From ef1a7311cec15f4444c80b92301de0dec92df288 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 10 Apr 2001 18:10:38 +0000 Subject: Added JohnT and Andrew Bartlett's PAM changes. Jeremy. (This used to be commit ecd00e258c6fe4e8d90f48da74874e090dce4a40) --- source3/auth/pampass.c | 440 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 440 insertions(+) create mode 100644 source3/auth/pampass.c (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c new file mode 100644 index 0000000000..a23727b689 --- /dev/null +++ b/source3/auth/pampass.c 
@@ -0,0 +1,440 @@ +/* + Unix SMB/Netbios implementation. + Version 2.2. + PAM Password checking + Copyright (C) Andrew Tridgell 1992-2001 + Copyright (C) John H Terpsta 1999-2001 + Copyright (C) Andrew Barton 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* + * This module provides PAM based functions for validation of + * username/password pairs, account managment, session and access control. + * Note: SMB password checking is done in smbpass.c + */ + +#include "includes.h" + +extern int DEBUGLEVEL; + +#ifdef WITH_PAM + +/******************************************************************* + * Handle PAM authentication + * - Access, Authentication, Session, Password + * Note: See PAM Documentation and refer to local system PAM implementation + * which determines what actions/limitations/allowances become affected. + *********************************************************************/ + +#include + +/* + * Static variables used to communicate between the conversation function + * and the server_login function + */ + +static char *PAM_username; +static char *PAM_password; + +/* + * Macros to help make life easy + */ +#define COPY_STRING(s) (s) ? 
strdup(s) : NULL + +/* + * Macro converted to a function to simplyify this thing + */ +static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +{ + + int retval; + + if( pam_error != PAM_SUCCESS) + { + DEBUG(dbglvl, ("PAM %s: %s\n", pam_strerror(pamh, pam_error))); + return False; + } + return True; +} + +/* + * PAM conversation function + * Here we assume (for now, at least) that echo on means login name, and + * echo off means password. + */ + +static int PAM_conv(int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr) +{ + int replies = 0; + struct pam_response *reply = NULL; + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) + return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) + { + switch (msg[replies]->msg_style) + { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = + COPY_STRING(PAM_username); + /* PAM frees resp */ + break; + + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = + COPY_STRING(PAM_password); + /* PAM frees resp */ + break; + + case PAM_TEXT_INFO: + /* fall through */ + + case PAM_ERROR_MSG: + /* ignore it... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + + default: + /* Must be an error of some sort... */ + free(reply); + return PAM_CONV_ERR; + } + } + if (reply) + *resp = reply; + return PAM_SUCCESS; +} + +static struct pam_conv PAM_conversation = { + &PAM_conv, + NULL +}; + +static BOOL proc_pam_end(pam_handle_t *pamh) +{ + int pam_error; + + if( pamh != NULL ) + { + pam_error = pam_end(pamh, 0); + if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + return True; + } + } + DEBUG(2,("PAM not initialised")); + return False; +} + + +static BOOL pam_auth(char *user, char *password) +{ + pam_handle_t *pamh; + int pam_error; + + /* + * Now use PAM to do authentication. 
Bail out if there are any + * errors. + */ + + PAM_password = password; + PAM_username = user; + DEBUG(4,("PAM Start for User: %s\n", user)); + pam_error = pam_start("samba", user, &PAM_conversation, &pamh); + if(!pam_error_handler(pamh, pam_error, "start failure", 2)) { + proc_pam_end(pamh); + return False; + } + + /* + * To enable debugging set in /etc/pam.d/samba: + * auth required /lib/security/pam_pwdb.so nullok shadow audit + */ + + pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ + switch( pam_error ){ + case PAM_AUTH_ERR: + DEBUG(2, ("PAM: Athentication Error\n")); + break; + case PAM_CRED_INSUFFICIENT: + DEBUG(2, ("PAM: Insufficient Credentials\n")); + break; + case PAM_AUTHINFO_UNAVAIL: + DEBUG(2, ("PAM: Authentication Information Unavailable\n")); + break; + case PAM_USER_UNKNOWN: + DEBUG(2, ("PAM: Username NOT known to Authentication system\n")); + break; + case PAM_MAXTRIES: + DEBUG(2, ("PAM: One or more authentication modules reports user limit exceeeded\n")); + break; + case PAM_ABORT: + DEBUG(0, ("PAM: One or more PAM modules failed to load\n")); + break; + default: + DEBUG(4, ("PAM: User %s Authenticated OK\n", user)); + } + if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { + proc_pam_end(pamh); + return False; + } + + /* + * Now do account management control and validation + */ + pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? 
*/ + switch( pam_error ) { + case PAM_AUTHTOK_EXPIRED: + DEBUG(2, ("PAM: User is valid but password is expired\n")); + break; + case PAM_ACCT_EXPIRED: + DEBUG(2, ("PAM: User no longer permitted to access system\n")); + break; + case PAM_AUTH_ERR: + DEBUG(2, ("PAM: There was an authentication error\n")); + break; + case PAM_PERM_DENIED: + DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); + break; + case PAM_USER_UNKNOWN: + DEBUG(2, ("PAM: User \"%s\" is NOT known to account management\n", user)); + break; + default: + DEBUG(4, ("PAM: Account OK for User: %s\n", user)); + } + if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { + proc_pam_end(pamh); + return False; + } + + /* + * This will allow samba to aquire a kerberos token. And, when + * exporting an AFS cell, be able to /write/ to this cell. + */ + + pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); + if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { + proc_pam_end(pamh); + return False; + } + + if( !proc_pam_end(pamh)) + return False; + + /* If this point is reached, the user has been authenticated. 
*/ + DEBUG(4, ("PAM: pam_authentication passed for User: %s\n", user)); + return (True); +} + +#if NOTBLOCKEDOUT +/* Start PAM authentication for specified account */ +static BOOL proc_pam_start(pam_handle_t **pamh, char *user) +{ + int pam_error; + char * rhost; + + DEBUG(4,("PAM Init for user: %s\n", user)); + + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } + + rhost = client_name(); + if (strcmp(rhost,"UNKNOWN") == 0) + rhost = client_addr(); + +#ifdef PAM_RHOST + DEBUG(4,("PAM setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + +#if defined(PAM_TTY_KLUDGE) && defined(PAM_TTY) + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + + return True; +} + +static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance) +{ + int pam_error; + + PAM_password = NULL; + PAM_username = user; + +#ifdef PAM_TTY + DEBUG(4,("PAM tty set to: %s\"\n", tty)); + pam_error = pam_set_item(pamh, PAM_TTY, tty); + if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(pamh); + return False; + } +#endif + + if (instance) { + pam_error = pam_open_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { + proc_pam_end(pamh); + return False; + } + } + else + { + pam_error = pam_close_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { + proc_pam_end(pamh); + return False; + } + } + return (True); +} + +static BOOL pam_account(pam_handle_t *pamh, char *user) +{ + int pam_error; + + PAM_password = NULL; + PAM_username = user; + + DEBUG(4,("PAM starting account management 
for user: %s \n", user)); + + pam_error = pam_acct_mgmt(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { + proc_pam_end(pamh); + return False; + } else { + DEBUG(4,("PAM account management passed\n")); + } + + /* + * This will allow samba to aquire a kerberos token. And, when + * exporting an AFS cell, be able to /write/ to this cell. + */ + pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); + if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { + proc_pam_end(pamh); + return False; + } + + /* If this point is reached, the user has been authenticated. */ + return (True); +} +static BOOL account_pam(char *user) +{ + /* + * Check the account with the PAM account module: + * - This means that accounts can be disabled + * and or expired with avoidance of samba then just + * bypassing the situation. + */ + + pam_handle_t *pamh = NULL; + char * PAMuser; + + PAMuser = malloc(strlen(user)+1); + /* This is freed by PAM */ + strncpy(PAMuser, user, strlen(user)+1); + + if (proc_pam_start(&pamh, PAMuser)) + { + if (pam_account(pamh, PAMuser)) + { + return proc_pam_end(pamh); + } + } + proc_pam_end(pamh); + return False; +} + +BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) +{ + pam_handle_t *pamh=NULL; + char * user; + + user = malloc(strlen(conn->user)+1); + + /* This is freed by PAM */ + strncpy(user, conn->user, strlen(conn->user)+1); + + if (!proc_pam_start(&pamh, user)) + { + proc_pam_end(pamh); + return False; + } + + if (pam_session(pamh, user, tty, instance)) + { + return proc_pam_end(pamh); + } + else + { + proc_pam_end(pamh); + return False; + } +} + +BOOL pam_passcheck(char * user, char * password) +{ + pam_handle_t *pamh = NULL; + + PAM_username = user; + PAM_password = password; + + if( proc_pam_start(&pamh, user)) + { + if( pam_auth(user, password)) + { + if( account_pam(user)) + { + return( proc_pam_end(pamh)); + } + } + } + proc_pam_end(pamh); + return( False 
); +} +#endif /* NOTBLOCKEDOUT */ + +BOOL pam_passcheck( char * user, char * password ) +{ + return( pam_auth( user, password )); + +} +#else + + /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ + + void pampass_dummy_function( void ) { } /*This stops compiler complaints */ + +#endif /* WITH_PAM */ -- cgit From abd96b890bc03e06672777c73b55a18b9e869620 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 11 Apr 2001 01:29:42 +0000 Subject: Updating pampass from Samba-2.2 code tree. ===> JHT (This used to be commit 88b6043b4e26c2771e0c444376b7017f5048baf8) --- source3/auth/pampass.c | 226 +++++++++++++++++++------------------------------ 1 file changed, 87 insertions(+), 139 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index a23727b689..90a6f773ce 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -56,7 +56,7 @@ static char *PAM_password; #define COPY_STRING(s) (s) ? strdup(s) : NULL /* - * Macro converted to a function to simplyify this thing + * PAM error handler. */ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { @@ -65,7 +65,7 @@ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int if( pam_error != PAM_SUCCESS) { - DEBUG(dbglvl, ("PAM %s: %s\n", pam_strerror(pamh, pam_error))); + DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); return False; } return True; @@ -132,6 +132,9 @@ static struct pam_conv PAM_conversation = { NULL }; +/* + * PAM Closing out cleanup handler + */ static BOOL proc_pam_end(pam_handle_t *pamh) { int pam_error; 
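Review bot: The `default:` branch of `PAM_conv` frees `reply` but not the `resp` strings already duplicated for earlier messages, so a conversation that fails part-way leaks heap copies of the username and the cleartext password. The array is also sized from an unchecked `num_msg`, and the `strdup` results behind `COPY_STRING` are never tested, so a non-positive count or a failed copy is not reported as `PAM_CONV_ERR`. I would reject `num_msg <= 0` up front and release each earlier `resp`, wiping it first, before freeing the array.

```c
	if (num_msg <= 0)
		return PAM_CONV_ERR;
	/* … unchanged: malloc of reply, NULL check, loop header and the four handled cases … */
		default:
			/* Drop the replies built so far; they can hold a copy of the password. */
			while (replies-- > 0) {
				if (reply[replies].resp != NULL) {
					/* a plain memset may be optimised out; prefer a wipe helper if the tree has one */
					memset(reply[replies].resp, 0, strlen(reply[replies].resp));
					free(reply[replies].resp);
				}
			}
			free(reply);
			return PAM_CONV_ERR;
```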
@@ -140,38 +143,66 @@ static BOOL proc_pam_end(pam_handle_t *pamh) { pam_error = pam_end(pamh, 0); if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + DEBUG(4, ("PAM: PAM_END OK.\n")); return True; } } - DEBUG(2,("PAM not initialised")); + DEBUG(2,("PAM: not initialised")); return False; } - -static BOOL pam_auth(char *user, char *password) +/* + * Start PAM authentication for specified account + */ +static BOOL proc_pam_start(pam_handle_t **pamh, char *user) { - pam_handle_t *pamh; - int pam_error; + int pam_error; + char * rhost; - /* - * Now use PAM to do authentication. Bail out if there are any - * errors. - */ + DEBUG(4,("PAM: Init user: %s\n", user)); - PAM_password = password; - PAM_username = user; - DEBUG(4,("PAM Start for User: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, &pamh); - if(!pam_error_handler(pamh, pam_error, "start failure", 2)) { - proc_pam_end(pamh); - return False; - } + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } + + rhost = client_name(); + if (strcmp(rhost,"UNKNOWN") == 0) + rhost = client_addr(); + +#ifdef PAM_RHOST + DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif +#ifdef PAM_TTY + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + DEBUG(4,("PAM: Init passed for user: %s\n", user)); + return True; +} + +/* + * PAM Authentication Handler + */ +static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) +{ + int pam_error; /* * To enable debugging set in /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit */ + DEBUG(4,("PAM: Authenticate 
User: %s\n", user)); pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ switch( pam_error ){ case PAM_AUTH_ERR: @@ -199,10 +230,18 @@ static BOOL pam_auth(char *user, char *password) proc_pam_end(pamh); return False; } + /* If this point is reached, the user has been authenticated. */ + return (True); +} - /* - * Now do account management control and validation - */ +/* + * PAM Account Handler + */ +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +{ + int pam_error; + + DEBUG(4,("PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: @@ -218,7 +257,7 @@ static BOOL pam_auth(char *user, char *password) DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); break; case PAM_USER_UNKNOWN: - DEBUG(2, ("PAM: User \"%s\" is NOT known to account management\n", user)); + DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); break; default: DEBUG(4, ("PAM: Account OK for User: %s\n", user)); 
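Review bot: `proc_pam_start` calls `proc_pam_end(*pamh)` on each failure path but leaves the caller's handle pointing at the ended transaction, and `pam_session` later in this commit calls `proc_pam_end(pamh)` again when `proc_pam_start` returns False, so `pam_end` can run twice on one handle. Clearing the handle after each cleanup, `proc_pam_end(*pamh); *pamh = NULL;`, lets the existing `pamh != NULL` guard in `proc_pam_end` absorb the second call. The first failure path also passes `*pamh` to `pam_strerror` and `pam_end` after `pam_start` itself failed; whether the handle is usable at that point depends on the PAM implementation, so I would not call `proc_pam_end` there. The same double cleanup appears in `proc_pam_session` followed by the `else` branch of `pam_session`, where the handle is passed by value and the inner call would have to go.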
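Review bot: The `PAM_USER_UNKNOWN` message in `pam_account` now logs at level 0 and prints `user` verbatim; if that name is the one the client sent, any unauthenticated connection can add log lines at will and place control characters in them. I would keep it at level 2 like the matching case in `pam_auth`, `DEBUG(2, ("PAM: User \"%s\" is NOT known to account management\n", user));`, or escape the name before logging it. The rest of `pam_account`'s switch lies outside this hunk.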
@@ -239,54 +278,15 @@ static BOOL pam_auth(char *user, char *password) return False; } - if( !proc_pam_end(pamh)) - return False; - /* If this point is reached, the user has been authenticated. */ - DEBUG(4, ("PAM: pam_authentication passed for User: %s\n", user)); return (True); } -#if NOTBLOCKEDOUT -/* Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user) -{ - int pam_error; - char * rhost; - - DEBUG(4,("PAM Init for user: %s\n", user)); - - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); - return False; - } - - rhost = client_name(); - if (strcmp(rhost,"UNKNOWN") == 0) - rhost = client_addr(); - -#ifdef PAM_RHOST - DEBUG(4,("PAM setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); - return False; - } -#endif - -#if defined(PAM_TTY_KLUDGE) && defined(PAM_TTY) - pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); - return False; - } -#endif - - return True; -} -static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance) +/* + * PAM Internal Session Handler + */ +static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -294,7 +294,7 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance PAM_username = user; #ifdef PAM_TTY - DEBUG(4,("PAM tty set to: %s\"\n", tty)); + DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { proc_pam_end(pamh); 
@@ -302,7 +302,7 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance } #endif - if (instance) { + if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { proc_pam_end(pamh); 
@@ -320,72 +320,23 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance return (True); } -static BOOL pam_account(pam_handle_t *pamh, char *user) -{ - int pam_error; - - PAM_password = NULL; - PAM_username = user; - - DEBUG(4,("PAM starting account management for user: %s \n", user)); - - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { - proc_pam_end(pamh); - return False; - } else { - DEBUG(4,("PAM account management passed\n")); - } - - /* - * This will allow samba to aquire a kerberos token. And, when - * exporting an AFS cell, be able to /write/ to this cell. - */ - pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); - if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { - proc_pam_end(pamh); - return False; - } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} -static BOOL account_pam(char *user) -{ - /* - * Check the account with the PAM account module: - * - This means that accounts can be disabled - * and or expired with avoidance of samba then just - * bypassing the situation. 
- */ - - pam_handle_t *pamh = NULL; - char * PAMuser; - - PAMuser = malloc(strlen(user)+1); - /* This is freed by PAM */ - strncpy(PAMuser, user, strlen(user)+1); - - if (proc_pam_start(&pamh, PAMuser)) - { - if (pam_account(pamh, PAMuser)) - { - return proc_pam_end(pamh); - } - } - proc_pam_end(pamh); - return False; -} - -BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) +/* + * PAM Externally accessible Session handler + */ +BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) { - pam_handle_t *pamh=NULL; + pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(conn->user)+1); + if ( user == NULL ) + { + DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + return False; + } /* This is freed by PAM */ - strncpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, conn->user, strlen(conn->user)+1); if (!proc_pam_start(&pamh, user)) { @@ -393,7 +344,7 @@ BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) return False; } - if (pam_session(pamh, user, tty, instance)) + if (proc_pam_session(pamh, user, tty, flag)) { return proc_pam_end(pamh); } @@ -404,6 +355,9 @@ BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) } } +/* + * PAM Password Validation Suite + */ BOOL pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; @@ -413,24 +367,18 @@ BOOL pam_passcheck(char * user, char * password) if( proc_pam_start(&pamh, user)) { - if( pam_auth(user, password)) + if ( pam_auth(pamh, user, password)) { - if( account_pam(user)) + if ( pam_account(pamh, user, password)) { return( proc_pam_end(pamh)); } - } + } } - proc_pam_end(pamh); + DEBUG(0, ("PAM: System Validation Failed - Rejecting User!\n")); return( False ); } -#endif /* NOTBLOCKEDOUT */ -BOOL pam_passcheck( char * user, char * password ) -{ - return( pam_auth( user, password )); - -} #else /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ -- cgit 
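Review bot: `StrnCpy(user, conn->user, strlen(conn->user)+1)` in `pam_session` passes the whole buffer size as the count; if `StrnCpy` copies up to n characters and then stores a terminator after them (its definition is not on this page, so this needs checking), that terminator is written one byte past the `malloc(strlen(conn->user)+1)` block. Passing the string length keeps the write inside the allocation: `StrnCpy(user, conn->user, strlen(conn->user));`. The comment `/* This is freed by PAM */` also deserves verification, since `user` is never freed here and a PAM library that copies the name in `pam_start` would leave this buffer leaked on every call. The same call reappears with `in_user` in the later hunk `@@ -350,7 +350,7`.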
From e5691d44a8e4551abe6290b8994f6fc8568e5759 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 12 Apr 2001 05:32:27 +0000 Subject: Merged John's changes. Jeremy. (This used to be commit add847778bf458238bf2a1b14ab71b8cdfd7aec0) --- source3/auth/pampass.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 90a6f773ce..204deaf8c7 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -180,6 +180,7 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user) } #endif #ifdef PAM_TTY + DEBUG(4,("PAM: setting tty\n")); pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { proc_pam_end(*pamh); @@ -272,6 +273,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) * exporting an AFS cell, be able to /write/ to this cell. */ + DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { proc_pam_end(pamh); -- cgit From abd4296ebf83d15d0a44a7173e4a0b4d711e17d8 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 13 Apr 2001 04:27:50 +0000 Subject: Updated with Andrew Bartlett patch. (This used to be commit 02e84267f74b26bdf7f76c0fc9dbaecbc8574d58) --- source3/auth/pampass.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 204deaf8c7..08f6027a88 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -4,7 +4,7 @@ PAM Password checking Copyright (C) Andrew Tridgell 1992-2001 Copyright (C) John H Terpsta 1999-2001 - Copyright (C) Andrew Barton 2001 + Copyright (C) Andrew Bartlett 2001 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -224,8 +224,11 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) case PAM_ABORT: DEBUG(0, ("PAM: One or more PAM modules failed to load\n")); break; - default: + case PAM_SUCCESS: DEBUG(4, ("PAM: User %s Authenticated OK\n", user)); + break; + default: + DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user)); } if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { proc_pam_end(pamh); @@ -260,8 +263,11 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) case PAM_USER_UNKNOWN: DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); break; - default: + case PAM_SUCCESS: DEBUG(4, ("PAM: Account OK for User: %s\n", user)); + break; + default: + DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user)); } if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { proc_pam_end(pamh); @@ -357,6 +363,27 @@ BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) } } +/* + * PAM Externally accessible Account handler + */ +BOOL pam_accountcheck(char * user) +{ + pam_handle_t *pamh = NULL; + + PAM_username = user; + PAM_password = NULL; + + if( proc_pam_start(&pamh, user)) + { + if ( pam_account(pamh, user, NULL)) + { + return( proc_pam_end(pamh)); + } + } + DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); + return( False ); +} + /* * PAM Password Validation Suite */ -- cgit From a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17 Mon Sep 17 00:00:00 2001 
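Review bot: The header comment on `pam_accountcheck` does not say that the function performs no credential check: it sets `PAM_password = NULL` and only runs `pam_account`, so a True result means the account passed `pam_acct_mgmt`, not that the caller proved an identity. I would expand the comment to `/* PAM account check only: runs account management for user and does NOT authenticate; callers must verify the password separately */`. As written, this path also reaches `pam_setcred` inside `pam_account` without a preceding `pam_authenticate`, which is worth confirming against the PAM implementation in use.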
From: Jeremy Allison Date: Wed, 18 Apr 2001 04:34:42 +0000 Subject: patch from Steve Langasek to make sure we don't use pam_setcred() if we haven't called pam_authenticate() Merge from 2.2 Jeremy. (This used to be commit 89589895e3adce75ecd6205547392326cf291543) --- source3/auth/pampass.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 08f6027a88..271c46045b 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -61,8 +61,6 @@ static char *PAM_password; static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { - int retval; - if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); @@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) /* * PAM Account Handler */ -static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) { int pam_error; @@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) return False; } + /* Skip the pam_setcred() call if we didn't use pam_authenticate() + for authentication -- it's an error to call pam_setcred without + calling pam_authenticate first */ + if (!pam_auth) { + DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user)); + return True; + } + /* * This will allow samba to aquire a kerberos token. And, when * exporting an AFS cell, be able to /write/ to this cell. @@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user) if( proc_pam_start(&pamh, user)) { - if ( pam_account(pamh, user, NULL)) + if ( pam_account(pamh, user, NULL, False)) { return( proc_pam_end(pamh)); } 
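Review bot: The new parameter `BOOL pam_auth` in `pam_account` has the same name as the static function `pam_auth` defined just above it, so inside `pam_account` the identifier refers to the flag and hides the function. It compiles, but `if (!pam_auth)` in the following hunk reads like a test of the function itself; a name that states the meaning is clearer: `static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL authenticated)`. The `password` parameter is not used in any line of `pam_account` visible on this page and could be dropped or documented as reserved.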
@@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password) { if ( pam_auth(pamh, user, password)) { - if ( pam_account(pamh, user, password)) + if ( pam_account(pamh, user, password, True)) { return( proc_pam_end(pamh)); } -- cgit From 9ce5a03ccbcc21c60a3dbc39b1dbd06b30655852 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 18 Apr 2001 16:41:04 +0000 Subject: merge from 2.2 (This used to be commit f52a5014ee325f9d91f266f88eac51b6136a75b9) --- source3/auth/pampass.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 271c46045b..d9137045e2 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -337,12 +337,12 @@ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL fla /* * PAM Externally accessible Session handler */ -BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) +BOOL pam_session(BOOL flag, const char *in_user, char *tty) { pam_handle_t *pamh = NULL; char * user; - user = malloc(strlen(conn->user)+1); + user = malloc(strlen(in_user)+1); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); @@ -350,7 +350,7 @@ BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) } /* This is freed by PAM */ - StrnCpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, in_user, strlen(in_user)+1); if (!proc_pam_start(&pamh, user)) { -- cgit From 80187366f2679e5c43d21978d4c6b1f7beee503a Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 19 Apr 2001 23:52:45 +0000 Subject: Added error reporting to pam_session code. (This used to be commit 72812e4cf199d804418dc52cc0b0ba683b8a2e5c) --- source3/auth/pampass.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index d9137045e2..277544ed91 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -287,6 +287,25 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); + switch( pam_error ) { + case PAM_CRED_UNAVAIL: + DEBUG(0, ("PAM: Credentials not found for user:%s", user )); + break; + case PAM_CRED_EXPIRED: + DEBUG(0, ("PAM: Credentials for user: \"%s\" EXPIRED!", user )); + break; + case PAM_CRED_UNKNOWN: + DEBUG(0, ("PAM: User: \"%s\" is NOT known so can not set credentials!", user )); + break; + case PAM_CRED_UNKNOWN: + DEBUG(0, ("PAM: Unknown setcredentials error - unable to set credentials for %s", user )); + break; + case PAM_SUCCESS: + DEBUG(4, ("PAM: SetCredentials OK for User: %s\n", user)); + break; + default: + DEBUG(0, ("PAM: Error Condition Unknown in pam_setcred function call!")); + } if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { proc_pam_end(pamh); return False; -- cgit From 790588eda41a7c8b2a56dce3fef57abd10df8a3f Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 20 Apr 2001 00:19:49 +0000 Subject: Oops. Typos. (This used to be commit 44f96771c384b319290ab5e14cad6ba8f3fb5383) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 277544ed91..bf1aca1e2c 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -294,10 +294,10 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p case PAM_CRED_EXPIRED: DEBUG(0, ("PAM: Credentials for user: \"%s\" EXPIRED!", user )); break; - case PAM_CRED_UNKNOWN: + case PAM_USER_UNKNOWN: DEBUG(0, ("PAM: User: \"%s\" is NOT known so can not set credentials!", user )); break; - case PAM_CRED_UNKNOWN: + case PAM_CRED_ERR: DEBUG(0, ("PAM: Unknown setcredentials error - unable to set credentials for %s", user )); break; case PAM_SUCCESS: -- cgit 
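Review bot: The five new failure messages in the `pam_setcred` switch end without `\n`, unlike the other `DEBUG` calls in this function, so at level 0 they will run into whatever is logged next; for example `DEBUG(0, ("PAM: Credentials not found for user:%s\n", user ));`. The switch also lists `case PAM_CRED_UNKNOWN:` twice, which a C compiler rejects as a duplicate case label; the follow-up hunk `@@ -294,10 +294,10` renames the labels but leaves the message strings as they are. The enclosing `pam_account` starts and ends outside this hunk.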
From e277c08631316ccda875a09a67ebb220c495c5a9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 22 Apr 2001 07:20:24 +0000 Subject: Commit of a modified version of Andrew Bartlett's patch that removes the horrid utmp hostname parameter - now uses the client name instead. Also tidies up some of the unencrypted password checking when PAM is compiled in. FIXME ! An pam_accountcheck() is being called even when smb encrypted passwords are negotiated. Is this the correct thing to do when winbindd is running ! This needs *SEVERE* testing.... Jeremy. (This used to be commit 071c799f479dd25efdb9c41745fc8f2beea7b568) --- source3/auth/pampass.c | 181 +++++++++++++++++++++++-------------------------- 1 file changed, 84 insertions(+), 97 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index bf1aca1e2c..e84a045d49 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -61,8 +61,7 @@ static char *PAM_password; static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { - if( pam_error != PAM_SUCCESS) - { + if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); return False; } @@ -87,10 +86,8 @@ static int PAM_conv(int num_msg, if (!reply) return PAM_CONV_ERR; - for (replies = 0; replies < num_msg; replies++) - { - switch (msg[replies]->msg_style) - { + for (replies = 0; replies < num_msg; replies++) { + switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = 
@@ -135,58 +132,58 @@ static struct pam_conv PAM_conversation = { */ static BOOL proc_pam_end(pam_handle_t *pamh) { - int pam_error; + int pam_error; - if( pamh != NULL ) - { + if( pamh != NULL ) { pam_error = pam_end(pamh, 0); if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { DEBUG(4, ("PAM: PAM_END OK.\n")); - return True; + return True; } - } - DEBUG(2,("PAM: not initialised")); - return False; + } + DEBUG(2,("PAM: not initialised")); + return False; } /* * Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user) +static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) { - int pam_error; - char * rhost; + int pam_error; - DEBUG(4,("PAM: Init user: %s\n", user)); + DEBUG(4,("PAM: Init user: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); - return False; - } + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } - rhost = client_name(); - if (strcmp(rhost,"UNKNOWN") == 0) - rhost = client_addr(); + if (rhost == NULL) { + rhost = client_name(); + if (strequal(rhost,"UNKNOWN")) + rhost = client_addr(); + } #ifdef PAM_RHOST - DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); - return False; - } + DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } #endif #ifdef PAM_TTY - DEBUG(4,("PAM: setting tty\n")); - pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); 
- return False; - } + DEBUG(4,("PAM: setting tty\n")); + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } #endif - DEBUG(4,("PAM: Init passed for user: %s\n", user)); - return True; + DEBUG(4,("PAM: Init passed for user: %s\n", user)); + return True; } /* @@ -201,7 +198,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) * auth required /lib/security/pam_pwdb.so nullok shadow audit */ - DEBUG(4,("PAM: Authenticate User: %s\n", user)); + DEBUG(4,("PAM: Authenticate User: %s\n", user)); pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ switch( pam_error ){ case PAM_AUTH_ERR: @@ -243,7 +240,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p { int pam_error; - DEBUG(4,("PAM: Account Management for User: %s\n", user)); + DEBUG(4,("PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: @@ -285,7 +282,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p * exporting an AFS cell, be able to /write/ to this cell. */ - DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); + DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); switch( pam_error ) { case PAM_CRED_UNAVAIL: 
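Review bot: In proc_pam_start the value handed to `pam_set_item(*pamh, PAM_RHOST, rhost)` is now whatever the caller passes, falling back to `client_name()` / `client_addr()` only when it is NULL, and nothing in the hunk says where a non-NULL rhost must come from. Host-based PAM rules decide on this item, and a name obtained by reverse lookup (presumably what client_name() returns) is controlled by whoever runs the client's reverse DNS zone. I would add a comment on the new parameter such as `/* rhost: peer name for PAM_RHOST; must be the verified client name or address, NULL to look it up here */`. Consider preferring `client_addr()` unless the name has been forward-confirmed.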
@@ -321,49 +318,46 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p */ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { - int pam_error; + int pam_error; - PAM_password = NULL; - PAM_username = user; + PAM_password = NULL; + PAM_username = user; #ifdef PAM_TTY - DEBUG(4,("PAM: tty set to: %s\n", tty)); - pam_error = pam_set_item(pamh, PAM_TTY, tty); - if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(pamh); - return False; - } + DEBUG(4,("PAM: tty set to: %s\n", tty)); + pam_error = pam_set_item(pamh, PAM_TTY, tty); + if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(pamh); + return False; + } #endif - if (flag) { - pam_error = pam_open_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { - proc_pam_end(pamh); - return False; - } - } - else - { - pam_error = pam_close_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { - proc_pam_end(pamh); - return False; - } - } - return (True); + if (flag) { + pam_error = pam_open_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { + proc_pam_end(pamh); + return False; + } + } else { + pam_error = pam_close_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { + proc_pam_end(pamh); + return False; + } + } + return (True); } /* * PAM Externally accessible Session handler */ -BOOL pam_session(BOOL flag, const char *in_user, char *tty) +BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(in_user)+1); - if ( user == NULL ) - { + if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); return False; } 
@@ -371,20 +365,16 @@ BOOL pam_session(BOOL flag, const char *in_user, char *tty) /* This is freed by PAM */ StrnCpy(user, in_user, strlen(in_user)+1); - if (!proc_pam_start(&pamh, user)) - { - proc_pam_end(pamh); - return False; + if (!proc_pam_start(&pamh, user, rhost)) { + proc_pam_end(pamh); + return False; } - if (proc_pam_session(pamh, user, tty, flag)) - { - return proc_pam_end(pamh); - } - else - { - proc_pam_end(pamh); - return False; + if (proc_pam_session(pamh, user, tty, flag)) { + return proc_pam_end(pamh); + } else { + proc_pam_end(pamh); + return False; } } @@ -398,12 +388,10 @@ BOOL pam_accountcheck(char * user) PAM_username = user; PAM_password = NULL; - if( proc_pam_start(&pamh, user)) - { - if ( pam_account(pamh, user, NULL, False)) - { - return( proc_pam_end(pamh)); - } + if( proc_pam_start(&pamh, user, NULL)) { + if ( pam_account(pamh, user, NULL, False)) { + return( proc_pam_end(pamh)); + } } DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); return( False ); @@ -419,12 +407,9 @@ BOOL pam_passcheck(char * user, char * password) PAM_username = user; PAM_password = password; - if( proc_pam_start(&pamh, user)) - { - if ( pam_auth(pamh, user, password)) - { - if ( pam_account(pamh, user, password, True)) - { + if( proc_pam_start(&pamh, user, NULL)) { + if ( pam_auth(pamh, user, password)) { + if ( pam_account(pamh, user, password, True)) { return( proc_pam_end(pamh)); } } @@ -435,8 +420,10 @@ BOOL pam_passcheck(char * user, char * password) #else - /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ - - void pampass_dummy_function( void ) { } /*This stops compiler complaints */ +/* If PAM not used, no PAM restrictions on accounts. */ + BOOL pam_accountcheck(char * user) +{ + return True; +} #endif /* WITH_PAM */ -- cgit From ae8418d0c400f6458c1eb0b79881fd02629e5acd Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Mon, 23 Apr 2001 04:15:35 +0000 Subject: Added smb_ prefix to all Samba wrapper pam functions. Fixed off by one bug using StrnCpy instead of strdup(). Jeremy. (This used to be commit d4b1c0be2e700c86a4338bb497777f97e3c960a7) --- source3/auth/pampass.c | 96 ++++++++++++++++++++++++-------------------------- 1 file changed, 47 insertions(+), 49 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index e84a045d49..553ffcd323 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -5,6 +5,7 @@ Copyright (C) Andrew Tridgell 1992-2001 Copyright (C) John H Terpsta 1999-2001 Copyright (C) Andrew Bartlett 2001 + Copyright (C) Jeremy Allison 2001 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -58,7 +59,7 @@ static char *PAM_password; /* * PAM error handler. */ -static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { @@ -74,7 +75,7 @@ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int * echo off means password. */ -static int PAM_conv(int num_msg, +static int smb_pam_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) 
@@ -122,21 +123,21 @@ static int PAM_conv(int num_msg, return PAM_SUCCESS; } -static struct pam_conv PAM_conversation = { - &PAM_conv, +static struct pam_conv smb_pam_conversation = { + &smb_pam_conv, NULL }; /* * PAM Closing out cleanup handler */ -static BOOL proc_pam_end(pam_handle_t *pamh) +static BOOL smb_pam_end(pam_handle_t *pamh) { int pam_error; if( pamh != NULL ) { pam_error = pam_end(pamh, 0); - if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { DEBUG(4, ("PAM: PAM_END OK.\n")); return True; } @@ -148,15 +149,15 @@ static BOOL proc_pam_end(pam_handle_t *pamh) /* * Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) +static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) { int pam_error; DEBUG(4,("PAM: Init user: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); + pam_error = pam_start("samba", user, &smb_pam_conversation, pamh); + if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + smb_pam_end(*pamh); return False; } @@ -169,16 +170,16 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) #ifdef PAM_RHOST DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); + if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + smb_pam_end(*pamh); return False; } #endif #ifdef PAM_TTY DEBUG(4,("PAM: setting tty\n")); pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); + if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + smb_pam_end(*pamh); return False; } #endif 
@@ -189,7 +190,7 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) /* * PAM Authentication Handler */ -static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) +static BOOL smb_pam_auth(pam_handle_t *pamh, char *user, char *password) { int pam_error; @@ -225,8 +226,8 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) default: DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user)); } - if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { - proc_pam_end(pamh); + if(!smb_pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { + smb_pam_end(pamh); return False; } /* If this point is reached, the user has been authenticated. */ @@ -236,7 +237,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) /* * PAM Account Handler */ -static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) +static BOOL smb_pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) { int pam_error; @@ -264,8 +265,8 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p default: DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user)); } - if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { - proc_pam_end(pamh); + if(!smb_pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { + smb_pam_end(pamh); return False; } @@ -303,8 +304,8 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p default: DEBUG(0, ("PAM: Error Condition Unknown in pam_setcred function call!")); } - if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { - proc_pam_end(pamh); + if(!smb_pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { + smb_pam_end(pamh); return False; } 
@@ -316,7 +317,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p /* * PAM Internal Session Handler */ -static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -326,22 +327,22 @@ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL fla #ifdef PAM_TTY DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); - if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) { + smb_pam_end(pamh); return False; } #endif if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { - proc_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) { + smb_pam_end(pamh); return False; } } else { pam_error = pam_close_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { - proc_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) { + smb_pam_end(pamh); return False; } } 
@@ -351,29 +352,26 @@ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL fla /* * PAM Externally accessible Session handler */ -BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) +BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; - user = malloc(strlen(in_user)+1); + user = strdup(in_user); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); return False; } - /* This is freed by PAM */ - StrnCpy(user, in_user, strlen(in_user)+1); - - if (!proc_pam_start(&pamh, user, rhost)) { - proc_pam_end(pamh); + if (!smb_pam_start(&pamh, user, rhost)) { + smb_pam_end(pamh); return False; } - if (proc_pam_session(pamh, user, tty, flag)) { - return proc_pam_end(pamh); + if (smb_internal_pam_session(pamh, user, tty, flag)) { + return smb_pam_end(pamh); } else { - proc_pam_end(pamh); + smb_pam_end(pamh); return False; } } @@ -381,16 +379,16 @@ BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) /* * PAM Externally accessible Account handler */ -BOOL pam_accountcheck(char * user) +BOOL smb_pam_accountcheck(char * user) { pam_handle_t *pamh = NULL; PAM_username = user; PAM_password = NULL; - if( proc_pam_start(&pamh, user, NULL)) { - if ( pam_account(pamh, user, NULL, False)) { - return( proc_pam_end(pamh)); + if( smb_pam_start(&pamh, user, NULL)) { + if ( smb_pam_account(pamh, user, NULL, False)) { + return( smb_pam_end(pamh)); } } DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); 
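Review bot: The copy made by `user = strdup(in_user);` in smb_pam_session is never released: none of the three return paths after the allocation calls free(). The removed comment "This is freed by PAM" does not hold for pam_start(), which keeps its own copy of the user name in Linux-PAM (worth confirming for the other supported PAM implementations). Every session open and close therefore leaks one buffer in a long-running daemon. Since smb_internal_pam_session stores the pointer in the static `PAM_username`, the cleanup should reset that as well, e.g. `PAM_username = NULL; free(user);` after the final smb_pam_end() and on the two failure paths.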
@@ -400,17 +398,17 @@ BOOL pam_accountcheck(char * user) /* * PAM Password Validation Suite */ -BOOL pam_passcheck(char * user, char * password) +BOOL smb_pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; PAM_username = user; PAM_password = password; - if( proc_pam_start(&pamh, user, NULL)) { - if ( pam_auth(pamh, user, password)) { - if ( pam_account(pamh, user, password, True)) { - return( proc_pam_end(pamh)); + if( smb_pam_start(&pamh, user, NULL)) { + if ( smb_pam_auth(pamh, user, password)) { + if ( smb_pam_account(pamh, user, password, True)) { + return( smb_pam_end(pamh)); } } } @@ -421,7 +419,7 @@ BOOL pam_passcheck(char * user, char * password) #else /* If PAM not used, no PAM restrictions on accounts. */ - BOOL pam_accountcheck(char * user) + BOOL smb_pam_accountcheck(char * user) { return True; } -- cgit From d6a5dec6f225395ec764b29eb76c0a6577f3e039 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 06:09:27 +0000 Subject: Fix for bug in code for pam_session failure - pam_end called twice. Jeremy. (This used to be commit c4048fcdb6ff3a890b69be8ef4832e9bd958cfec) --- source3/auth/pampass.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 553ffcd323..3335ed5551 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -327,24 +327,18 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, #ifdef PAM_TTY DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); - if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) { - smb_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) return False; - } #endif if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); - if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) { - smb_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) return False; - } } else { pam_error = pam_close_session(pamh, PAM_SILENT); - if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) { - smb_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) return False; - } } return (True); } @@ -368,12 +362,11 @@ BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) return False; } - if (smb_internal_pam_session(pamh, user, tty, flag)) { - return smb_pam_end(pamh); - } else { + if (!smb_internal_pam_session(pamh, user, tty, flag)) { smb_pam_end(pamh); return False; } + return smb_pam_end(pamh); } /* -- cgit From e00451106bc0365405f68195afcb6351bd2a55c0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 06:22:02 +0000 Subject: Fix more free twice bugs. Jeremy. (This used to be commit 4db22afeed659a871a4a1f719d5fa1f2df07e24d) --- source3/auth/pampass.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 3335ed5551..f91f472603 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -153,11 +153,13 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) { int pam_error; + *pamh = (pam_handle_t *)NULL; + DEBUG(4,("PAM: Init user: %s\n", user)); pam_error = pam_start("samba", user, &smb_pam_conversation, pamh); if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - smb_pam_end(*pamh); + *pamh = (pam_handle_t *)NULL; return False; } @@ -172,6 +174,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { smb_pam_end(*pamh); + *pamh = (pam_handle_t *)NULL; return False; } #endif @@ -180,6 +183,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { smb_pam_end(*pamh); + *pamh = (pam_handle_t *)NULL; return False; } #endif @@ -358,7 +362,6 @@ BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) } if (!smb_pam_start(&pamh, user, rhost)) { - smb_pam_end(pamh); return False; } -- cgit From 70b55a9abc109df0e15e3aa6f01c03d9acea154a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 20:43:20 +0000 Subject: Added "obey pam restrictions" parameter - default to "off". Only set this to "on" if you know you have your PAM set up correctly..... NB. Doesn't apply to plaintext password authentication, which must use pam when compiled in. Jeremy. (This used to be commit 59aa99f3901d098b7afbe675021bda53b62ee496) --- source3/auth/pampass.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index f91f472603..9f4a8f57b9 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, /* * PAM Externally accessible Session handler */ + BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + user = strdup(in_user); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); @@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user) PAM_username = user; PAM_password = NULL; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_account(pamh, user, NULL, False)) { return( smb_pam_end(pamh)); @@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password) PAM_username = user; PAM_password = password; + /* + * Note we can't ignore PAM here as this is the only + * way of doing auths on plaintext passwords when + * compiled --with-pam. + */ + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_auth(pamh, user, password)) { if ( smb_pam_account(pamh, user, password, True)) { -- cgit From c3a999409db6a9e0d38928feb02ab6815bd28d57 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2001 21:05:58 +0000 Subject: Based on an original PAM patch by Andrew Bartlett, re-written by me to remove global static PAM variables, and to tidy up the PAM internals code. Now looks like the rest of Samba. Still needs testing. Jeremy. (This used to be commit 1648ac64a75de74d1a1575eb49cccc4f75488bfa) --- source3/auth/pampass.c | 541 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 417 insertions(+), 124 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 9f4a8f57b9..83640bf5c8 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
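Review bot: With `if (!lp_obey_pam_restrictions()) return True;` smb_pam_session and smb_pam_accountcheck (next hunk) report success without consulting PAM and without logging anything, so a log reader cannot tell a passed account check from a skipped one. A line such as `DEBUG(5,("smb_pam_accountcheck: obey pam restrictions is off, account check skipped for %s\n", user));` before each early return would make the bypass visible. In smb_pam_accountcheck the test could also move ahead of the `PAM_username = user;` assignment so the statics are not touched when PAM is skipped. Both function bodies extend outside their hunks.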
@@ -44,31 +44,58 @@ extern int DEBUGLEVEL; #include /* - * Static variables used to communicate between the conversation function - * and the server_login function + * Structure used to communicate between the conversation function + * and the server_login/change password functions. */ -static char *PAM_username; -static char *PAM_password; +struct smb_pam_userdata { + char *PAM_username; + char *PAM_password; + char *PAM_newpassword; +}; + +typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr); /* * Macros to help make life easy */ #define COPY_STRING(s) (s) ? strdup(s) : NULL -/* - * PAM error handler. - */ +/******************************************************************* + PAM error handler. + *********************************************************************/ + static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { - DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); + DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n", + msg, pam_strerror(pamh, pam_error))); return False; } return True; } +/******************************************************************* + This function is a sanity check, to make sure that we NEVER report + failure as sucess. +*********************************************************************/ + +static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, + char *msg, int dbglvl, uint32 *nt_status) +{ + if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) + return True; + + if (*nt_status == NT_STATUS_NOPROBLEMO) { + /* Complain LOUDLY */ + DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ +error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE")); + *nt_status = NT_STATUS_LOGON_FAILURE; + } + return False; +} + /* * PAM conversation function * Here we assume (for now, at least) that echo on means login name, and 
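Review bot: struct smb_pam_userdata has no comment on who owns its three strings. smb_setup_pam_conv (added later in this commit) stores the caller's `user`, `passwd` and `newpass` pointers without copying, and smb_free_pam_conv frees only the struct, so the fields are borrowed and must stay valid until pam_end(). I would say so on the struct, e.g. `/* Borrowed pointers: owned by the caller, must outlive the PAM handle; never freed here. */`. Two of them are cleartext passwords, so a later change that frees or duplicates them would be easy to get wrong.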
@@ -82,6 +109,9 @@ static int smb_pam_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; + struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; + + *resp = NULL; reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) @@ -91,15 +121,13 @@ static int smb_pam_conv(int num_msg, switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = - COPY_STRING(PAM_username); + reply[replies].resp = COPY_STRING(udp->PAM_username); /* PAM frees resp */ break; case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = - COPY_STRING(PAM_password); + reply[replies].resp = COPY_STRING(udp->PAM_password); /* PAM frees resp */ break; 
@@ -123,41 +151,158 @@ static int smb_pam_conv(int num_msg, return PAM_SUCCESS; } -static struct pam_conv smb_pam_conversation = { - &smb_pam_conv, - NULL -}; +/* + * PAM password change conversation function + * Here we assume (for now, at least) that echo on means login name, and + * echo off means password. + */ + +static int smb_pam_passchange_conv(int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr) +{ + int replies = 0; + struct pam_response *reply = NULL; + fstring currentpw_prompt; + fstring newpw_prompt; + fstring repeatpw_prompt; + char *p = lp_passwd_chat(); + struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; + + /* Get the prompts... */ + + if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + + *resp = NULL; + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) + return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) { + switch (msg[replies]->msg_style) { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(udp->PAM_username); + /* PAM frees resp */ + break; + + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + DEBUG(10,("smb_pam_passchange_conv: PAM Replied: %s\n", msg[replies]->msg)); + if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_password); + } else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_newpassword); + } else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_newpassword); + } else { + DEBUG(3,("smb_pam_passchange_conv: Could not find 
reply for PAM prompt: %s\n",msg[replies]->msg)); + DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \ +RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt)); + } + /* PAM frees resp */ + break; + + case PAM_TEXT_INFO: + /* fall through */ + + case PAM_ERROR_MSG: + /* ignore it... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + + default: + /* Must be an error of some sort... */ + free(reply); + reply = NULL; + return PAM_CONV_ERR; + } + } + + if (reply) + *resp = reply; + return PAM_SUCCESS; +} + +/*************************************************************************** + Free up a malloced pam_conv struct. +****************************************************************************/ + +static void smb_free_pam_conv(struct pam_conv *pconv) +{ + if (pconv) + safe_free(pconv->appdata_ptr); + + safe_free(pconv); +} + +/*************************************************************************** + Allocate a pam_conv struct. 
+****************************************************************************/ + +static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, char *user, + char *passwd, char *newpass) +{ + struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv)); + struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); + + if (pconv == NULL || udp == NULL) { + safe_free(pconv); + safe_free(udp); + return NULL; + } + + udp->PAM_username = user; + udp->PAM_password = passwd; + udp->PAM_newpassword = newpass; + + pconv->conv = smb_pam_conv_fnptr; + pconv->appdata_ptr = (void *)udp; + return pconv; +} /* * PAM Closing out cleanup handler */ -static BOOL smb_pam_end(pam_handle_t *pamh) + +static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) { int pam_error; + + smb_free_pam_conv(smb_pam_conv_ptr); if( pamh != NULL ) { pam_error = pam_end(pamh, 0); if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { - DEBUG(4, ("PAM: PAM_END OK.\n")); + DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n")); return True; } } - DEBUG(2,("PAM: not initialised")); + DEBUG(2,("smb_pam_end: PAM: not initialised")); return False; } /* * Start PAM authentication for specified account */ -static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) + +static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct pam_conv *pconv) { int pam_error; *pamh = (pam_handle_t *)NULL; - DEBUG(4,("PAM: Init user: %s\n", user)); + DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user)); - pam_error = pam_start("samba", user, &smb_pam_conversation, pamh); + pam_error = pam_start("samba", user, pconv, pamh); if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { *pamh = (pam_handle_t *)NULL; return False; 
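Review bot: In smb_pam_passchange_conv the `PAM_PROMPT_ECHO_OFF` arm sets `resp_retcode = PAM_SUCCESS` but leaves `reply[replies].resp` unassigned when the prompt matches none of the three prompts parsed from lp_passwd_chat(), and `reply` comes from malloc(), so the field holds whatever was in the heap. PAM will then read and later free that pointer. The `else` branch should at least do `reply[replies].resp = NULL;`, or the array should be allocated with `calloc(num_msg, sizeof(struct pam_response))`, which also checks the size multiplication; failing the conversation with PAM_CONV_ERR after releasing the answers already built would be stricter. The `default:` arm has a related leak: `free(reply)` drops the array without freeing the strdup'd user name and password copies stored in earlier entries.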
@@ -170,117 +315,134 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) } #ifdef PAM_RHOST - DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost)); pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - smb_pam_end(*pamh); + smb_pam_end(*pamh, pconv); *pamh = (pam_handle_t *)NULL; return False; } #endif #ifdef PAM_TTY - DEBUG(4,("PAM: setting tty\n")); + DEBUG(4,("smb_pam_start: PAM: setting tty\n")); pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - smb_pam_end(*pamh); + smb_pam_end(*pamh, pconv); *pamh = (pam_handle_t *)NULL; return False; } #endif - DEBUG(4,("PAM: Init passed for user: %s\n", user)); + DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user)); return True; } /* * PAM Authentication Handler */ -static BOOL smb_pam_auth(pam_handle_t *pamh, char *user, char *password) +static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) { int pam_error; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; /* * To enable debugging set in /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit */ - DEBUG(4,("PAM: Authenticate User: %s\n", user)); - pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ + DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user)); + pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 
0 : PAM_DISALLOW_NULL_AUTHTOK); switch( pam_error ){ case PAM_AUTH_ERR: - DEBUG(2, ("PAM: Athentication Error\n")); + DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); + nt_status = NT_STATUS_WRONG_PASSWORD; break; case PAM_CRED_INSUFFICIENT: - DEBUG(2, ("PAM: Insufficient Credentials\n")); + DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); + nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO; break; case PAM_AUTHINFO_UNAVAIL: - DEBUG(2, ("PAM: Authentication Information Unavailable\n")); + DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_USER_UNKNOWN: - DEBUG(2, ("PAM: Username NOT known to Authentication system\n")); + DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user)); + nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_MAXTRIES: - DEBUG(2, ("PAM: One or more authentication modules reports user limit exceeeded\n")); + DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user)); + nt_status = NT_STATUS_REMOTE_SESSION_LIMIT; break; case PAM_ABORT: - DEBUG(0, ("PAM: One or more PAM modules failed to load\n")); + DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; + break; + case PAM_SUCCESS: + DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); + nt_status = NT_STATUS_NOPROBLEMO; break; - case PAM_SUCCESS: - DEBUG(4, ("PAM: User %s Authenticated OK\n", user)); - break; default: - DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user)); - } - if(!smb_pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { - smb_pam_end(pamh); - return False; + DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; + break; } - /* If this point is reached, 
the user has been authenticated. */ - return (True); + + smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status); + return nt_status; } /* * PAM Account Handler */ -static BOOL smb_pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) +static uint32 smb_pam_account(pam_handle_t *pamh, char * user) { int pam_error; + uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; - DEBUG(4,("PAM: Account Management for User: %s\n", user)); + DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: - DEBUG(2, ("PAM: User is valid but password is expired\n")); + DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user)); + nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_ACCT_EXPIRED: - DEBUG(2, ("PAM: User no longer permitted to access system\n")); + DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user)); + nt_status = NT_STATUS_ACCOUNT_EXPIRED; break; case PAM_AUTH_ERR: - DEBUG(2, ("PAM: There was an authentication error\n")); + DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_PERM_DENIED: - DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); + DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user)); + nt_status = NT_STATUS_ACCOUNT_RESTRICTION; break; case PAM_USER_UNKNOWN: - DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); + DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user)); + nt_status = NT_STATUS_NO_SUCH_USER; + break; + case PAM_SUCCESS: + DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); + nt_status = NT_STATUS_NOPROBLEMO; break; - case PAM_SUCCESS: - DEBUG(4, ("PAM: 
Account OK for User: %s\n", user)); - break; default: - DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user)); - } - if(!smb_pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { - smb_pam_end(pamh); - return False; + nt_status = NT_STATUS_ACCOUNT_DISABLED; + DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user)); + break; } - /* Skip the pam_setcred() call if we didn't use pam_authenticate() - for authentication -- it's an error to call pam_setcred without - calling pam_authenticate first */ - if (!pam_auth) { - DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user)); - return True; - } + smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status); + return nt_status; +} + +/* + * PAM Credential Setting + */ + +static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user) +{ + int pam_error; + uint32 nt_status = NT_STATUS_NO_TOKEN; /* * This will allow samba to aquire a kerberos token. And, when 
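Review bot: In smb_pam_auth the flags expression `PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK` parses as `(PAM_SILENT | lp_null_passwords()) ? 0 : PAM_DISALLOW_NULL_AUTHTOK`, because `|` binds tighter than `?:`. PAM_SILENT is a non-zero flag, so the condition is always true and pam_authenticate() is always called with flags 0. PAM_DISALLOW_NULL_AUTHTOK is therefore never passed, whatever lp_null_passwords() returns, and PAM_SILENT is lost as well. Parenthesise the conditional: `pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK));`. A short comment beside it, saying that empty passwords are refused unless null passwords are enabled, would keep the intent visible.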
@@ -291,32 +453,34 @@ static BOOL smb_pam_account(pam_handle_t *pamh, char * user, char * password, BO pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); switch( pam_error ) { case PAM_CRED_UNAVAIL: - DEBUG(0, ("PAM: Credentials not found for user:%s", user )); + DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user )); + nt_status = NT_STATUS_NO_TOKEN; break; case PAM_CRED_EXPIRED: - DEBUG(0, ("PAM: Credentials for user: \"%s\" EXPIRED!", user )); + DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user )); + nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_USER_UNKNOWN: - DEBUG(0, ("PAM: User: \"%s\" is NOT known so can not set credentials!", user )); + DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user )); + nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_CRED_ERR: - DEBUG(0, ("PAM: Unknown setcredentials error - unable to set credentials for %s", user )); + DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user )); + nt_status = NT_STATUS_LOGON_FAILURE; + break; + case PAM_SUCCESS: + DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); + nt_status = NT_STATUS_NOPROBLEMO; break; - case PAM_SUCCESS: - DEBUG(4, ("PAM: SetCredentials OK for User: %s\n", user)); - break; default: - DEBUG(0, ("PAM: Error Condition Unknown in pam_setcred function call!")); - } - if(!smb_pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { - smb_pam_end(pamh); - return False; + DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); + nt_status = NT_STATUS_NO_TOKEN; + break; } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} + smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status); + return nt_status; +} /* * PAM Internal Session Handler 
@@ -325,11 +489,8 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, { int pam_error; - PAM_password = NULL; - PAM_username = user; - #ifdef PAM_TTY - DEBUG(4,("PAM: tty set to: %s\n", tty)); + DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) return False; 
@@ -340,77 +501,156 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) return False; } else { - pam_error = pam_close_session(pamh, PAM_SILENT); + pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */ + pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */ if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) return False; } return (True); } +/* + * Internal PAM Password Changer. + */ + +static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user) +{ + int pam_error; + + DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user)); + + pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */ + + switch( pam_error ) { + case PAM_AUTHTOK_ERR: + DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n")); + break; + case PAM_AUTHTOK_RECOVER_ERR: + DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n")); + break; + case PAM_AUTHTOK_LOCK_BUSY: + DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n")); + break; + case PAM_AUTHTOK_DISABLE_AGING: + DEBUG(2, ("PAM: Authentication token aging has been disabled.\n")); + break; + case PAM_PERM_DENIED: + DEBUG(0, ("PAM: Permission denied.\n")); + break; + case PAM_TRY_AGAIN: + DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n")); + break; + case PAM_USER_UNKNOWN: + DEBUG(0, ("PAM: User not known to PAM\n")); + break; + case PAM_SUCCESS: + DEBUG(4, ("PAM: Account OK for User: %s\n", user)); + break; + default: + DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user)); + } + + if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) { + return False; + } + + /* If this point is reached, the password has changed. 
*/ + return True; +} + /* * PAM Externally accessible Session handler */ -BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) +BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; - char * user; + struct pam_conv *pconv = NULL; /* Ignore PAM if told to. */ if (!lp_obey_pam_restrictions()) return True; - user = strdup(in_user); - if ( user == NULL ) { - DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) return False; - } - if (!smb_pam_start(&pamh, user, rhost)) { + if (!smb_pam_start(&pamh, user, rhost, pconv)) return False; - } - if (!smb_internal_pam_session(pamh, user, tty, flag)) { - smb_pam_end(pamh); + if (!smb_internal_pam_session(pamh, user, tty, True)) { + smb_pam_end(pamh, pconv); return False; } - return smb_pam_end(pamh); + + return smb_pam_end(pamh, pconv); } /* - * PAM Externally accessible Account handler + * PAM Externally accessible Session handler */ -BOOL smb_pam_accountcheck(char * user) + +BOOL smb_pam_close_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; - - PAM_username = user; - PAM_password = NULL; + struct pam_conv *pconv = NULL; /* Ignore PAM if told to. 
*/ if (!lp_obey_pam_restrictions()) return True; - if( smb_pam_start(&pamh, user, NULL)) { - if ( smb_pam_account(pamh, user, NULL, False)) { - return( smb_pam_end(pamh)); - } + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) + return False; + + if (!smb_pam_start(&pamh, user, rhost, pconv)) + return False; + + if (!smb_internal_pam_session(pamh, user, tty, False)) { + smb_pam_end(pamh, pconv); + return False; } - DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); - return( False ); + + return smb_pam_end(pamh, pconv); } /* - * PAM Password Validation Suite + * PAM Externally accessible Account handler */ -BOOL smb_pam_passcheck(char * user, char * password) + +uint32 smb_pam_accountcheck(char * user) { + uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; + struct pam_conv *pconv = NULL; - PAM_username = user; - PAM_password = password; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return NT_STATUS_NOPROBLEMO; + + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) + return False; + + if (!smb_pam_start(&pamh, user, NULL, pconv)) + return NT_STATUS_ACCOUNT_DISABLED; + + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) + DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user)); + + smb_pam_end(pamh, pconv); + return nt_status; +} + +/* + * PAM Password Validation Suite + */ + +uint32 smb_pam_passcheck(char * user, char * password) +{ + pam_handle_t *pamh = NULL; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + struct pam_conv *pconv = NULL; /* * Note we can't ignore PAM here as this is the only 
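Review bot: smb_pam_accountcheck now returns a uint32 NT status, but its allocation-failure path still does `return False;` when smb_setup_pam_conv() returns NULL. If NT_STATUS_NOPROBLEMO has the value 0 (its definition is not on this page), that path reports the account as valid without ever consulting PAM, so the check fails open under memory pressure. Return an explicit failure instead, e.g. `return NT_STATUS_ACCOUNT_DISABLED;`, which is what the function already returns when smb_pam_start() fails. A later commit on this page corrects the same `return False;` in smb_pam_passcheck but leaves this one unchanged.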
@@ -418,23 +658,76 @@ BOOL smb_pam_passcheck(char * user, char * password) * compiled --with-pam. */ - if( smb_pam_start(&pamh, user, NULL)) { - if ( smb_pam_auth(pamh, user, password)) { - if ( smb_pam_account(pamh, user, password, True)) { - return( smb_pam_end(pamh)); - } - } + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL) + return False; + + if (!smb_pam_start(&pamh, user, NULL, NULL)) + return NT_STATUS_LOGON_FAILURE; + + if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) { + DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user)); + smb_pam_end(pamh, pconv); + return nt_status; + } + + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) { + DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user)); + smb_pam_end(pamh, pconv); + return nt_status; + } + + if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_NOPROBLEMO) { + DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user)); + smb_pam_end(pamh, pconv); + return nt_status; } - DEBUG(0, ("PAM: System Validation Failed - Rejecting User!\n")); - return( False ); + + smb_pam_end(pamh, pconv); + return nt_status; +} + +/* + * PAM Password Change Suite + */ + +BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) +{ + /* Appropriate quantities of root should be obtained BEFORE calling this function */ + struct pam_conv *pconv = NULL; + pam_handle_t *pamh = NULL; + + if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL) + return False; + + if(!smb_pam_start(&pamh, user, NULL, pconv)) + return False; + + if (!smb_pam_chauthtok(pamh, user)) { + DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user)); + smb_pam_end(pamh, pconv); + return False; + } + + return smb_pam_end(pamh, pconv); } #else /* If PAM not used, no PAM restrictions on accounts. 
*/ - BOOL smb_pam_accountcheck(char * user) + uint32 smb_pam_accountcheck(char * user) +{ + return NT_STATUS_NOPROBLEMO; +} + +/* If PAM not used, also no PAM restrictions on sessions. */ + BOOL smb_pam_claim_session(const char *user, char *tty, char *rhost) { return True; } +/* If PAM not used, also no PAM restrictions on sessions. */ + BOOL smb_pam_close_session(const char *in_user, char *tty, char *rhost) +{ + return True; +} #endif /* WITH_PAM */ -- cgit From 0901dd473ae163b815b364fc7ac954778b77d3b5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2001 23:14:44 +0000 Subject: Fixing consts in pam code. Jeremy. (This used to be commit c4d3df4f145dc28d1b285fad64c787cebb613e70) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 83640bf5c8..01d2d81b9d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -720,13 +720,13 @@ BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_claim_session(const char *user, char *tty, char *rhost) + BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) { return True; } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_close_session(const char *in_user, char *tty, char *rhost) + BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) { return True; } -- cgit From a290cd597db9e94b603b5e94c3ac87cb9e068da0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 May 2001 01:26:15 +0000 Subject: Allow pam code to compile on Solaris (which doesn't have PAM_AUTHTOK_RECOVER_ERR). Jeremy. (This used to be commit 6b2dd14205a4170c11067c4f851db11ab9154fce) --- source3/auth/pampass.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/auth/pampass.c') 
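Review bot: smb_pam_passchange leaks `pconv` when smb_pam_start() fails inside pam_start() itself. The `Init Failed` branch of smb_pam_start returns False without releasing the conversation struct, while its rhost and tty failure branches do release it through `smb_pam_end(*pamh, pconv)`, so the caller cannot tell who owns `pconv` after a failure. Having smb_pam_start free it on every failure path keeps the rule simple, e.g. adding `smb_free_pam_conv(pconv);` before the `return False;` of the `Init Failed` branch and stating in its header comment that `pconv` is consumed on failure. The same call pattern appears in smb_pam_claim_session, smb_pam_close_session and smb_pam_accountcheck in the previous hunk. smb_pam_start's body lies in earlier hunks, not this one.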
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 01d2d81b9d..09b84db71a 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -525,9 +525,14 @@ static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user) case PAM_AUTHTOK_ERR: DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n")); break; + + /* This doesn't seem to be defined on Solaris. JRA */ +#ifdef PAM_AUTHTOK_RECOVER_ERR case PAM_AUTHTOK_RECOVER_ERR: DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n")); break; +#endif + case PAM_AUTHTOK_LOCK_BUSY: DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n")); break; -- cgit From 5197ccfef498d8d8072fba71d3bd58509fa10ad4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 May 2001 17:19:42 +0000 Subject: Added Andrew Bartlett's fixes to my changes to his original patch (at the court of king caractacus, was just passing by... :-). Jeremy. (This used to be commit acc3e7a057ad7fb0c2fb1cafff0c623ec0524d04) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 09b84db71a..061e5ee0bf 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -664,9 +664,9 @@ uint32 smb_pam_passcheck(char * user, char * password) */ if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL) - return False; + return NT_STATUS_LOGON_FAILURE; - if (!smb_pam_start(&pamh, user, NULL, NULL)) + if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_LOGON_FAILURE; if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) { -- cgit From e2a997f7a9d987fb96321a581fae9a5f3e8f4110 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 1 May 2001 18:19:15 +0000 Subject: Stop coredump on pam password change with pam_pwdb.so module on error. Jeremy. (This used to be commit d9b960b4a5997e4cd09e3da9ea4754cbae1e29b3) --- source3/auth/pampass.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 061e5ee0bf..68024f9481 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -188,6 +188,7 @@ static int smb_pam_passchange_conv(int num_msg, for (replies = 0; replies < num_msg; replies++) { switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: Replied: %s\n", msg[replies]->msg)); reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = COPY_STRING(udp->PAM_username); /* PAM frees resp */ @@ -195,7 +196,7 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; - DEBUG(10,("smb_pam_passchange_conv: PAM Replied: %s\n", msg[replies]->msg)); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_password); } else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) { @@ -206,6 +207,9 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \ RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt)); + free(reply); + reply = NULL; + return PAM_CONV_ERR; } /* PAM frees resp */ break; -- cgit From 0961f7b494319e90c581016fda95be0b8eaf4229 Mon Sep 17 00:00:00 2001 
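Review bot: The added `free(reply); reply = NULL; return PAM_CONV_ERR;` for an unmatched prompt in smb_pam_passchange_conv releases only the array. The `resp` strings already filled in for earlier messages by COPY_STRING are not freed, and they can hold the user's old or new password. COPY_STRING's definition is cut off in the visible part of the file, so this assumes it allocates a copy, as the `/* PAM frees resp */` comments imply. Free the earlier entries before the array, e.g. `while (replies-- > 0) safe_free(reply[replies].resp);`, ideally clearing each string first. The `default:` branch of the same switch has the same gap, and the function begins and ends outside this hunk.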
From: Jeremy Allison Date: Tue, 1 May 2001 18:25:20 +0000 Subject: Runtime check for broken PAM systems with no appdata_ptr support. This should eventually be an autoconf test with a #ifdef workaround. I *HATE* pam :-). Jeremy. (This used to be commit 52a9226a5aaa769e960619c2bd0a561dd9b0493d) --- source3/auth/pampass.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 68024f9481..8f62d35317 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -113,6 +113,16 @@ static int smb_pam_conv(int num_msg, *resp = NULL; + /* + * Apparantly HPUX has a buggy PAM that doesn't support the + * appdata_ptr. Fail if this is the case. JRA. + */ + + if (udp == NULL) { + DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n")); + return PAM_CONV_ERR; + } + reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) return PAM_CONV_ERR; @@ -170,6 +180,18 @@ static int smb_pam_passchange_conv(int num_msg, char *p = lp_passwd_chat(); struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; + *resp = NULL; + + /* + * Apparantly HPUX has a buggy PAM that doesn't support the + * appdata_ptr. Fail if this is the case. JRA. + */ + + if (udp == NULL) { + DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n")); + return PAM_CONV_ERR; + } + /* Get the prompts... */ if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring))) @@ -179,8 +201,6 @@ static int smb_pam_passchange_conv(int num_msg, if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; - *resp = NULL; - reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) return PAM_CONV_ERR; -- cgit From aac630b382fefff2e3ead291d2d838832a180925 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 2 May 2001 23:32:09 +0000 Subject: Had to add a "pam password change" parameter (defaults to "off") and inlined the pam password change code to ensure that existing and working password chat scripts don't break with 2.2.1. PAM password changing has to be explicitly requested. Allowed wildcards in pam password change matching (matches password chat script matching). Had to add const (sorry Tim :-) to ms_fnmatch() to stop warnings. Don't worry - the const changes are isolated and don't cause any other warnings :-). Jeremy. (This used to be commit 47b4d82536c09bffe3a0d9917fa31d935f1be7d8) --- source3/auth/pampass.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 8f62d35317..2d7bdcdf6a 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -113,6 +113,9 @@ static int smb_pam_conv(int num_msg, *resp = NULL; + if (num_msg <= 0) + return PAM_CONV_ERR; + /* * Apparantly HPUX has a buggy PAM that doesn't support the * appdata_ptr. Fail if this is the case. JRA. @@ -174,7 +177,6 @@ static int smb_pam_passchange_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; - fstring currentpw_prompt; fstring newpw_prompt; fstring repeatpw_prompt; char *p = lp_passwd_chat(); @@ -182,6 +184,9 @@ static int smb_pam_passchange_conv(int num_msg, *resp = NULL; + if (num_msg <= 0) + return PAM_CONV_ERR; + /* * Apparantly HPUX has a buggy PAM that doesn't support the * appdata_ptr. Fail if this is the case. JRA. 
@@ -192,10 +197,8 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } - /* Get the prompts... */ + /* Get the prompts. We're running as root so we only get 2 prompts. */ - if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) @@ -217,16 +220,14 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); - if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_password); - } else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) { + if (ms_fnmatch( newpw_prompt, msg[replies]->msg) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) { + } else if (ms_fnmatch(repeatpw_prompt, msg[replies]->msg) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); } else { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); - DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \ -RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt)); + DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n NewPW: \"%s\"\n \ +RepeatPW: \"%s\"\n",newpw_prompt,repeatpw_prompt)); free(reply); reply = NULL; return PAM_CONV_ERR; -- cgit From 5db15a0d682cb04047f28a076b0c8c6d95144c38 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 9 May 2001 21:14:41 +0000 Subject: Fixed up the oldpw prompts. Made the matching case insensitive. Jeremy. (This used to be commit 70bdf8e76135e96fabcedeffbfd5892a564985e0) --- source3/auth/pampass.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 2d7bdcdf6a..e27e15f24f 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -177,8 +177,10 @@ static int smb_pam_passchange_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; + fstring oldpw_prompt; fstring newpw_prompt; fstring repeatpw_prompt; + fstring prompt_ret; char *p = lp_passwd_chat(); struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; @@ -197,12 +199,17 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } - /* Get the prompts. We're running as root so we only get 2 prompts. */ + /* Get the prompts. */ + if (!next_token(&p, oldpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + strlower(oldpw_prompt); if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; + strlower(newpw_prompt); if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; + strlower(repeatpw_prompt); reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) 
@@ -219,15 +226,27 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; + if (!msg[replies]->msg) { + free(reply); + reply = NULL; + return PAM_CONV_ERR; + } + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); - if (ms_fnmatch( newpw_prompt, msg[replies]->msg) == 0) { + + fstrcpy(prompt_ret, msg[replies]->msg); + strlower(prompt_ret); + + if (ms_fnmatch( oldpw_prompt, prompt_ret) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_password); + } else if (ms_fnmatch( newpw_prompt, prompt_ret) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else if (ms_fnmatch(repeatpw_prompt, msg[replies]->msg) == 0) { + } else if (ms_fnmatch(repeatpw_prompt, prompt_ret) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); } else { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); - DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n NewPW: \"%s\"\n \ -RepeatPW: \"%s\"\n",newpw_prompt,repeatpw_prompt)); + DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n OldPW: \"%s\"\nNewPW: \"%s\"\n \ +RepeatPW: \"%s\"\n",oldpw_prompt, newpw_prompt,repeatpw_prompt)); free(reply); reply = NULL; return PAM_CONV_ERR; -- cgit From b0be9cd7683ae2b8d53aac3d98f1cb5a7d77f3f3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 25 Jun 2001 20:44:04 +0000 Subject: Added Andrew's pam password change stuff. Needs some testing but looks good ! Jeremy. (This used to be commit e94957d548745649ce04423dc6f16bbe3dd4f869) --- source3/auth/pampass.c | 184 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 140 insertions(+), 44 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index e27e15f24f..53d2a062fd 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -71,6 +71,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); + return False; } return True; @@ -130,6 +131,8 @@ static int smb_pam_conv(int num_msg, if (!reply) return PAM_CONV_ERR; + memset(reply, '\0', sizeof(struct pam_response) * num_msg); + for (replies = 0; replies < num_msg; replies++) { switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: 
@@ -170,6 +173,82 @@ static int smb_pam_conv(int num_msg, * echo off means password. */ +static void special_char_sub(char *buf) +{ + all_string_sub(buf, "\\n", "", 0); + all_string_sub(buf, "\\r", "", 0); + all_string_sub(buf, "\\s", " ", 0); + all_string_sub(buf, "\\t", "\t", 0); +} + +static void pwd_sub(char *buf, char *username, char *oldpass, char *newpass) +{ + pstring_sub(buf, "%u", username); + all_string_sub(buf, "%o", oldpass, sizeof(fstring)); + all_string_sub(buf, "%n", newpass, sizeof(fstring)); +} + + +struct chat_struct { + struct chat_struct *next, *prev; + fstring prompt; + fstring reply; +}; + +/************************************************************** + Create a linked list containing chat data. +***************************************************************/ + +static struct chat_struct *make_pw_chat(char *p) +{ + fstring prompt; + fstring reply; + struct chat_struct *list = NULL; + struct chat_struct *t; + struct chat_struct *tmp; + + while (1) { + t = (struct chat_struct *)malloc(sizeof(*t)); + if (!t) { + DEBUG(0,("make_pw_chat: malloc failed!\n")); + return NULL; + } + + ZERO_STRUCTP(t); + + DLIST_ADD_END(list, t, tmp); + + if (!next_token(&p, prompt, NULL, sizeof(fstring))) + break; + + if (strequal(prompt,".")) + fstrcpy(prompt,"*"); + + special_char_sub(prompt); + fstrcpy(t->prompt, prompt); + + if (!next_token(&p, reply, NULL, sizeof(fstring))) + break; + + if (strequal(reply,".")) + fstrcpy(reply,""); + + special_char_sub(reply); + fstrcpy(t->reply, reply); + + } + return list; +} + +static void free_pw_chat(struct chat_struct *list) +{ + while (list) { + struct chat_struct *old_head = list; + DLIST_REMOVE(list, list); + free(old_head); + } +} + static int smb_pam_passchange_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, 
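Review bot: In pwd_sub the `%u` substitution uses `pstring_sub(buf, "%u", username)`, while the two lines below it bound their output with `sizeof(fstring)`. The only caller on this page passes `current_reply`, which smb_pam_passchange_conv declares as an fstring. pstring_sub takes no length and, judging by its name, limits the result to a pstring, so a long user name expanded into the reply could write past the smaller fstring buffer. Use the bounded form for all three, e.g. `all_string_sub(buf, "%u", username, sizeof(fstring));`, or pass the buffer size into pwd_sub. Separately, make_pw_chat returns NULL on a failed malloc without freeing the nodes already linked into `list`.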
@@ -177,18 +256,22 @@ static int smb_pam_passchange_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; - fstring oldpw_prompt; - fstring newpw_prompt; - fstring repeatpw_prompt; - fstring prompt_ret; - char *p = lp_passwd_chat(); + fstring current_prompt; + fstring current_reply; struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; - + struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat()); + struct chat_struct *t; + BOOL found; *resp = NULL; + + DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg)); if (num_msg <= 0) return PAM_CONV_ERR; + if (pw_chat == NULL) + return PAM_CONV_ERR; + /* * Apparantly HPUX has a buggy PAM that doesn't support the * appdata_ptr. Fail if this is the case. JRA. 
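Review bot: `pw_chat` is built by `make_pw_chat(lp_passwd_chat())` in the declarations, but the `if (num_msg <= 0) return PAM_CONV_ERR;` that follows returns without calling `free_pw_chat(pw_chat)`, so that path leaks the whole chat list. Either assign `pw_chat` after the `num_msg` check or change the check to `if (num_msg <= 0) { free_pw_chat(pw_chat); return PAM_CONV_ERR; }`. The body of `smb_pam_passchange_conv` continues outside this hunk.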
@@ -196,62 +279,73 @@ static int smb_pam_passchange_conv(int num_msg, if (udp == NULL) { DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n")); + free_pw_chat(pw_chat); return PAM_CONV_ERR; } - /* Get the prompts. */ - - if (!next_token(&p, oldpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; - strlower(oldpw_prompt); - if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; - strlower(newpw_prompt); - if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; - strlower(repeatpw_prompt); - reply = malloc(sizeof(struct pam_response) * num_msg); - if (!reply) + if (!reply) { + DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n")); + free_pw_chat(pw_chat); return PAM_CONV_ERR; + } for (replies = 0; replies < num_msg; replies++) { + found = False; + DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies)); switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: - DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: Replied: %s\n", msg[replies]->msg)); - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(udp->PAM_username); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); + fstrcpy(current_prompt, msg[replies]->msg); + strlower(current_prompt); + for (t=pw_chat; t; t=t->next) { + if (ms_fnmatch(t->prompt, current_prompt) == 0) { + fstrcpy(current_reply, t->reply); + pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(current_reply); + found = True; + break; + } + } /* PAM frees resp */ - break; - - case PAM_PROMPT_ECHO_OFF: - reply[replies].resp_retcode = PAM_SUCCESS; - if (!msg[replies]->msg) { + if (!found) { + DEBUG(3,("smb_pam_passchange_conv: Could not find reply 
for PAM prompt: %s\n",msg[replies]->msg)); + free_pw_chat(pw_chat); free(reply); reply = NULL; return PAM_CONV_ERR; } + break; - DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); - - fstrcpy(prompt_ret, msg[replies]->msg); - strlower(prompt_ret); - - if (ms_fnmatch( oldpw_prompt, prompt_ret) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_password); - } else if (ms_fnmatch( newpw_prompt, prompt_ret) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else if (ms_fnmatch(repeatpw_prompt, prompt_ret) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else { + case PAM_PROMPT_ECHO_OFF: + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); + fstrcpy(current_prompt, msg[replies]->msg); + strlower(current_prompt); + for (t=pw_chat; t; t=t->next) { + if (ms_fnmatch(t->prompt, current_prompt) == 0) { + fstrcpy(current_reply, t->reply); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); + pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(current_reply); +#ifdef DEBUG_PASSWORD + DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply)); +#endif + found = True; + break; + } + } + /* PAM frees resp */ + + if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); - DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n OldPW: \"%s\"\nNewPW: \"%s\"\n \ -RepeatPW: \"%s\"\n",oldpw_prompt, newpw_prompt,repeatpw_prompt)); + free_pw_chat(pw_chat); free(reply); reply = NULL; return PAM_CONV_ERR; } - /* PAM frees resp */ break; case PAM_TEXT_INFO: 
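Review bot: The `!found` error paths in both prompt branches call `free(reply)` without first freeing the `resp` strings already stored for earlier messages, and those strings appear to be heap copies (`COPY_STRING`) of the substituted reply, which can contain the old or new password. Whenever a later prompt fails to match, those credential copies are left on the heap with no owner; the `default:` branch in the next hunk has the same gap. Before each `free(reply)`, release the filled entries, e.g. `while (replies-- > 0) free(reply[replies].resp);`, ideally clearing each string first. The `reply` array is also not zeroed after `malloc` here, unlike the `memset` this commit adds to `smb_pam_conv`.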
@@ -262,15 +356,17 @@ RepeatPW: \"%s\"\n",oldpw_prompt, newpw_prompt,repeatpw_prompt)); reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = NULL; break; - + default: /* Must be an error of some sort... */ + free_pw_chat(pw_chat); free(reply); reply = NULL; return PAM_CONV_ERR; } } - + + free_pw_chat(pw_chat); if (reply) *resp = reply; return PAM_SUCCESS; -- cgit From 429b3c3cc5ea810d03716a1efd81140c772c15ee Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 6 Jul 2001 22:54:49 +0000 Subject: Password changing via PAM works now. DONT CHANGE THIS UNLESS YOU RE-TEST !!!!!! Jeremy. (This used to be commit 79574c07ed5de7194a17c9ee8d189370d8e42bcc) --- source3/auth/pampass.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 53d2a062fd..fc8e4af47d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -226,7 +226,9 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(prompt); fstrcpy(t->prompt, prompt); - + strlower(t->prompt); + trim_string(t->prompt, " ", " "); + if (!next_token(&p, reply, NULL, sizeof(fstring))) break; @@ -235,6 +237,8 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(reply); fstrcpy(t->reply, reply); + strlower(t->reply); + trim_string(t->reply, " ", " "); } return list; 
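Review bot: In the second `make_pw_chat` hunk of the "Password changing via PAM works now" commit, `strlower(t->reply)` lowercases the configured reply template as well as the prompt. The prompt is only used for matching, but the reply is what `smb_pam_passchange_conv` hands back to PAM after `pwd_sub`, so any literal, case-sensitive text in a passwd chat reply would be altered before it is sent. If only the prompt needs normalising, dropping `strlower(t->reply);` and keeping the `trim_string` call looks safer; confirm against the passwd chat syntax the project documents.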
@@ -298,11 +302,19 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); strlower(current_prompt); + trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { + + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", + t->prompt, current_prompt )); + if (ms_fnmatch(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); - pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); + pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); +#ifdef DEBUG_PASSWORD + DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply)); +#endif reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = COPY_STRING(current_reply); found = True; @@ -323,7 +335,12 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); strlower(current_prompt); + trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { + + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", + t->prompt, current_prompt )); + if (ms_fnmatch(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); -- cgit From a9ab7eaa5d023f0f6c2421f504f81988fd41467b Mon Sep 17 00:00:00 2001 
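Review bot: The PAM_PROMPT_ECHO_ON branch now logs `We sent` before `pwd_sub` and logs the substituted reply only under `DEBUG_PASSWORD`, but nothing in the code says that the order matters. After `pwd_sub`, `current_reply` may hold the old or new password, so a later edit that moves the level-10 `DEBUG` back below the substitution would write credentials to the log at an ordinary debug level. A comment above `pwd_sub` in both prompt branches would pin this: `/* Log only the template above; after pwd_sub() current_reply may contain a password. */`. It is also worth stating next to the `#ifdef DEBUG_PASSWORD` blocks that such builds record cleartext passwords in the log.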
From: Jeremy Allison Date: Mon, 23 Jul 2001 22:06:05 +0000 Subject: Fix case insensitive password change code. Fixed crash bug with un-zeroed talloced memory. Jeremy. (This used to be commit eea1c30df246e081e672d7132345d0fd35ad9841) --- source3/auth/pampass.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index fc8e4af47d..418c618af2 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -301,14 +301,13 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_ON: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - strlower(current_prompt); trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (ms_fnmatch(t->prompt, current_prompt) == 0) { + if (wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); 
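Review bot: The `== 0` comparison is kept from `ms_fnmatch` when the call becomes `wild_match(t->prompt, current_prompt) == 0`, in this hunk and in the PAM_PROMPT_ECHO_OFF hunk that follows. `wild_match` is not defined on this page; if it returns a BOOL that is True on a match, rather than 0 on a match as `ms_fnmatch` was used here, the test now selects the first chat entry that does not match the prompt, and the configured reply, possibly a password, is sent to the wrong prompt. The later change to `unix_wild_match(...) == 0` carries the same comparison forward. Check the return convention and argument order of both helpers and, if they return True on a match, write `if (wild_match(t->prompt, current_prompt)) {`.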
@@ -334,14 +333,13 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - strlower(current_prompt); trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (ms_fnmatch(t->prompt, current_prompt) == 0) { + if (wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); -- cgit From b031af348c7dcc8c74bf49945211c466b8eca079 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 27 Aug 2001 19:46:22 +0000 Subject: converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e) --- source3/auth/pampass.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 418c618af2..359ed02b29 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -88,7 +88,7 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; - if (*nt_status == NT_STATUS_NOPROBLEMO) { + if (*nt_status == NT_STATUS_OK) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE")); 
@@ -533,7 +533,7 @@ static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); @@ -578,7 +578,7 @@ static uint32 smb_pam_account(pam_handle_t *pamh, char * user) break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; break; default: nt_status = NT_STATUS_ACCOUNT_DISABLED; @@ -625,7 +625,7 @@ static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user) break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); @@ -787,7 +787,7 @@ uint32 smb_pam_accountcheck(char * user) /* Ignore PAM if told to. */ if (!lp_obey_pam_restrictions()) - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) return False; @@ -795,7 +795,7 @@ uint32 smb_pam_accountcheck(char * user) if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_ACCOUNT_DISABLED; - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user)); smb_pam_end(pamh, pconv); 
@@ -824,19 +824,19 @@ uint32 smb_pam_passcheck(char * user, char * password) if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_LOGON_FAILURE; - if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) { + if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_OK) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) { + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_NOPROBLEMO) { + if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_OK) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; @@ -876,7 +876,7 @@ BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) /* If PAM not used, no PAM restrictions on accounts. */ uint32 smb_pam_accountcheck(char * user) { - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /* If PAM not used, also no PAM restrictions on sessions. */ -- cgit From 19fea3242cf6234786b6cbb60631e0071f31ff9f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Sep 2001 07:13:01 +0000 Subject: the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66) --- source3/auth/pampass.c | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 359ed02b29..46b38ab1c0 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -83,12 +83,13 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, *********************************************************************/ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, - char *msg, int dbglvl, uint32 *nt_status) + char *msg, int dbglvl, + NTSTATUS *nt_status) { if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; - if (*nt_status == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE")); @@ -494,10 +495,10 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct p /* * PAM Authentication Handler */ -static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) +static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) { int pam_error; - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; /* * To enable debugging set in /etc/pam.d/samba: @@ -548,10 +549,10 @@ static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) /* * PAM Account Handler */ -static uint32 smb_pam_account(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_account(pam_handle_t *pamh, char * user) { int pam_error; - uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; + NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ @@ -594,10 +595,10 @@ static uint32 smb_pam_account(pam_handle_t *pamh, char * user) * PAM Credential Setting */ -static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) { int pam_error; - uint32 nt_status = NT_STATUS_NO_TOKEN; + NTSTATUS nt_status = NT_STATUS_NO_TOKEN; /* * This will allow samba to aquire a kerberos token. And, when 
@@ -778,9 +779,9 @@ BOOL smb_pam_close_session(char *user, char *tty, char *rhost) * PAM Externally accessible Account handler */ -uint32 smb_pam_accountcheck(char * user) +NTSTATUS smb_pam_accountcheck(char * user) { - uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; + NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; struct pam_conv *pconv = NULL; @@ -790,12 +791,12 @@ uint32 smb_pam_accountcheck(char * user) return NT_STATUS_OK; if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) - return False; + return NT_STATUS_NO_MEMORY; if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_ACCOUNT_DISABLED; - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) + if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user)); smb_pam_end(pamh, pconv); @@ -806,10 +807,10 @@ uint32 smb_pam_accountcheck(char * user) * PAM Password Validation Suite */ -uint32 smb_pam_passcheck(char * user, char * password) +NTSTATUS smb_pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; struct pam_conv *pconv = NULL; /* 
@@ -824,19 +825,19 @@ uint32 smb_pam_passcheck(char * user, char * password) if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_LOGON_FAILURE; - if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; -- cgit From ed3fbafdd34af0f22c0f90c93718e887bae23dec Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Sep 2001 11:39:57 +0000 Subject: cope with pam being off (This used to be commit 5f6e7bbce76c85571ee10a3f8b5bbbd0beadb632) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 46b38ab1c0..fda4a54103 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -875,7 +875,7 @@ BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) #else /* If PAM not used, no PAM restrictions on accounts. */ - uint32 smb_pam_accountcheck(char * user) + NTSTATUS smb_pam_accountcheck(char * user) { return NT_STATUS_OK; } -- cgit From 4561e8a8ea35f3703ff607f604b5e25cd6144da1 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Mon, 17 Sep 2001 05:04:17 +0000 Subject: move to SAFE_FREE() (This used to be commit 64d35e94fe6f7e56353b286162f670c8595a90e6) --- source3/auth/pampass.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index fda4a54103..116ecaf95b 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -159,7 +159,7 @@ static int smb_pam_conv(int num_msg, default: /* Must be an error of some sort... */ - free(reply); + SAFE_FREE(reply); return PAM_CONV_ERR; } } @@ -250,7 +250,7 @@ static void free_pw_chat(struct chat_struct *list) while (list) { struct chat_struct *old_head = list; DLIST_REMOVE(list, list); - free(old_head); + SAFE_FREE(old_head); } } @@ -325,8 +325,7 @@ static int smb_pam_passchange_conv(int num_msg, if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); free_pw_chat(pw_chat); - free(reply); - reply = NULL; + SAFE_FREE(reply); return PAM_CONV_ERR; } break; @@ -358,8 +357,7 @@ static int smb_pam_passchange_conv(int num_msg, if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); free_pw_chat(pw_chat); - free(reply); - reply = NULL; + SAFE_FREE(reply); return PAM_CONV_ERR; } break; @@ -376,8 +374,7 @@ static int smb_pam_passchange_conv(int num_msg, default: /* Must be an error of some sort... */ free_pw_chat(pw_chat); - free(reply); - reply = NULL; + SAFE_FREE(reply); return PAM_CONV_ERR; } } @@ -395,9 +392,9 @@ static int smb_pam_passchange_conv(int num_msg, static void smb_free_pam_conv(struct pam_conv *pconv) { if (pconv) - safe_free(pconv->appdata_ptr); + SAFE_FREE(pconv->appdata_ptr); - safe_free(pconv); + SAFE_FREE(pconv); } /*************************************************************************** 
@@ -411,8 +408,8 @@ static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, c struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); if (pconv == NULL || udp == NULL) { - safe_free(pconv); - safe_free(udp); + SAFE_FREE(pconv); + SAFE_FREE(udp); return NULL; } -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/auth/pampass.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 116ecaf95b..6d0dabcd9d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -30,8 +30,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - #ifdef WITH_PAM /******************************************************************* -- cgit From facbdd692dc7d4b87fcc59b369ae445153146c13 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Oct 2001 21:58:09 +0000 Subject: Fixed up the change password bug when not using PAM. The problem is we were trying to use mask_match as a generic wildcard matcher for UNIX strings (like the password prompts). We can't do that - we need a unix_wild_match (re-added into lib/util.c) as the ms_fnmatch semantics for empty strings are completely wrong. This caused partial reads to be accepted as correct passwd change responses when they were not.... Also added paranioa test to stop passwd change being done as root with no %u in the passwd program string. Jeremy. (This used to be commit 9333bbeb7627c8b21a3eaeae1683c34e17d14bf0) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6d0dabcd9d..0c7c4f1291 100644 
--- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -306,7 +306,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); @@ -337,7 +337,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); -- cgit From d9d7f023d8d11943ca0375e1573e6ec9921889bc Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 29 Oct 2001 07:35:11 +0000 Subject: This commit is number 4 of 4. In particular this commit focuses on: Actually adding the 'const' to the passdb interface, and the flow-on changes. Also kill off the 'disp_info' stuff, as its no longer used. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes introduces a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username --- This finishes this line of commits off, your tree should now compile again :-) Andrew Bartlett (This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317) --- source3/auth/pampass.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 0c7c4f1291..6980b14f46 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -47,9 +47,9 @@ */ struct smb_pam_userdata { - char *PAM_username; - char *PAM_password; - char *PAM_newpassword; + const char *PAM_username; + const char *PAM_password; + const char *PAM_newpassword; }; typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr); @@ -180,7 +180,7 @@ static void special_char_sub(char *buf) all_string_sub(buf, "\\t", "\t", 0); } -static void pwd_sub(char *buf, char *username, char *oldpass, char *newpass) +static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass) { pstring_sub(buf, "%u", username); all_string_sub(buf, "%o", oldpass, sizeof(fstring)); @@ -399,8 +399,8 @@ static void smb_free_pam_conv(struct pam_conv *pconv) Allocate a pam_conv struct. ****************************************************************************/ -static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, char *user, - char *passwd, char *newpass) +static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user, + const char *passwd, const char *newpass) { struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv)); struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); @@ -445,9 +445,10 @@ static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) * Start PAM authentication for specified account */ -static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct pam_conv *pconv) +static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) { int pam_error; + const char *our_rhost; *pamh = (pam_handle_t *)NULL; 
@@ -460,14 +461,16 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct p } if (rhost == NULL) { - rhost = client_name(); + our_rhost = client_name(); if (strequal(rhost,"UNKNOWN")) - rhost = client_addr(); + our_rhost = client_addr(); + } else { + our_rhost = rhost; } #ifdef PAM_RHOST - DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost); if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { smb_pam_end(*pamh, pconv); *pamh = (pam_handle_t *)NULL; @@ -664,7 +667,7 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, * Internal PAM Password Changer. */ -static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user) +static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user) { int pam_error; @@ -846,7 +849,7 @@ NTSTATUS smb_pam_passcheck(char * user, char * password) * PAM Password Change Suite */ -BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) +BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword) { /* Appropriate quantities of root should be obtained BEFORE calling this function */ struct pam_conv *pconv = NULL; -- cgit From 6ab678d42b46eccee080de415985a8a1e3c29dc3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 06:22:19 +0000 Subject: Small 'const' updates ahead of some AuthRewrite merging. (This used to be commit 3b5e72bda3263c6bdf81dfface4fae4f06b71032) --- source3/auth/pampass.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6980b14f46..018eae3a07 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
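Review bot: In `smb_pam_start`, the fallback test `if (strequal(rhost,"UNKNOWN"))` still inspects `rhost`, which is known to be NULL inside this branch now that the result of `client_name()` is stored in `our_rhost`. The comparison can therefore never see the looked-up name, so `client_addr()` is not used and PAM_RHOST may be set to "UNKNOWN"; depending on how `strequal` treats NULL, it may also be handed a null pointer. The line should read `if (strequal(our_rhost,"UNKNOWN"))`. This matters for any PAM module that makes access decisions from PAM_RHOST.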
@@ -547,7 +547,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) /* * PAM Account Handler */ -static NTSTATUS smb_pam_account(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) { int pam_error; NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; @@ -777,7 +777,7 @@ BOOL smb_pam_close_session(char *user, char *tty, char *rhost) * PAM Externally accessible Account handler */ -NTSTATUS smb_pam_accountcheck(char * user) +NTSTATUS smb_pam_accountcheck(const char * user) { NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; @@ -873,19 +873,19 @@ BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char #else /* If PAM not used, no PAM restrictions on accounts. */ - NTSTATUS smb_pam_accountcheck(char * user) +NTSTATUS smb_pam_accountcheck(const char * user) { return NT_STATUS_OK; } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) +BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) { return True; } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) +BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) { return True; } -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/auth/pampass.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 018eae3a07..5db844eb55 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 2.2. + Unix SMB/CIFS implementation. PAM Password checking Copyright (C) Andrew Tridgell 1992-2001 Copyright (C) John H Terpsta 1999-2001 -- cgit From ed389ee8dc9246b2d6c4e483cee16f7255b9a7f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 5 Feb 2002 09:40:36 +0000 Subject: Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280) --- source3/auth/pampass.c | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 5db844eb55..c21a5b5319 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -86,6 +86,8 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; + *nt_status = pam_to_nt_status(pam_error); + if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ 
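Review bot: In `smb_pam_nt_status_error_handler`, the new `*nt_status = pam_to_nt_status(pam_error);` sits after the early `return True`, so it never runs when `pam_error` is PAM_SUCCESS. The following hunks of this commit delete the `nt_status = NT_STATUS_OK;` assignments from the PAM_SUCCESS cases of `smb_pam_auth` and `smb_pam_account`, which leaves those functions with their failure initialisers (`NT_STATUS_LOGON_FAILURE`, `NT_STATUS_ACCOUNT_DISABLED`) unless code outside the hunks sets the status. Moving the assignment above `if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True;` would let the success path pick up the mapped status too, presumably `NT_STATUS_OK`. The tails of both callers are not visible here, so confirm how they use the handler.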
@@ -507,35 +509,27 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) switch( pam_error ){ case PAM_AUTH_ERR: DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); - nt_status = NT_STATUS_WRONG_PASSWORD; break; case PAM_CRED_INSUFFICIENT: DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); - nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO; break; case PAM_AUTHINFO_UNAVAIL: DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_USER_UNKNOWN: DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user)); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_MAXTRIES: DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user)); - nt_status = NT_STATUS_REMOTE_SESSION_LIMIT; break; case PAM_ABORT: DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); - nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; } 
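Review bot: With the `nt_status = ...` assignments removed, the `switch` in smb_pam_auth only chooses a log message, and nothing in the hunk says where the returned status now comes from. `nt_status` keeps its initial NT_STATUS_LOGON_FAILURE unless code after the switch, which is outside this hunk, overwrites it, presumably through smb_pam_nt_status_error_handler() and pam_to_nt_status(). A comment above the switch would make that explicit, for example `/* Logging only: the NTSTATUS returned is derived from pam_error after the switch. */`, and it is worth confirming that an unlisted pam_error still maps to a failure status. The same applies to the switches in the smb_pam_account and smb_pam_setcred hunks of this commit.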
@@ -556,30 +550,23 @@ static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user)); - nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_ACCT_EXPIRED: DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user)); - nt_status = NT_STATUS_ACCOUNT_EXPIRED; break; case PAM_AUTH_ERR: DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_PERM_DENIED: DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user)); - nt_status = NT_STATUS_ACCOUNT_RESTRICTION; break; case PAM_USER_UNKNOWN: DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user)); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); - nt_status = NT_STATUS_OK; break; default: - nt_status = NT_STATUS_ACCOUNT_DISABLED; DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user)); break; } 
@@ -607,27 +594,21 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) switch( pam_error ) { case PAM_CRED_UNAVAIL: DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user )); - nt_status = NT_STATUS_NO_TOKEN; break; case PAM_CRED_EXPIRED: DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user )); - nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_USER_UNKNOWN: DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user )); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_CRED_ERR: DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user )); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); - nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); - nt_status = NT_STATUS_NO_TOKEN; break; } -- cgit From 4f442bc0112a701fec9df7c5ae8132fc73c0f74c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 5 Feb 2002 23:45:29 +0000 Subject: Fix use of uninitialsed variable in PAM code (This used to be commit 6c08c233e6675056c0ee0bbc4ecdcbc205950f54) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index c21a5b5319..1428e929f1 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -83,11 +83,11 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl, NTSTATUS *nt_status) { + *nt_status = pam_to_nt_status(pam_error); + if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; - *nt_status = pam_to_nt_status(pam_error); - if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/auth/pampass.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 1428e929f1..1a3e55dd44 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -29,6 +29,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + #ifdef WITH_PAM /******************************************************************* @@ -183,7 +186,7 @@ static void special_char_sub(char *buf) static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass) { - pstring_sub(buf, "%u", username); + fstring_sub(buf, "%u", username); all_string_sub(buf, "%o", oldpass, sizeof(fstring)); all_string_sub(buf, "%n", newpass, sizeof(fstring)); } @@ -494,7 +497,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho /* * PAM Authentication Handler */ -static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) +static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user) { int pam_error; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; 
@@ -579,7 +582,7 @@ static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) * PAM Credential Setting */ -static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user) { int pam_error; NTSTATUS nt_status = NT_STATUS_NO_TOKEN; @@ -619,7 +622,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) /* * PAM Internal Session Handler */ -static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, BOOL flag) { int pam_error; @@ -785,7 +788,7 @@ NTSTATUS smb_pam_accountcheck(const char * user) * PAM Password Validation Suite */ -NTSTATUS smb_pam_passcheck(char * user, char * password) +NTSTATUS smb_pam_passcheck(const char * user, const char * password) { pam_handle_t *pamh = NULL; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; -- cgit From 634c54310c92c48dd4eceec602e230a021bdcfc5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Jan 2003 08:28:12 +0000 Subject: Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 1a3e55dd44..045ceb7c72 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -65,7 +65,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp PAM error handler. *********************************************************************/ -static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { 
@@ -83,7 +83,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, *********************************************************************/ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, - char *msg, int dbglvl, + const char *msg, int dbglvl, NTSTATUS *nt_status) { *nt_status = pam_to_nt_status(pam_error); -- cgit From 9bcbaeee329cf190a793085a945acb8b20635bb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Jul 2003 18:50:21 +0000 Subject: Fixed strlower changes I missed. Pointed out by metze. Jeremy (This used to be commit da5ee2b765fc321b14e92eb27bde8ec8930b61d4) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 045ceb7c72..d666e439b0 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -229,7 +229,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(prompt); fstrcpy(t->prompt, prompt); - strlower(t->prompt); + strlower_m(t->prompt); trim_string(t->prompt, " ", " "); if (!next_token(&p, reply, NULL, sizeof(fstring))) @@ -240,7 +240,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(reply); fstrcpy(t->reply, reply); - strlower(t->reply); + strlower_m(t->reply); trim_string(t->reply, " ", " "); } -- cgit From 94f59f54921174fc156fade575ca114d331b1bd8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 5 Sep 2003 19:59:55 +0000 Subject: More tuning from cachegrind. Change most trim_string() calls to trim_char(0, as that's what they do. Fix string_replace() to fast-path ascii. Jeremy. (This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db) --- source3/auth/pampass.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index d666e439b0..3239686a20 100644 --- a/source3/auth/pampass.c 
+++ b/source3/auth/pampass.c @@ -230,7 +230,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(prompt); fstrcpy(t->prompt, prompt); strlower_m(t->prompt); - trim_string(t->prompt, " ", " "); + trim_char(t->prompt, ' ', ' '); if (!next_token(&p, reply, NULL, sizeof(fstring))) break; @@ -241,7 +241,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(reply); fstrcpy(t->reply, reply); strlower_m(t->reply); - trim_string(t->reply, " ", " "); + trim_char(t->reply, ' ', ' '); } return list; @@ -304,7 +304,7 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_ON: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - trim_string(current_prompt, " ", " "); + trim_char(current_prompt, ' ', ' '); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", @@ -335,7 +335,7 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - trim_string(current_prompt, " ", " "); + trim_char(current_prompt, ' ', ' '); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", -- cgit From 521268be1caeb9e50274ff17451cbfb8dbb1765f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 28 Sep 2004 00:10:09 +0000 Subject: r2703: Fix typo noticed by Igor Belyi Jeremy. (This used to be commit ba69c7229c27e917a24e6d608d59e7c0bdd47551) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 3239686a20..68871547b1 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c 
@@ -466,7 +466,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho if (rhost == NULL) { our_rhost = client_name(); - if (strequal(rhost,"UNKNOWN")) + if (strequal(our_rhost,"UNKNOWN")) our_rhost = client_addr(); } else { our_rhost = rhost; -- cgit From 54fdd5c7dc98e9039d94bc6b45ee31cb1d363eac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 16 Dec 2004 21:12:29 +0000 Subject: r4236: More *alloc fixes. Jeremy. (This used to be commit 6b25a6e088390d33314ca69c8f17c869cec3904b) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 68871547b1..68c2f183f1 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -59,7 +59,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp /* * Macros to help make life easy */ -#define COPY_STRING(s) (s) ? strdup(s) : NULL +#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL /******************************************************************* PAM error handler. -- cgit From 2e0cac8e3eb021aa8f5cad4ce8b72f98036af639 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 23 Apr 2005 18:07:01 +0000 Subject: r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that for --enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721) --- source3/auth/pampass.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 68c2f183f1..5a40bf6c47 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -130,7 +130,7 @@ static int smb_pam_conv(int num_msg, return PAM_CONV_ERR; } - reply = malloc(sizeof(struct pam_response) * num_msg); + reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg); if (!reply) return PAM_CONV_ERR; 
@@ -211,7 +211,7 @@ static struct chat_struct *make_pw_chat(char *p) struct chat_struct *tmp; while (1) { - t = (struct chat_struct *)malloc(sizeof(*t)); + t = SMB_MALLOC_P(struct chat_struct); if (!t) { DEBUG(0,("make_pw_chat: malloc failed!\n")); return NULL; @@ -290,7 +290,7 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } - reply = malloc(sizeof(struct pam_response) * num_msg); + reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg); if (!reply) { DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n")); free_pw_chat(pw_chat); @@ -406,8 +406,8 @@ static void smb_free_pam_conv(struct pam_conv *pconv) static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user, const char *passwd, const char *newpass) { - struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv)); - struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); + struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv); + struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata); if (pconv == NULL || udp == NULL) { SAFE_FREE(pconv); -- cgit From e9c7079afe2d46dba1d7bb9d741a7e02d0de17e4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 1 Aug 2005 18:15:05 +0000 Subject: r8889: Another warning (This used to be commit 9ae1098d211f5e687786abb8474b1c4210413f0f) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 5a40bf6c47..18d83ee364 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -202,7 +202,7 @@ struct chat_struct { Create a linked list containing chat data. ***************************************************************/ -static struct chat_struct *make_pw_chat(char *p) +static struct chat_struct *make_pw_chat(const char *p) { fstring prompt; fstring reply; -- cgit 
From 10b5609a1458d156938302a5a26c11913c340476 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Dec 2005 01:41:12 +0000 Subject: r12279: unix_mask_match has been broken for *ever*... (How). Ensure it returns a BOOL. Jerry (and anyone else) please check this, I think all uses are now correct but could do with another set of eyes. Essential for 3.0.21 release. Jeremy. (This used to be commit 0c7b8a7637e760fcb6629092f36b610b8c71f5c9) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 18d83ee364..26b45c5ff8 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -310,7 +310,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (unix_wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt)) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); @@ -341,7 +341,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (unix_wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt)) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); -- cgit From 097bd537adfda839705a9b8c1aa821c6e3e025a3 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Wed, 16 Aug 2006 17:43:13 +0000 Subject: r17573: Fix typo (This used to be commit fd6e3f133b267a9506699d1c2934a153dd732df2) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 26b45c5ff8..6631b277dc 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -511,7 +511,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user) pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK); switch( pam_error ){ case PAM_AUTH_ERR: - DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); + DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user)); break; case PAM_CRED_INSUFFICIENT: DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); -- cgit From 4646147a399d6fd7a452f5c16dd18afa97697aca Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 18 Sep 2006 18:28:56 +0000 Subject: r18616: fix breakage after DLIST_ADD_END() changes for --with-pam (This used to be commit 5c00b5497b7b2bb345429893d247cbb6bb0f4e20) --- source3/auth/pampass.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6631b277dc..ba11d2e8fc 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -208,7 +208,6 @@ static struct chat_struct *make_pw_chat(const char *p) fstring reply; struct chat_struct *list = NULL; struct chat_struct *t; - struct chat_struct *tmp; while (1) { t = SMB_MALLOC_P(struct chat_struct); @@ -219,7 +218,7 @@ static struct chat_struct *make_pw_chat(const char *p) ZERO_STRUCTP(t); - DLIST_ADD_END(list, t, tmp); + DLIST_ADD_END(list, t, struct chat_struct*); if (!next_token(&p, prompt, NULL, sizeof(fstring))) break; -- cgit 
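Review bot: The flags argument of the `pam_authenticate` call on the context line just above the corrected message parses as `(PAM_SILENT | lp_null_passwords()) ? 0 : PAM_DISALLOW_NULL_AUTHTOK`, because `|` binds tighter than `?:`. PAM_SILENT is a non-zero flag, so the condition is always true and the call always receives 0: neither PAM_SILENT nor PAM_DISALLOW_NULL_AUTHTOK is passed, whatever lp_null_passwords() returns. The null-password setting is therefore not enforced through this flag, and this commit leaves it unchanged. Parenthesise the conditional: `pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK));`. The rest of smb_pam_auth is outside the hunk, so other pam_* calls in the file should be checked for the same expression.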
From f4ae28576376741a5402a286827a46c053db0ff7 Mon Sep 17 00:00:00 2001 From: James Peach Date: Wed, 23 May 2007 20:31:28 +0000 Subject: r23095: Support systems that have their PAM headers in /usr/include/pam. (This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4) --- source3/auth/pampass.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index ba11d2e8fc..a83e2bcb3f 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -41,7 +41,11 @@ * which determines what actions/limitations/allowances become affected. *********************************************************************/ +#if defined(HAVE_SECURITY_PAM_APPL_H) #include +#elif defined(HAVE_PAM_PAM_APPL_H) +#include +#endif /* * Structure used to communicate between the conversation function -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index a83e2bcb3f..e2d52ada2d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/auth/pampass.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index e2d52ada2d..0104108e8e 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ /* -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/auth/pampass.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 0104108e8e..ac3aa3aa64 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -68,7 +68,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp PAM error handler. *********************************************************************/ -static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) +static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { 
@@ -85,7 +85,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char failure as sucess. *********************************************************************/ -static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, +static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl, NTSTATUS *nt_status) { @@ -270,7 +270,7 @@ static int smb_pam_passchange_conv(int num_msg, struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat()); struct chat_struct *t; - BOOL found; + bool found; *resp = NULL; DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg)); @@ -430,7 +430,7 @@ static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, c * PAM Closing out cleanup handler */ -static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) +static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) { int pam_error; @@ -451,7 +451,7 @@ static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) * Start PAM authentication for specified account */ -static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) +static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) { int pam_error; const char *our_rhost; @@ -624,7 +624,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user) /* * PAM Internal Session Handler */ -static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, BOOL flag) +static bool smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, bool flag) { int pam_error; 
@@ -652,7 +652,7 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const * Internal PAM Password Changer. */ -static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user) +static bool smb_pam_chauthtok(pam_handle_t *pamh, const char * user) { int pam_error; @@ -706,7 +706,7 @@ static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user) * PAM Externally accessible Session handler */ -BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) +bool smb_pam_claim_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; struct pam_conv *pconv = NULL; @@ -734,7 +734,7 @@ BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) * PAM Externally accessible Session handler */ -BOOL smb_pam_close_session(char *user, char *tty, char *rhost) +bool smb_pam_close_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; struct pam_conv *pconv = NULL; @@ -834,7 +834,7 @@ NTSTATUS smb_pam_passcheck(const char * user, const char * password) * PAM Password Change Suite */ -BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword) +bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword) { /* Appropriate quantities of root should be obtained BEFORE calling this function */ struct pam_conv *pconv = NULL; @@ -864,13 +864,13 @@ NTSTATUS smb_pam_accountcheck(const char * user) } /* If PAM not used, also no PAM restrictions on sessions. */ -BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) +bool smb_pam_claim_session(char *user, char *tty, char *rhost) { return True; } /* If PAM not used, also no PAM restrictions on sessions. */ -BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) +bool smb_pam_close_session(char *in_user, char *tty, char *rhost) { return True; } -- cgit From 6658165d5e9cd186fea74e1581091233e8990e9b Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Sat, 3 Nov 2007 18:15:45 -0700 Subject: Stop get_peer_addr() and client_addr() from using global statics. Part of my library cleanups. Jeremy. (This used to be commit e848506c858bd16706c1d7f6b4b032005512b8ac) --- source3/auth/pampass.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index ac3aa3aa64..9b8faf1609 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -455,6 +455,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho { int pam_error; const char *our_rhost; + char addr[INET6_ADDRSTRLEN]; *pamh = (pam_handle_t *)NULL; @@ -469,7 +470,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho if (rhost == NULL) { our_rhost = client_name(); if (strequal(our_rhost,"UNKNOWN")) - our_rhost = client_addr(); + our_rhost = client_addr(addr); } else { our_rhost = rhost; } -- cgit From 25074433f412c4dd2531fd268d51be8753ddc11b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2007 18:41:26 -0700 Subject: I can't get away without a 'length' arg. :-). Jeremy. (This used to be commit 95d01279a5def709d0a5d5ae7224d6286006d120) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 9b8faf1609..c7ec79b969 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -470,7 +470,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho if (rhost == NULL) { our_rhost = client_name(); if (strequal(our_rhost,"UNKNOWN")) - our_rhost = client_addr(addr); + our_rhost = client_addr(addr,sizeof(addr)); } else { our_rhost = rhost; } -- cgit From 5b0b4f23ef5fec3d1ad518237f973d4e014b5766 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Sat, 3 Nov 2007 23:20:10 -0700 Subject: Remove most of the remaining globals out of lib/util_sock.c. I have a plan for dealing with the remaining..... Watch this space. Jeremy. (This used to be commit 963fc7685212689f02b3adcc05b4273ee5c382d4) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index c7ec79b969..739e0a78fd 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -468,9 +468,9 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho } if (rhost == NULL) { - our_rhost = client_name(); + our_rhost = client_name(get_client_fd()); if (strequal(our_rhost,"UNKNOWN")) - our_rhost = client_addr(addr,sizeof(addr)); + our_rhost = client_addr(get_client_fd(),addr,sizeof(addr)); } else { our_rhost = rhost; } -- cgit From 42cfffae80480eae4381902fff3f7c61f858a933 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 7 Dec 2007 17:32:32 -0800 Subject: Remove next_token - all uses must now be next_token_talloc. No more temptations to use static length strings. Jeremy. (This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de) --- source3/auth/pampass.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'source3/auth/pampass.c') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 739e0a78fd..554df3c157 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -207,15 +207,17 @@ struct chat_struct { static struct chat_struct *make_pw_chat(const char *p) { - fstring prompt; - fstring reply; + char *prompt; + char *reply; struct chat_struct *list = NULL; struct chat_struct *t; + TALLOC_CTX *frame = talloc_stackframe(); while (1) { t = SMB_MALLOC_P(struct chat_struct); if (!t) { DEBUG(0,("make_pw_chat: malloc failed!\n")); + TALLOC_FREE(frame); return NULL; } 
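Review bot: The allocation-failure path in make_pw_chat now releases `frame` but still returns NULL without freeing the entries that earlier iterations already linked onto `list`, so a failure after the first iteration leaks them. Freeing the partial list first closes that: `free_pw_chat(list);` before `TALLOC_FREE(frame);`. free_pw_chat() is called from the conversation function elsewhere in this file; if its definition comes after make_pw_chat it will need a prototype. The loop body continues in the next hunk.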
@@ -223,22 +225,26 @@ static struct chat_struct *make_pw_chat(const char *p)
 DLIST_ADD_END(list, t, struct chat_struct*);
- if (!next_token(&p, prompt, NULL, sizeof(fstring)))
+ if (!next_token_talloc(frame, &p, &prompt, NULL)) {
 break;
+ }
- if (strequal(prompt,"."))
+ if (strequal(prompt,".")) {
 fstrcpy(prompt,"*");
+ }
 special_char_sub(prompt);
 fstrcpy(t->prompt, prompt);
 strlower_m(t->prompt);
 trim_char(t->prompt, ' ', ' ');
- if (!next_token(&p, reply, NULL, sizeof(fstring)))
+ if (!next_token_talloc(frame, &p, reply, NULL)) {
 break;
+ }
- if (strequal(reply,"."))
- fstrcpy(reply,"");
+ if (strequal(reply,".")) {
+ fstrcpy(reply,"");
+ }
 special_char_sub(reply);
 fstrcpy(t->reply, reply);
@@ -246,6 +252,7 @@ static struct chat_struct *make_pw_chat(const char *p)
 trim_char(t->reply, ' ', ' ');
 }
+ TALLOC_FREE(frame);
 return list;
 }
-- cgit
From 0cdcd255a5ab2d776d1f4d010199ca9edd06c5e9 Mon Sep 17 00:00:00 2001
From: Volker Lendecke Date: Sat, 8 Dec 2007 11:20:53 +0100 Subject: Fix two incompatible pointer warnings Jeremy, please check (This used to be commit 60500fac30911500eade7c2a9aa13569dcab0911) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/pampass.c')
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 554df3c157..58921bdf15 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -238,7 +238,7 @@ static struct chat_struct *make_pw_chat(const char *p)
 strlower_m(t->prompt);
 trim_char(t->prompt, ' ', ' ');
- if (!next_token_talloc(frame, &p, reply, NULL)) {
+ if (!next_token_talloc(frame, &p, &reply, NULL)) {
 break;
 }
-- cgit
From ab5076d9fdd83cffe9a88f389bb8a49750f322e0 Mon Sep 17 00:00:00 2001
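Review bot: In the `@@ -223,22 +225,26 @@` hunk `prompt` and `reply` are now token-sized talloc strings, yet `fstrcpy(prompt,"*")` and `fstrcpy(reply,"")` still write into them with a copy whose bound is presumably that of an fstring, not of the allocation. The replacements happen to be no longer than the "." they overwrite, but the bound no longer describes the destination; assigning directly, e.g. `prompt[0] = '*';` and `reply[0] = '\0';`, avoids relying on that. Separately, `next_token_talloc(frame, &p, reply, NULL)` passes the uninitialised pointer itself where the first call passes `&prompt`; the follow-up commit on this page changes it to `&reply`.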
From: Günther Deschner Date: Mon, 25 Aug 2008 11:36:56 +0200 Subject: auth: Fix build warning. Guenther (This used to be commit 4661ef625a6522d6f859b83e3e3702f01d0b952f) --- source3/auth/pampass.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth/pampass.c')
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 58921bdf15..9345eed27a 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -63,6 +63,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp
 * Macros to help make life easy
 */
 #define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
+#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
 /*******************************************************************
 PAM error handler.
@@ -327,7 +328,7 @@ static int smb_pam_passchange_conv(int num_msg,
 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
 #endif
 reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(current_reply);
+ reply[replies].resp = COPY_FSTRING(current_reply);
 found = True;
 break;
 }
@@ -355,7 +356,7 @@ static int smb_pam_passchange_conv(int num_msg,
 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
 pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
 reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(current_reply);
+ reply[replies].resp = COPY_FSTRING(current_reply);
 #ifdef DEBUG_PASSWORD
 DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
 #endif
-- cgit
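Review bot: The new `COPY_FSTRING` in the `@@ -63,6 +63,7 @@` hunk expands to an unparenthesised conditional and indexes its argument without parentheses, so it only behaves as intended when it is the whole right-hand side and the argument is a plain identifier. I would write it as `#define COPY_FSTRING(s) (((s)[0]) ? SMB_STRDUP(s) : NULL)`. `COPY_STRING` on the line above has the same shape.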
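Review bot: In the `@@ -327,7 +328,7 @@` hunk (and on the same line in `@@ -355,7 +356,7 @@`) an empty `current_reply` now yields `resp = NULL` while `resp_retcode` is still `PAM_SUCCESS`; if `current_reply` is an array, as the warning being fixed suggests, the old `COPY_STRING` always duplicated it, empty or not. That is a behaviour change for chat entries with an empty reply, and it makes an empty reply indistinguishable from a failed `SMB_STRDUP`. If the empty string should still be sent, `reply[replies].resp = SMB_STRDUP(current_reply);` keeps the old result without the warning. smb_pam_passchange_conv starts and ends outside both hunks.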