xref: /onnv-gate/usr/src/lib/pam_modules/smbfs/smbfs_login.c (revision 6007:d57e38e8fdd1) 
1*6007Sthurlow /*
2*6007Sthurlow  * CDDL HEADER START
3*6007Sthurlow  *
4*6007Sthurlow  * The contents of this file are subject to the terms of the
5*6007Sthurlow  * Common Development and Distribution License (the "License").
6*6007Sthurlow  * You may not use this file except in compliance with the License.
7*6007Sthurlow  *
8*6007Sthurlow  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9*6007Sthurlow  * or http://www.opensolaris.org/os/licensing.
10*6007Sthurlow  * See the License for the specific language governing permissions
11*6007Sthurlow  * and limitations under the License.
12*6007Sthurlow  *
13*6007Sthurlow  * When distributing Covered Code, include this CDDL HEADER in each
14*6007Sthurlow  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15*6007Sthurlow  * If applicable, add the following below this CDDL HEADER, with the
16*6007Sthurlow  * fields enclosed by brackets "[]" replaced with your own identifying
17*6007Sthurlow  * information: Portions Copyright [yyyy] [name of copyright owner]
18*6007Sthurlow  *
19*6007Sthurlow  * CDDL HEADER END
20*6007Sthurlow  */
21*6007Sthurlow /*
22*6007Sthurlow  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23*6007Sthurlow  * Use is subject to license terms.
24*6007Sthurlow  */
25*6007Sthurlow 
26*6007Sthurlow #pragma ident	"%Z%%M%	%I%	%E% SMI"
27*6007Sthurlow 
28*6007Sthurlow #include <sys/types.h>
29*6007Sthurlow #include <sys/varargs.h>
30*6007Sthurlow #include <string.h>
31*6007Sthurlow #include <syslog.h>
32*6007Sthurlow #include <stdlib.h>
33*6007Sthurlow #include <unistd.h>
34*6007Sthurlow #include <pwd.h>
35*6007Sthurlow #include <nss_dbdefs.h>
36*6007Sthurlow 
37*6007Sthurlow #include <security/pam_appl.h>
38*6007Sthurlow #include <security/pam_modules.h>
39*6007Sthurlow #include <security/pam_impl.h>
40*6007Sthurlow 
41*6007Sthurlow #include <libintl.h>
42*6007Sthurlow #include <passwdutil.h>
43*6007Sthurlow 
44*6007Sthurlow #include <errno.h>
45*6007Sthurlow #include <netsmb/smb_keychain.h>
46*6007Sthurlow 
47*6007Sthurlow /*ARGSUSED*/
48*6007Sthurlow int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)49*6007Sthurlow pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
50*6007Sthurlow {
51*6007Sthurlow 	return (PAM_IGNORE);
52*6007Sthurlow }
53*6007Sthurlow 
54*6007Sthurlow /*ARGSUSED*/
55*6007Sthurlow int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)56*6007Sthurlow pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
57*6007Sthurlow {
58*6007Sthurlow 	boolean_t debug = B_FALSE;
59*6007Sthurlow 	char dom[20];
60*6007Sthurlow 	char *user;
61*6007Sthurlow 	char *pw;
62*6007Sthurlow 	char *service;
63*6007Sthurlow 	struct passwd pwbuf;
64*6007Sthurlow 	char buf[NSS_BUFLEN_PASSWD];
65*6007Sthurlow 	char *home;
66*6007Sthurlow 	uid_t uid;
67*6007Sthurlow 	int res = PAM_SUCCESS;
68*6007Sthurlow 	int i, mask;
69*6007Sthurlow 
70*6007Sthurlow 	for (i = 0; i < argc; i++) {
71*6007Sthurlow 		if (strcmp(argv[i], "debug") == 0)
72*6007Sthurlow 			debug = B_TRUE;
73*6007Sthurlow 	}
74*6007Sthurlow 
75*6007Sthurlow 	/* Since our creds don't time out, ignore a refresh. */
76*6007Sthurlow 	if ((flags & PAM_REFRESH_CRED) != 0)
77*6007Sthurlow 		return (PAM_IGNORE);
78*6007Sthurlow 
79*6007Sthurlow 	/* Check for unknown options */
80*6007Sthurlow 	mask = PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED | PAM_DELETE_CRED;
81*6007Sthurlow 	if ((flags & ~mask) != 0)
82*6007Sthurlow 		return (PAM_IGNORE);
83*6007Sthurlow 
84*6007Sthurlow 	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
85*6007Sthurlow 	(void) pam_get_item(pamh, PAM_USER, (void **)&user);
86*6007Sthurlow 
87*6007Sthurlow 	if (user == NULL || *user == '\0') {
88*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR,
89*6007Sthurlow 		    "pam_smbfs_login: username is empty");
90*6007Sthurlow 		return (PAM_IGNORE);
91*6007Sthurlow 	}
92*6007Sthurlow 	if (getpwnam_r(user, &pwbuf, buf, sizeof (buf)) == NULL) {
93*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR,
94*6007Sthurlow 		    "pam_smbfs_login: username %s can't be found", user);
95*6007Sthurlow 		return (PAM_IGNORE);
96*6007Sthurlow 	}
97*6007Sthurlow 	uid = pwbuf.pw_uid;
98*6007Sthurlow 	home = pwbuf.pw_dir;
99*6007Sthurlow 
100*6007Sthurlow 	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&pw);
101*6007Sthurlow 	if (pw == NULL) {
102*6007Sthurlow 		/*
103*6007Sthurlow 		 * A module on the stack has removed PAM_AUTHTOK.
104*6007Sthurlow 		 */
105*6007Sthurlow 		return (PAM_IGNORE);
106*6007Sthurlow 	}
107*6007Sthurlow 
108*6007Sthurlow 	res = smbfs_default_dom_usr(home, NULL, dom, sizeof (dom), NULL, 0);
109*6007Sthurlow 	if (res != 0)
110*6007Sthurlow 		(void) strcpy(dom, "WORKGROUP");
111*6007Sthurlow 
112*6007Sthurlow 	if (debug)
113*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_DEBUG,
114*6007Sthurlow 		    "pam_smbfs_login: service %s, dom %s, user %s",
115*6007Sthurlow 		    service, dom, user);
116*6007Sthurlow 
117*6007Sthurlow 	if ((flags & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) != 0)
118*6007Sthurlow 		res = smbfs_keychain_add(uid, dom, user, pw);
119*6007Sthurlow 
120*6007Sthurlow 	if ((flags & PAM_DELETE_CRED) != 0)
121*6007Sthurlow 		res = smbfs_keychain_del(uid, dom, user);
122*6007Sthurlow 
123*6007Sthurlow 	/*
124*6007Sthurlow 	 * map errors to user messages and PAM return codes.
125*6007Sthurlow 	 */
126*6007Sthurlow 	switch (res) {
127*6007Sthurlow 	case SMB_KEYCHAIN_SUCCESS:
128*6007Sthurlow 		if (debug)
129*6007Sthurlow 			__pam_log(LOG_AUTH | LOG_DEBUG,
130*6007Sthurlow 			    "smbfs password successfully stored for %s", user);
131*6007Sthurlow 		break;
132*6007Sthurlow 
133*6007Sthurlow 	case SMB_KEYCHAIN_BADPASSWD:
134*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR, "smbfs password is invalid");
135*6007Sthurlow 		break;
136*6007Sthurlow 
137*6007Sthurlow 	case SMB_KEYCHAIN_BADDOMAIN:
138*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR,
139*6007Sthurlow 		    "%s: smbfs domain %s is invalid", service, dom);
140*6007Sthurlow 		break;
141*6007Sthurlow 
142*6007Sthurlow 	case SMB_KEYCHAIN_BADUSER:
143*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR, "smbfs user %s is invalid", user);
144*6007Sthurlow 		break;
145*6007Sthurlow 
146*6007Sthurlow 	case SMB_KEYCHAIN_NODRIVER:
147*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR,
148*6007Sthurlow 		    "driver open failed (%s), smbfs password not stored",
149*6007Sthurlow 		    strerror(errno));
150*6007Sthurlow 		break;
151*6007Sthurlow 
152*6007Sthurlow 	case SMB_KEYCHAIN_UNKNOWN:
153*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR,
154*6007Sthurlow 		    "Unexpected failure, smbfs password not stored");
155*6007Sthurlow 		break;
156*6007Sthurlow 
157*6007Sthurlow 	default:
158*6007Sthurlow 		__pam_log(LOG_AUTH | LOG_ERR,
159*6007Sthurlow 		    "driver ioctl failed (%s), smbfs password not stored",
160*6007Sthurlow 		    strerror(errno));
161*6007Sthurlow 		break;
162*6007Sthurlow 	}
163*6007Sthurlow 
164*6007Sthurlow 	return (PAM_IGNORE);
165*6007Sthurlow }
166