root/source3/include/ads.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM


   1 #ifndef _INCLUDE_ADS_H_
   2 #define _INCLUDE_ADS_H_
   3 /*
   4   header for ads (active directory) library routines
   5 
   6   basically this is a wrapper around ldap
   7 */
   8 
   9 enum wb_posix_mapping {
  10         WB_POSIX_MAP_UNKNOWN    = -1,
  11         WB_POSIX_MAP_TEMPLATE   = 0, 
  12         WB_POSIX_MAP_SFU        = 1, 
  13         WB_POSIX_MAP_SFU20      = 2, 
  14         WB_POSIX_MAP_RFC2307    = 3,
  15         WB_POSIX_MAP_UNIXINFO   = 4
  16 };
  17 
  18 /* there are 5 possible types of errors the ads subsystem can produce */
  19 enum ads_error_type {ENUM_ADS_ERROR_KRB5, ENUM_ADS_ERROR_GSS, 
  20                      ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT};
  21 
  22 typedef struct {
  23         enum ads_error_type error_type;
  24         union err_state{                
  25                 int rc;
  26                 NTSTATUS nt_status;
  27         } err;
  28         /* For error_type = ENUM_ADS_ERROR_GSS minor_status describe GSS API error */
  29         /* Where rc represents major_status of GSS API error */
  30         int minor_status;
  31 } ADS_STATUS;
  32 
  33 struct ads_struct;
  34 
  35 struct ads_saslwrap_ops {
  36         const char *name;
  37         ADS_STATUS (*wrap)(struct ads_struct *, uint8 *buf, uint32 len);
  38         ADS_STATUS (*unwrap)(struct ads_struct *);
  39         void (*disconnect)(struct ads_struct *);
  40 };
  41 
  42 enum ads_saslwrap_type {
  43         ADS_SASLWRAP_TYPE_PLAIN = 1,
  44         ADS_SASLWRAP_TYPE_SIGN = 2,
  45         ADS_SASLWRAP_TYPE_SEAL = 4
  46 };
  47 
  48 typedef struct ads_struct {
  49         int is_mine;    /* do I own this structure's memory? */
  50         
  51         /* info needed to find the server */
  52         struct {
  53                 char *realm;
  54                 char *workgroup;
  55                 char *ldap_server;
  56                 int foreign; /* set to 1 if connecting to a foreign
  57                               * realm */
  58                 bool gc;     /* Is this a global catalog server? */
  59         } server;
  60 
  61         /* info needed to authenticate */
  62         struct {
  63                 char *realm;
  64                 char *password;
  65                 char *user_name;
  66                 char *kdc_server;
  67                 unsigned flags;
  68                 int time_offset;
  69                 time_t tgt_expire;
  70                 time_t tgs_expire;
  71                 time_t renewable;
  72         } auth;
  73 
  74         /* info derived from the servers config */
  75         struct {
  76                 uint32 flags; /* cldap flags identifying the services. */
  77                 char *realm;
  78                 char *bind_path;
  79                 char *ldap_server_name;
  80                 char *server_site_name;
  81                 char *client_site_name;
  82                 time_t current_time;
  83                 char *schema_path;
  84                 char *config_path;
  85         } config;
  86 
  87         /* info about the current LDAP connection */
  88 #ifdef HAVE_LDAP
  89         struct {
  90                 LDAP *ld;
  91                 struct sockaddr_storage ss; /* the ip of the active connection, if any */
  92                 time_t last_attempt; /* last attempt to reconnect */
  93                 int port;
  94 
  95                 enum ads_saslwrap_type wrap_type;
  96 
  97 #ifdef HAVE_LDAP_SASL_WRAPPING
  98                 Sockbuf_IO_Desc *sbiod; /* lowlevel state for LDAP wrapping */
  99 #endif /* HAVE_LDAP_SASL_WRAPPING */
 100                 TALLOC_CTX *mem_ctx;
 101                 const struct ads_saslwrap_ops *wrap_ops;
 102                 void *wrap_private_data;
 103                 struct {
 104                         uint32 ofs;
 105                         uint32 needed;
 106                         uint32 left;
 107 #define        ADS_SASL_WRAPPING_IN_MAX_WRAPPED        0x0FFFFFFF
 108                         uint32 max_wrapped;
 109                         uint32 min_wrapped;
 110                         uint32 size;
 111                         uint8 *buf;
 112                 } in;
 113                 struct {
 114                         uint32 ofs;
 115                         uint32 left;
 116 #define        ADS_SASL_WRAPPING_OUT_MAX_WRAPPED       0x00A00000
 117                         uint32 max_unwrapped;
 118                         uint32 sig_size;
 119                         uint32 size;
 120                         uint8 *buf;
 121                 } out;
 122         } ldap;
 123 #endif /* HAVE_LDAP */
 124 } ADS_STRUCT;
 125 
 126 /* used to remember the names of the posix attributes in AD */
 127 /* see the rfc2307 & sfu nss backends */
 128 
 129 struct posix_schema {
 130         char *posix_homedir_attr;
 131         char *posix_shell_attr;
 132         char *posix_uidnumber_attr;
 133         char *posix_gidnumber_attr;
 134         char *posix_gecos_attr;
 135         char *posix_uid_attr;
 136 };
 137 
 138 
 139 
 140 #ifdef HAVE_ADS
 141 typedef LDAPMod **ADS_MODLIST;
 142 #else
 143 typedef void **ADS_MODLIST;
 144 #endif
 145 
 146 /* macros to simplify error returning */
 147 #define ADS_ERROR(rc) ADS_ERROR_LDAP(rc)
 148 #define ADS_ERROR_LDAP(rc) ads_build_error(ENUM_ADS_ERROR_LDAP, rc, 0)
 149 #define ADS_ERROR_SYSTEM(rc) ads_build_error(ENUM_ADS_ERROR_SYSTEM, rc?rc:EINVAL, 0)
 150 #define ADS_ERROR_KRB5(rc) ads_build_error(ENUM_ADS_ERROR_KRB5, rc, 0)
 151 #define ADS_ERROR_GSS(rc, minor) ads_build_error(ENUM_ADS_ERROR_GSS, rc, minor)
 152 #define ADS_ERROR_NT(rc) ads_build_nt_error(ENUM_ADS_ERROR_NT,rc)
 153 
 154 #define ADS_ERR_OK(status) ((status.error_type == ENUM_ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0))
 155 #define ADS_SUCCESS ADS_ERROR(0)
 156 
 157 #define ADS_ERROR_HAVE_NO_MEMORY(x) do { \
 158         if (!(x)) {\
 159                 return ADS_ERROR(LDAP_NO_MEMORY);\
 160         }\
 161 } while (0)
 162 
 163 
 164 /* time between reconnect attempts */
 165 #define ADS_RECONNECT_TIME 5
 166 
 167 /* ldap control oids */
 168 #define ADS_PAGE_CTL_OID        "1.2.840.113556.1.4.319"
 169 #define ADS_NO_REFERRALS_OID    "1.2.840.113556.1.4.1339"
 170 #define ADS_SERVER_SORT_OID     "1.2.840.113556.1.4.473"
 171 #define ADS_PERMIT_MODIFY_OID   "1.2.840.113556.1.4.1413"
 172 #define ADS_ASQ_OID             "1.2.840.113556.1.4.1504"
 173 #define ADS_EXTENDED_DN_OID     "1.2.840.113556.1.4.529"
 174 #define ADS_SD_FLAGS_OID        "1.2.840.113556.1.4.801"
 175 
 176 /* ldap attribute oids (Services for Unix 3.0, 3.5) */
 177 #define ADS_ATTR_SFU_UIDNUMBER_OID      "1.2.840.113556.1.6.18.1.310"
 178 #define ADS_ATTR_SFU_GIDNUMBER_OID      "1.2.840.113556.1.6.18.1.311"
 179 #define ADS_ATTR_SFU_HOMEDIR_OID        "1.2.840.113556.1.6.18.1.344"
 180 #define ADS_ATTR_SFU_SHELL_OID          "1.2.840.113556.1.6.18.1.312"
 181 #define ADS_ATTR_SFU_GECOS_OID          "1.2.840.113556.1.6.18.1.337"
 182 #define ADS_ATTR_SFU_UID_OID            "1.2.840.113556.1.6.18.1.309"
 183 
 184 /* ldap attribute oids (Services for Unix 2.0) */
 185 #define ADS_ATTR_SFU20_UIDNUMBER_OID    "1.2.840.113556.1.4.7000.187.70"
 186 #define ADS_ATTR_SFU20_GIDNUMBER_OID    "1.2.840.113556.1.4.7000.187.71"
 187 #define ADS_ATTR_SFU20_HOMEDIR_OID      "1.2.840.113556.1.4.7000.187.106"
 188 #define ADS_ATTR_SFU20_SHELL_OID        "1.2.840.113556.1.4.7000.187.72"
 189 #define ADS_ATTR_SFU20_GECOS_OID        "1.2.840.113556.1.4.7000.187.97"
 190 #define ADS_ATTR_SFU20_UID_OID          "1.2.840.113556.1.4.7000.187.102"
 191 
 192 
 193 /* ldap attribute oids (RFC2307) */
 194 #define ADS_ATTR_RFC2307_UIDNUMBER_OID  "1.3.6.1.1.1.1.0"
 195 #define ADS_ATTR_RFC2307_GIDNUMBER_OID  "1.3.6.1.1.1.1.1"
 196 #define ADS_ATTR_RFC2307_HOMEDIR_OID    "1.3.6.1.1.1.1.3"
 197 #define ADS_ATTR_RFC2307_SHELL_OID      "1.3.6.1.1.1.1.4"
 198 #define ADS_ATTR_RFC2307_GECOS_OID      "1.3.6.1.1.1.1.2"
 199 #define ADS_ATTR_RFC2307_UID_OID        "0.9.2342.19200300.100.1.1"
 200 
 201 /* ldap bitwise searches */
 202 #define ADS_LDAP_MATCHING_RULE_BIT_AND  "1.2.840.113556.1.4.803"
 203 #define ADS_LDAP_MATCHING_RULE_BIT_OR   "1.2.840.113556.1.4.804"
 204 
 205 /* UserFlags for userAccountControl */
 206 #define UF_SCRIPT                               0x00000001
 207 #define UF_ACCOUNTDISABLE                       0x00000002
 208 #define UF_UNUSED_1                             0x00000004
 209 #define UF_HOMEDIR_REQUIRED                     0x00000008
 210 
 211 #define UF_LOCKOUT                              0x00000010
 212 #define UF_PASSWD_NOTREQD                       0x00000020
 213 #define UF_PASSWD_CANT_CHANGE                   0x00000040
 214 #define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED      0x00000080
 215 
 216 #define UF_TEMP_DUPLICATE_ACCOUNT               0x00000100
 217 #define UF_NORMAL_ACCOUNT                       0x00000200
 218 #define UF_UNUSED_2                             0x00000400
 219 #define UF_INTERDOMAIN_TRUST_ACCOUNT            0x00000800
 220 
 221 #define UF_WORKSTATION_TRUST_ACCOUNT            0x00001000
 222 #define UF_SERVER_TRUST_ACCOUNT                 0x00002000
 223 #define UF_UNUSED_3                             0x00004000
 224 #define UF_UNUSED_4                             0x00008000
 225 
 226 #define UF_DONT_EXPIRE_PASSWD                   0x00010000
 227 #define UF_MNS_LOGON_ACCOUNT                    0x00020000
 228 #define UF_SMARTCARD_REQUIRED                   0x00040000
 229 #define UF_TRUSTED_FOR_DELEGATION               0x00080000
 230 
 231 #define UF_NOT_DELEGATED                        0x00100000
 232 #define UF_USE_DES_KEY_ONLY                     0x00200000
 233 #define UF_DONT_REQUIRE_PREAUTH                 0x00400000
 234 #define UF_PASSWORD_EXPIRED                     0x00800000
 235 
 236 #define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
 237 #define UF_NO_AUTH_DATA_REQUIRED                0x02000000
 238 #define UF_UNUSED_8                             0x04000000
 239 #define UF_UNUSED_9                             0x08000000
 240 
 241 #define UF_UNUSED_10                            0x10000000
 242 #define UF_UNUSED_11                            0x20000000
 243 #define UF_UNUSED_12                            0x40000000
 244 #define UF_UNUSED_13                            0x80000000
 245 
 246 #define UF_MACHINE_ACCOUNT_MASK (\
 247                 UF_INTERDOMAIN_TRUST_ACCOUNT |\
 248                 UF_WORKSTATION_TRUST_ACCOUNT |\
 249                 UF_SERVER_TRUST_ACCOUNT \
 250                 )
 251 
 252 #define UF_ACCOUNT_TYPE_MASK (\
 253                 UF_TEMP_DUPLICATE_ACCOUNT |\
 254                 UF_NORMAL_ACCOUNT |\
 255                 UF_INTERDOMAIN_TRUST_ACCOUNT |\
 256                 UF_WORKSTATION_TRUST_ACCOUNT |\
 257                 UF_SERVER_TRUST_ACCOUNT \
 258                 )
 259 
 260 #define UF_SETTABLE_BITS (\
 261                 UF_SCRIPT |\
 262                 UF_ACCOUNTDISABLE |\
 263                 UF_HOMEDIR_REQUIRED  |\
 264                 UF_LOCKOUT |\
 265                 UF_PASSWD_NOTREQD |\
 266                 UF_PASSWD_CANT_CHANGE |\
 267                 UF_ACCOUNT_TYPE_MASK | \
 268                 UF_DONT_EXPIRE_PASSWD | \
 269                 UF_MNS_LOGON_ACCOUNT |\
 270                 UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED |\
 271                 UF_SMARTCARD_REQUIRED |\
 272                 UF_TRUSTED_FOR_DELEGATION |\
 273                 UF_NOT_DELEGATED |\
 274                 UF_USE_DES_KEY_ONLY  |\
 275                 UF_DONT_REQUIRE_PREAUTH \
 276                 )
 277 
 278 /* sAMAccountType */
 279 #define ATYPE_NORMAL_ACCOUNT                    0x30000000 /* 805306368 */
 280 #define ATYPE_WORKSTATION_TRUST                 0x30000001 /* 805306369 */
 281 #define ATYPE_INTERDOMAIN_TRUST                 0x30000002 /* 805306370 */ 
 282 #define ATYPE_SECURITY_GLOBAL_GROUP             0x10000000 /* 268435456 */
 283 #define ATYPE_DISTRIBUTION_GLOBAL_GROUP         0x10000001 /* 268435457 */
 284 #define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP      ATYPE_DISTRIBUTION_GLOBAL_GROUP
 285 #define ATYPE_SECURITY_LOCAL_GROUP              0x20000000 /* 536870912 */
 286 #define ATYPE_DISTRIBUTION_LOCAL_GROUP          0x20000001 /* 536870913 */
 287 
 288 #define ATYPE_ACCOUNT           ATYPE_NORMAL_ACCOUNT            /* 0x30000000 805306368 */
 289 #define ATYPE_GLOBAL_GROUP      ATYPE_SECURITY_GLOBAL_GROUP     /* 0x10000000 268435456 */
 290 #define ATYPE_LOCAL_GROUP       ATYPE_SECURITY_LOCAL_GROUP      /* 0x20000000 536870912 */
 291 
 292 /* groupType */
 293 #define GROUP_TYPE_BUILTIN_LOCAL_GROUP          0x00000001
 294 #define GROUP_TYPE_ACCOUNT_GROUP                0x00000002
 295 #define GROUP_TYPE_RESOURCE_GROUP               0x00000004
 296 #define GROUP_TYPE_UNIVERSAL_GROUP              0x00000008
 297 #define GROUP_TYPE_APP_BASIC_GROUP              0x00000010
 298 #define GROUP_TYPE_APP_QUERY_GROUP              0x00000020
 299 #define GROUP_TYPE_SECURITY_ENABLED             0x80000000
 300 
 301 #define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP (    /* 0x80000005 -2147483643 */ \
 302                 GROUP_TYPE_BUILTIN_LOCAL_GROUP| \
 303                 GROUP_TYPE_RESOURCE_GROUP| \
 304                 GROUP_TYPE_SECURITY_ENABLED \
 305                 )
 306 #define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP (     /* 0x80000004 -2147483644 */ \
 307                 GROUP_TYPE_RESOURCE_GROUP| \
 308                 GROUP_TYPE_SECURITY_ENABLED \
 309                 )
 310 #define GTYPE_SECURITY_GLOBAL_GROUP (           /* 0x80000002 -2147483646 */ \
 311                 GROUP_TYPE_ACCOUNT_GROUP| \
 312                 GROUP_TYPE_SECURITY_ENABLED \
 313                 )
 314 #define GTYPE_SECURITY_UNIVERSAL_GROUP (        /* 0x80000008 -2147483656 */ \
 315                 GROUP_TYPE_UNIVERSAL_GROUP| \
 316                 GROUP_TYPE_SECURITY_ENABLED \
 317                 )
 318 
 319 #define GTYPE_DISTRIBUTION_GLOBAL_GROUP         0x00000002      /* 2 */
 320 #define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP   0x00000004      /* 4 */
 321 #define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP      0x00000008      /* 8 */
 322 
 323 #define ADS_PINGS          0x0000FFFF  /* Ping response */
 324 #define ADS_DNS_CONTROLLER 0x20000000  /* DomainControllerName is a DNS name*/
 325 #define ADS_DNS_DOMAIN     0x40000000  /* DomainName is a DNS name */
 326 #define ADS_DNS_FOREST     0x80000000  /* DnsForestName is a DNS name */
 327 
 328 /* ads auth control flags */
 329 #define ADS_AUTH_DISABLE_KERBEROS 0x0001
 330 #define ADS_AUTH_NO_BIND          0x0002
 331 #define ADS_AUTH_ANON_BIND        0x0004
 332 #define ADS_AUTH_SIMPLE_BIND      0x0008
 333 #define ADS_AUTH_ALLOW_NTLMSSP    0x0010
 334 #define ADS_AUTH_SASL_SIGN        0x0020
 335 #define ADS_AUTH_SASL_SEAL        0x0040
 336 #define ADS_AUTH_SASL_FORCE       0x0080
 337 #define ADS_AUTH_USER_CREDS       0x0100
 338 
 339 /* Kerberos environment variable names */
 340 #define KRB5_ENV_CCNAME "KRB5CCNAME"
 341 
 342 /* Heimdal uses a slightly different name */
 343 #if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
 344 #define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
 345 #endif
 346 
 347 /* The older versions of heimdal that don't have this
 348    define don't seem to use it anyway.  I'm told they
 349    always use a subkey */
 350 #ifndef HAVE_AP_OPTS_USE_SUBKEY
 351 #define AP_OPTS_USE_SUBKEY 0
 352 #endif
 353 
 354 #define WELL_KNOWN_GUID_COMPUTERS       "AA312825768811D1ADED00C04FD8D5CD" 
 355 #define WELL_KNOWN_GUID_USERS           "A9D1CA15768811D1ADED00C04FD8D5CD"
 356 
 357 #ifndef KRB5_ADDR_NETBIOS
 358 #define KRB5_ADDR_NETBIOS 0x14
 359 #endif
 360 
 361 #ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
 362 #define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
 363 #endif
 364 
 365 #ifdef HAVE_KRB5
 366 typedef struct {
 367 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
 368         krb5_address **addrs;
 369 #elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
 370         krb5_addresses *addrs;
 371 #else
 372 #error UNKNOWN_KRB5_ADDRESS_TYPE
 373 #endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
 374 } smb_krb5_addresses;
 375 
 376 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
 377 #define KRB5_KEY_TYPE(k)        ((k)->keytype)
 378 #define KRB5_KEY_LENGTH(k)      ((k)->keyvalue.length)
 379 #define KRB5_KEY_DATA(k)        ((k)->keyvalue.data)
 380 #define KRB5_KEY_DATA_CAST      void
 381 #else /* MIT */
 382 #define KRB5_KEY_TYPE(k)        ((k)->enctype)
 383 #define KRB5_KEY_LENGTH(k)      ((k)->length)
 384 #define KRB5_KEY_DATA(k)        ((k)->contents)
 385 #define KRB5_KEY_DATA_CAST      krb5_octet
 386 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
 387 
 388 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY               /* MIT */
 389 #define KRB5_KT_KEY(k)          (&(k)->key)
 390 #elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
 391 #define KRB5_KT_KEY(k)          (&(k)->keyblock)
 392 #else
 393 #error krb5_keytab_entry has no key or keyblock member
 394 #endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
 395 
 396 #endif /* HAVE_KRB5 */
 397 
 398 enum ads_extended_dn_flags {
 399         ADS_EXTENDED_DN_HEX_STRING      = 0,
 400         ADS_EXTENDED_DN_STRING          = 1 /* not supported on win2k */
 401 };
 402 
 403 /* this is probably not very well suited to pass other controls generically but
 404  * is good enough for the extended dn control where it is only used for atm */
 405 
 406 typedef struct {
 407         const char *control;
 408         int val;
 409         int critical;
 410 } ads_control;
 411 
 412 #define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
 413 
 414 #define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178@please_ignore"
 415 
 416 /* Settings for the domainFunctionality attribute in the rootDSE */
 417 
 418 #define DS_DOMAIN_FUNCTION_2000         0
 419 #define DS_DOMAIN_FUCNTION_2003_MIXED   1
 420 #define DS_DOMAIN_FUNCTION_2003         2
 421 #define DS_DOMAIN_FUNCTION_2008         3
 422 
 423 #endif  /* _INCLUDE_ADS_H_ */

/* [<][>][^][v][top][bottom][index][help] */