| // Copyright 2016 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef AUTHPOLICY_SAMBA_INTERFACE_H_ |
| #define AUTHPOLICY_SAMBA_INTERFACE_H_ |
| |
| #include <map> |
| #include <memory> |
| #include <string> |
| #include <vector> |
| |
| #include <base/files/file_path.h> |
| #include <base/macros.h> |
| #include <base/memory/ref_counted.h> |
| #include <base/timer/timer.h> |
| #include <dbus/authpolicy/dbus-constants.h> |
| |
| #include "authpolicy/auth_data_cache.h" |
| #include "authpolicy/authpolicy_flags.h" |
| #include "authpolicy/authpolicy_metrics.h" |
| #include "authpolicy/constants.h" |
| #include "authpolicy/gpo_version_cache.h" |
| #include "authpolicy/jail_helper.h" |
| #include "authpolicy/path_service.h" |
| #include "authpolicy/proto_bindings/active_directory_info.pb.h" |
| #include "authpolicy/samba_helper.h" |
| #include "authpolicy/tgt_manager.h" |
| #include "bindings/authpolicy_containers.pb.h" |
| #include "bindings/chrome_device_policy.pb.h" |
| |
| // Helper methods for Samba Active Directory authentication, machine (device) |
| // joining and policy fetching. Note: "Device" and "machine" can be used |
| // interchangably here. |
| |
| namespace enterprise_management { |
| class ChromeDeviceSettingsProto; |
| } |
| |
| namespace policy { |
| class DevicePolicyImpl; |
| } |
| |
| namespace authpolicy { |
| |
| class Anonymizer; |
| class AuthPolicyMetrics; |
| class CryptohomeClient; |
| class PathService; |
| class ProcessExecutor; |
| |
| class SambaInterface : public TgtManager::Delegate { |
| public: |
| SambaInterface(AuthPolicyMetrics* metrics, |
| const PathService* path_service, |
| const base::Closure& user_kerberos_files_changed); |
| |
| ~SambaInterface(); |
| |
| // Creates directories required by Samba code. If |expect_config| is true, |
| // loads configuration and device policy and initializes dependent stuff like |
| // |encryption_types_|. |
| // Returns an error |
| // - if a directory failed to create or |
| // - if |expect_config| is true and the config file fails to load. |
| ErrorType Initialize(bool expect_config) WARN_UNUSED_RESULT; |
| |
| // Sets the interface to Cryptohome. |
| void SetCryptohomeClient(std::unique_ptr<CryptohomeClient> cryptohome_client); |
| |
| // Cleans all persistent state files. Returns true if all files were cleared. |
| static bool CleanState(const PathService* path_service); |
| |
| // Calls kinit to get a Kerberos ticket-granting-ticket (TGT) for the given |
| // |user_principal_name| (format: user_name@workgroup.domain). If a TGT |
| // already exists, it is renewed. The password must be readable from the pipe |
| // referenced by the file descriptor |password_fd|. On success, the user's |
| // account information is returned in |account_info|. If |account_id| is |
| // non-empty, the |account_info| is queried by |account_id| instead of by |
| // user name. This is safer since the account id is invariant, whereas the |
| // user name can change. The updated user name (or rather the sAMAccountName) |
| // is returned in the |account_info|. Thus, |account_id| should be set if |
| // known and left empty if unknown. |
| ErrorType AuthenticateUser(const std::string& user_principal_name, |
| const std::string& account_id, |
| int password_fd, |
| ActiveDirectoryAccountInfo* account_info) |
| WARN_UNUSED_RESULT; |
| |
| // Figures out whether the user is affiliated or not. If affiliated, caches |
| // auth data and saves the auth data cache to disk. Must be called after a |
| // successful AuthenticateUser() call. It is separate from that method in |
| // order to allow asynchronous execution. |
| void UpdateUserAffiliation(); |
| |
| // Retrieves the status of the user account given by |account_id| (aka |
| // objectGUID). |user_principal_name| is used to derive the user's realm. |
| // The returned |user_status| contains general ActiveDirectoryAccountInfo as |
| // well as the status of the user's ticket-granting-ticket (TGT). Does not |
| // fill |user_status| on error. |
| ErrorType GetUserStatus(const std::string& user_principal_name, |
| const std::string& account_id, |
| ActiveDirectoryUserStatus* user_status) |
| WARN_UNUSED_RESULT; |
| |
| // Gets the user Kerberos credential cache (krb5cc) and configuration |
| // (krb5.conf) files if they exist. Does not set |files| on error. |
| ErrorType GetUserKerberosFiles(const std::string& account_id, |
| KerberosFiles* files) WARN_UNUSED_RESULT; |
| |
| // Joins the local device with name |machine_name| to an Active Directory |
| // domain. The credentials for joining (usually admin level) are given by |
| // |user_principal_name| and |password_fd|, see AuthenticateUser() for |
| // details. |machine_domain| is the domain where the machine is joined to. If |
| // empty, it is derived from |user_principal_name|. |machine_ou| is a vector |
| // of organizational units where the machine is placed into, ordered |
| // leaf-to-root. If empty, the machine is placed in the default location (e.g. |
| // Computers OU). |encryption_types| specifies the allowed encryption types |
| // for Kerberos authentication. On success, |joined_domain| is set to the |
| // domain that was joined (may be nullptr). |
| ErrorType JoinMachine(const std::string& machine_name, |
| const std::string& machine_domain, |
| const std::vector<std::string>& machine_ou, |
| const std::string& user_principal_name, |
| KerberosEncryptionTypes encryption_types, |
| int password_fd, |
| std::string* joined_domain) WARN_UNUSED_RESULT; |
| |
| // Downloads user and extension policy from the Active Directory server and |
| // stores it in |gpo_policy_data|. |account_id| is the unique user objectGUID |
| // returned from |AuthenticateUser| in |account_info|. The user's Kerberos |
| // authentication ticket must still be valid. If this operation fails, call |
| // |AuthenticateUser| and try again. |
| ErrorType FetchUserGpos(const std::string& account_id, |
| protos::GpoPolicyData* gpo_policy_data) |
| WARN_UNUSED_RESULT; |
| |
| // Downloads device and extension policy from the Active Directory server and |
| // stores it in |gpo_policy_data|. The device must be joined to the Active |
| // Directory domain already (see JoinMachine()) as policy fetch requires |
| // authentication with the machine account generated during domain join. |
| ErrorType FetchDeviceGpos(protos::GpoPolicyData* gpo_policy_data) |
| WARN_UNUSED_RESULT; |
| |
| // Should be called when the user session state changed (e.g. "started", |
| // "stopped"). User auth state can only be backed up when the session is in |
| // "started" state. |
| void OnSessionStateChanged(const std::string& state); |
| |
| // Sets the default log level, see AuthPolicyFlags::DefaultLevel for details. |
| // The level persists between restarts of authpolicyd, but gets reset on |
| // reboot. |
| void SetDefaultLogLevel(AuthPolicyFlags::DefaultLevel level); |
| |
| // Returns the user's principal name (sAMAccountName @ realm). |
| std::string GetUserPrincipal() const; |
| |
| const std::string& user_account_id() const { return user_account_id_; } |
| |
| // Returns true if the current user's domain is trusted by the machine domain. |
| // Must be logged in. |
| bool is_user_affiliated() const { |
| DCHECK(user_logged_in_); |
| return is_user_affiliated_; |
| } |
| |
| const std::string& machine_name() const { |
| return device_account_.netbios_name; |
| } |
| |
| // TgtManager::Delegate: |
| void OnTgtRenewed() override; |
| |
| // Disables sleep between kinit tries for unit tests. |
| void DisableRetrySleepForTesting(); |
| |
| // Disables seccomp filtering for unit tests as they might make different |
| // syscalls than production code. |
| void DisableSeccompForTesting(bool disabled) { |
| disable_seccomp_for_testing_ = disabled; |
| } |
| |
| // Returns the anonymizer. |
| const Anonymizer* GetAnonymizerForTesting() const { |
| return anonymizer_.get(); |
| } |
| |
| // Returns the cache for the GPO version. |
| GpoVersionCache* GetGpoVersionCacheForTesting() { |
| return &gpo_version_cache_; |
| } |
| |
| // Returns the lifetime of cached GPos. |
| base::TimeDelta GetGpoVersionCacheTTLForTesting() const { |
| return gpo_version_cache_ttl_; |
| } |
| |
| // Returns the cache for the GPO version. |
| AuthDataCache* GetAuthDataCacheForTesting() { return &auth_data_cache_; } |
| |
| // Returns the lifetime of cached auth data. |
| base::TimeDelta GetAuthDataCacheTTLForTesting() const { |
| return auth_data_cache_ttl_; |
| } |
| |
| // Renew the user ticket-granting-ticket. |
| ErrorType RenewUserTgtForTesting() WARN_UNUSED_RESULT; |
| |
| // Returns the ticket-granting-ticket manager for the user account. |
| TgtManager& GetUserTgtManagerForTesting() { return user_tgt_manager_; } |
| |
| // Sets the container used to load device policy during Initialize(). Can be |
| // used to load device policy from a different location and without key check. |
| void SetDevicePolicyImplForTesting( |
| std::unique_ptr<policy::DevicePolicyImpl> policy_impl); |
| |
| // Sets the actual device policy. Only a few policies are taken into account, |
| // see UpdateDevicePolicyDependencies(). |
| void SetUserPolicyModeForTesting( |
| enterprise_management::DeviceUserPolicyLoopbackProcessingModeProto::Mode |
| mode) { |
| user_policy_mode_ = mode; |
| } |
| |
| // Returns true if AutoCheckMachinePasswordChange() was called at least once. |
| bool DidPasswordChangeCheckRunForTesting() const { |
| return did_password_change_check_run_for_testing_; |
| } |
| |
| // Resets internal state (useful for doing multiple domain joins). |
| void ResetForTesting(); |
| |
| // Runs kpasswd to change machine password. |
| ErrorType ChangeMachinePasswordForTesting() WARN_UNUSED_RESULT; |
| |
| private: |
| // User or device specific information. The user might be logging on to a |
| // different realm than the machine was joined to. |
| struct AccountData { |
| std::string realm; // Active Directory realm. |
| std::string workgroup; // Active Directory workgroup name. |
| std::string netbios_name; // Netbios name is empty for user. |
| std::string kdc_ip; // IPv4/IPv6 address of key distribution center. |
| std::string dc_name; // DNS name of the domain controller |
| std::string user_name; // User sAMAccountName or device netbios_name+$. |
| base::Time server_time; // The server time at last query. |
| Path smb_conf_path; // Path of the Samba configuration file. |
| |
| // Note: Initialize server_time to Now(). This prevents an unnecessary net |
| // ads info call in UpdateKdcIpAndServerTime() during user auth when the KDC |
| // IP is cached. |
| explicit AccountData(Path _smb_conf_path) |
| : server_time(base::Time::Now()), smb_conf_path(_smb_conf_path) {} |
| |
| // Returns user_name @ realm. |
| std::string GetPrincipal() const { return user_name + "@" + realm; } |
| }; |
| |
| // Actual implementation of AuthenticateUser() (see above). The method is |
| // wrapped in order to catch and memorize the returned error. |
| ErrorType AuthenticateUserInternal(const std::string& user_principal_name, |
| const std::string& account_id, |
| int password_fd, |
| ActiveDirectoryAccountInfo* account_info) |
| WARN_UNUSED_RESULT; |
| |
| // Gets the status of the user's ticket-granting-ticket (TGT). Uses klist |
| // internally to check whether the ticket is valid, expired or not present. |
| // Does not perform any server-side checks. |
| ErrorType GetUserTgtStatus(ActiveDirectoryUserStatus::TgtStatus* tgt_status) |
| WARN_UNUSED_RESULT; |
| |
| // Determines the password status by comparing the old |user_pwd_last_set_| |
| // timestamp to the new timestamp in |account_info|. |
| ActiveDirectoryUserStatus::PasswordStatus GetUserPasswordStatus( |
| const ActiveDirectoryAccountInfo& account_info); |
| |
| // Writes the Samba configuration file using the given |account|. |
| ErrorType WriteSmbConf(const AccountData& account) const WARN_UNUSED_RESULT; |
| |
| // Queries the name of the workgroup for the given |account| and stores it in |
| // |account|->workgroup. |
| ErrorType UpdateWorkgroup(AccountData* account) const WARN_UNUSED_RESULT; |
| |
| // Queries the IP of the key distribution center (KDC) and server time for the |
| // given |account| and stores them in |account|->kdc_ip and |
| // |account|->server_time, respectively. The KDC address is required to speed |
| // up network communication and to get rid of waiting for the machine account |
| // propagation after Active Directory domain join. The server time is required |
| // to keep track of the machine password age. |
| ErrorType UpdateKdcIpAndServerTime(AccountData* account) const |
| WARN_UNUSED_RESULT; |
| |
| // Queries the DNS domain name of the domain controller (DC) for the given |
| // |account| and stores it in |account|->dc_name. The DC name is required as |
| // host name in smbclient. With an IP address only, Samba wouldn't be able to |
| // use the Kerberos ticket. |
| ErrorType UpdateDcName(AccountData* account) const WARN_UNUSED_RESULT; |
| |
| // Writes the Samba configuration file for the given |account| and updates |
| // the account's |kdc_ip|, |server_time|, |dc_name| and |workgroup|. Does not |
| // refresh the values if they are already set. |
| ErrorType UpdateAccountData(AccountData* account) WARN_UNUSED_RESULT; |
| |
| // Checks whether the ADS server for |account| is available. Currently |
| // implemented by calling net ads workgroup. |
| ErrorType PingServer(AccountData* account) WARN_UNUSED_RESULT; |
| |
| // Returns true if the current user is affiliated with the machine domain in |
| // the sense that the machine domain trusts the user domain. Returns false |
| // otherwise and on error. Currently implemented by calling net ads search for |
| // the machine account using the user's Kerberos ticket. The search command is |
| // sent to the device's server. |
| bool IsUserAffiliated() WARN_UNUSED_RESULT; |
| |
| // Acquire a Kerberos ticket-granting-ticket for the user account. |
| // |password_fd| is a file descriptor containing the user's password. |
| ErrorType AcquireUserTgt(int password_fd) WARN_UNUSED_RESULT; |
| |
| // Acquire a Kerberos ticket-granting-ticket for the device account. Uses the |
| // machine password file for authentication (or the keytab for backwards |
| // compatibility). If the current machine password doesn't work, uses the |
| // previous password (e.g. password change didn't propagate through AD yet). |
| ErrorType AcquireDeviceTgt() WARN_UNUSED_RESULT; |
| |
| // Writes the machine password to the path specified by |path|. |
| ErrorType WriteMachinePassword( |
| Path path, const std::string& machine_pass) const WARN_UNUSED_RESULT; |
| |
| // Rolls NEW_MACHINE_PASS -> MACHINE_PASS -> PREV_MACHINE_PASS. Used during |
| // machine password change. |
| ErrorType RollMachinePassword() WARN_UNUSED_RESULT; |
| |
| // Writes the file with configuration information. |
| ErrorType WriteConfiguration() const WARN_UNUSED_RESULT; |
| |
| // Reads the file with configuration information. |
| ErrorType ReadConfiguration() WARN_UNUSED_RESULT; |
| |
| // Gets user account info. If |account_id| is not empty, searches by |
| // objectGUID = |account_id| only. Otherwise, searches by sAMAccountName = |
| // |user_name| and - if that fails - by userPrincipalName = |normalized_upn|. |
| // Note that sAMAccountName can be different from the name-part of the |
| // userPrincipalName and that kinit/Windows prefer sAMAccountName over |
| // userPrincipalName. Assumes that the account is up-to-date and the user's |
| // TGT is valid. |
| ErrorType GetAccountInfo(const std::string& user_name, |
| const std::string& normalized_upn, |
| const std::string& account_id, |
| ActiveDirectoryAccountInfo* account_info) |
| WARN_UNUSED_RESULT; |
| |
| // Calls net ads search with given |search_string| to retrieve |account_info|. |
| // Authenticates with the device TGT. |
| ErrorType SearchAccountInfo(const std::string& search_string, |
| ActiveDirectoryAccountInfo* account_info) |
| WARN_UNUSED_RESULT; |
| |
| // Downloads GPOs and returns the |gpo_file_paths|. |source| determines |
| // whether to get GPOs that apply to the user or the device. |scope| |
| // determines whether user or device policy is to be loaded from the GPOs. |
| // Note that some use cases like user policy loopback processing require |
| // reading user policy from device GPOs. Calls GetGpoList() and DownloadGpos() |
| // internally. |
| ErrorType GetGpos(GpoSource source, |
| PolicyScope scope, |
| std::vector<base::FilePath>* gpo_file_paths) |
| WARN_UNUSED_RESULT; |
| |
| // Calls net ads gpo list to retrieve a list of GPOs in |gpo_list|. See |
| // GetGpos() for an explanation of |source| and |scope|. |
| ErrorType GetGpoList(GpoSource source, |
| PolicyScope scope, |
| protos::GpoList* gpo_list) WARN_UNUSED_RESULT; |
| |
| // Downloads user or device GPOs in the given |gpo_list|. See GetGpos() for an |
| // explanation of |source| and |scope|. Returns the downloaded GPO file paths |
| // in |gpo_file_paths|. |
| ErrorType DownloadGpos(const protos::GpoList& gpo_list, |
| GpoSource source, |
| PolicyScope scope, |
| std::vector<base::FilePath>* gpo_file_paths) |
| WARN_UNUSED_RESULT; |
| |
| // Parses GPOs and stores them in user/device policy protobufs. |
| ErrorType ParseGposIntoProtobuf( |
| const std::vector<base::FilePath>& gpo_file_paths, |
| const char* parser_cmd_string, |
| std::string* policy_blob) const WARN_UNUSED_RESULT; |
| |
| // Update stuff that depends on device policy like |encryption_types_|. Should |
| // be called whenever new device policy is available. |
| void UpdateDevicePolicyDependencies( |
| const enterprise_management::ChromeDeviceSettingsProto& device_policy); |
| |
| // Updates |auth_data_cache_| with data from |account| and |is_affiliated| and |
| // saves to disk. |
| void UpdateAuthDataCache(const AccountData& account, bool is_affiliated); |
| |
| // Sets the |rate| at which the machine password is changed. Turns off |
| // automatic password change if |rate| is non-positive. Turned off by default. |
| // Prints out a warning on devices that are still using the machine keytab. |
| // Repeatedly schedules AutoCheckMachinePasswordChange() every few hours. |
| void UpdateMachinePasswordAutoChange(const base::TimeDelta& rate); |
| |
| // Calls CheckMachinePasswordChange() and logs errors. |
| void AutoCheckMachinePasswordChange(); |
| |
| // Checks whether the age of the password exceeds |password_change_rate_| and |
| // renews the password if it does. |
| ErrorType CheckMachinePasswordChange() WARN_UNUSED_RESULT; |
| |
| // Get user or device AccountData. Depends on GpoSource, not on PolicyScope, |
| // since that determines what account to download GPOs for. |
| const AccountData& GetAccount(GpoSource source) const { |
| return source == GpoSource::USER ? user_account_ : device_account_; |
| } |
| |
| // Get user or device TGT manager. Depends on GpoSource, not on PolicyScope, |
| // since that determines what account to download GPOs for and the TGT is tied |
| // to the account. |
| const TgtManager& GetTgtManager(GpoSource source) const { |
| return source == GpoSource::USER ? user_tgt_manager_ : device_tgt_manager_; |
| } |
| |
| // Sets and fixes the current user by account id. Only one account id is |
| // allowed per user. Calling this multiple times with different account ids |
| // crashes the daemon. |
| void SetUserAccountId(const std::string& account_id); |
| |
| // Similar to SetUser, but sets user_account_.realm. |
| void SetUserRealm(const std::string& user_realm); |
| |
| // Calls net setdomainsid S-1-5-21-0000000000-0000000000-00000000. This is a |
| // workaround for Samba 4.8.6+, which expects a domain SID to exist in |
| // add_builtin_guests() (Samba code). The SID is stored in Samba's, |
| // secrets.tdb, which authpolicyd places in /tmp/authpolicyd/samba/private, |
| // so it is wiped whenever the daemon is restarted and the SID is lost. |
| // However, the SID is not really needed for our purposes, so we set a fake |
| // SID here. |
| // Earlies out if set successfully before. |
| ErrorType MaybeSetFakeDomainSid() WARN_UNUSED_RESULT; |
| |
| // Sets machine name and realm on the device account and the tgt manager. |
| void InitDeviceAccount(const std::string& netbios_name, |
| const std::string& realm); |
| |
| // Sets encryption types used by Kerberos tickets. |
| void SetKerberosEncryptionTypes(KerberosEncryptionTypes encryption_types); |
| |
| // Backs up user authentication state (including the credentials cache) on the |
| // user's Cryptohome if the user is logged in (i.e. AuthenticateUser() |
| // succeeded). |
| void MaybeBackupUserAuthState(); |
| |
| // Restores user authentication state (including the credentials cache) from |
| // the user's Cryptohome if the backup data exists and the user isn't logged |
| // in yet. The restored state is equivalent to the state if AuthenticateUser() |
| // succeeds. |
| void MaybeRestoreUserAuthState(); |
| |
| // Anonymizes |realm| in different capitalizations as well as all parts. For |
| // instance, if realm is SOME.EXAMPLE.COM, anonymizes SOME, EXAMPLE and COM. |
| void AnonymizeRealm(const std::string& realm, const char* placeholder); |
| |
| // Returns true if the device is not in a 'joined' state. |
| bool IsDeviceJoined() const; |
| |
| // Resets internal state to an 'unenrolled' state by wiping configuration and |
| // user data. |
| void Reset(); |
| |
| // Loads |flags_default_level_| from Path::FLAGS_DEFAULT_LEVEL. Logs an |
| // error if the file exists, but the level cannot be loaded. Fails silently if |
| // the file does not exist. |
| void LoadFlagsDefaultLevel(); |
| |
| // Saves |flags_default_level_| to Path::FLAGS_DEFAULT_LEVEL. Logs on error. |
| void SaveFlagsDefaultLevel(); |
| |
| // Reloads debug flags. Should be done on every public method called from |
| // D-Bus, so that authpolicyd doesn't have to be restarted if the flags |
| // change. Note that this is cheap in a production environment where the flags |
| // file does not exist, so this is no performance concern. |
| void ReloadDebugFlags(); |
| |
| // User account_id (aka objectGUID). |
| std::string user_account_id_; |
| // Timestamp of last password change on server. |
| uint64_t user_pwd_last_set_ = 0; |
| // Whether AuthenticateUser() succeeded or the equivalent auth state could be |
| // restored from a backup. |
| bool user_logged_in_ = false; |
| // Is the user affiliated with the machine's domain? |
| bool is_user_affiliated_ = false; |
| // Last AuthenticateUser() error. |
| ErrorType last_auth_error_ = ERROR_NONE; |
| // Path for user data backup, e.g. /run/daemon-store/authpolicyd/<user_hash>. |
| // Note that this is essentially bound to /home/root/<user_hash>/authpolicyd. |
| base::FilePath user_daemon_store_path_; |
| // Whether the user session has been started, so Cryptohome is available. |
| bool in_user_session_ = false; |
| |
| AccountData user_account_; |
| AccountData device_account_; |
| |
| // The order of members is carefully chosen to match initialization order, so |
| // don't mess with it unless you have a reason. |
| |
| // UMA statistics, not owned. |
| AuthPolicyMetrics* metrics_; |
| |
| // Lookup for file paths, not owned. |
| const PathService* paths_; |
| |
| // D-Bus interface to Cryptohome. |
| std::unique_ptr<CryptohomeClient> cryptohome_client_; |
| |
| // Removes sensitive data from logs. |
| std::unique_ptr<Anonymizer> anonymizer_; |
| |
| // Debug flags, loaded from Path::DEBUG_FLAGS. |
| protos::DebugFlags flags_; |
| AuthPolicyFlags::DefaultLevel flags_default_level_ = AuthPolicyFlags::kQuiet; |
| |
| // Helper to setup and run minijailed processes. |
| JailHelper jail_helper_; |
| |
| // User and device ticket-granting-ticket managers. |
| TgtManager user_tgt_manager_; |
| TgtManager device_tgt_manager_; |
| |
| // Cache for GPO version, used to prevent unnecessary downloads. |
| GpoVersionCache gpo_version_cache_; |
| base::TimeDelta gpo_version_cache_ttl_; |
| |
| // File-based cache for authentication data. The cache persists across |
| // restarts of authpolicyd (but not reboots), so that it can speed up logins |
| // for different users and ephemeral mode. |
| AuthDataCache auth_data_cache_; |
| base::TimeDelta auth_data_cache_ttl_; |
| |
| // Encryption types to use for kinit and Samba commands. Don't set directly, |
| // always set through SetKerberosEncryptionTypes(). Updated by |
| // UpdateDevicePolicyDependencies. |
| KerberosEncryptionTypes encryption_types_ = ENC_TYPES_STRONG; |
| |
| // Loopback processing mode (how/if user policy from machine GPOs is used). |
| // Updated by UpdateDevicePolicyDependencies. |
| enterprise_management::DeviceUserPolicyLoopbackProcessingModeProto::Mode |
| user_policy_mode_ = enterprise_management:: |
| DeviceUserPolicyLoopbackProcessingModeProto::USER_POLICY_MODE_DEFAULT; |
| |
| // Timer for automatic machine password change. Updated by |
| // UpdateDevicePolicyDependencies. |
| base::TimeDelta password_change_rate_; |
| |
| // Timer for repeated password age checks. Calls |
| // AutoCheckMachinePasswordChange(). |
| base::RepeatingTimer password_change_timer_; |
| |
| // Whether device policy has been fetched or loaded from disk on startup. |
| bool has_device_policy_ = false; |
| |
| // Whether a fake domain SID was set to work around Samba issue. |
| bool fake_domain_sid_was_set_ = false; |
| |
| // For testing only. Used/consumed during Initialize(). |
| std::unique_ptr<policy::DevicePolicyImpl> device_policy_impl_for_testing; |
| |
| // Disables sleeping when retrying net or smbclient (to prevent slowdowns in |
| // tests). |
| bool retry_sleep_disabled_for_testing_ = false; |
| |
| // Keeps track of whether AutoCheckMachinePasswordChange() ran or not. |
| bool did_password_change_check_run_for_testing_ = false; |
| |
| // Disables seccomp filtering for unit tests. |
| bool disable_seccomp_for_testing_ = false; |
| |
| DISALLOW_COPY_AND_ASSIGN(SambaInterface); |
| }; |
| |
| } // namespace authpolicy |
| |
| #endif // AUTHPOLICY_SAMBA_INTERFACE_H_ |