librpc/idl/auth.idl

   1 #include "idl_types.h"
   2
   3 /*
   4   Authentication IDL structures
   5
   6   These are NOT public network structures, but it is helpful to define
   7   these things in IDL. They may change without ABI breakage or
   8   warning.
   9
  10 */
  11
  12 import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
  13 [
  14         pyhelper("librpc/ndr/py_auth.c"),
  15         helper("../librpc/ndr/ndr_auth.h"),
  16         helpstring("internal Samba authentication structures")
  17 ]
  18
  19 interface auth
  20 {
  21         typedef [public] enum {
  22                 SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
  23                 SEC_AUTH_METHOD_NTLM            = 1,
  24                 SEC_AUTH_METHOD_KERBEROS        = 2
  25         } auth_method;
  26
  27         /* This is the parts of the session_info that don't change
  28          * during local privilege and group manipulations */
  29         typedef [public] struct {
  30                 [unique,charset(UTF8),string] char *account_name;
  31                 [unique,charset(UTF8),string] char *user_principal_name;
  32                 boolean8 user_principal_constructed;
  33                 [unique,charset(UTF8),string] char *domain_name;
  34                 [unique,charset(UTF8),string] char *dns_domain_name;
  35
  36                 [unique,charset(UTF8),string] char *full_name;
  37                 [unique,charset(UTF8),string] char *logon_script;
  38                 [unique,charset(UTF8),string] char *profile_path;
  39                 [unique,charset(UTF8),string] char *home_directory;
  40                 [unique,charset(UTF8),string] char *home_drive;
  41                 [unique,charset(UTF8),string] char *logon_server;
  42
  43                 NTTIME last_logon;
  44                 NTTIME last_logoff;
  45                 NTTIME acct_expiry;
  46                 NTTIME last_password_change;
  47                 NTTIME allow_password_change;
  48                 NTTIME force_password_change;
  49
  50                 uint16 logon_count;
  51                 uint16 bad_password_count;
  52
  53                 uint32 acct_flags;
  54
  55                 /*
  56                  * The NETLOGON_GUEST flag being set indicates the user is not
  57                  * authenticated.
  58                  */
  59                 uint32 user_flags;
  60         } auth_user_info;
  61
  62         /* This information is preserved only to assist torture tests */
  63         typedef [public] struct {
  64                 /* Number SIDs from the DC netlogon validation info */
  65                 uint32 num_dc_sids;
  66                 [size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
  67         } auth_user_info_torture;
  68
  69         typedef [public] struct {
  70                 [unique,charset(UTF8),string] char *unix_name;
  71
  72                 /*
  73                  * For performance reasons we keep an alpha_strcpy-sanitized version
  74                  * of the username around as long as the global variable current_user
  75                  * still exists. If we did not do keep this, we'd have to call
  76                  * alpha_strcpy whenever we do a become_user(), potentially on every
  77                  * smb request. See set_current_user_info in source3.
  78                  */
  79                 [unique,charset(UTF8),string] char *sanitized_username;
  80         } auth_user_info_unix;
  81
  82         /*
  83          * If the user was authenticated with a Kerberos ticket, this indicates
  84          * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
  85          * unset, the type is unknown. This indicator is useful for the KDC and
  86          * the kpasswd service, which share the same account and keys. By
  87          * ensuring it is provided with the appropriate ticket type, each service
  88          * avoids accepting a ticket meant for the other.
  89          *
  90          * The heuristic used to determine the type is the presence or absence
  91          * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
  92          * we have a TGT. This heuristic will fail for older Samba versions and
  93          * Windows prior to Nov. 2021 updates, which lack support for this
  94          * buffer.
  95          */
  96         typedef enum {
  97                 TICKET_TYPE_UNKNOWN = 0,
  98                 TICKET_TYPE_TGT = 1,
  99                 TICKET_TYPE_NON_TGT = 2
 100         } ticket_type;
 101
 102         /*
 103          * Used to indicate whether or not to include or disregard resource
 104          * groups when forming a SamInfo structure, user_info_dc structure, or
 105          * PAC, and whether or not to compress them when forming a PAC.
 106          *
 107          * When producing a TGT, existing resource groups are always copied
 108          * unmodified into the PAC. When producing a service ticket, existing
 109          * resource groups and resource groups in other domains are always
 110          * discarded.
 111          */
 112         typedef enum {
 113                 AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
 114                 AUTH_INCLUDE_RESOURCE_GROUPS = 2,
 115                 AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
 116                 AUTH_EXCLUDE_RESOURCE_GROUPS = 4
 117         } auth_group_inclusion;
 118
 119         typedef [public] struct {
 120                 dom_sid sid;
 121                 security_GroupAttrs attrs;
 122         } auth_SidAttr;
 123
 124         /* This is the interim product of the auth subsystem, before
 125          * privileges and local groups are handled */
 126         typedef [public] struct {
 127                 uint32 num_sids;
 128                 [size_is(num_sids)] auth_SidAttr sids[*];
 129                 auth_user_info *info;
 130                 [noprint] DATA_BLOB user_session_key;
 131                 [noprint] DATA_BLOB lm_session_key;
 132                 ticket_type ticket_type;
 133         } auth_user_info_dc;
 134
 135         typedef [public] struct {
 136                 security_token *security_token;
 137                 security_unix_token *unix_token;
 138                 auth_user_info *info;
 139                 auth_user_info_unix *unix_info;
 140                 [value(NULL), ignore] auth_user_info_torture *torture;
 141
 142                 /* This is the final session key, as used by SMB signing, and
 143                  * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
 144                  * when over ncacn_np.
 145                  * It is calculated by NTLMSSP from the session key in the info3,
 146                  * and is  set from the Kerberos session key using
 147                  * krb5_auth_con_getremotesubkey().
 148                  *
 149                  * Bottom line, it is not the same as the session keys in info3.
 150                  */
 151
 152                 [noprint] DATA_BLOB session_key;
 153
 154                 [value(NULL), ignore] cli_credentials *credentials;
 155
 156                 /*
 157                  * It is really handy to have our authorization code log a
 158                  * token that can be used to tie later requests together.
 159                  * We generate this in auth_generate_session_info()
 160                  */
 161                 GUID unique_session_token;
 162
 163                 ticket_type ticket_type;
 164         } auth_session_info;
 165
 166         typedef [public] struct {
 167                 auth_session_info *session_info;
 168                 [noprint] DATA_BLOB exported_gssapi_credentials;
 169         } auth_session_info_transport;
 170 }