1 /* pam_winbind header file
2 (Solaris needs some macros from Linux for common PAM code)
7 #include "lib/replace/replace.h"
8 #include "system/syslog.h"
9 #include "system/time.h"
11 #define MODULE_NAME "pam_winbind"
13 #define PAM_SM_ACCOUNT
14 #define PAM_SM_PASSWORD
15 #define PAM_SM_SESSION
17 #ifndef PAM_WINBIND_CONFIG_FILE
18 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
21 #include <iniparser.h>
25 /* Solaris always uses dynamic pam modules */
26 #define PAM_EXTERN extern
27 #if defined(HAVE_SECURITY_PAM_APPL_H)
28 #include <security/pam_appl.h>
29 #elif defined(HAVE_PAM_PAM_APPL_H)
30 #include <pam/pam_appl.h>
33 #ifndef PAM_AUTHTOK_RECOVER_ERR
34 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
37 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
39 #if defined(HAVE_SECURITY_PAM_MODULES_H)
40 #include <security/pam_modules.h>
41 #elif defined(HAVE_PAM_PAM_MODULES_H)
42 #include <pam/pam_modules.h>
45 #if defined(HAVE_SECURITY__PAM_MACROS_H)
46 #include <security/_pam_macros.h>
47 #elif defined(HAVE_PAM__PAM_MACROS_H)
48 #include <pam/_pam_macros.h>
50 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
51 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
55 for (reply_i=0; reply_i<replies; ++reply_i) { \
56 if (reply[reply_i].resp) { \
57 _pam_overwrite(reply[reply_i].resp); \
58 free(reply[reply_i].resp); \
65 #define _pam_overwrite(x) \
67 register char *__xx__; \
74 * Don't just free it, forget it too.
77 #define _pam_drop(X) SAFE_FREE(X)
79 #define x_strdup(s) ( (s) ? strdup(s):NULL )
80 #endif /* HAVE_SECURITY__PAM_MACROS_H */
82 #ifdef HAVE_SECURITY_PAM_EXT_H
83 #include <security/pam_ext.h>
86 #define WINBIND_DEBUG_ARG (1<<0)
87 #define WINBIND_USE_AUTHTOK_ARG (1<<1)
88 #define WINBIND_UNKNOWN_OK_ARG (1<<2)
89 #define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
90 #define WINBIND_USE_FIRST_PASS_ARG (1<<4)
91 #define WINBIND__OLD_PASSWORD (1<<5)
92 #define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
93 #define WINBIND_KRB5_AUTH (1<<7)
94 #define WINBIND_KRB5_CCACHE_TYPE (1<<8)
95 #define WINBIND_CACHED_LOGIN (1<<9)
96 #define WINBIND_CONFIG_FILE (1<<10)
97 #define WINBIND_SILENT (1<<11)
98 #define WINBIND_DEBUG_STATE (1<<12)
99 #define WINBIND_WARN_PWD_EXPIRE (1<<13)
102 * here is the string to inform the user that the new passwords they
103 * typed were not the same.
106 #define MISTYPED_PASS "Sorry, passwords do not match"
108 #define on(x, y) (x & y)
109 #define off(x, y) (!(x & y))
111 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
112 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
113 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
114 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
115 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
116 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
117 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
119 #define SECONDS_PER_DAY 86400
121 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
123 #include "winbind_client.h"
125 #define PAM_WB_REMARK_DIRECT(c,x)\
127 const char *error_string = NULL; \
128 error_string = _get_ntstatus_error_string(x);\
129 if (error_string != NULL) {\
130 _make_remark(c, PAM_ERROR_MSG, error_string);\
132 _make_remark(c, PAM_ERROR_MSG, x);\
136 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
138 const char *error_string = NULL; \
139 error_string = _get_ntstatus_error_string(x);\
140 if (error_string != NULL) {\
141 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
144 _make_remark(h, f, PAM_ERROR_MSG, x);\
148 #define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
150 const char *ntstatus = x.data.auth.nt_status_string; \
151 const char *error_string = NULL; \
152 if (!strcasecmp(ntstatus,y)) {\
153 error_string = _get_ntstatus_error_string(y);\
154 if (error_string != NULL) {\
155 _make_remark(c, PAM_ERROR_MSG, error_string);\
157 if (x.data.auth.error_string[0] != '\0') {\
158 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
160 _make_remark(c, PAM_ERROR_MSG, y);\
164 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
166 const char *ntstatus = x.data.auth.nt_status_string; \
167 const char *error_string = NULL; \
168 if (!strcasecmp(ntstatus,y)) {\
169 error_string = _get_ntstatus_error_string(y);\
170 if (error_string != NULL) {\
171 _make_remark(c, PAM_ERROR_MSG, error_string);\
174 if (x.data.auth.error_string[0] != '\0') {\
175 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
178 _make_remark(c, PAM_ERROR_MSG, y);\
184 #define DOMAIN_PASSWORD_COMPLEX 0x00000001
186 #define SAMR_REJECT_OTHER 0x00000000
187 #define SAMR_REJECT_TOO_SHORT 0x00000001
188 #define SAMR_REJECT_IN_HISTORY 0x00000002
189 #define SAMR_REJECT_COMPLEXITY 0x00000005
191 #define ACB_PWNOEXP 0x00000200
193 /* from netlogon.idl */
194 #define NETLOGON_CACHED_ACCOUNT 0x00000004
195 #define NETLOGON_GRACE_LOGON 0x01000000
197 /* from include/rpc_netlogon.h */
198 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
200 #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
201 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
202 #define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))