4bff34e37def8a90f9194d81bc345c52ba20086athurlow/*
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * CDDL HEADER START
4bff34e37def8a90f9194d81bc345c52ba20086athurlow *
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * The contents of this file are subject to the terms of the
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * Common Development and Distribution License (the "License").
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * You may not use this file except in compliance with the License.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow *
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * or http://www.opensolaris.org/os/licensing.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * See the License for the specific language governing permissions
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * and limitations under the License.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow *
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * When distributing Covered Code, include this CDDL HEADER in each
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * If applicable, add the following below this CDDL HEADER, with the
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * fields enclosed by brackets "[]" replaced with your own identifying
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * information: Portions Copyright [yyyy] [name of copyright owner]
4bff34e37def8a90f9194d81bc345c52ba20086athurlow *
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * CDDL HEADER END
4bff34e37def8a90f9194d81bc345c52ba20086athurlow */
4bff34e37def8a90f9194d81bc345c52ba20086athurlow/*
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * Use is subject to license terms.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow */
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#pragma ident "%Z%%M% %I% %E% SMI"
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <sys/types.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <sys/varargs.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <string.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <syslog.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <stdlib.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <unistd.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <pwd.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <nss_dbdefs.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <security/pam_appl.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <security/pam_modules.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <security/pam_impl.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <libintl.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <passwdutil.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <errno.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow#include <netsmb/smb_keychain.h>
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow/*ARGSUSED*/
4bff34e37def8a90f9194d81bc345c52ba20086athurlowint
4bff34e37def8a90f9194d81bc345c52ba20086athurlowpam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow{
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow}
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow/*ARGSUSED*/
4bff34e37def8a90f9194d81bc345c52ba20086athurlowint
4bff34e37def8a90f9194d81bc345c52ba20086athurlowpam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow{
4bff34e37def8a90f9194d81bc345c52ba20086athurlow boolean_t debug = B_FALSE;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow char dom[20];
4bff34e37def8a90f9194d81bc345c52ba20086athurlow char *user;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow char *pw;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow char *service;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow struct passwd pwbuf;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow char buf[NSS_BUFLEN_PASSWD];
4bff34e37def8a90f9194d81bc345c52ba20086athurlow char *home;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow uid_t uid;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow int res = PAM_SUCCESS;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow int i, mask;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow for (i = 0; i < argc; i++) {
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (strcmp(argv[i], "debug") == 0)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow debug = B_TRUE;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow }
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow /* Since our creds don't time out, ignore a refresh. */
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if ((flags & PAM_REFRESH_CRED) != 0)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow /* Check for unknown options */
4bff34e37def8a90f9194d81bc345c52ba20086athurlow mask = PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED | PAM_DELETE_CRED;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if ((flags & ~mask) != 0)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow (void) pam_get_item(pamh, PAM_USER, (void **)&user);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (user == NULL || *user == '\0') {
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "pam_smbfs_login: username is empty");
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow }
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (getpwnam_r(user, &pwbuf, buf, sizeof (buf)) == NULL) {
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "pam_smbfs_login: username %s can't be found", user);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow }
4bff34e37def8a90f9194d81bc345c52ba20086athurlow uid = pwbuf.pw_uid;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow home = pwbuf.pw_dir;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&pw);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (pw == NULL) {
4bff34e37def8a90f9194d81bc345c52ba20086athurlow /*
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * A module on the stack has removed PAM_AUTHTOK.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow */
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow }
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow res = smbfs_default_dom_usr(home, NULL, dom, sizeof (dom), NULL, 0);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (res != 0)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow (void) strcpy(dom, "WORKGROUP");
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (debug)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_DEBUG,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "pam_smbfs_login: service %s, dom %s, user %s",
4bff34e37def8a90f9194d81bc345c52ba20086athurlow service, dom, user);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if ((flags & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) != 0)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow res = smbfs_keychain_add(uid, dom, user, pw);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if ((flags & PAM_DELETE_CRED) != 0)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow res = smbfs_keychain_del(uid, dom, user);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow /*
4bff34e37def8a90f9194d81bc345c52ba20086athurlow * map errors to user messages and PAM return codes.
4bff34e37def8a90f9194d81bc345c52ba20086athurlow */
4bff34e37def8a90f9194d81bc345c52ba20086athurlow switch (res) {
4bff34e37def8a90f9194d81bc345c52ba20086athurlow case SMB_KEYCHAIN_SUCCESS:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow if (debug)
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_DEBUG,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "smbfs password successfully stored for %s", user);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow case SMB_KEYCHAIN_BADPASSWD:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR, "smbfs password is invalid");
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow case SMB_KEYCHAIN_BADDOMAIN:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "%s: smbfs domain %s is invalid", service, dom);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow case SMB_KEYCHAIN_BADUSER:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR, "smbfs user %s is invalid", user);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow case SMB_KEYCHAIN_NODRIVER:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "driver open failed (%s), smbfs password not stored",
4bff34e37def8a90f9194d81bc345c52ba20086athurlow strerror(errno));
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow case SMB_KEYCHAIN_UNKNOWN:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "Unexpected failure, smbfs password not stored");
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow default:
4bff34e37def8a90f9194d81bc345c52ba20086athurlow __pam_log(LOG_AUTH | LOG_ERR,
4bff34e37def8a90f9194d81bc345c52ba20086athurlow "driver ioctl failed (%s), smbfs password not stored",
4bff34e37def8a90f9194d81bc345c52ba20086athurlow strerror(errno));
4bff34e37def8a90f9194d81bc345c52ba20086athurlow break;
4bff34e37def8a90f9194d81bc345c52ba20086athurlow }
4bff34e37def8a90f9194d81bc345c52ba20086athurlow
4bff34e37def8a90f9194d81bc345c52ba20086athurlow return (PAM_IGNORE);
4bff34e37def8a90f9194d81bc345c52ba20086athurlow}