1 /* pam_winbind header file
2 (Solaris needs some macros from Linux for common PAM code)
7 #include "lib/replace/replace.h"
8 #include "system/syslog.h"
9 #include "system/time.h"
11 #define MODULE_NAME "pam_winbind"
13 #define PAM_SM_ACCOUNT
14 #define PAM_SM_PASSWORD
15 #define PAM_SM_SESSION
17 #ifndef PAM_WINBIND_CONFIG_FILE
18 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
21 #include <iniparser.h>
25 /* newer versions of PAM have this in _pam_compat.h */
26 #ifndef PAM_AUTHTOK_RECOVERY_ERR
27 #define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
32 /* Solaris always uses dynamic pam modules */
33 #define PAM_EXTERN extern
34 #if defined(HAVE_SECURITY_PAM_APPL_H)
35 #include <security/pam_appl.h>
36 #elif defined(HAVE_PAM_PAM_APPL_H)
37 #include <pam/pam_appl.h>
40 #ifndef PAM_AUTHTOK_RECOVER_ERR
41 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
44 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
46 #if defined(HAVE_SECURITY_PAM_MODULES_H)
47 #include <security/pam_modules.h>
48 #elif defined(HAVE_PAM_PAM_MODULES_H)
49 #include <pam/pam_modules.h>
52 #if defined(HAVE_SECURITY__PAM_MACROS_H)
53 #include <security/_pam_macros.h>
54 #elif defined(HAVE_PAM__PAM_MACROS_H)
55 #include <pam/_pam_macros.h>
57 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
58 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
62 for (reply_i=0; reply_i<replies; ++reply_i) { \
63 if (reply[reply_i].resp) { \
64 _pam_overwrite(reply[reply_i].resp); \
65 free(reply[reply_i].resp); \
72 #define _pam_overwrite(x) \
74 register char *__xx__; \
81 * Don't just free it, forget it too.
84 #define _pam_drop(X) SAFE_FREE(X)
86 #define x_strdup(s) ( (s) ? strdup(s):NULL )
87 #endif /* HAVE_SECURITY__PAM_MACROS_H */
89 #ifdef HAVE_SECURITY_PAM_EXT_H
90 #include <security/pam_ext.h>
93 #define WINBIND_DEBUG_ARG (1<<0)
94 #define WINBIND_USE_AUTHTOK_ARG (1<<1)
95 #define WINBIND_UNKNOWN_OK_ARG (1<<2)
96 #define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
97 #define WINBIND_USE_FIRST_PASS_ARG (1<<4)
98 #define WINBIND__OLD_PASSWORD (1<<5)
99 #define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
100 #define WINBIND_KRB5_AUTH (1<<7)
101 #define WINBIND_KRB5_CCACHE_TYPE (1<<8)
102 #define WINBIND_CACHED_LOGIN (1<<9)
103 #define WINBIND_CONFIG_FILE (1<<10)
104 #define WINBIND_SILENT (1<<11)
105 #define WINBIND_DEBUG_STATE (1<<12)
106 #define WINBIND_WARN_PWD_EXPIRE (1<<13)
109 * here is the string to inform the user that the new passwords they
110 * typed were not the same.
113 #define MISTYPED_PASS "Sorry, passwords do not match"
115 #define on(x, y) (x & y)
116 #define off(x, y) (!(x & y))
118 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
119 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
120 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
121 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
122 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
123 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
124 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
126 #define SECONDS_PER_DAY 86400
128 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
130 #include "winbind_client.h"
132 #define PAM_WB_REMARK_DIRECT(c,x)\
134 const char *error_string = NULL; \
135 error_string = _get_ntstatus_error_string(x);\
136 if (error_string != NULL) {\
137 _make_remark(c, PAM_ERROR_MSG, error_string);\
139 _make_remark(c, PAM_ERROR_MSG, x);\
143 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
145 const char *error_string = NULL; \
146 error_string = _get_ntstatus_error_string(x);\
147 if (error_string != NULL) {\
148 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
151 _make_remark(h, f, PAM_ERROR_MSG, x);\
155 #define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
157 const char *ntstatus = x.data.auth.nt_status_string; \
158 const char *error_string = NULL; \
159 if (!strcasecmp(ntstatus,y)) {\
160 error_string = _get_ntstatus_error_string(y);\
161 if (error_string != NULL) {\
162 _make_remark(c, PAM_ERROR_MSG, error_string);\
164 if (x.data.auth.error_string[0] != '\0') {\
165 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
167 _make_remark(c, PAM_ERROR_MSG, y);\
171 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
173 const char *ntstatus = x.data.auth.nt_status_string; \
174 const char *error_string = NULL; \
175 if (!strcasecmp(ntstatus,y)) {\
176 error_string = _get_ntstatus_error_string(y);\
177 if (error_string != NULL) {\
178 _make_remark(c, PAM_ERROR_MSG, error_string);\
181 if (x.data.auth.error_string[0] != '\0') {\
182 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
185 _make_remark(c, PAM_ERROR_MSG, y);\
191 #define DOMAIN_PASSWORD_COMPLEX 0x00000001
193 #define SAMR_REJECT_OTHER 0x00000000
194 #define SAMR_REJECT_TOO_SHORT 0x00000001
195 #define SAMR_REJECT_IN_HISTORY 0x00000002
196 #define SAMR_REJECT_COMPLEXITY 0x00000005
198 #define ACB_PWNOEXP 0x00000200
200 /* from netlogon.idl */
201 #define NETLOGON_CACHED_ACCOUNT 0x00000004
202 #define NETLOGON_GRACE_LOGON 0x01000000
204 /* from include/rpc_netlogon.h */
205 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
207 #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
208 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
209 #define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))