From 2321514e9300ac85a1976318bae18a6b177f25c9 Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Tue, 24 Apr 2001 20:00:12 +0000
Subject: Added Steve Langasek pam_smbpass PAM module code. Note: Still have to add build stuff - not ready yet. (This used to be commit 1de7022f98b64b15503aaf48c8d729789fc49781)
---
source3/pam_smbpass/pam_smb_auth.c | 246 +++++++++++++++++++++++++++++++++++++
1 file changed, 246 insertions(+)
create mode 100644 source3/pam_smbpass/pam_smb_auth.c
(limited to 'source3/pam_smbpass/pam_smb_auth.c')
diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c
new file mode 100644
index 0000000000..0e95a84299
--- /dev/null
+++ b/source3/pam_smbpass/pam_smb_auth.c
@@ -0,0 +1,246 @@
+/* Unix NT password database implementation, version 0.7.5.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/* indicate the following groups are defined */
+#define PAM_SM_AUTH
+
+#include "includes.h"
+#include "debug.h"
+
+#ifndef LINUX
+
+/* This is only used in the Sun implementation. */
+#include
+
+#endif /* LINUX */
+
+#include
+
+#include "general.h"
+
+#include "support.h"
+
+#define AUTH_RETURN \
+do { \
+ if(ret_data) { \
+ *ret_data = retval; \
+ pam_set_data( pamh, "smb_setcred_return" \
+ , (void *) ret_data, NULL ); \
+ } \
+ return retval; \
+} while (0)
+
+static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
+ const char *name, struct smb_passwd *smb_pwent);
+
+/*
+ * pam_sm_authenticate() authenticates users against the samba password file.
+ *
+ * First, obtain the password from the user. Then use a
+ * routine in 'support.c' to authenticate the user.
+ */
+
+#define _SMB_AUTHTOK "-SMB-PASS"
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ unsigned int ctrl;
+ int retval, *ret_data = NULL;
+
+ const char *name;
+
+ /* Points to memory managed by the PAM library. Do not free. */
+ const char *p = NULL;
+
+ struct smb_passwd *smb_pwent = NULL;
+
+ extern BOOL in_client;
+
+ /* Samba initialization. */
+ setup_logging("pam_smbpass",False);
+ charset_initialise();
+ in_client = True;
+
+ ctrl = set_ctrl(flags, argc, argv);
+
+ /* Get a few bytes so we can pass our return value to
+ pam_sm_setcred(). */
+ ret_data = malloc(sizeof(int));
+
+ /* get the username */
+ retval = pam_get_user( pamh, &name, "Username: " );
+ if ( retval != PAM_SUCCESS ) {
+ if (on( SMB_DEBUG, ctrl )) {
+ _log_err(LOG_DEBUG, "auth: could not identify user");
+ }
+ AUTH_RETURN;
+ }
+ if (on( SMB_DEBUG, ctrl )) {
+ _log_err( LOG_DEBUG, "username [%s] obtained", name );
+ }
+
+ if (!initialize_password_db()) {
+ _log_err( LOG_ALERT, "Cannot access samba password database" );
+ retval = PAM_AUTHINFO_UNAVAIL;
+ AUTH_RETURN;
+ }
+
+ smb_pwent = getsmbpwnam( name );
+
+ if (on( SMB_MIGRATE, ctrl )) {
+ retval = _smb_add_user(pamh, ctrl, name, smb_pwent);
+ AUTH_RETURN;
+ }
+
+ if (smb_pwent == NULL) {
+ _log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
+ retval = PAM_USER_UNKNOWN;
+ AUTH_RETURN;
+ }
+
+ /* if this user does not have a password... */
+
+ if (_smb_blankpasswd( ctrl, smb_pwent )) {
+ smb_pwent = NULL;
+ retval = PAM_SUCCESS;
+ AUTH_RETURN;
+ }
+
+ /* get this user's authentication token */
+
+ retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL
+ , _SMB_AUTHTOK, &p);
+ if (retval != PAM_SUCCESS ) {
+ _log_err(LOG_CRIT, "auth: no password provided for [%s]"
+ , name);
+ smb_pwent = NULL;
+ AUTH_RETURN;
+ }
+
+ /* verify the password of this user */
+
+ retval = _smb_verify_password( pamh, smb_pwent, p, ctrl );
+ smb_pwent = NULL;
+ p = NULL;
+ AUTH_RETURN;
+}
+
+/*
+ * This function is for setting samba credentials. If anyone comes up
+ * with any credentials they think should be set, let me know.
+ */
+
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ int retval, *pretval = NULL;
+
+ retval = PAM_SUCCESS;
+
+ pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval);
+ if(pretval) {
+ retval = *pretval;
+ free(pretval);
+ }
+ pam_set_data(pamh, "smb_setcred_return", NULL, NULL);
+
+ return retval;
+}
+
+
+/* Helper function for adding a user to the db. */
+static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
+ const char *name, struct smb_passwd *smb_pwent)
+{
+ pstring err_str;
+ pstring msg_str;
+ const char *pass = NULL;
+ int retval;
+
+ err_str[0] = '\0';
+ msg_str[0] = '\0';
+
+ /* Get the authtok; if we don't have one, silently fail. */
+ retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
+
+ if (retval != PAM_SUCCESS) {
+ _log_err( LOG_ALERT
+ , "pam_get_item returned error to pam_sm_authenticate" );
+ return PAM_AUTHTOK_RECOVER_ERR;
+ } else if (pass == NULL) {
+ return PAM_AUTHTOK_RECOVER_ERR;
+ }
+
+ /* Add the user to the db if they aren't already there. */
+ if (smb_pwent == NULL) {
+ retval = local_password_change( name, LOCAL_ADD_USER,
+ pass, err_str,
+ sizeof(err_str),
+ msg_str, sizeof(msg_str) );
+ if (!retval && *err_str)
+ {
+ err_str[PSTRING_LEN-1] = '\0';
+ make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
+ }
+ else if (*msg_str)
+ {
+ msg_str[PSTRING_LEN-1] = '\0';
+ make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
+ }
+ pass = NULL;
+
+ return PAM_IGNORE;
+ }
+
+ /* Change the user's password IFF it's null.
*/ + if (smb_pwent->smb_passwd == NULL && (smb_pwent->acct_ctrl & ACB_PWNOTREQ)) + { + retval = local_password_change( name, 0, + pass, err_str, + sizeof(err_str), + msg_str, sizeof(msg_str) ); + if (!retval && *err_str) + { + err_str[PSTRING_LEN-1] = '\0'; + make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str ); + } + else if (*msg_str) + { + msg_str[PSTRING_LEN-1] = '\0'; + make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str ); + } + } + pass = NULL; + + return PAM_IGNORE; +} + + +/* static module data */ +#ifdef PAM_STATIC +struct pam_module _pam_smbpass_auth_modstruct = { + "pam_smbpass", + pam_sm_authenticate, + pam_sm_setcred, + NULL, + NULL, + NULL, + NULL +}; +#endif + -- cgit From 87fbb7092b8f8b2f0db0f361c3d625e19de57cd9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:15:53 +0000 Subject: The big character set handling changeover! This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a) --- source3/pam_smbpass/pam_smb_auth.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 0e95a84299..ee4d68dcc3 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -73,7 +73,6 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Samba initialization. */ setup_logging("pam_smbpass",False); - charset_initialise(); in_client = True; ctrl = set_ctrl(flags, argc, argv); -- cgit From f3cd2353de4ffb6066f6fbc0433660ff112d2060 Mon Sep 17 00:00:00 2001 
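Review bot: In pam_sm_authenticate of the new file, the `SMB_MIGRATE` branch calls `_smb_add_user()` before any password check, and `_smb_add_user()` hands whatever `PAM_AUTHTOK` currently holds to `local_password_change()` without being able to tell whether an earlier module in the stack accepted that token. This is only safe when the stack stops on a failed earlier module, so the dependency should be stated at the call, e.g. `/* migrate: PAM_AUTHTOK must already have been verified by a preceding requisite module; it is stored unverified here */`. Separately, `AUTH_RETURN` registers `ret_data` with a NULL cleanup function, so the allocation is released only if pam_sm_setcred() runs afterwards, and a second authenticate call on the same handle appears to leak the first buffer; passing a cleanup callback to `pam_set_data()` would cover both cases.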
From: Simo Sorce Date: Fri, 24 Aug 2001 18:29:37 +0000 Subject: add a comment to make the code more readable (This used to be commit d6a33722168c64eb948c52e303cfb1cd4cfda7f9) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index ee4d68dcc3..3126bebb34 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -78,7 +78,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, ctrl = set_ctrl(flags, argc, argv); /* Get a few bytes so we can pass our return value to - pam_sm_setcred(). */ + pam_sm_setcred(). Used in AUTH_RETURN macro */ ret_data = malloc(sizeof(int)); /* get the username */ -- cgit From 15741d2fe4bafee9100feca2bbf3c133421a2e88 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Oct 2001 05:21:16 +0000 Subject: Fix up smbpasswd -e/-d so that it doesn't change the password under you any more. (Previously it set them to 'XXXX' or similar when only the flags were being changed - a bug I must have introduced when I reworked the passdb end of things a few weeks back.) Adds a new local flag: LOCAL_SET_PASSWORD to specify that the password is actually to be changed. Andrew Bartlett (This used to be commit cea6b6cb228c7e1f0c2d45951590e0d8fb8b315c) --- source3/pam_smbpass/pam_smb_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 3126bebb34..8279915077 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
@@ -187,7 +187,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, /* Add the user to the db if they aren't already there. */ if (smb_pwent == NULL) { - retval = local_password_change( name, LOCAL_ADD_USER, + retval = local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), msg_str, sizeof(msg_str) ); @@ -209,7 +209,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, /* Change the user's password IFF it's null. */ if (smb_pwent->smb_passwd == NULL && (smb_pwent->acct_ctrl & ACB_PWNOTREQ)) { - retval = local_password_change( name, 0, + retval = local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), msg_str, sizeof(msg_str) ); -- cgit From 65cfe6a492b236f49edd591a7e728cbeeed3c344 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Dec 2001 23:44:33 +0000 Subject: pam_smbpass updates from a.bokovoy@sam-solutions.net (This used to be commit 016e203a2c5286d8b48ab3eff0226affc203deaf) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 8279915077..4b56b2b301 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -93,7 +93,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } - if (!initialize_password_db()) { + if (!initialize_password_db(True)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; AUTH_RETURN; -- cgit From b79fa88b4db3bc88b0a5ae567b19286f64fd113c Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Sat, 12 Jan 2002 23:12:13 +0000 Subject: updates from 2.2 (This used to be commit 398b4ff0d40d89b3e96d481807f85f15b7a7966a) --- source3/pam_smbpass/pam_smb_auth.c | 57 +++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 26 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 4b56b2b301..9952eb94db 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -45,7 +45,7 @@ do { \ } while (0) static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, - const char *name, struct smb_passwd *smb_pwent); + const char *name, SAM_ACCOUNT *sampass, BOOL exist); /* * pam_sm_authenticate() authenticates users against the samba password file. @@ -61,24 +61,25 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, { unsigned int ctrl; int retval, *ret_data = NULL; - + SAM_ACCOUNT *sampass = NULL; + extern BOOL in_client; const char *name; + BOOL found; /* Points to memory managed by the PAM library. Do not free. */ const char *p = NULL; - struct smb_passwd *smb_pwent = NULL; - - extern BOOL in_client; /* Samba initialization. */ setup_logging("pam_smbpass",False); + charset_initialise(); + codepage_initialise(lp_client_code_page()); in_client = True; ctrl = set_ctrl(flags, argc, argv); /* Get a few bytes so we can pass our return value to - pam_sm_setcred(). Used in AUTH_RETURN macro */ + pam_sm_setcred(). */ ret_data = malloc(sizeof(int)); /* get the username */ 
@@ -99,42 +100,46 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, AUTH_RETURN; } - smb_pwent = getsmbpwnam( name ); + pdb_init_sam(&sampass); + + found = pdb_getsampwnam( sampass, name ); if (on( SMB_MIGRATE, ctrl )) { - retval = _smb_add_user(pamh, ctrl, name, smb_pwent); + retval = _smb_add_user(pamh, ctrl, name, sampass, found); + pdb_free_sam(&sampass); AUTH_RETURN; } - if (smb_pwent == NULL) { + if (!found) { _log_err(LOG_ALERT, "Failed to find entry for user %s.", name); retval = PAM_USER_UNKNOWN; + pdb_free_sam(&sampass); + sampass = NULL; AUTH_RETURN; } /* if this user does not have a password... */ - if (_smb_blankpasswd( ctrl, smb_pwent )) { - smb_pwent = NULL; + if (_smb_blankpasswd( ctrl, sampass )) { + pdb_free_sam(&sampass); retval = PAM_SUCCESS; AUTH_RETURN; } /* get this user's authentication token */ - retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL - , _SMB_AUTHTOK, &p); + retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p); if (retval != PAM_SUCCESS ) { _log_err(LOG_CRIT, "auth: no password provided for [%s]" , name); - smb_pwent = NULL; + pdb_free_sam(&sampass); AUTH_RETURN; } /* verify the password of this user */ - retval = _smb_verify_password( pamh, smb_pwent, p, ctrl ); - smb_pwent = NULL; + retval = _smb_verify_password( pamh, sampass, p, ctrl ); + pdb_free_sam(&sampass); p = NULL; AUTH_RETURN; } @@ -154,7 +159,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval); if(pretval) { retval = *pretval; - free(pretval); + SAFE_FREE(pretval); } pam_set_data(pamh, "smb_setcred_return", NULL, NULL); @@ -164,7 +169,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, /* Helper function for adding a user to the db. */ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, - const char *name, struct smb_passwd *smb_pwent) + const char *name, SAM_ACCOUNT *sampass, BOOL exist) { pstring err_str; pstring msg_str; 
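Review bot: The result of `pdb_init_sam(&sampass)` in the `@@ -99,42` hunk is ignored, so after a failed initialisation `sampass` is presumably still NULL when it is passed to `pdb_getsampwnam()` and then to `_smb_add_user()` or `_smb_blankpasswd()`. The call should be checked and the function should leave through `AUTH_RETURN` with an error code before the lookup; the return type of `pdb_init_sam()` is not visible here, so the exact test has to follow its prototype. The `sampass = NULL;` after `pdb_free_sam(&sampass)` in the not-found branch is needed only if `pdb_free_sam()` does not clear the pointer itself, and the other exits in this hunk do not do it, so one of the two conventions should be used throughout.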
@@ -186,8 +191,8 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, } /* Add the user to the db if they aren't already there. */ - if (smb_pwent == NULL) { - retval = local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, + if (!exist) { + retval = local_password_change( name, LOCAL_ADD_USER, pass, err_str, sizeof(err_str), msg_str, sizeof(msg_str) ); @@ -204,14 +209,12 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, pass = NULL; return PAM_IGNORE; - } - + } + else { /* Change the user's password IFF it's null. */ - if (smb_pwent->smb_passwd == NULL && (smb_pwent->acct_ctrl & ACB_PWNOTREQ)) + if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { - retval = local_password_change( name, LOCAL_SET_PASSWORD, - pass, err_str, - sizeof(err_str), + retval = local_password_change( name, 0, pass, err_str, sizeof(err_str), msg_str, sizeof(msg_str) ); if (!retval && *err_str) { @@ -224,6 +227,8 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str ); } } + } + pass = NULL; return PAM_IGNORE; -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/pam_smbpass/pam_smb_auth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 9952eb94db..e5cc12e2f6 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -47,6 +47,7 @@ do { \ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, const char *name, SAM_ACCOUNT *sampass, BOOL exist); + /* * pam_sm_authenticate() authenticates users against the samba password file. * 
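Review bot: The `@@ -186,8` hunk changes the add-user call from `LOCAL_ADD_USER|LOCAL_SET_PASSWORD` back to `LOCAL_ADD_USER`, and the `@@ -204,14` hunk changes the call for an existing account from `LOCAL_SET_PASSWORD` to `0`, which undoes the flag change made by the earlier commit to this file. According to that commit's message the password is changed only when `LOCAL_SET_PASSWORD` is given, so with the new arguments migrate would add or keep the account without storing the token the user just supplied. Unless the merged 2.2 code ships a different `local_password_change()`, both calls should keep the flag: `local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD,` and `local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str),`.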
@@ -67,13 +68,11 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, BOOL found; /* Points to memory managed by the PAM library. Do not free. */ - const char *p = NULL; + char *p = NULL; /* Samba initialization. */ setup_logging("pam_smbpass",False); - charset_initialise(); - codepage_initialise(lp_client_code_page()); in_client = True; ctrl = set_ctrl(flags, argc, argv); -- cgit From b15255d7ab8a0b883f97fe57bf7280fbbf8e92b7 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 8 Apr 2003 04:42:44 +0000 Subject: Patch from Steve Langasek fix up two issues in pam_smbpass. The first, more important issue is adding support for the (apparently new) LOCAL_SET_PASSWORD flag to local_password_change(), without which pam_smbpass is a complete and utter no-op. The second, lesser issue is that with the advent of ldapsam, it's possible for pam_smbpass to generate a SIGPIPE that isn't handled by the calling application. The most basic signal wrapping is put in place to prevent this. Beyond that, the only thing in the patch is a bit of reformatting to make pam_smb_passwd.c look a bit more like the rest of the code in CVS. More of that later, I'm sure. (This used to be commit 1aecda300e0b44c133fe0cd2bafb166621dbc17a) --- source3/pam_smbpass/pam_smb_auth.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index e5cc12e2f6..f4cbb59af3 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -36,6 +36,8 @@ #define AUTH_RETURN \ do { \ + /* Restore application signal handler */ \ + CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); \ if(ret_data) { \ *ret_data = retval; \ pam_set_data( pamh, "smb_setcred_return" \ 
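Review bot: `AUTH_RETURN` now always calls `CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler)`, but `oldsig_handler` is declared without an initializer in the `@@ -67,6` hunk and is assigned only in the `@@ -96,6` hunk, after the `pam_get_user()` call. The `pam_get_user()` failure path shown in the original file leaves through `AUTH_RETURN` before that assignment, so it would install an indeterminate pointer as the SIGPIPE handler of the calling application. Move `oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);` above the `pam_get_user()` call, or have the macro restore the handler only once one has been saved.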
@@ -65,6 +67,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, SAM_ACCOUNT *sampass = NULL; extern BOOL in_client; const char *name; + void (*oldsig_handler)(int); BOOL found; /* Points to memory managed by the PAM library. Do not free. */ @@ -93,6 +96,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } + /* Getting into places that might use LDAP -- protect the app + from a SIGPIPE it's not expecting */ + oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); + if (!initialize_password_db(True)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; -- cgit From 5d40499b9f46aff4a70aeda0b8b3b147d2d69c2a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 18 Mar 2004 18:09:59 +0000 Subject: BUG 932: ulrich@holeschak.de (Ulrich Holeschak); fix local password change using pam_smbpass (This used to be commit f21182e24fe440b0cec57baf52cfbe6e07d6c7b7) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index f4cbb59af3..4452538d32 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -198,7 +198,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, /* Add the user to the db if they aren't already there. */ if (!exist) { - retval = local_password_change( name, LOCAL_ADD_USER, + retval = local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), msg_str, sizeof(msg_str) ); -- cgit From d4f815731d58db302856abcdac9835a8c2fe2168 Mon Sep 17 00:00:00 2001 
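Review bot: Only the add-user call in the `@@ -198,7` hunk gets `LOCAL_SET_PASSWORD`; the second call for an existing account, `local_password_change( name, 0, pass, ...`, lies in the `else` branch outside this hunk and still passes `0` as far as the earlier hunks on this page show. If the flag is required for the password to be written, that branch remains a no-op and should be changed in the same commit to `local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str),`.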
From: Gerald Carter Date: Tue, 6 Apr 2004 11:27:59 +0000 Subject: r75: patch from Cal Heldenbrand for 'pam_smbpass migrate' (This used to be commit 673c3f8bc0343cce293bacbf0773212b53182d1d) --- source3/pam_smbpass/pam_smb_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 4452538d32..d0dca6fa92 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -217,10 +217,10 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, return PAM_IGNORE; } else { - /* Change the user's password IFF it's null. */ - if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) + /* mimick 'update encrypted' as long as the 'no pw req' flag is not set */ + if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) { - retval = local_password_change( name, 0, pass, err_str, sizeof(err_str), + retval = local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), msg_str, sizeof(msg_str) ); if (!retval && *err_str) { -- cgit From a3f4c365171097eaa615b390d74a90b9345a3973 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 31 May 2005 01:44:44 +0000 Subject: r7126: fixing paranoid malloc checker failures (This used to be commit b01026674fddb4179a7f002c13f5e341eaaa0a1c) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index d0dca6fa92..74645564d4 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
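Review bot: The new condition `pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ` does not test that the 'no pw req' flag is clear, as the comment above it says; it is true whenever any other account-control bit is set, whether or not `ACB_PWNOTREQ` is set. With migrate enabled, the stored Samba password is therefore replaced by the current `PAM_AUTHTOK` for any account that carries some other control bit, including accounts that also have `ACB_PWNOTREQ`. If the comment states the intent, the test should be `if ( !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) )`. The enclosing `_smb_add_user()` starts and ends outside the hunk.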
@@ -82,7 +82,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Get a few bytes so we can pass our return value to pam_sm_setcred(). */ - ret_data = malloc(sizeof(int)); + ret_data = SMB_MALLOC_P(int); /* get the username */ retval = pam_get_user( pamh, &name, "Username: " ); -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/pam_smbpass/pam_smb_auth.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 74645564d4..70275abf92 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -84,6 +84,11 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, pam_sm_setcred(). */ ret_data = SMB_MALLOC_P(int); + /* we need to do this before we call AUTH_RETURN */ + /* Getting into places that might use LDAP -- protect the app + from a SIGPIPE it's not expecting */ + oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); + /* get the username */ retval = pam_get_user( pamh, &name, "Username: " ); if ( retval != PAM_SUCCESS ) { @@ -96,10 +101,6 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } - /* Getting into places that might use LDAP -- protect the app - from a SIGPIPE it's not expecting */ - oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); - if (!initialize_password_db(True)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; -- cgit 
From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/pam_smbpass/pam_smb_auth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 70275abf92..cbdb6fa811 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -199,10 +199,10 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, /* Add the user to the db if they aren't already there. */ if (!exist) { - retval = local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, + retval = NT_STATUS_IS_OK(local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), - msg_str, sizeof(msg_str) ); + msg_str, sizeof(msg_str) )); if (!retval && *err_str) { err_str[PSTRING_LEN-1] = '\0'; @@ -221,8 +221,8 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, /* mimick 'update encrypted' as long as the 'no pw req' flag is not set */ if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) { - retval = local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), - msg_str, sizeof(msg_str) ); + retval = NT_STATUS_IS_OK(local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), + msg_str, sizeof(msg_str) )); if (!retval && *err_str) { err_str[PSTRING_LEN-1] = '\0'; -- cgit From a988be716b87b0dca69688ed3b909af0a69e91f6 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Wed, 8 Feb 2006 04:11:08 +0000 Subject: r13384: Adding in some more SuSE patches * uninitialized-variables.diff * samba-smbadduser.diff * samba-implicit_decl.patch (This used to be commit 064338c6f5644d1ceddf341d4ba5619a3d68ffa7) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index cbdb6fa811..f604d42449 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -67,7 +67,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, SAM_ACCOUNT *sampass = NULL; extern BOOL in_client; const char *name; - void (*oldsig_handler)(int); + void (*oldsig_handler)(int) = NULL; BOOL found; /* Points to memory managed by the PAM library. Do not free. */ -- cgit From 2203bed32c84c63737f402accf73452efb76b483 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Mon, 20 Feb 2006 20:09:36 +0000 Subject: r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0) --- source3/pam_smbpass/pam_smb_auth.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index f604d42449..3de752cd30 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -47,7 +47,7 @@ do { \ } while (0) static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, - const char *name, SAM_ACCOUNT *sampass, BOOL exist); + const char *name, struct samu *sampass, BOOL exist); /* @@ -64,7 +64,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, { unsigned int ctrl; int retval, *ret_data = NULL; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; extern BOOL in_client; const char *name; void (*oldsig_handler)(int) = NULL; 
@@ -113,14 +113,14 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, if (on( SMB_MIGRATE, ctrl )) { retval = _smb_add_user(pamh, ctrl, name, sampass, found); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); AUTH_RETURN; } if (!found) { _log_err(LOG_ALERT, "Failed to find entry for user %s.", name); retval = PAM_USER_UNKNOWN; - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); sampass = NULL; AUTH_RETURN; } @@ -128,7 +128,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* if this user does not have a password... */ if (_smb_blankpasswd( ctrl, sampass )) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); retval = PAM_SUCCESS; AUTH_RETURN; } @@ -139,14 +139,14 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, if (retval != PAM_SUCCESS ) { _log_err(LOG_CRIT, "auth: no password provided for [%s]" , name); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); AUTH_RETURN; } /* verify the password of this user */ retval = _smb_verify_password( pamh, sampass, p, ctrl ); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); p = NULL; AUTH_RETURN; } @@ -176,7 +176,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, /* Helper function for adding a user to the db. */ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, - const char *name, SAM_ACCOUNT *sampass, BOOL exist) + const char *name, struct samu *sampass, BOOL exist) { pstring err_str; pstring msg_str; -- cgit From cd559192633d78a9f06e239c6a448955f6ea0842 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 21 Feb 2006 14:34:11 +0000 Subject: r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new() * replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix() (This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') 
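Review bot: In the not-found branch of the `@@ -113,14` hunk, `TALLOC_FREE(sampass);` is still followed by `sampass = NULL;`, while every other exit converted in this commit relies on `TALLOC_FREE` alone. The extra assignment is a leftover from the `pdb_free_sam()` version and can be dropped so that all exit paths read the same.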
diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 3de752cd30..f7980e2bb2 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -107,7 +107,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, AUTH_RETURN; } - pdb_init_sam(&sampass); + sampass = samu_new( NULL ); found = pdb_getsampwnam( sampass, name ); -- cgit From 5aa66fd0393318586edb5ee17e5cad2236aa5c8b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Mar 2006 10:18:23 +0000 Subject: r14577: BUG Fixes: * Add back in the import/export support to pdbedit * Fix segv in pam_smbpass * Cleanup some error paths in pdb_tdb and pdb_interface (This used to be commit df53d64910fbb96eb810102e986b3c337d54c463) --- source3/pam_smbpass/pam_smb_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index f7980e2bb2..15726aa855 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -75,6 +75,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Samba initialization. */ + load_case_tables(); setup_logging("pam_smbpass",False); in_client = True; -- cgit From f9147c4e408d316d194c4e367dfccbf433cb8ec9 Mon Sep 17 00:00:00 2001 
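Review bot: The result of `samu_new( NULL )` in the `@@ -107,7` hunk is not checked, and the next line passes `sampass` straight to `pdb_getsampwnam()`, so an allocation failure inside the authentication path would presumably end in a NULL dereference in the calling application instead of a PAM error. Add a check directly after the allocation, for example `if (!sampass) { retval = PAM_BUF_ERR; AUTH_RETURN; }`, and log it with `_log_err( LOG_ALERT, ... )` like the neighbouring failure paths. pam_sm_authenticate starts and ends outside the hunk.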
From: Jeremy Allison Date: Thu, 15 Jun 2006 01:54:09 +0000 Subject: r16241: Fix Klocwork #106 and others like it. Make 2 important changes. pdb_get_methods() returning NULL is a *fatal* error. Don't try and cope with it just call smb_panic. This removes a *lot* of pointless "if (!pdb)" handling code. Secondly, ensure that if samu_init() fails we *always* back out of a function. That way we are never in a situation where the pdb_XXX() functions need to start with a "if (sampass)" test - this was just bad design, not defensive programming. Jeremy. (This used to be commit a0d368197d6ae6777b7c2c3c6e970ab8ae7ca2ae) --- source3/pam_smbpass/pam_smb_auth.c | 160 +++++++++++++++++++------------------ 1 file changed, 81 insertions(+), 79 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 15726aa855..df6d20e01a 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
@@ -62,94 +62,97 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { - unsigned int ctrl; - int retval, *ret_data = NULL; - struct samu *sampass = NULL; - extern BOOL in_client; - const char *name; - void (*oldsig_handler)(int) = NULL; - BOOL found; - - /* Points to memory managed by the PAM library. Do not free. */ - char *p = NULL; - - - /* Samba initialization. */ - load_case_tables(); - setup_logging("pam_smbpass",False); - in_client = True; - - ctrl = set_ctrl(flags, argc, argv); - - /* Get a few bytes so we can pass our return value to - pam_sm_setcred(). */ - ret_data = SMB_MALLOC_P(int); - - /* we need to do this before we call AUTH_RETURN */ - /* Getting into places that might use LDAP -- protect the app - from a SIGPIPE it's not expecting */ - oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); - - /* get the username */ - retval = pam_get_user( pamh, &name, "Username: " ); - if ( retval != PAM_SUCCESS ) { - if (on( SMB_DEBUG, ctrl )) { - _log_err(LOG_DEBUG, "auth: could not identify user"); - } - AUTH_RETURN; - } - if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_DEBUG, "username [%s] obtained", name ); - } + unsigned int ctrl; + int retval, *ret_data = NULL; + struct samu *sampass = NULL; + extern BOOL in_client; + const char *name; + void (*oldsig_handler)(int) = NULL; + BOOL found; + + /* Points to memory managed by the PAM library. Do not free. */ + char *p = NULL; + + /* Samba initialization. */ + load_case_tables(); + setup_logging("pam_smbpass",False); + in_client = True; + + ctrl = set_ctrl(flags, argc, argv); + + /* Get a few bytes so we can pass our return value to + pam_sm_setcred(). 
*/ + ret_data = SMB_MALLOC_P(int); + + /* we need to do this before we call AUTH_RETURN */ + /* Getting into places that might use LDAP -- protect the app + from a SIGPIPE it's not expecting */ + oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); + + /* get the username */ + retval = pam_get_user( pamh, &name, "Username: " ); + if ( retval != PAM_SUCCESS ) { + if (on( SMB_DEBUG, ctrl )) { + _log_err(LOG_DEBUG, "auth: could not identify user"); + } + AUTH_RETURN; + } + if (on( SMB_DEBUG, ctrl )) { + _log_err( LOG_DEBUG, "username [%s] obtained", name ); + } - if (!initialize_password_db(True)) { - _log_err( LOG_ALERT, "Cannot access samba password database" ); - retval = PAM_AUTHINFO_UNAVAIL; - AUTH_RETURN; - } + if (!initialize_password_db(True)) { + _log_err( LOG_ALERT, "Cannot access samba password database" ); + retval = PAM_AUTHINFO_UNAVAIL; + AUTH_RETURN; + } - sampass = samu_new( NULL ); - - found = pdb_getsampwnam( sampass, name ); + sampass = samu_new( NULL ); + if (!sampass) { + _log_err( LOG_ALERT, "Cannot talloc a samu struct" ); + retval = nt_status_to_pam(NT_STATUS_NO_MEMORY); + AUTH_RETURN; + } - if (on( SMB_MIGRATE, ctrl )) { - retval = _smb_add_user(pamh, ctrl, name, sampass, found); - TALLOC_FREE(sampass); - AUTH_RETURN; - } + found = pdb_getsampwnam( sampass, name ); - if (!found) { - _log_err(LOG_ALERT, "Failed to find entry for user %s.", name); - retval = PAM_USER_UNKNOWN; - TALLOC_FREE(sampass); - sampass = NULL; - AUTH_RETURN; - } + if (on( SMB_MIGRATE, ctrl )) { + retval = _smb_add_user(pamh, ctrl, name, sampass, found); + TALLOC_FREE(sampass); + AUTH_RETURN; + } + + if (!found) { + _log_err(LOG_ALERT, "Failed to find entry for user %s.", name); + retval = PAM_USER_UNKNOWN; + TALLOC_FREE(sampass); + sampass = NULL; + AUTH_RETURN; + } - /* if this user does not have a password... */ + /* if this user does not have a password... 
*/ - if (_smb_blankpasswd( ctrl, sampass )) { - TALLOC_FREE(sampass); - retval = PAM_SUCCESS; - AUTH_RETURN; - } + if (_smb_blankpasswd( ctrl, sampass )) { + TALLOC_FREE(sampass); + retval = PAM_SUCCESS; + AUTH_RETURN; + } - /* get this user's authentication token */ + /* get this user's authentication token */ - retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p); - if (retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "auth: no password provided for [%s]" - , name); - TALLOC_FREE(sampass); - AUTH_RETURN; - } + retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p); + if (retval != PAM_SUCCESS ) { + _log_err(LOG_CRIT, "auth: no password provided for [%s]", name); + TALLOC_FREE(sampass); + AUTH_RETURN; + } - /* verify the password of this user */ + /* verify the password of this user */ - retval = _smb_verify_password( pamh, sampass, p, ctrl ); - TALLOC_FREE(sampass); - p = NULL; - AUTH_RETURN; + retval = _smb_verify_password( pamh, sampass, p, ctrl ); + TALLOC_FREE(sampass); + p = NULL; + AUTH_RETURN; } /* @@ -255,4 +258,3 @@ struct pam_module _pam_smbpass_auth_modstruct = { NULL }; #endif - -- cgit From f4ae28576376741a5402a286827a46c053db0ff7 Mon Sep 17 00:00:00 2001 From: James Peach Date: Wed, 23 May 2007 20:31:28 +0000 Subject: r23095: Support systems that have their PAM headers in /usr/include/pam. (This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4) --- source3/pam_smbpass/pam_smb_auth.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index df6d20e01a..ceb23c3633 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
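Review bot: Two failure paths in pam_sm_authenticate log caller-supplied input at the highest syslog priorities: `_log_err(LOG_ALERT, "Failed to find entry for user %s.", name)` and `_log_err(LOG_CRIT, "auth: no password provided for [%s]", name)`. Any client that can reach the PAM stack can produce these at will, which buries real alerts, and a password typed at the username prompt ends up in the log at ALERT level. An ordinary authentication-failure priority fits better, e.g. `_log_err(LOG_NOTICE, "Failed to find entry for user %s.", name);`, keeping LOG_ALERT for the database and allocation failures above. Separately, `sampass = NULL;` after `TALLOC_FREE(sampass);` exists only in the not-found branch; the other exits omit it, so it could be dropped or applied consistently.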
@@ -24,11 +24,19 @@ #ifndef LINUX /* This is only used in the Sun implementation. */ +#if defined(HAVE_SECURITY_PAM_APPL_H) #include +#elif defined(HAVE_PAM_PAM_APPL_H) +#include +#endif #endif /* LINUX */ +#if defined(HAVE_SECURITY_PAM_MODULES_H) #include +#elif defined(HAVE_PAM_PAM_MODULES_H) +#include +#endif #include "general.h" -- cgit From 825c4ceffef31ac68747cba747df44e6f4b1a576 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 May 2007 20:26:07 +0000 Subject: r23121: Fix Bug #2727 and let pam_smbpass at least link and dlopen correctly again. Thanks to Bartlomiej Solarz-Niesluchowski . Guenther (This used to be commit ba956ab8e4097d46bbad12caf2fad6857f463618) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index ceb23c3633..819918e144 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -109,7 +109,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } - if (!initialize_password_db(True)) { + if (!initialize_password_db(True, NULL)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; AUTH_RETURN; -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/pam_smbpass/pam_smb_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 819918e144..66e2f1d40b 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
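Review bot: Neither `#if`/`#elif` chain added here has an `#else`, so a build where configure defines neither HAVE_SECURITY_PAM_MODULES_H nor HAVE_PAM_PAM_MODULES_H includes no PAM header at all. The failure then appears later, at the first use of `pam_handle_t`, far from the cause. Closing the second chain with `#else` followed by `#error "no PAM modules header found"` makes the misconfiguration obvious at the include site. The first chain, inside `#ifndef LINUX`, could get the same treatment.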
@@ -2,7 +2,7 @@ * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) + * Software Foundation; either version 3 of the License, or (at your option) * any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/pam_smbpass/pam_smb_auth.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 66e2f1d40b..4ec1e6ebe3 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -11,8 +11,7 @@ * more details. * * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. + * this program; if not, see . */ /* indicate the following groups are defined */ -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/pam_smbpass/pam_smb_auth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') 
diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 4ec1e6ebe3..b29f7c838f 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -54,7 +54,7 @@ do { \ } while (0) static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, - const char *name, struct samu *sampass, BOOL exist); + const char *name, struct samu *sampass, bool exist); /* @@ -72,10 +72,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, unsigned int ctrl; int retval, *ret_data = NULL; struct samu *sampass = NULL; - extern BOOL in_client; + extern bool in_client; const char *name; void (*oldsig_handler)(int) = NULL; - BOOL found; + bool found; /* Points to memory managed by the PAM library. Do not free. */ char *p = NULL; @@ -187,7 +187,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, /* Helper function for adding a user to the db. */ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, - const char *name, struct samu *sampass, BOOL exist) + const char *name, struct samu *sampass, bool exist) { pstring err_str; pstring msg_str; -- cgit From 7ef6c19074495110d5c0b698b05c4ee52a0744d6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 21 Nov 2007 17:42:52 -0800 Subject: Remove pstrings from pam_smbpass - make local_password_change return malloced strings. Jeremy. (This used to be commit f652fe2bdb7a3a36e83dcf4b08347543fdffb9f0) --- source3/pam_smbpass/pam_smb_auth.c | 134 ++++++++++++++++--------------------- 1 file changed, 59 insertions(+), 75 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index b29f7c838f..79856a111d 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
@@ -170,98 +170,82 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { - int retval, *pretval = NULL; + int retval, *pretval = NULL; - retval = PAM_SUCCESS; + retval = PAM_SUCCESS; - pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval); - if(pretval) { - retval = *pretval; - SAFE_FREE(pretval); - } - pam_set_data(pamh, "smb_setcred_return", NULL, NULL); + pam_get_data(pamh, "smb_setcred_return", (const void **) &pretval); + if(pretval) { + retval = *pretval; + SAFE_FREE(pretval); + } + pam_set_data(pamh, "smb_setcred_return", NULL, NULL); - return retval; + return retval; } - /* Helper function for adding a user to the db. */ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl, const char *name, struct samu *sampass, bool exist) { - pstring err_str; - pstring msg_str; - const char *pass = NULL; - int retval; - - err_str[0] = '\0'; - msg_str[0] = '\0'; - - /* Get the authtok; if we don't have one, silently fail. */ - retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass ); - - if (retval != PAM_SUCCESS) { - _log_err( LOG_ALERT - , "pam_get_item returned error to pam_sm_authenticate" ); - return PAM_AUTHTOK_RECOVER_ERR; - } else if (pass == NULL) { - return PAM_AUTHTOK_RECOVER_ERR; - } - - /* Add the user to the db if they aren't already there. */ - if (!exist) { - retval = NT_STATUS_IS_OK(local_password_change( name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, - pass, err_str, - sizeof(err_str), - msg_str, sizeof(msg_str) )); - if (!retval && *err_str) - { - err_str[PSTRING_LEN-1] = '\0'; - make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str ); - } - else if (*msg_str) - { - msg_str[PSTRING_LEN-1] = '\0'; - make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str ); + char *err_str = NULL; + char *msg_str = NULL; + const char *pass = NULL; + int retval; + + /* Get the authtok; if we don't have one, silently fail. 
*/ + retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass ); + + if (retval != PAM_SUCCESS) { + _log_err( LOG_ALERT + , "pam_get_item returned error to pam_sm_authenticate" ); + return PAM_AUTHTOK_RECOVER_ERR; + } else if (pass == NULL) { + return PAM_AUTHTOK_RECOVER_ERR; } - pass = NULL; - return PAM_IGNORE; - } - else { - /* mimick 'update encrypted' as long as the 'no pw req' flag is not set */ - if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) - { - retval = NT_STATUS_IS_OK(local_password_change( name, LOCAL_SET_PASSWORD, pass, err_str, sizeof(err_str), - msg_str, sizeof(msg_str) )); - if (!retval && *err_str) - { - err_str[PSTRING_LEN-1] = '\0'; - make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str ); - } - else if (*msg_str) - { - msg_str[PSTRING_LEN-1] = '\0'; - make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str ); + /* Add the user to the db if they aren't already there. */ + if (!exist) { + retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_ADD_USER|LOCAL_SET_PASSWORD, + pass, &err_str, &msg_str)); + if (!retval && err_str) { + make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str ); + } else if (msg_str) { + make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str ); + } + pass = NULL; + + SAFE_FREE(err_str); + SAFE_FREE(msg_str); + return PAM_IGNORE; + } else { + /* mimick 'update encrypted' as long as the 'no pw req' flag is not set */ + if ( pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ ) { + retval = NT_STATUS_IS_OK(local_password_change(name, LOCAL_SET_PASSWORD, + pass, &err_str, &msg_str)); + if (!retval && err_str) { + make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str ); + } else if (msg_str) { + make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str ); + } + } } - } - } - pass = NULL; - - return PAM_IGNORE; + SAFE_FREE(err_str); + SAFE_FREE(msg_str); + pass = NULL; + return PAM_IGNORE; } - /* static module data */ #ifdef PAM_STATIC struct pam_module _pam_smbpass_auth_modstruct = { - "pam_smbpass", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - 
NULL + "pam_smbpass", + pam_sm_authenticate, + pam_sm_setcred, + NULL, + NULL, + NULL, + NULL }; #endif -- cgit From 9373e1ea90c088b4a1156554efb9e1da1738a8d3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 12 Dec 2007 17:26:49 -0800 Subject: Fix bug #3727 with patch from Steve Langasek Jeremy. (This used to be commit 0723760ba47a465d2ff5a22a680f1b5196eca7d8) --- source3/pam_smbpass/pam_smb_auth.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 79856a111d..3a841adebd 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -108,6 +108,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } + if (geteuid() != 0) { + _log_err( LOG_DEBUG, "Cannot access samba password database, not running as root."); + retval = PAM_AUTHINFO_UNAVAIL; + AUTH_RETURN; + } + if (!initialize_password_db(True, NULL)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; @@ -136,7 +142,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, sampass = NULL; AUTH_RETURN; } - + /* if this user does not have a password... */ if (_smb_blankpasswd( ctrl, sampass )) { -- cgit From 914cd3e483bd83fb4d8e769b90d9136336ea51e9 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Thu, 6 Mar 2008 10:41:42 -0500 Subject: Eliminate global variable in_client and a plethora of extern declarations. Derrell (This used to be commit b7f34e7ef2907b498a0645ce68f2773ed7d60cdc) --- source3/pam_smbpass/pam_smb_auth.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/pam_smbpass/pam_smb_auth.c') diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 3a841adebd..3dceb52c7d 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c 
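Review bot: In the `else` branch of `_smb_add_user`, the guard `pdb_get_acct_ctrl(sampass) & ~ACB_PWNOTREQ` does not test what its comment says ("as long as the 'no pw req' flag is not set"). It is true whenever any account-control bit other than ACB_PWNOTREQ is set, so an account carrying ACB_PWNOTREQ together with any other flag still has its stored password replaced from PAM_AUTHTOK. The condition matching the comment is `if ( !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) ) {`. This matters because the function runs on the SMB_MIGRATE path, which pam_sm_authenticate takes before any call to `_smb_verify_password`, so this guard alone decides whether the stored hash is overwritten. The expression is carried over unchanged from the removed lines, but the rewrite is a good place to fix it.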
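Review bot: The new `geteuid() != 0` branch has no comment saying why a non-root caller must stop before `initialize_password_db`, and its log message is emitted unconditionally, unlike the earlier debug messages in pam_sm_authenticate that are gated on `on( SMB_DEBUG, ctrl )`. If the intent is that the passdb backend is readable only by root (my assumption; the hunk does not say), a one-line comment such as `/* passdb is root-only: fail early for unprivileged callers instead of raising a LOG_ALERT below */` would record it. Wrapping the `_log_err` in `if (on( SMB_DEBUG, ctrl ))` would match the surrounding style. The function body starts and ends outside this hunk.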
@@ -72,7 +72,6 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, unsigned int ctrl; int retval, *ret_data = NULL; struct samu *sampass = NULL; - extern bool in_client; const char *name; void (*oldsig_handler)(int) = NULL; bool found; @@ -83,7 +82,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Samba initialization. */ load_case_tables(); setup_logging("pam_smbpass",False); - in_client = True; + lp_set_in_client(True); ctrl = set_ctrl(flags, argc, argv); -- cgit