1 /*
2    Unix SMB/CIFS implementation.
3 
4    Winbind daemon for ntdom nss module
5 
6    Copyright (C) Tim Potter 2000
7    Copyright (C) Gerald Carter 2006
8 
9    You are free to use this interface definition in any way you see
10    fit, including without restriction, using this header in your own
11    products. You do not need to give any attribution.
12 */
13 
14 #ifndef SAFE_FREE
15 #define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
16 #endif
17 
18 #ifndef FSTRING_LEN
19 #define FSTRING_LEN 256
20 typedef char fstring[FSTRING_LEN];
21 #endif
22 
23 #ifndef _WINBINDD_NTDOM_H
24 #define _WINBINDD_NTDOM_H
25 
26 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
27 
28 /* We let the build environment set the public winbindd socket
29  * location. Therefore we no longer set
30  *
31  * #define WINBINDD_SOCKET_DIR "/tmp/.winbindd"
32  *
33  * A number of different distributions set different paths, and so it
34  * needs to come from configure in Samba.  External users of this header will
35  * need to know where the path is on their system by some other
36  * mechanism.
37  */
38 
39 #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lock_directory() to hold the 'privileged' pipe */
40 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
41 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
42 #define WINBINDD_LOCATOR_KDC_ADDRESS "WINBINDD_LOCATOR_KDC_ADDRESS"
43 
44 /* Update this when you change the interface.
45  * 21: added WINBINDD_GETPWSID
46  *     added WINBINDD_GETSIDALIASES
47  * 22: added WINBINDD_PING_DC
48  * 23: added session_key to ccache_ntlm_auth response
49  *     added WINBINDD_CCACHE_SAVE
50  * 24: Fill in num_entries WINBINDD_LIST_USERS and WINBINDD_LIST_GROUPS
51  * 25: removed WINBINDD_SET_HWM
52  *     removed WINBINDD_SET_MAPPING
53  *     removed WINBINDD_REMOVE_MAPPING
54  * 26: added WINBINDD_DC_INFO
55  * 27: added WINBINDD_LOOKUPSIDS
56  * 28: added WINBINDD_XIDS_TO_SIDS
57  *     removed WINBINDD_SID_TO_UID
58  *     removed WINBINDD_SID_TO_GID
59  *     removed WINBINDD_GID_TO_SID
60  *     removed WINBINDD_UID_TO_SID
61  * 29: added "authoritative" to response.data.auth
62  * 30: added "validation_level" and "info6" to response.data.auth
63  * 31: added "client_name" to the request
64  */
65 #define WINBIND_INTERFACE_VERSION 31
66 
67 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
68    On a 64bit Linux box, we have to support a constant structure size
69    between /lib/libnss_winbind.so.2 and /lib64/libnss_winbind.so.2.
70    The easiest way to do this is to always use 8byte values for time_t. */
71 
72 #define SMB_TIME_T int64_t
73 
74 /* Socket commands */
75 
76 enum winbindd_cmd {
77 
78 	WINBINDD_INTERFACE_VERSION,    /* Always a well known value */
79 
80 	/* Get users and groups */
81 
82 	WINBINDD_GETPWNAM,
83 	WINBINDD_GETPWUID,
84 	WINBINDD_GETPWSID,
85 	WINBINDD_GETGRNAM,
86 	WINBINDD_GETGRGID,
87 	WINBINDD_GETGROUPS,
88 
89 	/* Enumerate users and groups */
90 
91 	WINBINDD_SETPWENT,
92 	WINBINDD_ENDPWENT,
93 	WINBINDD_GETPWENT,
94 	WINBINDD_SETGRENT,
95 	WINBINDD_ENDGRENT,
96 	WINBINDD_GETGRENT,
97 
98 	/* PAM authenticate and password change */
99 
100 	WINBINDD_PAM_AUTH,
101 	WINBINDD_PAM_AUTH_CRAP,
102 	WINBINDD_PAM_CHAUTHTOK,
103 	WINBINDD_PAM_LOGOFF,
104 	WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
105 
106 	/* List various things */
107 
108 	WINBINDD_LIST_USERS,         /* List w/o rid->id mapping */
109 	WINBINDD_LIST_GROUPS,        /* Ditto */
110 	WINBINDD_LIST_TRUSTDOM,
111 
112 	/* SID conversion */
113 
114 	WINBINDD_LOOKUPSID,
115 	WINBINDD_LOOKUPNAME,
116 	WINBINDD_LOOKUPRIDS,
117 	WINBINDD_LOOKUPSIDS,
118 
119 	/* Lookup functions */
120 
121 	WINBINDD_SIDS_TO_XIDS,
122 	WINBINDD_XIDS_TO_SIDS,
123 
124 	WINBINDD_ALLOCATE_UID,
125 	WINBINDD_ALLOCATE_GID,
126 
127 	/* Miscellaneous other stuff */
128 
129 	WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
130 	WINBINDD_CHANGE_MACHACC,    /* Change machine account pw */
131 	WINBINDD_PING_DC,     	    /* Ping the DC through NETLOGON */
132 	WINBINDD_PING,              /* Just tell me winbind is running */
133 	WINBINDD_INFO,              /* Various bit of info.  Currently just tidbits */
134 	WINBINDD_DOMAIN_NAME,       /* The domain this winbind server is a member of (lp_workgroup()) */
135 
136 	WINBINDD_DOMAIN_INFO,	/* Most of what we know from
137 				   struct winbindd_domain */
138 	WINBINDD_GETDCNAME,	/* Issue a GetDCName Request */
139 	WINBINDD_DSGETDCNAME,	/* Issue a DsGetDCName Request */
140 	WINBINDD_DC_INFO,	/* Which DC are we connected to? */
141 
142 	WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
143 
144 	/* WINS commands */
145 
146 	WINBINDD_WINS_BYIP,
147 	WINBINDD_WINS_BYNAME,
148 
149 	/* this is like GETGRENT but gives an empty group list */
150 	WINBINDD_GETGRLST,
151 
152 	WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
153 
154 	/* find the location of our privileged pipe */
155 	WINBINDD_PRIV_PIPE_DIR,
156 
157 	/* return a list of group sids for a user sid */
158 	WINBINDD_GETUSERSIDS,
159 
160 	/* Various group queries */
161 	WINBINDD_GETUSERDOMGROUPS,
162 
163 	/* lookup local groups */
164 	WINBINDD_GETSIDALIASES,
165 
166 	/* Initialize connection in a child */
167 	WINBINDD_INIT_CONNECTION,
168 
169 	/* Blocking calls that are not allowed on the main winbind pipe, only
170 	 * between parent and children */
171 	WINBINDD_DUAL_SID2UID,
172 	WINBINDD_DUAL_SID2GID,
173 	WINBINDD_DUAL_SIDS2XIDS,
174 	WINBINDD_DUAL_UID2SID,
175 	WINBINDD_DUAL_GID2SID,
176 
177 	/* Wrapper around possibly blocking unix nss calls */
178 	WINBINDD_DUAL_USERINFO,
179 	WINBINDD_DUAL_GETSIDALIASES,
180 
181 	WINBINDD_DUAL_NDRCMD,
182 
183 	/* Complete the challenge phase of the NTLM authentication
184 	   protocol using cached password. */
185 	WINBINDD_CCACHE_NTLMAUTH,
186 	WINBINDD_CCACHE_SAVE,
187 
188 	WINBINDD_NUM_CMDS
189 };
190 
191 typedef struct winbindd_pw {
192 	fstring pw_name;
193 	fstring pw_passwd;
194 	uid_t pw_uid;
195 	gid_t pw_gid;
196 	fstring pw_gecos;
197 	fstring pw_dir;
198 	fstring pw_shell;
199 } WINBINDD_PW;
200 
201 
202 typedef struct winbindd_gr {
203 	fstring gr_name;
204 	fstring gr_passwd;
205 	gid_t gr_gid;
206 	uint32_t num_gr_mem;
207 	uint32_t gr_mem_ofs;   /* offset to group membership */
208 } WINBINDD_GR;
209 
210 /* Request flags */
211 #define WBFLAG_PAM_INFO3_NDR		0x00000001
212 #define WBFLAG_PAM_INFO3_TEXT		0x00000002
213 #define WBFLAG_PAM_USER_SESSION_KEY	0x00000004
214 #define WBFLAG_PAM_LMKEY		0x00000008
215 #define WBFLAG_PAM_CONTACT_TRUSTDOM	0x00000010
216 #define WBFLAG_QUERY_ONLY		0x00000020	/* not used */
217 #define WBFLAG_PAM_AUTH_PAC		0x00000040
218 #define WBFLAG_PAM_UNIX_NAME		0x00000080
219 #define WBFLAG_PAM_AFS_TOKEN		0x00000100
220 #define WBFLAG_PAM_NT_STATUS_SQUASH	0x00000200
221 /* This is a flag that can only be sent from parent to child */
222 #define WBFLAG_IS_PRIVILEGED		0x00000400	/* not used */
223 /* Flag to say this is a winbindd internal send - don't recurse. */
224 #define WBFLAG_RECURSE			0x00000800
225 #define WBFLAG_PAM_KRB5			0x00001000
226 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x00002000
227 #define WBFLAG_PAM_CACHED_LOGIN		0x00004000
228 #define WBFLAG_PAM_GET_PWD_POLICY	0x00008000
229 /* Flag to tell winbind the NTLMv2 blob is too big for the struct and is in the
230  * extra_data field */
231 #define WBFLAG_BIG_NTLMV2_BLOB		0x00010000
232 #define WBFLAG_FROM_NSS                 0x00020000
233 
234 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
235 
236 /* Winbind request structure */
237 
238 /*******************************************************************************
239  * This structure MUST be the same size in the 32bit and 64bit builds
240  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
241  *
242  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
243  * A 64BIT WINBINDD    --jerry
244  ******************************************************************************/
245 
246 struct winbindd_request {
247 	uint32_t length;
248 	enum winbindd_cmd cmd;   /* Winbindd command to execute */
249 	enum winbindd_cmd original_cmd;   /* Original Winbindd command
250 					     issued to parent process */
251 	pid_t pid;               /* pid of calling process */
252 	uint32_t wb_flags;       /* generic flags */
253 	uint32_t flags;          /* flags relevant *only* to a given request */
254 	fstring domain_name;	/* name of domain for which the request applies */
255 	char client_name[32];	/* The client process sending the request */
256 
257 	union {
258 		fstring winsreq;     /* WINS request */
259 		fstring username;    /* getpwnam */
260 		fstring groupname;   /* getgrnam */
261 		uid_t uid;           /* getpwuid, uid_to_sid */
262 		gid_t gid;           /* getgrgid, gid_to_sid */
263 		uint32_t ndrcmd;
264 		struct {
265 			/* We deliberately don't split into domain/user to
266                            avoid having the client know what the separator
267                            character is. */
268 			fstring user;
269 			fstring pass;
270 			char require_membership_of_sid[1024];
271 			fstring krb5_cc_type;
272 			uid_t uid;
273 		} auth;              /* pam_winbind auth module */
274                 struct {
275                         uint8_t chal[8];
276 			uint32_t logon_parameters;
277                         fstring user;
278                         fstring domain;
279                         fstring lm_resp;
280                         uint32_t lm_resp_len;
281                         fstring nt_resp;
282                         uint32_t nt_resp_len;
283 			fstring workstation;
284 		        fstring require_membership_of_sid;
285                 } auth_crap;
286                 struct {
287                     fstring user;
288                     fstring oldpass;
289                     fstring newpass;
290                 } chauthtok;         /* pam_winbind passwd module */
291 		struct {
292 			fstring user;
293 			fstring domain;
294 			uint8_t new_nt_pswd[516];
295 			uint16_t new_nt_pswd_len;
296 			uint8_t old_nt_hash_enc[16];
297 			uint16_t old_nt_hash_enc_len;
298 			uint8_t new_lm_pswd[516];
299 			uint16_t new_lm_pswd_len;
300 			uint8_t old_lm_hash_enc[16];
301 			uint16_t old_lm_hash_enc_len;
302 		} chng_pswd_auth_crap;/* pam_winbind passwd module */
303 		struct {
304 			fstring user;
305 			fstring krb5ccname;
306 			uid_t uid;
307 		} logoff;              /* pam_winbind session module */
308 		fstring sid;         /* lookupsid, sid_to_[ug]id */
309 		struct {
310 			fstring dom_name;       /* lookupname */
311 			fstring name;
312 		} name;
313 		uint32_t num_entries;  /* getpwent, getgrent */
314 		struct {
315 			fstring username;
316 			fstring groupname;
317 		} acct_mgt;
318 		struct {
319 			bool is_primary;
320 			fstring dcname;
321 		} init_conn;
322 		struct {
323 			fstring sid;
324 			fstring name;
325 		} dual_sid2id;
326 		struct {
327 			fstring sid;
328 			uint32_t type;
329 			uint32_t id;
330 		} dual_idmapset;
331 		bool list_all_domains;
332 
333 		struct {
334 			uid_t uid;
335 			fstring user;
336 			/* the effective uid of the client, must be the uid for 'user'.
337 			   This is checked by the main daemon, trusted by children. */
338 			/* if the blobs are length zero, then this doesn't
339 			   produce an actual challenge response. It merely
340 			   succeeds if there are cached credentials available
341 			   that could be used. */
342 			uint32_t initial_blob_len; /* blobs in extra_data */
343 			uint32_t challenge_blob_len;
344 		} ccache_ntlm_auth;
345 		struct {
346 			uid_t uid;
347 			fstring user;
348 			fstring pass;
349 		} ccache_save;
350 		struct {
351 			fstring domain_name;
352 			fstring domain_guid;
353 			fstring site_name;
354 			uint32_t flags;
355 		} dsgetdcname;
356 
357 		/* padding -- needed to fix alignment between 32bit and 64bit libs.
358 		   The size is the sizeof the union without the padding aligned on
359 		   an 8 byte boundary.   --jerry */
360 
361 		char padding[1800];
362 	} data;
363 	union {
364 		SMB_TIME_T padding;
365 		char *data;
366 	} extra_data;
367 	uint32_t extra_len;
368 	char null_term;
369 };
370 
371 /* Response values */
372 
373 enum winbindd_result {
374 	WINBINDD_ERROR,
375 	WINBINDD_PENDING,
376 	WINBINDD_OK
377 };
378 
379 /* Winbind response structure */
380 
381 /*******************************************************************************
382  * This structure MUST be the same size in the 32bit and 64bit builds
383  * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
384  *
385  * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
386  * A 64BIT WINBINDD    --jerry
387  ******************************************************************************/
388 
389 struct winbindd_response {
390 
391 	/* Header information */
392 
393 	uint32_t length;                      /* Length of response */
394 	enum winbindd_result result;          /* Result code */
395 
396 	/* Fixed length return data */
397 
398 	union {
399 		int interface_version;  /* Try to ensure this is always in the same spot... */
400 
401 		fstring winsresp;		/* WINS response */
402 
403 		/* getpwnam, getpwuid */
404 
405 		struct winbindd_pw pw;
406 
407 		/* getgrnam, getgrgid */
408 
409 		struct winbindd_gr gr;
410 
411 		uint32_t num_entries; /* getpwent, getgrent */
412 		struct winbindd_sid {
413 			fstring sid;        /* lookupname, [ug]id_to_sid */
414 			int type;
415 		} sid;
416 		struct winbindd_name {
417 			fstring dom_name;       /* lookupsid */
418 			fstring name;
419 			int type;
420 		} name;
421 		uid_t uid;          /* sid_to_uid */
422 		gid_t gid;          /* sid_to_gid */
423 		struct winbindd_info {
424 			char winbind_separator;
425 			fstring samba_version;
426 		} info;
427 		fstring domain_name;
428 		fstring netbios_name;
429 		fstring dc_name;
430 
431 		struct auth_reply {
432 			uint32_t nt_status;
433 			fstring nt_status_string;
434 			fstring error_string;
435 			int pam_error;
436 			char user_session_key[16];
437 			char first_8_lm_hash[8];
438 			fstring krb5ccname;
439 			uint32_t reject_reason;
440 			uint8_t authoritative;
441 			uint8_t padding[1];
442 			uint16_t validation_level;
443 			struct policy_settings {
444 				uint32_t min_length_password;
445 				uint32_t password_history;
446 				uint32_t password_properties;
447 				uint32_t padding;
448 				SMB_TIME_T expire;
449 				SMB_TIME_T min_passwordage;
450 			} policy;
451 			struct info3_text {
452 				SMB_TIME_T logon_time;
453 				SMB_TIME_T logoff_time;
454 				SMB_TIME_T kickoff_time;
455 				SMB_TIME_T pass_last_set_time;
456 				SMB_TIME_T pass_can_change_time;
457 				SMB_TIME_T pass_must_change_time;
458 				uint32_t logon_count;
459 				uint32_t bad_pw_count;
460 				uint32_t user_rid;
461 				uint32_t group_rid;
462 				uint32_t num_groups;
463 				uint32_t user_flgs;
464 				uint32_t acct_flags;
465 				uint32_t num_other_sids;
466 				fstring dom_sid;
467 				fstring user_name;
468 				fstring full_name;
469 				fstring logon_script;
470 				fstring profile_path;
471 				fstring home_dir;
472 				fstring dir_drive;
473 				fstring logon_srv;
474 				fstring logon_dom;
475 			} info3;
476 			struct info6_text {
477 				fstring dns_domainname;
478 				fstring principal_name;
479 			} info6;
480 			fstring unix_username;
481 		} auth;
482 		struct {
483 			fstring name;
484 			fstring alt_name;
485 			fstring sid;
486 			bool native_mode;
487 			bool active_directory;
488 			bool primary;
489 		} domain_info;
490 		uint32_t sequence_number;
491 		struct {
492 			fstring acct_name;
493 			fstring full_name;
494 			fstring homedir;
495 			fstring shell;
496 			uint32_t primary_gid;
497 			uint32_t group_rid;
498 		} user_info;
499 		struct {
500 			uint8_t session_key[16];
501 			uint32_t auth_blob_len; /* blob in extra_data */
502 			uint8_t new_spnego;
503 		} ccache_ntlm_auth;
504 		struct {
505 			fstring dc_unc;
506 			fstring dc_address;
507 			uint32_t dc_address_type;
508 			fstring domain_guid;
509 			fstring domain_name;
510 			fstring forest_name;
511 			uint32_t dc_flags;
512 			fstring dc_site_name;
513 			fstring client_site_name;
514 		} dsgetdcname;
515 	} data;
516 
517 	/* Variable length return data */
518 
519 	union {
520 		SMB_TIME_T padding;
521 		void *data;
522 	} extra_data;
523 };
524 
525 #endif
526