Esempio n. 1
/*
 * Check a username/password pair against the servers recorded in
 * ServerArray[x] and write a syslog line for every non-zero outcome.
 *
 * The value returned by Valid_User() is passed back unchanged. Going by the
 * messages below: 1 = server error, 2 = protocol error, 3 = authentication
 * failed. 0 is the only value that logs nothing; any other value is returned
 * without a log line.
 *
 * Only the username is logged, never the password, and it is passed as a
 * "%s" argument rather than used as the format string.
 *
 * NOTE(review): x indexes ServerArray with no range check in this function;
 * the caller has to guarantee it is a valid index.
 */
static int
QueryServerForUser(int x, char *username, char *password)
{
    const int status = Valid_User(username, password, ServerArray[x].pdc,
	ServerArray[x].bdc, ServerArray[x].domain);

    /* Write any helpful syslog messages */
    if (status == 1) {
	syslog(LOG_AUTHPRIV | LOG_INFO, "Server error when checking %s.",
	    username);
    } else if (status == 2) {
	syslog(LOG_AUTHPRIV | LOG_INFO, "Protocol error when checking %s.",
	    username);
    } else if (status == 3) {
	syslog(LOG_AUTHPRIV | LOG_INFO, "Authentication failed for %s.",
	    username);
    }

    return status;
}
/*
 * Command-line credential check.
 *
 * Arguments: user, password, primary server, backup server, default domain.
 * Exit status is 0 when Valid_User() reports NTV_NO_ERROR and 1 otherwise,
 * including when fewer than five arguments are supplied.
 *
 * NOTE(review): the password arrives in argv[2]. Command-line arguments are
 * normally readable by other local users through the process list, so a
 * caller that cares about that should hand the secret over another way.
 */
int main(int argc, char ** argv)
{
  char *user, *pass, *server, *backup, *domain, *slash;

  if (argc < 6)
    return 1;

  user   = argv[1];
  pass   = argv[2];
  server = argv[3];
  backup = argv[4];

  /* "DOMAIN/user" overrides argument 5: split in place at the first '/',
     the part before it becomes the domain and the part after it the user. */
  slash = strchr(user, '/');
  if (slash == NULL)
  {
    domain = argv[5];
  }
  else
  {
    *slash = '\0';
    domain = user;
    user   = slash + 1;
  }

  return (Valid_User(user, pass, server, backup, domain) == NTV_NO_ERROR) ? 0 : 1;
}
Esempio n. 3
/*
 * Command-line credential check.
 *
 * Arguments, in order: user, password, primary server, backup server, domain.
 * Exit status is 0 when Valid_User() reports NTV_NO_ERROR and 1 otherwise,
 * including when fewer than five arguments are supplied.
 *
 * NOTE(review): the password is taken from argv[2]. Command-line arguments
 * are normally readable by other local users through the process list.
 */
int main(int argc, char ** argv)
{
  if (argc < 6)
    return 1;

  /* argv[1..5] = user, password, primary server, backup server, domain */
  return (Valid_User(argv[1], argv[2], argv[3], argv[4], argv[5]) == NTV_NO_ERROR)
             ? 0
             : 1;
}
Esempio n. 4
/*
 * PAM authentication routine: optionally checks the password against the
 * local UNIX password entry, then against the SMB/NT servers named in
 * /etc/pam_smb.conf via Valid_User().
 *
 * pamh  - PAM handle, passed to pam_get_user().
 * flags - PAM flags; only tested against PAM_DISALLOW_NULL_AUTHTOK here.
 * argc/argv - module options from the PAM configuration line
 *             ("debug", "use_first_pass", "nolocal").
 *
 * Returns visible in this listing: PAM_SUCCESS, PAM_USER_UNKNOWN,
 * PAM_AUTHINFO_UNAVAIL, PAM_AUTH_ERR.
 *
 * NOTE(review): this listing is incomplete. At the pam_get_user() call the
 * page replaced a stretch of code with "******", so the code that obtains
 * the password (p), fills ntname, looks up pw/sp and opens the local-check
 * branch is not visible. Comments below describe only what can be seen.
 */
static int _pam_auth_smb(	pam_handle_t *pamh,
				int flags, 
				int argc,
				const char **argv	) 
{
        int retval;
	struct passwd *pw;
	const char *name;
	char *p, *pp;
	int w,loop;
	const char *salt;
	/* Fixed-size buffers for the configuration values and the NT user name. */
	char server[80],server2[80],domain[80];
	char ntname[32];
	int debug=0, use_first_pass=0;
	int nolocal=0;

#ifdef HAVE_SHADOW_H

	struct spwd *sp;

#endif

	/* Parse the module options given in the pam.d entry. Unknown options
	   are logged at LOG_ERR and otherwise ignored. */
  
	for (loop=0; loop<argc; loop++)
	  {
	    if (!strcmp(argv[loop], "debug"))
	      debug=1;
	    else 
	      if (!strcmp(argv[loop], "use_first_pass"))
		use_first_pass=1;
	      else
		if (!strcmp(argv[loop], "nolocal"))
		  nolocal=1;
		else
		  syslog(LOG_AUTHPRIV | LOG_ERR, "pam_smb: Unknown Command Line Option in pam.d : %s", argv[loop]);
	  }
	   
	/* Get the user name from PAM. */
	/* NOTE(review): the next line is where the page elided code ("******").
	   How use_first_pass and nolocal are used, and how name is copied into
	   the 32-byte ntname buffer, cannot be checked from this listing;
	   confirm that copy is length-bounded in the real source. */
	
	if ( (retval = pam_get_user( pamh, &name, "login: "******"x")))
		  {
		    /* TODO: check if password has expired etc. */
		    /* Compare against the shadow entry's hash. */
		    salt = sp->sp_pwdp;
		  } 
		else
#endif
		  /* Otherwise compare against the passwd entry's hash. */
		  salt = pw->pw_passwd;
	      } 
	    else  
	      return PAM_USER_UNKNOWN;
	    
	    /* The 'always-encrypt' method does not make sense in PAM
	       because the framework requires return of a different
	       error code for non-existent users -- alex */
	    
	    /* NOTE(review): three things to confirm on this test.
	       1. "flags && PAM_DISALLOW_NULL_AUTHTOK" is a logical AND, so it is
	          true for any non-zero flags value (given a non-zero constant);
	          a bit test would be "flags & PAM_DISALLOW_NULL_AUTHTOK".
	       2. The branch returns PAM_SUCCESS for an empty local password and
	          an empty supplied password when the "disallow null" flag is
	          set, which reads as the opposite of the flag's name.
	       3. pw->pw_passwd has already been read above (salt assignment), so
	          the NULL test here comes after first use. */
	    if ( ( !pw->pw_passwd ) && ( !p ) )
	      if ( flags && PAM_DISALLOW_NULL_AUTHTOK )
		return PAM_SUCCESS;
	    
	    /* Hash the supplied password with the stored hash as salt. */
	    /* NOTE(review): the test above allows p to be NULL, and crypt() can
	       return NULL on failure; neither case is checked before the
	       crypt()/strcmp() calls below. */
	    pp = crypt(p, salt);
	    
	    /* Equal hashes mean the local password matched; the SMB servers
	       are not consulted in that case. */
	    if ( strcmp( pp, salt ) == 0 )
	      {
		if (debug) 
		  syslog(LOG_AUTHPRIV | LOG_DEBUG, "pam_smb: Local UNIX username/password pair correct.");
		return  PAM_SUCCESS;
	      }
	    
	    /* A local mismatch is not fatal: execution continues to the SMB check. */
	    if (debug) {
	      syslog (LOG_AUTHPRIV | LOG_DEBUG, "pam_smb: Local UNIX username/password check incorrect.");
	    }
	  } /* End of Local Section */
	else { /* If Local System Authentication is switched off */
	  if (debug) syslog(LOG_AUTHPRIV | LOG_DEBUG,"No Local authentication done, relying on other modules for password file entry.");
	}

	/* Load primary server, backup server and domain from the configuration. */
	/* NOTE(review): the 80-byte buffers are passed without a length, so
	   staying in bounds depends on smb_readpamconf(), which is not shown. */
	w=smb_readpamconf(server,server2,domain);
	if (w!=0) 
	  {
	    /* Any non-zero result is reported as a missing file. */
	    syslog(LOG_AUTHPRIV | LOG_ALERT, "pam_smb: Missing Configuration file : /etc/pam_smb.conf");
	    return PAM_AUTHINFO_UNAVAIL;
	  }
	
	if (debug) {
	  syslog(LOG_AUTHPRIV | LOG_DEBUG, "pam_smb: Configuration Data, Primary %s, Backup %s, Domain %s.", server, server2, domain);
	}

	/* Remote check of the NT user name and password. */
	w=Valid_User(ntname, p, server, server2,  domain);
		  
	/* Valid_User return values: 0 is success,
	   1 and 2 indicate network and protocol failures, and
	   3 is not logged on.
	   Any other value falls into the default arm and is treated as an
	   authentication failure. */

	switch (w)
	  {
	  case 0 : 
	    if (debug) syslog(LOG_AUTHPRIV | LOG_DEBUG, "pam_smb: Correct NT username/password pair");
	    return PAM_SUCCESS; break;
	  case 1 :
	  case 2 :
	    /* Server unreachable or protocol problem: no log line is written here. */
	    return PAM_AUTHINFO_UNAVAIL; break;
	  case 3 :
	  default:
	    /* Only the user name is logged, never the password. */
	    syslog(LOG_AUTHPRIV | LOG_NOTICE, "pam_smb: Incorrect NT password for username : %s", ntname);
	    return PAM_AUTH_ERR; break;
	  }

	/* Not reached: every arm of the switch above returns. */
  	return PAM_AUTH_ERR;

}
Esempio n. 5
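/*
 * Read one request line from standard input into buf (capacity size).
 *
 * Returns  1 when the whole line fitted into buf,
 *          0 when the line was longer than buf; the rest of that line is
 *            read and discarded so it cannot be parsed as a new request,
 *         -1 on end of input or read error.
 */
static int read_request_line(char *buf, int size)
{
  int i;
  int c;
  int discarded = 0;

  if (fgets(buf, size, stdin) == NULL)
    return -1;

  for (i = 0; buf[i] != '\0'; i++)
  {
    if (buf[i] == '\n')
      return 1;
  }

  /* No newline stored: consume up to the end of the physical line. */
  while ((c = getchar()) != EOF && c != '\n')
    discarded = 1;

  return discarded ? 0 : 1;
}

/*
 * Authentication helper loop: reads "username password" lines from standard
 * input and answers each with "OK" or "ERR" on standard output.
 *
 * A request is answered "ERR" when the line is overlong, when either field
 * is missing, when Check_user() reports the user as denied, or when
 * Valid_User() does not return 0. Exactly one answer is written per input
 * line so the caller's requests and replies stay paired.
 *
 * Returns 0 at end of input, or 1 at end of input when the denied-user file
 * could not be read.
 */
int main()
{
  char username[256];
  char password[256];
  char wstr[256];
  struct itimerval TimeOut;
  int status;

  /* Read denied user file. If it fails there is a serious problem.
     Check syslog messages. Deny all users while in this state.
     The loop ends at end of input instead of spinning on a closed stdin. */

  if (Read_denyusers() == 1)
  {
     while (read_request_line(wstr, (int) sizeof wstr) >= 0)
     {
       puts("ERR");
       fflush(stdout);
     }
     return 1;
  }

  /* An alarm timer is used to check the denied user file for changes
     every minute. Reload the file if it has changed. The handlers are
     installed before the timer is armed so the first SIGALRM cannot arrive
     while the default action is still in place.
     NOTE(review): Checkforchange runs in signal context; whether it limits
     itself to async-signal-safe work is not visible here. */

  signal(SIGALRM, Checkforchange);
  signal(SIGHUP, Checkforchange);

  TimeOut.it_interval.tv_sec = 60;
  TimeOut.it_interval.tv_usec = 0;
  TimeOut.it_value.tv_sec = 60;
  TimeOut.it_value.tv_usec = 0;
  setitimer(ITIMER_REAL, &TimeOut, 0);

  /* Read whole lines from standard input. Terminate at end of input. */
  while ((status = read_request_line(wstr, (int) sizeof wstr)) >= 0)
  {
    /* An overlong line is refused outright; parsing only its first part
       would authenticate something other than what was sent. */
    if (status == 0)
    {
       puts("ERR");
       fflush(stdout);
       continue;
    }

    /* Clear any current settings */
    username[0] = '\0';
    password[0] = '\0';

    /* Extract parameters; the field widths keep each write inside its
       256-byte buffer regardless of the line buffer's size. */
    sscanf(wstr, "%255s %255s", username, password);

    /* Check for invalid or blank entries */
    if ((username[0] == '\0') || (password[0] == '\0'))
    {
       puts("ERR");
       fflush(stdout);
       continue;
    }

    if (Check_user(username) == 1)            /* Check if user is denied */
       puts("ERR");
    else if (Valid_User(username, password, PRIMARY_DC, BACKUP_DC, NTDOMAIN) == 0)
       puts("OK");
    else
       puts("ERR");

    fflush(stdout);
  }

  return 0;
}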