summaryrefslogtreecommitdiff
path: root/source
diff options
context:
space:
mode:
Diffstat (limited to 'source')
-rw-r--r--source/include/mapping.h48
-rw-r--r--source/include/util_getent.h45
-rw-r--r--source/libsmb/cli_netlogon.c128
-rw-r--r--source/libsmb/cli_srvsvc.c128
-rw-r--r--source/nsswitch/winbind_nss_solaris.c279
-rw-r--r--source/nsswitch/winbindd_sid.c244
-rw-r--r--source/pam_smbpass/CHANGELOG31
-rw-r--r--source/pam_smbpass/README66
-rw-r--r--source/pam_smbpass/TODO7
-rw-r--r--source/pam_smbpass/general.h123
-rw-r--r--source/pam_smbpass/samples/README3
-rw-r--r--source/pam_smbpass/samples/kdc-pdc15
-rw-r--r--source/pam_smbpass/samples/password-mature14
-rw-r--r--source/pam_smbpass/samples/password-migration18
-rw-r--r--source/pam_smbpass/samples/password-sync15
-rw-r--r--source/pam_smbpass/support.c651
-rw-r--r--source/pam_smbpass/support.h52
17 files changed, 0 insertions, 1867 deletions
diff --git a/source/include/mapping.h b/source/include/mapping.h
deleted file mode 100644
index f3e0be6e4a7..00000000000
--- a/source/include/mapping.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Unix SMB/Netbios implementation.
- * Version 1.9.
- * RPC Pipe client / server routines
- * Copyright (C) Andrew Tridgell 1992-2000,
- * Copyright (C) Jean François Micouleau 1998-2001.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-
-typedef struct _GROUP_MAP {
- gid_t gid;
- DOM_SID sid;
- enum SID_NAME_USE sid_name_use;
- fstring nt_name;
- fstring comment;
- uint32 privilege;
-} GROUP_MAP;
-
-typedef struct _PRIVS {
- uint32 se_priv;
- char *priv;
- char *description;
-} PRIVS;
-
-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_USERS 0x0001
-#define SE_PRIV_ADD_MACHINES 0x0002
-#define SE_PRIV_PRINT_OPERATOR 0x0004
-#define SE_PRIV_ALL 0xffff
-
-#define PRIV_ALL_INDEX 4
-
-
-#define ENUM_ONLY_MAPPED True
-#define ENUM_ALL_MAPPED False
diff --git a/source/include/util_getent.h b/source/include/util_getent.h
deleted file mode 100644
index 11926b89641..00000000000
--- a/source/include/util_getent.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 3.0
- Samba utility functions
- Copyright (C) Simo Sorce 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-/* element for a single linked list of group entries */
-/* replace the use of struct group in some cases */
-/* used by getgrent_list() */
-struct sys_grent {
- char *gr_name;
- char *gr_passwd;
- gid_t gr_gid;
- char **gr_mem;
- struct sys_grent *next;
-};
-
-/* element for a single linked list of passwd entries */
-/* replace the use of struct passwd in some cases */
-/* used by getpwent_list() */
-struct sys_pwent {
- char *pw_name;
- char *pw_passwd;
- uid_t pw_uid;
- gid_t pw_gid;
- char *pw_gecos;
- char *pw_dir;
- char *pw_shell;
- struct sys_pwent *next;
-};
diff --git a/source/libsmb/cli_netlogon.c b/source/libsmb/cli_netlogon.c
deleted file mode 100644
index 47b7c2f22ec..00000000000
--- a/source/libsmb/cli_netlogon.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 1.9.
- NT Domain Authentication SMB / MSRPC client
- Copyright (C) Andrew Tridgell 1994-2000
- Copyright (C) Luke Kenneth Casson Leighton 1996-2000
- Copyright (C) Tim Potter 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/* Opens a SMB connection to the netlogon pipe */
-
-struct cli_state *cli_netlogon_initialise(struct cli_state *cli,
- char *system_name,
- struct ntuser_creds *creds)
-{
- struct in_addr dest_ip;
- struct nmb_name calling, called;
- fstring dest_host;
- extern pstring global_myname;
- struct ntuser_creds anon;
-
- /* Initialise cli_state information */
-
- if (!cli_initialise(cli)) {
- return NULL;
- }
-
- if (!creds) {
- ZERO_STRUCT(anon);
- anon.pwd.null_pwd = 1;
- creds = &anon;
- }
-
- cli_init_creds(cli, creds);
-
- /* Establish a SMB connection */
-
- if (!resolve_srv_name(system_name, dest_host, &dest_ip)) {
- return NULL;
- }
-
- make_nmb_name(&called, dns_to_netbios_name(dest_host), 0x20);
- make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
-
- if (!cli_establish_connection(cli, dest_host, &dest_ip, &calling,
- &called, "IPC$", "IPC", False, True)) {
- return NULL;
- }
-
- /* Open a NT session thingy */
-
- if (!cli_nt_session_open(cli, PIPE_NETLOGON)) {
- cli_shutdown(cli);
- return NULL;
- }
-
- return cli;
-}
-
-/* Shut down a SMB connection to the netlogon pipe */
-
-void cli_netlogon_shutdown(struct cli_state *cli)
-{
- if (cli->fd != -1) cli_ulogoff(cli);
- cli_shutdown(cli);
-}
-
-/* Logon Control 2 */
-
-uint32 cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
- uint32 query_level)
-{
- prs_struct qbuf, rbuf;
- NET_Q_LOGON_CTRL2 q;
- NET_R_LOGON_CTRL2 r;
- uint32 result = NT_STATUS_UNSUCCESSFUL;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise parse structures */
-
- prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
- prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
-
- /* Initialise input parameters */
-
- init_net_q_logon_ctrl2(&q, cli->srv_name_slash, query_level);
-
- /* Marshall data and send request */
-
- if (!net_io_q_logon_ctrl2("", &q, &qbuf, 0) ||
- !rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &qbuf, &rbuf)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Unmarshall response */
-
- if (!net_io_r_logon_ctrl2("", &r, &rbuf, 0)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- result = r.status;
-
- done:
- prs_mem_free(&qbuf);
- prs_mem_free(&rbuf);
-
- return result;
-}
diff --git a/source/libsmb/cli_srvsvc.c b/source/libsmb/cli_srvsvc.c
deleted file mode 100644
index 8209d9301f1..00000000000
--- a/source/libsmb/cli_srvsvc.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 1.9.
- NT Domain Authentication SMB / MSRPC client
- Copyright (C) Andrew Tridgell 1994-2000
- Copyright (C) Luke Kenneth Casson Leighton 1996-2000
- Copyright (C) Tim Potter 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/* Opens a SMB connection to the svrsvc pipe */
-
-struct cli_state *cli_svrsvc_initialise(struct cli_state *cli,
- char *system_name,
- struct ntuser_creds *creds)
-{
- struct in_addr dest_ip;
- struct nmb_name calling, called;
- fstring dest_host;
- extern pstring global_myname;
- struct ntuser_creds anon;
-
- /* Initialise cli_state information */
-
- if (!cli_initialise(cli)) {
- return NULL;
- }
-
- if (!creds) {
- ZERO_STRUCT(anon);
- anon.pwd.null_pwd = 1;
- creds = &anon;
- }
-
- cli_init_creds(cli, creds);
-
- /* Establish a SMB connection */
-
- if (!resolve_srv_name(system_name, dest_host, &dest_ip)) {
- return NULL;
- }
-
- make_nmb_name(&called, dns_to_netbios_name(dest_host), 0x20);
- make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
-
- if (!cli_establish_connection(cli, dest_host, &dest_ip, &calling,
- &called, "IPC$", "IPC", False, True)) {
- return NULL;
- }
-
- /* Open a NT session thingy */
-
- if (!cli_nt_session_open(cli, PIPE_SRVSVC)) {
- cli_shutdown(cli);
- return NULL;
- }
-
- return cli;
-}
-
-/* Shut down a SMB connection to the srvsvc pipe */
-
-void cli_srvsvc_shutdown(struct cli_state *cli)
-{
- if (cli->fd != -1) cli_ulogoff(cli);
- cli_shutdown(cli);
-}
-
-uint32 cli_srvsvc_net_srv_get_info(struct cli_state *cli, TALLOC_CTX *mem_ctx,
- uint32 switch_value, SRV_INFO_CTR *ctr)
-{
- prs_struct qbuf, rbuf;
- SRV_Q_NET_SRV_GET_INFO q;
- SRV_R_NET_SRV_GET_INFO r;
- uint32 result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise parse structures */
-
- prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
- prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
-
- /* Initialise input parameters */
-
- init_srv_q_net_srv_get_info(&q, cli->srv_name_slash, switch_value);
-
- /* Marshall data and send request */
-
- if (!srv_io_q_net_srv_get_info("", &q, &qbuf, 0) ||
- !rpc_api_pipe_req(cli, SRV_NET_SRV_GET_INFO, &qbuf, &rbuf)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Unmarshall response */
-
- r.ctr = ctr;
-
- if (!srv_io_r_net_srv_get_info("", &r, &rbuf, 0)) {
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- result = r.status;
-
- done:
- prs_mem_free(&qbuf);
- prs_mem_free(&rbuf);
-
- return result;
-}
diff --git a/source/nsswitch/winbind_nss_solaris.c b/source/nsswitch/winbind_nss_solaris.c
deleted file mode 100644
index de8a63b90bf..00000000000
--- a/source/nsswitch/winbind_nss_solaris.c
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
- Solaris NSS wrapper for winbind
- - Shirish Kalele 2000
-
- Based on Luke Howard's ldap_nss module for Solaris
- */
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <string.h>
-#include <pwd.h>
-#include <syslog.h>
-#include <sys/syslog.h>
-#include "includes.h"
-#include "winbind_nss_config.h"
-
-#ifdef HAVE_NSS_COMMON_H
-
-#undef NSS_DEBUG
-
-#ifdef NSS_DEBUG
-#define NSS_DEBUG(str) syslog(LOG_DEBUG, "nss_winbind: %s", str);
-#else
-#define NSS_DEBUG(str) ;
-#endif
-
-#define NSS_ARGS(args) ((nss_XbyY_args_t *)args)
-
-#define make_pwent_str(dest, src) \
-{ \
- if((dest = get_static(buffer, buflen, strlen(src)+1)) == NULL) \
- { \
- *errnop = ERANGE; \
- NSS_DEBUG("ERANGE error"); \
- return NSS_STATUS_TRYAGAIN; \
- } \
- strcpy(dest, src); \
-}
-
-static NSS_STATUS _nss_winbind_setpwent_solwrap (nss_backend_t* be, void* args)
-{
- NSS_DEBUG("_nss_winbind_setpwent_solwrap");
- return _nss_winbind_setpwent();
-}
-
-static NSS_STATUS
-_nss_winbind_endpwent_solwrap (nss_backend_t * be, void *args)
-{
- NSS_DEBUG("_nss_winbind_endpwent_solwrap");
- return _nss_winbind_endpwent();
-}
-
-static NSS_STATUS
-_nss_winbind_getpwent_solwrap (nss_backend_t* be, void *args)
-{
- NSS_STATUS ret;
- char* buffer = NSS_ARGS(args)->buf.buffer;
- int buflen = NSS_ARGS(args)->buf.buflen;
- struct passwd* result = (struct passwd*) NSS_ARGS(args)->buf.result;
- int* errnop = &NSS_ARGS(args)->erange;
- char logmsg[80];
-
- ret = _nss_winbind_getpwent_r(result, buffer,
- buflen, errnop);
-
- if(ret == NSS_STATUS_SUCCESS)
- {
- snprintf(logmsg, 79, "_nss_winbind_getpwent_solwrap: Returning user: %s\n",
- result->pw_name);
- NSS_DEBUG(logmsg);
- NSS_ARGS(args)->returnval = (void*) result;
- } else {
- snprintf(logmsg, 79, "_nss_winbind_getpwent_solwrap: Returning error: %d.\n",ret);
- NSS_DEBUG(logmsg);
- }
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getpwnam_solwrap (nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct passwd* result = (struct passwd*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getpwnam_solwrap");
-
- ret = _nss_winbind_getpwnam_r (NSS_ARGS(args)->key.name,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getpwuid_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct passwd* result = (struct passwd*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getpwuid_solwrap");
- ret = _nss_winbind_getpwuid_r (NSS_ARGS(args)->key.uid,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS _nss_winbind_passwd_destr (nss_backend_t * be, void *args)
-{
- free(be);
- NSS_DEBUG("_nss_winbind_passwd_destr");
- return NSS_STATUS_SUCCESS;
-}
-
-static nss_backend_op_t passwd_ops[] =
-{
- _nss_winbind_passwd_destr,
- _nss_winbind_endpwent_solwrap, /* NSS_DBOP_ENDENT */
- _nss_winbind_setpwent_solwrap, /* NSS_DBOP_SETENT */
- _nss_winbind_getpwent_solwrap, /* NSS_DBOP_GETENT */
- _nss_winbind_getpwnam_solwrap, /* NSS_DBOP_PASSWD_BYNAME */
- _nss_winbind_getpwuid_solwrap /* NSS_DBOP_PASSWD_BYUID */
-};
-
-nss_backend_t*
-_nss_winbind_passwd_constr (const char* db_name,
- const char* src_name,
- const char* cfg_args)
-{
- nss_backend_t *be;
-
- if(!(be = (nss_backend_t*) malloc(sizeof(nss_backend_t))) )
- return NULL;
-
- be->ops = passwd_ops;
- be->n_ops = sizeof(passwd_ops) / sizeof(nss_backend_op_t);
-
- NSS_DEBUG("Initialized nss_winbind passwd backend");
- return be;
-}
-
-/*****************************************************************
- GROUP database backend
- *****************************************************************/
-
-static NSS_STATUS _nss_winbind_setgrent_solwrap (nss_backend_t* be, void* args)
-{
- NSS_DEBUG("_nss_winbind_setgrent_solwrap");
- return _nss_winbind_setgrent();
-}
-
-static NSS_STATUS
-_nss_winbind_endgrent_solwrap (nss_backend_t * be, void *args)
-{
- NSS_DEBUG("_nss_winbind_endgrent_solwrap");
- return _nss_winbind_endgrent();
-}
-
-static NSS_STATUS
-_nss_winbind_getgrent_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- char* buffer = NSS_ARGS(args)->buf.buffer;
- int buflen = NSS_ARGS(args)->buf.buflen;
- struct group* result = (struct group*) NSS_ARGS(args)->buf.result;
- int* errnop = &NSS_ARGS(args)->erange;
- char logmsg[80];
-
- ret = _nss_winbind_getgrent_r(result, buffer,
- buflen, errnop);
-
- if(ret == NSS_STATUS_SUCCESS)
- {
- snprintf(logmsg, 79, "_nss_winbind_getgrent_solwrap: Returning group: %s\n", result->gr_name);
- NSS_DEBUG(logmsg);
- NSS_ARGS(args)->returnval = (void*) result;
- } else {
- snprintf(logmsg, 79, "_nss_winbind_getgrent_solwrap: Returning error: %d.\n", ret);
- NSS_DEBUG(logmsg);
- }
-
- return ret;
-
-}
-
-static NSS_STATUS
-_nss_winbind_getgrnam_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct group* result = (struct group*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getgrnam_solwrap");
- ret = _nss_winbind_getgrnam_r(NSS_ARGS(args)->key.name,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
-
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getgrgid_solwrap(nss_backend_t* be, void* args)
-{
- NSS_STATUS ret;
- struct group* result = (struct group*) NSS_ARGS(args)->buf.result;
-
- NSS_DEBUG("_nss_winbind_getgrgid_solwrap");
- ret = _nss_winbind_getgrgid_r (NSS_ARGS(args)->key.gid,
- result,
- NSS_ARGS(args)->buf.buffer,
- NSS_ARGS(args)->buf.buflen,
- &NSS_ARGS(args)->erange);
-
- if(ret == NSS_STATUS_SUCCESS)
- NSS_ARGS(args)->returnval = (void*) result;
-
- return ret;
-}
-
-static NSS_STATUS
-_nss_winbind_getgroupsbymember_solwrap(nss_backend_t* be, void* args)
-{
- NSS_DEBUG("_nss_winbind_getgroupsbymember");
- return NSS_STATUS_NOTFOUND;
-}
-
-static NSS_STATUS
-_nss_winbind_group_destr (nss_backend_t* be, void* args)
-{
- free(be);
- NSS_DEBUG("_nss_winbind_group_destr");
- return NSS_STATUS_SUCCESS;
-}
-
-static nss_backend_op_t group_ops[] =
-{
- _nss_winbind_group_destr,
- _nss_winbind_endgrent_solwrap,
- _nss_winbind_setgrent_solwrap,
- _nss_winbind_getgrent_solwrap,
- _nss_winbind_getgrnam_solwrap,
- _nss_winbind_getgrgid_solwrap,
- _nss_winbind_getgroupsbymember_solwrap
-};
-
-nss_backend_t*
-_nss_winbind_group_constr (const char* db_name,
- const char* src_name,
- const char* cfg_args)
-{
- nss_backend_t* be;
-
- if(!(be = (nss_backend_t*) malloc(sizeof(nss_backend_t))) )
- return NULL;
-
- be->ops = group_ops;
- be->n_ops = sizeof(group_ops) / sizeof(nss_backend_op_t);
-
- NSS_DEBUG("Initialized nss_winbind group backend");
- return be;
-}
-
-#endif /* SUN_NSS */
-
-
diff --git a/source/nsswitch/winbindd_sid.c b/source/nsswitch/winbindd_sid.c
deleted file mode 100644
index bc014f26918..00000000000
--- a/source/nsswitch/winbindd_sid.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- Unix SMB/Netbios implementation.
- Version 2.0
-
- Winbind daemon - sid related functions
-
- Copyright (C) Tim Potter 2000
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "winbindd.h"
-#include "sids.h"
-
-/* Convert a string */
-
-enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
-{
- extern DOM_SID global_sid_Builtin;
- enum SID_NAME_USE type;
- DOM_SID sid, tmp_sid;
- uint32 rid;
- fstring name;
-
- DEBUG(3, ("[%5d]: lookupsid %s\n", state->pid,
- state->request.data.sid));
-
- /* Lookup sid from PDC using lsa_lookup_sids() */
-
- string_to_sid(&sid, state->request.data.sid);
-
- /* Don't look up BUILTIN sids */
-
- sid_copy(&tmp_sid, &sid);
- sid_split_rid(&tmp_sid, &rid);
-
- if (sid_equal(&tmp_sid, &global_sid_Builtin)) {
- return WINBINDD_ERROR;
- }
-
- /* Lookup the sid */
-
- if (!winbindd_lookup_name_by_sid(&sid, name, &type)) {
- return WINBINDD_ERROR;
- }
-
- string_sub(name, "\\", lp_winbind_separator(), sizeof(fstring));
- fstrcpy(state->response.data.name.name, name);
- state->response.data.name.type = type;
-
- return WINBINDD_OK;
-}
-
-/* Convert a sid to a string */
-
-enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
-{
- enum SID_NAME_USE type;
- fstring sid_str, name_domain, name_user, name;
- DOM_SID sid;
-
- DEBUG(3, ("[%5d]: lookupname %s\n", state->pid,
- state->request.data.name));
-
- parse_domain_user(state->request.data.name, name_domain, name_user);
-
- snprintf(name, sizeof(name), "%s\\%s", name_domain, name_user);
-
- /* Lookup name from PDC using lsa_lookup_names() */
-
- if (!winbindd_lookup_sid_by_name(name, &sid, &type)) {
- return WINBINDD_ERROR;
- }
-
- sid_to_string(sid_str, &sid);
- fstrcpy(state->response.data.sid.sid, sid_str);
- state->response.data.sid.type = type;
-
- return WINBINDD_OK;
-}
-
-/* Convert a sid to a uid. We assume we only have one rid attached to the
- sid. */
-
-enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
-{
- DOM_SID sid;
- uint32 user_rid;
- struct winbindd_domain *domain;
-
- DEBUG(3, ("[%5d]: sid to uid %s\n", state->pid,
- state->request.data.sid));
-
- /* Split sid into domain sid and user rid */
-
- string_to_sid(&sid, state->request.data.sid);
- sid_split_rid(&sid, &user_rid);
-
- /* Find domain this sid belongs to */
-
- if ((domain = find_domain_from_sid(&sid)) == NULL) {
- fstring sid_str;
-
- sid_to_string(sid_str, &sid);
- DEBUG(1, ("Could not find domain for sid %s\n", sid_str));
- return WINBINDD_ERROR;
- }
-
- /* Find uid for this sid and return it */
-
- if (!winbindd_idmap_get_uid_from_rid(domain->name, user_rid,
- &state->response.data.uid)) {
- DEBUG(1, ("Could not get uid for sid %s\n",
- state->request.data.sid));
- return WINBINDD_ERROR;
- }
-
- return WINBINDD_OK;
-}
-
-/* Convert a sid to a gid. We assume we only have one rid attached to the
- sid.*/
-
-enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
-{
- DOM_SID sid;
- uint32 group_rid;
- struct winbindd_domain *domain;
-
- DEBUG(3, ("[%5d]: sid to gid %s\n", state->pid,
- state->request.data.sid));
-
- /* Split sid into domain sid and user rid */
-
- string_to_sid(&sid, state->request.data.sid);
- sid_split_rid(&sid, &group_rid);
-
- /* Find domain this sid belongs to */
-
- if ((domain = find_domain_from_sid(&sid)) == NULL) {
- fstring sid_str;
-
- sid_to_string(sid_str, &sid);
- DEBUG(1, ("Could not find domain for sid %s\n", sid_str));
- return WINBINDD_ERROR;
- }
-
- /* Find uid for this sid and return it */
-
- if (!winbindd_idmap_get_gid_from_rid(domain->name, group_rid,
- &state->response.data.gid)) {
- DEBUG(1, ("Could not get gid for sid %s\n",
- state->request.data.sid));
- return WINBINDD_ERROR;
- }
-
- return WINBINDD_OK;
-}
-
-/* Convert a uid to a sid */
-
-enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain;
- uint32 user_rid;
- DOM_SID sid;
-
- /* Bug out if the uid isn't in the winbind range */
-
- if ((state->request.data.uid < server_state.uid_low ) ||
- (state->request.data.uid > server_state.uid_high)) {
- return WINBINDD_ERROR;
- }
-
- DEBUG(3, ("[%5d]: uid to sid %d\n", state->pid,
- state->request.data.uid));
-
- /* Lookup rid for this uid */
-
- if (!winbindd_idmap_get_rid_from_uid(state->request.data.uid,
- &user_rid, &domain)) {
- DEBUG(1, ("Could not convert uid %d to rid\n",
- state->request.data.uid));
- return WINBINDD_ERROR;
- }
-
- /* Construct sid and return it */
-
- sid_copy(&sid, &domain->sid);
- sid_append_rid(&sid, user_rid);
- sid_to_string(state->response.data.sid.sid, &sid);
- state->response.data.sid.type = SID_NAME_USER;
-
- return WINBINDD_OK;
-}
-
-/* Convert a gid to a sid */
-
-enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain;
- uint32 group_rid;
- DOM_SID sid;
-
- /* Bug out if the gid isn't in the winbind range */
-
- if ((state->request.data.gid < server_state.gid_low) ||
- (state->request.data.gid > server_state.gid_high)) {
- return WINBINDD_ERROR;
- }
-
- DEBUG(3, ("[%5d]: gid to sid %d\n", state->pid,
- state->request.data.gid));
-
- /* Lookup rid for this uid */
-
- if (!winbindd_idmap_get_rid_from_gid(state->request.data.gid,
- &group_rid, &domain)) {
- DEBUG(1, ("Could not convert gid %d to rid\n",
- state->request.data.gid));
- return WINBINDD_ERROR;
- }
-
- /* Construct sid and return it */
-
- sid_copy(&sid, &domain->sid);
- sid_append_rid(&sid, group_rid);
- sid_to_string(state->response.data.sid.sid, &sid);
- state->response.data.sid.type = SID_NAME_DOM_GRP;
-
- return WINBINDD_OK;
-}
diff --git a/source/pam_smbpass/CHANGELOG b/source/pam_smbpass/CHANGELOG
deleted file mode 100644
index 96ef7840084..00000000000
--- a/source/pam_smbpass/CHANGELOG
+++ /dev/null
@@ -1,31 +0,0 @@
-version 0.7.5 25 Mar 2001
- - Use Samba 2.2.0 (alpha) as the target codebase, since it doesn't look
- like Samba will be offering shared libraries in the near future.
- - added a Makefile and support scripts to make the build process easier.
- - imported some Solaris fixes that I've been sitting on.
-
-version 0.7.4 20 Jan 2000
- - added a 'migrate' option to the authentication code which makes no
- effort to authenticate the user, or even to ask for a password, but
- it can be useful for filling in an SMB password db.
-
-version 0.7.3 19 Jan 2000
- - updated to use the SAMBA_TNG Samba branch, allowing us to dynamically
- link against Luke's new shared libs (libsamba, libsmb).
-
-version 0.7.2 20 Jul 1999
- - miscellaneous bugfixes. Cleanup of legacy pam_pwdb code.
- - fixed return value of pam_sm_setcred function.
- - fix to autoconf support
- - clarified some of the messages being logged
-
-version 0.6, 15 Jul 1999
- - updated to use the new Samba (2.0) password database API.
- - added autoconf support. May now theoretically compile on more
- platforms than PAM itself does.
- - added support for account management functions (i.e., disabled
- accounts)
-
-version 0.5, 4 Apr 1998
- - added support for hashed passwords as input. Now capable of serving
- as an authentication agent for encrypted network transactions.
diff --git a/source/pam_smbpass/README b/source/pam_smbpass/README
deleted file mode 100644
index 6f50ce4d2c0..00000000000
--- a/source/pam_smbpass/README
+++ /dev/null
@@ -1,66 +0,0 @@
-25 Mar 2001
-
-pam_smbpass is a PAM module which can be used on conforming systems to
-keep the smbpasswd (Samba password) database in sync with the unix
-password file. PAM (Pluggable Authentication Modules) is an API supported
-under some Unices, such as Solaris, HPUX and Linux, that provides a
-generic interface to authentication mechanisms.
-
-For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/
-
-This module authenticates a local smbpasswd user database. If you require
-support for authenticating against a remote SMB server, or if you're
-concerned about the presence of suid root binaries on your system, it is
-recommended that you use one of the other two following modules
-
- pam_smb - http://www.csn.ul.ie/~airlied/pam_smb/
- authenticates against any remote SMB server
-
- pam_ntdom - ftp://ftp.samba.org/pub/samba/pam_ntdom/
- authenticates against an NT or Samba domain controller
-
-Options recognized by this module are as follows:
-
- debug - log more debugging info
- audit - like debug, but also logs unknown usernames
- use_first_pass - don't prompt the user for passwords;
- take them from PAM_ items instead
- try_first_pass - try to get the password from a previous
- PAM module, fall back to prompting the user
- use_authtok - like try_first_pass, but *fail* if the new
- PAM_AUTHTOK has not been previously set.
- (intended for stacking password modules only)
- not_set_pass - don't make passwords used by this module
- available to other modules.
- nodelay - don't insert ~1 second delays on authentication
- failure.
- nullok - null passwords are allowed.
- nonull - null passwords are not allowed. Used to
- override the Samba configuration.
- migrate - only meaningful in an "auth" context;
- used to update smbpasswd file with a
- password used for successful authentication.
- smbconf=<file> - specify an alternate path to the smb.conf
- file.
-
-See the samples/ directory for example PAM configurations using this
-module.
-
-Thanks go to the following people:
-
-* Andrew Morgan <morgan@transmeta.com>, for providing the Linux-PAM
-framework, without which none of this would have happened
-
-* Christian Gafton <gafton@redhat.com> and Andrew Morgan again, for the
-pam_pwdb module upon which pam_smbpass was originally based
-
-* Luke Leighton <lkcl@switchboard.net> for being receptive to the idea,
-and for the occasional good-natured complaint about the project's status
-that keep me working on it :)
-
-* and of course, all the other members of the Samba team
-<samba-bugs@samba.org>, for creating a great product and for giving this
-project a purpose
-
----------------------
-Stephen Langasek <vorlon@netexpress.net>
diff --git a/source/pam_smbpass/TODO b/source/pam_smbpass/TODO
deleted file mode 100644
index 20cf4fb0987..00000000000
--- a/source/pam_smbpass/TODO
+++ /dev/null
@@ -1,7 +0,0 @@
-This is a tentative TODO file which will probably get much longer before
-it gets much shorter.
-
-- Recognizing (and overriding) debug options in the smb.conf file
-- Support for 'name=value' parameters in the PAM config
-- Compliant handling of unrecognized PAM parameters (i.e., fail on error)
--
diff --git a/source/pam_smbpass/general.h b/source/pam_smbpass/general.h
deleted file mode 100644
index 0291146cbba..00000000000
--- a/source/pam_smbpass/general.h
+++ /dev/null
@@ -1,123 +0,0 @@
-#ifndef LINUX
-/* This is only needed by modules in the Sun implementation. */
-#include <security/pam_appl.h>
-#endif /* LINUX */
-
-#include <security/pam_modules.h>
-
-#ifndef PAM_AUTHTOK_RECOVER_ERR
-#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-
-/*
- * here is the string to inform the user that the new passwords they
- * typed were not the same.
- */
-
-#define MISTYPED_PASS "Sorry, passwords do not match"
-
-/* type definition for the control options */
-
-typedef struct {
- const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
-} SMB_Ctrls;
-
-#ifndef False
-#define False (0)
-#endif
-
-#ifndef True
-#define True (1)
-#endif
-
-/* macro to determine if a given flag is on */
-#define on(x,ctrl) (smb_args[x].flag & ctrl)
-
-/* macro to determine that a given flag is NOT on */
-#define off(x,ctrl) (!on(x,ctrl))
-
-/* macro to turn on/off a ctrl flag manually */
-#define set(x,ctrl) (ctrl = ((ctrl)&smb_args[x].mask)|smb_args[x].flag)
-#define unset(x,ctrl) (ctrl &= ~(smb_args[x].flag))
-
-#ifndef __linux__
-#define strncasecmp(s1,s2,n) StrnCaseCmp(s1,s2,n)
-#endif
-
-/* the generic mask */
-#define _ALL_ON_ (~0U)
-
-/* end of macro definitions definitions for the control flags */
-
-/*
- * These are the options supported by the smb password module, very
- * similar to the pwdb options
- */
-
-#define SMB__OLD_PASSWD 0 /* internal */
-#define SMB__VERIFY_PASSWD 1 /* internal */
-
-#define SMB_AUDIT 2 /* print more things than debug..
- some information may be sensitive */
-#define SMB_USE_FIRST_PASS 3
-#define SMB_TRY_FIRST_PASS 4
-#define SMB_NOT_SET_PASS 5 /* don't set the AUTHTOK items */
-
-#define SMB__NONULL 6 /* internal */
-#define SMB__QUIET 7 /* internal */
-#define SMB_USE_AUTHTOK 8 /* insist on reading PAM_AUTHTOK */
-#define SMB__NULLOK 9 /* Null token ok */
-#define SMB_DEBUG 10 /* send more info to syslog(3) */
-#define SMB_NODELAY 11 /* admin does not want a fail-delay */
-#define SMB_MIGRATE 12 /* Does no authentication, just
- updates the smb database. */
-#define SMB_CONF_FILE 13 /* Alternate location of smb.conf */
-
-#define SMB_CTRLS_ 14 /* number of ctrl arguments defined */
-
-static const SMB_Ctrls smb_args[SMB_CTRLS_] = {
-/* symbol token name ctrl mask ctrl *
- * ------------------ ------------------ -------------- ---------- */
-
-/* SMB__OLD_PASSWD */ { NULL, _ALL_ON_, 01 },
-/* SMB__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 },
-/* SMB_AUDIT */ { "audit", _ALL_ON_, 04 },
-/* SMB_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(030), 010 },
-/* SMB_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(030), 020 },
-/* SMB_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 040 },
-/* SMB__NONULL */ { "nonull", _ALL_ON_, 0100 },
-/* SMB__QUIET */ { NULL, _ALL_ON_, 0200 },
-/* SMB_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 0400 },
-/* SMB__NULLOK */ { "nullok", _ALL_ON_^(0100), 0 },
-/* SMB_DEBUG */ { "debug", _ALL_ON_, 01000 },
-/* SMB_NODELAY */ { "nodelay", _ALL_ON_, 02000 },
-/* SMB_MIGRATE */ { "migrate", _ALL_ON_^(0100), 04000 },
-/* SMB_CONF_FILE */ { "smbconf=", _ALL_ON_, 0 },
-};
-
-#define SMB_DEFAULTS (smb_args[SMB__NONULL].flag)
-
-/*
- * the following is used to keep track of the number of times a user fails
- * to authenticate themself.
- */
-
-#define FAIL_PREFIX "-SMB-FAIL-"
-#define SMB_MAX_RETRIES 3
-
-struct _pam_failed_auth {
- char *user; /* user that's failed to be authenticated */
- int id; /* uid of requested user */
- char *agent; /* attempt from user with name */
- int count; /* number of failures so far */
-};
diff --git a/source/pam_smbpass/samples/README b/source/pam_smbpass/samples/README
deleted file mode 100644
index d77603306f1..00000000000
--- a/source/pam_smbpass/samples/README
+++ /dev/null
@@ -1,3 +0,0 @@
-This directory contains example configurations demonstrating various uses
-of pam_smbpass. These examples use Linux-style /etc/pam.d syntax, and
-must be modified for use on Solaris systems.
diff --git a/source/pam_smbpass/samples/kdc-pdc b/source/pam_smbpass/samples/kdc-pdc
deleted file mode 100644
index 70f1998f32a..00000000000
--- a/source/pam_smbpass/samples/kdc-pdc
+++ /dev/null
@@ -1,15 +0,0 @@
-#%PAM-1.0
-# kdc-pdc
-#
-# A sample PAM configuration that shows pam_smbpass used together with
-# pam_krb5. This could be useful on a Samba PDC that is also a member of
-# a Kerberos realm.
-
-auth requisite pam_nologin.so
-auth requisite pam_krb5.so
-auth optional pam_smbpass.so migrate
-account required pam_krb5.so
-password requisite pam_cracklib.so retry=3
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-password required pam_krb5.so use_authtok try_first_pass
-session required pam_krb5.so
diff --git a/source/pam_smbpass/samples/password-mature b/source/pam_smbpass/samples/password-mature
deleted file mode 100644
index 6d73e0906fc..00000000000
--- a/source/pam_smbpass/samples/password-mature
+++ /dev/null
@@ -1,14 +0,0 @@
-#%PAM-1.0
-# password-mature
-#
-# A sample PAM configuration for a 'mature' smbpasswd installation.
-# private/smbpasswd is fully populated, and we consider it an error if
-# the smbpasswd doesn't exist or doesn't match the Unix password.
-
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so use_authtok use_first_pass
-session required pam_unix.so
diff --git a/source/pam_smbpass/samples/password-migration b/source/pam_smbpass/samples/password-migration
deleted file mode 100644
index 305cb53858e..00000000000
--- a/source/pam_smbpass/samples/password-migration
+++ /dev/null
@@ -1,18 +0,0 @@
-#%PAM-1.0
-# password-migration
-#
-# A sample PAM configuration that shows the use of pam_smbpass to migrate
-# from plaintext to encrypted passwords for Samba. Unlike other methods,
-# this can be used for users who have never connected to Samba shares:
-# password migration takes place when users ftp in, login using ssh, pop
-# their mail, etc.
-
-auth requisite pam_nologin.so
-# pam_smbpass is called IFF pam_unix succeeds.
-auth requisite pam_unix.so
-auth optional pam_smbpass.so migrate
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
diff --git a/source/pam_smbpass/samples/password-sync b/source/pam_smbpass/samples/password-sync
deleted file mode 100644
index 0a950dd2e9a..00000000000
--- a/source/pam_smbpass/samples/password-sync
+++ /dev/null
@@ -1,15 +0,0 @@
-#%PAM-1.0
-# password-sync
-#
-# A sample PAM configuration that shows the use of pam_smbpass to make
-# sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
-# is changed. Useful when an expired password might be changed by an
-# application (such as ssh).
-
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
diff --git a/source/pam_smbpass/support.c b/source/pam_smbpass/support.c
deleted file mode 100644
index 01f4aa30c7d..00000000000
--- a/source/pam_smbpass/support.c
+++ /dev/null
@@ -1,651 +0,0 @@
-/* Unix NT password database implementation, version 0.6.
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-#include "general.h"
-
-#include "support.h"
-
-
-#define _pam_overwrite(x) \
-do { \
- register char *__xx__; \
- if ((__xx__=(x))) \
- while (*__xx__) \
- *__xx__++ = '\0'; \
-} while (0)
-
-/*
- * Don't just free it, forget it too.
- */
-
-#define _pam_drop(X) \
-do { \
- if (X) { \
- free(X); \
- X=NULL; \
- } \
-} while (0)
-
-#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
-do { \
- int reply_i; \
- \
- for (reply_i=0; reply_i<replies; ++reply_i) { \
- if (reply[reply_i].resp) { \
- _pam_overwrite(reply[reply_i].resp); \
- free(reply[reply_i].resp); \
- } \
- } \
- if (reply) \
- free(reply); \
-} while (0)
-
-
-int converse(pam_handle_t *, int, int, struct pam_message **,
- struct pam_response **);
-int make_remark(pam_handle_t *, unsigned int, int, const char *);
-void _cleanup(pam_handle_t *, void *, int);
-char *_pam_delete(register char *);
-
-/* syslogging function for errors and other information */
-
-void _log_err( int err, const char *format, ... )
-{
- va_list args;
-
- va_start( args, format );
- openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
- vsyslog( err, format, args );
- va_end( args );
- closelog();
-}
-
-/* this is a front-end for module-application conversations */
-
-int converse( pam_handle_t * pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response )
-{
- int retval;
- struct pam_conv *conv;
-
- retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
- if (retval == PAM_SUCCESS) {
-
- retval = conv->conv(nargs, (const struct pam_message **) message
- ,response, conv->appdata_ptr);
-
- if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
- ,pam_strerror(pamh, retval));
- }
- } else {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
- ,pam_strerror(pamh, retval));
- }
-
- return retval; /* propagate error status */
-}
-
-int make_remark( pam_handle_t * pamh, unsigned int ctrl
- , int type, const char *text )
-{
- if (off(SMB__QUIET, ctrl)) {
- struct pam_message *pmsg[1], msg[1];
- struct pam_response *resp;
-
- pmsg[0] = &msg[0];
- msg[0].msg = text;
- msg[0].msg_style = type;
- resp = NULL;
-
- return converse(pamh, ctrl, 1, pmsg, &resp);
- }
- return PAM_SUCCESS;
-}
-
-
-/* set the control flags for the SMB module. */
-
-int set_ctrl( int flags, int argc, const char **argv )
-{
- int i = 0;
- static pstring servicesf = CONFIGFILE;
- const char *service_file = servicesf;
- unsigned int ctrl;
-
- ctrl = SMB_DEFAULTS; /* the default selection of options */
-
- /* set some flags manually */
-
- /* A good, sane default (matches Samba's behavior). */
- set( SMB__NONULL, ctrl );
-
- if (flags & PAM_SILENT) {
- set( SMB__QUIET, ctrl );
- }
-
- /* Run through the arguments once, looking for an alternate smb config
- file location */
- while (i < argc) {
- int j;
-
- for (j = 0; j < SMB_CTRLS_; ++j) {
- if (smb_args[j].token
- && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
- {
- break;
- }
- }
-
- if (j == SMB_CONF_FILE) {
- service_file = argv[i] + 8;
- }
- i++;
- }
-
- /* Read some options from the Samba config. Can be overridden by
- the PAM config. */
- if(lp_load(service_file,True,False,False) == False) {
- _log_err( LOG_ERR, "Error loading service file %s", service_file );
- }
-
- if (lp_null_passwords()) {
- set( SMB__NULLOK, ctrl );
- }
-
- /* now parse the rest of the arguments to this module */
-
- while (argc-- > 0) {
- int j;
-
- for (j = 0; j < SMB_CTRLS_; ++j) {
- if (smb_args[j].token
- && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
- {
- break;
- }
- }
-
- if (j >= SMB_CTRLS_) {
- _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
- } else {
- ctrl &= smb_args[j].mask; /* for turning things off */
- ctrl |= smb_args[j].flag; /* for turning things on */
- }
-
- ++argv; /* step to next argument */
- }
-
- /* auditing is a more sensitive version of debug */
-
- if (on( SMB_AUDIT, ctrl )) {
- set( SMB_DEBUG, ctrl );
- }
- /* return the set of flags */
-
- return ctrl;
-}
-
-/* use this to free strings. ESPECIALLY password strings */
-
-char * _pam_delete( register char *xx )
-{
- _pam_overwrite( xx );
- _pam_drop( xx );
- return NULL;
-}
-
-void _cleanup( pam_handle_t * pamh, void *x, int error_status )
-{
- x = _pam_delete( (char *) x );
-}
-
-/*
- * Safe duplication of character strings. "Paranoid"; don't leave
- * evidence of old token around for later stack analysis.
- */
-
-char * xstrdup( const char *x )
-{
- register char *new = NULL;
-
- if (x != NULL) {
- register int i;
-
- for (i = 0; x[i]; ++i); /* length of string */
- if ((new = malloc(++i)) == NULL) {
- i = 0;
- _log_err( LOG_CRIT, "out of memory in xstrdup" );
- } else {
- while (i-- > 0) {
- new[i] = x[i];
- }
- }
- x = NULL;
- }
- return new; /* return the duplicate or NULL on error */
-}
-
-/* ************************************************************** *
- * Useful non-trivial functions *
- * ************************************************************** */
-
-void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
-{
- int quiet;
- const char *service = NULL;
- struct _pam_failed_auth *failure;
-
-#ifdef PAM_DATA_SILENT
- quiet = err & PAM_DATA_SILENT; /* should we log something? */
-#else
- quiet = 0;
-#endif
-#ifdef PAM_DATA_REPLACE
- err &= PAM_DATA_REPLACE; /* are we just replacing data? */
-#endif
- failure = (struct _pam_failed_auth *) fl;
-
- if (failure != NULL) {
-
-#ifdef PAM_DATA_SILENT
- if (!quiet && !err) { /* under advisement from Sun,may go away */
-#else
- if (!quiet) { /* under advisement from Sun,may go away */
-#endif
-
- /* log the number of authentication failures */
- if (failure->count != 0) {
- pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
- _log_err( LOG_NOTICE
- , "%d authentication %s "
- "from %s for service %s as %s(%d)"
- , failure->count
- , failure->count == 1 ? "failure" : "failures"
- , failure->agent
- , service == NULL ? "**unknown**" : service
- , failure->user, failure->id );
- if (failure->count > SMB_MAX_RETRIES) {
- _log_err( LOG_ALERT
- , "service(%s) ignoring max retries; %d > %d"
- , service == NULL ? "**unknown**" : service
- , failure->count
- , SMB_MAX_RETRIES );
- }
- }
- }
- _pam_delete( failure->agent ); /* tidy up */
- _pam_delete( failure->user ); /* tidy up */
- free( failure );
- }
-}
-
-int _smb_verify_password( pam_handle_t * pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl )
-{
- uchar hash_pass[16];
- uchar lm_pw[16];
- uchar nt_pw[16];
- int retval;
- char *data_name;
- const char *name;
-
- if (!smb_pwent)
- return PAM_ABORT;
-
- name = smb_pwent->smb_name;
-
-#ifdef HAVE_PAM_FAIL_DELAY
- if (off( SMB_NODELAY, ctrl )) {
- (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
- }
-#endif
-
- if (!smb_pwent->smb_passwd)
- {
- _log_err( LOG_DEBUG, "user %s has null SMB password"
- , name );
-
- if (off( SMB__NONULL, ctrl )
- && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
- { /* this means we've succeeded */
- return PAM_SUCCESS;
- } else {
- const char *service;
-
- pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- return PAM_AUTH_ERR;
- }
- }
-
- data_name = (char *) malloc( sizeof(FAIL_PREFIX)
- + strlen( name ));
- if (data_name == NULL) {
- _log_err( LOG_CRIT, "no memory for data-name" );
- }
- strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
- strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
-
- /* First we check whether we've been given the password in already
- encrypted form. */
- if (strlen( p ) == 16 || (strlen( p ) == 32
- && pdb_gethexpwd( p, (char *) hash_pass ))) {
-
- if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 )
- || (smb_pwent->smb_nt_passwd
- && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 )))
- {
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data( pamh, data_name, NULL, _cleanup_failures );
- }
- _pam_delete( data_name );
- memset( hash_pass, '\0', 16 );
- smb_pwent = NULL;
- return retval;
- }
- }
-
- /*
- * The password we were given wasn't an encrypted password, or it
- * didn't match the one we have. We encrypt the password now and try
- * again.
- */
-
- nt_lm_owf_gen(p, nt_pw, lm_pw);
-
- /* the moment of truth -- do we agree with the password? */
-
- if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) {
-
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data(pamh, data_name, NULL, _cleanup_failures);
- }
- } else {
-
- const char *service;
-
- pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
-
- if (data_name != NULL) {
- struct _pam_failed_auth *new = NULL;
- const struct _pam_failed_auth *old = NULL;
-
- /* get a failure recorder */
-
- new = (struct _pam_failed_auth *)
- malloc( sizeof(struct _pam_failed_auth) );
-
- if (new != NULL) {
-
- /* any previous failures for this user ? */
- pam_get_data(pamh, data_name, (const void **) &old);
-
- if (old != NULL) {
- new->count = old->count + 1;
- if (new->count >= SMB_MAX_RETRIES) {
- retval = PAM_MAXTRIES;
- }
- } else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- new->count = 1;
- }
- new->user = xstrdup( name );
- new->id = smb_pwent->smb_userid;
- new->agent = xstrdup( uidtoname( getuid() ) );
- pam_set_data( pamh, data_name, new, _cleanup_failures );
-
- } else {
- _log_err( LOG_CRIT, "no memory for failure recorder" );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- }
- } else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- retval = PAM_AUTH_ERR;
- }
- }
-
- _pam_delete( data_name );
- smb_pwent = NULL;
- return retval;
-}
-
-
-/*
- * _smb_blankpasswd() is a quick check for a blank password
- *
- * returns TRUE if user does not have a password
- * - to avoid prompting for one in such cases (CG)
- */
-
-int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
-{
- int retval;
-
- /*
- * This function does not have to be too smart if something goes
- * wrong, return FALSE and let this case to be treated somewhere
- * else (CG)
- */
-
- if (on( SMB__NONULL, ctrl ))
- return 0; /* will fail but don't let on yet */
-
- if (smb_pwent->smb_passwd == NULL)
- retval = 1;
- else
- retval = 0;
-
- return retval;
-}
-
-/*
- * obtain a password from the user
- */
-
-int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl
- , const char *comment, const char *prompt1
- , const char *prompt2, const char *data_name
- , const char **pass )
-{
- int authtok_flag;
- int retval;
- const char *item = NULL;
- char *token;
-
- struct pam_message msg[3], *pmsg[3];
- struct pam_response *resp;
- int i, expect;
-
-
- /* make sure nothing inappropriate gets returned */
-
- *pass = token = NULL;
-
- /* which authentication token are we getting? */
-
- authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
-
- /* should we obtain the password from a PAM item ? */
-
- if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
- retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
- if (retval != PAM_SUCCESS) {
- /* very strange. */
- _log_err( LOG_ALERT
- , "pam_get_item returned error to smb_read_password" );
- return retval;
- } else if (item != NULL) { /* we have a password! */
- *pass = item;
- item = NULL;
- return PAM_SUCCESS;
- } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
- return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
- } else if (on( SMB_USE_AUTHTOK, ctrl )
- && off( SMB__OLD_PASSWD, ctrl ))
- {
- return PAM_AUTHTOK_RECOVER_ERR;
- }
- }
-
- /*
- * getting here implies we will have to get the password from the
- * user directly.
- */
-
- /* prepare to converse */
- if (comment != NULL && off(SMB__QUIET, ctrl)) {
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = comment;
- i = 1;
- } else {
- i = 0;
- }
-
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt1;
-
- if (prompt2 != NULL) {
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt2;
- expect = 2;
- } else
- expect = 1;
-
- resp = NULL;
-
- retval = converse( pamh, ctrl, i, pmsg, &resp );
-
- if (resp != NULL) {
- int j = comment ? 1 : 0;
- /* interpret the response */
-
- if (retval == PAM_SUCCESS) { /* a good conversation */
-
- token = xstrdup(resp[j++].resp);
- if (token != NULL) {
- if (expect == 2) {
- /* verify that password entered correctly */
- if (!resp[j].resp || strcmp( token, resp[j].resp )) {
- _pam_delete( token );
- retval = PAM_AUTHTOK_RECOVER_ERR;
- make_remark( pamh, ctrl, PAM_ERROR_MSG
- , MISTYPED_PASS );
- }
- }
- } else {
- _log_err(LOG_NOTICE, "could not recover authentication token");
- }
- }
-
- /* tidy up */
- _pam_drop_reply( resp, expect );
-
- } else {
- retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
- }
-
- if (retval != PAM_SUCCESS) {
- if (on( SMB_DEBUG, ctrl ))
- _log_err( LOG_DEBUG, "unable to obtain a password" );
- return retval;
- }
- /* 'token' is the entered password */
-
- if (off( SMB_NOT_SET_PASS, ctrl )) {
-
- /* we store this password as an item */
-
- retval = pam_set_item( pamh, authtok_flag, (const void *)token );
- _pam_delete( token ); /* clean it up */
- if (retval != PAM_SUCCESS
- || (retval = pam_get_item( pamh, authtok_flag
- ,(const void **)&item )) != PAM_SUCCESS)
- {
- _log_err( LOG_CRIT, "error manipulating password" );
- return retval;
- }
- } else {
- /*
- * then store it as data specific to this module. pam_end()
- * will arrange to clean it up.
- */
-
- retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
- if (retval != PAM_SUCCESS
- || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
- != PAM_SUCCESS)
- {
- _log_err( LOG_CRIT, "error manipulating password data [%s]"
- , pam_strerror( pamh, retval ));
- _pam_delete( token );
- item = NULL;
- return retval;
- }
- token = NULL; /* break link to password */
- }
-
- *pass = item;
- item = NULL; /* break link to password */
-
- return PAM_SUCCESS;
-}
-
-int _pam_smb_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
- ,const char *pass_old
- ,const char *pass_new)
-{
-
- /* Further checks should be handled through module stacking. -SRL */
- if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
- {
- if (on(SMB_DEBUG, ctrl)) {
- _log_err( LOG_DEBUG,
- "passwd: bad authentication token (null or unchanged)" );
- }
- make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
- "No password supplied" : "Password unchanged" );
- return PAM_AUTHTOK_ERR;
- }
-
- return PAM_SUCCESS;
-}
diff --git a/source/pam_smbpass/support.h b/source/pam_smbpass/support.h
deleted file mode 100644
index 85bbd0a523c..00000000000
--- a/source/pam_smbpass/support.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* syslogging function for errors and other information */
-extern void _log_err(int, const char *, ...);
-
-/* set the control flags for the UNIX module. */
-extern int set_ctrl(int, int, const char **);
-
-/* generic function for freeing pam data segments */
-extern void _cleanup(pam_handle_t *, void *, int);
-
-/*
- * Safe duplication of character strings. "Paranoid"; don't leave
- * evidence of old token around for later stack analysis.
- */
-
-extern char *xstrdup(const char *);
-
-/* ************************************************************** *
- * Useful non-trivial functions *
- * ************************************************************** */
-
-extern void _cleanup_failures(pam_handle_t *, void *, int);
-
-/* compare 2 strings */
-extern BOOL strequal(const char *, const char *);
-
-extern struct smb_passwd *
-_my_get_smbpwnam(FILE *, const char *, BOOL *, BOOL *, long *);
-
-extern int _smb_verify_password( pam_handle_t *pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl );
-
-/*
- * this function obtains the name of the current user and ensures
- * that the PAM_USER item is set to this value
- */
-
-extern int _smb_get_user(pam_handle_t *, unsigned int,
- const char *, const char **);
-
-/* _smb_blankpasswd() is a quick check for a blank password */
-
-extern int _smb_blankpasswd(unsigned int, const struct smb_passwd *);
-
-
-/* obtain a password from the user */
-extern int _smb_read_password( pam_handle_t *, unsigned int, const char*,
- const char *, const char *, const char *,
- const char **);
-
-extern int _pam_smb_approve_pass(pam_handle_t *, unsigned int, const char *,
- const char *);
View Lorry Controller Status