summaryrefslogtreecommitdiff
path: root/nsswitch/winbind_struct_protocol.h
blob: 7554d5799a6c16a1d34138511e95514e74ca72f8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
/*
   Unix SMB/CIFS implementation.

   Winbind daemon for ntdom nss module

   Copyright (C) Tim Potter 2000
   Copyright (C) Gerald Carter 2006

   You are free to use this interface definition in any way you see
   fit, including without restriction, using this header in your own
   products. You do not need to give any attribution.
*/

#ifndef SAFE_FREE
#define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
#endif

#ifndef FSTRING_LEN
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];
#endif

#ifndef _WINBINDD_NTDOM_H
#define _WINBINDD_NTDOM_H

#define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */

/* Let the build environment override the public winbindd socket location. This
 * is needed for launchd support -- jpeach.
 */
#ifndef WINBINDD_SOCKET_DIR
#define WINBINDD_SOCKET_DIR  "/tmp/.winbindd"  /* Name of PF_UNIX dir */
#endif

/*
 * when compiled with socket_wrapper support
 * the location of the WINBINDD_SOCKET_DIR
 * can be overwritten via an environment variable
 */
#define WINBINDD_SOCKET_DIR_ENVVAR "WINBINDD_SOCKET_DIR"

#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
#define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
#define WINBINDD_DONT_ENV    "_NO_WINBINDD"
#define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"

/* Update this when you change the interface.
 * 21: added WINBINDD_GETPWSID
 *     added WINBINDD_GETSIDALIASES
 * 22: added WINBINDD_PING_DC
 * 23: added session_key to ccache_ntlm_auth response
 *     added WINBINDD_CCACHE_SAVE
 * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
 */
#define WINBIND_INTERFACE_VERSION 24

/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
   On a 64bit Linux box, we have to support a constant structure size
   between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
   The easiest way to do this is to always use 8byte values for time_t. */

#define SMB_TIME_T int64_t

/* Socket commands */

enum winbindd_cmd {

	WINBINDD_INTERFACE_VERSION,    /* Always a well known value */

	/* Get users and groups */

	WINBINDD_GETPWNAM,
	WINBINDD_GETPWUID,
	WINBINDD_GETPWSID,
	WINBINDD_GETGRNAM,
	WINBINDD_GETGRGID,
	WINBINDD_GETGROUPS,

	/* Enumerate users and groups */

	WINBINDD_SETPWENT,
	WINBINDD_ENDPWENT,
	WINBINDD_GETPWENT,
	WINBINDD_SETGRENT,
	WINBINDD_ENDGRENT,
	WINBINDD_GETGRENT,

	/* PAM authenticate and password change */

	WINBINDD_PAM_AUTH,
	WINBINDD_PAM_AUTH_CRAP,
	WINBINDD_PAM_CHAUTHTOK,
	WINBINDD_PAM_LOGOFF,
	WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,

	/* List various things */

	WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
	WINBINDD_LIST_GROUPS,        /* Ditto */
	WINBINDD_LIST_TRUSTDOM,

	/* SID conversion */

	WINBINDD_LOOKUPSID,
	WINBINDD_LOOKUPNAME,
	WINBINDD_LOOKUPRIDS,

	/* Lookup functions */

	WINBINDD_SID_TO_UID,
	WINBINDD_SID_TO_GID,
	WINBINDD_SIDS_TO_XIDS,
	WINBINDD_UID_TO_SID,
	WINBINDD_GID_TO_SID,

	WINBINDD_ALLOCATE_UID,
	WINBINDD_ALLOCATE_GID,
	WINBINDD_SET_MAPPING,
	WINBINDD_REMOVE_MAPPING,

	/* Miscellaneous other stuff */

	WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
	WINBINDD_CHANGE_MACHACC,    /* Change machine account pw */
	WINBINDD_PING_DC,     	    /* Ping the DC through NETLOGON */
	WINBINDD_PING,              /* Just tell me winbind is running */
	WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
	WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */

	WINBINDD_DOMAIN_INFO,	/* Most of what we know from
				   struct winbindd_domain */
	WINBINDD_GETDCNAME,	/* Issue a GetDCName Request */
	WINBINDD_DSGETDCNAME,	/* Issue a DsGetDCName Request */

	WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */

	/* WINS commands */

	WINBINDD_WINS_BYIP,
	WINBINDD_WINS_BYNAME,

	/* this is like GETGRENT but gives an empty group list */
	WINBINDD_GETGRLST,

	WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */

	/* find the location of our privileged pipe */
	WINBINDD_PRIV_PIPE_DIR,

	/* return a list of group sids for a user sid */
	WINBINDD_GETUSERSIDS,

	/* Various group queries */
	WINBINDD_GETUSERDOMGROUPS,

	/* lookup local groups */
	WINBINDD_GETSIDALIASES,

	/* Initialize connection in a child */
	WINBINDD_INIT_CONNECTION,

	/* Blocking calls that are not allowed on the main winbind pipe, only
	 * between parent and children */
	WINBINDD_DUAL_SID2UID,
	WINBINDD_DUAL_SID2GID,
	WINBINDD_DUAL_SIDS2XIDS,
	WINBINDD_DUAL_UID2SID,
	WINBINDD_DUAL_GID2SID,
	WINBINDD_DUAL_SET_MAPPING,
	WINBINDD_DUAL_REMOVE_MAPPING,

	/* Wrapper around possibly blocking unix nss calls */
	WINBINDD_DUAL_USERINFO,
	WINBINDD_DUAL_GETSIDALIASES,

	WINBINDD_DUAL_NDRCMD,

	/* Complete the challenge phase of the NTLM authentication
	   protocol using cached password. */
	WINBINDD_CCACHE_NTLMAUTH,
	WINBINDD_CCACHE_SAVE,

	WINBINDD_NUM_CMDS
};

typedef struct winbindd_pw {
	fstring pw_name;
	fstring pw_passwd;
	uid_t pw_uid;
	gid_t pw_gid;
	fstring pw_gecos;
	fstring pw_dir;
	fstring pw_shell;
} WINBINDD_PW;


typedef struct winbindd_gr {
	fstring gr_name;
	fstring gr_passwd;
	gid_t gr_gid;
	uint32_t num_gr_mem;
	uint32_t gr_mem_ofs;   /* offset to group membership */
} WINBINDD_GR;

/* PAM specific request flags */
#define WBFLAG_PAM_INFO3_NDR		0x00000001
#define WBFLAG_PAM_INFO3_TEXT		0x00000002
#define WBFLAG_PAM_USER_SESSION_KEY	0x00000004
#define WBFLAG_PAM_LMKEY		0x00000008
#define WBFLAG_PAM_CONTACT_TRUSTDOM	0x00000010
#define WBFLAG_PAM_UNIX_NAME		0x00000080
#define WBFLAG_PAM_AFS_TOKEN		0x00000100
#define WBFLAG_PAM_NT_STATUS_SQUASH	0x00000200
#define WBFLAG_PAM_KRB5			0x00001000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x00002000
#define WBFLAG_PAM_CACHED_LOGIN		0x00004000
#define WBFLAG_PAM_GET_PWD_POLICY	0x00008000

/* generic request flags */
#define WBFLAG_QUERY_ONLY		0x00000020	/* not used */
/* This is a flag that can only be sent from parent to child */
#define WBFLAG_IS_PRIVILEGED		0x00000400	/* not used */
/* Flag to say this is a winbindd internal send - don't recurse. */
#define WBFLAG_RECURSE			0x00000800
/* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
 * extra_data field */
#define WBFLAG_BIG_NTLMV2_BLOB		0x00010000

#define WINBINDD_MAX_EXTRA_DATA (128*1024)

/* Winbind request structure */

/*******************************************************************************
 * This structure MUST be the same size in the 32bit and 64bit builds
 * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
 *
 * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 * A 64BIT WINBINDD    --jerry
 ******************************************************************************/

struct winbindd_request {
	uint32_t length;
	enum winbindd_cmd cmd;   /* Winbindd command to execute */
	enum winbindd_cmd original_cmd;   /* Original Winbindd command
					     issued to parent process */
	pid_t pid;               /* pid of calling process */
	uint32_t wb_flags;       /* generic flags */
	uint32_t flags;          /* flags relevant *only* to a given request */
	fstring domain_name;	/* name of domain for which the request applies */

	union {
		fstring winsreq;     /* WINS request */
		fstring username;    /* getpwnam */
		fstring groupname;   /* getgrnam */
		uid_t uid;           /* getpwuid, uid_to_sid */
		gid_t gid;           /* getgrgid, gid_to_sid */
		uint32_t ndrcmd;
		struct {
			/* We deliberatedly don't split into domain/user to
                           avoid having the client know what the separator
                           character is. */
			fstring user;
			fstring pass;
			char require_membership_of_sid[1024];
			fstring krb5_cc_type;
			uid_t uid;
		} auth;              /* pam_winbind auth module */
                struct {
                        uint8_t chal[8];
			uint32_t logon_parameters;
                        fstring user;
                        fstring domain;
                        fstring lm_resp;
                        uint32_t lm_resp_len;
                        fstring nt_resp;
                        uint32_t nt_resp_len;
			fstring workstation;
		        fstring require_membership_of_sid;
                } auth_crap;
                struct {
                    fstring user;
                    fstring oldpass;
                    fstring newpass;
                } chauthtok;         /* pam_winbind passwd module */
		struct {
			fstring user;
			fstring domain;
			uint8_t new_nt_pswd[516];
			uint16_t new_nt_pswd_len;
			uint8_t old_nt_hash_enc[16];
			uint16_t old_nt_hash_enc_len;
			uint8_t new_lm_pswd[516];
			uint16_t new_lm_pswd_len;
			uint8_t old_lm_hash_enc[16];
			uint16_t old_lm_hash_enc_len;
		} chng_pswd_auth_crap;/* pam_winbind passwd module */
		struct {
			fstring user;
			fstring krb5ccname;
			uid_t uid;
		} logoff;              /* pam_winbind session module */
		fstring sid;         /* lookupsid, sid_to_[ug]id */
		struct {
			fstring dom_name;       /* lookupname */
			fstring name;
		} name;
		uint32_t num_entries;  /* getpwent, getgrent */
		struct {
			fstring username;
			fstring groupname;
		} acct_mgt;
		struct {
			bool is_primary;
			fstring dcname;
		} init_conn;
		struct {
			fstring sid;
			fstring name;
		} dual_sid2id;
		struct {
			fstring sid;
			uint32_t type;
			uint32_t id;
		} dual_idmapset;
		bool list_all_domains;

		struct {
			uid_t uid;
			fstring user;
			/* the effective uid of the client, must be the uid for 'user'.
			   This is checked by the main daemon, trusted by children. */
			/* if the blobs are length zero, then this doesn't
			   produce an actual challenge response. It merely
			   succeeds if there are cached credentials available
			   that could be used. */
			uint32_t initial_blob_len; /* blobs in extra_data */
			uint32_t challenge_blob_len;
		} ccache_ntlm_auth;
		struct {
			uid_t uid;
			fstring user;
			fstring pass;
		} ccache_save;
		struct {
			fstring domain_name;
			fstring domain_guid;
			fstring site_name;
			uint32_t flags;
		} dsgetdcname;

		/* padding -- needed to fix alignment between 32bit and 64bit libs.
		   The size is the sizeof the union without the padding aligned on
		   an 8 byte boundary.   --jerry */

		char padding[1800];
	} data;
	union {
		SMB_TIME_T padding;
		char *data;
	} extra_data;
	uint32_t extra_len;
	char null_term;
};

/* Response values */

enum winbindd_result {
	WINBINDD_ERROR,
	WINBINDD_PENDING,
	WINBINDD_OK
};

/* Winbind response structure */

/*******************************************************************************
 * This structure MUST be the same size in the 32bit and 64bit builds
 * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
 *
 * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
 * A 64BIT WINBINDD    --jerry
 ******************************************************************************/

struct winbindd_response {

	/* Header information */

	uint32_t length;                      /* Length of response */
	enum winbindd_result result;          /* Result code */

	/* Fixed length return data */

	union {
		int interface_version;  /* Try to ensure this is always in the same spot... */

		fstring winsresp;		/* WINS response */

		/* getpwnam, getpwuid */

		struct winbindd_pw pw;

		/* getgrnam, getgrgid */

		struct winbindd_gr gr;

		uint32_t num_entries; /* getpwent, getgrent */
		struct winbindd_sid {
			fstring sid;        /* lookupname, [ug]id_to_sid */
			int type;
		} sid;
		struct winbindd_name {
			fstring dom_name;       /* lookupsid */
			fstring name;
			int type;
		} name;
		uid_t uid;          /* sid_to_uid */
		gid_t gid;          /* sid_to_gid */
		struct winbindd_info {
			char winbind_separator;
			fstring samba_version;
		} info;
		fstring domain_name;
		fstring netbios_name;
		fstring dc_name;

		struct auth_reply {
			uint32_t nt_status;
			fstring nt_status_string;
			fstring error_string;
			int pam_error;
			char user_session_key[16];
			char first_8_lm_hash[8];
			fstring krb5ccname;
			uint32_t reject_reason;
			uint32_t padding;
			struct policy_settings {
				uint32_t min_length_password;
				uint32_t password_history;
				uint32_t password_properties;
				uint32_t padding;
				SMB_TIME_T expire;
				SMB_TIME_T min_passwordage;
			} policy;
			struct info3_text {
				SMB_TIME_T logon_time;
				SMB_TIME_T logoff_time;
				SMB_TIME_T kickoff_time;
				SMB_TIME_T pass_last_set_time;
				SMB_TIME_T pass_can_change_time;
				SMB_TIME_T pass_must_change_time;
				uint32_t logon_count;
				uint32_t bad_pw_count;
				uint32_t user_rid;
				uint32_t group_rid;
				uint32_t num_groups;
				uint32_t user_flgs;
				uint32_t acct_flags;
				uint32_t num_other_sids;
				fstring dom_sid;
				fstring user_name;
				fstring full_name;
				fstring logon_script;
				fstring profile_path;
				fstring home_dir;
				fstring dir_drive;
				fstring logon_srv;
				fstring logon_dom;
			} info3;
			fstring unix_username;
		} auth;
		struct {
			fstring name;
			fstring alt_name;
			fstring sid;
			bool native_mode;
			bool active_directory;
			bool primary;
		} domain_info;
		uint32_t sequence_number;
		struct {
			fstring acct_name;
			fstring full_name;
			fstring homedir;
			fstring shell;
			uint32_t primary_gid;
			uint32_t group_rid;
		} user_info;
		struct {
			uint8_t session_key[16];
			uint32_t auth_blob_len; /* blob in extra_data */
		} ccache_ntlm_auth;
		struct {
			fstring dc_unc;
			fstring dc_address;
			uint32_t dc_address_type;
			fstring domain_guid;
			fstring domain_name;
			fstring forest_name;
			uint32_t dc_flags;
			fstring dc_site_name;
			fstring client_site_name;
		} dsgetdcname;
	} data;

	/* Variable length return data */

	union {
		SMB_TIME_T padding;
		void *data;
	} extra_data;
};

#endif