pam_winbind.h 7.19 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43
/*
 * Copyright (c) Andrew Tridgell  <tridge@samba.org>   2000
 * Copyright (c) Tim Potter       <tpot@samba.org>     2000
 * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
 * Copyright (c) Guenther Deschner <gd@samba.org>      2005-2008
 * Copyright (c) Jan Rêkorajski 1999.
 * Copyright (c) Andrew G. Morgan 1996-8.
 * Copyright (c) Alex O. Yuriev, 1996.
 * Copyright (c) Cristian Gafton 1996.
 * Copyright (C) Elliot Lee <sopwith@redhat.com> 1996, Red Hat Software.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU Public License, in which case the provisions of the GPL are
 * required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

44
/* pam_winbind header file
45 46 47 48 49
   (Solaris needs some macros from Linux for common PAM code)

   Shirish Kalele 2000
*/

50 51 52
#ifndef _NSSWITCH_PAM_WINBIND_H_
#define _NSSWITCH_PAM_WINBIND_H_

53
#include "../lib/replace/replace.h"
54 55
#include "system/syslog.h"
#include "system/time.h"
56
#include <talloc.h>
57
#include "libwbclient/wbclient.h"
58
#include "lib/util/tiniparser.h"
59 60 61 62 63

#define MODULE_NAME "pam_winbind"
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
64
#define PAM_SM_SESSION
65

66 67 68 69
#ifndef PAM_WINBIND_CONFIG_FILE
#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
#endif

Bo Yang's avatar
Bo Yang committed
70 71 72 73
#ifdef HAVE_LIBINTL_H
#include <libintl.h>
#endif

74 75 76 77 78 79 80 81
#if defined(LINUX)

/* newer versions of PAM have this in _pam_compat.h */
#ifndef PAM_AUTHTOK_RECOVERY_ERR
#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
#endif

#else /* !LINUX */
82 83 84

/* Solaris always uses dynamic pam modules */
#define PAM_EXTERN extern
85
#if defined(HAVE_SECURITY_PAM_APPL_H)
86
#include <security/pam_appl.h>
87 88 89
#elif defined(HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
90

91
#ifndef PAM_AUTHTOK_RECOVER_ERR
92 93 94
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
#endif

95
#endif /* (!)LINUX */
96

97
#if defined(HAVE_SECURITY_PAM_MODULES_H)
98
#include <security/pam_modules.h>
99 100
#elif defined(HAVE_PAM_PAM_MODULES_H)
#include <pam/pam_modules.h>
101
#endif
102

103
#if defined(HAVE_SECURITY__PAM_MACROS_H)
104
#include <security/_pam_macros.h>
105 106
#elif defined(HAVE_PAM__PAM_MACROS_H)
#include <pam/_pam_macros.h>
107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134
#else
/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
do {                                              \
    int reply_i;                                  \
                                                  \
    for (reply_i=0; reply_i<replies; ++reply_i) { \
        if (reply[reply_i].resp) {                \
            _pam_overwrite(reply[reply_i].resp);  \
            free(reply[reply_i].resp);            \
        }                                         \
    }                                             \
    if (reply)                                    \
        free(reply);                              \
} while (0)

#define _pam_overwrite(x)        \
do {                             \
     register char *__xx__;      \
     if ((__xx__=(x)))           \
          while (*__xx__)        \
               *__xx__++ = '\0'; \
} while (0)

/*
 * Don't just free it, forget it too.
 */

Simo Sorce's avatar
Simo Sorce committed
135
#define _pam_drop(X) SAFE_FREE(X)
136

137
#define  x_strdup(s)  ( (s) ? strdup(s):NULL )
138 139 140 141
#endif /* HAVE_SECURITY__PAM_MACROS_H */

#ifdef HAVE_SECURITY_PAM_EXT_H
#include <security/pam_ext.h>
142 143
#endif

144 145 146 147 148 149 150 151 152 153 154 155 156 157
#define WINBIND_DEBUG_ARG		0x00000001
#define WINBIND_USE_AUTHTOK_ARG		0x00000002
#define WINBIND_UNKNOWN_OK_ARG		0x00000004
#define WINBIND_TRY_FIRST_PASS_ARG	0x00000008
#define WINBIND_USE_FIRST_PASS_ARG	0x00000010
#define WINBIND__OLD_PASSWORD		0x00000020
#define WINBIND_REQUIRED_MEMBERSHIP	0x00000040
#define WINBIND_KRB5_AUTH		0x00000080
#define WINBIND_KRB5_CCACHE_TYPE	0x00000100
#define WINBIND_CACHED_LOGIN		0x00000200
#define WINBIND_CONFIG_FILE		0x00000400
#define WINBIND_SILENT			0x00000800
#define WINBIND_DEBUG_STATE		0x00001000
#define WINBIND_WARN_PWD_EXPIRE		0x00002000
158
#define WINBIND_MKHOMEDIR		0x00004000
159
#define WINBIND_TRY_AUTHTOK_ARG		0x00008000
160

Bo Yang's avatar
Bo Yang committed
161 162 163 164 165 166 167 168
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
#define _(string) dgettext(MODULE_NAME, string)
#else
#define _(string) string
#endif

#define N_(string) string

169 170 171 172 173
/*
 * here is the string to inform the user that the new passwords they
 * typed were not the same.
 */

Bo Yang's avatar
Bo Yang committed
174
#define MISTYPED_PASS _("Sorry, passwords do not match")
175 176 177

#define on(x, y) (x & y)
#define off(x, y) (!(x & y))
178

179
#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
180
#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
181
#define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
182
#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
183
#define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
184
#define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
185
#define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
186 187 188

#define SECONDS_PER_DAY 86400

189
#define DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES 14
190

191
#include "winbind_client.h"
192

193
#define PAM_WB_REMARK_DIRECT(c,x)\
194 195 196 197
{\
	const char *error_string = NULL; \
	error_string = _get_ntstatus_error_string(x);\
	if (error_string != NULL) {\
198
		_make_remark(c, PAM_ERROR_MSG, error_string);\
199
	} else {\
200
		_make_remark(c, PAM_ERROR_MSG, x);\
201 202 203
	};\
};

204
#define LOGON_KRB5_FAIL_CLOCK_SKEW	0x02000000
205

206
#define PAM_WB_CACHED_LOGON(x) (x & WBC_AUTH_USER_INFO_CACHED_ACCOUNT)
207
#define PAM_WB_KRB5_CLOCK_SKEW(x) (x & LOGON_KRB5_FAIL_CLOCK_SKEW)
208
#define PAM_WB_GRACE_LOGON(x)  ((WBC_AUTH_USER_INFO_CACHED_ACCOUNT|WBC_AUTH_USER_INFO_GRACE_LOGON) == ( x & (WBC_AUTH_USER_INFO_CACHED_ACCOUNT|WBC_AUTH_USER_INFO_GRACE_LOGON)))
209 210

struct pwb_context {
211
	pam_handle_t *pamh;
212 213 214
	int flags;
	int argc;
	const char **argv;
215
	struct tiniparser_dictionary *dict;
216
	uint32_t ctrl;
217
	struct wbcContext *wbc_ctx;
218
};
219

220
#endif /* _NSSWITCH_PAM_WINBIND_H_ */