00019 #define PAM_SM_ACCT
00020
00021 #include "includes.h"
00022
00023 #ifndef LINUX
00024
00025
00026 #include <security/pam_appl.h>
00027
00028 #endif
00029
00030 #include <security/pam_modules.h>
00031
00032 #include "general.h"
00033
00034 #include "support.h"
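/**
 * PAM account-management hook for pam_smbpass.
 *
 * Looks the PAM user up in the Samba password database and refuses the
 * account when its ACB_DISABLED control bit is set.
 *
 * @param pamh  PAM handle supplied by the calling application.
 * @param flags PAM flags, passed through to set_ctrl().
 * @param argc  Number of module arguments.
 * @param argv  Module arguments, passed through to set_ctrl().
 *
 * @return PAM_SUCCESS when the user has a record and it is not disabled;
 *         the pam_get_user() error when the user name cannot be obtained;
 *         PAM_AUTHINFO_UNAVAIL when not running with effective UID 0 or
 *         when the password database cannot be initialised;
 *         nt_status_to_pam(NT_STATUS_NO_MEMORY) when the record cannot be
 *         allocated; PAM_USER_UNKNOWN when no record (or a record with an
 *         empty user name) is found; PAM_ACCT_EXPIRED when the account is
 *         disabled.
 *
 * Only ACB_DISABLED is examined here. No other account-control bit or
 * expiry value is consulted in this function, so any further restriction
 * has to be enforced by another module in the account stack.
 */
int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
		      int argc, const char **argv )
{
	unsigned int ctrl;
	int retval;

	const char *name;
	struct samu *sampass = NULL;
	void (*oldsig_handler)(int);
	extern BOOL in_client;

	/* Samba-side initialisation before any library call is made. */
	load_case_tables();
	setup_logging( "pam_smbpass", False );
	in_client = True;

	ctrl = set_ctrl( flags, argc, argv );

	/* Obtain the user name from PAM (prompting if necessary). */
	retval = pam_get_user( pamh, &name, "Username: " );
	if (retval != PAM_SUCCESS) {
		if (on( SMB_DEBUG, ctrl )) {
			_log_err( LOG_DEBUG, "acct: could not identify user" );
		}
		return retval;
	}
	/*
	 * NOTE(review): `name` comes from the PAM conversation and is written
	 * to the log verbatim; confirm that _log_err() or the log sink
	 * neutralises control characters.
	 */
	if (on( SMB_DEBUG, ctrl )) {
		_log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
	}

	/* The password database is only opened with effective UID 0. */
	if (geteuid() != 0) {
		_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
		return PAM_AUTHINFO_UNAVAIL;
	}

	/*
	 * SIGPIPE is ignored for as long as the password database is in use;
	 * presumably so that a broken backend connection cannot terminate
	 * the calling application. The previous handler is restored on every
	 * exit path below via the `done` label.
	 */
	oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);

	if (!initialize_password_db(True)) {
		_log_err( LOG_ALERT, "Cannot access samba password database" );
		retval = PAM_AUTHINFO_UNAVAIL;
		goto done;
	}

	/* Allocate the record that pdb_getsampwnam() fills in. */
	if (!(sampass = samu_new( NULL ))) {
		retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
		goto done;
	}

	if (!pdb_getsampwnam(sampass, name )) {
		_log_err( LOG_DEBUG, "acct: could not identify user" );
		retval = PAM_USER_UNKNOWN;
		goto done;
	}

	/* A record with an empty user name is treated as a failed lookup. */
	if (!strlen(pdb_get_username(sampass)) ) {
		retval = PAM_USER_UNKNOWN;
		goto done;
	}

	if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
		if (on( SMB_DEBUG, ctrl )) {
			_log_err( LOG_DEBUG
				  , "acct: account %s is administratively disabled", name );
		}
		make_remark( pamh, ctrl, PAM_ERROR_MSG
			     , "Your account has been disabled; "
			       "please see your system administrator." );

		retval = PAM_ACCT_EXPIRED;
		goto done;
	}

	retval = PAM_SUCCESS;

done:
	/*
	 * Single exit for everything after the signal handler was swapped.
	 * The record was previously never released on any path, so each call
	 * leaked it into the long-lived calling process. TALLOC_FREE() is a
	 * no-op for a NULL pointer, so the early failure paths are covered.
	 */
	TALLOC_FREE(sampass);
	CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
	return retval;
}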
00125
00126
#ifdef PAM_STATIC
/*
 * Static-linking descriptor for this module, compiled only when PAM_STATIC
 * is defined. Only the account-management entry point is provided; every
 * other hook slot is left NULL.
 * NOTE(review): the slot order follows struct pam_module as declared in
 * <security/pam_modules.h>; confirm against the installed header.
 */
struct pam_module _pam_smbpass_acct_modstruct = {
	"pam_smbpass",		/* module name */
	NULL, NULL,
	pam_sm_acct_mgmt,	/* account-management hook defined above */
	NULL, NULL, NULL
};
#endif
00138