mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
f893cf85cc
A security token contains the context needed to make access decisions for a particular client, which has until now been a number of SIDs and flags. Claims are arbitrary attributes that can be tacked onto the security token. Typically they will arrive via a Kerberos PAC, but we don't need to worry about that now -- only that they are stored on the token. The security token in [MS-DTYP] 2.5.2 is described in abstract terms (it is not transmitted on the wire) as behaving *as if* it held claims in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We take that suggestion literally. This is *almost* the same as storing the [MS-ADTS] 2.2.18 claims wire structures that the claims are presumably derived from, and doing that might seem like a small optimisation. But we don't do that because of subtle differences and we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl for resource attribute ACEs. The three stored claim types are user claims, device claims, and local claims. Local claims relate to local Windows accounts and are unlikely to occur in Samba. Nevertheless we have the array there just in case. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Sep 7 05:50:24 UTC 2023 on atb-devel-224 |
||
---|---|---|
.. | ||
ABI | ||
gen_ndr | ||
idl | ||
ndr | ||
rpc | ||
tests | ||
tools | ||
binding-strings.txt | ||
ndr_krb5pac.pc.in | ||
ndr_nbt.pc.in | ||
ndr_standard.pc.in | ||
ndr.pc.in | ||
tables.pl | ||
wscript_build |