// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

syntax = "proto2";

option optimize_for = LITE_RUNTIME;

package authpolicy;

// Wire contract for the D-Bus interface between Chrome and authpolicyd: the
// error codes returned by authpolicyd and the request/response messages for
// Active Directory domain join, user authentication and status queries.

// D-Bus call error codes. These values are written to logs. New enum values can
// be added, but existing enums must never be renumbered or deleted and reused.
enum ErrorType {
  // TODO(ljusten): Remove this and ERROR_NO_WINDOWS_POLICY when Chrome is
  // switched over, see crbug.com/807999.
  // allow_alias only exists so that ERROR_NO_WINDOWS_POLICY can share value 34
  // with ERROR_NO_DEVICE_POLICY during the transition; do not add other aliases.
  option allow_alias = true;

  // Everything is A-OK!
  ERROR_NONE = 0;
  // Unspecified error.
  ERROR_UNKNOWN = 1;
  // Unspecified D-Bus error.
  ERROR_DBUS_FAILURE = 2;
  // Badly formatted user principal name.
  ERROR_PARSE_UPN_FAILED = 3;
  // Auth failed because of bad user name.
  ERROR_BAD_USER_NAME = 4;
  // Auth failed because of bad password.
  ERROR_BAD_PASSWORD = 5;
  // Auth failed because of expired password.
  ERROR_PASSWORD_EXPIRED = 6;
  // Auth failed because of bad realm or network.
  ERROR_CANNOT_RESOLVE_KDC = 7;
  // kinit exited with unspecified error.
  ERROR_KINIT_FAILED = 8;
  // net exited with unspecified error.
  ERROR_NET_FAILED = 9;
  // smbclient exited with unspecified error.
  ERROR_SMBCLIENT_FAILED = 10;
  // authpolicy_parser exited with unknown error.
  ERROR_PARSE_FAILED = 11;
  // Parsing GPOs failed.
  ERROR_PARSE_PREG_FAILED = 12;
  // GPO data is bad.
  ERROR_BAD_GPOS = 13;
  // Some local IO operation failed.
  ERROR_LOCAL_IO = 14;
  // Machine is not joined to AD domain yet.
  ERROR_NOT_JOINED = 15;
  // User is not logged in yet.
  ERROR_NOT_LOGGED_IN = 16;
  // Failed to send policy to session_manager.
  ERROR_STORE_POLICY_FAILED = 17;
  // User doesn't have the right to join machines to the domain.
  ERROR_JOIN_ACCESS_DENIED = 18;
  // General network problem.
  ERROR_NETWORK_PROBLEM = 19;
  // Machine name contains restricted characters.
  ERROR_INVALID_MACHINE_NAME = 20;
  // Machine name too long.
  ERROR_MACHINE_NAME_TOO_LONG = 21;
  // User joined maximum number of machines to the domain.
  ERROR_USER_HIT_JOIN_QUOTA = 22;
  // Kinit or smbclient failed to contact Key Distribution Center.
  ERROR_CONTACTING_KDC_FAILED = 23;
  // Kerberos credentials cache not found.
  ERROR_NO_CREDENTIALS_CACHE_FOUND = 24;
  // Kerberos ticket expired while renewing credentials.
  ERROR_KERBEROS_TICKET_EXPIRED = 25;
  // Klist exited with unspecified error.
  ERROR_KLIST_FAILED = 26;
  // Kinit failed because of bad machine name.
  ERROR_BAD_MACHINE_NAME = 27;
  // Kinit failed to change the password because the password was rejected.
  ERROR_PASSWORD_REJECTED = 28;
  // Returned by RefreshDevicePolicy when policy fetch succeeded but policy
  // cannot be sent to session_manager because install attributes are not locked
  // yet. authpolicyd caches policy in this case and returns it in the next
  // RefreshDevicePolicy call. Should happen during enrollment only.
  ERROR_DEVICE_POLICY_CACHED_BUT_NOT_SENT = 29;
  // Join failed because computer organizational unit does not exist.
  ERROR_OU_DOES_NOT_EXIST = 30;
  // Join failed because computer organizational unit is invalid.
  ERROR_INVALID_OU = 31;
  // Setting computer organizational unit failed with insufficient permissions.
  ERROR_OU_ACCESS_DENIED = 32;
  // Setting computer organizational unit failed with unspecified error.
  ERROR_SETTING_OU_FAILED = 33;
  // Fetching user policy failed because device policy was unavailable.
  ERROR_NO_DEVICE_POLICY = 34;
  // Deprecated alias of ERROR_NO_DEVICE_POLICY (same wire value 34), kept only
  // until Chrome is switched over; see the TODO above.
  ERROR_NO_WINDOWS_POLICY = 34;
  // Domain join failed because the device is already joined.
  ERROR_ALREADY_JOINED = 35;
  // Domain join failed because KDC does not support the encryption enforced in
  // the Samba configuration, e.g. if 'kerberos encryption types' is set to
  // 'strong' to enforce AES encryption, but KDC does not support AES.
  ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE = 36;
  // Kpasswd exited with unspecified error.
  ERROR_KPASSWD_FAILED = 37;
  // Setting computer organizational unit failed with constraint violation.
  ERROR_OU_CONSTRAINT_VIOLATION = 38;
  // Should be the last. Not a real error code: new values are inserted before
  // this one and ERROR_COUNT is incremented accordingly.
  ERROR_COUNT = 39;
}

// Message sent to Chrome by authpolicyd as a response of a successful
// AuthenticateUser call. Contains information about authenticated user fetched
// from Active Directory server with "net ads search ...".
message ActiveDirectoryAccountInfo {
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information.
  optional string account_id = 1;
  // Display name of the user. Taken from the displayName property of the Active
  // Directory user account information.
  optional string display_name = 2;
  // Given name of the user. AKA first name. Taken from the givenName property
  // of the Active Directory user account information.
  optional string given_name = 3;
  // Logon name of the user (without @realm). Taken from the sAMAccountName
  // property of the Active Directory user account information.
  optional string sam_account_name = 4;
  // Timestamp when the password was last set, see
  // https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx. Taken from
  // the pwdLastSet property of the Active Directory user account information.
  // Used in authpolicyd only, unused in Chrome.
  optional uint64 pwd_last_set = 5;
  // User account control flags, see
  // https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx. Taken from
  // the userAccountControl property of the Active Directory user account
  // information. Used in authpolicyd only, unused in Chrome.
  optional uint32 user_account_control = 6;
  // Common name of the user, e.g. "John Doe [jdoe]". Taken from the commonName
  // property of the Active Directory user account information.
  optional string common_name = 7;
  // Next ID to use: 8
}

// Message sent to Chrome by authpolicyd as a response to a successful
// GetUserStatus call.
message ActiveDirectoryUserStatus {
  // Ticket-granting-ticket status.
  enum TgtStatus {
    TGT_VALID = 0;      // Ticket is still valid.
    TGT_EXPIRED = 1;    // Ticket expired.
    TGT_NOT_FOUND = 2;  // Kerberos credentials cache not found.
    // Next ID to use: 3
  }

  // Whether the password has to be changed or sync'ed with cryptohome.
  enum PasswordStatus {
    PASSWORD_VALID = 0;    // Valid as far as we can tell.
    PASSWORD_EXPIRED = 1;  // User has to enter a new password on next logon.
    PASSWORD_CHANGED = 2;  // Changed on server, possibly from other client.
    // Next ID to use: 3
  }

  // User's account information, see above.
  optional ActiveDirectoryAccountInfo account_info = 1;
  // Status of the user's ticket-granting-ticket (TGT).
  optional TgtStatus tgt_status = 2;
  // Status of the user's password.
  optional PasswordStatus password_status = 3;
  // Field 4 was removed; its number must not be reused.
  reserved 4;
  // Next ID to use: 5
}

// Message sent to Chrome by authpolicyd as a response to a successful
// GetUserKerberosFiles call.
message KerberosFiles {
  // Kerberos credential cache. NOTE(review): this holds the user's Kerberos
  // tickets and is security-sensitive; confirm it is never logged or persisted
  // outside the intended consumer.
  optional bytes krb5cc = 1;
  // Kerberos configuration file.
  optional bytes krb5conf = 2;
  // Next ID to use: 3
}

// What Kerberos encryption types kinit should use.
enum KerberosEncryptionTypes {
  ENC_TYPES_ALL = 0;     // AES + RC4_HMAC.
  ENC_TYPES_STRONG = 1;  // AES only.
  ENC_TYPES_LEGACY = 2;  // RC4_HMAC only.
  // Next ID to use: 3
}

// Message sent by Chrome to authpolicyd with JoinAdDomain call.
message JoinDomainRequest {
  // Logon name of the user (with @realm) who joins the machine to the domain.
  optional string user_principal_name = 1;
  // Netbios computer (aka machine) name for the joining device.
  // https://technet.microsoft.com/en-us/library/cc959322.aspx
  optional string machine_name = 2;
  // Domain (realm) the machine should be joined to.
  optional string machine_domain = 3;
  // Organizational unit the machine should be put into. Goes from leaf to root,
  // i.e. the OU at index 1 is the parent of OU at index 0, etc.
  repeated string machine_ou = 4;
  // Supported Kerberos encryption types for domain join. By default, only
  // strong types are allowed during negotiation. However, some Active Directory
  // setups might be configured to not allow strong types, in particular for
  // cross-domain authentication (join machine to domain A using credentials
  // from domain B), where at the time of writing the default settings do not
  // allow strong encryption. In this case, domain join fails. Likewise, there
  // might also be rare use cases that require legacy encryption only. If the
  // server supports strong encryption, it is always preferred.
  // On the sign-in screen and during user sessions the device policy
  // DeviceKerberosEncryptionTypes policy is used to determine encryption types.
  // Note that ENC_TYPES_ALL and ENC_TYPES_LEGACY permit RC4_HMAC; the default
  // (ENC_TYPES_STRONG) is the AES-only setting.
  optional KerberosEncryptionTypes kerberos_encryption_types = 5
      [default = ENC_TYPES_STRONG];
  // The DM token used by Chrome to authenticate to DM server. Passed during
  // domain join so authpolicyd can set it in device policy as it's done for
  // cloud management. NOTE(review): this is a credential; unlike ErrorType
  // values it should not end up in logs — confirm on the authpolicyd side.
  optional string dm_token = 6;
  // Next ID to use: 7
}

// Message sent by Chrome to authpolicyd with AuthenticateUser call.
message AuthenticateUserRequest {
  // Logon name of the user (with @realm).
  optional string user_principal_name = 1;
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information.
  optional string account_id = 2;
  // Next ID to use: 3
}

// Message sent by Chrome to authpolicyd with GetUserStatus call.
message GetUserStatusRequest {
  // Logon name of the user (with @realm).
  optional string user_principal_name = 1;
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information.
  optional string account_id = 2;
  // Next ID to use: 3
}