| 1 | /*
|
|---|
| 2 | * Unix SMB/CIFS implementation.
|
|---|
| 3 | * secrets.tdb file format info
|
|---|
| 4 | * Copyright (C) Andrew Tridgell 2000
|
|---|
| 5 | *
|
|---|
| 6 | * This program is free software; you can redistribute it and/or modify it
|
|---|
| 7 | * under the terms of the GNU General Public License as published by the
|
|---|
| 8 | * Free Software Foundation; either version 3 of the License, or (at your
|
|---|
| 9 | * option) any later version.
|
|---|
| 10 | *
|
|---|
| 11 | * This program is distributed in the hope that it will be useful, but WITHOUT
|
|---|
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|---|
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
|---|
| 14 | * more details.
|
|---|
| 15 | *
|
|---|
| 16 | * You should have received a copy of the GNU General Public License along with
|
|---|
| 17 | * this program; if not, see <http://www.gnu.org/licenses/>.
|
|---|
| 18 | */
|
|---|
| 19 |
|
|---|
| 20 | #ifndef _SECRETS_H
|
|---|
| 21 | #define _SECRETS_H
|
|---|
| 22 |
|
|---|
| 23 | /* the first one is for the hashed password (NT4 style) the latter
|
|---|
| 24 | for plaintext (ADS)
|
|---|
| 25 | */
|
|---|
| 26 | #define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC"
|
|---|
| 27 | #define SECRETS_MACHINE_PASSWORD "SECRETS/MACHINE_PASSWORD"
|
|---|
| 28 | #define SECRETS_MACHINE_PASSWORD_PREV "SECRETS/MACHINE_PASSWORD.PREV"
|
|---|
| 29 | #define SECRETS_MACHINE_LAST_CHANGE_TIME "SECRETS/MACHINE_LAST_CHANGE_TIME"
|
|---|
| 30 | #define SECRETS_MACHINE_SEC_CHANNEL_TYPE "SECRETS/MACHINE_SEC_CHANNEL_TYPE"
|
|---|
| 31 | #define SECRETS_MACHINE_TRUST_ACCOUNT_NAME "SECRETS/SECRETS_MACHINE_TRUST_ACCOUNT_NAME"
|
|---|
| 32 | /* this one is for storing trusted domain account password */
|
|---|
| 33 | #define SECRETS_DOMTRUST_ACCT_PASS "SECRETS/$DOMTRUST.ACC"
|
|---|
| 34 |
|
|---|
| 35 | /* Store the principal name used for Kerberos DES key salt under this key name. */
|
|---|
| 36 | #define SECRETS_SALTING_PRINCIPAL "SECRETS/SALTING_PRINCIPAL"
|
|---|
| 37 |
|
|---|
| 38 | /* The domain sid and our sid are stored here even though they aren't
|
|---|
| 39 | really secret. */
|
|---|
| 40 | #define SECRETS_DOMAIN_SID "SECRETS/SID"
|
|---|
| 41 | #define SECRETS_SAM_SID "SAM/SID"
|
|---|
| 42 | #define SECRETS_PROTECT_IDS "SECRETS/PROTECT/IDS"
|
|---|
| 43 |
|
|---|
| 44 | /* The domain GUID and server GUID (NOT the same) are also not secret */
|
|---|
| 45 | #define SECRETS_DOMAIN_GUID "SECRETS/DOMGUID"
|
|---|
| 46 | #define SECRETS_SERVER_GUID "SECRETS/GUID"
|
|---|
| 47 |
|
|---|
| 48 | #define SECRETS_LDAP_BIND_PW "SECRETS/LDAP_BIND_PW"
|
|---|
| 49 |
|
|---|
| 50 | #define SECRETS_LOCAL_SCHANNEL_KEY "SECRETS/LOCAL_SCHANNEL_KEY"
|
|---|
| 51 |
|
|---|
| 52 | /* Authenticated user info is stored in secrets.tdb under these keys */
|
|---|
| 53 |
|
|---|
| 54 | #define SECRETS_AUTH_USER "SECRETS/AUTH_USER"
|
|---|
| 55 | #define SECRETS_AUTH_DOMAIN "SECRETS/AUTH_DOMAIN"
|
|---|
| 56 | #define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD"
|
|---|
| 57 |
|
|---|
| 58 | /* structure for storing machine account password
|
|---|
| 59 | (ie. when samba server is member of a domain */
|
|---|
| 60 | struct machine_acct_pass {
|
|---|
| 61 | uint8_t hash[16];
|
|---|
| 62 | time_t mod_time;
|
|---|
| 63 | };
|
|---|
| 64 |
|
|---|
| 65 | /*
|
|---|
| 66 | * Format of an OpenAFS keyfile
|
|---|
| 67 | */
|
|---|
| 68 |
|
|---|
| 69 | #define SECRETS_AFS_MAXKEYS 8
|
|---|
| 70 |
|
|---|
| 71 | struct afs_key {
|
|---|
| 72 | uint32_t kvno;
|
|---|
| 73 | char key[8];
|
|---|
| 74 | };
|
|---|
| 75 |
|
|---|
| 76 | struct afs_keyfile {
|
|---|
| 77 | uint32_t nkeys;
|
|---|
| 78 | struct afs_key entry[SECRETS_AFS_MAXKEYS];
|
|---|
| 79 | };
|
|---|
| 80 |
|
|---|
| 81 | #define SECRETS_AFS_KEYFILE "SECRETS/AFS_KEYFILE"
|
|---|
| 82 |
|
|---|
| 83 | /* The following definitions come from passdb/secrets.c */
|
|---|
| 84 |
|
|---|
| 85 | bool secrets_init_path(const char *private_dir);
|
|---|
| 86 | bool secrets_init(void);
|
|---|
| 87 | struct db_context *secrets_db_ctx(void);
|
|---|
| 88 | void secrets_shutdown(void);
|
|---|
| 89 | void *secrets_fetch(const char *key, size_t *size);
|
|---|
| 90 | bool secrets_store(const char *key, const void *data, size_t size);
|
|---|
| 91 | bool secrets_delete(const char *key);
|
|---|
| 92 |
|
|---|
| 93 | /* The following definitions come from passdb/machine_account_secrets.c */
|
|---|
| 94 | bool secrets_mark_domain_protected(const char *domain);
|
|---|
| 95 | bool secrets_clear_domain_protection(const char *domain);
|
|---|
| 96 | bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid);
|
|---|
| 97 | bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid);
|
|---|
| 98 | bool secrets_store_domain_guid(const char *domain, struct GUID *guid);
|
|---|
| 99 | bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid);
|
|---|
| 100 | enum netr_SchannelType get_default_sec_channel(void);
|
|---|
| 101 | bool secrets_fetch_trust_account_password_legacy(const char *domain,
|
|---|
| 102 | uint8_t ret_pwd[16],
|
|---|
| 103 | time_t *pass_last_set_time,
|
|---|
| 104 | enum netr_SchannelType *channel);
|
|---|
| 105 | bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16],
|
|---|
| 106 | time_t *pass_last_set_time,
|
|---|
| 107 | enum netr_SchannelType *channel);
|
|---|
| 108 | bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
|
|---|
| 109 | struct dom_sid *sid, time_t *pass_last_set_time);
|
|---|
| 110 | bool secrets_store_trusted_domain_password(const char* domain, const char* pwd,
|
|---|
| 111 | const struct dom_sid *sid);
|
|---|
| 112 | bool secrets_delete_machine_password_ex(const char *domain);
|
|---|
| 113 | bool secrets_delete_domain_sid(const char *domain);
|
|---|
| 114 | bool secrets_store_machine_password(const char *pass, const char *domain, enum netr_SchannelType sec_channel);
|
|---|
| 115 | char *secrets_fetch_prev_machine_password(const char *domain);
|
|---|
| 116 | time_t secrets_fetch_pass_last_set_time(const char *domain);
|
|---|
| 117 | char *secrets_fetch_machine_password(const char *domain,
|
|---|
| 118 | time_t *pass_last_set_time,
|
|---|
| 119 | enum netr_SchannelType *channel);
|
|---|
| 120 | bool trusted_domain_password_delete(const char *domain);
|
|---|
| 121 | bool secrets_store_ldap_pw(const char* dn, char* pw);
|
|---|
| 122 | bool fetch_ldap_pw(char **dn, char** pw);
|
|---|
| 123 | bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile);
|
|---|
| 124 | bool secrets_fetch_afs_key(const char *cell, struct afs_key *result);
|
|---|
| 125 | void secrets_fetch_ipc_userpass(char **username, char **domain, char **password);
|
|---|
| 126 | bool secrets_store_generic(const char *owner, const char *key, const char *secret);
|
|---|
| 127 | char *secrets_fetch_generic(const char *owner, const char *key);
|
|---|
| 128 |
|
|---|
| 129 | bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain,
|
|---|
| 130 | const char *realm,
|
|---|
| 131 | const char *salting_principal, uint32_t supported_enc_types,
|
|---|
| 132 | const struct dom_sid *domain_sid, uint32_t last_change_time,
|
|---|
| 133 | uint32_t secure_channel,
|
|---|
| 134 | bool delete_join);
|
|---|
| 135 |
|
|---|
| 136 | /* The following definitions come from passdb/secrets_lsa.c */
|
|---|
| 137 | NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx,
|
|---|
| 138 | const char *secret_name,
|
|---|
| 139 | DATA_BLOB *secret_current,
|
|---|
| 140 | NTTIME *secret_current_lastchange,
|
|---|
| 141 | DATA_BLOB *secret_old,
|
|---|
| 142 | NTTIME *secret_old_lastchange,
|
|---|
| 143 | struct security_descriptor **sd);
|
|---|
| 144 | NTSTATUS lsa_secret_set(const char *secret_name,
|
|---|
| 145 | DATA_BLOB *secret_current,
|
|---|
| 146 | DATA_BLOB *secret_old,
|
|---|
| 147 | struct security_descriptor *sd);
|
|---|
| 148 | NTSTATUS lsa_secret_delete(const char *secret_name);
|
|---|
| 149 |
|
|---|
| 150 | #endif /* _SECRETS_H */
|
|---|
