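/* Unix NT password database implementation, version 0.7.5.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 3 of the License, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 * more details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, see <http://www.gnu.org/licenses/>.
 */

/* indicate the following groups are defined */
#define PAM_SM_ACCT

#include "includes.h"

#ifndef LINUX

/* This is only used in the Sun implementation. */
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined(HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif

#endif /* LINUX */

#if defined(HAVE_SECURITY_PAM_MODULES_H)
#include <security/pam_modules.h>
#elif defined(HAVE_PAM_PAM_MODULES_H)
#include <pam/pam_modules.h>
#endif

#include "general.h"

#include "support.h"


/*
 * pam_sm_acct_mgmt() verifies whether or not the account is disabled.
 *
 * pamh   PAM handle supplied by the application.
 * flags  PAM flags; passed through to set_ctrl().
 * argc   number of module arguments.
 * argv   module arguments; parsed by set_ctrl().
 *
 * Returns PAM_SUCCESS when the passdb record exists and does not carry
 * ACB_DISABLED; PAM_AUTHINFO_UNAVAIL when not running as root or when the
 * passdb cannot be opened; PAM_USER_UNKNOWN when the user has no usable
 * passdb record; PAM_ACCT_EXPIRED when the account is administratively
 * disabled; the pam_get_user() result when no username can be obtained;
 * and the PAM mapping of NT_STATUS_NO_MEMORY when the record cannot be
 * allocated.
 *
 * Every exit taken after the SIGPIPE handler is replaced goes through a
 * single cleanup label, so the caller's handler is restored exactly once
 * and the passdb record is released on all paths (previously it leaked on
 * every return after samu_new()).
 */

int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
                      int argc, const char **argv )
{
	unsigned int ctrl;
	int retval;

	const char *name;
	const char *dbname;
	struct samu *sampass = NULL;
	void (*oldsig_handler)(int);

	/* Samba initialization. */
	load_case_tables();
	lp_set_in_client(True);

	ctrl = set_ctrl(pamh, flags, argc, argv );

	/* get the username */

	retval = pam_get_user( pamh, &name, "Username: " );
	if (retval != PAM_SUCCESS) {
		if (on( SMB_DEBUG, ctrl )) {
			_log_err(pamh, LOG_DEBUG, "acct: could not identify user" );
		}
		return retval;
	}
	if (on( SMB_DEBUG, ctrl )) {
		_log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name );
	}

	/* The passdb is only readable as root; refuse up front instead of
	   failing part-way through. */
	if (geteuid() != 0) {
		_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
		return PAM_AUTHINFO_UNAVAIL;
	}

	/* Getting into places that might use LDAP -- protect the app
	   from a SIGPIPE it's not expecting.  From here on, leave only
	   via 'out' so the handler is put back exactly once. */
	oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
	if (!initialize_password_db(True, NULL)) {
		_log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
		retval = PAM_AUTHINFO_UNAVAIL;
		goto out;
	}

	/* Get the user's record. */

	if (!(sampass = samu_new( NULL ))) {
		/* malloc fail. */
		retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
		goto out;
	}

	if (!pdb_getsampwnam(sampass, name )) {
		_log_err(pamh, LOG_DEBUG, "acct: could not identify user");
		retval = PAM_USER_UNKNOWN;
		goto out;
	}

	/* check for lookup failure: a record without a username is treated as
	   unknown.  A NULL username is rejected here too, instead of being
	   handed to strlen(). */
	dbname = pdb_get_username(sampass);
	if (dbname == NULL || *dbname == '\0') {
		retval = PAM_USER_UNKNOWN;
		goto out;
	}

	if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
		if (on( SMB_DEBUG, ctrl )) {
			_log_err(pamh, LOG_DEBUG,
			         "acct: account %s is administratively disabled", name);
		}
		make_remark( pamh, ctrl, PAM_ERROR_MSG,
		             "Your account has been disabled; "
		             "please see your system administrator." );
		retval = PAM_ACCT_EXPIRED;
		goto out;
	}

	/* TODO: support for expired passwords. */

	retval = PAM_SUCCESS;

out:
	/* sampass is still NULL on the initialize_password_db() and
	   samu_new() failure paths; freeing a NULL talloc pointer is a no-op. */
	TALLOC_FREE(sampass);
	CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
	return retval;
}

/* static module data */
#ifdef PAM_STATIC
struct pam_module _pam_smbpass_acct_modstruct = {
	"pam_smbpass",
	NULL,
	NULL,
	pam_sm_acct_mgmt,
	NULL,
	NULL,
	NULL
};
#endif
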