diff options
Diffstat (limited to 'source3/nsswitch/pam_winbind.h')
-rw-r--r-- | source3/nsswitch/pam_winbind.h | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h new file mode 100644 index 0000000000..c8c1910641 --- /dev/null +++ b/source3/nsswitch/pam_winbind.h @@ -0,0 +1,211 @@ +/* pam_winbind header file + (Solaris needs some macros from Linux for common PAM code) + + Shirish Kalele 2000 +*/ + +#include "lib/replace/replace.h" +#include "system/syslog.h" +#include "system/time.h" + +#define MODULE_NAME "pam_winbind" +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION + +#ifndef PAM_WINBIND_CONFIG_FILE +#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf" +#endif + +#include <iniparser.h> + +#ifndef LINUX + +/* Solaris always uses dynamic pam modules */ +#define PAM_EXTERN extern +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include <security/pam_appl.h> +#elif defined(HAVE_PAM_PAM_APPL_H) +#include <pam/pam_appl.h> +#endif + +#ifndef PAM_AUTHTOK_RECOVER_ERR +#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR +#endif + +#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */ + +#if defined(HAVE_SECURITY_PAM_MODULES_H) +#include <security/pam_modules.h> +#elif defined(HAVE_PAM_PAM_MODULES_H) +#include <pam/pam_modules.h> +#endif + +#if defined(HAVE_SECURITY__PAM_MACROS_H) +#include <security/_pam_macros.h> +#elif defined(HAVE_PAM__PAM_MACROS_H) +#include <pam/_pam_macros.h> +#else +/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */ +#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ +do { \ + int reply_i; \ + \ + for (reply_i=0; reply_i<replies; ++reply_i) { \ + if (reply[reply_i].resp) { \ + _pam_overwrite(reply[reply_i].resp); \ + free(reply[reply_i].resp); \ + } \ + } \ + if (reply) \ + free(reply); \ +} while (0) + +#define _pam_overwrite(x) \ +do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +} while (0) + +/* + * Don't just free it, forget it too. + */ + +#define _pam_drop(X) SAFE_FREE(X) + +#define x_strdup(s) ( (s) ? strdup(s):NULL ) +#endif /* HAVE_SECURITY__PAM_MACROS_H */ + +#ifdef HAVE_SECURITY_PAM_EXT_H +#include <security/pam_ext.h> +#endif + +#define WINBIND_DEBUG_ARG 0x00000001 +#define WINBIND_USE_AUTHTOK_ARG 0x00000002 +#define WINBIND_UNKNOWN_OK_ARG 0x00000004 +#define WINBIND_TRY_FIRST_PASS_ARG 0x00000008 +#define WINBIND_USE_FIRST_PASS_ARG 0x00000010 +#define WINBIND__OLD_PASSWORD 0x00000020 +#define WINBIND_REQUIRED_MEMBERSHIP 0x00000040 +#define WINBIND_KRB5_AUTH 0x00000080 +#define WINBIND_KRB5_CCACHE_TYPE 0x00000100 +#define WINBIND_CACHED_LOGIN 0x00000200 +#define WINBIND_CONFIG_FILE 0x00000400 +#define WINBIND_SILENT 0x00000800 +#define WINBIND_DEBUG_STATE 0x00001000 +#define WINBIND_WARN_PWD_EXPIRE 0x00002000 + +/* + * here is the string to inform the user that the new passwords they + * typed were not the same. + */ + +#define MISTYPED_PASS "Sorry, passwords do not match" + +#define on(x, y) (x & y) +#define off(x, y) (!(x & y)) + +#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" +#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH" +#define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" +#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" +#define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER" +#define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH" +#define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET" + +#define SECONDS_PER_DAY 86400 + +#define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14 + +#include "winbind_client.h" + +#define PAM_WB_REMARK_DIRECT(c,x)\ +{\ + const char *error_string = NULL; \ + error_string = _get_ntstatus_error_string(x);\ + if (error_string != NULL) {\ + _make_remark(c, PAM_ERROR_MSG, error_string);\ + } else {\ + _make_remark(c, PAM_ERROR_MSG, x);\ + };\ +}; + +#define PAM_WB_REMARK_DIRECT_RET(h,f,x)\ +{\ + const char *error_string = NULL; \ + error_string = _get_ntstatus_error_string(x);\ + if (error_string != NULL) {\ + _make_remark(h, f, PAM_ERROR_MSG, error_string);\ + return ret;\ + };\ + _make_remark(h, f, PAM_ERROR_MSG, x);\ + return ret;\ +}; + +#define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\ +{\ + const char *ntstatus = x.data.auth.nt_status_string; \ + const char *error_string = NULL; \ + if (!strcasecmp(ntstatus,y)) {\ + error_string = _get_ntstatus_error_string(y);\ + if (error_string != NULL) {\ + _make_remark(c, PAM_ERROR_MSG, error_string);\ + };\ + if (x.data.auth.error_string[0] != '\0') {\ + _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\ + };\ + _make_remark(c, PAM_ERROR_MSG, y);\ + };\ +}; + +#define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\ +{\ + const char *ntstatus = x.data.auth.nt_status_string; \ + const char *error_string = NULL; \ + if (!strcasecmp(ntstatus,y)) {\ + error_string = _get_ntstatus_error_string(y);\ + if (error_string != NULL) {\ + _make_remark(c, PAM_ERROR_MSG, error_string);\ + return ret;\ + };\ + if (x.data.auth.error_string[0] != '\0') {\ + _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\ + return ret;\ + };\ + _make_remark(c, PAM_ERROR_MSG, y);\ + return ret;\ + };\ +}; + +/* from samr.idl */ +#define DOMAIN_PASSWORD_COMPLEX 0x00000001 + +#define SAMR_REJECT_OTHER 0x00000000 +#define SAMR_REJECT_TOO_SHORT 0x00000001 +#define SAMR_REJECT_IN_HISTORY 0x00000002 +#define SAMR_REJECT_COMPLEXITY 0x00000005 + +#define ACB_PWNOEXP 0x00000200 + +/* from netlogon.idl */ +#define NETLOGON_CACHED_ACCOUNT 0x00000004 +#define NETLOGON_GRACE_LOGON 0x01000000 + +/* from include/rpc_netlogon.h */ +#define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000 + +#define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT) +#define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW) +#define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON))) + +struct pwb_context { + pam_handle_t *pamh; + int flags; + int argc; + const char **argv; + dictionary *dict; + uint32_t ctrl; +}; |