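/*
   Unix SMB/CIFS implementation.
   Standardised Authentication types
   Copyright (C) Andrew Bartlett 2001
   Copyright (C) Stefan Metzmacher 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef _SAMBA_AUTH_H
#define _SAMBA_AUTH_H

#include "librpc/gen_ndr/ndr_krb5pac.h"

/* attribute lists used when looking up the respective objects in the SAM */
extern const char *krbtgt_attrs[];
extern const char *server_attrs[];
extern const char *user_attrs[];

union netr_Validation;
struct netr_SamBaseInfo;
struct netr_SamInfo3;
struct loadparm_context;

/* The following tags are only ever used through pointers in this header;
 * forward-declaring them keeps the header independent of include order. */
struct socket_address;
struct samr_Password;
struct dom_sid;
struct tevent_context;
struct messaging_context;
struct cli_credentials;

/* modules can use the following to determine if the interface has changed
 * please increment the version number after each interface change
 * with a comment and maybe update struct auth_critical_sizes.
 */
/* version 1 - version from samba 3.0 - metze */
/* version 2 - initial samba4 version - metze */
/* version 3 - subsequent samba4 version - abartlet */
/* version 4 - subsequent samba4 version - metze */
/* version 0 - till samba4 is stable - metze */
#define AUTH_INTERFACE_VERSION 0

#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* dont check unix account status */
#define USER_INFO_INTERACTIVE_LOGON         0x08 /* interactive logon (the previous
						  * comment here was a copy of the
						  * line above) */

/* Which member of auth_usersupplied_info.password carries the credential.
 * The names correspond one-to-one with the union members below. */
enum auth_password_state {
	AUTH_PASSWORD_RESPONSE,	/* challenge/response blobs: password.response */
	AUTH_PASSWORD_HASH,	/* LM/NT hashes:              password.hash */
	AUTH_PASSWORD_PLAIN	/* plaintext password:        password.plaintext */
};

/* Everything the client (or the caller on its behalf) supplied for one
 * authentication attempt.  Callers see it read-only through the
 * check_password/want_check hooks below; encrypt_user_info() produces a
 * converted copy rather than modifying it in place. */
struct auth_usersupplied_info
{
	const char *workstation_name;
	struct socket_address *remote_host;

	/* also handed to authsam_account_ok(), which takes a value of the same name */
	uint32_t logon_parameters;

	bool mapped_state;
	/* the values the client gives us */
	struct {
		const char *account_name;
		const char *domain_name;
	} client, mapped;	/* 'mapped' holds the names after any mapping */

	enum auth_password_state password_state;

	/* only the member selected by password_state is meaningful */
	union {
		struct {
			DATA_BLOB lanman;
			DATA_BLOB nt;
		} response;
		struct {
			struct samr_Password *lanman;
			struct samr_Password *nt;
		} hash;

		char *plaintext;
	} password;
	/* presumably a bitmask of the USER_INFO_* values above - confirm against callers */
	uint32_t flags;
};

/* What the backend established about the account once a check succeeded
 * (or, when 'authenticated' is false, a lookup done without a credential
 * check - see get_server_info_principal below).  Filled in by
 * authsam_make_server_info() and the check_password hooks. */
struct auth_serversupplied_info
{
	struct dom_sid *account_sid;
	struct dom_sid *primary_group_sid;

	size_t n_domain_groups;
	struct dom_sid **domain_groups;	/* n_domain_groups entries */

	/* session keys derived for this logon; treat as secret material */
	DATA_BLOB user_session_key;
	DATA_BLOB lm_session_key;

	const char *account_name;
	const char *domain_name;

	const char *full_name;
	const char *logon_script;
	const char *profile_path;
	const char *home_directory;
	const char *home_drive;
	const char *logon_server;

	NTTIME last_logon;
	NTTIME last_logoff;
	NTTIME acct_expiry;
	NTTIME last_password_change;
	NTTIME allow_password_change;
	NTTIME force_password_change;

	uint16_t logon_count;
	uint16_t bad_password_count;

	uint32_t acct_flags;

	/* true only when a credential was actually verified */
	bool authenticated;

	/* PAC signatures (type from ndr_krb5pac.h included above) */
	struct PAC_SIGNATURE_DATA pac_srv_sig, pac_kdc_sig;
};

struct auth_method_context;
struct auth_check_password_request;
struct auth_context;

/* The hook table a backend registers with auth_register().  Every hook
 * receives the per-method context so it can reach its private_data and
 * the owning auth_context. */
struct auth_operations {
	const char *name;

	/* If you are using this interface, then you are probably
	 * getting something wrong. This interface is only for
	 * security=server, and makes a number of compromises to allow
	 * that. It is not compatible with being a PDC. */

	NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);

	/* Given the user supplied info, check if this backend want to handle the password checking */

	NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
			       const struct auth_usersupplied_info *user_info);

	/* Given the user supplied info, check a password.  On success
	 * *server_info is allocated (on mem_ctx) and describes the account. */

	NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
				   const struct auth_usersupplied_info *user_info,
				   struct auth_serversupplied_info **server_info);

	/* Lookup a 'server info' return based only on the principal.
	 * No credential is checked here, so the result must not be taken
	 * as proof that the principal authenticated. */
	NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
					      struct auth_context *auth_context,
					      const char *principal,
					      struct auth_serversupplied_info **server_info);
};

/* One registered backend instance inside an auth_context; a node of the
 * doubly linked 'methods' list. */
struct auth_method_context {
	struct auth_method_context *prev, *next;
	struct auth_context *auth_ctx;		/* owning context */
	const struct auth_operations *ops;	/* the backend's hook table */
	int depth;				/* position in the method list */
	void *private_data;			/* backend-owned state */
};

/* Per-connection authentication state: the challenge, the ordered list
 * of backends to try, and the shared contexts they need. */
struct auth_context {
	struct {
		/* Who set this up in the first place? */
		const char *set_by;

		bool may_be_modified;

		DATA_BLOB data;
	} challenge;

	/* methods, in the order they should be called */
	struct auth_method_context *methods;

	/* the event context to use for calls that can block */
	struct tevent_context *event_ctx;

	/* the messaging context which can be used by backends */
	struct messaging_context *msg_ctx;

	/* loadparm context */
	struct loadparm_context *lp_ctx;

	NTSTATUS (*check_password)(struct auth_context *auth_ctx,
				   TALLOC_CTX *mem_ctx,
				   const struct auth_usersupplied_info *user_info,
				   struct auth_serversupplied_info **server_info);

	NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, const uint8_t **_chal);

	bool (*challenge_may_be_modified)(struct auth_context *auth_ctx);

	/* chal is declared as 8 bytes; set_by records who chose it */
	NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);

	NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
					      struct auth_context *auth_context,
					      const char *principal,
					      struct auth_serversupplied_info **server_info);

};

/* this structure is used by backends to determine the size of some critical types */
struct auth_critical_sizes {
	int interface_version;		/* AUTH_INTERFACE_VERSION */
	int sizeof_auth_operations;
	int sizeof_auth_methods;	/* sizeof(struct auth_method_context) */
	int sizeof_auth_context;
	int sizeof_auth_usersupplied_info;
	int sizeof_auth_serversupplied_info;
};

/* Convert user_info_in into the password_state 'to_state', returning the
 * converted copy in *user_info_encrypted (allocated on mem_ctx). */
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
			   enum auth_password_state to_state,
			   const struct auth_usersupplied_info *user_info_in,
			   const struct auth_usersupplied_info **user_info_encrypted);

#include "auth/session.h"
#include "auth/system_session_proto.h"

struct ldb_message;
struct ldb_context;
struct ldb_dn;
struct gensec_security;

NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal);

/* Account-status checks on an already looked-up SAM entry 'msg'
 * (expiry, workstation restrictions and the like, per the parameters);
 * name_for_logs is only used for log output. */
NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
			    struct ldb_context *sam_ctx,
			    uint32_t logon_parameters,
			    struct ldb_dn *domain_dn,
			    struct ldb_message *msg,
			    const char *logon_workstation,
			    const char *name_for_logs,
			    bool allow_domain_trust,
			    bool password_change);
struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);

/* Build an auth_serversupplied_info from a SAM entry and the session keys. */
NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
				  const char *netbios_name,
				  const char *domain_name,
				  struct ldb_dn *domain_dn,
				  struct ldb_message *msg,
				  DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
				  struct auth_serversupplied_info **_server_info);
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
				  struct loadparm_context *lp_ctx,
				  struct auth_session_info **_session_info) ;

/* NOTE(review): presumably collapses detailed failure codes into a
 * client-safe status so the reason for a failure is not disclosed -
 * confirm against the implementation before relying on it. */
NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);

/* Create an auth_context with an explicit, NULL-terminated list of
 * backend names; auth_context_create() uses the configured default list. */
NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
				     struct tevent_context *ev,
				     struct messaging_context *msg,
				     struct loadparm_context *lp_ctx,
				     struct auth_context **auth_ctx);

NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
			     struct tevent_context *ev,
			     struct messaging_context *msg,
			     struct loadparm_context *lp_ctx,
			     struct auth_context **auth_ctx);

/* Synchronous check; see auth_check_password_send/_recv for the
 * asynchronous pair. */
NTSTATUS auth_check_password(struct auth_context *auth_ctx,
			     TALLOC_CTX *mem_ctx,
			     const struct auth_usersupplied_info *user_info,
			     struct auth_serversupplied_info **server_info);
NTSTATUS auth_init(void);
NTSTATUS auth_register(const struct auth_operations *ops);

/* Convenience wrapper: authenticate an NT4-style domain\username with a
 * plaintext password and return a full session_info. */
NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
				  struct tevent_context *ev,
				  struct messaging_context *msg,
				  struct loadparm_context *lp_ctx,
				  const char *nt4_domain,
				  const char *nt4_username,
				  const char *password,
				  struct auth_session_info **session_info);
NTSTATUS auth_check_password_recv(struct auth_check_password_request *req,
				  TALLOC_CTX *mem_ctx,
				  struct auth_serversupplied_info **server_info);

void auth_check_password_send(struct auth_context *auth_ctx,
			      const struct auth_usersupplied_info *user_info,
			      void (*callback)(struct auth_check_password_request *req, void *private_data),
			      void *private_data);
NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);

/* Start a server-side gensec context bound to server_credentials. */
NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
				   struct tevent_context *event_ctx,
				   struct messaging_context *msg_ctx,
				   struct loadparm_context *lp_ctx,
				   struct cli_credentials *server_credentials,
				   const char *target_service,
				   struct gensec_security **gensec_context);

#endif /* _SAMBA_AUTH_H */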