s3:fix build of pam_winbind.so on older Linux systems.
[kai/samba.git] / source3 / nsswitch / pam_winbind.c
1 /* pam_winbind module
2
3    Copyright Andrew Tridgell <tridge@samba.org> 2000
4    Copyright Tim Potter <tpot@samba.org> 2000
5    Copyright Andrew Bartlett <abartlet@samba.org> 2002
6    Copyright Guenther Deschner <gd@samba.org> 2005-2008
7
8    largely based on pam_userdb by Cristian Gafton <gafton@redhat.com> also
9    contains large slabs of code from pam_unix by Elliot Lee
10    <sopwith@redhat.com> (see copyright below for full details)
11 */
12
13 #include "pam_winbind.h"
14
15 static int wbc_error_to_pam_error(wbcErr status)
16 {
17         switch (status) {
18                 case WBC_ERR_SUCCESS:
19                         return PAM_SUCCESS;
20                 case WBC_ERR_NOT_IMPLEMENTED:
21                         return PAM_SERVICE_ERR;
22                 case WBC_ERR_UNKNOWN_FAILURE:
23                         break;
24                 case WBC_ERR_NO_MEMORY:
25                         return PAM_BUF_ERR;
26                 case WBC_ERR_INVALID_SID:
27                 case WBC_ERR_INVALID_PARAM:
28                         break;
29                 case WBC_ERR_WINBIND_NOT_AVAILABLE:
30                         return PAM_AUTHINFO_UNAVAIL;
31                 case WBC_ERR_DOMAIN_NOT_FOUND:
32                         return PAM_AUTHINFO_UNAVAIL;
33                 case WBC_ERR_INVALID_RESPONSE:
34                         return PAM_BUF_ERR;
35                 case WBC_ERR_NSS_ERROR:
36                         return PAM_USER_UNKNOWN;
37                 case WBC_ERR_AUTH_ERROR:
38                         return PAM_AUTH_ERR;
39                 case WBC_ERR_UNKNOWN_USER:
40                         return PAM_USER_UNKNOWN;
41                 case WBC_ERR_UNKNOWN_GROUP:
42                         return PAM_USER_UNKNOWN;
43                 case WBC_ERR_PWD_CHANGE_FAILED:
44                         break;
45         }
46
47         /* be paranoid */
48         return PAM_AUTH_ERR;
49 }
50
51 static const char *_pam_error_code_str(int err)
52 {
53         switch (err) {
54                 case PAM_SUCCESS:
55                         return "PAM_SUCCESS";
56                 case PAM_OPEN_ERR:
57                         return "PAM_OPEN_ERR";
58                 case PAM_SYMBOL_ERR:
59                         return "PAM_SYMBOL_ERR";
60                 case PAM_SERVICE_ERR:
61                         return "PAM_SERVICE_ERR";
62                 case PAM_SYSTEM_ERR:
63                         return "PAM_SYSTEM_ERR";
64                 case PAM_BUF_ERR:
65                         return "PAM_BUF_ERR";
66                 case PAM_PERM_DENIED:
67                         return "PAM_PERM_DENIED";
68                 case PAM_AUTH_ERR:
69                         return "PAM_AUTH_ERR";
70                 case PAM_CRED_INSUFFICIENT:
71                         return "PAM_CRED_INSUFFICIENT";
72                 case PAM_AUTHINFO_UNAVAIL:
73                         return "PAM_AUTHINFO_UNAVAIL";
74                 case PAM_USER_UNKNOWN:
75                         return "PAM_USER_UNKNOWN";
76                 case PAM_MAXTRIES:
77                         return "PAM_MAXTRIES";
78                 case PAM_NEW_AUTHTOK_REQD:
79                         return "PAM_NEW_AUTHTOK_REQD";
80                 case PAM_ACCT_EXPIRED:
81                         return "PAM_ACCT_EXPIRED";
82                 case PAM_SESSION_ERR:
83                         return "PAM_SESSION_ERR";
84                 case PAM_CRED_UNAVAIL:
85                         return "PAM_CRED_UNAVAIL";
86                 case PAM_CRED_EXPIRED:
87                         return "PAM_CRED_EXPIRED";
88                 case PAM_CRED_ERR:
89                         return "PAM_CRED_ERR";
90                 case PAM_NO_MODULE_DATA:
91                         return "PAM_NO_MODULE_DATA";
92                 case PAM_CONV_ERR:
93                         return "PAM_CONV_ERR";
94                 case PAM_AUTHTOK_ERR:
95                         return "PAM_AUTHTOK_ERR";
96                 case PAM_AUTHTOK_RECOVER_ERR:
97                         return "PAM_AUTHTOK_RECOVER_ERR";
98                 case PAM_AUTHTOK_LOCK_BUSY:
99                         return "PAM_AUTHTOK_LOCK_BUSY";
100                 case PAM_AUTHTOK_DISABLE_AGING:
101                         return "PAM_AUTHTOK_DISABLE_AGING";
102                 case PAM_TRY_AGAIN:
103                         return "PAM_TRY_AGAIN";
104                 case PAM_IGNORE:
105                         return "PAM_IGNORE";
106                 case PAM_ABORT:
107                         return "PAM_ABORT";
108                 case PAM_AUTHTOK_EXPIRED:
109                         return "PAM_AUTHTOK_EXPIRED";
110 #ifdef PAM_MODULE_UNKNOWN
111                 case PAM_MODULE_UNKNOWN:
112                         return "PAM_MODULE_UNKNOWN";
113 #endif
114 #ifdef PAM_BAD_ITEM
115                 case PAM_BAD_ITEM:
116                         return "PAM_BAD_ITEM";
117 #endif
118 #ifdef PAM_CONV_AGAIN
119                 case PAM_CONV_AGAIN:
120                         return "PAM_CONV_AGAIN";
121 #endif
122 #ifdef PAM_INCOMPLETE
123                 case PAM_INCOMPLETE:
124                         return "PAM_INCOMPLETE";
125 #endif
126                 default:
127                         return NULL;
128         }
129 }
130
131 #define _PAM_LOG_FUNCTION_ENTER(function, ctx) \
132         do { \
133                 _pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] ENTER: " \
134                                function " (flags: 0x%04x)", ctx->pamh, ctx->flags); \
135                 _pam_log_state(ctx); \
136         } while (0)
137
138 #define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \
139         do { \
140                 _pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \
141                                function " returning %d (%s)", ctx->pamh, retval, \
142                                _pam_error_code_str(retval)); \
143                 _pam_log_state(ctx); \
144         } while (0)
145
146 /* data tokens */
147
148 #define MAX_PASSWD_TRIES        3
149
150 #ifdef HAVE_GETTEXT
151 static char initialized = 0;
152
153 static inline void textdomain_init(void);
154 static inline void textdomain_init(void)
155 {
156         if (!initialized) {
157                 bindtextdomain(MODULE_NAME, dyn_LOCALEDIR);
158                 initialized = 1;
159         }
160         return;
161 }
162 #endif
163
164
165 /*
166  * Work around the pam API that has functions with void ** as parameters
167  * These lead to strict aliasing warnings with gcc.
168  */
169 static int _pam_get_item(const pam_handle_t *pamh,
170                          int item_type,
171                          const void *_item)
172 {
173         const void **item = (const void **)_item;
174         return pam_get_item(pamh, item_type, item);
175 }
176 static int _pam_get_data(const pam_handle_t *pamh,
177                          const char *module_data_name,
178                          const void *_data)
179 {
180         const void **data = (const void **)_data;
181         return pam_get_data(pamh, module_data_name, data);
182 }
183
184 /* some syslogging */
185
186 #ifdef HAVE_PAM_VSYSLOG
187 static void _pam_log_int(const pam_handle_t *pamh,
188                          int err,
189                          const char *format,
190                          va_list args)
191 {
192         pam_vsyslog(pamh, err, format, args);
193 }
194 #else
195 static void _pam_log_int(const pam_handle_t *pamh,
196                          int err,
197                          const char *format,
198                          va_list args)
199 {
200         char *format2 = NULL;
201         const char *service;
202
203         _pam_get_item(pamh, PAM_SERVICE, &service);
204
205         format2 = (char *)malloc(strlen(MODULE_NAME)+strlen(format)+strlen(service)+5);
206         if (format2 == NULL) {
207                 /* what else todo ? */
208                 vsyslog(err, format, args);
209                 return;
210         }
211
212         sprintf(format2, "%s(%s): %s", MODULE_NAME, service, format);
213         vsyslog(err, format2, args);
214         SAFE_FREE(format2);
215 }
216 #endif /* HAVE_PAM_VSYSLOG */
217
218 static bool _pam_log_is_silent(int ctrl)
219 {
220         return on(ctrl, WINBIND_SILENT);
221 }
222
223 static void _pam_log(struct pwb_context *r, int err, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
224 static void _pam_log(struct pwb_context *r, int err, const char *format, ...)
225 {
226         va_list args;
227
228         if (_pam_log_is_silent(r->ctrl)) {
229                 return;
230         }
231
232         va_start(args, format);
233         _pam_log_int(r->pamh, err, format, args);
234         va_end(args);
235 }
236 static void __pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...) PRINTF_ATTRIBUTE(4,5);
237 static void __pam_log(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
238 {
239         va_list args;
240
241         if (_pam_log_is_silent(ctrl)) {
242                 return;
243         }
244
245         va_start(args, format);
246         _pam_log_int(pamh, err, format, args);
247         va_end(args);
248 }
249
250 static bool _pam_log_is_debug_enabled(int ctrl)
251 {
252         if (ctrl == -1) {
253                 return false;
254         }
255
256         if (_pam_log_is_silent(ctrl)) {
257                 return false;
258         }
259
260         if (!(ctrl & WINBIND_DEBUG_ARG)) {
261                 return false;
262         }
263
264         return true;
265 }
266
267 static bool _pam_log_is_debug_state_enabled(int ctrl)
268 {
269         if (!(ctrl & WINBIND_DEBUG_STATE)) {
270                 return false;
271         }
272
273         return _pam_log_is_debug_enabled(ctrl);
274 }
275
276 static void _pam_log_debug(struct pwb_context *r, int err, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
277 static void _pam_log_debug(struct pwb_context *r, int err, const char *format, ...)
278 {
279         va_list args;
280
281         if (!_pam_log_is_debug_enabled(r->ctrl)) {
282                 return;
283         }
284
285         va_start(args, format);
286         _pam_log_int(r->pamh, err, format, args);
287         va_end(args);
288 }
289 static void __pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...) PRINTF_ATTRIBUTE(4,5);
290 static void __pam_log_debug(const pam_handle_t *pamh, int ctrl, int err, const char *format, ...)
291 {
292         va_list args;
293
294         if (!_pam_log_is_debug_enabled(ctrl)) {
295                 return;
296         }
297
298         va_start(args, format);
299         _pam_log_int(pamh, err, format, args);
300         va_end(args);
301 }
302
303 static void _pam_log_state_datum(struct pwb_context *ctx,
304                                  int item_type,
305                                  const char *key,
306                                  int is_string)
307 {
308         const void *data = NULL;
309         if (item_type != 0) {
310                 pam_get_item(ctx->pamh, item_type, &data);
311         } else {
312                 pam_get_data(ctx->pamh, key, &data);
313         }
314         if (data != NULL) {
315                 const char *type = (item_type != 0) ? "ITEM" : "DATA";
316                 if (is_string != 0) {
317                         _pam_log_debug(ctx, LOG_DEBUG,
318                                        "[pamh: %p] STATE: %s(%s) = \"%s\" (%p)",
319                                        ctx->pamh, type, key, (const char *)data,
320                                        data);
321                 } else {
322                         _pam_log_debug(ctx, LOG_DEBUG,
323                                        "[pamh: %p] STATE: %s(%s) = %p",
324                                        ctx->pamh, type, key, data);
325                 }
326         }
327 }
328
329 #define _PAM_LOG_STATE_DATA_POINTER(ctx, module_data_name) \
330         _pam_log_state_datum(ctx, 0, module_data_name, 0)
331
332 #define _PAM_LOG_STATE_DATA_STRING(ctx, module_data_name) \
333         _pam_log_state_datum(ctx, 0, module_data_name, 1)
334
335 #define _PAM_LOG_STATE_ITEM_POINTER(ctx, item_type) \
336         _pam_log_state_datum(ctx, item_type, #item_type, 0)
337
338 #define _PAM_LOG_STATE_ITEM_STRING(ctx, item_type) \
339         _pam_log_state_datum(ctx, item_type, #item_type, 1)
340
341 #ifdef DEBUG_PASSWORD
342 #define _LOG_PASSWORD_AS_STRING 1
343 #else
344 #define _LOG_PASSWORD_AS_STRING 0
345 #endif
346
347 #define _PAM_LOG_STATE_ITEM_PASSWORD(ctx, item_type) \
348         _pam_log_state_datum(ctx, item_type, #item_type, \
349                              _LOG_PASSWORD_AS_STRING)
350
351 static void _pam_log_state(struct pwb_context *ctx)
352 {
353         if (!_pam_log_is_debug_state_enabled(ctx->ctrl)) {
354                 return;
355         }
356
357         _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_SERVICE);
358         _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_USER);
359         _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_TTY);
360         _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_RHOST);
361         _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_RUSER);
362         _PAM_LOG_STATE_ITEM_PASSWORD(ctx, PAM_OLDAUTHTOK);
363         _PAM_LOG_STATE_ITEM_PASSWORD(ctx, PAM_AUTHTOK);
364         _PAM_LOG_STATE_ITEM_STRING(ctx, PAM_USER_PROMPT);
365         _PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_CONV);
366 #ifdef PAM_FAIL_DELAY
367         _PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_FAIL_DELAY);
368 #endif
369 #ifdef PAM_REPOSITORY
370         _PAM_LOG_STATE_ITEM_POINTER(ctx, PAM_REPOSITORY);
371 #endif
372
373         _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_HOMEDIR);
374         _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_LOGONSCRIPT);
375         _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_LOGONSERVER);
376         _PAM_LOG_STATE_DATA_STRING(ctx, PAM_WINBIND_PROFILEPATH);
377         _PAM_LOG_STATE_DATA_STRING(ctx,
378                                    PAM_WINBIND_NEW_AUTHTOK_REQD);
379                                    /* Use atoi to get PAM result code */
380         _PAM_LOG_STATE_DATA_STRING(ctx,
381                                    PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH);
382         _PAM_LOG_STATE_DATA_POINTER(ctx, PAM_WINBIND_PWD_LAST_SET);
383 }
384
385 static int _pam_parse(const pam_handle_t *pamh,
386                       int flags,
387                       int argc,
388                       const char **argv,
389                       dictionary **result_d)
390 {
391         int ctrl = 0;
392         const char *config_file = NULL;
393         int i;
394         const char **v;
395         dictionary *d = NULL;
396
397         if (flags & PAM_SILENT) {
398                 ctrl |= WINBIND_SILENT;
399         }
400
401         for (i=argc,v=argv; i-- > 0; ++v) {
402                 if (!strncasecmp(*v, "config", strlen("config"))) {
403                         ctrl |= WINBIND_CONFIG_FILE;
404                         config_file = v[i];
405                         break;
406                 }
407         }
408
409         if (config_file == NULL) {
410                 config_file = PAM_WINBIND_CONFIG_FILE;
411         }
412
413         d = iniparser_load(config_file);
414         if (d == NULL) {
415                 goto config_from_pam;
416         }
417
418         if (iniparser_getboolean(d, "global:debug", false)) {
419                 ctrl |= WINBIND_DEBUG_ARG;
420         }
421
422         if (iniparser_getboolean(d, "global:debug_state", false)) {
423                 ctrl |= WINBIND_DEBUG_STATE;
424         }
425
426         if (iniparser_getboolean(d, "global:cached_login", false)) {
427                 ctrl |= WINBIND_CACHED_LOGIN;
428         }
429
430         if (iniparser_getboolean(d, "global:krb5_auth", false)) {
431                 ctrl |= WINBIND_KRB5_AUTH;
432         }
433
434         if (iniparser_getboolean(d, "global:silent", false)) {
435                 ctrl |= WINBIND_SILENT;
436         }
437
438         if (iniparser_getstr(d, "global:krb5_ccache_type") != NULL) {
439                 ctrl |= WINBIND_KRB5_CCACHE_TYPE;
440         }
441
442         if ((iniparser_getstr(d, "global:require-membership-of") != NULL) ||
443             (iniparser_getstr(d, "global:require_membership_of") != NULL)) {
444                 ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
445         }
446
447         if (iniparser_getboolean(d, "global:try_first_pass", false)) {
448                 ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
449         }
450
451         if (iniparser_getint(d, "global:warn_pwd_expire", 0)) {
452                 ctrl |= WINBIND_WARN_PWD_EXPIRE;
453         }
454
455         if (iniparser_getboolean(d, "global:mkhomedir", false)) {
456                 ctrl |= WINBIND_MKHOMEDIR;
457         }
458
459 config_from_pam:
460         /* step through arguments */
461         for (i=argc,v=argv; i-- > 0; ++v) {
462
463                 /* generic options */
464                 if (!strcmp(*v,"debug"))
465                         ctrl |= WINBIND_DEBUG_ARG;
466                 else if (!strcasecmp(*v, "debug_state"))
467                         ctrl |= WINBIND_DEBUG_STATE;
468                 else if (!strcasecmp(*v, "silent"))
469                         ctrl |= WINBIND_SILENT;
470                 else if (!strcasecmp(*v, "use_authtok"))
471                         ctrl |= WINBIND_USE_AUTHTOK_ARG;
472                 else if (!strcasecmp(*v, "use_first_pass"))
473                         ctrl |= WINBIND_USE_FIRST_PASS_ARG;
474                 else if (!strcasecmp(*v, "try_first_pass"))
475                         ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
476                 else if (!strcasecmp(*v, "unknown_ok"))
477                         ctrl |= WINBIND_UNKNOWN_OK_ARG;
478                 else if (!strncasecmp(*v, "require_membership_of",
479                                       strlen("require_membership_of")))
480                         ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
481                 else if (!strncasecmp(*v, "require-membership-of",
482                                       strlen("require-membership-of")))
483                         ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
484                 else if (!strcasecmp(*v, "krb5_auth"))
485                         ctrl |= WINBIND_KRB5_AUTH;
486                 else if (!strncasecmp(*v, "krb5_ccache_type",
487                                       strlen("krb5_ccache_type")))
488                         ctrl |= WINBIND_KRB5_CCACHE_TYPE;
489                 else if (!strcasecmp(*v, "cached_login"))
490                         ctrl |= WINBIND_CACHED_LOGIN;
491                 else if (!strcasecmp(*v, "mkhomedir"))
492                         ctrl |= WINBIND_MKHOMEDIR;
493                 else {
494                         __pam_log(pamh, ctrl, LOG_ERR,
495                                  "pam_parse: unknown option: %s", *v);
496                         return -1;
497                 }
498
499         }
500
501         if (result_d) {
502                 *result_d = d;
503         } else {
504                 if (d) {
505                         iniparser_freedict(d);
506                 }
507         }
508
509         return ctrl;
510 };
511
512 static int _pam_winbind_free_context(struct pwb_context *ctx)
513 {
514         if (!ctx) {
515                 return 0;
516         }
517
518         if (ctx->dict) {
519                 iniparser_freedict(ctx->dict);
520         }
521
522         return 0;
523 }
524
525 static int _pam_winbind_init_context(pam_handle_t *pamh,
526                                      int flags,
527                                      int argc,
528                                      const char **argv,
529                                      struct pwb_context **ctx_p)
530 {
531         struct pwb_context *r = NULL;
532
533 #ifdef HAVE_GETTEXT
534         textdomain_init();
535 #endif
536
537         r = TALLOC_ZERO_P(NULL, struct pwb_context);
538         if (!r) {
539                 return PAM_BUF_ERR;
540         }
541
542         talloc_set_destructor(r, _pam_winbind_free_context);
543
544         r->pamh = pamh;
545         r->flags = flags;
546         r->argc = argc;
547         r->argv = argv;
548         r->ctrl = _pam_parse(pamh, flags, argc, argv, &r->dict);
549         if (r->ctrl == -1) {
550                 TALLOC_FREE(r);
551                 return PAM_SYSTEM_ERR;
552         }
553
554         *ctx_p = r;
555
556         return PAM_SUCCESS;
557 }
558
559 static void _pam_winbind_cleanup_func(pam_handle_t *pamh,
560                                       void *data,
561                                       int error_status)
562 {
563         int ctrl = _pam_parse(pamh, 0, 0, NULL, NULL);
564         if (_pam_log_is_debug_state_enabled(ctrl)) {
565                 __pam_log_debug(pamh, ctrl, LOG_DEBUG,
566                                "[pamh: %p] CLEAN: cleaning up PAM data %p "
567                                "(error_status = %d)", pamh, data,
568                                error_status);
569         }
570         TALLOC_FREE(data);
571 }
572
573
574 static const struct ntstatus_errors {
575         const char *ntstatus_string;
576         const char *error_string;
577 } ntstatus_errors[] = {
578         {"NT_STATUS_OK",
579                 N_("Success")},
580         {"NT_STATUS_BACKUP_CONTROLLER",
581                 N_("No primary Domain Controler available")},
582         {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
583                 N_("No domain controllers found")},
584         {"NT_STATUS_NO_LOGON_SERVERS",
585                 N_("No logon servers")},
586         {"NT_STATUS_PWD_TOO_SHORT",
587                 N_("Password too short")},
588         {"NT_STATUS_PWD_TOO_RECENT",
589                 N_("The password of this user is too recent to change")},
590         {"NT_STATUS_PWD_HISTORY_CONFLICT",
591                 N_("Password is already in password history")},
592         {"NT_STATUS_PASSWORD_EXPIRED",
593                 N_("Your password has expired")},
594         {"NT_STATUS_PASSWORD_MUST_CHANGE",
595                 N_("You need to change your password now")},
596         {"NT_STATUS_INVALID_WORKSTATION",
597                 N_("You are not allowed to logon from this workstation")},
598         {"NT_STATUS_INVALID_LOGON_HOURS",
599                 N_("You are not allowed to logon at this time")},
600         {"NT_STATUS_ACCOUNT_EXPIRED",
601                 N_("Your account has expired. "
602                    "Please contact your System administrator")}, /* SCNR */
603         {"NT_STATUS_ACCOUNT_DISABLED",
604                 N_("Your account is disabled. "
605                    "Please contact your System administrator")}, /* SCNR */
606         {"NT_STATUS_ACCOUNT_LOCKED_OUT",
607                 N_("Your account has been locked. "
608                    "Please contact your System administrator")}, /* SCNR */
609         {"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
610                 N_("Invalid Trust Account")},
611         {"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
612                 N_("Invalid Trust Account")},
613         {"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
614                 N_("Invalid Trust Account")},
615         {"NT_STATUS_ACCESS_DENIED",
616                 N_("Access is denied")},
617         {NULL, NULL}
618 };
619
620 static const char *_get_ntstatus_error_string(const char *nt_status_string)
621 {
622         int i;
623         for (i=0; ntstatus_errors[i].ntstatus_string != NULL; i++) {
624                 if (!strcasecmp(ntstatus_errors[i].ntstatus_string,
625                                 nt_status_string)) {
626                         return _(ntstatus_errors[i].error_string);
627                 }
628         }
629         return NULL;
630 }
631
632 /* --- authentication management functions --- */
633
634 /* Attempt a conversation */
635
636 static int converse(const pam_handle_t *pamh,
637                     int nargs,
638                     struct pam_message **message,
639                     struct pam_response **response)
640 {
641         int retval;
642         struct pam_conv *conv;
643
644         retval = _pam_get_item(pamh, PAM_CONV, &conv);
645         if (retval == PAM_SUCCESS) {
646                 retval = conv->conv(nargs,
647                                     (const struct pam_message **)message,
648                                     response, conv->appdata_ptr);
649         }
650
651         return retval; /* propagate error status */
652 }
653
654
655 static int _make_remark(struct pwb_context *ctx,
656                         int type,
657                         const char *text)
658 {
659         int retval = PAM_SUCCESS;
660
661         struct pam_message *pmsg[1], msg[1];
662         struct pam_response *resp;
663
664         if (ctx->flags & WINBIND_SILENT) {
665                 return PAM_SUCCESS;
666         }
667
668         pmsg[0] = &msg[0];
669         msg[0].msg = discard_const_p(char, text);
670         msg[0].msg_style = type;
671
672         resp = NULL;
673         retval = converse(ctx->pamh, 1, pmsg, &resp);
674
675         if (resp) {
676                 _pam_drop_reply(resp, 1);
677         }
678         return retval;
679 }
680
681 static int _make_remark_v(struct pwb_context *ctx,
682                           int type,
683                           const char *format,
684                           va_list args)
685 {
686         char *var;
687         int ret;
688
689         ret = vasprintf(&var, format, args);
690         if (ret < 0) {
691                 _pam_log(ctx, LOG_ERR, "memory allocation failure");
692                 return ret;
693         }
694
695         ret = _make_remark(ctx, type, var);
696         SAFE_FREE(var);
697         return ret;
698 }
699
700 static int _make_remark_format(struct pwb_context *ctx, int type, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
701 static int _make_remark_format(struct pwb_context *ctx, int type, const char *format, ...)
702 {
703         int ret;
704         va_list args;
705
706         va_start(args, format);
707         ret = _make_remark_v(ctx, type, format, args);
708         va_end(args);
709         return ret;
710 }
711
712 static int pam_winbind_request_log(struct pwb_context *ctx,
713                                    int retval,
714                                    const char *user,
715                                    const char *fn)
716 {
717         switch (retval) {
718         case PAM_AUTH_ERR:
719                 /* incorrect password */
720                 _pam_log(ctx, LOG_WARNING, "user '%s' denied access "
721                          "(incorrect password or invalid membership)", user);
722                 return retval;
723         case PAM_ACCT_EXPIRED:
724                 /* account expired */
725                 _pam_log(ctx, LOG_WARNING, "user '%s' account expired",
726                          user);
727                 return retval;
728         case PAM_AUTHTOK_EXPIRED:
729                 /* password expired */
730                 _pam_log(ctx, LOG_WARNING, "user '%s' password expired",
731                          user);
732                 return retval;
733         case PAM_NEW_AUTHTOK_REQD:
734                 /* new password required */
735                 _pam_log(ctx, LOG_WARNING, "user '%s' new password "
736                          "required", user);
737                 return retval;
738         case PAM_USER_UNKNOWN:
739                 /* the user does not exist */
740                 _pam_log_debug(ctx, LOG_NOTICE, "user '%s' not found",
741                                user);
742                 if (ctx->ctrl & WINBIND_UNKNOWN_OK_ARG) {
743                         return PAM_IGNORE;
744                 }
745                 return retval;
746         case PAM_SUCCESS:
747                 /* Otherwise, the authentication looked good */
748                 if (strcmp(fn, "wbcLogonUser") == 0) {
749                         _pam_log(ctx, LOG_NOTICE,
750                                  "user '%s' granted access", user);
751                 } else {
752                         _pam_log(ctx, LOG_NOTICE,
753                                  "user '%s' OK", user);
754                 }
755                 return retval;
756         default:
757                 /* we don't know anything about this return value */
758                 _pam_log(ctx, LOG_ERR,
759                          "internal module error (retval = %s(%d), user = '%s')",
760                         _pam_error_code_str(retval), retval, user);
761                 return retval;
762         }
763 }
764
765 static int wbc_auth_error_to_pam_error(struct pwb_context *ctx,
766                                        struct wbcAuthErrorInfo *e,
767                                        wbcErr status,
768                                        const char *username,
769                                        const char *fn)
770 {
771         int ret = PAM_AUTH_ERR;
772
773         if (WBC_ERROR_IS_OK(status)) {
774                 _pam_log_debug(ctx, LOG_DEBUG, "request %s succeeded",
775                         fn);
776                 ret = PAM_SUCCESS;
777                 return pam_winbind_request_log(ctx, ret, username, fn);
778         }
779
780         if (e) {
781                 if (e->pam_error != PAM_SUCCESS) {
782                         _pam_log(ctx, LOG_ERR,
783                                  "request %s failed: %s, "
784                                  "PAM error: %s (%d), NTSTATUS: %s, "
785                                  "Error message was: %s",
786                                  fn,
787                                  wbcErrorString(status),
788                                  _pam_error_code_str(e->pam_error),
789                                  e->pam_error,
790                                  e->nt_string,
791                                  e->display_string);
792                         ret = e->pam_error;
793                         return pam_winbind_request_log(ctx, ret, username, fn);
794                 }
795
796                 _pam_log(ctx, LOG_ERR, "request %s failed, but PAM error 0!", fn);
797
798                 ret = PAM_SERVICE_ERR;
799                 return pam_winbind_request_log(ctx, ret, username, fn);
800         }
801
802         ret = wbc_error_to_pam_error(status);
803         return pam_winbind_request_log(ctx, ret, username, fn);
804 }
805
806
807 /**
808  * send a password expiry message if required
809  *
810  * @param ctx PAM winbind context.
811  * @param next_change expected (calculated) next expiry date.
812  * @param already_expired pointer to a boolean to indicate if the password is
813  *        already expired.
814  *
815  * @return boolean Returns true if message has been sent, false if not.
816  */
817
818 static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
819                                               time_t next_change,
820                                               time_t now,
821                                               int warn_pwd_expire,
822                                               bool *already_expired)
823 {
824         int days = 0;
825         struct tm tm_now, tm_next_change;
826
827         if (already_expired) {
828                 *already_expired = false;
829         }
830
831         if (next_change <= now) {
832                 PAM_WB_REMARK_DIRECT(ctx, "NT_STATUS_PASSWORD_EXPIRED");
833                 if (already_expired) {
834                         *already_expired = true;
835                 }
836                 return true;
837         }
838
839         if ((next_change < 0) ||
840             (next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
841                 return false;
842         }
843
844         if ((localtime_r(&now, &tm_now) == NULL) ||
845             (localtime_r(&next_change, &tm_next_change) == NULL)) {
846                 return false;
847         }
848
849         days = (tm_next_change.tm_yday+tm_next_change.tm_year*365) -
850                (tm_now.tm_yday+tm_now.tm_year*365);
851
852         if (days == 0) {
853                 _make_remark(ctx, PAM_TEXT_INFO,
854                              _("Your password expires today"));
855                 return true;
856         }
857
858         if (days > 0 && days < warn_pwd_expire) {
859                 _make_remark_format(ctx, PAM_TEXT_INFO,
860                                     _("Your password will expire in %d %s"),
861                                     days, (days > 1) ? _("days"):_("day"));
862                 return true;
863         }
864
865         return false;
866 }
867
868 /**
869  * Send a warning if the password expires in the near future
870  *
871  * @param ctx PAM winbind context.
872  * @param response The full authentication response structure.
873  * @param already_expired boolean, is the pwd already expired?
874  *
875  * @return void.
876  */
877
878 static void _pam_warn_password_expiry(struct pwb_context *ctx,
879                                       const struct wbcAuthUserInfo *info,
880                                       const struct wbcUserPasswordPolicyInfo *policy,
881                                       int warn_pwd_expire,
882                                       bool *already_expired)
883 {
884         time_t now = time(NULL);
885         time_t next_change = 0;
886
887         if (!info || !policy) {
888                 return;
889         }
890
891         if (already_expired) {
892                 *already_expired = false;
893         }
894
895         /* accounts with WBC_ACB_PWNOEXP set never receive a warning */
896         if (info->acct_flags & WBC_ACB_PWNOEXP) {
897                 return;
898         }
899
900         /* no point in sending a warning if this is a grace logon */
901         if (PAM_WB_GRACE_LOGON(info->user_flags)) {
902                 return;
903         }
904
905         /* check if the info3 must change timestamp has been set */
906         next_change = info->pass_must_change_time;
907
908         if (_pam_send_password_expiry_message(ctx, next_change, now,
909                                               warn_pwd_expire,
910                                               already_expired)) {
911                 return;
912         }
913
914         /* now check for the global password policy */
915         /* good catch from Ralf Haferkamp: an expiry of "never" is translated
916          * to -1 */
917         if (policy->expire <= 0) {
918                 return;
919         }
920
921         next_change = info->pass_last_set_time + policy->expire;
922
923         if (_pam_send_password_expiry_message(ctx, next_change, now,
924                                               warn_pwd_expire,
925                                               already_expired)) {
926                 return;
927         }
928
929         /* no warning sent */
930 }
931
932 #define IS_SID_STRING(name) (strncmp("S-", name, 2) == 0)
933
934 /**
935  * Append a string, making sure not to overflow and to always return a
936  * NULL-terminated string.
937  *
938  * @param dest Destination string buffer (must already be NULL-terminated).
939  * @param src Source string buffer.
940  * @param dest_buffer_size Size of dest buffer in bytes.
941  *
942  * @return false if dest buffer is not big enough (no bytes copied), true on
943  * success.
944  */
945
946 static bool safe_append_string(char *dest,
947                                const char *src,
948                                int dest_buffer_size)
949 {
950         int dest_length = strlen(dest);
951         int src_length = strlen(src);
952
953         if (dest_length + src_length + 1 > dest_buffer_size) {
954                 return false;
955         }
956
957         memcpy(dest + dest_length, src, src_length + 1);
958         return true;
959 }
960
961 /**
962  * Convert a names into a SID string, appending it to a buffer.
963  *
964  * @param ctx PAM winbind context.
965  * @param user User in PAM request.
966  * @param name Name to convert.
967  * @param sid_list_buffer Where to append the string sid.
968  * @param sid_list_buffer Size of sid_list_buffer (in bytes).
969  *
970  * @return false on failure, true on success.
971  */
972 static bool winbind_name_to_sid_string(struct pwb_context *ctx,
973                                        const char *user,
974                                        const char *name,
975                                        char *sid_list_buffer,
976                                        int sid_list_buffer_size)
977 {
978         const char* sid_string;
979
980         /* lookup name? */
981         if (IS_SID_STRING(name)) {
982                 sid_string = name;
983         } else {
984                 wbcErr wbc_status;
985                 struct wbcDomainSid sid;
986                 enum wbcSidType type;
987                 char *sid_str;
988
989                 _pam_log_debug(ctx, LOG_DEBUG,
990                                "no sid given, looking up: %s\n", name);
991
992                 wbc_status = wbcLookupName("", name, &sid, &type);
993                 if (!WBC_ERROR_IS_OK(wbc_status)) {
994                         _pam_log(ctx, LOG_INFO,
995                                  "could not lookup name: %s\n", name);
996                         return false;
997                 }
998
999                 wbc_status = wbcSidToString(&sid, &sid_str);
1000                 if (!WBC_ERROR_IS_OK(wbc_status)) {
1001                         return false;
1002                 }
1003
1004                 wbcFreeMemory(sid_str);
1005                 sid_string = sid_str;
1006         }
1007
1008         if (!safe_append_string(sid_list_buffer, sid_string,
1009                                 sid_list_buffer_size)) {
1010                 return false;
1011         }
1012
1013         return true;
1014 }
1015
1016 /**
1017  * Convert a list of names into a list of sids.
1018  *
1019  * @param ctx PAM winbind context.
1020  * @param user User in PAM request.
1021  * @param name_list List of names or string sids, separated by commas.
1022  * @param sid_list_buffer Where to put the list of string sids.
1023  * @param sid_list_buffer Size of sid_list_buffer (in bytes).
1024  *
1025  * @return false on failure, true on success.
1026  */
1027 static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
1028                                                  const char *user,
1029                                                  const char *name_list,
1030                                                  char *sid_list_buffer,
1031                                                  int sid_list_buffer_size)
1032 {
1033         bool result = false;
1034         char *current_name = NULL;
1035         const char *search_location;
1036         const char *comma;
1037
1038         if (sid_list_buffer_size > 0) {
1039                 sid_list_buffer[0] = 0;
1040         }
1041
1042         search_location = name_list;
1043         while ((comma = strstr(search_location, ",")) != NULL) {
1044                 current_name = strndup(search_location,
1045                                        comma - search_location);
1046                 if (NULL == current_name) {
1047                         goto out;
1048                 }
1049
1050                 if (!winbind_name_to_sid_string(ctx, user,
1051                                                 current_name,
1052                                                 sid_list_buffer,
1053                                                 sid_list_buffer_size)) {
1054                         goto out;
1055                 }
1056
1057                 SAFE_FREE(current_name);
1058
1059                 if (!safe_append_string(sid_list_buffer, ",",
1060                                         sid_list_buffer_size)) {
1061                         goto out;
1062                 }
1063
1064                 search_location = comma + 1;
1065         }
1066
1067         if (!winbind_name_to_sid_string(ctx, user, search_location,
1068                                         sid_list_buffer,
1069                                         sid_list_buffer_size)) {
1070                 goto out;
1071         }
1072
1073         result = true;
1074
1075 out:
1076         SAFE_FREE(current_name);
1077         return result;
1078 }
1079
1080 /**
1081  * put krb5ccname variable into environment
1082  *
1083  * @param ctx PAM winbind context.
1084  * @param krb5ccname env variable retrieved from winbindd.
1085  *
1086  * @return void.
1087  */
1088
1089 static void _pam_setup_krb5_env(struct pwb_context *ctx,
1090                                 struct wbcLogonUserInfo *info)
1091 {
1092         char var[PATH_MAX];
1093         int ret;
1094         uint32_t i;
1095         const char *krb5ccname = NULL;
1096
1097         if (off(ctx->ctrl, WINBIND_KRB5_AUTH)) {
1098                 return;
1099         }
1100
1101         if (!info) {
1102                 return;
1103         }
1104
1105         for (i=0; i < info->num_blobs; i++) {
1106                 if (strcasecmp(info->blobs[i].name, "krb5ccname") == 0) {
1107                         krb5ccname = (const char *)info->blobs[i].blob.data;
1108                         break;
1109                 }
1110         }
1111
1112         if (!krb5ccname || (strlen(krb5ccname) == 0)) {
1113                 return;
1114         }
1115
1116         _pam_log_debug(ctx, LOG_DEBUG,
1117                        "request returned KRB5CCNAME: %s", krb5ccname);
1118
1119         if (snprintf(var, sizeof(var), "KRB5CCNAME=%s", krb5ccname) == -1) {
1120                 return;
1121         }
1122
1123         ret = pam_putenv(ctx->pamh, var);
1124         if (ret) {
1125                 _pam_log(ctx, LOG_ERR,
1126                          "failed to set KRB5CCNAME to %s: %s",
1127                          var, pam_strerror(ctx->pamh, ret));
1128         }
1129 }
1130
1131 /**
1132  * Copy unix username if available (further processed in PAM).
1133  *
1134  * @param ctx PAM winbind context
1135  * @param user_ret A pointer that holds a pointer to a string
1136  * @param unix_username A username
1137  *
1138  * @return void.
1139  */
1140
1141 static void _pam_setup_unix_username(struct pwb_context *ctx,
1142                                      char **user_ret,
1143                                      struct wbcLogonUserInfo *info)
1144 {
1145         const char *unix_username = NULL;
1146         uint32_t i;
1147
1148         if (!user_ret || !info) {
1149                 return;
1150         }
1151
1152         for (i=0; i < info->num_blobs; i++) {
1153                 if (strcasecmp(info->blobs[i].name, "unix_username") == 0) {
1154                         unix_username = (const char *)info->blobs[i].blob.data;
1155                         break;
1156                 }
1157         }
1158
1159         if (!unix_username || !unix_username[0]) {
1160                 return;
1161         }
1162
1163         *user_ret = strdup(unix_username);
1164 }
1165
1166 /**
1167  * Set string into the PAM stack.
1168  *
1169  * @param ctx PAM winbind context.
1170  * @param data_name Key name for pam_set_data.
1171  * @param value String value.
1172  *
1173  * @return void.
1174  */
1175
1176 static void _pam_set_data_string(struct pwb_context *ctx,
1177                                  const char *data_name,
1178                                  const char *value)
1179 {
1180         int ret;
1181
1182         if (!data_name || !value || (strlen(data_name) == 0) ||
1183              (strlen(value) == 0)) {
1184                 return;
1185         }
1186
1187         ret = pam_set_data(ctx->pamh, data_name, talloc_strdup(NULL, value),
1188                            _pam_winbind_cleanup_func);
1189         if (ret) {
1190                 _pam_log_debug(ctx, LOG_DEBUG,
1191                                "Could not set data %s: %s\n",
1192                                data_name, pam_strerror(ctx->pamh, ret));
1193         }
1194 }
1195
1196 /**
1197  * Set info3 strings into the PAM stack.
1198  *
1199  * @param ctx PAM winbind context.
1200  * @param data_name Key name for pam_set_data.
1201  * @param value String value.
1202  *
1203  * @return void.
1204  */
1205
1206 static void _pam_set_data_info3(struct pwb_context *ctx,
1207                                 const struct wbcAuthUserInfo *info)
1208 {
1209         _pam_set_data_string(ctx, PAM_WINBIND_HOMEDIR,
1210                              info->home_directory);
1211         _pam_set_data_string(ctx, PAM_WINBIND_LOGONSCRIPT,
1212                              info->logon_script);
1213         _pam_set_data_string(ctx, PAM_WINBIND_LOGONSERVER,
1214                              info->logon_server);
1215         _pam_set_data_string(ctx, PAM_WINBIND_PROFILEPATH,
1216                              info->profile_path);
1217 }
1218
1219 /**
1220  * Free info3 strings in the PAM stack.
1221  *
1222  * @param pamh PAM handle
1223  *
1224  * @return void.
1225  */
1226
1227 static void _pam_free_data_info3(pam_handle_t *pamh)
1228 {
1229         pam_set_data(pamh, PAM_WINBIND_HOMEDIR, NULL, NULL);
1230         pam_set_data(pamh, PAM_WINBIND_LOGONSCRIPT, NULL, NULL);
1231         pam_set_data(pamh, PAM_WINBIND_LOGONSERVER, NULL, NULL);
1232         pam_set_data(pamh, PAM_WINBIND_PROFILEPATH, NULL, NULL);
1233 }
1234
1235 /**
1236  * Send PAM_ERROR_MSG for cached or grace logons.
1237  *
1238  * @param ctx PAM winbind context.
1239  * @param username User in PAM request.
1240  * @param info3_user_flgs Info3 flags containing logon type bits.
1241  *
1242  * @return void.
1243  */
1244
1245 static void _pam_warn_logon_type(struct pwb_context *ctx,
1246                                  const char *username,
1247                                  uint32_t info3_user_flgs)
1248 {
1249         /* inform about logon type */
1250         if (PAM_WB_GRACE_LOGON(info3_user_flgs)) {
1251
1252                 _make_remark(ctx, PAM_ERROR_MSG,
1253                              _("Grace login. "
1254                                "Please change your password as soon you're "
1255                                "online again"));
1256                 _pam_log_debug(ctx, LOG_DEBUG,
1257                                "User %s logged on using grace logon\n",
1258                                username);
1259
1260         } else if (PAM_WB_CACHED_LOGON(info3_user_flgs)) {
1261
1262                 _make_remark(ctx, PAM_ERROR_MSG,
1263                              _("Domain Controller unreachable, "
1264                                "using cached credentials instead. "
1265                                "Network resources may be unavailable"));
1266                 _pam_log_debug(ctx, LOG_DEBUG,
1267                                "User %s logged on using cached credentials\n",
1268                                username);
1269         }
1270 }
1271
1272 /**
1273  * Send PAM_ERROR_MSG for krb5 errors.
1274  *
1275  * @param ctx PAM winbind context.
1276  * @param username User in PAM request.
1277  * @param info3_user_flgs Info3 flags containing logon type bits.
1278  *
1279  * @return void.
1280  */
1281
1282 static void _pam_warn_krb5_failure(struct pwb_context *ctx,
1283                                    const char *username,
1284                                    uint32_t info3_user_flgs)
1285 {
1286         if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
1287                 _make_remark(ctx, PAM_ERROR_MSG,
1288                              _("Failed to establish your Kerberos Ticket cache "
1289                                "due time differences\n"
1290                                "with the domain controller.  "
1291                                "Please verify the system time.\n"));
1292                 _pam_log_debug(ctx, LOG_DEBUG,
1293                                "User %s: Clock skew when getting Krb5 TGT\n",
1294                                username);
1295         }
1296 }
1297
1298 static bool _pam_check_remark_auth_err(struct pwb_context *ctx,
1299                                        const struct wbcAuthErrorInfo *e,
1300                                        const char *nt_status_string,
1301                                        int *pam_error)
1302 {
1303         const char *ntstatus = NULL;
1304         const char *error_string = NULL;
1305
1306         if (!e || !pam_error) {
1307                 return false;
1308         }
1309
1310         ntstatus = e->nt_string;
1311         if (!ntstatus) {
1312                 return false;
1313         }
1314
1315         if (strcasecmp(ntstatus, nt_status_string) == 0) {
1316
1317                 error_string = _get_ntstatus_error_string(nt_status_string);
1318                 if (error_string) {
1319                         _make_remark(ctx, PAM_ERROR_MSG, error_string);
1320                         *pam_error = e->pam_error;
1321                         return true;
1322                 }
1323
1324                 if (e->display_string) {
1325                         _make_remark(ctx, PAM_ERROR_MSG, e->display_string);
1326                         *pam_error = e->pam_error;
1327                         return true;
1328                 }
1329
1330                 _make_remark(ctx, PAM_ERROR_MSG, nt_status_string);
1331                 *pam_error = e->pam_error;
1332
1333                 return true;
1334         }
1335
1336         return false;
1337 };
1338
1339 /**
1340  * Compose Password Restriction String for a PAM_ERROR_MSG conversation.
1341  *
1342  * @param i The wbcUserPasswordPolicyInfo struct.
1343  *
1344  * @return string (caller needs to talloc_free).
1345  */
1346
1347 static char *_pam_compose_pwd_restriction_string(struct pwb_context *ctx,
1348                                                  struct wbcUserPasswordPolicyInfo *i)
1349 {
1350         char *str = NULL;
1351
1352         if (!i) {
1353                 goto failed;
1354         }
1355
1356         str = talloc_asprintf(ctx, _("Your password "));
1357         if (!str) {
1358                 goto failed;
1359         }
1360
1361         if (i->min_length_password > 0) {
1362                 str = talloc_asprintf_append(str,
1363                                _("must be at least %d characters; "),
1364                                i->min_length_password);
1365                 if (!str) {
1366                         goto failed;
1367                 }
1368         }
1369
1370         if (i->password_history > 0) {
1371                 str = talloc_asprintf_append(str,
1372                                _("cannot repeat any of your previous %d "
1373                                 "passwords; "),
1374                                i->password_history);
1375                 if (!str) {
1376                         goto failed;
1377                 }
1378         }
1379
1380         if (i->password_properties & WBC_DOMAIN_PASSWORD_COMPLEX) {
1381                 str = talloc_asprintf_append(str,
1382                                _("must contain capitals, numerals "
1383                                  "or punctuation; "
1384                                  "and cannot contain your account "
1385                                  "or full name; "));
1386                 if (!str) {
1387                         goto failed;
1388                 }
1389         }
1390
1391         str = talloc_asprintf_append(str,
1392                        _("Please type a different password. "
1393                          "Type a password which meets these requirements in "
1394                          "both text boxes."));
1395         if (!str) {
1396                 goto failed;
1397         }
1398
1399         return str;
1400
1401  failed:
1402         TALLOC_FREE(str);
1403         return NULL;
1404 }
1405
1406 static int _pam_create_homedir(struct pwb_context *ctx,
1407                                const char *dirname,
1408                                mode_t mode)
1409 {
1410         struct stat sbuf;
1411
1412         if (stat(dirname, &sbuf) == 0) {
1413                 return PAM_SUCCESS;
1414         }
1415
1416         if (mkdir(dirname, mode) != 0) {
1417
1418                 _make_remark_format(ctx, PAM_TEXT_INFO,
1419                                     _("Creating directory: %s failed: %s"),
1420                                     dirname, strerror(errno));
1421                 _pam_log(ctx, LOG_ERR, "could not create dir: %s (%s)",
1422                  dirname, strerror(errno));
1423                  return PAM_PERM_DENIED;
1424         }
1425
1426         return PAM_SUCCESS;
1427 }
1428
1429 static int _pam_chown_homedir(struct pwb_context *ctx,
1430                               const char *dirname,
1431                               uid_t uid,
1432                               gid_t gid)
1433 {
1434         if (chown(dirname, uid, gid) != 0) {
1435                 _pam_log(ctx, LOG_ERR, "failed to chown user homedir: %s (%s)",
1436                          dirname, strerror(errno));
1437                 return PAM_PERM_DENIED;
1438         }
1439
1440         return PAM_SUCCESS;
1441 }
1442
1443 static int _pam_mkhomedir(struct pwb_context *ctx)
1444 {
1445         struct passwd *pwd = NULL;
1446         char *token = NULL;
1447         char *create_dir = NULL;
1448         char *user_dir = NULL;
1449         int ret;
1450         const char *username;
1451         mode_t mode = 0700;
1452         char *safe_ptr = NULL;
1453         char *p = NULL;
1454
1455         /* Get the username */
1456         ret = pam_get_user(ctx->pamh, &username, NULL);
1457         if ((ret != PAM_SUCCESS) || (!username)) {
1458                 _pam_log_debug(ctx, LOG_DEBUG, "can not get the username");
1459                 return PAM_SERVICE_ERR;
1460         }
1461
1462         pwd = getpwnam(username);
1463         if (pwd == NULL) {
1464                 _pam_log_debug(ctx, LOG_DEBUG, "can not get the username");
1465                 return PAM_USER_UNKNOWN;
1466         }
1467         _pam_log_debug(ctx, LOG_DEBUG, "homedir is: %s", pwd->pw_dir);
1468
1469         ret = _pam_create_homedir(ctx, pwd->pw_dir, 0700);
1470         if (ret == PAM_SUCCESS) {
1471                 ret = _pam_chown_homedir(ctx, pwd->pw_dir,
1472                                          pwd->pw_uid,
1473                                          pwd->pw_gid);
1474         }
1475
1476         if (ret == PAM_SUCCESS) {
1477                 return ret;
1478         }
1479
1480         /* maybe we need to create parent dirs */
1481         create_dir = talloc_strdup(ctx, "/");
1482         if (!create_dir) {
1483                 return PAM_BUF_ERR;
1484         }
1485
1486         /* find final directory */
1487         user_dir = strrchr(pwd->pw_dir, '/');
1488         if (!user_dir) {
1489                 return PAM_BUF_ERR;
1490         }
1491         user_dir++;
1492
1493         _pam_log(ctx, LOG_DEBUG, "final directory: %s", user_dir);
1494
1495         p = pwd->pw_dir;
1496
1497         while ((token = strtok_r(p, "/", &safe_ptr)) != NULL) {
1498
1499                 mode = 0755;
1500
1501                 p = NULL;
1502
1503                 _pam_log_debug(ctx, LOG_DEBUG, "token is %s", token);
1504
1505                 create_dir = talloc_asprintf_append(create_dir, "%s/", token);
1506                 if (!create_dir) {
1507                         return PAM_BUF_ERR;
1508                 }
1509                 _pam_log_debug(ctx, LOG_DEBUG, "current_dir is %s", create_dir);
1510
1511                 if (strcmp(token, user_dir) == 0) {
1512                         _pam_log_debug(ctx, LOG_DEBUG, "assuming last directory: %s", token);
1513                         mode = 0700;
1514                 }
1515
1516                 ret = _pam_create_homedir(ctx, create_dir, mode);
1517                 if (ret) {
1518                         return ret;
1519                 }
1520         }
1521
1522         return _pam_chown_homedir(ctx, create_dir,
1523                                   pwd->pw_uid,
1524                                   pwd->pw_gid);
1525 }
1526
1527 /* talk to winbindd */
1528 static int winbind_auth_request(struct pwb_context *ctx,
1529                                 const char *user,
1530                                 const char *pass,
1531                                 const char *member,
1532                                 const char *cctype,
1533                                 const int warn_pwd_expire,
1534                                 struct wbcAuthErrorInfo **p_error,
1535                                 struct wbcLogonUserInfo **p_info,
1536                                 struct wbcUserPasswordPolicyInfo **p_policy,
1537                                 time_t *pwd_last_set,
1538                                 char **user_ret)
1539 {
1540         wbcErr wbc_status;
1541
1542         struct wbcLogonUserParams logon;
1543         char membership_of[1024];
1544         uid_t user_uid = -1;
1545         uint32_t flags = WBFLAG_PAM_INFO3_TEXT |
1546                          WBFLAG_PAM_GET_PWD_POLICY;
1547
1548         struct wbcLogonUserInfo *info = NULL;
1549         struct wbcAuthUserInfo *user_info = NULL;
1550         struct wbcAuthErrorInfo *error = NULL;
1551         struct wbcUserPasswordPolicyInfo *policy = NULL;
1552
1553         int ret = PAM_AUTH_ERR;
1554         int i;
1555         const char *codes[] = {
1556                 "NT_STATUS_PASSWORD_EXPIRED",
1557                 "NT_STATUS_PASSWORD_MUST_CHANGE",
1558                 "NT_STATUS_INVALID_WORKSTATION",
1559                 "NT_STATUS_INVALID_LOGON_HOURS",
1560                 "NT_STATUS_ACCOUNT_EXPIRED",
1561                 "NT_STATUS_ACCOUNT_DISABLED",
1562                 "NT_STATUS_ACCOUNT_LOCKED_OUT",
1563                 "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
1564                 "NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
1565                 "NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
1566                 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
1567                 "NT_STATUS_NO_LOGON_SERVERS",
1568                 "NT_STATUS_WRONG_PASSWORD",
1569                 "NT_STATUS_ACCESS_DENIED"
1570         };
1571
1572         if (pwd_last_set) {
1573                 *pwd_last_set = 0;
1574         }
1575
1576         /* Krb5 auth always has to go against the KDC of the user's realm */
1577
1578         if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1579                 flags           |= WBFLAG_PAM_CONTACT_TRUSTDOM;
1580         }
1581
1582         if (ctx->ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
1583                 struct passwd *pwd = NULL;
1584
1585                 pwd = getpwnam(user);
1586                 if (pwd == NULL) {
1587                         return PAM_USER_UNKNOWN;
1588                 }
1589                 user_uid        = pwd->pw_uid;
1590         }
1591
1592         if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1593
1594                 _pam_log_debug(ctx, LOG_DEBUG,
1595                                "enabling krb5 login flag\n");
1596
1597                 flags           |= WBFLAG_PAM_KRB5 |
1598                                    WBFLAG_PAM_FALLBACK_AFTER_KRB5;
1599         }
1600
1601         if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
1602                 _pam_log_debug(ctx, LOG_DEBUG,
1603                                "enabling cached login flag\n");
1604                 flags           |= WBFLAG_PAM_CACHED_LOGIN;
1605         }
1606
1607         if (user_ret) {
1608                 *user_ret = NULL;
1609                 flags           |= WBFLAG_PAM_UNIX_NAME;
1610         }
1611
1612         if (cctype != NULL) {
1613                 _pam_log_debug(ctx, LOG_DEBUG,
1614                                "enabling request for a %s krb5 ccache\n",
1615                                cctype);
1616         }
1617
1618         if (member != NULL) {
1619
1620                 ZERO_STRUCT(membership_of);
1621
1622                 if (!winbind_name_list_to_sid_string_list(ctx, user, member,
1623                                                           membership_of,
1624                                                           sizeof(membership_of))) {
1625                         _pam_log_debug(ctx, LOG_ERR,
1626                                        "failed to serialize membership of sid "
1627                                        "\"%s\"\n", member);
1628                         return PAM_AUTH_ERR;
1629                 }
1630         }
1631
1632         ZERO_STRUCT(logon);
1633
1634         logon.username                  = user;
1635         logon.password                  = pass;
1636
1637         if (cctype) {
1638                 wbc_status = wbcAddNamedBlob(&logon.num_blobs,
1639                                              &logon.blobs,
1640                                              "krb5_cc_type",
1641                                              0,
1642                                              (uint8_t *)cctype,
1643                                              strlen(cctype)+1);
1644                 if (!WBC_ERROR_IS_OK(wbc_status)) {
1645                         goto done;
1646                 }
1647         }
1648
1649         wbc_status = wbcAddNamedBlob(&logon.num_blobs,
1650                                      &logon.blobs,
1651                                      "flags",
1652                                      0,
1653                                      (uint8_t *)&flags,
1654                                      sizeof(flags));
1655         if (!WBC_ERROR_IS_OK(wbc_status)) {
1656                 goto done;
1657         }
1658
1659         wbc_status = wbcAddNamedBlob(&logon.num_blobs,
1660                                      &logon.blobs,
1661                                      "user_uid",
1662                                      0,
1663                                      (uint8_t *)&user_uid,
1664                                      sizeof(user_uid));
1665         if (!WBC_ERROR_IS_OK(wbc_status)) {
1666                 goto done;
1667         }
1668
1669         if (member) {
1670                 wbc_status = wbcAddNamedBlob(&logon.num_blobs,
1671                                              &logon.blobs,
1672                                              "membership_of",
1673                                              0,
1674                                              (uint8_t *)membership_of,
1675                                              sizeof(membership_of));
1676                 if (!WBC_ERROR_IS_OK(wbc_status)) {
1677                         goto done;
1678                 }
1679         }
1680
1681         wbc_status = wbcLogonUser(&logon, &info, &error, &policy);
1682         ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
1683                                           user, "wbcLogonUser");
1684         wbcFreeMemory(logon.blobs);
1685         logon.blobs = NULL;
1686
1687         if (info && info->info) {
1688                 user_info = info->info;
1689         }
1690
1691         if (pwd_last_set && user_info) {
1692                 *pwd_last_set = user_info->pass_last_set_time;
1693         }
1694
1695         if (p_info && info) {
1696                 *p_info = info;
1697         }
1698
1699         if (p_policy && policy) {
1700                 *p_policy = policy;
1701         }
1702
1703         if (p_error && error) {
1704                 /* We want to process the error in the caller. */
1705                 *p_error = error;
1706                 return ret;
1707         }
1708
1709         for (i=0; i<ARRAY_SIZE(codes); i++) {
1710                 int _ret = ret;
1711                 if (_pam_check_remark_auth_err(ctx, error, codes[i], &_ret)) {
1712                         ret = _ret;
1713                         goto done;
1714                 }
1715         }
1716
1717         if ((ret == PAM_SUCCESS) && user_info && policy && info) {
1718
1719                 bool already_expired = false;
1720
1721                 /* warn a user if the password is about to expire soon */
1722                 _pam_warn_password_expiry(ctx, user_info, policy,
1723                                           warn_pwd_expire,
1724                                           &already_expired);
1725
1726                 if (already_expired == true) {
1727
1728                         SMB_TIME_T last_set = user_info->pass_last_set_time;
1729
1730                         _pam_log_debug(ctx, LOG_DEBUG,
1731                                        "Password has expired "
1732                                        "(Password was last set: %lld, "
1733                                        "the policy says it should expire here "
1734                                        "%lld (now it's: %lu))\n",
1735                                        (long long int)last_set,
1736                                        (long long int)last_set +
1737                                        policy->expire,
1738                                        time(NULL));
1739
1740                         return PAM_AUTHTOK_EXPIRED;
1741                 }
1742
1743                 /* inform about logon type */
1744                 _pam_warn_logon_type(ctx, user, user_info->user_flags);
1745
1746                 /* inform about krb5 failures */
1747                 _pam_warn_krb5_failure(ctx, user, user_info->user_flags);
1748
1749                 /* set some info3 info for other modules in the stack */
1750                 _pam_set_data_info3(ctx, user_info);
1751
1752                 /* put krb5ccname into env */
1753                 _pam_setup_krb5_env(ctx, info);
1754
1755                 /* If winbindd returned a username, return the pointer to it
1756                  * here. */
1757                 _pam_setup_unix_username(ctx, user_ret, info);
1758         }
1759
1760  done:
1761         if (logon.blobs) {
1762                 wbcFreeMemory(logon.blobs);
1763         }
1764         if (info && info->blobs) {
1765                 wbcFreeMemory(info->blobs);
1766         }
1767         if (error && !p_error) {
1768                 wbcFreeMemory(error);
1769         }
1770         if (info && !p_info) {
1771                 wbcFreeMemory(info);
1772         }
1773         if (policy && !p_policy) {
1774                 wbcFreeMemory(policy);
1775         }
1776
1777         return ret;
1778 }
1779
1780 /* talk to winbindd */
1781 static int winbind_chauthtok_request(struct pwb_context *ctx,
1782                                      const char *user,
1783                                      const char *oldpass,
1784                                      const char *newpass,
1785                                      time_t pwd_last_set)
1786 {
1787         wbcErr wbc_status;
1788         struct wbcChangePasswordParams params;
1789         struct wbcAuthErrorInfo *error = NULL;
1790         struct wbcUserPasswordPolicyInfo *policy = NULL;
1791         enum wbcPasswordChangeRejectReason reject_reason = -1;
1792         uint32_t flags = 0;
1793
1794         int i;
1795         const char *codes[] = {
1796                 "NT_STATUS_BACKUP_CONTROLLER",
1797                 "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
1798                 "NT_STATUS_NO_LOGON_SERVERS",
1799                 "NT_STATUS_ACCESS_DENIED",
1800                 "NT_STATUS_PWD_TOO_SHORT", /* TODO: tell the min pwd length ? */
1801                 "NT_STATUS_PWD_TOO_RECENT", /* TODO: tell the minage ? */
1802                 "NT_STATUS_PWD_HISTORY_CONFLICT" /* TODO: tell the history length ? */
1803         };
1804         int ret = PAM_AUTH_ERR;
1805
1806         ZERO_STRUCT(params);
1807
1808         if (ctx->ctrl & WINBIND_KRB5_AUTH) {
1809                 flags |= WBFLAG_PAM_KRB5 |
1810                          WBFLAG_PAM_CONTACT_TRUSTDOM;
1811         }
1812
1813         if (ctx->ctrl & WINBIND_CACHED_LOGIN) {
1814                 flags |= WBFLAG_PAM_CACHED_LOGIN;
1815         }
1816
1817         params.account_name             = user;
1818         params.level                    = WBC_AUTH_USER_LEVEL_PLAIN;
1819         params.old_password.plaintext   = oldpass;
1820         params.new_password.plaintext   = newpass;
1821         params.flags                    = flags;
1822
1823         wbc_status = wbcChangeUserPasswordEx(&params, &error, &reject_reason, &policy);
1824         ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
1825                                           user, "wbcChangeUserPasswordEx");
1826
1827         if (WBC_ERROR_IS_OK(wbc_status)) {
1828                 _pam_log(ctx, LOG_NOTICE,
1829                          "user '%s' password changed", user);
1830                 return PAM_SUCCESS;
1831         }
1832
1833         if (!error) {
1834                 wbcFreeMemory(policy);
1835                 return ret;
1836         }
1837
1838         for (i=0; i<ARRAY_SIZE(codes); i++) {
1839                 int _ret = ret;
1840                 if (_pam_check_remark_auth_err(ctx, error, codes[i], &_ret)) {
1841                         ret = _ret;
1842                         goto done;
1843                 }
1844         }
1845
1846         if (!strcasecmp(error->nt_string,
1847                         "NT_STATUS_PASSWORD_RESTRICTION")) {
1848
1849                 char *pwd_restriction_string = NULL;
1850                 SMB_TIME_T min_pwd_age = 0;
1851
1852                 if (policy) {
1853                         min_pwd_age     = policy->min_passwordage;
1854                 }
1855
1856                 /* FIXME: avoid to send multiple PAM messages after another */
1857                 switch (reject_reason) {
1858                         case -1:
1859                                 break;
1860                         case WBC_PWD_CHANGE_REJECT_OTHER:
1861                                 if ((min_pwd_age > 0) &&
1862                                     (pwd_last_set + min_pwd_age > time(NULL))) {
1863                                         PAM_WB_REMARK_DIRECT(ctx,
1864                                              "NT_STATUS_PWD_TOO_RECENT");
1865                                 }
1866                                 break;
1867                         case WBC_PWD_CHANGE_REJECT_TOO_SHORT:
1868                                 PAM_WB_REMARK_DIRECT(ctx,
1869                                         "NT_STATUS_PWD_TOO_SHORT");
1870                                 break;
1871                         case WBC_PWD_CHANGE_REJECT_IN_HISTORY:
1872                                 PAM_WB_REMARK_DIRECT(ctx,
1873                                         "NT_STATUS_PWD_HISTORY_CONFLICT");
1874                                 break;
1875                         case WBC_PWD_CHANGE_REJECT_COMPLEXITY:
1876                                 _make_remark(ctx, PAM_ERROR_MSG,
1877                                              _("Password does not meet "
1878                                                "complexity requirements"));
1879                                 break;
1880                         default:
1881                                 _pam_log_debug(ctx, LOG_DEBUG,
1882                                                "unknown password change "
1883                                                "reject reason: %d",
1884                                                reject_reason);
1885                                 break;
1886                 }
1887
1888                 pwd_restriction_string =
1889                         _pam_compose_pwd_restriction_string(ctx, policy);
1890                 if (pwd_restriction_string) {
1891                         _make_remark(ctx, PAM_ERROR_MSG,
1892                                      pwd_restriction_string);
1893                         TALLOC_FREE(pwd_restriction_string);
1894                 }
1895         }
1896  done:
1897         wbcFreeMemory(error);
1898         wbcFreeMemory(policy);
1899
1900         return ret;
1901 }
1902
1903 /*
1904  * Checks if a user has an account
1905  *
1906  * return values:
1907  *       1  = User not found
1908  *       0  = OK
1909  *      -1  = System error
1910  */
1911 static int valid_user(struct pwb_context *ctx,
1912                       const char *user)
1913 {
1914         /* check not only if the user is available over NSS calls, also make
1915          * sure it's really a winbind user, this is important when stacking PAM
1916          * modules in the 'account' or 'password' facility. */
1917
1918         wbcErr wbc_status;
1919         struct passwd *pwd = NULL;
1920         struct passwd *wb_pwd = NULL;
1921
1922         pwd = getpwnam(user);
1923         if (pwd == NULL) {
1924                 return 1;
1925         }
1926
1927         wbc_status = wbcGetpwnam(user, &wb_pwd);
1928         wbcFreeMemory(wb_pwd);
1929         if (!WBC_ERROR_IS_OK(wbc_status)) {
1930                 _pam_log(ctx, LOG_DEBUG, "valid_user: wbcGetpwnam gave %s\n",
1931                         wbcErrorString(wbc_status));
1932         }
1933
1934         switch (wbc_status) {
1935                 case WBC_ERR_UNKNOWN_USER:
1936                         return 1;
1937                 case WBC_ERR_SUCCESS:
1938                         return 0;
1939                 default:
1940                         break;
1941         }
1942         return -1;
1943 }
1944
1945 static char *_pam_delete(register char *xx)
1946 {
1947         _pam_overwrite(xx);
1948         _pam_drop(xx);
1949         return NULL;
1950 }
1951
1952 /*
1953  * obtain a password from the user
1954  */
1955
1956 static int _winbind_read_password(struct pwb_context *ctx,
1957                                   unsigned int ctrl,
1958                                   const char *comment,
1959                                   const char *prompt1,
1960                                   const char *prompt2,
1961                                   const char **pass)
1962 {
1963         int authtok_flag;
1964         int retval;
1965         const char *item;
1966         char *token;
1967
1968         _pam_log(ctx, LOG_DEBUG, "getting password (0x%08x)", ctrl);
1969
1970         /*
1971          * make sure nothing inappropriate gets returned
1972          */
1973
1974         *pass = token = NULL;
1975
1976         /*
1977          * which authentication token are we getting?
1978          */
1979
1980         if (on(WINBIND__OLD_PASSWORD, ctrl)) {
1981                 authtok_flag = PAM_OLDAUTHTOK;
1982         } else {
1983                 authtok_flag = PAM_AUTHTOK;
1984         }
1985
1986         /*
1987          * should we obtain the password from a PAM item ?
1988          */
1989
1990         if (on(WINBIND_TRY_FIRST_PASS_ARG, ctrl) ||
1991             on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
1992                 retval = _pam_get_item(ctx->pamh, authtok_flag, &item);
1993                 if (retval != PAM_SUCCESS) {
1994                         /* very strange. */
1995                         _pam_log(ctx, LOG_ALERT,
1996                                  "pam_get_item returned error "
1997                                  "to unix-read-password");
1998                         return retval;
1999                 } else if (item != NULL) {      /* we have a password! */
2000                         *pass = item;
2001                         item = NULL;
2002                         _pam_log(ctx, LOG_DEBUG,
2003                                  "pam_get_item returned a password");
2004                         return PAM_SUCCESS;
2005                 } else if (on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) {
2006                         return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
2007                 } else if (on(WINBIND_USE_AUTHTOK_ARG, ctrl)
2008                            && off(WINBIND__OLD_PASSWORD, ctrl)) {
2009                         return PAM_AUTHTOK_RECOVER_ERR;
2010                 }
2011         }
2012         /*
2013          * getting here implies we will have to get the password from the
2014          * user directly.
2015          */
2016
2017         {
2018                 struct pam_message msg[3], *pmsg[3];
2019                 struct pam_response *resp;
2020                 int i, replies;
2021
2022                 /* prepare to converse */
2023
2024                 if (comment != NULL && off(ctrl, WINBIND_SILENT)) {
2025                         pmsg[0] = &msg[0];
2026                         msg[0].msg_style = PAM_TEXT_INFO;
2027                         msg[0].msg = discard_const_p(char, comment);
2028                         i = 1;
2029                 } else {
2030                         i = 0;
2031                 }
2032
2033                 pmsg[i] = &msg[i];
2034                 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
2035                 msg[i++].msg = discard_const_p(char, prompt1);
2036                 replies = 1;
2037
2038                 if (prompt2 != NULL) {
2039                         pmsg[i] = &msg[i];
2040                         msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
2041                         msg[i++].msg = discard_const_p(char, prompt2);
2042                         ++replies;
2043                 }
2044                 /* so call the conversation expecting i responses */
2045                 resp = NULL;
2046                 retval = converse(ctx->pamh, i, pmsg, &resp);
2047                 if (resp == NULL) {
2048                         if (retval == PAM_SUCCESS) {
2049                                 retval = PAM_AUTHTOK_RECOVER_ERR;
2050                         }
2051                         goto done;
2052                 }
2053                 if (retval != PAM_SUCCESS) {
2054                         _pam_drop_reply(resp, i);
2055                         goto done;
2056                 }
2057
2058                 /* interpret the response */
2059
2060                 token = x_strdup(resp[i - replies].resp);
2061                 if (!token) {
2062                         _pam_log(ctx, LOG_NOTICE,
2063                                  "could not recover "
2064                                  "authentication token");
2065                         retval = PAM_AUTHTOK_RECOVER_ERR;
2066                         goto done;
2067                 }
2068
2069                 if (replies == 2) {
2070                         /* verify that password entered correctly */
2071                         if (!resp[i - 1].resp ||
2072                             strcmp(token, resp[i - 1].resp)) {
2073                                 _pam_delete(token);     /* mistyped */
2074                                 retval = PAM_AUTHTOK_RECOVER_ERR;
2075                                 _make_remark(ctx, PAM_ERROR_MSG,
2076                                              MISTYPED_PASS);
2077                         }
2078                 }
2079
2080                 /*
2081                  * tidy up the conversation (resp_retcode) is ignored
2082                  * -- what is it for anyway? AGM
2083                  */
2084                 _pam_drop_reply(resp, i);
2085         }
2086
2087  done:
2088         if (retval != PAM_SUCCESS) {
2089                 _pam_log_debug(ctx, LOG_DEBUG,
2090                                "unable to obtain a password");
2091                 return retval;
2092         }
2093         /* 'token' is the entered password */
2094
2095         /* we store this password as an item */
2096
2097         retval = pam_set_item(ctx->pamh, authtok_flag, token);
2098         _pam_delete(token);     /* clean it up */
2099         if (retval != PAM_SUCCESS ||
2100             (retval = _pam_get_item(ctx->pamh, authtok_flag, &item)) != PAM_SUCCESS) {
2101
2102                 _pam_log(ctx, LOG_CRIT, "error manipulating password");
2103                 return retval;
2104
2105         }
2106
2107         *pass = item;
2108         item = NULL;            /* break link to password */
2109
2110         return PAM_SUCCESS;
2111 }
2112
2113 static const char *get_conf_item_string(struct pwb_context *ctx,
2114                                         const char *item,
2115                                         int config_flag)
2116 {
2117         int i = 0;
2118         const char *parm_opt = NULL;
2119
2120         if (!(ctx->ctrl & config_flag)) {
2121                 goto out;
2122         }
2123
2124         /* let the pam opt take precedence over the pam_winbind.conf option */
2125         for (i=0; i<ctx->argc; i++) {
2126
2127                 if ((strncmp(ctx->argv[i], item, strlen(item)) == 0)) {
2128                         char *p;
2129
2130                         if ((p = strchr(ctx->argv[i], '=')) == NULL) {
2131                                 _pam_log(ctx, LOG_INFO,
2132                                          "no \"=\" delimiter for \"%s\" found\n",
2133                                          item);
2134                                 goto out;
2135                         }
2136                         _pam_log_debug(ctx, LOG_INFO,
2137                                        "PAM config: %s '%s'\n", item, p+1);
2138                         return p + 1;
2139                 }
2140         }
2141
2142         if (ctx->dict) {
2143                 char *key = NULL;
2144
2145                 key = talloc_asprintf(ctx, "global:%s", item);
2146                 if (!key) {
2147                         goto out;
2148                 }
2149
2150                 parm_opt = iniparser_getstr(ctx->dict, key);
2151                 TALLOC_FREE(key);
2152
2153                 _pam_log_debug(ctx, LOG_INFO, "CONFIG file: %s '%s'\n",
2154                                item, parm_opt);
2155         }
2156 out:
2157         return parm_opt;
2158 }
2159
2160 static int get_config_item_int(struct pwb_context *ctx,
2161                                const char *item,
2162                                int config_flag)
2163 {
2164         int i, parm_opt = -1;
2165
2166         if (!(ctx->ctrl & config_flag)) {
2167                 goto out;
2168         }
2169
2170         /* let the pam opt take precedence over the pam_winbind.conf option */
2171         for (i = 0; i < ctx->argc; i++) {
2172
2173                 if ((strncmp(ctx->argv[i], item, strlen(item)) == 0)) {
2174                         char *p;
2175
2176                         if ((p = strchr(ctx->argv[i], '=')) == NULL) {
2177                                 _pam_log(ctx, LOG_INFO,
2178                                          "no \"=\" delimiter for \"%s\" found\n",
2179                                          item);
2180                                 goto out;
2181                         }
2182                         parm_opt = atoi(p + 1);
2183                         _pam_log_debug(ctx, LOG_INFO,
2184                                        "PAM config: %s '%d'\n",
2185                                        item, parm_opt);
2186                         return parm_opt;
2187                 }
2188         }
2189
2190         if (ctx->dict) {
2191                 char *key = NULL;
2192
2193                 key = talloc_asprintf(ctx, "global:%s", item);
2194                 if (!key) {
2195                         goto out;
2196                 }
2197
2198                 parm_opt = iniparser_getint(ctx->dict, key, -1);
2199                 TALLOC_FREE(key);
2200
2201                 _pam_log_debug(ctx, LOG_INFO,
2202                                "CONFIG file: %s '%d'\n",
2203                                item, parm_opt);
2204         }
2205 out:
2206         return parm_opt;
2207 }
2208
2209 static const char *get_krb5_cc_type_from_config(struct pwb_context *ctx)
2210 {
2211         return get_conf_item_string(ctx, "krb5_ccache_type",
2212                                     WINBIND_KRB5_CCACHE_TYPE);
2213 }
2214
2215 static const char *get_member_from_config(struct pwb_context *ctx)
2216 {
2217         const char *ret = NULL;
2218         ret = get_conf_item_string(ctx, "require_membership_of",
2219                                    WINBIND_REQUIRED_MEMBERSHIP);
2220         if (ret) {
2221                 return ret;
2222         }
2223         return get_conf_item_string(ctx, "require-membership-of",
2224                                     WINBIND_REQUIRED_MEMBERSHIP);
2225 }
2226
2227 static int get_warn_pwd_expire_from_config(struct pwb_context *ctx)
2228 {
2229         int ret;
2230         ret = get_config_item_int(ctx, "warn_pwd_expire",
2231                                   WINBIND_WARN_PWD_EXPIRE);
2232         /* no or broken setting */
2233         if (ret <= 0) {
2234                 return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
2235         }
2236         return ret;
2237 }
2238
2239 /**
2240  * Retrieve the winbind separator.
2241  *
2242  * @param ctx PAM winbind context.
2243  *
2244  * @return string separator character. NULL on failure.
2245  */
2246
2247 static char winbind_get_separator(struct pwb_context *ctx)
2248 {
2249         wbcErr wbc_status;
2250         static struct wbcInterfaceDetails *details = NULL;
2251
2252         wbc_status = wbcInterfaceDetails(&details);
2253         if (!WBC_ERROR_IS_OK(wbc_status)) {
2254                 _pam_log(ctx, LOG_ERR,
2255                          "Could not retrieve winbind interface details: %s",
2256                          wbcErrorString(wbc_status));
2257                 return '\0';
2258         }
2259
2260         if (!details) {
2261                 return '\0';
2262         }
2263
2264         return details->winbind_separator;
2265 }
2266
2267
2268 /**
2269  * Convert a upn to a name.
2270  *
2271  * @param ctx PAM winbind context.
2272  * @param upn  USer UPN to be trabslated.
2273  *
2274  * @return converted name. NULL pointer on failure. Caller needs to free.
2275  */
2276
2277 static char* winbind_upn_to_username(struct pwb_context *ctx,
2278                                      const char *upn)
2279 {
2280         char sep;
2281         wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
2282         struct wbcDomainSid sid;
2283         enum wbcSidType type;
2284         char *domain;
2285         char *name;
2286
2287         /* This cannot work when the winbind separator = @ */
2288
2289         sep = winbind_get_separator(ctx);
2290         if (!sep || sep == '@') {
2291                 return NULL;
2292         }
2293
2294         /* Convert the UPN to a SID */
2295
2296         wbc_status = wbcLookupName("", upn, &sid, &type);
2297         if (!WBC_ERROR_IS_OK(wbc_status)) {
2298                 return NULL;
2299         }
2300
2301         /* Convert the the SID back to the sAMAccountName */
2302
2303         wbc_status = wbcLookupSid(&sid, &domain, &name, &type);
2304         if (!WBC_ERROR_IS_OK(wbc_status)) {
2305                 return NULL;
2306         }
2307
2308         return talloc_asprintf(ctx, "%s\\%s", domain, name);
2309 }
2310
2311 static int _pam_delete_cred(pam_handle_t *pamh, int flags,
2312                          int argc, const char **argv)
2313 {
2314         int retval = PAM_SUCCESS;
2315         struct pwb_context *ctx = NULL;
2316         struct wbcLogoffUserParams logoff;
2317         struct wbcAuthErrorInfo *error = NULL;
2318         const char *user;
2319         wbcErr wbc_status = WBC_ERR_SUCCESS;
2320
2321         retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2322         if (retval) {
2323                 goto out;
2324         }
2325
2326         _PAM_LOG_FUNCTION_ENTER("_pam_delete_cred", ctx);
2327
2328         if (ctx->ctrl & WINBIND_KRB5_AUTH) {
2329
2330                 /* destroy the ccache here */
2331
2332                 uint32_t wbc_flags = 0;
2333                 const char *ccname = NULL;
2334                 struct passwd *pwd = NULL;
2335
2336                 retval = pam_get_user(pamh, &user, _("Username: "));
2337                 if (retval) {
2338                         _pam_log(ctx, LOG_ERR,
2339                                  "could not identify user");
2340                         goto out;
2341                 }
2342
2343                 if (user == NULL) {
2344                         _pam_log(ctx, LOG_ERR,
2345                                  "username was NULL!");
2346                         retval = PAM_USER_UNKNOWN;
2347                         goto out;
2348                 }
2349
2350                 _pam_log_debug(ctx, LOG_DEBUG,
2351                                "username [%s] obtained", user);
2352
2353                 ccname = pam_getenv(pamh, "KRB5CCNAME");
2354                 if (ccname == NULL) {
2355                         _pam_log_debug(ctx, LOG_DEBUG,
2356                                        "user has no KRB5CCNAME environment");
2357                 }
2358
2359                 pwd = getpwnam(user);
2360                 if (pwd == NULL) {
2361                         retval = PAM_USER_UNKNOWN;
2362                         goto out;
2363                 }
2364
2365                 wbc_flags = WBFLAG_PAM_KRB5 |
2366                         WBFLAG_PAM_CONTACT_TRUSTDOM;
2367
2368                 ZERO_STRUCT(logoff);
2369
2370                 logoff.username         = user;
2371
2372                 if (ccname) {
2373                         wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
2374                                                      &logoff.blobs,
2375                                                      "ccfilename",
2376                                                      0,
2377                                                      (uint8_t *)ccname,
2378                                                      strlen(ccname)+1);
2379                         if (!WBC_ERROR_IS_OK(wbc_status)) {
2380                                 goto out;
2381                         }
2382                 }
2383
2384                 wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
2385                                              &logoff.blobs,
2386                                              "flags",
2387                                              0,
2388                                              (uint8_t *)&wbc_flags,
2389                                              sizeof(wbc_flags));
2390                 if (!WBC_ERROR_IS_OK(wbc_status)) {
2391                         goto out;
2392                 }
2393
2394                 wbc_status = wbcAddNamedBlob(&logoff.num_blobs,
2395                                              &logoff.blobs,
2396                                              "user_uid",
2397                                              0,
2398                                              (uint8_t *)&pwd->pw_uid,
2399                                              sizeof(pwd->pw_uid));
2400                 if (!WBC_ERROR_IS_OK(wbc_status)) {
2401                         goto out;
2402                 }
2403
2404                 wbc_status = wbcLogoffUserEx(&logoff, &error);
2405                 retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
2406                                                      user, "wbcLogoffUser");
2407                 wbcFreeMemory(error);
2408                 wbcFreeMemory(logoff.blobs);
2409
2410                 if (!WBC_ERROR_IS_OK(wbc_status)) {
2411                         _pam_log(ctx, LOG_INFO,
2412                                  "failed to logoff user %s: %s\n",
2413                                          user, wbcErrorString(wbc_status));
2414                 }
2415         }
2416
2417 out:
2418         if (logoff.blobs) {
2419                 wbcFreeMemory(logoff.blobs);
2420         }
2421
2422         if (!WBC_ERROR_IS_OK(wbc_status)) {
2423                 retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
2424                      user, "wbcLogoffUser");
2425         }
2426
2427         /*
2428          * Delete the krb5 ccname variable from the PAM environment
2429          * if it was set by winbind.
2430          */
2431         if (ctx->ctrl & WINBIND_KRB5_AUTH) {
2432                 pam_putenv(pamh, "KRB5CCNAME");
2433         }
2434
2435         _PAM_LOG_FUNCTION_LEAVE("_pam_delete_cred", ctx, retval);
2436
2437         TALLOC_FREE(ctx);
2438
2439         return retval;
2440 }
2441
2442 PAM_EXTERN
2443 int pam_sm_authenticate(pam_handle_t *pamh, int flags,
2444                         int argc, const char **argv)
2445 {
2446         const char *username;
2447         const char *password;
2448         const char *member = NULL;
2449         const char *cctype = NULL;
2450         int warn_pwd_expire;
2451         int retval = PAM_AUTH_ERR;
2452         char *username_ret = NULL;
2453         char *new_authtok_required = NULL;
2454         char *real_username = NULL;
2455         struct pwb_context *ctx = NULL;
2456
2457         retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2458         if (retval) {
2459                 goto out;
2460         }
2461
2462         _PAM_LOG_FUNCTION_ENTER("pam_sm_authenticate", ctx);
2463
2464         /* Get the username */
2465         retval = pam_get_user(pamh, &username, NULL);
2466         if ((retval != PAM_SUCCESS) || (!username)) {
2467                 _pam_log_debug(ctx, LOG_DEBUG,
2468                                "can not get the username");
2469                 retval = PAM_SERVICE_ERR;
2470                 goto out;
2471         }
2472
2473
2474 #if defined(AIX)
2475         /* Decode the user name since AIX does not support logn user
2476            names by default.  The name is encoded as _#uid.  */
2477
2478         if (username[0] == '_') {
2479                 uid_t id = atoi(&username[1]);
2480                 struct passwd *pw = NULL;
2481
2482                 if ((id!=0) && ((pw = getpwuid(id)) != NULL)) {
2483                         real_username = strdup(pw->pw_name);
2484                 }
2485         }
2486 #endif
2487
2488         if (!real_username) {
2489                 /* Just making a copy of the username we got from PAM */
2490                 if ((real_username = strdup(username)) == NULL) {
2491                         _pam_log_debug(ctx, LOG_DEBUG,
2492                                        "memory allocation failure when copying "
2493                                        "username");
2494                         retval = PAM_SERVICE_ERR;
2495                         goto out;
2496                 }
2497         }
2498
2499         /* Maybe this was a UPN */
2500
2501         if (strchr(real_username, '@') != NULL) {
2502                 char *samaccountname = NULL;
2503
2504                 samaccountname = winbind_upn_to_username(ctx,
2505                                                          real_username);
2506                 if (samaccountname) {
2507                         free(real_username);
2508                         real_username = strdup(samaccountname);
2509                 }
2510         }
2511
2512         retval = _winbind_read_password(ctx, ctx->ctrl, NULL,
2513                                         _("Password: "), NULL,
2514                                         &password);
2515
2516         if (retval != PAM_SUCCESS) {
2517                 _pam_log(ctx, LOG_ERR,
2518                          "Could not retrieve user's password");
2519                 retval = PAM_AUTHTOK_ERR;
2520                 goto out;
2521         }
2522
2523         /* Let's not give too much away in the log file */
2524
2525 #ifdef DEBUG_PASSWORD
2526         _pam_log_debug(ctx, LOG_INFO,
2527                        "Verify user '%s' with password '%s'",
2528                        real_username, password);
2529 #else
2530         _pam_log_debug(ctx, LOG_INFO,
2531                        "Verify user '%s'", real_username);
2532 #endif
2533
2534         member = get_member_from_config(ctx);
2535         cctype = get_krb5_cc_type_from_config(ctx);
2536         warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
2537
2538         /* Now use the username to look up password */
2539         retval = winbind_auth_request(ctx, real_username, password,
2540                                       member, cctype, warn_pwd_expire,
2541                                       NULL, NULL, NULL,
2542                                       NULL, &username_ret);
2543
2544         if (retval == PAM_NEW_AUTHTOK_REQD ||
2545             retval == PAM_AUTHTOK_EXPIRED) {
2546
2547                 char *new_authtok_required_during_auth = NULL;
2548
2549                 new_authtok_required = talloc_asprintf(NULL, "%d", retval);
2550                 if (!new_authtok_required) {
2551                         retval = PAM_BUF_ERR;
2552                         goto out;
2553                 }
2554
2555                 pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
2556                              new_authtok_required,
2557                              _pam_winbind_cleanup_func);
2558
2559                 retval = PAM_SUCCESS;
2560
2561                 new_authtok_required_during_auth = talloc_asprintf(NULL, "%d", true);
2562                 if (!new_authtok_required_during_auth) {
2563                         retval = PAM_BUF_ERR;
2564                         goto out;
2565                 }
2566
2567                 pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2568                              new_authtok_required_during_auth,
2569                              _pam_winbind_cleanup_func);
2570
2571                 goto out;
2572         }
2573
2574 out:
2575         if (username_ret) {
2576                 pam_set_item (pamh, PAM_USER, username_ret);
2577                 _pam_log_debug(ctx, LOG_INFO,
2578                                "Returned user was '%s'", username_ret);
2579                 free(username_ret);
2580         }
2581
2582         if (real_username) {
2583                 free(real_username);
2584         }
2585
2586         if (!new_authtok_required) {
2587                 pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, NULL, NULL);
2588         }
2589
2590         if (retval != PAM_SUCCESS) {
2591                 _pam_free_data_info3(pamh);
2592         }
2593
2594         _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
2595
2596         TALLOC_FREE(ctx);
2597
2598         return retval;
2599 }
2600
2601 PAM_EXTERN
2602 int pam_sm_setcred(pam_handle_t *pamh, int flags,
2603                    int argc, const char **argv)
2604 {
2605         int ret = PAM_SYSTEM_ERR;
2606         struct pwb_context *ctx = NULL;
2607
2608         ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2609         if (ret) {
2610                 goto out;
2611         }
2612
2613         _PAM_LOG_FUNCTION_ENTER("pam_sm_setcred", ctx);
2614
2615         switch (flags & ~PAM_SILENT) {
2616
2617                 case PAM_DELETE_CRED:
2618                         ret = _pam_delete_cred(pamh, flags, argc, argv);
2619                         break;
2620                 case PAM_REFRESH_CRED:
2621                         _pam_log_debug(ctx, LOG_WARNING,
2622                                        "PAM_REFRESH_CRED not implemented");
2623                         ret = PAM_SUCCESS;
2624                         break;
2625                 case PAM_REINITIALIZE_CRED:
2626                         _pam_log_debug(ctx, LOG_WARNING,
2627                                        "PAM_REINITIALIZE_CRED not implemented");
2628                         ret = PAM_SUCCESS;
2629                         break;
2630                 case PAM_ESTABLISH_CRED:
2631                         _pam_log_debug(ctx, LOG_WARNING,
2632                                        "PAM_ESTABLISH_CRED not implemented");
2633                         ret = PAM_SUCCESS;
2634                         break;
2635                 default:
2636                         ret = PAM_SYSTEM_ERR;
2637                         break;
2638         }
2639
2640  out:
2641
2642         _PAM_LOG_FUNCTION_LEAVE("pam_sm_setcred", ctx, ret);
2643
2644         TALLOC_FREE(ctx);
2645
2646         return ret;
2647 }
2648
2649 /*
2650  * Account management. We want to verify that the account exists
2651  * before returning PAM_SUCCESS
2652  */
2653 PAM_EXTERN
2654 int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
2655                    int argc, const char **argv)
2656 {
2657         const char *username;
2658         int ret = PAM_USER_UNKNOWN;
2659         void *tmp = NULL;
2660         struct pwb_context *ctx = NULL;
2661
2662         ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2663         if (ret) {
2664                 goto out;
2665         }
2666
2667         _PAM_LOG_FUNCTION_ENTER("pam_sm_acct_mgmt", ctx);
2668
2669
2670         /* Get the username */
2671         ret = pam_get_user(pamh, &username, NULL);
2672         if ((ret != PAM_SUCCESS) || (!username)) {
2673                 _pam_log_debug(ctx, LOG_DEBUG,
2674                                "can not get the username");
2675                 ret = PAM_SERVICE_ERR;
2676                 goto out;
2677         }
2678
2679         /* Verify the username */
2680         ret = valid_user(ctx, username);
2681         switch (ret) {
2682         case -1:
2683                 /* some sort of system error. The log was already printed */
2684                 ret = PAM_SERVICE_ERR;
2685                 goto out;
2686         case 1:
2687                 /* the user does not exist */
2688                 _pam_log_debug(ctx, LOG_NOTICE, "user '%s' not found",
2689                                username);
2690                 if (ctx->ctrl & WINBIND_UNKNOWN_OK_ARG) {
2691                         ret = PAM_IGNORE;
2692                         goto out;
2693                 }
2694                 ret = PAM_USER_UNKNOWN;
2695                 goto out;
2696         case 0:
2697                 pam_get_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD,
2698                              (const void **)&tmp);
2699                 if (tmp != NULL) {
2700                         ret = atoi((const char *)tmp);
2701                         switch (ret) {
2702                         case PAM_AUTHTOK_EXPIRED:
2703                                 /* fall through, since new token is required in this case */
2704                         case PAM_NEW_AUTHTOK_REQD:
2705                                 _pam_log(ctx, LOG_WARNING,
2706                                          "pam_sm_acct_mgmt success but %s is set",
2707                                          PAM_WINBIND_NEW_AUTHTOK_REQD);
2708                                 _pam_log(ctx, LOG_NOTICE,
2709                                          "user '%s' needs new password",
2710                                          username);
2711                                 /* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
2712                                 ret = PAM_NEW_AUTHTOK_REQD;
2713                                 goto out;
2714                         default:
2715                                 _pam_log(ctx, LOG_WARNING,
2716                                          "pam_sm_acct_mgmt success");
2717                                 _pam_log(ctx, LOG_NOTICE,
2718                                          "user '%s' granted access", username);
2719                                 ret = PAM_SUCCESS;
2720                                 goto out;
2721                         }
2722                 }
2723
2724                 /* Otherwise, the authentication looked good */
2725                 _pam_log(ctx, LOG_NOTICE,
2726                          "user '%s' granted access", username);
2727                 ret = PAM_SUCCESS;
2728                 goto out;
2729         default:
2730                 /* we don't know anything about this return value */
2731                 _pam_log(ctx, LOG_ERR,
2732                          "internal module error (ret = %d, user = '%s')",
2733                          ret, username);
2734                 ret = PAM_SERVICE_ERR;
2735                 goto out;
2736         }
2737
2738         /* should not be reached */
2739         ret = PAM_IGNORE;
2740
2741  out:
2742
2743         _PAM_LOG_FUNCTION_LEAVE("pam_sm_acct_mgmt", ctx, ret);
2744
2745         TALLOC_FREE(ctx);
2746
2747         return ret;
2748 }
2749
2750 PAM_EXTERN
2751 int pam_sm_open_session(pam_handle_t *pamh, int flags,
2752                         int argc, const char **argv)
2753 {
2754         int ret = PAM_SUCCESS;
2755         struct pwb_context *ctx = NULL;
2756
2757         ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2758         if (ret) {
2759                 goto out;
2760         }
2761
2762         _PAM_LOG_FUNCTION_ENTER("pam_sm_open_session", ctx);
2763
2764         if (ctx->ctrl & WINBIND_MKHOMEDIR) {
2765                 /* check and create homedir */
2766                 ret = _pam_mkhomedir(ctx);
2767         }
2768  out:
2769         _PAM_LOG_FUNCTION_LEAVE("pam_sm_open_session", ctx, ret);
2770
2771         TALLOC_FREE(ctx);
2772
2773         return ret;
2774 }
2775
2776 PAM_EXTERN
2777 int pam_sm_close_session(pam_handle_t *pamh, int flags,
2778                          int argc, const char **argv)
2779 {
2780         int ret = PAM_SUCCESS;
2781         struct pwb_context *ctx = NULL;
2782
2783         ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2784         if (ret) {
2785                 goto out;
2786         }
2787
2788         _PAM_LOG_FUNCTION_ENTER("pam_sm_close_session", ctx);
2789
2790 out:
2791         _PAM_LOG_FUNCTION_LEAVE("pam_sm_close_session", ctx, ret);
2792
2793         TALLOC_FREE(ctx);
2794
2795         return ret;
2796 }
2797
2798 /**
2799  * evaluate whether we need to re-authenticate with kerberos after a
2800  * password change
2801  *
2802  * @param ctx PAM winbind context.
2803  * @param user The username
2804  *
2805  * @return boolean Returns true if required, false if not.
2806  */
2807
2808 static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx,
2809                                                    const char *user)
2810 {
2811
2812         /* Make sure that we only do this if a) the chauthtok got initiated
2813          * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any
2814          * later password change via the "passwd" command if done by the user
2815          * itself
2816          * NB. If we login from gdm or xdm and the password expires,
2817          * we change the password, but there is no memory cache.
2818          * Thus, even for passthrough login, we should do the
2819          * authentication again to update memory cache.
2820          * --- BoYang
2821          * */
2822
2823         char *new_authtok_reqd_during_auth = NULL;
2824         struct passwd *pwd = NULL;
2825
2826         _pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2827                       &new_authtok_reqd_during_auth);
2828         pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
2829                      NULL, NULL);
2830
2831         if (new_authtok_reqd_during_auth) {
2832                 return true;
2833         }
2834
2835         pwd = getpwnam(user);
2836         if (!pwd) {
2837                 return false;
2838         }
2839
2840         if (getuid() == pwd->pw_uid) {
2841                 return true;
2842         }
2843
2844         return false;
2845 }
2846
2847
2848 PAM_EXTERN
2849 int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
2850                      int argc, const char **argv)
2851 {
2852         unsigned int lctrl;
2853         int ret;
2854         bool cached_login = false;
2855
2856         /* <DO NOT free() THESE> */
2857         const char *user;
2858         char *pass_old, *pass_new;
2859         /* </DO NOT free() THESE> */
2860
2861         char *Announce;
2862
2863         int retry = 0;
2864         char *username_ret = NULL;
2865         struct wbcAuthErrorInfo *error = NULL;
2866         struct pwb_context *ctx = NULL;
2867
2868         ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
2869         if (ret) {
2870                 goto out;
2871         }
2872
2873         _PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", ctx);
2874
2875         cached_login = (ctx->ctrl & WINBIND_CACHED_LOGIN);
2876
2877         /* clearing offline bit for auth */
2878         ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
2879
2880         /*
2881          * First get the name of a user
2882          */
2883         ret = pam_get_user(pamh, &user, _("Username: "));
2884         if (ret) {
2885                 _pam_log(ctx, LOG_ERR,
2886                          "password - could not identify user");
2887                 goto out;
2888         }
2889
2890         if (user == NULL) {
2891                 _pam_log(ctx, LOG_ERR, "username was NULL!");
2892                 ret = PAM_USER_UNKNOWN;
2893                 goto out;
2894         }
2895
2896         _pam_log_debug(ctx, LOG_DEBUG, "username [%s] obtained", user);
2897
2898         /* check if this is really a user in winbindd, not only in NSS */
2899         ret = valid_user(ctx, user);
2900         switch (ret) {
2901                 case 1:
2902                         ret = PAM_USER_UNKNOWN;
2903                         goto out;
2904                 case -1:
2905                         ret = PAM_SYSTEM_ERR;
2906                         goto out;
2907                 default:
2908                         break;
2909         }
2910
2911         /*
2912          * obtain and verify the current password (OLDAUTHTOK) for
2913          * the user.
2914          */
2915
2916         if (flags & PAM_PRELIM_CHECK) {
2917                 time_t pwdlastset_prelim = 0;
2918
2919                 /* instruct user what is happening */
2920
2921 #define greeting _("Changing password for")
2922                 Announce = talloc_asprintf(ctx, "%s %s", greeting, user);
2923                 if (!Announce) {
2924                         _pam_log(ctx, LOG_CRIT,
2925                                  "password - out of memory");
2926                         ret = PAM_BUF_ERR;
2927                         goto out;
2928                 }
2929 #undef greeting
2930
2931                 lctrl = ctx->ctrl | WINBIND__OLD_PASSWORD;
2932                 ret = _winbind_read_password(ctx, lctrl,
2933                                                 Announce,
2934                                                 _("(current) NT password: "),
2935                                                 NULL,
2936                                                 (const char **) &pass_old);
2937                 TALLOC_FREE(Announce);
2938                 if (ret != PAM_SUCCESS) {
2939                         _pam_log(ctx, LOG_NOTICE,
2940                                  "password - (old) token not obtained");
2941                         goto out;
2942                 }
2943
2944                 /* verify that this is the password for this user */
2945
2946                 ret = winbind_auth_request(ctx, user, pass_old,
2947                                            NULL, NULL, 0,
2948                                            &error, NULL, NULL,
2949                                            &pwdlastset_prelim, NULL);
2950
2951                 if (ret != PAM_ACCT_EXPIRED &&
2952                     ret != PAM_AUTHTOK_EXPIRED &&
2953                     ret != PAM_NEW_AUTHTOK_REQD &&
2954                     ret != PAM_SUCCESS) {
2955                         pass_old = NULL;
2956                         goto out;
2957                 }
2958
2959                 pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET,
2960                              (void *)pwdlastset_prelim, NULL);
2961
2962                 ret = pam_set_item(pamh, PAM_OLDAUTHTOK,
2963                                    (const void *) pass_old);
2964                 pass_old = NULL;
2965                 if (ret != PAM_SUCCESS) {
2966                         _pam_log(ctx, LOG_CRIT,
2967                                  "failed to set PAM_OLDAUTHTOK");
2968                 }
2969         } else if (flags & PAM_UPDATE_AUTHTOK) {
2970
2971                 time_t pwdlastset_update = 0;
2972
2973                 /*
2974                  * obtain the proposed password
2975                  */
2976
2977                 /*
2978                  * get the old token back.
2979                  */
2980
2981                 ret = _pam_get_item(pamh, PAM_OLDAUTHTOK, &pass_old);
2982
2983                 if (ret != PAM_SUCCESS) {
2984                         _pam_log(ctx, LOG_NOTICE,
2985                                  "user not authenticated");
2986                         goto out;
2987                 }
2988
2989                 lctrl = ctx->ctrl & ~WINBIND_TRY_FIRST_PASS_ARG;
2990
2991                 if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
2992                         lctrl |= WINBIND_USE_FIRST_PASS_ARG;
2993                 }
2994                 retry = 0;
2995                 ret = PAM_AUTHTOK_ERR;
2996                 while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
2997                         /*
2998                          * use_authtok is to force the use of a previously entered
2999                          * password -- needed for pluggable password strength checking
3000                          */
3001
3002                         ret = _winbind_read_password(ctx, lctrl,
3003                                                      NULL,
3004                                                      _("Enter new NT password: "),
3005                                                      _("Retype new NT password: "),
3006                                                      (const char **)&pass_new);
3007
3008                         if (ret != PAM_SUCCESS) {
3009                                 _pam_log_debug(ctx, LOG_ALERT,
3010                                                "password - "
3011                                                "new password not obtained");
3012                                 pass_old = NULL;/* tidy up */
3013                                 goto out;
3014                         }
3015
3016                         /*
3017                          * At this point we know who the user is and what they
3018                          * propose as their new password. Verify that the new
3019                          * password is acceptable.
3020                          */
3021
3022                         if (pass_new[0] == '\0') {/* "\0" password = NULL */
3023                                 pass_new = NULL;
3024                         }
3025                 }
3026
3027                 /*
3028                  * By reaching here we have approved the passwords and must now
3029                  * rebuild the password database file.
3030                  */
3031                 _pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
3032                               &pwdlastset_update);
3033
3034                 /*
3035                  * if cached creds were enabled, make sure to set the
3036                  * WINBIND_CACHED_LOGIN bit here in order to have winbindd
3037                  * update the cached creds storage - gd
3038                  */
3039                 if (cached_login) {
3040                         ctx->ctrl |= WINBIND_CACHED_LOGIN;
3041                 }
3042
3043                 ret = winbind_chauthtok_request(ctx, user, pass_old,
3044                                                 pass_new, pwdlastset_update);
3045                 if (ret) {
3046                         _pam_overwrite(pass_new);
3047                         _pam_overwrite(pass_old);
3048                         pass_old = pass_new = NULL;
3049                         goto out;
3050                 }
3051
3052                 if (_pam_require_krb5_auth_after_chauthtok(ctx, user)) {
3053
3054                         const char *member = NULL;
3055                         const char *cctype = NULL;
3056                         int warn_pwd_expire;
3057                         struct wbcLogonUserInfo *info = NULL;
3058                         struct wbcUserPasswordPolicyInfo *policy = NULL;
3059
3060                         member = get_member_from_config(ctx);
3061                         cctype = get_krb5_cc_type_from_config(ctx);
3062                         warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
3063
3064                         /* Keep WINBIND_CACHED_LOGIN bit for
3065                          * authentication after changing the password.
3066                          * This will update the cached credentials in case
3067                          * that winbindd_dual_pam_chauthtok() fails
3068                          * to update them.
3069                          * --- BoYang
3070                          * */
3071
3072                         ret = winbind_auth_request(ctx, user, pass_new,
3073                                                    member, cctype, 0,
3074                                                    &error, &info, &policy,
3075                                                    NULL, &username_ret);
3076                         _pam_overwrite(pass_new);
3077                         _pam_overwrite(pass_old);
3078                         pass_old = pass_new = NULL;
3079
3080                         if (ret == PAM_SUCCESS) {
3081
3082                                 struct wbcAuthUserInfo *user_info = NULL;
3083
3084                                 if (info && info->info) {
3085                                         user_info = info->info;
3086                                 }
3087
3088                                 /* warn a user if the password is about to
3089                                  * expire soon */
3090                                 _pam_warn_password_expiry(ctx, user_info, policy,
3091                                                           warn_pwd_expire,
3092                                                           NULL);
3093
3094                                 /* set some info3 info for other modules in the
3095                                  * stack */
3096                                 _pam_set_data_info3(ctx, user_info);
3097
3098                                 /* put krb5ccname into env */
3099                                 _pam_setup_krb5_env(ctx, info);
3100
3101                                 if (username_ret) {
3102                                         pam_set_item(pamh, PAM_USER,
3103                                                      username_ret);
3104                                         _pam_log_debug(ctx, LOG_INFO,
3105                                                        "Returned user was '%s'",
3106                                                        username_ret);
3107                                         free(username_ret);
3108                                 }
3109
3110                                 wbcFreeMemory(info);
3111                                 wbcFreeMemory(policy);
3112              &nb