#include "idl_types.h" /* Authentication IDL structures These are NOT public network structures, but it is helpful to define these things in IDL. They may change without ABI breakage or warning. */ import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl"; [ pyhelper("librpc/ndr/py_auth.c"), helper("../librpc/ndr/ndr_auth.h"), helpstring("internal Samba authentication structures") ] interface auth { typedef [public] enum { SEC_AUTH_METHOD_UNAUTHENTICATED = 0, SEC_AUTH_METHOD_NTLM = 1, SEC_AUTH_METHOD_KERBEROS = 2 } auth_method; /* This is the parts of the session_info that don't change * during local privilege and group manipulations */ typedef [public] struct { [unique,charset(UTF8),string] char *account_name; [unique,charset(UTF8),string] char *user_principal_name; boolean8 user_principal_constructed; [unique,charset(UTF8),string] char *domain_name; [unique,charset(UTF8),string] char *dns_domain_name; [unique,charset(UTF8),string] char *full_name; [unique,charset(UTF8),string] char *logon_script; [unique,charset(UTF8),string] char *profile_path; [unique,charset(UTF8),string] char *home_directory; [unique,charset(UTF8),string] char *home_drive; [unique,charset(UTF8),string] char *logon_server; NTTIME last_logon; NTTIME last_logoff; NTTIME acct_expiry; NTTIME last_password_change; NTTIME allow_password_change; NTTIME force_password_change; uint16 logon_count; uint16 bad_password_count; uint32 acct_flags; uint8 authenticated; } auth_user_info; /* This information is preserved only to assist torture tests */ typedef [public] struct { /* Number SIDs from the DC netlogon validation info */ uint32 num_dc_sids; [size_is(num_dc_sids)] auth_SidAttr dc_sids[*]; } auth_user_info_torture; typedef [public] struct { [unique,charset(UTF8),string] char *unix_name; /* * For performance reasons we keep an alpha_strcpy-sanitized version * of the username around as long as the global variable current_user * still exists. If we did not do keep this, we'd have to call * alpha_strcpy whenever we do a become_user(), potentially on every * smb request. See set_current_user_info in source3. */ [unique,charset(UTF8),string] char *sanitized_username; } auth_user_info_unix; /* * If the user was authenticated with a Kerberos ticket, this indicates * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If * unset, the type is unknown. This indicator is useful for the KDC and * the kpasswd service, which share the same account and keys. By * ensuring it is provided with the appopriate ticket type, each service * avoids accepting a ticket meant for the other. * * The heuristic used to determine the type is the presence or absence * of a REQUESTER_SID buffer in the PAC; we use its presence to assume * we have a TGT. This heuristic will fail for older Samba versions and * Windows prior to Nov. 2021 updates, which lack support for this * buffer. */ typedef enum { TICKET_TYPE_UNKNOWN = 0, TICKET_TYPE_TGT = 1, TICKET_TYPE_NON_TGT = 2 } ticket_type; /* * Used to indicate whether or not to include resource groups in the * formation of SamInfo or a PAC. */ typedef enum { AUTH_INCLUDE_RESOURCE_GROUPS = 0, AUTH_EXCLUDE_RESOURCE_GROUPS = 1 } auth_group_inclusion; typedef [public] struct { dom_sid sid; security_GroupAttrs attrs; } auth_SidAttr; /* This is the interim product of the auth subsystem, before * privileges and local groups are handled */ typedef [public] struct { uint32 num_sids; [size_is(num_sids)] auth_SidAttr sids[*]; auth_user_info *info; [noprint] DATA_BLOB user_session_key; [noprint] DATA_BLOB lm_session_key; ticket_type ticket_type; } auth_user_info_dc; typedef [public] struct { security_token *security_token; security_unix_token *unix_token; auth_user_info *info; auth_user_info_unix *unix_info; [value(NULL), ignore] auth_user_info_torture *torture; /* This is the final session key, as used by SMB signing, and * (truncated to 16 bytes) encryption on the SAMR and LSA pipes * when over ncacn_np. * It is calculated by NTLMSSP from the session key in the info3, * and is set from the Kerberos session key using * krb5_auth_con_getremotesubkey(). * * Bottom line, it is not the same as the session keys in info3. */ [noprint] DATA_BLOB session_key; [value(NULL), ignore] cli_credentials *credentials; /* * It is really handy to have our authorization code log a * token that can be used to tie later requests together. * We generate this in auth_generate_session_info() */ GUID unique_session_token; ticket_type ticket_type; } auth_session_info; typedef [public] struct { auth_session_info *session_info; [noprint] DATA_BLOB exported_gssapi_credentials; } auth_session_info_transport; }