path: root/source4/librpc/idl/krb5pac.idl
Age | Commit message | Author | Files | Lines
2007-10-10 | r10181: Fix the build (This used to be commit 231d01a3e79b26884409d24d8e25fc4ab8567d89) | Jelmer Vernooij | 1 | -1/+1
2007-10-10 | r10171: This seems to work for encoding/decoding a PAC at the buffers only level (required for signature verification). Andrew Bartlett (This used to be commit 76c224f28885759daae45e02a7637f2451dc84d3) | Andrew Bartlett | 1 | -0/+21
2007-10-10 | r10145: Allow a variable length signature, so we can support signing with other than arcfour-hmac-md5. Currently we still fail to verify other signatures however. Andrew Bartlett (This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1) | Andrew Bartlett | 1 | -1/+1
2007-10-10 | r8250: More PAC work. We now successfully verify the KDC signature from my DC (I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf) | Andrew Bartlett | 1 | -1/+1
2007-10-10 | r8156: I found out that the unknown[2] field of the unknown[4] array is a length too, it's always 16 bytes smaller than the size in the PAC_BUFFER. We now dump the blobs on LOCAL-PAC with -d 10. metze (This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283) | Stefan Metzmacher | 1 | -3/+6
2007-10-10 | r8148: - make the PAC generation code a bit more readable and add some out of memory checks - move to hand-modified pull/push code for PAC_BUFFER to get the _ndr_size field and the subcontext size right - after looking closely at the sample w2k3 PAC in our torture test (and some more in my archive) I found out that the first uint32 before the netr_SamInfo3 was also a pointer, (and we passed a NULL pointer there before, so I think that was the reason why the Windows clients don't want our PAC) w2k3 uses this for unique pointers: ptr = ndr->ptr_count * 4; ptr |= 0x00020000; ndr->ptr_count; - do one more pull/push round with the sample PAC metze (This used to be commit 0eee17941595e9842a264bf89ac73ca66cea7ed5) | Stefan Metzmacher | 1 | -13/+19
2007-10-10 | r8110: More PAC work. I still can't get WinXP to accept the PAC, but we are much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trailing zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particularly as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb) | Andrew Bartlett | 1 | -7/+5
2007-10-10 | r8001: Also fill in the krbtgt checksum, and make sure to put the right checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933) | Andrew Bartlett | 1 | -1/+1
2007-10-10 | r7993: Further work on the Krb5 PAC. We now generate the PAC, and can verify both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into an auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be verified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466) | Andrew Bartlett | 1 | -7/+9
2007-10-10 | r6973: Merge new version of pidl into the main SAMBA_4_0 branch. The main difference in this new version is the extra data structure generated between the IDL data structure and the NDR parser: IDL -> NDR -> { ndr_parser, ndr_header, eparser, etc } This makes the ndr_parser.pm internals much more sane. Other changes include: - Remove unnecessary calls with NDR_BUFFERS (for example, GUID doesn't have any buffers, just scalars) as well as some (unnecessary) nested setting of flags. - Parse array loops in the C code rather than calling ndr_pull_array(). This allows us to have, for example, arrays of pointers or arrays of pointers to arrays, etc.. - Use if() {} rather than if () goto foo; everywhere - NDR_IN no longer implies LIBNDR_FLAG_REF_ALLOC - By default, top level pointers are now "ref" (as is the default in most other IDL compilers). This can be overridden using the default_pointer_top() property. - initial work on new ethereal parser generators by Alan DeKok and me - pidl now writes errors in the standard format used by compilers, which is parsable by most editors - ability to warn about the fact that pidl extension(s) have been used, useful for making sure IDL files work with other IDL compilers. oh, and there's probably some other things I can't think of right now.. (This used to be commit 13cf227615f6b9e0e5fa62e59197024410254f01) | Jelmer Vernooij | 1 | -0/+1
2007-10-10 | r6544: Use common structures between SAMR, NETLOGON and the Krb5 PAC. Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c) | Andrew Bartlett | 1 | -2/+1
2007-10-10 | r5661: Be a little stricter on syntax regarding arrays. A pointer to an array can now only be: type *name[]; rather than: type *name; which was supported in the past. Warnings will be given when the first syntax is used. Reasons for this change in behaviour include improved readability and the fact that the second format makes dealing with multiple levels of pointers harder. (This used to be commit a416de5825c540fd3741731c4be05e9a659a6fdb) | Jelmer Vernooij | 1 | -1/+1
2007-10-10 | r4338: reuse netlogon structs in the krb5 PAC; that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191) | Stefan Metzmacher | 1 | -63/+5
2007-10-10 | r3810: create a LIB_SECURITY subsystem - move dom_sid, security_descriptor, security_* functions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596) | Stefan Metzmacher | 1 | -1/+2
2007-10-10 | r3572: Thanks to tridge for his patience with my build breakage. This concludes the proper fixes. Andrew Bartlett (This used to be commit c1d025793f2994c8f1cab304c3394ab186654071) | Andrew Bartlett | 1 | -1/+1
2007-10-10 | r3511: the PAC used 8-byte alignment metze (This used to be commit 08b26ed7ec41f0575da79858ccd0bf0f9a27b2b2) | Stefan Metzmacher | 1 | -3/+1
2007-10-10 | r3283: converted to quoted uuid() defines in all our IDL. This should help the build on systems like solaris with the SunPRO compiler (This used to be commit fe913ad11bf1c5e9fe04ed769a93b0ea16aa0a34) | Andrew Tridgell | 1 | -1/+1
2007-10-10 | r3113: make us able to generate the PAC with the same align as a MS KDC (we should fix pidl to handle NDR_ALIGN8 correct as a real fix for this problem) metze (This used to be commit ab7a26a95052cfd8bac1d03b534b5b516b409f61) | Stefan Metzmacher | 1 | -1/+3
2007-10-10 | r1849: use LIBNDR_STRING_BYTESIZE here metze (This used to be commit 6e6bfd6dd290b5e1cd3e90ebf20cd2207f94342e) | Stefan Metzmacher | 1 | -2/+1
2007-10-10 | r1790: a few updates on krb5 PAC... metze (This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79) | Stefan Metzmacher | 1 | -4/+4
2007-10-10 | r1770: here's the krb5 server code, there're some cleanups needed and we need to verify the PAC correctly and create the auth_session_info correctly... metze (This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4) | Stefan Metzmacher | 1 | -9/+9
2007-10-10 | r1679: fix add the extrasids and resource group array in the EXTRA_SIDS idl isn't verified to be correct yet metze (This used to be commit 43fd611593af030a3d86d2640be6b1de959939c7) | Stefan Metzmacher | 1 | -5/+12
2007-10-10 | r1673: using the new [relative] pidl handling, the PAC decode is now much closer (This used to be commit c33bf6f935025b5623f21cca50664ba70f886b49) | Andrew Tridgell | 1 | -54/+17
2007-10-10 | r1558: the unknown_time is the same as the logon_time in the PAC_LOGON_INFO; the account_name is a 'nstring' metze (This used to be commit bb906e5e9e566e7ed931436956ba8323503875f9) | Stefan Metzmacher | 1 | -3/+3
2007-10-10 | r1552: commit the first version of the pidl generated krb5 PAC parser NOTE: there is a lot of work to do, maybe we need to extend pidl metze (This used to be commit b94a09d461291d9dd47c5859537d6025f02a80ff) | Stefan Metzmacher | 1 | -0/+153