a59c9cba31
This blob will be stored in secrets.tdb. It makes it possible to store much more useful details about the workstation trust. The key feature that triggered this change is the ability to store details for the next password change before doing the remote change. This will allow us to recover from failures. While being there I also thought about possible new features, which we may implement in the near future. We also store the raw UTF16-like cleartext buffer as well as derived keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys. This will allow us to avoid recalculating the keys for an in-memory keytab in future. I also added a pointer to an optional lsa_ForestTrustInformation structure, which might be useful to implement multi-tenancy in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
#include "idl_types.h"
import "misc.idl", "samr.idl", "lsa.idl", "netlogon.idl", "security.idl";
/*
IDL structures for secrets code
*/
[
	pointer_default(unique)
]
interface secrets
{
	/*
	 * s3 on-disc storage structure for trusted domains, do not change !
	 *
	 * Both length fields are [value(...)] and therefore recomputed from
	 * uni_name / pass on push rather than taken from the caller.
	 *
	 * NOTE(review): the trust password lives here as a cleartext
	 * astring and, unlike the secrets_domain_info1 structures below,
	 * carries no NDR_SECRET flag, so it is presumably not redacted in
	 * ndr_print output - confirm before logging this structure.
	 */
	typedef [flag(NDR_NOALIGN),public] struct {
		[value(strlen_m_term(uni_name))] uint32 uni_name_len; /* derived from uni_name on push */
		[charset(UTF16)] uint16 uni_name[32]; /* unicode domain name, fixed 32 UTF16 units */
		[value(strlen(pass))] uint32 pass_len; /* derived from pass on push */
		astring pass; /* trust relationship's password */
		time_t mod_time;
		dom_sid domain_sid; /* remote domain's sid */
	} TRUSTED_DOM_PASS;

	/*
	 * s3 on-disc storage structure for lsa secrets, do not change !
	 *
	 * Holds the current and the previous value of one LSA secret,
	 * each with the time it was last changed, plus the security
	 * descriptor guarding access to it. Both blob pointers are
	 * unique pointers (pointer_default above), i.e. may be NULL.
	 *
	 * NOTE(review): secret_current / secret_old are not flagged
	 * NDR_SECRET either - see the note on TRUSTED_DOM_PASS.
	 */
	typedef [public] struct {
		DATA_BLOB *secret_current;
		NTTIME secret_current_lastchange;
		DATA_BLOB *secret_old;
		NTTIME secret_old_lastchange;
		security_descriptor *sd;
	} lsa_secret;

	/*
	 * This is the on-disc format the workstation trust.
	 *
	 * DO NOT CHANGE
	 * without changing secrets_domain_info_version
	 * and adding glue code. Discuss on samba-technical
	 * first!
	 */

	/*
	 * One Kerberos key derived from a workstation trust password.
	 * Only value is NDR_SECRET; keytype and iteration_count are
	 * not sensitive on their own.
	 */
	typedef struct {
		uint32 keytype; /* presumably the Kerberos enctype of value - confirm against the caller */
		uint32 iteration_count; /* presumably the string-to-key iteration count used - confirm */
		[flag(NDR_SECRET)] DATA_BLOB value; /* raw key bytes, redacted from NDR debug output */
	} secrets_domain_info1_kerberos_key;

	/*
	 * One password generation (current, old or older) of the
	 * workstation trust, together with the material derived from it
	 * so that keys need not be recomputed later.
	 */
	typedef struct {
		NTTIME change_time; /* when this password was set */
		[string,charset(UTF16)] uint16 change_server[]; /* DC the change was performed against - assumption, verify */

		[flag(NDR_SECRET)] DATA_BLOB cleartext_blob; /* raw UTF16-like cleartext password buffer */
		[flag(NDR_SECRET)] samr_Password nt_hash; /* NT hash (arcfour-hmac-md5 key) of cleartext_blob */

		[string,charset(UTF16)] uint16 *salt_data; /* optional; presumably the Kerberos string-to-key salt - confirm */
		uint32 default_iteration_count;
		uint16 num_keys; /* number of entries in keys; bounds the array on pull */
		secrets_domain_info1_kerberos_key keys[num_keys];
	} secrets_domain_info1_password;

	/*
	 * A pending password change, recorded locally before the remote
	 * change is attempted so that a failure mid-way can be recovered.
	 * local_status / remote_status track the outcome of the two halves
	 * (inferred from the names; verify against the code that fills them).
	 */
	typedef struct {
		NTSTATUS local_status;
		NTSTATUS remote_status;
		NTTIME change_time;
		[string,charset(UTF16)] uint16 change_server[];
		[ref] secrets_domain_info1_password *password; /* [ref]: must never be NULL */
	} secrets_domain_info1_change;

	/*
	 * Version 1 of the workstation trust record. Selected through
	 * secrets_domain_infoU by secrets_domain_info_version.
	 */
	typedef [public] struct {
		[value(0)] hyper reserved_flags; /* always pushed as 0; reserved for future use */

		NTTIME join_time;

		[string,charset(UTF16)] uint16 computer_name[];
		[string,charset(UTF16)] uint16 account_name[];
		netr_SchannelType secure_channel_type;

		lsa_DnsDomainInfo domain_info;
		netr_TrustFlags trust_flags;
		lsa_TrustType trust_type;
		lsa_TrustAttributes trust_attributes;

		/*
		 * This is unused currently, it might
		 * be useful to implement multi-tenancy (joining multiple domains)
		 * in future.
		 *
		 * Or we could use it to do other filtering of domains.
		 */
		[value(NULL)] lsa_ForestTrustInformation *reserved_routing; /* always pushed as NULL */

		kerb_EncTypes supported_enc_types;
		[string,charset(UTF16)] uint16 *salt_principal; /* optional (unique pointer) */

		NTTIME password_last_change;
		hyper password_changes; /* presumably a running count of password changes - confirm */
		secrets_domain_info1_change *next_change; /* NULL unless a change is in flight */

		[ref] secrets_domain_info1_password *password; /* current password; [ref]: never NULL */
		secrets_domain_info1_password *old_password; /* previous generation, may be NULL */
		secrets_domain_info1_password *older_password; /* generation before that, may be NULL */
	} secrets_domain_info1;

	/* Discriminator for secrets_domain_infoU; bump when info1 changes incompatibly. */
	typedef [v1_enum] enum {
		SECRETS_DOMAIN_INFO_VERSION_1 = 0x00000001
	} secrets_domain_info_version;

	/*
	 * If we ever need to change this we need to
	 * change secrets_domain_info into
	 * secrets_domain_info_v1
	 */
	typedef union {
		[case(SECRETS_DOMAIN_INFO_VERSION_1)]
			secrets_domain_info1 *info1;
		[default]; /* unknown versions carry no payload */
	} secrets_domain_infoU;

	/*
	 * Outer, versioned container actually written to secrets.tdb:
	 * version selects the union arm of info.
	 */
	typedef [public] struct {
		secrets_domain_info_version version;
		[value(0)] uint32 reserved; /* always pushed as 0 */
		[switch_is(version)] secrets_domain_infoU info;
	} secrets_domain_infoB;
}