nsswitch/winbind_struct_protocol.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind daemon for ntdom nss module
   5
   6    Copyright (C) Tim Potter 2000
   7    Copyright (C) Gerald Carter 2006
   8
   9    You are free to use this interface definition in any way you see
  10    fit, including without restriction, using this header in your own
  11    products. You do not need to give any attribution.
  12 */
  13
  14 #ifndef SAFE_FREE
  15 #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
  16 #endif
  17
  18 #ifndef FSTRING_LEN
  19 #define FSTRING_LEN 256
  20 typedef char fstring[FSTRING_LEN];
  21 #endif
  22
  23 #ifndef _WINBINDD_NTDOM_H
  24 #define _WINBINDD_NTDOM_H
  25
  26 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
  27
  28 /* Let the build environment override the public winbindd socket location. This
  29  * is needed for launchd support -- jpeach.
  30  */
  31 #ifndef WINBINDD_SOCKET_DIR
  32 #define WINBINDD_SOCKET_DIR  "/tmp/.winbindd"  /* Name of PF_UNIX dir */
  33 #endif
  34
  35 /*
  36  * when compiled with socket_wrapper support
  37  * the location of the WINBINDD_SOCKET_DIR
  38  * can be overwritten via an environment variable
  39  */
  40 #define WINBINDD_SOCKET_DIR_ENVVAR "WINBINDD_SOCKET_DIR"
  41
  42 #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
  43 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
  44 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
  45 #define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
  46
  47 /* Update this when you change the interface.
  48  * 21: added WINBINDD_GETPWSID
  49  *     added WINBINDD_GETSIDALIASES
  50  * 22: added WINBINDD_PING_DC
  51  * 23: added session_key to ccache_ntlm_auth response
  52  *     added WINBINDD_CCACHE_SAVE
  53  * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
  54  */
  55 #define WINBIND_INTERFACE_VERSION 24
  56
  57 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
  58    On a 64bit Linux box, we have to support a constant structure size
  59    between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
  60    The easiest way to do this is to always use 8byte values for time_t. */
  61
  62 #define SMB_TIME_T int64_t
  63
  64 /* Socket commands */
  65
  66 enum winbindd_cmd {
  67
  68         WINBINDD_INTERFACE_VERSION,    /* Always a well known value */
  69
  70         /* Get users and groups */
  71
  72         WINBINDD_GETPWNAM,
  73         WINBINDD_GETPWUID,
  74         WINBINDD_GETPWSID,
  75         WINBINDD_GETGRNAM,
  76         WINBINDD_GETGRGID,
  77         WINBINDD_GETGROUPS,
  78
  79         /* Enumerate users and groups */
  80
  81         WINBINDD_SETPWENT,
  82         WINBINDD_ENDPWENT,
  83         WINBINDD_GETPWENT,
  84         WINBINDD_SETGRENT,
  85         WINBINDD_ENDGRENT,
  86         WINBINDD_GETGRENT,
  87
  88         /* PAM authenticate and password change */
  89
  90         WINBINDD_PAM_AUTH,
  91         WINBINDD_PAM_AUTH_CRAP,
  92         WINBINDD_PAM_CHAUTHTOK,
  93         WINBINDD_PAM_LOGOFF,
  94         WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
  95
  96         /* List various things */
  97
  98         WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
  99         WINBINDD_LIST_GROUPS,        /* Ditto */
 100         WINBINDD_LIST_TRUSTDOM,
 101
 102         /* SID conversion */
 103
 104         WINBINDD_LOOKUPSID,
 105         WINBINDD_LOOKUPNAME,
 106         WINBINDD_LOOKUPRIDS,
 107
 108         /* Lookup functions */
 109
 110         WINBINDD_SID_TO_UID,
 111         WINBINDD_SID_TO_GID,
 112         WINBINDD_SIDS_TO_XIDS,
 113         WINBINDD_UID_TO_SID,
 114         WINBINDD_GID_TO_SID,
 115
 116         WINBINDD_ALLOCATE_UID,
 117         WINBINDD_ALLOCATE_GID,
 118         WINBINDD_REMOVE_MAPPING,
 119
 120         /* Miscellaneous other stuff */
 121
 122         WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
 123         WINBINDD_CHANGE_MACHACC,    /* Change machine account pw */
 124         WINBINDD_PING_DC,           /* Ping the DC through NETLOGON */
 125         WINBINDD_PING,              /* Just tell me winbind is running */
 126         WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
 127         WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
 128
 129         WINBINDD_DOMAIN_INFO,   /* Most of what we know from
 130                                    struct winbindd_domain */
 131         WINBINDD_GETDCNAME,     /* Issue a GetDCName Request */
 132         WINBINDD_DSGETDCNAME,   /* Issue a DsGetDCName Request */
 133
 134         WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
 135
 136         /* WINS commands */
 137
 138         WINBINDD_WINS_BYIP,
 139         WINBINDD_WINS_BYNAME,
 140
 141         /* this is like GETGRENT but gives an empty group list */
 142         WINBINDD_GETGRLST,
 143
 144         WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
 145
 146         /* find the location of our privileged pipe */
 147         WINBINDD_PRIV_PIPE_DIR,
 148
 149         /* return a list of group sids for a user sid */
 150         WINBINDD_GETUSERSIDS,
 151
 152         /* Various group queries */
 153         WINBINDD_GETUSERDOMGROUPS,
 154
 155         /* lookup local groups */
 156         WINBINDD_GETSIDALIASES,
 157
 158         /* Initialize connection in a child */
 159         WINBINDD_INIT_CONNECTION,
 160
 161         /* Blocking calls that are not allowed on the main winbind pipe, only
 162          * between parent and children */
 163         WINBINDD_DUAL_SID2UID,
 164         WINBINDD_DUAL_SID2GID,
 165         WINBINDD_DUAL_SIDS2XIDS,
 166         WINBINDD_DUAL_UID2SID,
 167         WINBINDD_DUAL_GID2SID,
 168         WINBINDD_DUAL_REMOVE_MAPPING,
 169
 170         /* Wrapper around possibly blocking unix nss calls */
 171         WINBINDD_DUAL_USERINFO,
 172         WINBINDD_DUAL_GETSIDALIASES,
 173
 174         WINBINDD_DUAL_NDRCMD,
 175
 176         /* Complete the challenge phase of the NTLM authentication
 177            protocol using cached password. */
 178         WINBINDD_CCACHE_NTLMAUTH,
 179         WINBINDD_CCACHE_SAVE,
 180
 181         WINBINDD_NUM_CMDS
 182 };
 183
 184 typedef struct winbindd_pw {
 185         fstring pw_name;
 186         fstring pw_passwd;
 187         uid_t pw_uid;
 188         gid_t pw_gid;
 189         fstring pw_gecos;
 190         fstring pw_dir;
 191         fstring pw_shell;
 192 } WINBINDD_PW;
 193
 194
 195 typedef struct winbindd_gr {
 196         fstring gr_name;
 197         fstring gr_passwd;
 198         gid_t gr_gid;
 199         uint32_t num_gr_mem;
 200         uint32_t gr_mem_ofs;   /* offset to group membership */
 201 } WINBINDD_GR;
 202
 203 /* PAM specific request flags */
 204 #define WBFLAG_PAM_INFO3_NDR            0x00000001
 205 #define WBFLAG_PAM_INFO3_TEXT           0x00000002
 206 #define WBFLAG_PAM_USER_SESSION_KEY     0x00000004
 207 #define WBFLAG_PAM_LMKEY                0x00000008
 208 #define WBFLAG_PAM_CONTACT_TRUSTDOM     0x00000010
 209 #define WBFLAG_PAM_UNIX_NAME            0x00000080
 210 #define WBFLAG_PAM_AFS_TOKEN            0x00000100
 211 #define WBFLAG_PAM_NT_STATUS_SQUASH     0x00000200
 212 #define WBFLAG_PAM_KRB5                 0x00001000
 213 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5  0x00002000
 214 #define WBFLAG_PAM_CACHED_LOGIN         0x00004000
 215 #define WBFLAG_PAM_GET_PWD_POLICY       0x00008000
 216
 217 /* generic request flags */
 218 #define WBFLAG_QUERY_ONLY               0x00000020      /* not used */
 219 /* This is a flag that can only be sent from parent to child */
 220 #define WBFLAG_IS_PRIVILEGED            0x00000400      /* not used */
 221 /* Flag to say this is a winbindd internal send - don't recurse. */
 222 #define WBFLAG_RECURSE                  0x00000800
 223 /* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
 224  * extra_data field */
 225 #define WBFLAG_BIG_NTLMV2_BLOB          0x00010000
 226
 227 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
 228
 229 /* Winbind request structure */
 230
 231 /*******************************************************************************
 232  * This structure MUST be the same size in the 32bit and 64bit builds
 233  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
 234  *
 235  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 236  * A 64BIT WINBINDD    --jerry
 237  ******************************************************************************/
 238
 239 struct winbindd_request {
 240         uint32_t length;
 241         enum winbindd_cmd cmd;   /* Winbindd command to execute */
 242         enum winbindd_cmd original_cmd;   /* Original Winbindd command
 243                                              issued to parent process */
 244         pid_t pid;               /* pid of calling process */
 245         uint32_t wb_flags;       /* generic flags */
 246         uint32_t flags;          /* flags relevant *only* to a given request */
 247         fstring domain_name;    /* name of domain for which the request applies */
 248
 249         union {
 250                 fstring winsreq;     /* WINS request */
 251                 fstring username;    /* getpwnam */
 252                 fstring groupname;   /* getgrnam */
 253                 uid_t uid;           /* getpwuid, uid_to_sid */
 254                 gid_t gid;           /* getgrgid, gid_to_sid */
 255                 uint32_t ndrcmd;
 256                 struct {
 257                         /* We deliberatedly don't split into domain/user to
 258                            avoid having the client know what the separator
 259                            character is. */
 260                         fstring user;
 261                         fstring pass;
 262                         char require_membership_of_sid[1024];
 263                         fstring krb5_cc_type;
 264                         uid_t uid;
 265                 } auth;              /* pam_winbind auth module */
 266                 struct {
 267                         uint8_t chal[8];
 268                         uint32_t logon_parameters;
 269                         fstring user;
 270                         fstring domain;
 271                         fstring lm_resp;
 272                         uint32_t lm_resp_len;
 273                         fstring nt_resp;
 274                         uint32_t nt_resp_len;
 275                         fstring workstation;
 276                         fstring require_membership_of_sid;
 277                 } auth_crap;
 278                 struct {
 279                     fstring user;
 280                     fstring oldpass;
 281                     fstring newpass;
 282                 } chauthtok;         /* pam_winbind passwd module */
 283                 struct {
 284                         fstring user;
 285                         fstring domain;
 286                         uint8_t new_nt_pswd[516];
 287                         uint16_t new_nt_pswd_len;
 288                         uint8_t old_nt_hash_enc[16];
 289                         uint16_t old_nt_hash_enc_len;
 290                         uint8_t new_lm_pswd[516];
 291                         uint16_t new_lm_pswd_len;
 292                         uint8_t old_lm_hash_enc[16];
 293                         uint16_t old_lm_hash_enc_len;
 294                 } chng_pswd_auth_crap;/* pam_winbind passwd module */
 295                 struct {
 296                         fstring user;
 297                         fstring krb5ccname;
 298                         uid_t uid;
 299                 } logoff;              /* pam_winbind session module */
 300                 fstring sid;         /* lookupsid, sid_to_[ug]id */
 301                 struct {
 302                         fstring dom_name;       /* lookupname */
 303                         fstring name;
 304                 } name;
 305                 uint32_t num_entries;  /* getpwent, getgrent */
 306                 struct {
 307                         fstring username;
 308                         fstring groupname;
 309                 } acct_mgt;
 310                 struct {
 311                         bool is_primary;
 312                         fstring dcname;
 313                 } init_conn;
 314                 struct {
 315                         fstring sid;
 316                         fstring name;
 317                 } dual_sid2id;
 318                 struct {
 319                         fstring sid;
 320                         uint32_t type;
 321                         uint32_t id;
 322                 } dual_idmapset;
 323                 bool list_all_domains;
 324
 325                 struct {
 326                         uid_t uid;
 327                         fstring user;
 328                         /* the effective uid of the client, must be the uid for 'user'.
 329                            This is checked by the main daemon, trusted by children. */
 330                         /* if the blobs are length zero, then this doesn't
 331                            produce an actual challenge response. It merely
 332                            succeeds if there are cached credentials available
 333                            that could be used. */
 334                         uint32_t initial_blob_len; /* blobs in extra_data */
 335                         uint32_t challenge_blob_len;
 336                 } ccache_ntlm_auth;
 337                 struct {
 338                         uid_t uid;
 339                         fstring user;
 340                         fstring pass;
 341                 } ccache_save;
 342                 struct {
 343                         fstring domain_name;
 344                         fstring domain_guid;
 345                         fstring site_name;
 346                         uint32_t flags;
 347                 } dsgetdcname;
 348
 349                 /* padding -- needed to fix alignment between 32bit and 64bit libs.
 350                    The size is the sizeof the union without the padding aligned on
 351                    an 8 byte boundary.   --jerry */
 352
 353                 char padding[1800];
 354         } data;
 355         union {
 356                 SMB_TIME_T padding;
 357                 char *data;
 358         } extra_data;
 359         uint32_t extra_len;
 360         char null_term;
 361 };
 362
 363 /* Response values */
 364
 365 enum winbindd_result {
 366         WINBINDD_ERROR,
 367         WINBINDD_PENDING,
 368         WINBINDD_OK
 369 };
 370
 371 /* Winbind response structure */
 372
 373 /*******************************************************************************
 374  * This structure MUST be the same size in the 32bit and 64bit builds
 375  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
 376  *
 377  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 378  * A 64BIT WINBINDD    --jerry
 379  ******************************************************************************/
 380
 381 struct winbindd_response {
 382
 383         /* Header information */
 384
 385         uint32_t length;                      /* Length of response */
 386         enum winbindd_result result;          /* Result code */
 387
 388         /* Fixed length return data */
 389
 390         union {
 391                 int interface_version;  /* Try to ensure this is always in the same spot... */
 392
 393                 fstring winsresp;               /* WINS response */
 394
 395                 /* getpwnam, getpwuid */
 396
 397                 struct winbindd_pw pw;
 398
 399                 /* getgrnam, getgrgid */
 400
 401                 struct winbindd_gr gr;
 402
 403                 uint32_t num_entries; /* getpwent, getgrent */
 404                 struct winbindd_sid {
 405                         fstring sid;        /* lookupname, [ug]id_to_sid */
 406                         int type;
 407                 } sid;
 408                 struct winbindd_name {
 409                         fstring dom_name;       /* lookupsid */
 410                         fstring name;
 411                         int type;
 412                 } name;
 413                 uid_t uid;          /* sid_to_uid */
 414                 gid_t gid;          /* sid_to_gid */
 415                 struct winbindd_info {
 416                         char winbind_separator;
 417                         fstring samba_version;
 418                 } info;
 419                 fstring domain_name;
 420                 fstring netbios_name;
 421                 fstring dc_name;
 422
 423                 struct auth_reply {
 424                         uint32_t nt_status;
 425                         fstring nt_status_string;
 426                         fstring error_string;
 427                         int pam_error;
 428                         char user_session_key[16];
 429                         char first_8_lm_hash[8];
 430                         fstring krb5ccname;
 431                         uint32_t reject_reason;
 432                         uint32_t padding;
 433                         struct policy_settings {
 434                                 uint32_t min_length_password;
 435                                 uint32_t password_history;
 436                                 uint32_t password_properties;
 437                                 uint32_t padding;
 438                                 SMB_TIME_T expire;
 439                                 SMB_TIME_T min_passwordage;
 440                         } policy;
 441                         struct info3_text {
 442                                 SMB_TIME_T logon_time;
 443                                 SMB_TIME_T logoff_time;
 444                                 SMB_TIME_T kickoff_time;
 445                                 SMB_TIME_T pass_last_set_time;
 446                                 SMB_TIME_T pass_can_change_time;
 447                                 SMB_TIME_T pass_must_change_time;
 448                                 uint32_t logon_count;
 449                                 uint32_t bad_pw_count;
 450                                 uint32_t user_rid;
 451                                 uint32_t group_rid;
 452                                 uint32_t num_groups;
 453                                 uint32_t user_flgs;
 454                                 uint32_t acct_flags;
 455                                 uint32_t num_other_sids;
 456                                 fstring dom_sid;
 457                                 fstring user_name;
 458                                 fstring full_name;
 459                                 fstring logon_script;
 460                                 fstring profile_path;
 461                                 fstring home_dir;
 462                                 fstring dir_drive;
 463                                 fstring logon_srv;
 464                                 fstring logon_dom;
 465                         } info3;
 466                         fstring unix_username;
 467                 } auth;
 468                 struct {
 469                         fstring name;
 470                         fstring alt_name;
 471                         fstring sid;
 472                         bool native_mode;
 473                         bool active_directory;
 474                         bool primary;
 475                 } domain_info;
 476                 uint32_t sequence_number;
 477                 struct {
 478                         fstring acct_name;
 479                         fstring full_name;
 480                         fstring homedir;
 481                         fstring shell;
 482                         uint32_t primary_gid;
 483                         uint32_t group_rid;
 484                 } user_info;
 485                 struct {
 486                         uint8_t session_key[16];
 487                         uint32_t auth_blob_len; /* blob in extra_data */
 488                 } ccache_ntlm_auth;
 489                 struct {
 490                         fstring dc_unc;
 491                         fstring dc_address;
 492                         uint32_t dc_address_type;
 493                         fstring domain_guid;
 494                         fstring domain_name;
 495                         fstring forest_name;
 496                         uint32_t dc_flags;
 497                         fstring dc_site_name;
 498                         fstring client_site_name;
 499                 } dsgetdcname;
 500         } data;
 501
 502         /* Variable length return data */
 503
 504         union {
 505                 SMB_TIME_T padding;
 506                 void *data;
 507         } extra_data;
 508 };
 509
 510 #endif