1da6c28aaSamw /*
2da6c28aaSamw * CDDL HEADER START
3da6c28aaSamw *
4da6c28aaSamw * The contents of this file are subject to the terms of the
5da6c28aaSamw * Common Development and Distribution License (the "License").
6da6c28aaSamw * You may not use this file except in compliance with the License.
7da6c28aaSamw *
8da6c28aaSamw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9da6c28aaSamw * or http://www.opensolaris.org/os/licensing.
10da6c28aaSamw * See the License for the specific language governing permissions
11da6c28aaSamw * and limitations under the License.
12da6c28aaSamw *
13da6c28aaSamw * When distributing Covered Code, include this CDDL HEADER in each
14da6c28aaSamw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15da6c28aaSamw * If applicable, add the following below this CDDL HEADER, with the
16da6c28aaSamw * fields enclosed by brackets "[]" replaced with your own identifying
17da6c28aaSamw * information: Portions Copyright [yyyy] [name of copyright owner]
18da6c28aaSamw *
19da6c28aaSamw * CDDL HEADER END
20da6c28aaSamw */
21da6c28aaSamw /*
227b59d02dSjb150015 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23da6c28aaSamw * Use is subject to license terms.
24da6c28aaSamw */
25da6c28aaSamw
26da6c28aaSamw #include <sys/types.h>
27da6c28aaSamw #include <sys/varargs.h>
28da6c28aaSamw #include <string.h>
29da6c28aaSamw #include <syslog.h>
30da6c28aaSamw #include <stdlib.h>
31da6c28aaSamw
32da6c28aaSamw #include <security/pam_appl.h>
33da6c28aaSamw #include <security/pam_modules.h>
34da6c28aaSamw #include <security/pam_impl.h>
35da6c28aaSamw
36da6c28aaSamw #include <libintl.h>
37da6c28aaSamw #include <passwdutil.h>
38da6c28aaSamw
39da6c28aaSamw #include <smbsrv/libsmb.h>
40da6c28aaSamw
41da6c28aaSamw /*PRINTFLIKE3*/
42da6c28aaSamw static void
error(boolean_t nowarn,pam_handle_t * pamh,char * fmt,...)43da6c28aaSamw error(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
44da6c28aaSamw {
45da6c28aaSamw va_list ap;
46da6c28aaSamw char message[PAM_MAX_MSG_SIZE];
47da6c28aaSamw
48da6c28aaSamw if (nowarn)
49da6c28aaSamw return;
50da6c28aaSamw
51da6c28aaSamw va_start(ap, fmt);
52da6c28aaSamw (void) vsnprintf(message, sizeof (message), fmt, ap);
53da6c28aaSamw (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message,
54da6c28aaSamw NULL);
55da6c28aaSamw va_end(ap);
56da6c28aaSamw }
57da6c28aaSamw
58da6c28aaSamw /*PRINTFLIKE3*/
59da6c28aaSamw static void
info(boolean_t nowarn,pam_handle_t * pamh,char * fmt,...)60da6c28aaSamw info(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
61da6c28aaSamw {
62da6c28aaSamw va_list ap;
63da6c28aaSamw char message[PAM_MAX_MSG_SIZE];
64da6c28aaSamw
65da6c28aaSamw if (nowarn)
66da6c28aaSamw return;
67da6c28aaSamw
68da6c28aaSamw va_start(ap, fmt);
69da6c28aaSamw (void) vsnprintf(message, sizeof (message), fmt, ap);
70da6c28aaSamw (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message,
71da6c28aaSamw NULL);
72da6c28aaSamw va_end(ap);
73da6c28aaSamw }
74da6c28aaSamw
75da6c28aaSamw int
pam_sm_chauthtok(pam_handle_t * pamh,int flags,int argc,const char ** argv)76da6c28aaSamw pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
77da6c28aaSamw {
78da6c28aaSamw boolean_t debug = B_FALSE;
79da6c28aaSamw boolean_t nowarn = B_FALSE;
80da6c28aaSamw pwu_repository_t files_rep;
81da6c28aaSamw char *user, *local_user;
82da6c28aaSamw char *newpw;
83da6c28aaSamw char *service;
84da6c28aaSamw int privileged;
85da6c28aaSamw int res;
86da6c28aaSamw int i;
87da6c28aaSamw
88da6c28aaSamw for (i = 0; i < argc; i++) {
89da6c28aaSamw if (strcmp(argv[i], "debug") == 0)
90da6c28aaSamw debug = B_TRUE;
91da6c28aaSamw else if (strcmp(argv[i], "nowarn") == 0)
92da6c28aaSamw nowarn = B_TRUE;
93da6c28aaSamw }
94da6c28aaSamw
95da6c28aaSamw if ((flags & PAM_PRELIM_CHECK) != 0)
96da6c28aaSamw return (PAM_IGNORE);
97da6c28aaSamw
98da6c28aaSamw if ((flags & PAM_UPDATE_AUTHTOK) == 0)
99da6c28aaSamw return (PAM_SYSTEM_ERR);
100da6c28aaSamw
101da6c28aaSamw if ((flags & PAM_SILENT) != 0)
102da6c28aaSamw nowarn = B_TRUE;
103da6c28aaSamw
104da6c28aaSamw if (debug)
105da6c28aaSamw __pam_log(LOG_AUTH | LOG_DEBUG,
106da6c28aaSamw "pam_smb_passwd: storing authtok");
107da6c28aaSamw
108da6c28aaSamw (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
109da6c28aaSamw (void) pam_get_item(pamh, PAM_USER, (void **)&user);
110da6c28aaSamw
111da6c28aaSamw if (user == NULL || *user == '\0') {
112da6c28aaSamw __pam_log(LOG_AUTH | LOG_ERR,
113da6c28aaSamw "pam_smb_passwd: username is empty");
114da6c28aaSamw return (PAM_USER_UNKNOWN);
115da6c28aaSamw }
116da6c28aaSamw
117da6c28aaSamw (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw);
118da6c28aaSamw if (newpw == NULL) {
119da6c28aaSamw /*
120da6c28aaSamw * A module on the stack has removed PAM_AUTHTOK. We fail
121da6c28aaSamw */
122da6c28aaSamw return (PAM_AUTHTOK_ERR);
123da6c28aaSamw }
124da6c28aaSamw
125da6c28aaSamw /* Check to see if this is a local user */
126da6c28aaSamw files_rep.type = "files";
127da6c28aaSamw files_rep.scope = NULL;
128da6c28aaSamw files_rep.scope_len = 0;
129da6c28aaSamw res = __user_to_authenticate(user, &files_rep, &local_user,
130da6c28aaSamw &privileged);
131da6c28aaSamw if (res != PWU_SUCCESS) {
132da6c28aaSamw switch (res) {
133da6c28aaSamw case PWU_NOT_FOUND:
134da6c28aaSamw /* if not a local user, ignore */
135da6c28aaSamw if (debug) {
136da6c28aaSamw __pam_log(LOG_AUTH | LOG_DEBUG,
137da6c28aaSamw "pam_smb_passwd: %s is not local", user);
138da6c28aaSamw }
139da6c28aaSamw return (PAM_IGNORE);
140da6c28aaSamw case PWU_DENIED:
141da6c28aaSamw return (PAM_PERM_DENIED);
142da6c28aaSamw }
143da6c28aaSamw return (PAM_SYSTEM_ERR);
144da6c28aaSamw }
145da6c28aaSamw
146*3db3f65cSamw smb_pwd_init(B_FALSE);
1477b59d02dSjb150015
148da6c28aaSamw res = smb_pwd_setpasswd(user, newpw);
149da6c28aaSamw
1507b59d02dSjb150015 smb_pwd_fini();
1517b59d02dSjb150015
152da6c28aaSamw /*
153da6c28aaSamw * now map the various return states to user messages
154da6c28aaSamw * and PAM return codes.
155da6c28aaSamw */
156da6c28aaSamw switch (res) {
157da6c28aaSamw case SMB_PWE_SUCCESS:
158da6c28aaSamw info(nowarn, pamh, dgettext(TEXT_DOMAIN,
159da6c28aaSamw "%s: SMB password successfully changed for %s"),
160da6c28aaSamw service, user);
161da6c28aaSamw return (PAM_SUCCESS);
162da6c28aaSamw
163da6c28aaSamw case SMB_PWE_STAT_FAILED:
164da6c28aaSamw __pam_log(LOG_AUTH | LOG_ERR,
165da6c28aaSamw "%s: stat of SMB password file failed", service);
166da6c28aaSamw return (PAM_SYSTEM_ERR);
167da6c28aaSamw
168da6c28aaSamw case SMB_PWE_OPEN_FAILED:
169da6c28aaSamw case SMB_PWE_WRITE_FAILED:
170da6c28aaSamw case SMB_PWE_CLOSE_FAILED:
171da6c28aaSamw case SMB_PWE_UPDATE_FAILED:
172da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN,
173da6c28aaSamw "%s: Unexpected failure. SMB password database unchanged."),
174da6c28aaSamw service);
175da6c28aaSamw return (PAM_SYSTEM_ERR);
176da6c28aaSamw
177da6c28aaSamw case SMB_PWE_BUSY:
178da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN,
179da6c28aaSamw "%s: SMB password database busy. Try again later."),
180da6c28aaSamw service);
181da6c28aaSamw
182da6c28aaSamw return (PAM_AUTHTOK_LOCK_BUSY);
183da6c28aaSamw
184da6c28aaSamw case SMB_PWE_USER_UNKNOWN:
185da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN,
186da6c28aaSamw "%s: %s does not exist."), service, user);
187da6c28aaSamw return (PAM_USER_UNKNOWN);
188da6c28aaSamw
189da6c28aaSamw case SMB_PWE_USER_DISABLE:
190da6c28aaSamw error(nowarn, pamh, dgettext(TEXT_DOMAIN,
191da6c28aaSamw "%s: %s is disable. SMB password database unchanged."),
192da6c28aaSamw service, user);
193da6c28aaSamw return (PAM_IGNORE);
194da6c28aaSamw
195da6c28aaSamw case SMB_PWE_DENIED:
196da6c28aaSamw return (PAM_PERM_DENIED);
197da6c28aaSamw
198da6c28aaSamw default:
199da6c28aaSamw res = PAM_SYSTEM_ERR;
200da6c28aaSamw break;
201da6c28aaSamw }
202da6c28aaSamw
203da6c28aaSamw return (res);
204da6c28aaSamw }
205