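/* 
   Unix SMB/CIFS implementation.
   Standardised Authentication types
   Copyright (C) Andrew Bartlett 2001
   Copyright (C) Stefan Metzmacher 2005
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#ifndef _SAMBA_AUTH_H
#define _SAMBA_AUTH_H

/* Only pointers to these IDL types are used by the auth interface, so
 * incomplete forward declarations are sufficient here. */
union netr_Validation;
struct netr_SamBaseInfo;
struct netr_SamInfo3;

/* modules can use the following to determine if the interface has changed
 * please increment the version number after each interface change
 * with a comment and maybe update struct auth_critical_sizes.
 */
/* version 1 - version from samba 3.0 - metze */
/* version 2 - initial samba4 version - metze */
/* version 3 - subsequent samba4 version - abartlet */
/* version 4 - subsequent samba4 version - metze */
/* version 0 - till samba4 is stable - metze */
#define AUTH_INTERFACE_VERSION 0

/* Bit flags carried in auth_usersupplied_info.flags (presumably; the
 * USER_INFO_ prefix matches that struct -- confirm against callers). */
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* dont check unix account status */
#define USER_INFO_INTERACTIVE_LOGON         0x08 /* the logon is interactive */

/* Discriminator for the auth_usersupplied_info.password union: it says
 * which union member holds valid data.  Reading any other member is a bug. */
enum auth_password_state {
	AUTH_PASSWORD_RESPONSE,	/* password.response is valid */
	AUTH_PASSWORD_HASH,	/* password.hash is valid */
	AUTH_PASSWORD_PLAIN	/* password.plaintext is valid */
};

/* Everything the client (or the calling protocol layer) told us about the
 * logon attempt.  This is untrusted input until an auth backend has
 * verified it. */
struct auth_usersupplied_info
{
	const char *workstation_name;
	struct socket_address *remote_host;

	uint32_t logon_parameters;

	/* Whether the .mapped names below have been filled in
	 * (NOTE(review): inferred from the name -- confirm with callers). */
	BOOL mapped_state;
	/* the values the client gives us */
	struct {
		const char *account_name;
		const char *domain_name;
	} client, mapped;

	/* Selects the active member of the password union below. */
	enum auth_password_state password_state;

	/* Secret material.  Whichever member is active must not be logged,
	 * and callers should make sure it is cleared when the structure is
	 * released -- TODO confirm the talloc destructor does this. */
	union {
		struct {
			DATA_BLOB lanman;
			DATA_BLOB nt;
		} response;
		struct {
			struct samr_Password *lanman;
			struct samr_Password *nt;
		} hash;

		char *plaintext;
	} password;
	uint32_t flags;	/* USER_INFO_* bits */
};

/* Everything the authenticating backend established about the account
 * once the credentials were checked.  This is the trusted side of the
 * exchange and is the basis for building the session token. */
struct auth_serversupplied_info 
{
	struct dom_sid *account_sid;
	struct dom_sid *primary_group_sid;

	size_t n_domain_groups;		/* number of entries in domain_groups */
	struct dom_sid **domain_groups;

	/* Session keys are secret material: do not log, and clear on release
	 * (TODO confirm the owning talloc context handles this). */
	DATA_BLOB user_session_key;
	DATA_BLOB lm_session_key;

	const char *account_name;
	const char *domain_name;

	const char *full_name;
	const char *logon_script;
	const char *profile_path;
	const char *home_directory;
	const char *home_drive;
	const char *logon_server;
	
	NTTIME last_logon;
	NTTIME last_logoff;
	NTTIME acct_expiry;
	NTTIME last_password_change;
	NTTIME allow_password_change;
	NTTIME force_password_change;

	uint16_t logon_count;
	uint16_t bad_password_count;

	uint32_t acct_flags;

	/* True once the credentials were actually verified; consumers should
	 * not treat the record as authoritative while this is false. */
	BOOL authenticated;
};

/* The result of a completed authentication: the authorisation token derived
 * from server_info plus the negotiated session key. */
struct auth_session_info {
	struct security_token *security_token;
	struct auth_serversupplied_info *server_info;
	DATA_BLOB session_key;	/* secret material, see the notes above */
	struct cli_credentials *credentials;
};

struct auth_method_context;
struct auth_check_password_request;

/* Vtable implemented by each auth backend (module). */
struct auth_operations {
	const char *name;

	/* If you are using this interface, then you are probably
	 * getting something wrong.  This interface is only for
	 * security=server, and makes a number of compromises to allow
	 * that.  It is not compatible with being a PDC.  */

	NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);

	/* Given the user supplied info, check if this backend want to handle the password checking */

	NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, 
			       const struct auth_usersupplied_info *user_info);

	/* Given the user supplied info, check a password.  On success the
	 * backend allocates *server_info describing the verified account. */

	NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
				   const struct auth_usersupplied_info *user_info,
				   struct auth_serversupplied_info **server_info);
};

/* One configured backend in an auth_context's method list. */
struct auth_method_context {
	struct auth_method_context *prev, *next;
	struct auth_context *auth_ctx;
	const struct auth_operations *ops;
	int depth;
	void *private_data;
};

struct auth_context {
	struct {
		/* Who set this up in the first place? */ 
		const char *set_by;

		/* Whether the challenge may still be replaced
		 * (NOTE(review): semantics inferred from the name; confirm). */
		BOOL may_be_modified;

		DATA_BLOB data;
	} challenge;
	
	/* methods, in the order they should be called */
	struct auth_method_context *methods;

	/* the event context to use for calls that can block */
	struct event_context *event_ctx;

	/* the messaging context which can be used by backends */
	struct messaging_context *msg_ctx;
};

/* this structure is used by backends to determine the size of some critical types.
 * A module built against a different layout of these structs will see a
 * mismatch here and can refuse to load instead of corrupting memory.
 * The field types are part of the module ABI; do not change them. */
struct auth_critical_sizes {
	int interface_version;
	int sizeof_auth_operations;
	int sizeof_auth_methods;	/* sizeof(struct auth_method_context) */
	int sizeof_auth_context;
	int sizeof_auth_usersupplied_info;
	int sizeof_auth_serversupplied_info;
};

/*
 * Produce a copy of user_info_in whose password is in to_state
 * (e.g. a plaintext password turned into a challenge/response against
 * auth_context's challenge -- the exact conversions supported are
 * defined by the implementation, not here).
 * The result is allocated on mem_ctx and returned via *user_info_encrypted.
 */
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, 
			   enum auth_password_state to_state,
			   const struct auth_usersupplied_info *user_info_in,
			   const struct auth_usersupplied_info **user_info_encrypted);

#include "auth/auth_proto.h"

#endif /* _SAMBA_AUTH_H */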