データ構造 | |
struct | smb_pam_userdata |
struct | chat_struct |
型定義 | |
typedef int(*) | smb_pam_conv_fn (int, const struct pam_message **, struct pam_response **, void *appdata_ptr) |
関数 | |
static BOOL | smb_pam_error_handler (pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) |
static BOOL | smb_pam_nt_status_error_handler (pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl, NTSTATUS *nt_status) |
static int | smb_pam_conv (int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) |
static void | special_char_sub (char *buf) |
static void | pwd_sub (char *buf, const char *username, const char *oldpass, const char *newpass) |
static struct chat_struct * | make_pw_chat (const char *p) |
static void | free_pw_chat (struct chat_struct *list) |
static int | smb_pam_passchange_conv (int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) |
static void | smb_free_pam_conv (struct pam_conv *pconv) |
static struct pam_conv * | smb_setup_pam_conv (smb_pam_conv_fn smb_pam_conv_fnptr, const char *user, const char *passwd, const char *newpass) |
static BOOL | smb_pam_end (pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) |
static BOOL | smb_pam_start (pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) |
static NTSTATUS | smb_pam_auth (pam_handle_t *pamh, const char *user) |
static NTSTATUS | smb_pam_account (pam_handle_t *pamh, const char *user) |
static NTSTATUS | smb_pam_setcred (pam_handle_t *pamh, const char *user) |
static BOOL | smb_internal_pam_session (pam_handle_t *pamh, const char *user, const char *tty, BOOL flag) |
static BOOL | smb_pam_chauthtok (pam_handle_t *pamh, const char *user) |
BOOL | smb_pam_claim_session (char *user, char *tty, char *rhost) |
BOOL | smb_pam_close_session (char *user, char *tty, char *rhost) |
NTSTATUS | smb_pam_accountcheck (const char *user) |
NTSTATUS | smb_pam_passcheck (const char *user, const char *password) |
BOOL | smb_pam_passchange (const char *user, const char *oldpassword, const char *newpassword) |
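/*
 * Signature of the PAM conversation callbacks in this file
 * (smb_pam_conv, smb_pam_passchange_conv).  PAM hands num_msg prompts in
 * msg; the callback fills *resp with a malloc'd array that PAM frees;
 * appdata_ptr carries the struct smb_pam_userdata installed by
 * smb_setup_pam_conv().
 */
typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);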
/*
 * Map a PAM return code to a BOOL, logging failures.
 *
 * pamh      - handle passed to pam_strerror() for the message text
 * pam_error - result of the PAM call just made
 * msg       - caller context used as the log prefix
 * dbglvl    - debug level the failure is logged at
 *
 * Returns True when pam_error is PAM_SUCCESS; otherwise logs and
 * returns False.
 * Called by: smb_internal_pam_session(), smb_pam_chauthtok(),
 * smb_pam_end(), smb_pam_nt_status_error_handler(), smb_pam_start().
 */
static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
{
	if (pam_error == PAM_SUCCESS)
		return True;

	DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
		msg, pam_strerror(pamh, pam_error)));
	return False;
}
/*
 * Like smb_pam_error_handler(), but also translate the PAM code into
 * *nt_status for the caller.
 *
 * A PAM failure must never surface as NT_STATUS_OK: if
 * pam_to_nt_status() maps a non-success code to OK, the status is
 * forced to NT_STATUS_LOGON_FAILURE and the mismatch logged at level 0.
 *
 * Returns True on PAM_SUCCESS, False otherwise.
 * Calls: pam_to_nt_status(), smb_pam_error_handler().
 * Called by: smb_pam_account(), smb_pam_auth(), smb_pam_setcred().
 */
static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl, NTSTATUS *nt_status)
{
	BOOL pam_ok;

	*nt_status = pam_to_nt_status(pam_error);

	pam_ok = smb_pam_error_handler(pamh, pam_error, msg, dbglvl);
	if (pam_ok)
		return True;

	if (NT_STATUS_IS_OK(*nt_status)) {
		/* Complain LOUDLY: a failed PAM call mapped to success. */
		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
		*nt_status = NT_STATUS_LOGON_FAILURE;
	}
	return False;
}
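/*
 * PAM conversation used for authentication, account and session calls.
 *
 * num_msg     - number of prompts PAM is asking about
 * msg         - the prompts
 * resp        - receives a malloc'd array of num_msg responses on
 *               PAM_SUCCESS (PAM frees both the array and each resp
 *               string); set to NULL on error
 * appdata_ptr - struct smb_pam_userdata from smb_setup_pam_conv()
 *
 * Echo-on prompts are answered with the username, echo-off prompts
 * with the password; informational and error messages get an empty
 * response.  Any other style is a conversation error.
 *
 * Returns PAM_SUCCESS or PAM_CONV_ERR.
 * Called by: smb_pam_accountcheck(), smb_pam_claim_session(),
 * smb_pam_close_session(), smb_pam_passcheck().
 */
static int smb_pam_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
	int replies;
	struct pam_response *reply;
	struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;

	*resp = NULL;

	if (num_msg <= 0)
		return PAM_CONV_ERR;

	/*
	 * Apparantly HPUX has a buggy PAM that doesn't support the
	 * appdata_ptr. Fail if this is the case. JRA.
	 */
	if (udp == NULL) {
		DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
		return PAM_CONV_ERR;
	}

	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
	if (!reply)
		return PAM_CONV_ERR;

	/* Every entry starts as {resp_retcode 0, resp NULL}. */
	memset(reply, '\0', sizeof(struct pam_response) * num_msg);

	for (replies = 0; replies < num_msg; replies++) {
		switch (msg[replies]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			reply[replies].resp_retcode = PAM_SUCCESS;
			reply[replies].resp = COPY_STRING(udp->PAM_username);
			/* PAM frees resp */
			break;

		case PAM_PROMPT_ECHO_OFF:
			reply[replies].resp_retcode = PAM_SUCCESS;
			reply[replies].resp = COPY_STRING(udp->PAM_password);
			/* PAM frees resp */
			break;

		case PAM_TEXT_INFO:
			/* fall through */

		case PAM_ERROR_MSG:
			/* ignore it... */
			reply[replies].resp_retcode = PAM_SUCCESS;
			reply[replies].resp = NULL;
			break;

		default: {
			/*
			 * Must be an error of some sort... Release the strings
			 * already duplicated (previously only the array was
			 * freed, leaking username/password copies).
			 */
			int i;
			for (i = 0; i < replies; i++)
				SAFE_FREE(reply[i].resp);
			SAFE_FREE(reply);
			return PAM_CONV_ERR;
		}
		}
	}

	*resp = reply;
	return PAM_SUCCESS;
}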
/*
 * Expand the escape sequences allowed in the "passwd chat" string:
 * "\n" and "\r" are removed, "\s" becomes a space, "\t" a tab.
 * buf is rewritten in place.
 * Calls: all_string_sub().  Called by: make_pw_chat().
 */
static void special_char_sub(char *buf)
{
	static const struct {
		const char *from;
		const char *to;
	} subs[] = {
		{ "\\n", "" },
		{ "\\r", "" },
		{ "\\s", " " },
		{ "\\t", "\t" },
	};
	size_t i;

	/* Same substitutions, same order, as the original call sequence. */
	for (i = 0; i < sizeof(subs) / sizeof(subs[0]); i++)
		all_string_sub(buf, subs[i].from, subs[i].to, 0);
}
/*
 * Substitute the chat macros in buf (an fstring) in place:
 * %u -> username, %o -> old password, %n -> new password.
 * The %u pass runs first, so a username containing "%o"/"%n" would be
 * expanded by the later passes - this matches the original order.
 * Calls: all_string_sub(), fstring_sub().
 * Called by: smb_pam_passchange_conv(), talktochild().
 */
static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass)
{
	const char *macros[] = { "%o", "%n" };
	const char *values[] = { oldpass, newpass };
	size_t i;

	fstring_sub(buf, "%u", username);
	for (i = 0; i < 2; i++)
		all_string_sub(buf, macros[i], values[i], sizeof(fstring));
}
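static void free_pw_chat(struct chat_struct *list);

/*
 * Parse the "passwd chat" string p into a list of prompt/reply pairs.
 *
 * Tokens are consumed in pairs: a prompt pattern (a lone "." means
 * "*") and a reply (a lone "." means empty).  Both are passed through
 * special_char_sub(), lower-cased and trimmed of spaces.  Note that a
 * node is allocated and linked before each prompt is read, so the
 * returned list always ends with one zeroed node (empty prompt and
 * reply); smb_pam_passchange_conv() matches against it like any other.
 *
 * Returns the list head, or NULL when allocation fails - in which case
 * the nodes built so far are released (the original leaked them).
 * Calls: next_token(), special_char_sub(), strequal(), strlower_m(), trim_char().
 * Called by: smb_pam_passchange_conv().
 */
static struct chat_struct *make_pw_chat(const char *p)
{
	fstring prompt;
	fstring reply;
	struct chat_struct *list = NULL;
	struct chat_struct *t;

	for (;;) {
		t = SMB_MALLOC_P(struct chat_struct);
		if (!t) {
			DEBUG(0,("make_pw_chat: malloc failed!\n"));
			free_pw_chat(list);
			return NULL;
		}

		ZERO_STRUCTP(t);

		DLIST_ADD_END(list, t, struct chat_struct*);

		if (!next_token(&p, prompt, NULL, sizeof(fstring)))
			break;

		if (strequal(prompt,"."))
			fstrcpy(prompt,"*");

		special_char_sub(prompt);
		fstrcpy(t->prompt, prompt);
		strlower_m(t->prompt);
		trim_char(t->prompt, ' ', ' ');

		if (!next_token(&p, reply, NULL, sizeof(fstring)))
			break;

		if (strequal(reply,"."))
			fstrcpy(reply,"");

		special_char_sub(reply);
		fstrcpy(t->reply, reply);
		strlower_m(t->reply);
		trim_char(t->reply, ' ', ' ');
	}
	return list;
}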
/*
 * Release every node of a chat list built by make_pw_chat().
 * Safe to call with NULL.  Called by: smb_pam_passchange_conv().
 */
static void free_pw_chat(struct chat_struct *list)
{
	struct chat_struct *victim;

	for (victim = list; victim != NULL; victim = list) {
		/* Unlink first, then free, so list always points at a live node. */
		DLIST_REMOVE(list, victim);
		SAFE_FREE(victim);
	}
}
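/*
 * Release the replies built so far by smb_pam_passchange_conv(): the
 * first count resp strings (some contain the old/new password), the
 * array itself, and the chat list.  Used on every failure path.
 */
static void smb_pam_passchange_discard(struct chat_struct *pw_chat, struct pam_response *reply, int count)
{
	int i;

	for (i = 0; i < count; i++)
		SAFE_FREE(reply[i].resp);
	SAFE_FREE(reply);
	free_pw_chat(pw_chat);
}

/*
 * Answer one PAM prompt from the chat list.
 *
 * pw_chat    - prompt/reply pairs from make_pw_chat()
 * udp        - credentials substituted into the reply by pwd_sub()
 * style_name - "PAM_PROMPT_ECHO_ON"/"PAM_PROMPT_ECHO_OFF", log text only
 * pam_msg    - the prompt text PAM sent
 * out        - response slot filled on a match (resp is malloc'd;
 *              PAM frees it)
 *
 * Returns True when a chat prompt matched pam_msg, False otherwise.
 */
static BOOL smb_pam_passchange_reply(struct chat_struct *pw_chat, const struct smb_pam_userdata *udp,
				     const char *style_name, const char *pam_msg, struct pam_response *out)
{
	fstring current_prompt;
	fstring current_reply;
	struct chat_struct *t;

	fstrcpy(current_prompt, pam_msg);
	trim_char(current_prompt, ' ', ' ');

	for (t = pw_chat; t; t = t->next) {
		DEBUG(10,("smb_pam_passchange_conv: %s: trying to match |%s| to |%s|\n",
			style_name, t->prompt, current_prompt ));

		if (!unix_wild_match(t->prompt, current_prompt))
			continue;

		fstrcpy(current_reply, t->reply);
		DEBUG(10,("smb_pam_passchange_conv: %s: We sent: %s\n", style_name, current_reply));
		pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
#ifdef DEBUG_PASSWORD
		DEBUG(100,("smb_pam_passchange_conv: %s: We actualy sent: %s\n", style_name, current_reply));
#endif
		out->resp_retcode = PAM_SUCCESS;
		out->resp = COPY_STRING(current_reply);
		return True;
	}
	return False;
}

/*
 * PAM conversation used by smb_pam_passchange(): drives pam_chauthtok()
 * through the "passwd chat" script.
 *
 * num_msg     - number of prompts
 * msg         - the prompts
 * resp        - receives a malloc'd array of responses on success
 *               (PAM frees it and every resp string); NULL on error
 * appdata_ptr - struct smb_pam_userdata carrying username, old and new
 *               password
 *
 * Echo-on and echo-off prompts are matched against the chat list and
 * answered with the substituted reply; text/error messages get an empty
 * response; an unmatched prompt or unknown style aborts the
 * conversation.  All failure paths free the chat list, the reply array
 * and the reply strings allocated so far (the original leaked the chat
 * list when num_msg <= 0 and leaked earlier reply strings on every
 * later failure).
 *
 * Returns PAM_SUCCESS or PAM_CONV_ERR.
 * Calls: free_pw_chat(), make_pw_chat(), pwd_sub(), trim_char(), unix_wild_match().
 * Called by: smb_pam_passchange().
 */
static int smb_pam_passchange_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
	int replies;
	struct pam_response *reply = NULL;
	struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
	struct chat_struct *pw_chat = make_pw_chat(lp_passwd_chat());

	*resp = NULL;

	DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));

	if (num_msg <= 0) {
		free_pw_chat(pw_chat);
		return PAM_CONV_ERR;
	}

	if (pw_chat == NULL)
		return PAM_CONV_ERR;

	/*
	 * Apparantly HPUX has a buggy PAM that doesn't support the
	 * appdata_ptr. Fail if this is the case. JRA.
	 */
	if (udp == NULL) {
		DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
		free_pw_chat(pw_chat);
		return PAM_CONV_ERR;
	}

	reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
	if (!reply) {
		DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
		free_pw_chat(pw_chat);
		return PAM_CONV_ERR;
	}

	/* Zero so every entry handed to PAM, or freed on error, is defined. */
	memset(reply, '\0', sizeof(struct pam_response) * num_msg);

	for (replies = 0; replies < num_msg; replies++) {
		const char *style_name;

		DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
		switch (msg[replies]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
		case PAM_PROMPT_ECHO_OFF:
			style_name = (msg[replies]->msg_style == PAM_PROMPT_ECHO_ON)
				? "PAM_PROMPT_ECHO_ON" : "PAM_PROMPT_ECHO_OFF";
			DEBUG(10,("smb_pam_passchange_conv: %s: PAM said: %s\n", style_name, msg[replies]->msg));
			if (!smb_pam_passchange_reply(pw_chat, udp, style_name, msg[replies]->msg, &reply[replies])) {
				DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
				smb_pam_passchange_discard(pw_chat, reply, replies);
				return PAM_CONV_ERR;
			}
			/* PAM frees resp */
			break;

		case PAM_TEXT_INFO:
			/* fall through */

		case PAM_ERROR_MSG:
			/* ignore it... */
			reply[replies].resp_retcode = PAM_SUCCESS;
			reply[replies].resp = NULL;
			break;

		default:
			/* Must be an error of some sort... */
			smb_pam_passchange_discard(pw_chat, reply, replies);
			return PAM_CONV_ERR;
		}
	}

	free_pw_chat(pw_chat);
	*resp = reply;
	return PAM_SUCCESS;
}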
static void smb_free_pam_conv | ( | struct pam_conv * | pconv | ) | [static] |
/*
 * Build the struct pam_conv handed to pam_start().
 *
 * smb_pam_conv_fnptr - conversation callback
 * user/passwd/newpass - stored by pointer, NOT copied: the caller must
 *                       keep them alive until smb_pam_end() frees the
 *                       conversation (any may be NULL)
 *
 * Returns a malloc'd conversation whose appdata_ptr is a malloc'd
 * struct smb_pam_userdata, or NULL if either allocation fails (nothing
 * is leaked in that case).  Ownership passes to smb_pam_start()/
 * smb_pam_end().
 * Called by: smb_pam_accountcheck(), smb_pam_claim_session(),
 * smb_pam_close_session(), smb_pam_passchange(), smb_pam_passcheck().
 */
static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user, const char *passwd, const char *newpass)
{
	struct pam_conv *conv = SMB_MALLOC_P(struct pam_conv);
	struct smb_pam_userdata *data = SMB_MALLOC_P(struct smb_pam_userdata);

	if (conv == NULL || data == NULL)
		goto fail;

	data->PAM_username = user;
	data->PAM_password = passwd;
	data->PAM_newpassword = newpass;

	conv->conv = smb_pam_conv_fnptr;
	conv->appdata_ptr = (void *)data;
	return conv;

fail:
	/* SAFE_FREE tolerates NULL, so either half may have failed. */
	SAFE_FREE(conv);
	SAFE_FREE(data);
	return NULL;
}
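/*
 * Tear down a PAM transaction and free its conversation.
 *
 * pamh             - handle from smb_pam_start(), or NULL if none
 * smb_pam_conv_ptr - conversation from smb_setup_pam_conv(); always
 *                    freed here, even when pamh is NULL
 *
 * Returns True when pam_end() succeeded.  Returns False when there was
 * no handle ("not initialised") or pam_end() failed; the latter is now
 * reported only by smb_pam_error_handler() - previously the
 * "not initialised" line was also printed for a failed pam_end(),
 * which misdescribed the error.
 * Calls: smb_free_pam_conv(), smb_pam_error_handler().
 * Called by: smb_pam_accountcheck(), smb_pam_claim_session(),
 * smb_pam_close_session(), smb_pam_passchange(), smb_pam_passcheck(),
 * smb_pam_start().
 */
static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
{
	int pam_error;

	smb_free_pam_conv(smb_pam_conv_ptr);

	if (pamh == NULL) {
		DEBUG(2,("smb_pam_end: PAM: not initialised"));
		return False;
	}

	pam_error = pam_end(pamh, 0);
	/* pamh is passed only so pam_strerror() can format the message;
	 * it is no longer a live handle at this point (as before). */
	if (!smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2))
		return False;

	DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
	return True;
}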
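/*
 * Start a PAM transaction for user and record the remote host and tty.
 *
 * pamh  - receives the new handle; NULL on every failure path
 * user  - account name given to pam_start()
 * rhost - value for PAM_RHOST; when NULL the client name is used, or
 *         the client address if the name is "UNKNOWN"
 * pconv - conversation from smb_setup_pam_conv()
 *
 * Returns True on success, after which smb_pam_end() owns pconv.  On
 * failure pconv is released here: no caller frees it after a False
 * return, and the pam_start() failure path previously leaked it while
 * the later failure paths already freed it via smb_pam_end().
 * Calls: client_addr(), client_name(), smb_free_pam_conv(),
 * smb_pam_end(), smb_pam_error_handler(), strequal().
 * Called by: smb_pam_accountcheck(), smb_pam_claim_session(),
 * smb_pam_close_session(), smb_pam_passchange(), smb_pam_passcheck().
 */
static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
{
	int pam_error;
	const char *our_rhost;

	*pamh = (pam_handle_t *)NULL;

	DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));

	pam_error = pam_start("samba", user, pconv, pamh);
	if (!smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
		/* No handle to end, but the conversation is ours to free. */
		smb_free_pam_conv(pconv);
		*pamh = (pam_handle_t *)NULL;
		return False;
	}

	if (rhost == NULL) {
		our_rhost = client_name();
		if (strequal(our_rhost,"UNKNOWN"))
			our_rhost = client_addr();
	} else {
		our_rhost = rhost;
	}

#ifdef PAM_RHOST
	DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
	pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
	if (!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
		smb_pam_end(*pamh, pconv);
		*pamh = (pam_handle_t *)NULL;
		return False;
	}
#endif
#ifdef PAM_TTY
	DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
	pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
	if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
		smb_pam_end(*pamh, pconv);
		*pamh = (pam_handle_t *)NULL;
		return False;
	}
#endif
	DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
	return True;
}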
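/*
 * Run pam_authenticate() for user and map the result to an NTSTATUS.
 *
 * pamh - handle from smb_pam_start() (conversation supplies the password)
 * user - account name, used for logging only
 *
 * Returns NT_STATUS_OK on success, otherwise the status derived by
 * smb_pam_nt_status_error_handler() (never OK on failure).
 * Calls: smb_pam_nt_status_error_handler().  Called by: smb_pam_passcheck().
 */
static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
{
	int pam_error;
	int flags = PAM_SILENT;
	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;

	/*
	 * To enable debugging set in /etc/pam.d/samba:
	 * auth required /lib/security/pam_pwdb.so nullok shadow audit
	 */

	DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));

	/*
	 * Honour "null passwords": unless the admin allowed them, ask PAM
	 * to refuse empty authentication tokens.  The former expression
	 * "PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK"
	 * parsed as "(PAM_SILENT | lp_null_passwords()) ? 0 : ..." because
	 * | binds tighter than ?:, so the flags were always 0 and empty
	 * passwords were never refused regardless of the setting.
	 */
	if (!lp_null_passwords())
		flags |= PAM_DISALLOW_NULL_AUTHTOK;

	pam_error = pam_authenticate(pamh, flags);
	switch( pam_error ){
		case PAM_AUTH_ERR:
			DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
			break;
		case PAM_CRED_INSUFFICIENT:
			DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
			break;
		case PAM_AUTHINFO_UNAVAIL:
			DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
			break;
		case PAM_USER_UNKNOWN:
			DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
			break;
		case PAM_MAXTRIES:
			DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
			break;
		case PAM_ABORT:
			DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
			break;
		case PAM_SUCCESS:
			DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
			break;
		default:
			DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
			break;
	}

	smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
	return nt_status;
}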
/* Log the outcome of pam_acct_mgmt() for user at the level chosen per code. */
static void smb_pam_account_log(int pam_error, const char *user)
{
	switch (pam_error) {
	case PAM_SUCCESS:
		DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
		break;
	case PAM_AUTHTOK_EXPIRED:
		DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
		break;
	case PAM_ACCT_EXPIRED:
		DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
		break;
	case PAM_AUTH_ERR:
		DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
		break;
	case PAM_PERM_DENIED:
		DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
		break;
	case PAM_USER_UNKNOWN:
		DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
		break;
	default:
		DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
		break;
	}
}

/*
 * Run pam_acct_mgmt() (is the account enabled / not expired?) for user.
 *
 * Returns NT_STATUS_OK when the account is usable, otherwise the status
 * derived by smb_pam_nt_status_error_handler() (never OK on failure).
 * Calls: smb_pam_nt_status_error_handler().
 * Called by: smb_pam_accountcheck(), smb_pam_passcheck().
 */
static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char *user)
{
	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
	int rc;

	DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
	rc = pam_acct_mgmt(pamh, PAM_SILENT);
	smb_pam_account_log(rc, user);

	smb_pam_nt_status_error_handler(pamh, rc, "Account Check Failed", 2, &nt_status);
	return nt_status;
}
/* Log the outcome of pam_setcred() for user at the level chosen per code. */
static void smb_pam_setcred_log(int pam_error, const char *user)
{
	switch (pam_error) {
	case PAM_SUCCESS:
		DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
		break;
	case PAM_CRED_UNAVAIL:
		DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
		break;
	case PAM_CRED_EXPIRED:
		DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
		break;
	case PAM_USER_UNKNOWN:
		DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
		break;
	case PAM_CRED_ERR:
		DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
		break;
	default:
		DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
		break;
	}
}

/*
 * Establish the user's credentials via pam_setcred(PAM_ESTABLISH_CRED).
 *
 * This will allow samba to aquire a kerberos token. And, when
 * exporting an AFS cell, be able to /write/ to this cell.
 *
 * Returns NT_STATUS_OK on success, otherwise the status derived by
 * smb_pam_nt_status_error_handler() (never OK on failure).
 * Calls: smb_pam_nt_status_error_handler().  Called by: smb_pam_passcheck().
 */
static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char *user)
{
	NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
	int rc;

	DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
	rc = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
	smb_pam_setcred_log(rc, user);

	smb_pam_nt_status_error_handler(pamh, rc, "Set Credential Failure", 2, &nt_status);
	return nt_status;
}
/*
 * Open (flag == True) or close (flag == False) a PAM session.
 *
 * pamh - handle from smb_pam_start()
 * user - unused here; kept for the callers' signature
 * tty  - recorded as PAM_TTY before the session call, where supported
 * flag - True to pam_open_session(), False to drop credentials and
 *        pam_close_session()
 *
 * Returns True on success, False after logging via smb_pam_error_handler().
 * Called by: smb_pam_claim_session(), smb_pam_close_session().
 */
static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, BOOL flag)
{
	int rc;

#ifdef PAM_TTY
	DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
	rc = pam_set_item(pamh, PAM_TTY, tty);
	if (!smb_pam_error_handler(pamh, rc, "set tty failed", 0))
		return False;
#endif

	if (!flag) {
		pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */
		rc = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
		return smb_pam_error_handler(pamh, rc, "session close failed", 0);
	}

	rc = pam_open_session(pamh, PAM_SILENT);
	return smb_pam_error_handler(pamh, rc, "session setup failed", 0);
}
/* Log the outcome of pam_chauthtok() for user at the level chosen per code. */
static void smb_pam_chauthtok_log(int pam_error, const char *user)
{
	switch (pam_error) {
	case PAM_SUCCESS:
		DEBUG(4, ("PAM: Account OK for User: %s\n", user));
		break;
	case PAM_AUTHTOK_ERR:
		DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
		break;
	/* This doesn't seem to be defined on Solaris. JRA */
#ifdef PAM_AUTHTOK_RECOVER_ERR
	case PAM_AUTHTOK_RECOVER_ERR:
		DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
		break;
#endif
	case PAM_AUTHTOK_LOCK_BUSY:
		DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
		break;
	case PAM_AUTHTOK_DISABLE_AGING:
		DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
		break;
	case PAM_PERM_DENIED:
		DEBUG(0, ("PAM: Permission denied.\n"));
		break;
	case PAM_TRY_AGAIN:
		DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
		break;
	case PAM_USER_UNKNOWN:
		DEBUG(0, ("PAM: User not known to PAM\n"));
		break;
	default:
		DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
		break;
	}
}

/*
 * Change the user's password through pam_chauthtok(); the old and new
 * passwords are supplied by the smb_pam_passchange_conv() conversation.
 *
 * Returns True when the password was changed, False after logging.
 * Calls: smb_pam_error_handler().  Called by: smb_pam_passchange().
 */
static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char *user)
{
	int rc;

	DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));

	rc = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
	smb_pam_chauthtok_log(rc, user);

	/* If this returns True, the password has changed. */
	return smb_pam_error_handler(pamh, rc, "Password Change Failed", 2);
}
/*
 * Open a PAM session for user on tty from rhost.
 *
 * Returns True if "obey pam restrictions" is off (PAM is skipped
 * entirely) or the session was opened and pam_end() succeeded; False
 * otherwise.  The conversation is released by smb_pam_start()/
 * smb_pam_end().
 * Calls: smb_internal_pam_session(), smb_pam_conv(), smb_pam_end(),
 * smb_pam_start(), smb_setup_pam_conv().  Called by: session_claim().
 */
BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
{
	pam_handle_t *handle = NULL;
	struct pam_conv *conv;

	/* Ignore PAM if told to. */
	if (!lp_obey_pam_restrictions())
		return True;

	conv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL);
	if (conv == NULL)
		return False;

	if (!smb_pam_start(&handle, user, rhost, conv))
		return False;

	if (smb_internal_pam_session(handle, user, tty, True))
		return smb_pam_end(handle, conv);

	smb_pam_end(handle, conv);
	return False;
}
/*
 * Close the PAM session for user on tty from rhost (drops credentials
 * first, see smb_internal_pam_session()).
 *
 * Returns True if "obey pam restrictions" is off (PAM is skipped
 * entirely) or the session was closed and pam_end() succeeded; False
 * otherwise.
 * Calls: smb_internal_pam_session(), smb_pam_conv(), smb_pam_end(),
 * smb_pam_start(), smb_setup_pam_conv().  Called by: session_yield().
 */
BOOL smb_pam_close_session(char *user, char *tty, char *rhost)
{
	pam_handle_t *handle = NULL;
	struct pam_conv *conv;

	/* Ignore PAM if told to. */
	if (!lp_obey_pam_restrictions())
		return True;

	conv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL);
	if (conv == NULL)
		return False;

	if (!smb_pam_start(&handle, user, rhost, conv))
		return False;

	if (smb_internal_pam_session(handle, user, tty, False))
		return smb_pam_end(handle, conv);

	smb_pam_end(handle, conv);
	return False;
}
/*
 * Account-management check only (no authentication) for user.
 *
 * Returns NT_STATUS_OK when "obey pam restrictions" is off or PAM
 * accepts the account; NT_STATUS_NO_MEMORY if the conversation cannot
 * be allocated; NT_STATUS_ACCOUNT_DISABLED if pam_start() fails;
 * otherwise the status from smb_pam_account().
 * Calls: smb_pam_account(), smb_pam_conv(), smb_pam_end(),
 * smb_pam_start(), smb_setup_pam_conv().
 * Called by: check_ntlm_password(), check_smbserver_security(),
 * check_unix_security(), domain_client_validate(), reply_spnego_kerberos().
 */
NTSTATUS smb_pam_accountcheck(const char *user)
{
	pam_handle_t *handle = NULL;
	struct pam_conv *conv;
	NTSTATUS status;

	/* Ignore PAM if told to. */
	if (!lp_obey_pam_restrictions())
		return NT_STATUS_OK;

	conv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL);
	if (conv == NULL)
		return NT_STATUS_NO_MEMORY;

	if (!smb_pam_start(&handle, user, NULL, conv))
		return NT_STATUS_ACCOUNT_DISABLED;

	status = smb_pam_account(handle, user);
	if (!NT_STATUS_IS_OK(status))
		DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));

	smb_pam_end(handle, conv);
	return status;
}
/*
 * Plaintext password check through PAM: authenticate, then account
 * management, then establish credentials, stopping at the first failure.
 *
 * user/password are stored by pointer in the conversation (see
 * smb_setup_pam_conv()) and must stay valid for the whole call.
 *
 * Note we can't ignore PAM here as this is the only way of doing auths
 * on plaintext passwords when compiled --with-pam.
 *
 * Returns NT_STATUS_OK on success, NT_STATUS_LOGON_FAILURE when the
 * conversation or pam_start() fails, otherwise the status of the
 * failing step.
 * Calls: smb_pam_account(), smb_pam_auth(), smb_pam_conv(), smb_pam_end(),
 * smb_pam_setcred(), smb_pam_start(), smb_setup_pam_conv().
 * Called by: password_check().
 */
NTSTATUS smb_pam_passcheck(const char *user, const char *password)
{
	pam_handle_t *handle = NULL;
	struct pam_conv *conv;
	NTSTATUS status = NT_STATUS_LOGON_FAILURE;

	conv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL);
	if (conv == NULL)
		return NT_STATUS_LOGON_FAILURE;

	if (!smb_pam_start(&handle, user, NULL, conv))
		return NT_STATUS_LOGON_FAILURE;

	status = smb_pam_auth(handle, user);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
		goto done;
	}

	status = smb_pam_account(handle, user);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
		goto done;
	}

	status = smb_pam_setcred(handle, user);
	if (!NT_STATUS_IS_OK(status))
		DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));

done:
	/* pam_end() result does not alter the outcome, as before. */
	smb_pam_end(handle, conv);
	return status;
}
/*
 * Change user's password from oldpassword to newpassword through PAM,
 * driving pam_chauthtok() with the smb_pam_passchange_conv() chat.
 *
 * Appropriate quantities of root should be obtained BEFORE calling this
 * function.  The three strings are stored by pointer in the conversation
 * and must remain valid for the whole call.
 *
 * Returns True when the password was changed and pam_end() succeeded.
 * Calls: smb_pam_chauthtok(), smb_pam_end(), smb_pam_passchange_conv(),
 * smb_pam_start(), smb_setup_pam_conv().  Called by: chgpasswd().
 */
BOOL smb_pam_passchange(const char *user, const char *oldpassword, const char *newpassword)
{
	pam_handle_t *handle = NULL;
	struct pam_conv *conv;

	conv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword);
	if (conv == NULL)
		return False;

	if (!smb_pam_start(&handle, user, NULL, conv))
		return False;

	if (smb_pam_chauthtok(handle, user))
		return smb_pam_end(handle, conv);

	DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
	smb_pam_end(handle, conv);
	return False;
}