summaryrefslogtreecommitdiff
path: root/source4/librpc/idl/krb5pac.idl
AgeCommit message (Collapse)AuthorFilesLines
2008-03-06Ignore Kerberos PAC type 12.Günther Deschner1-5/+6
Until we worked out the PAC_TYPE_UNKNOWN_12 format (or received documentation) ignore it so that the PAC parsing can proceed. Guenther (cherry picked from commit 3630ec26c99fdea46c47117d026f9bffb2c4590a) (This used to be commit 0c1ccbc183c1d2967da2d9a17033f3b116ff7387)
2008-03-06Slowly making progress on PAC_UNKNOWN_12.Günther Deschner1-3/+3
unknown1 and unknown2 are offset headers for the strings. Guenther (cherry picked from commit 7af70e75b9abf92921f33ec4207ad486ee2493d6) (This used to be commit ad19da7f83761948f379921560da34bb6a01e625)
2008-03-06Add new Windows 2008 Kerberos PAC Type 12 (apparently again undocumented).Günther Deschner1-1/+16
We need at least to parse this in order to correctly support kerberized session setup from w2k8 as well as local pam_winbind logons using kerberos. Guenther (cherry picked from commit 4ba62d49d740c43cf17ceef1534cf1c8a7e4a130) (This used to be commit ef0971206cda598e6bfad2ff06a3d2e9e8131682)
2008-02-15krb5pac.idl: use charset() instead of string type with flagsStefan Metzmacher1-1/+2
metze (This used to be commit 30657ae0ebdb85ae995a3dfe3ce123851fd92e0f)
2007-10-10r21805: Add PAC_TYPE_CONSTRAINED_DELEGATION to the PAC_TYPE enum.Andrew Bartlett1-1/+2
(This used to be commit 6fb3b4be10d204bec61a1fddd1c50c1c24d52ebf)
2007-10-10r20639: Commit part 1 of 2.Andrew Bartlett1-1/+1
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up it's generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next chekin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10r20566: Prepending with r-> is no longer necessary.Jelmer Vernooij1-1/+1
(This used to be commit 1df96af3103795f609165e7a7344e1bf6046be79)
2007-10-10r19588: Use include and import statements rather than depends() and helper().Jelmer Vernooij1-2/+3
(This used to be commit 347ae9628202ca4de4318ef8156999239aad9192)
2007-10-10r15328: Move some functions around, remove dependencies.Jelmer Vernooij1-2/+1
Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
2007-10-10r15222: Use more standard UUIDs. Should help AIX build.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit cde98e9ad1990ae9da89d6449b3f0e15f00f4e54)
2007-10-10r14721: Fix a couple of warnings.Jelmer Vernooij1-1/+1
(This used to be commit 426ac78108b35adc8412d12d2d888c3d5ddf4171)
2007-10-10r14708: Add a (bogus) UUID and a comment to the PAC defintion.Andrew Bartlett1-0/+2
Andrew Bartlett (This used to be commit 0ce6513e342abf9e35a76dd080ab99d1762cb3c1)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-1/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14361: Support 'helper' attribute in pidl and use it.Jelmer Vernooij1-1/+2
Remove some headers from include/includes.h (they're now only included in the file they are used) (This used to be commit 7213b7498eacac2c2cd03cf6aace376ce153cc7c)
2007-10-10r12512: Use GUID structs in API functions everywhere rather then converting ↵Jelmer Vernooij1-1/+0
back and forth between GUID structs and strings in several places. (This used to be commit 3564e2f967ef72d6301b4f7e9a311cebcded4d75)
2007-10-10r11096: Eliminate pointer_default_top()Jelmer Vernooij1-1/+0
(This used to be commit b773d848e854394f36351f97130a20a245367b2c)
2007-10-10r10181: Fix the buildJelmer Vernooij1-1/+1
(This used to be commit 231d01a3e79b26884409d24d8e25fc4ab8567d89)
2007-10-10r10171: This seems to work for encoding/decoding a PAC at the buffers onlyAndrew Bartlett1-0/+21
level (required for signature verification). Andrew Bartlett (This used to be commit 76c224f28885759daae45e02a7637f2451dc84d3)
2007-10-10r10145: Allow a variable length signature, so we can support signing withAndrew Bartlett1-1/+1
other than arcfour-hmac-md5. Currently we still fail to verify other signatures however. Andrew Bartlett (This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
2007-10-10r8250: More PAC work. We now sucessfully verify the KDC signature from my DCAndrew Bartlett1-1/+1
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
2007-10-10r8156: I found out that the unknown[2] field of the unknown[4] array is a ↵Stefan Metzmacher1-3/+6
length too, it's always 16 bytes smaller than the size in the PAC_BUFFER we now dump the blob's on LOCAL-PAC with -d 10 metze (This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283)
2007-10-10r8148: - make the PAC generation code a bit more readable and add some outof ↵Stefan Metzmacher1-13/+19
memory checks - move to handmodified pull/push code for PAC_BUFFER to get the _ndr_size field and the subcontext size right - after looking closely to the sample w2k3 PAC in our torture test (and some more in my archive) I found out that the first uint32 before the netr_SamInfo3 was also a pointer, (and we passed a NULL pointer there before, so I think that was the reason why the windows clients doesn't want our PAC) w2k3 uses this for unique pointers: ptr = ndr->ptr_count * 4; ptr |= 0x00020000; ndr->ptr_count; - do one more pull/push round with the sample PAC metze (This used to be commit 0eee17941595e9842a264bf89ac73ca66cea7ed5)
2007-10-10r8110: More PAC work. I still can't get WinXP to accept the PAC, but we areAndrew Bartlett1-7/+5
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trainling zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particulary as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10r8001: Also fill in the krbtgt checksum, and make sure to put the rightAndrew Bartlett1-1/+1
checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-7/+9
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r6973: Merge new version of pidl into the main SAMBA_4_0 branch.Jelmer Vernooij1-0/+1
The main difference in this new version is the extra data structure generated between the IDL data structure and the NDR parser: IDL -> NDR -> { ndr_parser, ndr_header, eparser, etc } This makes the ndr_parser.pm internals much more sane. Other changes include: - Remove unnecessary calls with NDR_BUFFERS (for example, GUID doesn't have any buffers, just scalars) as well as some (unnecessary) nested setting of flags. - Parse array loops in the C code rather then calling ndr_pull_array(). This allows us to have, for example, arrays of pointers or arrays of pointers to arrays, etc.. - Use if() {} rather then if () goto foo; everywhere - NDR_IN no longer implies LIBNDR_FLAG_REF_ALLOC - By default, top level pointers are now "ref" (as is the default in most other IDL compilers). This can be overridden using the default_pointer_top() property. - initial work on new ethereal parser generators by Alan DeKok and me - pidl now writes errors in the standard format used by compilers, which is parsable by most editors - ability to warn about the fact that pidl extension(s) have been used, useful for making sure IDL files work with other IDL compilers. oh, and there's probably some other things I can't think of right now.. (This used to be commit 13cf227615f6b9e0e5fa62e59197024410254f01)
2007-10-10r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.Andrew Bartlett1-2/+1
Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
2007-10-10r5661: Be a little stricter on syntax regarding arrays. A pointer to anJelmer Vernooij1-1/+1
array can now only be : type *name[]; rather then : type *name; which was supported in the past. Warnings will be given when the first syntax is used. Reasons for this change in behaviour include improved readability and the fact that the second format makes dealing with multiple levels of pointers harder. (This used to be commit a416de5825c540fd3741731c4be05e9a659a6fdb)
2007-10-10r4338: reuse netlogon structs in the krb5 PACStefan Metzmacher1-63/+5
that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
2007-10-10r3810: create a LIB_SECURITY subsystemStefan Metzmacher1-1/+2
- move dom_sid, security_descriptor, security_* funtions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596)
2007-10-10r3572: Thanks to tridge for his patience with my build breakage.Andrew Bartlett1-1/+1
This concludes the proper fixes. Andrew Bartlett (This used to be commit c1d025793f2994c8f1cab304c3394ab186654071)
2007-10-10r3511: teh PAC used 8byte alignmentStefan Metzmacher1-3/+1
metze (This used to be commit 08b26ed7ec41f0575da79858ccd0bf0f9a27b2b2)
2007-10-10r3283: converted to quoted uuid() defines in all our IDL. This should helpAndrew Tridgell1-1/+1
the build on systems like solaris with the SunPRO compiler (This used to be commit fe913ad11bf1c5e9fe04ed769a93b0ea16aa0a34)
2007-10-10r3113: make us able to generate the PAC with the same align as a MS KDCStefan Metzmacher1-1/+3
(we should fix pidl to handle NDR_ALIGN8 correct as a real fix for this problem) metze (This used to be commit ab7a26a95052cfd8bac1d03b534b5b516b409f61)
2007-10-10r1849: use LIBNDR_STRING_BYTESIZE hereStefan Metzmacher1-2/+1
metze (This used to be commit 6e6bfd6dd290b5e1cd3e90ebf20cd2207f94342e)
2007-10-10r1790: a few updates on krb5 PAC...Stefan Metzmacher1-4/+4
metze (This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
2007-10-10r1770: here's the krb5 server code,Stefan Metzmacher1-9/+9
there're some cleanups needed and we need to verify the PAC correctly and create the auth_session_info correctly... metze (This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
2007-10-10r1679: fix add the extrasids and resource group array inStefan Metzmacher1-5/+12
the EXTRA_SIDS idl isn't verified to be correct yet metze (This used to be commit 43fd611593af030a3d86d2640be6b1de959939c7)
2007-10-10r1673: using the new [relative] pidl handling, the PAC decode is now much closerAndrew Tridgell1-54/+17
(This used to be commit c33bf6f935025b5623f21cca50664ba70f886b49)
2007-10-10r1558: the unknown_time is the same as the logon_time in the PAC_LOGON_INFOStefan Metzmacher1-3/+3
the account_name is a 'nstring' metze (This used to be commit bb906e5e9e566e7ed931436956ba8323503875f9)
2007-10-10r1552: commit the first version of the pidl generated krb5 PAC parserStefan Metzmacher1-0/+153
NOTE: there a lot of work todo, maybe we need to extent pidl metze (This used to be commit b94a09d461291d9dd47c5859537d6025f02a80ff)