*/
#include "includes.h"
+#include "auth.h"
+#include "../libcli/auth/pam_errors.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
-/*
- * Macros to help make life easy
- */
-
static char *smb_pam_copy_string(const char *s)
{
if (s == NULL) {
ZERO_STRUCTP(t);
- DLIST_ADD_END(list, t, struct chat_struct*);
+ DLIST_ADD_END(list, t);
if (!next_token_talloc(frame, &p, &prompt, NULL)) {
break;
special_char_sub(prompt);
fstrcpy(t->prompt, prompt);
- strlower_m(t->prompt);
+ (void)strlower_m(t->prompt);
trim_char(t->prompt, ' ', ' ');
if (!next_token_talloc(frame, &p, &reply, NULL)) {
special_char_sub(reply);
fstrcpy(t->reply, reply);
- strlower_m(t->reply);
+ (void)strlower_m(t->reply);
trim_char(t->reply, ' ', ' ');
}
if (num_msg <= 0)
return PAM_CONV_ERR;
- if ((pw_chat = make_pw_chat(lp_passwd_chat())) == NULL)
+ if ((pw_chat = make_pw_chat(lp_passwd_chat(talloc_tos()))) == NULL)
return PAM_CONV_ERR;
/*
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
#ifdef DEBUG_PASSWORD
- DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
+ DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actually sent: %s\n", current_reply));
#endif
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = smb_pam_copy_fstring(
reply[replies].resp = smb_pam_copy_fstring(
current_reply);
#ifdef DEBUG_PASSWORD
- DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
+ DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actually sent: %s\n", current_reply));
#endif
found = True;
break;
static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
{
int pam_error;
-#if HAVE_PAM_RHOST
- const char *our_rhost;
- char addr[INET6_ADDRSTRLEN];
-#endif
*pamh = (pam_handle_t *)NULL;
}
#if HAVE_PAM_RHOST
- if (rhost == NULL) {
- our_rhost = client_name(smbd_server_fd());
- if (strequal(our_rhost,"UNKNOWN"))
- our_rhost = client_addr(smbd_server_fd(), addr,
- sizeof(addr));
- } else {
- our_rhost = rhost;
- }
-
- DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
- pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
+ DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
+ pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
smb_pam_end(*pamh, pconv);
*pamh = (pam_handle_t *)NULL;
*/
DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
- pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
+ pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK));
switch( pam_error ){
case PAM_AUTH_ERR:
DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
* PAM Externally accessible Session handler
*/
-bool smb_pam_claim_session(char *user, char *tty, char *rhost)
+bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost)
{
pam_handle_t *pamh = NULL;
struct pam_conv *pconv = NULL;
* PAM Externally accessible Session handler
*/
-bool smb_pam_close_session(char *user, char *tty, char *rhost)
+bool smb_pam_close_session(const char *user, const char *tty, const char *rhost)
{
pam_handle_t *pamh = NULL;
struct pam_conv *pconv = NULL;
* PAM Password Validation Suite
*/
-NTSTATUS smb_pam_passcheck(const char * user, const char * password)
+NTSTATUS smb_pam_passcheck(const char * user, const char * rhost,
+ const char * password)
{
pam_handle_t *pamh = NULL;
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
return NT_STATUS_LOGON_FAILURE;
- if (!smb_pam_start(&pamh, user, NULL, pconv))
+ if (!smb_pam_start(&pamh, user, rhost, pconv))
return NT_STATUS_LOGON_FAILURE;
if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
* PAM Password Change Suite
*/
-bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword)
+bool smb_pam_passchange(const char *user, const char *rhost,
+ const char *oldpassword, const char *newpassword)
{
/* Appropriate quantities of root should be obtained BEFORE calling this function */
struct pam_conv *pconv = NULL;
if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
return False;
- if(!smb_pam_start(&pamh, user, NULL, pconv))
+ if(!smb_pam_start(&pamh, user, rhost, pconv))
return False;
if (!smb_pam_chauthtok(pamh, user)) {
}
/* If PAM not used, also no PAM restrictions on sessions. */
-bool smb_pam_claim_session(char *user, char *tty, char *rhost)
+bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost)
{
return True;
}
/* If PAM not used, also no PAM restrictions on sessions. */
-bool smb_pam_close_session(char *in_user, char *tty, char *rhost)
+bool smb_pam_close_session(const char *in_user, const char *tty, const char *rhost)
{
return True;
}