/*
   Unix SMB/CIFS implementation.
   Standardised Authentication types
   Copyright (C) Andrew Bartlett 2001-2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# ifndef AUTH_COMMON_AUTH_H
# define AUTH_COMMON_AUTH_H
# include "librpc/gen_ndr/auth.h"
/*
 * USER_INFO_* bit values.
 *
 * NOTE(review): presumably these are the bits carried in
 * auth_usersupplied_info.flags (declared below) — confirm against callers.
 * Bit 0x10 is intentionally unassigned: it belonged to the retired
 * USER_INFO_LOCAL_SAM_ONLY (kept as a comment below), so do not reuse the
 * value without checking that no caller still passes it.
 */
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
/*unused #define USER_INFO_LOCAL_SAM_ONLY 0x10 Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
#define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
/*
 * Which form of credential a struct auth_usersupplied_info carries.
 *
 * The enumerator names line up with the members of that struct's
 * `password` sub-struct (plaintext / hash / response).  Values start at 1,
 * presumably so that a zero-initialised state is never mistaken for a
 * valid one.
 */
enum auth_password_state {
	AUTH_PASSWORD_PLAIN = 1,
	AUTH_PASSWORD_HASH = 2,
	AUTH_PASSWORD_RESPONSE = 3
};
/*
 * AUTH_SESSION_INFO_* bit values.
 *
 * NOTE(review): presumably the bits accepted in the session_info_flags
 * argument of the generate_session_info / generate_session_info_pac
 * callbacks in struct auth4_context below — confirm against callers.
 *
 * Several of these add group memberships ("authenticated users", default
 * world/network groups) to the resulting token; the caller is the one
 * asserting that the user or device actually proved its credentials, so
 * set them only on a successful authentication path.
 */
#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
#define AUTH_SESSION_INFO_AUTHENTICATED  0x02 /* Add the user to the 'authenticated users' group */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privileges, rather than a DB */
#define AUTH_SESSION_INFO_UNIX_TOKEN     0x08 /* The returned token must have the unix_token and unix_info elements provided */
#define AUTH_SESSION_INFO_NTLM           0x10 /* The returned token must have authenticated-with-NTLM flag set */
#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */
#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */
#define AUTH_SESSION_INFO_DEVICE_AUTHENTICATED 0x80 /* Add the device to the 'authenticated users' group */
/*
 * Credentials and connection context supplied for one authentication
 * attempt.
 *
 * Filled in by the caller and passed read-only (const) to the
 * check_ntlm_password_send callback of struct auth4_context and to
 * log_authentication_event() below.  Contains secret material (see the
 * `password` member), so instances should be freed promptly once the
 * attempt is complete.
 */
struct auth_usersupplied_info
{
	const char *workstation_name;
	/* Endpoints of the connection carrying the request (by name; confirm) */
	const struct tsocket_address *remote_host;
	const struct tsocket_address *local_host;

	uint32_t logon_parameters;

	/*
	 * NOTE(review): cracknames_called / was_mapped presumably record
	 * whether the supplied names went through name mapping, with the
	 * results in `mapped` and the pre-mapping names in `orig_client`
	 * — confirm against callers.
	 */
	bool cracknames_called;
	bool was_mapped;
	uint64_t logon_id;

	/* the values the client gives us */
	struct {
		const char *account_name;
		const char *domain_name;
	} client, mapped, orig_client;

	/*
	 * Selects which member of `password` is in use; the enumerator
	 * names match the member names below.
	 */
	enum auth_password_state password_state;

	struct {
		/* AUTH_PASSWORD_RESPONSE: challenge/response blobs */
		struct {
			DATA_BLOB lanman;
			DATA_BLOB nt;
		} response;
		/* AUTH_PASSWORD_HASH: pre-hashed credentials */
		struct {
			struct samr_Password *lanman;
			struct samr_Password *nt;
		} hash;

		/*
		 * AUTH_PASSWORD_PLAIN: the cleartext password.
		 * NOTE(review): secret material — confirm the owner
		 * clears it from memory when the info is released.
		 */
		char *plaintext;
	} password;
	/* NOTE(review): presumably a bitmask of USER_INFO_* — confirm */
	uint32_t flags;

	/* Details of the netlogon secure channel, when one is involved */
	struct {
		uint32_t negotiate_flags;
		bool authenticate_kerberos;
		enum netr_SchannelType secure_channel_type;
		const char *computer_name; /* [charset(UTF8)] */
		const char *account_name; /* [charset(UTF8)] */
		struct dom_sid *sid; /* [unique] */
	} netlogon_trust_account;

	/* Free-text descriptions used by the logging helpers below */
	const char *service_description;
	const char *auth_description;

	/*
	 * for logging only, normally worked out from the password but
	 * for krb5 logging only (krb5 normally doesn't use this) we
	 * record the enc type here
	 */
	const char *password_type;
};
/*
 * Opaque context types referenced below.  This header only ever holds
 * pointers to them, so their full definitions stay with their own
 * subsystems.
 */
struct auth_method_context;
struct tevent_context;
struct imessaging_context;
struct loadparm_context;
struct ldb_context;
struct smb_krb5_context;
/*
 * Server-side authentication context.
 *
 * Holds the state shared by the configured authentication methods
 * (NTLM challenge, event/messaging/loadparm contexts, SAM handle) and a
 * table of callbacks through which callers check credentials and turn a
 * successful check into a struct auth_session_info.
 */
struct auth4_context {
	/*
	 * NTLM server challenge for this context.  Presumably filled by
	 * set_ntlm_challenge() and read back by get_ntlm_challenge() below.
	 * NOTE(review): this is the server nonce of the NTLM exchange —
	 * confirm it is generated fresh for each authentication and never
	 * reused across sessions.
	 */
	struct {
		/* Who set this up in the first place? */
		const char *set_by;
		DATA_BLOB data;
	} challenge;

	/* methods, in the order they should be called */
	struct auth_method_context *methods;

	/* the event context to use for calls that can block */
	struct tevent_context *event_ctx;

	/* the messaging context which can be used by backends */
	struct imessaging_context *msg_ctx;

	/* loadparm context */
	struct loadparm_context *lp_ctx;

	/* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */
	struct ldb_context *sam_ctx;

	/* The time this authentication started */
	struct timeval start_time;

	/* Private data for the callbacks on this auth context */
	void *private_data;

	/* Kerberos context, set up on demand */
	struct smb_krb5_context *smb_krb5_context;

	/*
	 * Asynchronous NTLM credential check (tevent send/recv pair).
	 *
	 * _send starts the check of user_info (read-only) and returns a
	 * tevent_req; _recv collects the result.  On return from _recv:
	 *   pauthoritative      - presumably non-zero when the verdict is
	 *                         authoritative (i.e. another method need
	 *                         not be consulted) — confirm
	 *   server_returned_info - opaque backend result, allocated on
	 *                         mem_ctx, later handed to
	 *                         generate_session_info()
	 *   nt_session_key /
	 *   lm_session_key      - presumably the session keys derived from
	 *                         a successful check — confirm
	 */
	struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
						       struct tevent_context *ev,
						       struct auth4_context *auth_ctx,
						       const struct auth_usersupplied_info *user_info);
	NTSTATUS (*check_ntlm_password_recv)(struct tevent_req *req,
					     TALLOC_CTX *mem_ctx,
					     uint8_t *pauthoritative,
					     void **server_returned_info,
					     DATA_BLOB *nt_session_key,
					     DATA_BLOB *lm_session_key);

	/* Copy the current 8-byte challenge into chal */
	NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);

	/*
	 * Install an 8-byte challenge chosen elsewhere; set_by names the
	 * component that chose it (recorded in challenge.set_by above).
	 */
	NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);

	/*
	 * Build a session_info (allocated on mem_ctx) from the
	 * server_returned_info produced by check_ntlm_password_recv().
	 * session_info_flags is presumably a bitmask of AUTH_SESSION_INFO_*.
	 */
	NTSTATUS (*generate_session_info)(struct auth4_context *auth_context,
					  TALLOC_CTX *mem_ctx,
					  void *server_returned_info,
					  const char *original_user_name,
					  uint32_t session_info_flags,
					  struct auth_session_info **session_info);

	/*
	 * Build a session_info (allocated on mem_ctx) from a Kerberos PAC
	 * blob instead of an NTLM check result.  NOTE(review): pac_blob is
	 * attacker-influenced input until its signatures have been
	 * verified — confirm that happens before any of its contents are
	 * trusted.
	 */
	NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx,
					      TALLOC_CTX *mem_ctx,
					      struct smb_krb5_context *smb_krb5_context,
					      DATA_BLOB *pac_blob,
					      const char *principal_name,
					      const struct tsocket_address *remote_address,
					      uint32_t session_info_flags,
					      struct auth_session_info **session_info);
};
/*
 * String constants describing how the transport protected the
 * authenticated session.  Intended for the transport_protection argument
 * of log_successful_authz_event() below (matching by name; confirm).
 */
#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE"
#define AUTHZ_TRANSPORT_PROTECTION_SMB  "SMB"
#define AUTHZ_TRANSPORT_PROTECTION_TLS  "TLS"
#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
/* Opaque audit record attached to the client and server sides of a request */
struct authn_audit_info;

/*
 * Log details of an authentication attempt.
 * Successful and unsuccessful attempts are logged.
 *
 * NOTE: msg_ctx and lp_ctx are optional, but when supplied allow streaming the
 * authentication events over the message bus.
 *
 * @param msg_ctx            messaging context for the event bus, or NULL
 * @param lp_ctx             loadparm context, or NULL
 * @param start_time         when the attempt began (cf. auth4_context.start_time)
 * @param ui                 the credentials that were checked (read-only)
 * @param status             outcome of the check
 * @param domain_name        domain the account resolved to
 * @param account_name       account the attempt resolved to
 * @param sid                SID of that account (not modified; could be const)
 * @param client_audit_info  client-side audit record, may be NULL (presumed)
 * @param server_audit_info  server-side audit record, may be NULL (presumed)
 */
void log_authentication_event(struct imessaging_context *msg_ctx,
			      struct loadparm_context *lp_ctx,
			      const struct timeval *start_time,
			      const struct auth_usersupplied_info *ui,
			      NTSTATUS status,
			      const char *domain_name,
			      const char *account_name,
			      struct dom_sid *sid,
			      const struct authn_audit_info *client_audit_info,
			      const struct authn_audit_info *server_audit_info);
/*
 * Log details of a successful authorization to a service.
 *
 * Only successful authorizations are logged.  For clarity:
 * - NTLM bad passwords will be recorded by log_authentication_event
 * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
 *
 * The service may later refuse authorization due to an ACL.
 *
 * NOTE: msg_ctx and lp_ctx are optional, but when supplied allow streaming the
 * authorization events over the message bus.
 *
 * @param msg_ctx               messaging context for the event bus, or NULL
 * @param lp_ctx                loadparm context, or NULL
 * @param remote                client endpoint of the connection
 * @param local                 server endpoint of the connection
 * @param service_description   free-text name of the service authorized to
 * @param auth_type             free-text name of the authentication mechanism
 * @param transport_protection  one of the AUTHZ_TRANSPORT_PROTECTION_* strings
 * @param session_info          the token that was granted (not modified here
 *                              as far as this header shows; could be const)
 * @param client_audit_info     client-side audit record, may be NULL (presumed)
 * @param server_audit_info     server-side audit record, may be NULL (presumed)
 */
void log_successful_authz_event(struct imessaging_context *msg_ctx,
				struct loadparm_context *lp_ctx,
				const struct tsocket_address *remote,
				const struct tsocket_address *local,
				const char *service_description,
				const char *auth_type,
				const char *transport_protection,
				struct auth_session_info *session_info,
				const struct authn_audit_info *client_audit_info,
				const struct authn_audit_info *server_audit_info);
/*
 * Log details of an authorization to a service.
 *
 * Unlike log_successful_authz_event(), this variant takes the resolved
 * identity as separate fields plus an explicit status rather than a
 * session_info, so it can describe the authorization without a token.
 *
 * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the
 * authorization events over the message bus.
 *
 * @param msg_ctx              messaging context for the event bus, or NULL
 * @param lp_ctx               loadparm context, or NULL
 * @param remote               client endpoint of the connection
 * @param local                server endpoint of the connection
 * @param server_audit_info    server-side audit record, may be NULL (presumed)
 * @param service_description  free-text name of the service authorized to
 * @param auth_type            free-text name of the authentication mechanism
 * @param domain_name          domain of the authorized account
 * @param account_name         name of the authorized account
 * @param sid                  SID of the authorized account
 * @param logon_server         server that performed the logon
 * @param authtime             authentication time, passed by value
 * @param status               outcome being logged
 *
 * NOTE(review): sid is const here but non-const in
 * log_authentication_event(); the two declarations could agree.
 */
void log_authz_event(
	struct imessaging_context *msg_ctx,
	struct loadparm_context *lp_ctx,
	const struct tsocket_address *remote,
	const struct tsocket_address *local,
	const struct authn_audit_info *server_audit_info,
	const char *service_description,
	const char *auth_type,
	const char *domain_name,
	const char *account_name,
	const struct dom_sid *sid,
	const char *logon_server,
	const struct timeval authtime,
	NTSTATUS status);
# endif