source/nsswitch/pam_winbind.h

   1 /* pam_winbind header file
   2    (Solaris needs some macros from Linux for common PAM code)
   3
   4    Shirish Kalele 2000
   5 */
   6
   7 #ifdef HAVE_FEATURES_H
   8 #include <features.h>
   9 #endif
  10
  11 #include <stdlib.h>
  12 #include <unistd.h>
  13 #include <limits.h>
  14 #include <string.h>
  15 #include <syslog.h>
  16 #include <stdarg.h>
  17 #include <sys/types.h>
  18 #include <sys/stat.h>
  19 #include <fcntl.h>
  20 #include <errno.h>
  21 #include <time.h>
  22
  23 #include <config.h>
  24
  25 #define MODULE_NAME "pam_winbind"
  26 #define PAM_SM_AUTH
  27 #define PAM_SM_ACCOUNT
  28 #define PAM_SM_PASSWORD
  29
  30 #ifndef PAM_WINBIND_CONFIG_FILE
  31 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
  32 #endif
  33
  34 #include <iniparser.h>
  35
  36 #if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX)
  37
  38 /* Solaris always uses dynamic pam modules */
  39 #define PAM_EXTERN extern
  40 #include <security/pam_appl.h>
  41
  42 #ifndef PAM_AUTHTOK_RECOVER_ERR
  43 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
  44 #endif
  45
  46 #endif
  47
  48 #ifdef HAVE_SECURITY_PAM_MODULES_H
  49 #include <security/pam_modules.h>
  50 #endif
  51
  52 #ifdef HAVE_SECURITY__PAM_MACROS_H
  53 #include <security/_pam_macros.h>
  54 #else
  55 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
  56 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
  57 do {                                              \
  58     int reply_i;                                  \
  59                                                   \
  60     for (reply_i=0; reply_i<replies; ++reply_i) { \
  61         if (reply[reply_i].resp) {                \
  62             _pam_overwrite(reply[reply_i].resp);  \
  63             free(reply[reply_i].resp);            \
  64         }                                         \
  65     }                                             \
  66     if (reply)                                    \
  67         free(reply);                              \
  68 } while (0)
  69
  70 #define _pam_overwrite(x)        \
  71 do {                             \
  72      register char *__xx__;      \
  73      if ((__xx__=(x)))           \
  74           while (*__xx__)        \
  75                *__xx__++ = '\0'; \
  76 } while (0)
  77
  78 /*
  79  * Don't just free it, forget it too.
  80  */
  81
  82 #define _pam_drop(X) SAFE_FREE(X)
  83
  84 #define  x_strdup(s)  ( (s) ? strdup(s):NULL )
  85 #endif
  86
  87 #define WINBIND_DEBUG_ARG (1<<0)
  88 #define WINBIND_USE_AUTHTOK_ARG (1<<1)
  89 #define WINBIND_UNKNOWN_OK_ARG (1<<2)
  90 #define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
  91 #define WINBIND_USE_FIRST_PASS_ARG (1<<4)
  92 #define WINBIND__OLD_PASSWORD (1<<5)
  93 #define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
  94 #define WINBIND_KRB5_AUTH (1<<7)
  95 #define WINBIND_KRB5_CCACHE_TYPE (1<<8)
  96 #define WINBIND_CACHED_LOGIN (1<<9)
  97 #define WINBIND_CONFIG_FILE (1<<10)
  98
  99 /*
 100  * here is the string to inform the user that the new passwords they
 101  * typed were not the same.
 102  */
 103
 104 #define MISTYPED_PASS "Sorry, passwords do not match"
 105
 106 #define on(x, y) (x & y)
 107 #define off(x, y) (!(x & y))
 108
 109 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
 110 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
 111 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
 112 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
 113
 114 #define SECONDS_PER_DAY 86400
 115
 116 #define DAYS_TO_WARN_BEFORE_PWD_EXPIRES 5
 117
 118 #include "winbind_client.h"
 119
 120 #define PAM_WB_REMARK_DIRECT(h,x)\
 121 {\
 122         const char *error_string = NULL; \
 123         error_string = _get_ntstatus_error_string(x);\
 124         if (error_string != NULL) {\
 125                 _make_remark(h, PAM_ERROR_MSG, error_string);\
 126         } else {\
 127                 _make_remark(h, PAM_ERROR_MSG, x);\
 128         };\
 129 };
 130
 131 #define PAM_WB_REMARK_DIRECT_RET(h,x)\
 132 {\
 133         const char *error_string = NULL; \
 134         error_string = _get_ntstatus_error_string(x);\
 135         if (error_string != NULL) {\
 136                 _make_remark(h, PAM_ERROR_MSG, error_string);\
 137                 return ret;\
 138         };\
 139         _make_remark(h, PAM_ERROR_MSG, x);\
 140         return ret;\
 141 };
 142
 143 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,x,y)\
 144 {\
 145         const char *ntstatus = x.data.auth.nt_status_string; \
 146         const char *error_string = NULL; \
 147         if (!strcasecmp(ntstatus,y)) {\
 148                 error_string = _get_ntstatus_error_string(y);\
 149                 if (error_string != NULL) {\
 150                         _make_remark(h, PAM_ERROR_MSG, error_string);\
 151                         return ret;\
 152                 };\
 153                 if (x.data.auth.error_string[0] != '\0') {\
 154                         _make_remark(h, PAM_ERROR_MSG, x.data.auth.error_string);\
 155                         return ret;\
 156                 };\
 157                 _make_remark(h, PAM_ERROR_MSG, y);\
 158                 return ret;\
 159         };\
 160 };
 161
 162 /* from include/rpc_samr.h */
 163 #define DOMAIN_PASSWORD_COMPLEX            0x00000001
 164
 165 #define REJECT_REASON_OTHER             0x00000000
 166 #define REJECT_REASON_TOO_SHORT         0x00000001
 167 #define REJECT_REASON_IN_HISTORY        0x00000002
 168 #define REJECT_REASON_NOT_COMPLEX       0x00000005
 169
 170 /* from include/smb.h */
 171 #define ACB_PWNOEXP                     0x00000200
 172
 173 /* from include/rpc_netlogon.h */
 174 #define LOGON_CACHED_ACCOUNT            0x00000004
 175