source/nsswitch/pam_winbind.h

   1 /* pam_winbind header file
   2    (Solaris needs some macros from Linux for common PAM code)
   3
   4    Shirish Kalele 2000
   5 */
   6
   7 #include "lib/replace/replace.h"
   8 #include "system/syslog.h"
   9 #include "system/time.h"
  10 #include <talloc.h>
  11 #include "libwbclient/wbclient.h"
  12 #include "localedir.h"
  13
  14 #define MODULE_NAME "pam_winbind"
  15 #define PAM_SM_AUTH
  16 #define PAM_SM_ACCOUNT
  17 #define PAM_SM_PASSWORD
  18 #define PAM_SM_SESSION
  19
  20 #ifndef PAM_WINBIND_CONFIG_FILE
  21 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
  22 #endif
  23
  24 #include <iniparser.h>
  25
  26 #ifdef HAVE_LIBINTL_H
  27 #include <libintl.h>
  28 #endif
  29
  30 #ifndef LINUX
  31
  32 /* Solaris always uses dynamic pam modules */
  33 #define PAM_EXTERN extern
  34 #if defined(HAVE_SECURITY_PAM_APPL_H)
  35 #include <security/pam_appl.h>
  36 #elif defined(HAVE_PAM_PAM_APPL_H)
  37 #include <pam/pam_appl.h>
  38 #endif
  39
  40 #ifndef PAM_AUTHTOK_RECOVER_ERR
  41 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
  42 #endif
  43
  44 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
  45
  46 #if defined(HAVE_SECURITY_PAM_MODULES_H)
  47 #include <security/pam_modules.h>
  48 #elif defined(HAVE_PAM_PAM_MODULES_H)
  49 #include <pam/pam_modules.h>
  50 #endif
  51
  52 #if defined(HAVE_SECURITY__PAM_MACROS_H)
  53 #include <security/_pam_macros.h>
  54 #elif defined(HAVE_PAM__PAM_MACROS_H)
  55 #include <pam/_pam_macros.h>
  56 #else
  57 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
  58 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
  59 do {                                              \
  60     int reply_i;                                  \
  61                                                   \
  62     for (reply_i=0; reply_i<replies; ++reply_i) { \
  63         if (reply[reply_i].resp) {                \
  64             _pam_overwrite(reply[reply_i].resp);  \
  65             free(reply[reply_i].resp);            \
  66         }                                         \
  67     }                                             \
  68     if (reply)                                    \
  69         free(reply);                              \
  70 } while (0)
  71
  72 #define _pam_overwrite(x)        \
  73 do {                             \
  74      register char *__xx__;      \
  75      if ((__xx__=(x)))           \
  76           while (*__xx__)        \
  77                *__xx__++ = '\0'; \
  78 } while (0)
  79
  80 /*
  81  * Don't just free it, forget it too.
  82  */
  83
  84 #define _pam_drop(X) SAFE_FREE(X)
  85
  86 #define  x_strdup(s)  ( (s) ? strdup(s):NULL )
  87 #endif /* HAVE_SECURITY__PAM_MACROS_H */
  88
  89 #ifdef HAVE_SECURITY_PAM_EXT_H
  90 #include <security/pam_ext.h>
  91 #endif
  92
  93 #define WINBIND_DEBUG_ARG               0x00000001
  94 #define WINBIND_USE_AUTHTOK_ARG         0x00000002
  95 #define WINBIND_UNKNOWN_OK_ARG          0x00000004
  96 #define WINBIND_TRY_FIRST_PASS_ARG      0x00000008
  97 #define WINBIND_USE_FIRST_PASS_ARG      0x00000010
  98 #define WINBIND__OLD_PASSWORD           0x00000020
  99 #define WINBIND_REQUIRED_MEMBERSHIP     0x00000040
 100 #define WINBIND_KRB5_AUTH               0x00000080
 101 #define WINBIND_KRB5_CCACHE_TYPE        0x00000100
 102 #define WINBIND_CACHED_LOGIN            0x00000200
 103 #define WINBIND_CONFIG_FILE             0x00000400
 104 #define WINBIND_SILENT                  0x00000800
 105 #define WINBIND_DEBUG_STATE             0x00001000
 106 #define WINBIND_WARN_PWD_EXPIRE         0x00002000
 107
 108 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 109 #define _(string) dgettext(MODULE_NAME, string)
 110 #else
 111 #define _(string) string
 112 #endif
 113
 114 #define N_(string) string
 115
 116 /*
 117  * here is the string to inform the user that the new passwords they
 118  * typed were not the same.
 119  */
 120
 121 #define MISTYPED_PASS _("Sorry, passwords do not match")
 122
 123 #define on(x, y) (x & y)
 124 #define off(x, y) (!(x & y))
 125
 126 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
 127 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
 128 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
 129 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
 130 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
 131 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
 132 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
 133
 134 #define SECONDS_PER_DAY 86400
 135
 136 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
 137
 138 #include "winbind_client.h"
 139
 140 #define PAM_WB_REMARK_DIRECT(c,x)\
 141 {\
 142         const char *error_string = NULL; \
 143         error_string = _get_ntstatus_error_string(x);\
 144         if (error_string != NULL) {\
 145                 _make_remark(c, PAM_ERROR_MSG, error_string);\
 146         } else {\
 147                 _make_remark(c, PAM_ERROR_MSG, x);\
 148         };\
 149 };
 150
 151 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
 152 {\
 153         const char *error_string = NULL; \
 154         error_string = _get_ntstatus_error_string(x);\
 155         if (error_string != NULL) {\
 156                 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
 157                 return ret;\
 158         };\
 159         _make_remark(h, f, PAM_ERROR_MSG, x);\
 160         return ret;\
 161 };
 162
 163 #define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
 164 {\
 165         const char *ntstatus = x.data.auth.nt_status_string; \
 166         const char *error_string = NULL; \
 167         if (!strcasecmp(ntstatus,y)) {\
 168                 error_string = _get_ntstatus_error_string(y);\
 169                 if (error_string != NULL) {\
 170                         _make_remark(c, PAM_ERROR_MSG, error_string);\
 171                 };\
 172                 if (x.data.auth.error_string[0] != '\0') {\
 173                         _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
 174                 };\
 175                 _make_remark(c, PAM_ERROR_MSG, y);\
 176         };\
 177 };
 178
 179 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
 180 {\
 181         const char *ntstatus = x.data.auth.nt_status_string; \
 182         const char *error_string = NULL; \
 183         if (!strcasecmp(ntstatus,y)) {\
 184                 error_string = _get_ntstatus_error_string(y);\
 185                 if (error_string != NULL) {\
 186                         _make_remark(c, PAM_ERROR_MSG, error_string);\
 187                         return ret;\
 188                 };\
 189                 if (x.data.auth.error_string[0] != '\0') {\
 190                         _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
 191                         return ret;\
 192                 };\
 193                 _make_remark(c, PAM_ERROR_MSG, y);\
 194                 return ret;\
 195         };\
 196 };
 197
 198 #define ACB_PWNOEXP                     0x00000200
 199
 200 /* from netlogon.idl */
 201 #define NETLOGON_CACHED_ACCOUNT         0x00000004
 202 #define NETLOGON_GRACE_LOGON            0x01000000
 203
 204 /* from include/rpc_netlogon.h */
 205 #define LOGON_KRB5_FAIL_CLOCK_SKEW      0x02000000
 206
 207 #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
 208 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
 209 #define PAM_WB_GRACE_LOGON(x)  ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))
 210
 211 struct pwb_context {
 212         pam_handle_t *pamh;
 213         int flags;
 214         int argc;
 215         const char **argv;
 216         dictionary *dict;
 217         uint32_t ctrl;
 218 };
 219
 220 #define TALLOC_FREE(ctx) do { if ((ctx) != NULL) {talloc_free(ctx); ctx=NULL;} } while(0)
 221 #define TALLOC_ZERO_P(ctx, type) (type *)_talloc_zero(ctx, sizeof(type), #type)
 222 #define TALLOC_P(ctx, type) (type *)talloc_named_const(ctx, sizeof(type), #type)
 223