mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
6a10e890a0
This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
145 lines
4.5 KiB
Plaintext
145 lines
4.5 KiB
Plaintext
#include "idl_types.h"
|
|
|
|
/*
|
|
Authentication IDL structures
|
|
|
|
These are NOT public network structures, but it is helpful to define
|
|
these things in IDL. They may change without ABI breakage or
|
|
warning.
|
|
|
|
*/
|
|
|
|
import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
|
|
[
|
|
pyhelper("librpc/ndr/py_auth.c"),
|
|
helper("../librpc/ndr/ndr_auth.h"),
|
|
helpstring("internal Samba authentication structures")
|
|
]
|
|
|
|
interface auth
|
|
{
|
|
typedef [public] enum {
|
|
SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
|
|
SEC_AUTH_METHOD_NTLM = 1,
|
|
SEC_AUTH_METHOD_KERBEROS = 2
|
|
} auth_method;
|
|
|
|
/* This is the parts of the session_info that don't change
|
|
* during local privilege and group manipulations */
|
|
typedef [public] struct {
|
|
[unique,charset(UTF8),string] char *account_name;
|
|
[unique,charset(UTF8),string] char *user_principal_name;
|
|
boolean8 user_principal_constructed;
|
|
[unique,charset(UTF8),string] char *domain_name;
|
|
[unique,charset(UTF8),string] char *dns_domain_name;
|
|
|
|
[unique,charset(UTF8),string] char *full_name;
|
|
[unique,charset(UTF8),string] char *logon_script;
|
|
[unique,charset(UTF8),string] char *profile_path;
|
|
[unique,charset(UTF8),string] char *home_directory;
|
|
[unique,charset(UTF8),string] char *home_drive;
|
|
[unique,charset(UTF8),string] char *logon_server;
|
|
|
|
NTTIME last_logon;
|
|
NTTIME last_logoff;
|
|
NTTIME acct_expiry;
|
|
NTTIME last_password_change;
|
|
NTTIME allow_password_change;
|
|
NTTIME force_password_change;
|
|
|
|
uint16 logon_count;
|
|
uint16 bad_password_count;
|
|
|
|
uint32 acct_flags;
|
|
|
|
uint8 authenticated;
|
|
} auth_user_info;
|
|
|
|
/* This information is preserved only to assist torture tests */
|
|
typedef [public] struct {
|
|
/* Number SIDs from the DC netlogon validation info */
|
|
uint32 num_dc_sids;
|
|
[size_is(num_dc_sids)] dom_sid dc_sids[*];
|
|
} auth_user_info_torture;
|
|
|
|
typedef [public] struct {
|
|
[unique,charset(UTF8),string] char *unix_name;
|
|
|
|
/*
|
|
* For performance reasons we keep an alpha_strcpy-sanitized version
|
|
* of the username around as long as the global variable current_user
|
|
* still exists. If we did not do keep this, we'd have to call
|
|
* alpha_strcpy whenever we do a become_user(), potentially on every
|
|
* smb request. See set_current_user_info in source3.
|
|
*/
|
|
[unique,charset(UTF8),string] char *sanitized_username;
|
|
} auth_user_info_unix;
|
|
|
|
/*
|
|
* If the user was authenticated with a Kerberos ticket, this indicates
|
|
* the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
|
|
* unset, the type is unknown. This indicator is useful for the KDC and
|
|
* the kpasswd service, which share the same account and keys. By
|
|
* ensuring it is provided with the appopriate ticket type, each service
|
|
* avoids accepting a ticket meant for the other.
|
|
*
|
|
* The heuristic used to determine the type is the presence or absence
|
|
* of a REQUESTER_SID buffer in the PAC; we use its presence to assume
|
|
* we have a TGT. This heuristic will fail for older Samba versions and
|
|
* Windows prior to Nov. 2021 updates, which lack support for this
|
|
* buffer.
|
|
*/
|
|
typedef enum {
|
|
TICKET_TYPE_UNKNOWN = 0,
|
|
TICKET_TYPE_TGT = 1,
|
|
TICKET_TYPE_NON_TGT = 2
|
|
} ticket_type;
|
|
|
|
/* This is the interim product of the auth subsystem, before
|
|
* privileges and local groups are handled */
|
|
typedef [public] struct {
|
|
uint32 num_sids;
|
|
[size_is(num_sids)] dom_sid sids[*];
|
|
auth_user_info *info;
|
|
[noprint] DATA_BLOB user_session_key;
|
|
[noprint] DATA_BLOB lm_session_key;
|
|
ticket_type ticket_type;
|
|
} auth_user_info_dc;
|
|
|
|
typedef [public] struct {
|
|
security_token *security_token;
|
|
security_unix_token *unix_token;
|
|
auth_user_info *info;
|
|
auth_user_info_unix *unix_info;
|
|
[value(NULL), ignore] auth_user_info_torture *torture;
|
|
|
|
/* This is the final session key, as used by SMB signing, and
|
|
* (truncated to 16 bytes) encryption on the SAMR and LSA pipes
|
|
* when over ncacn_np.
|
|
* It is calculated by NTLMSSP from the session key in the info3,
|
|
* and is set from the Kerberos session key using
|
|
* krb5_auth_con_getremotesubkey().
|
|
*
|
|
* Bottom line, it is not the same as the session keys in info3.
|
|
*/
|
|
|
|
[noprint] DATA_BLOB session_key;
|
|
|
|
[value(NULL), ignore] cli_credentials *credentials;
|
|
|
|
/*
|
|
* It is really handy to have our authorization code log a
|
|
* token that can be used to tie later requests together.
|
|
* We generate this in auth_generate_session_info()
|
|
*/
|
|
GUID unique_session_token;
|
|
|
|
ticket_type ticket_type;
|
|
} auth_session_info;
|
|
|
|
typedef [public] struct {
|
|
auth_session_info *session_info;
|
|
[noprint] DATA_BLOB exported_gssapi_credentials;
|
|
} auth_session_info_transport;
|
|
}
|