s4: torture: Tweak the compound padding streamfile test to send 3 reads instead of...

[Samba.git] / librpc / idl / auth.idl

#include "idl_types.h"

/*
  Authentication IDL structures

  These are NOT public network structures, but it is helpful to define
  these things in IDL. They may change without ABI breakage or
  warning.

*/

import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
[
        pyhelper("librpc/ndr/py_auth.c"),
        helper("../librpc/ndr/ndr_auth.h"),
        helpstring("internal Samba authentication structures")
]

interface auth
{
        typedef [public] enum {
                SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
                SEC_AUTH_METHOD_NTLM            = 1,
                SEC_AUTH_METHOD_KERBEROS        = 2
        } auth_method;

        /* This is the parts of the session_info that don't change
         * during local privilege and group manipulations */
        typedef [public] struct {
                [unique,charset(UTF8),string] char *account_name;
                [unique,charset(UTF8),string] char *user_principal_name;
                boolean8 user_principal_constructed;
                [unique,charset(UTF8),string] char *domain_name;
                [unique,charset(UTF8),string] char *dns_domain_name;

                [unique,charset(UTF8),string] char *full_name;
                [unique,charset(UTF8),string] char *logon_script;
                [unique,charset(UTF8),string] char *profile_path;
                [unique,charset(UTF8),string] char *home_directory;
                [unique,charset(UTF8),string] char *home_drive;
                [unique,charset(UTF8),string] char *logon_server;

                NTTIME last_logon;
                NTTIME last_logoff;
                NTTIME acct_expiry;
                NTTIME last_password_change;
                NTTIME allow_password_change;
                NTTIME force_password_change;

                uint16 logon_count;
                uint16 bad_password_count;

                uint32 acct_flags;

                uint8 authenticated;
        } auth_user_info;

        /* This information is preserved only to assist torture tests */
        typedef [public] struct {
                /* Number SIDs from the DC netlogon validation info */
                uint32 num_dc_sids;
                [size_is(num_dc_sids)] dom_sid dc_sids[*];
        } auth_user_info_torture;

        typedef [public] struct {
                [unique,charset(UTF8),string] char *unix_name;

                /*
                 * For performance reasons we keep an alpha_strcpy-sanitized version
                 * of the username around as long as the global variable current_user
                 * still exists. If we did not do keep this, we'd have to call
                 * alpha_strcpy whenever we do a become_user(), potentially on every
                 * smb request. See set_current_user_info in source3.
                 */
                [unique,charset(UTF8),string] char *sanitized_username;
        } auth_user_info_unix;

        /*
         * If the user was authenticated with a Kerberos ticket, this indicates
         * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
         * unset, the type is unknown. This indicator is useful for the KDC and
         * the kpasswd service, which share the same account and keys. By
         * ensuring it is provided with the appopriate ticket type, each service
         * avoids accepting a ticket meant for the other.
         *
         * The heuristic used to determine the type is the presence or absence
         * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
         * we have a TGT. This heuristic will fail for older Samba versions and
         * Windows prior to Nov. 2021 updates, which lack support for this
         * buffer.
         */
        typedef enum {
                TICKET_TYPE_UNKNOWN = 0,
                TICKET_TYPE_TGT = 1,
                TICKET_TYPE_NON_TGT = 2
        } ticket_type;

        /* This is the interim product of the auth subsystem, before
         * privileges and local groups are handled */
        typedef [public] struct {
                uint32 num_sids;
                [size_is(num_sids)] dom_sid sids[*];
                auth_user_info *info;
                [noprint] DATA_BLOB user_session_key;
                [noprint] DATA_BLOB lm_session_key;
                ticket_type ticket_type;
        } auth_user_info_dc;

        typedef [public] struct {
                security_token *security_token;
                security_unix_token *unix_token;
                auth_user_info *info;
                auth_user_info_unix *unix_info;
                [value(NULL), ignore] auth_user_info_torture *torture;

                /* This is the final session key, as used by SMB signing, and
                 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
                 * when over ncacn_np.
                 * It is calculated by NTLMSSP from the session key in the info3,
                 * and is  set from the Kerberos session key using
                 * krb5_auth_con_getremotesubkey().
                 *
                 * Bottom line, it is not the same as the session keys in info3.
                 */

                [noprint] DATA_BLOB session_key;

                [value(NULL), ignore] cli_credentials *credentials;

                /*
                 * It is really handy to have our authorization code log a
                 * token that can be used to tie later requests together.
                 * We generate this in auth_generate_session_info()
                 */
                GUID unique_session_token;

                ticket_type ticket_type;
        } auth_session_info;

        typedef [public] struct {
                auth_session_info *session_info;
                [noprint] DATA_BLOB exported_gssapi_credentials;
        } auth_session_info_transport;
}