4 Authentication IDL structures
6 These are NOT public network structures, but it is helpful to define
7 these things in IDL. They may change without ABI breakage or
12 import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
14 pyhelper("librpc/ndr/py_auth.c"),
15 helper("../librpc/ndr/ndr_auth.h"),
16 helpstring("internal Samba authentication structures")
21 typedef [public] enum {
22 SEC_AUTH_METHOD_UNAUTHENTICATED = 0,
23 SEC_AUTH_METHOD_NTLM = 1,
24 SEC_AUTH_METHOD_KERBEROS = 2
27 /* This is the parts of the session_info that don't change
28 * during local privilege and group manipulations */
29 typedef [public] struct {
30 [unique,charset(UTF8),string] char *account_name;
31 [unique,charset(UTF8),string] char *user_principal_name;
32 boolean8 user_principal_constructed;
33 [unique,charset(UTF8),string] char *domain_name;
34 [unique,charset(UTF8),string] char *dns_domain_name;
36 [unique,charset(UTF8),string] char *full_name;
37 [unique,charset(UTF8),string] char *logon_script;
38 [unique,charset(UTF8),string] char *profile_path;
39 [unique,charset(UTF8),string] char *home_directory;
40 [unique,charset(UTF8),string] char *home_drive;
41 [unique,charset(UTF8),string] char *logon_server;
46 NTTIME last_password_change;
47 NTTIME allow_password_change;
48 NTTIME force_password_change;
51 uint16 bad_password_count;
58 /* This information is preserved only to assist torture tests */
59 typedef [public] struct {
60 /* Number SIDs from the DC netlogon validation info */
62 [size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
63 } auth_user_info_torture;
65 typedef [public] struct {
66 [unique,charset(UTF8),string] char *unix_name;
69 * For performance reasons we keep an alpha_strcpy-sanitized version
70 * of the username around as long as the global variable current_user
71 * still exists. If we did not do keep this, we'd have to call
72 * alpha_strcpy whenever we do a become_user(), potentially on every
73 * smb request. See set_current_user_info in source3.
75 [unique,charset(UTF8),string] char *sanitized_username;
76 } auth_user_info_unix;
79 * If the user was authenticated with a Kerberos ticket, this indicates
80 * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
81 * unset, the type is unknown. This indicator is useful for the KDC and
82 * the kpasswd service, which share the same account and keys. By
83 * ensuring it is provided with the appopriate ticket type, each service
84 * avoids accepting a ticket meant for the other.
86 * The heuristic used to determine the type is the presence or absence
87 * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
88 * we have a TGT. This heuristic will fail for older Samba versions and
89 * Windows prior to Nov. 2021 updates, which lack support for this
93 TICKET_TYPE_UNKNOWN = 0,
95 TICKET_TYPE_NON_TGT = 2
99 * Used to indicate whether or not to include resource groups in the
100 * formation of SamInfo or a PAC.
103 AUTH_INCLUDE_RESOURCE_GROUPS = 0,
104 AUTH_EXCLUDE_RESOURCE_GROUPS = 1
105 } auth_group_inclusion;
107 typedef [public] struct {
109 security_GroupAttrs attrs;
112 /* This is the interim product of the auth subsystem, before
113 * privileges and local groups are handled */
114 typedef [public] struct {
116 [size_is(num_sids)] auth_SidAttr sids[*];
117 auth_user_info *info;
118 [noprint] DATA_BLOB user_session_key;
119 [noprint] DATA_BLOB lm_session_key;
120 ticket_type ticket_type;
123 typedef [public] struct {
124 security_token *security_token;
125 security_unix_token *unix_token;
126 auth_user_info *info;
127 auth_user_info_unix *unix_info;
128 [value(NULL), ignore] auth_user_info_torture *torture;
130 /* This is the final session key, as used by SMB signing, and
131 * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
132 * when over ncacn_np.
133 * It is calculated by NTLMSSP from the session key in the info3,
134 * and is set from the Kerberos session key using
135 * krb5_auth_con_getremotesubkey().
137 * Bottom line, it is not the same as the session keys in info3.
140 [noprint] DATA_BLOB session_key;
142 [value(NULL), ignore] cli_credentials *credentials;
145 * It is really handy to have our authorization code log a
146 * token that can be used to tie later requests together.
147 * We generate this in auth_generate_session_info()
149 GUID unique_session_token;
151 ticket_type ticket_type;
154 typedef [public] struct {
155 auth_session_info *session_info;
156 [noprint] DATA_BLOB exported_gssapi_credentials;
157 } auth_session_info_transport;