summaryrefslogtreecommitdiffstats
path: root/librpc/idl/auth.idl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--librpc/idl/auth.idl170
1 files changed, 170 insertions, 0 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
new file mode 100644
index 0000000..ab5675e
--- /dev/null
+++ b/librpc/idl/auth.idl
@@ -0,0 +1,170 @@
+#include "idl_types.h"
+
+/*
+ Authentication IDL structures
+
+ These are NOT public network structures, but it is helpful to define
+ these things in IDL. They may change without ABI breakage or
+ warning.
+
+*/
+
+import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
+[
+ pyhelper("librpc/ndr/py_auth.c"),
+ helper("../librpc/ndr/ndr_auth.h"),
+ helpstring("internal Samba authentication structures")
+]
+
+interface auth
+{
+ typedef [public] enum {
+ SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
+ SEC_AUTH_METHOD_NTLM = 1,
+ SEC_AUTH_METHOD_KERBEROS = 2
+ } auth_method;
+
+ /* This is the parts of the session_info that don't change
+ * during local privilege and group manipulations */
+ typedef [public] struct {
+ [unique,charset(UTF8),string] char *account_name;
+ [unique,charset(UTF8),string] char *user_principal_name;
+ boolean8 user_principal_constructed;
+ [unique,charset(UTF8),string] char *domain_name;
+ [unique,charset(UTF8),string] char *dns_domain_name;
+
+ [unique,charset(UTF8),string] char *full_name;
+ [unique,charset(UTF8),string] char *logon_script;
+ [unique,charset(UTF8),string] char *profile_path;
+ [unique,charset(UTF8),string] char *home_directory;
+ [unique,charset(UTF8),string] char *home_drive;
+ [unique,charset(UTF8),string] char *logon_server;
+
+ NTTIME last_logon;
+ NTTIME last_logoff;
+ NTTIME acct_expiry;
+ NTTIME last_password_change;
+ NTTIME allow_password_change;
+ NTTIME force_password_change;
+
+ uint16 logon_count;
+ uint16 bad_password_count;
+
+ uint32 acct_flags;
+
+ /*
+ * The NETLOGON_GUEST flag being set indicates the user is not
+ * authenticated.
+ */
+ uint32 user_flags;
+ } auth_user_info;
+
+ /* This information is preserved only to assist torture tests */
+ typedef [public] struct {
+ /* Number SIDs from the DC netlogon validation info */
+ uint32 num_dc_sids;
+ [size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
+ } auth_user_info_torture;
+
+ typedef [public] struct {
+ [unique,charset(UTF8),string] char *unix_name;
+
+ /*
+ * For performance reasons we keep an alpha_strcpy-sanitized version
+ * of the username around as long as the global variable current_user
+ * still exists. If we did not do keep this, we'd have to call
+ * alpha_strcpy whenever we do a become_user(), potentially on every
+ * smb request. See set_current_user_info in source3.
+ */
+ [unique,charset(UTF8),string] char *sanitized_username;
+ } auth_user_info_unix;
+
+ /*
+ * If the user was authenticated with a Kerberos ticket, this indicates
+ * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
+ * unset, the type is unknown. This indicator is useful for the KDC and
+ * the kpasswd service, which share the same account and keys. By
+ * ensuring it is provided with the appropriate ticket type, each service
+ * avoids accepting a ticket meant for the other.
+ *
+ * The heuristic used to determine the type is the presence or absence
+ * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
+ * we have a TGT. This heuristic will fail for older Samba versions and
+ * Windows prior to Nov. 2021 updates, which lack support for this
+ * buffer.
+ */
+ typedef enum {
+ TICKET_TYPE_UNKNOWN = 0,
+ TICKET_TYPE_TGT = 1,
+ TICKET_TYPE_NON_TGT = 2
+ } ticket_type;
+
+ /*
+ * Used to indicate whether or not to include or disregard resource
+ * groups when forming a SamInfo structure, user_info_dc structure, or
+ * PAC, and whether or not to compress them when forming a PAC.
+ *
+ * When producing a TGT, existing resource groups are always copied
+ * unmodified into the PAC. When producing a service ticket, existing
+ * resource groups and resource groups in other domains are always
+ * discarded.
+ */
+ typedef enum {
+ AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
+ AUTH_INCLUDE_RESOURCE_GROUPS = 2,
+ AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
+ AUTH_EXCLUDE_RESOURCE_GROUPS = 4
+ } auth_group_inclusion;
+
+ typedef [public] struct {
+ dom_sid sid;
+ security_GroupAttrs attrs;
+ } auth_SidAttr;
+
+ /* This is the interim product of the auth subsystem, before
+ * privileges and local groups are handled */
+ typedef [public] struct {
+ uint32 num_sids;
+ [size_is(num_sids)] auth_SidAttr sids[*];
+ auth_user_info *info;
+ [noprint] DATA_BLOB user_session_key;
+ [noprint] DATA_BLOB lm_session_key;
+ ticket_type ticket_type;
+ } auth_user_info_dc;
+
+ typedef [public] struct {
+ security_token *security_token;
+ security_unix_token *unix_token;
+ auth_user_info *info;
+ auth_user_info_unix *unix_info;
+ [value(NULL), ignore] auth_user_info_torture *torture;
+
+ /* This is the final session key, as used by SMB signing, and
+ * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
+ * when over ncacn_np.
+ * It is calculated by NTLMSSP from the session key in the info3,
+ * and is set from the Kerberos session key using
+ * krb5_auth_con_getremotesubkey().
+ *
+ * Bottom line, it is not the same as the session keys in info3.
+ */
+
+ [noprint] DATA_BLOB session_key;
+
+ [value(NULL), ignore] cli_credentials *credentials;
+
+ /*
+ * It is really handy to have our authorization code log a
+ * token that can be used to tie later requests together.
+ * We generate this in auth_generate_session_info()
+ */
+ GUID unique_session_token;
+
+ ticket_type ticket_type;
+ } auth_session_info;
+
+ typedef [public] struct {
+ auth_session_info *session_info;
+ [noprint] DATA_BLOB exported_gssapi_credentials;
+ } auth_session_info_transport;
+}