// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

syntax = "proto2";

// LITE_RUNTIME drops descriptor/reflection support from the generated code
// (smaller binaries, no dynamic message handling). Adequate for this D-Bus IPC
// contract, but any tooling that needs reflection on these messages cannot use
// them directly.
option optimize_for = LITE_RUNTIME;

package authpolicy;

// D-Bus call error codes. These values are written to logs. New enum values can
// be added, but existing enums must never be renumbered or deleted and reused.
// Add new values directly before ERROR_COUNT and bump ERROR_COUNT accordingly.
enum ErrorType {
  // TODO(ljusten): Remove this and ERROR_NO_WINDOWS_POLICY when Chrome is
  // switched over, see crbug.com/807999.
  // allow_alias is only needed because ERROR_NO_DEVICE_POLICY and
  // ERROR_NO_WINDOWS_POLICY share wire value 34 (see below); do not add any
  // further aliases.
  option allow_alias = true;

  // Everything is A-OK! Also the proto2 default when a field of this type is
  // unset, so receivers should check has_*() before treating it as success.
  ERROR_NONE = 0;
  // Unspecified error.
  ERROR_UNKNOWN = 1;
  // Unspecified D-Bus error.
  ERROR_DBUS_FAILURE = 2;
  // Badly formatted user principal name.
  ERROR_PARSE_UPN_FAILED = 3;
  // Auth failed because of bad user name.
  ERROR_BAD_USER_NAME = 4;
  // Auth failed because of bad password.
  ERROR_BAD_PASSWORD = 5;
  // Auth failed because of expired password.
  ERROR_PASSWORD_EXPIRED = 6;
  // Auth failed because of bad realm or network.
  ERROR_CANNOT_RESOLVE_KDC = 7;
  // kinit exited with unspecified error.
  ERROR_KINIT_FAILED = 8;
  // net exited with unspecified error.
  ERROR_NET_FAILED = 9;
  // smbclient exited with unspecified error.
  ERROR_SMBCLIENT_FAILED = 10;
  // authpolicy_parser exited with unknown error.
  ERROR_PARSE_FAILED = 11;
  // Parsing GPOs failed.
  ERROR_PARSE_PREG_FAILED = 12;
  // GPO data is bad.
  ERROR_BAD_GPOS = 13;
  // Some local IO operation failed.
  ERROR_LOCAL_IO = 14;
  // Machine is not joined to AD domain yet.
  ERROR_NOT_JOINED = 15;
  // User is not logged in yet.
  ERROR_NOT_LOGGED_IN = 16;
  // Failed to send policy to session_manager.
  ERROR_STORE_POLICY_FAILED = 17;
  // User doesn't have the right to join machines to the domain.
  ERROR_JOIN_ACCESS_DENIED = 18;
  // General network problem.
  ERROR_NETWORK_PROBLEM = 19;
  // Machine name contains restricted characters.
  ERROR_INVALID_MACHINE_NAME = 20;
  // Machine name too long.
  ERROR_MACHINE_NAME_TOO_LONG = 21;
  // User joined maximum number of machines to the domain.
  ERROR_USER_HIT_JOIN_QUOTA = 22;
  // Kinit or smbclient failed to contact Key Distribution Center.
  ERROR_CONTACTING_KDC_FAILED = 23;
  // Kerberos credentials cache not found.
  ERROR_NO_CREDENTIALS_CACHE_FOUND = 24;
  // Kerberos ticket expired while renewing credentials.
  ERROR_KERBEROS_TICKET_EXPIRED = 25;
  // Klist exited with unspecified error.
  ERROR_KLIST_FAILED = 26;
  // Kinit failed because of bad machine name.
  ERROR_BAD_MACHINE_NAME = 27;
  // Kinit failed to change the password because the password was rejected.
  ERROR_PASSWORD_REJECTED = 28;
  // Returned by RefreshDevicePolicy when policy fetch succeeded but policy
  // cannot be sent to session_manager because install attributes are not locked
  // yet. authpolicyd caches policy in this case and returns it in the next
  // RefreshDevicePolicy call. Should happen during enrollment only.
  ERROR_DEVICE_POLICY_CACHED_BUT_NOT_SENT = 29;
  // Join failed because computer organizational unit does not exist.
  ERROR_OU_DOES_NOT_EXIST = 30;
  // Join failed because computer organizational unit is invalid.
  ERROR_INVALID_OU = 31;
  // Setting computer organizational unit failed with insufficient permissions.
  ERROR_OU_ACCESS_DENIED = 32;
  // Setting computer organizational unit failed with unspecified error.
  ERROR_SETTING_OU_FAILED = 33;
  // Fetching user policy failed because device policy was unavailable.
  ERROR_NO_DEVICE_POLICY = 34;
  // Alias of ERROR_NO_DEVICE_POLICY (same wire value 34), kept only until
  // Chrome is switched over; see the TODO at the top of this enum.
  ERROR_NO_WINDOWS_POLICY = 34;
  // Domain join failed because the device is already joined.
  ERROR_ALREADY_JOINED = 35;
  // Domain join failed because KDC does not support the encryption enforced in
  // the Samba configuration, e.g. if 'kerberos encryption types' is set to
  // 'strong' to enforce AES encryption, but KDC does not support AES.
  ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE = 36;
  // Should be the last. Sentinel equal to the number of distinct values above
  // (0..36); never a valid error code on its own.
  ERROR_COUNT = 37;
}

// Message sent to Chrome by authpolicyd as a response of a successful
// AuthenticateUser call. Contains information about authenticated user fetched
// from Active Directory server with "net ads search ...".
// The string fields are copied from the directory record as received; this
// schema applies no validation beyond proto's UTF-8 requirement for strings.
message ActiveDirectoryAccountInfo {
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information. This is the stable identifier
  // for the account; the name fields below can change on the server.
  optional string account_id = 1;
  // Display name of the user. Taken from the displayName property of the Active
  // Directory user account information.
  optional string display_name = 2;
  // Given name of the user. AKA first name. Taken from the givenName property
  // of the Active Directory user account information.
  optional string given_name = 3;
  // Logon name of the user (without @realm). Taken from the sAMAccountName
  // property of the Active Directory user account information.
  optional string sam_account_name = 4;
  // Timestamp when the password was last set, see
  // https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx. Taken from
  // the pwdLastSet property of the Active Directory user account information.
  // Kept in the directory's own encoding (a Windows large-integer timestamp of
  // 100-ns intervals since 1601-01-01 UTC), not a Unix epoch value.
  // Used in authpolicyd only, unused in Chrome.
  optional uint64 pwd_last_set = 5;
  // User account control flags, see
  // https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx. Taken from
  // the userAccountControl property of the Active Directory user account
  // information. A bitmask; decode per the linked documentation.
  // Used in authpolicyd only, unused in Chrome.
  optional uint32 user_account_control = 6;
  // Common name of the user, e.g. "John Doe [jdoe]". Taken from the commonName
  // property of the Active Directory user account information.
  optional string common_name = 7;
  // Next ID to use: 8
}

// Message sent to Chrome by authpolicyd as a response to a successful
// GetUserStatus call.
// Note on defaults: for each enum field below, the proto2 default (first listed
// value) is the "all good" state (TGT_VALID, PASSWORD_VALID, ERROR_NONE). A
// receiver should therefore check has_*() rather than assume an unset field
// means the credential is valid.
message ActiveDirectoryUserStatus {
  // Ticket-granting-ticket status.
  enum TgtStatus {
    TGT_VALID = 0;      // Ticket is still valid. (Default when unset.)
    TGT_EXPIRED = 1;    // Ticket expired.
    TGT_NOT_FOUND = 2;  // Kerberos credentials cache not found.
    // Next ID to use: 3
  }

  // Whether the password has to be changed or sync'ed with cryptohome.
  enum PasswordStatus {
    PASSWORD_VALID = 0;    // Valid as far as we can tell. (Default when unset.)
    PASSWORD_EXPIRED = 1;  // User has to enter a new password on next logon.
    PASSWORD_CHANGED = 2;  // Changed on server, possibly from other client.
    // Next ID to use: 3
  }

  // User's account information, see above.
  optional ActiveDirectoryAccountInfo account_info = 1;
  // Status of the user's ticket-granting-ticket (TGT).
  optional TgtStatus tgt_status = 2;
  // Status of the user's password.
  optional PasswordStatus password_status = 3;
  // Last error returned from AuthenticateUser D-Bus call.
  optional ErrorType last_auth_error = 4;
  // Next ID to use: 5
}

// Message sent to Chrome by authpolicyd as a response to a successful
// GetUserKerberosFiles call.
// Both fields are raw file contents, not paths.
message KerberosFiles {
  // Kerberos credential cache. Contains the user's tickets, i.e. live
  // authentication material: treat as secret, never log it, and restrict where
  // it is written.
  optional bytes krb5cc = 1;
  // Kerberos configuration file.
  optional bytes krb5conf = 2;
  // Next ID to use: 3
}

// What Kerberos encryption types kinit should use.
// Note that the proto2 default for a bare field of this type is ENC_TYPES_ALL
// (first value); JoinDomainRequest overrides this with an explicit default of
// ENC_TYPES_STRONG. RC4_HMAC is a legacy cipher and should only be enabled
// where the KDC cannot negotiate AES.
enum KerberosEncryptionTypes {
  ENC_TYPES_ALL = 0;     // AES + RC4_HMAC (AES preferred when offered).
  ENC_TYPES_STRONG = 1;  // AES only.
  ENC_TYPES_LEGACY = 2;  // RC4_HMAC only.
  // Next ID to use: 3
}

// Message sent by Chrome to authpolicyd with JoinAdDomain call.
// The joining user's password is not carried in this message.
message JoinDomainRequest {
  // Logon name of the user (with @realm) who joins the machine to the domain.
  optional string user_principal_name = 1;
  // Netbios computer (aka machine) name for the joining device.
  // https://technet.microsoft.com/en-us/library/cc959322.aspx
  // authpolicyd rejects names that are too long or contain restricted
  // characters (ERROR_MACHINE_NAME_TOO_LONG / ERROR_INVALID_MACHINE_NAME).
  optional string machine_name = 2;
  // Domain (realm) the machine should be joined to.
  optional string machine_domain = 3;
  // Organizational unit the machine should be put into. Goes from leaf to root,
  // i.e. the OU at index 1 is the parent of OU at index 0, etc.
  // Each entry is one OU name component, not a full distinguished name; the
  // entries are presumably composed into a DN by authpolicyd, which must treat
  // them as untrusted input and escape DN special characters — TODO confirm.
  repeated string machine_ou = 4;
  // Supported Kerberos encryption types for domain join. By default, only
  // strong types are allowed during negotiation. However, some Active Directory
  // setups might be configured to not allow strong types, in particular for
  // cross-domain authentication (join machine to domain A using credentials
  // from domain B), where at the time of writing the default settings do not
  // allow strong encryption. In this case, domain join fails. Likewise, there
  // might also be rare use cases that require legacy encryption only. If the
  // server supports strong encryption, it is always preferred.
  // On the sign-in screen and during user sessions the device policy
  // DeviceKerberosEncryptionTypes policy is used to determine encryption types.
  // The explicit default below is what makes an unset field mean STRONG rather
  // than the enum's first value, ENC_TYPES_ALL.
  optional KerberosEncryptionTypes kerberos_encryption_types = 5
      [default = ENC_TYPES_STRONG];
  // The DM token used by Chrome to authenticate to DM server. Passed during
  // domain join so authpolicyd can set it in device policy as it's done for
  // cloud management. This is a bearer credential: do not log it or include it
  // in error messages.
  optional string dm_token = 6;
  // Next ID to use: 7
}

// Message sent by Chrome to authpolicyd with AuthenticateUser call.
// The user's password is not carried in this message. On success authpolicyd
// answers with ActiveDirectoryAccountInfo.
message AuthenticateUserRequest {
  // Logon name of the user (with @realm). A malformed value yields
  // ERROR_PARSE_UPN_FAILED.
  optional string user_principal_name = 1;
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information. Optional; when set it is the
  // stable identifier for the account — confirm against authpolicyd how it is
  // reconciled with user_principal_name.
  optional string account_id = 2;
  // Next ID to use: 3
}

// Message sent by Chrome to authpolicyd with GetUserStatus call.
// Answered with ActiveDirectoryUserStatus on success. Kept as a separate
// message from AuthenticateUserRequest even though the fields currently match,
// so that the two calls can evolve independently.
message GetUserStatusRequest {
  // Logon name of the user (with @realm).
  optional string user_principal_name = 1;
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information.
  optional string account_id = 2;
  // Next ID to use: 3
}