source3/nsswitch/pam_winbind.h

   1 /* pam_winbind header file
   2    (Solaris needs some macros from Linux for common PAM code)
   3
   4    Shirish Kalele 2000
   5 */
   6
   7 #include "lib/replace/replace.h"
   8 #include "system/syslog.h"
   9 #include "system/time.h"
  10
  11 #define MODULE_NAME "pam_winbind"
  12 #define PAM_SM_AUTH
  13 #define PAM_SM_ACCOUNT
  14 #define PAM_SM_PASSWORD
  15
  16 #ifndef PAM_WINBIND_CONFIG_FILE
  17 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
  18 #endif
  19
  20 #include <iniparser.h>
  21
  22 #ifndef LINUX
  23
  24 /* Solaris always uses dynamic pam modules */
  25 #define PAM_EXTERN extern
  26 #if defined(HAVE_SECURITY_PAM_APPL_H)
  27 #include <security/pam_appl.h>
  28 #elif defined(HAVE_PAM_PAM_APPL_H)
  29 #include <pam/pam_appl.h>
  30 #endif
  31
  32 #ifndef PAM_AUTHTOK_RECOVER_ERR
  33 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
  34 #endif
  35
  36 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
  37
  38 #if defined(HAVE_SECURITY_PAM_MODULES_H)
  39 #include <security/pam_modules.h>
  40 #elif defined(HAVE_PAM_PAM_MODULES_H)
  41 #include <pam/pam_modules.h>
  42 #endif
  43
  44 #if defined(HAVE_SECURITY__PAM_MACROS_H)
  45 #include <security/_pam_macros.h>
  46 #elif defined(HAVE_PAM__PAM_MACROS_H)
  47 #include <pam/_pam_macros.h>
  48 #else
  49 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
  50 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
  51 do {                                              \
  52     int reply_i;                                  \
  53                                                   \
  54     for (reply_i=0; reply_i<replies; ++reply_i) { \
  55         if (reply[reply_i].resp) {                \
  56             _pam_overwrite(reply[reply_i].resp);  \
  57             free(reply[reply_i].resp);            \
  58         }                                         \
  59     }                                             \
  60     if (reply)                                    \
  61         free(reply);                              \
  62 } while (0)
  63
  64 #define _pam_overwrite(x)        \
  65 do {                             \
  66      register char *__xx__;      \
  67      if ((__xx__=(x)))           \
  68           while (*__xx__)        \
  69                *__xx__++ = '\0'; \
  70 } while (0)
  71
  72 /*
  73  * Don't just free it, forget it too.
  74  */
  75
  76 #define _pam_drop(X) SAFE_FREE(X)
  77
  78 #define  x_strdup(s)  ( (s) ? strdup(s):NULL )
  79 #endif /* HAVE_SECURITY__PAM_MACROS_H */
  80
  81 #ifdef HAVE_SECURITY_PAM_EXT_H
  82 #include <security/pam_ext.h>
  83 #endif
  84
  85 #define WINBIND_DEBUG_ARG (1<<0)
  86 #define WINBIND_USE_AUTHTOK_ARG (1<<1)
  87 #define WINBIND_UNKNOWN_OK_ARG (1<<2)
  88 #define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
  89 #define WINBIND_USE_FIRST_PASS_ARG (1<<4)
  90 #define WINBIND__OLD_PASSWORD (1<<5)
  91 #define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
  92 #define WINBIND_KRB5_AUTH (1<<7)
  93 #define WINBIND_KRB5_CCACHE_TYPE (1<<8)
  94 #define WINBIND_CACHED_LOGIN (1<<9)
  95 #define WINBIND_CONFIG_FILE (1<<10)
  96 #define WINBIND_SILENT (1<<11)
  97 #define WINBIND_DEBUG_STATE (1<<12)
  98 #define WINBIND_WARN_PWD_EXPIRE (1<<13)
  99
 100 /*
 101  * here is the string to inform the user that the new passwords they
 102  * typed were not the same.
 103  */
 104
 105 #define MISTYPED_PASS "Sorry, passwords do not match"
 106
 107 #define on(x, y) (x & y)
 108 #define off(x, y) (!(x & y))
 109
 110 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
 111 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
 112 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
 113 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
 114 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
 115 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
 116 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
 117
 118 #define SECONDS_PER_DAY 86400
 119
 120 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
 121
 122 #include "winbind_client.h"
 123
 124 #define PAM_WB_REMARK_DIRECT(h,f,x)\
 125 {\
 126         const char *error_string = NULL; \
 127         error_string = _get_ntstatus_error_string(x);\
 128         if (error_string != NULL) {\
 129                 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
 130         } else {\
 131                 _make_remark(h, f, PAM_ERROR_MSG, x);\
 132         };\
 133 };
 134
 135 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
 136 {\
 137         const char *error_string = NULL; \
 138         error_string = _get_ntstatus_error_string(x);\
 139         if (error_string != NULL) {\
 140                 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
 141                 return ret;\
 142         };\
 143         _make_remark(h, f, PAM_ERROR_MSG, x);\
 144         return ret;\
 145 };
 146
 147 #define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
 148 {\
 149         const char *ntstatus = x.data.auth.nt_status_string; \
 150         const char *error_string = NULL; \
 151         if (!strcasecmp(ntstatus,y)) {\
 152                 error_string = _get_ntstatus_error_string(y);\
 153                 if (error_string != NULL) {\
 154                         _make_remark(h, f, PAM_ERROR_MSG, error_string);\
 155                 };\
 156                 if (x.data.auth.error_string[0] != '\0') {\
 157                         _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
 158                 };\
 159                 _make_remark(h, f, PAM_ERROR_MSG, y);\
 160         };\
 161 };
 162
 163 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
 164 {\
 165         const char *ntstatus = x.data.auth.nt_status_string; \
 166         const char *error_string = NULL; \
 167         if (!strcasecmp(ntstatus,y)) {\
 168                 error_string = _get_ntstatus_error_string(y);\
 169                 if (error_string != NULL) {\
 170                         _make_remark(h, f, PAM_ERROR_MSG, error_string);\
 171                         return ret;\
 172                 };\
 173                 if (x.data.auth.error_string[0] != '\0') {\
 174                         _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
 175                         return ret;\
 176                 };\
 177                 _make_remark(h, f, PAM_ERROR_MSG, y);\
 178                 return ret;\
 179         };\
 180 };
 181
 182 /* from include/rpc_samr.h */
 183 #define DOMAIN_PASSWORD_COMPLEX            0x00000001
 184
 185 #define REJECT_REASON_OTHER             0x00000000
 186 #define REJECT_REASON_TOO_SHORT         0x00000001
 187 #define REJECT_REASON_IN_HISTORY        0x00000002
 188 #define REJECT_REASON_NOT_COMPLEX       0x00000005
 189
 190 /* from include/smb.h */
 191 #define ACB_PWNOEXP                     0x00000200
 192
 193 /* from include/rpc_netlogon.h */
 194 #define LOGON_CACHED_ACCOUNT            0x00000004
 195 #define LOGON_GRACE_LOGON               0x01000000
 196 #define LOGON_KRB5_FAIL_CLOCK_SKEW      0x02000000
 197
 198 #define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT)
 199 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
 200 #define PAM_WB_GRACE_LOGON(x)  ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON)))