Diffstat (limited to 'source')
-rw-r--r-- | source/include/mapping.h | 48 | ||||
-rw-r--r-- | source/include/util_getent.h | 45 | ||||
-rw-r--r-- | source/libsmb/cli_netlogon.c | 128 | ||||
-rw-r--r-- | source/libsmb/cli_srvsvc.c | 128 | ||||
-rw-r--r-- | source/nsswitch/winbind_nss_solaris.c | 279 | ||||
-rw-r--r-- | source/nsswitch/winbindd_sid.c | 244 | ||||
-rw-r--r-- | source/pam_smbpass/CHANGELOG | 31 | ||||
-rw-r--r-- | source/pam_smbpass/README | 66 | ||||
-rw-r--r-- | source/pam_smbpass/TODO | 7 | ||||
-rw-r--r-- | source/pam_smbpass/general.h | 123 | ||||
-rw-r--r-- | source/pam_smbpass/samples/README | 3 | ||||
-rw-r--r-- | source/pam_smbpass/samples/kdc-pdc | 15 | ||||
-rw-r--r-- | source/pam_smbpass/samples/password-mature | 14 | ||||
-rw-r--r-- | source/pam_smbpass/samples/password-migration | 18 | ||||
-rw-r--r-- | source/pam_smbpass/samples/password-sync | 15 | ||||
-rw-r--r-- | source/pam_smbpass/support.c | 651 | ||||
-rw-r--r-- | source/pam_smbpass/support.h | 52 |
17 files changed, 0 insertions, 1867 deletions
diff --git a/source/include/mapping.h b/source/include/mapping.h
deleted file mode 100644
index f3e0be6e4a7..00000000000
--- a/source/include/mapping.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Unix SMB/Netbios implementation.
- * Version 1.9.
- * RPC Pipe client / server routines
- * Copyright (C) Andrew Tridgell 1992-2000,
- * Copyright (C) Jean François Micouleau 1998-2001.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-
-typedef struct _GROUP_MAP {
- gid_t gid;
- DOM_SID sid;
- enum SID_NAME_USE sid_name_use;
- fstring nt_name;
- fstring comment;
- uint32 privilege;
-} GROUP_MAP;
-
-typedef struct _PRIVS {
- uint32 se_priv;
- char *priv;
- char *description;
-} PRIVS;
-
-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_USERS 0x0001
-#define SE_PRIV_ADD_MACHINES 0x0002
-#define SE_PRIV_PRINT_OPERATOR 0x0004
-#define SE_PRIV_ALL 0xffff
-
-#define PRIV_ALL_INDEX 4
-
-
-#define ENUM_ONLY_MAPPED True
-#define ENUM_ALL_MAPPED False
diff --git a/source/include/util_getent.h b/source/include/util_getent.h
deleted file mode 100644
index 11926b89641..00000000000
--- a/source/include/util_getent.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 3.0
- Samba utility functions
- Copyright (C) Simo Sorce 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-/* element for a single linked list of group entries */
-/* replace the use of struct group in some cases */
-/* used by getgrent_list() */
-struct sys_grent {
- char *gr_name;
- char *gr_passwd;
- gid_t gr_gid;
- char **gr_mem;
- struct sys_grent *next;
-};
-
-/* element for a single linked list of passwd entries */
-/* replace the use of struct passwd in some cases */
-/* used by getpwent_list() */
-struct sys_pwent {
- char *pw_name;
- char *pw_passwd;
- uid_t pw_uid;
- gid_t pw_gid;
- char *pw_gecos;
- char *pw_dir;
- char *pw_shell;
- struct sys_pwent *next;
-};
diff --git a/source/libsmb/cli_netlogon.c b/source/libsmb/cli_netlogon.c
deleted file mode 100644
index 47b7c2f22ec..00000000000
--- a/source/libsmb/cli_netlogon.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 1.9.
- NT Domain Authentication SMB / MSRPC client
- Copyright (C) Andrew Tridgell 1994-2000
- Copyright (C) Luke Kenneth Casson Leighton 1996-2000
- Copyright (C) Tim Potter 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/* Opens a SMB connection to the netlogon pipe */
-
-struct cli_state *cli_netlogon_initialise(struct cli_state *cli,
- char *system_name,
- struct ntuser_creds *creds)
-{
- struct in_addr dest_ip;
- struct nmb_name calling, called;
- fstring dest_host;
- extern pstring global_myname;
- struct ntuser_creds anon;
-
- /* Initialise cli_state information */
-
- if (!cli_initialise(cli)) {
- return NULL;
- }
-
- if (!creds) {
- ZERO_STRUCT(anon);
- anon.pwd.null_pwd = 1;
- creds = &anon;
- }
-
- cli_init_creds(cli, creds);
-
- /* Establish a SMB connection */
-
- if (!resolve_srv_name(system_name, dest_host, &dest_ip)) {
- return NULL;
- }
-
- make_nmb_name(&called, dns_to_netbios_name(dest_host), 0x20);
- make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
-
- if (!cli_establish_connection(cli, dest_host, &dest_ip, &calling,
- &called, "IPC$", "IPC", False, True)) {
- return NULL;
- }
-
- /* Open a NT session thingy */
-
- if (!cli_nt_session_open(cli, PIPE_NETLOGON)) {
- cli_shutdown(cli);
- return NULL;
- }
-
- return cli;
-}
-
-/* Shut down a SMB connection to the netlogon pipe */
-
-void cli_netlogon_shutdown(struct cli_state *cli)
-{
- if (cli->fd != -1) cli_ulogoff(cli);
- cli_shutdown(cli);
-}
-
-/* Logon Control 2 */
-
-uint32 cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
- uint32 query_level)
-{
- prs_struct qbuf, rbuf;
- NET_Q_LOGON_CTRL2 q;
- NET_R_LOGON_CTRL2 r;
- uint32 result = NT_STATUS_UNSUCCESSFUL;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise parse structures */
-
- prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
- prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
-
- /* Initialise input parameters */
-
- init_net_q_logon_ctrl2(&q, cli->srv_name_slash, query_level);
-
- /* Marshall data and send request */
-
- if (!net_io_q_logon_ctrl2("", &q, &qbuf, 0) ||
- !rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &qbuf, &rbuf)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Unmarshall response */
-
- if (!net_io_r_logon_ctrl2("", &r, &rbuf, 0)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- result = r.status;
-
- done:
- prs_mem_free(&qbuf);
- prs_mem_free(&rbuf);
-
- return result;
-}
diff --git a/source/libsmb/cli_srvsvc.c b/source/libsmb/cli_srvsvc.c
deleted file mode 100644
index 8209d9301f1..00000000000
--- a/source/libsmb/cli_srvsvc.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 1.9.
- NT Domain Authentication SMB / MSRPC client
- Copyright (C) Andrew Tridgell 1994-2000
- Copyright (C) Luke Kenneth Casson Leighton 1996-2000
- Copyright (C) Tim Potter 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/* Opens a SMB connection to the svrsvc pipe */
-
-struct cli_state *cli_svrsvc_initialise(struct cli_state *cli,
- char *system_name,
- struct ntuser_creds *creds)
-{
- struct in_addr dest_ip;
- struct nmb_name calling, called;
- fstring dest_host;
- extern pstring global_myname;
- struct ntuser_creds anon;
-
- /* Initialise cli_state information */
-
- if (!cli_initialise(cli)) {
- return NULL;
- }
-
- if (!creds) {
- ZERO_STRUCT(anon);
- anon.pwd.null_pwd = 1;
- creds = &anon;
- }
-
- cli_init_creds(cli, creds);
-
- /* Establish a SMB connection */
-
- if (!resolve_srv_name(system_name, dest_host, &dest_ip)) {
- return NULL;
- }
-
- make_nmb_name(&called, dns_to_netbios_name(dest_host), 0x20);
- make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
-
- if (!cli_establish_connection(cli, dest_host, &dest_ip, &calling,
- &called, "IPC$", "IPC", False, True)) {
- return NULL;
- }
-
- /* Open a NT session thingy */
-
- if (!cli_nt_session_open(cli, PIPE_SRVSVC)) {
- cli_shutdown(cli);
- return NULL;
- }
-
- return cli;
-}
-
-/* Shut down a SMB connection to the srvsvc pipe */
-
-void cli_srvsvc_shutdown(struct cli_state *cli)
-{
- if (cli->fd != -1) cli_ulogoff(cli);
- cli_shutdown(cli);
-}
-
-uint32 cli_srvsvc_net_srv_get_info(struct cli_state *cli, TALLOC_CTX *mem_ctx,
- uint32 switch_value, SRV_INFO_CTR *ctr)
-{
- prs_struct qbuf, rbuf;
- SRV_Q_NET_SRV_GET_INFO q;
- SRV_R_NET_SRV_GET_INFO r;
- uint32 result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise parse structures */
-
- prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
- prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
-
- /* Initialise input parameters */
-
- init_srv_q_net_srv_get_info(&q, cli->srv_name_slash, switch_value);
-
- /* Marshall data and send request */
-
- if (!srv_io_q_net_srv_get_info("", &q, &qbuf, 0) ||
- !rpc_api_pipe_req(cli, SRV_NET_SRV_GET_INFO, &qbuf, &rbuf)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Unmarshall response */
-
- r.ctr = ctr;
-
- if (!srv_io_r_net_srv_get_info("", &r, &rbuf, 0)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- result = r.status;
-
- done:
- prs_mem_free(&qbuf);
- prs_mem_free(&rbuf);
-
- return result;
-}
diff --git a/source/nsswitch/winbind_nss_solaris.c b/source/nsswitch/winbind_nss_solaris.c
deleted file mode 100644
index de8a63b90bf..00000000000
--- a/source/nsswitch/winbind_nss_solaris.c
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
- Solaris NSS wrapper for winbind
-
- Shirish Kalele 2000
-
- Based on Luke Howard's ldap_nss module for Solaris
- */
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <string.h>
-#include <pwd.h>
-#include <syslog.h>
-#include <sys/syslog.h>
-#include "includes.h"
-#include "winbind_nss_config.h"
-
-#ifdef HAVE_NSS_COMMON_H
-
-#undef NSS_DEBUG
-
-#ifdef NSS_DEBUG
-#define NSS_DEBUG(str) syslog(LOG_DEBUG, "nss_winbind: %s", str);
-#else
-#define NSS_DEBUG(str) ;
-#endif
-
-#define NSS_ARGS(args) ((nss_XbyY_args_t *)args)
-
-#define make_pwent_str(dest, src) \
-{ \
- if((dest = get_static(buffer, buflen, strlen(src)+1)) == NULL) \
- { \
- *errnop = ERANGE; \
- NSS_DEBUG("ERANGE error"); \
- return NSS_STATUS_TRYAGAIN; \
- } \
- strcpy(dest, src); \
-}
-
-static NSS_STATUS _nss_winbind_setpwent_solwrap (nss_backend_t* be, void* args)
-{
- NSS_DEBUG("_nss_winbind_setpwent_solwrap");
- return _nss_winbind_setpwent();
-}
-
-static NSS_STATUS
-_nss_winbind_endpwent_solwrap (nss_backend_t * be, void *args)
-{
- NSS_DEBUG("_nss_winbind_endpwent_solwrap");
- return _nss_winbind_endpwent();
-}
-
-static NSS_STATUS
-_nss_winbind_getpwent_solwrap (nss_backend_t* be, void *args)
-{
- NSS_STATUS ret;
- char* buffer = NSS_ARGS(args)->buf.buffer;
- int buflen = NSS_ARGS(args)->buf.buflen;
- struct passwd* result = (struct passwd*) NSS_ARGS(args)->buf.result;
- int* errnop = &NSS_ARGS(args)->erange;
- char logmsg[80];
-
- ret = _nss_winbind_getpwent_r(result, buffer,
- buflen, errnop);
-
- if(ret == NSS_STATUS_SUCCESS)
- {
- snprintf(logmsg, 79, "_nss_winbind_getpwent_solwrap: Returning user: %s\n",
- result->pw_name);
- NSS_DEBUG(logmsg);
- NSS_ARGS(args)->returnval = (void*) result;
- } else {
- snprintf(logmsg, 79, "_nss_winbind_getpwent_solwrap: Returning error: %d.\n",ret);
- NSS_DEBUG(logmsg);
- }
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getpwnam_solwrap (nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct passwd* result = (struct passwd*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getpwnam_solwrap");
-
- ret = _nss_winbind_getpwnam_r (NSS_ARGS(args)->key.name,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getpwuid_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct passwd* result = (struct passwd*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getpwuid_solwrap");
- ret = _nss_winbind_getpwuid_r (NSS_ARGS(args)->key.uid,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS _nss_winbind_passwd_destr (nss_backend_t * be, void *args)
-{
- free(be);
- NSS_DEBUG("_nss_winbind_passwd_destr");
- return NSS_STATUS_SUCCESS;
-}
-
-static nss_backend_op_t passwd_ops[] =
-{
- _nss_winbind_passwd_destr,
- _nss_winbind_endpwent_solwrap, /* NSS_DBOP_ENDENT */
- _nss_winbind_setpwent_solwrap, /* NSS_DBOP_SETENT */
- _nss_winbind_getpwent_solwrap, /* NSS_DBOP_GETENT */
- _nss_winbind_getpwnam_solwrap, /* NSS_DBOP_PASSWD_BYNAME */
- _nss_winbind_getpwuid_solwrap /* NSS_DBOP_PASSWD_BYUID */
-};
-
-nss_backend_t*
-_nss_winbind_passwd_constr (const char* db_name,
- const char* src_name,
- const char* cfg_args)
-{
- nss_backend_t *be;
-
- if(!(be = (nss_backend_t*) malloc(sizeof(nss_backend_t))) )
- return NULL;
-
- be->ops = passwd_ops;
- be->n_ops = sizeof(passwd_ops) / sizeof(nss_backend_op_t);
-
- NSS_DEBUG("Initialized nss_winbind passwd backend");
- return be;
-}
-
-/*****************************************************************
- GROUP database backend
- *****************************************************************/
-
-static NSS_STATUS _nss_winbind_setgrent_solwrap (nss_backend_t* be, void* args)
-{
- NSS_DEBUG("_nss_winbind_setgrent_solwrap");
- return _nss_winbind_setgrent();
-}
-
-static NSS_STATUS
-_nss_winbind_endgrent_solwrap (nss_backend_t * be, void *args)
-{
- NSS_DEBUG("_nss_winbind_endgrent_solwrap");
- return _nss_winbind_endgrent();
-}
-
-static NSS_STATUS
-_nss_winbind_getgrent_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- char* buffer = NSS_ARGS(args)->buf.buffer;
- int buflen = NSS_ARGS(args)->buf.buflen;
- struct group* result = (struct group*) NSS_ARGS(args)->buf.result;
- int* errnop = &NSS_ARGS(args)->erange;
- char logmsg[80];
-
- ret = _nss_winbind_getgrent_r(result, buffer,
- buflen, errnop);
-
- if(ret == NSS_STATUS_SUCCESS)
- {
- snprintf(logmsg, 79, "_nss_winbind_getgrent_solwrap: Returning group: %s\n", result->gr_name);
- NSS_DEBUG(logmsg);
- NSS_ARGS(args)->returnval = (void*) result;
- } else {
- snprintf(logmsg, 79, "_nss_winbind_getgrent_solwrap: Returning error: %d.\n", ret);
- NSS_DEBUG(logmsg);
- }
-
- return ret;
-
-}
-
-static NSS_STATUS
-_nss_winbind_getgrnam_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct group* result = (struct group*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getgrnam_solwrap");
- ret = _nss_winbind_getgrnam_r(NSS_ARGS(args)->key.name,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
-
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getgrgid_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct group* result = (struct group*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getgrgid_solwrap");
- ret = _nss_winbind_getgrgid_r (NSS_ARGS(args)->key.gid,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
-
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getgroupsbymember_solwrap(nss_backend_t* be, void* args)
-{
- NSS_DEBUG("_nss_winbind_getgroupsbymember");
- return NSS_STATUS_NOTFOUND;
-}
-
-static NSS_STATUS
-_nss_winbind_group_destr (nss_backend_t* be, void* args)
-{
- free(be);
- NSS_DEBUG("_nss_winbind_group_destr");
- return NSS_STATUS_SUCCESS;
-}
-
-static nss_backend_op_t group_ops[] =
-{
- _nss_winbind_group_destr,
- _nss_winbind_endgrent_solwrap,
- _nss_winbind_setgrent_solwrap,
- _nss_winbind_getgrent_solwrap,
- _nss_winbind_getgrnam_solwrap,
- _nss_winbind_getgrgid_solwrap,
- _nss_winbind_getgroupsbymember_solwrap
-};
-
-nss_backend_t*
-_nss_winbind_group_constr (const char* db_name,
- const char* src_name,
- const char* cfg_args)
-{
- nss_backend_t* be;
-
- if(!(be = (nss_backend_t*) malloc(sizeof(nss_backend_t))) )
- return NULL;
-
- be->ops = group_ops;
- be->n_ops = sizeof(group_ops) / sizeof(nss_backend_op_t);
-
- NSS_DEBUG("Initialized nss_winbind group backend");
- return be;
-}
-
-#endif /* SUN_NSS */
-
-
diff --git a/source/nsswitch/winbindd_sid.c b/source/nsswitch/winbindd_sid.c
deleted file mode 100644
index bc014f26918..00000000000
--- a/source/nsswitch/winbindd_sid.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 2.0
-
- Winbind daemon - sid related functions
-
- Copyright (C) Tim Potter 2000
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "winbindd.h"
-#include "sids.h"
-
-/* Convert a string */
-
-enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
-{
- extern DOM_SID global_sid_Builtin;
- enum SID_NAME_USE type;
- DOM_SID sid, tmp_sid;
- uint32 rid;
- fstring name;
-
- DEBUG(3, ("[%5d]: lookupsid %s\n", state->pid,
- state->request.data.sid));
-
- /* Lookup sid from PDC using lsa_lookup_sids() */
-
- string_to_sid(&sid, state->request.data.sid);
-
- /* Don't look up BUILTIN sids */
-
- sid_copy(&tmp_sid, &sid);
- sid_split_rid(&tmp_sid, &rid);
-
- if (sid_equal(&tmp_sid, &global_sid_Builtin)) {
- return WINBINDD_ERROR;
- }
-
- /* Lookup the sid */
-
- if (!winbindd_lookup_name_by_sid(&sid, name, &type)) {
- return WINBINDD_ERROR;
- }
-
- string_sub(name, "\\", lp_winbind_separator(), sizeof(fstring));
- fstrcpy(state->response.data.name.name, name);
- state->response.data.name.type = type;
-
- return WINBINDD_OK;
-}
-
-/* Convert a sid to a string */
-
-enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
-{
- enum SID_NAME_USE type;
- fstring sid_str, name_domain, name_user, name;
- DOM_SID sid;
-
- DEBUG(3, ("[%5d]: lookupname %s\n", state->pid,
- state->request.data.name));
-
- parse_domain_user(state->request.data.name, name_domain, name_user);
-
- snprintf(name, sizeof(name), "%s\\%s", name_domain, name_user);
-
- /* Lookup name from PDC using lsa_lookup_names() */
-
- if (!winbindd_lookup_sid_by_name(name, &sid, &type)) {
- return WINBINDD_ERROR;
- }
-
- sid_to_string(sid_str, &sid);
- fstrcpy(state->response.data.sid.sid, sid_str);
- state->response.data.sid.type = type;
-
- return WINBINDD_OK;
-}
-
-/* Convert a sid to a uid. We assume we only have one rid attached to the
- sid. */
-
-enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
-{
- DOM_SID sid;
- uint32 user_rid;
- struct winbindd_domain *domain;
-
- DEBUG(3, ("[%5d]: sid to uid %s\n", state->pid,
- state->request.data.sid));
-
- /* Split sid into domain sid and user rid */
-
- string_to_sid(&sid, state->request.data.sid);
- sid_split_rid(&sid, &user_rid);
-
- /* Find domain this sid belongs to */
-
- if ((domain = find_domain_from_sid(&sid)) == NULL) {
- fstring sid_str;
-
- sid_to_string(sid_str, &sid);
- DEBUG(1, ("Could not find domain for sid %s\n", sid_str));
- return WINBINDD_ERROR;
- }
-
- /* Find uid for this sid and return it */
-
- if (!winbindd_idmap_get_uid_from_rid(domain->name, user_rid,
- &state->response.data.uid)) {
- DEBUG(1, ("Could not get uid for sid %s\n",
- state->request.data.sid));
- return WINBINDD_ERROR;
- }
-
- return WINBINDD_OK;
-}
-
-/* Convert a sid to a gid. We assume we only have one rid attached to the
- sid.*/
-
-enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
-{
- DOM_SID sid;
- uint32 group_rid;
- struct winbindd_domain *domain;
-
- DEBUG(3, ("[%5d]: sid to gid %s\n", state->pid,
- state->request.data.sid));
-
- /* Split sid into domain sid and user rid */
-
- string_to_sid(&sid, state->request.data.sid);
- sid_split_rid(&sid, &group_rid);
-
- /* Find domain this sid belongs to */
-
- if ((domain = find_domain_from_sid(&sid)) == NULL) {
- fstring sid_str;
-
- sid_to_string(sid_str, &sid);
- DEBUG(1, ("Could not find domain for sid %s\n", sid_str));
- return WINBINDD_ERROR;
- }
-
- /* Find uid for this sid and return it */
-
- if (!winbindd_idmap_get_gid_from_rid(domain->name, group_rid,
- &state->response.data.gid)) {
- DEBUG(1, ("Could not get gid for sid %s\n",
- state->request.data.sid));
- return WINBINDD_ERROR;
- }
-
- return WINBINDD_OK;
-}
-
-/* Convert a uid to a sid */
-
-enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain;
- uint32 user_rid;
- DOM_SID sid;
-
- /* Bug out if the uid isn't in the winbind range */
-
- if ((state->request.data.uid < server_state.uid_low ) ||
- (state->request.data.uid > server_state.uid_high)) {
- return WINBINDD_ERROR;
- }
-
- DEBUG(3, ("[%5d]: uid to sid %d\n", state->pid,
- state->request.data.uid));
-
- /* Lookup rid for this uid */
-
- if (!winbindd_idmap_get_rid_from_uid(state->request.data.uid,
- &user_rid, &domain)) {
- DEBUG(1, ("Could not convert uid %d to rid\n",
- state->request.data.uid));
- return WINBINDD_ERROR;
- }
-
- /* Construct sid and return it */
-
- sid_copy(&sid, &domain->sid);
- sid_append_rid(&sid, user_rid);
- sid_to_string(state->response.data.sid.sid, &sid);
- state->response.data.sid.type = SID_NAME_USER;
-
- return WINBINDD_OK;
-}
-
-/* Convert a gid to a sid */
-
-enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain;
- uint32 group_rid;
- DOM_SID sid;
-
- /* Bug out if the gid isn't in the winbind range */
-
- if ((state->request.data.gid < server_state.gid_low) ||
- (state->request.data.gid > server_state.gid_high)) {
- return WINBINDD_ERROR;
- }
-
- DEBUG(3, ("[%5d]: gid to sid %d\n", state->pid,
- state->request.data.gid));
-
- /* Lookup rid for this uid */
-
- if (!winbindd_idmap_get_rid_from_gid(state->request.data.gid,
- &group_rid, &domain)) {
- DEBUG(1, ("Could not convert gid %d to rid\n",
- state->request.data.gid));
- return WINBINDD_ERROR;
- }
-
- /* Construct sid and return it */
-
- sid_copy(&sid, &domain->sid);
- sid_append_rid(&sid, group_rid);
- sid_to_string(state->response.data.sid.sid, &sid);
- state->response.data.sid.type = SID_NAME_DOM_GRP;
-
- return WINBINDD_OK;
-}
diff --git a/source/pam_smbpass/CHANGELOG b/source/pam_smbpass/CHANGELOG
deleted file mode 100644
index 96ef7840084..00000000000
--- a/source/pam_smbpass/CHANGELOG
+++ /dev/null
@@ -1,31 +0,0 @@ -version 0.7.5 25 Mar 2001 - - Use Samba 2.2.0 (alpha) as the target codebase, since it doesn't look - like Samba will be offering shared libraries in the near future. - - added a Makefile and support scripts to make the build process easier. - - imported some Solaris fixes that I've been sitting on. - -version 0.7.4 20 Jan 2000 - - added a 'migrate' option to the authentication code which makes no - effort to authenticate the user, or even to ask for a password, but - it can be useful for filling in an SMB password db. - -version 0.7.3 19 Jan 2000 - - updated to use the SAMBA_TNG Samba branch, allowing us to dynamically - link against Luke's new shared libs (libsamba, libsmb). - -version 0.7.2 20 Jul 1999 - - miscellaneous bugfixes. Cleanup of legacy pam_pwdb code. - - fixed return value of pam_sm_setcred function. - - fix to autoconf support - - clarified some of the messages being logged - -version 0.6, 15 Jul 1999 - - updated to use the new Samba (2.0) password database API. - - added autoconf support. May now theoretically compile on more - platforms than PAM itself does. - - added support for account management functions (i.e., disabled - accounts) - -version 0.5, 4 Apr 1998 - - added support for hashed passwords as input. Now capable of serving - as an authentication agent for encrypted network transactions. diff --git a/source/pam_smbpass/README b/source/pam_smbpass/README deleted file mode 100644 index 6f50ce4d2c0..00000000000 --- a/source/pam_smbpass/README +++ /dev/null 
@@ -1,66 +0,0 @@ -25 Mar 2001 - -pam_smbpass is a PAM module which can be used on conforming systems to -keep the smbpasswd (Samba password) database in sync with the unix -password file. PAM (Pluggable Authentication Modules) is an API supported -under some Unices, such as Solaris, HPUX and Linux, that provides a -generic interface to authentication mechanisms. - -For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/ - -This module authenticates a local smbpasswd user database. If you require -support for authenticating against a remote SMB server, or if you're -concerned about the presence of suid root binaries on your system, it is -recommended that you use one of the other two following modules - - pam_smb - http://www.csn.ul.ie/~airlied/pam_smb/ - authenticates against any remote SMB server - - pam_ntdom - ftp://ftp.samba.org/pub/samba/pam_ntdom/ - authenticates against an NT or Samba domain controller - -Options recognized by this module are as follows: - - debug - log more debugging info - audit - like debug, but also logs unknown usernames - use_first_pass - don't prompt the user for passwords; - take them from PAM_ items instead - try_first_pass - try to get the password from a previous - PAM module, fall back to prompting the user - use_authtok - like try_first_pass, but *fail* if the new - PAM_AUTHTOK has not been previously set. - (intended for stacking password modules only) - not_set_pass - don't make passwords used by this module - available to other modules. - nodelay - don't insert ~1 second delays on authentication - failure. - nullok - null passwords are allowed. - nonull - null passwords are not allowed. Used to - override the Samba configuration. - migrate - only meaningful in an "auth" context; - used to update smbpasswd file with a - password used for successful authentication. - smbconf=<file> - specify an alternate path to the smb.conf - file. 
-
-See the samples/ directory for example PAM configurations using this
-module.
-
-Thanks go to the following people:
-
-* Andrew Morgan <morgan@transmeta.com>, for providing the Linux-PAM
-framework, without which none of this would have happened
-
-* Christian Gafton <gafton@redhat.com> and Andrew Morgan again, for the
-pam_pwdb module upon which pam_smbpass was originally based
-
-* Luke Leighton <lkcl@switchboard.net> for being receptive to the idea,
-and for the occasional good-natured complaint about the project's status
-that keep me working on it :)
-
-* and of course, all the other members of the Samba team
-<samba-bugs@samba.org>, for creating a great product and for giving this
-project a purpose
-
----------------------
-Stephen Langasek <vorlon@netexpress.net>
diff --git a/source/pam_smbpass/TODO b/source/pam_smbpass/TODO
deleted file mode 100644
index 20cf4fb0987..00000000000
--- a/source/pam_smbpass/TODO
+++ /dev/null
@@ -1,7 +0,0 @@
-This is a tentative TODO file which will probably get much longer before
-it gets much shorter.
-
-- Recognizing (and overriding) debug options in the smb.conf file
-- Support for 'name=value' parameters in the PAM config
-- Compliant handling of unrecognized PAM parameters (i.e., fail on error)
--
diff --git a/source/pam_smbpass/general.h b/source/pam_smbpass/general.h
deleted file mode 100644
index 0291146cbba..00000000000
--- a/source/pam_smbpass/general.h
+++ /dev/null
@@ -1,123 +0,0 @@
-#ifndef LINUX
-/* This is only needed by modules in the Sun implementation. */
-#include <security/pam_appl.h>
-#endif /* LINUX */
-
-#include <security/pam_modules.h>
-
-#ifndef PAM_AUTHTOK_RECOVER_ERR
-#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-
-/*
- * here is the string to inform the user that the new passwords they
- * typed were not the same.
- */
-
-#define MISTYPED_PASS "Sorry, passwords do not match"
-
-/* type definition for the control options */
-
-typedef struct {
- const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
-} SMB_Ctrls;
-
-#ifndef False
-#define False (0)
-#endif
-
-#ifndef True
-#define True (1)
-#endif
-
-/* macro to determine if a given flag is on */
-#define on(x,ctrl) (smb_args[x].flag & ctrl)
-
-/* macro to determine that a given flag is NOT on */
-#define off(x,ctrl) (!on(x,ctrl))
-
-/* macro to turn on/off a ctrl flag manually */
-#define set(x,ctrl) (ctrl = ((ctrl)&smb_args[x].mask)|smb_args[x].flag)
-#define unset(x,ctrl) (ctrl &= ~(smb_args[x].flag))
-
-#ifndef __linux__
-#define strncasecmp(s1,s2,n) StrnCaseCmp(s1,s2,n)
-#endif
-
-/* the generic mask */
-#define _ALL_ON_ (~0U)
-
-/* end of macro definitions definitions for the control flags */
-
-/*
- * These are the options supported by the smb password module, very
- * similar to the pwdb options
- */
-
-#define SMB__OLD_PASSWD 0 /* internal */
-#define SMB__VERIFY_PASSWD 1 /* internal */
-
-#define SMB_AUDIT 2 /* print more things than debug..
- some information may be sensitive */
-#define SMB_USE_FIRST_PASS 3
-#define SMB_TRY_FIRST_PASS 4
-#define SMB_NOT_SET_PASS 5 /* don't set the AUTHTOK items */
-
-#define SMB__NONULL 6 /* internal */
-#define SMB__QUIET 7 /* internal */
-#define SMB_USE_AUTHTOK 8 /* insist on reading PAM_AUTHTOK */
-#define SMB__NULLOK 9 /* Null token ok */
-#define SMB_DEBUG 10 /* send more info to syslog(3) */
-#define SMB_NODELAY 11 /* admin does not want a fail-delay */
-#define SMB_MIGRATE 12 /* Does no authentication, just
- updates the smb database. */
-#define SMB_CONF_FILE 13 /* Alternate location of smb.conf */
-
-#define SMB_CTRLS_ 14 /* number of ctrl arguments defined */
-
-static const SMB_Ctrls smb_args[SMB_CTRLS_] = {
-/* symbol token name ctrl mask ctrl *
- * ------------------ ------------------ -------------- ---------- */
-
-/* SMB__OLD_PASSWD */ { NULL, _ALL_ON_, 01 },
-/* SMB__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 },
-/* SMB_AUDIT */ { "audit", _ALL_ON_, 04 },
-/* SMB_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(030), 010 },
-/* SMB_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(030), 020 },
-/* SMB_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 040 },
-/* SMB__NONULL */ { "nonull", _ALL_ON_, 0100 },
-/* SMB__QUIET */ { NULL, _ALL_ON_, 0200 },
-/* SMB_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 0400 },
-/* SMB__NULLOK */ { "nullok", _ALL_ON_^(0100), 0 },
-/* SMB_DEBUG */ { "debug", _ALL_ON_, 01000 },
-/* SMB_NODELAY */ { "nodelay", _ALL_ON_, 02000 },
-/* SMB_MIGRATE */ { "migrate", _ALL_ON_^(0100), 04000 },
-/* SMB_CONF_FILE */ { "smbconf=", _ALL_ON_, 0 },
-};
-
-#define SMB_DEFAULTS (smb_args[SMB__NONULL].flag)
-
-/*
- * the following is used to keep track of the number of times a user fails
- * to authenticate themself.
- */
-
-#define FAIL_PREFIX "-SMB-FAIL-"
-#define SMB_MAX_RETRIES 3
-
-struct _pam_failed_auth {
- char *user; /* user that's failed to be authenticated */
- int id; /* uid of requested user */
- char *agent; /* attempt from user with name */
- int count; /* number of failures so far */
-};
diff --git a/source/pam_smbpass/samples/README b/source/pam_smbpass/samples/README
deleted file mode 100644
index d77603306f1..00000000000
--- a/source/pam_smbpass/samples/README
+++ /dev/null
@@ -1,3 +0,0 @@
-This directory contains example configurations demonstrating various uses
-of pam_smbpass. These examples use Linux-style /etc/pam.d syntax, and
-must be modified for use on Solaris systems.
diff --git a/source/pam_smbpass/samples/kdc-pdc b/source/pam_smbpass/samples/kdc-pdc
deleted file mode 100644
index 70f1998f32a..00000000000
--- a/source/pam_smbpass/samples/kdc-pdc
+++ /dev/null
@@ -1,15 +0,0 @@
-#%PAM-1.0
-# kdc-pdc
-#
-# A sample PAM configuration that shows pam_smbpass used together with
-# pam_krb5. This could be useful on a Samba PDC that is also a member of
-# a Kerberos realm.
-
-auth requisite pam_nologin.so
-auth requisite pam_krb5.so
-auth optional pam_smbpass.so migrate
-account required pam_krb5.so
-password requisite pam_cracklib.so retry=3
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-password required pam_krb5.so use_authtok try_first_pass
-session required pam_krb5.so
diff --git a/source/pam_smbpass/samples/password-mature b/source/pam_smbpass/samples/password-mature
deleted file mode 100644
index 6d73e0906fc..00000000000
--- a/source/pam_smbpass/samples/password-mature
+++ /dev/null
@@ -1,14 +0,0 @@
-#%PAM-1.0
-# password-mature
-#
-# A sample PAM configuration for a 'mature' smbpasswd installation.
-# private/smbpasswd is fully populated, and we consider it an error if
-# the smbpasswd doesn't exist or doesn't match the Unix password.
-
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so use_authtok use_first_pass
-session required pam_unix.so
diff --git a/source/pam_smbpass/samples/password-migration b/source/pam_smbpass/samples/password-migration
deleted file mode 100644
index 305cb53858e..00000000000
--- a/source/pam_smbpass/samples/password-migration
+++ /dev/null
@@ -1,18 +0,0 @@
-#%PAM-1.0
-# password-migration
-#
-# A sample PAM configuration that shows the use of pam_smbpass to migrate
-# from plaintext to encrypted passwords for Samba. Unlike other methods,
-# this can be used for users who have never connected to Samba shares:
-# password migration takes place when users ftp in, login using ssh, pop
-# their mail, etc.
-
-auth requisite pam_nologin.so
-# pam_smbpass is called IFF pam_unix succeeds.
-auth requisite pam_unix.so
-auth optional pam_smbpass.so migrate
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
diff --git a/source/pam_smbpass/samples/password-sync b/source/pam_smbpass/samples/password-sync
deleted file mode 100644
index 0a950dd2e9a..00000000000
--- a/source/pam_smbpass/samples/password-sync
+++ /dev/null
@@ -1,15 +0,0 @@
-#%PAM-1.0
-# password-sync
-#
-# A sample PAM configuration that shows the use of pam_smbpass to make
-# sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
-# is changed. Useful when an expired password might be changed by an
-# application (such as ssh).
-
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
diff --git a/source/pam_smbpass/support.c b/source/pam_smbpass/support.c
deleted file mode 100644
index 01f4aa30c7d..00000000000
--- a/source/pam_smbpass/support.c
+++ /dev/null
@@ -1,651 +0,0 @@
-/* Unix NT password database implementation, version 0.6.
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-#include "general.h"
-
-#include "support.h"
-
-
-#define _pam_overwrite(x) \
-do { \
- register char *__xx__; \
- if ((__xx__=(x))) \
- while (*__xx__) \
- *__xx__++ = '\0'; \
-} while (0)
-
-/*
- * Don't just free it, forget it too.
- */
-
-#define _pam_drop(X) \
-do { \
- if (X) { \
- free(X); \
- X=NULL; \
- } \
-} while (0)
-
-#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
-do { \
- int reply_i; \
- \
- for (reply_i=0; reply_i<replies; ++reply_i) { \
- if (reply[reply_i].resp) { \
- _pam_overwrite(reply[reply_i].resp); \
- free(reply[reply_i].resp); \
- } \
- } \
- if (reply) \
- free(reply); \
-} while (0)
-
-
-int converse(pam_handle_t *, int, int, struct pam_message **,
- struct pam_response **);
-int make_remark(pam_handle_t *, unsigned int, int, const char *);
-void _cleanup(pam_handle_t *, void *, int);
-char *_pam_delete(register char *);
-
-/* syslogging function for errors and other information */
-
-void _log_err( int err, const char *format, ...
- )
-{
- va_list args;
-
- va_start( args, format );
- openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
- vsyslog( err, format, args );
- va_end( args );
- closelog();
-}
-
-/* this is a front-end for module-application conversations */
-
-int converse( pam_handle_t * pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response )
-{
- int retval;
- struct pam_conv *conv;
-
- retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
- if (retval == PAM_SUCCESS) {
-
- retval = conv->conv(nargs, (const struct pam_message **) message
- ,response, conv->appdata_ptr);
-
- if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
- ,pam_strerror(pamh, retval));
- }
- } else {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
- ,pam_strerror(pamh, retval));
- }
-
- return retval; /* propagate error status */
-}
-
-int make_remark( pam_handle_t * pamh, unsigned int ctrl
- , int type, const char *text )
-{
- if (off(SMB__QUIET, ctrl)) {
- struct pam_message *pmsg[1], msg[1];
- struct pam_response *resp;
-
- pmsg[0] = &msg[0];
- msg[0].msg = text;
- msg[0].msg_style = type;
- resp = NULL;
-
- return converse(pamh, ctrl, 1, pmsg, &resp);
- }
- return PAM_SUCCESS;
-}
-
-
-/* set the control flags for the SMB module. */
-
-int set_ctrl( int flags, int argc, const char **argv )
-{
- int i = 0;
- static pstring servicesf = CONFIGFILE;
- const char *service_file = servicesf;
- unsigned int ctrl;
-
- ctrl = SMB_DEFAULTS; /* the default selection of options */
-
- /* set some flags manually */
-
- /* A good, sane default (matches Samba's behavior). */
- set( SMB__NONULL, ctrl );
-
- if (flags & PAM_SILENT) {
- set( SMB__QUIET, ctrl );
- }
-
- /* Run through the arguments once, looking for an alternate smb config
- file location */
- while (i < argc) {
- int j;
-
- for (j = 0; j < SMB_CTRLS_; ++j) {
- if (smb_args[j].token
- && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
- {
- break;
- }
- }
-
- if (j == SMB_CONF_FILE) {
- service_file = argv[i] + 8;
- }
- i++;
- }
-
- /* Read some options from the Samba config. Can be overridden by
- the PAM config. */
- if(lp_load(service_file,True,False,False) == False) {
- _log_err( LOG_ERR, "Error loading service file %s", service_file );
- }
-
- if (lp_null_passwords()) {
- set( SMB__NULLOK, ctrl );
- }
-
- /* now parse the rest of the arguments to this module */
-
- while (argc-- > 0) {
- int j;
-
- for (j = 0; j < SMB_CTRLS_; ++j) {
- if (smb_args[j].token
- && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
- {
- break;
- }
- }
-
- if (j >= SMB_CTRLS_) {
- _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
- } else {
- ctrl &= smb_args[j].mask; /* for turning things off */
- ctrl |= smb_args[j].flag; /* for turning things on */
- }
-
- ++argv; /* step to next argument */
- }
-
- /* auditing is a more sensitive version of debug */
-
- if (on( SMB_AUDIT, ctrl )) {
- set( SMB_DEBUG, ctrl );
- }
- /* return the set of flags */
-
- return ctrl;
-}
-
-/* use this to free strings. ESPECIALLY password strings */
-
-char * _pam_delete( register char *xx )
-{
- _pam_overwrite( xx );
- _pam_drop( xx );
- return NULL;
-}
-
-void _cleanup( pam_handle_t * pamh, void *x, int error_status )
-{
- x = _pam_delete( (char *) x );
-}
-
-/*
- * Safe duplication of character strings. "Paranoid"; don't leave
- * evidence of old token around for later stack analysis.
- */
-
-char * xstrdup( const char *x )
-{
- register char *new = NULL;
-
- if (x != NULL) {
- register int i;
-
- for (i = 0; x[i]; ++i); /* length of string */
- if ((new = malloc(++i)) == NULL) {
- i = 0;
- _log_err( LOG_CRIT, "out of memory in xstrdup" );
- } else {
- while (i-- > 0) {
- new[i] = x[i];
- }
- }
- x = NULL;
- }
- return new; /* return the duplicate or NULL on error */
-}
-
-/* ************************************************************** *
- * Useful non-trivial functions *
- * ************************************************************** */
-
-void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
-{
- int quiet;
- const char *service = NULL;
- struct _pam_failed_auth *failure;
-
-#ifdef PAM_DATA_SILENT
- quiet = err & PAM_DATA_SILENT; /* should we log something? */
-#else
- quiet = 0;
-#endif
-#ifdef PAM_DATA_REPLACE
- err &= PAM_DATA_REPLACE; /* are we just replacing data? */
-#endif
- failure = (struct _pam_failed_auth *) fl;
-
- if (failure != NULL) {
-
-#ifdef PAM_DATA_SILENT
- if (!quiet && !err) { /* under advisement from Sun,may go away */
-#else
- if (!quiet) { /* under advisement from Sun,may go away */
-#endif
-
- /* log the number of authentication failures */
- if (failure->count != 0) {
- pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
- _log_err( LOG_NOTICE
- , "%d authentication %s "
- "from %s for service %s as %s(%d)"
- , failure->count
- , failure->count == 1 ? "failure" : "failures"
- , failure->agent
- , service == NULL ? "**unknown**" : service
- , failure->user, failure->id );
- if (failure->count > SMB_MAX_RETRIES) {
- _log_err( LOG_ALERT
- , "service(%s) ignoring max retries; %d > %d"
- , service == NULL ? "**unknown**" : service
- , failure->count
- , SMB_MAX_RETRIES );
- }
- }
- }
- _pam_delete( failure->agent ); /* tidy up */
- _pam_delete( failure->user ); /* tidy up */
- free( failure );
- }
-}
-
-int _smb_verify_password( pam_handle_t * pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl )
-{
- uchar hash_pass[16];
- uchar lm_pw[16];
- uchar nt_pw[16];
- int retval;
- char *data_name;
- const char *name;
-
- if (!smb_pwent)
- return PAM_ABORT;
-
- name = smb_pwent->smb_name;
-
-#ifdef HAVE_PAM_FAIL_DELAY
- if (off( SMB_NODELAY, ctrl )) {
- (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
- }
-#endif
-
- if (!smb_pwent->smb_passwd)
- {
- _log_err( LOG_DEBUG, "user %s has null SMB password"
- , name );
-
- if (off( SMB__NONULL, ctrl )
- && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
- { /* this means we've succeeded */
- return PAM_SUCCESS;
- } else {
- const char *service;
-
- pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- return PAM_AUTH_ERR;
- }
- }
-
- data_name = (char *) malloc( sizeof(FAIL_PREFIX)
- + strlen( name ));
- if (data_name == NULL) {
- _log_err( LOG_CRIT, "no memory for data-name" );
- }
- strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
- strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
-
- /* First we check whether we've been given the password in already
- encrypted form. */
- if (strlen( p ) == 16 || (strlen( p ) == 32
- && pdb_gethexpwd( p, (char *) hash_pass ))) {
-
- if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 )
- || (smb_pwent->smb_nt_passwd
- && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 )))
- {
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data( pamh, data_name, NULL, _cleanup_failures );
- }
- _pam_delete( data_name );
- memset( hash_pass, '\0', 16 );
- smb_pwent = NULL;
- return retval;
- }
- }
-
- /*
- * The password we were given wasn't an encrypted password, or it
- * didn't match the one we have. We encrypt the password now and try
- * again.
- */
-
- nt_lm_owf_gen(p, nt_pw, lm_pw);
-
- /* the moment of truth -- do we agree with the password? */
-
- if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) {
-
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data(pamh, data_name, NULL, _cleanup_failures);
- }
- } else {
-
- const char *service;
-
- pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
-
- if (data_name != NULL) {
- struct _pam_failed_auth *new = NULL;
- const struct _pam_failed_auth *old = NULL;
-
- /* get a failure recorder */
-
- new = (struct _pam_failed_auth *)
- malloc( sizeof(struct _pam_failed_auth) );
-
- if (new != NULL) {
-
- /* any previous failures for this user ? */
- pam_get_data(pamh, data_name, (const void **) &old);
-
- if (old != NULL) {
- new->count = old->count + 1;
- if (new->count >= SMB_MAX_RETRIES) {
- retval = PAM_MAXTRIES;
- }
- } else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- new->count = 1;
- }
- new->user = xstrdup( name );
- new->id = smb_pwent->smb_userid;
- new->agent = xstrdup( uidtoname( getuid() ) );
- pam_set_data( pamh, data_name, new, _cleanup_failures );
-
- } else {
- _log_err( LOG_CRIT, "no memory for failure recorder" );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- }
- } else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- retval = PAM_AUTH_ERR;
- }
- }
-
- _pam_delete( data_name );
- smb_pwent = NULL;
- return retval;
-}
-
-
-/*
- * _smb_blankpasswd() is a quick check for a blank password
- *
- * returns TRUE if user does not have a password
- * - to avoid prompting for one in such cases (CG)
- */
-
-int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
-{
- int retval;
-
- /*
- * This function does not have to be too smart if something goes
- * wrong, return FALSE and let this case to be treated somewhere
- * else (CG)
- */
-
- if (on( SMB__NONULL, ctrl ))
- return 0; /* will fail but don't let on yet */
-
- if (smb_pwent->smb_passwd == NULL)
- retval = 1;
- else
- retval = 0;
-
- return retval;
-}
-
-/*
- * obtain a password from the user
- */
-
-int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl
- , const char *comment, const char *prompt1
- , const char *prompt2, const char *data_name
- , const char **pass )
-{
- int authtok_flag;
- int retval;
- const char *item = NULL;
- char *token;
-
- struct pam_message msg[3], *pmsg[3];
- struct pam_response *resp;
- int i, expect;
-
-
- /* make sure nothing inappropriate gets returned */
-
- *pass = token = NULL;
-
- /* which authentication token are we getting? */
-
- authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
-
- /* should we obtain the password from a PAM item ? */
-
- if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
- retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
- if (retval != PAM_SUCCESS) {
- /* very strange. */
- _log_err( LOG_ALERT
- , "pam_get_item returned error to smb_read_password" );
- return retval;
- } else if (item != NULL) { /* we have a password! */
- *pass = item;
- item = NULL;
- return PAM_SUCCESS;
- } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
- return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
- } else if (on( SMB_USE_AUTHTOK, ctrl )
- && off( SMB__OLD_PASSWD, ctrl ))
- {
- return PAM_AUTHTOK_RECOVER_ERR;
- }
- }
-
- /*
- * getting here implies we will have to get the password from the
- * user directly.
- */
-
- /* prepare to converse */
- if (comment != NULL && off(SMB__QUIET, ctrl)) {
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = comment;
- i = 1;
- } else {
- i = 0;
- }
-
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt1;
-
- if (prompt2 != NULL) {
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt2;
- expect = 2;
- } else
- expect = 1;
-
- resp = NULL;
-
- retval = converse( pamh, ctrl, i, pmsg, &resp );
-
- if (resp != NULL) {
- int j = comment ? 1 : 0;
- /* interpret the response */
-
- if (retval == PAM_SUCCESS) { /* a good conversation */
-
- token = xstrdup(resp[j++].resp);
- if (token != NULL) {
- if (expect == 2) {
- /* verify that password entered correctly */
- if (!resp[j].resp || strcmp( token, resp[j].resp )) {
- _pam_delete( token );
- retval = PAM_AUTHTOK_RECOVER_ERR;
- make_remark( pamh, ctrl, PAM_ERROR_MSG
- , MISTYPED_PASS );
- }
- }
- } else {
- _log_err(LOG_NOTICE, "could not recover authentication token");
- }
- }
-
- /* tidy up */
- _pam_drop_reply( resp, expect );
-
- } else {
- retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
- }
-
- if (retval != PAM_SUCCESS) {
- if (on( SMB_DEBUG, ctrl ))
- _log_err( LOG_DEBUG, "unable to obtain a password" );
- return retval;
- }
- /* 'token' is the entered password */
-
- if (off( SMB_NOT_SET_PASS, ctrl )) {
-
- /* we store this password as an item */
-
- retval = pam_set_item( pamh, authtok_flag, (const void *)token );
- _pam_delete( token ); /* clean it up */
- if (retval != PAM_SUCCESS
- || (retval = pam_get_item( pamh, authtok_flag
- ,(const void **)&item )) != PAM_SUCCESS)
- {
- _log_err( LOG_CRIT, "error manipulating password" );
- return retval;
- }
- } else {
- /*
- * then store it as data specific to this module. pam_end()
- * will arrange to clean it up.
- */
-
- retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
- if (retval != PAM_SUCCESS
- || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
- != PAM_SUCCESS)
- {
- _log_err( LOG_CRIT, "error manipulating password data [%s]"
- , pam_strerror( pamh, retval ));
- _pam_delete( token );
- item = NULL;
- return retval;
- }
- token = NULL; /* break link to password */
- }
-
- *pass = item;
- item = NULL; /* break link to password */
-
- return PAM_SUCCESS;
-}
-
-int _pam_smb_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
- ,const char *pass_old
- ,const char *pass_new)
-{
-
- /* Further checks should be handled through module stacking. -SRL */
- if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
- {
- if (on(SMB_DEBUG, ctrl)) {
- _log_err( LOG_DEBUG,
- "passwd: bad authentication token (null or unchanged)" );
- }
- make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
- "No password supplied" : "Password unchanged" );
- return PAM_AUTHTOK_ERR;
- }
-
- return PAM_SUCCESS;
-}
diff --git a/source/pam_smbpass/support.h b/source/pam_smbpass/support.h
deleted file mode 100644
index 85bbd0a523c..00000000000
--- a/source/pam_smbpass/support.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* syslogging function for errors and other information */
-extern void _log_err(int, const char *, ...);
-
-/* set the control flags for the UNIX module. */
-extern int set_ctrl(int, int, const char **);
-
-/* generic function for freeing pam data segments */
-extern void _cleanup(pam_handle_t *, void *, int);
-
-/*
- * Safe duplication of character strings. "Paranoid"; don't leave
- * evidence of old token around for later stack analysis.
- */
-
-extern char *xstrdup(const char *);
-
-/* ************************************************************** *
- * Useful non-trivial functions *
- * ************************************************************** */
-
-extern void _cleanup_failures(pam_handle_t *, void *, int);
-
-/* compare 2 strings */
-extern BOOL strequal(const char *, const char *);
-
-extern struct smb_passwd *
-_my_get_smbpwnam(FILE *, const char *, BOOL *, BOOL *, long *);
-
-extern int _smb_verify_password( pam_handle_t *pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl );
-
-/*
- * this function obtains the name of the current user and ensures
- * that the PAM_USER item is set to this value
- */
-
-extern int _smb_get_user(pam_handle_t *, unsigned int,
- const char *, const char **);
-
-/* _smb_blankpasswd() is a quick check for a blank password */
-
-extern int _smb_blankpasswd(unsigned int, const struct smb_passwd *);
-
-
-/* obtain a password from the user */
-extern int _smb_read_password( pam_handle_t *, unsigned int, const char*,
- const char *, const char *, const char *,
- const char **);
-
-extern int _pam_smb_approve_pass(pam_handle_t *, unsigned int, const char *,
- const char *); |