1*da6c28aaSamw /* 2*da6c28aaSamw * CDDL HEADER START 3*da6c28aaSamw * 4*da6c28aaSamw * The contents of this file are subject to the terms of the 5*da6c28aaSamw * Common Development and Distribution License (the "License"). 6*da6c28aaSamw * You may not use this file except in compliance with the License. 7*da6c28aaSamw * 8*da6c28aaSamw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9*da6c28aaSamw * or http://www.opensolaris.org/os/licensing. 10*da6c28aaSamw * See the License for the specific language governing permissions 11*da6c28aaSamw * and limitations under the License. 12*da6c28aaSamw * 13*da6c28aaSamw * When distributing Covered Code, include this CDDL HEADER in each 14*da6c28aaSamw * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15*da6c28aaSamw * If applicable, add the following below this CDDL HEADER, with the 16*da6c28aaSamw * fields enclosed by brackets "[]" replaced with your own identifying 17*da6c28aaSamw * information: Portions Copyright [yyyy] [name of copyright owner] 18*da6c28aaSamw * 19*da6c28aaSamw * CDDL HEADER END 20*da6c28aaSamw */ 21*da6c28aaSamw /* 22*da6c28aaSamw * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23*da6c28aaSamw * Use is subject to license terms. 24*da6c28aaSamw */ 25*da6c28aaSamw 26*da6c28aaSamw #pragma ident "%Z%%M% %I% %E% SMI" 27*da6c28aaSamw 28*da6c28aaSamw #include <sys/types.h> 29*da6c28aaSamw #include <sys/varargs.h> 30*da6c28aaSamw #include <string.h> 31*da6c28aaSamw #include <syslog.h> 32*da6c28aaSamw #include <stdlib.h> 33*da6c28aaSamw 34*da6c28aaSamw #include <security/pam_appl.h> 35*da6c28aaSamw #include <security/pam_modules.h> 36*da6c28aaSamw #include <security/pam_impl.h> 37*da6c28aaSamw 38*da6c28aaSamw #include <libintl.h> 39*da6c28aaSamw #include <passwdutil.h> 40*da6c28aaSamw 41*da6c28aaSamw #include <smbsrv/libsmb.h> 42*da6c28aaSamw 43*da6c28aaSamw /*PRINTFLIKE3*/ 44*da6c28aaSamw static void 45*da6c28aaSamw error(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...) 46*da6c28aaSamw { 47*da6c28aaSamw va_list ap; 48*da6c28aaSamw char message[PAM_MAX_MSG_SIZE]; 49*da6c28aaSamw 50*da6c28aaSamw if (nowarn) 51*da6c28aaSamw return; 52*da6c28aaSamw 53*da6c28aaSamw va_start(ap, fmt); 54*da6c28aaSamw (void) vsnprintf(message, sizeof (message), fmt, ap); 55*da6c28aaSamw (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message, 56*da6c28aaSamw NULL); 57*da6c28aaSamw va_end(ap); 58*da6c28aaSamw } 59*da6c28aaSamw 60*da6c28aaSamw /*PRINTFLIKE3*/ 61*da6c28aaSamw static void 62*da6c28aaSamw info(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...) 63*da6c28aaSamw { 64*da6c28aaSamw va_list ap; 65*da6c28aaSamw char message[PAM_MAX_MSG_SIZE]; 66*da6c28aaSamw 67*da6c28aaSamw if (nowarn) 68*da6c28aaSamw return; 69*da6c28aaSamw 70*da6c28aaSamw va_start(ap, fmt); 71*da6c28aaSamw (void) vsnprintf(message, sizeof (message), fmt, ap); 72*da6c28aaSamw (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message, 73*da6c28aaSamw NULL); 74*da6c28aaSamw va_end(ap); 75*da6c28aaSamw } 76*da6c28aaSamw 77*da6c28aaSamw int 78*da6c28aaSamw pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) 79*da6c28aaSamw { 80*da6c28aaSamw boolean_t debug = B_FALSE; 81*da6c28aaSamw boolean_t nowarn = B_FALSE; 82*da6c28aaSamw pwu_repository_t files_rep; 83*da6c28aaSamw char *user, *local_user; 84*da6c28aaSamw char *newpw; 85*da6c28aaSamw char *service; 86*da6c28aaSamw int privileged; 87*da6c28aaSamw int res; 88*da6c28aaSamw int i; 89*da6c28aaSamw 90*da6c28aaSamw for (i = 0; i < argc; i++) { 91*da6c28aaSamw if (strcmp(argv[i], "debug") == 0) 92*da6c28aaSamw debug = B_TRUE; 93*da6c28aaSamw else if (strcmp(argv[i], "nowarn") == 0) 94*da6c28aaSamw nowarn = B_TRUE; 95*da6c28aaSamw } 96*da6c28aaSamw 97*da6c28aaSamw if ((flags & PAM_PRELIM_CHECK) != 0) 98*da6c28aaSamw return (PAM_IGNORE); 99*da6c28aaSamw 100*da6c28aaSamw if ((flags & PAM_UPDATE_AUTHTOK) == 0) 101*da6c28aaSamw return (PAM_SYSTEM_ERR); 102*da6c28aaSamw 103*da6c28aaSamw if ((flags & PAM_SILENT) != 0) 104*da6c28aaSamw nowarn = B_TRUE; 105*da6c28aaSamw 106*da6c28aaSamw if (debug) 107*da6c28aaSamw __pam_log(LOG_AUTH | LOG_DEBUG, 108*da6c28aaSamw "pam_smb_passwd: storing authtok"); 109*da6c28aaSamw 110*da6c28aaSamw (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service); 111*da6c28aaSamw (void) pam_get_item(pamh, PAM_USER, (void **)&user); 112*da6c28aaSamw 113*da6c28aaSamw if (user == NULL || *user == '\0') { 114*da6c28aaSamw __pam_log(LOG_AUTH | LOG_ERR, 115*da6c28aaSamw "pam_smb_passwd: username is empty"); 116*da6c28aaSamw return (PAM_USER_UNKNOWN); 117*da6c28aaSamw } 118*da6c28aaSamw 119*da6c28aaSamw (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw); 120*da6c28aaSamw if (newpw == NULL) { 121*da6c28aaSamw /* 122*da6c28aaSamw * A module on the stack has removed PAM_AUTHTOK. We fail 123*da6c28aaSamw */ 124*da6c28aaSamw return (PAM_AUTHTOK_ERR); 125*da6c28aaSamw } 126*da6c28aaSamw 127*da6c28aaSamw /* Check to see if this is a local user */ 128*da6c28aaSamw files_rep.type = "files"; 129*da6c28aaSamw files_rep.scope = NULL; 130*da6c28aaSamw files_rep.scope_len = 0; 131*da6c28aaSamw res = __user_to_authenticate(user, &files_rep, &local_user, 132*da6c28aaSamw &privileged); 133*da6c28aaSamw if (res != PWU_SUCCESS) { 134*da6c28aaSamw switch (res) { 135*da6c28aaSamw case PWU_NOT_FOUND: 136*da6c28aaSamw /* if not a local user, ignore */ 137*da6c28aaSamw if (debug) { 138*da6c28aaSamw __pam_log(LOG_AUTH | LOG_DEBUG, 139*da6c28aaSamw "pam_smb_passwd: %s is not local", user); 140*da6c28aaSamw } 141*da6c28aaSamw return (PAM_IGNORE); 142*da6c28aaSamw case PWU_DENIED: 143*da6c28aaSamw return (PAM_PERM_DENIED); 144*da6c28aaSamw } 145*da6c28aaSamw return (PAM_SYSTEM_ERR); 146*da6c28aaSamw } 147*da6c28aaSamw 148*da6c28aaSamw res = smb_pwd_setpasswd(user, newpw); 149*da6c28aaSamw 150*da6c28aaSamw /* 151*da6c28aaSamw * now map the various return states to user messages 152*da6c28aaSamw * and PAM return codes. 153*da6c28aaSamw */ 154*da6c28aaSamw switch (res) { 155*da6c28aaSamw case SMB_PWE_SUCCESS: 156*da6c28aaSamw info(nowarn, pamh, dgettext(TEXT_DOMAIN, 157*da6c28aaSamw "%s: SMB password successfully changed for %s"), 158*da6c28aaSamw service, user); 159*da6c28aaSamw return (PAM_SUCCESS); 160*da6c28aaSamw 161*da6c28aaSamw case SMB_PWE_STAT_FAILED: 162*da6c28aaSamw __pam_log(LOG_AUTH | LOG_ERR, 163*da6c28aaSamw "%s: stat of SMB password file failed", service); 164*da6c28aaSamw return (PAM_SYSTEM_ERR); 165*da6c28aaSamw 166*da6c28aaSamw case SMB_PWE_OPEN_FAILED: 167*da6c28aaSamw case SMB_PWE_WRITE_FAILED: 168*da6c28aaSamw case SMB_PWE_CLOSE_FAILED: 169*da6c28aaSamw case SMB_PWE_UPDATE_FAILED: 170*da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN, 171*da6c28aaSamw "%s: Unexpected failure. SMB password database unchanged."), 172*da6c28aaSamw service); 173*da6c28aaSamw return (PAM_SYSTEM_ERR); 174*da6c28aaSamw 175*da6c28aaSamw case SMB_PWE_BUSY: 176*da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN, 177*da6c28aaSamw "%s: SMB password database busy. Try again later."), 178*da6c28aaSamw service); 179*da6c28aaSamw 180*da6c28aaSamw return (PAM_AUTHTOK_LOCK_BUSY); 181*da6c28aaSamw 182*da6c28aaSamw case SMB_PWE_USER_UNKNOWN: 183*da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN, 184*da6c28aaSamw "%s: %s does not exist."), service, user); 185*da6c28aaSamw return (PAM_USER_UNKNOWN); 186*da6c28aaSamw 187*da6c28aaSamw case SMB_PWE_USER_DISABLE: 188*da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN, 189*da6c28aaSamw "%s: %s is disable. SMB password database unchanged."), 190*da6c28aaSamw service, user); 191*da6c28aaSamw return (PAM_IGNORE); 192*da6c28aaSamw 193*da6c28aaSamw case SMB_PWE_DENIED: 194*da6c28aaSamw return (PAM_PERM_DENIED); 195*da6c28aaSamw 196*da6c28aaSamw default: 197*da6c28aaSamw res = PAM_SYSTEM_ERR; 198*da6c28aaSamw break; 199*da6c28aaSamw } 200*da6c28aaSamw 201*da6c28aaSamw return (res); 202*da6c28aaSamw } 203