Merge commit 'origin/v3-2-test' into v3-2-stable

Conflicts:

	WHATSNEW.txt
(This used to be commit a390bcf9403df4cf4d5eef42b35ebccbe253882e)

5 files changed, 580 insertions, 34 deletions

diff --git a/source3/nsswitch/libwbclient/wbc_pam.c b/source3/nsswitch/libwbclient/wbc_pam.c
index 7f7c7b8140..1164ab173a 100644
--- a/source3/nsswitch/libwbclient/wbc_pam.c
+++ b/source3/nsswitch/libwbclient/wbc_pam.c
@@ -34,32 +34,389 @@
 wbcErr wbcAuthenticateUser(const char *username,
 			   const char *password)
 {
+	wbcErr wbc_status = WBC_ERR_SUCCESS;
+	struct wbcAuthUserParams params;
+
+	ZERO_STRUCT(params);
+
+	params.account_name		= username;
+	params.level			= WBC_AUTH_USER_LEVEL_PLAIN;
+	params.password.plaintext	= password;
+
+	wbc_status = wbcAuthenticateUserEx(&params, NULL, NULL);
+	BAIL_ON_WBC_ERROR(wbc_status);
+
+done:
+	return wbc_status;
+}
+
+static wbcErr wbc_create_auth_info(TALLOC_CTX *mem_ctx,
+				   const struct winbindd_response *resp,
+				   struct wbcAuthUserInfo **_i)
+{
+	wbcErr wbc_status = WBC_ERR_SUCCESS;
+	struct wbcAuthUserInfo *i;
+	struct wbcDomainSid domain_sid;
+	char *p;
+	uint32_t sn = 0;
+	uint32_t j;
+
+	i = talloc(mem_ctx, struct wbcAuthUserInfo);
+	BAIL_ON_PTR_ERROR(i, wbc_status);
+
+	i->user_flags	= resp->data.auth.info3.user_flgs;
+
+	i->account_name	= talloc_strdup(i, resp->data.auth.info3.user_name);
+	BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
+	i->user_principal= NULL;
+	i->full_name	= talloc_strdup(i, resp->data.auth.info3.full_name);
+	BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
+	i->domain_name	= talloc_strdup(i, resp->data.auth.info3.logon_dom);
+	BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
+	i->dns_domain_name= NULL;
+
+	i->acct_flags	= resp->data.auth.info3.acct_flags;
+	memcpy(i->user_session_key,
+	       resp->data.auth.user_session_key,
+	       sizeof(i->user_session_key));
+	memcpy(i->lm_session_key,
+	       resp->data.auth.first_8_lm_hash,
+	       sizeof(i->lm_session_key));
+
+	i->logon_count		= resp->data.auth.info3.logon_count;
+	i->bad_password_count	= resp->data.auth.info3.bad_pw_count;
+
+	i->logon_time		= resp->data.auth.info3.logon_time;
+	i->logoff_time		= resp->data.auth.info3.logoff_time;
+	i->kickoff_time		= resp->data.auth.info3.kickoff_time;
+	i->pass_last_set_time	= resp->data.auth.info3.pass_last_set_time;
+	i->pass_can_change_time	= resp->data.auth.info3.pass_can_change_time;
+	i->pass_must_change_time= resp->data.auth.info3.pass_must_change_time;
+
+	i->logon_server	= talloc_strdup(i, resp->data.auth.info3.logon_srv);
+	BAIL_ON_PTR_ERROR(i->logon_server, wbc_status);
+	i->logon_script	= talloc_strdup(i, resp->data.auth.info3.logon_script);
+	BAIL_ON_PTR_ERROR(i->logon_script, wbc_status);
+	i->profile_path	= talloc_strdup(i, resp->data.auth.info3.profile_path);
+	BAIL_ON_PTR_ERROR(i->profile_path, wbc_status);
+	i->home_directory= talloc_strdup(i, resp->data.auth.info3.home_dir);
+	BAIL_ON_PTR_ERROR(i->home_directory, wbc_status);
+	i->home_drive	= talloc_strdup(i, resp->data.auth.info3.dir_drive);
+	BAIL_ON_PTR_ERROR(i->home_drive, wbc_status);
+
+	i->num_sids	= 2;
+	i->num_sids 	+= resp->data.auth.info3.num_groups;
+	i->num_sids	+= resp->data.auth.info3.num_other_sids;
+
+	i->sids	= talloc_array(i, struct wbcSidWithAttr, i->num_sids);
+	BAIL_ON_PTR_ERROR(i->sids, wbc_status);
+
+	wbc_status = wbcStringToSid(resp->data.auth.info3.dom_sid,
+				    &domain_sid);
+	BAIL_ON_WBC_ERROR(wbc_status);
+
+#define _SID_COMPOSE(s, d, r, a) { \
+	(s).sid = d; \
+	if ((s).sid.num_auths < MAXSUBAUTHS) { \
+		(s).sid.sub_auths[(s).sid.num_auths++] = r; \
+	} else { \
+		wbc_status = WBC_ERR_INVALID_SID; \
+		BAIL_ON_WBC_ERROR(wbc_status); \
+	} \
+	(s).attributes = a; \
+} while (0)
+
+	sn = 0;
+	_SID_COMPOSE(i->sids[sn], domain_sid,
+		     resp->data.auth.info3.user_rid,
+		     0);
+	sn++;
+	_SID_COMPOSE(i->sids[sn], domain_sid,
+		     resp->data.auth.info3.group_rid,
+		     0);
+	sn++;
+
+	p = (char *)resp->extra_data.data;
+	if (!p) {
+		wbc_status = WBC_INVALID_RESPONSE;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
+	for (j=0; j < resp->data.auth.info3.num_groups; j++) {
+		uint32_t rid;
+		uint32_t attrs;
+		int ret;
+		char *s = p;
+		char *e = strchr(p, '\n');
+		if (!e) {
+			wbc_status = WBC_INVALID_RESPONSE;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+		e[0] = '\0';
+		p = &e[1];
+
+		ret = sscanf(s, "0x%08X:0x%08X", &rid, &attrs);
+		if (ret != 2) {
+			wbc_status = WBC_INVALID_RESPONSE;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+
+		_SID_COMPOSE(i->sids[sn], domain_sid,
+			     rid, attrs);
+		sn++;
+	}
+
+	for (j=0; j < resp->data.auth.info3.num_other_sids; j++) {
+		uint32_t attrs;
+		int ret;
+		char *s = p;
+		char *a;
+		char *e = strchr(p, '\n');
+		if (!e) {
+			wbc_status = WBC_INVALID_RESPONSE;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+		e[0] = '\0';
+		p = &e[1];
+
+		e = strchr(s, ':');
+		if (!e) {
+			wbc_status = WBC_INVALID_RESPONSE;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+		e[0] = '\0';
+		a = &e[1];
+
+		ret = sscanf(a, "0x%08X",
+			     &attrs);
+		if (ret != 1) {
+			wbc_status = WBC_INVALID_RESPONSE;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+
+		wbc_status = wbcStringToSid(s, &i->sids[sn].sid);
+		BAIL_ON_WBC_ERROR(wbc_status);
+
+		i->sids[sn].attributes = attrs;
+		sn++;
+	}
+
+	i->num_sids = sn;
+
+	*_i = i;
+	i = NULL;
+done:
+	talloc_free(i);
+	return wbc_status;
+}
+
+static wbcErr wbc_create_error_info(TALLOC_CTX *mem_ctx,
+				  const struct winbindd_response *resp,
+				  struct wbcAuthErrorInfo **_e)
+{
+	wbcErr wbc_status = WBC_ERR_SUCCESS;
+	struct wbcAuthErrorInfo *e;
+
+	e = talloc(mem_ctx, struct wbcAuthErrorInfo);
+	BAIL_ON_PTR_ERROR(e, wbc_status);
+
+	e->nt_status = resp->data.auth.nt_status;
+	e->pam_error = resp->data.auth.pam_error;
+	e->nt_string = talloc_strdup(e, resp->data.auth.nt_status_string);
+	BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
+
+	e->display_string = talloc_strdup(e, resp->data.auth.error_string);
+	BAIL_ON_PTR_ERROR(e->display_string, wbc_status);
+
+	*_e = e;
+	e = NULL;
+
+done:
+	talloc_free(e);
+	return wbc_status;
+}
+
+/** @brief Authenticate with more detailed information
+ *
+ * @param params       Input parameters, WBC_AUTH_USER_LEVEL_HASH
+ *                     is not supported yet
+ * @param info         Output details on WBC_ERR_SUCCESS
+ * @param error        Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+
+wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
+			     struct wbcAuthUserInfo **info,
+			     struct wbcAuthErrorInfo **error)
+{
 	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+	int cmd = 0;
 	struct winbindd_request request;
 	struct winbindd_response response;
 
-	if (!username) {
+	ZERO_STRUCT(request);
+	ZERO_STRUCT(response);
+
+	if (error) {
+		*error = NULL;
+	}
+
+	if (!params) {
+		wbc_status = WBC_ERR_INVALID_PARAM;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
+	if (!params->account_name) {
 		wbc_status = WBC_ERR_INVALID_PARAM;
 		BAIL_ON_WBC_ERROR(wbc_status);
 	}
 
 	/* Initialize request */
 
-	ZERO_STRUCT(request);
-	ZERO_STRUCT(response);
+	switch (params->level) {
+	case WBC_AUTH_USER_LEVEL_PLAIN:
+		cmd = WINBINDD_PAM_AUTH;
+		request.flags = WBFLAG_PAM_INFO3_TEXT |
+				WBFLAG_PAM_USER_SESSION_KEY |
+				WBFLAG_PAM_LMKEY;
+
+		if (!params->password.plaintext) {
+			wbc_status = WBC_ERR_INVALID_PARAM;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+
+		if (params->domain_name && params->domain_name[0]) {
+			/* We need to get the winbind separator :-( */
+			struct winbindd_response sep_response;
 
-	/* dst is already null terminated from the memset above */
+			ZERO_STRUCT(sep_response);
 
-	strncpy(request.data.auth.user,	username,
-		sizeof(request.data.auth.user)-1);
-	strncpy(request.data.auth.pass,	password,
-		sizeof(request.data.auth.user)-1);
+			wbc_status = wbcRequestResponse(WINBINDD_INFO,
+							NULL, &sep_response);
+			BAIL_ON_WBC_ERROR(wbc_status);
 
-	wbc_status = wbcRequestResponse(WINBINDD_PAM_AUTH,
+			snprintf(request.data.auth.user,
+				 sizeof(request.data.auth.user)-1,
+				 "%s%c%s",
+				 params->domain_name,
+				 sep_response.data.info.winbind_separator,
+				 params->account_name);
+		} else {
+			strncpy(request.data.auth.user,
+				params->account_name,
+				sizeof(request.data.auth.user)-1);
+		}
+		strncpy(request.data.auth.pass,
+			params->password.plaintext,
+			sizeof(request.data.auth.user)-1);
+		break;
+
+	case WBC_AUTH_USER_LEVEL_HASH:
+		wbc_status = WBC_ERR_NOT_IMPLEMENTED;
+		BAIL_ON_WBC_ERROR(wbc_status);
+		break;
+
+	case WBC_AUTH_USER_LEVEL_RESPONSE:
+		cmd = WINBINDD_PAM_AUTH_CRAP;
+		request.flags = WBFLAG_PAM_INFO3_TEXT |
+				WBFLAG_PAM_USER_SESSION_KEY |
+				WBFLAG_PAM_LMKEY;
+
+		if (params->password.response.lm_length &&
+		    params->password.response.lm_data) {
+			wbc_status = WBC_ERR_INVALID_PARAM;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+		if (params->password.response.lm_length == 0 &&
+		    params->password.response.lm_data) {
+			wbc_status = WBC_ERR_INVALID_PARAM;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+
+		if (params->password.response.nt_length &&
+		    !params->password.response.nt_data) {
+			wbc_status = WBC_ERR_INVALID_PARAM;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+		if (params->password.response.nt_length == 0&&
+		    params->password.response.nt_data) {
+			wbc_status = WBC_ERR_INVALID_PARAM;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+
+		strncpy(request.data.auth_crap.user,
+			params->account_name,
+			sizeof(request.data.auth_crap.user)-1);
+		if (params->domain_name) {
+			strncpy(request.data.auth_crap.domain,
+				params->domain_name,
+				sizeof(request.data.auth_crap.domain)-1);
+		}
+		if (params->workstation_name) {
+			strncpy(request.data.auth_crap.workstation,
+				params->workstation_name,
+				sizeof(request.data.auth_crap.workstation)-1);
+		}
+
+		request.data.auth_crap.logon_parameters =
+				params->parameter_control;
+
+		memcpy(request.data.auth_crap.chal,
+		       params->password.response.challenge,
+		       sizeof(request.data.auth_crap.chal));
+
+		request.data.auth_crap.lm_resp_len =
+				MIN(params->password.response.lm_length,
+				    sizeof(request.data.auth_crap.lm_resp));
+		request.data.auth_crap.nt_resp_len =
+				MIN(params->password.response.nt_length,
+				    sizeof(request.data.auth_crap.nt_resp));
+		if (params->password.response.lm_data) {
+			memcpy(request.data.auth_crap.lm_resp,
+			       params->password.response.lm_data,
+			       request.data.auth_crap.lm_resp_len);
+		}
+		if (params->password.response.nt_data) {
+			memcpy(request.data.auth_crap.nt_resp,
+			       params->password.response.nt_data,
+			       request.data.auth_crap.nt_resp_len);
+		}
+		break;
+	default:
+		wbc_status = WBC_ERR_INVALID_PARAM;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
+	if (cmd == 0) {
+		wbc_status = WBC_ERR_INVALID_PARAM;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
+	wbc_status = wbcRequestResponse(cmd,
 					&request,
 					&response);
+	if (response.data.auth.nt_status != 0) {
+		if (error) {
+			wbc_status = wbc_create_error_info(NULL,
+							   &response,
+							   error);
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+
+		wbc_status = WBC_ERR_AUTH_ERROR;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
 	BAIL_ON_WBC_ERROR(wbc_status);
 
+	if (info) {
+		wbc_status = wbc_create_auth_info(NULL,
+						  &response,
+						  info);
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
 done:
+
 	return wbc_status;
 }
diff --git a/source3/nsswitch/libwbclient/wbc_pwd.c b/source3/nsswitch/libwbclient/wbc_pwd.c
index b24e198bc5..b7febcce0c 100644
--- a/source3/nsswitch/libwbclient/wbc_pwd.c
+++ b/source3/nsswitch/libwbclient/wbc_pwd.c
@@ -209,16 +209,16 @@ wbcErr wbcGetgrnam(const char *name, struct group **grp)
 	struct winbindd_request request;
 	struct winbindd_response response;
 
-	if (!name || !grp) {
-		wbc_status = WBC_ERR_INVALID_PARAM;
-		BAIL_ON_WBC_ERROR(wbc_status);
-	}
-
 	/* Initialize request */
 
 	ZERO_STRUCT(request);
 	ZERO_STRUCT(response);
 
+	if (!name || !grp) {
+		wbc_status = WBC_ERR_INVALID_PARAM;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
 	/* dst is already null terminated from the memset above */
 
 	strncpy(request.data.groupname, name, sizeof(request.data.groupname)-1);
@@ -254,16 +254,16 @@ wbcErr wbcGetgrgid(gid_t gid, struct group **grp)
 	struct winbindd_request request;
 	struct winbindd_response response;
 
-	if (!grp) {
-		wbc_status = WBC_ERR_INVALID_PARAM;
-		BAIL_ON_WBC_ERROR(wbc_status);
-	}
-
 	/* Initialize request */
 
 	ZERO_STRUCT(request);
 	ZERO_STRUCT(response);
 
+	if (!grp) {
+		wbc_status = WBC_ERR_INVALID_PARAM;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
 	request.data.gid = gid;
 
 	wbc_status = wbcRequestResponse(WINBINDD_GETGRGID,
diff --git a/source3/nsswitch/libwbclient/wbc_sid.c b/source3/nsswitch/libwbclient/wbc_sid.c
index abe1457cc1..0519d8bf9f 100644
--- a/source3/nsswitch/libwbclient/wbc_sid.c
+++ b/source3/nsswitch/libwbclient/wbc_sid.c
@@ -311,16 +311,16 @@ wbcErr wbcLookupRids(struct wbcDomainSid *dom_sid,
 	char *domain_name = NULL;
 	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
 
-	if (!dom_sid || (num_rids == 0)) {
-		wbc_status = WBC_ERR_INVALID_PARAM;
-		BAIL_ON_WBC_ERROR(wbc_status);
-	}
-
 	/* Initialise request */
 
 	ZERO_STRUCT(request);
 	ZERO_STRUCT(response);
 
+	if (!dom_sid || (num_rids == 0)) {
+		wbc_status = WBC_ERR_INVALID_PARAM;
+		BAIL_ON_WBC_ERROR(wbc_status);
+	}
+
 	wbc_status = wbcSidToString(dom_sid, &sid_string);
 	BAIL_ON_WBC_ERROR(wbc_status);
 
@@ -355,6 +355,7 @@ wbcErr wbcLookupRids(struct wbcDomainSid *dom_sid,
 					&request,
 					&response);
 	talloc_free(ridlist);
+	BAIL_ON_WBC_ERROR(wbc_status);
 
 	domain_name = talloc_strdup(NULL, response.data.domain_name);
 	BAIL_ON_PTR_ERROR(domain_name, wbc_status);
diff --git a/source3/nsswitch/libwbclient/wbclient.c b/source3/nsswitch/libwbclient/wbclient.c
index 321a7db669..e17296283f 100644
--- a/source3/nsswitch/libwbclient/wbclient.c
+++ b/source3/nsswitch/libwbclient/wbclient.c
@@ -59,11 +59,7 @@ wbcErr wbcRequestResponse(int cmd,
 	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
 	NSS_STATUS nss_status;
 
-	if (!request || !response) {
-		wbc_status = WBC_ERR_INVALID_PARAM;
-		BAIL_ON_WBC_ERROR(wbc_status);
-	}
-
+	/* for some calls the request and/or response cna be NULL */
 
 	nss_status = winbindd_request_response(cmd, request, response);
 
@@ -72,20 +68,55 @@ wbcErr wbcRequestResponse(int cmd,
 		wbc_status = WBC_ERR_SUCCESS;
 		break;
 	case NSS_STATUS_UNAVAIL:
-		return WBC_ERR_WINBIND_NOT_AVAILABLE;
+		wbc_status = WBC_ERR_WINBIND_NOT_AVAILABLE;
 		break;
 	case NSS_STATUS_NOTFOUND:
-		return WBC_ERR_DOMAIN_NOT_FOUND;
+		wbc_status = WBC_ERR_DOMAIN_NOT_FOUND;
 		break;
 	default:
 		wbc_status = WBC_ERR_NSS_ERROR;
 		break;
 	}
 
-done:
 	return wbc_status;
 }
 
+/** @brief Translate an error value into a string
+ *
+ * @param error
+ *
+ * @return a pointer to a static string
+ **/
+const char *wbcErrorString(wbcErr error)
+{
+	switch (error) {
+	case WBC_ERR_SUCCESS:
+		return "WBC_ERR_SUCCESS";
+	case WBC_ERR_NOT_IMPLEMENTED:
+		return "WBC_ERR_NOT_IMPLEMENTED";
+	case WBC_ERR_UNKNOWN_FAILURE:
+		return "WBC_ERR_UNKNOWN_FAILURE";
+	case WBC_ERR_NO_MEMORY:
+		return "WBC_ERR_NO_MEMORY";
+	case WBC_ERR_INVALID_SID:
+		return "WBC_ERR_INVALID_SID";
+	case WBC_ERR_INVALID_PARAM:
+		return "WBC_ERR_INVALID_PARAM";
+	case WBC_ERR_WINBIND_NOT_AVAILABLE:
+		return "WBC_ERR_WINBIND_NOT_AVAILABLE";
+	case WBC_ERR_DOMAIN_NOT_FOUND:
+		return "WBC_ERR_DOMAIN_NOT_FOUND";
+	case WBC_INVALID_RESPONSE:
+		return "WBC_INVALID_RESPONSE";
+	case WBC_ERR_NSS_ERROR:
+		return "WBC_ERR_NSS_ERROR";
+	case WBC_ERR_AUTH_ERROR:
+		return "WBC_ERR_AUTH_ERROR";
+	}
+
+	return "unknown wbcErr value";
+};
+
 /** @brief Free library allocated memory
  *
  * @param *p Pointer to free
diff --git a/source3/nsswitch/libwbclient/wbclient.h b/source3/nsswitch/libwbclient/wbclient.h
index 0b256d343f..c01db9618d 100644
--- a/source3/nsswitch/libwbclient/wbclient.h
+++ b/source3/nsswitch/libwbclient/wbclient.h
@@ -41,14 +41,15 @@ enum _wbcErrType {
 	WBC_ERR_WINBIND_NOT_AVAILABLE,   /**< Winbind daemon is not available **/
 	WBC_ERR_DOMAIN_NOT_FOUND,        /**< Domain is not trusted or cannot be found **/
 	WBC_INVALID_RESPONSE,        /**< Winbind returned an invalid response **/
-	WBC_ERR_NSS_ERROR            /**< NSS_STATUS error **/
+	WBC_ERR_NSS_ERROR,            /**< NSS_STATUS error **/
+	WBC_ERR_AUTH_ERROR        /**< Authentication failed **/
 };
 
 typedef enum _wbcErrType wbcErr;
 
 #define WBC_ERROR_IS_OK(x) ((x) == WBC_ERR_SUCCESS)
 
-char *wbcErrorString(wbcErr error);
+const char *wbcErrorString(wbcErr error);
 
 /*
  * Data types used by the Winbind Client API
@@ -88,6 +89,25 @@ enum wbcSidType {
 };
 
 /**
+ * @brief Security Identifier with attributes
+ **/
+
+struct wbcSidWithAttr {
+	struct wbcDomainSid sid;
+	uint32_t attributes;
+};
+
+/* wbcSidWithAttr->attributes */
+
+#define WBC_SID_ATTR_GROUP_MANDATORY		0x00000001
+#define WBC_SID_ATTR_GROUP_ENABLED_BY_DEFAULT	0x00000002
+#define WBC_SID_ATTR_GROUP_ENABLED 		0x00000004
+#define WBC_SID_ATTR_GROUP_OWNER 		0x00000008
+#define WBC_SID_ATTR_GROUP_USEFOR_DENY_ONLY 	0x00000010
+#define WBC_SID_ATTR_GROUP_RESOURCE 		0x20000000
+#define WBC_SID_ATTR_GROUP_LOGON_ID 		0xC0000000
+
+/**
  * @brief Domain Information
  **/
 
@@ -104,6 +124,140 @@ struct wbcDomainInfo {
 #define WBC_DOMINFO_AD                0x00000002
 #define WBC_DOMINFO_PRIMARY           0x00000004
 
+/**
+ * @brief Auth User Parameters
+ **/
+
+struct wbcAuthUserParams {
+	const char *account_name;
+	const char *domain_name;
+	const char *workstation_name;
+
+	uint32_t flags;
+
+	uint32_t parameter_control;
+
+	enum wbcAuthUserLevel {
+		WBC_AUTH_USER_LEVEL_PLAIN = 1,
+		WBC_AUTH_USER_LEVEL_HASH = 2,
+		WBC_AUTH_USER_LEVEL_RESPONSE = 3
+	} level;
+	union {
+		const char *plaintext;
+		struct {
+			uint8_t nt_hash[16];
+			uint8_t lm_hash[16];
+		} hash;
+		struct {
+			uint8_t challenge[8];
+			uint32_t nt_length;
+			uint8_t *nt_data;
+			uint32_t lm_length;
+			uint8_t *lm_data;
+		} response;
+	} password;
+};
+
+/* wbcAuthUserParams->parameter_control */
+
+#define WBC_MSV1_0_CLEARTEXT_PASSWORD_ALLOWED		0x00000002
+#define WBC_MSV1_0_UPDATE_LOGON_STATISTICS		0x00000004
+#define WBC_MSV1_0_RETURN_USER_PARAMETERS		0x00000008
+#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT		0x00000020
+#define WBC_MSV1_0_RETURN_PROFILE_PATH			0x00000200
+#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT	0x00000800
+
+/* wbcAuthUserParams->flags */
+
+#define WBC_AUTH_PARAM_FLAGS_INTERACTIVE_LOGON		0x00000001
+
+/**
+ * @brief Auth User Information
+ *
+ * Some of the strings are maybe NULL
+ **/
+
+struct wbcAuthUserInfo {
+	uint32_t user_flags;
+
+	char *account_name;
+	char *user_principal;
+	char *full_name;
+	char *domain_name;
+	char *dns_domain_name;
+
+	uint32_t acct_flags;
+	uint8_t user_session_key[16];
+	uint8_t lm_session_key[8];
+
+	uint16_t logon_count;
+	uint16_t bad_password_count;
+
+	uint64_t logon_time;
+	uint64_t logoff_time;
+	uint64_t kickoff_time;
+	uint64_t pass_last_set_time;
+	uint64_t pass_can_change_time;
+	uint64_t pass_must_change_time;
+
+	char *logon_server;
+	char *logon_script;
+	char *profile_path;
+	char *home_directory;
+	char *home_drive;
+
+	/*
+	 * the 1st one is the account sid
+	 * the 2nd one is the primary_group sid
+	 * followed by the rest of the groups
+	 */
+	uint32_t num_sids;
+	struct wbcSidWithAttr *sids;
+};
+
+/* wbcAuthUserInfo->user_flags */
+
+#define WBC_AUTH_USER_INFO_GUEST			0x00000001
+#define WBC_AUTH_USER_INFO_NOENCRYPTION			0x00000002
+#define WBC_AUTH_USER_INFO_CACHED_ACCOUNT		0x00000004
+#define WBC_AUTH_USER_INFO_USED_LM_PASSWORD		0x00000008
+#define WBC_AUTH_USER_INFO_EXTRA_SIDS 			0x00000020
+#define WBC_AUTH_USER_INFO_SUBAUTH_SESSION_KEY		0x00000040
+#define WBC_AUTH_USER_INFO_SERVER_TRUST_ACCOUNT		0x00000080
+#define WBC_AUTH_USER_INFO_NTLMV2_ENABLED		0x00000100
+#define WBC_AUTH_USER_INFO_RESOURCE_GROUPS		0x00000200
+#define WBC_AUTH_USER_INFO_PROFILE_PATH_RETURNED	0x00000400
+#define WBC_AUTH_USER_INFO_GRACE_LOGON			0x01000000
+
+/* wbcAuthUserInfo->acct_flags */
+
+#define WBC_ACB_DISABLED			0x00000001 /* 1 User account disabled */
+#define WBC_ACB_HOMDIRREQ			0x00000002 /* 1 Home directory required */
+#define WBC_ACB_PWNOTREQ			0x00000004 /* 1 User password not required */
+#define WBC_ACB_TEMPDUP				0x00000008 /* 1 Temporary duplicate account */
+#define WBC_ACB_NORMAL				0x00000010 /* 1 Normal user account */
+#define WBC_ACB_MNS				0x00000020 /* 1 MNS logon user account */
+#define WBC_ACB_DOMTRUST			0x00000040 /* 1 Interdomain trust account */
+#define WBC_ACB_WSTRUST				0x00000080 /* 1 Workstation trust account */
+#define WBC_ACB_SVRTRUST			0x00000100 /* 1 Server trust account */
+#define WBC_ACB_PWNOEXP				0x00000200 /* 1 User password does not expire */
+#define WBC_ACB_AUTOLOCK			0x00000400 /* 1 Account auto locked */
+#define WBC_ACB_ENC_TXT_PWD_ALLOWED		0x00000800 /* 1 Encryped text password is allowed */
+#define WBC_ACB_SMARTCARD_REQUIRED		0x00001000 /* 1 Smart Card required */
+#define WBC_ACB_TRUSTED_FOR_DELEGATION		0x00002000 /* 1 Trusted for Delegation */
+#define WBC_ACB_NOT_DELEGATED			0x00004000 /* 1 Not delegated */
+#define WBC_ACB_USE_DES_KEY_ONLY		0x00008000 /* 1 Use DES key only */
+#define WBC_ACB_DONT_REQUIRE_PREAUTH		0x00010000 /* 1 Preauth not required */
+#define WBC_ACB_PW_EXPIRED              	0x00020000 /* 1 Password Expired */
+#define WBC_ACB_NO_AUTH_DATA_REQD		0x00080000   /* 1 = No authorization data required */
+
+struct wbcAuthErrorInfo {
+	uint32_t nt_status;
+	char *nt_string;
+	int32_t pam_error;
+	char *display_string;
+};
+
 /*
  * Memory Management
  */
@@ -205,5 +359,8 @@ wbcErr wbcDomainSequenceNumbers(void);
 wbcErr wbcAuthenticateUser(const char *username,
 			   const char *password);
 
+wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
+			     struct wbcAuthUserInfo **info,
+			     struct wbcAuthErrorInfo **error);
 
 #endif      /* _WBCLIENT_H */