auth: Exclude resource groups from a TGT
1 #include "idl_types.h"
2
3 /*
4   Authentication IDL structures
5
6   These are NOT public network structures, but it is helpful to define
7   them in IDL. They may change without warning, and such changes are
8   not considered ABI breakage.
9
10 */
11
12 import "misc.idl", "security.idl", "lsa.idl", "krb5pac.idl";
13 [
14         pyhelper("librpc/ndr/py_auth.c"),   /* hand-written C pulled into the generated Python bindings */
15         helper("../librpc/ndr/ndr_auth.h"), /* extra header included by the generated NDR code */
16         helpstring("internal Samba authentication structures")
17 ]
18
19 interface auth /* Process-internal authentication structures; not a wire protocol (see file header) */
20 {
21         typedef [public] enum { /* How the session was authenticated */
22                 SEC_AUTH_METHOD_UNAUTHENTICATED = 0, /* zero value: an unset field reads as unauthenticated */
23                 SEC_AUTH_METHOD_NTLM            = 1,
24                 SEC_AUTH_METHOD_KERBEROS        = 2
25         } auth_method;
26
27         /* These are the parts of the session_info that don't change
28          * during local privilege and group manipulations */
29         typedef [public] struct {
30                 [unique,charset(UTF8),string] char *account_name;
31                 [unique,charset(UTF8),string] char *user_principal_name;
32                 boolean8 user_principal_constructed; /* NOTE(review): presumably set when user_principal_name was built locally rather than supplied - confirm in callers */
33                 [unique,charset(UTF8),string] char *domain_name;
34                 [unique,charset(UTF8),string] char *dns_domain_name;
35
36                 [unique,charset(UTF8),string] char *full_name;
37                 [unique,charset(UTF8),string] char *logon_script;
38                 [unique,charset(UTF8),string] char *profile_path;
39                 [unique,charset(UTF8),string] char *home_directory;
40                 [unique,charset(UTF8),string] char *home_drive;
41                 [unique,charset(UTF8),string] char *logon_server;
42
43                 NTTIME last_logon;
44                 NTTIME last_logoff;
45                 NTTIME acct_expiry;
46                 NTTIME last_password_change;
47                 NTTIME allow_password_change;
48                 NTTIME force_password_change;
49
50                 uint16 logon_count;
51                 uint16 bad_password_count;
52
53                 uint32 acct_flags; /* account control flag bits */
54
55                 uint8 authenticated; /* NOTE(review): presumably non-zero only for a genuinely authenticated user; confirm against the callers that set it */
56         } auth_user_info;
57
58         /* This information is preserved only to assist torture tests */
59         typedef [public] struct {
60                 /* Number of SIDs from the DC netlogon validation info */
61                 uint32 num_dc_sids;
62                 [size_is(num_dc_sids)] auth_SidAttr dc_sids[*]; /* num_dc_sids entries */
63         } auth_user_info_torture;
64
65         typedef [public] struct { /* POSIX-side view of the user */
66                 [unique,charset(UTF8),string] char *unix_name;
67
68                 /*
69                  * For performance reasons we keep an alpha_strcpy-sanitized version
70                  * of the username around as long as the global variable current_user
71                  * still exists. If we did not keep this, we'd have to call
72                  * alpha_strcpy whenever we do a become_user(), potentially on every
73                  * smb request. See set_current_user_info in source3.
74                  */
75                 [unique,charset(UTF8),string] char *sanitized_username;
76         } auth_user_info_unix;
77
78         /*
79          * If the user was authenticated with a Kerberos ticket, this indicates
80          * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
81          * unset, the type is unknown. This indicator is useful for the KDC and
82          * the kpasswd service, which share the same account and keys. By
83          * ensuring it is provided with the appropriate ticket type, each service
84          * avoids accepting a ticket meant for the other.
85          *
86          * The heuristic used to determine the type is the presence or absence
87          * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
88          * we have a TGT. This heuristic will fail for older Samba versions and
89          * Windows prior to Nov. 2021 updates, which lack support for this
90          * buffer.
91          */
92         typedef enum {
93                 TICKET_TYPE_UNKNOWN = 0, /* zero value: an unset field reads as "unknown", never as TGT */
94                 TICKET_TYPE_TGT = 1,
95                 TICKET_TYPE_NON_TGT = 2
96         } ticket_type;
97
98         /*
99          * Used to indicate whether or not to include resource groups in the
100          * formation of SamInfo or a PAC.
101          */
102         typedef enum {
103                 AUTH_INCLUDE_RESOURCE_GROUPS = 0, /* zero value: an unset field means "include" */
104                 AUTH_EXCLUDE_RESOURCE_GROUPS = 1  /* NOTE(review): presumably what a TGT's PAC is built with, per the commit title - confirm in the callers */
105         } auth_group_inclusion;
106
107         typedef [public] struct { /* One SID together with its group attribute flags */
108                 dom_sid sid;
109                 security_GroupAttrs attrs;
110         } auth_SidAttr;
111
112         /* This is the interim product of the auth subsystem, before
113          * privileges and local groups are handled */
114         typedef [public] struct {
115                 uint32 num_sids;
116                 [size_is(num_sids)] auth_SidAttr sids[*]; /* num_sids entries: SIDs with their attributes */
117                 auth_user_info *info;
118                 [noprint] DATA_BLOB user_session_key; /* noprint: keeps key material out of ndr_print output */
119                 [noprint] DATA_BLOB lm_session_key;   /* noprint: keeps key material out of ndr_print output */
120                 ticket_type ticket_type; /* see the ticket_type comment above; UNKNOWN unless explicitly set */
121         } auth_user_info_dc;
122
123         typedef [public] struct { /* Session state handed to services; presumably the post-privilege, post-local-group counterpart of auth_user_info_dc */
124                 security_token *security_token;
125                 security_unix_token *unix_token;
126                 auth_user_info *info;
127                 auth_user_info_unix *unix_info;
128                 [value(NULL), ignore] auth_user_info_torture *torture; /* process-local: not marshalled, NULL after a pull */
129
130                 /* This is the final session key, as used by SMB signing, and
131                  * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
132                  * when over ncacn_np.
133                  * It is calculated by NTLMSSP from the session key in the info3,
134                  * and is set from the Kerberos session key using
135                  * krb5_auth_con_getremotesubkey().
136                  *
137                  * Bottom line, it is not the same as the session keys in info3.
138                  */
139
140                 [noprint] DATA_BLOB session_key; /* noprint: keeps key material out of ndr_print output */
141
142                 [value(NULL), ignore] cli_credentials *credentials; /* process-local: not marshalled, NULL after a pull */
143
144                 /*
145                  * It is really handy to have our authorization code log a
146                  * token that can be used to tie later requests together.
147                  * We generate this in auth_generate_session_info()
148                  */
149                 GUID unique_session_token;
150
151                 ticket_type ticket_type; /* see the ticket_type comment above */
152         } auth_session_info;
153
154         typedef [public] struct { /* A session_info plus exported GSSAPI credentials; presumably the form used to hand a session across a transport */
155                 auth_session_info *session_info;
156                 [noprint] DATA_BLOB exported_gssapi_credentials; /* noprint: keeps credential material out of ndr_print output */
157         } auth_session_info_transport;
158 }