source3/nsswitch/winbind_struct_protocol.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind daemon for ntdom nss module
   5
   6    Copyright (C) Tim Potter 2000
   7    Copyright (C) Gerald Carter 2006
   8
   9    You are free to use this interface definition in any way you see
  10    fit, including without restriction, using this header in your own
  11    products. You do not need to give any attribution.
  12 */
  13
  14 #ifndef SAFE_FREE
  15 #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
  16 #endif
  17
  18 #ifndef _WINBINDD_NTDOM_H
  19 #define _WINBINDD_NTDOM_H
  20
  21 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
  22
  23 /* Let the build environment override the public winbindd socket location. This
  24  * is needed for launchd support -- jpeach.
  25  */
  26 #ifndef WINBINDD_SOCKET_DIR
  27 #define WINBINDD_SOCKET_DIR  "/tmp/.winbindd"  /* Name of PF_UNIX dir */
  28 #endif
  29
  30 /*
  31  * when compiled with socket_wrapper support
  32  * the location of the WINBINDD_SOCKET_DIR
  33  * can be overwritten via an environment variable
  34  */
  35 #define WINBINDD_SOCKET_DIR_ENVVAR "WINBINDD_SOCKET_DIR"
  36
  37 #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
  38 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
  39 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
  40 #define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
  41
  42 /* Update this when you change the interface.  */
  43
  44 #define WINBIND_INTERFACE_VERSION 19
  45
  46 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
  47    On a 64bit Linux box, we have to support a constant structure size
  48    between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
  49    The easiest way to do this is to always use 8byte values for time_t. */
  50
  51 #define SMB_TIME_T int64_t
  52
  53 /* Socket commands */
  54
  55 enum winbindd_cmd {
  56
  57         WINBINDD_INTERFACE_VERSION,    /* Always a well known value */
  58
  59         /* Get users and groups */
  60
  61         WINBINDD_GETPWNAM,
  62         WINBINDD_GETPWUID,
  63         WINBINDD_GETGRNAM,
  64         WINBINDD_GETGRGID,
  65         WINBINDD_GETGROUPS,
  66
  67         /* Enumerate users and groups */
  68
  69         WINBINDD_SETPWENT,
  70         WINBINDD_ENDPWENT,
  71         WINBINDD_GETPWENT,
  72         WINBINDD_SETGRENT,
  73         WINBINDD_ENDGRENT,
  74         WINBINDD_GETGRENT,
  75
  76         /* PAM authenticate and password change */
  77
  78         WINBINDD_PAM_AUTH,
  79         WINBINDD_PAM_AUTH_CRAP,
  80         WINBINDD_PAM_CHAUTHTOK,
  81         WINBINDD_PAM_LOGOFF,
  82         WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
  83
  84         /* List various things */
  85
  86         WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
  87         WINBINDD_LIST_GROUPS,        /* Ditto */
  88         WINBINDD_LIST_TRUSTDOM,
  89
  90         /* SID conversion */
  91
  92         WINBINDD_LOOKUPSID,
  93         WINBINDD_LOOKUPNAME,
  94         WINBINDD_LOOKUPRIDS,
  95
  96         /* Lookup functions */
  97
  98         WINBINDD_SID_TO_UID,
  99         WINBINDD_SID_TO_GID,
 100         WINBINDD_SIDS_TO_XIDS,
 101         WINBINDD_UID_TO_SID,
 102         WINBINDD_GID_TO_SID,
 103
 104         WINBINDD_ALLOCATE_UID,
 105         WINBINDD_ALLOCATE_GID,
 106         WINBINDD_SET_MAPPING,
 107         WINBINDD_SET_HWM,
 108
 109         /* Miscellaneous other stuff */
 110
 111         WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
 112         WINBINDD_PING,              /* Just tell me winbind is running */
 113         WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
 114         WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
 115
 116         WINBINDD_DOMAIN_INFO,   /* Most of what we know from
 117                                    struct winbindd_domain */
 118         WINBINDD_GETDCNAME,     /* Issue a GetDCName Request */
 119         WINBINDD_DSGETDCNAME,   /* Issue a DsGetDCName Request */
 120
 121         WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
 122
 123         /* WINS commands */
 124
 125         WINBINDD_WINS_BYIP,
 126         WINBINDD_WINS_BYNAME,
 127
 128         /* this is like GETGRENT but gives an empty group list */
 129         WINBINDD_GETGRLST,
 130
 131         WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
 132
 133         /* find the location of our privileged pipe */
 134         WINBINDD_PRIV_PIPE_DIR,
 135
 136         /* return a list of group sids for a user sid */
 137         WINBINDD_GETUSERSIDS,
 138
 139         /* Various group queries */
 140         WINBINDD_GETUSERDOMGROUPS,
 141
 142         /* Initialize connection in a child */
 143         WINBINDD_INIT_CONNECTION,
 144
 145         /* Blocking calls that are not allowed on the main winbind pipe, only
 146          * between parent and children */
 147         WINBINDD_DUAL_SID2UID,
 148         WINBINDD_DUAL_SID2GID,
 149         WINBINDD_DUAL_SIDS2XIDS,
 150         WINBINDD_DUAL_UID2SID,
 151         WINBINDD_DUAL_GID2SID,
 152         WINBINDD_DUAL_SET_MAPPING,
 153         WINBINDD_DUAL_SET_HWM,
 154
 155         /* Wrapper around possibly blocking unix nss calls */
 156         WINBINDD_DUAL_USERINFO,
 157         WINBINDD_DUAL_GETSIDALIASES,
 158
 159         /* Complete the challenge phase of the NTLM authentication
 160            protocol using cached password. */
 161         WINBINDD_CCACHE_NTLMAUTH,
 162
 163         WINBINDD_NUM_CMDS
 164 };
 165
 166 typedef struct winbindd_pw {
 167         fstring pw_name;
 168         fstring pw_passwd;
 169         uid_t pw_uid;
 170         gid_t pw_gid;
 171         fstring pw_gecos;
 172         fstring pw_dir;
 173         fstring pw_shell;
 174 } WINBINDD_PW;
 175
 176
 177 typedef struct winbindd_gr {
 178         fstring gr_name;
 179         fstring gr_passwd;
 180         gid_t gr_gid;
 181         uint32_t num_gr_mem;
 182         uint32_t gr_mem_ofs;   /* offset to group membership */
 183 } WINBINDD_GR;
 184
 185 /* PAM specific request flags */
 186 #define WBFLAG_PAM_INFO3_NDR            0x00000001
 187 #define WBFLAG_PAM_INFO3_TEXT           0x00000002
 188 #define WBFLAG_PAM_USER_SESSION_KEY     0x00000004
 189 #define WBFLAG_PAM_LMKEY                0x00000008
 190 #define WBFLAG_PAM_CONTACT_TRUSTDOM     0x00000010
 191 #define WBFLAG_PAM_UNIX_NAME            0x00000080
 192 #define WBFLAG_PAM_AFS_TOKEN            0x00000100
 193 #define WBFLAG_PAM_NT_STATUS_SQUASH     0x00000200
 194 #define WBFLAG_PAM_KRB5                 0x00001000
 195 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5  0x00002000
 196 #define WBFLAG_PAM_CACHED_LOGIN         0x00004000
 197 #define WBFLAG_PAM_GET_PWD_POLICY       0x00008000
 198
 199 /* generic request flags */
 200 #define WBFLAG_QUERY_ONLY               0x00000020      /* not used */
 201 /* This is a flag that can only be sent from parent to child */
 202 #define WBFLAG_IS_PRIVILEGED            0x00000400      /* not used */
 203 /* Flag to say this is a winbindd internal send - don't recurse. */
 204 #define WBFLAG_RECURSE                  0x00000800
 205 /* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
 206  * extra_data field */
 207 #define WBFLAG_BIG_NTLMV2_BLOB          0x00010000
 208
 209 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
 210
 211 /* Winbind request structure */
 212
 213 /*******************************************************************************
 214  * This structure MUST be the same size in the 32bit and 64bit builds
 215  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
 216  *
 217  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 218  * A 64BIT WINBINDD    --jerry
 219  ******************************************************************************/
 220
 221 struct winbindd_request {
 222         uint32_t length;
 223         enum winbindd_cmd cmd;   /* Winbindd command to execute */
 224         enum winbindd_cmd original_cmd;   /* Original Winbindd command
 225                                              issued to parent process */
 226         pid_t pid;               /* pid of calling process */
 227         uint32_t wb_flags;       /* generic flags */
 228         uint32_t flags;          /* flags relevant *only* to a given request */
 229         fstring domain_name;    /* name of domain for which the request applies */
 230
 231         union {
 232                 fstring winsreq;     /* WINS request */
 233                 fstring username;    /* getpwnam */
 234                 fstring groupname;   /* getgrnam */
 235                 uid_t uid;           /* getpwuid, uid_to_sid */
 236                 gid_t gid;           /* getgrgid, gid_to_sid */
 237                 struct {
 238                         /* We deliberatedly don't split into domain/user to
 239                            avoid having the client know what the separator
 240                            character is. */
 241                         fstring user;
 242                         fstring pass;
 243                         char require_membership_of_sid[1024];
 244                         fstring krb5_cc_type;
 245                         uid_t uid;
 246                 } auth;              /* pam_winbind auth module */
 247                 struct {
 248                         uint8_t chal[8];
 249                         uint32_t logon_parameters;
 250                         fstring user;
 251                         fstring domain;
 252                         fstring lm_resp;
 253                         uint32_t lm_resp_len;
 254                         fstring nt_resp;
 255                         uint32_t nt_resp_len;
 256                         fstring workstation;
 257                         fstring require_membership_of_sid;
 258                 } auth_crap;
 259                 struct {
 260                     fstring user;
 261                     fstring oldpass;
 262                     fstring newpass;
 263                 } chauthtok;         /* pam_winbind passwd module */
 264                 struct {
 265                         fstring user;
 266                         fstring domain;
 267                         uint8_t new_nt_pswd[516];
 268                         uint16_t new_nt_pswd_len;
 269                         uint8_t old_nt_hash_enc[16];
 270                         uint16_t old_nt_hash_enc_len;
 271                         uint8_t new_lm_pswd[516];
 272                         uint16_t new_lm_pswd_len;
 273                         uint8_t old_lm_hash_enc[16];
 274                         uint16_t old_lm_hash_enc_len;
 275                 } chng_pswd_auth_crap;/* pam_winbind passwd module */
 276                 struct {
 277                         fstring user;
 278                         fstring krb5ccname;
 279                         uid_t uid;
 280                 } logoff;              /* pam_winbind session module */
 281                 fstring sid;         /* lookupsid, sid_to_[ug]id */
 282                 struct {
 283                         fstring dom_name;       /* lookupname */
 284                         fstring name;
 285                 } name;
 286                 uint32_t num_entries;  /* getpwent, getgrent */
 287                 struct {
 288                         fstring username;
 289                         fstring groupname;
 290                 } acct_mgt;
 291                 struct {
 292                         bool is_primary;
 293                         fstring dcname;
 294                 } init_conn;
 295                 struct {
 296                         fstring sid;
 297                         fstring name;
 298                 } dual_sid2id;
 299                 struct {
 300                         fstring sid;
 301                         uint32_t type;
 302                         uint32_t id;
 303                 } dual_idmapset;
 304                 bool list_all_domains;
 305
 306                 struct {
 307                         uid_t uid;
 308                         fstring user;
 309                         /* the effective uid of the client, must be the uid for 'user'.
 310                            This is checked by the main daemon, trusted by children. */
 311                         /* if the blobs are length zero, then this doesn't
 312                            produce an actual challenge response. It merely
 313                            succeeds if there are cached credentials available
 314                            that could be used. */
 315                         uint32_t initial_blob_len; /* blobs in extra_data */
 316                         uint32_t challenge_blob_len;
 317                 } ccache_ntlm_auth;
 318                 struct {
 319                         fstring domain_name;
 320                         fstring domain_guid;
 321                         fstring site_name;
 322                         uint32_t flags;
 323                 } dsgetdcname;
 324
 325                 /* padding -- needed to fix alignment between 32bit and 64bit libs.
 326                    The size is the sizeof the union without the padding aligned on
 327                    an 8 byte boundary.   --jerry */
 328
 329                 char padding[1800];
 330         } data;
 331         union {
 332                 SMB_TIME_T padding;
 333                 char *data;
 334         } extra_data;
 335         uint32_t extra_len;
 336         char null_term;
 337 };
 338
 339 /* Response values */
 340
 341 enum winbindd_result {
 342         WINBINDD_ERROR,
 343         WINBINDD_PENDING,
 344         WINBINDD_OK
 345 };
 346
 347 /* Winbind response structure */
 348
 349 /*******************************************************************************
 350  * This structure MUST be the same size in the 32bit and 64bit builds
 351  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
 352  *
 353  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 354  * A 64BIT WINBINDD    --jerry
 355  ******************************************************************************/
 356
 357 struct winbindd_response {
 358
 359         /* Header information */
 360
 361         uint32_t length;                      /* Length of response */
 362         enum winbindd_result result;          /* Result code */
 363
 364         /* Fixed length return data */
 365
 366         union {
 367                 int interface_version;  /* Try to ensure this is always in the same spot... */
 368
 369                 fstring winsresp;               /* WINS response */
 370
 371                 /* getpwnam, getpwuid */
 372
 373                 struct winbindd_pw pw;
 374
 375                 /* getgrnam, getgrgid */
 376
 377                 struct winbindd_gr gr;
 378
 379                 uint32_t num_entries; /* getpwent, getgrent */
 380                 struct winbindd_sid {
 381                         fstring sid;        /* lookupname, [ug]id_to_sid */
 382                         int type;
 383                 } sid;
 384                 struct winbindd_name {
 385                         fstring dom_name;       /* lookupsid */
 386                         fstring name;
 387                         int type;
 388                 } name;
 389                 uid_t uid;          /* sid_to_uid */
 390                 gid_t gid;          /* sid_to_gid */
 391                 struct winbindd_info {
 392                         char winbind_separator;
 393                         fstring samba_version;
 394                 } info;
 395                 fstring domain_name;
 396                 fstring netbios_name;
 397                 fstring dc_name;
 398
 399                 struct auth_reply {
 400                         uint32_t nt_status;
 401                         fstring nt_status_string;
 402                         fstring error_string;
 403                         int pam_error;
 404                         char user_session_key[16];
 405                         char first_8_lm_hash[8];
 406                         fstring krb5ccname;
 407                         uint32_t reject_reason;
 408                         uint32_t padding;
 409                         struct policy_settings {
 410                                 uint32_t min_length_password;
 411                                 uint32_t password_history;
 412                                 uint32_t password_properties;
 413                                 uint32_t padding;
 414                                 SMB_TIME_T expire;
 415                                 SMB_TIME_T min_passwordage;
 416                         } policy;
 417                         struct info3_text {
 418                                 SMB_TIME_T logon_time;
 419                                 SMB_TIME_T logoff_time;
 420                                 SMB_TIME_T kickoff_time;
 421                                 SMB_TIME_T pass_last_set_time;
 422                                 SMB_TIME_T pass_can_change_time;
 423                                 SMB_TIME_T pass_must_change_time;
 424                                 uint32_t logon_count;
 425                                 uint32_t bad_pw_count;
 426                                 uint32_t user_rid;
 427                                 uint32_t group_rid;
 428                                 uint32_t num_groups;
 429                                 uint32_t user_flgs;
 430                                 uint32_t acct_flags;
 431                                 uint32_t num_other_sids;
 432                                 fstring dom_sid;
 433                                 fstring user_name;
 434                                 fstring full_name;
 435                                 fstring logon_script;
 436                                 fstring profile_path;
 437                                 fstring home_dir;
 438                                 fstring dir_drive;
 439                                 fstring logon_srv;
 440                                 fstring logon_dom;
 441                         } info3;
 442                         fstring unix_username;
 443                 } auth;
 444                 struct {
 445                         fstring name;
 446                         fstring alt_name;
 447                         fstring sid;
 448                         bool native_mode;
 449                         bool active_directory;
 450                         bool primary;
 451                 } domain_info;
 452                 uint32_t sequence_number;
 453                 struct {
 454                         fstring acct_name;
 455                         fstring full_name;
 456                         fstring homedir;
 457                         fstring shell;
 458                         uint32_t primary_gid;
 459                         uint32_t group_rid;
 460                 } user_info;
 461                 struct {
 462                         uint32_t auth_blob_len; /* blob in extra_data */
 463                 } ccache_ntlm_auth;
 464                 struct {
 465                         fstring dc_unc;
 466                         fstring dc_address;
 467                         uint32_t dc_address_type;
 468                         fstring domain_guid;
 469                         fstring domain_name;
 470                         fstring forest_name;
 471                         uint32_t dc_flags;
 472                         fstring dc_site_name;
 473                         fstring client_site_name;
 474                 } dsgetdcname;
 475         } data;
 476
 477         /* Variable length return data */
 478
 479         union {
 480                 SMB_TIME_T padding;
 481                 void *data;
 482         } extra_data;
 483 };
 484
 485 struct WINBINDD_MEMORY_CREDS {
 486         struct WINBINDD_MEMORY_CREDS *next, *prev;
 487         const char *username; /* lookup key. */
 488         uid_t uid;
 489         int ref_count;
 490         size_t len;
 491         uint8_t *nt_hash; /* Base pointer for the following 2 */
 492         uint8_t *lm_hash;
 493         char *pass;
 494 };
 495
 496 struct WINBINDD_CCACHE_ENTRY {
 497         struct WINBINDD_CCACHE_ENTRY *next, *prev;
 498         const char *principal_name;
 499         const char *ccname;
 500         const char *service;
 501         const char *username;
 502         const char *realm;
 503         struct WINBINDD_MEMORY_CREDS *cred_ptr;
 504         int ref_count;
 505         uid_t uid;
 506         time_t create_time;
 507         time_t renew_until;
 508         time_t refresh_time;
 509         struct timed_event *event;
 510 };
 511
 512 #endif