136 if (pwd_restriction_string
) {
1137 _make_remark(pamh
, ctrl
, PAM_ERROR_MSG
, pwd_restriction_string
);
1138 SAFE_FREE(pwd_restriction_string
);
1146 * Checks if a user has an account
1149 * 1 = User not found
1153 static int valid_user(pam_handle_t
*pamh
, int ctrl
, const char *user
)
1155 /* check not only if the user is available over NSS calls, also make
1156 * sure it's really a winbind user, this is important when stacking PAM
1157 * modules in the 'account' or 'password' facility. */
1159 struct passwd
*pwd
= NULL
;
1160 struct winbindd_request request
;
1161 struct winbindd_response response
;
1164 ZERO_STRUCT(request
);
1165 ZERO_STRUCT(response
);
1167 pwd
= getpwnam(user
);
1172 strncpy(request
.data
.username
, user
,
1173 sizeof(request
.data
.username
) - 1);
1175 ret
= pam_winbind_request_log(pamh
, ctrl
, WINBINDD_GETPWNAM
, &request
, &response
, user
);
1178 case PAM_USER_UNKNOWN
:
1188 static char *_pam_delete(register char *xx
)
1196 * obtain a password from the user
1199 static int _winbind_read_password(pam_handle_t
* pamh
,
1201 const char *comment
,
1202 const char *prompt1
,
1203 const char *prompt2
,
1211 _pam_log(pamh
, ctrl
, LOG_DEBUG
, "getting password (0x%08x)", ctrl
);
1214 * make sure nothing inappropriate gets returned
1217 *pass
= token
= NULL
;
1220 * which authentication token are we getting?
1223 authtok_flag
= on(WINBIND__OLD_PASSWORD
, ctrl
) ? PAM_OLDAUTHTOK
: PAM_AUTHTOK
;
1226 * should we obtain the password from a PAM item ?
1229 if (on(WINBIND_TRY_FIRST_PASS_ARG
, ctrl
) || on(WINBIND_USE_FIRST_PASS_ARG
, ctrl
)) {
1230 retval
= _pam_get_item(pamh
, authtok_flag
, &item
);
1231 if (retval
!= PAM_SUCCESS
) {
1233 _pam_log(pamh
, ctrl
, LOG_ALERT
,
1234 "pam_get_item returned error to unix-read-password"
1237 } else if (item
!= NULL
) { /* we have a password! */
1240 _pam_log(pamh
, ctrl
, LOG_DEBUG
,
1241 "pam_get_item returned a password");
1243 } else if (on(WINBIND_USE_FIRST_PASS_ARG
, ctrl
)) {
1244 return PAM_AUTHTOK_RECOVER_ERR
; /* didn't work */
1245 } else if (on(WINBIND_USE_AUTHTOK_ARG
, ctrl
)
1246 && off(WINBIND__OLD_PASSWORD
, ctrl
)) {
1247 return PAM_AUTHTOK_RECOVER_ERR
;
1251 * getting here implies we will have to get the password from the
1256 struct pam_message msg
[3], *pmsg
[3];
1257 struct pam_response
*resp
;
1260 /* prepare to converse */
1262 if (comment
!= NULL
&& off(ctrl
, WINBIND_SILENT
)) {
1264 msg
[0].msg_style
= PAM_TEXT_INFO
;
1265 msg
[0].msg
= CONST_DISCARD(char *, comment
);
1272 msg
[i
].msg_style
= PAM_PROMPT_ECHO_OFF
;
1273 msg
[i
++].msg
= CONST_DISCARD(char *, prompt1
);
1276 if (prompt2
!= NULL
) {
1278 msg
[i
].msg_style
= PAM_PROMPT_ECHO_OFF
;
1279 msg
[i
++].msg
= CONST_DISCARD(char *, prompt2
);
1282 /* so call the conversation expecting i responses */
1284 retval
= converse(pamh
, i
, pmsg
, &resp
);
1288 /* interpret the response */
1290 if (retval
== PAM_SUCCESS
) { /* a good conversation */
1292 token
= x_strdup(resp
[i
- replies
].resp
);
1293 if (token
!= NULL
) {
1295 /* verify that password entered correctly */
1296 if (!resp
[i
- 1].resp
1297 || strcmp(token
, resp
[i
- 1].resp
)) {
1298 _pam_delete(token
); /* mistyped */
1299 retval
= PAM_AUTHTOK_RECOVER_ERR
;
1300 _make_remark(pamh
, ctrl
, PAM_ERROR_MSG
, MISTYPED_PASS
);
1304 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "could not recover authentication token");
1305 retval
= PAM_AUTHTOK_RECOVER_ERR
;
1310 * tidy up the conversation (resp_retcode) is ignored
1311 * -- what is it for anyway? AGM
1314 _pam_drop_reply(resp
, i
);
1317 retval
= (retval
== PAM_SUCCESS
)
1318 ? PAM_AUTHTOK_RECOVER_ERR
: retval
;
1322 if (retval
!= PAM_SUCCESS
) {
1323 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
,
1324 "unable to obtain a password");
1327 /* 'token' is the entered password */
1329 /* we store this password as an item */
1331 retval
= pam_set_item(pamh
, authtok_flag
, token
);
1332 _pam_delete(token
); /* clean it up */
1333 if (retval
!= PAM_SUCCESS
||
1334 (retval
= _pam_get_item(pamh
, authtok_flag
, &item
)) != PAM_SUCCESS
) {
1336 _pam_log(pamh
, ctrl
, LOG_CRIT
, "error manipulating password");
1342 item
= NULL
; /* break link to password */
1347 const char *get_conf_item_string(const pam_handle_t
*pamh
,
1356 const char *parm_opt
= NULL
;
1359 if (!(ctrl
& config_flag
)) {
1363 /* let the pam opt take precedence over the pam_winbind.conf option */
1367 if (!asprintf(&key
, "global:%s", item
)) {
1371 parm_opt
= iniparser_getstr(d
, key
);
1375 for ( i
=0; i
<argc
; i
++ ) {
1377 if ((strncmp(argv
[i
], item
, strlen(item
)) == 0)) {
1380 if ( (p
= strchr( argv
[i
], '=' )) == NULL
) {
1381 _pam_log(pamh
, ctrl
, LOG_INFO
, "no \"=\" delimiter for \"%s\" found\n", item
);
1384 _pam_log_debug(pamh
, ctrl
, LOG_INFO
, "PAM config: %s '%s'\n", item
, p
+1);
1390 _pam_log_debug(pamh
, ctrl
, LOG_INFO
, "CONFIG file: %s '%s'\n", item
, parm_opt
);
1396 const char *get_krb5_cc_type_from_config(const pam_handle_t
*pamh
, int argc
, const char **argv
, int ctrl
, dictionary
*d
)
1398 return get_conf_item_string(pamh
, argc
, argv
, ctrl
, d
, "krb5_ccache_type", WINBIND_KRB5_CCACHE_TYPE
);
1401 const char *get_member_from_config(const pam_handle_t
*pamh
, int argc
, const char **argv
, int ctrl
, dictionary
*d
)
1403 const char *ret
= NULL
;
1404 ret
= get_conf_item_string(pamh
, argc
, argv
, ctrl
, d
, "require_membership_of", WINBIND_REQUIRED_MEMBERSHIP
);
1408 return get_conf_item_string(pamh
, argc
, argv
, ctrl
, d
, "require-membership-of", WINBIND_REQUIRED_MEMBERSHIP
);
1412 int pam_sm_authenticate(pam_handle_t
*pamh
, int flags
,
1413 int argc
, const char **argv
)
1415 const char *username
;
1416 const char *password
;
1417 const char *member
= NULL
;
1418 const char *cctype
= NULL
;
1419 int retval
= PAM_AUTH_ERR
;
1420 dictionary
*d
= NULL
;
1421 char *username_ret
= NULL
;
1422 char *new_authtok_required
= NULL
;
1424 /* parse arguments */
1425 int ctrl
= _pam_parse(pamh
, flags
, argc
, argv
, &d
);
1427 retval
= PAM_SYSTEM_ERR
;
1431 _PAM_LOG_FUNCTION_ENTER("pam_sm_authenticate", pamh
, ctrl
, flags
);
1433 /* Get the username */
1434 retval
= pam_get_user(pamh
, &username
, NULL
);
1435 if ((retval
!= PAM_SUCCESS
) || (!username
)) {
1436 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "can not get the username");
1437 retval
= PAM_SERVICE_ERR
;
1441 retval
= _winbind_read_password(pamh
, ctrl
, NULL
,
1445 if (retval
!= PAM_SUCCESS
) {
1446 _pam_log(pamh
, ctrl
, LOG_ERR
, "Could not retrieve user's password");
1447 retval
= PAM_AUTHTOK_ERR
;
1451 /* Let's not give too much away in the log file */
1453 #ifdef DEBUG_PASSWORD
1454 _pam_log_debug(pamh
, ctrl
, LOG_INFO
, "Verify user '%s' with password '%s'",
1455 username
, password
);
1457 _pam_log_debug(pamh
, ctrl
, LOG_INFO
, "Verify user '%s'", username
);
1460 member
= get_member_from_config(pamh
, argc
, argv
, ctrl
, d
);
1462 cctype
= get_krb5_cc_type_from_config(pamh
, argc
, argv
, ctrl
, d
);
1464 /* Now use the username to look up password */
1465 retval
= winbind_auth_request(pamh
, ctrl
, username
, password
, member
,
1466 cctype
, NULL
, NULL
, &username_ret
);
1468 if (retval
== PAM_NEW_AUTHTOK_REQD
||
1469 retval
== PAM_AUTHTOK_EXPIRED
) {
1471 if (!asprintf(&new_authtok_required
, "%d", retval
)) {
1472 retval
= PAM_BUF_ERR
;
1476 pam_set_data(pamh
, PAM_WINBIND_NEW_AUTHTOK_REQD
, new_authtok_required
, _pam_winbind_cleanup_func
);
1478 retval
= PAM_SUCCESS
;
1484 pam_set_item (pamh
, PAM_USER
, username_ret
);
1485 _pam_log_debug(pamh
, ctrl
, LOG_INFO
, "Returned user was '%s'", username_ret
);
1490 iniparser_freedict(d
);
1493 if (!new_authtok_required
) {
1494 pam_set_data(pamh
, PAM_WINBIND_NEW_AUTHTOK_REQD
, NULL
, NULL
);
1497 if (retval
!= PAM_SUCCESS
) {
1498 _pam_free_data_info3(pamh
);
1501 _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", pamh
, ctrl
, retval
);
1507 int pam_sm_setcred(pam_handle_t
*pamh
, int flags
,
1508 int argc
, const char **argv
)
1510 int ret
= PAM_SYSTEM_ERR
;
1511 dictionary
*d
= NULL
;
1513 /* parse arguments */
1514 int ctrl
= _pam_parse(pamh
, flags
, argc
, argv
, &d
);
1516 ret
= PAM_SYSTEM_ERR
;
1520 _PAM_LOG_FUNCTION_ENTER("pam_sm_setcred", pamh
, ctrl
, flags
);
1522 switch (flags
& ~PAM_SILENT
) {
1524 case PAM_DELETE_CRED
:
1525 ret
= pam_sm_close_session(pamh
, flags
, argc
, argv
);
1527 case PAM_REFRESH_CRED
:
1528 _pam_log_debug(pamh
, ctrl
, LOG_WARNING
, "PAM_REFRESH_CRED not implemented");
1531 case PAM_REINITIALIZE_CRED
:
1532 _pam_log_debug(pamh
, ctrl
, LOG_WARNING
, "PAM_REINITIALIZE_CRED not implemented");
1535 case PAM_ESTABLISH_CRED
:
1536 _pam_log_debug(pamh
, ctrl
, LOG_WARNING
, "PAM_ESTABLISH_CRED not implemented");
1540 ret
= PAM_SYSTEM_ERR
;
1546 iniparser_freedict(d
);
1549 _PAM_LOG_FUNCTION_LEAVE("pam_sm_setcred", pamh
, ctrl
, ret
);
1555 * Account management. We want to verify that the account exists
1556 * before returning PAM_SUCCESS
1559 int pam_sm_acct_mgmt(pam_handle_t
*pamh
, int flags
,
1560 int argc
, const char **argv
)
1562 const char *username
;
1563 int ret
= PAM_USER_UNKNOWN
;
1565 dictionary
*d
= NULL
;
1567 /* parse arguments */
1568 int ctrl
= _pam_parse(pamh
, flags
, argc
, argv
, &d
);
1570 return PAM_SYSTEM_ERR
;
1573 _PAM_LOG_FUNCTION_ENTER("pam_sm_acct_mgmt", pamh
, ctrl
, flags
);
1576 /* Get the username */
1577 ret
= pam_get_user(pamh
, &username
, NULL
);
1578 if ((ret
!= PAM_SUCCESS
) || (!username
)) {
1579 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
,"can not get the username");
1580 ret
= PAM_SERVICE_ERR
;
1584 /* Verify the username */
1585 ret
= valid_user(pamh
, ctrl
, username
);
1588 /* some sort of system error. The log was already printed */
1589 ret
= PAM_SERVICE_ERR
;
1592 /* the user does not exist */
1593 _pam_log_debug(pamh
, ctrl
, LOG_NOTICE
, "user '%s' not found", username
);
1594 if (ctrl
& WINBIND_UNKNOWN_OK_ARG
) {
1598 ret
= PAM_USER_UNKNOWN
;
1601 pam_get_data( pamh
, PAM_WINBIND_NEW_AUTHTOK_REQD
, (const void **)&tmp
);
1603 ret
= atoi((const char *)tmp
);
1605 case PAM_AUTHTOK_EXPIRED
:
1606 /* fall through, since new token is required in this case */
1607 case PAM_NEW_AUTHTOK_REQD
:
1608 _pam_log(pamh
, ctrl
, LOG_WARNING
, "pam_sm_acct_mgmt success but %s is set",
1609 PAM_WINBIND_NEW_AUTHTOK_REQD
);
1610 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user '%s' needs new password", username
);
1611 /* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
1612 ret
= PAM_NEW_AUTHTOK_REQD
;
1615 _pam_log(pamh
, ctrl
, LOG_WARNING
, "pam_sm_acct_mgmt success");
1616 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user '%s' granted access", username
);
1622 /* Otherwise, the authentication looked good */
1623 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user '%s' granted access", username
);
1627 /* we don't know anything about this return value */
1628 _pam_log(pamh
, ctrl
, LOG_ERR
, "internal module error (ret = %d, user = '%s')",
1630 ret
= PAM_SERVICE_ERR
;
1634 /* should not be reached */
1640 iniparser_freedict(d
);
1643 _PAM_LOG_FUNCTION_LEAVE("pam_sm_acct_mgmt", pamh
, ctrl
, ret
);
1649 int pam_sm_open_session(pam_handle_t
*pamh
, int flags
,
1650 int argc
, const char **argv
)
1652 int ret
= PAM_SYSTEM_ERR
;
1653 dictionary
*d
= NULL
;
1655 /* parse arguments */
1656 int ctrl
= _pam_parse(pamh
, flags
, argc
, argv
, &d
);
1658 ret
= PAM_SYSTEM_ERR
;
1662 _PAM_LOG_FUNCTION_ENTER("pam_sm_open_session", pamh
, ctrl
, flags
);
1668 iniparser_freedict(d
);
1671 _PAM_LOG_FUNCTION_LEAVE("pam_sm_open_session", pamh
, ctrl
, ret
);
1677 int pam_sm_close_session(pam_handle_t
*pamh
, int flags
,
1678 int argc
, const char **argv
)
1680 dictionary
*d
= NULL
;
1681 int retval
= PAM_SUCCESS
;
1683 /* parse arguments */
1684 int ctrl
= _pam_parse(pamh
, flags
, argc
, argv
, &d
);
1686 retval
= PAM_SYSTEM_ERR
;
1690 _PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", pamh
, ctrl
, flags
);
1692 if (!(flags
& PAM_DELETE_CRED
)) {
1693 retval
= PAM_SUCCESS
;
1697 if (ctrl
& WINBIND_KRB5_AUTH
) {
1699 /* destroy the ccache here */
1700 struct winbindd_request request
;
1701 struct winbindd_response response
;
1703 const char *ccname
= NULL
;
1704 struct passwd
*pwd
= NULL
;
1706 ZERO_STRUCT(request
);
1707 ZERO_STRUCT(response
);
1709 retval
= pam_get_user(pamh
, &user
, "Username: ");
1711 _pam_log(pamh
, ctrl
, LOG_ERR
, "could not identify user");
1716 _pam_log(pamh
, ctrl
, LOG_ERR
, "username was NULL!");
1717 retval
= PAM_USER_UNKNOWN
;
1721 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "username [%s] obtained", user
);
1723 ccname
= pam_getenv(pamh
, "KRB5CCNAME");
1724 if (ccname
== NULL
) {
1725 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "user has no KRB5CCNAME environment");
1728 strncpy(request
.data
.logoff
.user
, user
,
1729 sizeof(request
.data
.logoff
.user
) - 1);
1732 strncpy(request
.data
.logoff
.krb5ccname
, ccname
,
1733 sizeof(request
.data
.logoff
.krb5ccname
) - 1);
1736 pwd
= getpwnam(user
);
1738 retval
= PAM_USER_UNKNOWN
;
1741 request
.data
.logoff
.uid
= pwd
->pw_uid
;
1743 request
.flags
= WBFLAG_PAM_KRB5
| WBFLAG_PAM_CONTACT_TRUSTDOM
;
1745 retval
= pam_winbind_request_log(pamh
, ctrl
, WINBINDD_PAM_LOGOFF
, &request
, &response
, user
);
1750 iniparser_freedict(d
);
1753 _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", pamh
, ctrl
, retval
);
1761 int pam_sm_chauthtok(pam_handle_t
* pamh
, int flags
,
1762 int argc
, const char **argv
)
1768 /* <DO NOT free() THESE> */
1770 char *pass_old
, *pass_new
;
1771 /* </DO NOT free() THESE> */
1776 dictionary
*d
= NULL
;
1778 ctrl
= _pam_parse(pamh
, flags
, argc
, argv
, &d
);
1780 ret
= PAM_SYSTEM_ERR
;
1784 _PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", pamh
, ctrl
, flags
);
1786 /* clearing offline bit for the auth in the password change */
1787 ctrl
&= ~WINBIND_CACHED_LOGIN
;
1790 * First get the name of a user
1792 ret
= pam_get_user(pamh
, &user
, "Username: ");
1794 _pam_log(pamh
, ctrl
, LOG_ERR
,
1795 "password - could not identify user");
1800 _pam_log(pamh
, ctrl
, LOG_ERR
, "username was NULL!");
1801 ret
= PAM_USER_UNKNOWN
;
1805 _pam_log_debug(pamh
, ctrl
, LOG_DEBUG
, "username [%s] obtained", user
);
1807 /* check if this is really a user in winbindd, not only in NSS */
1808 ret
= valid_user(pamh
, ctrl
, user
);
1811 ret
= PAM_USER_UNKNOWN
;
1814 ret
= PAM_SYSTEM_ERR
;
1821 * obtain and verify the current password (OLDAUTHTOK) for
1825 if (flags
& PAM_PRELIM_CHECK
) {
1826 struct winbindd_response response
;
1827 time_t pwdlastset_prelim
= 0;
1829 /* instruct user what is happening */
1830 #define greeting "Changing password for "
1831 Announce
= (char *) malloc(sizeof(greeting
) + strlen(user
));
1832 if (Announce
== NULL
) {
1833 _pam_log(pamh
, ctrl
, LOG_CRIT
, "password - out of memory");
1837 (void) strcpy(Announce
, greeting
);
1838 (void) strcpy(Announce
+ sizeof(greeting
) - 1, user
);
1841 lctrl
= ctrl
| WINBIND__OLD_PASSWORD
;
1842 ret
= _winbind_read_password(pamh
, lctrl
,
1844 "(current) NT password: ",
1846 (const char **) &pass_old
);
1847 if (ret
!= PAM_SUCCESS
) {
1848 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "password - (old) token not obtained");
1852 /* We don't need krb5 env set for password change test. */
1853 ctrl
&= ~WINBIND_KRB5_AUTH
;
1855 /* verify that this is the password for this user */
1857 ret
= winbind_auth_request(pamh
, ctrl
, user
, pass_old
,
1858 NULL
, NULL
, &response
, &pwdlastset_prelim
, NULL
);
1860 if (ret
!= PAM_ACCT_EXPIRED
&&
1861 ret
!= PAM_AUTHTOK_EXPIRED
&&
1862 ret
!= PAM_NEW_AUTHTOK_REQD
&&
1863 ret
!= PAM_SUCCESS
) {
1866 iniparser_freedict(d
);
1868 /* Deal with offline errors. */
1869 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
,
1871 "NT_STATUS_NO_LOGON_SERVERS");
1872 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
,
1874 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1875 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
,
1877 "NT_STATUS_ACCESS_DENIED");
1881 pam_set_data(pamh
, PAM_WINBIND_PWD_LAST_SET
, (void *)pwdlastset_prelim
, NULL
);
1883 ret
= pam_set_item(pamh
, PAM_OLDAUTHTOK
, (const void *) pass_old
);
1885 if (ret
!= PAM_SUCCESS
) {
1886 _pam_log(pamh
, ctrl
, LOG_CRIT
, "failed to set PAM_OLDAUTHTOK");
1888 } else if (flags
& PAM_UPDATE_AUTHTOK
) {
1890 time_t pwdlastset_update
= 0;
1893 * obtain the proposed password
1897 * get the old token back.
1900 ret
= _pam_get_item(pamh
, PAM_OLDAUTHTOK
, &pass_old
);
1902 if (ret
!= PAM_SUCCESS
) {
1903 _pam_log(pamh
, ctrl
, LOG_NOTICE
, "user not authenticated");
1907 lctrl
= ctrl
& ~WINBIND_TRY_FIRST_PASS_ARG
;
1909 if (on(WINBIND_USE_AUTHTOK_ARG
, lctrl
)) {
1910 lctrl
|= WINBIND_USE_FIRST_PASS_ARG
;
1913 ret
= PAM_AUTHTOK_ERR
;
1914 while ((ret
!= PAM_SUCCESS
) && (retry
++ < MAX_PASSWD_TRIES
)) {
1916 * use_authtok is to force the use of a previously entered
1917 * password -- needed for pluggable password strength checking
1920 ret
= _winbind_read_password(pamh
, lctrl
,
1922 "Enter new NT password: ",
1923 "Retype new NT password: ",
1924 (const char **) &pass_new
);
1926 if (ret
!= PAM_SUCCESS
) {
1927 _pam_log_debug(pamh
, ctrl
, LOG_ALERT
1928 ,"password - new password not obtained");
1929 pass_old
= NULL
;/* tidy up */
1934 * At this point we know who the user is and what they
1935 * propose as their new password. Verify that the new
1936 * password is acceptable.
1939 if (pass_new
[0] == '\0') {/* "\0" password = NULL */
1945 * By reaching here we have approved the passwords and must now
1946 * rebuild the password database file.
1948 _pam_get_data( pamh
, PAM_WINBIND_PWD_LAST_SET
,
1949 &pwdlastset_update
);
1951 ret
= winbind_chauthtok_request(pamh
, ctrl
, user
, pass_old
, pass_new
, pwdlastset_update
);
1953 _pam_overwrite(pass_new
);
1954 _pam_overwrite(pass_old
);
1955 pass_old
= pass_new
= NULL
;
1959 /* just in case we need krb5 creds after a password change over msrpc */
1961 if (ctrl
& WINBIND_KRB5_AUTH
) {
1962 struct winbindd_response response
;
1964 const char *member
= get_member_from_config(pamh
, argc
, argv
, ctrl
, d
);
1965 const char *cctype
= get_krb5_cc_type_from_config(pamh
, argc
, argv
, ctrl
, d
);
1967 ret
= winbind_auth_request(pamh
, ctrl
, user
, pass_new
,
1968 member
, cctype
, &response
, NULL
, NULL
);
1969 _pam_overwrite(pass_new
);
1970 _pam_overwrite(pass_old
);
1971 pass_old
= pass_new
= NULL
;
1973 iniparser_freedict(d
);
1975 /* Deal with offline errors. */
1976 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
,
1978 "NT_STATUS_NO_LOGON_SERVERS");
1979 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
,
1981 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND");
1982 PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh
, ctrl
,
1984 "NT_STATUS_ACCESS_DENIED");
1988 ret
= PAM_SERVICE_ERR
;
1993 iniparser_freedict(d
);
1996 _PAM_LOG_FUNCTION_LEAVE("pam_sm_chauthtok", pamh
, ctrl
, ret
);
2003 /* static module data */
2005 struct pam_module _pam_winbind_modstruct
= {
2007 pam_sm_authenticate
,
2010 pam_sm_open_session
,
2011 pam_sm_close_session
,
2018 * Copyright (c) Andrew Tridgell <tridge@samba.org> 2000
2019 * Copyright (c) Tim Potter <tpot@samba.org> 2000
2020 * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
2021 * Copyright (c) Guenther Deschner <gd@samba.org> 2005-2007
2022 * Copyright (c) Jan Rêkorajski 1999.
2023 * Copyright (c) Andrew G. Morgan 1996-8.
2024 * Copyright (c) Alex O. Yuriev, 1996.
2025 * Copyright (c) Cristian Gafton 1996.
2026 * Copyright (C) Elliot Lee <sopwith@redhat.com> 1996, Red Hat Software.
2028 * Redistribution and use in source and binary forms, with or without
2029 * modification, are permitted provided that the following conditions
2031 * 1. Redistributions of source code must retain the above copyright
2032 * notice, and the entire permission notice in its entirety,
2033 * including the disclaimer of warranties.
2034 * 2. Redistributions in binary form must reproduce the above copyright
2035 * notice, this list of conditions and the following disclaimer in the
2036 * documentation and/or other materials provided with the distribution.
2037 * 3. The name of the author may not be used to endorse or promote
2038 * products derived from this software without specific prior
2039 * written permission.
2041 * ALTERNATIVELY, this product may be distributed under the terms of
2042 * the GNU Public License, in which case the provisions of the GPL are
2043 * required INSTEAD OF the above restrictions. (This clause is
2044 * necessary due to a potential bad interaction between the GPL and
2045 * the restrictions contained in a BSD-style copyright.)
2047 * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
2048 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
2049 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
2050 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
2051 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
2052 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
2053 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2054 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2055 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2056 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
2057 * OF THE POSSIBILITY OF SUCH DAMAGE.