summaryrefslogtreecommitdiffstats
path: root/librpc/idl/krb5pac.idl
diff options
context:
space:
mode:
Diffstat (limited to 'librpc/idl/krb5pac.idl')
-rw-r--r--librpc/idl/krb5pac.idl225
1 files changed, 225 insertions, 0 deletions
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
new file mode 100644
index 0000000..a21533f
--- /dev/null
+++ b/librpc/idl/krb5pac.idl
@@ -0,0 +1,225 @@
+/*
+ krb5 PAC
+*/
+
+#include "idl_types.h"
+
+import "security.idl", "lsa.idl", "netlogon.idl", "samr.idl";
+
+[
+ uuid("12345778-1234-abcd-0000-00000000"),
+ version(0.0),
+ pointer_default(unique),
+ helpstring("Active Directory KRB5 PAC"),
+ helper("../librpc/ndr/ndr_krb5pac.h")
+]
+interface krb5pac
+{
+ typedef struct {
+ NTTIME logon_time;
+ [value(2*strlen_m(account_name))] uint16 size;
+ [charset(UTF16)] uint8 account_name[size];
+ } PAC_LOGON_NAME;
+
+ typedef [public,flag(NDR_PAHEX)] struct {
+ uint32 type;
+ [flag(NDR_REMAINING)] DATA_BLOB signature;
+ } PAC_SIGNATURE_DATA;
+
+ typedef struct {
+ dom_sid2 *domain_sid;
+ samr_RidWithAttributeArray groups;
+ } PAC_DOMAIN_GROUP_MEMBERSHIP;
+
+ typedef struct {
+ netr_SamInfo3 info3;
+ /*
+ * On ndr_push:
+ * Pointers values of info3.sids[*].sid
+ * should be allocated before the following ones?
+ * (just the 0x30 0x00 0x02 0x00 value).
+ */
+ PAC_DOMAIN_GROUP_MEMBERSHIP resource_groups;
+ } PAC_LOGON_INFO;
+
+ typedef [bitmap32bit] bitmap {
+ PAC_CREDENTIAL_NTLM_HAS_LM_HASH = 0x00000001,
+ PAC_CREDENTIAL_NTLM_HAS_NT_HASH = 0x00000002
+ } PAC_CREDENTIAL_NTLM_FLAGS;
+
+ typedef [public] struct {
+ [value(0)] uint32 version;
+ PAC_CREDENTIAL_NTLM_FLAGS flags;
+ [noprint] samr_Password lm_password;
+ [noprint] samr_Password nt_password;
+ } PAC_CREDENTIAL_NTLM_SECPKG;
+
+ typedef [public] struct {
+ lsa_String package_name;
+ uint32 credential_size;
+ [size_is(credential_size), noprint] uint8 *credential;
+ } PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG;
+
+ typedef [public] struct {
+ uint32 credential_count;
+ [size_is(credential_count)] PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG credentials[*];
+ } PAC_CREDENTIAL_DATA;
+
+ typedef [public] struct {
+ PAC_CREDENTIAL_DATA *data;
+ } PAC_CREDENTIAL_DATA_CTR;
+
+ typedef [public] struct {
+ [subcontext(0xFFFFFC01)] PAC_CREDENTIAL_DATA_CTR ctr;
+ } PAC_CREDENTIAL_DATA_NDR;
+
+ typedef [public] struct {
+ [value(0)] uint32 version;
+ uint32 encryption_type;
+ [flag(NDR_REMAINING)] DATA_BLOB encrypted_data;
+ } PAC_CREDENTIAL_INFO;
+
+ typedef struct {
+ lsa_String proxy_target;
+ uint32 num_transited_services;
+ [size_is(num_transited_services)] lsa_String *transited_services;
+ } PAC_CONSTRAINED_DELEGATION;
+
+ typedef [bitmap32bit] bitmap {
+ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
+ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
+ } PAC_UPN_DNS_FLAGS;
+
+ typedef struct {
+ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
+ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
+ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
+ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
+ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
+
+ typedef [nodiscriminant] union {
+ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
+ [default];
+ } PAC_UPN_DNS_INFO_EX;
+
+ typedef struct {
+ [value(2*strlen_m(upn_name))] uint16 upn_name_size;
+ [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
+ [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
+ [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
+ PAC_UPN_DNS_FLAGS flags;
+ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
+ } PAC_UPN_DNS_INFO;
+
+ typedef [bitmap32bit] bitmap {
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
+ } PAC_ATTRIBUTE_INFO_FLAGS;
+
+ typedef struct {
+ uint32 flags_length; /* length in bits */
+ PAC_ATTRIBUTE_INFO_FLAGS flags;
+ } PAC_ATTRIBUTES_INFO;
+
+ typedef struct {
+ dom_sid sid;
+ } PAC_REQUESTER_SID;
+
+ typedef [public] struct {
+ PAC_LOGON_INFO *info;
+ } PAC_LOGON_INFO_CTR;
+
+ typedef [public] struct {
+ PAC_CONSTRAINED_DELEGATION *info;
+ } PAC_CONSTRAINED_DELEGATION_CTR;
+
+ typedef [public,v1_enum] enum {
+ PAC_TYPE_LOGON_INFO = 1,
+ PAC_TYPE_CREDENTIAL_INFO = 2,
+ PAC_TYPE_SRV_CHECKSUM = 6,
+ PAC_TYPE_KDC_CHECKSUM = 7,
+ PAC_TYPE_LOGON_NAME = 10,
+ PAC_TYPE_CONSTRAINED_DELEGATION = 11,
+ PAC_TYPE_UPN_DNS_INFO = 12,
+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+ PAC_TYPE_DEVICE_INFO = 14,
+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ PAC_TYPE_TICKET_CHECKSUM = 16,
+ PAC_TYPE_ATTRIBUTES_INFO = 17,
+ PAC_TYPE_REQUESTER_SID = 18,
+ PAC_TYPE_FULL_CHECKSUM = 19
+ } PAC_TYPE;
+
+ typedef struct {
+ [flag(NDR_REMAINING)] DATA_BLOB remaining;
+ } DATA_BLOB_REM;
+
+ typedef [public,nodiscriminant,gensize] union {
+ [case(PAC_TYPE_LOGON_INFO)][subcontext(0xFFFFFC01)] PAC_LOGON_INFO_CTR logon_info;
+ [case(PAC_TYPE_CREDENTIAL_INFO)] PAC_CREDENTIAL_INFO credential_info;
+ [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
+ [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
+ [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name;
+ [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
+ PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
+ [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
+ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
+ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
+ [case(PAC_TYPE_FULL_CHECKSUM)] PAC_SIGNATURE_DATA full_checksum;
+ /* when new PAC info types are added they are supposed to be done
+ in such a way that they are backwards compatible with existing
+ servers. This makes it safe to just use a [default] for
+ unknown types, which lets us ignore the data */
+ [default] [subcontext(0)] DATA_BLOB_REM unknown;
+ } PAC_INFO;
+
+ typedef [public,nopush,nopull] struct {
+ PAC_TYPE type;
+ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
+ /*
+ * We need to have two subcontexts to get the padding right,
+ * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
+ * the inner subcontext only uses _ndr_size.
+ *
+ * We do that in non-generated push/pull functions.
+ */
+ [relative,switch_is(type),subcontext(0),subcontext_size(NDR_ROUND(_ndr_size,8)),flag(NDR_ALIGN8)] PAC_INFO *info;
+ [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
+ } PAC_BUFFER;
+
+ typedef [public] struct {
+ uint32 num_buffers;
+ uint32 version;
+ PAC_BUFFER buffers[num_buffers];
+ } PAC_DATA;
+
+ typedef [public] struct {
+ PAC_TYPE type;
+ uint32 ndr_size;
+ [relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info;
+ [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
+ } PAC_BUFFER_RAW;
+
+ typedef [public] struct {
+ uint32 num_buffers;
+ uint32 version;
+ PAC_BUFFER_RAW buffers[num_buffers];
+ } PAC_DATA_RAW;
+
+ const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3;
+
+ typedef [public] struct {
+ [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
+ uint32 ChecksumLength;
+ int32 SignatureType;
+ uint32 SignatureLength;
+ [flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature;
+ } PAC_Validate;
+
+ /* used for samba3 netsamlogon cache */
+ typedef [public] struct {
+ time_t timestamp;
+ netr_SamInfo3 info3;
+ } netsamlogoncache_entry;
+}