From 35611f2ba0feb79f78dbb7995a1018b39e2ad005 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 17 Nov 2023 14:59:20 +1300
Subject: [PATCH] gmsa.idl: Add definition for MANAGEDPASSWORD_BLOB

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 librpc/idl/gmsa.idl | 44 ++++++++++++++++++++++++++++++++++++
 librpc/idl/idl_types.h | 5 ++++
 librpc/idl/wscript_build | 1 +
 librpc/wscript_build | 6 ++++-
 source4/librpc/wscript_build | 7 ++++++
 5 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 librpc/idl/gmsa.idl

diff --git a/librpc/idl/gmsa.idl b/librpc/idl/gmsa.idl
new file mode 100644
index 00000000000..bad9030ce17
--- /dev/null
+++ b/librpc/idl/gmsa.idl
@@ -0,0 +1,44 @@
+/*
+ * Type definitions for Group Managed Service Accounts
+ *
+ * Derived from [MS-ADTS] 2.2.19 MSDS-MANAGEDPASSWORD_BLOB.
+ */
+
+#include "idl_types.h"
+
+[
+ uuid("e43b8cf6-1ead-11ee-aed1-e3597136ce70"),
+ version(0.0),
+ pointer_default(unique),
+ helpstring("Active Directory Group Managed Service Accounts")
+]
+interface gmsa
+{
+ /* Public structures. */
+
+ typedef [gensize] struct {
+ [relative_short] secret_u16string *current;
+ [relative_short] secret_u16string *previous;
+ /*
+ * MS-ADTS states that these fields must be placed on a 64‐bit
+ * boundary, but samples obtained from Windows are found not to
+ * be so. In practice, they’re offset by two bytes. That’s why
+ * we need NOALIGN.
+ */
+ [relative_short, flag(NDR_NOALIGN)] hyper *query_interval;
+ [relative_short, flag(NDR_NOALIGN)] hyper *unchanged_interval;
+ } MANAGEDPASSWORD_BLOB_PASSWORDS;
+
+ typedef [public] struct {
+ [value(1)] uint16 version;
+ [value(0)] uint16 reserved;
+ /*
+ * The size of the entire blob. 8 bytes account for the
+ * ‘version’ field, the ‘reserved’ field, and the ‘length’ field
+ * itself.
+ */
+ [value(8 + ndr_size_MANAGEDPASSWORD_BLOB_PASSWORDS(&passwords,
+ ndr->flags))] uint32 length;
+ MANAGEDPASSWORD_BLOB_PASSWORDS passwords;
+ } MANAGEDPASSWORD_BLOB;
+}
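Review bot: In the MANAGEDPASSWORD_BLOB struct, `[value(1)] uint16 version` and the `[value(8 + ndr_size_…)] uint32 length` expression fix what the push side emits, but as far as I can tell pidl's generated pull code only reads a `[value]` scalar and does not compare it with the expression, so a blob carrying any other version, or a `length` that disagrees with the buffer actually pulled, decodes without an NDR error; [MS-ADTS] 2.2.19 requires Version to be 0x0001. Whatever consumer pulls this struct should therefore check `blob.version == 1` and that `blob.length` matches the size of the pulled buffer before trusting `passwords.current`, or the comment on `version` should say that this check is the caller's job. The `secret_u16string` type on `current`/`previous` carries NDR_SECRET and is what keeps the password material out of `ndr_print` and debug output while `query_interval`/`unchanged_interval` stay printable; that intent is worth a one-line comment such as `/* NDR_SECRET: redacted from ndr_print output. */` above the two fields. The relative_short offsets are 16-bit, so the struct relies on the NDR layer's relative-pointer bounds checks rather than anything visible here — please confirm that holds for NDR_NOALIGN pointers too.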
diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
index a21893f6562..4f0e69b8d40 100644
--- a/librpc/idl/idl_types.h
+++ b/librpc/idl/idl_types.h
@@ -31,6 +31,11 @@
 */
 #define raw8string [flag(STR_RAW8|STR_NULLTERM)] string
 
+/*
+ a secret null terminated UTF‐16 string (null terminated word sequence)
+*/
+#define secret_u16string [flag(NDR_SECRET|STR_NULLTERM)] u16string
+
 /*
 a null terminated UCS2 string
 */
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index 49b79a74f69..1f4d54c87de 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -131,6 +131,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
 dns.idl
 dnsp.idl
 drsblobs.idl
+ gmsa.idl
 idmap.idl
 krb5pac.idl
 krb5ccache.idl
diff --git a/librpc/wscript_build b/librpc/wscript_build
index b69324477e6..dd86c44d83e 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -390,6 +390,10 @@ bld.SAMBA_SUBSYSTEM('NDR_CLAIMS',
 source='gen_ndr/ndr_claims.c ndr/ndr_claims.c',
 deps='ndr NDR_COMPRESSION LZXPRESS')
 
+bld.SAMBA_SUBSYSTEM('NDR_GMSA',
+ source='gen_ndr/ndr_gmsa.c',
+ deps='ndr')
+
 bld.SAMBA_LIBRARY('ndr-standard',
 source='',
 vnum='0.0.1',
@@ -634,7 +638,7 @@ bld.SAMBA_LIBRARY('ndr-samba',
 NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV NDR_SMB3POSIX
- NDR_KRB5CCACHE NDR_WSP''',
+ NDR_KRB5CCACHE NDR_WSP NDR_GMSA''',
 private_library=True,
 grouping_library=True
 )
diff --git a/source4/librpc/wscript_build b/source4/librpc/wscript_build
index 0d20cbb9349..0a08c524ea7 100644
--- a/source4/librpc/wscript_build
+++ b/source4/librpc/wscript_build
@@ -268,6 +268,13 @@ bld.SAMBA_PYTHON('python_claims',
 cflags_end=gen_cflags
 )
 
+bld.SAMBA_PYTHON('python_gmsa',
+ source='../../librpc/gen_ndr/py_gmsa.c',
+ deps='NDR_GMSA %s %s' % (pytalloc_util, pyrpc_util),
+ realname='samba/dcerpc/gmsa.so',
+ cflags_end=gen_cflags
+ )
+
 bld.SAMBA_PYTHON('python_netlogon',
 source='../../librpc/gen_ndr/py_netlogon.c',
 deps='RPC_NDR_NETLOGON %s %s' % (pytalloc_util, pyrpc_util),