-rw-r--r--source/pam_smbpass/pam_smb_acct.c11
-rw-r--r--source/pam_smbpass/pam_smb_auth.c44
-rw-r--r--source/pam_smbpass/pam_smb_passwd.c38
-rw-r--r--source/pam_smbpass/support.c53
-rw-r--r--source/pam_smbpass/support.h12
5 files changed, 81 insertions, 77 deletions
diff --git a/source/pam_smbpass/pam_smb_acct.c b/source/pam_smbpass/pam_smb_acct.c
index af0c21cad57..49ca8306153 100644
--- a/source/pam_smbpass/pam_smb_acct.c
+++ b/source/pam_smbpass/pam_smb_acct.c
@@ -46,7 +46,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
const char *name;
const char *p;
- struct smb_passwd *smb_pwent = NULL;
+ SAM_ACCOUNT *sampass = NULL;
extern BOOL in_client;
@@ -70,18 +70,19 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
_log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
}
- if (!initialize_password_db()) {
+ if (!initialize_password_db(True)) {
_log_err( LOG_ALERT, "Cannot access samba password database" );
return PAM_AUTHINFO_UNAVAIL;
}
/* Get the user's record. */
- smb_pwent = getsmbpwnam( name );
+ pdb_init_sam(&sampass);
+ pdb_getsampwnam(sampass, name );
- if (!smb_pwent)
+ if (!sampass)
return PAM_USER_UNKNOWN;
- if (smb_pwent->acct_ctrl & ACB_DISABLED) {
+ if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
if (on( SMB_DEBUG, ctrl )) {
_log_err( LOG_DEBUG
, "acct: account %s is administratively disabled", name );
diff --git a/source/pam_smbpass/pam_smb_auth.c b/source/pam_smbpass/pam_smb_auth.c
index 0e95a842993..09caa20c6db 100644
--- a/source/pam_smbpass/pam_smb_auth.c
+++ b/source/pam_smbpass/pam_smb_auth.c
@@ -45,7 +45,7 @@ do { \
} while (0)
static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
- const char *name, struct smb_passwd *smb_pwent);
+ const char *name, SAM_ACCOUNT *sampass);
/*
* pam_sm_authenticate() authenticates users against the samba password file.
@@ -65,9 +65,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
const char *name;
/* Points to memory managed by the PAM library. Do not free. */
- const char *p = NULL;
+ char *p = NULL;
- struct smb_passwd *smb_pwent = NULL;
+ SAM_ACCOUNT *sampass = NULL;
extern BOOL in_client;
@@ -94,20 +94,22 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
_log_err( LOG_DEBUG, "username [%s] obtained", name );
}
- if (!initialize_password_db()) {
+ if (!initialize_password_db(True)) {
_log_err( LOG_ALERT, "Cannot access samba password database" );
retval = PAM_AUTHINFO_UNAVAIL;
AUTH_RETURN;
}
- smb_pwent = getsmbpwnam( name );
+ pdb_init_sam(&sampass);
+
+ pdb_getsampwnam( sampass, name );
if (on( SMB_MIGRATE, ctrl )) {
- retval = _smb_add_user(pamh, ctrl, name, smb_pwent);
+ retval = _smb_add_user(pamh, ctrl, name, sampass);
AUTH_RETURN;
}
- if (smb_pwent == NULL) {
+ if (sampass == NULL) {
_log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
retval = PAM_USER_UNKNOWN;
AUTH_RETURN;
@@ -115,27 +117,29 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
/* if this user does not have a password... */
- if (_smb_blankpasswd( ctrl, smb_pwent )) {
- smb_pwent = NULL;
+ if (_smb_blankpasswd( ctrl, sampass )) {
+ pdb_free_sam(sampass);
+ sampass = NULL;
retval = PAM_SUCCESS;
AUTH_RETURN;
}
/* get this user's authentication token */
- retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL
- , _SMB_AUTHTOK, &p);
+ retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
if (retval != PAM_SUCCESS ) {
_log_err(LOG_CRIT, "auth: no password provided for [%s]"
, name);
- smb_pwent = NULL;
+ pdb_free_sam(sampass);
+ sampass = NULL;
AUTH_RETURN;
}
/* verify the password of this user */
- retval = _smb_verify_password( pamh, smb_pwent, p, ctrl );
- smb_pwent = NULL;
+ retval = _smb_verify_password( pamh, sampass, p, ctrl );
+ pdb_free_sam(sampass);
+ sampass = NULL;
p = NULL;
AUTH_RETURN;
}
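Review bot: sampass is freed twice on the verify path: _smb_verify_password now calls pdb_free_sam on its argument before returning (support.c, the hunk ending at its final `return retval;`), and pam_sm_authenticate frees the same object again at `pdb_free_sam(sampass);` immediately after the call. pam_sm_chauthtok in pam_smb_passwd.c has the same sequence and additionally reads `pdb_get_uid(sampass)` in its success log after the verify call, which is a use-after-free there. Since every caller already releases the record, the cleaner fix is to keep ownership with the caller and drop the `if (sampass) { pdb_free_sam(sampass); sampass = NULL; }` block at the end of _smb_verify_password; that also makes its early `return retval;` in the hash-compare branch, which does not free, consistent with the rest of the function. With the callee no longer freeing, its parameter could remain `const` as in the old signature, provided the pdb accessors accept a const pointer.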
@@ -165,11 +169,11 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
/* Helper function for adding a user to the db. */
static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
- const char *name, struct smb_passwd *smb_pwent)
+ const char *name, SAM_ACCOUNT *sampass)
{
pstring err_str;
pstring msg_str;
- const char *pass = NULL;
+ char *pass = NULL;
int retval;
err_str[0] = '\0';
@@ -187,7 +191,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
}
/* Add the user to the db if they aren't already there. */
- if (smb_pwent == NULL) {
+ if (sampass == NULL) {
retval = local_password_change( name, LOCAL_ADD_USER,
pass, err_str,
sizeof(err_str),
@@ -208,11 +212,9 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
}
/* Change the user's password IFF it's null. */
- if (smb_pwent->smb_passwd == NULL && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
+ if ((pdb_get_lanman_passwd(sampass) == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
{
- retval = local_password_change( name, 0,
- pass, err_str,
- sizeof(err_str),
+ retval = local_password_change( name, 0, pass, err_str, sizeof(err_str),
msg_str, sizeof(msg_str) );
if (!retval && *err_str)
{
diff --git a/source/pam_smbpass/pam_smb_passwd.c b/source/pam_smbpass/pam_smb_passwd.c
index e1bb8f37042..a200894db70 100644
--- a/source/pam_smbpass/pam_smb_passwd.c
+++ b/source/pam_smbpass/pam_smb_passwd.c
@@ -33,8 +33,7 @@
#include "support.h"
-int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user
- , const char *pass_new )
+int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user, char *pass_new )
{
char c;
int retval, i;
@@ -93,9 +92,9 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
extern BOOL in_client;
- struct smb_passwd *smb_pwent=NULL;
+ SAM_ACCOUNT *sampass = NULL;
const char *user;
- const char *pass_old, *pass_new;
+ char *pass_old, *pass_new;
/* Samba initialization. */
setup_logging( "pam_smbpass", False );
@@ -120,15 +119,16 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
_log_err( LOG_DEBUG, "username [%s] obtained", user );
}
- if (!initialize_password_db()) {
+ if (!initialize_password_db(True)) {
_log_err( LOG_ALERT, "Cannot access samba password database" );
return PAM_AUTHINFO_UNAVAIL;
}
/* obtain user record */
- smb_pwent = getsmbpwnam(user);
+ pdb_init_sam(&sampass);
+ pdb_samgetpwnam(sampass,user);
- if (smb_pwent == NULL) {
+ if (sampass == NULL) {
_log_err( LOG_ALERT, "Failed to find entry for user %s.", user );
return PAM_USER_UNKNOWN;
}
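Review bot: The lookup here is spelled `pdb_samgetpwnam(sampass,user)`, while pam_smb_acct.c and pam_smb_auth.c call `pdb_getsampwnam`; this call is the odd one out and should match, `pdb_getsampwnam(sampass, user);`. Once the unknown-user test is made effective, the `return PAM_USER_UNKNOWN;` branch also needs a `pdb_free_sam(sampass);` before it, since sampass is now heap-allocated by pdb_init_sam and pam_sm_chauthtok only releases it at its end (outside this hunk).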
@@ -141,7 +141,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
char *Announce;
- if (_smb_blankpasswd( ctrl, smb_pwent )) {
+ if (_smb_blankpasswd( ctrl, sampass )) {
return PAM_SUCCESS;
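Review bot: The `return PAM_SUCCESS;` after the blank-password check leaks sampass: it is allocated by pdb_init_sam a few lines above, and this early exit bypasses the pdb_free_sam that the commit adds at the end of pam_sm_chauthtok. Release it first, `pdb_free_sam(sampass); sampass = NULL; return PAM_SUCCESS;`. The previous getsmbpwnam result was only cleared and never freed, which is why the old code could return directly here.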
@@ -163,12 +163,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
#undef greeting
set( SMB__OLD_PASSWD, ctrl );
- retval = _smb_read_password( pamh, ctrl
- , Announce
- , "Current SMB password: "
- , NULL
- , _SMB_OLD_AUTHTOK
- , &pass_old );
+ retval = _smb_read_password( pamh, ctrl, Announce, "Current SMB password: ",
+ NULL, _SMB_OLD_AUTHTOK, &pass_old );
free( Announce );
if (retval != PAM_SUCCESS) {
@@ -179,7 +175,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
/* verify that this is the password for this user */
- retval = _smb_verify_password( pamh, smb_pwent, pass_old, ctrl );
+ retval = _smb_verify_password( pamh, sampass, pass_old, ctrl );
} else {
pass_old = NULL;
@@ -279,7 +275,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (retval == PAM_SUCCESS) {
/* password updated */
_log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)"
- , user, smb_pwent->smb_userid, uidtoname( getuid() )
+ , user, pdb_get_uid(sampass), uidtoname( getuid() )
, getuid() );
} else {
_log_err( LOG_ERR, "password change failed for user %s"
@@ -287,7 +283,10 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
pass_old = pass_new = NULL;
- smb_pwent = NULL;
+ if (sampass) {
+ pdb_free_sam(sampass);
+ sampass = NULL;
+ }
} else { /* something has broken with the library */
@@ -295,6 +294,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
retval = PAM_ABORT;
}
+
+ if (sampass) {
+ pdb_free_sam(sampass);
+ sampass = NULL;
+ }
return retval;
}
diff --git a/source/pam_smbpass/support.c b/source/pam_smbpass/support.c
index 01f4aa30c7d..b3d6415d3ee 100644
--- a/source/pam_smbpass/support.c
+++ b/source/pam_smbpass/support.c
@@ -296,9 +296,8 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
}
}
-int _smb_verify_password( pam_handle_t * pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl )
+int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
+ const char *p, unsigned int ctrl )
{
uchar hash_pass[16];
uchar lm_pw[16];
@@ -307,10 +306,10 @@ int _smb_verify_password( pam_handle_t * pamh
char *data_name;
const char *name;
- if (!smb_pwent)
+ if (!sampass)
return PAM_ABORT;
- name = smb_pwent->smb_name;
+ name = pdb_get_username(sampass);
#ifdef HAVE_PAM_FAIL_DELAY
if (off( SMB_NODELAY, ctrl )) {
@@ -318,13 +317,13 @@ int _smb_verify_password( pam_handle_t * pamh
}
#endif
- if (!smb_pwent->smb_passwd)
+ if (!pdb_get_lm_pw(sampass))
{
_log_err( LOG_DEBUG, "user %s has null SMB password"
, name );
if (off( SMB__NONULL, ctrl )
- && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
+ && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
{ /* this means we've succeeded */
return PAM_SUCCESS;
} else {
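Review bot: The accessor on the changed line is `pdb_get_lm_pw(sampass)`, but every equivalent check elsewhere in this commit uses `pdb_get_lanman_passwd` (the memcmp later in this function, _smb_blankpasswd, and _smb_add_user in pam_smb_auth.c). Unless both names exist this line will not compile; either way one accessor should be used throughout, `if (!pdb_get_lanman_passwd(sampass))`.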
@@ -335,13 +334,12 @@ int _smb_verify_password( pam_handle_t * pamh
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
return PAM_AUTH_ERR;
}
}
- data_name = (char *) malloc( sizeof(FAIL_PREFIX)
- + strlen( name ));
+ data_name = (char *) malloc( sizeof(FAIL_PREFIX) + strlen( name ));
if (data_name == NULL) {
_log_err( LOG_CRIT, "no memory for data-name" );
}
@@ -353,9 +351,8 @@ int _smb_verify_password( pam_handle_t * pamh
if (strlen( p ) == 16 || (strlen( p ) == 32
&& pdb_gethexpwd( p, (char *) hash_pass ))) {
- if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 )
- || (smb_pwent->smb_nt_passwd
- && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 )))
+ if (!memcmp( hash_pass, pdb_get_lanman_passwd(sampass), 16 )
+ || (!memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 )))
{
retval = PAM_SUCCESS;
if (data_name) { /* reset failures */
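Review bot: The NULL guard on the NT hash was dropped in the rewritten comparison: the old code only called memcmp on smb_nt_passwd when it was non-NULL, but the new `|| (!memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 ))` passes the accessor's result straight to memcmp, which is undefined behaviour for an account without an NT hash. Keep the guard, `|| (pdb_get_nt_passwd(sampass) && !memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 ))`. The LanMan side is covered by the null-password check earlier in this function, assuming that check and this memcmp resolve to the same accessor.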
@@ -363,7 +360,6 @@ int _smb_verify_password( pam_handle_t * pamh
}
_pam_delete( data_name );
memset( hash_pass, '\0', 16 );
- smb_pwent = NULL;
return retval;
}
}
@@ -378,7 +374,7 @@ int _smb_verify_password( pam_handle_t * pamh
/* the moment of truth -- do we agree with the password? */
- if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) {
+ if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
retval = PAM_SUCCESS;
if (data_name) { /* reset failures */
@@ -414,11 +410,11 @@ int _smb_verify_password( pam_handle_t * pamh
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
new->count = 1;
}
new->user = xstrdup( name );
- new->id = smb_pwent->smb_userid;
+ new->id = pdb_get_uid(sampass);
new->agent = xstrdup( uidtoname( getuid() ) );
pam_set_data( pamh, data_name, new, _cleanup_failures );
@@ -428,20 +424,24 @@ int _smb_verify_password( pam_handle_t * pamh
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
}
} else {
_log_err( LOG_NOTICE
, "failed auth request by %s for service %s as %s(%d)"
, uidtoname( getuid() )
, service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ , pdb_get_uid(sampass) );
retval = PAM_AUTH_ERR;
}
}
_pam_delete( data_name );
- smb_pwent = NULL;
+ if (sampass) {
+ pdb_free_sam(sampass);
+ sampass = NULL;
+ }
+
return retval;
}
@@ -453,7 +453,7 @@ int _smb_verify_password( pam_handle_t * pamh
* - to avoid prompting for one in such cases (CG)
*/
-int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
+int _smb_blankpasswd( unsigned int ctrl, SAM_ACCOUNT *sampass )
{
int retval;
@@ -466,7 +466,7 @@ int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
if (on( SMB__NONULL, ctrl ))
return 0; /* will fail but don't let on yet */
- if (smb_pwent->smb_passwd == NULL)
+ if (pdb_get_lanman_passwd(sampass) == NULL)
retval = 1;
else
retval = 0;
@@ -478,14 +478,13 @@ int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
* obtain a password from the user
*/
-int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl
- , const char *comment, const char *prompt1
- , const char *prompt2, const char *data_name
- , const char **pass )
+int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
+ char *comment, char *prompt1,
+ char *prompt2, char *data_name, char **pass )
{
int authtok_flag;
int retval;
- const char *item = NULL;
+ char *item = NULL;
char *token;
struct pam_message msg[3], *pmsg[3];
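Review bot: The rewritten signature drops `const` from every string parameter of _smb_read_password (`comment`, `prompt1`, `prompt2`, `data_name`, and the `pass` out-parameter), and the same change is made to the prototype in support.h and to the callers' locals (`char *p` in pam_sm_authenticate, `char *pass_old, *pass_new` in pam_sm_chauthtok). Callers pass string literals such as "Password: " and "Current SMB password: " for the prompts, so a `char *` parameter now admits writes into read-only storage without a compiler warning, and `item` presumably receives a pam_get_item result, which is const in the PAM API. Nothing visible in the hunk needs to modify these strings, so the qualifiers should be restored, `const char *comment, const char *prompt1, const char *prompt2, const char *data_name, const char **pass`; if the change was made to silence a cast warning at one call, a local cast there is preferable to widening the interface.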
diff --git a/source/pam_smbpass/support.h b/source/pam_smbpass/support.h
index 85bbd0a523c..da27f759a5b 100644
--- a/source/pam_smbpass/support.h
+++ b/source/pam_smbpass/support.h
@@ -26,9 +26,8 @@ extern BOOL strequal(const char *, const char *);
extern struct smb_passwd *
_my_get_smbpwnam(FILE *, const char *, BOOL *, BOOL *, long *);
-extern int _smb_verify_password( pam_handle_t *pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl );
+extern int _smb_verify_password( pam_handle_t *pamh , SAM_ACCOUNT *sampass,
+ const char *p, unsigned int ctrl );
/*
* this function obtains the name of the current user and ensures
@@ -40,13 +39,12 @@ extern int _smb_get_user(pam_handle_t *, unsigned int,
/* _smb_blankpasswd() is a quick check for a blank password */
-extern int _smb_blankpasswd(unsigned int, const struct smb_passwd *);
+extern int _smb_blankpasswd(unsigned int, SAM_ACCOUNT *sampass);
/* obtain a password from the user */
-extern int _smb_read_password( pam_handle_t *, unsigned int, const char*,
- const char *, const char *, const char *,
- const char **);
+extern int _smb_read_password( pam_handle_t *, unsigned int, char*,
+ char *, char *, char *, char **);
extern int _pam_smb_approve_pass(pam_handle_t *, unsigned int, const char *,
const char *);