From ebb900cf3ed9cf7627f1bbe724fb1e9c1e35e057 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 7 May 2001 05:03:40 +0000 Subject: iAdditional files for winbind merge. (This used to be commit 38ab3b31b5dc39fb59f224b399bb9c2269f1c933) --- source3/nsswitch/pam_winbind.h | 85 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 source3/nsswitch/pam_winbind.h (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h new file mode 100644 index 0000000000..85707cb4dc --- /dev/null +++ b/source3/nsswitch/pam_winbind.h @@ -0,0 +1,85 @@ +/* pam_winbind header file + (Solaris needs some macros from Linux for common PAM code) + + Shirish Kalele 2000 +*/ + +#ifdef HAVE_FEATURES_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#define MODULE_NAME "pam_winbind" +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_PASSWORD + +#if defined(SUNOS5) || defined(SUNOS4) + +/* Solaris always uses dynamic pam modules */ +#define PAM_EXTERN extern +#include + +#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR +#endif + +#include + +#ifdef HAVE_SECURITY__PAM_MACROS_H +#include +#else +/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */ +#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ +do { \ + int reply_i; \ + \ + for (reply_i=0; reply_i Date: Tue, 22 May 2001 21:47:11 +0000 Subject: Try to fix build by adding autoconf tests for pam headers. Jeremy. (This used to be commit d52bc4d219bd07e656986e7754ea6e238c626d77) --- source3/nsswitch/pam_winbind.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 85707cb4dc..5618dc1b61 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -34,7 +34,9 @@ #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR #endif +#ifdef HAVE_SECURITY_PAM_MODULES_H #include +#endif #ifdef HAVE_SECURITY__PAM_MACROS_H #include -- cgit From b50d10c2a313b45bbc195b13a353a20af0ab917a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 17 Sep 2001 04:52:45 +0000 Subject: move to SAFE_FREE() (This used to be commit 03dc67788f68c9e01b5a82fdf43f837cb19f4608) --- source3/nsswitch/pam_winbind.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 5618dc1b61..991c117656 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -68,13 +68,7 @@ do { \ * Don't just free it, forget it too. */ -#define _pam_drop(X) \ -do { \ - if (X) { \ - free(X); \ - X=NULL; \ - } \ -} while (0) +#define _pam_drop(X) SAFE_FREE(X) #define x_strdup(s) ( (s) ? strdup(s):NULL ) #endif -- cgit From ed389ee8dc9246b2d6c4e483cee16f7255b9a7f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 5 Feb 2002 09:40:36 +0000 Subject: Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280) --- source3/nsswitch/pam_winbind.h | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') 
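Review bot: `_pam_drop(X)` in the `-68,13 +68,7` hunk now depends on `SAFE_FREE` being defined wherever this fallback branch is compiled, and nothing in the hunk shows where that definition comes from. The comment kept above it ("Don't just free it, forget it too") stays true only if `SAFE_FREE` also sets the pointer to NULL. State that next to the macro, e.g. `/* SAFE_FREE must free X and reset it to NULL; callers rely on the pointer being cleared */`. The surrounding `#else` block of `HAVE_SECURITY__PAM_MACROS_H` starts outside the hunk.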
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 991c117656..93d9ec9e73 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -73,9 +73,22 @@ do { \ #define x_strdup(s) ( (s) ? strdup(s):NULL ) #endif -#define PAM_DEBUG_ARG (1<<0) -#define PAM_USE_AUTHTOK_ARG (1<<1) -#define PAM_UNKNOWN_OK_ARG (1<<2) +#define WINBIND_DEBUG_ARG (1<<0) +#define WINBIND_USE_AUTHTOK_ARG (1<<1) +#define WINBIND_UNKNOWN_OK_ARG (1<<2) +#define WINBIND_TRY_FIRST_PASS_ARG (1<<3) +#define WINBIND_USE_FIRST_PASS_ARG (1<<4) +#define WINBIND__OLD_PASSWORD (1<<5) + +/* + * here is the string to inform the user that the new passwords they + * typed were not the same. + */ + +#define MISTYPED_PASS "Sorry, passwords do not match" + +#define on(x, y) (x & y) +#define off(x, y) (!(x & y)) #include "winbind_nss_config.h" #include "winbindd_nss.h" -- cgit From 657a24f476c90e0ffa8171f78b35a449171f54e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 23 Mar 2002 08:28:19 +0000 Subject: Various winbind updates: - pam_winbind updates from vance, fixing a typo and making some the options work properly. - Extra parinoia in the winbind connection loop - Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do). - Fix up configure.in to use the same method for building the test .so as the Makefile uses. Andrew Bartlett (This used to be commit 8e705dd9215b1cb3f44d6348094679d7dc6a7fbd) --- source3/nsswitch/pam_winbind.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 93d9ec9e73..9897249e16 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
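Review bot: `on(x, y)` and `off(x, y)` in the `-73,9 +73,22` hunk expand their arguments without parentheses, so a call such as `on(ctrl, A | B)` becomes `ctrl & A | B` and tests the wrong bits of the option mask that holds `WINBIND_USE_FIRST_PASS_ARG`, `WINBIND_TRY_FIRST_PASS_ARG` and the other flags. Write them as `#define on(x, y) ((x) & (y))` and `#define off(x, y) (!((x) & (y)))`. The same applies to `PAM_WB_CACHED_LOGON(x)` and `PAM_WB_GRACE_LOGON(x)` added in r20687 and `PAM_WB_KRB5_CLOCK_SKEW(x)` added in r22712 further down this page, where `x` should be `(x)`. The names `on` and `off` are also short enough to collide with identifiers in any file that includes this header.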
@@ -25,7 +25,7 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD -#if defined(SUNOS5) || defined(SUNOS4) +#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/nsswitch/pam_winbind.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 9897249e16..fae635d806 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -90,5 +90,4 @@ do { \ #define on(x, y) (x & y) #define off(x, y) (!(x & y)) -#include "winbind_nss_config.h" -#include "winbindd_nss.h" +#include "winbind_client.h" -- cgit From ea7b4b6c320d2c5aaaa9d67ba6794bb566cb5c56 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Sep 2003 00:09:31 +0000 Subject: Fix for bug 261. Create a configure #define for FreeBSD and a check in nsswitch/pam_winbind.h so we can compile properly on this platform. (This used to be commit 75411005fcab7ecf31940c5f7b87fd407166f98a) --- source3/nsswitch/pam_winbind.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index fae635d806..865bf7513e 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -25,7 +25,7 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD -#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) +#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern -- cgit From d5bd98dd9a01ab9927f0581df0a21fc9f6c25bbf Mon Sep 17 00:00:00 2001 
From: Tim Potter Date: Thu, 4 Sep 2003 03:28:40 +0000 Subject: More FreeBSD PAM compile fixes. Don't redefine PAM_AUTHTOK_RECOVER_ERR if it already exists. FreeBSD 4.8 doesn't need the redefinition, 5.0 does. (This used to be commit 4a3727b03b0488fa82687014cb476b1971a78be8) --- source3/nsswitch/pam_winbind.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 865bf7513e..0afcceb6aa 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -31,9 +31,12 @@ #define PAM_EXTERN extern #include +#ifndef PAM_AUTHTOK_RECOVER_ERR #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR #endif +#endif + #ifdef HAVE_SECURITY_PAM_MODULES_H #include #endif -- cgit From 33b2bc49306fcac00e7b38fa5c402c6568493938 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 18 Aug 2004 16:25:41 +0000 Subject: r1888: Bring the same level of "required_membership"-functionality that ntlm_auth uses, to pam_winbindd as well. This allows to make successfull authentication via PAM dependent on SID-membership. At the moment, both ntlm_auth and pam_winbindd.so accept user/group-names or sid-strings - as discussed, recursive membership (e.g. local aliases) will be added later. Guenther (This used to be commit 7494569655f8d112a0c883a2748a1012bb64ad3a) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 0afcceb6aa..7cae477714 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -82,6 +82,7 @@ do { \ #define WINBIND_TRY_FIRST_PASS_ARG (1<<3) #define WINBIND_USE_FIRST_PASS_ARG (1<<4) #define WINBIND__OLD_PASSWORD (1<<5) +#define WINBIND_REQUIRED_MEMBERSHIP (1<<6) /* * here is the string to inform the user that the new passwords they -- cgit 
From 29ba5c17cda35f4277e9d84e9ce2893685f3c683 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 13 Jan 2006 11:11:23 +0000 Subject: r12900: Merge from trunk: Correctly handle the case where users logon with an expired password. In that case pam_sm_authenticate has to return PAM_SUCESS instead of PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED and pam_sm_acct_mgmt has to take care of requesting an immediate password change. (see the Linux PAM documentation). Fixes Bugzilla #1524, #3205. Tested with login, sshd, kdm and gdm on Linux. Thanks to Scott Barker . Guenther (This used to be commit 4cb662ffd76dbe30003c618c94ccf6ebd4afb48c) --- source3/nsswitch/pam_winbind.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 7cae477714..86ba977287 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -84,6 +84,8 @@ do { \ #define WINBIND__OLD_PASSWORD (1<<5) #define WINBIND_REQUIRED_MEMBERSHIP (1<<6) +#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" + /* * here is the string to inform the user that the new passwords they * typed were not the same. -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/nsswitch/pam_winbind.h | 56 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 86ba977287..1e38269e0e 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -17,6 +17,7 @@ #include #include #include +#include #include 
@@ -83,8 +84,10 @@ do { \ #define WINBIND_USE_FIRST_PASS_ARG (1<<4) #define WINBIND__OLD_PASSWORD (1<<5) #define WINBIND_REQUIRED_MEMBERSHIP (1<<6) - -#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" +#define WINBIND_KRB5_AUTH (1<<7) +#define WINBIND_KRB5_CCACHE_TYPE (1<<8) +#define WINBIND_CACHED_LOGIN (1<<9) +#define WINBIND_CREATE_HOMEDIR (1<<10) /* * here is the string to inform the user that the new passwords they @@ -96,4 +99,53 @@ do { \ #define on(x, y) (x & y) #define off(x, y) (!(x & y)) +#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" +#define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" + +#define SECONDS_PER_DAY 86400 + +#define DAYS_TO_WARN_BEFORE_PWD_EXPIRES 5 + #include "winbind_client.h" + +#define PAM_WB_REMARK_DIRECT(h,x)\ +{\ + const char *error_string = NULL; \ + error_string = _get_ntstatus_error_string(x);\ + if (error_string != NULL) {\ + _make_remark(h, PAM_ERROR_MSG, error_string);\ + } else {\ + _make_remark(h, PAM_ERROR_MSG, x);\ + };\ +}; + +#define PAM_WB_REMARK_DIRECT_RET(h,x)\ +{\ + const char *error_string = NULL; \ + error_string = _get_ntstatus_error_string(x);\ + if (error_string != NULL) {\ + _make_remark(h, PAM_ERROR_MSG, error_string);\ + return ret;\ + };\ + _make_remark(h, PAM_ERROR_MSG, x);\ + return ret;\ +}; + +#define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,x,y)\ +{\ + const char *ntstatus = x.data.auth.nt_status_string; \ + const char *error_string = NULL; \ + if (strequal(ntstatus,y)) {\ + error_string = _get_ntstatus_error_string(y);\ + if (error_string != NULL) {\ + _make_remark(h, PAM_ERROR_MSG, error_string);\ + return ret;\ + };\ + if (x.data.auth.error_string[0] != '\0') {\ + _make_remark(h, PAM_ERROR_MSG, x.data.auth.error_string);\ + return ret;\ + };\ + _make_remark(h, PAM_ERROR_MSG, y);\ + return ret;\ + };\ +}; -- cgit From 69f3c630faac75aea68a4d954417351bb5423eda Mon Sep 17 00:00:00 2001 
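Review bot: The three `PAM_WB_REMARK_*` macros in the `-96,4 +99,53` hunk are bare `{ ... };` blocks, and two of them execute `return ret;` using a variable `ret` that must exist in the caller. Used as `if (c) PAM_WB_REMARK_DIRECT(h, x); else ...`, the trailing `};` ends the `if` and the `else` no longer compiles, and the hidden `return` skips any cleanup the calling authentication function still has pending. Wrap each body in `do { ... } while (0)`, as `_pam_drop_reply` in this header already does, and add a comment on the `_RET` variants stating that they return from the enclosing function with the caller's `ret`. The macro arguments `x` and `y` also appear more than once in each body, so an argument with side effects would be evaluated repeatedly.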
From: Günther Deschner Date: Fri, 31 Mar 2006 11:48:01 +0000 Subject: r14841: Fix IRIX build --with-pam. Guenther (This used to be commit 99158406b47dc07961c4f6536181da868cf276ca) --- source3/nsswitch/pam_winbind.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 1e38269e0e..d998cc0486 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -26,7 +26,7 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD -#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) +#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern -- cgit From ca09263d00c7c5493f4ab7214c7cfb2cf8a28eea Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 6 Apr 2006 09:23:34 +0000 Subject: r14940: Remove pam_winbind's ability to create home directories on it's own. Guenther (This used to be commit 87293802f3e0666c9a50eb3ca63bb1a7dccc50dc) --- source3/nsswitch/pam_winbind.h | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index d998cc0486..54150be8b3 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -87,7 +87,6 @@ do { \ #define WINBIND_KRB5_AUTH (1<<7) #define WINBIND_KRB5_CCACHE_TYPE (1<<8) #define WINBIND_CACHED_LOGIN (1<<9) -#define WINBIND_CREATE_HOMEDIR (1<<10) /* * here is the string to inform the user that the new passwords they -- cgit From 9608b4328d9ffd4b8d38e1dc872f68d80dd1cc22 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Tue, 11 Apr 2006 14:40:53 +0000 Subject: r15038: Replace all code in pam_winbind that relied on access to samba internals, mostly with the code that was in pam_winbind before. Also switch from using loadparm to use iniParser to read the new pam_winbind options from a configuration file. That still uses the old (parametric) option names which will be replaced next (as iniParser does not support parametric options). Guenther (This used to be commit 6f668ce67318f17bba79cd98b5d169cd19eafcd4) --- source3/nsswitch/pam_winbind.h | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 54150be8b3..8d2239aa11 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -26,6 +26,8 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD +#include + #if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) /* Solaris always uses dynamic pam modules */ @@ -87,6 +89,7 @@ do { \ #define WINBIND_KRB5_AUTH (1<<7) #define WINBIND_KRB5_CCACHE_TYPE (1<<8) #define WINBIND_CACHED_LOGIN (1<<9) +#define WINBIND_CONFIG_FILE (1<<10) /* * here is the string to inform the user that the new passwords they @@ -107,6 +110,8 @@ do { \ #include "winbind_client.h" +#include + #define PAM_WB_REMARK_DIRECT(h,x)\ {\ const char *error_string = NULL; \ @@ -134,7 +139,7 @@ do { \ {\ const char *ntstatus = x.data.auth.nt_status_string; \ const char *error_string = NULL; \ - if (strequal(ntstatus,y)) {\ + if (!strcasecmp(ntstatus,y)) {\ error_string = _get_ntstatus_error_string(y);\ if (error_string != NULL) {\ _make_remark(h, PAM_ERROR_MSG, error_string);\ 
@@ -148,3 +153,18 @@ do { \ return ret;\ };\ }; + +/* from include/rpc_samr.h */ +#define DOMAIN_PASSWORD_COMPLEX 0x00000001 + +#define REJECT_REASON_OTHER 0x00000000 +#define REJECT_REASON_TOO_SHORT 0x00000001 +#define REJECT_REASON_IN_HISTORY 0x00000002 +#define REJECT_REASON_NOT_COMPLEX 0x00000005 + +/* from include/smb.h */ +#define ACB_PWNOEXP 0x00000200 + +/* from include/rpc_netlogon.h */ +#define LOGON_CACHED_ACCOUNT 0x00000004 + -- cgit From adc0a34cebfcd84b1886a8b1ddb8eecfd6fb1e1a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 11 Apr 2006 15:18:46 +0000 Subject: r15040: Stripping the parametric options in pam_winbind and use /etc/security/pam_winbind.conf as config file for the PAM module by default. Guenther (This used to be commit 41b79ee80c7b0f4836ded51d42c7dc91cba75ccd) --- source3/nsswitch/pam_winbind.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 8d2239aa11..89553ebfc3 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -26,6 +26,10 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD +#ifndef PAM_WINBIND_CONFIG_FILE +#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf" +#endif + #include #if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) @@ -110,8 +114,6 @@ do { \ #include "winbind_client.h" -#include - #define PAM_WB_REMARK_DIRECT(h,x)\ {\ const char *error_string = NULL; \ -- cgit From af3490061b83ce83efb363bddcbcccf9f8a14d89 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 2 May 2006 19:22:39 +0000 Subject: r15398: Attempt to send the correct warning when a password change was attempted too early. Guenther (This used to be commit 7f64a66d25f2a4aa48c2639da8e783c1759c5dd4) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') 
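Review bot: `PAM_WINBIND_CONFIG_FILE` in the `-26,6 +26,10` hunk of r15040 has no comment saying who may write the file it names, although the options read from it steer authentication in a module that runs inside the calling login service. Add a comment such as `/* default config path; must be owned by root and not writable by group or others */`, and consider having the loader refuse a file that fails that check. The code that opens the file is outside this diff, so whether it already checks ownership cannot be seen here.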
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 89553ebfc3..38fe365f4c 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -107,6 +107,7 @@ do { \ #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" +#define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET" #define SECONDS_PER_DAY 86400 -- cgit From 64d729c84d7eacc26c47e186cf1f755304ca9a29 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 20:17:12 +0000 Subject: r15479: Check in patch from bug # 3746 -- Thanks Timur (This used to be commit ac79bba1a118635ed18d23cf84bdf15923b354c0) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 38fe365f4c..fb2769d1c1 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -10,6 +10,7 @@ #include #include +#include #include #include #include -- cgit From ec17ea6b069fee0dca351dc53bcbb1c2ebaa0690 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 1 Aug 2006 15:31:16 +0000 Subject: r17366: Save the logon script path from the info3 in the PAM session allowing other PAM modules to pick it up from there. Guenther (This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index fb2769d1c1..2b7080182b 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -108,6 +108,7 @@ do { \ #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" +#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET" #define SECONDS_PER_DAY 86400 -- cgit From 1f0b2e84d71e2a7b06de288dbb54d2f12b6ca0e1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 13 Sep 2006 16:39:52 +0000 Subject: r18484: Start some cleanup on pam_winbind's syslogging: * as openlog() is non-reentrant and pam_winbind thereby overrides the syslog settings of the calling application, directly call syslog (or pam_vsyslog if available) * support the PAM_SILENT flag to avoid any log messages beeing created Guenther (This used to be commit 0f7e37ffc4759a4e29f63ab83f39ddb31c8240f6) --- source3/nsswitch/pam_winbind.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 2b7080182b..eea4328105 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -43,7 +43,7 @@ #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR #endif -#endif +#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */ #ifdef HAVE_SECURITY_PAM_MODULES_H #include @@ -82,6 +82,10 @@ do { \ #define _pam_drop(X) SAFE_FREE(X) #define x_strdup(s) ( (s) ? strdup(s):NULL ) +#endif /* HAVE_SECURITY__PAM_MACROS_H */ + +#ifdef HAVE_SECURITY_PAM_EXT_H +#include #endif #define WINBIND_DEBUG_ARG (1<<0) @@ -95,6 +99,7 @@ do { \ #define WINBIND_KRB5_CCACHE_TYPE (1<<8) #define WINBIND_CACHED_LOGIN (1<<9) #define WINBIND_CONFIG_FILE (1<<10) +#define WINBIND_SILENT (1<<11) /* * here is the string to inform the user that the new passwords they -- cgit From a734e98b516aec012ee2a9c866eb6debe663d14e Mon Sep 17 00:00:00 2001 
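Review bot: `PAM_WINBIND_LOGONSCRIPT` is added without a comment on where its value comes from; per the commit message it is copied from the info3 reply and published for other PAM modules to read. Document the key group once, e.g. `/* pam_set_data() keys; values are taken from the domain controller's reply and must be treated as untrusted by consumers */`. The same comment would cover `PAM_WINBIND_HOMEDIR`, `PAM_WINBIND_PROFILEPATH` (r19351) and `PAM_WINBIND_LOGONSERVER` (r21154).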
From: Stefan Metzmacher Date: Thu, 21 Sep 2006 22:24:53 +0000 Subject: r18798: use libreplace headers in pam and nss modules this hopefully fixes the build on AIX metze (This used to be commit ef1001f5a269f3d6a66f40e3fb01eccc807dcd7e) --- source3/nsswitch/pam_winbind.h | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index eea4328105..0072f67904 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -4,23 +4,9 @@ Shirish Kalele 2000 */ -#ifdef HAVE_FEATURES_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include +#include "lib/replace/replace.h" +#include "system/syslog.h" +#include "system/time.h" #define MODULE_NAME "pam_winbind" #define PAM_SM_AUTH -- cgit From 05109131b0541f4e046cc6ad6130f1bbd7eb6a27 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Oct 2006 20:05:09 +0000 Subject: r19103: From "Björn JACKE ": The attached patch cleans up pam_winbind a tiny bit. Instead of making exceptions for all pam implementations except for Linux' it's better to make an exception for the only pam implementation which is different from all the others. This is equivalent to what pam_smb_auth does already. ----------------- Jeremy (This used to be commit 8e5596470822d20740f86585a6cf67240f2face4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- source3/nsswitch/pam_winbind.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 0072f67904..0ca30c28aa 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -19,7 +19,7 @@ #include -#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) +#ifndef LINUX /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern -- cgit From b26b8f95e95030506189d714ac62380788a5fe3e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 16 Oct 2006 23:13:56 +0000 Subject: r19351: Also export the info3 profilepath via the PAM_WINBIND_PROFILEPATH data field. Guenther (This used to be commit 66b92f27fa4edec180b8c8eee929ec8f31ef6a08) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 0ca30c28aa..e817c5a840 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -100,6 +100,7 @@ do { \ #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" +#define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH" #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET" #define SECONDS_PER_DAY 86400 -- cgit From 0d538f7370f13b175f127f061d5bff18e631cd5e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 11 Jan 2007 15:41:02 +0000 Subject: r20687: Implement grace logons for offline authentications in pam_winbind. In case a user authenticated sucessfully and his password just expired while beeing disconnected, we should allow a user to logon (given a clear warning). We currently forced the user into a password change dialogue in that scenario; this did not make much sense while offline. Guenther (This used to be commit 668b278653acfc4de7807834988f7af557e608a5) --- source3/nsswitch/pam_winbind.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index e817c5a840..87307d740d 100644 
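Review bot: After the change in the `-19,7 +19,7` hunk, the comment `/* Solaris always uses dynamic pam modules */` sits under `#ifndef LINUX`, so it now governs every non-Linux platform while naming only one. Reword it to match the condition, e.g. `/* non-Linux PAM implementations: modules are always dynamic, so PAM_EXTERN is plain extern */`. The `#endif` label listing SUNOS5, SUNOS4, HPUX, FREEBSD and AIX that r18484 added is outside this hunk and would need the same update.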
--- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -164,4 +164,7 @@ do { \ /* from include/rpc_netlogon.h */ #define LOGON_CACHED_ACCOUNT 0x00000004 +#define LOGON_GRACE_LOGON 0x01000000 +#define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT) +#define PAM_WB_GRACE_LOGON(x) ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON))) -- cgit From 7e8a068a5edd6676353e80535660d803fc5bdfe4 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 25 Jan 2007 01:56:34 +0000 Subject: r21012: Patch from Danilo Almeida @ Centeris (via me): Details: Improve PAM logging - The improved logging is far tracking down PAM-related bugs - PAM_SILENT was being mis-used to suppress syslog output instead of suppressing user output. This lets PAM_SILENT still log to syslog. - Allow logging of item & data state via debug_state config file option. - Logging tracks the pam handle used. (This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 87307d740d..91f662d5d0 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -86,6 +86,7 @@ do { \ #define WINBIND_CACHED_LOGIN (1<<9) #define WINBIND_CONFIG_FILE (1<<10) #define WINBIND_SILENT (1<<11) +#define WINBIND_DEBUG_STATE (1<<12) /* * here is the string to inform the user that the new passwords they -- cgit From 44512030b1f8b6d45c917dd2cb292c981bb7a543 Mon Sep 17 00:00:00 2001 
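Review bot: `WINBIND_DEBUG_STATE` in the `-86,6 +86,7` hunk of r21012 enables syslog output of PAM item and data state, and the define carries no note about which items may be written. Add a comment such as `/* debug_state: log PAM items and data; never log the value of PAM_AUTHTOK or PAM_OLDAUTHTOK */` so the restriction is stated where the option is declared. The logging code itself is outside this diff, so whether it already redacts those items cannot be checked here.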
From: Günther Deschner Date: Mon, 5 Feb 2007 15:25:31 +0000 Subject: r21152: Correctly omit pam conversations when PAM_SILENT has been set by the calling application. Guenther (This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05) --- source3/nsswitch/pam_winbind.h | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 91f662d5d0..d2bf7da9e3 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -110,44 +110,44 @@ do { \ #include "winbind_client.h" -#define PAM_WB_REMARK_DIRECT(h,x)\ +#define PAM_WB_REMARK_DIRECT(h,f,x)\ {\ const char *error_string = NULL; \ error_string = _get_ntstatus_error_string(x);\ if (error_string != NULL) {\ - _make_remark(h, PAM_ERROR_MSG, error_string);\ + _make_remark(h, f, PAM_ERROR_MSG, error_string);\ } else {\ - _make_remark(h, PAM_ERROR_MSG, x);\ + _make_remark(h, f, PAM_ERROR_MSG, x);\ };\ }; -#define PAM_WB_REMARK_DIRECT_RET(h,x)\ +#define PAM_WB_REMARK_DIRECT_RET(h,f,x)\ {\ const char *error_string = NULL; \ error_string = _get_ntstatus_error_string(x);\ if (error_string != NULL) {\ - _make_remark(h, PAM_ERROR_MSG, error_string);\ + _make_remark(h, f, PAM_ERROR_MSG, error_string);\ return ret;\ };\ - _make_remark(h, PAM_ERROR_MSG, x);\ + _make_remark(h, f, PAM_ERROR_MSG, x);\ return ret;\ }; -#define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,x,y)\ +#define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\ {\ const char *ntstatus = x.data.auth.nt_status_string; \ const char *error_string = NULL; \ if (!strcasecmp(ntstatus,y)) {\ error_string = _get_ntstatus_error_string(y);\ if (error_string != NULL) {\ - _make_remark(h, PAM_ERROR_MSG, error_string);\ + _make_remark(h, f, PAM_ERROR_MSG, error_string);\ return ret;\ };\ if (x.data.auth.error_string[0] != '\0') {\ - _make_remark(h, PAM_ERROR_MSG, x.data.auth.error_string);\ + _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\ return ret;\ };\ - _make_remark(h, PAM_ERROR_MSG, y);\ + _make_remark(h, f, PAM_ERROR_MSG, y);\ return ret;\ };\ }; -- cgit From 0cf5662363b9ffbda9233df65072d2dfef1ac8b2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 5 Feb 2007 17:12:13 +0000 Subject: r21154: Add PAM_WINBIND_LOGONSERVER, also merge the various pam_set_data calls. Guenther (This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') 
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index d2bf7da9e3..2de7b355fc 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -101,6 +101,7 @@ do { \ #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" +#define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER" #define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH" #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET" -- cgit From 902a6e1da1720c00a91e627a32bd0091b1610b8e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 5 Feb 2007 17:35:25 +0000 Subject: r21159: Cleanup pam_sm_chauthtok() in pam_winbind: Set info3 strings, krb5ccname and returned username after we changed a password and sucessfully re-authenticated afterwards. In that case we ended up without this information. Guenther (This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83) --- source3/nsswitch/pam_winbind.h | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 2de7b355fc..05fc2e128e 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -133,7 +133,23 @@ do { \ _make_remark(h, f, PAM_ERROR_MSG, x);\ return ret;\ }; - + +#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\ +{\ + const char *ntstatus = x.data.auth.nt_status_string; \ + const char *error_string = NULL; \ + if (!strcasecmp(ntstatus,y)) {\ + error_string = _get_ntstatus_error_string(y);\ + if (error_string != NULL) {\ + _make_remark(h, f, PAM_ERROR_MSG, error_string);\ + };\ + if (x.data.auth.error_string[0] != '\0') {\ + _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\ + };\ + _make_remark(h, f, PAM_ERROR_MSG, y);\ + };\ +}; + #define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\ {\ const char *ntstatus = x.data.auth.nt_status_string; \ -- cgit From 9684e353a16cd18424f5b35a5d84ae3c2a03ae70 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 22 Feb 2007 13:35:01 +0000 Subject: r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user itself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has been already changed (on w2k3 sp1 dcs). Guenther (This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 05fc2e128e..73da2826ca 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
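Review bot: The new `PAM_WB_REMARK_CHECK_RESPONSE` is the `_RET` variant with its `return ret;` lines removed, which turns three mutually exclusive messages into a fall-through. On a matching status it can show the mapped error string, then `x.data.auth.error_string`, and it always finishes with the raw status name `y`. The branches should become an `if` / `else if` / `else` chain so that one failure produces exactly one remark, as the `_RET` form does. The rewrite below also uses `do { ... } while (0)` and parenthesizes `x`. The same body is carried into the later `(c,x,y)` version of this macro further down the page.

```c
#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
do {\
	const char *ntstatus = (x).data.auth.nt_status_string;\
	if (!strcasecmp(ntstatus, (y))) {\
		const char *error_string = _get_ntstatus_error_string(y);\
		if (error_string != NULL) {\
			_make_remark(h, f, PAM_ERROR_MSG, error_string);\
		} else if ((x).data.auth.error_string[0] != '\0') {\
			_make_remark(h, f, PAM_ERROR_MSG, (x).data.auth.error_string);\
		} else {\
			_make_remark(h, f, PAM_ERROR_MSG, (y));\
		}\
	}\
} while (0)
```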
@@ -99,6 +99,7 @@ do { \ #define off(x, y) (!(x & y)) #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" +#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER" -- cgit From fd5ff711b6fa4b1146776ba6f915a20e64786c53 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 6 May 2007 20:33:33 +0000 Subject: r22712: Inform the user when logging in via pam_winbind and the krb5 tkt cache could not be created due to clock skew. (This used to be commit 24616f7d6be40b090dc74851b1ea7d09d6976811) --- source3/nsswitch/pam_winbind.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 73da2826ca..9015869a77 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -184,6 +184,8 @@ do { \ /* from include/rpc_netlogon.h */ #define LOGON_CACHED_ACCOUNT 0x00000004 #define LOGON_GRACE_LOGON 0x01000000 +#define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000 #define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT) +#define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW) #define PAM_WB_GRACE_LOGON(x) ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON))) -- cgit From f4ae28576376741a5402a286827a46c053db0ff7 Mon Sep 17 00:00:00 2001 From: James Peach Date: Wed, 23 May 2007 20:31:28 +0000 Subject: r23095: Support systems that have their PAM headers in /usr/include/pam. (This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4) --- source3/nsswitch/pam_winbind.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 9015869a77..0e7688be15 100644 
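Review bot: `PAM_WB_KRB5_CLOCK_SKEW(x)` expands to `(x & LOGON_KRB5_FAIL_CLOCK_SKEW)` with the argument unparenthesized, so a caller passing an expression such as `a | b` gets `a | (b & FLAG)` instead of a test on the combined flags. Writing it as `((x) & LOGON_KRB5_FAIL_CLOCK_SKEW)` avoids that. The neighbouring `PAM_WB_CACHED_LOGON` and `PAM_WB_GRACE_LOGON` have the same form and are rewritten again by the later NETLOGON rename hunk, which would be a natural place to fix all three.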
--- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -23,7 +23,11 @@ /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern +#if defined(HAVE_SECURITY_PAM_APPL_H) #include +#elif defined(HAVE_PAM_PAM_APPL_H) +#include +#endif #ifndef PAM_AUTHTOK_RECOVER_ERR #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR @@ -31,12 +35,16 @@ #endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */ -#ifdef HAVE_SECURITY_PAM_MODULES_H +#if defined(HAVE_SECURITY_PAM_MODULES_H) #include +#elif defined(HAVE_PAM_PAM_MODULES_H) +#include #endif -#ifdef HAVE_SECURITY__PAM_MACROS_H +#if defined(HAVE_SECURITY__PAM_MACROS_H) #include +#elif defined(HAVE_PAM__PAM_MACROS_H) +#include #else /* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */ #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ -- cgit From a3de7e9b9dcd4d15a1c07244acae205b1edb934b Mon Sep 17 00:00:00 2001 From: Lars Müller Date: Wed, 4 Jul 2007 14:03:10 +0000 Subject: r23704: Add pam_pwd_expire feature as discussed on samba-technical. This is a slightly modified version to set warn_pwd_expire to the default value if 0, no, or a broken value is set. This version also has one if statement less in get_config_item_int(). Thanks a lot to Andreas 'GlaDiaC' Schneider for this feature! (This used to be commit d26914c978457ae0ec097cc40c8e33a7cee9ebcf) --- source3/nsswitch/pam_winbind.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 0e7688be15..159cb28059 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -116,7 +116,7 @@ do { \ #define SECONDS_PER_DAY 86400 -#define DAYS_TO_WARN_BEFORE_PWD_EXPIRES 5 +#define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14 #include "winbind_client.h" -- cgit 
From b824a665bb4dce018f8162674ad03ec781a85735 Mon Sep 17 00:00:00 2001 From: Lars Müller Date: Wed, 4 Jul 2007 20:25:29 +0000 Subject: r23708: - Add define for WINBIND_WARN_PWD_EXPIRE. - Add parameter config_flag to get_config_item_int() and do the same check as in get_conf_item_string. (This used to be commit d1d1baa264587911e1c97b3b35d5ed2bc56bf12b) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 159cb28059..59a2f39584 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -95,6 +95,7 @@ do { \ #define WINBIND_CONFIG_FILE (1<<10) #define WINBIND_SILENT (1<<11) #define WINBIND_DEBUG_STATE (1<<12) +#define WINBIND_WARN_PWD_EXPIRE (1<<13) /* * here is the string to inform the user that the new passwords they -- cgit From a92eb76688600efbf4a4056c2543f348e2fee8aa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 17 Jan 2008 10:24:34 +0100 Subject: Finally enable pidl generated SAMR & NETLOGON headers and clients. Guenther (This used to be commit f7100156a7df7ac3ae84e45a47153b38d9375215) --- source3/nsswitch/pam_winbind.h | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 59a2f39584..6ec564fe71 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -179,22 +179,23 @@ do { \ };\ }; -/* from include/rpc_samr.h */ -#define DOMAIN_PASSWORD_COMPLEX 0x00000001 +/* from samr.idl */ +#define DOMAIN_PASSWORD_COMPLEX 0x00000001 -#define REJECT_REASON_OTHER 0x00000000 -#define REJECT_REASON_TOO_SHORT 0x00000001 -#define REJECT_REASON_IN_HISTORY 0x00000002 -#define REJECT_REASON_NOT_COMPLEX 0x00000005 +#define SAMR_REJECT_OTHER 0x00000000 +#define SAMR_REJECT_TOO_SHORT 0x00000001 +#define SAMR_REJECT_IN_HISTORY 0x00000002 +#define SAMR_REJECT_COMPLEXITY 0x00000005 -/* from include/smb.h */ #define ACB_PWNOEXP 0x00000200 +/* from netlogon.idl */ +#define NETLOGON_CACHED_ACCOUNT 0x00000004 +#define NETLOGON_GRACE_LOGON 0x01000000 + /* from include/rpc_netlogon.h */ -#define LOGON_CACHED_ACCOUNT 0x00000004 -#define LOGON_GRACE_LOGON 0x01000000 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000 -#define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT) +#define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT) #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW) -#define PAM_WB_GRACE_LOGON(x) ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON))) +#define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON))) -- cgit From a8d59ebe81cfc8c653c8302a75df6e621cb771c8 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 1 Feb 2008 13:03:39 +0100 Subject: NetBSD needs PAM_SM_SESSION Otherwise no prototype for pam_sm_close_session is defined (This used to be commit e26ba6a3c6bf54b426b55c4ca0b9db98cd0d7b75) --- source3/nsswitch/pam_winbind.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 6ec564fe71..a1d32726f5 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -12,6 +12,7 @@ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD +#define PAM_SM_SESSION #ifndef PAM_WINBIND_CONFIG_FILE #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf" -- cgit From b365cd3fc531db124a4aa80693aa7d178b315f28 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 3 Apr 2008 13:19:46 +0200 Subject: Add pwb_context to pam_winbind.h. Guenther (This used to be commit fe8acb064433b286938e0b572ca1faa8a54414b7) --- source3/nsswitch/pam_winbind.h | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index a1d32726f5..1725a895e0 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -200,3 +200,12 @@ do { \ #define PAM_WB_CACHED_LOGON(x) (x & NETLOGON_CACHED_ACCOUNT) #define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW) #define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON))) + +struct pwb_context { + const pam_handle_t *pamh; + int flags; + int argc; + const char **argv; + dictionary *dict; + uint32_t ctrl; +}; -- cgit From e7553ab79ca7e68a9c66f0ffc1f8e93dedcf12b8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 3 Apr 2008 17:23:22 +0200 Subject: Fix pam_winbind macros. Guenther (This used to be commit 37091859126167e84e55afe8a32025ac0f65065e) --- source3/nsswitch/pam_winbind.h | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 1725a895e0..be17a6fe45 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
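Review bot: `struct pwb_context` is added with no comment on what each field holds or who owns the pointers. This matters most for `dict` and `argv`, because the declaration does not show whether the context frees them or only borrows them from the PAM call. A short block comment above the struct plus one-line field comments would do, for example `/* ctrl: WINBIND_* option bits */` on `ctrl`, assuming that is what the field carries. The ownership wording has to come from the code that fills and releases the context, which is not part of this hunk.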
@@ -122,14 +122,14 @@ do { \ #include "winbind_client.h" -#define PAM_WB_REMARK_DIRECT(h,f,x)\ +#define PAM_WB_REMARK_DIRECT(c,x)\ {\ const char *error_string = NULL; \ error_string = _get_ntstatus_error_string(x);\ if (error_string != NULL) {\ - _make_remark(h, f, PAM_ERROR_MSG, error_string);\ + _make_remark(c, PAM_ERROR_MSG, error_string);\ } else {\ - _make_remark(h, f, PAM_ERROR_MSG, x);\ + _make_remark(c, PAM_ERROR_MSG, x);\ };\ }; @@ -145,37 +145,37 @@ do { \ return ret;\ }; -#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\ +#define PAM_WB_REMARK_CHECK_RESPONSE(c,x,y)\ {\ const char *ntstatus = x.data.auth.nt_status_string; \ const char *error_string = NULL; \ if (!strcasecmp(ntstatus,y)) {\ error_string = _get_ntstatus_error_string(y);\ if (error_string != NULL) {\ - _make_remark(h, f, PAM_ERROR_MSG, error_string);\ + _make_remark(c, PAM_ERROR_MSG, error_string);\ };\ if (x.data.auth.error_string[0] != '\0') {\ - _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\ + _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\ };\ - _make_remark(h, f, PAM_ERROR_MSG, y);\ + _make_remark(c, PAM_ERROR_MSG, y);\ };\ }; -#define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\ +#define PAM_WB_REMARK_CHECK_RESPONSE_RET(c,x,y)\ {\ const char *ntstatus = x.data.auth.nt_status_string; \ const char *error_string = NULL; \ if (!strcasecmp(ntstatus,y)) {\ error_string = _get_ntstatus_error_string(y);\ if (error_string != NULL) {\ - _make_remark(h, f, PAM_ERROR_MSG, error_string);\ + _make_remark(c, PAM_ERROR_MSG, error_string);\ return ret;\ };\ if (x.data.auth.error_string[0] != '\0') {\ - _make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\ + _make_remark(c, PAM_ERROR_MSG, x.data.auth.error_string);\ return ret;\ };\ - _make_remark(h, f, PAM_ERROR_MSG, y);\ + _make_remark(c, PAM_ERROR_MSG, y);\ return ret;\ };\ }; 
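Review bot: `PAM_WB_REMARK_DIRECT_RET` appears to be left on the old calling convention by this change. Its definition lies between the two hunks and is not shown, but its tail is the unchanged context at the top of the second hunk, and the earlier hunk on this page shows its body calling `_make_remark(h, f, PAM_ERROR_MSG, x)`. Every call rewritten here uses `_make_remark(c, PAM_ERROR_MSG, ...)`, so if `_make_remark` now takes the context as its first argument, any expansion of the untouched macro would stop compiling. It should either be converted the same way, `#define PAM_WB_REMARK_DIRECT_RET(c,x)\` with `_make_remark(c, PAM_ERROR_MSG, error_string);\`, or removed if nothing uses it.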
@@ -202,7 +202,7 @@ do { \ #define PAM_WB_GRACE_LOGON(x) ((NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON) == ( x & (NETLOGON_CACHED_ACCOUNT|NETLOGON_GRACE_LOGON))) struct pwb_context { - const pam_handle_t *pamh; + pam_handle_t *pamh; int flags; int argc; const char **argv; -- cgit From 5692bbf64b2a40bc0fddcb796fe2c6cfa73247d9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 14 Aug 2008 13:07:51 +0200 Subject: pam_winbind: use integer constants. Guenther (This used to be commit 8d19b2ceb131ca2a0fd983cdb4fd17acdad9c26e) --- source3/nsswitch/pam_winbind.h | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/nsswitch/pam_winbind.h') diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index be17a6fe45..c8c1910641 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h 
@@ -83,20 +83,20 @@ do { \ #include #endif -#define WINBIND_DEBUG_ARG (1<<0) -#define WINBIND_USE_AUTHTOK_ARG (1<<1) -#define WINBIND_UNKNOWN_OK_ARG (1<<2) -#define WINBIND_TRY_FIRST_PASS_ARG (1<<3) -#define WINBIND_USE_FIRST_PASS_ARG (1<<4) -#define WINBIND__OLD_PASSWORD (1<<5) -#define WINBIND_REQUIRED_MEMBERSHIP (1<<6) -#define WINBIND_KRB5_AUTH (1<<7) -#define WINBIND_KRB5_CCACHE_TYPE (1<<8) -#define WINBIND_CACHED_LOGIN (1<<9) -#define WINBIND_CONFIG_FILE (1<<10) -#define WINBIND_SILENT (1<<11) -#define WINBIND_DEBUG_STATE (1<<12) -#define WINBIND_WARN_PWD_EXPIRE (1<<13) +#define WINBIND_DEBUG_ARG 0x00000001 +#define WINBIND_USE_AUTHTOK_ARG 0x00000002 +#define WINBIND_UNKNOWN_OK_ARG 0x00000004 +#define WINBIND_TRY_FIRST_PASS_ARG 0x00000008 +#define WINBIND_USE_FIRST_PASS_ARG 0x00000010 +#define WINBIND__OLD_PASSWORD 0x00000020 +#define WINBIND_REQUIRED_MEMBERSHIP 0x00000040 +#define WINBIND_KRB5_AUTH 0x00000080 +#define WINBIND_KRB5_CCACHE_TYPE 0x00000100 +#define WINBIND_CACHED_LOGIN 0x00000200 +#define WINBIND_CONFIG_FILE 0x00000400 +#define WINBIND_SILENT 0x00000800 +#define WINBIND_DEBUG_STATE 0x00001000 +#define WINBIND_WARN_PWD_EXPIRE 0x00002000 /* * here is the string to inform the user that the new passwords they -- cgit