/*
   Unix SMB/CIFS implementation.
   Standardised Authentication types
   Copyright (C) Andrew Bartlett 2001-2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# ifndef AUTH_COMMON_AUTH_H
# define AUTH_COMMON_AUTH_H
# include "librpc/gen_ndr/auth.h"
/*
 * Per-request bit flags describing how the supplied credentials are to be
 * checked.  NOTE(review): these appear to be the values carried in
 * auth_usersupplied_info.flags -- confirm against the callers that set them.
 */
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
/* Bit 0x10 is retired and deliberately left unassigned: */
/*unused #define USER_INFO_LOCAL_SAM_ONLY 0x10 Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
/*
 * Only fill in server_info->info3 and do not do any authorization steps.
 * A caller that sets this bit takes responsibility for whatever
 * authorization decision is made afterwards.
 */
#define USER_INFO_INFO3_AND_NO_AUTHZ        0x20
/*
 * Which form of credential the client supplied.
 *
 * Presumably selects the member of auth_usersupplied_info.password that
 * the caller populated (plaintext, hash or response); the other members
 * should not be read.  Numbering starts at 1, so a zero-initialised
 * password_state never matches a valid form.
 */
enum auth_password_state {
	AUTH_PASSWORD_PLAIN = 1,	/* password.plaintext */
	AUTH_PASSWORD_HASH = 2,		/* password.hash.{lanman,nt} */
	AUTH_PASSWORD_RESPONSE = 3	/* password.response.{lanman,nt} */
};
/*
 * Bit flags controlling how a session token is built.
 * NOTE(review): these appear to be the values passed as session_info_flags
 * to auth4_context.generate_session_info / generate_session_info_pac --
 * confirm with the implementations.
 */
#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
/*
 * Use a trivial map between users and privileges, rather than a DB.
 * Because the privilege set is then not taken from the database, callers
 * should only use this where a database-backed answer is not required.
 */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04
#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */
#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */
#define AUTH_SESSION_INFO_DEVICE_AUTHENTICATED 0x80 /* Add the device to the 'authenticated users' group */
/*
 * Everything the caller knows about one authentication attempt: where it
 * came from, what names the client presented (before and after mapping),
 * and the credential in whichever form it was supplied.
 *
 * Ownership: the pointer members are not documented here as owned by this
 * struct; NOTE(review) -- confirm talloc parentage with the code that
 * builds these.
 */
struct auth_usersupplied_info
{
	/* Workstation name as presented by the client */
	const char *workstation_name;
	/* Address of the peer making the request */
	const struct tsocket_address *remote_host;
	/* Address on which the request was received */
	const struct tsocket_address *local_host;
	/* NOTE(review): presumably the netlogon logon parameter bits -- confirm */
	uint32_t logon_parameters;
	/* Set once name cracking has been attempted for this request (see mapped) */
	bool cracknames_called;
	/* True if the presented name was mapped to another (presumably client != mapped) */
	bool was_mapped;
	/* Identifier correlating the log records of one logon */
	uint64_t logon_id;

	/*
	 * The values the client gives us.  All three use the same shape:
	 *   client      - as presented by the client
	 *   mapped      - after any name mapping/cracking
	 *   orig_client - NOTE(review): presumably the pre-mapping copy kept
	 *                 when client itself is rewritten; confirm
	 */
	struct {
		const char *account_name;
		const char *domain_name;
	} client, mapped, orig_client;

	/* Selects which member of password below is populated */
	enum auth_password_state password_state;
	struct {
		/* AUTH_PASSWORD_RESPONSE: challenge/response blobs from the client */
		struct {
			DATA_BLOB lanman;
			DATA_BLOB nt;
		} response;
		/* AUTH_PASSWORD_HASH: pre-hashed credentials */
		struct {
			struct samr_Password *lanman;
			struct samr_Password *nt;
		} hash;
		/*
		 * AUTH_PASSWORD_PLAIN: cleartext credential.  This is secret
		 * material; NOTE(review) -- confirm it is cleared when the
		 * structure is released rather than merely freed.
		 */
		char *plaintext;
	} password;
	/* USER_INFO_* bits (presumably; see the defines above) */
	uint32_t flags;

	/* Identity of the trust account when the request arrives via netlogon */
	struct {
		uint32_t negotiate_flags;
		enum netr_SchannelType secure_channel_type;
		const char *computer_name; /* [charset(UTF8)] */
		const char *account_name; /* [charset(UTF8)] */
		struct dom_sid *sid; /* [unique] */
	} netlogon_trust_account;

	/* Human-readable service name, used in the authentication log */
	const char *service_description;
	/* Human-readable authentication mechanism, used in the authentication log */
	const char *auth_description;
	/*
	 * For logging only, normally worked out from the password but
	 * for krb5 logging only (krb5 normally doesn't use this) we
	 * record the enc type here.
	 */
	const char *password_type;
};
struct auth_method_context;
struct tevent_context;
struct imessaging_context;
struct loadparm_context;
struct ldb_context;
struct smb_krb5_context;

/*
 * Authentication context.
 *
 * Holds the current NTLM challenge, the ordered list of backends, the
 * contexts those backends need, and the callbacks through which a
 * transport checks a password and turns the result into a session token.
 * The callbacks are plain function pointers; NOTE(review) -- this header
 * does not say whether they may be NULL, confirm before calling.
 */
struct auth4_context {
	struct {
		/* Who set this up in the first place? */
		const char *set_by;
		/* The server challenge; presumably what get/set_ntlm_challenge read and write */
		DATA_BLOB data;
	} challenge;
	/* methods, in the order they should be called */
	struct auth_method_context *methods;
	/* the event context to use for calls that can block */
	struct tevent_context *event_ctx;
	/* the messaging context which can be used by backends */
	struct imessaging_context *msg_ctx;
	/* loadparm context */
	struct loadparm_context *lp_ctx;
	/* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */
	struct ldb_context *sam_ctx;
	/* The time this authentication started */
	struct timeval start_time;
	/* Private data for the callbacks on this auth context */
	void *private_data;
	/* Kerberos context, set up on demand */
	struct smb_krb5_context *smb_krb5_context;

	/*
	 * Start an asynchronous NTLM password check of user_info.
	 * Returns a tevent_req to be completed with check_ntlm_password_recv.
	 */
	struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
						       struct tevent_context *ev,
						       struct auth4_context *auth_ctx,
						       const struct auth_usersupplied_info *user_info);
	/*
	 * Collect the result of check_ntlm_password_send.
	 *   pauthoritative      - NOTE(review): presumably whether the returned
	 *                         status is the final word or another backend
	 *                         may be consulted; confirm with implementations
	 *   server_returned_info - opaque result, later handed to
	 *                         generate_session_info
	 *   nt_session_key/lm_session_key - session keys derived from the
	 *                         exchange (secret material)
	 */
	NTSTATUS (*check_ntlm_password_recv)(struct tevent_req *req,
					     TALLOC_CTX *mem_ctx,
					     uint8_t *pauthoritative,
					     void **server_returned_info,
					     DATA_BLOB *nt_session_key,
					     DATA_BLOB *lm_session_key);

	/* Fill chal with the 8-byte NTLM server challenge for this context */
	NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);

	/*
	 * Install an externally chosen 8-byte challenge.  set_by names the
	 * origin (presumably recorded in challenge.set_by) so later checks
	 * and logs can tell a server-generated challenge from an imposed one.
	 */
	NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);

	/*
	 * Build the session token from the opaque server_returned_info
	 * produced by check_ntlm_password_recv.  session_info_flags presumably
	 * takes the AUTH_SESSION_INFO_* bits.
	 */
	NTSTATUS (*generate_session_info)(struct auth4_context *auth_context,
					  TALLOC_CTX *mem_ctx,
					  void *server_returned_info,
					  const char *original_user_name,
					  uint32_t session_info_flags,
					  struct auth_session_info **session_info);
	/*
	 * Build the session token from a Kerberos PAC.  pac_blob is data that
	 * arrived from the client's ticket and must be validated by the
	 * implementation before it is trusted.
	 */
	NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx,
					      TALLOC_CTX *mem_ctx,
					      struct smb_krb5_context *smb_krb5_context,
					      DATA_BLOB *pac_blob,
					      const char *principal_name,
					      const struct tsocket_address *remote_address,
					      uint32_t session_info_flags,
					      struct auth_session_info **session_info);
};
/*
 * String labels for the protection applied to the transport over which
 * an authorization was granted; intended for the transport_protection
 * argument of log_successful_authz_event().  They end up in log records,
 * so keep the spellings stable.
 */
#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE"
#define AUTHZ_TRANSPORT_PROTECTION_SMB "SMB"
#define AUTHZ_TRANSPORT_PROTECTION_TLS "TLS"
#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
/*
 * Log details of an authentication attempt.
 * Successful and unsuccessful attempts are logged.
 *
 * NOTE: msg_ctx and lp_ctx are optional, but when supplied allow streaming
 * the authentication events over the message bus.
 *
 *   start_time         - when the attempt began (see auth4_context.start_time)
 *   ui                 - the request as presented, including client names
 *   status             - outcome of the attempt
 *   domain_name/
 *   account_name/sid   - the identity the attempt resolved to, if any
 *   client_audit_info/
 *   server_audit_info  - audit details for each side of the exchange
 *
 * NOTE(review): sid is non-const here but const in log_authz_event();
 * aligning them would also require changing the definition.
 */
struct authn_audit_info;

void log_authentication_event(struct imessaging_context *msg_ctx,
			      struct loadparm_context *lp_ctx,
			      const struct timeval *start_time,
			      const struct auth_usersupplied_info *ui,
			      NTSTATUS status,
			      const char *domain_name,
			      const char *account_name,
			      struct dom_sid *sid,
			      const struct authn_audit_info *client_audit_info,
			      const struct authn_audit_info *server_audit_info);
/*
 * Log details of a successful authorization to a service.
 *
 * Only successful authorizations are logged.  For clarity:
 *  - NTLM bad passwords will be recorded by log_authentication_event
 *  - Kerberos decrypt failures need to be logged in gensec_gssapi et al
 *
 * The service may later refuse authorization due to an ACL.
 *
 * NOTE: msg_ctx and lp_ctx are optional, but when supplied allow streaming
 * the authorization events over the message bus.
 *
 *   remote/local         - addresses of the two ends of the connection
 *   service_description  - human-readable service name
 *   auth_type            - human-readable mechanism name
 *   transport_protection - one of the AUTHZ_TRANSPORT_PROTECTION_* strings
 *   session_info         - the token that was granted
 *   client_audit_info/
 *   server_audit_info    - audit details for each side of the exchange
 */
void log_successful_authz_event(struct imessaging_context *msg_ctx,
				struct loadparm_context *lp_ctx,
				const struct tsocket_address *remote,
				const struct tsocket_address *local,
				const char *service_description,
				const char *auth_type,
				const char *transport_protection,
				struct auth_session_info *session_info,
				const struct authn_audit_info *client_audit_info,
				const struct authn_audit_info *server_audit_info);
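/*
 * Log details of an authorization to a service.
 *
 * Unlike log_successful_authz_event(), the outcome is passed explicitly in
 * status rather than implied, and the identity is given as separate
 * domain/account/sid values instead of a session token.
 *
 * NOTE: msg_ctx and lp_ctx are optional, but when supplied allow streaming
 * the authorization events over the message bus.
 *
 *   remote/local        - addresses of the two ends of the connection
 *   server_audit_info   - audit details for the server side
 *   service_description - human-readable service name
 *   auth_type           - human-readable mechanism name
 *   domain_name/
 *   account_name/sid    - the identity that was authorized
 *   logon_server        - the server that performed the logon
 *   authtime            - passed by value (a top-level const on a by-value
 *                         parameter has no effect on the prototype and is
 *                         therefore omitted here)
 *   status              - outcome of the authorization
 */
void log_authz_event(
	struct imessaging_context *msg_ctx,
	struct loadparm_context *lp_ctx,
	const struct tsocket_address *remote,
	const struct tsocket_address *local,
	const struct authn_audit_info *server_audit_info,
	const char *service_description,
	const char *auth_type,
	const char *domain_name,
	const char *account_name,
	const struct dom_sid *sid,
	const char *logon_server,
	struct timeval authtime,
	NTSTATUS status);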
# endif