CVE-2016-2114: s4:smb2_server: fix session setup with required signing
[Samba.git] / nsswitch / pam_winbind.h
blob13542b2968f002dba0b99139563a020969dce895
1 /*
2 * Copyright (c) Andrew Tridgell <tridge@samba.org> 2000
3 * Copyright (c) Tim Potter <tpot@samba.org> 2000
4 * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
5 * Copyright (c) Guenther Deschner <gd@samba.org> 2005-2008
6 * Copyright (c) Jan Rêkorajski 1999.
7 * Copyright (c) Andrew G. Morgan 1996-8.
8 * Copyright (c) Alex O. Yuriev, 1996.
9 * Copyright (c) Cristian Gafton 1996.
10 * Copyright (C) Elliot Lee <sopwith@redhat.com> 1996, Red Hat Software.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, and the entire permission notice in its entirety,
17 * including the disclaimer of warranties.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. The name of the author may not be used to endorse or promote
22 * products derived from this software without specific prior
23 * written permission.
25 * ALTERNATIVELY, this product may be distributed under the terms of
26 * the GNU Public License, in which case the provisions of the GPL are
27 * required INSTEAD OF the above restrictions. (This clause is
28 * necessary due to a potential bad interaction between the GPL and
29 * the restrictions contained in a BSD-style copyright.)
31 * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
34 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
35 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
36 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
38 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
41 * OF THE POSSIBILITY OF SUCH DAMAGE.
44 /* pam_winbind header file
45 (Solaris needs some macros from Linux for common PAM code)
47 Shirish Kalele 2000
50 #ifndef _NSSWITCH_PAM_WINBIND_H_
51 #define _NSSWITCH_PAM_WINBIND_H_
53 #include "../lib/replace/replace.h"
54 #include "system/syslog.h"
55 #include "system/time.h"
56 #include <talloc.h>
57 #include "libwbclient/wbclient.h"
58 #include "lib/util/tiniparser.h"
60 #define MODULE_NAME "pam_winbind"
61 #define PAM_SM_AUTH
62 #define PAM_SM_ACCOUNT
63 #define PAM_SM_PASSWORD
64 #define PAM_SM_SESSION
66 #ifndef PAM_WINBIND_CONFIG_FILE
67 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
68 #endif
70 #ifdef HAVE_LIBINTL_H
71 #include <libintl.h>
72 #endif
74 #if defined(LINUX)
76 /* newer versions of PAM have this in _pam_compat.h */
77 #ifndef PAM_AUTHTOK_RECOVERY_ERR
78 #define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
79 #endif
81 #else /* !LINUX */
83 /* Solaris always uses dynamic pam modules */
84 #define PAM_EXTERN extern
85 #if defined(HAVE_SECURITY_PAM_APPL_H)
86 #include <security/pam_appl.h>
87 #elif defined(HAVE_PAM_PAM_APPL_H)
88 #include <pam/pam_appl.h>
89 #endif
91 #ifndef PAM_AUTHTOK_RECOVER_ERR
92 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
93 #endif
95 #endif /* (!)LINUX */
97 #if defined(HAVE_SECURITY_PAM_MODULES_H)
98 #include <security/pam_modules.h>
99 #elif defined(HAVE_PAM_PAM_MODULES_H)
100 #include <pam/pam_modules.h>
101 #endif
103 #if defined(HAVE_SECURITY__PAM_MACROS_H)
104 #include <security/_pam_macros.h>
105 #elif defined(HAVE_PAM__PAM_MACROS_H)
106 #include <pam/_pam_macros.h>
107 #else
108 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
109 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
110 do { \
111 int reply_i; \
113 for (reply_i=0; reply_i<replies; ++reply_i) { \
114 if (reply[reply_i].resp) { \
115 _pam_overwrite(reply[reply_i].resp); \
116 free(reply[reply_i].resp); \
119 if (reply) \
120 free(reply); \
121 } while (0)
123 #define _pam_overwrite(x) \
124 do { \
125 register char *__xx__; \
126 if ((__xx__=(x))) \
127 while (*__xx__) \
128 *__xx__++ = '\0'; \
129 } while (0)
132 * Don't just free it, forget it too.
135 #define _pam_drop(X) SAFE_FREE(X)
137 #define x_strdup(s) ( (s) ? strdup(s):NULL )
138 #endif /* HAVE_SECURITY__PAM_MACROS_H */
140 #ifdef HAVE_SECURITY_PAM_EXT_H
141 #include <security/pam_ext.h>
142 #endif
144 #define WINBIND_DEBUG_ARG 0x00000001
145 #define WINBIND_USE_AUTHTOK_ARG 0x00000002
146 #define WINBIND_UNKNOWN_OK_ARG 0x00000004
147 #define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
148 #define WINBIND_USE_FIRST_PASS_ARG 0x00000010
149 #define WINBIND__OLD_PASSWORD 0x00000020
150 #define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
151 #define WINBIND_KRB5_AUTH 0x00000080
152 #define WINBIND_KRB5_CCACHE_TYPE 0x00000100
153 #define WINBIND_CACHED_LOGIN 0x00000200
154 #define WINBIND_CONFIG_FILE 0x00000400
155 #define WINBIND_SILENT 0x00000800
156 #define WINBIND_DEBUG_STATE 0x00001000
157 #define WINBIND_WARN_PWD_EXPIRE 0x00002000
158 #define WINBIND_MKHOMEDIR 0x00004000
160 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
161 #define _(string) dgettext(MODULE_NAME, string)
162 #else
163 #define _(string) string
164 #endif
166 #define N_(string) string
169 * here is the string to inform the user that the new passwords they
170 * typed were not the same.
173 #define MISTYPED_PASS _("Sorry, passwords do not match")
175 #define on(x, y) (x & y)
176 #define off(x, y) (!(x & y))
178 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
179 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
180 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
181 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
182 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
183 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
184 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
186 #define SECONDS_PER_DAY 86400
188 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
190 #include "winbind_client.h"
192 #define PAM_WB_REMARK_DIRECT(c,x)\
194 const char *error_string = NULL; \
195 error_string = _get_ntstatus_error_string(x);\
196 if (error_string != NULL) {\
197 _make_remark(c, PAM_ERROR_MSG, error_string);\
198 } else {\
199 _make_remark(c, PAM_ERROR_MSG, x);\
203 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
205 #define PAM_WB_CACHED_LOGON(x) (x & WBC_AUTH_USER_INFO_CACHED_ACCOUNT)
206 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
207 #define PAM_WB_GRACE_LOGON(x) ((WBC_AUTH_USER_INFO_CACHED_ACCOUNT|WBC_AUTH_USER_INFO_GRACE_LOGON) == ( x & (WBC_AUTH_USER_INFO_CACHED_ACCOUNT|WBC_AUTH_USER_INFO_GRACE_LOGON)))
209 struct pwb_context {
210 pam_handle_t *pamh;
211 int flags;
212 int argc;
213 const char **argv;
214 struct tiniparser_dictionary *dict;
215 uint32_t ctrl;
218 #ifndef TALLOC_FREE
219 #define TALLOC_FREE(ctx) do { talloc_free(ctx); ctx=NULL; } while(0)
220 #endif
221 #define TALLOC_ZERO_P(ctx, type) (type *)_talloc_zero(ctx, sizeof(type), #type)
222 #define TALLOC_P(ctx, type) (type *)talloc_named_const(ctx, sizeof(type), #type)
224 #endif /* _NSSWITCH_PAM_WINBIND_H_ */