Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Winbind daemon for ntdom nss module
5 :
6 : Copyright (C) Tim Potter 2000
7 : Copyright (C) Gerald Carter 2006
8 :
9 : You are free to use this interface definition in any way you see
10 : fit, including without restriction, using this header in your own
11 : products. You do not need to give any attribution.
12 : */
13 :
14 : #ifndef SAFE_FREE
15 : #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
16 : #endif
17 :
18 : #ifndef FSTRING_LEN
19 : #define FSTRING_LEN 256
20 : typedef char fstring[FSTRING_LEN];
21 : #endif
22 :
23 : #ifndef _WINBINDD_NTDOM_H
24 : #define _WINBINDD_NTDOM_H
25 :
26 : #define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
27 :
28 : /* We let the build environment set the public winbindd socket
29 : * location. Therefore we no longer set
30 : *
31 : * #define WINBINDD_SOCKET_DIR "/tmp/.winbindd"
32 : *
33 : * A number of different distributions set different paths, and so it
34 : * needs to come from configure in Samba. External users of this header will
35 : * need to know where the path is on their system by some other
36 : * mechanism.
37 : */
38 :
39 : #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lock_directory() to hold the 'privileged' pipe */
40 : #define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
41 : #define WINBINDD_DONT_ENV "_NO_WINBINDD"
42 : #define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
43 :
44 : /* Update this when you change the interface.
45 : * 21: added WINBINDD_GETPWSID
46 : * added WINBINDD_GETSIDALIASES
47 : * 22: added WINBINDD_PING_DC
48 : * 23: added session_key to ccache_ntlm_auth response
49 : * added WINBINDD_CCACHE_SAVE
50 : * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
51 : * 25: removed WINBINDD_SET_HWM
52 : * removed WINBINDD_SET_MAPPING
53 : * removed WINBINDD_REMOVE_MAPPING
54 : * 26: added WINBINDD_DC_INFO
55 : * 27: added WINBINDD_LOOKUPSIDS
56 : * 28: added WINBINDD_XIDS_TO_SIDS
57 : * removed WINBINDD_SID_TO_UID
58 : * removed WINBINDD_SID_TO_GID
59 : * removed WINBINDD_GID_TO_SID
60 : * removed WINBINDD_UID_TO_SID
61 : * 29: added "authoritative" to response.data.auth
62 : * 30: added "validation_level" and "info6" to response.data.auth
63 : * 31: added "client_name" to the request
64 : * 32: added "traceid" to the request
65 : * removed WINBINDD_INIT_CONNECTION
66 : */
67 : #define WINBIND_INTERFACE_VERSION 32
68 :
69 : /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
70 : On a 64bit Linux box, we have to support a constant structure size
71 : between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
72 : The easiest way to do this is to always use 8byte values for time_t. */
73 :
74 : #define SMB_TIME_T int64_t
75 :
76 : /* Socket commands */
77 :
78 : enum winbindd_cmd {
79 :
80 : WINBINDD_INTERFACE_VERSION, /* Always a well known value */
81 :
82 : /* Get users and groups */
83 :
84 : WINBINDD_GETPWNAM,
85 : WINBINDD_GETPWUID,
86 : WINBINDD_GETPWSID,
87 : WINBINDD_GETGRNAM,
88 : WINBINDD_GETGRGID,
89 : WINBINDD_GETGROUPS,
90 :
91 : /* Enumerate users and groups */
92 :
93 : WINBINDD_SETPWENT,
94 : WINBINDD_ENDPWENT,
95 : WINBINDD_GETPWENT,
96 : WINBINDD_SETGRENT,
97 : WINBINDD_ENDGRENT,
98 : WINBINDD_GETGRENT,
99 :
100 : /* PAM authenticate and password change */
101 :
102 : WINBINDD_PAM_AUTH,
103 : WINBINDD_PAM_AUTH_CRAP,
104 : WINBINDD_PAM_CHAUTHTOK,
105 : WINBINDD_PAM_LOGOFF,
106 : WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
107 :
108 : /* List various things */
109 :
110 : WINBINDD_LIST_USERS, /* List w/o rid->id mapping */
111 : WINBINDD_LIST_GROUPS, /* Ditto */
112 : WINBINDD_LIST_TRUSTDOM,
113 :
114 : /* SID conversion */
115 :
116 : WINBINDD_LOOKUPSID,
117 : WINBINDD_LOOKUPNAME,
118 : WINBINDD_LOOKUPRIDS,
119 : WINBINDD_LOOKUPSIDS,
120 :
121 : /* Lookup functions */
122 :
123 : WINBINDD_SIDS_TO_XIDS,
124 : WINBINDD_XIDS_TO_SIDS,
125 :
126 : WINBINDD_ALLOCATE_UID,
127 : WINBINDD_ALLOCATE_GID,
128 :
129 : /* Miscellaneous other stuff */
130 :
131 : WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
132 : WINBINDD_CHANGE_MACHACC, /* Change machine account pw */
133 : WINBINDD_PING_DC, /* Ping the DC through NETLOGON */
134 : WINBINDD_PING, /* Just tell me winbind is running */
135 : WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
136 : WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
137 :
138 : WINBINDD_DOMAIN_INFO, /* Most of what we know from
139 : struct winbindd_domain */
140 : WINBINDD_GETDCNAME, /* Issue a GetDCName Request */
141 : WINBINDD_DSGETDCNAME, /* Issue a DsGetDCName Request */
142 : WINBINDD_DC_INFO, /* Which DC are we connected to? */
143 :
144 : WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
145 :
146 : /* WINS commands */
147 :
148 : WINBINDD_WINS_BYIP,
149 : WINBINDD_WINS_BYNAME,
150 :
151 : /* this is like GETGRENT but gives an empty group list */
152 : WINBINDD_GETGRLST,
153 :
154 : WINBINDD_NETBIOS_NAME, /* The netbios name of the server */
155 :
156 : /* find the location of our privileged pipe */
157 : WINBINDD_PRIV_PIPE_DIR,
158 :
159 : /* return a list of group sids for a user sid */
160 : WINBINDD_GETUSERSIDS,
161 :
162 : /* Various group queries */
163 : WINBINDD_GETUSERDOMGROUPS,
164 :
165 : /* lookup local groups */
166 : WINBINDD_GETSIDALIASES,
167 :
168 : /* Blocking calls that are not allowed on the main winbind pipe, only
169 : * between parent and children */
170 : WINBINDD_DUAL_SID2UID,
171 : WINBINDD_DUAL_SID2GID,
172 : WINBINDD_DUAL_SIDS2XIDS,
173 : WINBINDD_DUAL_UID2SID,
174 : WINBINDD_DUAL_GID2SID,
175 :
176 : /* Wrapper around possibly blocking unix nss calls */
177 : WINBINDD_DUAL_USERINFO,
178 : WINBINDD_DUAL_GETSIDALIASES,
179 :
180 : WINBINDD_DUAL_NDRCMD,
181 :
182 : /* Complete the challenge phase of the NTLM authentication
183 : protocol using cached password. */
184 : WINBINDD_CCACHE_NTLMAUTH,
185 : WINBINDD_CCACHE_SAVE,
186 :
187 : WINBINDD_NUM_CMDS
188 : };
189 :
190 : typedef struct winbindd_pw {
191 : fstring pw_name;
192 : fstring pw_passwd;
193 : uid_t pw_uid;
194 : gid_t pw_gid;
195 : fstring pw_gecos;
196 : fstring pw_dir;
197 : fstring pw_shell;
198 : } WINBINDD_PW;
199 :
200 :
201 : typedef struct winbindd_gr {
202 : fstring gr_name;
203 : fstring gr_passwd;
204 : gid_t gr_gid;
205 : uint32_t num_gr_mem;
206 : uint32_t gr_mem_ofs; /* offset to group membership */
207 : } WINBINDD_GR;
208 :
209 : /* Request flags */
210 : #define WBFLAG_PAM_INFO3_NDR 0x00000001
211 : #define WBFLAG_PAM_INFO3_TEXT 0x00000002
212 : #define WBFLAG_PAM_USER_SESSION_KEY 0x00000004
213 : #define WBFLAG_PAM_LMKEY 0x00000008
214 : #define WBFLAG_PAM_CONTACT_TRUSTDOM 0x00000010
215 : #define WBFLAG_QUERY_ONLY 0x00000020 /* not used */
216 : #define WBFLAG_PAM_AUTH_PAC 0x00000040
217 : #define WBFLAG_PAM_UNIX_NAME 0x00000080
218 : #define WBFLAG_PAM_AFS_TOKEN 0x00000100
219 : #define WBFLAG_PAM_NT_STATUS_SQUASH 0x00000200
220 : /* This is a flag that can only be sent from parent to child */
221 : #define WBFLAG_IS_PRIVILEGED 0x00000400 /* not used */
222 : /* Flag to say this is a winbindd internal send - don't recurse. */
223 : #define WBFLAG_RECURSE 0x00000800
224 : #define WBFLAG_PAM_KRB5 0x00001000
225 : #define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x00002000
226 : #define WBFLAG_PAM_CACHED_LOGIN 0x00004000
227 : #define WBFLAG_PAM_GET_PWD_POLICY 0x00008000
228 : /* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
229 : * extra_data field */
230 : #define WBFLAG_BIG_NTLMV2_BLOB 0x00010000
231 : #define WBFLAG_FROM_NSS 0x00020000
232 :
233 : #define WINBINDD_MAX_EXTRA_DATA (128*1024)
234 :
235 : /* Winbind request structure */
236 :
237 : /*******************************************************************************
238 : * This structure MUST be the same size in the 32bit and 64bit builds
239 : * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
240 : *
241 : * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
242 : * A 64BIT WINBINDD --jerry
243 : ******************************************************************************/
244 :
245 : struct winbindd_request {
246 : uint32_t length;
247 : enum winbindd_cmd cmd; /* Winbindd command to execute */
248 : enum winbindd_cmd original_cmd; /* Original Winbindd command
249 : issued to parent process */
250 : pid_t pid; /* pid of calling process */
251 : uint32_t wb_flags; /* generic flags */
252 : uint32_t flags; /* flags relevant *only* to a given request */
253 : fstring domain_name; /* name of domain for which the request applies */
254 : char client_name[32]; /* The client process sending the request */
255 : uint64_t traceid; /* debug traceid is sent from parent to child */
256 :
257 : union {
258 : fstring winsreq; /* WINS request */
259 : fstring username; /* getpwnam */
260 : fstring groupname; /* getgrnam */
261 : uid_t uid; /* getpwuid, uid_to_sid */
262 : gid_t gid; /* getgrgid, gid_to_sid */
263 : uint32_t ndrcmd;
264 : struct {
265 : /* We deliberately don't split into domain/user to
266 : avoid having the client know what the separator
267 : character is. */
268 : fstring user;
269 : fstring pass;
270 : char require_membership_of_sid[1024];
271 : fstring krb5_cc_type;
272 : uid_t uid;
273 : } auth; /* pam_winbind auth module */
274 : struct {
275 : uint8_t chal[8];
276 : uint32_t logon_parameters;
277 : fstring user;
278 : fstring domain;
279 : fstring lm_resp;
280 : uint32_t lm_resp_len;
281 : fstring nt_resp;
282 : uint32_t nt_resp_len;
283 : fstring workstation;
284 : fstring require_membership_of_sid;
285 : } auth_crap;
286 : struct {
287 : fstring user;
288 : fstring oldpass;
289 : fstring newpass;
290 : } chauthtok; /* pam_winbind passwd module */
291 : struct {
292 : fstring user;
293 : fstring domain;
294 : uint8_t new_nt_pswd[516];
295 : uint16_t new_nt_pswd_len;
296 : uint8_t old_nt_hash_enc[16];
297 : uint16_t old_nt_hash_enc_len;
298 : uint8_t new_lm_pswd[516];
299 : uint16_t new_lm_pswd_len;
300 : uint8_t old_lm_hash_enc[16];
301 : uint16_t old_lm_hash_enc_len;
302 : } chng_pswd_auth_crap;/* pam_winbind passwd module */
303 : struct {
304 : fstring user;
305 : fstring krb5ccname;
306 : uid_t uid;
307 : } logoff; /* pam_winbind session module */
308 : fstring sid; /* lookupsid, sid_to_[ug]id */
309 : struct {
310 : fstring dom_name; /* lookupname */
311 : fstring name;
312 : } name;
313 : uint32_t num_entries; /* getpwent, getgrent */
314 : struct {
315 : fstring username;
316 : fstring groupname;
317 : } acct_mgt;
318 : struct {
319 : bool is_primary;
320 : fstring dcname;
321 : } init_conn;
322 : struct {
323 : fstring sid;
324 : fstring name;
325 : } dual_sid2id;
326 : struct {
327 : fstring sid;
328 : uint32_t type;
329 : uint32_t id;
330 : } dual_idmapset;
331 : bool list_all_domains;
332 :
333 : struct {
334 : uid_t uid;
335 : fstring user;
336 : /* the effective uid of the client, must be the uid for 'user'.
337 : This is checked by the main daemon, trusted by children. */
338 : /* if the blobs are length zero, then this doesn't
339 : produce an actual challenge response. It merely
340 : succeeds if there are cached credentials available
341 : that could be used. */
342 : uint32_t initial_blob_len; /* blobs in extra_data */
343 : uint32_t challenge_blob_len;
344 : } ccache_ntlm_auth;
345 : struct {
346 : uid_t uid;
347 : fstring user;
348 : fstring pass;
349 : } ccache_save;
350 : struct {
351 : fstring domain_name;
352 : fstring domain_guid;
353 : fstring site_name;
354 : uint32_t flags;
355 : } dsgetdcname;
356 :
357 : /* padding -- needed to fix alignment between 32bit and 64bit libs.
358 : The size is the sizeof the union without the padding aligned on
359 : an 8 byte boundary. --jerry */
360 :
361 : char padding[1800];
362 : } data;
363 : union {
364 : SMB_TIME_T padding;
365 : char *data;
366 : } extra_data;
367 : uint32_t extra_len;
368 : char null_term;
369 : };
370 :
371 : /* Response values */
372 :
373 : enum winbindd_result {
374 : WINBINDD_ERROR,
375 : WINBINDD_PENDING,
376 : WINBINDD_OK
377 : };
378 :
379 : /* Winbind response structure */
380 :
381 : /*******************************************************************************
382 : * This structure MUST be the same size in the 32bit and 64bit builds
383 : * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
384 : *
385 : * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
386 : * A 64BIT WINBINDD --jerry
387 : ******************************************************************************/
388 :
389 : struct winbindd_response {
390 :
391 : /* Header information */
392 :
393 : uint32_t length; /* Length of response */
394 : enum winbindd_result result; /* Result code */
395 :
396 : /* Fixed length return data */
397 :
398 : union {
399 : int interface_version; /* Try to ensure this is always in the same spot... */
400 :
401 : fstring winsresp; /* WINS response */
402 :
403 : /* getpwnam, getpwuid */
404 :
405 : struct winbindd_pw pw;
406 :
407 : /* getgrnam, getgrgid */
408 :
409 : struct winbindd_gr gr;
410 :
411 : uint32_t num_entries; /* getpwent, getgrent */
412 : struct winbindd_sid {
413 : fstring sid; /* lookupname, [ug]id_to_sid */
414 : int type;
415 : } sid;
416 : struct winbindd_name {
417 : fstring dom_name; /* lookupsid */
418 : fstring name;
419 : int type;
420 : } name;
421 : uid_t uid; /* sid_to_uid */
422 : gid_t gid; /* sid_to_gid */
423 : struct winbindd_info {
424 : char winbind_separator;
425 : fstring samba_version;
426 : } info;
427 : fstring domain_name;
428 : fstring netbios_name;
429 : fstring dc_name;
430 :
431 : struct auth_reply {
432 : uint32_t nt_status;
433 : fstring nt_status_string;
434 : fstring error_string;
435 : int pam_error;
436 : char user_session_key[16];
437 : char first_8_lm_hash[8];
438 : fstring krb5ccname;
439 : uint32_t reject_reason;
440 : uint8_t authoritative;
441 : uint8_t padding[1];
442 : uint16_t validation_level;
443 : struct policy_settings {
444 : uint32_t min_length_password;
445 : uint32_t password_history;
446 : uint32_t password_properties;
447 : uint32_t padding;
448 : SMB_TIME_T expire;
449 : SMB_TIME_T min_passwordage;
450 : } policy;
451 : struct info3_text {
452 : SMB_TIME_T logon_time;
453 : SMB_TIME_T logoff_time;
454 : SMB_TIME_T kickoff_time;
455 : SMB_TIME_T pass_last_set_time;
456 : SMB_TIME_T pass_can_change_time;
457 : SMB_TIME_T pass_must_change_time;
458 : uint32_t logon_count;
459 : uint32_t bad_pw_count;
460 : uint32_t user_rid;
461 : uint32_t group_rid;
462 : uint32_t num_groups;
463 : uint32_t user_flgs;
464 : uint32_t acct_flags;
465 : uint32_t num_other_sids;
466 : fstring dom_sid;
467 : fstring user_name;
468 : fstring full_name;
469 : fstring logon_script;
470 : fstring profile_path;
471 : fstring home_dir;
472 : fstring dir_drive;
473 : fstring logon_srv;
474 : fstring logon_dom;
475 : } info3;
476 : struct info6_text {
477 : fstring dns_domainname;
478 : fstring principal_name;
479 : } info6;
480 : fstring unix_username;
481 : } auth;
482 : struct {
483 : fstring name;
484 : fstring alt_name;
485 : fstring sid;
486 : bool native_mode;
487 : bool active_directory;
488 : bool primary;
489 : } domain_info;
490 : uint32_t sequence_number;
491 : struct {
492 : fstring acct_name;
493 : fstring full_name;
494 : fstring homedir;
495 : fstring shell;
496 : uint32_t primary_gid;
497 : uint32_t group_rid;
498 : } user_info;
499 : struct {
500 : uint8_t session_key[16];
501 : uint32_t auth_blob_len; /* blob in extra_data */
502 : uint8_t new_spnego;
503 : } ccache_ntlm_auth;
504 : struct {
505 : fstring dc_unc;
506 : fstring dc_address;
507 : uint32_t dc_address_type;
508 : fstring domain_guid;
509 : fstring domain_name;
510 : fstring forest_name;
511 : uint32_t dc_flags;
512 : fstring dc_site_name;
513 : fstring client_site_name;
514 : } dsgetdcname;
515 : } data;
516 :
517 : /* Variable length return data */
518 :
519 : union {
520 : SMB_TIME_T padding;
521 : void *data;
522 : } extra_data;
523 : };
524 :
525 : /* Free a response structure */
526 :
527 381265 : static inline void winbindd_free_response(struct winbindd_response *response)
528 : {
529 : /* Free any allocated extra_data */
530 :
531 381265 : if (response)
532 381265 : SAFE_FREE(response->extra_data.data);
533 379646 : }
534 :
535 : #endif
|