1 files changed, 170 insertions, 0 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
new file mode 100644
index 0000000..ab5675e
--- /dev/null
+++ b/librpc/idl/auth.idl
@@ -0,0 +1,170 @@
+#include "idl_types.h"
+
+/*
+  Authentication IDL structures
+
+  These are NOT public network structures, but it is helpful to define
+  these things in IDL. They may change without ABI breakage or
+  warning.
+
+*/
+
+import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
+[
+	pyhelper("librpc/ndr/py_auth.c"),
+	helper("../librpc/ndr/ndr_auth.h"),
+	helpstring("internal Samba authentication structures")
+]
+
+interface auth
+{
+	typedef [public] enum {
+		SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
+		SEC_AUTH_METHOD_NTLM            = 1,
+		SEC_AUTH_METHOD_KERBEROS        = 2
+	} auth_method;
+
+	/* This is the parts of the session_info that don't change
+	 * during local privilege and group manipulations */
+	typedef [public] struct {
+		[unique,charset(UTF8),string] char *account_name;
+		[unique,charset(UTF8),string] char *user_principal_name;
+		boolean8 user_principal_constructed;
+		[unique,charset(UTF8),string] char *domain_name;
+		[unique,charset(UTF8),string] char *dns_domain_name;
+
+		[unique,charset(UTF8),string] char *full_name;
+		[unique,charset(UTF8),string] char *logon_script;
+		[unique,charset(UTF8),string] char *profile_path;
+		[unique,charset(UTF8),string] char *home_directory;
+		[unique,charset(UTF8),string] char *home_drive;
+		[unique,charset(UTF8),string] char *logon_server;
+
+		NTTIME last_logon;
+		NTTIME last_logoff;
+		NTTIME acct_expiry;
+		NTTIME last_password_change;
+		NTTIME allow_password_change;
+		NTTIME force_password_change;
+
+		uint16 logon_count;
+		uint16 bad_password_count;
+
+		uint32 acct_flags;
+
+		/*
+		 * The NETLOGON_GUEST flag being set indicates the user is not
+		 * authenticated.
+		 */
+		uint32 user_flags;
+	} auth_user_info;
+
+	/* This information is preserved only to assist torture tests */
+	typedef [public] struct {
+		/* Number SIDs from the DC netlogon validation info */
+		uint32 num_dc_sids;
+		[size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
+	} auth_user_info_torture;
+
+	typedef [public] struct {
+		[unique,charset(UTF8),string] char *unix_name;
+
+		/*
+		 * For performance reasons we keep an alpha_strcpy-sanitized version
+		 * of the username around as long as the global variable current_user
+		 * still exists. If we did not do keep this, we'd have to call
+		 * alpha_strcpy whenever we do a become_user(), potentially on every
+		 * smb request. See set_current_user_info in source3.
+		 */
+		[unique,charset(UTF8),string] char *sanitized_username;
+	} auth_user_info_unix;
+
+	/*
+	 * If the user was authenticated with a Kerberos ticket, this indicates
+	 * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
+	 * unset, the type is unknown. This indicator is useful for the KDC and
+	 * the kpasswd service, which share the same account and keys. By
+	 * ensuring it is provided with the appropriate ticket type, each service
+	 * avoids accepting a ticket meant for the other.
+	 *
+	 * The heuristic used to determine the type is the presence or absence
+	 * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
+	 * we have a TGT. This heuristic will fail for older Samba versions and
+	 * Windows prior to Nov. 2021 updates, which lack support for this
+	 * buffer.
+	 */
+	typedef enum {
+		TICKET_TYPE_UNKNOWN = 0,
+		TICKET_TYPE_TGT = 1,
+		TICKET_TYPE_NON_TGT = 2
+	} ticket_type;
+
+	/*
+	 * Used to indicate whether or not to include or disregard resource
+	 * groups when forming a SamInfo structure, user_info_dc structure, or
+	 * PAC, and whether or not to compress them when forming a PAC.
+	 *
+	 * When producing a TGT, existing resource groups are always copied
+	 * unmodified into the PAC. When producing a service ticket, existing
+	 * resource groups and resource groups in other domains are always
+	 * discarded.
+	 */
+	typedef enum {
+		AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
+		AUTH_INCLUDE_RESOURCE_GROUPS = 2,
+		AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
+		AUTH_EXCLUDE_RESOURCE_GROUPS = 4
+	} auth_group_inclusion;
+
+	typedef [public] struct {
+		dom_sid sid;
+		security_GroupAttrs attrs;
+	} auth_SidAttr;
+
+	/* This is the interim product of the auth subsystem, before
+	 * privileges and local groups are handled */
+	typedef [public] struct {
+		uint32 num_sids;
+		[size_is(num_sids)] auth_SidAttr sids[*];
+		auth_user_info *info;
+		[noprint] DATA_BLOB user_session_key;
+		[noprint] DATA_BLOB lm_session_key;
+		ticket_type ticket_type;
+	} auth_user_info_dc;
+
+	typedef [public] struct {
+		security_token *security_token;
+		security_unix_token *unix_token;
+		auth_user_info *info;
+		auth_user_info_unix *unix_info;
+		[value(NULL), ignore] auth_user_info_torture *torture;
+
+		/* This is the final session key, as used by SMB signing, and
+		 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
+		 * when over ncacn_np.
+		 * It is calculated by NTLMSSP from the session key in the info3,
+		 * and is  set from the Kerberos session key using
+		 * krb5_auth_con_getremotesubkey().
+		 *
+		 * Bottom line, it is not the same as the session keys in info3.
+		 */
+
+		[noprint] DATA_BLOB session_key;
+
+		[value(NULL), ignore] cli_credentials *credentials;
+
+	        /*
+		 * It is really handy to have our authorization code log a
+		 * token that can be used to tie later requests together.
+		 * We generate this in auth_generate_session_info()
+		 */
+	        GUID unique_session_token;
+
+		ticket_type ticket_type;
+	} auth_session_info;
+
+	typedef [public] struct {
+		auth_session_info *session_info;
+		[noprint] DATA_BLOB exported_gssapi_credentials;
+	} auth_session_info_transport;
+}