| // Copyright 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| syntax = "proto2"; |
| |
| option optimize_for = LITE_RUNTIME; |
| |
| package authpolicy; |
| |
| // D-Bus call error codes. These values are written to logs. New enum values can |
| // be added, but existing enums must never be renumbered or deleted and reused. |
| enum ErrorType { |
| // Everything is A-OK! |
| ERROR_NONE = 0; |
| // Unspecified error. |
| ERROR_UNKNOWN = 1; |
| // Unspecified D-Bus error. |
| ERROR_DBUS_FAILURE = 2; |
| // Badly formatted user principal name. |
| ERROR_PARSE_UPN_FAILED = 3; |
| // Auth failed because of bad user name. |
| ERROR_BAD_USER_NAME = 4; |
| // Auth failed because of bad password. |
| ERROR_BAD_PASSWORD = 5; |
| // Auth failed because of expired password. |
| ERROR_PASSWORD_EXPIRED = 6; |
| // Auth failed because of bad realm or network. |
| ERROR_CANNOT_RESOLVE_KDC = 7; |
| // kinit exited with unspecified error. |
| ERROR_KINIT_FAILED = 8; |
| // net exited with unspecified error. |
| ERROR_NET_FAILED = 9; |
| // smdclient exited with unspecified error. |
| ERROR_SMBCLIENT_FAILED = 10; |
| // authpolicy_parser exited with unknown error. |
| ERROR_PARSE_FAILED = 11; |
| // Parsing GPOs failed. |
| ERROR_PARSE_PREG_FAILED = 12; |
| // GPO data is bad. |
| ERROR_BAD_GPOS = 13; |
| // Some local IO operation failed. |
| ERROR_LOCAL_IO = 14; |
| // Machine is not joined to AD domain yet. |
| ERROR_NOT_JOINED = 15; |
| // User is not logged in yet. |
| ERROR_NOT_LOGGED_IN = 16; |
| // Failed to send policy to session_manager. |
| ERROR_STORE_POLICY_FAILED = 17; |
| // User doesn't have the right to join machines to the domain. |
| ERROR_JOIN_ACCESS_DENIED = 18; |
| // General network problem. |
| ERROR_NETWORK_PROBLEM = 19; |
| // Machine name contains restricted characters. |
| ERROR_INVALID_MACHINE_NAME = 20; |
| // Machine name too long. |
| ERROR_MACHINE_NAME_TOO_LONG = 21; |
| // User joined maximum number of machines to the domain. |
| ERROR_USER_HIT_JOIN_QUOTA = 22; |
| // Kinit or smbclient failed to contact Key Distribution Center. |
| ERROR_CONTACTING_KDC_FAILED = 23; |
| // Kerberos credentials cache not found. |
| ERROR_NO_CREDENTIALS_CACHE_FOUND = 24; |
| // Kerberos ticket expired while renewing credentials. |
| ERROR_KERBEROS_TICKET_EXPIRED = 25; |
| // Klist exited with unspecified error. |
| ERROR_KLIST_FAILED = 26; |
| // Kinit failed because of bad machine name. |
| ERROR_BAD_MACHINE_NAME = 27; |
| // Kinit failed to change the password because the password was rejected. |
| ERROR_PASSWORD_REJECTED = 28; |
| // Returned by RefreshDevicePolicy when policy fetch succeeded but policy |
| // cannot be sent to session_manager because install attributes are not locked |
| // yet. authpolicyd caches policy in this case and returns it in the next |
| // RefreshDevicePolicy call. Should happen during enrollment only. |
| ERROR_DEVICE_POLICY_CACHED_BUT_NOT_SENT = 29; |
| // Join failed because computer organizational unit does not exist. |
| ERROR_OU_DOES_NOT_EXIST = 30; |
| // Join failed because computer organizational unit is invalid. |
| ERROR_INVALID_OU = 31; |
| // Setting computer organizational unit failed with insufficient permissions. |
| ERROR_OU_ACCESS_DENIED = 32; |
| // Setting computer organizational unit failed with unspecified error. |
| ERROR_SETTING_OU_FAILED = 33; |
| // Fetching user policy failed because device policy was unavailable. |
| ERROR_NO_DEVICE_POLICY = 34; |
| // Domain join failed because the device is already joined. |
| ERROR_ALREADY_JOINED = 35; |
| // Domain join failed because KDC does not support the encryption enforced in |
| // the Samba configuration, e.g. if 'kerberos encryption types' is set to |
| // 'strong' to enforce AES encryption, but KDC does not support AES. |
| ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE = 36; |
| // Kpasswd exited with unspecified error. |
| ERROR_KPASSWD_FAILED = 37; |
| // Setting computer organizational unit failed with constraint violation. |
| ERROR_OU_CONSTRAINT_VIOLATION = 38; |
| // Should be the last. |
| ERROR_COUNT = 39; |
| } |
| |
| // Message sent to Chrome by authpolicyd as a response of a successful |
| // AuthenticateUser call. Contains information about authenticated user fetched |
| // from Active Directory server with "net ads search ...". |
| message ActiveDirectoryAccountInfo { |
| // Unique id of the user account. Taken from the objectGUID property of the |
| // Active Directory user account information. |
| optional string account_id = 1; |
| // Display name of the user. Taken from the displayName property of the Active |
| // account information. |
| optional string display_name = 2; |
| // Given name of the user. AKA first name. Taken from the givenName property |
| // of the Active Directory user account information. |
| optional string given_name = 3; |
| // Logon name of the user (without @realm). Taken from the sAMAccountName |
| // property of the Active Directory user account information. |
| optional string sam_account_name = 4; |
| // Timestamp when the password was last set, see |
| // https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx. Taken from |
| // the pwdLastSet property of the Active Directory user account information. |
| // Used in authpolicyd only, unused in Chrome. |
| optional uint64 pwd_last_set = 5; |
| // User account control flags, see |
| // https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx. Taken from |
| // the userAccountControl property of the Active Directory user account |
| // information. Used in authpolicyd only, unused in Chrome. |
| optional uint32 user_account_control = 6; |
| // Common name of the user, e.g. "John Doe [jdoe]". Taken from the commonName |
| // property of the Active Directory user account information. |
| optional string common_name = 7; |
| // Next ID to use: 8 |
| } |
| |
| // Message sent to Chrome by authpolicyd as a response to a successful |
| // GetUserStatus call. |
| message ActiveDirectoryUserStatus { |
| // Ticket-granting-ticket status. |
| enum TgtStatus { |
| TGT_VALID = 0; // Ticket is still valid. |
| TGT_EXPIRED = 1; // Ticket expired. |
| TGT_NOT_FOUND = 2; // Kerberos credentials cache not found. |
| // Next ID to use: 3 |
| } |
| |
| // Whether the password has to be changed or sync'ed with cryptohome. |
| enum PasswordStatus { |
| PASSWORD_VALID = 0; // Valid as far as we can tell. |
| PASSWORD_EXPIRED = 1; // User has to enter a new password on next logon. |
| PASSWORD_CHANGED = 2; // Changed on server, possibly from other client. |
| // Next ID to use: 3 |
| } |
| |
| // User's account information, see above. |
| optional ActiveDirectoryAccountInfo account_info = 1; |
| // Status of the user's ticket-granting-ticket (TGT). |
| optional TgtStatus tgt_status = 2; |
| // Status of the user's password. |
| optional PasswordStatus password_status = 3; |
| reserved 4; |
| // Next ID to use: 5 |
| } |
| |
| // Message sent to Chrome by authpolicyd as a response to a successful |
| // GetUserKerberosFiles call. |
| message KerberosFiles { |
| // Kerberos credential cache. |
| optional bytes krb5cc = 1; |
| // Kerberos configuration file. |
| optional bytes krb5conf = 2; |
| // Next ID to use: 3 |
| } |
| |
| // What Kerberos encryption types kinit should use. These values are written to |
| // logs. New enum values can be added, but existing enums must never be |
| // renumbered or deleted and reused. |
| enum KerberosEncryptionTypes { |
| ENC_TYPES_ALL = 0; // AES + RC4_HMAC. |
| ENC_TYPES_STRONG = 1; // AES only. |
| ENC_TYPES_LEGACY = 2; // RC4_HMAC only. |
| // Should be the last. |
| ENC_TYPES_COUNT = 3; |
| } |
| |
| // Message sent by Chrome to authpolicyd with JoinAdDomain call. |
| message JoinDomainRequest { |
| // Logon name of the user (with @realm) who joins the machine to the domain. |
| optional string user_principal_name = 1; |
| // Netbios computer (aka machine) name for the joining device. |
| // https://technet.microsoft.com/en-us/library/cc959322.aspx |
| optional string machine_name = 2; |
| // Domain (realm) the machine should be joined to. |
| optional string machine_domain = 3; |
| // Organizational unit the machine should be put into. Goes from leaf to root, |
| // i.e. the OU at index 1 is the parent of OU at index 0, etc. |
| repeated string machine_ou = 4; |
| // Supported Kerberos encryption types for domain join. By default, only |
| // strong types are allowed during negotiation. However, some Active Directory |
| // setups might be configured to not allow strong types, in particular for |
| // cross-domain authentication (join machine to domain A using credentials |
| // from domain B), where at the time of writing the default settings do not |
| // allow strong encryption. In this case, domain join fails. Likewise, there |
| // might also be rare use cases that require legacy encryption only. If the |
| // server supports strong encryption, it is always preferred. |
| // On the sign-in screen and during user sessions the device policy |
| // DeviceKerberosEncryptionTypes policy is used to determine encryption types. |
| optional KerberosEncryptionTypes kerberos_encryption_types = 5 |
| [default = ENC_TYPES_STRONG]; |
| // The DM token used by Chrome to authenticate to DM server. Passed during |
| // domain join so authpolicyd can set it in device policy as it's done for |
| // cloud management. |
| optional string dm_token = 6; |
| // Next ID to use: 7 |
| } |
| |
| // Message sent by Chrome to authpolicyd with AuthenticateUser call. |
| message AuthenticateUserRequest { |
| // Logon name of the user (with @realm). |
| optional string user_principal_name = 1; |
| // Unique id of the user account. Taken from the objectGUID property of the |
| // Active Directory user account information. |
| optional string account_id = 2; |
| // Next ID to use: 3 |
| } |
| |
| // Message sent by Chrome to authpolicyd with GetUserStatus call. |
| message GetUserStatusRequest { |
| // Logon name of the user (with @realm). |
| optional string user_principal_name = 1; |
| // Unique id of the user account. Taken from the objectGUID property of the |
| // Active Directory user account information. |
| optional string account_id = 2; |
| // Next ID to use: 3 |
| } |