#include "idl_types.h" /* schannel structures */ import "netlogon.idl", "nbt.idl", "misc.idl", "security.idl"; [ pointer_default(unique), helper("../librpc/ndr/ndr_schannel.h", "../librpc/ndr/ndr_nbt.h") ] interface schannel { /* this structure is used internally in the NETLOGON server */ typedef [flag(NDR_PAHEX)] struct { /* * These were only used on the server part * with a single dom_sid for the client_sid. * * On the server we use CLEAR_IF_FIRST, * so db layout changes don't matter there, * but on the client side we need to handle * the ctdb case were CLEAR_IF_FIRST only * works if all cluster nodes are restarted. * * As this was a single dom_sid before, * we add some magic in order to let * old code (on other nodes to parse the new layout). * * We have basically this definition of dom_sid: * * typedef struct { * uint8 sid_rev_num; * [range(0,15)] int8 num_auths; * uint8 id_auth[6]; * uint32 sub_auths[num_auths]; * } dom_sid; * * It means it consumes at least 8 bytes while * and it's also 4 byte aligned (before sid_rev_num). * The largest sid would have 68 bytes. * * The old client side code would see a sid like * this: S-1-RSV-CRF-ATL-ATH-257-0-RID * * RSV => reserved (the last 4 bytes of id_auth) * * CRF => client_requested_flags (sub_auths[0] * * Note NTTIME used ndr_pull_udlong, it's not NTTIME_hyper! * ATL => low 4 bytes of auth_time (sub_auths[1]) * ATH => high 4 bytes of auth_time (sub_auths[2]) * * From client_sid (S-1-0-RID): sub_auth[3-5] * * 257 => 0x01 0x01 0x00 0x00 = * (sid_rev_num = 1, num_auths =1, * id_auth[0] = 0, id_auth[1] = 0) * 0 => id_auth[2-6] * * RID => the RID of the client * * It means the magic needs to simulate * num_auths = 6 */ [value(0x00000601)] uint32 magic; [value(0)] uint32 reserved; netr_NegotiateFlags client_requested_flags; NTTIME auth_time; dom_sid client_sid; } netlogon_creds_CredentialState_extra_info; typedef [public,flag(NDR_PAHEX)] struct { netr_NegotiateFlags negotiate_flags; uint8 session_key[16]; uint32 sequence; netr_Credential seed; netr_Credential client; netr_Credential server; netr_SchannelType secure_channel_type; [string,charset(UTF8)] uint8 computer_name[]; [string,charset(UTF8)] uint8 account_name[]; netlogon_creds_CredentialState_extra_info *ex; } netlogon_creds_CredentialState; typedef [public,flag(NDR_PAHEX)] struct { netr_NegotiateFlags negotiate_flags; uint8 session_key[16]; uint32 sequence; netr_Credential seed; netr_Credential client; netr_Credential server; netr_SchannelType secure_channel_type; [string,charset(UTF8)] uint8 computer_name[]; [string,charset(UTF8)] uint8 account_name[]; dom_sid *sid; } netlogon_creds_CredentialState_legacy; /* This is used in the schannel_store.tdb */ typedef [public] struct { [string,charset(UTF16)] uint16 *computer_name; netr_Credential server_challenge; netr_Credential client_challenge; } netlogon_cache_entry; /* MS-NRPC 2.2.1.3.1 NL_AUTH_MESSAGE */ typedef [v1_enum] enum { NL_NEGOTIATE_REQUEST = 0x00000000, NL_NEGOTIATE_RESPONSE = 0x00000001 } NL_AUTH_MESSAGE_TYPE; typedef [bitmap32bit] bitmap { NL_FLAG_OEM_NETBIOS_DOMAIN_NAME = 0x00000001, NL_FLAG_OEM_NETBIOS_COMPUTER_NAME = 0x00000002, NL_FLAG_UTF8_DNS_DOMAIN_NAME = 0x00000004, NL_FLAG_UTF8_DNS_HOST_NAME = 0x00000008, NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME = 0x00000010 } NL_AUTH_MESSAGE_FLAGS; typedef [public,nodiscriminant,noprint] union { [case (NL_FLAG_OEM_NETBIOS_DOMAIN_NAME)] astring a; [case (NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)] astring a; [case (NL_FLAG_UTF8_DNS_DOMAIN_NAME)] nbt_string u; [case (NL_FLAG_UTF8_DNS_HOST_NAME)] nbt_string u; [case (NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME)] nbt_string u; [default] ; } NL_AUTH_MESSAGE_BUFFER; typedef [public,nodiscriminant,noprint] union { [case (NL_NEGOTIATE_RESPONSE)] uint32 dummy; [default] ; } NL_AUTH_MESSAGE_BUFFER_REPLY; typedef [public,flag(NDR_PAHEX)] struct { NL_AUTH_MESSAGE_TYPE MessageType; NL_AUTH_MESSAGE_FLAGS Flags; [switch_is(Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME)] NL_AUTH_MESSAGE_BUFFER oem_netbios_domain; [switch_is(Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)] NL_AUTH_MESSAGE_BUFFER oem_netbios_computer; [switch_is(Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME)] NL_AUTH_MESSAGE_BUFFER utf8_dns_domain; [switch_is(Flags & NL_FLAG_UTF8_DNS_HOST_NAME)] NL_AUTH_MESSAGE_BUFFER utf8_dns_host; [switch_is(Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME)] NL_AUTH_MESSAGE_BUFFER utf8_netbios_computer; [switch_is(MessageType & NL_NEGOTIATE_RESPONSE)] NL_AUTH_MESSAGE_BUFFER_REPLY Buffer; } NL_AUTH_MESSAGE; /* MS-NRPC 2.2.1.3.2 NL_AUTH_SIGNATURE */ typedef enum { NL_SIGN_HMAC_SHA256 = 0x0013, NL_SIGN_HMAC_MD5 = 0x0077 } NL_SIGNATURE_ALGORITHM; typedef enum { NL_SEAL_AES128 = 0x001A, NL_SEAL_RC4 = 0x007A, NL_SEAL_NONE = 0xFFFF } NL_SEAL_ALGORITHM; typedef [public,flag(NDR_PAHEX)] struct { [value(NL_SIGN_HMAC_MD5)] NL_SIGNATURE_ALGORITHM SignatureAlgorithm; NL_SEAL_ALGORITHM SealAlgorithm; uint16 Pad; uint16 Flags; uint8 SequenceNumber[8]; uint8 Checksum[8]; uint8 Confounder[8]; } NL_AUTH_SIGNATURE; const int NL_AUTH_SIGNATURE_SIZE = 0x20; /* MS-NRPC 2.2.1.3.3 NL_AUTH_SHA2_SIGNATURE */ typedef [public,flag(NDR_PAHEX)] struct { [value(NL_SIGN_HMAC_SHA256)] NL_SIGNATURE_ALGORITHM SignatureAlgorithm; NL_SEAL_ALGORITHM SealAlgorithm; uint16 Pad; uint16 Flags; uint8 SequenceNumber[8]; uint8 Checksum[32]; uint8 Confounder[8]; } NL_AUTH_SHA2_SIGNATURE; }