diff options
-rw-r--r-- | source3/Makefile.in | 3 | ||||
-rw-r--r-- | source3/auth/pampass.c | 23 | ||||
-rw-r--r-- | source3/lib/pam_errors.c | 122 | ||||
-rw-r--r-- | source3/nsswitch/pam_winbind.c | 684 | ||||
-rw-r--r-- | source3/nsswitch/pam_winbind.h | 19 | ||||
-rw-r--r-- | source3/nsswitch/wbinfo.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_nss.h | 9 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 99 |
8 files changed, 664 insertions, 301 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 7dfd960a37..a16f673cff 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -126,7 +126,8 @@ LIB_OBJ = lib/charcnv.o lib/debug.o lib/fault.o \ lib/tallocmsg.o lib/dmallocmsg.o \ lib/md5.o lib/hmacmd5.o lib/iconv.o lib/smbpasswd.o \ nsswitch/wb_client.o nsswitch/wb_common.o \ - intl/lang_tdb.o lib/account_pol.o $(TDB_OBJ) + lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \ + $(TDB_OBJ) READLINE_OBJ = lib/readline.o diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 5db844eb55..c21a5b5319 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -86,6 +86,8 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; + *nt_status = pam_to_nt_status(pam_error); + if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ @@ -507,35 +509,27 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) switch( pam_error ){ case PAM_AUTH_ERR: DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); - nt_status = NT_STATUS_WRONG_PASSWORD; break; case PAM_CRED_INSUFFICIENT: DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); - nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO; break; case PAM_AUTHINFO_UNAVAIL: DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_USER_UNKNOWN: DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user)); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_MAXTRIES: DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user)); - nt_status = NT_STATUS_REMOTE_SESSION_LIMIT; break; case PAM_ABORT: DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); - nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; } @@ -556,30 +550,23 @@ static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user)); - nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_ACCT_EXPIRED: DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user)); - nt_status = NT_STATUS_ACCOUNT_EXPIRED; break; case PAM_AUTH_ERR: DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_PERM_DENIED: DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user)); - nt_status = NT_STATUS_ACCOUNT_RESTRICTION; break; case PAM_USER_UNKNOWN: DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user)); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); - nt_status = NT_STATUS_OK; break; default: - nt_status = NT_STATUS_ACCOUNT_DISABLED; DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user)); break; } @@ -607,27 +594,21 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) switch( pam_error ) { case PAM_CRED_UNAVAIL: DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user )); - nt_status = NT_STATUS_NO_TOKEN; break; case PAM_CRED_EXPIRED: DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user )); - nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_USER_UNKNOWN: DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user )); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_CRED_ERR: DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user )); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); - nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); - nt_status = NT_STATUS_NO_TOKEN; break; } diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c new file mode 100644 index 0000000000..d7765c7c51 --- /dev/null +++ b/source3/lib/pam_errors.c @@ -0,0 +1,122 @@ +/* + * Unix SMB/CIFS implementation. + * PAM error mapping functions + * Copyright (C) Andrew Bartlett 2002 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef WITH_PAM +#include <security/pam_appl.h> + +/* PAM -> NT_STATUS map */ +static struct { + int pam_code; + NTSTATUS ntstatus; +} pam_to_nt_status_map[] = { + {PAM_OPEN_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_SYMBOL_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_SERVICE_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_SYSTEM_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_BUF_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_PERM_DENIED, NT_STATUS_ACCESS_DENIED}, + {PAM_AUTH_ERR, NT_STATUS_WRONG_PASSWORD}, + {PAM_CRED_INSUFFICIENT, NT_STATUS_INSUFFICIENT_LOGON_INFO}, /* FIXME: Is this correct? */ + {PAM_AUTHINFO_UNAVAIL, NT_STATUS_LOGON_FAILURE}, + {PAM_USER_UNKNOWN, NT_STATUS_NO_SUCH_USER}, + {PAM_MAXTRIES, NT_STATUS_REMOTE_SESSION_LIMIT}, /* FIXME: Is this correct? */ + {PAM_NEW_AUTHTOK_REQD, NT_STATUS_PASSWORD_MUST_CHANGE}, + {PAM_ACCT_EXPIRED, NT_STATUS_ACCOUNT_EXPIRED}, + {PAM_SESSION_ERR, NT_STATUS_INSUFFICIENT_RESOURCES}, + {PAM_CRED_UNAVAIL, NT_STATUS_NO_TOKEN}, /* FIXME: Is this correct? */ + {PAM_CRED_EXPIRED, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: Is this correct? */ + {PAM_CRED_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_AUTHTOK_ERR, NT_STATUS_UNSUCCESSFUL}, +#if defined(PAM_AUTHTOK_RECOVERY_ERR) && !defined(PAM_AUTHTOK_RECOVER_ERR) +#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR +#endif + {PAM_AUTHTOK_RECOVER_ERR, NT_STATUS_UNSUCCESSFUL}, + {PAM_AUTHTOK_EXPIRED, NT_STATUS_PASSWORD_EXPIRED}, + {PAM_SUCCESS, NT_STATUS_OK} +}; + +/* NT_STATUS -> PAM map */ +static struct { + NTSTATUS ntstatus; + int pam_code; +} nt_status_to_pam_map[] = { + {NT_STATUS_UNSUCCESSFUL, PAM_SYSTEM_ERR}, + {NT_STATUS_NO_SUCH_USER, PAM_USER_UNKNOWN}, + {NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR}, + {NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR}, + {NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED}, + {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD}, + {NT_STATUS_OK, PAM_SUCCESS} +}; + +/***************************************************************************** +convert a PAM error to a NT status32 code + *****************************************************************************/ +NTSTATUS pam_to_nt_status(int pam_error) +{ + int i; + if (pam_error == 0) return NT_STATUS_OK; + + for (i=0; NT_STATUS_V(pam_to_nt_status_map[i].ntstatus); i++) { + if (pam_error == pam_to_nt_status_map[i].pam_code) + return pam_to_nt_status_map[i].ntstatus; + } + return NT_STATUS_UNSUCCESSFUL; +} + +/***************************************************************************** +convert an NT status32 code to a PAM error + *****************************************************************************/ +int nt_status_to_pam(NTSTATUS nt_status) +{ + int i; + if NT_STATUS_IS_OK(nt_status) return PAM_SUCCESS; + + for (i=0; NT_STATUS_V(nt_status_to_pam_map[i].ntstatus); i++) { + if (NT_STATUS_EQUAL(nt_status,nt_status_to_pam_map[i].ntstatus)) + return nt_status_to_pam_map[i].pam_code; + } + return PAM_SYSTEM_ERR; +} + +#else + +/***************************************************************************** +convert a PAM error to a NT status32 code + *****************************************************************************/ +NTSTATUS pam_to_ntstatus(int pam_error) +{ + if (pam_errno == 0) return NT_STATUS_OK; + return NT_STATUS_UNSUCCESSFUL; +} + +/***************************************************************************** +convert an NT status32 code to a PAM error + *****************************************************************************/ +int ntstatus_to_pam(NTSTATUS nt_status) +{ + if (nt_status == NT_STATUS_OK) return 0; + return 4; /* PAM_SYSTEM_ERR */ +} + +#endif + diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index ab4cb7712b..cc259ab041 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -2,8 +2,11 @@ Copyright Andrew Tridgell <tridge@samba.org> 2000 Copyright Tim Potter <tpot@samba.org> 2000 + Copyright Andrew Bartlettt <abartlet@samba.org> 2002 largely based on pam_userdb by Christian Gafton <gafton@redhat.com> + also contains large slabs of code from pam_unix by Elliot Lee <sopwith@redhat.com> + (see copyright below for full details) */ #include "pam_winbind.h" @@ -13,6 +16,10 @@ void init_request(struct winbindd_request *req,int rq_type); int write_sock(void *buffer, int count); int read_reply(struct winbindd_response *response); +/* data tokens */ + +#define MAX_PASSWD_TRIES 3 + /* some syslogging */ static void _pam_log(int err, const char *format, ...) { @@ -25,27 +32,71 @@ static void _pam_log(int err, const char *format, ...) closelog(); } -static int ctrl = 0; - static int _pam_parse(int argc, const char **argv) { - /* step through arguments */ - for (ctrl = 0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strcasecmp(*argv, "use_authtok")) - ctrl |= PAM_USE_AUTHTOK_ARG; - else if (!strcasecmp(*argv, "unknown_ok")) - ctrl |= PAM_UNKNOWN_OK_ARG; - else { - _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv); - } - } + int ctrl; + /* step through arguments */ + for (ctrl = 0; argc-- > 0; ++argv) { + + /* generic options */ + + if (!strcmp(*argv,"debug")) + ctrl |= WINBIND_DEBUG_ARG; + else if (!strcasecmp(*argv, "use_authtok")) + ctrl |= WINBIND_USE_AUTHTOK_ARG; + else if (!strcasecmp(*argv, "use_first_pass")) + ctrl |= WINBIND_TRY_FIRST_PASS_ARG; + else if (!strcasecmp(*argv, "try_first_pass")) + ctrl |= WINBIND_USE_FIRST_PASS_ARG; + else if (!strcasecmp(*argv, "unknown_ok")) + ctrl |= WINBIND_UNKNOWN_OK_ARG; + else { + _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv); + } + } + + return ctrl; +} + +/* --- authentication management functions --- */ + +/* Attempt a conversation */ - return ctrl; +static int converse(pam_handle_t *pamh, int nargs, + struct pam_message **message, + struct pam_response **response) +{ + int retval; + struct pam_conv *conv; + + retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv ) ; + if (retval == PAM_SUCCESS) { + retval = conv->conv(nargs, (const struct pam_message **)message, + response, conv->appdata_ptr); + } + + return retval; /* propagate error status */ +} + + +int _make_remark(pam_handle_t * pamh, int type, const char *text) +{ + int retval = PAM_SUCCESS; + + struct pam_message *pmsg[1], msg[1]; + struct pam_response *resp; + + pmsg[0] = &msg[0]; + msg[0].msg = text; + msg[0].msg_style = type; + + resp = NULL; + retval = converse(pamh, 1, pmsg, &resp); + + if (resp) { + _pam_drop_reply(resp, 1); + } + return retval; } static int winbind_request(enum winbindd_cmd req_type, @@ -56,27 +107,38 @@ static int winbind_request(enum winbindd_cmd req_type, init_request(request, req_type); if (write_sock(request, sizeof(*request)) == -1) { - return -2; + _pam_log(LOG_ERR, "write to socket failed!"); + return PAM_SERVICE_ERR; } /* Wait for reply */ if (read_reply(response) == -1) { - return -2; + _pam_log(LOG_ERR, "read from socket failed!"); + return PAM_SERVICE_ERR; } /* Copy reply data from socket */ if (response->result != WINBINDD_OK) { - return 1; + if (response->data.auth.pam_error != PAM_SUCCESS) { + _pam_log(LOG_ERR, "request failed, PAM error was %d, NT error was %s", + response->data.auth.pam_error, + response->data.auth.nt_status_string); + return response->data.auth.pam_error; + } else { + _pam_log(LOG_ERR, "request failed, but PAM error 0!"); + return PAM_SERVICE_ERR; + } } - return 0; + return PAM_SUCCESS; } /* talk to winbindd */ -static int winbind_auth_request(const char *user, const char *pass) +static int winbind_auth_request(const char *user, const char *pass, int ctrl) { struct winbindd_request request; struct winbindd_response response; + int retval; ZERO_STRUCT(request); @@ -86,7 +148,33 @@ static int winbind_auth_request(const char *user, const char *pass) strncpy(request.data.auth.pass, pass, sizeof(request.data.auth.pass)-1); - return winbind_request(WINBINDD_PAM_AUTH, &request, &response); + retval = winbind_request(WINBINDD_PAM_AUTH, &request, &response); + + switch (retval) { + case PAM_AUTH_ERR: + /* incorrect password */ + _pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", user); + return retval; + case PAM_USER_UNKNOWN: + /* the user does not exist */ + if (ctrl & WINBIND_DEBUG_ARG) + _pam_log(LOG_NOTICE, "user `%s' not found", + user); + if (ctrl & WINBIND_UNKNOWN_OK_ARG) { + return PAM_IGNORE; + } + return retval; + case PAM_SUCCESS: + /* Otherwise, the authentication looked good */ + _pam_log(LOG_NOTICE, "user '%s' granted acces", user); + return retval; + default: + /* we don't know anything about this return value */ + _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'", + retval, user); + return retval; + } + /* should not be reached */ } /* talk to winbindd */ @@ -121,20 +209,6 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass, } /* - * Looks up an user name and checks the password - * - * return values: - * 1 = User not found - * 0 = OK - * -1 = Password incorrect - * -2 = System error - */ -static int user_lookup(const char *user, const char *pass) -{ - return winbind_auth_request(user, pass); -} - -/* * Checks if a user has an account * * return values: @@ -148,27 +222,6 @@ static int valid_user(const char *user) return 1; } -/* --- authentication management functions --- */ - -/* Attempt a conversation */ - -static int converse(pam_handle_t *pamh, int nargs, - struct pam_message **message, - struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv ) ; - if (retval == PAM_SUCCESS) { - retval = conv->conv(nargs, (const struct pam_message **)message, - response, conv->appdata_ptr); - } - - return retval; /* propagate error status */ -} - - static char *_pam_delete(register char *xx) { _pam_overwrite(xx); @@ -177,48 +230,157 @@ static char *_pam_delete(register char *xx) } /* - * This is a conversation function to obtain the user's password + * obtain a password from the user */ -static int auth_conversation(pam_handle_t *pamh) + +int _winbind_read_password(pam_handle_t * pamh + ,unsigned int ctrl + ,const char *comment + ,const char *prompt1 + ,const char *prompt2 + ,const char **pass) { - struct pam_message msg, *pmsg; - struct pam_response *resp; - int retval; - char * token = NULL; - - pmsg = &msg; - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = "Password: "; - - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, 1, &pmsg, &resp); - - if (resp != NULL) { - char * const item; - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token = x_strdup(resp[0].resp); - if (token == NULL) { - return PAM_AUTHTOK_RECOVER_ERR; - } + int authtok_flag; + int retval; + const char *item; + char *token; + + D(("called")); + + /* + * make sure nothing inappropriate gets returned + */ + + *pass = token = NULL; + + /* + * which authentication token are we getting? + */ + + authtok_flag = on(WINBIND__OLD_PASSWORD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK; + + /* + * should we obtain the password from a PAM item ? + */ + + if (on(WINBIND_TRY_FIRST_PASS_ARG, ctrl) || on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) { + retval = pam_get_item(pamh, authtok_flag, (const void **) &item); + if (retval != PAM_SUCCESS) { + /* very strange. */ + _pam_log(LOG_ALERT, + "pam_get_item returned error to unix-read-password" + ); + return retval; + } else if (item != NULL) { /* we have a password! */ + *pass = item; + item = NULL; + return PAM_SUCCESS; + } else if (on(WINBIND_USE_FIRST_PASS_ARG, ctrl)) { + return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ + } else if (on(WINBIND_USE_AUTHTOK_ARG, ctrl) + && off(WINBIND__OLD_PASSWORD, ctrl)) { + return PAM_AUTHTOK_RECOVER_ERR; + } + } + /* + * getting here implies we will have to get the password from the + * user directly. + */ + + { + struct pam_message msg[3], *pmsg[3]; + struct pam_response *resp; + int i, replies; + + /* prepare to converse */ + + if (comment != NULL) { + pmsg[0] = &msg[0]; + msg[0].msg_style = PAM_TEXT_INFO; + msg[0].msg = comment; + i = 1; + } else { + i = 0; + } + + pmsg[i] = &msg[i]; + msg[i].msg_style = PAM_PROMPT_ECHO_OFF; + msg[i++].msg = prompt1; + replies = 1; + + if (prompt2 != NULL) { + pmsg[i] = &msg[i]; + msg[i].msg_style = PAM_PROMPT_ECHO_OFF; + msg[i++].msg = prompt2; + ++replies; + } + /* so call the conversation expecting i responses */ + resp = NULL; + retval = converse(pamh, i, pmsg, &resp); + + if (resp != NULL) { + + /* interpret the response */ + + if (retval == PAM_SUCCESS) { /* a good conversation */ + + token = x_strdup(resp[i - replies].resp); + if (token != NULL) { + if (replies == 2) { + + /* verify that password entered correctly */ + if (!resp[i - 1].resp + || strcmp(token, resp[i - 1].resp)) { + _pam_delete(token); /* mistyped */ + retval = PAM_AUTHTOK_RECOVER_ERR; + _make_remark(pamh ,PAM_ERROR_MSG, MISTYPED_PASS); + } + } + } else { + _pam_log(LOG_NOTICE + ,"could not recover authentication token"); + } + + } + /* + * tidy up the conversation (resp_retcode) is ignored + * -- what is it for anyway? AGM + */ + + _pam_drop_reply(resp, i); + + } else { + retval = (retval == PAM_SUCCESS) + ? PAM_AUTHTOK_RECOVER_ERR : retval; + } } - /* set the auth token */ - retval = pam_set_item(pamh, PAM_AUTHTOK, token); - token = _pam_delete(token); /* clean it up */ - if ( (retval != PAM_SUCCESS) || - (retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &item)) != PAM_SUCCESS ) { - return retval; + if (retval != PAM_SUCCESS) { + if (on(WINBIND_DEBUG_ARG, ctrl)) + _pam_log(LOG_DEBUG, + "unable to obtain a password"); + return retval; } + /* 'token' is the entered password */ + + /* we store this password as an item */ - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) - ? PAM_AUTHTOK_RECOVER_ERR:retval ; - } + retval = pam_set_item(pamh, authtok_flag, token); + _pam_delete(token); /* clean it up */ + if (retval != PAM_SUCCESS + || (retval = pam_get_item(pamh, authtok_flag + ,(const void **) &item)) + != PAM_SUCCESS) { + + _pam_log(LOG_CRIT, "error manipulating password"); + return retval; + + } - return retval; + *pass = item; + item = NULL; /* break link to password */ + + return PAM_SUCCESS; } PAM_EXTERN @@ -230,34 +392,26 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int retval = PAM_AUTH_ERR; /* parse arguments */ - ctrl = _pam_parse(argc, argv); + int ctrl = _pam_parse(argc, argv); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) + if (ctrl & WINBIND_DEBUG_ARG) _pam_log(LOG_DEBUG,"can not get the username"); return PAM_SERVICE_ERR; } - if ((ctrl & PAM_USE_AUTHTOK_ARG) == 0) { - /* Converse just to be sure we have the password */ - retval = auth_conversation(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "could not obtain password for `%s'", - username); - return PAM_CONV_ERR; - } - } + retval = _winbind_read_password(pamh, ctrl, NULL, + "Password: ", NULL, + &password); - /* Get the password */ - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password); if (retval != PAM_SUCCESS) { _pam_log(LOG_ERR, "Could not retrive user's password"); return PAM_AUTHTOK_ERR; } - if (ctrl & PAM_DEBUG_ARG) { + if (ctrl & WINBIND_DEBUG_ARG) { /* Let's not give too much away in the log file */ @@ -270,36 +424,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, } /* Now use the username to look up password */ - retval = user_lookup(username, password); - switch (retval) { - case -2: - /* some sort of system error. The log was already printed */ - return PAM_SERVICE_ERR; - case -1: - /* incorrect password */ - _pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", username); - return PAM_AUTH_ERR; - case 1: - /* the user does not exist */ - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "user `%s' not found", - username); - if (ctrl & PAM_UNKNOWN_OK_ARG) { - return PAM_IGNORE; - } - return PAM_USER_UNKNOWN; - case 0: - /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' granted acces", username); - return PAM_SUCCESS; - default: - /* we don't know anything about this return value */ - _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'", - retval, username); - return PAM_SERVICE_ERR; - } - /* should not be reached */ - return PAM_IGNORE; + return winbind_auth_request(username, password, ctrl); } PAM_EXTERN @@ -321,12 +446,12 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int retval = PAM_USER_UNKNOWN; /* parse arguments */ - ctrl = _pam_parse(argc, argv); + int ctrl = _pam_parse(argc, argv); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) + if (ctrl & WINBIND_DEBUG_ARG) _pam_log(LOG_DEBUG,"can not get the username"); return PAM_SERVICE_ERR; } @@ -339,10 +464,10 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, return PAM_SERVICE_ERR; case 1: /* the user does not exist */ - if (ctrl & PAM_DEBUG_ARG) + if (ctrl & WINBIND_DEBUG_ARG) _pam_log(LOG_NOTICE, "user `%s' not found", username); - if (ctrl & PAM_UNKNOWN_OK_ARG) + if (ctrl & WINBIND_UNKNOWN_OK_ARG) return PAM_IGNORE; return PAM_USER_UNKNOWN; case 0: @@ -361,111 +486,174 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, } -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, - const char **argv) +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, + int argc, const char **argv) { - int retval; - char *newpw, *oldpw; - const char *user; - - /* Get name of a user */ - - retval = pam_get_user(pamh, &user, "Username: "); - - if (retval != PAM_SUCCESS) { - return retval; - } - - /* XXX check in domain format */ - - /* Perform preliminary check and store requested password for updating - later on */ - - if (flags & PAM_PRELIM_CHECK) { - struct pam_message msg[3], *pmsg[3]; - struct pam_response *resp; - - /* Converse to ensure we have the current password */ - - retval = auth_conversation(pamh); - - if (retval != PAM_SUCCESS) { - return retval; - } - - /* Obtain and verify current password */ - - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = "Changing password for user %s"; + unsigned int lctrl; + int retval; + unsigned int ctrl = _pam_parse(argc, argv); - pmsg[1] = &msg[1]; - msg[1].msg_style = PAM_PROMPT_ECHO_OFF; - msg[1].msg = "New NT password: "; + /* <DO NOT free() THESE> */ + const char *user; + char *pass_old, *pass_new; + /* </DO NOT free() THESE> */ - pmsg[2] = &msg[2]; - msg[2].msg_style = PAM_PROMPT_ECHO_OFF; - msg[2].msg = "Retype new NT password: "; - - resp = NULL; - - retval = converse(pamh, 3, pmsg, &resp); - - if (resp != NULL) { - - if (retval == PAM_SUCCESS) { - - /* Check password entered correctly */ - - if (strcmp(resp[1].resp, resp[2].resp) != 0) { - struct pam_response *resp2; - - msg[0].msg_style = PAM_ERROR_MSG; - msg[0].msg = "Sorry, passwords do not match"; - - converse(pamh, 1, pmsg, &resp2); - - _pam_drop_reply(resp, 3); - _pam_drop_reply(resp2, 1); - - return PAM_AUTHTOK_RECOVER_ERR; - } - - /* Store passwords */ - - retval = pam_set_item(pamh, PAM_OLDAUTHTOK, resp[1].resp); - _pam_drop_reply(resp, 3); - } - } - - /* XXX What happens if root? */ - /* XXX try first pass and use first pass args */ - - return retval; - } - - if (flags & PAM_UPDATE_AUTHTOK) { - - retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (const void **)&newpw); - if (retval != PAM_SUCCESS) { - return PAM_AUTHTOK_ERR; - } - - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&oldpw); - if (retval != PAM_SUCCESS) { - return PAM_AUTHTOK_ERR; - } - - if (retval == PAM_SUCCESS && - winbind_chauthtok_request(user, oldpw, newpw) == 0) { - return PAM_SUCCESS; - } - - return PAM_AUTHTOK_ERR; - } + char *Announce; + + int retry = 0; + + D(("called.")); + + /* + * First get the name of a user + */ + retval = pam_get_user(pamh, &user, "Username: "); + if (retval == PAM_SUCCESS) { + if (user == NULL) { + _pam_log(LOG_ERR, "username was NULL!"); + return PAM_USER_UNKNOWN; + } + if (retval == PAM_SUCCESS && on(WINBIND_DEBUG_ARG, ctrl)) + _pam_log(LOG_DEBUG, "username [%s] obtained", + user); + } else { + if (on(WINBIND_DEBUG_ARG, ctrl)) + _pam_log(LOG_DEBUG, + "password - could not identify user"); + return retval; + } - return PAM_SERVICE_ERR; + D(("Got username of %s", user)); + + /* + * obtain and verify the current password (OLDAUTHTOK) for + * the user. + */ + + if (flags & PAM_PRELIM_CHECK) { + D(("prelim check")); + + /* instruct user what is happening */ +#define greeting "Changing password for " + Announce = (char *) malloc(sizeof(greeting) + strlen(user)); + if (Announce == NULL) { + _pam_log(LOG_CRIT, + "password - out of memory"); + return PAM_BUF_ERR; + } + (void) strcpy(Announce, greeting); + (void) strcpy(Announce + sizeof(greeting) - 1, user); +#undef greeting + + lctrl = ctrl | WINBIND__OLD_PASSWORD; + retval = _winbind_read_password(pamh, lctrl + ,Announce + ,"(current) NT password: " + ,NULL + ,(const char **) &pass_old); + free(Announce); + + if (retval != PAM_SUCCESS) { + _pam_log(LOG_NOTICE + ,"password - (old) token not obtained"); + return retval; + } + /* verify that this is the password for this user */ + + retval = winbind_auth_request(user, pass_old, ctrl); + + if (retval != PAM_ACCT_EXPIRED + && retval != PAM_NEW_AUTHTOK_REQD + && retval != PAM_SUCCESS) { + D(("Authentication failed")); + pass_old = NULL; + return retval; + } + + retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); + pass_old = NULL; + if (retval != PAM_SUCCESS) { + _pam_log(LOG_CRIT, + "failed to set PAM_OLDAUTHTOK"); + } + } else if (flags & PAM_UPDATE_AUTHTOK) { + + /* + * obtain the proposed password + */ + + D(("do update")); + + /* + * get the old token back. + */ + + retval = pam_get_item(pamh, PAM_OLDAUTHTOK + ,(const void **) &pass_old); + D(("pass_old [%s]", pass_old)); + + if (retval != PAM_SUCCESS) { + _pam_log(LOG_NOTICE, "user not authenticated"); + return retval; + } + + D(("get new password now")); + + lctrl = ctrl; + + if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) { + ctrl = WINBIND_USE_FIRST_PASS_ARG | lctrl; + } + retry = 0; + retval = PAM_AUTHTOK_ERR; + while ((retval != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) { + /* + * use_authtok is to force the use of a previously entered + * password -- needed for pluggable password strength checking + */ + + retval = _winbind_read_password(pamh, lctrl + ,NULL + ,"Enter new NT password: " + ,"Retype new NT password: " + ,(const char **) &pass_new); + + if (retval != PAM_SUCCESS) { + if (on(WINBIND_DEBUG_ARG, ctrl)) { + _pam_log(LOG_ALERT + ,"password - new password not obtained"); + } + pass_old = NULL;/* tidy up */ + return retval; + } + D(("returned to main routine")); + + /* + * At this point we know who the user is and what they + * propose as their new password. Verify that the new + * password is acceptable. + */ + + if (pass_new[0] == '\0') {/* "\0" password = NULL */ + pass_new = NULL; + } + } + + /* + * By reaching here we have approved the passwords and must now + * rebuild the password database file. + */ + + retval = winbind_chauthtok_request(user, pass_old, pass_new); + _pam_overwrite(pass_new); + _pam_overwrite(pass_old); + pass_old = pass_new = NULL; + } else { + retval = PAM_SERVICE_ERR; + } + + D(("retval was %d", retval)); + return retval; } #ifdef PAM_STATIC @@ -485,8 +673,14 @@ struct pam_module _pam_winbind_modstruct = { #endif /* - * Copyright (c) Andrew Tridgell <tridge@samba.org> 2000 - * Copyright (c) Tim Potter <tpot@samba.org> 2000 + * Copyright (c) Andrew Tridgell <tridge@samba.org> 2000 + * Copyright (c) Tim Potter <tpot@samba.org> 2000 + * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002 + * Copyright (c) Jan Rêkorajski 1999. + * Copyright (c) Andrew G. Morgan 1996-8. + * Copyright (c) Alex O. Yuriev, 1996. + * Copyright (c) Cristian Gafton 1996. + * Copyright (C) Elliot Lee <sopwith@redhat.com> 1996, Red Hat Software. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 991c117656..93d9ec9e73 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -73,9 +73,22 @@ do { \ #define x_strdup(s) ( (s) ? strdup(s):NULL ) #endif -#define PAM_DEBUG_ARG (1<<0) -#define PAM_USE_AUTHTOK_ARG (1<<1) -#define PAM_UNKNOWN_OK_ARG (1<<2) +#define WINBIND_DEBUG_ARG (1<<0) +#define WINBIND_USE_AUTHTOK_ARG (1<<1) +#define WINBIND_UNKNOWN_OK_ARG (1<<2) +#define WINBIND_TRY_FIRST_PASS_ARG (1<<3) +#define WINBIND_USE_FIRST_PASS_ARG (1<<4) +#define WINBIND__OLD_PASSWORD (1<<5) + +/* + * here is the string to inform the user that the new passwords they + * typed were not the same. + */ + +#define MISTYPED_PASS "Sorry, passwords do not match" + +#define on(x, y) (x & y) +#define off(x, y) (!(x & y)) #include "winbind_nss_config.h" #include "winbindd_nss.h" diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 32a3c95113..93c73f6095 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -389,6 +389,8 @@ static BOOL wbinfo_auth(char *username) printf("plaintext password authentication %s\n", (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); + printf("error code was %s (HEX: %x)\n", response.data.auth.nt_status_string, response.data.auth.nt_status); + return result == NSS_STATUS_SUCCESS; } @@ -439,6 +441,10 @@ static BOOL wbinfo_auth_crap(char *username) printf("challenge/response password authentication %s\n", (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); + printf("error code was %s (HEX: %x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); + return result == NSS_STATUS_SUCCESS; } diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index 7a0926a035..476dc71ab2 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -36,7 +36,7 @@ /* Update this when you change the interface. */ -#define WINBIND_INTERFACE_VERSION 3 +#define WINBIND_INTERFACE_VERSION 4 /* Socket commands */ @@ -199,6 +199,13 @@ struct winbindd_response { fstring samba_version; } info; fstring domain_name; + + struct auth_reply { + uint32 nt_status; + fstring nt_status_string; + fstring error_string; + int pam_error; + } auth; } data; /* Variable length return data */ diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 0f53a3f82d..6ebf38f10a 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -5,7 +5,7 @@ Copyright (C) Andrew Tridgell 2000 Copyright (C) Tim Potter 2001 - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001-2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,7 +37,7 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) NET_USER_INFO_3 info3; struct cli_state *cli = NULL; uchar chal[8]; - TALLOC_CTX *mem_ctx; + TALLOC_CTX *mem_ctx = NULL; DATA_BLOB lm_resp; DATA_BLOB nt_resp; @@ -48,7 +48,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) { DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n")); - return WINBINDD_ERROR; + result = NT_STATUS_NO_MEMORY; + goto done; } /* Parse domain and username */ @@ -56,16 +57,13 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) if (!parse_domain_user(state->request.data.auth.user, name_domain, name_user)) { DEBUG(5,("no domain seperator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user)); - talloc_destroy(mem_ctx); - return WINBINDD_ERROR; + result = NT_STATUS_INVALID_PARAMETER; + goto done; } passlen = strlen(state->request.data.auth.pass); - if (!*state->request.data.auth.pass) { - return WINBINDD_ERROR; - talloc_destroy(mem_ctx); - } else { + { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; @@ -86,8 +84,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) lp_workgroup(), trust_passwd, &last_change_time)) { DEBUG(0, ("winbindd_pam_auth: could not fetch trust account " "password for domain %s\n", lp_workgroup())); - talloc_destroy(mem_ctx); - return WINBINDD_ERROR; + result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + goto done; } /* We really don't care what LUID we give the user. */ @@ -100,6 +98,7 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("could not open handle to NETLOGON pipe\n")); + result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; goto done; } @@ -115,8 +114,19 @@ done: if (cli) cli_shutdown(cli); - talloc_destroy(mem_ctx); + if (mem_ctx) + talloc_destroy(mem_ctx); + state->response.data.auth.nt_status = NT_STATUS_V(result); + fstrcpy(state->response.data.auth.nt_status_string, get_nt_error_msg(result)); + fstrcpy(state->response.data.auth.error_string, get_nt_error_msg(result)); + state->response.data.auth.pam_error = nt_status_to_pam(result); + + DEBUG(2, ("Plain-text authenticaion for user %s returned %s (PAM: %d)\n", + state->request.data.auth.user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } @@ -129,7 +139,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) time_t last_change_time; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; - TALLOC_CTX *mem_ctx; + TALLOC_CTX *mem_ctx = NULL; const char *domain = NULL; DATA_BLOB lm_resp, nt_resp; @@ -141,7 +151,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) if (!(mem_ctx = talloc_init_named("winbind pam auth crap for %s", state->request.data.auth.user))) { DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n")); - return WINBINDD_ERROR; + result = NT_STATUS_NO_MEMORY; + goto done; } if (*state->request.data.auth_crap.domain) { @@ -150,14 +161,14 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) domain = talloc_strdup(mem_ctx, lp_workgroup()); } else { DEBUG(5,("no domain specified with username (%s) - failing auth\n", state->request.data.auth.user)); - talloc_destroy(mem_ctx); - return WINBINDD_ERROR; + result = NT_STATUS_INVALID_PARAMETER; + goto done; } if (!domain) { DEBUG(0,("winbindd_pam_auth_crap: talloc_strdup failed!\n")); - talloc_destroy(mem_ctx); - return WINBINDD_ERROR; + result = NT_STATUS_NO_MEMORY; + goto done; } lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len); @@ -171,8 +182,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) lp_workgroup(), trust_passwd, &last_change_time)) { DEBUG(0, ("winbindd_pam_auth: could not fetch trust account " "password for domain %s\n", lp_workgroup())); - talloc_destroy(mem_ctx); - return WINBINDD_ERROR; + result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + goto done; } ZERO_STRUCT(info3); @@ -190,13 +201,27 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) lm_resp, nt_resp, &info3); - uni_group_cache_store_netlogon(mem_ctx, &info3); + if (NT_STATUS_IS_OK(result)) { + uni_group_cache_store_netlogon(mem_ctx, &info3); + } + done: - talloc_destroy(mem_ctx); + if (mem_ctx) + talloc_destroy(mem_ctx); if (cli) cli_shutdown(cli); + state->response.data.auth.nt_status = NT_STATUS_V(result); + fstrcpy(state->response.data.auth.nt_status_string, get_nt_error_msg(result)); + fstrcpy(state->response.data.auth.error_string, get_nt_error_msg(result)); + state->response.data.auth.pam_error = nt_status_to_pam(result); + + DEBUG(2, ("NTLM CRAP authenticaion for user %s returned %s (PAM: %d)\n", + state->request.data.auth.user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } @@ -204,6 +229,7 @@ done: enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state) { + NTSTATUS result; char *oldpass, *newpass; fstring domain, user; CLI_POLICY_HND *hnd; @@ -217,8 +243,10 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state) return WINBINDD_ERROR; if (!parse_domain_user(state->request.data.chauthtok.user, domain, - user)) - return WINBINDD_ERROR; + user)) { + result = NT_STATUS_INVALID_PARAMETER; + goto done; + } /* Change password */ @@ -227,14 +255,25 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state) /* Get sam handle */ - if (!(hnd = cm_get_sam_handle(domain))) - return WINBINDD_ERROR; + if (!(hnd = cm_get_sam_handle(domain))) { + DEBUG(1, ("could not get SAM handle on DC for %s\n", domain)); + result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; + goto done; + } if (!cli_oem_change_password(hnd->cli, user, newpass, oldpass)) { - DEBUG(0, ("password change failed for user %s/%s\n", domain, + DEBUG(1, ("password change failed for user %s/%s\n", domain, user)); - return WINBINDD_ERROR; + result = NT_STATUS_WRONG_PASSWORD; + } else { + result = NT_STATUS_OK; } - - return WINBINDD_OK; + +done: + state->response.data.auth.nt_status = NT_STATUS_V(result); + fstrcpy(state->response.data.auth.nt_status_string, get_nt_error_msg(result)); + fstrcpy(state->response.data.auth.error_string, get_nt_error_msg(result)); + state->response.data.auth.pam_error = nt_status_to_pam(result); + + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } |