1 /* 2 * Unix SMB/CIFS implementation. 3 * secrets.tdb file format info 4 * Copyright (C) Andrew Tridgell 2000 5 * 6 * This program is free software; you can redistribute it and/or modify it 7 * under the terms of the GNU General Public License as published by the 8 * Free Software Foundation; either version 3 of the License, or (at your 9 * option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 14 * more details. 15 * 16 * You should have received a copy of the GNU General Public License along with 17 * this program; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 #ifndef _SECRETS_H 21 #define _SECRETS_H 22 23 /* the first one is for the hashed password (NT4 style) the latter 24 for plaintext (ADS) 25 */ 26 #define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC" 27 #define SECRETS_MACHINE_PASSWORD "SECRETS/MACHINE_PASSWORD" 28 #define SECRETS_MACHINE_PASSWORD_PREV "SECRETS/MACHINE_PASSWORD.PREV" 29 #define SECRETS_MACHINE_LAST_CHANGE_TIME "SECRETS/MACHINE_LAST_CHANGE_TIME" 30 #define SECRETS_MACHINE_SEC_CHANNEL_TYPE "SECRETS/MACHINE_SEC_CHANNEL_TYPE" 31 #define SECRETS_MACHINE_TRUST_ACCOUNT_NAME "SECRETS/SECRETS_MACHINE_TRUST_ACCOUNT_NAME" 32 #define SECRETS_MACHINE_DOMAIN_INFO "SECRETS/MACHINE_DOMAIN_INFO" 33 /* this one is for storing trusted domain account password */ 34 #define SECRETS_DOMTRUST_ACCT_PASS "SECRETS/$DOMTRUST.ACC" 35 36 /* Store the principal name used for Kerberos DES key salt under this key name. */ 37 #define SECRETS_SALTING_PRINCIPAL "SECRETS/SALTING_PRINCIPAL" 38 39 /* The domain sid and our sid are stored here even though they aren't 40 really secret. */ 41 #define SECRETS_DOMAIN_SID "SECRETS/SID" 42 #define SECRETS_SAM_SID "SAM/SID" 43 #define SECRETS_PROTECT_IDS "SECRETS/PROTECT/IDS" 44 45 /* The domain GUID and server GUID (NOT the same) are also not secret */ 46 #define SECRETS_DOMAIN_GUID "SECRETS/DOMGUID" 47 #define SECRETS_SERVER_GUID "SECRETS/GUID" 48 49 #define SECRETS_LDAP_BIND_PW "SECRETS/LDAP_BIND_PW" 50 51 #define SECRETS_LOCAL_SCHANNEL_KEY "SECRETS/LOCAL_SCHANNEL_KEY" 52 53 /* Authenticated user info is stored in secrets.tdb under these keys */ 54 55 #define SECRETS_AUTH_USER "SECRETS/AUTH_USER" 56 #define SECRETS_AUTH_DOMAIN "SECRETS/AUTH_DOMAIN" 57 #define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD" 58 59 /* structure for storing machine account password 60 (ie. when samba server is member of a domain */ 61 struct machine_acct_pass { 62 uint8_t hash[16]; 63 time_t mod_time; 64 }; 65 66 /* 67 * Format of an OpenAFS keyfile 68 */ 69 70 #define SECRETS_AFS_MAXKEYS 8 71 72 struct afs_key { 73 uint32_t kvno; 74 char key[8]; 75 }; 76 77 struct afs_keyfile { 78 uint32_t nkeys; 79 struct afs_key entry[SECRETS_AFS_MAXKEYS]; 80 }; 81 82 #define SECRETS_AFS_KEYFILE "SECRETS/AFS_KEYFILE" 83 84 /* The following definitions come from passdb/secrets.c */ 85 86 bool secrets_init_path(const char *private_dir); 87 bool secrets_init(void); 88 struct db_context *secrets_db_ctx(void); 89 void secrets_shutdown(void); 90 void *secrets_fetch(const char *key, size_t *size); 91 bool secrets_store(const char *key, const void *data, size_t size); 92 bool secrets_delete_entry(const char *key); 93 bool secrets_delete(const char *key); 94 95 /* The following definitions come from passdb/machine_account_secrets.c */ 96 bool secrets_mark_domain_protected(const char *domain); 97 bool secrets_clear_domain_protection(const char *domain); 98 bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid); 99 bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid); 100 bool secrets_store_domain_guid(const char *domain, const struct GUID *guid); 101 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid); 102 enum netr_SchannelType get_default_sec_channel(void); 103 bool secrets_fetch_trust_account_password_legacy(const char *domain, 104 uint8_t ret_pwd[16], 105 time_t *pass_last_set_time, 106 enum netr_SchannelType *channel); 107 bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16], 108 time_t *pass_last_set_time, 109 enum netr_SchannelType *channel); 110 bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd, 111 struct dom_sid *sid, time_t *pass_last_set_time); 112 bool secrets_store_trusted_domain_password(const char* domain, const char* pwd, 113 const struct dom_sid *sid); 114 struct libnet_JoinCtx; 115 NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r); 116 struct secrets_domain_info1; 117 struct secrets_domain_info1_change; 118 void secrets_debug_domain_info(int lvl, const struct secrets_domain_info1 *info, 119 const char *name); 120 char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domain_info1 *info1, 121 const char *name, bool include_secrets); 122 NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain, 123 TALLOC_CTX *mem_ctx, 124 struct secrets_domain_info1 **pinfo); 125 NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, 126 const char *cleartext_unix, 127 TALLOC_CTX *mem_ctx, 128 struct secrets_domain_info1 **pinfo, 129 struct secrets_domain_info1_change **pprev); 130 NTSTATUS secrets_failed_password_change(const char *change_server, 131 NTSTATUS local_status, 132 NTSTATUS remote_status, 133 const struct secrets_domain_info1 *info); 134 NTSTATUS secrets_defer_password_change(const char *change_server, 135 NTSTATUS local_status, 136 NTSTATUS remote_status, 137 const struct secrets_domain_info1 *info); 138 NTSTATUS secrets_finish_password_change(const char *change_server, 139 NTTIME change_time, 140 const struct secrets_domain_info1 *info); 141 bool secrets_delete_machine_password_ex(const char *domain, const char *realm); 142 bool secrets_delete_domain_sid(const char *domain); 143 char *secrets_fetch_prev_machine_password(const char *domain); 144 time_t secrets_fetch_pass_last_set_time(const char *domain); 145 char *secrets_fetch_machine_password(const char *domain, 146 time_t *pass_last_set_time, 147 enum netr_SchannelType *channel); 148 bool trusted_domain_password_delete(const char *domain); 149 bool secrets_store_ldap_pw(const char* dn, char* pw); 150 bool fetch_ldap_pw(char **dn, char** pw); 151 bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile); 152 bool secrets_fetch_afs_key(const char *cell, struct afs_key *result); 153 void secrets_fetch_ipc_userpass(char **username, char **domain, char **password); 154 bool secrets_store_generic(const char *owner, const char *key, const char *secret); 155 char *secrets_fetch_generic(const char *owner, const char *key); 156 157 bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain, 158 const char *realm, 159 const char *salting_principal, uint32_t supported_enc_types, 160 const struct dom_sid *domain_sid, uint32_t last_change_time, 161 uint32_t secure_channel, 162 bool delete_join); 163 164 char* kerberos_standard_des_salt( void ); 165 bool kerberos_secrets_store_des_salt( const char* salt ); 166 char *kerberos_secrets_fetch_salt_princ(void); 167 168 /* The following definitions come from passdb/secrets_lsa.c */ 169 NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx, 170 const char *secret_name, 171 DATA_BLOB *secret_current, 172 NTTIME *secret_current_lastchange, 173 DATA_BLOB *secret_old, 174 NTTIME *secret_old_lastchange, 175 struct security_descriptor **sd); 176 NTSTATUS lsa_secret_set(const char *secret_name, 177 DATA_BLOB *secret_current, 178 DATA_BLOB *secret_old, 179 struct security_descriptor *sd); 180 NTSTATUS lsa_secret_delete(const char *secret_name); 181 182 #endif /* _SECRETS_H */ 183