Shirish Kalele 2000
*/
-#ifdef HAVE_FEATURES_H
-#include <features.h>
-#endif
-
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <errno.h>
-
-#include <config.h>
+#include "../lib/replace/replace.h"
+#include "system/syslog.h"
+#include "system/time.h"
+#include <talloc.h>
+#include "libwbclient/wbclient.h"
#define MODULE_NAME "pam_winbind"
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
-#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX)
+#ifndef PAM_WINBIND_CONFIG_FILE
+#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
+#endif
+
+#include <iniparser.h>
+
+#ifndef LINUX
/* Solaris always uses dynamic pam modules */
#define PAM_EXTERN extern
+#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
+#elif defined(HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+#ifndef PAM_AUTHTOK_RECOVER_ERR
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
#endif
-#ifdef HAVE_SECURITY_PAM_MODULES_H
+#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
+
+#if defined(HAVE_SECURITY_PAM_MODULES_H)
#include <security/pam_modules.h>
+#elif defined(HAVE_PAM_PAM_MODULES_H)
+#include <pam/pam_modules.h>
#endif
-#ifdef HAVE_SECURITY__PAM_MACROS_H
+#if defined(HAVE_SECURITY__PAM_MACROS_H)
#include <security/_pam_macros.h>
+#elif defined(HAVE_PAM__PAM_MACROS_H)
+#include <pam/_pam_macros.h>
#else
/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
#define _pam_drop(X) SAFE_FREE(X)
#define x_strdup(s) ( (s) ? strdup(s):NULL )
+#endif /* HAVE_SECURITY__PAM_MACROS_H */
+
+#ifdef HAVE_SECURITY_PAM_EXT_H
+#include <security/pam_ext.h>
#endif
-#define WINBIND_DEBUG_ARG (1<<0)
-#define WINBIND_USE_AUTHTOK_ARG (1<<1)
-#define WINBIND_UNKNOWN_OK_ARG (1<<2)
-#define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
-#define WINBIND_USE_FIRST_PASS_ARG (1<<4)
-#define WINBIND__OLD_PASSWORD (1<<5)
+#define WINBIND_DEBUG_ARG 0x00000001
+#define WINBIND_USE_AUTHTOK_ARG 0x00000002
+#define WINBIND_UNKNOWN_OK_ARG 0x00000004
+#define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
+#define WINBIND_USE_FIRST_PASS_ARG 0x00000010
+#define WINBIND__OLD_PASSWORD 0x00000020
+#define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
+#define WINBIND_KRB5_AUTH 0x00000080
+#define WINBIND_KRB5_CCACHE_TYPE 0x00000100
+#define WINBIND_CACHED_LOGIN 0x00000200
+#define WINBIND_CONFIG_FILE 0x00000400
+#define WINBIND_SILENT 0x00000800
+#define WINBIND_DEBUG_STATE 0x00001000
+#define WINBIND_WARN_PWD_EXPIRE 0x00002000
/*
* here is the string to inform the user that the new passwords they
#define on(x, y) (x & y)
#define off(x, y) (!(x & y))
+#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
+#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
+#define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
+#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
+#define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
+#define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
+#define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
+
+#define SECONDS_PER_DAY 86400
+
+#define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
+
#include "winbind_client.h"
+
+#define PAM_WB_REMARK_DIRECT(c,x)\
+{\
+ const char *error_string = NULL; \
+ error_string = _get_ntstatus_error_string(x);\
+ if (error_string != NULL) {\
+ _make_remark(c, PAM_ERROR_MSG, error_string);\
+ } else {\
+ _make_remark(c, PAM_ERROR_MSG, x);\
+ };\
+};
+
+#define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
+{\
+ const char *error_string = NULL; \
+ error_string = _get_ntstatus_error_string(x);\
+ if (error_string != NULL) {\
+ _make_remark(h, f, PAM_ERROR_MSG, error_string);\
+ return ret;\
+ };\
+ _make_remark(h, f, PAM_ERROR_MSG, x);\
+ return ret;\
+};
+
+#define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\
+{\
+ const char *ntstatus = x.data.auth.nt_status_string; \
+ const char *error_string = NULL; \
+ if (!strcasecmp(ntstatus,y)) {\
+ error_string = _get_ntstatus_error_string(y);\
+ if (error_string != NULL) {\
+ _make_remark(c, PAM_ERROR_MSG, error_string);\
+ };\
+ if (x.data.auth.error_string[0] != '\0') {\
+ _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
+ };\
+ _make_remark(c, PAM_ERROR_MSG, y);\
+ };\
+};
+
+#define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\
+{\
+ const char *ntstatus = x.data.auth.nt_status_string; \
+ const char *error_string = NULL; \
+ if (!strcasecmp(ntstatus,y)) {\
+ error_string = _get_ntstatus_error_string(y);\
+ if (error_string != NULL) {\
+ _make_remark(c, PAM_ERROR_MSG, error_string);\
+ return ret;\
+ };\
+ if (x.data.auth.error_string[0] != '\0') {\
+ _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\
+ return ret;\
+ };\
+ _make_remark(c, PAM_ERROR_MSG, y);\
+ return ret;\
+ };\
+};
+
+/* from netlogon.idl */
+#define NETLOGON_CACHED_ACCOUNT 0x00000004
+#define NETLOGON_GRACE_LOGON 0x01000000
+
+/* from include/rpc_netlogon.h */
+#define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
+
+#define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT)
+#define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
+#define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON)))
+
+struct pwb_context {
+ pam_handle_t *pamh;
+ int flags;
+ int argc;
+ const char **argv;
+ dictionary *dict;
+ uint32_t ctrl;
+};
+
+#define TALLOC_FREE(ctx) do { if ((ctx) != NULL) {talloc_free(ctx); ctx=NULL;} } while(0)
+#define TALLOC_ZERO_P(ctx, type) (type *)_talloc_zero(ctx, sizeof(type), #type)
+#define TALLOC_P(ctx, type) (type *)talloc_named_const(ctx, sizeof(type), #type)
+