2001-05-07 09:03:40 +04:00
/* pam_winbind header file
( Solaris needs some macros from Linux for common PAM code )
Shirish Kalele 2000
*/
2006-09-22 02:24:53 +04:00
# include "lib/replace/replace.h"
# include "system/syslog.h"
# include "system/time.h"
2001-05-07 09:03:40 +04:00
# define MODULE_NAME "pam_winbind"
# define PAM_SM_AUTH
# define PAM_SM_ACCOUNT
# define PAM_SM_PASSWORD
2006-04-11 19:18:46 +04:00
# ifndef PAM_WINBIND_CONFIG_FILE
# define PAM_WINBIND_CONFIG_FILE " / etc / security / pam_winbind.conf"
# endif
2006-04-11 18:40:53 +04:00
# include <iniparser.h>
2006-10-06 00:05:09 +04:00
# ifndef LINUX
2001-05-07 09:03:40 +04:00
/* Solaris always uses dynamic pam modules */
# define PAM_EXTERN extern
2007-05-24 00:31:28 +04:00
# if defined(HAVE_SECURITY_PAM_APPL_H)
2001-05-07 09:03:40 +04:00
# include <security/pam_appl.h>
2007-05-24 00:31:28 +04:00
# elif defined(HAVE_PAM_PAM_APPL_H)
# include <pam/pam_appl.h>
# endif
2001-05-07 09:03:40 +04:00
2003-09-04 07:28:40 +04:00
# ifndef PAM_AUTHTOK_RECOVER_ERR
2001-05-07 09:03:40 +04:00
# define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
# endif
2006-09-13 20:39:52 +04:00
# endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
2003-09-04 07:28:40 +04:00
2007-05-24 00:31:28 +04:00
# if defined(HAVE_SECURITY_PAM_MODULES_H)
2001-05-07 09:03:40 +04:00
# include <security/pam_modules.h>
2007-05-24 00:31:28 +04:00
# elif defined(HAVE_PAM_PAM_MODULES_H)
# include <pam/pam_modules.h>
2001-05-23 01:47:11 +04:00
# endif
2001-05-07 09:03:40 +04:00
2007-05-24 00:31:28 +04:00
# if defined(HAVE_SECURITY__PAM_MACROS_H)
2001-05-07 09:03:40 +04:00
# include <security/_pam_macros.h>
2007-05-24 00:31:28 +04:00
# elif defined(HAVE_PAM__PAM_MACROS_H)
# include <pam/_pam_macros.h>
2001-05-07 09:03:40 +04:00
# else
/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
# define _pam_drop_reply( /* struct pam_response * */ reply, /* int */ replies) \
do { \
int reply_i ; \
\
for ( reply_i = 0 ; reply_i < replies ; + + reply_i ) { \
if ( reply [ reply_i ] . resp ) { \
_pam_overwrite ( reply [ reply_i ] . resp ) ; \
free ( reply [ reply_i ] . resp ) ; \
} \
} \
if ( reply ) \
free ( reply ) ; \
} while ( 0 )
# define _pam_overwrite(x) \
do { \
register char * __xx__ ; \
if ( ( __xx__ = ( x ) ) ) \
while ( * __xx__ ) \
* __xx__ + + = ' \0 ' ; \
} while ( 0 )
/*
* Don ' t just free it , forget it too .
*/
2001-09-17 08:52:45 +04:00
# define _pam_drop(X) SAFE_FREE(X)
2001-05-07 09:03:40 +04:00
# define x_strdup(s) ( (s) ? strdup(s):NULL )
2006-09-13 20:39:52 +04:00
# endif /* HAVE_SECURITY__PAM_MACROS_H */
# ifdef HAVE_SECURITY_PAM_EXT_H
# include <security/pam_ext.h>
2001-05-07 09:03:40 +04:00
# endif
2002-02-05 12:40:36 +03:00
# define WINBIND_DEBUG_ARG (1<<0)
# define WINBIND_USE_AUTHTOK_ARG (1<<1)
# define WINBIND_UNKNOWN_OK_ARG (1<<2)
# define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
# define WINBIND_USE_FIRST_PASS_ARG (1<<4)
# define WINBIND__OLD_PASSWORD (1<<5)
2004-08-18 20:25:41 +04:00
# define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
2006-02-04 01:19:41 +03:00
# define WINBIND_KRB5_AUTH (1<<7)
# define WINBIND_KRB5_CCACHE_TYPE (1<<8)
# define WINBIND_CACHED_LOGIN (1<<9)
2006-04-11 18:40:53 +04:00
# define WINBIND_CONFIG_FILE (1<<10)
2006-09-13 20:39:52 +04:00
# define WINBIND_SILENT (1<<11)
2007-01-25 04:56:34 +03:00
# define WINBIND_DEBUG_STATE (1<<12)
2007-07-05 00:25:29 +04:00
# define WINBIND_WARN_PWD_EXPIRE (1<<13)
2006-01-13 14:11:23 +03:00
2002-02-05 12:40:36 +03:00
/*
* here is the string to inform the user that the new passwords they
* typed were not the same .
*/
# define MISTYPED_PASS "Sorry, passwords do not match"
# define on(x, y) (x & y)
# define off(x, y) (!(x & y))
2001-05-07 09:03:40 +04:00
2006-02-04 01:19:41 +03:00
# define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
2007-02-22 16:35:01 +03:00
# define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
2006-02-04 01:19:41 +03:00
# define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
2006-08-01 19:31:16 +04:00
# define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
2007-02-05 20:12:13 +03:00
# define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
2006-10-17 03:13:56 +04:00
# define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
2006-05-02 23:22:39 +04:00
# define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
2006-02-04 01:19:41 +03:00
# define SECONDS_PER_DAY 86400
2007-07-04 18:03:10 +04:00
# define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
2006-02-04 01:19:41 +03:00
2002-09-25 19:19:00 +04:00
# include "winbind_client.h"
2006-02-04 01:19:41 +03:00
2007-02-05 18:25:31 +03:00
# define PAM_WB_REMARK_DIRECT(h,f,x)\
2006-02-04 01:19:41 +03:00
{ \
const char * error_string = NULL ; \
error_string = _get_ntstatus_error_string ( x ) ; \
if ( error_string ! = NULL ) { \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , error_string ) ; \
2006-02-04 01:19:41 +03:00
} else { \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , x ) ; \
2006-02-04 01:19:41 +03:00
} ; \
} ;
2007-02-05 18:25:31 +03:00
# define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
2006-02-04 01:19:41 +03:00
{ \
const char * error_string = NULL ; \
error_string = _get_ntstatus_error_string ( x ) ; \
if ( error_string ! = NULL ) { \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , error_string ) ; \
2006-02-04 01:19:41 +03:00
return ret ; \
} ; \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , x ) ; \
2006-02-04 01:19:41 +03:00
return ret ; \
} ;
2007-02-05 20:35:25 +03:00
# define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
{ \
const char * ntstatus = x . data . auth . nt_status_string ; \
const char * error_string = NULL ; \
if ( ! strcasecmp ( ntstatus , y ) ) { \
error_string = _get_ntstatus_error_string ( y ) ; \
if ( error_string ! = NULL ) { \
_make_remark ( h , f , PAM_ERROR_MSG , error_string ) ; \
} ; \
if ( x . data . auth . error_string [ 0 ] ! = ' \0 ' ) { \
_make_remark ( h , f , PAM_ERROR_MSG , x . data . auth . error_string ) ; \
} ; \
_make_remark ( h , f , PAM_ERROR_MSG , y ) ; \
} ; \
} ;
2007-02-05 18:25:31 +03:00
# define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
2006-02-04 01:19:41 +03:00
{ \
const char * ntstatus = x . data . auth . nt_status_string ; \
const char * error_string = NULL ; \
2006-04-11 18:40:53 +04:00
if ( ! strcasecmp ( ntstatus , y ) ) { \
2006-02-04 01:19:41 +03:00
error_string = _get_ntstatus_error_string ( y ) ; \
if ( error_string ! = NULL ) { \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , error_string ) ; \
2006-02-04 01:19:41 +03:00
return ret ; \
} ; \
if ( x . data . auth . error_string [ 0 ] ! = ' \0 ' ) { \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , x . data . auth . error_string ) ; \
2006-02-04 01:19:41 +03:00
return ret ; \
} ; \
2007-02-05 18:25:31 +03:00
_make_remark ( h , f , PAM_ERROR_MSG , y ) ; \
2006-02-04 01:19:41 +03:00
return ret ; \
} ; \
} ;
2006-04-11 18:40:53 +04:00
2008-01-17 12:24:34 +03:00
/* from samr.idl */
# define DOMAIN_PASSWORD_COMPLEX 0x00000001
2006-04-11 18:40:53 +04:00
2008-01-17 12:24:34 +03:00
# define SAMR_REJECT_OTHER 0x00000000
# define SAMR_REJECT_TOO_SHORT 0x00000001
# define SAMR_REJECT_IN_HISTORY 0x00000002
# define SAMR_REJECT_COMPLEXITY 0x00000005
2006-04-11 18:40:53 +04:00
# define ACB_PWNOEXP 0x00000200
2008-01-17 12:24:34 +03:00
/* from netlogon.idl */
# define NETLOGON_CACHED_ACCOUNT 0x00000004
# define NETLOGON_GRACE_LOGON 0x01000000
2006-04-11 18:40:53 +04:00
/* from include/rpc_netlogon.h */
2007-05-07 00:33:33 +04:00
# define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
2006-04-11 18:40:53 +04:00
2008-01-17 12:24:34 +03:00
# define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
2007-05-07 00:33:33 +04:00
# define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
2008-01-17 12:24:34 +03:00
# define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))