search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:rpc_server: Handle an np_read_send with len==0 correctly
[samba.git] / source3 / auth / pampass.c
blob0be7f9f9d1fb3d50f5d17c3c7425877b5091a407
1 /*
2 Unix SMB/CIFS implementation.
3 PAM Password checking
4 Copyright (C) Andrew Tridgell 1992-2001
5 Copyright (C) John H Terpsta 1999-2001
6 Copyright (C) Andrew Bartlett 2001
7 Copyright (C) Jeremy Allison 2001
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 /*
24 * This module provides PAM based functions for validation of
25 * username/password pairs, account management, session and access control.
26 * Note: SMB password checking is done in smbpass.c
27 */
28
29 #include "includes.h"
30 #include "auth.h"
31 #include "../libcli/auth/pam_errors.h"
32 #include "lib/util/string_wrappers.h"
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_AUTH
36
37 #ifdef WITH_PAM
38
39 /*******************************************************************
40 * Handle PAM authentication
41 * - Access, Authentication, Session, Password
42 * Note: See PAM Documentation and refer to local system PAM implementation
43 * which determines what actions/limitations/allowances become affected.
44 *********************************************************************/
45
46 #if defined(HAVE_SECURITY_PAM_APPL_H)
47 #include <security/pam_appl.h>
48 #elif defined(HAVE_PAM_PAM_APPL_H)
49 #include <pam/pam_appl.h>
50 #endif
51
52 /*
53 * Structure used to communicate between the conversation function
54 * and the server_login/change password functions.
55 */
56
57 struct smb_pam_userdata {
58 const char *PAM_username;
59 const char *PAM_password;
60 const char *PAM_newpassword;
61 };
62
63 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
64
65 static char *smb_pam_copy_string(const char *s)
66 {
67 if (s == NULL) {
68 return NULL;
69 }
70 return SMB_STRDUP(s);
71 }
72
73 static char *smb_pam_copy_fstring(const char *s)
74 {
75 if (s[0] == '\0') {
76 return NULL;
77 }
78 return SMB_STRDUP(s);
79 }
80
81 /*******************************************************************
82 PAM error handler.
83 *********************************************************************/
84
85 static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
86 {
87
88 if( pam_error != PAM_SUCCESS) {
89 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
90 msg, pam_strerror(pamh, pam_error)));
91 return False;
92 }
93 return True;
94 }
95
96 /*******************************************************************
97 This function is a sanity check, to make sure that we NEVER report
98 failure as success.
99 *********************************************************************/
100
101 static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
102 const char *msg, int dbglvl,
103 NTSTATUS *nt_status)
104 {
105 *nt_status = pam_to_nt_status(pam_error);
106
107 if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
108 return True;
109
110 if (NT_STATUS_IS_OK(*nt_status)) {
111 /* Complain LOUDLY */
112 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
113 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE\n"));
114 *nt_status = NT_STATUS_LOGON_FAILURE;
115 }
116 return False;
117 }
118
119 /*
120 * PAM conversation function
121 * Here we assume (for now, at least) that echo on means login name, and
122 * echo off means password.
123 */
124
125 static int smb_pam_conv(int num_msg,
126 const struct pam_message **msg,
127 struct pam_response **resp,
128 void *appdata_ptr)
129 {
130 int replies = 0;
131 struct pam_response *reply = NULL;
132 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
133
134 if (resp != NULL) {
135 *resp = NULL;
136 }
137
138 if (num_msg <= 0)
139 return PAM_CONV_ERR;
140
141 /*
142 * Apparently HPUX has a buggy PAM that doesn't support the
143 * appdata_ptr. Fail if this is the case. JRA.
144 */
145
146 if (udp == NULL) {
147 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
148 return PAM_CONV_ERR;
149 }
150
151 reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
152 if (!reply)
153 return PAM_CONV_ERR;
154
155 memset(reply, '\0', sizeof(struct pam_response) * num_msg);
156
157 for (replies = 0; replies < num_msg; replies++) {
158 switch (msg[replies]->msg_style) {
159 case PAM_PROMPT_ECHO_ON:
160 reply[replies].resp_retcode = PAM_SUCCESS;
161 reply[replies].resp = smb_pam_copy_string(
162 udp->PAM_username);
163 /* PAM frees resp */
164 break;
165
166 case PAM_PROMPT_ECHO_OFF:
167 reply[replies].resp_retcode = PAM_SUCCESS;
168 reply[replies].resp = smb_pam_copy_string(
169 udp->PAM_password);
170 /* PAM frees resp */
171 break;
172
173 case PAM_TEXT_INFO:
174 FALL_THROUGH;
175
176 case PAM_ERROR_MSG:
177 /* ignore it... */
178 reply[replies].resp_retcode = PAM_SUCCESS;
179 reply[replies].resp = NULL;
180 break;
181
182 default:
183 /* Must be an error of some sort... */
184 SAFE_FREE(reply);
185 return PAM_CONV_ERR;
186 }
187 }
188 if (reply != NULL) {
189 if (resp != NULL) {
190 *resp = reply;
191 } else {
192 SAFE_FREE(reply);
193 }
194 }
195 return PAM_SUCCESS;
196 }
197
198 /*
199 * PAM password change conversation function
200 * Here we assume (for now, at least) that echo on means login name, and
201 * echo off means password.
202 */
203
204 static void special_char_sub(char *buf)
205 {
206 all_string_sub(buf, "\\n", "", 0);
207 all_string_sub(buf, "\\r", "", 0);
208 all_string_sub(buf, "\\s", " ", 0);
209 all_string_sub(buf, "\\t", "\t", 0);
210 }
211
212 static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass)
213 {
214 string_sub(buf, "%u", username, sizeof(fstring));
215 all_string_sub(buf, "%o", oldpass, sizeof(fstring));
216 all_string_sub(buf, "%n", newpass, sizeof(fstring));
217 }
218
219
220 struct chat_struct {
221 struct chat_struct *next, *prev;
222 fstring prompt;
223 fstring reply;
224 };
225
226 /**************************************************************
227 Create a linked list containing chat data.
228 ***************************************************************/
229
230 static struct chat_struct *make_pw_chat(const char *p)
231 {
232 char *prompt;
233 char *reply;
234 struct chat_struct *list = NULL;
235 struct chat_struct *t;
236 TALLOC_CTX *frame = talloc_stackframe();
237
238 while (1) {
239 t = SMB_MALLOC_P(struct chat_struct);
240 if (!t) {
241 DEBUG(0,("make_pw_chat: malloc failed!\n"));
242 TALLOC_FREE(frame);
243 return NULL;
244 }
245
246 ZERO_STRUCTP(t);
247
248 DLIST_ADD_END(list, t);
249
250 if (!next_token_talloc(frame, &p, &prompt, NULL)) {
251 break;
252 }
253
254 if (strequal(prompt,".")) {
255 fstrcpy(prompt,"*");
256 }
257
258 special_char_sub(prompt);
259 fstrcpy(t->prompt, prompt);
260 (void)strlower_m(t->prompt);
261 trim_char(t->prompt, ' ', ' ');
262
263 if (!next_token_talloc(frame, &p, &reply, NULL)) {
264 break;
265 }
266
267 if (strequal(reply,".")) {
268 fstrcpy(reply,"");
269 }
270
271 special_char_sub(reply);
272 fstrcpy(t->reply, reply);
273 (void)strlower_m(t->reply);
274 trim_char(t->reply, ' ', ' ');
275
276 }
277 TALLOC_FREE(frame);
278 return list;
279 }
280
281 static void free_pw_chat(struct chat_struct *list)
282 {
283 while (list) {
284 struct chat_struct *old_head = list;
285 DLIST_REMOVE(list, list);
286 SAFE_FREE(old_head);
287 }
288 }
289
290 static int smb_pam_passchange_conv(int num_msg,
291 const struct pam_message **msg,
292 struct pam_response **resp,
293 void *appdata_ptr)
294 {
295 int replies = 0;
296 struct pam_response *reply = NULL;
297 fstring current_prompt;
298 fstring current_reply;
299 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
300 struct chat_struct *pw_chat;
301 struct chat_struct *t;
302 const struct loadparm_substitution *lp_sub =
303 loadparm_s3_global_substitution();
304 bool found;
305 *resp = NULL;
306
307 DEBUG(10,("smb_pam_passchange_conv: starting conversation for %d messages\n", num_msg));
308
309 if (num_msg <= 0)
310 return PAM_CONV_ERR;
311
312 if ((pw_chat = make_pw_chat(lp_passwd_chat(talloc_tos(), lp_sub))) == NULL)
313 return PAM_CONV_ERR;
314
315 /*
316 * Apparently HPUX has a buggy PAM that doesn't support the
317 * appdata_ptr. Fail if this is the case. JRA.
318 */
319
320 if (udp == NULL) {
321 DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
322 free_pw_chat(pw_chat);
323 return PAM_CONV_ERR;
324 }
325
326 reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
327 if (!reply) {
328 DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
329 free_pw_chat(pw_chat);
330 return PAM_CONV_ERR;
331 }
332
333 for (replies = 0; replies < num_msg; replies++) {
334 found = False;
335 DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
336 switch (msg[replies]->msg_style) {
337 case PAM_PROMPT_ECHO_ON:
338 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
339 fstrcpy(current_prompt, msg[replies]->msg);
340 trim_char(current_prompt, ' ', ' ');
341 for (t=pw_chat; t; t=t->next) {
342
343 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n",
344 t->prompt, current_prompt ));
345
346 if (unix_wild_match(t->prompt, current_prompt)) {
347 fstrcpy(current_reply, t->reply);
348 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
349 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
350 #ifdef DEBUG_PASSWORD
351 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actually sent: %s\n", current_reply));
352 #endif
353 reply[replies].resp_retcode = PAM_SUCCESS;
354 reply[replies].resp = smb_pam_copy_fstring(
355 current_reply);
356 found = True;
357 break;
358 }
359 }
360 /* PAM frees resp */
361 if (!found) {
362 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
363 free_pw_chat(pw_chat);
364 SAFE_FREE(reply);
365 return PAM_CONV_ERR;
366 }
367 break;
368
369 case PAM_PROMPT_ECHO_OFF:
370 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
371 fstrcpy(current_prompt, msg[replies]->msg);
372 trim_char(current_prompt, ' ', ' ');
373 for (t=pw_chat; t; t=t->next) {
374
375 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n",
376 t->prompt, current_prompt ));
377
378 if (unix_wild_match(t->prompt, current_prompt)) {
379 fstrcpy(current_reply, t->reply);
380 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
381 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
382 reply[replies].resp_retcode = PAM_SUCCESS;
383 reply[replies].resp = smb_pam_copy_fstring(
384 current_reply);
385 #ifdef DEBUG_PASSWORD
386 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actually sent: %s\n", current_reply));
387 #endif
388 found = True;
389 break;
390 }
391 }
392 /* PAM frees resp */
393
394 if (!found) {
395 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
396 free_pw_chat(pw_chat);
397 SAFE_FREE(reply);
398 return PAM_CONV_ERR;
399 }
400 break;
401
402 case PAM_TEXT_INFO:
403 FALL_THROUGH;
404
405 case PAM_ERROR_MSG:
406 /* ignore it... */
407 reply[replies].resp_retcode = PAM_SUCCESS;
408 reply[replies].resp = NULL;
409 break;
410
411 default:
412 /* Must be an error of some sort... */
413 free_pw_chat(pw_chat);
414 SAFE_FREE(reply);
415 return PAM_CONV_ERR;
416 }
417 }
418
419 free_pw_chat(pw_chat);
420 if (reply)
421 *resp = reply;
422 return PAM_SUCCESS;
423 }
424
425 /***************************************************************************
426 Free up a malloced pam_conv struct.
427 ****************************************************************************/
428
429 static void smb_free_pam_conv(struct pam_conv *pconv)
430 {
431 if (pconv)
432 SAFE_FREE(pconv->appdata_ptr);
433
434 SAFE_FREE(pconv);
435 }
436
437 /***************************************************************************
438 Allocate a pam_conv struct.
439 ****************************************************************************/
440
441 static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user,
442 const char *passwd, const char *newpass)
443 {
444 struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
445 struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
446
447 if (pconv == NULL || udp == NULL) {
448 SAFE_FREE(pconv);
449 SAFE_FREE(udp);
450 return NULL;
451 }
452
453 udp->PAM_username = user;
454 udp->PAM_password = passwd;
455 udp->PAM_newpassword = newpass;
456
457 pconv->conv = smb_pam_conv_fnptr;
458 pconv->appdata_ptr = (void *)udp;
459 return pconv;
460 }
461
462 /*
463 * PAM Closing out cleanup handler
464 */
465
466 static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
467 {
468 int pam_error;
469
470 smb_free_pam_conv(smb_pam_conv_ptr);
471
472 if( pamh != NULL ) {
473 pam_error = pam_end(pamh, 0);
474 if (pam_error == PAM_SUCCESS) {
475 DBG_NOTICE("PAM: PAM_END OK.\n");
476 return True;
477 }
478
479 DBG_WARNING("PAM: PAM_END FAILED (%d).\n", pam_error);
480 } else {
481 DBG_INFO("PAM: not initialised\n");
482 }
483
484 return False;
485 }
486
487 /*
488 * Start PAM authentication for specified account
489 */
490
491 static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
492 {
493 int pam_error;
494
495 *pamh = (pam_handle_t *)NULL;
496
497 DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
498
499 pam_error = pam_start("samba", user, pconv, pamh);
500 if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
501 *pamh = (pam_handle_t *)NULL;
502 return False;
503 }
504
505 #ifdef HAVE_PAM_RHOST
506 DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
507 pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
508 if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
509 smb_pam_end(*pamh, pconv);
510 *pamh = (pam_handle_t *)NULL;
511 return False;
512 }
513 #endif
514 #ifdef HAVE_PAM_TTY
515 DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
516 pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
517 if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
518 smb_pam_end(*pamh, pconv);
519 *pamh = (pam_handle_t *)NULL;
520 return False;
521 }
522 #endif
523 DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
524 return True;
525 }
526
527 /*
528 * PAM Authentication Handler
529 */
530 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
531 {
532 int pam_error;
533 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
534
535 /*
536 * To enable debugging set in /etc/pam.d/samba:
537 * auth required /lib/security/pam_pwdb.so nullok shadow audit
538 */
539
540 DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
541 pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK));
542 switch( pam_error ){
543 case PAM_AUTH_ERR:
544 DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
545 break;
546 case PAM_CRED_INSUFFICIENT:
547 DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
548 break;
549 case PAM_AUTHINFO_UNAVAIL:
550 DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
551 break;
552 case PAM_USER_UNKNOWN:
553 DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
554 break;
555 case PAM_MAXTRIES:
556 DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
557 break;
558 case PAM_ABORT:
559 DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
560 break;
561 case PAM_SUCCESS:
562 DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
563 break;
564 default:
565 DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
566 break;
567 }
568
569 smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
570 return nt_status;
571 }
572
573 /*
574 * PAM Account Handler
575 */
576 static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user)
577 {
578 int pam_error;
579 NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
580
581 DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
582 pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
583 switch( pam_error ) {
584 case PAM_AUTHTOK_EXPIRED:
585 DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
586 break;
587 case PAM_ACCT_EXPIRED:
588 DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
589 break;
590 case PAM_AUTH_ERR:
591 DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
592 break;
593 case PAM_PERM_DENIED:
594 DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
595 break;
596 case PAM_USER_UNKNOWN:
597 DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
598 break;
599 case PAM_SUCCESS:
600 DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
601 break;
602 default:
603 DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
604 break;
605 }
606
607 smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
608 return nt_status;
609 }
610
611 /*
612 * PAM Credential Setting
613 */
614
615 static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user)
616 {
617 int pam_error;
618 NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
619
620 /*
621 * This will allow samba to acquire a kerberos token. And, when
622 * exporting an AFS cell, be able to /write/ to this cell.
623 */
624
625 DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
626 pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
627 switch( pam_error ) {
628 case PAM_CRED_UNAVAIL:
629 DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
630 break;
631 case PAM_CRED_EXPIRED:
632 DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
633 break;
634 case PAM_USER_UNKNOWN:
635 DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
636 break;
637 case PAM_CRED_ERR:
638 DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
639 break;
640 case PAM_SUCCESS:
641 DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
642 break;
643 default:
644 DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
645 break;
646 }
647
648 smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
649 return nt_status;
650 }
651
652 /*
653 * PAM Internal Session Handler
654 */
655 static bool smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, bool flag)
656 {
657 int pam_error;
658
659 #ifdef HAVE_PAM_TTY
660 DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
661 pam_error = pam_set_item(pamh, PAM_TTY, tty);
662 if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
663 return False;
664 #endif
665
666 if (flag) {
667 pam_error = pam_open_session(pamh, PAM_SILENT);
668 if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
669 return False;
670 } else {
671 pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */
672 pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
673 if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
674 return False;
675 }
676 return (True);
677 }
678
679 /*
680 * Internal PAM Password Changer.
681 */
682
683 static bool smb_pam_chauthtok(pam_handle_t *pamh, const char * user)
684 {
685 int pam_error;
686
687 DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
688
689 pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
690
691 switch( pam_error ) {
692 case PAM_AUTHTOK_ERR:
693 DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
694 break;
695
696 /* This doesn't seem to be defined on Solaris. JRA */
697 #ifdef PAM_AUTHTOK_RECOVER_ERR
698 case PAM_AUTHTOK_RECOVER_ERR:
699 DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
700 break;
701 #endif
702
703 case PAM_AUTHTOK_LOCK_BUSY:
704 DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
705 break;
706 case PAM_AUTHTOK_DISABLE_AGING:
707 DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
708 break;
709 case PAM_PERM_DENIED:
710 DEBUG(0, ("PAM: Permission denied.\n"));
711 break;
712 case PAM_TRY_AGAIN:
713 DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
714 break;
715 case PAM_USER_UNKNOWN:
716 DEBUG(0, ("PAM: User not known to PAM\n"));
717 break;
718 case PAM_SUCCESS:
719 DEBUG(4, ("PAM: Account OK for User: %s\n", user));
720 break;
721 default:
722 DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
723 }
724
725 if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
726 return False;
727 }
728
729 /* If this point is reached, the password has changed. */
730 return True;
731 }
732
733 /*
734 * PAM Externally accessible Session handler
735 */
736
737 bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost)
738 {
739 pam_handle_t *pamh = NULL;
740 struct pam_conv *pconv = NULL;
741
742 /* Ignore PAM if told to. */
743
744 if (!lp_obey_pam_restrictions())
745 return True;
746
747 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
748 return False;
749
750 if (!smb_pam_start(&pamh, user, rhost, pconv))
751 return False;
752
753 if (!smb_internal_pam_session(pamh, user, tty, True)) {
754 smb_pam_end(pamh, pconv);
755 return False;
756 }
757
758 return smb_pam_end(pamh, pconv);
759 }
760
761 /*
762 * PAM Externally accessible Session handler
763 */
764
765 bool smb_pam_close_session(const char *user, const char *tty, const char *rhost)
766 {
767 pam_handle_t *pamh = NULL;
768 struct pam_conv *pconv = NULL;
769
770 /* Ignore PAM if told to. */
771
772 if (!lp_obey_pam_restrictions())
773 return True;
774
775 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
776 return False;
777
778 if (!smb_pam_start(&pamh, user, rhost, pconv))
779 return False;
780
781 if (!smb_internal_pam_session(pamh, user, tty, False)) {
782 smb_pam_end(pamh, pconv);
783 return False;
784 }
785
786 return smb_pam_end(pamh, pconv);
787 }
788
789 /*
790 * PAM Externally accessible Account handler
791 */
792
793 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
794 {
795 NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
796 pam_handle_t *pamh = NULL;
797 struct pam_conv *pconv = NULL;
798
799 /* Ignore PAM if told to. */
800
801 if (!lp_obey_pam_restrictions())
802 return NT_STATUS_OK;
803
804 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
805 return NT_STATUS_NO_MEMORY;
806
807 if (!smb_pam_start(&pamh, user, rhost, pconv))
808 return NT_STATUS_ACCOUNT_DISABLED;
809
810 if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
811 DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
812
813 smb_pam_end(pamh, pconv);
814 return nt_status;
815 }
816
817 /*
818 * PAM Password Validation Suite
819 */
820
821 NTSTATUS smb_pam_passcheck(const char * user, const char * rhost,
822 const char * password)
823 {
824 pam_handle_t *pamh = NULL;
825 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
826 struct pam_conv *pconv = NULL;
827
828 /*
829 * Note we can't ignore PAM here as this is the only
830 * way of doing auths on plaintext passwords when
831 * compiled --with-pam.
832 */
833
834 if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
835 return NT_STATUS_LOGON_FAILURE;
836
837 if (!smb_pam_start(&pamh, user, rhost, pconv))
838 return NT_STATUS_LOGON_FAILURE;
839
840 if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
841 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
842 smb_pam_end(pamh, pconv);
843 return nt_status;
844 }
845
846 if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
847 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
848 smb_pam_end(pamh, pconv);
849 return nt_status;
850 }
851
852 if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
853 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
854 smb_pam_end(pamh, pconv);
855 return nt_status;
856 }
857
858 smb_pam_end(pamh, pconv);
859 return nt_status;
860 }
861
862 /*
863 * PAM Password Change Suite
864 */
865
866 bool smb_pam_passchange(const char *user, const char *rhost,
867 const char *oldpassword, const char *newpassword)
868 {
869 /* Appropriate quantities of root should be obtained BEFORE calling this function */
870 struct pam_conv *pconv = NULL;
871 pam_handle_t *pamh = NULL;
872
873 if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
874 return False;
875
876 if(!smb_pam_start(&pamh, user, rhost, pconv))
877 return False;
878
879 if (!smb_pam_chauthtok(pamh, user)) {
880 DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
881 smb_pam_end(pamh, pconv);
882 return False;
883 }
884
885 return smb_pam_end(pamh, pconv);
886 }
887
888 #else
889
890 /* If PAM not used, no PAM restrictions on accounts. */
891 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
892 {
893 return NT_STATUS_OK;
894 }
895
896 /* If PAM not used, also no PAM restrictions on sessions. */
897 bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost)
898 {
899 return True;
900 }
901
902 /* If PAM not used, also no PAM restrictions on sessions. */
903 bool smb_pam_close_session(const char *in_user, const char *tty, const char *rhost)
904 {
905 return True;
906 }
907 #endif /* WITH_PAM */
Samba git mirror