LCOV - code coverage report
Current view: top level - nsswitch - winbind_struct_protocol.h (source / functions) Hit Total Coverage
Test: coverage report for master 2f515e9b Lines: 4 4 100.0 %
Date: 2024-04-21 15:09:00 Functions: 1 1 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Winbind daemon for ntdom nss module
       5             : 
       6             :    Copyright (C) Tim Potter 2000
       7             :    Copyright (C) Gerald Carter 2006
       8             : 
       9             :    You are free to use this interface definition in any way you see
      10             :    fit, including without restriction, using this header in your own
      11             :    products. You do not need to give any attribution.
      12             : */
      13             : 
      14             : #ifndef SAFE_FREE
      15             : #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
      16             : #endif
      17             : 
      18             : #ifndef FSTRING_LEN
      19             : #define FSTRING_LEN 256
      20             : typedef char fstring[FSTRING_LEN];
      21             : #endif
      22             : 
      23             : #ifndef _WINBINDD_NTDOM_H
      24             : #define _WINBINDD_NTDOM_H
      25             : 
      26             : #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
      27             : 
      28             : /* We let the build environment set the public winbindd socket
      29             :  * location. Therefore we no longer set
      30             :  *
      31             :  * #define WINBINDD_SOCKET_DIR "/tmp/.winbindd"
      32             :  *
      33             :  * A number of different distributions set different paths, and so it
      34             :  * needs to come from configure in Samba.  External users of this header will
      35             :  * need to know where the path is on their system by some other
      36             :  * mechanism.
      37             :  */
      38             : 
      39             : #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lock_directory() to hold the 'privileged' pipe */
      40             : #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
      41             : #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
      42             : #define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
      43             : 
      44             : /* Update this when you change the interface.
      45             :  * 21: added WINBINDD_GETPWSID
      46             :  *     added WINBINDD_GETSIDALIASES
      47             :  * 22: added WINBINDD_PING_DC
      48             :  * 23: added session_key to ccache_ntlm_auth response
      49             :  *     added WINBINDD_CCACHE_SAVE
      50             :  * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
      51             :  * 25: removed WINBINDD_SET_HWM
      52             :  *     removed WINBINDD_SET_MAPPING
      53             :  *     removed WINBINDD_REMOVE_MAPPING
      54             :  * 26: added WINBINDD_DC_INFO
      55             :  * 27: added WINBINDD_LOOKUPSIDS
      56             :  * 28: added WINBINDD_XIDS_TO_SIDS
      57             :  *     removed WINBINDD_SID_TO_UID
      58             :  *     removed WINBINDD_SID_TO_GID
      59             :  *     removed WINBINDD_GID_TO_SID
      60             :  *     removed WINBINDD_UID_TO_SID
      61             :  * 29: added "authoritative" to response.data.auth
      62             :  * 30: added "validation_level" and "info6" to response.data.auth
      63             :  * 31: added "client_name" to the request
      64             :  * 32: added "traceid" to the request
      65             :  *     removed WINBINDD_INIT_CONNECTION
      66             :  */
      67             : #define WINBIND_INTERFACE_VERSION 32
      68             : 
      69             : /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
      70             :    On a 64bit Linux box, we have to support a constant structure size
      71             :    between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
      72             :    The easiest way to do this is to always use 8byte values for time_t. */
      73             : 
      74             : #define SMB_TIME_T int64_t
      75             : 
      76             : /* Socket commands */
      77             : 
      78             : enum winbindd_cmd {
      79             : 
      80             :         WINBINDD_INTERFACE_VERSION,    /* Always a well known value */
      81             : 
      82             :         /* Get users and groups */
      83             : 
      84             :         WINBINDD_GETPWNAM,
      85             :         WINBINDD_GETPWUID,
      86             :         WINBINDD_GETPWSID,
      87             :         WINBINDD_GETGRNAM,
      88             :         WINBINDD_GETGRGID,
      89             :         WINBINDD_GETGROUPS,
      90             : 
      91             :         /* Enumerate users and groups */
      92             : 
      93             :         WINBINDD_SETPWENT,
      94             :         WINBINDD_ENDPWENT,
      95             :         WINBINDD_GETPWENT,
      96             :         WINBINDD_SETGRENT,
      97             :         WINBINDD_ENDGRENT,
      98             :         WINBINDD_GETGRENT,
      99             : 
     100             :         /* PAM authenticate and password change */
     101             : 
     102             :         WINBINDD_PAM_AUTH,
     103             :         WINBINDD_PAM_AUTH_CRAP,
     104             :         WINBINDD_PAM_CHAUTHTOK,
     105             :         WINBINDD_PAM_LOGOFF,
     106             :         WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
     107             : 
     108             :         /* List various things */
     109             : 
     110             :         WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
     111             :         WINBINDD_LIST_GROUPS,        /* Ditto */
     112             :         WINBINDD_LIST_TRUSTDOM,
     113             : 
     114             :         /* SID conversion */
     115             : 
     116             :         WINBINDD_LOOKUPSID,
     117             :         WINBINDD_LOOKUPNAME,
     118             :         WINBINDD_LOOKUPRIDS,
     119             :         WINBINDD_LOOKUPSIDS,
     120             : 
     121             :         /* Lookup functions */
     122             : 
     123             :         WINBINDD_SIDS_TO_XIDS,
     124             :         WINBINDD_XIDS_TO_SIDS,
     125             : 
     126             :         WINBINDD_ALLOCATE_UID,
     127             :         WINBINDD_ALLOCATE_GID,
     128             : 
     129             :         /* Miscellaneous other stuff */
     130             : 
     131             :         WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
     132             :         WINBINDD_CHANGE_MACHACC,    /* Change machine account pw */
     133             :         WINBINDD_PING_DC,           /* Ping the DC through NETLOGON */
     134             :         WINBINDD_PING,              /* Just tell me winbind is running */
     135             :         WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
     136             :         WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
     137             : 
     138             :         WINBINDD_DOMAIN_INFO,   /* Most of what we know from
     139             :                                    struct winbindd_domain */
     140             :         WINBINDD_GETDCNAME,     /* Issue a GetDCName Request */
     141             :         WINBINDD_DSGETDCNAME,   /* Issue a DsGetDCName Request */
     142             :         WINBINDD_DC_INFO,       /* Which DC are we connected to? */
     143             : 
     144             :         WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
     145             : 
     146             :         /* WINS commands */
     147             : 
     148             :         WINBINDD_WINS_BYIP,
     149             :         WINBINDD_WINS_BYNAME,
     150             : 
     151             :         /* this is like GETGRENT but gives an empty group list */
     152             :         WINBINDD_GETGRLST,
     153             : 
     154             :         WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
     155             : 
     156             :         /* find the location of our privileged pipe */
     157             :         WINBINDD_PRIV_PIPE_DIR,
     158             : 
     159             :         /* return a list of group sids for a user sid */
     160             :         WINBINDD_GETUSERSIDS,
     161             : 
     162             :         /* Various group queries */
     163             :         WINBINDD_GETUSERDOMGROUPS,
     164             : 
     165             :         /* lookup local groups */
     166             :         WINBINDD_GETSIDALIASES,
     167             : 
     168             :         /* Blocking calls that are not allowed on the main winbind pipe, only
     169             :          * between parent and children */
     170             :         WINBINDD_DUAL_SID2UID,
     171             :         WINBINDD_DUAL_SID2GID,
     172             :         WINBINDD_DUAL_SIDS2XIDS,
     173             :         WINBINDD_DUAL_UID2SID,
     174             :         WINBINDD_DUAL_GID2SID,
     175             : 
     176             :         /* Wrapper around possibly blocking unix nss calls */
     177             :         WINBINDD_DUAL_USERINFO,
     178             :         WINBINDD_DUAL_GETSIDALIASES,
     179             : 
     180             :         WINBINDD_DUAL_NDRCMD,
     181             : 
     182             :         /* Complete the challenge phase of the NTLM authentication
     183             :            protocol using cached password. */
     184             :         WINBINDD_CCACHE_NTLMAUTH,
     185             :         WINBINDD_CCACHE_SAVE,
     186             : 
     187             :         WINBINDD_NUM_CMDS
     188             : };
     189             : 
     190             : typedef struct winbindd_pw {
     191             :         fstring pw_name;
     192             :         fstring pw_passwd;
     193             :         uid_t pw_uid;
     194             :         gid_t pw_gid;
     195             :         fstring pw_gecos;
     196             :         fstring pw_dir;
     197             :         fstring pw_shell;
     198             : } WINBINDD_PW;
     199             : 
     200             : 
     201             : typedef struct winbindd_gr {
     202             :         fstring gr_name;
     203             :         fstring gr_passwd;
     204             :         gid_t gr_gid;
     205             :         uint32_t num_gr_mem;
     206             :         uint32_t gr_mem_ofs;   /* offset to group membership */
     207             : } WINBINDD_GR;
     208             : 
     209             : /* Request flags */
     210             : #define WBFLAG_PAM_INFO3_NDR            0x00000001
     211             : #define WBFLAG_PAM_INFO3_TEXT           0x00000002
     212             : #define WBFLAG_PAM_USER_SESSION_KEY     0x00000004
     213             : #define WBFLAG_PAM_LMKEY                0x00000008
     214             : #define WBFLAG_PAM_CONTACT_TRUSTDOM     0x00000010
     215             : #define WBFLAG_QUERY_ONLY               0x00000020      /* not used */
     216             : #define WBFLAG_PAM_AUTH_PAC             0x00000040
     217             : #define WBFLAG_PAM_UNIX_NAME            0x00000080
     218             : #define WBFLAG_PAM_AFS_TOKEN            0x00000100
     219             : #define WBFLAG_PAM_NT_STATUS_SQUASH     0x00000200
     220             : /* This is a flag that can only be sent from parent to child */
     221             : #define WBFLAG_IS_PRIVILEGED            0x00000400      /* not used */
     222             : /* Flag to say this is a winbindd internal send - don't recurse. */
     223             : #define WBFLAG_RECURSE                  0x00000800
     224             : #define WBFLAG_PAM_KRB5                 0x00001000
     225             : #define WBFLAG_PAM_FALLBACK_AFTER_KRB5  0x00002000
     226             : #define WBFLAG_PAM_CACHED_LOGIN         0x00004000
     227             : #define WBFLAG_PAM_GET_PWD_POLICY       0x00008000
     228             : /* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
     229             :  * extra_data field */
     230             : #define WBFLAG_BIG_NTLMV2_BLOB          0x00010000
     231             : #define WBFLAG_FROM_NSS                 0x00020000
     232             : 
     233             : #define WINBINDD_MAX_EXTRA_DATA (128*1024)
     234             : 
     235             : /* Winbind request structure */
     236             : 
     237             : /*******************************************************************************
     238             :  * This structure MUST be the same size in the 32bit and 64bit builds
     239             :  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
     240             :  *
     241             :  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
     242             :  * A 64BIT WINBINDD    --jerry
     243             :  ******************************************************************************/
     244             : 
     245             : struct winbindd_request {
     246             :         uint32_t length;
     247             :         enum winbindd_cmd cmd;   /* Winbindd command to execute */
     248             :         enum winbindd_cmd original_cmd;   /* Original Winbindd command
     249             :                                              issued to parent process */
     250             :         pid_t pid;               /* pid of calling process */
     251             :         uint32_t wb_flags;       /* generic flags */
     252             :         uint32_t flags;          /* flags relevant *only* to a given request */
     253             :         fstring domain_name;    /* name of domain for which the request applies */
     254             :         char client_name[32];   /* The client process sending the request */
     255             :         uint64_t traceid;       /* debug traceid is sent from parent to child */
     256             : 
     257             :         union {
     258             :                 fstring winsreq;     /* WINS request */
     259             :                 fstring username;    /* getpwnam */
     260             :                 fstring groupname;   /* getgrnam */
     261             :                 uid_t uid;           /* getpwuid, uid_to_sid */
     262             :                 gid_t gid;           /* getgrgid, gid_to_sid */
     263             :                 uint32_t ndrcmd;
     264             :                 struct {
     265             :                         /* We deliberately don't split into domain/user to
     266             :                            avoid having the client know what the separator
     267             :                            character is. */
     268             :                         fstring user;
     269             :                         fstring pass;
     270             :                         char require_membership_of_sid[1024];
     271             :                         fstring krb5_cc_type;
     272             :                         uid_t uid;
     273             :                 } auth;              /* pam_winbind auth module */
     274             :                 struct {
     275             :                         uint8_t chal[8];
     276             :                         uint32_t logon_parameters;
     277             :                         fstring user;
     278             :                         fstring domain;
     279             :                         fstring lm_resp;
     280             :                         uint32_t lm_resp_len;
     281             :                         fstring nt_resp;
     282             :                         uint32_t nt_resp_len;
     283             :                         fstring workstation;
     284             :                         fstring require_membership_of_sid;
     285             :                 } auth_crap;
     286             :                 struct {
     287             :                     fstring user;
     288             :                     fstring oldpass;
     289             :                     fstring newpass;
     290             :                 } chauthtok;         /* pam_winbind passwd module */
     291             :                 struct {
     292             :                         fstring user;
     293             :                         fstring domain;
     294             :                         uint8_t new_nt_pswd[516];
     295             :                         uint16_t new_nt_pswd_len;
     296             :                         uint8_t old_nt_hash_enc[16];
     297             :                         uint16_t old_nt_hash_enc_len;
     298             :                         uint8_t new_lm_pswd[516];
     299             :                         uint16_t new_lm_pswd_len;
     300             :                         uint8_t old_lm_hash_enc[16];
     301             :                         uint16_t old_lm_hash_enc_len;
     302             :                 } chng_pswd_auth_crap;/* pam_winbind passwd module */
     303             :                 struct {
     304             :                         fstring user;
     305             :                         fstring krb5ccname;
     306             :                         uid_t uid;
     307             :                 } logoff;              /* pam_winbind session module */
     308             :                 fstring sid;         /* lookupsid, sid_to_[ug]id */
     309             :                 struct {
     310             :                         fstring dom_name;       /* lookupname */
     311             :                         fstring name;
     312             :                 } name;
     313             :                 uint32_t num_entries;  /* getpwent, getgrent */
     314             :                 struct {
     315             :                         fstring username;
     316             :                         fstring groupname;
     317             :                 } acct_mgt;
     318             :                 struct {
     319             :                         bool is_primary;
     320             :                         fstring dcname;
     321             :                 } init_conn;
     322             :                 struct {
     323             :                         fstring sid;
     324             :                         fstring name;
     325             :                 } dual_sid2id;
     326             :                 struct {
     327             :                         fstring sid;
     328             :                         uint32_t type;
     329             :                         uint32_t id;
     330             :                 } dual_idmapset;
     331             :                 bool list_all_domains;
     332             : 
     333             :                 struct {
     334             :                         uid_t uid;
     335             :                         fstring user;
     336             :                         /* the effective uid of the client, must be the uid for 'user'.
     337             :                            This is checked by the main daemon, trusted by children. */
     338             :                         /* if the blobs are length zero, then this doesn't
     339             :                            produce an actual challenge response. It merely
     340             :                            succeeds if there are cached credentials available
     341             :                            that could be used. */
     342             :                         uint32_t initial_blob_len; /* blobs in extra_data */
     343             :                         uint32_t challenge_blob_len;
     344             :                 } ccache_ntlm_auth;
     345             :                 struct {
     346             :                         uid_t uid;
     347             :                         fstring user;
     348             :                         fstring pass;
     349             :                 } ccache_save;
     350             :                 struct {
     351             :                         fstring domain_name;
     352             :                         fstring domain_guid;
     353             :                         fstring site_name;
     354             :                         uint32_t flags;
     355             :                 } dsgetdcname;
     356             : 
     357             :                 /* padding -- needed to fix alignment between 32bit and 64bit libs.
     358             :                    The size is the sizeof the union without the padding aligned on
     359             :                    an 8 byte boundary.   --jerry */
     360             : 
     361             :                 char padding[1800];
     362             :         } data;
     363             :         union {
     364             :                 SMB_TIME_T padding;
     365             :                 char *data;
     366             :         } extra_data;
     367             :         uint32_t extra_len;
     368             :         char null_term;
     369             : };
     370             : 
     371             : /* Response values */
     372             : 
     373             : enum winbindd_result {
     374             :         WINBINDD_ERROR,
     375             :         WINBINDD_PENDING,
     376             :         WINBINDD_OK
     377             : };
     378             : 
     379             : /* Winbind response structure */
     380             : 
     381             : /*******************************************************************************
     382             :  * This structure MUST be the same size in the 32bit and 64bit builds
     383             :  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
     384             :  *
     385             :  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
     386             :  * A 64BIT WINBINDD    --jerry
     387             :  ******************************************************************************/
     388             : 
     389             : struct winbindd_response {
     390             : 
     391             :         /* Header information */
     392             : 
     393             :         uint32_t length;                      /* Length of response */
     394             :         enum winbindd_result result;          /* Result code */
     395             : 
     396             :         /* Fixed length return data */
     397             : 
     398             :         union {
     399             :                 int interface_version;  /* Try to ensure this is always in the same spot... */
     400             : 
     401             :                 fstring winsresp;               /* WINS response */
     402             : 
     403             :                 /* getpwnam, getpwuid */
     404             : 
     405             :                 struct winbindd_pw pw;
     406             : 
     407             :                 /* getgrnam, getgrgid */
     408             : 
     409             :                 struct winbindd_gr gr;
     410             : 
     411             :                 uint32_t num_entries; /* getpwent, getgrent */
     412             :                 struct winbindd_sid {
     413             :                         fstring sid;        /* lookupname, [ug]id_to_sid */
     414             :                         int type;
     415             :                 } sid;
     416             :                 struct winbindd_name {
     417             :                         fstring dom_name;       /* lookupsid */
     418             :                         fstring name;
     419             :                         int type;
     420             :                 } name;
     421             :                 uid_t uid;          /* sid_to_uid */
     422             :                 gid_t gid;          /* sid_to_gid */
     423             :                 struct winbindd_info {
     424             :                         char winbind_separator;
     425             :                         fstring samba_version;
     426             :                 } info;
     427             :                 fstring domain_name;
     428             :                 fstring netbios_name;
     429             :                 fstring dc_name;
     430             : 
     431             :                 struct auth_reply {
     432             :                         uint32_t nt_status;
     433             :                         fstring nt_status_string;
     434             :                         fstring error_string;
     435             :                         int pam_error;
     436             :                         char user_session_key[16];
     437             :                         char first_8_lm_hash[8];
     438             :                         fstring krb5ccname;
     439             :                         uint32_t reject_reason;
     440             :                         uint8_t authoritative;
     441             :                         uint8_t padding[1];
     442             :                         uint16_t validation_level;
     443             :                         struct policy_settings {
     444             :                                 uint32_t min_length_password;
     445             :                                 uint32_t password_history;
     446             :                                 uint32_t password_properties;
     447             :                                 uint32_t padding;
     448             :                                 SMB_TIME_T expire;
     449             :                                 SMB_TIME_T min_passwordage;
     450             :                         } policy;
     451             :                         struct info3_text {
     452             :                                 SMB_TIME_T logon_time;
     453             :                                 SMB_TIME_T logoff_time;
     454             :                                 SMB_TIME_T kickoff_time;
     455             :                                 SMB_TIME_T pass_last_set_time;
     456             :                                 SMB_TIME_T pass_can_change_time;
     457             :                                 SMB_TIME_T pass_must_change_time;
     458             :                                 uint32_t logon_count;
     459             :                                 uint32_t bad_pw_count;
     460             :                                 uint32_t user_rid;
     461             :                                 uint32_t group_rid;
     462             :                                 uint32_t num_groups;
     463             :                                 uint32_t user_flgs;
     464             :                                 uint32_t acct_flags;
     465             :                                 uint32_t num_other_sids;
     466             :                                 fstring dom_sid;
     467             :                                 fstring user_name;
     468             :                                 fstring full_name;
     469             :                                 fstring logon_script;
     470             :                                 fstring profile_path;
     471             :                                 fstring home_dir;
     472             :                                 fstring dir_drive;
     473             :                                 fstring logon_srv;
     474             :                                 fstring logon_dom;
     475             :                         } info3;
     476             :                         struct info6_text {
     477             :                                 fstring dns_domainname;
     478             :                                 fstring principal_name;
     479             :                         } info6;
     480             :                         fstring unix_username;
     481             :                 } auth;
     482             :                 struct {
     483             :                         fstring name;
     484             :                         fstring alt_name;
     485             :                         fstring sid;
     486             :                         bool native_mode;
     487             :                         bool active_directory;
     488             :                         bool primary;
     489             :                 } domain_info;
     490             :                 uint32_t sequence_number;
     491             :                 struct {
     492             :                         fstring acct_name;
     493             :                         fstring full_name;
     494             :                         fstring homedir;
     495             :                         fstring shell;
     496             :                         uint32_t primary_gid;
     497             :                         uint32_t group_rid;
     498             :                 } user_info;
     499             :                 struct {
     500             :                         uint8_t session_key[16];
     501             :                         uint32_t auth_blob_len; /* blob in extra_data */
     502             :                         uint8_t new_spnego;
     503             :                 } ccache_ntlm_auth;
     504             :                 struct {
     505             :                         fstring dc_unc;
     506             :                         fstring dc_address;
     507             :                         uint32_t dc_address_type;
     508             :                         fstring domain_guid;
     509             :                         fstring domain_name;
     510             :                         fstring forest_name;
     511             :                         uint32_t dc_flags;
     512             :                         fstring dc_site_name;
     513             :                         fstring client_site_name;
     514             :                 } dsgetdcname;
     515             :         } data;
     516             : 
     517             :         /* Variable length return data */
     518             : 
     519             :         union {
     520             :                 SMB_TIME_T padding;
     521             :                 void *data;
     522             :         } extra_data;
     523             : };
     524             : 
     525             : /* Free a response structure */
     526             : 
     527      381265 : static inline void winbindd_free_response(struct winbindd_response *response)
     528             : {
     529             :         /* Free any allocated extra_data */
     530             : 
     531      381265 :         if (response)
     532      381265 :                 SAFE_FREE(response->extra_data.data);
     533      379646 : }
     534             : 
     535             : #endif

Generated by: LCOV version 1.14