2 * Copyright Alexander O. Yuriev, 1996. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, and the entire permission notice in its entirety,
9 * including the disclaimer of warranties.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote
14 * products derived from this software without specific prior
17 * ALTERNATIVELY, this product may be distributed under the terms of
18 * the GNU Public License, in which case the provisions of the GPL are
19 * required INSTEAD OF the above restrictions. (This clause is
20 * necessary due to a potential bad interaction between the GPL and
21 * the restrictions contained in a BSD-style copyright.)
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
24 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
26 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
27 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
28 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
29 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
33 * OF THE POSSIBILITY OF SUCH DAMAGE.
37 This code has been changed heavily for smb authentication by
39 pam_ntdom_auth -- David Airlie 1998 v1.3a ( airlied@samba.org )
40 http://www.csn.ul.ie/~airlied
42 all changes are (C) David Airlie 1998.
47 #ifdef HAVE_SECURITY_PAM_APPL_H
49 #include <security/pam_appl.h>
53 #define _PAM_EXTERN_FUNCTIONS
55 #ifdef HAVE_SECURITY_PAM_MODULES_H
56 #include <security/pam_modules.h>
60 #define PAM_EXTERN extern
/* Debug verbosity level shared with the rest of the module; it is only
   declared here (extern) and defined in another translation unit. */
extern int DEBUGLEVEL;
65 #include "pam_ntdom_proto.h"
/* Helpers defined outside this file (extern): the PAM conversation
   wrapper and the routine that prompts for / stores the auth token. */
extern int converse(pam_handle_t *pamh,
                    struct pam_message **message,
                    struct pam_response **response);

extern int _set_auth_tok(pam_handle_t *pamh,
                         int flags, int argc, const char **argv);

/* File-private workers that pam_sm_authenticate() and pam_sm_setcred()
   forward to; both take the standard PAM module-entry argument list. */
static int _pam_auth_smb(pam_handle_t *pamh,
                         int flags, int argc, const char **argv);

static int _pam_set_credentials_smb(pam_handle_t *pamh,
                                    int flags, int argc, const char **argv);
87 * _pam_auth_smb() actually performs UNIX/shadow authentication and
88 * then performs the NT Validation.
90 * First, if shadow support is available, attempt to perform
91 * authentication using shadow passwords. If shadow is not
92 * available, or the user does not have a shadow password, fall back
93 * to normal UNIX authentication.
94 * If neither shadow nor normal authentication succeeds, the username
95 * and password are sent to a local server, which does the authentication.
/*
 * Authentication worker behind pam_sm_authenticate().
 *
 * NOTE(review): only part of this function's body is visible here
 * (the prologue with the variable declarations and several branches
 * are not shown), so comments below that depend on unseen lines are
 * marked as assumptions.  Points worth fixing, in order of appearance:
 *  - the PAM_DISALLOW_NULL_AUTHTOK test uses logical && instead of
 *    bitwise &, so the flag is never actually tested;
 *  - the "debug" syslog line writes the cleartext password to the log;
 *  - shadow expiry/aging is not enforced (existing TODO).
 */
98 static int _pam_auth_smb(pam_handle_t
* pamh
,
99 int flags
, int argc
, const char **argv
)
109 int debug
= 0, use_first_pass
= 0;
110 int unknown_user
= 0;
/* Module arguments from the pam.d line: "debug", "use_first_pass" and
   "nolocal".  Anything else is logged at LOG_ERR; whether an unknown
   option is fatal is not visible here. */
121 /* Parse Command line options */
123 for (loop
= 0; loop
< argc
; loop
++)
125 if (!strcmp(argv
[loop
], "debug"))
130 else if (!strcmp(argv
[loop
], "use_first_pass"))
132 else if (!strcmp(argv
[loop
], "nolocal"))
136 syslog(LOG_AUTHPRIV
| LOG_ERR
,
137 "pam_ntdom: Unknown Command Line Option in pam.d : %s",
/* Bring up the RPC/SMB client before any credential is touched.  A
   failure here is reported as a service error, not as an auth result. */
142 if (!rpc_initialise())
147 syslog(LOG_AUTHPRIV
| LOG_ERR
,
148 "pam_ntdom: initialisation failed\n");
151 return PAM_SERVICE_ERR
;
153 /* get the user name */
/* NOTE(review): the statement executed after this error message is not
   shown; confirm the function returns retval here rather than falling
   through with an unset name. */
155 if ((retval
= pam_get_user(pamh
, &name
, "login: ")) != PAM_SUCCESS
)
158 syslog(LOG_AUTHPRIV
| LOG_ERR
, "pam_ntdom: User not found");
/* Pick up any auth token left by an earlier stacked module; p may be
   NULL.  The return value of pam_get_item() is not checked. */
163 pam_get_item(pamh
, PAM_AUTHTOK
, (void *)&p
);
/* Without use_first_pass, prompt for the password ourselves. */
167 if (use_first_pass
!= 1)
169 retval
= _set_auth_tok(pamh
, flags
, argc
, argv
);
170 if (retval
!= PAM_SUCCESS
)
178 We have to call pam_get_item() again because value of p should
182 pam_get_item(pamh
, PAM_AUTHTOK
, (void *)&p
);
/* NOTE(review): name is user supplied; domain and ntname are buffers
   declared in the unshown prologue, so split_domain_name() must bound
   its copies into them -- confirm in its definition. */
184 if (!split_domain_name(name
, domain
, ntname
))
189 /* If nolocal is specified pam_ntdom does not try and do local
190 username/password authentication .. this is a command line option
191 to pam_ntdom_auth.so in /etc/pam.d/ */
203 * Support for shadow passwords on Linux and SVR4-based
204 * systems. Shadow passwords are optional on Linux - if
205 * there is no shadow password, use the non-shadow one.
/* Shadow entry present and the passwd field is the "x" placeholder:
   the hash is presumably taken from sp (that line is not shown).
   Account/password expiry is not enforced anywhere in this path. */
209 if (sp
&& (!strcmp(pw
->pw_passwd
, "x")))
211 /* TODO: check if password has expired etc. */
/* Otherwise the hash (and thus the salt) comes from the passwd entry. */
216 salt
= pw
->pw_passwd
;
221 /* The 'always-encrypt' method does not make sense in PAM
222 because the framework requires return of a different
223 error code for non-existent users -- alex */
/* NOTE(review): this tests for NULL pointers, not empty strings; an
   account whose hash field is "" with an empty supplied password is
   not caught here and falls through to the hash comparison. */
226 if ((!pw
->pw_passwd
) && (!p
))
/* BUG: logical && with a non-zero flag bit is true for any non-zero
   flags (e.g. PAM_SILENT) and false for flags == 0, so the flag is
   never actually tested.  Should be:
       if (flags & PAM_DISALLOW_NULL_AUTHTOK) */
227 if (flags
&& PAM_DISALLOW_NULL_AUTHTOK
)
/* pp is presumably crypt(p, salt) (the call is not shown).  crypt()
   returns NULL on failure, and strcmp() would then dereference NULL --
   confirm a NULL check precedes this comparison.  NOTE(review): what
   happens after a correct local password is not visible; the header
   comment implies NT validation is skipped in that case -- confirm. */
232 if (strcmp(pp
, salt
) == 0)
236 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
237 "pam_ntdom: Local UNIX username/password pair correct.");
245 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
246 "pam_ntdom: Local UNIX username/password check incorrect.");
250 } /* End of Local Section */
252 { /* If Local System Authentication is switched off */
255 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
256 "No Local authentication done, relying on other modules for password file entry.");
263 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
264 "pam_ntdom: Configuration Data, Domain %s.", domain
);
/* SECURITY: this debug message writes the cleartext password into
   syslog (note the "password: %s" field).  Credentials must not be
   logged even under the debug option; drop that field. */
271 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
272 "pam_ntdom: user: %s domain: %s password: %s",
/* Hand the NT-style name, password and domain to the domain check. */
277 w
= Valid_User(ntname
, p
, domain
);
279 /* Valid_User() return value: 0 is success;
280 1 and 2 indicate network and protocol failures and
290 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
291 "pam_ntdom: Correct NT username/password pair");
/* Network/protocol failure: the verdict is unknown, so report the
   service as unavailable rather than as a failed login. */
300 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
301 "pam_ntdom: Authentication unavailable\n");
304 return PAM_AUTHINFO_UNAVAIL
;
/* Definite rejection by the domain: logged at LOG_NOTICE with the
   supplied username. */
309 syslog(LOG_AUTHPRIV
| LOG_NOTICE
,
310 "pam_ntdom: Incorrect NT password for username : %s",
320 syslog(LOG_AUTHPRIV
| LOG_DEBUG
,
321 "pam_ntdom: Authentication failed\n");
329 * The _pam_set_credentials_smb() does nothing.
static int _pam_set_credentials_smb(pam_handle_t *pamh,
                                    int flags, int argc, const char **argv)
{
    /* This module establishes no credentials, so there is nothing to do
       and the call simply reports success.  The original author doubted
       this result code (PAM also has a "function not available" status);
       confirm against the PAM documentation before changing it, as
       existing stacks may depend on the current answer. */
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;

    return PAM_SUCCESS;
}
343 * PAM framework looks for these entry-points to pass control to the
344 * authentication module.
int pam_sm_authenticate(pam_handle_t *pamh,
                        int flags, int argc, const char **argv)
{
    /* PAM "auth" entry point: all work is delegated to the file-private
       worker, whose result is passed back unchanged. */
    int rc = _pam_auth_smb(pamh, flags, argc, argv);

    return rc;
}
int pam_sm_setcred(pam_handle_t *pamh,
                   int flags, int argc, const char **argv)
{
    /* PAM "setcred" entry point: delegated to the file-private worker,
       whose result is passed back unchanged. */
    int rc = _pam_set_credentials_smb(pamh, flags, argc, argv);

    return rc;
}