
netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon

I have basic tests, which have shown that the payload is not
encrypted at the application level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Stefan Metzmacher 2024-11-21 14:16:12 +01:00
parent 61a5151af5
commit 544838ac5b
3 changed files with 134 additions and 3 deletions


@ -886,6 +886,9 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
base = &validation->sam6->base;
}
break;
case 7:
/* NetlogonValidationTicketLogon */
return NT_STATUS_OK;
default:
/* If we can't find it, we can't very well decrypt it */
return NT_STATUS_INVALID_INFO_CLASS;
@ -1146,6 +1149,9 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
return NT_STATUS_INVALID_PARAMETER;
}
break;
case NetlogonTicketLogonInformation:
break;
}
return NT_STATUS_OK;
@ -1395,6 +1401,9 @@ union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
}
return out;
case NetlogonTicketLogonInformation:
break;
}
return out;
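Review bot: The new `case 7:` in netlogon_creds_crypt_samlogon_validation returns NT_STATUS_OK without running anything through the session-key crypt, although netr_ValidationTicketLogon embeds two netr_SamInfo6 blocks (user_information, device_information) whose base is exactly what the level-6 path hands over via `base = &validation->sam6->base;`. The commit message says basic tests showed this level is not encrypted at the application level, but the one-word comment in the code does not, so a later reader cannot tell whether the skip is deliberate or whether the key fields in those SamInfo6 blocks are still protected by something else. I would spell it out, e.g. `/* NetlogonValidationTicketLogon: per testing the DC applies no session-key encryption to this level, so there is nothing to crypt here; protection presumably comes from the secure-channel transport - TODO confirm */`, and add the same rationale to the bare `case NetlogonTicketLogonInformation: break;` in netlogon_creds_crypt_samlogon_logon. All three enclosing functions start and end outside their hunks.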


@ -2624,6 +2624,7 @@ struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
case NetlogonNetworkInformation:
case NetlogonNetworkTransitiveInformation:
case NetlogonTicketLogonInformation:
break;
}


@ -219,6 +219,54 @@ interface netlogon
[size_is(length)] uint8 *data;
} netr_GenericInfo;
typedef [bitmap64bit] bitmap {
/*
* These are documented in strange ways!
*
* Following [MS-ADPS] 2.2.2.1 NETLOGON_TICKET_LOGON_INFO Message,
* would mean this, but these are not really flags...
* they document the number of the bit in the 64 bit value.
*
* CriticalOptions:
* NO_AUTHORIZATION_DATA = 0x0000
*
* ComputerDomainOptions:
* SKIP_RESOURCE_GROUPS = 0x0010
* SKIP_A2A_CHECKS = 0x0011
*
* TransitOptions:
* SKIP_SID_FILTER = 0x0020
* SKIP_NAMESPACE_FILTER = 0x0021
*
* KerberosOptions:
* SKIP_PAC_SIGNATURES = 0x0030
* REMOVE_RESOURCE_GROUPS = 0x0031
*
* Following [MS-NPRPC] 2.2.1.4.19 NETLOGON_TICKET_LOGON_INFO
* and its DUMMYSTRUCTNAME definition
*/
NETLOGON_TICKET_LOGON_CRITICAL_OPTIONS = 0x000000000000FFFF,
NETLOGON_TICKET_LOGON_NO_AUTHORIZATION_DATA = 0x0000000000000001,
NETLOGON_TICKET_LOGON_COMPUTER_DOMAIN_OPTIONS = 0x00000000FFFF0000,
NETLOGON_TICKET_LOGON_SKIP_RESOURCE_GROUPS = 0x0000000000010000,
NETLOGON_TICKET_LOGON_SKIP_A2A_CHECKS = 0x0000000000020000,
NETLOGON_TICKET_LOGON_TRANSIT_OPTIONS = 0x0000FFFF00000000,
NETLOGON_TICKET_LOGON_SKIP_SID_FILTER = 0x0000000100000000,
NETLOGON_TICKET_LOGON_SKIP_NAMESPACE_FILTER = 0x0000000200000000,
NETLOGON_TICKET_LOGON_KERBEROS_OPTIONS = 0xFFFF000000000000,
NETLOGON_TICKET_LOGON_SKIP_PAC_SIGNATURES = 0x0001000000000000,
NETLOGON_TICKET_LOGON_REMOVE_RESOURCE_GROUPS = 0x0002000000000000
} netr_TicketLogonInfoRequestOptions;
typedef [public,flag(NDR_PAHEX)] struct {
netr_IdentityInfo identity_info;
netr_TicketLogonInfoRequestOptions request_options;
uint32 service_ticket_length;
[size_is(service_ticket_length)] uint8 *service_ticket;
uint32 additional_ticket_length;
[size_is(additional_ticket_length)] uint8 *additional_ticket;
} netr_TicketLogonInfo;
typedef [public] enum {
NetlogonInteractiveInformation = 1,
NetlogonNetworkInformation = 2,
@ -226,7 +274,8 @@ interface netlogon
NetlogonGenericInformation = 4,
NetlogonInteractiveTransitiveInformation = 5,
NetlogonNetworkTransitiveInformation = 6,
NetlogonServiceTransitiveInformation = 7
NetlogonServiceTransitiveInformation = 7,
NetlogonTicketLogonInformation = 8
} netr_LogonInfoClass;
typedef [public,switch_type(netr_LogonInfoClass)] union {
@ -237,6 +286,7 @@ interface netlogon
[case(NetlogonInteractiveTransitiveInformation)] netr_PasswordInfo *password;
[case(NetlogonNetworkTransitiveInformation)] netr_NetworkInfo *network;
[case(NetlogonServiceTransitiveInformation)] netr_PasswordInfo *password;
[case(NetlogonTicketLogonInformation)] netr_TicketLogonInfo *ticket;
[default];
} netr_LogonLevel;
@ -348,12 +398,82 @@ interface netlogon
[size_is(length)] uint8 *data;
} netr_GenericInfo2;
typedef enum {
typedef [bitmap64bit] bitmap {
/*
* These are documented in strange ways!
*
* Following [MS-ADPS] 2.2.3.1 NETLOGON_VALIDATION_TICKET_LOGON
* message would mean this, but these are not really flags...
* they document the number of the bit in the relative 16-bit
* space.
*
* CriticalResults:
* LogonFailed = 0x0000
*
* SourceInformation:
* TicketDecryptionFailed = 0x0000
* PacValidationFailed = 0x0001
* CompoundSource = 0x0002
* SourceUserClaims = 0x0003
* SourceDeviceClaims = 0x0004
* FullSignaturePresent = 0x0005
* ResourceGroupsRemoved = 0x0006
*
* TransitInformation:
* UserSidsFailed = 0x0000
* UserNamespaceFailed = 0x0001
* UserFailedA2A = 0x0002
* DeviceSidsFailed = 0x0003
* DeviceNamespaceFailed = 0x0004
* UserSidsFiltered = 0x0005
* DeviceSidsFiltered = 0x0006
*
* Following [MS-NPRPC] 2.2.1.4.20 NETLOGON_VALIDATION_TICKET_LOGON
* and its DUMMYSTRUCTNAME definition
*/
NETLOGON_TICKET_LOGON_CRITICAL_RESULTS = 0x00000000000000FF,
NETLOGON_TICKET_LOGON_FAILED_LOGON = 0x0000000000000001,
NETLOGON_TICKET_LOGON_CRITICAL_CLIENT_RESULTS = 0x000000000000FF00,
NETLOGON_TICKET_LOGON_CRITICAL_COMPUTER_DOMAIN_RESULTS = 0x0000000000FF0000,
NETLOGON_TICKET_LOGON_CRITICAL_TRANSIT_RESULTS = 0x00000000FF000000,
NETLOGON_TICKET_LOGON_SOURCE_INFORMATION = 0x0000FFFF00000000,
NETLOGON_TICKET_LOGON_TICKET_DECRYPTION_FAILED = 0x0000000100000000,
NETLOGON_TICKET_LOGON_PAC_VALIDATION_FAILED = 0x0000000200000000,
NETLOGON_TICKET_LOGON_COMPOUND_SOURCE = 0x0000000400000000,
NETLOGON_TICKET_LOGON_SOURCE_USER_CLAIMS = 0x0000000800000000,
NETLOGON_TICKET_LOGON_SOURCE_DEVICE_CLAIMS = 0x0000001000000000,
NETLOGON_TICKET_LOGON_FULL_SIGNATURE_PRESENT = 0x0000002000000000,
NETLOGON_TICKET_LOGON_RESOURCE_GROUPS_REMOVED = 0x0000004000000000,
NETLOGON_TICKET_LOGON_TRANSIT_INFORMATION = 0xFFFF000000000000,
NETLOGON_TICKET_LOGON_USER_SIDS_FAILED = 0x0001000000000000,
NETLOGON_TICKET_LOGON_USER_NAMESPACE_FAILED = 0x0002000000000000,
NETLOGON_TICKET_LOGON_USER_FAILED_A2A = 0x0004000000000000,
NETLOGON_TICKET_LOGON_DEVICE_SIDS_FAILED = 0x0008000000000000,
NETLOGON_TICKET_LOGON_DEVICE_NAMESPACE_FAILED = 0x0010000000000000,
NETLOGON_TICKET_LOGON_USER_SIDS_FILTERED = 0x0020000000000000,
NETLOGON_TICKET_LOGON_DEVICE_SIDS_FILTERED = 0x0040000000000000
} netr_TicketLogonResults;
typedef [public,flag(NDR_PAHEX)] struct {
netr_TicketLogonResults results;
NTSTATUS kerberos_status;
NTSTATUS netlogon_status;
lsa_String source_of_status;
netr_SamInfo6 *user_information;
netr_SamInfo6 *device_information;
uint32 user_claims_length;
[size_is(user_claims_length)] uint8 *user_claims;
uint32 device_claims_length;
[size_is(device_claims_length)] uint8 *device_claims;
} netr_ValidationTicketLogon;
typedef [public] enum {
NetlogonValidationUasInfo = 1,
NetlogonValidationSamInfo = 2,
NetlogonValidationSamInfo2 = 3,
NetlogonValidationGenericInfo2 = 5,
NetlogonValidationSamInfo4 = 6
NetlogonValidationSamInfo4 = 6,
NetlogonValidationTicketLogon = 7
} netr_ValidationInfoClass;
typedef [public,switch_type(uint16)] union {
@ -362,6 +482,7 @@ interface netlogon
[case(4)] netr_PacInfo *pac;
[case(NetlogonValidationGenericInfo2)] netr_GenericInfo2 *generic;
[case(NetlogonValidationSamInfo4)] netr_SamInfo6 *sam6;
[case(NetlogonValidationTicketLogon)] netr_ValidationTicketLogon *ticket;
[default];
} netr_Validation;
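Review bot: The comment blocks above netr_TicketLogonInfoRequestOptions and netr_TicketLogonResults cite `[MS-ADPS]` and `[MS-NPRPC]`; the Microsoft documents that define NETLOGON_TICKET_LOGON_INFO and NETLOGON_VALIDATION_TICKET_LOGON are, as far as I know, [MS-APDS] and [MS-NRPC], so these look like transposed letters that would send a reader to the wrong specification and are worth checking before merge. While there, the SKIP_PAC_SIGNATURES / SKIP_SID_FILTER / SKIP_NAMESPACE_FILTER bits are client-supplied requests to drop checks, and a one-line note such as `/* request_options are chosen by the client; a server must decide per policy whether to honour any SKIP_* bit */` above the bitmap would help whoever implements the DC side. The remaining definitions only describe wire layout and read fine.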