authorKai Blin <kai@samba.org>2007-06-02 11:38:27 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:53:10 -0500
commit3fb4bd1c06a081f8f010ecfe66a9e18ed8413d66 (patch)
treeb4689eeec25beb84f09cb9ad9104957d75e55cca /source4/nsswitch
parente0f3a383b4aa15980e1b91a9355fd9e802be0c97 (diff)
r23311: Updating the samba4 winbind protocol to version 18.
nsswitch/winbindd_nss.h is just copied from SAMBA_3_0. nsswitch/winbind_nss_config.h is copied from SAMBA_3_0, too, but I had to drop some of the defines to make things build again. Kai (This used to be commit 553b7e146f52975b45941ba850140e312a280513)
Diffstat (limited to 'source4/nsswitch')
-rw-r--r--source4/nsswitch/wb_common.c12
-rw-r--r--source4/nsswitch/winbind_nss_config.h104
-rw-r--r--source4/nsswitch/winbindd_nss.h330
3 files changed, 304 insertions, 142 deletions
diff --git a/source4/nsswitch/wb_common.c b/source4/nsswitch/wb_common.c
index e8c317b598..51f9deb5b0 100644
--- a/source4/nsswitch/wb_common.c
+++ b/source4/nsswitch/wb_common.c
@@ -38,7 +38,7 @@ void free_response(struct winbindd_response *response)
/* Free any allocated extra_data */
if (response)
- SAFE_FREE(response->extra_data);
+ SAFE_FREE(response->extra_data.data);
}
/* Initialise a request structure */
@@ -324,13 +324,13 @@ int winbind_open_pipe_sock(void)
if (winbindd_request(WINBINDD_PRIV_PIPE_DIR, &request, &response) == NSS_STATUS_SUCCESS) {
int fd;
- if ((fd = winbind_named_pipe_sock(response.extra_data)) != -1) {
+ if ((fd = winbind_named_pipe_sock(response.extra_data.data)) != -1) {
close(winbindd_fd);
winbindd_fd = fd;
}
}
- SAFE_FREE(response.extra_data);
+ SAFE_FREE(response.extra_data.data);
return winbindd_fd;
#else
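Review bot: `winbind_named_pipe_sock(response.extra_data.data)` on the `+` line hands the variable-length extra_data to a function that treats it as a NUL-terminated directory path, but nothing in this function checks that a terminator is present within the bytes read_reply actually received. That is safe only if the daemon always appends the NUL and counts it in the length, which a client on the world-accessible public socket should not assume; guard the call with something like `if (response.length > sizeof(response) && memchr(response.extra_data.data, '\0', response.length - sizeof(response)) != NULL)` and still fall through to the existing SAFE_FREE, assuming `length` is the total wire size as read_reply appears to use it. winbind_open_pipe_sock starts before this hunk and continues after it.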
@@ -488,7 +488,7 @@ int read_reply(struct winbindd_response *response)
the server. This has no meaning in the client's address space
so we clear it out. */
- response->extra_data = NULL;
+ response->extra_data.data = NULL;
/* Read variable length response */
@@ -498,11 +498,11 @@ int read_reply(struct winbindd_response *response)
/* Mallocate memory for extra data */
- if (!(response->extra_data = malloc(extra_data_len))) {
+ if (!(response->extra_data.data = malloc(extra_data_len))) {
return -1;
}
- if ((result2 = read_sock(response->extra_data, extra_data_len))
+ if ((result2 = read_sock(response->extra_data.data, extra_data_len))
== -1) {
free_response(response);
return -1;
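Review bot: The malloc on the `+` line allocates whatever size the peer claims, and the header introduced by this same commit defines `WINBINDD_MAX_EXTRA_DATA` without read_reply using it. Presuming extra_data_len is derived from the response header's `length` field (computed above this hunk), a bogus or hostile peer on the public socket can make every NSS/PAM client allocate an arbitrarily large buffer and then sit in read_sock trying to fill it. Rejecting oversized replies before the allocation, `if (extra_data_len > WINBINDD_MAX_EXTRA_DATA) return -1;`, bounds the client's exposure to what winbindd presumably enforces on its own side. read_reply starts before this hunk and continues after it.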
diff --git a/source4/nsswitch/winbind_nss_config.h b/source4/nsswitch/winbind_nss_config.h
index 345e8d3228..65cf7b232b 100644
--- a/source4/nsswitch/winbind_nss_config.h
+++ b/source4/nsswitch/winbind_nss_config.h
@@ -24,78 +24,75 @@
#ifndef _WINBIND_NSS_CONFIG_H
#define _WINBIND_NSS_CONFIG_H
-/* Include header files from data in config.h file */
-
-#ifndef NO_CONFIG_H
-#include <config.h>
+/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */
+#ifdef SIZEOF_LONG
+#undef SIZEOF_LONG
#endif
-#include <stdio.h>
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
+/* Include header files from data in config.h file */
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
+#ifndef NO_CONFIG_H
+#include "lib/replace/replace.h"
#endif
-#ifdef HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif
+#include "system/passwd.h"
+#include "system/filesys.h"
+#include "system/network.h"
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
+#include "nsswitch/winbind_nss.h"
-#ifdef HAVE_UNIXSOCKET
-#include <sys/un.h>
-#endif
+/* I'm trying really hard not to include anything from smb.h with the
+ result of some silly looking redeclaration of structures. */
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
+#ifndef _PSTRING
+#define _PSTRING
+#define PSTRING_LEN 1024
+#define FSTRING_LEN 256
+typedef char pstring[PSTRING_LEN];
+typedef char fstring[FSTRING_LEN];
#endif
-#ifdef HAVE_GRP_H
-#include <grp.h>
+#if !defined(uint32)
+#if (SIZEOF_INT == 4)
+#define uint32 unsigned int
+#elif (SIZEOF_LONG == 4)
+#define uint32 unsigned long
+#elif (SIZEOF_SHORT == 4)
+#define uint32 unsigned short
#endif
-
-#ifdef HAVE_STRING_H
-#include <string.h>
#endif
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#else
-#ifdef HAVE_SYS_FCNTL_H
-#include <sys/fcntl.h>
+#if !defined(uint16)
+#if (SIZEOF_SHORT == 4)
+#define uint16 __ERROR___CANNOT_DETERMINE_TYPE_FOR_INT16;
+#else /* SIZEOF_SHORT != 4 */
+#define uint16 unsigned short
+#endif /* SIZEOF_SHORT != 4 */
#endif
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#ifdef HAVE_PWD_H
-#include <pwd.h>
+#ifndef uint8
+#define uint8 unsigned char
#endif
-#include "nsswitch/winbind_nss.h"
-#ifndef Auto
-#define False (0)
-#define True (1)
-#define Auto (2)
-typedef int BOOL;
-#endif
+/*
+ * check for 8 byte long long
+ */
-/* zero a structure */
-#ifndef ZERO_STRUCT
-#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
+#if !defined(uint64)
+#if (SIZEOF_LONG == 8)
+#define uint64 unsigned long
+#elif (SIZEOF_LONG_LONG == 8)
+#define uint64 unsigned long long
+#endif /* don't lie. If we don't have it, then don't use it */
#endif
-/* zero a structure given a pointer to the structure */
-#ifndef ZERO_STRUCTP
-#define ZERO_STRUCTP(x) { if ((x) != NULL) memset((char *)(x), 0, sizeof(*(x))); }
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
#endif
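Review bot: The `#undef SIZEOF_LONG` at the top of the new header is relied on again by the `#elif (SIZEOF_LONG == 4)` and `#if (SIZEOF_LONG == 8)` tests further down, so unless replace.h re-supplies that macro (it cannot when NO_CONFIG_H is set, and whether it does otherwise is not visible in this diff) those tests compare against 0 and the `uint64`/`int64` definitions silently vanish. The uint16 chain deliberately fails loudly while the two 64-bit chains fall through on a "don't lie" comment; an `#error` does not lie either, and winbindd_nss.h sizes its wire structures on int64 being present. Suggest replacing the silent fall-through in both chains with `#else` / `#error "no 8-byte integer type available for the winbind protocol"`, after confirming how SIZEOF_LONG gets back into scope.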
/* Some systems (SCO) treat UNIX domain sockets as FIFOs */
@@ -108,4 +105,9 @@ typedef int BOOL;
#define S_ISSOCK(mode) ((mode & S_IFSOCK) == S_IFSOCK)
#endif
+#ifndef HAVE_SOCKLEN_T
+#define HAVE_SOCKLEN_T
+typedef int socklen_t;
+#endif
+
#endif
diff --git a/source4/nsswitch/winbindd_nss.h b/source4/nsswitch/winbindd_nss.h
index 37695c6aa6..ae8a6846a3 100644
--- a/source4/nsswitch/winbindd_nss.h
+++ b/source4/nsswitch/winbindd_nss.h
@@ -4,6 +4,7 @@
Winbind daemon for ntdom nss module
Copyright (C) Tim Potter 2000
+ Copyright (C) Gerald Carter 2006
You are free to use this interface definition in any way you see
fit, including without restriction, using this header in your own
@@ -27,19 +28,32 @@
#define _WINBINDD_NTDOM_H
#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
+
+/* Let the build environment override the public winbindd socket location. This
+ * is needed for launchd support -- jpeach.
+ */
#ifndef WINBINDD_SOCKET_DIR
#define WINBINDD_SOCKET_DIR "/tmp/.winbindd" /* Name of PF_UNIX dir */
#endif
+
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
#define WINBINDD_DONT_ENV "_NO_WINBINDD"
-typedef char winbind_string[256];
-#define winbind_strcpy(d,s) safe_strcpy((d),(s),sizeof(winbind_string));
-
/* Update this when you change the interface. */
-#define WINBIND_INTERFACE_VERSION 11
+#define WINBIND_INTERFACE_VERSION 18
+
+/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
+ On a 64bit Linux box, we have to support a constant structure size
+ between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
+ The easiest way to do this is to always use 8byte values for time_t. */
+
+#if defined(int64)
+# define SMB_TIME_T int64
+#else
+# define SMB_TIME_T time_t
+#endif
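Review bot: The `#else` fallback `# define SMB_TIME_T time_t` contradicts the comment directly above it, which says the protocol must always use 8-byte values so the 32-bit and 64-bit NSS libraries agree on structure size; on a build where int64 is undefined this silently yields a 4-byte field and a layout that cannot interoperate, with no diagnostic. Either make the fallback `#error "winbind protocol requires a 64-bit integer type"` or, if a time_t build must be kept for some platform, extend the comment to say such builds are not wire-compatible with 64-bit peers. The version bump itself looks right, since the enum insertions elsewhere in this commit renumber later commands; a sentence to that effect in the "Update this when you change the interface" comment would explain why 18 rather than a bigger gap matters here only if the handshake rejects mismatches, which I presume it does but cannot see in this diff.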
/* Socket commands */
@@ -69,6 +83,8 @@ enum winbindd_cmd {
WINBINDD_PAM_AUTH,
WINBINDD_PAM_AUTH_CRAP,
WINBINDD_PAM_CHAUTHTOK,
+ WINBINDD_PAM_LOGOFF,
+ WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
/* List various things */
@@ -80,18 +96,25 @@ enum winbindd_cmd {
WINBINDD_LOOKUPSID,
WINBINDD_LOOKUPNAME,
+ WINBINDD_LOOKUPRIDS,
/* Lookup functions */
- WINBINDD_SID_TO_UID,
+ WINBINDD_SID_TO_UID,
WINBINDD_SID_TO_GID,
+ WINBINDD_SIDS_TO_XIDS,
WINBINDD_UID_TO_SID,
WINBINDD_GID_TO_SID,
- WINBINDD_ALLOCATE_RID,
- WINBINDD_ALLOCATE_RID_AND_GID,
+
+ WINBINDD_ALLOCATE_UID,
+ WINBINDD_ALLOCATE_GID,
+ WINBINDD_SET_MAPPING,
+ WINBINDD_SET_HWM,
/* Miscellaneous other stuff */
+ WINBINDD_DUMP_MAPS,
+
WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
WINBINDD_PING, /* Just tell me winbind is running */
WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
@@ -119,7 +142,7 @@ enum winbindd_cmd {
/* return a list of group sids for a user sid */
WINBINDD_GETUSERSIDS,
- /* Return the domain groups a user is in */
+ /* Various group queries */
WINBINDD_GETUSERDOMGROUPS,
/* Initialize connection in a child */
@@ -129,7 +152,12 @@ enum winbindd_cmd {
* between parent and children */
WINBINDD_DUAL_SID2UID,
WINBINDD_DUAL_SID2GID,
- WINBINDD_DUAL_IDMAPSET,
+ WINBINDD_DUAL_SIDS2XIDS,
+ WINBINDD_DUAL_UID2SID,
+ WINBINDD_DUAL_GID2SID,
+ WINBINDD_DUAL_SET_MAPPING,
+ WINBINDD_DUAL_SET_HWM,
+ WINBINDD_DUAL_DUMP_MAPS,
/* Wrapper around possibly blocking unix nss calls */
WINBINDD_DUAL_UID2NAME,
@@ -140,27 +168,30 @@ enum winbindd_cmd {
WINBINDD_DUAL_USERINFO,
WINBINDD_DUAL_GETSIDALIASES,
+ /* Complete the challenge phase of the NTLM authentication
+ protocol using cached password. */
+ WINBINDD_CCACHE_NTLMAUTH,
+
WINBINDD_NUM_CMDS
};
typedef struct winbindd_pw {
- winbind_string pw_name;
- winbind_string pw_passwd;
+ fstring pw_name;
+ fstring pw_passwd;
uid_t pw_uid;
gid_t pw_gid;
- winbind_string pw_gecos;
- winbind_string pw_dir;
- winbind_string pw_shell;
+ fstring pw_gecos;
+ fstring pw_dir;
+ fstring pw_shell;
} WINBINDD_PW;
typedef struct winbindd_gr {
- winbind_string gr_name;
- winbind_string gr_passwd;
+ fstring gr_name;
+ fstring gr_passwd;
gid_t gr_gid;
- int num_gr_mem;
- int gr_mem_ofs; /* offset to group membership */
- char **gr_mem;
+ uint32 num_gr_mem;
+ uint32 gr_mem_ofs; /* offset to group membership */
} WINBINDD_GR;
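Review bot: `gr_mem_ofs` and `num_gr_mem` are now plain `uint32` values that index into the variable-length extra_data following the response, but the struct says nothing about who validates them, so a reader of this header cannot tell that the NSS client must bound-check the offset and count against the received length before walking the member list. Suggest stating the invariant on the field, e.g. `uint32 gr_mem_ofs; /* byte offset into extra_data; consumers must verify it lies within the received extra_data before use */` and similarly noting that `num_gr_mem` is a peer-supplied count. Dropping the host `char **gr_mem` pointer from the fixed-size ABI is fine on its own; this note is only about the missing contract for the two fields that replace it.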
@@ -170,7 +201,6 @@ typedef struct winbindd_gr {
#define WBFLAG_PAM_LMKEY 0x0008
#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
#define WBFLAG_QUERY_ONLY 0x0020
-#define WBFLAG_ALLOCATE_RID 0x0040
#define WBFLAG_PAM_UNIX_NAME 0x0080
#define WBFLAG_PAM_AFS_TOKEN 0x0100
#define WBFLAG_PAM_NT_STATUS_SQUASH 0x0200
@@ -180,74 +210,131 @@ typedef struct winbindd_gr {
/* Flag to say this is a winbindd internal send - don't recurse. */
#define WBFLAG_RECURSE 0x0800
+#define WBFLAG_PAM_KRB5 0x1000
+#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
+#define WBFLAG_PAM_CACHED_LOGIN 0x4000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */
+
+#define WINBINDD_MAX_EXTRA_DATA (128*1024)
+
/* Winbind request structure */
+/*******************************************************************************
+ * This structure MUST be the same size in the 32bit and 64bit builds
+ * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
+ *
+ * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
+ * A 64BIT WINBINDD --jerry
+ ******************************************************************************/
+
struct winbindd_request {
- uint32_t length;
+ uint32 length;
enum winbindd_cmd cmd; /* Winbindd command to execute */
+ enum winbindd_cmd original_cmd; /* Original Winbindd command
+ issued to parent process */
pid_t pid; /* pid of calling process */
- uint32_t flags; /* flags relavant to a given request */
- winbind_string domain_name; /* name of domain for which the request applies */
+ uint32 flags; /* flags relavant to a given request */
+ fstring domain_name; /* name of domain for which the request applies */
union {
- winbind_string winsreq; /* WINS request */
- winbind_string username; /* getpwnam */
- winbind_string groupname; /* getgrnam */
+ fstring winsreq; /* WINS request */
+ fstring username; /* getpwnam */
+ fstring groupname; /* getgrnam */
uid_t uid; /* getpwuid, uid_to_sid */
gid_t gid; /* getgrgid, gid_to_sid */
struct {
/* We deliberatedly don't split into domain/user to
avoid having the client know what the separator
character is. */
- winbind_string user;
- winbind_string pass;
- winbind_string require_membership_of_sid;
+ fstring user;
+ fstring pass;
+ pstring require_membership_of_sid;
+ fstring krb5_cc_type;
+ uid_t uid;
} auth; /* pam_winbind auth module */
struct {
unsigned char chal[8];
- uint32_t logon_parameters;
- winbind_string user;
- winbind_string domain;
- winbind_string lm_resp;
- uint16_t lm_resp_len;
- winbind_string nt_resp;
- uint16_t nt_resp_len;
- winbind_string workstation;
- winbind_string require_membership_of_sid;
+ uint32 logon_parameters;
+ fstring user;
+ fstring domain;
+ fstring lm_resp;
+ uint32 lm_resp_len;
+ fstring nt_resp;
+ uint32 nt_resp_len;
+ fstring workstation;
+ fstring require_membership_of_sid;
} auth_crap;
struct {
- winbind_string user;
- winbind_string oldpass;
- winbind_string newpass;
+ fstring user;
+ fstring oldpass;
+ fstring newpass;
} chauthtok; /* pam_winbind passwd module */
- winbind_string sid; /* lookupsid, sid_to_[ug]id */
struct {
- winbind_string dom_name; /* lookupname */
- winbind_string name;
+ fstring user;
+ fstring domain;
+ unsigned char new_nt_pswd[516];
+ uint16 new_nt_pswd_len;
+ unsigned char old_nt_hash_enc[16];
+ uint16 old_nt_hash_enc_len;
+ unsigned char new_lm_pswd[516];
+ uint16 new_lm_pswd_len;
+ unsigned char old_lm_hash_enc[16];
+ uint16 old_lm_hash_enc_len;
+ } chng_pswd_auth_crap;/* pam_winbind passwd module */
+ struct {
+ fstring user;
+ fstring krb5ccname;
+ uid_t uid;
+ } logoff; /* pam_winbind session module */
+ fstring sid; /* lookupsid, sid_to_[ug]id */
+ struct {
+ fstring dom_name; /* lookupname */
+ fstring name;
} name;
- uint32_t num_entries; /* getpwent, getgrent */
+ uint32 num_entries; /* getpwent, getgrent */
struct {
- winbind_string username;
- winbind_string groupname;
+ fstring username;
+ fstring groupname;
} acct_mgt;
struct {
BOOL is_primary;
- winbind_string dcname;
+ fstring dcname;
} init_conn;
struct {
- winbind_string sid;
- winbind_string name;
- BOOL alloc;
+ fstring sid;
+ fstring name;
} dual_sid2id;
struct {
- int type;
- uid_t uid;
- gid_t gid;
- winbind_string sid;
+ fstring sid;
+ uint32 type;
+ uint32 id;
} dual_idmapset;
+ BOOL list_all_domains;
+
+ struct {
+ uid_t uid;
+ fstring user;
+ /* the effective uid of the client, must be the uid for 'user'.
+ This is checked by the main daemon, trusted by children. */
+ /* if the blobs are length zero, then this doesn't
+ produce an actual challenge response. It merely
+ succeeds if there are cached credentials available
+ that could be used. */
+ uint32 initial_blob_len; /* blobs in extra_data */
+ uint32 challenge_blob_len;
+ } ccache_ntlm_auth;
+
+ /* padding -- needed to fix alignment between 32bit and 64bit libs.
+ The size is the sizeof the union without the padding aligned on
+ an 8 byte boundary. --jerry */
+
+ char padding[1560];
} data;
- char *extra_data;
- size_t extra_len;
+ union {
+ SMB_TIME_T padding;
+ char *data;
+ } extra_data;
+ uint32 extra_len;
char null_term;
};
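Review bot: `lm_resp_len` and `nt_resp_len` are widened from uint16_t to uint32 on the `+` lines while `lm_resp` and `nt_resp` remain `fstring` (256 bytes), and `chng_pswd_auth_crap` likewise carries uint16 lengths for 516-byte and 16-byte buffers; each of these is a client-supplied length for a fixed buffer that winbindd must clamp before copying, and that validation is outside this diff so I cannot confirm it. The header should at least state the invariant next to the fields, e.g. `uint32 lm_resp_len; /* must be <= sizeof(lm_resp); winbindd rejects larger values */`. The same applies to `initial_blob_len` and `challenge_blob_len` in `ccache_ntlm_auth`, which index extra_data: each needs an individual check and their sum must not be allowed to wrap a uint32 before being compared with `extra_len`. The `char padding[1560]` constant also has no compile-time guard, so a negative-array-size typedef on `sizeof(struct winbindd_request)` in the build would catch the 32/64-bit drift the banner comment warns about rather than leaving it to manual testing.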
@@ -261,11 +348,19 @@ enum winbindd_result {
/* Winbind response structure */
+/*******************************************************************************
+ * This structure MUST be the same size in the 32bit and 64bit builds
+ * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
+ *
+ * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
+ * A 64BIT WINBINDD --jerry
+ ******************************************************************************/
+
struct winbindd_response {
/* Header information */
- uint32_t length; /* Length of response */
+ uint32 length; /* Length of response */
enum winbindd_result result; /* Result code */
/* Fixed length return data */
@@ -273,7 +368,7 @@ struct winbindd_response {
union {
int interface_version; /* Try to ensure this is always in the same spot... */
- winbind_string winsresp; /* WINS response */
+ fstring winsresp; /* WINS response */
/* getpwnam, getpwuid */
@@ -283,60 +378,125 @@ struct winbindd_response {
struct winbindd_gr gr;
- uint32_t num_entries; /* getpwent, getgrent */
+ uint32 num_entries; /* getpwent, getgrent */
struct winbindd_sid {
- winbind_string sid; /* lookupname, [ug]id_to_sid */
+ fstring sid; /* lookupname, [ug]id_to_sid */
int type;
} sid;
struct winbindd_name {
- winbind_string dom_name; /* lookupsid */
- winbind_string name;
+ fstring dom_name; /* lookupsid */
+ fstring name;
int type;
} name;
uid_t uid; /* sid_to_uid */
gid_t gid; /* sid_to_gid */
struct winbindd_info {
char winbind_separator;
- winbind_string samba_version;
+ fstring samba_version;
} info;
- winbind_string domain_name;
- winbind_string netbios_name;
- winbind_string dc_name;
+ fstring domain_name;
+ fstring netbios_name;
+ fstring dc_name;
struct auth_reply {
- uint32_t nt_status;
- winbind_string nt_status_string;
- winbind_string error_string;
+ uint32 nt_status;
+ fstring nt_status_string;
+ fstring error_string;
int pam_error;
char user_session_key[16];
char first_8_lm_hash[8];
+ fstring krb5ccname;
+ uint32 reject_reason;
+ uint32 padding;
+ struct policy_settings {
+ uint32 min_length_password;
+ uint32 password_history;
+ uint32 password_properties;
+ uint32 padding;
+ SMB_TIME_T expire;
+ SMB_TIME_T min_passwordage;
+ } policy;
+ struct info3_text {
+ SMB_TIME_T logon_time;
+ SMB_TIME_T logoff_time;
+ SMB_TIME_T kickoff_time;
+ SMB_TIME_T pass_last_set_time;
+ SMB_TIME_T pass_can_change_time;
+ SMB_TIME_T pass_must_change_time;
+ uint32 logon_count;
+ uint32 bad_pw_count;
+ uint32 user_rid;
+ uint32 group_rid;
+ uint32 num_groups;
+ uint32 user_flgs;
+ uint32 acct_flags;
+ uint32 num_other_sids;
+ fstring dom_sid;
+ fstring user_name;
+ fstring full_name;
+ fstring logon_script;
+ fstring profile_path;
+ fstring home_dir;
+ fstring dir_drive;
+ fstring logon_srv;
+ fstring logon_dom;
+ } info3;
} auth;
- uint32_t rid; /* create user or group or allocate rid */
struct {
- uint32_t rid;
- gid_t gid;
- } rid_and_gid;
- struct {
- winbind_string name;
- winbind_string alt_name;
- winbind_string sid;
+ fstring name;
+ fstring alt_name;
+ fstring sid;
BOOL native_mode;
BOOL active_directory;
BOOL primary;
- uint32_t sequence_number;
+ uint32 sequence_number;
} domain_info;
struct {
- winbind_string acct_name;
- winbind_string full_name;
- winbind_string homedir;
- winbind_string shell;
- uint32_t group_rid;
+ fstring acct_name;
+ fstring full_name;
+ fstring homedir;
+ fstring shell;
+ uint32 primary_gid;
+ uint32 group_rid;
} user_info;
+ struct {
+ uint32 auth_blob_len; /* blob in extra_data */
+ } ccache_ntlm_auth;
} data;
/* Variable length return data */
- void *extra_data; /* getgrnam, getgrgid, getgrent */
+ union {
+ SMB_TIME_T padding;
+ void *data;
+ } extra_data;
+};
+
+struct WINBINDD_MEMORY_CREDS {
+ struct WINBINDD_MEMORY_CREDS *next, *prev;
+ const char *username; /* lookup key. */
+ uid_t uid;
+ int ref_count;
+ size_t len;
+ unsigned char *nt_hash; /* Base pointer for the following 2 */
+ unsigned char *lm_hash;
+ char *pass;
+};
+
+struct WINBINDD_CCACHE_ENTRY {
+ struct WINBINDD_CCACHE_ENTRY *next, *prev;
+ const char *principal_name;
+ const char *ccname;
+ const char *service;
+ const char *username;
+ const char *realm;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr;
+ int ref_count;
+ uid_t uid;
+ time_t create_time;
+ time_t renew_until;
+ time_t refresh_time;
+ struct timed_event *event;
};
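Review bot: `struct WINBINDD_MEMORY_CREDS` keeps a cleartext password (`pass`) alongside the NT and LM hashes in daemon memory, yet the definition says nothing about lifetime, locking, or wiping; given the comment that `nt_hash` is the base pointer for the other two, this reads like a single allocation that must be zeroed before it is freed, not merely freed. Suggest a header comment on the struct, e.g. `/* Credentials cached in winbindd's address space (presumably for ccache refresh -- confirm). Secrets: the owner must overwrite nt_hash/lm_hash/pass before freeing and should consider mlock; ref_count governs lifetime. */`. Both this struct and `WINBINDD_CCACHE_ENTRY` carry host pointers and a `struct timed_event *`, i.e. daemon-private state that arguably does not belong in the client-visible protocol header; if they must stay, a one-line comment that they are not part of the wire format would keep NSS/PAM consumers from depending on them.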
#endif