mirror of
https://github.com/samba-team/samba.git
synced 2025-01-25 06:04:04 +03:00
8b51eabf31
This reverts commit a6be8a97f705247c1b1cbb0595887d8924740a71. We fail (often) to parse a krb5pac type 12 buffer due to the incomplete change which came in via a6be8a97f705247c1b1cbb0595887d8924740a71. This change came into master and has only been released in RCs so no regression to published 4.0.x releases. We should revert this for 4.1 for now until we can make it work in all cases (see work on this in https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12). Without this revert the entire PAC parsing may fail which can effect serious implications (krb5 smb session setup not working). Bug: https://bugzilla.samba.org/show_bug.cgi?id=10178 Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Oct 3 17:08:46 CEST 2013 on sn-devel-104
151 lines
4.1 KiB
Plaintext
151 lines
4.1 KiB
Plaintext
/*
|
|
krb5 PAC
|
|
*/
|
|
|
|
#include "idl_types.h"
|
|
|
|
import "security.idl", "lsa.idl", "netlogon.idl", "samr.idl";
|
|
|
|
[
|
|
uuid("12345778-1234-abcd-0000-00000000"),
|
|
version(0.0),
|
|
pointer_default(unique),
|
|
helpstring("Active Directory KRB5 PAC")
|
|
]
|
|
interface krb5pac
|
|
{
|
|
typedef struct {
|
|
NTTIME logon_time;
|
|
[value(2*strlen_m(account_name))] uint16 size;
|
|
[charset(UTF16)] uint8 account_name[size];
|
|
} PAC_LOGON_NAME;
|
|
|
|
typedef [public,flag(NDR_PAHEX)] struct {
|
|
uint32 type;
|
|
[flag(NDR_REMAINING)] DATA_BLOB signature;
|
|
} PAC_SIGNATURE_DATA;
|
|
|
|
typedef struct {
|
|
netr_SamInfo3 info3;
|
|
dom_sid2 *res_group_dom_sid;
|
|
samr_RidWithAttributeArray res_groups;
|
|
} PAC_LOGON_INFO;
|
|
|
|
typedef struct {
|
|
lsa_String proxy_target;
|
|
uint32 num_transited_services;
|
|
[size_is(num_transited_services)] lsa_String *transited_services;
|
|
} PAC_CONSTRAINED_DELEGATION;
|
|
|
|
typedef struct {
|
|
[value(2*strlen_m(upn_name))] uint16 upn_size;
|
|
uint16 upn_offset;
|
|
[value(2*strlen_m(domain_name))] uint16 domain_size;
|
|
uint16 domain_offset;
|
|
uint16 unknown3; /* 0x01 */
|
|
uint16 unknown4;
|
|
uint32 unknown5;
|
|
[charset(UTF16)] uint8 upn_name[upn_size+2];
|
|
[charset(UTF16)] uint8 domain_name[domain_size+2];
|
|
uint32 unknown6; /* padding */
|
|
} PAC_UNKNOWN_12;
|
|
|
|
typedef [public] struct {
|
|
PAC_LOGON_INFO *info;
|
|
} PAC_LOGON_INFO_CTR;
|
|
|
|
typedef [public] struct {
|
|
PAC_CONSTRAINED_DELEGATION *info;
|
|
} PAC_CONSTRAINED_DELEGATION_CTR;
|
|
|
|
typedef [public,v1_enum] enum {
|
|
PAC_TYPE_LOGON_INFO = 1,
|
|
PAC_TYPE_SRV_CHECKSUM = 6,
|
|
PAC_TYPE_KDC_CHECKSUM = 7,
|
|
PAC_TYPE_LOGON_NAME = 10,
|
|
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
|
|
PAC_TYPE_UNKNOWN_12 = 12
|
|
} PAC_TYPE;
|
|
|
|
typedef struct {
|
|
[flag(NDR_REMAINING)] DATA_BLOB remaining;
|
|
} DATA_BLOB_REM;
|
|
|
|
typedef [public,nodiscriminant,gensize] union {
|
|
[case(PAC_TYPE_LOGON_INFO)][subcontext(0xFFFFFC01)] PAC_LOGON_INFO_CTR logon_info;
|
|
[case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
|
|
[case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
|
|
[case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name;
|
|
[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
|
|
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
|
|
/* when new PAC info types are added they are supposed to be done
|
|
in such a way that they are backwards compatible with existing
|
|
servers. This makes it safe to just use a [default] for
|
|
unknown types, which lets us ignore the data */
|
|
[default] [subcontext(0)] DATA_BLOB_REM unknown;
|
|
/* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */
|
|
} PAC_INFO;
|
|
|
|
typedef [public,nopush,nopull,noprint] struct {
|
|
PAC_TYPE type;
|
|
[value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
|
|
[relative,switch_is(type),subcontext(0),subcontext_size(_subcontext_size_PAC_INFO(r, ndr->flags)),flag(NDR_ALIGN8)] PAC_INFO *info;
|
|
[value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
|
|
} PAC_BUFFER;
|
|
|
|
typedef [public] struct {
|
|
uint32 num_buffers;
|
|
uint32 version;
|
|
PAC_BUFFER buffers[num_buffers];
|
|
} PAC_DATA;
|
|
|
|
typedef [public] struct {
|
|
PAC_TYPE type;
|
|
uint32 ndr_size;
|
|
[relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info;
|
|
[value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
|
|
} PAC_BUFFER_RAW;
|
|
|
|
typedef [public] struct {
|
|
uint32 num_buffers;
|
|
uint32 version;
|
|
PAC_BUFFER_RAW buffers[num_buffers];
|
|
} PAC_DATA_RAW;
|
|
|
|
const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3;
|
|
|
|
typedef [public] struct {
|
|
[value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
|
|
uint32 ChecksumLength;
|
|
int32 SignatureType;
|
|
uint32 SignatureLength;
|
|
[flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature;
|
|
} PAC_Validate;
|
|
|
|
[nopython] void decode_pac(
|
|
[in] PAC_DATA pac
|
|
);
|
|
|
|
[nopython] void decode_pac_raw(
|
|
[in] PAC_DATA_RAW pac
|
|
);
|
|
|
|
[nopython] void decode_login_info(
|
|
[in] PAC_LOGON_INFO logon_info
|
|
);
|
|
|
|
[nopython] void decode_login_info_ctr(
|
|
[in] PAC_LOGON_INFO_CTR logon_info_ctr
|
|
);
|
|
|
|
[nopython] void decode_pac_validate(
|
|
[in] PAC_Validate pac_validate
|
|
);
|
|
|
|
/* used for samba3 netsamlogon cache */
|
|
typedef [public] struct {
|
|
time_t timestamp;
|
|
netr_SamInfo3 info3;
|
|
} netsamlogoncache_entry;
|
|
}
|