From 2321514e9300ac85a1976318bae18a6b177f25c9 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 24 Apr 2001 20:00:12 +0000 Subject: Added Steve Langasek pam_smbpass PAM module code. Note: Still have to add build stuff - not ready yet. (This used to be commit 1de7022f98b64b15503aaf48c8d729789fc49781) --- source3/pam_smbpass/support.c | 651 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 651 insertions(+) create mode 100644 source3/pam_smbpass/support.c (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c new file mode 100644 index 0000000000..01f4aa30c7 --- /dev/null +++ b/source3/pam_smbpass/support.c 
@@ -0,0 +1,651 @@ +/* Unix NT password database implementation, version 0.6. + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" +#include "general.h" + +#include "support.h" + + +#define _pam_overwrite(x) \ +do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +} while (0) + +/* + * Don't just free it, forget it too. 
+ */ + +#define _pam_drop(X) \ +do { \ + if (X) { \ + free(X); \ + X=NULL; \ + } \ +} while (0) + +#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ +do { \ + int reply_i; \ + \ + for (reply_i=0; reply_iconv(nargs, (const struct pam_message **) message + ,response, conv->appdata_ptr); + + if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { + _log_err(LOG_DEBUG, "conversation failure [%s]" + ,pam_strerror(pamh, retval)); + } + } else { + _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" + ,pam_strerror(pamh, retval)); + } + + return retval; /* propagate error status */ +} + +int make_remark( pam_handle_t * pamh, unsigned int ctrl + , int type, const char *text ) +{ + if (off(SMB__QUIET, ctrl)) { + struct pam_message *pmsg[1], msg[1]; + struct pam_response *resp; + + pmsg[0] = &msg[0]; + msg[0].msg = text; + msg[0].msg_style = type; + resp = NULL; + + return converse(pamh, ctrl, 1, pmsg, &resp); + } + return PAM_SUCCESS; +} + + +/* set the control flags for the SMB module. */ + +int set_ctrl( int flags, int argc, const char **argv ) +{ + int i = 0; + static pstring servicesf = CONFIGFILE; + const char *service_file = servicesf; + unsigned int ctrl; + + ctrl = SMB_DEFAULTS; /* the default selection of options */ + + /* set some flags manually */ + + /* A good, sane default (matches Samba's behavior). */ + set( SMB__NONULL, ctrl ); + + if (flags & PAM_SILENT) { + set( SMB__QUIET, ctrl ); + } + + /* Run through the arguments once, looking for an alternate smb config + file location */ + while (i < argc) { + int j; + + for (j = 0; j < SMB_CTRLS_; ++j) { + if (smb_args[j].token + && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token))) + { + break; + } + } + + if (j == SMB_CONF_FILE) { + service_file = argv[i] + 8; + } + i++; + } + + /* Read some options from the Samba config. Can be overridden by + the PAM config. 
*/ + if(lp_load(service_file,True,False,False) == False) { + _log_err( LOG_ERR, "Error loading service file %s", service_file ); + } + + if (lp_null_passwords()) { + set( SMB__NULLOK, ctrl ); + } + + /* now parse the rest of the arguments to this module */ + + while (argc-- > 0) { + int j; + + for (j = 0; j < SMB_CTRLS_; ++j) { + if (smb_args[j].token + && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token))) + { + break; + } + } + + if (j >= SMB_CTRLS_) { + _log_err( LOG_ERR, "unrecognized option [%s]", *argv ); + } else { + ctrl &= smb_args[j].mask; /* for turning things off */ + ctrl |= smb_args[j].flag; /* for turning things on */ + } + + ++argv; /* step to next argument */ + } + + /* auditing is a more sensitive version of debug */ + + if (on( SMB_AUDIT, ctrl )) { + set( SMB_DEBUG, ctrl ); + } + /* return the set of flags */ + + return ctrl; +} + +/* use this to free strings. ESPECIALLY password strings */ + +char * _pam_delete( register char *xx ) +{ + _pam_overwrite( xx ); + _pam_drop( xx ); + return NULL; +} + +void _cleanup( pam_handle_t * pamh, void *x, int error_status ) +{ + x = _pam_delete( (char *) x ); +} + +/* + * Safe duplication of character strings. "Paranoid"; don't leave + * evidence of old token around for later stack analysis. 
+ */ + +char * xstrdup( const char *x ) +{ + register char *new = NULL; + + if (x != NULL) { + register int i; + + for (i = 0; x[i]; ++i); /* length of string */ + if ((new = malloc(++i)) == NULL) { + i = 0; + _log_err( LOG_CRIT, "out of memory in xstrdup" ); + } else { + while (i-- > 0) { + new[i] = x[i]; + } + } + x = NULL; + } + return new; /* return the duplicate or NULL on error */ +} + +/* ************************************************************** * + * Useful non-trivial functions * + * ************************************************************** */ + +void _cleanup_failures( pam_handle_t * pamh, void *fl, int err ) +{ + int quiet; + const char *service = NULL; + struct _pam_failed_auth *failure; + +#ifdef PAM_DATA_SILENT + quiet = err & PAM_DATA_SILENT; /* should we log something? */ +#else + quiet = 0; +#endif +#ifdef PAM_DATA_REPLACE + err &= PAM_DATA_REPLACE; /* are we just replacing data? */ +#endif + failure = (struct _pam_failed_auth *) fl; + + if (failure != NULL) { + +#ifdef PAM_DATA_SILENT + if (!quiet && !err) { /* under advisement from Sun,may go away */ +#else + if (!quiet) { /* under advisement from Sun,may go away */ +#endif + + /* log the number of authentication failures */ + if (failure->count != 0) { + pam_get_item( pamh, PAM_SERVICE, (const void **) &service ); + _log_err( LOG_NOTICE + , "%d authentication %s " + "from %s for service %s as %s(%d)" + , failure->count + , failure->count == 1 ? "failure" : "failures" + , failure->agent + , service == NULL ? "**unknown**" : service + , failure->user, failure->id ); + if (failure->count > SMB_MAX_RETRIES) { + _log_err( LOG_ALERT + , "service(%s) ignoring max retries; %d > %d" + , service == NULL ? 
"**unknown**" : service + , failure->count + , SMB_MAX_RETRIES ); + } + } + } + _pam_delete( failure->agent ); /* tidy up */ + _pam_delete( failure->user ); /* tidy up */ + free( failure ); + } +} + +int _smb_verify_password( pam_handle_t * pamh + , const struct smb_passwd *smb_pwent + , const char *p, unsigned int ctrl ) +{ + uchar hash_pass[16]; + uchar lm_pw[16]; + uchar nt_pw[16]; + int retval; + char *data_name; + const char *name; + + if (!smb_pwent) + return PAM_ABORT; + + name = smb_pwent->smb_name; + +#ifdef HAVE_PAM_FAIL_DELAY + if (off( SMB_NODELAY, ctrl )) { + (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */ + } +#endif + + if (!smb_pwent->smb_passwd) + { + _log_err( LOG_DEBUG, "user %s has null SMB password" + , name ); + + if (off( SMB__NONULL, ctrl ) + && (smb_pwent->acct_ctrl & ACB_PWNOTREQ)) + { /* this means we've succeeded */ + return PAM_SUCCESS; + } else { + const char *service; + + pam_get_item( pamh, PAM_SERVICE, (const void **)&service ); + _log_err( LOG_NOTICE + , "failed auth request by %s for service %s as %s(%d)" + , uidtoname( getuid() ) + , service ? service : "**unknown**", name + , smb_pwent->smb_userid ); + return PAM_AUTH_ERR; + } + } + + data_name = (char *) malloc( sizeof(FAIL_PREFIX) + + strlen( name )); + if (data_name == NULL) { + _log_err( LOG_CRIT, "no memory for data-name" ); + } + strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) ); + strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 ); + + /* First we check whether we've been given the password in already + encrypted form. 
*/ + if (strlen( p ) == 16 || (strlen( p ) == 32 + && pdb_gethexpwd( p, (char *) hash_pass ))) { + + if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 ) + || (smb_pwent->smb_nt_passwd + && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 ))) + { + retval = PAM_SUCCESS; + if (data_name) { /* reset failures */ + pam_set_data( pamh, data_name, NULL, _cleanup_failures ); + } + _pam_delete( data_name ); + memset( hash_pass, '\0', 16 ); + smb_pwent = NULL; + return retval; + } + } + + /* + * The password we were given wasn't an encrypted password, or it + * didn't match the one we have. We encrypt the password now and try + * again. + */ + + nt_lm_owf_gen(p, nt_pw, lm_pw); + + /* the moment of truth -- do we agree with the password? */ + + if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) { + + retval = PAM_SUCCESS; + if (data_name) { /* reset failures */ + pam_set_data(pamh, data_name, NULL, _cleanup_failures); + } + } else { + + const char *service; + + pam_get_item( pamh, PAM_SERVICE, (const void **)&service ); + + if (data_name != NULL) { + struct _pam_failed_auth *new = NULL; + const struct _pam_failed_auth *old = NULL; + + /* get a failure recorder */ + + new = (struct _pam_failed_auth *) + malloc( sizeof(struct _pam_failed_auth) ); + + if (new != NULL) { + + /* any previous failures for this user ? */ + pam_get_data(pamh, data_name, (const void **) &old); + + if (old != NULL) { + new->count = old->count + 1; + if (new->count >= SMB_MAX_RETRIES) { + retval = PAM_MAXTRIES; + } + } else { + _log_err( LOG_NOTICE + , "failed auth request by %s for service %s as %s(%d)" + , uidtoname( getuid() ) + , service ? 
service : "**unknown**", name + , smb_pwent->smb_userid ); + new->count = 1; + } + new->user = xstrdup( name ); + new->id = smb_pwent->smb_userid; + new->agent = xstrdup( uidtoname( getuid() ) ); + pam_set_data( pamh, data_name, new, _cleanup_failures ); + + } else { + _log_err( LOG_CRIT, "no memory for failure recorder" ); + _log_err( LOG_NOTICE + , "failed auth request by %s for service %s as %s(%d)" + , uidtoname( getuid() ) + , service ? service : "**unknown**", name + , smb_pwent->smb_userid ); + } + } else { + _log_err( LOG_NOTICE + , "failed auth request by %s for service %s as %s(%d)" + , uidtoname( getuid() ) + , service ? service : "**unknown**", name + , smb_pwent->smb_userid ); + retval = PAM_AUTH_ERR; + } + } + + _pam_delete( data_name ); + smb_pwent = NULL; + return retval; +} + + +/* + * _smb_blankpasswd() is a quick check for a blank password + * + * returns TRUE if user does not have a password + * - to avoid prompting for one in such cases (CG) + */ + +int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent ) +{ + int retval; + + /* + * This function does not have to be too smart if something goes + * wrong, return FALSE and let this case to be treated somewhere + * else (CG) + */ + + if (on( SMB__NONULL, ctrl )) + return 0; /* will fail but don't let on yet */ + + if (smb_pwent->smb_passwd == NULL) + retval = 1; + else + retval = 0; + + return retval; +} + +/* + * obtain a password from the user + */ + +int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl + , const char *comment, const char *prompt1 + , const char *prompt2, const char *data_name + , const char **pass ) +{ + int authtok_flag; + int retval; + const char *item = NULL; + char *token; + + struct pam_message msg[3], *pmsg[3]; + struct pam_response *resp; + int i, expect; + + + /* make sure nothing inappropriate gets returned */ + + *pass = token = NULL; + + /* which authentication token are we getting? */ + + authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? 
PAM_OLDAUTHTOK : PAM_AUTHTOK; + + /* should we obtain the password from a PAM item ? */ + + if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) { + retval = pam_get_item( pamh, authtok_flag, (const void **) &item ); + if (retval != PAM_SUCCESS) { + /* very strange. */ + _log_err( LOG_ALERT + , "pam_get_item returned error to smb_read_password" ); + return retval; + } else if (item != NULL) { /* we have a password! */ + *pass = item; + item = NULL; + return PAM_SUCCESS; + } else if (on( SMB_USE_FIRST_PASS, ctrl )) { + return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ + } else if (on( SMB_USE_AUTHTOK, ctrl ) + && off( SMB__OLD_PASSWD, ctrl )) + { + return PAM_AUTHTOK_RECOVER_ERR; + } + } + + /* + * getting here implies we will have to get the password from the + * user directly. + */ + + /* prepare to converse */ + if (comment != NULL && off(SMB__QUIET, ctrl)) { + pmsg[0] = &msg[0]; + msg[0].msg_style = PAM_TEXT_INFO; + msg[0].msg = comment; + i = 1; + } else { + i = 0; + } + + pmsg[i] = &msg[i]; + msg[i].msg_style = PAM_PROMPT_ECHO_OFF; + msg[i++].msg = prompt1; + + if (prompt2 != NULL) { + pmsg[i] = &msg[i]; + msg[i].msg_style = PAM_PROMPT_ECHO_OFF; + msg[i++].msg = prompt2; + expect = 2; + } else + expect = 1; + + resp = NULL; + + retval = converse( pamh, ctrl, i, pmsg, &resp ); + + if (resp != NULL) { + int j = comment ? 1 : 0; + /* interpret the response */ + + if (retval == PAM_SUCCESS) { /* a good conversation */ + + token = xstrdup(resp[j++].resp); + if (token != NULL) { + if (expect == 2) { + /* verify that password entered correctly */ + if (!resp[j].resp || strcmp( token, resp[j].resp )) { + _pam_delete( token ); + retval = PAM_AUTHTOK_RECOVER_ERR; + make_remark( pamh, ctrl, PAM_ERROR_MSG + , MISTYPED_PASS ); + } + } + } else { + _log_err(LOG_NOTICE, "could not recover authentication token"); + } + } + + /* tidy up */ + _pam_drop_reply( resp, expect ); + + } else { + retval = (retval == PAM_SUCCESS) ? 
PAM_AUTHTOK_RECOVER_ERR : retval; + } + + if (retval != PAM_SUCCESS) { + if (on( SMB_DEBUG, ctrl )) + _log_err( LOG_DEBUG, "unable to obtain a password" ); + return retval; + } + /* 'token' is the entered password */ + + if (off( SMB_NOT_SET_PASS, ctrl )) { + + /* we store this password as an item */ + + retval = pam_set_item( pamh, authtok_flag, (const void *)token ); + _pam_delete( token ); /* clean it up */ + if (retval != PAM_SUCCESS + || (retval = pam_get_item( pamh, authtok_flag + ,(const void **)&item )) != PAM_SUCCESS) + { + _log_err( LOG_CRIT, "error manipulating password" ); + return retval; + } + } else { + /* + * then store it as data specific to this module. pam_end() + * will arrange to clean it up. + */ + + retval = pam_set_data( pamh, data_name, (void *) token, _cleanup ); + if (retval != PAM_SUCCESS + || (retval = pam_get_data( pamh, data_name, (const void **)&item )) + != PAM_SUCCESS) + { + _log_err( LOG_CRIT, "error manipulating password data [%s]" + , pam_strerror( pamh, retval )); + _pam_delete( token ); + item = NULL; + return retval; + } + token = NULL; /* break link to password */ + } + + *pass = item; + item = NULL; /* break link to password */ + + return PAM_SUCCESS; +} + +int _pam_smb_approve_pass(pam_handle_t * pamh + ,unsigned int ctrl + ,const char *pass_old + ,const char *pass_new) +{ + + /* Further checks should be handled through module stacking. -SRL */ + if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new ))) + { + if (on(SMB_DEBUG, ctrl)) { + _log_err( LOG_DEBUG, + "passwd: bad authentication token (null or unchanged)" ); + } + make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? + "No password supplied" : "Password unchanged" ); + return PAM_AUTHTOK_ERR; + } + + return PAM_SUCCESS; +} -- cgit From 61adb3396d4ab1a26764d76387976894524e6a76 Mon Sep 17 00:00:00 2001 
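Review bot: In `_smb_verify_password` a failed `malloc` for `data_name` is only logged, and the two `strncpy` calls right after it then write through the NULL pointer; add `return PAM_BUF_ERR;` after the `_log_err` (the later `if (data_name)` guards then become redundant). `retval` is declared without an initializer and is never assigned on the repeat-failure path (`old != NULL` with `new->count < SMB_MAX_RETRIES`), so a wrong password can return an indeterminate value that may read as `PAM_SUCCESS`; declare it `int retval = PAM_AUTH_ERR;`. `memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )` dereferences `smb_nt_passwd` without the NULL check the pre-hashed branch applies to the same field, and the same pattern survives as `pdb_get_nt_passwd(sampass)` in the "updates from 2.2" hunks further down this page. That pre-hashed branch also accepts a 16-character input without ever filling `hash_pass`, so it compares uninitialised stack bytes against the stored hashes, and letting the stored hash stand in for the password means anyone who can read the hash can authenticate; the Jan 2003 hunk below removes the branch.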
From: Jeremy Allison Date: Mon, 22 Oct 2001 02:43:20 +0000 Subject: Renamed inbuilt xstrdup to smb_xstrdup. Jeremy. (This used to be commit cf99f9361370c521f28dcced008cbfec9fc38de5) --- source3/pam_smbpass/support.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 01f4aa30c7..8646792753 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -221,7 +221,7 @@ void _cleanup( pam_handle_t * pamh, void *x, int error_status ) * evidence of old token around for later stack analysis. */ -char * xstrdup( const char *x ) +char * smb_xstrdup( const char *x ) { register char *new = NULL; @@ -231,7 +231,7 @@ char * xstrdup( const char *x ) for (i = 0; x[i]; ++i); /* length of string */ if ((new = malloc(++i)) == NULL) { i = 0; - _log_err( LOG_CRIT, "out of memory in xstrdup" ); + _log_err( LOG_CRIT, "out of memory in smb_xstrdup" ); } else { while (i-- > 0) { new[i] = x[i]; @@ -417,9 +417,9 @@ int _smb_verify_password( pam_handle_t * pamh , smb_pwent->smb_userid ); new->count = 1; } - new->user = xstrdup( name ); + new->user = smb_xstrdup( name ); new->id = smb_pwent->smb_userid; - new->agent = xstrdup( uidtoname( getuid() ) ); + new->agent = smb_xstrdup( uidtoname( getuid() ) ); pam_set_data( pamh, data_name, new, _cleanup_failures ); } else { @@ -560,7 +560,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl if (retval == PAM_SUCCESS) { /* a good conversation */ - token = xstrdup(resp[j++].resp); + token = smb_xstrdup(resp[j++].resp); if (token != NULL) { if (expect == 2) { /* verify that password entered correctly */ -- cgit From f741f656737f4ec46cd318e986b6bf412ed309d2 Mon Sep 17 00:00:00 2001 
From: Martin Pool Date: Mon, 19 Nov 2001 02:49:53 +0000 Subject: Store some path names in global variables initialized to configure default, rather than in preprocessor macros. (This used to be commit 79ec88f0da40faebe1e587f1b3e87b5f2b184f58) --- source3/pam_smbpass/support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 8646792753..007fb922eb 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -125,7 +125,7 @@ int make_remark( pam_handle_t * pamh, unsigned int ctrl int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - static pstring servicesf = CONFIGFILE; + static pstring servicesf = dyn_CONFIGFILE; const char *service_file = servicesf; unsigned int ctrl; -- cgit From 65cfe6a492b236f49edd591a7e728cbeeed3c344 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Dec 2001 23:44:33 +0000 Subject: pam_smbpass updates from a.bokovoy@sam-solutions.net (This used to be commit 016e203a2c5286d8b48ab3eff0226affc203deaf) --- source3/pam_smbpass/support.c | 29 +---------------------------- 1 file changed, 1 insertion(+), 28 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 007fb922eb..f35a354b7c 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -125,8 +125,7 @@ int make_remark( pam_handle_t * pamh, unsigned int ctrl int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - static pstring servicesf = dyn_CONFIGFILE; - const char *service_file = servicesf; + const char *service_file = dyn_CONFIGFILE; unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ 
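Review bot: `static pstring servicesf = dyn_CONFIGFILE;` initializes an array from a pointer variable; if `pstring` is Samba's fixed-size `char` array typedef this is not a valid initializer in C (an array takes a string literal or a brace list), and a `static` object cannot be initialized from a non-constant expression in any case. The local copy is not needed: `const char *service_file = dyn_CONFIGFILE;` and drop `servicesf`. `set_ctrl` continues past the hunk.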
@@ -216,32 +215,6 @@ void _cleanup( pam_handle_t * pamh, void *x, int error_status ) x = _pam_delete( (char *) x ); } -/* - * Safe duplication of character strings. "Paranoid"; don't leave - * evidence of old token around for later stack analysis. - */ - -char * smb_xstrdup( const char *x ) -{ - register char *new = NULL; - - if (x != NULL) { - register int i; - - for (i = 0; x[i]; ++i); /* length of string */ - if ((new = malloc(++i)) == NULL) { - i = 0; - _log_err( LOG_CRIT, "out of memory in smb_xstrdup" ); - } else { - while (i-- > 0) { - new[i] = x[i]; - } - } - x = NULL; - } - return new; /* return the duplicate or NULL on error */ -} - /* ************************************************************** * * Useful non-trivial functions * * ************************************************************** */ -- cgit From b79fa88b4db3bc88b0a5ae567b19286f64fd113c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 12 Jan 2002 23:12:13 +0000 Subject: updates from 2.2 (This used to be commit 398b4ff0d40d89b3e96d481807f85f15b7a7966a) --- source3/pam_smbpass/support.c | 94 +++++++++++++++++++++++++++---------------- 1 file changed, 59 insertions(+), 35 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index f35a354b7c..86349f8c16 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -125,7 +125,8 @@ int make_remark( pam_handle_t * pamh, unsigned int ctrl int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - const char *service_file = dyn_CONFIGFILE; + static pstring servicesf = CONFIGFILE; + const char *service_file = servicesf; unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ 
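Review bot: This hunk deletes the local `smb_xstrdup`, but the Oct 2001 rename on this page left calls to it in `_smb_verify_password` (`new->user`, `new->agent`) and `_smb_read_password` (`token`), none of which this commit touches, so the build now depends on an `smb_xstrdup` provided through `includes.h`. If that library version aborts on allocation failure instead of returning NULL (not visible here), the `token != NULL` check and the "no memory for failure recorder" path in those callers become dead code and the module can terminate the process that loaded it on OOM. A one-line comment at the first call site naming where `smb_xstrdup` now comes from, `/* smb_xstrdup: Samba library helper, see includes.h */`, would spare the next reader the search.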
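Review bot: Restoring `static pstring servicesf = CONFIGFILE;` in `set_ctrl` reverts the Nov 2001 change on this page that moved the default config path to the `dyn_CONFIGFILE` global; if `CONFIGFILE` is no longer a macro in this tree the function will not compile, and if it still is, this module reads a different default than the rest of the build. Prefer `const char *service_file = dyn_CONFIGFILE;` as the previous commit had it. `set_ctrl` continues past the hunk.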
@@ -215,6 +216,33 @@ void _cleanup( pam_handle_t * pamh, void *x, int error_status ) x = _pam_delete( (char *) x ); } +/* JHT + * + * Safe duplication of character strings. "Paranoid"; don't leave + * evidence of old token around for later stack analysis. + * + */ +char * smbpXstrDup( const char *x ) +{ + register char *new = NULL; + + if (x != NULL) { + register int i; + + for (i = 0; x[i]; ++i); /* length of string */ + if ((new = malloc(++i)) == NULL) { + i = 0; + _log_err( LOG_CRIT, "out of memory in smbpXstrDup" ); + } else { + while (i-- > 0) { + new[i] = x[i]; + } + } + x = NULL; + } + return new; /* return the duplicate or NULL on error */ +} + /* ************************************************************** * * Useful non-trivial functions * * ************************************************************** */ @@ -265,13 +293,12 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err ) } _pam_delete( failure->agent ); /* tidy up */ _pam_delete( failure->user ); /* tidy up */ - free( failure ); + SAFE_FREE( failure ); } } -int _smb_verify_password( pam_handle_t * pamh - , const struct smb_passwd *smb_pwent - , const char *p, unsigned int ctrl ) +int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, + const char *p, unsigned int ctrl ) { uchar hash_pass[16]; uchar lm_pw[16]; @@ -280,10 +307,10 @@ int _smb_verify_password( pam_handle_t * pamh char *data_name; const char *name; - if (!smb_pwent) + if (!sampass) return PAM_ABORT; - name = smb_pwent->smb_name; + name = pdb_get_username(sampass); #ifdef HAVE_PAM_FAIL_DELAY if (off( SMB_NODELAY, ctrl )) { 
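Review bot: The header comment on `smbpXstrDup` promises a "paranoid" copy that leaves no evidence of the old token, but the body only measures, allocates and copies; nothing is overwritten, and `x = NULL` clears a by-value parameter that goes out of scope anyway. State what the function actually guarantees, e.g. `/* Duplicate a string, logging and returning NULL on allocation failure; release the copy with _pam_delete() so it is zeroed before free(). */`, since the caller-side `_pam_delete` is where the scrubbing happens. This is the third name for the same body on this page (`xstrdup`, `smb_xstrdup`, now `smbpXstrDup`), and the mixed-case spelling breaks the file's snake_case convention.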
@@ -291,13 +318,13 @@ int _smb_verify_password( pam_handle_t * pamh } #endif - if (!smb_pwent->smb_passwd) + if (!pdb_get_lanman_passwd(sampass)) { _log_err( LOG_DEBUG, "user %s has null SMB password" , name ); if (off( SMB__NONULL, ctrl ) - && (smb_pwent->acct_ctrl & ACB_PWNOTREQ)) + && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { /* this means we've succeeded */ return PAM_SUCCESS; } else { @@ -308,13 +335,12 @@ int _smb_verify_password( pam_handle_t * pamh , "failed auth request by %s for service %s as %s(%d)" , uidtoname( getuid() ) , service ? service : "**unknown**", name - , smb_pwent->smb_userid ); + , pdb_get_uid(sampass) ); return PAM_AUTH_ERR; } } - data_name = (char *) malloc( sizeof(FAIL_PREFIX) - + strlen( name )); + data_name = (char *) malloc( sizeof(FAIL_PREFIX) + strlen( name )); if (data_name == NULL) { _log_err( LOG_CRIT, "no memory for data-name" ); } @@ -326,9 +352,9 @@ int _smb_verify_password( pam_handle_t * pamh if (strlen( p ) == 16 || (strlen( p ) == 32 && pdb_gethexpwd( p, (char *) hash_pass ))) { - if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 ) - || (smb_pwent->smb_nt_passwd - && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 ))) + if (!memcmp( hash_pass, pdb_get_lanman_passwd(sampass), 16 ) + || (pdb_get_nt_passwd(sampass) + && !memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 ))) { retval = PAM_SUCCESS; if (data_name) { /* reset failures */ @@ -336,7 +362,6 @@ int _smb_verify_password( pam_handle_t * pamh } _pam_delete( data_name ); memset( hash_pass, '\0', 16 ); - smb_pwent = NULL; return retval; } } @@ -351,7 +376,7 @@ int _smb_verify_password( pam_handle_t * pamh /* the moment of truth -- do we agree with the password? */ - if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) { + if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) { retval = PAM_SUCCESS; if (data_name) { /* reset failures */ 
@@ -387,12 +412,12 @@ int _smb_verify_password( pam_handle_t * pamh , "failed auth request by %s for service %s as %s(%d)" , uidtoname( getuid() ) , service ? service : "**unknown**", name - , smb_pwent->smb_userid ); + , pdb_get_uid(sampass) ); new->count = 1; } - new->user = smb_xstrdup( name ); - new->id = smb_pwent->smb_userid; - new->agent = smb_xstrdup( uidtoname( getuid() ) ); + new->user = smbpXstrDup( name ); + new->id = pdb_get_uid(sampass); + new->agent = smbpXstrDup( uidtoname( getuid() ) ); pam_set_data( pamh, data_name, new, _cleanup_failures ); } else { @@ -401,20 +426,20 @@ int _smb_verify_password( pam_handle_t * pamh , "failed auth request by %s for service %s as %s(%d)" , uidtoname( getuid() ) , service ? service : "**unknown**", name - , smb_pwent->smb_userid ); + , pdb_get_uid(sampass) ); } } else { _log_err( LOG_NOTICE , "failed auth request by %s for service %s as %s(%d)" , uidtoname( getuid() ) , service ? service : "**unknown**", name - , smb_pwent->smb_userid ); + , pdb_get_uid(sampass) ); retval = PAM_AUTH_ERR; } } _pam_delete( data_name ); - smb_pwent = NULL; + return retval; } @@ -426,7 +451,7 @@ int _smb_verify_password( pam_handle_t * pamh * - to avoid prompting for one in such cases (CG) */ -int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent ) +int _smb_blankpasswd( unsigned int ctrl, SAM_ACCOUNT *sampass ) { int retval; @@ -439,7 +464,7 @@ int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent ) if (on( SMB__NONULL, ctrl )) return 0; /* will fail but don't let on yet */ - if (smb_pwent->smb_passwd == NULL) + if (pdb_get_lanman_passwd(sampass) == NULL) retval = 1; else retval = 0; 
@@ -451,10 +476,9 @@ int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent ) * obtain a password from the user */ -int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl - , const char *comment, const char *prompt1 - , const char *prompt2, const char *data_name - , const char **pass ) +int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl, + const char *comment, const char *prompt1, + const char *prompt2, const char *data_name, char **pass ) { int authtok_flag; int retval; @@ -533,7 +557,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl if (retval == PAM_SUCCESS) { /* a good conversation */ - token = smb_xstrdup(resp[j++].resp); + token = smbpXstrDup(resp[j++].resp); if (token != NULL) { if (expect == 2) { /* verify that password entered correctly */ @@ -602,10 +626,10 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl return PAM_SUCCESS; } -int _pam_smb_approve_pass(pam_handle_t * pamh - ,unsigned int ctrl - ,const char *pass_old - ,const char *pass_new) +int _pam_smb_approve_pass(pam_handle_t * pamh, + unsigned int ctrl, + const char *pass_old, + const char *pass_new ) { /* Further checks should be handled through module stacking. -SRL */ -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/pam_smbpass/support.c | 222 ++++++++++++++++++++++-------------------- 1 file changed, 115 insertions(+), 107 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 86349f8c16..a55dcb0272 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c 
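Review bot: `_smb_read_password`'s `pass` output changes from `const char **` to `char **`, but what it hands back (`*pass = item`) is still the PAM-owned authtok obtained from `pam_get_item`/`pam_get_data`, which the caller must neither modify nor free; the non-const type now invites exactly that, and `*pass = item` with `item` still `const char *` discards a qualifier. Keep `const char **pass` in the prototype, or document the ownership at the declaration: `/* *pass points at PAM-owned storage: do not free or overwrite it */`. The alpha18 merge further down this page changes `item` to `char *` to match, which silences the warning rather than restoring the contract. The function body continues outside the hunk.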
@@ -1,132 +1,135 @@ -/* Unix NT password database implementation, version 0.6. - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" -#include "general.h" + /* Unix NT password database implementation, version 0.6. + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ -#include "support.h" + #include "includes.h" + #include "general.h" + #include "support.h" -#define _pam_overwrite(x) \ -do { \ - register char *__xx__; \ - if ((__xx__=(x))) \ - while (*__xx__) \ - *__xx__++ = '\0'; \ -} while (0) -/* - * Don't just free it, forget it too. 
- */ + #define _pam_overwrite(x) \ + do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ + } while (0) -#define _pam_drop(X) \ -do { \ - if (X) { \ - free(X); \ - X=NULL; \ - } \ -} while (0) - -#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ -do { \ - int reply_i; \ - \ - for (reply_i=0; reply_iconv(nargs, (const struct pam_message **) message - ,response, conv->appdata_ptr); + retval = conv->conv(nargs, (const struct pam_message **) message + ,response, conv->appdata_ptr); - if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, "conversation failure [%s]" + if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { + _log_err(LOG_DEBUG, "conversation failure [%s]" + ,pam_strerror(pamh, retval)); + } + } else { + _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" ,pam_strerror(pamh, retval)); } - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - ,pam_strerror(pamh, retval)); - } - return retval; /* propagate error status */ -} + return retval; /* propagate error status */ + } -int make_remark( pam_handle_t * pamh, unsigned int ctrl - , int type, const char *text ) -{ - if (off(SMB__QUIET, ctrl)) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; + int make_remark( pam_handle_t * pamh, unsigned int ctrl + , int type, const char *text ) + { + if (off(SMB__QUIET, ctrl)) { + struct pam_message *pmsg[1], msg[1]; + struct pam_response *resp; - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - resp = NULL; + pmsg[0] = &msg[0]; + msg[0].msg = text; + msg[0].msg_style = type; + resp = NULL; - return converse(pamh, ctrl, 1, pmsg, &resp); + return converse(pamh, ctrl, 1, pmsg, &resp); + } + return PAM_SUCCESS; } - return PAM_SUCCESS; -} -/* set the control flags for the SMB module. */ + /* set the control flags for the SMB module. 
*/ int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - static pstring servicesf = CONFIGFILE; - const char *service_file = servicesf; + const char *service_file = dyn_CONFIGFILE; unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ @@ -136,6 +139,9 @@ int set_ctrl( int flags, int argc, const char **argv ) /* A good, sane default (matches Samba's behavior). */ set( SMB__NONULL, ctrl ); + /* initialize service file location */ + service_file=servicesf; + if (flags & PAM_SILENT) { set( SMB__QUIET, ctrl ); } @@ -165,6 +171,8 @@ int set_ctrl( int flags, int argc, const char **argv ) _log_err( LOG_ERR, "Error loading service file %s", service_file ); } + secrets_init(); + if (lp_null_passwords()) { set( SMB__NULLOK, ctrl ); } @@ -303,7 +311,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, uchar hash_pass[16]; uchar lm_pw[16]; uchar nt_pw[16]; - int retval; + int retval = PAM_AUTH_ERR; char *data_name; const char *name; @@ -482,7 +490,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl, { int authtok_flag; int retval; - const char *item = NULL; + char *item = NULL; char *token; struct pam_message msg[3], *pmsg[3]; -- cgit From 1e531eb6046908e480a36ff92f649405ad2dc15e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Jan 2003 01:40:13 +0000 Subject: Merge from HEAD - remove silly 'NT or LM# as password' stuff from pam_smbpass. Andrew Bartlett (This used to be commit c9994ab7bb0ea96e1a2ddf78935306a7b8507f25) --- source3/pam_smbpass/support.c | 19 ------------------- 1 file changed, 19 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index a55dcb0272..11de306d13 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c 
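Review bot: The `@@ -136` hunk adds `service_file=servicesf;`, but the first hunk of this same commit removed the local `static pstring servicesf` from `set_ctrl`, so the name now resolves only if a file-scope or extern `servicesf` exists elsewhere, and if it does, the assignment silently overrides the `dyn_CONFIGFILE` default set a few lines earlier. Either drop the two added lines or make the dependency explicit with `extern pstring servicesf;` and a comment saying which default wins. The `secrets_init();` added in the `@@ -165` hunk ignores its return value; if it can fail, log it the way the `lp_load` failure above it is logged. `set_ctrl` continues past the hunk.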
@@ -355,25 +355,6 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) ); strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 ); - /* First we check whether we've been given the password in already - encrypted form. */ - if (strlen( p ) == 16 || (strlen( p ) == 32 - && pdb_gethexpwd( p, (char *) hash_pass ))) { - - if (!memcmp( hash_pass, pdb_get_lanman_passwd(sampass), 16 ) - || (pdb_get_nt_passwd(sampass) - && !memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 ))) - { - retval = PAM_SUCCESS; - if (data_name) { /* reset failures */ - pam_set_data( pamh, data_name, NULL, _cleanup_failures ); - } - _pam_delete( data_name ); - memset( hash_pass, '\0', 16 ); - return retval; - } - } - /* * The password we were given wasn't an encrypted password, or it * didn't match the one we have. We encrypt the password now and try -- cgit From c823b191ab476fc2583d6d6aaa1e2edb09cbb88e Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Mon, 12 May 2003 18:12:31 +0000 Subject: And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d) --- source3/pam_smbpass/support.c | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 11de306d13..62cc866fae 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -308,7 +308,6 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err ) int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, const char *p, unsigned int ctrl ) { - uchar hash_pass[16]; uchar lm_pw[16]; uchar nt_pw[16]; int retval = PAM_AUTH_ERR; 
@@ -339,11 +338,8 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, const char *service; pam_get_item( pamh, PAM_SERVICE, (const void **)&service ); - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s", + uidtoname(getuid()), service ? service : "**unknown**", name); return PAM_AUTH_ERR; } } 
@@ -397,32 +393,34 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, retval = PAM_MAXTRIES; } } else { - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s", + uidtoname(getuid()), + service ? service : "**unknown**", name); new->count = 1; } + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) { + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s", + uidtoname(getuid()), + service ? service : "**unknown**", name); + } new->user = smbpXstrDup( name ); - new->id = pdb_get_uid(sampass); new->agent = smbpXstrDup( uidtoname( getuid() ) ); pam_set_data( pamh, data_name, new, _cleanup_failures ); } else { _log_err( LOG_CRIT, "no memory for failure recorder" ); - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s(%d)", + uidtoname(getuid()), + service ? service : "**unknown**", name); } } else { - _log_err( LOG_NOTICE - , "failed auth request by %s for service %s as %s(%d)" - , uidtoname( getuid() ) - , service ? service : "**unknown**", name - , pdb_get_uid(sampass) ); + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s(%d)", + uidtoname(getuid()), + service ? service : "**unknown**", name); retval = PAM_AUTH_ERR; } } -- cgit From f5974dfaae680d98b78d600cd1f1aaece332a085 Mon Sep 17 00:00:00 2001 
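Review bot: Two of the rewritten `_log_err` calls (the no-memory branch and the final `else`) keep the `%s(%d)` format while the uid argument was removed, so `"failed auth request by %s for service %s as %s(%d)"` is now passed three arguments for four conversions; that is undefined behaviour and prints garbage in the `(%d)` position. Either drop the suffix as the other call sites in this hunk do, `"failed auth request by %s for service %s as %s",`, or pass the uid where it is known. Separately, when `sid_to_uid()` fails the code logs the generic "failed auth request" text and still stores the recorder with `new->id` never assigned (the struct comes from malloc, not calloc), so a message naming the SID mapping failure and a defined sentinel in `new->id` would be clearer. _smb_verify_password continues outside the hunk.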
From: Simo Sorce Date: Sun, 22 Jun 2003 10:09:52 +0000 Subject: Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687) --- source3/pam_smbpass/support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 62cc866fae..8a0432c855 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -399,7 +399,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, service ? service : "**unknown**", name); new->count = 1; } - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) { + if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) { _log_err(LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), -- cgit From a3f4c365171097eaa615b390d74a90b9345a3973 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 31 May 2005 01:44:44 +0000 Subject: r7126: fixing paranoid malloc checker failures (This used to be commit b01026674fddb4179a7f002c13f5e341eaaa0a1c) --- source3/pam_smbpass/support.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 8a0432c855..f5682480eb 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c 
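Review bot: With the corrected `!NT_STATUS_IS_OK(...)` test the branch now fires for every non-success status, yet its message is still "failed auth request by %s for service %s as %s", identical to the genuine password failures logged around it, so an operator cannot tell a SID-to-uid mapping problem from a wrong password. Something like `"failed to map SID of %s to a uid", name` in that branch would make the log actionable, and since the code goes on to pam_set_data() with the recorder, give `new->id` a defined value there. The enclosing function is outside the hunk.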
@@ -238,7 +238,7 @@ char * smbpXstrDup( const char *x ) register int i; for (i = 0; x[i]; ++i); /* length of string */ - if ((new = malloc(++i)) == NULL) { + if ((new = SMB_MALLOC_ARRAY(char, ++i)) == NULL) { i = 0; _log_err( LOG_CRIT, "out of memory in smbpXstrDup" ); } else { @@ -344,7 +344,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, } } - data_name = (char *) malloc( sizeof(FAIL_PREFIX) + strlen( name )); + data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name )); if (data_name == NULL) { _log_err( LOG_CRIT, "no memory for data-name" ); } @@ -379,8 +379,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, /* get a failure recorder */ - new = (struct _pam_failed_auth *) - malloc( sizeof(struct _pam_failed_auth) ); + new = SMB_MALLOC_P( struct _pam_failed_auth ); if (new != NULL) { -- cgit From b20239df942527c0cbf70d779df56a4a56518315 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 24 Jun 2005 21:18:20 +0000 Subject: r7886: Fix building with pam_smbpass. Jeremy. (This used to be commit 22a796fe012e212f7744f0d63a8512e6942a5324) --- source3/pam_smbpass/support.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index f5682480eb..82d51103d2 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c 
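Review bot: The NULL check after the new `SMB_MALLOC_ARRAY` for `data_name` only logs "no memory for data-name" and then falls through; the statements that follow (outside this hunk, visible in the earlier history of this file) are `strncpy(data_name, FAIL_PREFIX, ...)`, which writes through the NULL pointer and crashes the calling login process. Add `return PAM_AUTH_ERR;` inside the `if (data_name == NULL)` block so an allocation failure is reported as an authentication failure instead. _smb_verify_password continues outside the hunk.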
@@ -232,23 +232,23 @@ void _cleanup( pam_handle_t * pamh, void *x, int error_status ) */ char * smbpXstrDup( const char *x ) { - register char *new = NULL; + register char *newstr = NULL; if (x != NULL) { register int i; for (i = 0; x[i]; ++i); /* length of string */ - if ((new = SMB_MALLOC_ARRAY(char, ++i)) == NULL) { + if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) { i = 0; _log_err( LOG_CRIT, "out of memory in smbpXstrDup" ); } else { while (i-- > 0) { - new[i] = x[i]; + newstr[i] = x[i]; } } x = NULL; } - return new; /* return the duplicate or NULL on error */ + return newstr; /* return the duplicate or NULL on error */ } /* ************************************************************** * @@ -374,21 +374,21 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, pam_get_item( pamh, PAM_SERVICE, (const void **)&service ); if (data_name != NULL) { - struct _pam_failed_auth *new = NULL; + struct _pam_failed_auth *newauth = NULL; const struct _pam_failed_auth *old = NULL; /* get a failure recorder */ - new = SMB_MALLOC_P( struct _pam_failed_auth ); + newauth = SMB_MALLOC_P( struct _pam_failed_auth ); - if (new != NULL) { + if (newauth != NULL) { /* any previous failures for this user ? */ pam_get_data(pamh, data_name, (const void **) &old); if (old != NULL) { - new->count = old->count + 1; - if (new->count >= SMB_MAX_RETRIES) { + newauth->count = old->count + 1; + if (newauth->count >= SMB_MAX_RETRIES) { retval = PAM_MAXTRIES; } } else { 
@@ -396,17 +396,17 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, "failed auth request by %s for service %s as %s", uidtoname(getuid()), service ? service : "**unknown**", name); - new->count = 1; + newauth->count = 1; } - if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) { + if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id)))) { _log_err(LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), service ? service : "**unknown**", name); } - new->user = smbpXstrDup( name ); - new->agent = smbpXstrDup( uidtoname( getuid() ) ); - pam_set_data( pamh, data_name, new, _cleanup_failures ); + newauth->user = smbpXstrDup( name ); + newauth->agent = smbpXstrDup( uidtoname( getuid() ) ); + pam_set_data( pamh, data_name, newauth, _cleanup_failures ); } else { _log_err( LOG_CRIT, "no memory for failure recorder" ); -- cgit From 9c15bd311db76885b27f30ba92d885833f668550 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Sat, 28 Jan 2006 22:53:04 +0000 Subject: r13212: r12414@cabra: derrell | 2006-01-28 17:52:17 -0500 lp_load() could not be called multiple times to modify parameter settings based on reading from multiple configuration settings. Each time, it initialized all of the settings back to their defaults before reading the specified configuration file. This patch adds a parameter to lp_load() specifying whether the settings should be initialized. It does, however, still force the settings to be initialized the first time, even if the request was to not initialize them. (Not doing so could wreak havoc due to uninitialized values.) (This used to be commit f2a24de769d1b2266e576597c57a8e3b1e2a2b51) --- source3/pam_smbpass/support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 82d51103d2..3f2c638816 100644 --- a/source3/pam_smbpass/support.c 
+++ b/source3/pam_smbpass/support.c @@ -167,7 +167,7 @@ int set_ctrl( int flags, int argc, const char **argv ) /* Read some options from the Samba config. Can be overridden by the PAM config. */ - if(lp_load(service_file,True,False,False) == False) { + if(lp_load(service_file,True,False,False,True) == False) { _log_err( LOG_ERR, "Error loading service file %s", service_file ); } -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/pam_smbpass/support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 3f2c638816..add74acc5d 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -398,7 +398,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, service ? service : "**unknown**", name); newauth->count = 1; } - if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id)))) { + if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) { _log_err(LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), -- cgit From 2203bed32c84c63737f402accf73452efb76b483 Mon Sep 17 00:00:00 2001 
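Review bot: The updated `lp_load(service_file,True,False,False,True)` call still treats a failed load as non-fatal: the `== False` branch only logs "Error loading service file" and set_ctrl goes on to derive the module's control flags (e.g. from lp_null_passwords(), just below this hunk in the earlier history) from whatever defaults the loader left behind. For an authentication module that is the fail-open direction; consider recording the failure in ctrl so the caller can refuse to authenticate, or at least add a comment above the call stating that an unreadable smb.conf yields compiled-in defaults. set_ctrl starts and ends outside the hunk.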
From: Gerald Carter Date: Mon, 20 Feb 2006 20:09:36 +0000 Subject: r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0) --- source3/pam_smbpass/support.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index add74acc5d..c318a5c3ed 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -305,7 +305,7 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err ) } } -int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, +int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass, const char *p, unsigned int ctrl ) { uchar lm_pw[16]; @@ -437,7 +437,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, * - to avoid prompting for one in such cases (CG) */ -int _smb_blankpasswd( unsigned int ctrl, SAM_ACCOUNT *sampass ) +int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass ) { int retval; -- cgit From fbc58eb455bd6f48725b0a817c28c8d5e02f69b4 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sat, 6 May 2006 20:05:43 +0000 Subject: r15477: Committing parts of the patch Timur has submitted for bug 2961, as agreed upon on irc. Thanks, Volker (This used to be commit 51b415d2306f8244d7449756e4fa873adfc8fbe7) --- source3/pam_smbpass/support.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index c318a5c3ed..2ee43ffa1e 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -114,7 +114,7 @@ struct pam_response *resp; pmsg[0] = &msg[0]; - msg[0].msg = text; + msg[0].msg = CONST_DISCARD(char *, text); msg[0].msg_style = type; resp = NULL; @@ -515,7 +515,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl, if (comment != NULL && off(SMB__QUIET, ctrl)) { pmsg[0] = &msg[0]; msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = comment; + msg[0].msg = CONST_DISCARD(char *, comment); i = 1; } else { i = 0; @@ -523,12 +523,12 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl, pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt1; + msg[i++].msg = CONST_DISCARD(char *, prompt1); if (prompt2 != NULL) { pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt2; + msg[i++].msg = CONST_DISCARD(char *, prompt2); expect = 2; } else expect = 1; -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/pam_smbpass/support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 2ee43ffa1e..c3cc333675 100644 --- a/source3/pam_smbpass/support.c 
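Review bot: The `CONST_DISCARD(char *, text)` cast in make_remark, and the three matching casts in _smb_read_password further down, drop const without saying why that is safe, which invites a future reader to conclude the message buffer may be modified. A one-line comment at the first cast would settle it: `/* pam_message.msg is non-const in the PAM API; the text is expected to be only read by the conversation function */`. The same note belongs once near the _smb_read_password casts, whose enclosing function begins outside these hunks.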
+++ b/source3/pam_smbpass/support.c @@ -2,7 +2,7 @@ * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) + * Software Foundation; either version 3 of the License, or (at your option) * any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/pam_smbpass/support.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index c3cc333675..78d6441c90 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -11,8 +11,7 @@ * more details. * * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. + * this program; if not, see . */ #include "includes.h" -- cgit From 7faee02d0d351c5c039e8f1be7e82ce3a93cbe96 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 10 Dec 2007 11:30:37 -0800 Subject: Remove the char[1024] strings from dynconfig. Replace them with malloc'ing accessor functions. Should save a lot of static space :-). Jeremy. (This used to be commit 52dc5eaef2106015b3a8b659e818bdb15ad94b05) --- source3/pam_smbpass/support.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 78d6441c90..9d56bd4950 100644 --- a/source3/pam_smbpass/support.c 
+++ b/source3/pam_smbpass/support.c @@ -63,7 +63,7 @@ /* default configuration file location */ - char *servicesf = dyn_CONFIGFILE; + const char *servicesf = get_dyn_CONFIGFILE(); /* syslogging function for errors and other information */ @@ -128,7 +128,7 @@ int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - const char *service_file = dyn_CONFIGFILE; + const char *service_file = get_dyn_CONFIGFILE(); unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ -- cgit From ceedf1a111598c815ffef9a0fe312689cc4bf136 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 13 Dec 2007 12:55:32 +0300 Subject: Fix pam_smbpass build (This used to be commit fbc510f1717fe82338262c18c252d18987c55b5c) --- source3/pam_smbpass/support.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 9d56bd4950..bc9481d9e9 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -61,10 +61,6 @@ void _cleanup(pam_handle_t *, void *, int); char *_pam_delete(register char *); - /* default configuration file location */ - - const char *servicesf = get_dyn_CONFIGFILE(); - /* syslogging function for errors and other information */ void _log_err( int err, const char *format, ... ) @@ -128,7 +124,7 @@ int set_ctrl( int flags, int argc, const char **argv ) { int i = 0; - const char *service_file = get_dyn_CONFIGFILE(); + const char *service_file = NULL; unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ @@ -139,7 +135,7 @@ int set_ctrl( int flags, int argc, const char **argv ) set( SMB__NONULL, ctrl ); /* initialize service file location */ - service_file=servicesf; + service_file=get_dyn_CONFIGFILE(); if (flags & PAM_SILENT) { set( SMB__QUIET, ctrl ); -- cgit From 16b8d9436c1054c042725145e55302758e4fbe26 Mon Sep 17 00:00:00 2001 
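Review bot: `const char *servicesf = get_dyn_CONFIGFILE();` at what appears to be file scope (it sits among the prototypes for _cleanup and _pam_delete) initializes an object of static storage duration with a function call, which C does not permit — the initializer must be a constant expression — so this will not compile, unlike the previous `dyn_CONFIGFILE` array-to-pointer initializer. Since set_ctrl already initializes its own `service_file` from the same accessor in the second hunk, the global looks redundant; drop it, or make it a NULL-initialized pointer filled in lazily inside set_ctrl. The surrounding declarations begin outside this hunk.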
From: Michael Adam Date: Mon, 10 Mar 2008 12:32:56 +0100 Subject: Reformat: Remove indentation of part of pam_smbpass/support.c by one tab. The first 120 lines of this source file were indented by one tab. Sorry, but I could not stand this.. Michael (This used to be commit 728723dea39b2e978bfc4162ef99e883f3647a4b) --- source3/pam_smbpass/support.c | 204 +++++++++++++++++++++--------------------- 1 file changed, 102 insertions(+), 102 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index bc9481d9e9..bb54ef6dd3 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c 
@@ -1,125 +1,125 @@ - /* Unix NT password database implementation, version 0.6. - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, see . - */ +/* Unix NT password database implementation, version 0.6. + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 3 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, see . + */ - #include "includes.h" - #include "general.h" +#include "includes.h" +#include "general.h" - #include "support.h" +#include "support.h" - #define _pam_overwrite(x) \ - do { \ - register char *__xx__; \ - if ((__xx__=(x))) \ - while (*__xx__) \ - *__xx__++ = '\0'; \ - } while (0) +#define _pam_overwrite(x) \ +do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +} while (0) - /* - * Don't just free it, forget it too. - */ +/* + * Don't just free it, forget it too. 
+ */ - #define _pam_drop(X) \ - do { \ - if (X) { \ - free(X); \ - X=NULL; \ - } \ - } while (0) - - #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ - do { \ - int reply_i; \ - \ - for (reply_i=0; reply_iconv(nargs, (const struct pam_message **) message - ,response, conv->appdata_ptr); + retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); + if (retval == PAM_SUCCESS) { - if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - ,pam_strerror(pamh, retval)); - } - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" + retval = conv->conv(nargs, (const struct pam_message **) message + ,response, conv->appdata_ptr); + + if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { + _log_err(LOG_DEBUG, "conversation failure [%s]" ,pam_strerror(pamh, retval)); } - - return retval; /* propagate error status */ + } else { + _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" + ,pam_strerror(pamh, retval)); } - int make_remark( pam_handle_t * pamh, unsigned int ctrl - , int type, const char *text ) - { - if (off(SMB__QUIET, ctrl)) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; + return retval; /* propagate error status */ +} - pmsg[0] = &msg[0]; - msg[0].msg = CONST_DISCARD(char *, text); - msg[0].msg_style = type; - resp = NULL; +int make_remark( pam_handle_t * pamh, unsigned int ctrl + , int type, const char *text ) +{ + if (off(SMB__QUIET, ctrl)) { + struct pam_message *pmsg[1], msg[1]; + struct pam_response *resp; - return converse(pamh, ctrl, 1, pmsg, &resp); - } - return PAM_SUCCESS; + pmsg[0] = &msg[0]; + msg[0].msg = CONST_DISCARD(char *, text); + msg[0].msg_style = type; + resp = NULL; + + return converse(pamh, ctrl, 1, pmsg, &resp); } + return PAM_SUCCESS; +} - /* set the control flags for the SMB module. */ +/* set the control flags for the SMB module. */ int set_ctrl( int flags, int argc, const char **argv ) { -- cgit 
From 765c3b953db8e4ab84fcfdce9d86356436a10f5b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 2 Jul 2008 10:51:45 -0700 Subject: Ensure consistent use of pdb_get_nt_passwd instead of pdb_get_lanman_passwd. Reported by hongbing Zhang . Jeremy. (This used to be commit ade27d8baa03816b6f5f480096dfb90f3e231e6a) --- source3/pam_smbpass/support.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/pam_smbpass/support.c') diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index bb54ef6dd3..8f537c4d8d 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -320,7 +320,7 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass, } #endif - if (!pdb_get_lanman_passwd(sampass)) + if (!pdb_get_nt_passwd(sampass)) { _log_err( LOG_DEBUG, "user %s has null SMB password" , name ); @@ -342,6 +342,7 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass, data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name )); if (data_name == NULL) { _log_err( LOG_CRIT, "no memory for data-name" ); + return PAM_AUTH_ERR; } strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) ); strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 ); @@ -410,13 +411,12 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass, uidtoname(getuid()), service ? service : "**unknown**", name); } - } else { - _log_err(LOG_NOTICE, - "failed auth request by %s for service %s as %s(%d)", - uidtoname(getuid()), - service ? service : "**unknown**", name); - retval = PAM_AUTH_ERR; } + _log_err(LOG_NOTICE, + "failed auth request by %s for service %s as %s(%d)", + uidtoname(getuid()), + service ? service : "**unknown**", name); + retval = PAM_AUTH_ERR; } _pam_delete( data_name ); 
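Review bot: Hoisting `retval = PAM_AUTH_ERR;` out of the removed `else` makes it run unconditionally after the `if (data_name != NULL)` block, so the `retval = PAM_MAXTRIES` set inside that block when `newauth->count >= SMB_MAX_RETRIES` (visible in the earlier history of this function) is overwritten and PAM_MAXTRIES can no longer be returned; applications relying on it to stop re-prompting or lock the account lose that signal. Guard it, `if (retval != PAM_MAXTRIES) retval = PAM_AUTH_ERR;`, or assign PAM_AUTH_ERR before the block and let the MAXTRIES path override. The hoisted `_log_err` also keeps the `%s(%d)` format with only three arguments and now fires in addition to the "failed auth request" message already logged in the `newauth->count = 1` branch, so a first failure is logged twice. _smb_verify_password begins outside the hunk.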
@@ -445,7 +445,10 @@ int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass ) if (on( SMB__NONULL, ctrl )) return 0; /* will fail but don't let on yet */ - if (pdb_get_lanman_passwd(sampass) == NULL) + if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) + return 0; + + if (pdb_get_nt_passwd(sampass) == NULL) retval = 1; else retval = 0; -- cgit
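Review bot: The new `if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) return 0;` changes _smb_blankpasswd's contract — an account with no NT hash is no longer treated as blank unless it is also flagged "password not required" — but nothing in the code says so, and the existing comment above ("will fail but don't let on yet") covers only the SMB__NONULL case. Add a comment on the new guard such as `/* only accounts explicitly marked ACB_PWNOTREQ may use an empty password; a missing NT hash alone is not enough */` so the tightening is deliberate and visible. The function's return is outside the hunk.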