summaryrefslogtreecommitdiff
path: root/nsswitch/winbind_struct_protocol.h
diff options
context:
space:
mode:
Diffstat (limited to 'nsswitch/winbind_struct_protocol.h')
-rw-r--r--nsswitch/winbind_struct_protocol.h514
1 files changed, 514 insertions, 0 deletions
diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
new file mode 100644
index 0000000000..fe3da81791
--- /dev/null
+++ b/nsswitch/winbind_struct_protocol.h
@@ -0,0 +1,514 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon for ntdom nss module
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Gerald Carter 2006
+
+ You are free to use this interface definition in any way you see
+ fit, including without restriction, using this header in your own
+ products. You do not need to give any attribution.
+*/
+
+#ifndef SAFE_FREE
+#define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
+#endif
+
+#ifndef _WINBINDD_NTDOM_H
+#define _WINBINDD_NTDOM_H
+
+#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
+
+/* Let the build environment override the public winbindd socket location. This
+ * is needed for launchd support -- jpeach.
+ */
+#ifndef WINBINDD_SOCKET_DIR
+#define WINBINDD_SOCKET_DIR "/tmp/.winbindd" /* Name of PF_UNIX dir */
+#endif
+
+/*
+ * when compiled with socket_wrapper support
+ * the location of the WINBINDD_SOCKET_DIR
+ * can be overwritten via an environment variable
+ */
+#define WINBINDD_SOCKET_DIR_ENVVAR "WINBINDD_SOCKET_DIR"
+
+#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
+#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
+#define WINBINDD_DONT_ENV "_NO_WINBINDD"
+#define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
+
+/* Update this when you change the interface. */
+
+#define WINBIND_INTERFACE_VERSION 20
+
+/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
+ On a 64bit Linux box, we have to support a constant structure size
+ between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
+ The easiest way to do this is to always use 8byte values for time_t. */
+
+#define SMB_TIME_T int64_t
+
+/* Socket commands */
+
+enum winbindd_cmd {
+
+ WINBINDD_INTERFACE_VERSION, /* Always a well known value */
+
+ /* Get users and groups */
+
+ WINBINDD_GETPWNAM,
+ WINBINDD_GETPWUID,
+ WINBINDD_GETGRNAM,
+ WINBINDD_GETGRGID,
+ WINBINDD_GETGROUPS,
+
+ /* Enumerate users and groups */
+
+ WINBINDD_SETPWENT,
+ WINBINDD_ENDPWENT,
+ WINBINDD_GETPWENT,
+ WINBINDD_SETGRENT,
+ WINBINDD_ENDGRENT,
+ WINBINDD_GETGRENT,
+
+ /* PAM authenticate and password change */
+
+ WINBINDD_PAM_AUTH,
+ WINBINDD_PAM_AUTH_CRAP,
+ WINBINDD_PAM_CHAUTHTOK,
+ WINBINDD_PAM_LOGOFF,
+ WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
+
+ /* List various things */
+
+ WINBINDD_LIST_USERS, /* List w/o rid->id mapping */
+ WINBINDD_LIST_GROUPS, /* Ditto */
+ WINBINDD_LIST_TRUSTDOM,
+
+ /* SID conversion */
+
+ WINBINDD_LOOKUPSID,
+ WINBINDD_LOOKUPNAME,
+ WINBINDD_LOOKUPRIDS,
+
+ /* Lookup functions */
+
+ WINBINDD_SID_TO_UID,
+ WINBINDD_SID_TO_GID,
+ WINBINDD_SIDS_TO_XIDS,
+ WINBINDD_UID_TO_SID,
+ WINBINDD_GID_TO_SID,
+
+ WINBINDD_ALLOCATE_UID,
+ WINBINDD_ALLOCATE_GID,
+ WINBINDD_SET_MAPPING,
+ WINBINDD_REMOVE_MAPPING,
+ WINBINDD_SET_HWM,
+
+ /* Miscellaneous other stuff */
+
+ WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
+ WINBINDD_PING, /* Just tell me winbind is running */
+ WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
+ WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
+
+ WINBINDD_DOMAIN_INFO, /* Most of what we know from
+ struct winbindd_domain */
+ WINBINDD_GETDCNAME, /* Issue a GetDCName Request */
+ WINBINDD_DSGETDCNAME, /* Issue a DsGetDCName Request */
+
+ WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
+
+ /* WINS commands */
+
+ WINBINDD_WINS_BYIP,
+ WINBINDD_WINS_BYNAME,
+
+ /* this is like GETGRENT but gives an empty group list */
+ WINBINDD_GETGRLST,
+
+ WINBINDD_NETBIOS_NAME, /* The netbios name of the server */
+
+ /* find the location of our privileged pipe */
+ WINBINDD_PRIV_PIPE_DIR,
+
+ /* return a list of group sids for a user sid */
+ WINBINDD_GETUSERSIDS,
+
+ /* Various group queries */
+ WINBINDD_GETUSERDOMGROUPS,
+
+ /* Initialize connection in a child */
+ WINBINDD_INIT_CONNECTION,
+
+ /* Blocking calls that are not allowed on the main winbind pipe, only
+ * between parent and children */
+ WINBINDD_DUAL_SID2UID,
+ WINBINDD_DUAL_SID2GID,
+ WINBINDD_DUAL_SIDS2XIDS,
+ WINBINDD_DUAL_UID2SID,
+ WINBINDD_DUAL_GID2SID,
+ WINBINDD_DUAL_SET_MAPPING,
+ WINBINDD_DUAL_REMOVE_MAPPING,
+ WINBINDD_DUAL_SET_HWM,
+
+ /* Wrapper around possibly blocking unix nss calls */
+ WINBINDD_DUAL_USERINFO,
+ WINBINDD_DUAL_GETSIDALIASES,
+
+ /* Complete the challenge phase of the NTLM authentication
+ protocol using cached password. */
+ WINBINDD_CCACHE_NTLMAUTH,
+
+ WINBINDD_NUM_CMDS
+};
+
+typedef struct winbindd_pw {
+ fstring pw_name;
+ fstring pw_passwd;
+ uid_t pw_uid;
+ gid_t pw_gid;
+ fstring pw_gecos;
+ fstring pw_dir;
+ fstring pw_shell;
+} WINBINDD_PW;
+
+
+typedef struct winbindd_gr {
+ fstring gr_name;
+ fstring gr_passwd;
+ gid_t gr_gid;
+ uint32_t num_gr_mem;
+ uint32_t gr_mem_ofs; /* offset to group membership */
+} WINBINDD_GR;
+
+/* PAM specific request flags */
+#define WBFLAG_PAM_INFO3_NDR 0x00000001
+#define WBFLAG_PAM_INFO3_TEXT 0x00000002
+#define WBFLAG_PAM_USER_SESSION_KEY 0x00000004
+#define WBFLAG_PAM_LMKEY 0x00000008
+#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x00000010
+#define WBFLAG_PAM_UNIX_NAME 0x00000080
+#define WBFLAG_PAM_AFS_TOKEN 0x00000100
+#define WBFLAG_PAM_NT_STATUS_SQUASH 0x00000200
+#define WBFLAG_PAM_KRB5 0x00001000
+#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x00002000
+#define WBFLAG_PAM_CACHED_LOGIN 0x00004000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x00008000
+
+/* generic request flags */
+#define WBFLAG_QUERY_ONLY 0x00000020 /* not used */
+/* This is a flag that can only be sent from parent to child */
+#define WBFLAG_IS_PRIVILEGED 0x00000400 /* not used */
+/* Flag to say this is a winbindd internal send - don't recurse. */
+#define WBFLAG_RECURSE 0x00000800
+/* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
+ * extra_data field */
+#define WBFLAG_BIG_NTLMV2_BLOB 0x00010000
+
+#define WINBINDD_MAX_EXTRA_DATA (128*1024)
+
+/* Winbind request structure */
+
+/*******************************************************************************
+ * This structure MUST be the same size in the 32bit and 64bit builds
+ * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
+ *
+ * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
+ * A 64BIT WINBINDD --jerry
+ ******************************************************************************/
+
+struct winbindd_request {
+ uint32_t length;
+ enum winbindd_cmd cmd; /* Winbindd command to execute */
+ enum winbindd_cmd original_cmd; /* Original Winbindd command
+ issued to parent process */
+ pid_t pid; /* pid of calling process */
+ uint32_t wb_flags; /* generic flags */
+ uint32_t flags; /* flags relevant *only* to a given request */
+ fstring domain_name; /* name of domain for which the request applies */
+
+ union {
+ fstring winsreq; /* WINS request */
+ fstring username; /* getpwnam */
+ fstring groupname; /* getgrnam */
+ uid_t uid; /* getpwuid, uid_to_sid */
+ gid_t gid; /* getgrgid, gid_to_sid */
+ struct {
+ /* We deliberatedly don't split into domain/user to
+ avoid having the client know what the separator
+ character is. */
+ fstring user;
+ fstring pass;
+ char require_membership_of_sid[1024];
+ fstring krb5_cc_type;
+ uid_t uid;
+ } auth; /* pam_winbind auth module */
+ struct {
+ uint8_t chal[8];
+ uint32_t logon_parameters;
+ fstring user;
+ fstring domain;
+ fstring lm_resp;
+ uint32_t lm_resp_len;
+ fstring nt_resp;
+ uint32_t nt_resp_len;
+ fstring workstation;
+ fstring require_membership_of_sid;
+ } auth_crap;
+ struct {
+ fstring user;
+ fstring oldpass;
+ fstring newpass;
+ } chauthtok; /* pam_winbind passwd module */
+ struct {
+ fstring user;
+ fstring domain;
+ uint8_t new_nt_pswd[516];
+ uint16_t new_nt_pswd_len;
+ uint8_t old_nt_hash_enc[16];
+ uint16_t old_nt_hash_enc_len;
+ uint8_t new_lm_pswd[516];
+ uint16_t new_lm_pswd_len;
+ uint8_t old_lm_hash_enc[16];
+ uint16_t old_lm_hash_enc_len;
+ } chng_pswd_auth_crap;/* pam_winbind passwd module */
+ struct {
+ fstring user;
+ fstring krb5ccname;
+ uid_t uid;
+ } logoff; /* pam_winbind session module */
+ fstring sid; /* lookupsid, sid_to_[ug]id */
+ struct {
+ fstring dom_name; /* lookupname */
+ fstring name;
+ } name;
+ uint32_t num_entries; /* getpwent, getgrent */
+ struct {
+ fstring username;
+ fstring groupname;
+ } acct_mgt;
+ struct {
+ bool is_primary;
+ fstring dcname;
+ } init_conn;
+ struct {
+ fstring sid;
+ fstring name;
+ } dual_sid2id;
+ struct {
+ fstring sid;
+ uint32_t type;
+ uint32_t id;
+ } dual_idmapset;
+ bool list_all_domains;
+
+ struct {
+ uid_t uid;
+ fstring user;
+ /* the effective uid of the client, must be the uid for 'user'.
+ This is checked by the main daemon, trusted by children. */
+ /* if the blobs are length zero, then this doesn't
+ produce an actual challenge response. It merely
+ succeeds if there are cached credentials available
+ that could be used. */
+ uint32_t initial_blob_len; /* blobs in extra_data */
+ uint32_t challenge_blob_len;
+ } ccache_ntlm_auth;
+ struct {
+ fstring domain_name;
+ fstring domain_guid;
+ fstring site_name;
+ uint32_t flags;
+ } dsgetdcname;
+
+ /* padding -- needed to fix alignment between 32bit and 64bit libs.
+ The size is the sizeof the union without the padding aligned on
+ an 8 byte boundary. --jerry */
+
+ char padding[1800];
+ } data;
+ union {
+ SMB_TIME_T padding;
+ char *data;
+ } extra_data;
+ uint32_t extra_len;
+ char null_term;
+};
+
+/* Response values */
+
+enum winbindd_result {
+ WINBINDD_ERROR,
+ WINBINDD_PENDING,
+ WINBINDD_OK
+};
+
+/* Winbind response structure */
+
+/*******************************************************************************
+ * This structure MUST be the same size in the 32bit and 64bit builds
+ * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
+ *
+ * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
+ * A 64BIT WINBINDD --jerry
+ ******************************************************************************/
+
+struct winbindd_response {
+
+ /* Header information */
+
+ uint32_t length; /* Length of response */
+ enum winbindd_result result; /* Result code */
+
+ /* Fixed length return data */
+
+ union {
+ int interface_version; /* Try to ensure this is always in the same spot... */
+
+ fstring winsresp; /* WINS response */
+
+ /* getpwnam, getpwuid */
+
+ struct winbindd_pw pw;
+
+ /* getgrnam, getgrgid */
+
+ struct winbindd_gr gr;
+
+ uint32_t num_entries; /* getpwent, getgrent */
+ struct winbindd_sid {
+ fstring sid; /* lookupname, [ug]id_to_sid */
+ int type;
+ } sid;
+ struct winbindd_name {
+ fstring dom_name; /* lookupsid */
+ fstring name;
+ int type;
+ } name;
+ uid_t uid; /* sid_to_uid */
+ gid_t gid; /* sid_to_gid */
+ struct winbindd_info {
+ char winbind_separator;
+ fstring samba_version;
+ } info;
+ fstring domain_name;
+ fstring netbios_name;
+ fstring dc_name;
+
+ struct auth_reply {
+ uint32_t nt_status;
+ fstring nt_status_string;
+ fstring error_string;
+ int pam_error;
+ char user_session_key[16];
+ char first_8_lm_hash[8];
+ fstring krb5ccname;
+ uint32_t reject_reason;
+ uint32_t padding;
+ struct policy_settings {
+ uint32_t min_length_password;
+ uint32_t password_history;
+ uint32_t password_properties;
+ uint32_t padding;
+ SMB_TIME_T expire;
+ SMB_TIME_T min_passwordage;
+ } policy;
+ struct info3_text {
+ SMB_TIME_T logon_time;
+ SMB_TIME_T logoff_time;
+ SMB_TIME_T kickoff_time;
+ SMB_TIME_T pass_last_set_time;
+ SMB_TIME_T pass_can_change_time;
+ SMB_TIME_T pass_must_change_time;
+ uint32_t logon_count;
+ uint32_t bad_pw_count;
+ uint32_t user_rid;
+ uint32_t group_rid;
+ uint32_t num_groups;
+ uint32_t user_flgs;
+ uint32_t acct_flags;
+ uint32_t num_other_sids;
+ fstring dom_sid;
+ fstring user_name;
+ fstring full_name;
+ fstring logon_script;
+ fstring profile_path;
+ fstring home_dir;
+ fstring dir_drive;
+ fstring logon_srv;
+ fstring logon_dom;
+ } info3;
+ fstring unix_username;
+ } auth;
+ struct {
+ fstring name;
+ fstring alt_name;
+ fstring sid;
+ bool native_mode;
+ bool active_directory;
+ bool primary;
+ } domain_info;
+ uint32_t sequence_number;
+ struct {
+ fstring acct_name;
+ fstring full_name;
+ fstring homedir;
+ fstring shell;
+ uint32_t primary_gid;
+ uint32_t group_rid;
+ } user_info;
+ struct {
+ uint32_t auth_blob_len; /* blob in extra_data */
+ } ccache_ntlm_auth;
+ struct {
+ fstring dc_unc;
+ fstring dc_address;
+ uint32_t dc_address_type;
+ fstring domain_guid;
+ fstring domain_name;
+ fstring forest_name;
+ uint32_t dc_flags;
+ fstring dc_site_name;
+ fstring client_site_name;
+ } dsgetdcname;
+ } data;
+
+ /* Variable length return data */
+
+ union {
+ SMB_TIME_T padding;
+ void *data;
+ } extra_data;
+};
+
+struct WINBINDD_MEMORY_CREDS {
+ struct WINBINDD_MEMORY_CREDS *next, *prev;
+ const char *username; /* lookup key. */
+ uid_t uid;
+ int ref_count;
+ size_t len;
+ uint8_t *nt_hash; /* Base pointer for the following 2 */
+ uint8_t *lm_hash;
+ char *pass;
+};
+
+struct WINBINDD_CCACHE_ENTRY {
+ struct WINBINDD_CCACHE_ENTRY *next, *prev;
+ const char *principal_name;
+ const char *ccname;
+ const char *service;
+ const char *username;
+ const char *realm;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr;
+ int ref_count;
+ uid_t uid;
+ time_t create_time;
+ time_t renew_until;
+ time_t refresh_time;
+ struct timed_event *event;
+};
+
+#endif