1da6c28aamw/*
2da6c28aamw * CDDL HEADER START
3da6c28aamw *
4da6c28aamw * The contents of this file are subject to the terms of the
5da6c28aamw * Common Development and Distribution License (the "License").
6da6c28aamw * You may not use this file except in compliance with the License.
7da6c28aamw *
8da6c28aamw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9da6c28aamw * or http://www.opensolaris.org/os/licensing.
10da6c28aamw * See the License for the specific language governing permissions
11da6c28aamw * and limitations under the License.
12da6c28aamw *
13da6c28aamw * When distributing Covered Code, include this CDDL HEADER in each
14da6c28aamw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15da6c28aamw * If applicable, add the following below this CDDL HEADER, with the
16da6c28aamw * fields enclosed by brackets "[]" replaced with your own identifying
17da6c28aamw * information: Portions Copyright [yyyy] [name of copyright owner]
18da6c28aamw *
19da6c28aamw * CDDL HEADER END
20da6c28aamw */
21da6c28aamw/*
227b59d02jb * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23da6c28aamw * Use is subject to license terms.
24da6c28aamw */
25da6c28aamw
26da6c28aamw#pragma ident	"%Z%%M%	%I%	%E% SMI"
27da6c28aamw
28da6c28aamw#include <sys/types.h>
29da6c28aamw#include <sys/varargs.h>
30da6c28aamw#include <string.h>
31da6c28aamw#include <syslog.h>
32da6c28aamw#include <stdlib.h>
33da6c28aamw
34da6c28aamw#include <security/pam_appl.h>
35da6c28aamw#include <security/pam_modules.h>
36da6c28aamw#include <security/pam_impl.h>
37da6c28aamw
38da6c28aamw#include <libintl.h>
39da6c28aamw#include <passwdutil.h>
40da6c28aamw
41da6c28aamw#include <smbsrv/libsmb.h>
42da6c28aamw
43da6c28aamw/*PRINTFLIKE3*/
44da6c28aamwstatic void
45da6c28aamwerror(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
46da6c28aamw{
47da6c28aamw	va_list ap;
48da6c28aamw	char message[PAM_MAX_MSG_SIZE];
49da6c28aamw
50da6c28aamw	if (nowarn)
51da6c28aamw		return;
52da6c28aamw
53da6c28aamw	va_start(ap, fmt);
54da6c28aamw	(void) vsnprintf(message, sizeof (message), fmt, ap);
55da6c28aamw	(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message,
56da6c28aamw	    NULL);
57da6c28aamw	va_end(ap);
58da6c28aamw}
59da6c28aamw
60da6c28aamw/*PRINTFLIKE3*/
61da6c28aamwstatic void
62da6c28aamwinfo(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
63da6c28aamw{
64da6c28aamw	va_list ap;
65da6c28aamw	char message[PAM_MAX_MSG_SIZE];
66da6c28aamw
67da6c28aamw	if (nowarn)
68da6c28aamw		return;
69da6c28aamw
70da6c28aamw	va_start(ap, fmt);
71da6c28aamw	(void) vsnprintf(message, sizeof (message), fmt, ap);
72da6c28aamw	(void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message,
73da6c28aamw	    NULL);
74da6c28aamw	va_end(ap);
75da6c28aamw}
76da6c28aamw
77da6c28aamwint
78da6c28aamwpam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
79da6c28aamw{
80da6c28aamw	boolean_t debug = B_FALSE;
81da6c28aamw	boolean_t nowarn = B_FALSE;
82da6c28aamw	pwu_repository_t files_rep;
83da6c28aamw	char *user, *local_user;
84da6c28aamw	char *newpw;
85da6c28aamw	char *service;
86da6c28aamw	int privileged;
87da6c28aamw	int res;
88da6c28aamw	int i;
89da6c28aamw
90da6c28aamw	for (i = 0; i < argc; i++) {
91da6c28aamw		if (strcmp(argv[i], "debug") == 0)
92da6c28aamw			debug = B_TRUE;
93da6c28aamw		else if (strcmp(argv[i], "nowarn") == 0)
94da6c28aamw			nowarn = B_TRUE;
95da6c28aamw	}
96da6c28aamw
97da6c28aamw	if ((flags & PAM_PRELIM_CHECK) != 0)
98da6c28aamw		return (PAM_IGNORE);
99da6c28aamw
100da6c28aamw	if ((flags & PAM_UPDATE_AUTHTOK) == 0)
101da6c28aamw		return (PAM_SYSTEM_ERR);
102da6c28aamw
103da6c28aamw	if ((flags & PAM_SILENT) != 0)
104da6c28aamw		nowarn = B_TRUE;
105da6c28aamw
106da6c28aamw	if (debug)
107da6c28aamw		__pam_log(LOG_AUTH | LOG_DEBUG,
108da6c28aamw		    "pam_smb_passwd: storing authtok");
109da6c28aamw
110da6c28aamw	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
111da6c28aamw	(void) pam_get_item(pamh, PAM_USER, (void **)&user);
112da6c28aamw
113da6c28aamw	if (user == NULL || *user == '\0') {
114da6c28aamw		__pam_log(LOG_AUTH | LOG_ERR,
115da6c28aamw		    "pam_smb_passwd: username is empty");
116da6c28aamw		return (PAM_USER_UNKNOWN);
117da6c28aamw	}
118da6c28aamw
119da6c28aamw	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw);
120da6c28aamw	if (newpw == NULL) {
121da6c28aamw		/*
122da6c28aamw		 * A module on the stack has removed PAM_AUTHTOK. We fail
123da6c28aamw		 */
124da6c28aamw		return (PAM_AUTHTOK_ERR);
125da6c28aamw	}
126da6c28aamw
127da6c28aamw	/* Check to see if this is a local user */
128da6c28aamw	files_rep.type = "files";
129da6c28aamw	files_rep.scope = NULL;
130da6c28aamw	files_rep.scope_len = 0;
131da6c28aamw	res = __user_to_authenticate(user, &files_rep, &local_user,
132da6c28aamw	    &privileged);
133da6c28aamw	if (res != PWU_SUCCESS) {
134da6c28aamw		switch (res) {
135da6c28aamw		case PWU_NOT_FOUND:
136da6c28aamw			/* if not a local user, ignore */
137da6c28aamw			if (debug) {
138da6c28aamw				__pam_log(LOG_AUTH | LOG_DEBUG,
139da6c28aamw				    "pam_smb_passwd: %s is not local", user);
140da6c28aamw			}
141da6c28aamw			return (PAM_IGNORE);
142da6c28aamw		case PWU_DENIED:
143da6c28aamw			return (PAM_PERM_DENIED);
144da6c28aamw		}
145da6c28aamw		return (PAM_SYSTEM_ERR);
146da6c28aamw	}
147da6c28aamw
1483db3f65amw	smb_pwd_init(B_FALSE);
1497b59d02jb
150da6c28aamw	res = smb_pwd_setpasswd(user, newpw);
151da6c28aamw
1527b59d02jb	smb_pwd_fini();
1537b59d02jb
154da6c28aamw	/*
155da6c28aamw	 * now map the various return states to user messages
156da6c28aamw	 * and PAM return codes.
157da6c28aamw	 */
158da6c28aamw	switch (res) {
159da6c28aamw	case SMB_PWE_SUCCESS:
160da6c28aamw		info(nowarn, pamh, dgettext(TEXT_DOMAIN,
161da6c28aamw		    "%s: SMB password successfully changed for %s"),
162da6c28aamw		    service, user);
163