author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-12-02 10:49:20 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-02-08 00:03:39 +0000 |
commit | e3fdb2d00152d86558a2ba29b92fd36440055461 (patch) | |
tree | 185f5cf6fa8b9c065116c9a18a71b5b118aff7a8 /librpc | |
parent | 14d94460ca1ef22269373f36ec50df248aca9465 (diff) | |
s4:kdc: Add resource SID compression
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.
In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/idl/auth.idl | 16 | ||||
-rw-r--r-- | librpc/idl/netlogon.idl | 1 |
2 files changed, 13 insertions, 4 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index a6b4a118be2..351a2fcfb18 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -100,12 +100,20 @@ interface auth
 } ticket_type;
 /*
- * Used to indicate whether or not to include resource groups in the
- * formation of SamInfo or a PAC.
+ * Used to indicate whether or not to include or disregard resource
+ * groups when forming a SamInfo structure, user_info_dc structure, or
+ * PAC, and whether or not to compress them when forming a PAC.
+ *
+ * When producing a TGT, existing resource groups are always copied
+ * unmodified into the PAC. When producing a service ticket, existing
+ * resource groups and resource groups in other domains are always
+ * discarded.
 */
 typedef enum {
- AUTH_INCLUDE_RESOURCE_GROUPS = 0,
- AUTH_EXCLUDE_RESOURCE_GROUPS = 1
+ AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to be handled. */
+ AUTH_INCLUDE_RESOURCE_GROUPS = 2,
+ AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
+ AUTH_EXCLUDE_RESOURCE_GROUPS = 4
 } auth_group_inclusion;
 typedef [public] struct {
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index e563e114900..c6231c41aee 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -20,6 +20,7 @@ cpp_quote("#define ENC_HMAC_SHA1_96_AES256_SK KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_
 cpp_quote("#define ENC_FAST_SUPPORTED KERB_ENCTYPE_FAST_SUPPORTED")
 cpp_quote("#define ENC_COMPOUND_IDENTITY_SUPPORTED KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED")
 cpp_quote("#define ENC_CLAIMS_SUPPORTED KERB_ENCTYPE_CLAIMS_SUPPORTED")
+cpp_quote("#define ENC_RESOURCE_SID_COMPRESSION_DISABLED KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED")
 cpp_quote("#define NETLOGON_SERVER_PIPE_STATE_MAGIC 0x4f555358")
 [ |
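Review bot: The renumbering of `auth_group_inclusion` in the auth.idl hunk is explained only by the short comment on `AUTH_GROUP_INCLUSION_INVALID`. It does not say why the value 1 is skipped, or why `AUTH_INCLUDE_RESOURCE_GROUPS` moves from 0 to 2. Because this value decides which group SIDs are placed in a PAC, the block comment should state the intent, for example `0 is reserved so that an unset or zero-initialised value is rejected instead of meaning "include"`. If 1 is left unused so that an old boolean-style value also fails, say that as well. A short comment per value would also help, since `AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED` presumably corresponds to the resource groups structure in PAC_LOGON_INFO mentioned in the commit message. The code that consumes the enum is outside this diff (limited to 'librpc'), so it is worth confirming there that every switch on it fails closed for 0 and for unknown values.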