1 /* pam_winbind header file
2 (Solaris needs some macros from Linux for common PAM code)
7 #include "lib/replace/replace.h"
8 #include "system/syslog.h"
9 #include "system/time.h"
10 #include "localedir.h"
12 #define MODULE_NAME "pam_winbind"
14 #define PAM_SM_ACCOUNT
15 #define PAM_SM_PASSWORD
16 #define PAM_SM_SESSION
18 #ifndef PAM_WINBIND_CONFIG_FILE
19 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
22 #include <iniparser.h>
30 /* Solaris always uses dynamic pam modules */
31 #define PAM_EXTERN extern
32 #if defined(HAVE_SECURITY_PAM_APPL_H)
33 #include <security/pam_appl.h>
34 #elif defined(HAVE_PAM_PAM_APPL_H)
35 #include <pam/pam_appl.h>
38 #ifndef PAM_AUTHTOK_RECOVER_ERR
39 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
42 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
44 #if defined(HAVE_SECURITY_PAM_MODULES_H)
45 #include <security/pam_modules.h>
46 #elif defined(HAVE_PAM_PAM_MODULES_H)
47 #include <pam/pam_modules.h>
50 #if defined(HAVE_SECURITY__PAM_MACROS_H)
51 #include <security/_pam_macros.h>
52 #elif defined(HAVE_PAM__PAM_MACROS_H)
53 #include <pam/_pam_macros.h>
55 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
56 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
60 for (reply_i=0; reply_i<replies; ++reply_i) { \
61 if (reply[reply_i].resp) { \
62 _pam_overwrite(reply[reply_i].resp); \
63 free(reply[reply_i].resp); \
70 #define _pam_overwrite(x) \
72 register char *__xx__; \
79 * Don't just free it, forget it too.
82 #define _pam_drop(X) SAFE_FREE(X)
84 #define x_strdup(s) ( (s) ? strdup(s):NULL )
85 #endif /* HAVE_SECURITY__PAM_MACROS_H */
87 #ifdef HAVE_SECURITY_PAM_EXT_H
88 #include <security/pam_ext.h>
91 #define WINBIND_DEBUG_ARG 0x00000001
92 #define WINBIND_USE_AUTHTOK_ARG 0x00000002
93 #define WINBIND_UNKNOWN_OK_ARG 0x00000004
94 #define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
95 #define WINBIND_USE_FIRST_PASS_ARG 0x00000010
96 #define WINBIND__OLD_PASSWORD 0x00000020
97 #define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
98 #define WINBIND_KRB5_AUTH 0x00000080
99 #define WINBIND_KRB5_CCACHE_TYPE 0x00000100
100 #define WINBIND_CACHED_LOGIN 0x00000200
101 #define WINBIND_CONFIG_FILE 0x00000400
102 #define WINBIND_SILENT 0x00000800
103 #define WINBIND_DEBUG_STATE 0x00001000
104 #define WINBIND_WARN_PWD_EXPIRE 0x00002000
106 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
107 #define _(string) dgettext(MODULE_NAME, string)
109 #define _(string) string
112 #define N_(string) string
115 * here is the string to inform the user that the new passwords they
116 * typed were not the same.
119 #define MISTYPED_PASS _("Sorry, passwords do not match")
121 #define on(x, y) (x & y)
122 #define off(x, y) (!(x & y))
124 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
125 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
126 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
127 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
128 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
129 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
130 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
132 #define SECONDS_PER_DAY 86400
134 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
136 #include "winbind_client.h"
138 #define PAM_WB_REMARK_DIRECT(c,x)\
140 const char *error_string = NULL; \
141 error_string = _get_ntstatus_error_string(x);\
142 if (error_string != NULL) {\
143 _make_remark(c, PAM_ERROR_MSG, error_string);\
145 _make_remark(c, PAM_ERROR_MSG, x);\
149 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
151 const char *error_string = NULL; \
152 error_string = _get_ntstatus_error_string(x);\
153 if (error_string != NULL) {\
154 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
157 _make_remark(h, f, PAM_ERROR_MSG, x);\
161 #define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
163 const char *ntstatus = x.data.auth.nt_status_string; \
164 const char *error_string = NULL; \
165 if (!strcasecmp(ntstatus,y)) {\
166 error_string = _get_ntstatus_error_string(y);\
167 if (error_string != NULL) {\
168 _make_remark(c, PAM_ERROR_MSG, error_string);\
170 if (x.data.auth.error_string[0] != '\0') {\
171 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
173 _make_remark(c, PAM_ERROR_MSG, y);\
177 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
179 const char *ntstatus = x.data.auth.nt_status_string; \
180 const char *error_string = NULL; \
181 if (!strcasecmp(ntstatus,y)) {\
182 error_string = _get_ntstatus_error_string(y);\
183 if (error_string != NULL) {\
184 _make_remark(c, PAM_ERROR_MSG, error_string);\
187 if (x.data.auth.error_string[0] != '\0') {\
188 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
191 _make_remark(c, PAM_ERROR_MSG, y);\
197 #define DOMAIN_PASSWORD_COMPLEX 0x00000001
199 #define SAMR_REJECT_OTHER 0x00000000
200 #define SAMR_REJECT_TOO_SHORT 0x00000001
201 #define SAMR_REJECT_IN_HISTORY 0x00000002
202 #define SAMR_REJECT_COMPLEXITY 0x00000005
204 #define ACB_PWNOEXP 0x00000200
206 /* from netlogon.idl */
207 #define NETLOGON_CACHED_ACCOUNT 0x00000004
208 #define NETLOGON_GRACE_LOGON 0x01000000
210 /* from include/rpc_netlogon.h */
211 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
213 #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
214 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
215 #define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))