source/nsswitch/pam_winbind.h

   1 /* pam_winbind header file
   2    (Solaris needs some macros from Linux for common PAM code)
   3
   4    Shirish Kalele 2000
   5 */
   6
   7 #include "lib/replace/replace.h"
   8 #include "system/syslog.h"
   9 #include "system/time.h"
  10
  11 #define MODULE_NAME "pam_winbind"
  12 #define PAM_SM_AUTH
  13 #define PAM_SM_ACCOUNT
  14 #define PAM_SM_PASSWORD
  15 #define PAM_SM_SESSION
  16
  17 #ifndef PAM_WINBIND_CONFIG_FILE
  18 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
  19 #endif
  20
  21 #include <iniparser.h>
  22
  23 #ifndef LINUX
  24
  25 /* Solaris always uses dynamic pam modules */
  26 #define PAM_EXTERN extern
  27 #if defined(HAVE_SECURITY_PAM_APPL_H)
  28 #include <security/pam_appl.h>
  29 #elif defined(HAVE_PAM_PAM_APPL_H)
  30 #include <pam/pam_appl.h>
  31 #endif
  32
  33 #ifndef PAM_AUTHTOK_RECOVER_ERR
  34 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
  35 #endif
  36
  37 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
  38
  39 #if defined(HAVE_SECURITY_PAM_MODULES_H)
  40 #include <security/pam_modules.h>
  41 #elif defined(HAVE_PAM_PAM_MODULES_H)
  42 #include <pam/pam_modules.h>
  43 #endif
  44
  45 #if defined(HAVE_SECURITY__PAM_MACROS_H)
  46 #include <security/_pam_macros.h>
  47 #elif defined(HAVE_PAM__PAM_MACROS_H)
  48 #include <pam/_pam_macros.h>
  49 #else
  50 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
  51 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
  52 do {                                              \
  53     int reply_i;                                  \
  54                                                   \
  55     for (reply_i=0; reply_i<replies; ++reply_i) { \
  56         if (reply[reply_i].resp) {                \
  57             _pam_overwrite(reply[reply_i].resp);  \
  58             free(reply[reply_i].resp);            \
  59         }                                         \
  60     }                                             \
  61     if (reply)                                    \
  62         free(reply);                              \
  63 } while (0)
  64
  65 #define _pam_overwrite(x)        \
  66 do {                             \
  67      register char *__xx__;      \
  68      if ((__xx__=(x)))           \
  69           while (*__xx__)        \
  70                *__xx__++ = '\0'; \
  71 } while (0)
  72
  73 /*
  74  * Don't just free it, forget it too.
  75  */
  76
  77 #define _pam_drop(X) SAFE_FREE(X)
  78
  79 #define  x_strdup(s)  ( (s) ? strdup(s):NULL )
  80 #endif /* HAVE_SECURITY__PAM_MACROS_H */
  81
  82 #ifdef HAVE_SECURITY_PAM_EXT_H
  83 #include <security/pam_ext.h>
  84 #endif
  85
  86 #define WINBIND_DEBUG_ARG               0x00000001
  87 #define WINBIND_USE_AUTHTOK_ARG         0x00000002
  88 #define WINBIND_UNKNOWN_OK_ARG          0x00000004
  89 #define WINBIND_TRY_FIRST_PASS_ARG      0x00000008
  90 #define WINBIND_USE_FIRST_PASS_ARG      0x00000010
  91 #define WINBIND__OLD_PASSWORD           0x00000020
  92 #define WINBIND_REQUIRED_MEMBERSHIP     0x00000040
  93 #define WINBIND_KRB5_AUTH               0x00000080
  94 #define WINBIND_KRB5_CCACHE_TYPE        0x00000100
  95 #define WINBIND_CACHED_LOGIN            0x00000200
  96 #define WINBIND_CONFIG_FILE             0x00000400
  97 #define WINBIND_SILENT                  0x00000800
  98 #define WINBIND_DEBUG_STATE             0x00001000
  99 #define WINBIND_WARN_PWD_EXPIRE         0x00002000
 100
 101 /*
 102  * here is the string to inform the user that the new passwords they
 103  * typed were not the same.
 104  */
 105
 106 #define MISTYPED_PASS "Sorry, passwords do not match"
 107
 108 #define on(x, y) (x & y)
 109 #define off(x, y) (!(x & y))
 110
 111 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
 112 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
 113 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
 114 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
 115 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
 116 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
 117 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
 118
 119 #define SECONDS_PER_DAY 86400
 120
 121 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
 122
 123 #include "winbind_client.h"
 124
 125 #define PAM_WB_REMARK_DIRECT(c,x)\
 126 {\
 127         const char *error_string = NULL; \
 128         error_string = _get_ntstatus_error_string(x);\
 129         if (error_string != NULL) {\
 130                 _make_remark(c, PAM_ERROR_MSG, error_string);\
 131         } else {\
 132                 _make_remark(c, PAM_ERROR_MSG, x);\
 133         };\
 134 };
 135
 136 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
 137 {\
 138         const char *error_string = NULL; \
 139         error_string = _get_ntstatus_error_string(x);\
 140         if (error_string != NULL) {\
 141                 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
 142                 return ret;\
 143         };\
 144         _make_remark(h, f, PAM_ERROR_MSG, x);\
 145         return ret;\
 146 };
 147
 148 #define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
 149 {\
 150         const char *ntstatus = x.data.auth.nt_status_string; \
 151         const char *error_string = NULL; \
 152         if (!strcasecmp(ntstatus,y)) {\
 153                 error_string = _get_ntstatus_error_string(y);\
 154                 if (error_string != NULL) {\
 155                         _make_remark(c, PAM_ERROR_MSG, error_string);\
 156                 };\
 157                 if (x.data.auth.error_string[0] != '\0') {\
 158                         _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
 159                 };\
 160                 _make_remark(c, PAM_ERROR_MSG, y);\
 161         };\
 162 };
 163
 164 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
 165 {\
 166         const char *ntstatus = x.data.auth.nt_status_string; \
 167         const char *error_string = NULL; \
 168         if (!strcasecmp(ntstatus,y)) {\
 169                 error_string = _get_ntstatus_error_string(y);\
 170                 if (error_string != NULL) {\
 171                         _make_remark(c, PAM_ERROR_MSG, error_string);\
 172                         return ret;\
 173                 };\
 174                 if (x.data.auth.error_string[0] != '\0') {\
 175                         _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
 176                         return ret;\
 177                 };\
 178                 _make_remark(c, PAM_ERROR_MSG, y);\
 179                 return ret;\
 180         };\
 181 };
 182
 183 /* from samr.idl */
 184 #define DOMAIN_PASSWORD_COMPLEX         0x00000001
 185
 186 #define SAMR_REJECT_OTHER               0x00000000
 187 #define SAMR_REJECT_TOO_SHORT           0x00000001
 188 #define SAMR_REJECT_IN_HISTORY          0x00000002
 189 #define SAMR_REJECT_COMPLEXITY          0x00000005
 190
 191 #define ACB_PWNOEXP                     0x00000200
 192
 193 /* from netlogon.idl */
 194 #define NETLOGON_CACHED_ACCOUNT         0x00000004
 195 #define NETLOGON_GRACE_LOGON            0x01000000
 196
 197 /* from include/rpc_netlogon.h */
 198 #define LOGON_KRB5_FAIL_CLOCK_SKEW      0x02000000
 199
 200 #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
 201 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
 202 #define PAM_WB_GRACE_LOGON(x)  ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))
 203
 204 struct pwb_context {
 205         pam_handle_t *pamh;
 206         int flags;
 207         int argc;
 208         const char **argv;
 209         dictionary *dict;
 210         uint32_t ctrl;
 211 };