mirror of
https://github.com/samba-team/samba.git
synced 2024-12-30 13:18:05 +03:00
b824a665bb
- Add parameter config_flag to get_config_item_int() and do the same
check as in get_conf_item_string.
(This used to be commit d1d1baa264
)
201 lines
5.8 KiB
C
201 lines
5.8 KiB
C
/* pam_winbind header file
|
|
(Solaris needs some macros from Linux for common PAM code)
|
|
|
|
Shirish Kalele 2000
|
|
*/
|
|
|
|
#include "lib/replace/replace.h"
|
|
#include "system/syslog.h"
|
|
#include "system/time.h"
|
|
|
|
#define MODULE_NAME "pam_winbind"
|
|
#define PAM_SM_AUTH
|
|
#define PAM_SM_ACCOUNT
|
|
#define PAM_SM_PASSWORD
|
|
|
|
#ifndef PAM_WINBIND_CONFIG_FILE
|
|
#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
|
|
#endif
|
|
|
|
#include <iniparser.h>
|
|
|
|
#ifndef LINUX
|
|
|
|
/* Solaris always uses dynamic pam modules */
|
|
#define PAM_EXTERN extern
|
|
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
|
#include <security/pam_appl.h>
|
|
#elif defined(HAVE_PAM_PAM_APPL_H)
|
|
#include <pam/pam_appl.h>
|
|
#endif
|
|
|
|
#ifndef PAM_AUTHTOK_RECOVER_ERR
|
|
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
|
|
#endif
|
|
|
|
#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
|
|
|
|
#if defined(HAVE_SECURITY_PAM_MODULES_H)
|
|
#include <security/pam_modules.h>
|
|
#elif defined(HAVE_PAM_PAM_MODULES_H)
|
|
#include <pam/pam_modules.h>
|
|
#endif
|
|
|
|
#if defined(HAVE_SECURITY__PAM_MACROS_H)
|
|
#include <security/_pam_macros.h>
|
|
#elif defined(HAVE_PAM__PAM_MACROS_H)
|
|
#include <pam/_pam_macros.h>
|
|
#else
|
|
/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
|
|
#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
|
|
do { \
|
|
int reply_i; \
|
|
\
|
|
for (reply_i=0; reply_i<replies; ++reply_i) { \
|
|
if (reply[reply_i].resp) { \
|
|
_pam_overwrite(reply[reply_i].resp); \
|
|
free(reply[reply_i].resp); \
|
|
} \
|
|
} \
|
|
if (reply) \
|
|
free(reply); \
|
|
} while (0)
|
|
|
|
#define _pam_overwrite(x) \
|
|
do { \
|
|
register char *__xx__; \
|
|
if ((__xx__=(x))) \
|
|
while (*__xx__) \
|
|
*__xx__++ = '\0'; \
|
|
} while (0)
|
|
|
|
/*
|
|
* Don't just free it, forget it too.
|
|
*/
|
|
|
|
#define _pam_drop(X) SAFE_FREE(X)
|
|
|
|
#define x_strdup(s) ( (s) ? strdup(s):NULL )
|
|
#endif /* HAVE_SECURITY__PAM_MACROS_H */
|
|
|
|
#ifdef HAVE_SECURITY_PAM_EXT_H
|
|
#include <security/pam_ext.h>
|
|
#endif
|
|
|
|
#define WINBIND_DEBUG_ARG (1<<0)
|
|
#define WINBIND_USE_AUTHTOK_ARG (1<<1)
|
|
#define WINBIND_UNKNOWN_OK_ARG (1<<2)
|
|
#define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
|
|
#define WINBIND_USE_FIRST_PASS_ARG (1<<4)
|
|
#define WINBIND__OLD_PASSWORD (1<<5)
|
|
#define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
|
|
#define WINBIND_KRB5_AUTH (1<<7)
|
|
#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
|
|
#define WINBIND_CACHED_LOGIN (1<<9)
|
|
#define WINBIND_CONFIG_FILE (1<<10)
|
|
#define WINBIND_SILENT (1<<11)
|
|
#define WINBIND_DEBUG_STATE (1<<12)
|
|
#define WINBIND_WARN_PWD_EXPIRE (1<<13)
|
|
|
|
/*
|
|
* here is the string to inform the user that the new passwords they
|
|
* typed were not the same.
|
|
*/
|
|
|
|
#define MISTYPED_PASS "Sorry, passwords do not match"
|
|
|
|
#define on(x, y) (x & y)
|
|
#define off(x, y) (!(x & y))
|
|
|
|
#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
|
|
#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
|
|
#define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
|
|
#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
|
|
#define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
|
|
#define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
|
|
#define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
|
|
|
|
#define SECONDS_PER_DAY 86400
|
|
|
|
#define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
|
|
|
|
#include "winbind_client.h"
|
|
|
|
#define PAM_WB_REMARK_DIRECT(h,f,x)\
|
|
{\
|
|
const char *error_string = NULL; \
|
|
error_string = _get_ntstatus_error_string(x);\
|
|
if (error_string != NULL) {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
|
|
} else {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, x);\
|
|
};\
|
|
};
|
|
|
|
#define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
|
|
{\
|
|
const char *error_string = NULL; \
|
|
error_string = _get_ntstatus_error_string(x);\
|
|
if (error_string != NULL) {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
|
|
return ret;\
|
|
};\
|
|
_make_remark(h, f, PAM_ERROR_MSG, x);\
|
|
return ret;\
|
|
};
|
|
|
|
#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
|
|
{\
|
|
const char *ntstatus = x.data.auth.nt_status_string; \
|
|
const char *error_string = NULL; \
|
|
if (!strcasecmp(ntstatus,y)) {\
|
|
error_string = _get_ntstatus_error_string(y);\
|
|
if (error_string != NULL) {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
|
|
};\
|
|
if (x.data.auth.error_string[0] != '\0') {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
|
|
};\
|
|
_make_remark(h, f, PAM_ERROR_MSG, y);\
|
|
};\
|
|
};
|
|
|
|
#define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
|
|
{\
|
|
const char *ntstatus = x.data.auth.nt_status_string; \
|
|
const char *error_string = NULL; \
|
|
if (!strcasecmp(ntstatus,y)) {\
|
|
error_string = _get_ntstatus_error_string(y);\
|
|
if (error_string != NULL) {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
|
|
return ret;\
|
|
};\
|
|
if (x.data.auth.error_string[0] != '\0') {\
|
|
_make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
|
|
return ret;\
|
|
};\
|
|
_make_remark(h, f, PAM_ERROR_MSG, y);\
|
|
return ret;\
|
|
};\
|
|
};
|
|
|
|
/* from include/rpc_samr.h */
|
|
#define DOMAIN_PASSWORD_COMPLEX 0x00000001
|
|
|
|
#define REJECT_REASON_OTHER 0x00000000
|
|
#define REJECT_REASON_TOO_SHORT 0x00000001
|
|
#define REJECT_REASON_IN_HISTORY 0x00000002
|
|
#define REJECT_REASON_NOT_COMPLEX 0x00000005
|
|
|
|
/* from include/smb.h */
|
|
#define ACB_PWNOEXP 0x00000200
|
|
|
|
/* from include/rpc_netlogon.h */
|
|
#define LOGON_CACHED_ACCOUNT 0x00000004
|
|
#define LOGON_GRACE_LOGON 0x01000000
|
|
#define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
|
|
|
|
#define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT)
|
|
#define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
|
|
#define PAM_WB_GRACE_LOGON(x) ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON)))
|