1 /*
2   header for ads (active directory) library routines
3
4   basically this is a wrapper around ldap
5 */
6
/*
 * Which LDAP schema supplies the POSIX account attributes (uid/gid number,
 * home directory, shell, gecos).  Presumably the value picked here decides
 * the attribute names stored in ADS_STRUCT.schema.
 */
enum wb_posix_mapping {
        WB_POSIX_MAP_UNKNOWN    = -1,   /* not determined (yet) */
        WB_POSIX_MAP_TEMPLATE   = 0,    /* no directory attributes; template values are used instead, presumably */
        WB_POSIX_MAP_SFU        = 1,    /* Services for Unix schema (see ADS_ATTR_SFU_*) */
        WB_POSIX_MAP_RFC2307    = 2,    /* RFC 2307 schema (see ADS_ATTR_RFC2307_*) */
        WB_POSIX_MAP_UNIXINFO   = 3     /* "UnixInfo" style attributes */
};
14
/*
 * One connection to an Active Directory domain controller plus everything
 * needed to (re)establish and authenticate it.  The sub-structs group the
 * data by where it comes from: configuration, credentials, the server's
 * own answers, and its schema.
 */
typedef struct {
        void *ld; /* the active ldap structure (presumably an LDAP *; kept void so this header needs no ldap.h) */
        struct in_addr ldap_ip; /* the ip of the active connection, if any (IPv4 only) */
        time_t last_attempt; /* last attempt to reconnect; presumably throttled by ADS_RECONNECT_TIME */
        int ldap_port; /* port of the active connection */

        int is_mine;    /* do I own this structure's memory? (non-zero: freed together with the struct) */

        /* info needed to find the server */
        struct {
                char *realm; /* realm / AD domain to locate */
                char *workgroup; /* NetBIOS domain name */
                char *ldap_server; /* explicit DC to use, when configured or already found */
                int foreign; /* set to 1 if connecting to a foreign realm */
        } server;

        /* info needed to authenticate */
        struct {
                char *realm; /* realm the credentials belong to */
                char *password; /* password for user_name, presumably cleartext: secret material — NOTE(review): confirm it is wiped before the struct is freed */
                char *user_name; /* account / principal to bind as */
                char *kdc_server; /* KDC to contact, when one was chosen explicitly */
                unsigned flags; /* bind method selection; presumably the ADS_AUTH_* bits below */
                int time_offset; /* clock offset against the KDC — TODO confirm units (seconds?) */
                time_t expire; /* ticket expiry obtained at bind, presumably */
                time_t renewable; /* ticket renew-until time, presumably */
        } auth;

        /* info derived from the servers config */
        struct {
                uint32 flags; /* cldap flags identifying the services (presumably the ADS_PINGS / ADS_DNS_* bits below) */
                char *realm; /* realm as reported by the DC */
                char *bind_path; /* base DN used for searches, presumably the domain DN */
                char *ldap_server_name; /* the DC's own name as it reported it */
                time_t current_time; /* the DC's clock at the time its config was read */
        } config;

        /* info derived from the servers schema */
        struct {
                enum wb_posix_mapping map_type; /* which schema supplies the POSIX attributes */
                char *posix_homedir_attr; /* attribute names resolved for map_type; presumably NULL until probed */
                char *posix_shell_attr;
                char *posix_uidnumber_attr;
                char *posix_gidnumber_attr;
                char *posix_gecos_attr;
        } schema;

} ADS_STRUCT;
63
/* there are 5 possible types of errors the ads subsystem can produce;
 * the type says which table ADS_STATUS.err must be interpreted against */
enum ads_error_type {ENUM_ADS_ERROR_KRB5, ENUM_ADS_ERROR_GSS, 
                     ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT};
67
/*
 * Result of an ads_* call: an error class plus the class-specific code.
 * Construct with the ADS_ERROR_* macros and test with ADS_ERR_OK(), which
 * treats err.rc == 0 as success for every class except ENUM_ADS_ERROR_NT,
 * where err.nt_status is consulted instead.
 */
typedef struct {
        enum ads_error_type error_type;  /* selects which member of err is valid */
        union err_state{                
                int rc;                  /* code for the KRB5, GSS, LDAP and SYSTEM classes */
                NTSTATUS nt_status;      /* code for the NT class only */
        } err;
        /* For error_type == ENUM_ADS_ERROR_GSS, minor_status holds the GSS-API
         * minor status, while err.rc holds the GSS-API major status */
        int minor_status;
} ADS_STATUS;
78
/*
 * Modification list handed to the LDAP add/modify calls: an array of
 * LDAPMod pointers when built against an LDAP library (NULL-terminated,
 * as that API expects), otherwise an opaque placeholder so the rest of the
 * header still compiles.
 */
#ifdef HAVE_ADS
typedef LDAPMod **ADS_MODLIST;
#else
typedef void **ADS_MODLIST;
#endif
84
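/* macros to simplify error returning */
/*
 * Each macro builds an ADS_STATUS of the named error class.  Every argument
 * is parenthesised so an expression argument keeps its own grouping.  Note
 * that ADS_ERROR_SYSTEM evaluates its argument twice: pass a plain variable
 * or errno, not a call with side effects.
 */
#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc)
#define ADS_ERROR_LDAP(rc) ads_build_error(ENUM_ADS_ERROR_LDAP, (rc), 0)
/* ADS_ERR_OK reads rc == 0 as success, so a zero system error is mapped to EINVAL */
#define ADS_ERROR_SYSTEM(rc) ads_build_error(ENUM_ADS_ERROR_SYSTEM, ((rc) ? (rc) : EINVAL), 0)
#define ADS_ERROR_KRB5(rc) ads_build_error(ENUM_ADS_ERROR_KRB5, (rc), 0)
#define ADS_ERROR_GSS(rc, minor) ads_build_error(ENUM_ADS_ERROR_GSS, (rc), (minor))
#define ADS_ERROR_NT(rc) ads_build_nt_error(ENUM_ADS_ERROR_NT, (rc))

/* true when status carries no error: NT_STATUS_IS_OK for the NT class, rc == 0 otherwise.
 * status is an ADS_STATUS value (not a pointer); it is parenthesised so that
 * e.g. ADS_ERR_OK(*p) works. */
#define ADS_ERR_OK(status) (((status).error_type == ENUM_ADS_ERROR_NT) ? NT_STATUS_IS_OK((status).err.nt_status) : ((status).err.rc == 0))
#define ADS_SUCCESS ADS_ERROR(0)

/* return LDAP_NO_MEMORY from the enclosing function when x is NULL / zero */
#define ADS_ERROR_HAVE_NO_MEMORY(x) do { \
        if (!(x)) {\
                return ADS_ERROR(LDAP_NO_MEMORY);\
        }\
} while (0)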
101
102
/* time between reconnect attempts; presumably seconds, compared against
 * ADS_STRUCT.last_attempt (a time_t) */
#define ADS_RECONNECT_TIME 5
105
/* ldap control oids: request controls understood by AD, presumably passed
 * through ads_control or the ldap control API */
#define ADS_PAGE_CTL_OID        "1.2.840.113556.1.4.319"  /* paged results */
#define ADS_NO_REFERRALS_OID    "1.2.840.113556.1.4.1339" /* domain scope: suppress referrals */
#define ADS_SERVER_SORT_OID     "1.2.840.113556.1.4.473"  /* server-side sort */
#define ADS_PERMIT_MODIFY_OID   "1.2.840.113556.1.4.1413" /* permissive modify: tolerate adding an existing or deleting a missing value */
#define ADS_ASQ_OID             "1.2.840.113556.1.4.1504" /* attribute scoped query */
#define ADS_EXTENDED_DN_OID     "1.2.840.113556.1.4.529"  /* extended DN; its value is presumably one of ads_extended_dn_flags */
113
/* ldap attribute oids (Services for Unix): the POSIX attributes in the SFU
 * schema, looked up by OID so the local attribute names can be resolved at
 * runtime — presumably into ADS_STRUCT.schema */
#define ADS_ATTR_SFU_UIDNUMBER_OID      "1.2.840.113556.1.6.18.1.310"
#define ADS_ATTR_SFU_GIDNUMBER_OID      "1.2.840.113556.1.6.18.1.311"
#define ADS_ATTR_SFU_HOMEDIR_OID        "1.2.840.113556.1.6.18.1.344"
#define ADS_ATTR_SFU_SHELL_OID          "1.2.840.113556.1.6.18.1.312"
#define ADS_ATTR_SFU_GECOS_OID          "1.2.840.113556.1.6.18.1.337"

/* ldap attribute oids (RFC2307): the same five attributes from the
 * posixAccount schema */
#define ADS_ATTR_RFC2307_UIDNUMBER_OID  "1.3.6.1.1.1.1.0"
#define ADS_ATTR_RFC2307_GIDNUMBER_OID  "1.3.6.1.1.1.1.1"
#define ADS_ATTR_RFC2307_HOMEDIR_OID    "1.3.6.1.1.1.1.3"
#define ADS_ATTR_RFC2307_SHELL_OID      "1.3.6.1.1.1.1.4"
#define ADS_ATTR_RFC2307_GECOS_OID      "1.3.6.1.1.1.1.2"
127
/* ldap bitwise searches: extensible-match rules for filtering on bitmask
 * attributes such as userAccountControl (filter form attr:OID:=value) */
#define ADS_LDAP_MATCHING_RULE_BIT_AND  "1.2.840.113556.1.4.803" /* all bits of value set */
#define ADS_LDAP_MATCHING_RULE_BIT_OR   "1.2.840.113556.1.4.804" /* any bit of value set */
131
/* UserFlags for userAccountControl (a 32-bit bitmask attribute).  The bits
 * annotated below are the ones worth auditing on a domain, since each
 * weakens or widens what the account can do. */
#define UF_SCRIPT                               0x00000001
#define UF_ACCOUNTDISABLE                       0x00000002 /* account disabled */
#define UF_UNUSED_1                             0x00000004
#define UF_HOMEDIR_REQUIRED                     0x00000008

#define UF_LOCKOUT                              0x00000010
#define UF_PASSWD_NOTREQD                       0x00000020 /* empty password permitted */
#define UF_PASSWD_CANT_CHANGE                   0x00000040
#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED      0x00000080 /* password may be stored with reversible encryption */

#define UF_TEMP_DUPLICATE_ACCOUNT               0x00000100
#define UF_NORMAL_ACCOUNT                       0x00000200 /* ordinary user account */
#define UF_UNUSED_2                             0x00000400
#define UF_INTERDOMAIN_TRUST_ACCOUNT            0x00000800 /* trust account for another domain */

#define UF_WORKSTATION_TRUST_ACCOUNT            0x00001000 /* machine account */
#define UF_SERVER_TRUST_ACCOUNT                 0x00002000 /* domain controller account */
#define UF_UNUSED_3                             0x00004000
#define UF_UNUSED_4                             0x00008000

#define UF_DONT_EXPIRE_PASSWD                   0x00010000
#define UF_MNS_LOGON_ACCOUNT                    0x00020000
#define UF_SMARTCARD_REQUIRED                   0x00040000 /* interactive logon needs a smart card */
#define UF_TRUSTED_FOR_DELEGATION               0x00080000 /* unconstrained Kerberos delegation: a high-privilege setting */

#define UF_NOT_DELEGATED                        0x00100000 /* sensitive account: its credentials may not be delegated */
#define UF_USE_DES_KEY_ONLY                     0x00200000 /* restricts Kerberos keys to DES, which is weak */
#define UF_DONT_REQUIRE_PREAUTH                 0x00400000 /* no Kerberos pre-authentication: leaves the password open to offline guessing */
#define UF_PASSWORD_EXPIRED                     0x00800000

#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 /* constrained delegation with protocol transition */
#define UF_NO_AUTH_DATA_REQUIRED                0x02000000
#define UF_UNUSED_8                             0x04000000
#define UF_UNUSED_9                             0x08000000

#define UF_UNUSED_10                            0x10000000
#define UF_UNUSED_11                            0x20000000
#define UF_UNUSED_12                            0x40000000
#define UF_UNUSED_13                            0x80000000 /* note: an unsigned int literal */
172
/* the three kinds of trust (machine) account */
#define UF_MACHINE_ACCOUNT_MASK (\
                UF_INTERDOMAIN_TRUST_ACCOUNT |\
                UF_WORKSTATION_TRUST_ACCOUNT |\
                UF_SERVER_TRUST_ACCOUNT \
                )

/* every bit that says what kind of account this is */
#define UF_ACCOUNT_TYPE_MASK (\
                UF_TEMP_DUPLICATE_ACCOUNT |\
                UF_NORMAL_ACCOUNT |\
                UF_INTERDOMAIN_TRUST_ACCOUNT |\
                UF_WORKSTATION_TRUST_ACCOUNT |\
                UF_SERVER_TRUST_ACCOUNT \
                )

/* bits a caller is allowed to write into userAccountControl.  Deliberately
 * absent: UF_PASSWORD_EXPIRED, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION,
 * UF_NO_AUTH_DATA_REQUIRED and all UF_UNUSED_* bits, so they cannot be set
 * through this mask. */
#define UF_SETTABLE_BITS (\
                UF_SCRIPT |\
                UF_ACCOUNTDISABLE |\
                UF_HOMEDIR_REQUIRED  |\
                UF_LOCKOUT |\
                UF_PASSWD_NOTREQD |\
                UF_PASSWD_CANT_CHANGE |\
                UF_ACCOUNT_TYPE_MASK | \
                UF_DONT_EXPIRE_PASSWD | \
                UF_MNS_LOGON_ACCOUNT |\
                UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED |\
                UF_SMARTCARD_REQUIRED |\
                UF_TRUSTED_FOR_DELEGATION |\
                UF_NOT_DELEGATED |\
                UF_USE_DES_KEY_ONLY  |\
                UF_DONT_REQUIRE_PREAUTH \
                )
204
/* sAMAccountType: the high nibble gives the object class (0x3 user, 0x1
 * global group, 0x2 local group) and the low bit distinguishes the
 * security-enabled variant (0) from the distribution / trust one (1).
 * Decimal values in the comments are what the attribute shows as. */
#define ATYPE_NORMAL_ACCOUNT                    0x30000000 /* 805306368 */
#define ATYPE_WORKSTATION_TRUST                 0x30000001 /* 805306369 */
#define ATYPE_INTERDOMAIN_TRUST                 0x30000002 /* 805306370 */ 
#define ATYPE_SECURITY_GLOBAL_GROUP             0x10000000 /* 268435456 */
#define ATYPE_DISTRIBUTION_GLOBAL_GROUP         0x10000001 /* 268435457 */
/* note: shares its value with the global distribution group */
#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP      ATYPE_DISTRIBUTION_GLOBAL_GROUP
#define ATYPE_SECURITY_LOCAL_GROUP              0x20000000 /* 536870912 */
#define ATYPE_DISTRIBUTION_LOCAL_GROUP          0x20000001 /* 536870913 */

/* short aliases for the security-enabled variants */
#define ATYPE_ACCOUNT           ATYPE_NORMAL_ACCOUNT            /* 0x30000000 805306368 */
#define ATYPE_GLOBAL_GROUP      ATYPE_SECURITY_GLOBAL_GROUP     /* 0x10000000 268435456 */
#define ATYPE_LOCAL_GROUP       ATYPE_SECURITY_LOCAL_GROUP      /* 0x20000000 536870912 */
218
/* groupType: a bitmask.  GROUP_TYPE_SECURITY_ENABLED separates security
 * groups (usable in ACLs) from distribution groups; the negative decimals in
 * the comments below are the values as AD presents them, presumably because
 * the attribute is a signed 32-bit integer. */
#define GROUP_TYPE_BUILTIN_LOCAL_GROUP          0x00000001
#define GROUP_TYPE_ACCOUNT_GROUP                0x00000002 /* global group */
#define GROUP_TYPE_RESOURCE_GROUP               0x00000004 /* domain local group */
#define GROUP_TYPE_UNIVERSAL_GROUP              0x00000008
#define GROUP_TYPE_APP_BASIC_GROUP              0x00000010
#define GROUP_TYPE_APP_QUERY_GROUP              0x00000020
#define GROUP_TYPE_SECURITY_ENABLED             0x80000000 /* unsigned int literal */

/* composite values; no security-enabled universal group is defined here */
#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP (    /* 0x80000005 -2147483643 */ \
                GROUP_TYPE_BUILTIN_LOCAL_GROUP| \
                GROUP_TYPE_RESOURCE_GROUP| \
                GROUP_TYPE_SECURITY_ENABLED \
                )
#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP (     /* 0x80000004 -2147483644 */ \
                GROUP_TYPE_RESOURCE_GROUP| \
                GROUP_TYPE_SECURITY_ENABLED \
                )
#define GTYPE_SECURITY_GLOBAL_GROUP (           /* 0x80000002 -2147483646 */ \
                GROUP_TYPE_ACCOUNT_GROUP| \
                GROUP_TYPE_SECURITY_ENABLED \
                )
/* distribution groups: the same scope bits without GROUP_TYPE_SECURITY_ENABLED */
#define GTYPE_DISTRIBUTION_GLOBAL_GROUP         0x00000002      /* 2 */
#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP   0x00000004      /* 4 */
#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP      0x00000008      /* 8 */
244
/* bits of the CLDAP netlogon ping reply (presumably what ADS_STRUCT.config.flags holds) */
#define ADS_PINGS          0x0000FFFF  /* Ping response: the service bits */
#define ADS_DNS_CONTROLLER 0x20000000  /* DomainControllerName is a DNS name*/
#define ADS_DNS_DOMAIN     0x40000000  /* DomainName is a DNS name */
#define ADS_DNS_FOREST     0x80000000  /* DnsForestName is a DNS name */

/* DomainControllerAddressType: how the DC address in the reply is encoded */
#define ADS_INET_ADDRESS      0x00000001 /* IP address */
#define ADS_NETBIOS_ADDRESS   0x00000002 /* NetBIOS name */
253
254
/* ads auth control flags (presumably the bits of ADS_STRUCT.auth.flags);
 * they select how the LDAP bind is performed */
#define ADS_AUTH_DISABLE_KERBEROS 0x01 /* do not attempt a Kerberos bind */
#define ADS_AUTH_NO_BIND          0x02 /* connect but perform no bind at all */
#define ADS_AUTH_ANON_BIND        0x04 /* anonymous bind: no credentials presented */
#define ADS_AUTH_SIMPLE_BIND      0x08 /* LDAP simple bind: the password travels in the bind request, so it needs a protected transport */
#define ADS_AUTH_ALLOW_NTLMSSP    0x10 /* allow an NTLMSSP bind, presumably as the fallback when Kerberos is unavailable */
261
/* Kerberos environment variable names */
/* credential cache location honoured by the Kerberos library.  Its value
 * comes from the process environment, so it selects where tickets are read
 * from and written to; never let an untrusted caller supply it. */
#define KRB5_ENV_CCNAME "KRB5CCNAME"
264
/* Heimdal uses a slightly different name for the RC4-HMAC enctype; map it
 * so the rest of the code can use the MIT spelling */
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
#endif

/* The older versions of heimdal that don't have this
   define don't seem to use it anyway.  I'm told they
   always use a subkey.  Defining it as 0 makes it a no-op
   when OR'ed into the AP options. */
#ifndef HAVE_AP_OPTS_USE_SUBKEY
#define AP_OPTS_USE_SUBKEY 0
#endif
276
/* well-known GUIDs of the default Computers and Users containers, written as
 * plain hex without braces or dashes; presumably used to build
 * <WKGUID=...,DC=...> style DNs so the containers can be found regardless
 * of their name in a given domain */
#define WELL_KNOWN_GUID_COMPUTERS       "AA312825768811D1ADED00C04FD8D5CD" 
#define WELL_KNOWN_GUID_USERS           "A9D1CA15768811D1ADED00C04FD8D5CD"
279
/* Kerberos address type for NetBIOS addresses, for libraries that lack it */
#ifndef KRB5_ADDR_NETBIOS
#define KRB5_ADDR_NETBIOS 0x14
#endif

/* KRB_ERR_RESPONSE_TOO_BIG: the KDC reply does not fit in a UDP datagram and
 * the request should be retried over TCP; defined here for libraries that
 * lack it (value is in the standard krb5 error-table range) */
#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
#endif
287
#ifdef HAVE_KRB5
/*
 * Portable holder for a Kerberos address list: MIT represents it as an
 * array of krb5_address pointers, Heimdal as a single krb5_addresses
 * object, so callers use this wrapper instead of either raw type.  Any
 * other library is a build error.
 */
typedef struct {
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
        krb5_address **addrs;
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
        krb5_addresses *addrs;
#else
#error UNKNOWN_KRB5_ADDRESS_TYPE
#endif
} smb_krb5_addresses;
#endif
299
/* value sent with the extended DN control (ADS_EXTENDED_DN_OID): selects
 * how the GUID/SID in the returned DN is formatted */
enum ads_extended_dn_flags {
        ADS_EXTENDED_DN_HEX_STRING      = 0,    /* hex encoding; works on every server */
        ADS_EXTENDED_DN_STRING          = 1 /* not supported on win2k */
};
304
/* this is probably not very well suited to pass other controls generically but
 * is good enough for the extended dn control, which is the only user at the moment */

/*
 * One LDAP request control: its OID, an integer payload, and whether it is
 * critical, i.e. the server must refuse the operation rather than silently
 * ignore a control it does not understand.
 */
typedef struct {
        const char *control;    /* control OID, e.g. ADS_EXTENDED_DN_OID */
        int val;                /* control-specific integer value (an ads_extended_dn_flags for the extended DN control) */
        int critical;           /* non-zero marks the control critical */
} ads_control;