r17162: Fix typo small typos noticed by Paul Green.
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon for ntdom nss module
5
6    Copyright (C) Tim Potter 2000
7    Copyright (C) Gerald Carter 2006
8    
9    You are free to use this interface definition in any way you see
10    fit, including without restriction, using this header in your own
11    products. You do not need to give any attribution.  
12 */
13
14
15 #ifndef CONST_DISCARD
   /* Cast ptr to `type` by way of a plain void *, dropping any const
      qualifier on the way. Writing through the result is only valid when
      the underlying object was not itself defined const. */
16 #define CONST_DISCARD(type, ptr)      ((type) ((void *) (ptr)))
17 #endif
18
19 #ifndef CONST_ADD
   /* Cast ptr to `type` by way of a const void *. */
20 #define CONST_ADD(type, ptr)          ((type) ((const void *) (ptr)))
21 #endif
22
23 #ifndef SAFE_FREE
   /* free(x) when x is non-NULL, then set x to NULL. x is evaluated more
      than once and is assigned to, so it must be a side-effect-free lvalue.
      The memory is not cleared before it is released: a buffer that held a
      secret has to be wiped by the caller first. */
24 #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
25 #endif
26
27 #ifndef _WINBINDD_NTDOM_H
28 #define _WINBINDD_NTDOM_H
29
30 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
   /* The directory below sits under /tmp, which is normally world-writable,
      so the path by itself says nothing about who created it.
      NOTE(review): code that connects here should check the owner and mode
      of the directory and of the socket before sending anything sensitive
      -- confirm in the client connect path. */
31 #define WINBINDD_SOCKET_DIR  "/tmp/.winbindd"  /* Name of PF_UNIX dir */
32 #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
33 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
34 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
35
36 /* Update this when you change the interface.  */
   /* NOTE(review): presumably the value a peer compares with the
      interface_version member of winbindd_response to detect a client and
      daemon built from different revisions of this header -- confirm. */
37
38 #define WINBIND_INTERFACE_VERSION 16
39
40 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
41    On a 64bit Linux box, we have to support a constant structure size
42    between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
43    The easiest way to do this is to always use 8byte values for time_t. */
44
   /* NOTE(review): defined() only sees preprocessor macros. A build that
      provides uint64 as a typedef, or not at all, takes the #else branch and
      gets the platform time_t, in which case the constant-size guarantee
      described above no longer holds -- confirm how uint64 is provided to
      every user of this header. */
45 #if defined(uint64)
46 #  define SMB_TIME_T uint64
47 #else
48 #  define SMB_TIME_T time_t
49 #endif
50
51 /* Socket commands */
52
53 enum winbindd_cmd {
           /* Command codes carried in winbindd_request.cmd. No enumerator has
              an explicit value, so each code is simply its position in this
              list: inserting, removing or reordering entries changes the
              numbers that already-built clients send.
              NOTE(review): cmd arrives from the peer; the receiver should
              reject any value outside 0 .. WINBINDD_NUM_CMDS-1 before using
              it to select a handler -- confirm in the dispatch code. */
54
55         WINBINDD_INTERFACE_VERSION,    /* Always a well known value */
56
57         /* Get users and groups */
58
59         WINBINDD_GETPWNAM,
60         WINBINDD_GETPWUID,
61         WINBINDD_GETGRNAM,
62         WINBINDD_GETGRGID,
63         WINBINDD_GETGROUPS,
64
65         /* Enumerate users and groups */
66
67         WINBINDD_SETPWENT,
68         WINBINDD_ENDPWENT,
69         WINBINDD_GETPWENT,
70         WINBINDD_SETGRENT,
71         WINBINDD_ENDGRENT,
72         WINBINDD_GETGRENT,
73
74         /* PAM authenticate and password change */
75
76         WINBINDD_PAM_AUTH,
77         WINBINDD_PAM_AUTH_CRAP,      /* challenge/response form; see auth_crap in winbindd_request */
78         WINBINDD_PAM_CHAUTHTOK,
79         WINBINDD_PAM_LOGOFF,
80         WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
81
82         /* List various things */
83
84         WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
85         WINBINDD_LIST_GROUPS,        /* Ditto */
86         WINBINDD_LIST_TRUSTDOM,
87
88         /* SID conversion */
89
90         WINBINDD_LOOKUPSID,
91         WINBINDD_LOOKUPNAME,
92         WINBINDD_LOOKUPRIDS,
93
94         /* Lookup functions */
95
96         WINBINDD_SID_TO_UID,       
97         WINBINDD_SID_TO_GID,
98         WINBINDD_UID_TO_SID,
99         WINBINDD_GID_TO_SID,
100
101         WINBINDD_ALLOCATE_UID,
102         WINBINDD_ALLOCATE_GID,
103
104         /* Miscellaneous other stuff */
105
106         WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
107         WINBINDD_PING,              /* Just tell me winbind is running */
108         WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
109         WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
110
111         WINBINDD_DOMAIN_INFO,   /* Most of what we know from
112                                    struct winbindd_domain */
113         WINBINDD_GETDCNAME,     /* Issue a GetDCName Request */
114
115         WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
116
117         /* WINS commands */
118
119         WINBINDD_WINS_BYIP,
120         WINBINDD_WINS_BYNAME,
121
122         /* this is like GETGRENT but gives an empty group list */
123         WINBINDD_GETGRLST,
124
125         WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
126
127         /* find the location of our privileged pipe */
128         WINBINDD_PRIV_PIPE_DIR,
129
130         /* return a list of group sids for a user sid */
131         WINBINDD_GETUSERSIDS,
132
133         /* Various group queries */
134         WINBINDD_GETUSERDOMGROUPS,
135
136         /* Initialize connection in a child */
137         WINBINDD_INIT_CONNECTION,
138
139         /* Blocking calls that are not allowed on the main winbind pipe, only
140          * between parent and children */
            /* NOTE(review): nothing in this header enforces that restriction;
               the daemon has to refuse these codes (and, presumably,
               WINBINDD_INIT_CONNECTION above) when they arrive from an
               ordinary client connection -- confirm in the dispatch code. */
141         WINBINDD_DUAL_SID2UID,
142         WINBINDD_DUAL_SID2GID,
143         WINBINDD_DUAL_IDMAPSET,
144
145         /* Wrapper around possibly blocking unix nss calls */
146         WINBINDD_DUAL_UID2NAME,
147         WINBINDD_DUAL_NAME2UID,
148         WINBINDD_DUAL_GID2NAME,
149         WINBINDD_DUAL_NAME2GID,
150
151         WINBINDD_DUAL_USERINFO,
152         WINBINDD_DUAL_GETSIDALIASES,
153
154         WINBINDD_NUM_CMDS            /* count of the commands above; not itself a command */
155 };
156
157 typedef struct winbindd_pw {
            /* Password-database entry returned in winbindd_response.data.pw
               (getpwnam, getpwuid). fstring is not declared in this header.
               NOTE(review): presumably a fixed-size char array; a reader
               should not assume the peer NUL-terminated each field --
               confirm. */
158         fstring pw_name;
159         fstring pw_passwd;
160         uid_t pw_uid;
161         gid_t pw_gid;
162         fstring pw_gecos;
163         fstring pw_dir;
164         fstring pw_shell;
165 } WINBINDD_PW;
166
167
168 typedef struct winbindd_gr {
            /* Group-database entry returned in winbindd_response.data.gr
               (getgrnam, getgrgid). */
169         fstring gr_name;
170         fstring gr_passwd;
171         gid_t gr_gid;
172         uint32 num_gr_mem;   /* NOTE(review): presumably the member count; peer-supplied, so bound it before looping or allocating */
173         uint32 gr_mem_ofs;   /* offset to group membership */
            /* NOTE(review): the buffer this offset indexes is not named here
               (presumably the response's extra data); whoever applies it
               should check it against the length of that buffer -- confirm. */
174 } WINBINDD_GR;
175
176
177 #define WBFLAG_PAM_INFO3_NDR            0x0001
    /* Bit values for the `flags` member of winbindd_request. 0x0040 is not
       assigned in this list. */
178 #define WBFLAG_PAM_INFO3_TEXT           0x0002
179 #define WBFLAG_PAM_USER_SESSION_KEY     0x0004
180 #define WBFLAG_PAM_LMKEY                0x0008
181 #define WBFLAG_PAM_CONTACT_TRUSTDOM     0x0010
182 #define WBFLAG_QUERY_ONLY               0x0020
183 #define WBFLAG_PAM_UNIX_NAME            0x0080
184 #define WBFLAG_PAM_AFS_TOKEN            0x0100
185 #define WBFLAG_PAM_NT_STATUS_SQUASH     0x0200
186
187 /* This is a flag that can only be sent from parent to child */
    /* NOTE(review): `flags` is an ordinary field of the request, so a client
       can set this bit as easily as any other. The "parent to child only"
       rule holds only if the daemon clears or rejects the bit on requests
       read from a client connection -- confirm where that happens. */
188 #define WBFLAG_IS_PRIVILEGED            0x0400
189 /* Flag to say this is a winbindd internal send - don't recurse. */
190 #define WBFLAG_RECURSE                  0x0800
191
192 #define WBFLAG_PAM_KRB5                 0x1000
193 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5  0x2000
194 #define WBFLAG_PAM_CACHED_LOGIN         0x4000
195 #define WBFLAG_PAM_GET_PWD_POLICY       0x8000
196
    /* 128 KiB. NOTE(review): presumably the upper bound for
       winbindd_request.extra_len; confirm the receiver compares extra_len
       with it before allocating or reading the extra data. */
197 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
198
199 /* Winbind request structure */
200
201 /*******************************************************************************
202  * This structure MUST be the same size in the 32bit and 64bit builds
203  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
204  * 
205  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
206  * A 64BIT WINBINDD    --jerry
207  ******************************************************************************/
208
209 struct winbindd_request {
            /* Request handed to winbindd. `cmd` selects which member of the
               `data` union is meaningful (the trailing comments name the
               commands). Every field is written by the sending process, so
               the receiver has to treat all of them as unvalidated input.
               fstring and BOOL are not declared in this header. */
210         uint32 length;           /* NOTE(review): presumably sizeof this struct as seen by the sender; receiver should compare it with its own sizeof -- confirm */
211         enum winbindd_cmd cmd;   /* Winbindd command to execute */
212         pid_t pid;               /* pid of calling process */
            /* NOTE(review): pid is whatever the caller wrote; it identifies
               nothing unless checked against the socket's peer credentials. */
213         uint32 flags;            /* flags relevant to a given request */
214         fstring domain_name;    /* name of domain for which the request applies */
215
216         union {
217                 fstring winsreq;     /* WINS request */
218                 fstring username;    /* getpwnam */
219                 fstring groupname;   /* getgrnam */
220                 uid_t uid;           /* getpwuid, uid_to_sid */
221                 gid_t gid;           /* getgrgid, gid_to_sid */
222                 struct {
223                         /* We deliberately don't split into domain/user to
224                            avoid having the client know what the separator
225                            character is. */     
226                         fstring user;
227                         fstring pass;    /* presumably the cleartext password -- wipe copies once the request is handled */
228                         fstring require_membership_of_sid;
229                         fstring krb5_cc_type;
230                         uid_t uid;
231                 } auth;              /* pam_winbind auth module */
232                 struct {
233                         unsigned char chal[8];
234                         uint32 logon_parameters;
235                         fstring user;
236                         fstring domain;
237                         fstring lm_resp;
238                         uint32 lm_resp_len;   /* peer-supplied; NOTE(review): must not exceed sizeof lm_resp -- confirm the receiver checks */
239                         fstring nt_resp;
240                         uint32 nt_resp_len;   /* peer-supplied; NOTE(review): must not exceed sizeof nt_resp -- confirm the receiver checks */
241                         fstring workstation;
242                         fstring require_membership_of_sid;
243                 } auth_crap;
244                 struct {
245                     fstring user;
246                     fstring oldpass;     /* presumably cleartext, like auth.pass */
247                     fstring newpass;     /* presumably cleartext, like auth.pass */
248                 } chauthtok;         /* pam_winbind passwd module */
249                 struct {
                            /* Each *_len below is peer-supplied.
                               NOTE(review): the receiver should verify it
                               against the size of the array declared just
                               before it (516 or 16) before copying. */
250                         fstring user;
251                         fstring domain;
252                         unsigned char new_nt_pswd[516];
253                         uint16  new_nt_pswd_len;
254                         unsigned char old_nt_hash_enc[16];
255                         uint16  old_nt_hash_enc_len;
256                         unsigned char new_lm_pswd[516];
257                         uint16  new_lm_pswd_len;
258                         unsigned char old_lm_hash_enc[16];
259                         uint16  old_lm_hash_enc_len;
260                 } chng_pswd_auth_crap;/* pam_winbind passwd module */
261                 struct {
262                         fstring user;
263                         fstring krb5ccname;
264                         uid_t uid;
265                 } logoff;              /* pam_winbind session module */
266                 fstring sid;         /* lookupsid, sid_to_[ug]id */
267                 struct {
268                         fstring dom_name;       /* lookupname */
269                         fstring name;       
270                 } name;
271                 uint32 num_entries;  /* getpwent, getgrent */
272                 struct {
273                         fstring username;
274                         fstring groupname;
275                 } acct_mgt;
276                 struct {
277                         BOOL is_primary;
278                         fstring dcname;
279                 } init_conn;
280                 struct {
281                         fstring sid;
282                         fstring name;
283                         BOOL alloc;
284                 } dual_sid2id;
285                 struct {
286                         int type;
287                         uid_t uid;
288                         gid_t gid;
289                         fstring sid;
290                 } dual_idmapset;
291                 BOOL list_all_domains;
292
293                 /* padding -- needed to fix alignment between 32bit and 64bit libs.
294                    The size is the sizeof the union without the padding, aligned on 
295                    an 8 byte boundary.   --jerry */
296
297                 char padding[1560];
298         } data;
299         union {
                    /* `padding` gives this union the size of SMB_TIME_T, so
                       the slot does not shrink where pointers are narrower.
                       A pointer value written by another process means
                       nothing in the reader's address space.
                       NOTE(review): the receiver should overwrite `data`
                       with its own buffer and never dereference the value
                       that came in -- confirm. */
300                 SMB_TIME_T padding;
301                 char *data;
302         } extra_data;
303         uint32 extra_len;        /* peer-supplied; NOTE(review): presumably bounded by WINBINDD_MAX_EXTRA_DATA -- confirm the check */
304         char null_term;
305 };
306
307 /* Response values */
308
309 enum winbindd_result {
            /* Result code carried in winbindd_response.result. Values are
               positional, so WINBINDD_ERROR is 0: a zero-filled response
               reads as an error, not as success. */
310         WINBINDD_ERROR,
311         WINBINDD_PENDING,
312         WINBINDD_OK
313 };
314
315 /* Winbind response structure */
316
317 /*******************************************************************************
318  * This structure MUST be the same size in the 32bit and 64bit builds
319  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
320  * 
321  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
322  * A 64BIT WINBINDD    --jerry
323  ******************************************************************************/
324
325 struct winbindd_response {
            /* Reply to a winbindd_request. Which member of the `data` union
               is meaningful depends on the command that was sent (the
               trailing comments name the commands). fstring and BOOL are not
               declared in this header. */
326     
327         /* Header information */
328
329         uint32 length;                        /* Length of response */
            /* NOTE(review): written by the peer; presumably sizeof this
               struct plus any variable-length data. A reader should reject a
               value smaller than the struct and cap it before allocating --
               confirm in the client read path. */
330         enum winbindd_result result;          /* Result code */
331
332         /* Fixed length return data */
333         
334         union {
335                 int interface_version;  /* Try to ensure this is always in the same spot... */
336                 
337                 fstring winsresp;               /* WINS response */
338
339                 /* getpwnam, getpwuid */
340                 
341                 struct winbindd_pw pw;
342
343                 /* getgrnam, getgrgid */
344
345                 struct winbindd_gr gr;
346
347                 uint32 num_entries; /* getpwent, getgrent */
348                 struct winbindd_sid {
349                         fstring sid;        /* lookupname, [ug]id_to_sid */
350                         int type;
351                 } sid;
352                 struct winbindd_name {
353                         fstring dom_name;       /* lookupsid */
354                         fstring name;       
355                         int type;
356                 } name;
357                 uid_t uid;          /* sid_to_uid */
358                 gid_t gid;          /* sid_to_gid */
359                 struct winbindd_info {
360                         char winbind_separator;
361                         fstring samba_version;
362                 } info;
363                 fstring domain_name;
364                 fstring netbios_name;
365                 fstring dc_name;
366
367                 struct auth_reply {
368                         uint32 nt_status;
369                         fstring nt_status_string;
370                         fstring error_string;
371                         int pam_error;
372                         char user_session_key[16];   /* key material -- NOTE(review): presumably filled when WBFLAG_PAM_USER_SESSION_KEY is set; wipe after use */
373                         char first_8_lm_hash[8];     /* hash-derived material -- NOTE(review): presumably filled when WBFLAG_PAM_LMKEY is set; wipe after use */
374                         fstring krb5ccname;
375                         uint32 reject_reason;
376                         uint32 padding;
377                         struct policy_settings {
378                                 uint32 min_length_password;
379                                 uint32 password_history;
380                                 uint32 password_properties;
381                                 uint32 padding;
382                                 SMB_TIME_T expire;
383                                 SMB_TIME_T min_passwordage;
384                         } policy;
385                         struct info3_text {
386                                 SMB_TIME_T logon_time;
387                                 SMB_TIME_T logoff_time;
388                                 SMB_TIME_T kickoff_time;
389                                 SMB_TIME_T pass_last_set_time;
390                                 SMB_TIME_T pass_can_change_time;
391                                 SMB_TIME_T pass_must_change_time;
392                                 uint32 logon_count;
393                                 uint32 bad_pw_count;
394                                 uint32 user_rid;
395                                 uint32 group_rid;
396                                 uint32 num_groups;
397                                 uint32 user_flgs;
398                                 uint32 acct_flags;
399                                 uint32 num_other_sids;
400                                 fstring dom_sid;
401                                 fstring user_name;
402                                 fstring full_name;
403                                 fstring logon_script;
404                                 fstring profile_path;
405                                 fstring home_dir;
406                                 fstring dir_drive;
407                                 fstring logon_srv;
408                                 fstring logon_dom;
409                         } info3;
410                 } auth;
411                 struct {
412                         fstring name;
413                         fstring alt_name;
414                         fstring sid;
415                         BOOL native_mode;
416                         BOOL active_directory;
417                         BOOL primary;
418                         uint32 sequence_number;
419                 } domain_info;
420                 struct {
421                         fstring acct_name;
422                         fstring full_name;
423                         fstring homedir;
424                         fstring shell;
425                         uint32 group_rid;
426                 } user_info;
427         } data;
428
429         /* Variable length return data */
430
431         union {
                    /* `padding` gives this union the size of SMB_TIME_T. A
                       pointer value written by the sending process means
                       nothing in the reader's address space.
                       NOTE(review): the reader should set `data` to a buffer
                       it allocated itself and never follow the value that
                       arrived in the struct -- confirm. */
432                 SMB_TIME_T padding;
433                 void *data;
434         } extra_data;
435 };
436
437 struct WINBINDD_CCACHE_ENTRY {
            /* One credential-cache record; records are chained through
               next/prev. Unlike the request and response structs above, this
               one holds pointers and platform time_t values.
               NOTE(review): presumably daemon-internal and never written to
               the socket -- confirm. */
438         const char *principal_name;
439         const char *ccname;
440         const char *service;
441         const char *username;
442         const char *sid_string;
443         char *pass;
            /* NOTE(review): the only non-const string here; presumably the
               user's password kept for ticket refresh (see refresh_tgt).
               SAFE_FREE in this header releases memory without clearing it,
               so this buffer should be wiped before the entry is freed --
               confirm in the code that destroys entries. */
444         uid_t uid;
445         time_t create_time;
446         time_t renew_until;
447         BOOL refresh_tgt;
448         time_t refresh_time;
449         struct timed_event *event;
450         struct WINBINDD_CCACHE_ENTRY *next, *prev;
451 };
452
453 #endif