2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-2001
5 Copyright (C) John H Terpsta 1999-2001
6 Copyright (C) Andrew Bartlett 2001
7 Copyright (C) Jeremy Allison 2001
8 Copyright (C) Simo Sorce 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 * This module provides PAM based functions for validation of
27 * username/password pairs.
28 * Note: This module is a stripped down version of pampass.c of samba 3
29 * It has been adapted to perform only pam auth checks and code has
30 * been shaped out to meet samba4 coding stile
35 #ifdef HAVE_SECURITY_PAM_APPL_H
37 /*******************************************************************
38 * Handle PAM authentication
39 * - Access, Authentication, Session, Password
40 * Note: See PAM Documentation and refer to local system PAM implementation
41 * which determines what actions/limitations/allowances become affected.
42 *********************************************************************/
44 #include <security/pam_appl.h>
47 * Structure used to communicate between the conversation function
48 * and the server_login/change password functions.
51 struct smb_pam_userdata {
52 const char *PAM_username;
53 const char *PAM_password;
56 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
58 /*******************************************************************
60 *********************************************************************/
62 static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
65 if( pam_error != PAM_SUCCESS) {
66 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
67 msg, pam_strerror(pamh, pam_error)));
74 /*******************************************************************
75 This function is a sanity check, to make sure that we NEVER report
77 *********************************************************************/
79 static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
80 const char *msg, int dbglvl,
83 *nt_status = pam_to_nt_status(pam_error);
85 if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
88 if (NT_STATUS_IS_OK(*nt_status)) {
90 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
91 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
92 *nt_status = NT_STATUS_LOGON_FAILURE;
98 * PAM conversation function
99 * Here we assume (for now, at least) that echo on means login name, and
100 * echo off means password.
103 static int smb_pam_conv(int num_msg,
104 const struct pam_message **msg,
105 struct pam_response **resp,
109 struct pam_response *reply = NULL;
110 struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
118 * Apparantly HPUX has a buggy PAM that doesn't support the
119 * appdata_ptr. Fail if this is the case. JRA.
123 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
127 reply = malloc_array_p(struct pam_response, num_msg);
131 memset(reply, '\0', sizeof(struct pam_response) * num_msg);
133 for (replies = 0; replies < num_msg; replies++) {
134 switch (msg[replies]->msg_style) {
135 case PAM_PROMPT_ECHO_ON:
136 reply[replies].resp_retcode = PAM_SUCCESS;
137 reply[replies].resp = strdup(udp->PAM_username);
141 case PAM_PROMPT_ECHO_OFF:
142 reply[replies].resp_retcode = PAM_SUCCESS;
143 reply[replies].resp = strdup(udp->PAM_password);
152 reply[replies].resp_retcode = PAM_SUCCESS;
153 reply[replies].resp = NULL;
157 /* Must be an error of some sort... */
168 /***************************************************************************
169 Allocate a pam_conv struct.
170 ****************************************************************************/
172 static struct pam_conv *smb_setup_pam_conv(TALLOC_CTX *ctx,
173 smb_pam_conv_fn smb_pam_conv_fnptr,
174 const char *username, const char *password)
176 struct pam_conv *pconv;
177 struct smb_pam_userdata *udp;
179 pconv = talloc(ctx, struct pam_conv);
183 udp = talloc(ctx, struct smb_pam_userdata);
187 udp->PAM_username = username;
188 udp->PAM_password = password;
190 pconv->conv = smb_pam_conv_fnptr;
191 pconv->appdata_ptr = (void *)udp;
197 * PAM Closing out cleanup handler
200 static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
205 pam_error = pam_end(pamh, 0);
206 if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
207 DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
211 DEBUG(2,("smb_pam_end: PAM: not initialised"));
216 * Start PAM authentication for specified account
219 static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
222 const char *our_rhost;
224 if (user == NULL || rhost == NULL || pconv == NULL) {
228 *pamh = (pam_handle_t *)NULL;
230 DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
232 pam_error = pam_start("samba", user, pconv, pamh);
233 if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
234 *pamh = (pam_handle_t *)NULL;
239 DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
240 pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
241 if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
242 smb_pam_end(*pamh, pconv);
243 *pamh = (pam_handle_t *)NULL;
248 DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
249 pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
250 if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
251 smb_pam_end(*pamh, pconv);
252 *pamh = (pam_handle_t *)NULL;
256 DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
261 * PAM Authentication Handler
263 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
266 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
269 * To enable debugging set in /etc/pam.d/samba:
270 * auth required /lib/security/pam_pwdb.so nullok shadow audit
273 DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
274 pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
277 DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user));
279 case PAM_CRED_INSUFFICIENT:
280 DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
282 case PAM_AUTHINFO_UNAVAIL:
283 DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
285 case PAM_USER_UNKNOWN:
286 DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
289 DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
292 DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
295 DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
298 DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
302 smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
307 * PAM Password Validation Suite
310 NTSTATUS unix_passcheck(TALLOC_CTX *ctx, const char *client, const char *username, const char *password)
312 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
313 pam_handle_t *pamh = NULL;
314 struct pam_conv *pconv = NULL;
316 if ((pconv = smb_setup_pam_conv(ctx, smb_pam_conv, username, password)) == NULL)
319 if (!smb_pam_start(&pamh, username, client, pconv)) {
324 if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, username))) {
325 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", username));
328 smb_pam_end(pamh, pconv);
336 NTSTATUS unix_passcheck(TALLOC_CTX *ctx, const char *client, const char *username, const char *password)
338 return NT_STATUS_LOGON_FAILURE;
341 #endif /* WITH_PAM */