Authentication issues: PAM, null password and LM disabling

Thu Apr 12 11:35:35 GMT 2001

Attached is a small patch to deal with these issues.  I have already
posted (to samba-patches) a much larger patch, with deals with the
fundamental reasons behind many of these problems, and adds PAM session
support.

PAM:  Samba purports to have PAM support, but unfortunately its coverage
is not universal.
The latest patches improve the situation markedly, but do not provide
PAM account checking for encrypted passwords.  This patch adds that
support. Without this samba will allow disabled users to login.
As to the patch, chucks 2 & 3 are optional, I did them for correctness
of error messages, they don't affect the result.  Chunk 1 corrects the
spelling of my name ;-)

Null passwords:  Not all the parts of samba actually check for null
passwords before just letting them though.  This fixes the nt domain
stuff to check lp_null_passwords()

LM disabling:  Again, nt domain support does not check the lm disabling
code.  This fixes that.

Unfortunately I can't test the NT domain stuff, but the rest is tested
with smbclient.

Finally, I have a question:  Should 'invalid users' apply to domain
logons?  Currently they don't.

(a make proto may be required after applying the patch).

I'm about to drop off the face of the net for a few days, but I hope
these can be applied before release.  Note that the PAM patch changes
existing behavior, i.e. doing the job properly.  This needs to be
emphasized in the release notes.

abartlet at pcug.org.au
Andrew Bartlett
-- 
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
Index: source/passdb/pampass.c
===================================================================
RCS file: /cvsroot/samba/source/passdb/pampass.c,v
retrieving revision 1.1.2.5
diff -u -r1.1.2.5 pampass.c

--- source/passdb/pampass.c	2001/04/12 03:37:42	1.1.2.5
+++ source/passdb/pampass.c	2001/04/12 11:14:44
@@ -4,7 +4,7 @@
    PAM Password checking
    Copyright (C) Andrew Tridgell 1992-2001
    Copyright (C) John H Terpsta 1999-2001
-   Copyright (C) Andrew Barton 2001
+   Copyright (C) Andrew Bartlett 2001
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -224,8 +224,11 @@
 		case PAM_ABORT:
 			DEBUG(0, ("PAM: One or more PAM modules failed to load\n"));
 			break;
-		default:
+	        case PAM_SUCCESS:
 			DEBUG(4, ("PAM: User %s Authenticated OK\n", user));
+		        break;
+		default:
+			DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user));
 	}
 	if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) {
 		proc_pam_end(pamh);
@@ -260,8 +263,11 @@
 		case PAM_USER_UNKNOWN:
 			DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user));
 			break;
-		default:
+	        case PAM_SUCCESS:
 			DEBUG(4, ("PAM: Account OK for User: %s\n", user));
+		        break;
+		default:
+			DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user));
 	}
 	if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) {
 		proc_pam_end(pamh);
@@ -355,6 +361,27 @@
 	  proc_pam_end(pamh);
 	  return False;
 	}
+}
+
+/*
+ * PAM Externally accessible Account handler
+ */
+BOOL pam_accountcheck(char * user)
+{
+	pam_handle_t *pamh = NULL;
+
+	PAM_username = user;
+	PAM_password = NULL;
+
+	if( proc_pam_start(&pamh, user))
+	{
+			if ( pam_account(pamh, user, NULL))
+			{
+				return( proc_pam_end(pamh));
+			}
+	}
+	DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n"));
+	return( False );
 }
 
 /*
Index: source/rpc_server/srv_netlog_nt.c
===================================================================
RCS file: /cvsroot/samba/source/rpc_server/srv_netlog_nt.c,v
retrieving revision 1.1.2.9
diff -u -r1.1.2.9 srv_netlog_nt.c
--- source/rpc_server/srv_netlog_nt.c	2001/04/10 06:10:19	1.1.2.9
+++ source/rpc_server/srv_netlog_nt.c	2001/04/12 11:14:44
@@ -434,7 +434,8 @@
 	   not do, for various security-hole reasons).
 	 */
 
-	if (id2->hdr_lm_chal_resp.str_str_len == 24 &&
+	if (lp_lanman_auth() &&
+	    id2->hdr_lm_chal_resp.str_str_len == 24 &&
 		smb_password_check((char *)id2->lm_chal_resp.buffer,
 		                   smb_pass->smb_passwd,
 		                   id2->lm_chal))
@@ -541,6 +542,19 @@
     
 	/* Validate password - if required. */
     
+	if (smb_pass->acct_ctrl & ACB_PWNOTREQ) {
+	  if (!lp_null_passwords()) {
+	    DEBUG(3,("Account for user %s has a null password and null passwords are NOT allowed",nt_username));
+	    return NT_STATUS_ACCOUNT_DISABLED;
+	  }
+	} 
+
+#ifdef WITH_PAM
+	if (!pam_accountcheck(nt_username)) {
+	  return NT_STATUS_ACCOUNT_DISABLED;
+	}
+#endif
+
 	if (!(smb_pass->acct_ctrl & ACB_PWNOTREQ)) {
 		switch (q_u->sam_id.logon_level) {
 		case INTERACTIVE_LOGON_TYPE:
Index: source/smbd/password.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/password.c,v
retrieving revision 1.186.2.15
diff -u -r1.186.2.15 password.c
--- source/smbd/password.c	2001/03/27 00:25:06	1.186.2.15
+++ source/smbd/password.c	2001/04/12 11:14:50
@@ -574,6 +574,9 @@
 ****************************************************************************/
 BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd)
 {
+
+  BOOL ret;
+
 	if ((pwlen == 0) && !lp_null_passwords()) {
 		DEBUG(4,("Null passwords not allowed.\n"));
 		return False;
@@ -590,8 +593,14 @@
 			return False;
 		}
 
-		return pass_check_smb(user, global_myworkgroup,
+		ret = pass_check_smb(user, global_myworkgroup,
 		                      challenge, (uchar *)password, (uchar *)password, pwd);
+#ifdef WITH_PAM
+		if (ret) {
+		  return pam_accountcheck(user);
+		}
+#endif
+		return ret;
 	} 
 
 	return pass_check(user, password, pwlen, pwd, 
