winbind_struct_protocol.h 14.1 KB
Newer Older
1
/*
2
   Unix SMB/CIFS implementation.
3 4 5 6

   Winbind daemon for ntdom nss module

   Copyright (C) Tim Potter 2000
7
   Copyright (C) Gerald Carter 2006
8

9 10
   You are free to use this interface definition in any way you see
   fit, including without restriction, using this header in your own
11
   products. You do not need to give any attribution.
12 13
*/

Simo Sorce's avatar
Simo Sorce committed
14
#ifndef SAFE_FREE
15
#define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
Simo Sorce's avatar
Simo Sorce committed
16 17
#endif

18 19 20 21 22
#ifndef FSTRING_LEN
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];
#endif

23 24 25 26
#ifndef _WINBINDD_NTDOM_H
#define _WINBINDD_NTDOM_H

#define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
27

28 29 30 31 32 33 34 35 36
/* We let the build environment set the public winbindd socket
 * location. Therefore we no longer set
 *
 * #define WINBINDD_SOCKET_DIR "/tmp/.winbindd"
 *
 * A number of different distributions set different paths, and so it
 * needs to come from configure in Samba.  External users of this header will
 * need to know where the path is on their system by some other
 * mechanism.
37 38
 */

39
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lock_directory() to hold the 'privileged' pipe */
Tim Potter's avatar
Tim Potter committed
40 41
#define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
#define WINBINDD_DONT_ENV    "_NO_WINBINDD"
42
#define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
43

Dan Sledz's avatar
Dan Sledz committed
44 45 46
/* Update this when you change the interface.
 * 21: added WINBINDD_GETPWSID
 *     added WINBINDD_GETSIDALIASES
47
 * 22: added WINBINDD_PING_DC
48 49
 * 23: added session_key to ccache_ntlm_auth response
 *     added WINBINDD_CCACHE_SAVE
50
 * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
51 52 53
 * 25: removed WINBINDD_SET_HWM
 *     removed WINBINDD_SET_MAPPING
 *     removed WINBINDD_REMOVE_MAPPING
54
 * 26: added WINBINDD_DC_INFO
55
 * 27: added WINBINDD_LOOKUPSIDS
56
 * 28: added WINBINDD_XIDS_TO_SIDS
57
 *     removed WINBINDD_SID_TO_UID
58
 *     removed WINBINDD_SID_TO_GID
59
 *     removed WINBINDD_GID_TO_SID
60
 *     removed WINBINDD_UID_TO_SID
61
 * 29: added "authoritative" to response.data.auth
62
 * 30: added "validation_level" and "info6" to response.data.auth
Dan Sledz's avatar
Dan Sledz committed
63
 */
64
#define WINBIND_INTERFACE_VERSION 30
65

66 67
/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
   On a 64bit Linux box, we have to support a constant structure size
68
   between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
69 70
   The easiest way to do this is to always use 8byte values for time_t. */

71
#define SMB_TIME_T int64_t
72

73
/* Socket commands */
74

75
enum winbindd_cmd {
Tim Potter's avatar
Tim Potter committed
76

77 78
	WINBINDD_INTERFACE_VERSION,    /* Always a well known value */

Tim Potter's avatar
Tim Potter committed
79 80
	/* Get users and groups */

81 82
	WINBINDD_GETPWNAM,
	WINBINDD_GETPWUID,
Dan Sledz's avatar
Dan Sledz committed
83
	WINBINDD_GETPWSID,
84 85
	WINBINDD_GETGRNAM,
	WINBINDD_GETGRGID,
86
	WINBINDD_GETGROUPS,
Tim Potter's avatar
Tim Potter committed
87 88 89 90 91 92 93 94 95 96 97 98 99

	/* Enumerate users and groups */

	WINBINDD_SETPWENT,
	WINBINDD_ENDPWENT,
	WINBINDD_GETPWENT,
	WINBINDD_SETGRENT,
	WINBINDD_ENDGRENT,
	WINBINDD_GETGRENT,

	/* PAM authenticate and password change */

	WINBINDD_PAM_AUTH,
100
	WINBINDD_PAM_AUTH_CRAP,
Tim Potter's avatar
Tim Potter committed
101
	WINBINDD_PAM_CHAUTHTOK,
102
	WINBINDD_PAM_LOGOFF,
103
	WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
Tim Potter's avatar
Tim Potter committed
104 105 106

	/* List various things */

107 108
	WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
	WINBINDD_LIST_GROUPS,        /* Ditto */
Tim Potter's avatar
Tim Potter committed
109 110 111 112 113 114
	WINBINDD_LIST_TRUSTDOM,

	/* SID conversion */

	WINBINDD_LOOKUPSID,
	WINBINDD_LOOKUPNAME,
115
	WINBINDD_LOOKUPRIDS,
116
	WINBINDD_LOOKUPSIDS,
Tim Potter's avatar
Tim Potter committed
117

118
	/* Lookup functions */
Tim Potter's avatar
Tim Potter committed
119

120
	WINBINDD_SIDS_TO_XIDS,
121
	WINBINDD_XIDS_TO_SIDS,
122 123 124

	WINBINDD_ALLOCATE_UID,
	WINBINDD_ALLOCATE_GID,
Tim Potter's avatar
Tim Potter committed
125 126 127 128

	/* Miscellaneous other stuff */

	WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
129
	WINBINDD_CHANGE_MACHACC,    /* Change machine account pw */
130
	WINBINDD_PING_DC,     	    /* Ping the DC through NETLOGON */
131
	WINBINDD_PING,              /* Just tell me winbind is running */
132
	WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
133
	WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
Tim Potter's avatar
Tim Potter committed
134

135 136
	WINBINDD_DOMAIN_INFO,	/* Most of what we know from
				   struct winbindd_domain */
137
	WINBINDD_GETDCNAME,	/* Issue a GetDCName Request */
138
	WINBINDD_DSGETDCNAME,	/* Issue a DsGetDCName Request */
139
	WINBINDD_DC_INFO,	/* Which DC are we connected to? */
140

141 142
	WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */

143 144 145 146 147
	/* WINS commands */

	WINBINDD_WINS_BYIP,
	WINBINDD_WINS_BYNAME,

148 149 150
	/* this is like GETGRENT but gives an empty group list */
	WINBINDD_GETGRLST,

Andrew Bartlett's avatar
Andrew Bartlett committed
151
	WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
Tim Potter's avatar
Tim Potter committed
152

153
	/* find the location of our privileged pipe */
Andrew Bartlett's avatar
Andrew Bartlett committed
154 155
	WINBINDD_PRIV_PIPE_DIR,

156
	/* return a list of group sids for a user sid */
157 158
	WINBINDD_GETUSERSIDS,

159
	/* Various group queries */
160 161
	WINBINDD_GETUSERDOMGROUPS,

162 163 164
	/* lookup local groups */
	WINBINDD_GETSIDALIASES,

165 166 167 168 169 170 171
	/* Initialize connection in a child */
	WINBINDD_INIT_CONNECTION,

	/* Blocking calls that are not allowed on the main winbind pipe, only
	 * between parent and children */
	WINBINDD_DUAL_SID2UID,
	WINBINDD_DUAL_SID2GID,
172
	WINBINDD_DUAL_SIDS2XIDS,
173 174
	WINBINDD_DUAL_UID2SID,
	WINBINDD_DUAL_GID2SID,
175 176 177 178

	/* Wrapper around possibly blocking unix nss calls */
	WINBINDD_DUAL_USERINFO,
	WINBINDD_DUAL_GETSIDALIASES,
179

180 181
	WINBINDD_DUAL_NDRCMD,

182 183 184
	/* Complete the challenge phase of the NTLM authentication
	   protocol using cached password. */
	WINBINDD_CCACHE_NTLMAUTH,
185
	WINBINDD_CCACHE_SAVE,
186

Tim Potter's avatar
Tim Potter committed
187
	WINBINDD_NUM_CMDS
188 189
};

190 191 192 193 194 195 196 197 198 199 200 201 202 203 204
typedef struct winbindd_pw {
	fstring pw_name;
	fstring pw_passwd;
	uid_t pw_uid;
	gid_t pw_gid;
	fstring pw_gecos;
	fstring pw_dir;
	fstring pw_shell;
} WINBINDD_PW;


typedef struct winbindd_gr {
	fstring gr_name;
	fstring gr_passwd;
	gid_t gr_gid;
205 206
	uint32_t num_gr_mem;
	uint32_t gr_mem_ofs;   /* offset to group membership */
207 208
} WINBINDD_GR;

209
/* Request flags */
210 211 212 213 214
#define WBFLAG_PAM_INFO3_NDR		0x00000001
#define WBFLAG_PAM_INFO3_TEXT		0x00000002
#define WBFLAG_PAM_USER_SESSION_KEY	0x00000004
#define WBFLAG_PAM_LMKEY		0x00000008
#define WBFLAG_PAM_CONTACT_TRUSTDOM	0x00000010
215
#define WBFLAG_QUERY_ONLY		0x00000020	/* not used */
216
#define WBFLAG_PAM_AUTH_PAC		0x00000040
217 218 219
#define WBFLAG_PAM_UNIX_NAME		0x00000080
#define WBFLAG_PAM_AFS_TOKEN		0x00000100
#define WBFLAG_PAM_NT_STATUS_SQUASH	0x00000200
220
/* This is a flag that can only be sent from parent to child */
221
#define WBFLAG_IS_PRIVILEGED		0x00000400	/* not used */
222
/* Flag to say this is a winbindd internal send - don't recurse. */
223
#define WBFLAG_RECURSE			0x00000800
224 225 226 227
#define WBFLAG_PAM_KRB5			0x00001000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x00002000
#define WBFLAG_PAM_CACHED_LOGIN		0x00004000
#define WBFLAG_PAM_GET_PWD_POLICY	0x00008000
228 229 230
/* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
 * extra_data field */
#define WBFLAG_BIG_NTLMV2_BLOB		0x00010000
231

232 233
#define WINBINDD_MAX_EXTRA_DATA (128*1024)

234 235
/* Winbind request structure */

236 237 238
/*******************************************************************************
 * This structure MUST be the same size in the 32bit and 64bit builds
 * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
239
 *
240 241 242 243
 * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 * A 64BIT WINBINDD    --jerry
 ******************************************************************************/

244
struct winbindd_request {
245
	uint32_t length;
246
	enum winbindd_cmd cmd;   /* Winbindd command to execute */
247 248
	enum winbindd_cmd original_cmd;   /* Original Winbindd command
					     issued to parent process */
249
	pid_t pid;               /* pid of calling process */
250 251
	uint32_t wb_flags;       /* generic flags */
	uint32_t flags;          /* flags relevant *only* to a given request */
252
	fstring domain_name;	/* name of domain for which the request applies */
253 254

	union {
255
		fstring winsreq;     /* WINS request */
Tim Potter's avatar
Tim Potter committed
256 257 258 259
		fstring username;    /* getpwnam */
		fstring groupname;   /* getgrnam */
		uid_t uid;           /* getpwuid, uid_to_sid */
		gid_t gid;           /* getgrgid, gid_to_sid */
260
		uint32_t ndrcmd;
261
		struct {
Volker Lendecke's avatar
Volker Lendecke committed
262
			/* We deliberately don't split into domain/user to
263
                           avoid having the client know what the separator
264
                           character is. */
265 266
			fstring user;
			fstring pass;
267
			char require_membership_of_sid[1024];
268 269
			fstring krb5_cc_type;
			uid_t uid;
Tim Potter's avatar
Tim Potter committed
270
		} auth;              /* pam_winbind auth module */
271
                struct {
272 273
                        uint8_t chal[8];
			uint32_t logon_parameters;
274
                        fstring user;
275
                        fstring domain;
276
                        fstring lm_resp;
277
                        uint32_t lm_resp_len;
278
                        fstring nt_resp;
279
                        uint32_t nt_resp_len;
280
			fstring workstation;
281
		        fstring require_membership_of_sid;
282
                } auth_crap;
Tim Potter's avatar
Tim Potter committed
283 284 285 286 287
                struct {
                    fstring user;
                    fstring oldpass;
                    fstring newpass;
                } chauthtok;         /* pam_winbind passwd module */
288 289 290
		struct {
			fstring user;
			fstring domain;
291 292 293 294 295 296 297 298
			uint8_t new_nt_pswd[516];
			uint16_t new_nt_pswd_len;
			uint8_t old_nt_hash_enc[16];
			uint16_t old_nt_hash_enc_len;
			uint8_t new_lm_pswd[516];
			uint16_t new_lm_pswd_len;
			uint8_t old_lm_hash_enc[16];
			uint16_t old_lm_hash_enc_len;
299
		} chng_pswd_auth_crap;/* pam_winbind passwd module */
300 301 302 303 304
		struct {
			fstring user;
			fstring krb5ccname;
			uid_t uid;
		} logoff;              /* pam_winbind session module */
Tim Potter's avatar
Tim Potter committed
305
		fstring sid;         /* lookupsid, sid_to_[ug]id */
306 307
		struct {
			fstring dom_name;       /* lookupname */
308
			fstring name;
309
		} name;
310
		uint32_t num_entries;  /* getpwent, getgrent */
311 312 313 314
		struct {
			fstring username;
			fstring groupname;
		} acct_mgt;
315
		struct {
316
			bool is_primary;
317 318 319 320 321 322 323 324
			fstring dcname;
		} init_conn;
		struct {
			fstring sid;
			fstring name;
		} dual_sid2id;
		struct {
			fstring sid;
325 326
			uint32_t type;
			uint32_t id;
327
		} dual_idmapset;
328
		bool list_all_domains;
329

330 331 332 333 334 335 336 337 338
		struct {
			uid_t uid;
			fstring user;
			/* the effective uid of the client, must be the uid for 'user'.
			   This is checked by the main daemon, trusted by children. */
			/* if the blobs are length zero, then this doesn't
			   produce an actual challenge response. It merely
			   succeeds if there are cached credentials available
			   that could be used. */
339 340
			uint32_t initial_blob_len; /* blobs in extra_data */
			uint32_t challenge_blob_len;
341
		} ccache_ntlm_auth;
342 343 344 345 346
		struct {
			uid_t uid;
			fstring user;
			fstring pass;
		} ccache_save;
347 348 349 350 351 352
		struct {
			fstring domain_name;
			fstring domain_guid;
			fstring site_name;
			uint32_t flags;
		} dsgetdcname;
353

354
		/* padding -- needed to fix alignment between 32bit and 64bit libs.
355
		   The size is the sizeof the union without the padding aligned on
356 357
		   an 8 byte boundary.   --jerry */

358
		char padding[1800];
359
	} data;
360
	union {
361
		SMB_TIME_T padding;
362 363
		char *data;
	} extra_data;
364
	uint32_t extra_len;
Tim Potter's avatar
Tim Potter committed
365
	char null_term;
366 367 368 369 370
};

/* Response values */

enum winbindd_result {
Tim Potter's avatar
Tim Potter committed
371
	WINBINDD_ERROR,
372
	WINBINDD_PENDING,
Tim Potter's avatar
Tim Potter committed
373
	WINBINDD_OK
374 375 376 377
};

/* Winbind response structure */

378 379 380
/*******************************************************************************
 * This structure MUST be the same size in the 32bit and 64bit builds
 * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
381
 *
382 383 384 385
 * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 * A 64BIT WINBINDD    --jerry
 ******************************************************************************/

386
struct winbindd_response {
387

Tim Potter's avatar
Tim Potter committed
388
	/* Header information */
389

390
	uint32_t length;                      /* Length of response */
Tim Potter's avatar
Tim Potter committed
391
	enum winbindd_result result;          /* Result code */
392

Tim Potter's avatar
Tim Potter committed
393
	/* Fixed length return data */
394

Tim Potter's avatar
Tim Potter committed
395
	union {
396
		int interface_version;  /* Try to ensure this is always in the same spot... */
397

398 399
		fstring winsresp;		/* WINS response */

Tim Potter's avatar
Tim Potter committed
400
		/* getpwnam, getpwuid */
401

402
		struct winbindd_pw pw;
Tim Potter's avatar
Tim Potter committed
403

Tim Potter's avatar
Tim Potter committed
404
		/* getgrnam, getgrgid */
Tim Potter's avatar
Tim Potter committed
405

406
		struct winbindd_gr gr;
Tim Potter's avatar
Tim Potter committed
407

408
		uint32_t num_entries; /* getpwent, getgrent */
409
		struct winbindd_sid {
410 411 412
			fstring sid;        /* lookupname, [ug]id_to_sid */
			int type;
		} sid;
413
		struct winbindd_name {
414
			fstring dom_name;       /* lookupsid */
415
			fstring name;
Tim Potter's avatar
Tim Potter committed
416 417 418 419
			int type;
		} name;
		uid_t uid;          /* sid_to_uid */
		gid_t gid;          /* sid_to_gid */
420 421 422 423
		struct winbindd_info {
			char winbind_separator;
			fstring samba_version;
		} info;
424
		fstring domain_name;
Andrew Bartlett's avatar
Andrew Bartlett committed
425
		fstring netbios_name;
426
		fstring dc_name;
427 428

		struct auth_reply {
429
			uint32_t nt_status;
430 431 432
			fstring nt_status_string;
			fstring error_string;
			int pam_error;
433
			char user_session_key[16];
434
			char first_8_lm_hash[8];
435
			fstring krb5ccname;
436
			uint32_t reject_reason;
437
			uint8_t authoritative;
438 439
			uint8_t padding[1];
			uint16_t validation_level;
440
			struct policy_settings {
441 442 443 444
				uint32_t min_length_password;
				uint32_t password_history;
				uint32_t password_properties;
				uint32_t padding;
445 446
				SMB_TIME_T expire;
				SMB_TIME_T min_passwordage;
447 448
			} policy;
			struct info3_text {
449 450 451 452 453 454
				SMB_TIME_T logon_time;
				SMB_TIME_T logoff_time;
				SMB_TIME_T kickoff_time;
				SMB_TIME_T pass_last_set_time;
				SMB_TIME_T pass_can_change_time;
				SMB_TIME_T pass_must_change_time;
455 456 457 458 459 460 461 462
				uint32_t logon_count;
				uint32_t bad_pw_count;
				uint32_t user_rid;
				uint32_t group_rid;
				uint32_t num_groups;
				uint32_t user_flgs;
				uint32_t acct_flags;
				uint32_t num_other_sids;
463
				fstring dom_sid;
464 465 466 467 468 469 470 471 472
				fstring user_name;
				fstring full_name;
				fstring logon_script;
				fstring profile_path;
				fstring home_dir;
				fstring dir_drive;
				fstring logon_srv;
				fstring logon_dom;
			} info3;
473 474 475 476
			struct info6_text {
				fstring dns_domainname;
				fstring principal_name;
			} info6;
477
			fstring unix_username;
478
		} auth;
479 480 481 482
		struct {
			fstring name;
			fstring alt_name;
			fstring sid;
483 484 485
			bool native_mode;
			bool active_directory;
			bool primary;
486
		} domain_info;
487
		uint32_t sequence_number;
488 489 490
		struct {
			fstring acct_name;
			fstring full_name;
491 492
			fstring homedir;
			fstring shell;
493 494
			uint32_t primary_gid;
			uint32_t group_rid;
495
		} user_info;
496
		struct {
497
			uint8_t session_key[16];
498
			uint32_t auth_blob_len; /* blob in extra_data */
499
			uint8_t new_spnego;
500
		} ccache_ntlm_auth;
501 502 503 504 505 506 507 508 509 510 511
		struct {
			fstring dc_unc;
			fstring dc_address;
			uint32_t dc_address_type;
			fstring domain_guid;
			fstring domain_name;
			fstring forest_name;
			uint32_t dc_flags;
			fstring dc_site_name;
			fstring client_site_name;
		} dsgetdcname;
Tim Potter's avatar
Tim Potter committed
512
	} data;
513

Tim Potter's avatar
Tim Potter committed
514
	/* Variable length return data */
515

516
	union {
517
		SMB_TIME_T padding;
518 519
		void *data;
	} extra_data;
520 521 522
};

#endif