sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-03 13:47:25 +03:00
Code
samba-mirror/source4/kdc/db-glue.h
Andreas Schneider 5c4afce7bb s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd() 
This will be used by the MIT KDB plugin in the next commits.

A security descriptor created by Windows looks like this:

    security_descriptor: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x8004 (32772)
               0: SEC_DESC_OWNER_DEFAULTED
               0: SEC_DESC_GROUP_DEFAULTED
               1: SEC_DESC_DACL_PRESENT
               0: SEC_DESC_DACL_DEFAULTED
               0: SEC_DESC_SACL_PRESENT
               0: SEC_DESC_SACL_DEFAULTED
               0: SEC_DESC_DACL_TRUSTED
               0: SEC_DESC_SERVER_SECURITY
               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
               0: SEC_DESC_DACL_AUTO_INHERITED
               0: SEC_DESC_SACL_AUTO_INHERITED
               0: SEC_DESC_DACL_PROTECTED
               0: SEC_DESC_SACL_PROTECTED
               0: SEC_DESC_RM_CONTROL_VALID
               1: SEC_DESC_SELF_RELATIVE
        owner_sid                : *
            owner_sid                : S-1-5-32-544
        group_sid                : NULL
        sacl                     : NULL
        dacl                     : *
            dacl: struct security_acl
                revision                 : SECURITY_ACL_REVISION_ADS (4)
                size                     : 0x002c (44)
                num_aces                 : 0x00000001 (1)
                aces: ARRAY(1)
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0024 (36)
                        access_mask              : 0x000f01ff (983551)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-21-3001743926-1909451141-602466370-1108

Created with the following powershell code:

    $host1 = Get-ADComputer -Identity ServerA
    $host2 = Get-ADComputer -Identity ServerB
    Set-ADComputer $host2 -PrincipalsAllowedToDelegateToAccount $host1

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00

74 lines
2.5 KiB
C
Raw Blame History

/*
Unix SMB/CIFS implementation.
Database Glue between Samba and the KDC
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
Copyright (C) Simo Sorce <idra@samba.org> 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
struct sdb_entry_ex;
int samba_kdc_set_fixed_keys(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
const struct ldb_val *secretbuffer,
struct sdb_entry_ex *entry_ex);
krb5_error_code samba_kdc_fetch(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
krb5_const_principal principal,
unsigned flags,
krb5_kvno kvno,
struct sdb_entry_ex *entry_ex);
krb5_error_code samba_kdc_firstkey(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
struct sdb_entry_ex *entry);
krb5_error_code samba_kdc_nextkey(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
struct sdb_entry_ex *entry);
krb5_error_code
samba_kdc_check_client_matches_target_service(krb5_context context,
struct samba_kdc_entry *skdc_entry_client,
struct samba_kdc_entry *skdc_entry_server_target);
krb5_error_code
samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
struct samba_kdc_entry *skdc_entry,
krb5_const_principal certificate_principal);
krb5_error_code
samba_kdc_check_s4u2proxy(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
struct samba_kdc_entry *skdc_entry,
krb5_const_principal target_principal);
krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
krb5_const_principal client_principal,
krb5_const_principal server_principal,
krb5_pac header_pac,
struct samba_kdc_entry *proxy_skdc_entry);
NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
struct samba_kdc_db_context **kdc_db_ctx_out);
View Git Blame Copy Permalink