s3-auth import auth3_session_info into IDL
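#include "idl_types.h"

/*
   Authentication IDL structures

   These are NOT public network structures, but it is helpful to define
   these things in IDL. They may change without ABI breakage or
   warning.

   NOTE(review): several structures below carry session keys and
   exported credentials. Marshalled copies should be handled as secrets
   and, in line with the statement above, should not be accepted from
   untrusted network peers.
*/

import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl", "netlogon.idl";

[
	pyhelper("librpc/ndr/py_auth.c"),
	helper("../librpc/ndr/ndr_auth.h"),
	helpstring("internal Samba authentication structures")
]

interface auth
{
	/* How a session was authenticated; 0 means no authentication
	 * took place. */
	typedef [public] enum {
		SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
		SEC_AUTH_METHOD_NTLM = 1,
		SEC_AUTH_METHOD_KERBEROS = 2
	} auth_method;

	/* These are the parts of the session_info that don't change
	 * during local privilege and group manipulations */
	typedef [public] struct {
		utf8string account_name;
		utf8string domain_name;

		utf8string full_name;
		utf8string logon_script;
		utf8string profile_path;
		utf8string home_directory;
		utf8string home_drive;
		utf8string logon_server;

		NTTIME last_logon;
		NTTIME last_logoff;
		NTTIME acct_expiry;
		NTTIME last_password_change;
		NTTIME allow_password_change;
		NTTIME force_password_change;

		uint16 logon_count;
		uint16 bad_password_count;

		uint32 acct_flags;

		/* NOTE(review): presumably non-zero only when the user
		 * actually authenticated (as opposed to anonymous) --
		 * confirm against the consumers before relying on it for
		 * an access decision. */
		uint8 authenticated;
	} auth_user_info;

	/* This information is preserved only to assist torture tests */
	typedef [public] struct {
		/* Number of SIDs from the DC netlogon validation info */
		uint32 num_dc_sids;
		[size_is(num_dc_sids)] dom_sid dc_sids[*];
		PAC_SIGNATURE_DATA *pac_srv_sig;
		PAC_SIGNATURE_DATA *pac_kdc_sig;
	} auth_user_info_torture;

	typedef [public] struct {
		/* These match exactly the values from the
		 * auth_serversupplied_info, but should be changed to
		 * checks involving just the SIDs */
		boolean8 guest;
		boolean8 system;

		utf8string unix_name;

		/*
		 * For performance reasons we keep an alpha_strcpy-sanitized version
		 * of the username around as long as the global variable current_user
		 * still exists. If we did not keep this, we'd have to call
		 * alpha_strcpy whenever we do a become_user(), potentially on every
		 * smb request. See set_current_user_info in source3.
		 */
		utf8string sanitized_username;
	} auth_user_info_unix;

	/* This is the interim product of the auth subsystem, before
	 * privileges and local groups are handled */
	typedef [public] struct {
		uint32 num_sids;
		[size_is(num_sids)] dom_sid sids[*];
		auth_user_info *info;
		/* Both blobs below are key material and are part of the
		 * marshalled form of this structure.
		 * NOTE(review): any generated print/debug helper for this
		 * type would presumably include these bytes -- confirm that
		 * they cannot reach logs. */
		DATA_BLOB user_session_key;
		DATA_BLOB lm_session_key;
	} auth_user_info_dc;

	typedef [public] struct {
		/* The token and unix_token describe who the session acts
		 * as; a receiver of a marshalled copy has no way, from this
		 * structure alone, to verify them. */
		security_token *security_token;
		security_unix_token *unix_token;
		auth_user_info *info;
		auth_user_info_unix *unix_info;
		/* NOTE(review): [value(NULL), ignore] presumably keeps the
		 * two pointers so marked out of the marshalled form, so
		 * they are NULL after a pull -- confirm against pidl. */
		[value(NULL), ignore] auth_user_info_torture *torture;
		/* Key material: handle as a secret. */
		DATA_BLOB session_key;
		[value(NULL), ignore] cli_credentials *credentials;
	} auth_session_info;

	typedef [public] struct {
		security_token *security_token;
		security_unix_token *unix_token;
		netr_SamInfo3 *info3;
		auth_user_info_unix *unix_info;
		/* NOTE(review): [value(NULL), ignore] presumably keeps the
		 * two pointers so marked out of the marshalled form --
		 * confirm against pidl. */
		[value(NULL), ignore] auth_user_info_torture *torture;

		/* This is the final session key, as used by SMB signing, and
		 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
		 * when over ncacn_np.
		 * It is calculated by NTLMSSP from the session key in the info3,
		 * and is set from the Kerberos session key using
		 * krb5_auth_con_getremotesubkey().
		 *
		 * Bottom line, it is not the same as the session keys in info3.
		 */

		DATA_BLOB session_key;

		[value(NULL), ignore] cli_credentials *credentials;
	} auth3_session_info;

	/* Bundles a complete session description with exported GSSAPI
	 * credentials.
	 * NOTE(review): going by the name, this is the form in which a
	 * session is handed from one process to another. Whoever can
	 * supply this blob chooses the security token the receiver will
	 * act under, and the blob also holds a session key and
	 * credentials, so the channel that carries it needs to be
	 * restricted to trusted peers and protected from disclosure --
	 * confirm how callers enforce this. */
	typedef [public] struct {
		auth_session_info *session_info;
		DATA_BLOB exported_gssapi_credentials;
	} auth_session_info_transport;
}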