authorAndrew Bartlett <abartlet@samba.org>2005-06-29 13:55:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:57 -0500
commit9a7481bcfeff29495334eff8803878c2c238878f (patch)
tree040ffa0f4b35ebe93b749a7b32166a9be1e525ad /source4/librpc
parentf4e75294be1f4c9d110d4ca48c5143078ade2bce (diff)
r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verify both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into an auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be verified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
Diffstat (limited to 'source4/librpc')
-rw-r--r--source4/librpc/idl/krb5pac.idl16
-rw-r--r--source4/librpc/idl/netlogon.idl6
-rw-r--r--source4/librpc/idl/samr.idl14
3 files changed, 23 insertions, 13 deletions
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 16524197c5..e3395f8961 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -16,37 +16,39 @@ interface krb5pac
typedef struct {
NTTIME logon_time;
[flag(STR_SIZE2|STR_NOTERM|STR_BYTESIZE)] string account_name;
- } PAC_UNKNOWN_10;
+ [value(0)] uint32 _pad;
+ } PAC_LOGON_NAME;
typedef [flag(NDR_PAHEX)] struct {
uint32 type;
uint8 signature[16];
+ [value(0)] uint32 _pad;
} PAC_SIGNATURE_DATA;
typedef struct {
uint32 unknown[5];
netr_SamInfo3 info3;
dom_sid2 *res_group_dom_sid;
- samr_RidWithTypeArray res_groups;
+ samr_RidWithAttributeArray res_groups;
} PAC_LOGON_INFO;
const uint8 PAC_TYPE_LOGON_INFO = 1;
const uint8 PAC_TYPE_SRV_CHECKSUM = 6;
const uint8 PAC_TYPE_KDC_CHECKSUM = 7;
- const uint8 PAC_TYPE_UNKNOWN_10 = 10;
+ const uint8 PAC_TYPE_LOGON_NAME = 10;
- typedef [nodiscriminant] union {
+ typedef [nodiscriminant,gensize,flag(NDR_ALIGN8)] union {
[case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO logon_info;
[case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
[case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
- [case(PAC_TYPE_UNKNOWN_10)] PAC_UNKNOWN_10 type_10;
+ [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name;
} PAC_INFO;
typedef struct {
uint32 type;
- uint32 size;
+ [value(ndr_size_PAC_INFO(info,type,ndr->flags))] uint32 size;
[relative,switch_is(type)] PAC_INFO *info;
- uint32 _pad;
+ [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
} PAC_BUFFER;
typedef [public,flag(NDR_ALIGN8)] struct {
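Review bot: The `size` field of `PAC_BUFFER` is now computed on push by `[value(ndr_size_PAC_INFO(info,type,ndr->flags))]`, but nothing in this hunk ties the value read from the wire to how much data the `[relative,switch_is(type)] PAC_INFO *info` pull may consume. A PAC arrives inside a ticket from the network, so `type` alone should not decide how many bytes get parsed. If pidl allows it here, confine `info` to a subcontext sized by `size`; otherwise the caller should compare `size` with the parsed length before any checksum is verified. Separately, `/* Top half of a 64 bit pointer? */` on `_pad` records a guess; if it is right, a non-zero value on pull should probably be rejected rather than ignored, with a comment such as `/* assumed high 32 bits of a 64-bit offset; must be zero */`. The typedef opened on the hunk's last line continues outside the hunk.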
diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl
index 8301a6cf40..f73dc24f47 100644
--- a/source4/librpc/idl/netlogon.idl
+++ b/source4/librpc/idl/netlogon.idl
@@ -140,6 +140,10 @@ interface netlogon
uint8 key[8];
} netr_LMSessionKey;
+ /* Flags for user_flags below */
+ const int NETLOGON_EXTRA_SIDS = 0x0020;
+ const int NETLOGON_RESOURCE_GROUPS = 0x0200;
+
typedef struct {
NTTIME last_logon;
NTTIME last_logoff;
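Review bot: `NETLOGON_EXTRA_SIDS` and `NETLOGON_RESOURCE_GROUPS` are added as loose `const int` values, so only the comment `/* Flags for user_flags below */` connects them to the `uint32 user_flags` field. These bits presumably tell a consumer whether the extra-SID and resource-group parts of the logon info are meaningful, which matters when authorization data is built from a PAC. A comment naming the fields each flag gates would help, e.g. `/* NETLOGON_RESOURCE_GROUPS: res_group_dom_sid and res_groups in PAC_LOGON_INFO are valid */` if that is the intent. The same applies to the `SE_GROUP_*` constants added in samr.idl, which nothing links to the `attributes` member of `samr_RidWithAttribute`. The struct that follows the constants continues outside the hunk.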
@@ -157,7 +161,7 @@ interface netlogon
uint16 bad_password_count;
uint32 rid;
uint32 primary_gid;
- samr_RidWithTypeArray groups;
+ samr_RidWithAttributeArray groups;
uint32 user_flags;
netr_UserSessionKey key;
netr_String logon_server;
diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl
index cf61011387..a989d09486 100644
--- a/source4/librpc/idl/samr.idl
+++ b/source4/librpc/idl/samr.idl
@@ -357,6 +357,10 @@
[out,ref] policy_handle *group_handle
);
+ /* Group attributes */
+ const int SE_GROUP_MANDATORY = 0x0001;
+ const int SE_GROUP_ENABLED_BY_DEFAULT = 0x0002;
+ const int SE_GROUP_ENABLED = 0x0004;
/************************/
/* Function 0x14 */
@@ -816,17 +820,17 @@
typedef [public] struct {
uint32 rid;
- uint32 type;
- } samr_RidWithType;
+ uint32 attributes;
+ } samr_RidWithAttribute;
typedef [public] struct {
uint32 count;
- [size_is(count)] samr_RidWithType *rids;
- } samr_RidWithTypeArray;
+ [size_is(count)] samr_RidWithAttribute *rids;
+ } samr_RidWithAttributeArray;
NTSTATUS samr_GetGroupsForUser(
[in,ref] policy_handle *user_handle,
- [out] samr_RidWithTypeArray *rids
+ [out] samr_RidWithAttributeArray *rids
);
/************************/