1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon for ntdom nss module
5
6    Copyright (C) Tim Potter 2000
7    Copyright (C) Gerald Carter 2006
8
9    You are free to use this interface definition in any way you see
10    fit, including without restriction, using this header in your own
11    products. You do not need to give any attribution.
12 */
13
14 #ifndef SAFE_FREE
   /* Release x with free() and reset it to NULL, so the stale pointer cannot
    * be dereferenced or freed a second time through the same variable.
    * The argument is expanded three times and is not parenthesized: pass a
    * plain pointer lvalue with no side effects.  free() must be declared by
    * the including file; no #include lines are visible in this header. */
15 #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
16 #endif
17
18 #ifndef FSTRING_LEN
   /* fstring is a fixed array of FSTRING_LEN (256) chars.  It carries no
    * separate length field and the type itself does not enforce NUL
    * termination.
    * NOTE(review): code that receives a structure holding fstring members
    * should presumably force or verify a terminator inside the array before
    * handing a member to string functions - confirm in the callers. */
19 #define FSTRING_LEN 256
20 typedef char fstring[FSTRING_LEN];
21 #endif
22
23 #ifndef _WINBINDD_NTDOM_H
24 #define _WINBINDD_NTDOM_H
25
   /* File name of the winbindd socket.  The directory that contains it is
    * deliberately not defined in this header (explained in the comment
    * that follows). */
26 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
27
28 /* We let the build environment set the public winbindd socket
29  * location. Therefore we no longer set
30  *
31  * #define WINBINDD_SOCKET_DIR "/tmp/.winbindd"
32  *
33  * A number of different distributions set different paths, and so it
34  * needs to come from configure in Samba.  External users of this header will
35  * need to know where the path is on their system by some other
36  * mechanism.
37  */
   /* NOTE(review): since the directory is supplied from outside this header,
    * a client should presumably make sure the socket it connects to lives in
    * a directory that untrusted users cannot write to or replace - confirm
    * in the client library. */
38
   /* NOTE(review): who may reach the 'privileged' pipe is presumably decided
    * by the ownership and mode of this subdirectory; that setup is not
    * visible in this header. */
39 #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lock_directory() to hold the 'privileged' pipe */
   /* The three macros below are names of environment variables; how each
    * value is interpreted is not visible in this header.
    * NOTE(review): the environment is chosen by whoever starts the process,
    * so values read through these names should be handled as untrusted
    * input, in particular inside privileged programs - confirm at the
    * places that call getenv(). */
40 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
41 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
42 #define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
43
44 /* Update this when you change the interface.
45  * 21: added WINBINDD_GETPWSID
46  *     added WINBINDD_GETSIDALIASES
47  * 22: added WINBINDD_PING_DC
48  * 23: added session_key to ccache_ntlm_auth response
49  *     added WINBINDD_CCACHE_SAVE
50  * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
51  * 25: removed WINBINDD_SET_HWM
52  *     removed WINBINDD_SET_MAPPING
53  *     removed WINBINDD_REMOVE_MAPPING
54  * 26: added WINBINDD_DC_INFO
55  * 27: added WINBINDD_LOOKUPSIDS
56  * 28: added WINBINDD_XIDS_TO_SIDS
57  *     removed WINBINDD_SID_TO_UID
58  *     removed WINBINDD_SID_TO_GID
59  *     removed WINBINDD_GID_TO_SID
60  *     removed WINBINDD_UID_TO_SID
61  * 29: added "authoritative" to response.data.auth
62  * 30: added "validation_level" and "info6" to response.data.auth
63  */
   /* Version of the command set and structure layout defined in this file.
    * The history above includes removed commands; because the command enum
    * uses implicit values, such a removal renumbers the commands after it.
    * NOTE(review): a peer built against another version may therefore
    * disagree on command numbers or field offsets; presumably a client
    * checks the daemon's version (struct winbindd_response has a
    * data.interface_version member) before relying on anything else -
    * confirm in the client library. */
64 #define WINBIND_INTERFACE_VERSION 30
65
66 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
67    On a 64bit Linux box, we have to support a constant structure size
68    between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
69    The easiest way to do this is to always use 8byte values for time_t. */
70
   /* Textual macro rather than a typedef.  int64_t has to be made available
    * by the including file (normally through <stdint.h>). */
71 #define SMB_TIME_T int64_t
72
73 /* Socket commands */
74
75 enum winbindd_cmd {
           /* Command codes carried in winbindd_request.cmd and .original_cmd.
            * No enumerator has an explicit value, so each code is simply its
            * position in this list: adding or removing an entry anywhere but
            * directly before WINBINDD_NUM_CMDS renumbers every later command.
            * WINBINDD_NUM_CMDS is the count of commands, not a command.
            * NOTE(review): cmd is written by the socket peer; a receiver
            * should presumably reject anything outside
            * 0 .. WINBINDD_NUM_CMDS - 1 before using it to pick a handler -
            * confirm in the daemon's dispatch code. */
76
77         WINBINDD_INTERFACE_VERSION,    /* Always a well known value */
78
79         /* Get users and groups */
80
81         WINBINDD_GETPWNAM,
82         WINBINDD_GETPWUID,
83         WINBINDD_GETPWSID,
84         WINBINDD_GETGRNAM,
85         WINBINDD_GETGRGID,
86         WINBINDD_GETGROUPS,
87
88         /* Enumerate users and groups */
89
90         WINBINDD_SETPWENT,
91         WINBINDD_ENDPWENT,
92         WINBINDD_GETPWENT,
93         WINBINDD_SETGRENT,
94         WINBINDD_ENDGRENT,
95         WINBINDD_GETGRENT,
96
97         /* PAM authenticate and password change */
98
99         WINBINDD_PAM_AUTH,
100         WINBINDD_PAM_AUTH_CRAP,
101         WINBINDD_PAM_CHAUTHTOK,
102         WINBINDD_PAM_LOGOFF,
103         WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
104
105         /* List various things */
106
107         WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
108         WINBINDD_LIST_GROUPS,        /* Ditto */
109         WINBINDD_LIST_TRUSTDOM,
110
111         /* SID conversion */
112
113         WINBINDD_LOOKUPSID,
114         WINBINDD_LOOKUPNAME,
115         WINBINDD_LOOKUPRIDS,
116         WINBINDD_LOOKUPSIDS,
117
118         /* Lookup functions */
119
120         WINBINDD_SIDS_TO_XIDS,
121         WINBINDD_XIDS_TO_SIDS,
122
123         WINBINDD_ALLOCATE_UID,
124         WINBINDD_ALLOCATE_GID,
125
126         /* Miscellaneous other stuff */
127
128         WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
129         WINBINDD_CHANGE_MACHACC,    /* Change machine account pw */
130         WINBINDD_PING_DC,           /* Ping the DC through NETLOGON */
131         WINBINDD_PING,              /* Just tell me winbind is running */
132         WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
133         WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
134
135         WINBINDD_DOMAIN_INFO,   /* Most of what we know from
136                                    struct winbindd_domain */
137         WINBINDD_GETDCNAME,     /* Issue a GetDCName Request */
138         WINBINDD_DSGETDCNAME,   /* Issue a DsGetDCName Request */
139         WINBINDD_DC_INFO,       /* Which DC are we connected to? */
140
141         WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
142
143         /* WINS commands */
144
145         WINBINDD_WINS_BYIP,
146         WINBINDD_WINS_BYNAME,
147
148         /* this is like GETGRENT but gives an empty group list */
149         WINBINDD_GETGRLST,
150
151         WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
152
153         /* find the location of our privileged pipe */
154         WINBINDD_PRIV_PIPE_DIR,
155
156         /* return a list of group sids for a user sid */
157         WINBINDD_GETUSERSIDS,
158
159         /* Various group queries */
160         WINBINDD_GETUSERDOMGROUPS,
161
162         /* lookup local groups */
163         WINBINDD_GETSIDALIASES,
164
165         /* Initialize connection in a child */
166         WINBINDD_INIT_CONNECTION,
167
168         /* Blocking calls that are not allowed on the main winbind pipe, only
169          * between parent and children */
            /* NOTE(review): the restriction above exists here only as a
             * comment.  These codes share the number space of the client
             * commands, so the refusal of WINBINDD_INIT_CONNECTION and the
             * WINBINDD_DUAL_* codes from ordinary clients has to be enforced
             * by the daemon - confirm where that check is made. */
170         WINBINDD_DUAL_SID2UID,
171         WINBINDD_DUAL_SID2GID,
172         WINBINDD_DUAL_SIDS2XIDS,
173         WINBINDD_DUAL_UID2SID,
174         WINBINDD_DUAL_GID2SID,
175
176         /* Wrapper around possibly blocking unix nss calls */
177         WINBINDD_DUAL_USERINFO,
178         WINBINDD_DUAL_GETSIDALIASES,
179
180         WINBINDD_DUAL_NDRCMD,
181
182         /* Complete the challenge phase of the NTLM authentication
183            protocol using cached password. */
184         WINBINDD_CCACHE_NTLMAUTH,
185         WINBINDD_CCACHE_SAVE,
186
187         WINBINDD_NUM_CMDS
188 };
189
190 typedef struct winbindd_pw {
            /* Fixed-size passwd-style record; it is the 'pw' member of the
             * data union in struct winbindd_response (getpwnam, getpwuid).
             * Every string is an fstring, i.e. a 256-byte array with no
             * length field, so an over-long value cannot be represented.
             * uid_t and gid_t take their width from the platform headers of
             * the including file.
             * NOTE(review): a consumer should presumably verify that each
             * string is terminated inside its array before copying it into
             * a struct passwd - confirm in the NSS module. */
191         fstring pw_name;
192         fstring pw_passwd;
193         uid_t pw_uid;
194         gid_t pw_gid;
195         fstring pw_gecos;
196         fstring pw_dir;
197         fstring pw_shell;
198 } WINBINDD_PW;
199
200
201 typedef struct winbindd_gr {
            /* Fixed-size group record; it is the 'gr' member of the data
             * union in struct winbindd_response (getgrnam, getgrgid).  The
             * member list is not stored here: num_gr_mem gives a count and
             * gr_mem_ofs an offset to it.
             * NOTE(review): the offset presumably points into the
             * variable-length extra data of the response; a consumer should
             * check that gr_mem_ofs and the num_gr_mem entries it refers to
             * lie inside the data actually received - confirm in the client
             * code. */
202         fstring gr_name;
203         fstring gr_passwd;
204         gid_t gr_gid;
205         uint32_t num_gr_mem;
206         uint32_t gr_mem_ofs;   /* offset to group membership */
207 } WINBINDD_GR;
208
209 /* Request flags */
    /* Single-bit values, each a distinct power of two, meant to be OR-ed
     * into one 32-bit flag word.
     * NOTE(review): presumably that word is winbindd_request.wb_flags
     * ("generic flags") - confirm.  The word is written by the sender, so
     * every bit is sender-controlled unless the receiver masks it. */
210 #define WBFLAG_PAM_INFO3_NDR            0x00000001
211 #define WBFLAG_PAM_INFO3_TEXT           0x00000002
212 #define WBFLAG_PAM_USER_SESSION_KEY     0x00000004
213 #define WBFLAG_PAM_LMKEY                0x00000008
214 #define WBFLAG_PAM_CONTACT_TRUSTDOM     0x00000010
215 #define WBFLAG_QUERY_ONLY               0x00000020      /* not used */
216 #define WBFLAG_PAM_AUTH_PAC             0x00000040
217 #define WBFLAG_PAM_UNIX_NAME            0x00000080
218 #define WBFLAG_PAM_AFS_TOKEN            0x00000100
219 #define WBFLAG_PAM_NT_STATUS_SQUASH     0x00000200
220 /* This is a flag that can only be sent from parent to child */
    /* NOTE(review): marked "not used".  If it is ever honoured, the receiver
     * must not accept it from an ordinary client: nothing in the wire format
     * distinguishes a bit set by the parent from one set by a client. */
221 #define WBFLAG_IS_PRIVILEGED            0x00000400      /* not used */
222 /* Flag to say this is a winbindd internal send - don't recurse. */
223 #define WBFLAG_RECURSE                  0x00000800
224 #define WBFLAG_PAM_KRB5                 0x00001000
225 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5  0x00002000
226 #define WBFLAG_PAM_CACHED_LOGIN         0x00004000
227 #define WBFLAG_PAM_GET_PWD_POLICY       0x00008000
228 /* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
229  * extra_data field */
230 #define WBFLAG_BIG_NTLMV2_BLOB          0x00010000
231
    /* 128 KiB (131072 bytes).
     * NOTE(review): presumably the largest extra_len a receiver accepts; the
     * length should be compared with this limit before memory is allocated
     * or data is read for it - confirm in the receiving code. */
232 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
233
234 /* Winbind request structure */
235
236 /*******************************************************************************
237  * This structure MUST be the same size in the 32bit and 64bit builds
238  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
239  *
240  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
241  * A 64BIT WINBINDD    --jerry
242  ******************************************************************************/
243
244 struct winbindd_request {
            /* Request record for winbindd.  cmd selects which member of the
             * data union is meaningful.  Every field - length, pid, both flag
             * words and all *_len members included - is written by the
             * sender, so a receiver has to treat the whole record as
             * untrusted input.  The layout falls under the 32-bit/64-bit
             * size rule stated in the banner above this structure. */
            /* NOTE(review): presumably the sender's idea of the record size;
             * check how the receiver validates it. */
245         uint32_t length;
246         enum winbindd_cmd cmd;   /* Winbindd command to execute */
247         enum winbindd_cmd original_cmd;   /* Original Winbindd command
248                                              issued to parent process */
            /* NOTE(review): self-reported by the sender; presumably not
             * usable as proof of identity, for which the peer credentials of
             * the socket would be the source - confirm. */
249         pid_t pid;               /* pid of calling process */
250         uint32_t wb_flags;       /* generic flags */
251         uint32_t flags;          /* flags relevant *only* to a given request */
252         fstring domain_name;    /* name of domain for which the request applies */
253
254         union {
255                 fstring winsreq;     /* WINS request */
256                 fstring username;    /* getpwnam */
257                 fstring groupname;   /* getgrnam */
258                 uid_t uid;           /* getpwuid, uid_to_sid */
259                 gid_t gid;           /* getgrgid, gid_to_sid */
260                 uint32_t ndrcmd;
261                 struct {
262                         /* We deliberately don't split into domain/user to
263                            avoid having the client know what the separator
264                            character is. */
265                         fstring user;
                            /* NOTE(review): presumably the cleartext
                             * password; memory holding this record should be
                             * wiped once the request is done - confirm. */
266                         fstring pass;
                            /* 1024 bytes here, whereas the member of the
                             * same name in auth_crap is an fstring of 256. */
267                         char require_membership_of_sid[1024];
268                         fstring krb5_cc_type;
269                         uid_t uid;
270                 } auth;              /* pam_winbind auth module */
271                 struct {
272                         uint8_t chal[8];
273                         uint32_t logon_parameters;
274                         fstring user;
275                         fstring domain;
                            /* lm_resp and nt_resp are 256-byte arrays paired
                             * with sender-supplied lengths.
                             * NOTE(review): each length should be checked
                             * against the array size before the array is
                             * read; WBFLAG_BIG_NTLMV2_BLOB exists for blobs
                             * that do not fit - confirm the receiver's
                             * checks. */
276                         fstring lm_resp;
277                         uint32_t lm_resp_len;
278                         fstring nt_resp;
279                         uint32_t nt_resp_len;
280                         fstring workstation;
281                         fstring require_membership_of_sid;
282                 } auth_crap;
283                 struct {
284                     fstring user;
                        /* NOTE(review): presumably cleartext old and new
                         * passwords; wipe after use - confirm. */
285                     fstring oldpass;
286                     fstring newpass;
287                 } chauthtok;         /* pam_winbind passwd module */
288                 struct {
289                         fstring user;
290                         fstring domain;
                            /* Four fixed buffers (516, 16, 516, 16 bytes),
                             * each followed by a 16-bit length written by the
                             * sender.
                             * NOTE(review): every length should be compared
                             * with the size of its buffer before use -
                             * confirm in the receiver. */
291                         uint8_t new_nt_pswd[516];
292                         uint16_t new_nt_pswd_len;
293                         uint8_t old_nt_hash_enc[16];
294                         uint16_t old_nt_hash_enc_len;
295                         uint8_t new_lm_pswd[516];
296                         uint16_t new_lm_pswd_len;
297                         uint8_t old_lm_hash_enc[16];
298                         uint16_t old_lm_hash_enc_len;
299                 } chng_pswd_auth_crap;/* pam_winbind passwd module */
300                 struct {
301                         fstring user;
                            /* NOTE(review): sender-supplied credential cache
                             * name and uid; presumably the daemon has to
                             * check that the cache belongs to this user
                             * before acting on it - confirm. */
302                         fstring krb5ccname;
303                         uid_t uid;
304                 } logoff;              /* pam_winbind session module */
305                 fstring sid;         /* lookupsid, sid_to_[ug]id */
306                 struct {
307                         fstring dom_name;       /* lookupname */
308                         fstring name;
309                 } name;
310                 uint32_t num_entries;  /* getpwent, getgrent */
311                 struct {
312                         fstring username;
313                         fstring groupname;
314                 } acct_mgt;
315                 struct {
316                         bool is_primary;
317                         fstring dcname;
318                 } init_conn;
319                 struct {
320                         fstring sid;
321                         fstring name;
322                 } dual_sid2id;
323                 struct {
324                         fstring sid;
325                         uint32_t type;
326                         uint32_t id;
327                 } dual_idmapset;
328                 bool list_all_domains;
329
330                 struct {
                            /* The first comment after 'user' below describes
                             * this uid member. */
331                         uid_t uid;
332                         fstring user;
333                         /* the effective uid of the client, must be the uid for 'user'.
334                            This is checked by the main daemon, trusted by children. */
335                         /* if the blobs are length zero, then this doesn't
336                            produce an actual challenge response. It merely
337                            succeeds if there are cached credentials available
338                            that could be used. */
                            /* NOTE(review): both lengths describe data held
                             * in extra_data; presumably their sum must not
                             * exceed extra_len - confirm the receiver's
                             * check. */
339                         uint32_t initial_blob_len; /* blobs in extra_data */
340                         uint32_t challenge_blob_len;
341                 } ccache_ntlm_auth;
342                 struct {
343                         uid_t uid;
344                         fstring user;
                            /* NOTE(review): presumably a cleartext password
                             * to be cached; wipe the record after use and
                             * confirm how uid is verified against the
                             * caller. */
345                         fstring pass;
346                 } ccache_save;
347                 struct {
348                         fstring domain_name;
349                         fstring domain_guid;
350                         fstring site_name;
351                         uint32_t flags;
352                 } dsgetdcname;
353
354                 /* padding -- needed to fix alignment between 32bit and 64bit libs.
355                    The size is the sizeof the union without the padding aligned on
356                    an 8 byte boundary.   --jerry */
357
358                 char padding[1800];
359         } data;
            /* Variable-length part.  The union with SMB_TIME_T (int64_t)
             * makes this member at least 8 bytes on every build.  A pointer
             * value that arrived from the peer is an address in the sender's
             * process and must never be dereferenced.
             * NOTE(review): presumably the receiver replaces data with its
             * own buffer of extra_len bytes, after checking extra_len
             * against WINBINDD_MAX_EXTRA_DATA - confirm. */
360         union {
361                 SMB_TIME_T padding;
362                 char *data;
363         } extra_data;
364         uint32_t extra_len;
            /* NOTE(review): purpose is not stated here; the name suggests a
             * terminating byte kept behind the record - confirm. */
365         char null_term;
366 };
367
368 /* Response values */
369
370 enum winbindd_result {
            /* Result code stored in winbindd_response.result.  The values are
             * implicit: WINBINDD_ERROR is 0, WINBINDD_PENDING is 1 and
             * WINBINDD_OK is 2, so a zero-filled response reads as
             * WINBINDD_ERROR rather than as success. */
371         WINBINDD_ERROR,
372         WINBINDD_PENDING,
373         WINBINDD_OK
374 };
375
376 /* Winbind response structure */
377
378 /*******************************************************************************
379  * This structure MUST be the same size in the 32bit and 64bit builds
380  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
381  *
382  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
383  * A 64BIT WINBINDD    --jerry
384  ******************************************************************************/
385
386 struct winbindd_response {
            /* Reply record from winbindd: a header (length, result), a union
             * of fixed-size results and a descriptor for variable-length
             * data.  Which union member is valid depends on the command that
             * was sent; the record does not repeat the command.  The layout
             * falls under the 32-bit/64-bit size rule stated in the banner
             * above this structure. */
387
388         /* Header information */
389
            /* NOTE(review): presumably the size of this structure plus any
             * extra data; a client should check that the value is at least
             * sizeof(struct winbindd_response) and apply an upper bound
             * before allocating from it - confirm in the client library. */
390         uint32_t length;                      /* Length of response */
391         enum winbindd_result result;          /* Result code */
392
393         /* Fixed length return data */
394
395         union {
396                 int interface_version;  /* Try to ensure this is always in the same spot... */
397
398                 fstring winsresp;               /* WINS response */
399
400                 /* getpwnam, getpwuid */
401
402                 struct winbindd_pw pw;
403
404                 /* getgrnam, getgrgid */
405
406                 struct winbindd_gr gr;
407
408                 uint32_t num_entries; /* getpwent, getgrent */
409                 struct winbindd_sid {
410                         fstring sid;        /* lookupname, [ug]id_to_sid */
411                         int type;
412                 } sid;
413                 struct winbindd_name {
414                         fstring dom_name;       /* lookupsid */
415                         fstring name;
416                         int type;
417                 } name;
418                 uid_t uid;          /* sid_to_uid */
419                 gid_t gid;          /* sid_to_gid */
420                 struct winbindd_info {
421                         char winbind_separator;
422                         fstring samba_version;
423                 } info;
424                 fstring domain_name;
425                 fstring netbios_name;
426                 fstring dc_name;
427
428                 struct auth_reply {
                            /* Result of an authentication request.  The
                             * interface history in this file records
                             * 'authoritative' as added in version 29 and
                             * 'validation_level' and 'info6' in version 30. */
429                         uint32_t nt_status;
430                         fstring nt_status_string;
431                         fstring error_string;
432                         int pam_error;
                            /* NOTE(review): key material; memory holding
                             * this record should presumably be wiped after
                             * use and kept out of logs - confirm in the
                             * callers. */
433                         char user_session_key[16];
434                         char first_8_lm_hash[8];
435                         fstring krb5ccname;
436                         uint32_t reject_reason;
437                         uint8_t authoritative;
                            /* One explicit pad byte places the 16-bit
                             * validation_level on an even offset. */
438                         uint8_t padding[1];
439                         uint16_t validation_level;
440                         struct policy_settings {
441                                 uint32_t min_length_password;
442                                 uint32_t password_history;
443                                 uint32_t password_properties;
444                                 uint32_t padding;
445                                 SMB_TIME_T expire;
446                                 SMB_TIME_T min_passwordage;
447                         } policy;
448                         struct info3_text {
449                                 SMB_TIME_T logon_time;
450                                 SMB_TIME_T logoff_time;
451                                 SMB_TIME_T kickoff_time;
452                                 SMB_TIME_T pass_last_set_time;
453                                 SMB_TIME_T pass_can_change_time;
454                                 SMB_TIME_T pass_must_change_time;
455                                 uint32_t logon_count;
456                                 uint32_t bad_pw_count;
457                                 uint32_t user_rid;
458                                 uint32_t group_rid;
459                                 uint32_t num_groups;
460                                 uint32_t user_flgs;
461                                 uint32_t acct_flags;
462                                 uint32_t num_other_sids;
463                                 fstring dom_sid;
464                                 fstring user_name;
465                                 fstring full_name;
466                                 fstring logon_script;
467                                 fstring profile_path;
468                                 fstring home_dir;
469                                 fstring dir_drive;
470                                 fstring logon_srv;
471                                 fstring logon_dom;
472                         } info3;
473                         struct info6_text {
474                                 fstring dns_domainname;
475                                 fstring principal_name;
476                         } info6;
477                         fstring unix_username;
478                 } auth;
479                 struct {
480                         fstring name;
481                         fstring alt_name;
482                         fstring sid;
483                         bool native_mode;
484                         bool active_directory;
485                         bool primary;
486                 } domain_info;
487                 uint32_t sequence_number;
488                 struct {
489                         fstring acct_name;
490                         fstring full_name;
491                         fstring homedir;
492                         fstring shell;
493                         uint32_t primary_gid;
494                         uint32_t group_rid;
495                 } user_info;
496                 struct {
                            /* NOTE(review): session_key is key material
                             * (wipe after use); auth_blob_len describes data
                             * in extra_data and should presumably be checked
                             * against the amount of extra data received -
                             * confirm. */
497                         uint8_t session_key[16];
498                         uint32_t auth_blob_len; /* blob in extra_data */
499                         uint8_t new_spnego;
500                 } ccache_ntlm_auth;
501                 struct {
502                         fstring dc_unc;
503                         fstring dc_address;
504                         uint32_t dc_address_type;
505                         fstring domain_guid;
506                         fstring domain_name;
507                         fstring forest_name;
508                         uint32_t dc_flags;
509                         fstring dc_site_name;
510                         fstring client_site_name;
511                 } dsgetdcname;
512         } data;
513
514         /* Variable length return data */
515
            /* The union with SMB_TIME_T (int64_t) makes this member at least
             * 8 bytes on every build.  A pointer value that arrived from the
             * peer is an address in the sender's process and must never be
             * dereferenced.
             * NOTE(review): presumably the receiver sets data to a buffer it
             * allocated itself for the bytes that follow - confirm. */
516         union {
517                 SMB_TIME_T padding;
518                 void *data;
519         } extra_data;
520 };
521
522 #endif