From b789ff950f054ede2ef1dfaf94f8ddff062c092b Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Mon, 20 Oct 2008 15:50:07 +1100
Subject: LSA Patch for User Manager

New (major) patch
=================

- Enhances the "lsa.idl" file in the sense that it adds more values to "PolicyInformation" to improve the "lsa_QueryInfoPolicy*" calls.
- Adds a minimal implementation for "AuditEvents" (also lsa_QueryInfoPolicy* calls) to enable the "Audit" option in the "User Manager for Domains" (at least readable).
- Adds to the "lsa.idl" file the system access mode flags needed for the calls "lsa_*SystemAccessAccount".
- Fill in the "lsa_GetSystemAccessAccount" for enabling the "User Rights" option in the "User Manager for Domains" (at least readable).
- Merge the two similar torture tests of the "lsa_QueryInfoPolicy*" calls in one using "if"'s for a few separations.
- Add a torture test for "lsa_GetSystemAccessAccount".
- Some cosmetic-only changes (unifications) in output strings in the "LSA" torture test.

The work has been done using the Microsoft WSPP docs.

Signed-off-by: Andrew Bartlett
---
 source4/librpc/idl/lsa.idl | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

(limited to 'source4/librpc')

diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index dd9791d894..8745385a10 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -263,11 +263,12 @@ import "misc.idl", "security.idl";
 LSA_POLICY_INFO_ROLE=6,
 LSA_POLICY_INFO_REPLICA=7,
 LSA_POLICY_INFO_QUOTA=8,
- LSA_POLICY_INFO_DB=9,
+ LSA_POLICY_INFO_MOD=9,
 LSA_POLICY_INFO_AUDIT_FULL_SET=10,
 LSA_POLICY_INFO_AUDIT_FULL_QUERY=11,
 LSA_POLICY_INFO_DNS=12,
- LSA_POLICY_INFO_DNS_INT=13
+ LSA_POLICY_INFO_DNS_INT=13,
+ LSA_POLICY_INFO_L_ACCOUNT_DOMAIN=14
 } lsa_PolicyInfo;
 typedef [switch_type(uint16)] union {
@@ -279,11 +280,12 @@ import "misc.idl", "security.idl";
 [case(LSA_POLICY_INFO_ROLE)] lsa_ServerRole role;
 [case(LSA_POLICY_INFO_REPLICA)] lsa_ReplicaSourceInfo replica;
 [case(LSA_POLICY_INFO_QUOTA)] lsa_DefaultQuotaInfo quota;
- [case(LSA_POLICY_INFO_DB)] lsa_ModificationInfo db;
+ [case(LSA_POLICY_INFO_MOD)] lsa_ModificationInfo mod;
 [case(LSA_POLICY_INFO_AUDIT_FULL_SET)] lsa_AuditFullSetInfo auditfullset;
 [case(LSA_POLICY_INFO_AUDIT_FULL_QUERY)] lsa_AuditFullQueryInfo auditfullquery;
 [case(LSA_POLICY_INFO_DNS)] lsa_DnsDomainInfo dns;
 [case(LSA_POLICY_INFO_DNS_INT)] lsa_DnsDomainInfo dns;
+ [case(LSA_POLICY_INFO_L_ACCOUNT_DOMAIN)] lsa_DomainInfo l_account_domain;
 } lsa_PolicyInformation;
 NTSTATUS lsa_QueryInfoPolicy (
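Review bot: The new union arm `[case(LSA_POLICY_INFO_L_ACCOUNT_DOMAIN)] lsa_DomainInfo l_account_domain;` has no comment saying what distinguishes it from the account-domain arm that presumably precedes this hunk, and the commit message does not list a server implementation for this info class (only AuditEvents and GetSystemAccessAccount are filled in). I would add `/* class 14: the local account domain; same shape as the account-domain arm, distinct info level */` above the arm, hedging the MS-LSAD name until checked against the WSPP text the commit cites. Since level 14 is now a known switch value, the `lsa_QueryInfoPolicy` server handler (outside this file) should be confirmed to return NT_STATUS_INVALID_INFO_CLASS for it rather than marshalling an unfilled `lsa_DomainInfo`. The `lsa_PolicyInformation` union starts before this hunk.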
@@ -512,23 +514,39 @@ import "misc.idl", "security.idl";
 /* Function: 0x16 */
 [todo] NTSTATUS lsa_SetQuotasForAccount();
 
+ typedef [bitmap32bit] bitmap {
+ LSA_POLICY_MODE_INTERACTIVE = 0x00000001,
+ LSA_POLICY_MODE_NETWORK = 0x00000002,
+ LSA_POLICY_MODE_BATCH = 0x00000004,
+ LSA_POLICY_MODE_SERVICE = 0x00000010,
+ LSA_POLICY_MODE_PROXY = 0x00000020,
+ LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040,
+ LSA_POLICY_MODE_DENY_NETWORK = 0x00000080,
+ LSA_POLICY_MODE_DENY_BATCH = 0x00000100,
+ LSA_POLICY_MODE_DENY_SERVICE = 0x00000200,
+ LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400,
+ LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
+ LSA_POLICY_MODE_ALL = 0x00000FF7,
+ LSA_POLICY_MODE_ALL_NT4 = 0x00000037
+ } lsa_SystemAccessModeFlags;
+
 /* Function: 0x17 */
 NTSTATUS lsa_GetSystemAccessAccount(
- [in] policy_handle *handle,
+ [in] policy_handle *handle,
 [out,ref] uint32 *access_mask
 );
 /* Function: 0x18 */
 NTSTATUS lsa_SetSystemAccessAccount(
- [in] policy_handle *handle,
- [in] uint32 access_mask
+ [in] policy_handle *handle,
+ [in] uint32 access_mask
 );
 /* Function: 0x19 */
 NTSTATUS lsa_OpenTrustedDomain(
 [in] policy_handle *handle,
 [in] dom_sid2 *sid,
- [in] uint32 access_mask,
+ [in] uint32 access_mask,
 [out] policy_handle *trustdom_handle
 );
-- cgit
From fc8fadf1e93cffcf36bd56ba02894804018b9972 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Mon, 20 Oct 2008 11:11:19 +0200
Subject: idl: finally share krb5_pac.idl.

Guenther
---
 source4/librpc/idl/krb5pac.idl | 130 -----------------------------------------
 1 file changed, 130 deletions(-)
 delete mode 100644 source4/librpc/idl/krb5pac.idl

(limited to 'source4/librpc')

diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
deleted file mode 100644
index bddba04165..0000000000
--- a/source4/librpc/idl/krb5pac.idl
+++ /dev/null
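Review bot: `lsa_SystemAccessModeFlags` is introduced immediately above `lsa_GetSystemAccessAccount` and `lsa_SetSystemAccessAccount`, yet both still declare `access_mask` as a bare `uint32`, so neither the generated C types nor the NDR debug output record that this field is the logon-rights bitmap and not a security access mask like the one on `lsa_OpenTrustedDomain` lower in the hunk. I would type the parameters with the new bitmap, `[out,ref] lsa_SystemAccessModeFlags *access_mask` and `[in] lsa_SystemAccessModeFlags access_mask`; a `bitmap32bit` should still be emitted as a 32-bit integer so existing C callers ought to be unaffected, which the torture test this commit adds can confirm. Because these bits grant or deny interactive, network, batch, service and remote-interactive logon, the server-side `lsa_SetSystemAccessAccount` handler (not in this file) should reject any bit outside `LSA_POLICY_MODE_ALL` and presumably require the account handle to have been opened with the right to adjust system access, neither of which the IDL can express. A comment on the bitmap such as `/* logon rights carried by lsa_*SystemAccessAccount; LSA_POLICY_MODE_ALL is the full set of defined bits, ALL_NT4 the pre-W2K subset */` would make that contract visible to whoever implements the setter. The blank-line and whitespace-only changes on the `[in]` parameters are cosmetic.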
@@ -1,130 +0,0 @@
-/*
- krb5 PAC
-*/
-
-#include "idl_types.h"
-
-import "security.idl", "netlogon.idl", "samr.idl";
-
-[
- uuid("12345778-1234-abcd-0000-00000000"),
- version(0.0),
- pointer_default(unique),
- helpstring("Active Directory KRB5 PAC")
-]
-interface krb5pac
-{
- typedef struct {
- NTTIME logon_time;
- [value(2*strlen_m(account_name))] uint16 size;
- [charset(UTF16)] uint8 account_name[size];
- } PAC_LOGON_NAME;
-
- typedef [public,flag(NDR_PAHEX)] struct {
- uint32 type;
- [flag(NDR_REMAINING)] DATA_BLOB signature;
- } PAC_SIGNATURE_DATA;
-
- typedef [gensize] struct {
- netr_SamInfo3 info3;
- dom_sid2 *res_group_dom_sid;
- samr_RidWithAttributeArray res_groups;
- } PAC_LOGON_INFO;
-
- typedef struct {
- [value(2*strlen_m(upn_name))] uint16 upn_size;
- uint16 upn_offset;
- [value(2*strlen_m(domain_name))] uint16 domain_size;
- uint16 domain_offset;
- uint16 unknown3; /* 0x01 */
- uint16 unknown4;
- uint32 unknown5;
- [charset(UTF16)] uint8 upn_name[upn_size+2];
- [charset(UTF16)] uint8 domain_name[domain_size+2];
- uint32 unknown6; /* padding */
- } PAC_UNKNOWN_12;
-
- typedef [public] struct {
- PAC_LOGON_INFO *info;
- } PAC_LOGON_INFO_CTR;
-
- typedef [public,v1_enum] enum {
- PAC_TYPE_LOGON_INFO = 1,
- PAC_TYPE_SRV_CHECKSUM = 6,
- PAC_TYPE_KDC_CHECKSUM = 7,
- PAC_TYPE_LOGON_NAME = 10,
- PAC_TYPE_CONSTRAINED_DELEGATION = 11,
- PAC_TYPE_UNKNOWN_12 = 12
- } PAC_TYPE;
-
- typedef struct {
- [flag(NDR_REMAINING)] DATA_BLOB remaining;
- } DATA_BLOB_REM;
-
- typedef [public,nodiscriminant,gensize] union {
- [case(PAC_TYPE_LOGON_INFO)][subcontext(0xFFFFFC01)] PAC_LOGON_INFO_CTR logon_info;
- [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
- [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
- [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name;
- /* when new PAC info types are added they are supposed to be done
- in such a way that they are backwards compatible with existing
- servers.
This makes it safe to just use a [default] for
- unknown types, which lets us ignore the data */
- [default] [subcontext(0)] DATA_BLOB_REM unknown;
- /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */
- } PAC_INFO;
-
- typedef [public,nopush,nopull,noprint] struct {
- PAC_TYPE type;
- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
- [relative,switch_is(type),subcontext(0),subcontext_size(_subcontext_size_PAC_INFO(r, ndr->flags)),flag(NDR_ALIGN8)] PAC_INFO *info;
- [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
- } PAC_BUFFER;
-
- typedef [public] struct {
- uint32 num_buffers;
- uint32 version;
- PAC_BUFFER buffers[num_buffers];
- } PAC_DATA;
-
- typedef [public] struct {
- PAC_TYPE type;
- uint32 ndr_size;
- [relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info;
- [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
- } PAC_BUFFER_RAW;
-
- typedef [public] struct {
- uint32 num_buffers;
- uint32 version;
- PAC_BUFFER_RAW buffers[num_buffers];
- } PAC_DATA_RAW;
-
- const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3;
-
- typedef [public] struct {
- [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
- uint32 ChecksumLength;
- int32 SignatureType;
- uint32 SignatureLength;
- [flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature;
- } PAC_Validate;
-
- void decode_pac(
- [in] PAC_DATA pac
- );
-
- void decode_pac_raw(
- [in] PAC_DATA_RAW pac
- );
-
- void decode_login_info(
- [in] PAC_LOGON_INFO logon_info
- );
-
- void decode_pac_validate(
- [in] PAC_Validate pac_validate
- );
-
-
-}
-- cgit