2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
2N/A * Use is subject to license terms.
2N/A */
2N/A
2N/A#pragma ident "%Z%%M% %I% %E% SMI"
2N/A
2N/A#include <sys/types.h>
2N/A#include <sys/varargs.h>
2N/A#include <string.h>
2N/A#include <syslog.h>
2N/A#include <stdlib.h>
2N/A
2N/A#include <security/pam_appl.h>
2N/A#include <security/pam_modules.h>
2N/A#include <security/pam_impl.h>
2N/A
2N/A#include <libintl.h>
2N/A#include <passwdutil.h>
2N/A
2N/A#include <smbsrv/libsmb.h>
2N/A
2N/A/*PRINTFLIKE3*/
2N/Astatic void
2N/Aerror(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
2N/A{
2N/A va_list ap;
2N/A char message[PAM_MAX_MSG_SIZE];
2N/A
2N/A if (nowarn)
2N/A return;
2N/A
2N/A va_start(ap, fmt);
2N/A (void) vsnprintf(message, sizeof (message), fmt, ap);
2N/A (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message,
2N/A NULL);
2N/A va_end(ap);
2N/A}
2N/A
2N/A/*PRINTFLIKE3*/
2N/Astatic void
2N/Ainfo(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
2N/A{
2N/A va_list ap;
2N/A char message[PAM_MAX_MSG_SIZE];
2N/A
2N/A if (nowarn)
2N/A return;
2N/A
2N/A va_start(ap, fmt);
2N/A (void) vsnprintf(message, sizeof (message), fmt, ap);
2N/A (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message,
2N/A NULL);
2N/A va_end(ap);
2N/A}
2N/A
2N/Aint
2N/Apam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
2N/A{
2N/A boolean_t debug = B_FALSE;
2N/A boolean_t nowarn = B_FALSE;
2N/A pwu_repository_t files_rep;
2N/A char *user, *local_user;
2N/A char *newpw;
2N/A char *service;
2N/A int privileged;
2N/A int res;
2N/A int i;
2N/A
2N/A for (i = 0; i < argc; i++) {
2N/A if (strcmp(argv[i], "debug") == 0)
2N/A debug = B_TRUE;
2N/A else if (strcmp(argv[i], "nowarn") == 0)
2N/A nowarn = B_TRUE;
2N/A }
2N/A
2N/A if ((flags & PAM_PRELIM_CHECK) != 0)
2N/A return (PAM_IGNORE);
2N/A
2N/A if ((flags & PAM_UPDATE_AUTHTOK) == 0)
2N/A return (PAM_SYSTEM_ERR);
2N/A
2N/A if ((flags & PAM_SILENT) != 0)
2N/A nowarn = B_TRUE;
2N/A
2N/A if (debug)
2N/A __pam_log(LOG_AUTH | LOG_DEBUG,
2N/A "pam_smb_passwd: storing authtok");
2N/A
2N/A (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
2N/A (void) pam_get_item(pamh, PAM_USER, (void **)&user);
2N/A
2N/A if (user == NULL || *user == '\0') {
2N/A __pam_log(LOG_AUTH | LOG_ERR,
2N/A "pam_smb_passwd: username is empty");
2N/A return (PAM_USER_UNKNOWN);
2N/A }
2N/A
2N/A (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw);
2N/A if (newpw == NULL) {
2N/A /*
2N/A * A module on the stack has removed PAM_AUTHTOK. We fail
2N/A */
2N/A return (PAM_AUTHTOK_ERR);
2N/A }
2N/A
2N/A /* Check to see if this is a local user */
2N/A files_rep.type = "files";
2N/A files_rep.scope = NULL;
2N/A files_rep.scope_len = 0;
2N/A res = __user_to_authenticate(user, &files_rep, &local_user,
2N/A &privileged);
2N/A if (res != PWU_SUCCESS) {
2N/A switch (res) {
2N/A case PWU_NOT_FOUND:
2N/A /* if not a local user, ignore */
2N/A if (debug) {
2N/A __pam_log(LOG_AUTH | LOG_DEBUG,
2N/A "pam_smb_passwd: %s is not local", user);
2N/A }
2N/A return (PAM_IGNORE);
2N/A case PWU_DENIED:
2N/A return (PAM_PERM_DENIED);
2N/A }
2N/A return (PAM_SYSTEM_ERR);
2N/A }
2N/A
2N/A smb_pwd_init(B_FALSE);
2N/A
2N/A res = smb_pwd_setpasswd(user, newpw);
2N/A
2N/A smb_pwd_fini();
2N/A
2N/A /*
2N/A * now map the various return states to user messages
2N/A * and PAM return codes.
2N/A */
2N/A switch (res) {
2N/A case SMB_PWE_SUCCESS:
2N/A info(nowarn, pamh, dgettext(TEXT_DOMAIN,
2N/A "%s: SMB password successfully changed for %s"),
2N/A service, user);
2N/A return (PAM_SUCCESS);
2N/A
2N/A case SMB_PWE_STAT_FAILED:
2N/A __pam_log(LOG_AUTH | LOG_ERR,
2N/A "%s: stat of SMB password file failed", service);
2N/A return (PAM_SYSTEM_ERR);
2N/A
2N/A case SMB_PWE_OPEN_FAILED:
2N/A case SMB_PWE_WRITE_FAILED:
2N/A case SMB_PWE_CLOSE_FAILED:
2N/A case SMB_PWE_UPDATE_FAILED:
2N/A error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2N/A "%s: Unexpected failure. SMB password database unchanged."),
2N/A service);
2N/A return (PAM_SYSTEM_ERR);
2N/A
2N/A case SMB_PWE_BUSY:
2N/A error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2N/A "%s: SMB password database busy. Try again later."),
2N/A service);
2N/A
2N/A return (PAM_AUTHTOK_LOCK_BUSY);
2N/A
2N/A case SMB_PWE_USER_UNKNOWN:
2N/A error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2N/A "%s: %s does not exist."), service, user);
2N/A return (PAM_USER_UNKNOWN);
2N/A
2N/A case SMB_PWE_USER_DISABLE:
2N/A error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2N/A "%s: %s is disable. SMB password database unchanged."),
2N/A service, user);
2N/A return (PAM_IGNORE);
2N/A
2N/A case SMB_PWE_DENIED:
2N/A return (PAM_PERM_DENIED);
2N/A
2N/A default:
2N/A res = PAM_SYSTEM_ERR;
2N/A break;
2N/A }
2N/A
2N/A return (res);
2N/A}