#include "idl_types.h"
/*
Authentication IDL structures
These are NOT public network structures, but it is helpful to define
these things in IDL. They may change without ABI breakage or
warning.
*/
import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
[
pyhelper("librpc/ndr/py_auth.c"),
helper("../librpc/ndr/ndr_auth.h"),
helpstring("internal Samba authentication structures")
]
interface auth
{
	/*
	 * How a session was authenticated. UNAUTHENTICATED is the zero
	 * value, so a zero-initialised field reads as "not authenticated"
	 * rather than as one of the real mechanisms.
	 */
	typedef [public] enum {
		SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
		SEC_AUTH_METHOD_NTLM = 1,
		SEC_AUTH_METHOD_KERBEROS = 2
	} auth_method;

	/* This is the parts of the session_info that don't change
	 * during local privilege and group manipulations */
	typedef [public] struct {
		/* All string members are [unique], i.e. may be NULL; callers
		 * must check before dereferencing. */
		[unique,charset(UTF8),string] char *account_name;
		[unique,charset(UTF8),string] char *user_principal_name;
		/* NOTE(review): presumably true when user_principal_name was
		 * built locally rather than supplied by the authentication
		 * source -- inferred from the name, confirm against the setter. */
		boolean8 user_principal_constructed;
		[unique,charset(UTF8),string] char *domain_name;
		[unique,charset(UTF8),string] char *dns_domain_name;
		[unique,charset(UTF8),string] char *full_name;
		[unique,charset(UTF8),string] char *logon_script;
		[unique,charset(UTF8),string] char *profile_path;
		[unique,charset(UTF8),string] char *home_directory;
		[unique,charset(UTF8),string] char *home_drive;
		[unique,charset(UTF8),string] char *logon_server;
		NTTIME last_logon;
		NTTIME last_logoff;
		NTTIME acct_expiry;
		NTTIME last_password_change;
		NTTIME allow_password_change;
		NTTIME force_password_change;
		uint16 logon_count;
		uint16 bad_password_count;
		/* Account control flags (ACB_*-style); distinct from the
		 * per-logon user_flags below. */
		uint32 acct_flags;
		/*
		 * The NETLOGON_GUEST flag being set indicates the user is not
		 * authenticated. Code deciding whether a session is genuinely
		 * authenticated should test this flag rather than assume a
		 * non-NULL auth_user_info implies a real logon.
		 */
		uint32 user_flags;
	} auth_user_info;

	/* This information is preserved only to assist torture tests */
	typedef [public] struct {
		/* Number SIDs from the DC netlogon validation info */
		uint32 num_dc_sids;
		/* Length is taken from num_dc_sids; the two must be kept in
		 * step by whoever fills the struct. */
		[size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
	} auth_user_info_torture;

	/* Unix-side identity derived for the session. */
	typedef [public] struct {
		[unique,charset(UTF8),string] char *unix_name;
		/*
		 * For performance reasons we keep an alpha_strcpy-sanitized version
		 * of the username around as long as the global variable current_user
		 * still exists. If we did not do keep this, we'd have to call
		 * alpha_strcpy whenever we do a become_user(), potentially on every
		 * smb request. See set_current_user_info in source3.
		 */
		[unique,charset(UTF8),string] char *sanitized_username;
	} auth_user_info_unix;

	/*
	 * If the user was authenticated with a Kerberos ticket, this indicates
	 * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
	 * unset, the type is unknown. This indicator is useful for the KDC and
	 * the kpasswd service, which share the same account and keys. By
	 * ensuring it is provided with the appropriate ticket type, each service
	 * avoids accepting a ticket meant for the other.
	 *
	 * The heuristic used to determine the type is the presence or absence
	 * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
	 * we have a TGT. This heuristic will fail for older Samba versions and
	 * Windows prior to Nov. 2021 updates, which lack support for this
	 * buffer.
	 *
	 * TICKET_TYPE_UNKNOWN is the zero value. Because the heuristic can
	 * leave the type unknown, a consumer that relies on this field to
	 * reject the wrong kind of ticket should decide explicitly how
	 * UNKNOWN is treated rather than letting it fall through as either
	 * of the other two values.
	 */
	typedef enum {
		TICKET_TYPE_UNKNOWN = 0,
		TICKET_TYPE_TGT = 1,
		TICKET_TYPE_NON_TGT = 2
	} ticket_type;

	/*
	 * Used to indicate whether or not to include or disregard resource
	 * groups when forming a SamInfo structure, user_info_dc structure, or
	 * PAC, and whether or not to compress them when forming a PAC.
	 *
	 * When producing a TGT, existing resource groups are always copied
	 * unmodified into the PAC. When producing a service ticket, existing
	 * resource groups and resource groups in other domains are always
	 * discarded.
	 *
	 * Note that 0 is reserved as INVALID and no member has the value 1,
	 * presumably so that a zero-initialised or stale value can never be
	 * read as a deliberate inclusion choice; callers are expected to
	 * reject INVALID explicitly.
	 */
	typedef enum {
		AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
		AUTH_INCLUDE_RESOURCE_GROUPS = 2,
		AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
		AUTH_EXCLUDE_RESOURCE_GROUPS = 4
	} auth_group_inclusion;

	/* A SID together with its group attributes (from security.idl). */
	typedef [public] struct {
		dom_sid sid;
		security_GroupAttrs attrs;
	} auth_SidAttr;

	/* This is the interim product of the auth subsystem, before
	 * privileges and local groups are handled */
	typedef [public] struct {
		uint32 num_sids;
		/* Length is taken from num_sids; keep the two consistent. */
		[size_is(num_sids)] auth_SidAttr sids[*];
		auth_user_info *info;
		/* [noprint] keeps the key material out of the generated
		 * ndr_print debug output. */
		[noprint] DATA_BLOB user_session_key;
		[noprint] DATA_BLOB lm_session_key;
		/* See the ticket_type enum comment for how this is derived. */
		ticket_type ticket_type;
	} auth_user_info_dc;

	/* The final, fully processed session: what the rest of the server
	 * consults for access decisions. */
	typedef [public] struct {
		/* NT-side token used for access checks (security.idl). */
		security_token *security_token;
		/* Unix-side token (uid/gids) for filesystem access. */
		security_unix_token *unix_token;
		auth_user_info *info;
		auth_user_info_unix *unix_info;
		/* [ignore]: not marshalled, so a transported session_info
		 * carries no torture data; [value(NULL)] leaves it NULL. */
		[value(NULL), ignore] auth_user_info_torture *torture;
		/* This is the final session key, as used by SMB signing, and
		 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
		 * when over ncacn_np.
		 * It is calculated by NTLMSSP from the session key in the info3,
		 * and is set from the Kerberos session key using
		 * krb5_auth_con_getremotesubkey().
		 *
		 * Bottom line, it is not the same as the session keys in info3.
		 * [noprint] keeps it out of ndr_print debug output.
		 */
		[noprint] DATA_BLOB session_key;
		/* Not marshalled ([ignore]); NULL on the receiving side, so
		 * credentials never cross a transport boundary in this struct. */
		[value(NULL), ignore] cli_credentials *credentials;
		/*
		 * It is really handy to have our authorization code log a
		 * token that can be used to tie later requests together.
		 * We generate this in auth_generate_session_info()
		 */
		GUID unique_session_token;
		/* Mirrors auth_user_info_dc.ticket_type; see the enum comment. */
		ticket_type ticket_type;
	} auth_session_info;

	/* Wrapper used when a session_info is handed across a transport. */
	typedef [public] struct {
		auth_session_info *session_info;
		/* Serialised GSSAPI delegated credentials, if any; [noprint]
		 * keeps them out of ndr_print debug output. */
		[noprint] DATA_BLOB exported_gssapi_credentials;
	} auth_session_info_transport;
}