diff options
Diffstat (limited to '')
| -rw-r--r-- | librpc/idl/auth.idl | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl new file mode 100644 index 0000000..ab5675e --- /dev/null +++ b/librpc/idl/auth.idl @@ -0,0 +1,170 @@ +#include "idl_types.h" + +/* + Authentication IDL structures + + These are NOT public network structures, but it is helpful to define + these things in IDL. They may change without ABI breakage or + warning. + +*/ + +import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl"; +[ + pyhelper("librpc/ndr/py_auth.c"), + helper("../librpc/ndr/ndr_auth.h"), + helpstring("internal Samba authentication structures") +] + +interface auth +{ + typedef [public] enum { + SEC_AUTH_METHOD_UNAUTHENTICATED = 0, + SEC_AUTH_METHOD_NTLM = 1, + SEC_AUTH_METHOD_KERBEROS = 2 + } auth_method; + + /* This is the parts of the session_info that don't change + * during local privilege and group manipulations */ + typedef [public] struct { + [unique,charset(UTF8),string] char *account_name; + [unique,charset(UTF8),string] char *user_principal_name; + boolean8 user_principal_constructed; + [unique,charset(UTF8),string] char *domain_name; + [unique,charset(UTF8),string] char *dns_domain_name; + + [unique,charset(UTF8),string] char *full_name; + [unique,charset(UTF8),string] char *logon_script; + [unique,charset(UTF8),string] char *profile_path; + [unique,charset(UTF8),string] char *home_directory; + [unique,charset(UTF8),string] char *home_drive; + [unique,charset(UTF8),string] char *logon_server; + + NTTIME last_logon; + NTTIME last_logoff; + NTTIME acct_expiry; + NTTIME last_password_change; + NTTIME allow_password_change; + NTTIME force_password_change; + + uint16 logon_count; + uint16 bad_password_count; + + uint32 acct_flags; + + /* + * The NETLOGON_GUEST flag being set indicates the user is not + * authenticated. + */ + uint32 user_flags; + } auth_user_info; + + /* This information is preserved only to assist torture tests */ + typedef [public] struct { + /* Number SIDs from the DC netlogon validation info */ + uint32 num_dc_sids; + [size_is(num_dc_sids)] auth_SidAttr dc_sids[*]; + } auth_user_info_torture; + + typedef [public] struct { + [unique,charset(UTF8),string] char *unix_name; + + /* + * For performance reasons we keep an alpha_strcpy-sanitized version + * of the username around as long as the global variable current_user + * still exists. If we did not do keep this, we'd have to call + * alpha_strcpy whenever we do a become_user(), potentially on every + * smb request. See set_current_user_info in source3. + */ + [unique,charset(UTF8),string] char *sanitized_username; + } auth_user_info_unix; + + /* + * If the user was authenticated with a Kerberos ticket, this indicates + * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If + * unset, the type is unknown. This indicator is useful for the KDC and + * the kpasswd service, which share the same account and keys. By + * ensuring it is provided with the appropriate ticket type, each service + * avoids accepting a ticket meant for the other. + * + * The heuristic used to determine the type is the presence or absence + * of a REQUESTER_SID buffer in the PAC; we use its presence to assume + * we have a TGT. This heuristic will fail for older Samba versions and + * Windows prior to Nov. 2021 updates, which lack support for this + * buffer. + */ + typedef enum { + TICKET_TYPE_UNKNOWN = 0, + TICKET_TYPE_TGT = 1, + TICKET_TYPE_NON_TGT = 2 + } ticket_type; + + /* + * Used to indicate whether or not to include or disregard resource + * groups when forming a SamInfo structure, user_info_dc structure, or + * PAC, and whether or not to compress them when forming a PAC. + * + * When producing a TGT, existing resource groups are always copied + * unmodified into the PAC. When producing a service ticket, existing + * resource groups and resource groups in other domains are always + * discarded. + */ + typedef enum { + AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */ + AUTH_INCLUDE_RESOURCE_GROUPS = 2, + AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3, + AUTH_EXCLUDE_RESOURCE_GROUPS = 4 + } auth_group_inclusion; + + typedef [public] struct { + dom_sid sid; + security_GroupAttrs attrs; + } auth_SidAttr; + + /* This is the interim product of the auth subsystem, before + * privileges and local groups are handled */ + typedef [public] struct { + uint32 num_sids; + [size_is(num_sids)] auth_SidAttr sids[*]; + auth_user_info *info; + [noprint] DATA_BLOB user_session_key; + [noprint] DATA_BLOB lm_session_key; + ticket_type ticket_type; + } auth_user_info_dc; + + typedef [public] struct { + security_token *security_token; + security_unix_token *unix_token; + auth_user_info *info; + auth_user_info_unix *unix_info; + [value(NULL), ignore] auth_user_info_torture *torture; + + /* This is the final session key, as used by SMB signing, and + * (truncated to 16 bytes) encryption on the SAMR and LSA pipes + * when over ncacn_np. + * It is calculated by NTLMSSP from the session key in the info3, + * and is set from the Kerberos session key using + * krb5_auth_con_getremotesubkey(). + * + * Bottom line, it is not the same as the session keys in info3. + */ + + [noprint] DATA_BLOB session_key; + + [value(NULL), ignore] cli_credentials *credentials; + + /* + * It is really handy to have our authorization code log a + * token that can be used to tie later requests together. + * We generate this in auth_generate_session_info() + */ + GUID unique_session_token; + + ticket_type ticket_type; + } auth_session_info; + + typedef [public] struct { + auth_session_info *session_info; + [noprint] DATA_BLOB exported_gssapi_credentials; + } auth_session_info_transport; +} |