that keep me working on it :)
* and of course, all the other members of the Samba team
-<samba@samba.org>, for creating a great product and for giving this
-project a purpose
+<http://www.samba.org/samba/team.html>, for creating a great product
+and for giving this project a purpose
---------------------
Stephen Langasek <vorlon@netexpress.net>
const char *name;
const char *p;
- struct smb_passwd *smb_pwent = NULL;
+ SAM_ACCOUNT *sampass = NULL;
extern BOOL in_client;
/* Samba initialization. */
setup_logging( "pam_smbpass", False );
+ charset_initialise();
+ codepage_initialise(lp_client_code_page());
in_client = True;
ctrl = set_ctrl( flags, argc, argv );
}
/* Get the user's record. */
- smb_pwent = getsmbpwnam( name );
+ pdb_init_sam(&sampass);
+ pdb_getsampwnam(sampass, name );
- if (!smb_pwent)
+ if (!sampass)
return PAM_USER_UNKNOWN;
- if (smb_pwent->acct_ctrl & ACB_DISABLED) {
+ if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
if (on( SMB_DEBUG, ctrl )) {
_log_err( LOG_DEBUG
, "acct: account %s is administratively disabled", name );
} while (0)
static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
- const char *name, struct smb_passwd *smb_pwent);
+ const char *name, SAM_ACCOUNT *sampass, BOOL exist);
/*
* pam_sm_authenticate() authenticates users against the samba password file.
{
unsigned int ctrl;
int retval, *ret_data = NULL;
-
+ SAM_ACCOUNT *sampass = NULL;
+ extern BOOL in_client;
const char *name;
+ BOOL found;
/* Points to memory managed by the PAM library. Do not free. */
const char *p = NULL;
- struct smb_passwd *smb_pwent = NULL;
-
- extern BOOL in_client;
/* Samba initialization. */
setup_logging("pam_smbpass",False);
+ charset_initialise();
+ codepage_initialise(lp_client_code_page());
in_client = True;
ctrl = set_ctrl(flags, argc, argv);
/* Get a few bytes so we can pass our return value to
- pam_sm_setcred(). Used in AUTH_RETURN macro */
+ pam_sm_setcred(). */
ret_data = malloc(sizeof(int));
/* get the username */
AUTH_RETURN;
}
- smb_pwent = getsmbpwnam( name );
+ pdb_init_sam(&sampass);
+
+ found = pdb_getsampwnam( sampass, name );
if (on( SMB_MIGRATE, ctrl )) {
- retval = _smb_add_user(pamh, ctrl, name, smb_pwent);
+ retval = _smb_add_user(pamh, ctrl, name, sampass, found);
+ pdb_free_sam(&sampass);
AUTH_RETURN;
}
- if (smb_pwent == NULL) {
+ if (!found) {
_log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
retval = PAM_USER_UNKNOWN;
+ pdb_free_sam(&sampass);
+ sampass = NULL;
AUTH_RETURN;
}
/* if this user does not have a password... */
- if (_smb_blankpasswd( ctrl, smb_pwent )) {
- smb_pwent = NULL;
+ if (_smb_blankpasswd( ctrl, sampass )) {
+ pdb_free_sam(&sampass);
retval = PAM_SUCCESS;
AUTH_RETURN;
}
/* get this user's authentication token */
- retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL
- , _SMB_AUTHTOK, &p);
+ retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
if (retval != PAM_SUCCESS ) {
_log_err(LOG_CRIT, "auth: no password provided for [%s]"
, name);
- smb_pwent = NULL;
+ pdb_free_sam(&sampass);
AUTH_RETURN;
}
/* verify the password of this user */
- retval = _smb_verify_password( pamh, smb_pwent, p, ctrl );
- smb_pwent = NULL;
+ retval = _smb_verify_password( pamh, sampass, p, ctrl );
+ pdb_free_sam(&sampass);
p = NULL;
AUTH_RETURN;
}
pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval);
if(pretval) {
retval = *pretval;
- free(pretval);
+ SAFE_FREE(pretval);
}
pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
/* Helper function for adding a user to the db. */
static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
- const char *name, struct smb_passwd *smb_pwent)
+ const char *name, SAM_ACCOUNT *sampass, BOOL exist)
{
pstring err_str;
pstring msg_str;
}
/* Add the user to the db if they aren't already there. */
- if (smb_pwent == NULL) {
- retval = local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD,
+ if (!exist) {
+ retval = local_password_change( name, LOCAL_ADD_USER,
pass, err_str,
sizeof(err_str),
msg_str, sizeof(msg_str) );
pass = NULL;
return PAM_IGNORE;
- }
-
+ }
+ else {
/* Change the user's password IFF it's null. */
- if (smb_pwent->smb_passwd == NULL && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
+ if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
{
- retval = local_password_change( name, LOCAL_SET_PASSWORD,
- pass, err_str,
- sizeof(err_str),
+ retval = local_password_change( name, 0, pass, err_str, sizeof(err_str),
msg_str, sizeof(msg_str) );
if (!retval && *err_str)
{
make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
}
+ }
+
pass = NULL;
return PAM_IGNORE;
#include "support.h"
-int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user
- , const char *pass_new )
+int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new )
{
char c;
int retval, i;
err_str[0] = '\0';
msg_str[0] = '\0';
- retval = local_password_change( user, LOCAL_SET_PASSWORD, pass_new, err_str, sizeof(err_str),
+ retval = local_password_change( user, 0, pass_new, err_str, sizeof(err_str),
msg_str, sizeof(msg_str) );
if (!retval) {
extern BOOL in_client;
- struct smb_passwd *smb_pwent=NULL;
+ SAM_ACCOUNT *sampass = NULL;
const char *user;
const char *pass_old, *pass_new;
/* Samba initialization. */
setup_logging( "pam_smbpass", False );
+ charset_initialise();
+ codepage_initialise(lp_client_code_page());
in_client = True;
ctrl = set_ctrl(flags, argc, argv);
}
/* obtain user record */
- smb_pwent = getsmbpwnam(user);
+ pdb_init_sam(&sampass);
+ pdb_getsampwnam(sampass,user);
- if (smb_pwent == NULL) {
+ if (sampass == NULL) {
_log_err( LOG_ALERT, "Failed to find entry for user %s.", user );
return PAM_USER_UNKNOWN;
}
char *Announce;
- if (_smb_blankpasswd( ctrl, smb_pwent )) {
+ if (_smb_blankpasswd( ctrl, sampass )) {
+ pdb_free_sam(&sampass);
return PAM_SUCCESS;
-
}
/* Password change by root, or for an expired token, doesn't
Announce = (char *) malloc(sizeof(greeting)+strlen(user));
if (Announce == NULL) {
_log_err(LOG_CRIT, "password: out of memory");
+ pdb_free_sam(&sampass);
return PAM_BUF_ERR;
}
strncpy( Announce, greeting, sizeof(greeting) );
#undef greeting
set( SMB__OLD_PASSWD, ctrl );
- retval = _smb_read_password( pamh, ctrl
- , Announce
- , "Current SMB password: "
- , NULL
- , _SMB_OLD_AUTHTOK
- , &pass_old );
- free( Announce );
+ retval = _smb_read_password( pamh, ctrl, Announce, "Current SMB password: ",
+ NULL, _SMB_OLD_AUTHTOK, &pass_old );
+ SAFE_FREE( Announce );
if (retval != PAM_SUCCESS) {
_log_err( LOG_NOTICE
, "password - (old) token not obtained" );
+ pdb_free_sam(&sampass);
return retval;
}
/* verify that this is the password for this user */
- retval = _smb_verify_password( pamh, smb_pwent, pass_old, ctrl );
+ retval = _smb_verify_password( pamh, sampass, pass_old, ctrl );
} else {
pass_old = NULL;
}
pass_old = NULL;
+ pdb_free_sam(&sampass);
return retval;
} else if (flags & PAM_UPDATE_AUTHTOK) {
+#if 0
+ /* We used to return when this flag was set, but that breaks
+ password synchronization when /other/ tokens are expired. For
+ now, we change the password whenever we're asked. SRL */
if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) {
- /* NOTE: there is currently no support for password expiring
- under Samba. Support will be added here when it becomes
- available. */
+ pdb_free_sam(&sampass);
return PAM_SUCCESS;
}
+#endif
/*
* obtain the proposed password
*/
if (retval != PAM_SUCCESS) {
_log_err( LOG_NOTICE, "password: user not authenticated" );
+ pdb_free_sam(&sampass);
return retval;
}
, "password: new password not obtained" );
}
pass_old = NULL; /* tidy up */
+ pdb_free_sam(&sampass);
return retval;
}
if (retval != PAM_SUCCESS) {
_log_err(LOG_NOTICE, "new password not acceptable");
pass_new = pass_old = NULL; /* tidy up */
+ pdb_free_sam(&sampass);
return retval;
}
if (retval == PAM_SUCCESS) {
/* password updated */
_log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)"
- , user, smb_pwent->smb_userid, uidtoname( getuid() )
+ , user, pdb_get_uid(sampass), uidtoname( getuid() )
, getuid() );
} else {
_log_err( LOG_ERR, "password change failed for user %s"
}
pass_old = pass_new = NULL;
- smb_pwent = NULL;
+ if (sampass) {
+ pdb_free_sam(&sampass);
+ sampass = NULL;
+ }
} else { /* something has broken with the library */
retval = PAM_ABORT;
}
+
+ if (sampass) {
+ pdb_free_sam(&sampass);
+ sampass = NULL;
+ }
+ pdb_free_sam(&sampass);
return retval;
}
int set_ctrl( int flags, int argc, const char **argv )
{
int i = 0;
- const char *service_file = dyn_CONFIGFILE;
+ static pstring servicesf = CONFIGFILE;
+ const char *service_file = servicesf;
unsigned int ctrl;
ctrl = SMB_DEFAULTS; /* the default selection of options */
x = _pam_delete( (char *) x );
}
+/* JHT
+ *
+ * Safe duplication of character strings. "Paranoid"; don't leave
+ * evidence of old token around for later stack analysis.
+ *
+ */
+char * smbpXstrDup( const char *x )
+{
+ register char *new = NULL;
+
+ if (x != NULL) {
+ register int i;
+
+ for (i = 0; x[i]; ++i); /* length of string */
+ if ((new = malloc(++i)) == NULL) {
+ i = 0;
+ _log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
+ } else {
+ while (i-- > 0) {
+ new[i] = x[i];
+ }
+ }
+ x = NULL;
+ }
+ return new; /* return the duplicate or NULL on error */
+}
+
/* ************************************************************** *
* Useful non-trivial functions *
* ************************************************************** */
}
_pam_delete( failure->agent ); /* tidy up */
_pam_delete( failure->user ); /* tidy up */
- free( failure );
+ SAFE_FREE( failure );
}
}
-int _smb_verify_password( pam_handle_t * pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl )
+int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
+ const char *p, unsigned int ctrl )
{
uchar hash_pass[16];
uchar lm_pw[16];
char *data_name;
const char *name;
- if (!smb_pwent)
+ if (!sampass)
return PAM_ABORT;
- name = smb_pwent->smb_name;
+ name = pdb_get_username(sampass);
#ifdef HAVE_PAM_FAIL_DELAY
if (off( SMB_NODELAY, ctrl )) {
}
#endif
- if (!smb_pwent->smb_passwd)
+ if (!pdb_get_lanman_passwd(sampass))
{
_log_err( LOG_DEBUG, "user %s has null SMB password"
, name );
if (off( SMB__NONULL, ctrl )
- && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
+ && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
{ /* this means we've succeeded */
return PAM_SUCCESS;
} else {
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
return PAM_AUTH_ERR;
}
}
- data_name = (char *) malloc( sizeof(FAIL_PREFIX)
- + strlen( name ));
+ data_name = (char *) malloc( sizeof(FAIL_PREFIX) + strlen( name ));
if (data_name == NULL) {
_log_err( LOG_CRIT, "no memory for data-name" );
}
if (strlen( p ) == 16 || (strlen( p ) == 32
&& pdb_gethexpwd( p, (char *) hash_pass ))) {
- if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 )
- || (smb_pwent->smb_nt_passwd
- && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 )))
+ if (!memcmp( hash_pass, pdb_get_lanman_passwd(sampass), 16 )
+ || (pdb_get_nt_passwd(sampass)
+ && !memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 )))
{
retval = PAM_SUCCESS;
if (data_name) { /* reset failures */
}
_pam_delete( data_name );
memset( hash_pass, '\0', 16 );
- smb_pwent = NULL;
return retval;
}
}
/* the moment of truth -- do we agree with the password? */
- if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) {
+ if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
retval = PAM_SUCCESS;
if (data_name) { /* reset failures */
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
new->count = 1;
}
- new->user = smb_xstrdup( name );
- new->id = smb_pwent->smb_userid;
- new->agent = smb_xstrdup( uidtoname( getuid() ) );
+ new->user = smbpXstrDup( name );
+ new->id = pdb_get_uid(sampass);
+ new->agent = smbpXstrDup( uidtoname( getuid() ) );
pam_set_data( pamh, data_name, new, _cleanup_failures );
} else {
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
}
} else {
_log_err( LOG_NOTICE
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
retval = PAM_AUTH_ERR;
}
}
_pam_delete( data_name );
- smb_pwent = NULL;
+
return retval;
}
* - to avoid prompting for one in such cases (CG)
*/
-int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
+int _smb_blankpasswd( unsigned int ctrl, SAM_ACCOUNT *sampass )
{
int retval;
if (on( SMB__NONULL, ctrl ))
return 0; /* will fail but don't let on yet */
- if (smb_pwent->smb_passwd == NULL)
+ if (pdb_get_lanman_passwd(sampass) == NULL)
retval = 1;
else
retval = 0;
* obtain a password from the user
*/
-int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl
- , const char *comment, const char *prompt1
- , const char *prompt2, const char *data_name
- , const char **pass )
+int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
+ const char *comment, const char *prompt1,
+ const char *prompt2, const char *data_name, char **pass )
{
int authtok_flag;
int retval;
if (retval == PAM_SUCCESS) { /* a good conversation */
- token = smb_xstrdup(resp[j++].resp);
+ token = smbpXstrDup(resp[j++].resp);
if (token != NULL) {
if (expect == 2) {
/* verify that password entered correctly */
return PAM_SUCCESS;
}
-int _pam_smb_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
- ,const char *pass_old
- ,const char *pass_new)
+int _pam_smb_approve_pass(pam_handle_t * pamh,
+ unsigned int ctrl,
+ const char *pass_old,
+ const char *pass_new )
{
/* Further checks should be handled through module stacking. -SRL */
* evidence of old token around for later stack analysis.
*/
-extern char *xstrdup(const char *);
+extern char *smbpXstrDup(const char *);
/* ************************************************************** *
* Useful non-trivial functions *
extern struct smb_passwd *
_my_get_smbpwnam(FILE *, const char *, BOOL *, BOOL *, long *);
-extern int _smb_verify_password( pam_handle_t *pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl );
+extern int _smb_verify_password( pam_handle_t *pamh , SAM_ACCOUNT *sampass,
+ const char *p, unsigned int ctrl );
/*
* this function obtains the name of the current user and ensures
/* _smb_blankpasswd() is a quick check for a blank password */
-extern int _smb_blankpasswd(unsigned int, const struct smb_passwd *);
+extern int _smb_blankpasswd(unsigned int, SAM_ACCOUNT *);
/* obtain a password from the user */
extern int _smb_read_password( pam_handle_t *, unsigned int, const char*,
- const char *, const char *, const char *,
- const char **);
+ const char *, const char *, const char *, char **);
extern int _pam_smb_approve_pass(pam_handle_t *, unsigned int, const char *,
const char *);
git.samba.org / bbaumbach / samba-autobuild / .git / commitdiff