1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
#include "idl_types.h"
/*
Authentication IDL structures
These are NOT public network structures, but it is helpful to define
these things in IDL. They may change without ABI breakage or
warning.
*/
import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
[
pyhelper("librpc/ndr/py_auth.c"),
helper("../librpc/ndr/ndr_auth.h"),
helpstring("internal Samba authentication structures")
]
interface auth
{
typedef [public] enum {
SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
SEC_AUTH_METHOD_NTLM = 1,
SEC_AUTH_METHOD_KERBEROS = 2
} auth_method;
/* This is the parts of the session_info that don't change
* during local privilege and group manipulations */
typedef [public] struct {
[unique,charset(UTF8),string] char *account_name;
[unique,charset(UTF8),string] char *user_principal_name;
boolean8 user_principal_constructed;
[unique,charset(UTF8),string] char *domain_name;
[unique,charset(UTF8),string] char *dns_domain_name;
[unique,charset(UTF8),string] char *full_name;
[unique,charset(UTF8),string] char *logon_script;
[unique,charset(UTF8),string] char *profile_path;
[unique,charset(UTF8),string] char *home_directory;
[unique,charset(UTF8),string] char *home_drive;
[unique,charset(UTF8),string] char *logon_server;
NTTIME last_logon;
NTTIME last_logoff;
NTTIME acct_expiry;
NTTIME last_password_change;
NTTIME allow_password_change;
NTTIME force_password_change;
uint16 logon_count;
uint16 bad_password_count;
uint32 acct_flags;
/*
* The NETLOGON_GUEST flag being set indicates the user is not
* authenticated.
*/
uint32 user_flags;
} auth_user_info;
/* This information is preserved only to assist torture tests */
typedef [public] struct {
/* Number SIDs from the DC netlogon validation info */
uint32 num_dc_sids;
[size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
} auth_user_info_torture;
typedef [public] struct {
[unique,charset(UTF8),string] char *unix_name;
/*
* For performance reasons we keep an alpha_strcpy-sanitized version
* of the username around as long as the global variable current_user
* still exists. If we did not do keep this, we'd have to call
* alpha_strcpy whenever we do a become_user(), potentially on every
* smb request. See set_current_user_info in source3.
*/
[unique,charset(UTF8),string] char *sanitized_username;
} auth_user_info_unix;
/*
* If the user was authenticated with a Kerberos ticket, this indicates
* the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
* unset, the type is unknown. This indicator is useful for the KDC and
* the kpasswd service, which share the same account and keys. By
* ensuring it is provided with the appropriate ticket type, each service
* avoids accepting a ticket meant for the other.
*
* The heuristic used to determine the type is the presence or absence
* of a REQUESTER_SID buffer in the PAC; we use its presence to assume
* we have a TGT. This heuristic will fail for older Samba versions and
* Windows prior to Nov. 2021 updates, which lack support for this
* buffer.
*/
typedef enum {
TICKET_TYPE_UNKNOWN = 0,
TICKET_TYPE_TGT = 1,
TICKET_TYPE_NON_TGT = 2
} ticket_type;
/*
* Used to indicate whether or not to include or disregard resource
* groups when forming a SamInfo structure, user_info_dc structure, or
* PAC, and whether or not to compress them when forming a PAC.
*
* When producing a TGT, existing resource groups are always copied
* unmodified into the PAC. When producing a service ticket, existing
* resource groups and resource groups in other domains are always
* discarded.
*/
typedef enum {
AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
AUTH_INCLUDE_RESOURCE_GROUPS = 2,
AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
AUTH_EXCLUDE_RESOURCE_GROUPS = 4
} auth_group_inclusion;
typedef [public] struct {
dom_sid sid;
security_GroupAttrs attrs;
} auth_SidAttr;
/* This is the interim product of the auth subsystem, before
* privileges and local groups are handled */
typedef [public] struct {
uint32 num_sids;
[size_is(num_sids)] auth_SidAttr sids[*];
auth_user_info *info;
[noprint] DATA_BLOB user_session_key;
[noprint] DATA_BLOB lm_session_key;
ticket_type ticket_type;
} auth_user_info_dc;
typedef [public] struct {
security_token *security_token;
security_unix_token *unix_token;
auth_user_info *info;
auth_user_info_unix *unix_info;
[value(NULL), ignore] auth_user_info_torture *torture;
/* This is the final session key, as used by SMB signing, and
* (truncated to 16 bytes) encryption on the SAMR and LSA pipes
* when over ncacn_np.
* It is calculated by NTLMSSP from the session key in the info3,
* and is set from the Kerberos session key using
* krb5_auth_con_getremotesubkey().
*
* Bottom line, it is not the same as the session keys in info3.
*/
[noprint] DATA_BLOB session_key;
[value(NULL), ignore] cli_credentials *credentials;
/*
* It is really handy to have our authorization code log a
* token that can be used to tie later requests together.
* We generate this in auth_generate_session_info()
*/
GUID unique_session_token;
ticket_type ticket_type;
} auth_session_info;
typedef [public] struct {
auth_session_info *session_info;
[noprint] DATA_BLOB exported_gssapi_credentials;
} auth_session_info_transport;
}
|