auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
[Samba.git] / librpc / idl / auth.idl
blobab5675ef8c56f3b215565103414812957dd46e68
1 #include "idl_types.h"
3 /*
4 Authentication IDL structures
6 These are NOT public network structures, but it is helpful to define
7 these things in IDL. They may change without ABI breakage or
8 warning.
12 import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
14 pyhelper("librpc/ndr/py_auth.c"),
15 helper("../librpc/ndr/ndr_auth.h"),
16 helpstring("internal Samba authentication structures")
19 interface auth
21 typedef [public] enum {
22 SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
23 SEC_AUTH_METHOD_NTLM = 1,
24 SEC_AUTH_METHOD_KERBEROS = 2
25 } auth_method;
27 /* This is the parts of the session_info that don't change
28 * during local privilege and group manipulations */
29 typedef [public] struct {
30 [unique,charset(UTF8),string] char *account_name;
31 [unique,charset(UTF8),string] char *user_principal_name;
32 boolean8 user_principal_constructed;
33 [unique,charset(UTF8),string] char *domain_name;
34 [unique,charset(UTF8),string] char *dns_domain_name;
36 [unique,charset(UTF8),string] char *full_name;
37 [unique,charset(UTF8),string] char *logon_script;
38 [unique,charset(UTF8),string] char *profile_path;
39 [unique,charset(UTF8),string] char *home_directory;
40 [unique,charset(UTF8),string] char *home_drive;
41 [unique,charset(UTF8),string] char *logon_server;
43 NTTIME last_logon;
44 NTTIME last_logoff;
45 NTTIME acct_expiry;
46 NTTIME last_password_change;
47 NTTIME allow_password_change;
48 NTTIME force_password_change;
50 uint16 logon_count;
51 uint16 bad_password_count;
53 uint32 acct_flags;
56 * The NETLOGON_GUEST flag being set indicates the user is not
57 * authenticated.
59 uint32 user_flags;
60 } auth_user_info;
62 /* This information is preserved only to assist torture tests */
63 typedef [public] struct {
64 /* Number SIDs from the DC netlogon validation info */
65 uint32 num_dc_sids;
66 [size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
67 } auth_user_info_torture;
69 typedef [public] struct {
70 [unique,charset(UTF8),string] char *unix_name;
73 * For performance reasons we keep an alpha_strcpy-sanitized version
74 * of the username around as long as the global variable current_user
75 * still exists. If we did not do keep this, we'd have to call
76 * alpha_strcpy whenever we do a become_user(), potentially on every
77 * smb request. See set_current_user_info in source3.
79 [unique,charset(UTF8),string] char *sanitized_username;
80 } auth_user_info_unix;
83 * If the user was authenticated with a Kerberos ticket, this indicates
84 * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
85 * unset, the type is unknown. This indicator is useful for the KDC and
86 * the kpasswd service, which share the same account and keys. By
87 * ensuring it is provided with the appropriate ticket type, each service
88 * avoids accepting a ticket meant for the other.
90 * The heuristic used to determine the type is the presence or absence
91 * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
92 * we have a TGT. This heuristic will fail for older Samba versions and
93 * Windows prior to Nov. 2021 updates, which lack support for this
94 * buffer.
96 typedef enum {
97 TICKET_TYPE_UNKNOWN = 0,
98 TICKET_TYPE_TGT = 1,
99 TICKET_TYPE_NON_TGT = 2
100 } ticket_type;
103 * Used to indicate whether or not to include or disregard resource
104 * groups when forming a SamInfo structure, user_info_dc structure, or
105 * PAC, and whether or not to compress them when forming a PAC.
107 * When producing a TGT, existing resource groups are always copied
108 * unmodified into the PAC. When producing a service ticket, existing
109 * resource groups and resource groups in other domains are always
110 * discarded.
112 typedef enum {
113 AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
114 AUTH_INCLUDE_RESOURCE_GROUPS = 2,
115 AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
116 AUTH_EXCLUDE_RESOURCE_GROUPS = 4
117 } auth_group_inclusion;
119 typedef [public] struct {
120 dom_sid sid;
121 security_GroupAttrs attrs;
122 } auth_SidAttr;
124 /* This is the interim product of the auth subsystem, before
125 * privileges and local groups are handled */
126 typedef [public] struct {
127 uint32 num_sids;
128 [size_is(num_sids)] auth_SidAttr sids[*];
129 auth_user_info *info;
130 [noprint] DATA_BLOB user_session_key;
131 [noprint] DATA_BLOB lm_session_key;
132 ticket_type ticket_type;
133 } auth_user_info_dc;
135 typedef [public] struct {
136 security_token *security_token;
137 security_unix_token *unix_token;
138 auth_user_info *info;
139 auth_user_info_unix *unix_info;
140 [value(NULL), ignore] auth_user_info_torture *torture;
142 /* This is the final session key, as used by SMB signing, and
143 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
144 * when over ncacn_np.
145 * It is calculated by NTLMSSP from the session key in the info3,
146 * and is set from the Kerberos session key using
147 * krb5_auth_con_getremotesubkey().
149 * Bottom line, it is not the same as the session keys in info3.
152 [noprint] DATA_BLOB session_key;
154 [value(NULL), ignore] cli_credentials *credentials;
157 * It is really handy to have our authorization code log a
158 * token that can be used to tie later requests together.
159 * We generate this in auth_generate_session_info()
161 GUID unique_session_token;
163 ticket_type ticket_type;
164 } auth_session_info;
166 typedef [public] struct {
167 auth_session_info *session_info;
168 [noprint] DATA_BLOB exported_gssapi_credentials;
169 } auth_session_info_transport;