r8482: gnutls_x509_crt_set_subject_key_id is not available in some versions
[bbaumbach/samba-autobuild/.git] / source4 / web_server / pam.c
1 /* 
2    Unix SMB/CIFS implementation.
3    PAM Password checking
4    Copyright (C) Andrew Tridgell 1992-2001
5    Copyright (C) John H Terpsta 1999-2001
6    Copyright (C) Andrew Bartlett 2001
7    Copyright (C) Jeremy Allison 2001
8    Copyright (C) Simo Sorce 2005
9    
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /*
26  * This module provides PAM based functions for validation of
27  * username/password pairs.
28  * Note: This module is a stripped down version of pampass.c of samba 3
29  *       It has been adapted to perform only pam auth checks and code has
30  *       been shaped out to meet samba4 coding stile
31  */
32
33 #include "includes.h"
34
35 #ifdef HAVE_SECURITY_PAM_APPL_H
36
37 /*******************************************************************
38  * Handle PAM authentication 
39  *      - Access, Authentication, Session, Password
40  *   Note: See PAM Documentation and refer to local system PAM implementation
41  *   which determines what actions/limitations/allowances become affected.
42  *********************************************************************/
43
44 #include <security/pam_appl.h>
45
46 /*
47  * Structure used to communicate between the conversation function
48  * and the server_login/change password functions.
49  */
50
51 struct smb_pam_userdata {
52         const char *PAM_username;
53         const char *PAM_password;
54 };
55
56 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
57
58 /*******************************************************************
59  PAM error handler.
60  *********************************************************************/
61
62 static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
63 {
64
65         if( pam_error != PAM_SUCCESS) {
66                 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
67                                 msg, pam_strerror(pamh, pam_error)));
68                 
69                 return False;
70         }
71         return True;
72 }
73
74 /*******************************************************************
75  This function is a sanity check, to make sure that we NEVER report
76  failure as sucess.
77 *********************************************************************/
78
79 static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
80                                             const char *msg, int dbglvl, 
81                                             NTSTATUS *nt_status)
82 {
83         *nt_status = pam_to_nt_status(pam_error);
84
85         if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
86                 return True;
87
88         if (NT_STATUS_IS_OK(*nt_status)) {
89                 /* Complain LOUDLY */
90                 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
91 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
92                 *nt_status = NT_STATUS_LOGON_FAILURE;
93         }
94         return False;
95 }
96
97 /*
98  * PAM conversation function
99  * Here we assume (for now, at least) that echo on means login name, and
100  * echo off means password.
101  */
102
103 static int smb_pam_conv(int num_msg,
104                     const struct pam_message **msg,
105                     struct pam_response **resp,
106                     void *appdata_ptr)
107 {
108         int replies = 0;
109         struct pam_response *reply = NULL;
110         struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
111
112         *resp = NULL;
113
114         if (num_msg <= 0)
115                 return PAM_CONV_ERR;
116
117         /*
118          * Apparantly HPUX has a buggy PAM that doesn't support the
119          * appdata_ptr. Fail if this is the case. JRA.
120          */
121
122         if (udp == NULL) {
123                 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
124                 return PAM_CONV_ERR;
125         }
126
127         reply = malloc_array_p(struct pam_response, num_msg);
128         if (!reply)
129                 return PAM_CONV_ERR;
130
131         memset(reply, '\0', sizeof(struct pam_response) * num_msg);
132
133         for (replies = 0; replies < num_msg; replies++) {
134                 switch (msg[replies]->msg_style) {
135                         case PAM_PROMPT_ECHO_ON:
136                                 reply[replies].resp_retcode = PAM_SUCCESS;
137                                 reply[replies].resp = strdup(udp->PAM_username);
138                                 /* PAM frees resp */
139                                 break;
140
141                         case PAM_PROMPT_ECHO_OFF:
142                                 reply[replies].resp_retcode = PAM_SUCCESS;
143                                 reply[replies].resp = strdup(udp->PAM_password);
144                                 /* PAM frees resp */
145                                 break;
146
147                         case PAM_TEXT_INFO:
148                                 /* fall through */
149
150                         case PAM_ERROR_MSG:
151                                 /* ignore it... */
152                                 reply[replies].resp_retcode = PAM_SUCCESS;
153                                 reply[replies].resp = NULL;
154                                 break;
155
156                         default:
157                                 /* Must be an error of some sort... */
158                                 if (reply)
159                                         free(reply);
160                                 return PAM_CONV_ERR;
161                 }
162         }
163         if (reply)
164                 *resp = reply;
165         return PAM_SUCCESS;
166 }
167
168 /***************************************************************************
169  Allocate a pam_conv struct.
170 ****************************************************************************/
171
172 static struct pam_conv *smb_setup_pam_conv(TALLOC_CTX *ctx,
173                                            smb_pam_conv_fn smb_pam_conv_fnptr,
174                                            const char *username, const char *password)
175 {
176         struct pam_conv *pconv;
177         struct smb_pam_userdata *udp;
178
179         pconv = talloc(ctx, struct pam_conv);
180         if (pconv == NULL)
181                 return NULL;
182
183         udp = talloc(ctx, struct smb_pam_userdata);
184         if (udp == NULL)
185                 return NULL;
186
187         udp->PAM_username = username;
188         udp->PAM_password = password;
189
190         pconv->conv = smb_pam_conv_fnptr;
191         pconv->appdata_ptr = (void *)udp;
192
193         return pconv;
194 }
195
196 /* 
197  * PAM Closing out cleanup handler
198  */
199
200 static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
201 {
202         int pam_error;
203
204         if( pamh != NULL ) {
205                 pam_error = pam_end(pamh, 0);
206                 if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
207                         DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
208                         return True;
209                 }
210         }
211         DEBUG(2,("smb_pam_end: PAM: not initialised"));
212         return False;
213 }
214
215 /*
216  * Start PAM authentication for specified account
217  */
218
219 static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
220 {
221         int pam_error;
222         const char *our_rhost;
223
224         if (user == NULL || rhost == NULL || pconv == NULL) {
225                 return False;
226         }
227
228         *pamh = (pam_handle_t *)NULL;
229
230         DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
231
232         pam_error = pam_start("samba", user, pconv, pamh);
233         if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
234                 *pamh = (pam_handle_t *)NULL;
235                 return False;
236         }
237
238 #ifdef PAM_RHOST
239         DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
240         pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
241         if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
242                 smb_pam_end(*pamh, pconv);
243                 *pamh = (pam_handle_t *)NULL;
244                 return False;
245         }
246 #endif
247 #ifdef PAM_TTY
248         DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
249         pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
250         if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
251                 smb_pam_end(*pamh, pconv);
252                 *pamh = (pam_handle_t *)NULL;
253                 return False;
254         }
255 #endif
256         DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
257         return True;
258 }
259
260 /*
261  * PAM Authentication Handler
262  */
263 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
264 {
265         int pam_error;
266         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
267
268         /*
269          * To enable debugging set in /etc/pam.d/samba:
270          *      auth required /lib/security/pam_pwdb.so nullok shadow audit
271          */
272         
273         DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
274         pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
275         switch( pam_error ){
276                 case PAM_AUTH_ERR:
277                         DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user));
278                         break;
279                 case PAM_CRED_INSUFFICIENT:
280                         DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
281                         break;
282                 case PAM_AUTHINFO_UNAVAIL:
283                         DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
284                         break;
285                 case PAM_USER_UNKNOWN:
286                         DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
287                         break;
288                 case PAM_MAXTRIES:
289                         DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
290                         break;
291                 case PAM_ABORT:
292                         DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
293                         break;
294                 case PAM_SUCCESS:
295                         DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
296                         break;
297                 default:
298                         DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
299                         break;
300         }
301
302         smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
303         return nt_status;
304 }
305
306 /*
307  * PAM Password Validation Suite
308  */
309
310 NTSTATUS unix_passcheck(TALLOC_CTX *ctx, const char *client, const char *username, const char *password)
311 {
312         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
313         pam_handle_t *pamh = NULL;
314         struct pam_conv *pconv = NULL;
315
316         if ((pconv = smb_setup_pam_conv(ctx, smb_pam_conv, username, password)) == NULL)
317                 return nt_status;
318
319         if (!smb_pam_start(&pamh, username, client, pconv)) {
320                 talloc_free(pconv);
321                 return nt_status;
322         }
323
324         if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, username))) {
325                 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", username));
326         }
327
328         smb_pam_end(pamh, pconv);
329         talloc_free(pconv);
330
331         return nt_status;
332 }
333
334 #else
335
336 NTSTATUS unix_passcheck(TALLOC_CTX *ctx, const char *client, const char *username, const char *password)
337 {
338         return NT_STATUS_LOGON_FAILURE;
339 }
340
341 #endif /* WITH_PAM */