mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
245b494ceb
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Bjoern Jacke <bj@sernet.de>
526 lines
14 KiB
C
526 lines
14 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Winbind daemon for ntdom nss module
|
|
|
|
Copyright (C) Tim Potter 2000
|
|
Copyright (C) Gerald Carter 2006
|
|
|
|
You are free to use this interface definition in any way you see
|
|
fit, including without restriction, using this header in your own
|
|
products. You do not need to give any attribution.
|
|
*/
|
|
|
|
#ifndef SAFE_FREE
|
|
#define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
|
|
#endif
|
|
|
|
#ifndef FSTRING_LEN
|
|
#define FSTRING_LEN 256
|
|
typedef char fstring[FSTRING_LEN];
|
|
#endif
|
|
|
|
#ifndef _WINBINDD_NTDOM_H
|
|
#define _WINBINDD_NTDOM_H
|
|
|
|
#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
|
|
|
|
/* We let the build environment set the public winbindd socket
|
|
* location. Therefore we no longer set
|
|
*
|
|
* #define WINBINDD_SOCKET_DIR "/tmp/.winbindd"
|
|
*
|
|
* A number of different distributions set different paths, and so it
|
|
* needs to come from configure in Samba. External users of this header will
|
|
* need to know where the path is on their system by some other
|
|
* mechanism.
|
|
*/
|
|
|
|
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lock_directory() to hold the 'privileged' pipe */
|
|
#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
|
|
#define WINBINDD_DONT_ENV "_NO_WINBINDD"
|
|
#define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
|
|
|
|
/* Update this when you change the interface.
|
|
* 21: added WINBINDD_GETPWSID
|
|
* added WINBINDD_GETSIDALIASES
|
|
* 22: added WINBINDD_PING_DC
|
|
* 23: added session_key to ccache_ntlm_auth response
|
|
* added WINBINDD_CCACHE_SAVE
|
|
* 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
|
|
* 25: removed WINBINDD_SET_HWM
|
|
* removed WINBINDD_SET_MAPPING
|
|
* removed WINBINDD_REMOVE_MAPPING
|
|
* 26: added WINBINDD_DC_INFO
|
|
* 27: added WINBINDD_LOOKUPSIDS
|
|
* 28: added WINBINDD_XIDS_TO_SIDS
|
|
* removed WINBINDD_SID_TO_UID
|
|
* removed WINBINDD_SID_TO_GID
|
|
* removed WINBINDD_GID_TO_SID
|
|
* removed WINBINDD_UID_TO_SID
|
|
* 29: added "authoritative" to response.data.auth
|
|
* 30: added "validation_level" and "info6" to response.data.auth
|
|
* 31: added "client_name" to the request
|
|
*/
|
|
#define WINBIND_INTERFACE_VERSION 31
|
|
|
|
/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
|
|
On a 64bit Linux box, we have to support a constant structure size
|
|
between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
|
|
The easiest way to do this is to always use 8byte values for time_t. */
|
|
|
|
#define SMB_TIME_T int64_t
|
|
|
|
/* Socket commands */
|
|
|
|
enum winbindd_cmd {
|
|
|
|
WINBINDD_INTERFACE_VERSION, /* Always a well known value */
|
|
|
|
/* Get users and groups */
|
|
|
|
WINBINDD_GETPWNAM,
|
|
WINBINDD_GETPWUID,
|
|
WINBINDD_GETPWSID,
|
|
WINBINDD_GETGRNAM,
|
|
WINBINDD_GETGRGID,
|
|
WINBINDD_GETGROUPS,
|
|
|
|
/* Enumerate users and groups */
|
|
|
|
WINBINDD_SETPWENT,
|
|
WINBINDD_ENDPWENT,
|
|
WINBINDD_GETPWENT,
|
|
WINBINDD_SETGRENT,
|
|
WINBINDD_ENDGRENT,
|
|
WINBINDD_GETGRENT,
|
|
|
|
/* PAM authenticate and password change */
|
|
|
|
WINBINDD_PAM_AUTH,
|
|
WINBINDD_PAM_AUTH_CRAP,
|
|
WINBINDD_PAM_CHAUTHTOK,
|
|
WINBINDD_PAM_LOGOFF,
|
|
WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
|
|
|
|
/* List various things */
|
|
|
|
WINBINDD_LIST_USERS, /* List w/o rid->id mapping */
|
|
WINBINDD_LIST_GROUPS, /* Ditto */
|
|
WINBINDD_LIST_TRUSTDOM,
|
|
|
|
/* SID conversion */
|
|
|
|
WINBINDD_LOOKUPSID,
|
|
WINBINDD_LOOKUPNAME,
|
|
WINBINDD_LOOKUPRIDS,
|
|
WINBINDD_LOOKUPSIDS,
|
|
|
|
/* Lookup functions */
|
|
|
|
WINBINDD_SIDS_TO_XIDS,
|
|
WINBINDD_XIDS_TO_SIDS,
|
|
|
|
WINBINDD_ALLOCATE_UID,
|
|
WINBINDD_ALLOCATE_GID,
|
|
|
|
/* Miscellaneous other stuff */
|
|
|
|
WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
|
|
WINBINDD_CHANGE_MACHACC, /* Change machine account pw */
|
|
WINBINDD_PING_DC, /* Ping the DC through NETLOGON */
|
|
WINBINDD_PING, /* Just tell me winbind is running */
|
|
WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
|
|
WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
|
|
|
|
WINBINDD_DOMAIN_INFO, /* Most of what we know from
|
|
struct winbindd_domain */
|
|
WINBINDD_GETDCNAME, /* Issue a GetDCName Request */
|
|
WINBINDD_DSGETDCNAME, /* Issue a DsGetDCName Request */
|
|
WINBINDD_DC_INFO, /* Which DC are we connected to? */
|
|
|
|
WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
|
|
|
|
/* WINS commands */
|
|
|
|
WINBINDD_WINS_BYIP,
|
|
WINBINDD_WINS_BYNAME,
|
|
|
|
/* this is like GETGRENT but gives an empty group list */
|
|
WINBINDD_GETGRLST,
|
|
|
|
WINBINDD_NETBIOS_NAME, /* The netbios name of the server */
|
|
|
|
/* find the location of our privileged pipe */
|
|
WINBINDD_PRIV_PIPE_DIR,
|
|
|
|
/* return a list of group sids for a user sid */
|
|
WINBINDD_GETUSERSIDS,
|
|
|
|
/* Various group queries */
|
|
WINBINDD_GETUSERDOMGROUPS,
|
|
|
|
/* lookup local groups */
|
|
WINBINDD_GETSIDALIASES,
|
|
|
|
/* Initialize connection in a child */
|
|
WINBINDD_INIT_CONNECTION,
|
|
|
|
/* Blocking calls that are not allowed on the main winbind pipe, only
|
|
* between parent and children */
|
|
WINBINDD_DUAL_SID2UID,
|
|
WINBINDD_DUAL_SID2GID,
|
|
WINBINDD_DUAL_SIDS2XIDS,
|
|
WINBINDD_DUAL_UID2SID,
|
|
WINBINDD_DUAL_GID2SID,
|
|
|
|
/* Wrapper around possibly blocking unix nss calls */
|
|
WINBINDD_DUAL_USERINFO,
|
|
WINBINDD_DUAL_GETSIDALIASES,
|
|
|
|
WINBINDD_DUAL_NDRCMD,
|
|
|
|
/* Complete the challenge phase of the NTLM authentication
|
|
protocol using cached password. */
|
|
WINBINDD_CCACHE_NTLMAUTH,
|
|
WINBINDD_CCACHE_SAVE,
|
|
|
|
WINBINDD_NUM_CMDS
|
|
};
|
|
|
|
typedef struct winbindd_pw {
|
|
fstring pw_name;
|
|
fstring pw_passwd;
|
|
uid_t pw_uid;
|
|
gid_t pw_gid;
|
|
fstring pw_gecos;
|
|
fstring pw_dir;
|
|
fstring pw_shell;
|
|
} WINBINDD_PW;
|
|
|
|
|
|
typedef struct winbindd_gr {
|
|
fstring gr_name;
|
|
fstring gr_passwd;
|
|
gid_t gr_gid;
|
|
uint32_t num_gr_mem;
|
|
uint32_t gr_mem_ofs; /* offset to group membership */
|
|
} WINBINDD_GR;
|
|
|
|
/* Request flags */
|
|
#define WBFLAG_PAM_INFO3_NDR 0x00000001
|
|
#define WBFLAG_PAM_INFO3_TEXT 0x00000002
|
|
#define WBFLAG_PAM_USER_SESSION_KEY 0x00000004
|
|
#define WBFLAG_PAM_LMKEY 0x00000008
|
|
#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x00000010
|
|
#define WBFLAG_QUERY_ONLY 0x00000020 /* not used */
|
|
#define WBFLAG_PAM_AUTH_PAC 0x00000040
|
|
#define WBFLAG_PAM_UNIX_NAME 0x00000080
|
|
#define WBFLAG_PAM_AFS_TOKEN 0x00000100
|
|
#define WBFLAG_PAM_NT_STATUS_SQUASH 0x00000200
|
|
/* This is a flag that can only be sent from parent to child */
|
|
#define WBFLAG_IS_PRIVILEGED 0x00000400 /* not used */
|
|
/* Flag to say this is a winbindd internal send - don't recurse. */
|
|
#define WBFLAG_RECURSE 0x00000800
|
|
#define WBFLAG_PAM_KRB5 0x00001000
|
|
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x00002000
|
|
#define WBFLAG_PAM_CACHED_LOGIN 0x00004000
|
|
#define WBFLAG_PAM_GET_PWD_POLICY 0x00008000
|
|
/* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
|
|
* extra_data field */
|
|
#define WBFLAG_BIG_NTLMV2_BLOB 0x00010000
|
|
#define WBFLAG_FROM_NSS 0x00020000
|
|
|
|
#define WINBINDD_MAX_EXTRA_DATA (128*1024)
|
|
|
|
/* Winbind request structure */
|
|
|
|
/*******************************************************************************
|
|
* This structure MUST be the same size in the 32bit and 64bit builds
|
|
* for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
|
|
*
|
|
* DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
|
|
* A 64BIT WINBINDD --jerry
|
|
******************************************************************************/
|
|
|
|
struct winbindd_request {
|
|
uint32_t length;
|
|
enum winbindd_cmd cmd; /* Winbindd command to execute */
|
|
enum winbindd_cmd original_cmd; /* Original Winbindd command
|
|
issued to parent process */
|
|
pid_t pid; /* pid of calling process */
|
|
uint32_t wb_flags; /* generic flags */
|
|
uint32_t flags; /* flags relevant *only* to a given request */
|
|
fstring domain_name; /* name of domain for which the request applies */
|
|
char client_name[32]; /* The client process sending the request */
|
|
|
|
union {
|
|
fstring winsreq; /* WINS request */
|
|
fstring username; /* getpwnam */
|
|
fstring groupname; /* getgrnam */
|
|
uid_t uid; /* getpwuid, uid_to_sid */
|
|
gid_t gid; /* getgrgid, gid_to_sid */
|
|
uint32_t ndrcmd;
|
|
struct {
|
|
/* We deliberately don't split into domain/user to
|
|
avoid having the client know what the separator
|
|
character is. */
|
|
fstring user;
|
|
fstring pass;
|
|
char require_membership_of_sid[1024];
|
|
fstring krb5_cc_type;
|
|
uid_t uid;
|
|
} auth; /* pam_winbind auth module */
|
|
struct {
|
|
uint8_t chal[8];
|
|
uint32_t logon_parameters;
|
|
fstring user;
|
|
fstring domain;
|
|
fstring lm_resp;
|
|
uint32_t lm_resp_len;
|
|
fstring nt_resp;
|
|
uint32_t nt_resp_len;
|
|
fstring workstation;
|
|
fstring require_membership_of_sid;
|
|
} auth_crap;
|
|
struct {
|
|
fstring user;
|
|
fstring oldpass;
|
|
fstring newpass;
|
|
} chauthtok; /* pam_winbind passwd module */
|
|
struct {
|
|
fstring user;
|
|
fstring domain;
|
|
uint8_t new_nt_pswd[516];
|
|
uint16_t new_nt_pswd_len;
|
|
uint8_t old_nt_hash_enc[16];
|
|
uint16_t old_nt_hash_enc_len;
|
|
uint8_t new_lm_pswd[516];
|
|
uint16_t new_lm_pswd_len;
|
|
uint8_t old_lm_hash_enc[16];
|
|
uint16_t old_lm_hash_enc_len;
|
|
} chng_pswd_auth_crap;/* pam_winbind passwd module */
|
|
struct {
|
|
fstring user;
|
|
fstring krb5ccname;
|
|
uid_t uid;
|
|
} logoff; /* pam_winbind session module */
|
|
fstring sid; /* lookupsid, sid_to_[ug]id */
|
|
struct {
|
|
fstring dom_name; /* lookupname */
|
|
fstring name;
|
|
} name;
|
|
uint32_t num_entries; /* getpwent, getgrent */
|
|
struct {
|
|
fstring username;
|
|
fstring groupname;
|
|
} acct_mgt;
|
|
struct {
|
|
bool is_primary;
|
|
fstring dcname;
|
|
} init_conn;
|
|
struct {
|
|
fstring sid;
|
|
fstring name;
|
|
} dual_sid2id;
|
|
struct {
|
|
fstring sid;
|
|
uint32_t type;
|
|
uint32_t id;
|
|
} dual_idmapset;
|
|
bool list_all_domains;
|
|
|
|
struct {
|
|
uid_t uid;
|
|
fstring user;
|
|
/* the effective uid of the client, must be the uid for 'user'.
|
|
This is checked by the main daemon, trusted by children. */
|
|
/* if the blobs are length zero, then this doesn't
|
|
produce an actual challenge response. It merely
|
|
succeeds if there are cached credentials available
|
|
that could be used. */
|
|
uint32_t initial_blob_len; /* blobs in extra_data */
|
|
uint32_t challenge_blob_len;
|
|
} ccache_ntlm_auth;
|
|
struct {
|
|
uid_t uid;
|
|
fstring user;
|
|
fstring pass;
|
|
} ccache_save;
|
|
struct {
|
|
fstring domain_name;
|
|
fstring domain_guid;
|
|
fstring site_name;
|
|
uint32_t flags;
|
|
} dsgetdcname;
|
|
|
|
/* padding -- needed to fix alignment between 32bit and 64bit libs.
|
|
The size is the sizeof the union without the padding aligned on
|
|
an 8 byte boundary. --jerry */
|
|
|
|
char padding[1800];
|
|
} data;
|
|
union {
|
|
SMB_TIME_T padding;
|
|
char *data;
|
|
} extra_data;
|
|
uint32_t extra_len;
|
|
char null_term;
|
|
};
|
|
|
|
/* Response values */
|
|
|
|
enum winbindd_result {
|
|
WINBINDD_ERROR,
|
|
WINBINDD_PENDING,
|
|
WINBINDD_OK
|
|
};
|
|
|
|
/* Winbind response structure */
|
|
|
|
/*******************************************************************************
|
|
* This structure MUST be the same size in the 32bit and 64bit builds
|
|
* for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
|
|
*
|
|
* DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
|
|
* A 64BIT WINBINDD --jerry
|
|
******************************************************************************/
|
|
|
|
struct winbindd_response {
|
|
|
|
/* Header information */
|
|
|
|
uint32_t length; /* Length of response */
|
|
enum winbindd_result result; /* Result code */
|
|
|
|
/* Fixed length return data */
|
|
|
|
union {
|
|
int interface_version; /* Try to ensure this is always in the same spot... */
|
|
|
|
fstring winsresp; /* WINS response */
|
|
|
|
/* getpwnam, getpwuid */
|
|
|
|
struct winbindd_pw pw;
|
|
|
|
/* getgrnam, getgrgid */
|
|
|
|
struct winbindd_gr gr;
|
|
|
|
uint32_t num_entries; /* getpwent, getgrent */
|
|
struct winbindd_sid {
|
|
fstring sid; /* lookupname, [ug]id_to_sid */
|
|
int type;
|
|
} sid;
|
|
struct winbindd_name {
|
|
fstring dom_name; /* lookupsid */
|
|
fstring name;
|
|
int type;
|
|
} name;
|
|
uid_t uid; /* sid_to_uid */
|
|
gid_t gid; /* sid_to_gid */
|
|
struct winbindd_info {
|
|
char winbind_separator;
|
|
fstring samba_version;
|
|
} info;
|
|
fstring domain_name;
|
|
fstring netbios_name;
|
|
fstring dc_name;
|
|
|
|
struct auth_reply {
|
|
uint32_t nt_status;
|
|
fstring nt_status_string;
|
|
fstring error_string;
|
|
int pam_error;
|
|
char user_session_key[16];
|
|
char first_8_lm_hash[8];
|
|
fstring krb5ccname;
|
|
uint32_t reject_reason;
|
|
uint8_t authoritative;
|
|
uint8_t padding[1];
|
|
uint16_t validation_level;
|
|
struct policy_settings {
|
|
uint32_t min_length_password;
|
|
uint32_t password_history;
|
|
uint32_t password_properties;
|
|
uint32_t padding;
|
|
SMB_TIME_T expire;
|
|
SMB_TIME_T min_passwordage;
|
|
} policy;
|
|
struct info3_text {
|
|
SMB_TIME_T logon_time;
|
|
SMB_TIME_T logoff_time;
|
|
SMB_TIME_T kickoff_time;
|
|
SMB_TIME_T pass_last_set_time;
|
|
SMB_TIME_T pass_can_change_time;
|
|
SMB_TIME_T pass_must_change_time;
|
|
uint32_t logon_count;
|
|
uint32_t bad_pw_count;
|
|
uint32_t user_rid;
|
|
uint32_t group_rid;
|
|
uint32_t num_groups;
|
|
uint32_t user_flgs;
|
|
uint32_t acct_flags;
|
|
uint32_t num_other_sids;
|
|
fstring dom_sid;
|
|
fstring user_name;
|
|
fstring full_name;
|
|
fstring logon_script;
|
|
fstring profile_path;
|
|
fstring home_dir;
|
|
fstring dir_drive;
|
|
fstring logon_srv;
|
|
fstring logon_dom;
|
|
} info3;
|
|
struct info6_text {
|
|
fstring dns_domainname;
|
|
fstring principal_name;
|
|
} info6;
|
|
fstring unix_username;
|
|
} auth;
|
|
struct {
|
|
fstring name;
|
|
fstring alt_name;
|
|
fstring sid;
|
|
bool native_mode;
|
|
bool active_directory;
|
|
bool primary;
|
|
} domain_info;
|
|
uint32_t sequence_number;
|
|
struct {
|
|
fstring acct_name;
|
|
fstring full_name;
|
|
fstring homedir;
|
|
fstring shell;
|
|
uint32_t primary_gid;
|
|
uint32_t group_rid;
|
|
} user_info;
|
|
struct {
|
|
uint8_t session_key[16];
|
|
uint32_t auth_blob_len; /* blob in extra_data */
|
|
uint8_t new_spnego;
|
|
} ccache_ntlm_auth;
|
|
struct {
|
|
fstring dc_unc;
|
|
fstring dc_address;
|
|
uint32_t dc_address_type;
|
|
fstring domain_guid;
|
|
fstring domain_name;
|
|
fstring forest_name;
|
|
uint32_t dc_flags;
|
|
fstring dc_site_name;
|
|
fstring client_site_name;
|
|
} dsgetdcname;
|
|
} data;
|
|
|
|
/* Variable length return data */
|
|
|
|
union {
|
|
SMB_TIME_T padding;
|
|
void *data;
|
|
} extra_data;
|
|
};
|
|
|
|
#endif
|