diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/pam_smbpass/INSTALL | 64 | ||||
-rw-r--r-- | source3/pam_smbpass/general.h | 7 | ||||
-rw-r--r-- | source3/pam_smbpass/pam_smb_acct.c | 4 | ||||
-rw-r--r-- | source3/pam_smbpass/pam_smb_auth.c | 5 | ||||
-rw-r--r-- | source3/pam_smbpass/pam_smb_passwd.c | 8 | ||||
-rw-r--r-- | source3/pam_smbpass/support.c | 222 |
6 files changed, 192 insertions, 118 deletions
diff --git a/source3/pam_smbpass/INSTALL b/source3/pam_smbpass/INSTALL new file mode 100644 index 0000000000..ae2ba02bbb --- /dev/null +++ b/source3/pam_smbpass/INSTALL @@ -0,0 +1,64 @@ + +Because pam_smbpass is derived from the Samba smbpasswd utility, recent +versions of pam_smbpass require a copy of the Samba source code to be +available on the build system. Version 0.7.5 has been tested against +Samba 2.2.0-alpha3, and this is the recommended version of Samba to use +for building pam_smbpass. This only affects /building/ pam_smbpass; you +can still run any version of the Samba server that you want, although +clearly it saves some disk space to have only one copy of the source +code on your system (Samba 2.2.0-alpha3 takes roughly 32MB of disk space +to build pam_smbpass). + +Version 0.7.5 features a new build system to make it easier to build +pam_smbpass. + + +Using the new build system +========================== + +If you don't have a copy of the Samba source code on your machine, and you +don't have a preferred Samba version (or mirror site), you can build +pam_smbpass by just typing 'make'. + +If you want to use a version other than 2.2.0-alpha3, or you want to +download the source code from a faster Samba mirror (see +<http://us1.samba.org/samba/> for a list of mirror sites), please download +the source code and unpack it before running make. The build scripts will +attempt to autodetect your Samba source directory, and if it can't be +found automatically, you will be given the opportunity to specify an +alternate directory for the Samba sources. + +Feedback is welcome if you try (or succeed!) to build pam_smbpass with +other versions of Samba. + + +Options to 'make' +================= + +By default, pam_smbpass will configure the Samba build tree with the +options + + --with-fhs --with-privatedir=/etc --with-configdir=/etc + +This will configure pam_smbpass to look for the smbpasswd file as +/etc/smbpasswd (or /etc/smbpasswd.tdb), and the smb.conf file as +/etc/smb.conf. You can override these options by setting CONFIGOPTS when +calling make. E.g., if you have your smb.conf file in /usr/etc and your +smbpasswd file in /usr/etc/private, you might run + + make CONFIGOPTS="--with-privatedir=/usr/etc/private --with-configdir=/usr/etc" + +For a complete list of available configuration options, see +'./samba/configure --help' + + +Installing the module +===================== + +If all goes well in the build process, the file pam_smbpass.so will be +created in the current directory. Simply install the module into your +system's PAM module directory: + + install -m 755 -s bin/pam_smbpass.so /lib/security + +and you're all set. diff --git a/source3/pam_smbpass/general.h b/source3/pam_smbpass/general.h index 0291146cbb..4f13d60131 100644 --- a/source3/pam_smbpass/general.h +++ b/source3/pam_smbpass/general.h @@ -121,3 +121,10 @@ struct _pam_failed_auth { char *agent; /* attempt from user with name */ int count; /* number of failures so far */ }; + +/* + * General use functions go here + */ + +/* from support.c */ +int make_remark(pam_handle_t *, unsigned int, int, const char *); diff --git a/source3/pam_smbpass/pam_smb_acct.c b/source3/pam_smbpass/pam_smb_acct.c index 8d91c456bf..0803ef82a2 100644 --- a/source3/pam_smbpass/pam_smb_acct.c +++ b/source3/pam_smbpass/pam_smb_acct.c @@ -33,6 +33,7 @@ #include "support.h" + /* * pam_sm_acct_mgmt() verifies whether or not the account is disabled. * @@ -45,15 +46,12 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, int retval; const char *name; - const char *p; SAM_ACCOUNT *sampass = NULL; extern BOOL in_client; /* Samba initialization. */ setup_logging( "pam_smbpass", False ); - charset_initialise(); - codepage_initialise(lp_client_code_page()); in_client = True; ctrl = set_ctrl( flags, argc, argv ); diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 9952eb94db..e5cc12e2f6 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -47,6 +47,7 @@ do { \ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, const char *name, SAM_ACCOUNT *sampass, BOOL exist); + /* * pam_sm_authenticate() authenticates users against the samba password file. * @@ -67,13 +68,11 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, BOOL found; /* Points to memory managed by the PAM library. Do not free. */ - const char *p = NULL; + char *p = NULL; /* Samba initialization. */ setup_logging("pam_smbpass",False); - charset_initialise(); - codepage_initialise(lp_client_code_page()); in_client = True; ctrl = set_ctrl(flags, argc, argv); diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c index 338d873d25..0f52755252 100644 --- a/source3/pam_smbpass/pam_smb_passwd.c +++ b/source3/pam_smbpass/pam_smb_passwd.c @@ -35,8 +35,7 @@ int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new ) { - char c; - int retval, i; + int retval; pstring err_str; pstring msg_str; @@ -94,12 +93,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, SAM_ACCOUNT *sampass = NULL; const char *user; - const char *pass_old, *pass_new; + char *pass_old; + char *pass_new; /* Samba initialization. */ setup_logging( "pam_smbpass", False ); - charset_initialise(); - codepage_initialise(lp_client_code_page()); in_client = True; ctrl = set_ctrl(flags, argc, argv); diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 86349f8c16..a55dcb0272 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -1,132 +1,135 @@ -/* Unix NT password database implementation, version 0.6. - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" -#include "general.h" + /* Unix NT password database implementation, version 0.6. + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ -#include "support.h" + #include "includes.h" + #include "general.h" + #include "support.h" -#define _pam_overwrite(x) \ -do { \ - register char *__xx__; \ - if ((__xx__=(x))) \ - while (*__xx__) \ - *__xx__++ = '\0'; \ -} while (0) -/* - * Don't just free it, forget it too. - */ + #define _pam_overwrite(x) \ + do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ + } while (0) -#define _pam_drop(X) \ -do { \ - if (X) { \ - free(X); \ - X=NULL; \ - } \ -} while (0) - -#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ -do { \ - int reply_i; \ - \ - for (reply_i=0; reply_i<replies; ++reply_i) { \ - if (reply[reply_i].resp) { \ - _pam_overwrite(reply[reply_i].resp); \ - free(reply[reply_i].resp); \ - } \ - } \ - if (reply) \ - free(reply); \ -} while (0) - - -int converse(pam_handle_t *, int, int, struct pam_message **, - struct pam_response **); -int make_remark(pam_handle_t *, unsigned int, int, const char *); -void _cleanup(pam_handle_t *, void *, int); -char *_pam_delete(register char *); - -/* syslogging function for errors and other information */ - -void _log_err( int err, const char *format, ... ) -{ - va_list args; + /* + * Don't just free it, forget it too. + */ - va_start( args, format ); - openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH ); - vsyslog( err, format, args ); - va_end( args ); - closelog(); -} + #define _pam_drop(X) \ + do { \ + if (X) { \ + free(X); \ + X=NULL; \ + } \ + } while (0) + + #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ + do { \ + int reply_i; \ + \ + for (reply_i=0; reply_i<replies; ++reply_i) { \ + if (reply[reply_i].resp) { \ + _pam_overwrite(reply[reply_i].resp); \ + free(reply[reply_i].resp); \ + } \ + } \ + if (reply) \ + free(reply); \ + } while (0) + + + int converse(pam_handle_t *, int, int, struct pam_message **, + struct pam_response **); + int make_remark(pam_handle_t *, unsigned int, int, const char *); + void _cleanup(pam_handle_t *, void *, int); + char *_pam_delete(register char *); + + /* default configuration file location */ + + char *servicesf = dyn_CONFIGFILE; + + /* syslogging function for errors and other information */ + + void _log_err( int err, const char *format, ... ) + { + va_list args; + + va_start( args, format ); + openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH ); + vsyslog( err, format, args ); + va_end( args ); + closelog(); + } -/* this is a front-end for module-application conversations */ + /* this is a front-end for module-application conversations */ -int converse( pam_handle_t * pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response ) -{ - int retval; - struct pam_conv *conv; + int converse( pam_handle_t * pamh, int ctrl, int nargs + , struct pam_message **message + , struct pam_response **response ) + { + int retval; + struct pam_conv *conv; - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); - if (retval == PAM_SUCCESS) { + retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); + if (retval == PAM_SUCCESS) { - retval = conv->conv(nargs, (const struct pam_message **) message - ,response, conv->appdata_ptr); + retval = conv->conv(nargs, (const struct pam_message **) message + ,response, conv->appdata_ptr); - if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, "conversation failure [%s]" + if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { + _log_err(LOG_DEBUG, "conversation failure [%s]" + ,pam_strerror(pamh, retval)); + } + } else { + _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" ,pam_strerror(pamh, retval)); } - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - ,pam_strerror(pamh, retval)); - } - return retval; /* propagate error status */ -} + return retval; /* propagate error status */ + } -int make_remark( pam_handle_t * pamh, unsigned int ctrl - , int type, const char *text ) -{ - if (off(SMB__QUIET, ctrl)) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; + int make_remark( pam_handle_t * pamh, unsigned int ctrl + , int type, const char *text ) + { + if (off(SMB__QUIET, ctrl)) { + struct pam_message *pmsg[1], msg[1]; + struct pam_response *resp; - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - resp = NULL; + pmsg[0] = &msg[0]; + msg[0].msg = text; + msg[0].msg_style = type; + resp = NULL; - return converse(pamh, ctrl, 1, pmsg, &resp); + return converse(pamh, ctrl, 1, pmsg, &resp); + } + return PAM_SUCCESS; } - return PAM_SUCCESS; -} -/* set the control flags for the SMB module. */ + /* set the control flags for the SMB module. */ int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - static pstring servicesf = CONFIGFILE; - const char *service_file = servicesf; + const char *service_file = dyn_CONFIGFILE; unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ @@ -136,6 +139,9 @@ int set_ctrl( int flags, int argc, const char **argv ) /* A good, sane default (matches Samba's behavior). */ set( SMB__NONULL, ctrl ); + /* initialize service file location */ + service_file=servicesf; + if (flags & PAM_SILENT) { set( SMB__QUIET, ctrl ); } @@ -165,6 +171,8 @@ int set_ctrl( int flags, int argc, const char **argv ) _log_err( LOG_ERR, "Error loading service file %s", service_file ); } + secrets_init(); + if (lp_null_passwords()) { set( SMB__NULLOK, ctrl ); } @@ -303,7 +311,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, uchar hash_pass[16]; uchar lm_pw[16]; uchar nt_pw[16]; - int retval; + int retval = PAM_AUTH_ERR; char *data_name; const char *name; @@ -482,7 +490,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl, { int authtok_flag; int retval; - const char *item = NULL; + char *item = NULL; char *token; struct pam_message msg[3], *pmsg[3]; |