関数 | |
int | smb_update_db (pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new) |
int | pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) |
変数 | |
pam_module | _pam_smbpass_passwd_modstruct |
int smb_update_db | ( | pam_handle_t * | pamh, | |
int | ctrl, | |||
const char * | user, | |||
const char * | pass_new | |||
) |
pam_smb_passwd.c の 41 行で定義されています。
参照先 local_password_change()・make_remark().
参照元 pam_sm_chauthtok().
/**
 * Write a new SMB password for @user into the passdb backend.
 *
 * Any diagnostic text the backend produces is relayed to the application
 * through make_remark(): error text as PAM_ERROR_MSG, informational text
 * as PAM_TEXT_INFO.  Both buffers are explicitly NUL-terminated before use
 * because the backend's termination guarantee is not visible here.
 *
 * @param pamh     PAM handle used for the conversation.
 * @param ctrl     Module control flags as produced by set_ctrl().
 * @param user     Account whose password is being replaced.
 * @param pass_new New cleartext password.  The caller (pam_sm_chauthtok)
 *                 passes NULL for an empty password; whether
 *                 local_password_change() accepts NULL cannot be seen
 *                 from here -- confirm against that function.
 * @return PAM_SUCCESS when the backend accepted the change, otherwise
 *         PAM_AUTHTOK_ERR.
 */
int smb_update_db(pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new)
{
    pstring err_str = "";
    pstring msg_str = "";
    int updated;

    updated = NT_STATUS_IS_OK(local_password_change(user, LOCAL_SET_PASSWORD, pass_new,
                                                    err_str, sizeof(err_str),
                                                    msg_str, sizeof(msg_str)));

    if (updated) {
        /* backend may explain what it did (e.g. account flags it touched) */
        if (msg_str[0] != '\0') {
            msg_str[PSTRING_LEN - 1] = '\0';
            make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str);
        }
        return PAM_SUCCESS;
    }

    /* failure: surface the backend's reason to the user, if it gave one */
    if (err_str[0] != '\0') {
        err_str[PSTRING_LEN - 1] = '\0';
        make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str);
    }

    /* FIXME: what value is appropriate here? */
    return PAM_AUTHTOK_ERR;
}
int pam_sm_chauthtok | ( | pam_handle_t * | pamh, | |
int | flags, | |||
int | argc, | |||
const char ** | argv | |||
) |
pam_smb_passwd.c の 91 行で定義されています。
参照先 _log_err()・_pam_smb_approve_pass()・_smb_blankpasswd()・_smb_read_password()・_smb_verify_password()・CatchSignal()・in_client・initialize_password_db()・load_case_tables()・nt_status_to_pam()・pdb_get_user_sid()・pdb_get_username()・pdb_getsampwnam()・samu_new()・set_ctrl()・setup_logging()・sid_to_uid()・smb_update_db()・uidtoname().
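/*
 * Build the "Changing password for <user>" prompt shown before the
 * current SMB password is requested.
 *
 * Returns a heap string the caller releases with SAFE_FREE(), or NULL
 * when allocation fails.  Two memcpy() calls with explicit lengths
 * replace the original strncpy() pair: both lengths are computed once,
 * the buffer is exactly greeting + user + NUL, and the terminator is
 * copied along with the user name.
 */
static char *build_announce(const char *user)
{
    static const char greeting[] = "Changing password for ";
    size_t glen = sizeof(greeting) - 1;
    size_t ulen = strlen(user);
    char *announce = SMB_MALLOC_ARRAY(char, glen + ulen + 1);

    if (announce == NULL) {
        return NULL;
    }
    memcpy(announce, greeting, glen);
    memcpy(announce + glen, user, ulen + 1);   /* includes the NUL */
    return announce;
}

/*
 * Audit-log a successful change: the account changed (name and, when its
 * SID maps to one, uid) and the real uid of whoever requested it.
 * Messages are the ones the module has always emitted, so existing log
 * monitoring keeps matching.
 */
static void log_password_changed(struct samu *sampass, const char *user)
{
    uid_t uid;

    if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) {
        _log_err(LOG_NOTICE, "Unable to get uid for user %s",
                 pdb_get_username(sampass));
        _log_err(LOG_NOTICE, "password for (%s) changed by (%s/%d)",
                 user, uidtoname(getuid()), getuid());
    } else {
        _log_err(LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
                 user, uid, uidtoname(getuid()), getuid());
    }
}

/**
 * PAM password-change entry point (chauthtok) for pam_smbpass.
 *
 * libpam calls this twice.  With PAM_PRELIM_CHECK the current SMB
 * password is read and verified (skipped for root, for an expired-token
 * change, or when the account has a blank password).  With
 * PAM_UPDATE_AUTHTOK the old token is retrieved, the new password is read
 * and approved, and the passdb is rewritten through smb_update_db().
 *
 * @param pamh  PAM handle.
 * @param flags PAM_PRELIM_CHECK / PAM_UPDATE_AUTHTOK plus modifiers.
 * @param argc  Number of module arguments.
 * @param argv  Module arguments, interpreted by set_ctrl().
 * @return A PAM status code.
 *
 * Every exit after the SIGPIPE handler has been installed goes through
 * the `out` label, so the sam account and the signal handler are released
 * exactly once.  The previous version repeated that cleanup at each
 * return and omitted TALLOC_FREE(sampass) on the "user not found" path,
 * leaking the account record.
 */
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    unsigned int ctrl;
    int retval;

    extern BOOL in_client;

    struct samu *sampass = NULL;
    void (*oldsig_handler)(int) = NULL;
    const char *user;
    char *pass_old = NULL;   /* tokens are owned by libpam; never freed here */
    char *pass_new = NULL;

    /* Samba initialization. */
    load_case_tables();
    setup_logging("pam_smbpass", False);
    in_client = True;

    ctrl = set_ctrl(flags, argc, argv);

    /* Nothing can be done without a user name. */
    retval = pam_get_user(pamh, &user, "Username: ");
    if (retval != PAM_SUCCESS) {
        if (on(SMB_DEBUG, ctrl)) {
            _log_err(LOG_DEBUG, "password: could not identify user");
        }
        return retval;
    }
    if (on(SMB_DEBUG, ctrl)) {
        _log_err(LOG_DEBUG, "username [%s] obtained", user);
    }

    /* The passdb backends need root; refuse early instead of failing later. */
    if (geteuid() != 0) {
        _log_err(LOG_DEBUG, "Cannot access samba password database, not running as root.");
        return PAM_AUTHINFO_UNAVAIL;
    }

    /* Getting into places that might use LDAP -- protect the app
       from a SIGPIPE it's not expecting.  From here on, leave via `out`
       so the handler is always restored. */
    oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);

    if (!initialize_password_db(False)) {
        _log_err(LOG_ALERT, "Cannot access samba password database");
        retval = PAM_AUTHINFO_UNAVAIL;
        goto out;
    }

    /* obtain user record */
    sampass = samu_new(NULL);
    if (sampass == NULL) {
        retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
        goto out;
    }

    if (!pdb_getsampwnam(sampass, user)) {
        _log_err(LOG_ALERT, "Failed to find entry for user %s.", user);
        retval = PAM_USER_UNKNOWN;
        goto out;
    }
    if (on(SMB_DEBUG, ctrl)) {
        _log_err(LOG_DEBUG, "Located account for %s", user);
    }

    if (flags & PAM_PRELIM_CHECK) {
        /*
         * obtain and verify the current password (OLDAUTHTOK) for
         * the user.
         */
        char *announce;

        /* an account with a blank password has nothing to verify against */
        if (_smb_blankpasswd(ctrl, sampass)) {
            retval = PAM_SUCCESS;
            goto out;
        }

        /* Password change by root, or for an expired token, doesn't
           require authentication. Is this a good choice? */
        if (getuid() == 0 || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
            retval = PAM_SUCCESS; /* root doesn't have to */
            goto out;
        }

        /* tell user what is happening */
        announce = build_announce(user);
        if (announce == NULL) {
            _log_err(LOG_CRIT, "password: out of memory");
            retval = PAM_BUF_ERR;
            goto out;
        }

        set(SMB__OLD_PASSWD, ctrl);
        retval = _smb_read_password(pamh, ctrl, announce, "Current SMB password: ",
                                    NULL, _SMB_OLD_AUTHTOK, &pass_old);
        SAFE_FREE(announce);

        if (retval != PAM_SUCCESS) {
            _log_err(LOG_NOTICE, "password - (old) token not obtained");
            goto out;
        }

        /* verify that this is the password for this user */
        retval = _smb_verify_password(pamh, sampass, pass_old, ctrl);
        goto out;
    }

    if (flags & PAM_UPDATE_AUTHTOK) {
        /*
         * get the old token back. NULL was ok only if root [at this
         * point we assume that this has already been enforced on a
         * previous call to this function].
         */
        if (off(SMB_NOT_SET_PASS, ctrl)) {
            retval = pam_get_item(pamh, PAM_OLDAUTHTOK,
                                  (const void **)&pass_old);
        } else {
            retval = pam_get_data(pamh, _SMB_OLD_AUTHTOK,
                                  (const void **)&pass_old);
            if (retval == PAM_NO_MODULE_DATA) {
                /* no stored old token: acceptable only for the root case above */
                pass_old = NULL;
                retval = PAM_SUCCESS;
            }
        }

        if (retval != PAM_SUCCESS) {
            _log_err(LOG_NOTICE, "password: user not authenticated");
            goto out;
        }

        /*
         * use_authtok is to force the use of a previously entered
         * password -- needed for pluggable password strength checking
         * or other module stacking
         */
        if (on(SMB_USE_AUTHTOK, ctrl)) {
            set(SMB_USE_FIRST_PASS, ctrl);
        }

        retval = _smb_read_password(pamh, ctrl, NULL,
                                    "Enter new SMB password: ",
                                    "Retype new SMB password: ",
                                    _SMB_NEW_AUTHTOK, &pass_new);

        if (retval != PAM_SUCCESS) {
            if (on(SMB_DEBUG, ctrl)) {
                _log_err(LOG_ALERT, "password: new password not obtained");
            }
            goto out;
        }

        /*
         * At this point we know who the user is and what they propose
         * as their new password.  An empty string means "no password".
         * NOTE(review): assumes _smb_read_password() never reports
         * PAM_SUCCESS with a NULL token -- confirm before dereferencing.
         */
        if (pass_new[0] == '\0') { /* "\0" password = NULL */
            pass_new = NULL;
        }

        /* Verify that the new password is acceptable. */
        retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new);
        if (retval != PAM_SUCCESS) {
            _log_err(LOG_NOTICE, "new password not acceptable");
            goto out;
        }

        /*
         * By reaching here we have approved the passwords and must now
         * rebuild the smb password file.
         */
        retval = smb_update_db(pamh, ctrl, user, pass_new);
        if (retval != PAM_SUCCESS) {
            _log_err(LOG_ERR, "password change failed for user %s", user);
            goto out;
        }

        log_password_changed(sampass, user);
        goto out;
    }

    /* something has broken with the library */
    _log_err(LOG_ALERT, "password received unknown request");
    retval = PAM_ABORT;

out:
    /* TALLOC_FREE tolerates a NULL sampass (the original relied on that too) */
    TALLOC_FREE(sampass);
    CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
    return retval;
}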
struct pam_module _pam_smbpass_passwd_modstruct |
初期値:
/* Static module table for builds that link PAM modules in directly.
   Field order follows Linux-PAM's struct pam_module: name, authenticate,
   setcred, acct_mgmt, open_session, close_session, chauthtok -- only the
   password-change hook is provided by this object. */
{ "pam_smbpass", NULL, NULL, NULL, NULL, NULL, pam_sm_chauthtok }
pam_smb_passwd.c の 346 行で定義されています。