1 /* pam_winbind header file
2 (Solaris needs some macros from Linux for common PAM code)
7 #include "../lib/replace/replace.h"
8 #include "system/syslog.h"
9 #include "system/time.h"
11 #include "libwbclient/wbclient.h"
13 #define MODULE_NAME "pam_winbind"
15 #define PAM_SM_ACCOUNT
16 #define PAM_SM_PASSWORD
17 #define PAM_SM_SESSION
19 #ifndef PAM_WINBIND_CONFIG_FILE
20 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
23 #include <iniparser.h>
27 /* Solaris always uses dynamic pam modules */
28 #define PAM_EXTERN extern
29 #if defined(HAVE_SECURITY_PAM_APPL_H)
30 #include <security/pam_appl.h>
31 #elif defined(HAVE_PAM_PAM_APPL_H)
32 #include <pam/pam_appl.h>
35 #ifndef PAM_AUTHTOK_RECOVER_ERR
36 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
39 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
41 #if defined(HAVE_SECURITY_PAM_MODULES_H)
42 #include <security/pam_modules.h>
43 #elif defined(HAVE_PAM_PAM_MODULES_H)
44 #include <pam/pam_modules.h>
47 #if defined(HAVE_SECURITY__PAM_MACROS_H)
48 #include <security/_pam_macros.h>
49 #elif defined(HAVE_PAM__PAM_MACROS_H)
50 #include <pam/_pam_macros.h>
52 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
53 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
57 for (reply_i=0; reply_i<replies; ++reply_i) { \
58 if (reply[reply_i].resp) { \
59 _pam_overwrite(reply[reply_i].resp); \
60 free(reply[reply_i].resp); \
67 #define _pam_overwrite(x) \
69 register char *__xx__; \
76 * Don't just free it, forget it too.
79 #define _pam_drop(X) SAFE_FREE(X)
81 #define x_strdup(s) ( (s) ? strdup(s):NULL )
82 #endif /* HAVE_SECURITY__PAM_MACROS_H */
84 #ifdef HAVE_SECURITY_PAM_EXT_H
85 #include <security/pam_ext.h>
88 #define WINBIND_DEBUG_ARG 0x00000001
89 #define WINBIND_USE_AUTHTOK_ARG 0x00000002
90 #define WINBIND_UNKNOWN_OK_ARG 0x00000004
91 #define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
92 #define WINBIND_USE_FIRST_PASS_ARG 0x00000010
93 #define WINBIND__OLD_PASSWORD 0x00000020
94 #define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
95 #define WINBIND_KRB5_AUTH 0x00000080
96 #define WINBIND_KRB5_CCACHE_TYPE 0x00000100
97 #define WINBIND_CACHED_LOGIN 0x00000200
98 #define WINBIND_CONFIG_FILE 0x00000400
99 #define WINBIND_SILENT 0x00000800
100 #define WINBIND_DEBUG_STATE 0x00001000
101 #define WINBIND_WARN_PWD_EXPIRE 0x00002000
104 * here is the string to inform the user that the new passwords they
105 * typed were not the same.
108 #define MISTYPED_PASS "Sorry, passwords do not match"
110 #define on(x, y) (x & y)
111 #define off(x, y) (!(x & y))
113 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
114 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
115 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
116 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
117 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
118 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
119 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
121 #define SECONDS_PER_DAY 86400
123 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
125 #include "winbind_client.h"
127 #define PAM_WB_REMARK_DIRECT(c,x)\
129 const char *error_string = NULL; \
130 error_string = _get_ntstatus_error_string(x);\
131 if (error_string != NULL) {\
132 _make_remark(c, PAM_ERROR_MSG, error_string);\
134 _make_remark(c, PAM_ERROR_MSG, x);\
138 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
140 const char *error_string = NULL; \
141 error_string = _get_ntstatus_error_string(x);\
142 if (error_string != NULL) {\
143 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
146 _make_remark(h, f, PAM_ERROR_MSG, x);\
150 #define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
152 const char *ntstatus = x.data.auth.nt_status_string; \
153 const char *error_string = NULL; \
154 if (!strcasecmp(ntstatus,y)) {\
155 error_string = _get_ntstatus_error_string(y);\
156 if (error_string != NULL) {\
157 _make_remark(c, PAM_ERROR_MSG, error_string);\
159 if (x.data.auth.error_string[0] != '\0') {\
160 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
162 _make_remark(c, PAM_ERROR_MSG, y);\
166 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
168 const char *ntstatus = x.data.auth.nt_status_string; \
169 const char *error_string = NULL; \
170 if (!strcasecmp(ntstatus,y)) {\
171 error_string = _get_ntstatus_error_string(y);\
172 if (error_string != NULL) {\
173 _make_remark(c, PAM_ERROR_MSG, error_string);\
176 if (x.data.auth.error_string[0] != '\0') {\
177 _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
180 _make_remark(c, PAM_ERROR_MSG, y);\
185 /* from netlogon.idl */
186 #define NETLOGON_CACHED_ACCOUNT 0x00000004
187 #define NETLOGON_GRACE_LOGON 0x01000000
189 /* from include/rpc_netlogon.h */
190 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
192 #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
193 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
194 #define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))
205 #define TALLOC_FREE(ctx) do { if ((ctx) != NULL) {talloc_free(ctx); ctx=NULL;} } while(0)
206 #define TALLOC_ZERO_P(ctx, type) (type *)_talloc_zero(ctx, sizeof(type), #type)
207 #define TALLOC_P(ctx, type) (type *)talloc_named_const(ctx, sizeof(type), #type)