Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify

(This used to be commit b706708210a05d6f10474a3cd2bbc550704d4356)

7 files changed, 131 insertions, 68 deletions

diff --git a/source4/librpc/idl/dcerpc.idl b/source4/librpc/idl/dcerpc.idl
index e54bc2c29f..1c6574b11b 100644
--- a/source4/librpc/idl/dcerpc.idl
+++ b/source4/librpc/idl/dcerpc.idl
@@ -30,7 +30,6 @@ interface dcerpc
 	} dcerpc_bind;
 
 	const uint8 DCERPC_REQUEST_LENGTH = 24;
-	const uint8 DCERPC_MAX_SIGN_SIZE  = 64;
 
 	typedef struct {
 	} dcerpc_empty;
@@ -154,6 +153,8 @@ interface dcerpc
 		[flag(NDR_REMAINING)] DATA_BLOB credentials;
 	} dcerpc_auth;
 
+	const uint8 DCERPC_AUTH_TRAILER_LENGTH = 8;
+
 	typedef [public] struct {
 		uint32 _pad;
 		[flag(NDR_REMAINING)] DATA_BLOB auth_info;
diff --git a/source4/librpc/idl/drsblobs.idl b/source4/librpc/idl/drsblobs.idl
index b0cddfcdf9..eb85989eda 100644
--- a/source4/librpc/idl/drsblobs.idl
+++ b/source4/librpc/idl/drsblobs.idl
@@ -401,7 +401,7 @@ interface drsblobs {
 		[case(TRUST_AUTH_TYPE_VERSION)] AuthInfoVersion version;
 	} AuthInfo;
 
-	typedef struct {
+	typedef [public] struct {
 		NTTIME LastUpdateTime;
 		trustAuthType AuthType;
 		
@@ -422,32 +422,15 @@ interface drsblobs {
 		[flag(NDR_ALIGN4)] DATA_BLOB _pad;
 	} AuthenticationInformation;
 
-	typedef struct {
-		AuthenticationInformation info[1];
-	} AuthenticationInformation1;
-
-	typedef struct {
-		AuthenticationInformation info[2];
-	} AuthenticationInformation2;
-
-	typedef struct {
-		[relative] AuthenticationInformation1 *current;
-		[relative] AuthenticationInformation1 *previous;
-	} AuthenticationInformationCtr1;
-
-	typedef struct {
-		[relative] AuthenticationInformation2 *current;
-		[relative] AuthenticationInformation2 *previous;
-	} AuthenticationInformationCtr2;
+	typedef [nopull,nopush,noprint] struct {
+		/* sizeis here is bogus, but this is here just for the structure */
+		[size_is(1)] AuthenticationInformation array[];
+	} AuthenticationInformationArray;
 
-	typedef [nodiscriminant] union {
-		[case(1)] AuthenticationInformationCtr1 info1;
-		[case(2)] AuthenticationInformationCtr2 info2;
-	} AuthenticationInformationCtr;
-
-	typedef [public] struct {
+	typedef [public,nopull,nopush,noprint] struct {
 		uint32 count;
-		[switch_is(count)] AuthenticationInformationCtr auth;
+		[relative] AuthenticationInformationArray *current;
+		[relative] AuthenticationInformationArray *previous;
 	} trustAuthInOutBlob;
 
 	void decode_trustAuthInOut(
diff --git a/source4/librpc/idl/drsuapi.idl b/source4/librpc/idl/drsuapi.idl
index 88d2126d0b..cc76599be6 100644
--- a/source4/librpc/idl/drsuapi.idl
+++ b/source4/librpc/idl/drsuapi.idl
@@ -617,36 +617,44 @@ interface drsuapi
 		WERROR drs_error;
 	} drsuapi_DsGetNCChangesCtr6;
 
-	typedef struct {
+	typedef [public] struct {
+		[subcontext(0xFFFFFC01)] drsuapi_DsGetNCChangesCtr1 ctr1;
+	} drsuapi_DsGetNCChangesCtr1TS;
+
+	typedef [public] struct {
+		[subcontext(0xFFFFFC01)] drsuapi_DsGetNCChangesCtr6 ctr6;
+	} drsuapi_DsGetNCChangesCtr6TS;
+
+	typedef [nopush] struct {
 		uint32 decompressed_length;
 		uint32 compressed_length;
 		[subcontext(4),subcontext_size(compressed_length),
 		 compression(NDR_COMPRESSION_MSZIP,compressed_length,decompressed_length)]
-		 drsuapi_DsGetNCChangesCtr1 *ctr1;
+		 drsuapi_DsGetNCChangesCtr1TS *ts;
 	} drsuapi_DsGetNCChangesMSZIPCtr1;
 
-	typedef struct {
+	typedef [nopush] struct {
 		uint32 decompressed_length;
 		uint32 compressed_length;
 		[subcontext(4),subcontext_size(compressed_length),
 		 compression(NDR_COMPRESSION_MSZIP,compressed_length,decompressed_length)]
-		 drsuapi_DsGetNCChangesCtr6 *ctr6;
+		 drsuapi_DsGetNCChangesCtr6TS *ts;
 	} drsuapi_DsGetNCChangesMSZIPCtr6;
 
-	typedef struct {
+	typedef [nopush] struct {
 		uint32 decompressed_length;
 		uint32 compressed_length;
 		[subcontext(4),subcontext_size(compressed_length),
 		 compression(NDR_COMPRESSION_XPRESS,compressed_length,decompressed_length)]
-		 drsuapi_DsGetNCChangesCtr1 *ctr1;
+		 drsuapi_DsGetNCChangesCtr1TS *ts;
 	} drsuapi_DsGetNCChangesXPRESSCtr1;
 
-	typedef struct {
+	typedef [nopush] struct {
 		uint32 decompressed_length;
 		uint32 compressed_length;
 		[subcontext(4),subcontext_size(compressed_length),
 		 compression(NDR_COMPRESSION_XPRESS,compressed_length,decompressed_length)]
-		 drsuapi_DsGetNCChangesCtr6 *ctr6;
+		 drsuapi_DsGetNCChangesCtr6TS *ts;
 	} drsuapi_DsGetNCChangesXPRESSCtr6;
 
 	typedef [enum16bit] enum {
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 3505fc895c..ca0efaed3e 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -45,10 +45,6 @@ interface krb5pac
 	} PAC_UNKNOWN_12;
 
 	typedef [public] struct {
-		[value(0x00081001)] uint32 unknown1;
-		[value(0xCCCCCCCC)] uint32 unknown2;
-		[value(NDR_ROUND(ndr_size_PAC_LOGON_INFO(info, ndr->flags)+4,8))] uint32 _ndr_size;
-		[value(0x00000000)] uint32 unknown3;
 		PAC_LOGON_INFO *info;
     	} PAC_LOGON_INFO_CTR;
 
@@ -66,11 +62,15 @@ interface krb5pac
 	} DATA_BLOB_REM;
 
 	typedef [public,nodiscriminant,gensize] union {
-		[case(PAC_TYPE_LOGON_INFO)]	PAC_LOGON_INFO_CTR logon_info;
+		[case(PAC_TYPE_LOGON_INFO)][subcontext(0xFFFFFC01)] PAC_LOGON_INFO_CTR logon_info;
 		[case(PAC_TYPE_SRV_CHECKSUM)]	PAC_SIGNATURE_DATA srv_cksum;
 		[case(PAC_TYPE_KDC_CHECKSUM)]	PAC_SIGNATURE_DATA kdc_cksum;
 		[case(PAC_TYPE_LOGON_NAME)]	PAC_LOGON_NAME logon_name;
-		[case(PAC_TYPE_UNKNOWN_12)]	[subcontext(0)] DATA_BLOB_REM unknown;
+		/* when new PAC info types are added they are supposed to be done
+		   in such a way that they are backwards compatible with existing
+		   servers. This makes it safe to just use a [default] for
+		   unknown types, which lets us ignore the data */
+		[default]	[subcontext(0)] DATA_BLOB_REM unknown;
 		/* [case(PAC_TYPE_UNKNOWN_12)]	PAC_UNKNOWN_12 unknown; */
 	} PAC_INFO;
 
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 93cfdee201..408956b3fa 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -14,6 +14,7 @@ import "misc.idl", "security.idl";
 ] interface lsarpc
 {
 	typedef bitmap security_secinfo security_secinfo;
+	typedef bitmap kerb_EncTypes kerb_EncTypes;
 
 	typedef [public,noejs] struct {
 		[value(2*strlen_m(string))] uint16 length;
@@ -507,22 +508,53 @@ import "misc.idl", "security.idl";
 	} lsa_DATA_BUF2;
 
 	typedef enum {
-		LSA_TRUSTED_DOMAIN_INFO_NAME             = 1,
-		LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO = 2,
-		LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET     = 3,
-		LSA_TRUSTED_DOMAIN_INFO_PASSWORD         = 4,
-		LSA_TRUSTED_DOMAIN_INFO_BASIC            = 5,
-		LSA_TRUSTED_DOMAIN_INFO_INFO_EX          = 6,
-		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO        = 7,
-		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO        = 8,
-		LSA_TRUSTED_DOMAIN_INFO_11               = 11,
-		LSA_TRUSTED_DOMAIN_INFO_INFO_ALL         = 12
+		LSA_TRUSTED_DOMAIN_INFO_NAME                  = 1,
+		LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS           = 2,
+		LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET          = 3,
+		LSA_TRUSTED_DOMAIN_INFO_PASSWORD              = 4,
+		LSA_TRUSTED_DOMAIN_INFO_BASIC                 = 5,
+		LSA_TRUSTED_DOMAIN_INFO_INFO_EX               = 6,
+		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO             = 7,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO             = 8,
+		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL    = 9,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL    = 10,
+		LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL     = 11,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL  = 12,
+		LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES = 13
 	} lsa_TrustDomInfoEnum;
 
+	typedef [public,bitmap32bit] bitmap {
+		LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
+		LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
+	} lsa_TrustDirection;
+
+	typedef [v1_enum] enum {
+		LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
+		LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
+		LSA_TRUST_TYPE_MIT        = 0x00000003
+	} lsa_TrustType;
+
+	typedef [public,bitmap32bit] bitmap {
+		LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x00000001,
+		LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY        = 0x00000002,
+		LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x00000004,
+		LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x00000008,
+		LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION  = 0x00000010,
+		LSA_TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x00000020,
+		LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x00000040,
+		LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080
+	} lsa_TrustAttributes;
+
 	typedef struct {
 		lsa_StringLarge  netbios_name;
 	} lsa_TrustDomainInfoName;
 
+
+	typedef struct {
+		uint32 entries;
+		[size_is(entries)] lsa_StringLarge  *netbios_names;
+	} lsa_TrustDomainInfoControllers;
+
 	typedef struct {
 		uint32         posix_offset;
 	} lsa_TrustDomainInfoPosixOffset;
@@ -540,10 +572,10 @@ import "misc.idl", "security.idl";
 	typedef struct {
 		lsa_StringLarge     domain_name;
 		lsa_StringLarge     netbios_name;
-		dom_sid2      *sid;
-		uint32         trust_direction;
-		uint32         trust_type;
-		uint32         trust_attributes;
+		dom_sid2           *sid;
+		lsa_TrustDirection  trust_direction;
+		lsa_TrustType       trust_type;
+		lsa_TrustAttributes trust_attributes;
 	} lsa_TrustDomainInfoInfoEx;
 
 	typedef struct {
@@ -570,25 +602,46 @@ import "misc.idl", "security.idl";
 	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
 		lsa_DATA_BUF2                  data1;
-	} lsa_TrustDomainInfo11;
+	} lsa_TrustDomainInfoInfoEx2Internal;
 
 	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
 		lsa_DATA_BUF2                  data1;
 		lsa_TrustDomainInfoPosixOffset posix_offset;
 		lsa_TrustDomainInfoAuthInfo    auth_info;
-	} lsa_TrustDomainInfoInfoAll;
+	} lsa_TrustDomainInfoInfo2Internal;
+
+	typedef struct {
+		kerb_EncTypes enc_types;
+	} lsa_TrustDomainInfoSupportedEncTypes;
 
 	typedef [switch_type(lsa_TrustDomInfoEnum)] union {
-		[case(LSA_TRUSTED_DOMAIN_INFO_NAME)]         lsa_TrustDomainInfoName        name;
-		[case(LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET)] lsa_TrustDomainInfoPosixOffset posix_offset;
-		[case(LSA_TRUSTED_DOMAIN_INFO_PASSWORD)]     lsa_TrustDomainInfoPassword    password;
-		[case(LSA_TRUSTED_DOMAIN_INFO_BASIC)]        lsa_TrustDomainInfoBasic       info_basic;
-		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX)]      lsa_TrustDomainInfoInfoEx      info_ex;
-		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO)]    lsa_TrustDomainInfoAuthInfo    auth_info;
-		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]    lsa_TrustDomainInfoFullInfo    full_info;
-		[case(LSA_TRUSTED_DOMAIN_INFO_11)]           lsa_TrustDomainInfo11          info11;
-		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_ALL)]     lsa_TrustDomainInfoInfoAll     info_all;
+		[case(LSA_TRUSTED_DOMAIN_INFO_NAME)]
+		        lsa_TrustDomainInfoName              name;
+		[case(LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS)]
+		        lsa_TrustDomainInfoControllers   controllers;
+		[case(LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET)]
+		        lsa_TrustDomainInfoPosixOffset       posix_offset;
+		[case(LSA_TRUSTED_DOMAIN_INFO_PASSWORD)]
+		        lsa_TrustDomainInfoPassword          password;
+		[case(LSA_TRUSTED_DOMAIN_INFO_BASIC)]
+		        lsa_TrustDomainInfoBasic             info_basic;
+		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX)]
+		        lsa_TrustDomainInfoInfoEx            info_ex;
+		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO)]
+		        lsa_TrustDomainInfoAuthInfo          auth_info;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]
+		        lsa_TrustDomainInfoFullInfo          full_info;
+		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL)]
+		        lsa_TrustDomainInfoAuthInfo          auth_info_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL)]
+		        lsa_TrustDomainInfoFullInfo          full_info_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL)]
+		        lsa_TrustDomainInfoInfoEx2Internal   info_ex2_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL)]
+		        lsa_TrustDomainInfoInfo2Internal     info2_internal;
+		[case(LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES)]
+		        lsa_TrustDomainInfoSupportedEncTypes enc_types;
 	} lsa_TrustedDomainInfo;
 
 	/* Function:       0x1a */
@@ -658,8 +711,12 @@ import "misc.idl", "security.idl";
 		[in]         uint16 unknown
 		);
 
-	/* Function:        0x22 */
-	[todo] NTSTATUS lsa_DeleteObject();
+	/*******************/
+	/* Function:  0x22 */
+	NTSTATUS lsa_DeleteObject (
+		[in,out]     policy_handle *handle
+		);
+
 
 	
 	/*******************/
diff --git a/source4/librpc/idl/nbt.idl b/source4/librpc/idl/nbt.idl
index a6d0245455..63be489e0d 100644
--- a/source4/librpc/idl/nbt.idl
+++ b/source4/librpc/idl/nbt.idl
@@ -353,7 +353,13 @@ interface nbt
 		NBT_SERVER_TIMESERV      = 0x00000040,
 		NBT_SERVER_CLOSEST       = 0x00000080,
 		NBT_SERVER_WRITABLE      = 0x00000100, 
-		NBT_SERVER_GOOD_TIMESERV = 0x00000200
+		NBT_SERVER_GOOD_TIMESERV = 0x00000200,
+		NBT_SERVER_NDNC          = 0x00000400,
+		NBT_SERVER_SEL_SEC_DOM_6 = 0x00000800,
+		NBT_SERVER_FUL_SEC_DOM_6 = 0x00001000,
+		NBT_SERVER_DS_DNS_CONTR  = 0x04000000,
+		NBT_SERVER_DS_DNS_DOMAIN = 0x02000000,
+		NBT_SERVER_DS_DNS_FOREST = 0x01000000
 	} nbt_server_type;
 
 	typedef [bitmap32bit,public] bitmap {
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl
index f8e9e9e110..80efe46453 100644
--- a/source4/librpc/idl/security.idl
+++ b/source4/librpc/idl/security.idl
@@ -386,4 +386,12 @@ interface security
 		SECINFO_PROTECTED_SACL	     = 0x40000000,
 		SECINFO_PROTECTED_DACL	     = 0x80000000
 	} security_secinfo;
+
+	typedef [public,bitmap32bit] bitmap {
+		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
+		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
+		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
+		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
+		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
+	} kerb_EncTypes;
 }