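/*
   Unix SMB/CIFS implementation.

   Winbind client API

   Copyright (C) Gerald (Jerry) Carter 2007
   Copyright (C) Volker Lendecke 2009

   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 3 of the License, or (at your option) any later version.

   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Library General Public License for more details.

   You should have received a copy of the GNU Lesser General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef _WBCLIENT_H
#define _WBCLIENT_H

#include <pwd.h>
#include <grp.h>
/*
 * This header uses the C99 fixed-width integer types and bool throughout
 * (struct wbcDomainSid, wbcLookupUserSids, ...).  Include them here so the
 * header is self-contained and does not rely on the including translation
 * unit having pulled them in first.
 */
#include <stdbool.h>
#include <stdint.h>

/* Define error types */

/**
 * @brief Status codes returned from wbc functions
 *
 * Every wbc function returns one of these; test with #WBC_ERROR_IS_OK.
 **/

enum _wbcErrType {
	WBC_ERR_SUCCESS = 0,    /**< Successful completion **/
	WBC_ERR_NOT_IMPLEMENTED,/**< Function not implemented **/
	WBC_ERR_UNKNOWN_FAILURE,/**< General failure **/
	WBC_ERR_NO_MEMORY,      /**< Memory allocation error **/
	WBC_ERR_INVALID_SID,    /**< Invalid SID format **/
	WBC_ERR_INVALID_PARAM,  /**< An Invalid parameter was supplied **/
	WBC_ERR_WINBIND_NOT_AVAILABLE,   /**< Winbind daemon is not available **/
	WBC_ERR_DOMAIN_NOT_FOUND,        /**< Domain is not trusted or cannot be found **/
	WBC_ERR_INVALID_RESPONSE,        /**< Winbind returned an invalid response **/
	WBC_ERR_NSS_ERROR,            /**< NSS_STATUS error **/
	WBC_ERR_AUTH_ERROR,        /**< Authentication failed **/
	WBC_ERR_UNKNOWN_USER,      /**< User account cannot be found */
	WBC_ERR_UNKNOWN_GROUP,     /**< Group account cannot be found */
	WBC_ERR_PWD_CHANGE_FAILED  /**< Password Change has failed */
};

typedef enum _wbcErrType wbcErr;

/** @brief Evaluate to non-zero when @a x is #WBC_ERR_SUCCESS */
#define WBC_ERROR_IS_OK(x) ((x) == WBC_ERR_SUCCESS)

/**
 * @brief Get a human-readable description of a #wbcErr value
 *
 * @param error Status code to describe
 *
 * @return Static string describing @a error; not to be freed by the caller
 **/
const char *wbcErrorString(wbcErr error);

/**
 * @brief Some useful details about the wbclient library
 *
 * 0.1: Initial version
 * 0.2: Added wbcRemoveUidMapping()
 *      Added wbcRemoveGidMapping()
 * 0.3: Added wbcGetpwsid()
 *      Added wbcGetSidAliases()
 * 0.4: Added wbcSidTypeString()
 * 0.5: Added wbcChangeTrustCredentials()
 **/
#define WBCLIENT_MAJOR_VERSION 0
#define WBCLIENT_MINOR_VERSION 5
#define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
struct wbcLibraryDetails {
	uint16_t major_version;     /* WBCLIENT_MAJOR_VERSION of the library */
	uint16_t minor_version;     /* WBCLIENT_MINOR_VERSION of the library */
	const char *vendor_version; /* WBCLIENT_VENDOR_VERSION of the library */
};

/**
 * @brief Some useful details about the running winbindd
 *
 **/
struct wbcInterfaceDetails {
	uint32_t interface_version; /* protocol version spoken by winbindd */
	const char *winbind_version;
	char winbind_separator;     /* separator between domain and name, e.g. in "DOM\\user" */
	const char *netbios_name;
	const char *netbios_domain;
	const char *dns_domain;
};

/*
 * Data types used by the Winbind Client API
 */

#ifndef WBC_MAXSUBAUTHS
#define WBC_MAXSUBAUTHS 15 /* max sub authorities in a SID */
#endif

/**
 * @brief Windows Security Identifier
 *
 * Only the first @c num_auths entries of @c sub_auths are meaningful;
 * @c num_auths must never exceed #WBC_MAXSUBAUTHS.
 **/

struct wbcDomainSid {
	uint8_t   sid_rev_num;
	uint8_t   num_auths;
	uint8_t   id_auth[6];
	uint32_t  sub_auths[WBC_MAXSUBAUTHS];
};

/**
 * @brief Security Identifier type
 **/

enum wbcSidType {
	WBC_SID_NAME_USE_NONE=0,
	WBC_SID_NAME_USER=1,
	WBC_SID_NAME_DOM_GRP=2,
	WBC_SID_NAME_DOMAIN=3,
	WBC_SID_NAME_ALIAS=4,
	WBC_SID_NAME_WKN_GRP=5,
	WBC_SID_NAME_DELETED=6,
	WBC_SID_NAME_INVALID=7,
	WBC_SID_NAME_UNKNOWN=8,
	WBC_SID_NAME_COMPUTER=9
};

/**
 * @brief Security Identifier with attributes
 **/

struct wbcSidWithAttr {
	struct wbcDomainSid sid;
	uint32_t attributes; /* bitwise OR of WBC_SID_ATTR_* */
};

/* wbcSidWithAttr->attributes */

#define WBC_SID_ATTR_GROUP_MANDATORY		0x00000001
#define WBC_SID_ATTR_GROUP_ENABLED_BY_DEFAULT	0x00000002
#define WBC_SID_ATTR_GROUP_ENABLED 		0x00000004
#define WBC_SID_ATTR_GROUP_OWNER 		0x00000008
#define WBC_SID_ATTR_GROUP_USEFOR_DENY_ONLY 	0x00000010
#define WBC_SID_ATTR_GROUP_RESOURCE 		0x20000000
#define WBC_SID_ATTR_GROUP_LOGON_ID 		0xC0000000

/**
 * @brief Windows GUID
 *
 **/

struct wbcGuid {
	uint32_t time_low;
	uint16_t time_mid;
	uint16_t time_hi_and_version;
	uint8_t clock_seq[2];
	uint8_t node[6];
};

/**
 * @brief Domain Information
 **/

struct wbcDomainInfo {
	char *short_name;
	char *dns_name;
	struct wbcDomainSid sid;
	uint32_t domain_flags; /* bitwise OR of WBC_DOMINFO_DOMAIN_* */
	uint32_t trust_flags;  /* bitwise OR of WBC_DOMINFO_TRUST_* */
	uint32_t trust_type;   /* one of WBC_DOMINFO_TRUSTTYPE_* */
};

/* wbcDomainInfo->domain_flags */

#define WBC_DOMINFO_DOMAIN_UNKNOWN    0x00000000
#define WBC_DOMINFO_DOMAIN_NATIVE     0x00000001
#define WBC_DOMINFO_DOMAIN_AD         0x00000002
#define WBC_DOMINFO_DOMAIN_PRIMARY    0x00000004
#define WBC_DOMINFO_DOMAIN_OFFLINE    0x00000008

/* wbcDomainInfo->trust_flags */

#define WBC_DOMINFO_TRUST_TRANSITIVE  0x00000001
#define WBC_DOMINFO_TRUST_INCOMING    0x00000002
#define WBC_DOMINFO_TRUST_OUTGOING    0x00000004

/* wbcDomainInfo->trust_type */

#define WBC_DOMINFO_TRUSTTYPE_NONE       0x00000000
#define WBC_DOMINFO_TRUSTTYPE_FOREST     0x00000001
#define WBC_DOMINFO_TRUSTTYPE_IN_FOREST  0x00000002
#define WBC_DOMINFO_TRUSTTYPE_EXTERNAL   0x00000003


/**
 * @brief Auth User Parameters
 *
 * The member of @c password that is valid is selected by @c level.  The
 * struct is passed to the library by const pointer, so the caller keeps
 * ownership of the credential material it references and is responsible
 * for clearing it once the call has returned.
 **/

struct wbcAuthUserParams {
	const char *account_name;
	const char *domain_name;
	const char *workstation_name;

	uint32_t flags;             /* bitwise OR of WBC_AUTH_PARAM_FLAGS_* */

	uint32_t parameter_control; /* bitwise OR of WBC_MSV1_0_* */

	enum wbcAuthUserLevel {
		WBC_AUTH_USER_LEVEL_PLAIN = 1,
		WBC_AUTH_USER_LEVEL_HASH = 2,
		WBC_AUTH_USER_LEVEL_RESPONSE = 3
	} level;
	union {
		const char *plaintext;      /* WBC_AUTH_USER_LEVEL_PLAIN */
		struct {                    /* WBC_AUTH_USER_LEVEL_HASH */
			uint8_t nt_hash[16];
			uint8_t lm_hash[16];
		} hash;
		struct {                    /* WBC_AUTH_USER_LEVEL_RESPONSE */
			uint8_t challenge[8];
			uint32_t nt_length;
			uint8_t *nt_data;
			uint32_t lm_length;
			uint8_t *lm_data;
		} response;
	} password;
};

/**
 * @brief Generic Blob
 **/

struct wbcBlob {
	uint8_t *data;
	size_t length; /* number of bytes at data */
};

/**
 * @brief Named Blob
 **/

struct wbcNamedBlob {
	const char *name;
	uint32_t flags;
	struct wbcBlob blob;
};

/**
 * @brief Logon User Parameters
 **/

struct wbcLogonUserParams {
	const char *username;
	const char *password;
	size_t num_blobs;            /* number of entries at blobs */
	struct wbcNamedBlob *blobs;
};

/**
 * @brief ChangePassword Parameters
 *
 * The members of @c old_password and @c new_password that are valid are
 * selected by @c level.
 **/

struct wbcChangePasswordParams {
	const char *account_name;
	const char *domain_name;

	uint32_t flags;

	enum wbcChangePasswordLevel {
		WBC_CHANGE_PASSWORD_LEVEL_PLAIN = 1,
		WBC_CHANGE_PASSWORD_LEVEL_RESPONSE = 2
	} level;

	union {
		const char *plaintext;  /* WBC_CHANGE_PASSWORD_LEVEL_PLAIN */
		struct {                /* WBC_CHANGE_PASSWORD_LEVEL_RESPONSE */
			uint32_t old_nt_hash_enc_length;
			uint8_t *old_nt_hash_enc_data;
			uint32_t old_lm_hash_enc_length;
			uint8_t *old_lm_hash_enc_data;
		} response;
	} old_password;
	union {
		const char *plaintext;  /* WBC_CHANGE_PASSWORD_LEVEL_PLAIN */
		struct {                /* WBC_CHANGE_PASSWORD_LEVEL_RESPONSE */
			uint32_t nt_length;
			uint8_t *nt_data;
			uint32_t lm_length;
			uint8_t *lm_data;
		} response;
	} new_password;
};

/* wbcAuthUserParams->parameter_control */

#define WBC_MSV1_0_CLEARTEXT_PASSWORD_ALLOWED		0x00000002
#define WBC_MSV1_0_UPDATE_LOGON_STATISTICS		0x00000004
#define WBC_MSV1_0_RETURN_USER_PARAMETERS		0x00000008
#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT		0x00000020
#define WBC_MSV1_0_RETURN_PROFILE_PATH			0x00000200
#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT	0x00000800

/* wbcAuthUserParams->flags */

#define WBC_AUTH_PARAM_FLAGS_INTERACTIVE_LOGON		0x00000001

/**
 * @brief Auth User Information
 *
 * Some of the strings may be NULL
 **/

struct wbcAuthUserInfo {
	uint32_t user_flags;   /* bitwise OR of WBC_AUTH_USER_INFO_* */

	char *account_name;
	char *user_principal;
	char *full_name;
	char *domain_name;
	char *dns_domain_name;

	uint32_t acct_flags;   /* bitwise OR of WBC_ACB_* */
	/*
	 * NOTE(review): by their names these are session key material
	 * returned with the logon; treat them as sensitive and clear any
	 * copies the caller makes once they are no longer needed.
	 */
	uint8_t user_session_key[16];
	uint8_t lm_session_key[8];

	uint16_t logon_count;
	uint16_t bad_password_count;

	uint64_t logon_time;
	uint64_t logoff_time;
	uint64_t kickoff_time;
	uint64_t pass_last_set_time;
	uint64_t pass_can_change_time;
	uint64_t pass_must_change_time;

	char *logon_server;
	char *logon_script;
	char *profile_path;
	char *home_directory;
	char *home_drive;

	/*
	 * the 1st one is the account sid
	 * the 2nd one is the primary_group sid
	 * followed by the rest of the groups
	 */
	uint32_t num_sids;
	struct wbcSidWithAttr *sids;
};

/**
 * @brief Logon User Information
 *
 * Some of the strings may be NULL
 **/

struct wbcLogonUserInfo {
	struct wbcAuthUserInfo *info;
	size_t num_blobs;            /* number of entries at blobs */
	struct wbcNamedBlob *blobs;
};

/* wbcAuthUserInfo->user_flags */

#define WBC_AUTH_USER_INFO_GUEST			0x00000001
#define WBC_AUTH_USER_INFO_NOENCRYPTION			0x00000002
#define WBC_AUTH_USER_INFO_CACHED_ACCOUNT		0x00000004
#define WBC_AUTH_USER_INFO_USED_LM_PASSWORD		0x00000008
#define WBC_AUTH_USER_INFO_EXTRA_SIDS			0x00000020
#define WBC_AUTH_USER_INFO_SUBAUTH_SESSION_KEY		0x00000040
#define WBC_AUTH_USER_INFO_SERVER_TRUST_ACCOUNT		0x00000080
#define WBC_AUTH_USER_INFO_NTLMV2_ENABLED		0x00000100
#define WBC_AUTH_USER_INFO_RESOURCE_GROUPS		0x00000200
#define WBC_AUTH_USER_INFO_PROFILE_PATH_RETURNED	0x00000400
#define WBC_AUTH_USER_INFO_GRACE_LOGON			0x01000000

/* wbcAuthUserInfo->acct_flags */

#define WBC_ACB_DISABLED			0x00000001 /* 1 = User account disabled */
#define WBC_ACB_HOMDIRREQ			0x00000002 /* 1 = Home directory required */
#define WBC_ACB_PWNOTREQ			0x00000004 /* 1 = User password not required */
#define WBC_ACB_TEMPDUP				0x00000008 /* 1 = Temporary duplicate account */
#define WBC_ACB_NORMAL				0x00000010 /* 1 = Normal user account */
#define WBC_ACB_MNS				0x00000020 /* 1 = MNS logon user account */
#define WBC_ACB_DOMTRUST			0x00000040 /* 1 = Interdomain trust account */
#define WBC_ACB_WSTRUST				0x00000080 /* 1 = Workstation trust account */
#define WBC_ACB_SVRTRUST			0x00000100 /* 1 = Server trust account */
#define WBC_ACB_PWNOEXP				0x00000200 /* 1 = User password does not expire */
#define WBC_ACB_AUTOLOCK			0x00000400 /* 1 = Account auto locked */
#define WBC_ACB_ENC_TXT_PWD_ALLOWED		0x00000800 /* 1 = Encrypted text password is allowed */
#define WBC_ACB_SMARTCARD_REQUIRED		0x00001000 /* 1 = Smart Card required */
#define WBC_ACB_TRUSTED_FOR_DELEGATION		0x00002000 /* 1 = Trusted for Delegation */
#define WBC_ACB_NOT_DELEGATED			0x00004000 /* 1 = Not delegated */
#define WBC_ACB_USE_DES_KEY_ONLY		0x00008000 /* 1 = Use DES key only */
#define WBC_ACB_DONT_REQUIRE_PREAUTH		0x00010000 /* 1 = Preauth not required */
#define WBC_ACB_PW_EXPIRED			0x00020000 /* 1 = Password Expired */
#define WBC_ACB_NO_AUTH_DATA_REQD		0x00080000 /* 1 = No authorization data required */

/**
 * @brief Authentication error details
 *
 * Returned through the @c error out-parameter of the authentication,
 * logoff, password-change and trust functions below when they fail.
 **/
struct wbcAuthErrorInfo {
	uint32_t nt_status;   /* NT status code of the failure */
	char *nt_string;      /* nt_status rendered as a string */
	int32_t pam_error;    /* equivalent PAM error code */
	char *display_string; /* message intended for display to the user */
};

/**
 * @brief User Password Policy Information
 **/

/* wbcUserPasswordPolicyInfo->password_properties */

#define WBC_DOMAIN_PASSWORD_COMPLEX		0x00000001
#define WBC_DOMAIN_PASSWORD_NO_ANON_CHANGE	0x00000002
#define WBC_DOMAIN_PASSWORD_NO_CLEAR_CHANGE	0x00000004
#define WBC_DOMAIN_PASSWORD_LOCKOUT_ADMINS	0x00000008
#define WBC_DOMAIN_PASSWORD_STORE_CLEARTEXT	0x00000010
#define WBC_DOMAIN_REFUSE_PASSWORD_CHANGE	0x00000020

struct wbcUserPasswordPolicyInfo {
	uint32_t min_length_password;
	uint32_t password_history;
	uint32_t password_properties; /* bitwise OR of WBC_DOMAIN_PASSWORD_* */
	uint64_t expire;
	uint64_t min_passwordage;
};

/**
 * @brief Change Password Reject Reason
 *
 * Values mirror the Windows SAMR reject codes, hence the gap at 3 and 4.
 **/

enum wbcPasswordChangeRejectReason {
	WBC_PWD_CHANGE_REJECT_OTHER=0,
	WBC_PWD_CHANGE_REJECT_TOO_SHORT=1,
	WBC_PWD_CHANGE_REJECT_IN_HISTORY=2,
	WBC_PWD_CHANGE_REJECT_COMPLEXITY=5
};

/**
 * @brief Logoff User Parameters
 **/

struct wbcLogoffUserParams {
	const char *username;
	size_t num_blobs;            /* number of entries at blobs */
	struct wbcNamedBlob *blobs;
};

/** @brief Credential cache log-on parameters
 *
 */

struct wbcCredentialCacheParams {
        const char *account_name;
        const char *domain_name;
        enum wbcCredentialCacheLevel {
                WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP = 1
        } level;
        size_t num_blobs;            /* number of entries at blobs */
        struct wbcNamedBlob *blobs;
};


/** @brief Info returned by credential cache auth
 *
 */

struct wbcCredentialCacheInfo {
        size_t num_blobs;            /* number of entries at blobs */
        struct wbcNamedBlob *blobs;
};

/*
 * DomainControllerInfo struct
 */
struct wbcDomainControllerInfo {
	char *dc_name;
};

/*
 * DomainControllerInfoEx struct
 */
struct wbcDomainControllerInfoEx {
	const char *dc_unc;
	const char *dc_address;
	uint16_t dc_address_type;
	struct wbcGuid *domain_guid;
	const char *domain_name;
	const char *forest_name;
	uint32_t dc_flags;
	const char *dc_site_name;
	const char *client_site_name;
};

/**********************************************************
 * Memory Management
 **********************************************************/

/**
 * @brief Free library allocated memory
 *
 * Intended for memory handed back by a wbc function through one of its
 * out-parameters (strings, arrays and structs alike).  The caller must
 * not free such memory with free() directly.
 *
 * @param ptr Pointer to free; NULL is accepted
 *
 * @return void
 **/
void wbcFreeMemory(void *ptr);


/*
 * Utility functions for dealing with SIDs
 */

/**
 * @brief Get a string representation of the SID type
 *
 * @param type type of the SID
 *
 * @return string representation of the SID type
 */
const char *wbcSidTypeString(enum wbcSidType type);

/**
 * @brief Convert a binary SID to a character string
 *
 * @param sid        Binary Security Identifier
 * @param sid_string Resulting character string, release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcSidToString(const struct wbcDomainSid *sid,
		      char **sid_string);

/**
 * @brief Convert a character string to a binary SID
 *
 * @param sid_string Character string in the form of S-...
 * @param sid        Resulting binary SID
 *
 * @return #wbcErr
 **/
wbcErr wbcStringToSid(const char *sid_string,
		      struct wbcDomainSid *sid);

/*
 * Utility functions for dealing with GUIDs
 */

/**
 * @brief Convert a binary GUID to a character string
 *
 * @param guid        Binary Guid
 * @param guid_string Resulting character string, release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGuidToString(const struct wbcGuid *guid,
		       char **guid_string);

/**
 * @brief Convert a character string to a binary GUID
 *
 * @param guid_string Character string
 * @param guid        Resulting binary GUID
 *
 * @return #wbcErr
 **/
wbcErr wbcStringToGuid(const char *guid_string,
		       struct wbcGuid *guid);

/**
 * @brief Ping winbindd to see if the daemon is running
 *
 * @return #wbcErr
 **/
wbcErr wbcPing(void);

/**
 * @brief Retrieve the version details of the wbclient library
 *
 * @param details Pointer to the returned struct wbcLibraryDetails;
 *                release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcLibraryDetails(struct wbcLibraryDetails **details);

/**
 * @brief Retrieve details about the running winbindd
 *
 * @param details Pointer to the returned struct wbcInterfaceDetails;
 *                release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcInterfaceDetails(struct wbcInterfaceDetails **details);

/**********************************************************
 * Name/SID conversion
 **********************************************************/

/**
 * @brief Convert a domain and name to SID
 *
 * @param dom_name    Domain name (possibly "")
 * @param name        User or group name
 * @param sid         Pointer to the resolved domain SID
 * @param name_type   Pointer to the SID type
 *
 * @return #wbcErr
 **/
wbcErr wbcLookupName(const char *dom_name,
		     const char *name,
		     struct wbcDomainSid *sid,
		     enum wbcSidType *name_type);

/**
 * @brief Convert a SID to a domain and name
 *
 * @param sid        Pointer to the domain SID to be resolved
 * @param domain     Resolved Domain name (possibly "")
 * @param name       Resolved User or group name
 * @param name_type  Pointer to the resolved SID type
 *
 * @return #wbcErr
 **/
wbcErr wbcLookupSid(const struct wbcDomainSid *sid,
		    char **domain,
		    char **name,
		    enum wbcSidType *name_type);

/**
 * @brief Translate a collection of RIDs within a domain to names
 *
 * @param dom_sid      Domain the RIDs belong to
 * @param num_rids     Number of entries at rids (kept as int for ABI
 *                     compatibility; must not be negative)
 * @param rids         Array of RIDs to translate
 * @param domain_name  Resolved domain name
 * @param names        Resolved names, one per RID
 * @param types        Resolved SID types, one per RID
 *
 * @return #wbcErr
 */
wbcErr wbcLookupRids(struct wbcDomainSid *dom_sid,
		     int num_rids,
		     uint32_t *rids,
		     const char **domain_name,
		     const char ***names,
		     enum wbcSidType **types);

/**
 * @brief Get the groups a user belongs to
 *
 * @param user_sid            SID of the user
 * @param domain_groups_only  Restrict the result to domain groups
 * @param num_sids            Number of entries returned at sids
 * @param sids                Resulting SID array, release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcLookupUserSids(const struct wbcDomainSid *user_sid,
			 bool domain_groups_only,
			 uint32_t *num_sids,
			 struct wbcDomainSid **sids);

/**
 * @brief Get alias membership for sids
 *
 * @param dom_sid         Domain in which to look up aliases
 * @param sids            SIDs whose alias membership is queried
 * @param num_sids        Number of entries at sids
 * @param alias_rids      Resulting alias RIDs, release with wbcFreeMemory()
 * @param num_alias_rids  Number of entries returned at alias_rids
 *
 * @return #wbcErr
 **/
wbcErr wbcGetSidAliases(const struct wbcDomainSid *dom_sid,
			struct wbcDomainSid *sids,
			uint32_t num_sids,
			uint32_t **alias_rids,
			uint32_t *num_alias_rids);

/**
 * @brief Lists Users
 *
 * @param domain_name  Domain to list
 * @param num_users    Number of entries returned at users
 * @param users        Resulting user name array, release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcListUsers(const char *domain_name,
		    uint32_t *num_users,
		    const char ***users);

/**
 * @brief Lists Groups
 *
 * @param domain_name  Domain to list
 * @param num_groups   Number of entries returned at groups
 * @param groups       Resulting group name array, release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcListGroups(const char *domain_name,
		     uint32_t *num_groups,
		     const char ***groups);

/**
 * @brief Resolve a SID to its domain and display name
 *
 * @param sid         SID to resolve
 * @param pdomain     Resolved domain name
 * @param pfullname   Resolved display (full) name
 * @param pname_type  Resolved SID type
 *
 * @return #wbcErr
 **/
wbcErr wbcGetDisplayName(const struct wbcDomainSid *sid,
			 char **pdomain,
			 char **pfullname,
			 enum wbcSidType *pname_type);

/**********************************************************
 * SID/uid/gid Mappings
 **********************************************************/

/**
 * @brief Convert a Windows SID to a Unix uid, allocating an uid if needed
 *
 * @param sid        Pointer to the domain SID to be resolved
 * @param puid       Pointer to the resolved uid_t value
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcSidToUid(const struct wbcDomainSid *sid,
		   uid_t *puid);

/**
 * @brief Convert a Windows SID to a Unix uid if there already is a mapping
 *
 * @param sid        Pointer to the domain SID to be resolved
 * @param puid       Pointer to the resolved uid_t value
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcQuerySidToUid(const struct wbcDomainSid *sid,
			uid_t *puid);

/**
 * @brief Convert a Unix uid to a Windows SID, allocating a SID if needed
 *
 * @param uid        Unix uid to be resolved
 * @param sid        Pointer to the resolved domain SID
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcUidToSid(uid_t uid,
		   struct wbcDomainSid *sid);

/**
 * @brief Convert a Unix uid to a Windows SID if there already is a mapping
 *
 * @param uid        Unix uid to be resolved
 * @param sid        Pointer to the resolved domain SID
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcQueryUidToSid(uid_t uid,
			struct wbcDomainSid *sid);

/**
 * @brief Convert a Windows SID to a Unix gid, allocating a gid if needed
 *
 * @param sid        Pointer to the domain SID to be resolved
 * @param pgid       Pointer to the resolved gid_t value
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcSidToGid(const struct wbcDomainSid *sid,
		   gid_t *pgid);

/**
 * @brief Convert a Windows SID to a Unix gid if there already is a mapping
 *
 * @param sid        Pointer to the domain SID to be resolved
 * @param pgid       Pointer to the resolved gid_t value
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcQuerySidToGid(const struct wbcDomainSid *sid,
			gid_t *pgid);

/**
 * @brief Convert a Unix gid to a Windows SID, allocating a SID if needed
 *
 * @param gid        Unix gid to be resolved
 * @param sid        Pointer to the resolved domain SID
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcGidToSid(gid_t gid,
		   struct wbcDomainSid *sid);

/**
 * @brief Convert a Unix gid to a Windows SID if there already is a mapping
 *
 * @param gid        Unix gid to be resolved
 * @param sid        Pointer to the resolved domain SID
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcQueryGidToSid(gid_t gid,
			struct wbcDomainSid *sid);

/**
 * @brief Obtain a new uid from Winbind
 *
 * @param puid      Pointer to the allocated uid
 *
 * @return #wbcErr
 **/
wbcErr wbcAllocateUid(uid_t *puid);

/**
 * @brief Obtain a new gid from Winbind
 *
 * @param pgid      Pointer to the allocated gid
 *
 * @return #wbcErr
 **/
wbcErr wbcAllocateGid(gid_t *pgid);

/**
 * @brief Set an user id mapping
 *
 * @param uid       Uid of the desired mapping.
 * @param sid       Pointer to the sid of the desired mapping.
 *
 * @return #wbcErr
 **/
wbcErr wbcSetUidMapping(uid_t uid, const struct wbcDomainSid *sid);

/**
 * @brief Set a group id mapping
 *
 * @param gid       Gid of the desired mapping.
 * @param sid       Pointer to the sid of the desired mapping.
 *
 * @return #wbcErr
 **/
wbcErr wbcSetGidMapping(gid_t gid, const struct wbcDomainSid *sid);

/**
 * @brief Remove a user id mapping
 *
 * @param uid       Uid of the mapping to remove.
 * @param sid       Pointer to the sid of the mapping to remove.
 *
 * @return #wbcErr
 **/
wbcErr wbcRemoveUidMapping(uid_t uid, const struct wbcDomainSid *sid);

/**
 * @brief Remove a group id mapping
 *
 * @param gid       Gid of the mapping to remove.
 * @param sid       Pointer to the sid of the mapping to remove.
 *
 * @return #wbcErr
 **/
wbcErr wbcRemoveGidMapping(gid_t gid, const struct wbcDomainSid *sid);

/**
 * @brief Set the highwater mark for allocated uids.
 *
 * @param uid_hwm    The new uid highwater mark value
 *
 * @return #wbcErr
 **/
wbcErr wbcSetUidHwm(uid_t uid_hwm);

/**
 * @brief Set the highwater mark for allocated gids.
 *
 * @param gid_hwm    The new gid highwater mark value
 *
 * @return #wbcErr
 **/
wbcErr wbcSetGidHwm(gid_t gid_hwm);

/**********************************************************
 * NSS Lookup User/Group details
 **********************************************************/

/**
 * @brief Fill in a struct passwd* for a domain user based
 *   on username
 *
 * @param name      Username to lookup
 * @param pwd       Pointer to resulting struct passwd* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetpwnam(const char *name, struct passwd **pwd);

/**
 * @brief Fill in a struct passwd* for a domain user based
 *   on uid
 *
 * @param uid       Uid to lookup
 * @param pwd       Pointer to resulting struct passwd* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetpwuid(uid_t uid, struct passwd **pwd);

/**
 * @brief Fill in a struct passwd* for a domain user based
 *   on sid
 *
 * @param sid       Sid to lookup
 * @param pwd       Pointer to resulting struct passwd* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetpwsid(struct wbcDomainSid * sid, struct passwd **pwd);

/**
 * @brief Fill in a struct group* for a domain group based
 *   on group name
 *
 * @param name      Group name to lookup
 * @param grp       Pointer to resulting struct group* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetgrnam(const char *name, struct group **grp);

/**
 * @brief Fill in a struct group* for a domain group based
 *   on gid
 *
 * @param gid       Gid to lookup
 * @param grp       Pointer to resulting struct group* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetgrgid(gid_t gid, struct group **grp);

/**
 * @brief Reset the passwd iterator
 *
 * @return #wbcErr
 **/
wbcErr wbcSetpwent(void);

/**
 * @brief Close the passwd iterator
 *
 * @return #wbcErr
 **/
wbcErr wbcEndpwent(void);

/**
 * @brief Return the next struct passwd* entry from the pwent iterator
 *
 * @param pwd       Pointer to resulting struct passwd* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetpwent(struct passwd **pwd);

/**
 * @brief Reset the group iterator
 *
 * @return #wbcErr
 **/
wbcErr wbcSetgrent(void);

/**
 * @brief Close the group iterator
 *
 * @return #wbcErr
 **/
wbcErr wbcEndgrent(void);

/**
 * @brief Return the next struct group* entry from the grent iterator
 *
 * @param grp       Pointer to resulting struct group* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetgrent(struct group **grp);

/**
 * @brief Return the next struct group* entry from the grent iterator
 *
 * This is similar to #wbcGetgrent, just that the member list is empty
 *
 * @param grp       Pointer to resulting struct group* from the query;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetgrlist(struct group **grp);

/**
 * @brief Return the unix group array belonging to the given user
 *
 * @param account     The given user name
 * @param num_groups  Number of elements returned in the groups array
 * @param _groups     Pointer to resulting gid_t array;
 *                    release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcGetGroups(const char *account,
		    uint32_t *num_groups,
		    gid_t **_groups);


/**********************************************************
 * Lookup Domain information
 **********************************************************/

/**
 * @brief Lookup the current status of a trusted domain
 *
 * @param domain      Domain to query
 * @param info        Pointer to returned domain_info struct;
 *                    release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcDomainInfo(const char *domain,
		     struct wbcDomainInfo **info);

/**
 * @brief Enumerate the domain trusts known by Winbind
 *
 * @param domains      Pointer to the allocated domain list array;
 *                     release with wbcFreeMemory()
 * @param num_domains  Pointer to number of domains returned
 *
 * @return #wbcErr
 **/
wbcErr wbcListTrusts(struct wbcDomainInfo **domains,
		     size_t *num_domains);

/* Flags for wbcLookupDomainController */

#define WBC_LOOKUP_DC_FORCE_REDISCOVERY        0x00000001
#define WBC_LOOKUP_DC_DS_REQUIRED              0x00000010
#define WBC_LOOKUP_DC_DS_PREFERRED             0x00000020
#define WBC_LOOKUP_DC_GC_SERVER_REQUIRED       0x00000040
#define WBC_LOOKUP_DC_PDC_REQUIRED             0x00000080
#define WBC_LOOKUP_DC_BACKGROUND_ONLY          0x00000100
#define WBC_LOOKUP_DC_IP_REQUIRED              0x00000200
#define WBC_LOOKUP_DC_KDC_REQUIRED             0x00000400
#define WBC_LOOKUP_DC_TIMESERV_REQUIRED        0x00000800
#define WBC_LOOKUP_DC_WRITABLE_REQUIRED        0x00001000
#define WBC_LOOKUP_DC_GOOD_TIMESERV_PREFERRED  0x00002000
#define WBC_LOOKUP_DC_AVOID_SELF               0x00004000
#define WBC_LOOKUP_DC_ONLY_LDAP_NEEDED         0x00008000
#define WBC_LOOKUP_DC_IS_FLAT_NAME             0x00010000
#define WBC_LOOKUP_DC_IS_DNS_NAME              0x00020000
#define WBC_LOOKUP_DC_TRY_NEXTCLOSEST_SITE     0x00040000
#define WBC_LOOKUP_DC_DS_6_REQUIRED            0x00080000
#define WBC_LOOKUP_DC_RETURN_DNS_NAME          0x40000000
#define WBC_LOOKUP_DC_RETURN_FLAT_NAME         0x80000000

/**
 * @brief Locate a domain controller for a domain
 *
 * @param domain      Name of the domain to query for a DC
 * @param flags       Bit flags used to control the domain location query
 *                    (WBC_LOOKUP_DC_*)
 * @param dc_info     Pointer to the returned domain controller information;
 *                    release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcLookupDomainController(const char *domain,
				 uint32_t flags,
				 struct wbcDomainControllerInfo **dc_info);

/**
 * @brief Get extended domain controller information
 *
 * @param domain      Name of the domain to query for a DC
 * @param guid        Guid of the domain to query for a DC
 * @param site        Site of the domain to query for a DC
 * @param flags       Bit flags used to control the domain location query
 *                    (WBC_LOOKUP_DC_*)
 * @param dc_info     Pointer to the returned extended domain controller
 *                    information; release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcLookupDomainControllerEx(const char *domain,
				   struct wbcGuid *guid,
				   const char *site,
				   uint32_t flags,
				   struct wbcDomainControllerInfoEx **dc_info);

/**********************************************************
 * Authenticate functions
 **********************************************************/

/**
 * @brief Authenticate a username/password pair
 *
 * @param username  Name of user to authenticate
 * @param password  Clear text password of user
 *
 * @return #wbcErr
 **/
wbcErr wbcAuthenticateUser(const char *username,
			   const char *password);

/**
 * @brief Authenticate with more detailed information
 *
 * @param params       Input parameters, WBC_AUTH_USER_LEVEL_HASH
 *                     is not supported yet
 * @param info         Output details on WBC_ERR_SUCCESS;
 *                     release with wbcFreeMemory()
 * @param error        Output details on WBC_ERR_AUTH_ERROR;
 *                     release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
			     struct wbcAuthUserInfo **info,
			     struct wbcAuthErrorInfo **error);

/**
 * @brief Logon a User
 *
 * @param[in]  params      Pointer to a wbcLogonUserParams structure
 * @param[out] info        Pointer to a pointer to a wbcLogonUserInfo structure
 * @param[out] error       Pointer to a pointer to a wbcAuthErrorInfo structure
 * @param[out] policy      Pointer to a pointer to a wbcUserPasswordPolicyInfo structure
 *
 * @return #wbcErr
 **/
wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
		    struct wbcLogonUserInfo **info,
		    struct wbcAuthErrorInfo **error,
		    struct wbcUserPasswordPolicyInfo **policy);

/**
 * @brief Trigger a logoff notification to Winbind for a specific user
 *
 * @param username    Name of user to remove from Winbind's list of
 *                    logged on users.
 * @param uid         Uid assigned to the username
 * @param ccfilename  Absolute path to the Krb5 credentials cache to
 *                    be removed
 *
 * @return #wbcErr
 **/
wbcErr wbcLogoffUser(const char *username,
		     uid_t uid,
		     const char *ccfilename);

/**
 * @brief Trigger an extended logoff notification to Winbind for a specific user
 *
 * @param params      A wbcLogoffUserParams structure
 * @param error       User output details on error
 *
 * @return #wbcErr
 **/
wbcErr wbcLogoffUserEx(const struct wbcLogoffUserParams *params,
		       struct wbcAuthErrorInfo **error);

/**
 * @brief Change a password for a user
 *
 * @param username      Name of user to authenticate
 * @param old_password  Old clear text password of user
 * @param new_password  New clear text password of user
 *
 * @return #wbcErr
 **/
wbcErr wbcChangeUserPassword(const char *username,
			     const char *old_password,
			     const char *new_password);

/**
 * @brief Change a password for a user with more detailed information upon
 *   failure
 *
 * @param params          Input parameters
 * @param error           User output details on WBC_ERR_PWD_CHANGE_FAILED
 * @param reject_reason   New password reject reason on WBC_ERR_PWD_CHANGE_FAILED
 * @param policy          Password policy output details on WBC_ERR_PWD_CHANGE_FAILED
 *
 * @return #wbcErr
 **/
wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
			       struct wbcAuthErrorInfo **error,
			       enum wbcPasswordChangeRejectReason *reject_reason,
			       struct wbcUserPasswordPolicyInfo **policy);

/**
 * @brief Authenticate a user with cached credentials
 *
 * @param params    Pointer to a wbcCredentialCacheParams structure
 * @param info      Pointer to a pointer to a wbcCredentialCacheInfo structure
 * @param error     Pointer to a pointer to a wbcAuthErrorInfo structure
 *
 * @return #wbcErr
 **/
wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
                          struct wbcCredentialCacheInfo **info,
                          struct wbcAuthErrorInfo **error);

/**
 * @brief Save a password with winbind for doing wbcCredentialCache() later
 *
 * @param user      Username
 * @param password  Password
 *
 * @return #wbcErr
 **/
wbcErr wbcCredentialSave(const char *user, const char *password);

/**********************************************************
 * Resolve functions
 **********************************************************/

/**
 * @brief Resolve a NetbiosName via WINS
 *
 * @param name      Name to resolve
 * @param ip        Pointer to the ip address string;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 **/
wbcErr wbcResolveWinsByName(const char *name, char **ip);

/**
 * @brief Resolve an IP address via WINS into a NetbiosName
 *
 * @param ip        The ip address string
 * @param name      Pointer to the name;
 *                  release with wbcFreeMemory()
 *
 * @return #wbcErr
 *
 **/
wbcErr wbcResolveWinsByIP(const char *ip, char **name);

/**********************************************************
 * Trusted domain functions
 **********************************************************/

/**
 * @brief Trigger a verification of the trust credentials of a specific domain
 *
 * @param domain     The name of the domain.
 * @param error      Output details on WBC_ERR_AUTH_ERROR
 *
 * @return #wbcErr
 **/
wbcErr wbcCheckTrustCredentials(const char *domain,
				struct wbcAuthErrorInfo **error);

/**
 * @brief Trigger a change of the trust credentials for a specific domain
 *
 * @param domain     The name of the domain.
 * @param error      Output details on WBC_ERR_AUTH_ERROR
 *
 * @return #wbcErr
 **/
wbcErr wbcChangeTrustCredentials(const char *domain,
				 struct wbcAuthErrorInfo **error);

/**
 * @brief Trigger a no-op call through the NETLOGON pipe. Low-cost
 *        version of wbcCheckTrustCredentials
 *
 * @param domain     The name of the domain, only NULL for the default domain is
 *                   supported yet. Other values than NULL will result in
 *                   WBC_ERR_NOT_IMPLEMENTED.
 * @param error      Output details on WBC_ERR_AUTH_ERROR
 *
 * @return #wbcErr
 **/
wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error);

/**********************************************************
 * Helper functions
 **********************************************************/

/**
 * @brief Initialize a named blob and add to list of blobs
 *
 * @param[in,out] num_blobs     Pointer to the number of blobs
 * @param[in,out] blobs         Pointer to an array of blobs
 * @param[in]     name          Name of the new named blob
 * @param[in]     flags         Flags of the new named blob
 * @param[in]     data          Blob data of new blob
 * @param[in]     length        Blob data length of new blob
 *
 * @return #wbcErr
 **/
wbcErr wbcAddNamedBlob(size_t *num_blobs,
		       struct wbcNamedBlob **blobs,
		       const char *name,
		       uint32_t flags,
		       uint8_t *data,
		       size_t length);

#endif      /* _WBCLIENT_H */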