mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/librpc
Douglas Bagnall f893cf85cc security.idl: extend security token for claims
A security token contains the context needed to make access decisions
for a particular client, which has until now been a number of SIDs and
flags. Claims are arbitrary attributes that can be tacked onto the
security token. Typically they will arrive via a Kerberos PAC, but we
don't need to worry about that now -- only that they are stored on the
token.

The security token in [MS-DTYP] 2.5.2 is described in abstract terms
(it is not transmitted on the wire) as behaving *as if* it held claims
in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We
take that suggestion literally. This is *almost* the same as storing
the [MS-ADTS] 2.2.18 claims wire structures that the claims are
presumably derived from, and doing that might seem like a small
optimisation. But we don't do that because of subtle differences and
we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl
for resource attribute ACEs.

The three stored claim types are user claims, device claims, and local
claims. Local claims relate to local Windows accounts and are unlikely
to occur in Samba. Nevertheless we have the array there just in case.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  7 05:50:24 UTC 2023 on atb-devel-224
2023-09-07 05:50:24 +00:00
ABI librpc:ndr: Add ‘int64’ type 2023-08-15 18:46:33 +00:00
gen_ndr
idl security.idl: extend security token for claims 2023-09-07 05:50:24 +00:00
ndr librpc/security.idl: adjust size calculations for upcoming ace types 2023-08-24 02:53:31 +00:00
rpc librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any payload 2023-08-08 08:02:40 +00:00
tests libprc/test: add pull_string_array large array test 2020-08-07 04:44:17 +00:00
tools ndrdump: Allow a long string of hexidecimal digits as well as a hex dump for --hex-input 2023-03-31 01:48:30 +00:00
binding-strings.txt docs: Document DCEPRC binding string for rpcclient 2019-02-04 02:03:56 +01:00
ndr_krb5pac.pc.in build: correct package dependencies 2017-04-18 18:54:13 +02:00
ndr_nbt.pc.in pkgconfig: Do not hardcode library version numbers in pc files. 2013-08-22 20:48:44 +02:00
ndr_standard.pc.in pkgconfig: Do not hardcode library version numbers in pc files. 2013-08-22 20:48:44 +02:00
ndr.pc.in pkgconfig: Do not hardcode library version numbers in pc files. 2013-08-22 20:48:44 +02:00
tables.pl librpc/tables.pl: remove unused $opt_output option 2018-11-20 01:33:35 +01:00
wscript_build librpc:ndr: Add ‘int64’ type 2023-08-15 18:46:33 +00:00