r23704: Add pam_pwd_expire feature as discussed on samba-technical.
[kai/samba-autobuild/.git] / source / nsswitch / pam_winbind.h
1 /* pam_winbind header file 
2    (Solaris needs some macros from Linux for common PAM code)
3
4    Shirish Kalele 2000
5 */
6
7 #include "lib/replace/replace.h"
8 #include "system/syslog.h"
9 #include "system/time.h"
10
11 #define MODULE_NAME "pam_winbind"
12 #define PAM_SM_AUTH
13 #define PAM_SM_ACCOUNT
14 #define PAM_SM_PASSWORD
15
16 #ifndef PAM_WINBIND_CONFIG_FILE
17 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
18 #endif
19
20 #include <iniparser.h>
21
22 #ifndef LINUX
23
24 /* Solaris always uses dynamic pam modules */
25 #define PAM_EXTERN extern
26 #if defined(HAVE_SECURITY_PAM_APPL_H)
27 #include <security/pam_appl.h> 
28 #elif defined(HAVE_PAM_PAM_APPL_H)
29 #include <pam/pam_appl.h>
30 #endif
31
32 #ifndef PAM_AUTHTOK_RECOVER_ERR
33 #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
34 #endif
35
36 #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
37
38 #if defined(HAVE_SECURITY_PAM_MODULES_H)
39 #include <security/pam_modules.h>
40 #elif defined(HAVE_PAM_PAM_MODULES_H)
41 #include <pam/pam_modules.h>
42 #endif
43
44 #if defined(HAVE_SECURITY__PAM_MACROS_H)
45 #include <security/_pam_macros.h>
46 #elif defined(HAVE_PAM__PAM_MACROS_H)
47 #include <pam/_pam_macros.h>
48 #else
49 /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
50 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
51 do {                                              \
52     int reply_i;                                  \
53                                                   \
54     for (reply_i=0; reply_i<replies; ++reply_i) { \
55         if (reply[reply_i].resp) {                \
56             _pam_overwrite(reply[reply_i].resp);  \
57             free(reply[reply_i].resp);            \
58         }                                         \
59     }                                             \
60     if (reply)                                    \
61         free(reply);                              \
62 } while (0)
63
64 #define _pam_overwrite(x)        \
65 do {                             \
66      register char *__xx__;      \
67      if ((__xx__=(x)))           \
68           while (*__xx__)        \
69                *__xx__++ = '\0'; \
70 } while (0)
71
72 /*
73  * Don't just free it, forget it too.
74  */
75
76 #define _pam_drop(X) SAFE_FREE(X)
77
78 #define  x_strdup(s)  ( (s) ? strdup(s):NULL )     
79 #endif /* HAVE_SECURITY__PAM_MACROS_H */
80
81 #ifdef HAVE_SECURITY_PAM_EXT_H
82 #include <security/pam_ext.h>
83 #endif
84
85 #define WINBIND_DEBUG_ARG (1<<0)
86 #define WINBIND_USE_AUTHTOK_ARG (1<<1)
87 #define WINBIND_UNKNOWN_OK_ARG (1<<2)
88 #define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
89 #define WINBIND_USE_FIRST_PASS_ARG (1<<4)
90 #define WINBIND__OLD_PASSWORD (1<<5)
91 #define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
92 #define WINBIND_KRB5_AUTH (1<<7)
93 #define WINBIND_KRB5_CCACHE_TYPE (1<<8)
94 #define WINBIND_CACHED_LOGIN (1<<9)
95 #define WINBIND_CONFIG_FILE (1<<10)
96 #define WINBIND_SILENT (1<<11)
97 #define WINBIND_DEBUG_STATE (1<<12)
98
99 /*
100  * here is the string to inform the user that the new passwords they
101  * typed were not the same.
102  */
103
104 #define MISTYPED_PASS "Sorry, passwords do not match"
105
106 #define on(x, y) (x & y)
107 #define off(x, y) (!(x & y))
108
109 #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
110 #define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
111 #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
112 #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
113 #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
114 #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
115 #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
116
117 #define SECONDS_PER_DAY 86400
118
119 #define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
120
121 #include "winbind_client.h"
122
123 #define PAM_WB_REMARK_DIRECT(h,f,x)\
124 {\
125         const char *error_string = NULL; \
126         error_string = _get_ntstatus_error_string(x);\
127         if (error_string != NULL) {\
128                 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
129         } else {\
130                 _make_remark(h, f, PAM_ERROR_MSG, x);\
131         };\
132 };
133
134 #define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
135 {\
136         const char *error_string = NULL; \
137         error_string = _get_ntstatus_error_string(x);\
138         if (error_string != NULL) {\
139                 _make_remark(h, f, PAM_ERROR_MSG, error_string);\
140                 return ret;\
141         };\
142         _make_remark(h, f, PAM_ERROR_MSG, x);\
143         return ret;\
144 };
145
146 #define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
147 {\
148         const char *ntstatus = x.data.auth.nt_status_string; \
149         const char *error_string = NULL; \
150         if (!strcasecmp(ntstatus,y)) {\
151                 error_string = _get_ntstatus_error_string(y);\
152                 if (error_string != NULL) {\
153                         _make_remark(h, f, PAM_ERROR_MSG, error_string);\
154                 };\
155                 if (x.data.auth.error_string[0] != '\0') {\
156                         _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
157                 };\
158                 _make_remark(h, f, PAM_ERROR_MSG, y);\
159         };\
160 };
161
162 #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
163 {\
164         const char *ntstatus = x.data.auth.nt_status_string; \
165         const char *error_string = NULL; \
166         if (!strcasecmp(ntstatus,y)) {\
167                 error_string = _get_ntstatus_error_string(y);\
168                 if (error_string != NULL) {\
169                         _make_remark(h, f, PAM_ERROR_MSG, error_string);\
170                         return ret;\
171                 };\
172                 if (x.data.auth.error_string[0] != '\0') {\
173                         _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
174                         return ret;\
175                 };\
176                 _make_remark(h, f, PAM_ERROR_MSG, y);\
177                 return ret;\
178         };\
179 };
180
181 /* from include/rpc_samr.h */
182 #define DOMAIN_PASSWORD_COMPLEX            0x00000001
183
184 #define REJECT_REASON_OTHER             0x00000000
185 #define REJECT_REASON_TOO_SHORT         0x00000001
186 #define REJECT_REASON_IN_HISTORY        0x00000002
187 #define REJECT_REASON_NOT_COMPLEX       0x00000005
188
189 /* from include/smb.h */
190 #define ACB_PWNOEXP                     0x00000200
191
192 /* from include/rpc_netlogon.h */
193 #define LOGON_CACHED_ACCOUNT            0x00000004
194 #define LOGON_GRACE_LOGON               0x01000000
195 #define LOGON_KRB5_FAIL_CLOCK_SKEW      0x02000000
196
197 #define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT)
198 #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
199 #define PAM_WB_GRACE_LOGON(x)  ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON)))