15331Samw /*
25331Samw  * CDDL HEADER START
35331Samw  *
45331Samw  * The contents of this file are subject to the terms of the
55331Samw  * Common Development and Distribution License (the "License").
65331Samw  * You may not use this file except in compliance with the License.
75331Samw  *
85331Samw  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
95331Samw  * or http://www.opensolaris.org/os/licensing.
105331Samw  * See the License for the specific language governing permissions
115331Samw  * and limitations under the License.
125331Samw  *
135331Samw  * When distributing Covered Code, include this CDDL HEADER in each
145331Samw  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
155331Samw  * If applicable, add the following below this CDDL HEADER, with the
165331Samw  * fields enclosed by brackets "[]" replaced with your own identifying
175331Samw  * information: Portions Copyright [yyyy] [name of copyright owner]
185331Samw  *
195331Samw  * CDDL HEADER END
205331Samw  */
215331Samw /*
226030Sjb150015  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
235331Samw  * Use is subject to license terms.
245331Samw  */
255331Samw 
265331Samw #pragma ident	"%Z%%M%	%I%	%E% SMI"
275331Samw 
285331Samw #include <sys/types.h>
295331Samw #include <sys/varargs.h>
305331Samw #include <string.h>
315331Samw #include <syslog.h>
325331Samw #include <stdlib.h>
335331Samw 
345331Samw #include <security/pam_appl.h>
355331Samw #include <security/pam_modules.h>
365331Samw #include <security/pam_impl.h>
375331Samw 
385331Samw #include <libintl.h>
395331Samw #include <passwdutil.h>
405331Samw 
415331Samw #include <smbsrv/libsmb.h>
425331Samw 
435331Samw /*PRINTFLIKE3*/
445331Samw static void
error(boolean_t nowarn,pam_handle_t * pamh,char * fmt,...)455331Samw error(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
465331Samw {
475331Samw 	va_list ap;
485331Samw 	char message[PAM_MAX_MSG_SIZE];
495331Samw 
505331Samw 	if (nowarn)
515331Samw 		return;
525331Samw 
535331Samw 	va_start(ap, fmt);
545331Samw 	(void) vsnprintf(message, sizeof (message), fmt, ap);
555331Samw 	(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message,
565331Samw 	    NULL);
575331Samw 	va_end(ap);
585331Samw }
595331Samw 
605331Samw /*PRINTFLIKE3*/
615331Samw static void
info(boolean_t nowarn,pam_handle_t * pamh,char * fmt,...)625331Samw info(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
635331Samw {
645331Samw 	va_list ap;
655331Samw 	char message[PAM_MAX_MSG_SIZE];
665331Samw 
675331Samw 	if (nowarn)
685331Samw 		return;
695331Samw 
705331Samw 	va_start(ap, fmt);
715331Samw 	(void) vsnprintf(message, sizeof (message), fmt, ap);
725331Samw 	(void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message,
735331Samw 	    NULL);
745331Samw 	va_end(ap);
755331Samw }
765331Samw 
775331Samw int
pam_sm_chauthtok(pam_handle_t * pamh,int flags,int argc,const char ** argv)785331Samw pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
795331Samw {
805331Samw 	boolean_t debug = B_FALSE;
815331Samw 	boolean_t nowarn = B_FALSE;
825331Samw 	pwu_repository_t files_rep;
835331Samw 	char *user, *local_user;
845331Samw 	char *newpw;
855331Samw 	char *service;
865331Samw 	int privileged;
875331Samw 	int res;
885331Samw 	int i;
895331Samw 
905331Samw 	for (i = 0; i < argc; i++) {
915331Samw 		if (strcmp(argv[i], "debug") == 0)
925331Samw 			debug = B_TRUE;
935331Samw 		else if (strcmp(argv[i], "nowarn") == 0)
945331Samw 			nowarn = B_TRUE;
955331Samw 	}
965331Samw 
975331Samw 	if ((flags & PAM_PRELIM_CHECK) != 0)
985331Samw 		return (PAM_IGNORE);
995331Samw 
1005331Samw 	if ((flags & PAM_UPDATE_AUTHTOK) == 0)
1015331Samw 		return (PAM_SYSTEM_ERR);
1025331Samw 
1035331Samw 	if ((flags & PAM_SILENT) != 0)
1045331Samw 		nowarn = B_TRUE;
1055331Samw 
1065331Samw 	if (debug)
1075331Samw 		__pam_log(LOG_AUTH | LOG_DEBUG,
1085331Samw 		    "pam_smb_passwd: storing authtok");
1095331Samw 
1105331Samw 	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
1115331Samw 	(void) pam_get_item(pamh, PAM_USER, (void **)&user);
1125331Samw 
1135331Samw 	if (user == NULL || *user == '\0') {
1145331Samw 		__pam_log(LOG_AUTH | LOG_ERR,
1155331Samw 		    "pam_smb_passwd: username is empty");
1165331Samw 		return (PAM_USER_UNKNOWN);
1175331Samw 	}
1185331Samw 
1195331Samw 	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw);
1205331Samw 	if (newpw == NULL) {
1215331Samw 		/*
1225331Samw 		 * A module on the stack has removed PAM_AUTHTOK. We fail
1235331Samw 		 */
1245331Samw 		return (PAM_AUTHTOK_ERR);
1255331Samw 	}
1265331Samw 
1275331Samw 	/* Check to see if this is a local user */
1285331Samw 	files_rep.type = "files";
1295331Samw 	files_rep.scope = NULL;
1305331Samw 	files_rep.scope_len = 0;
1315331Samw 	res = __user_to_authenticate(user, &files_rep, &local_user,
1325331Samw 	    &privileged);
1335331Samw 	if (res != PWU_SUCCESS) {
1345331Samw 		switch (res) {
1355331Samw 		case PWU_NOT_FOUND:
1365331Samw 			/* if not a local user, ignore */
1375331Samw 			if (debug) {
1385331Samw 				__pam_log(LOG_AUTH | LOG_DEBUG,
1395331Samw 				    "pam_smb_passwd: %s is not local", user);
1405331Samw 			}
1415331Samw 			return (PAM_IGNORE);
1425331Samw 		case PWU_DENIED:
1435331Samw 			return (PAM_PERM_DENIED);
1445331Samw 		}
1455331Samw 		return (PAM_SYSTEM_ERR);
1465331Samw 	}
1475331Samw 
148*7052Samw 	smb_pwd_init(B_FALSE);
1496030Sjb150015 
1505331Samw 	res = smb_pwd_setpasswd(user, newpw);
1515331Samw 
1526030Sjb150015 	smb_pwd_fini();
1536030Sjb150015 
1545331Samw 	/*
1555331Samw 	 * now map the various return states to user messages
1565331Samw 	 * and PAM return codes.
1575331Samw 	 */
1585331Samw 	switch (res) {
1595331Samw 	case SMB_PWE_SUCCESS:
1605331Samw 		info(nowarn, pamh, dgettext(TEXT_DOMAIN,
1615331Samw 		    "%s: SMB password successfully changed for %s"),
1625331Samw 		    service, user);
1635331Samw 		return (PAM_SUCCESS);
1645331Samw 
1655331Samw 	case SMB_PWE_STAT_FAILED:
1665331Samw 		__pam_log(LOG_AUTH | LOG_ERR,
1675331Samw 		    "%s: stat of SMB password file failed", service);
1685331Samw 		return (PAM_SYSTEM_ERR);
1695331Samw 
1705331Samw 	case SMB_PWE_OPEN_FAILED:
1715331Samw 	case SMB_PWE_WRITE_FAILED:
1725331Samw 	case SMB_PWE_CLOSE_FAILED:
1735331Samw 	case SMB_PWE_UPDATE_FAILED:
1745331Samw 		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
1755331Samw 		    "%s: Unexpected failure. SMB password database unchanged."),
1765331Samw 		    service);
1775331Samw 		return (PAM_SYSTEM_ERR);
1785331Samw 
1795331Samw 	case SMB_PWE_BUSY:
1805331Samw 		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
1815331Samw 		    "%s: SMB password database busy. Try again later."),
1825331Samw 		    service);
1835331Samw 
1845331Samw 		return (PAM_AUTHTOK_LOCK_BUSY);
1855331Samw 
1865331Samw 	case SMB_PWE_USER_UNKNOWN:
1875331Samw 		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
1885331Samw 		    "%s: %s does not exist."), service, user);
1895331Samw 		return (PAM_USER_UNKNOWN);
1905331Samw 
1915331Samw 	case SMB_PWE_USER_DISABLE:
1925331Samw 		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
1935331Samw 		    "%s: %s is disable. SMB password database unchanged."),
1945331Samw 		    service, user);
1955331Samw 		return (PAM_IGNORE);
1965331Samw 
1975331Samw 	case SMB_PWE_DENIED:
1985331Samw 		return (PAM_PERM_DENIED);
1995331Samw 
2005331Samw 	default:
2015331Samw 		res = PAM_SYSTEM_ERR;
2025331Samw 		break;
2035331Samw 	}
2045331Samw 
2055331Samw 	return (res);
2065331Samw }