Implement NETLOGON PAC verfication on the server-side

This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.

Andrew Bartlett

2 files changed, 18 insertions, 1 deletions

diff --git a/source/librpc/idl/irpc.idl b/source/librpc/idl/irpc.idl
index 2c659aa7850..e3ea7e55e1a 100644
--- a/source/librpc/idl/irpc.idl
+++ b/source/librpc/idl/irpc.idl
@@ -52,6 +52,9 @@ import "misc.idl", "security.idl", "nbt.idl";
 		[out,switch_is(level)] nbtd_info info
 		);
 
+	/* Send a GetDCName from the privilaged port (owned by nbtd),
+	 * and await a reply */
+
 	void nbtd_getdcname(
 		[in] astring domainname,
 		[in] astring ip_address,
@@ -78,6 +81,20 @@ import "misc.idl", "security.idl", "nbt.idl";
 		[in] nbtd_proxy_wins_addr addrs[num_addrs]
 		);
 
+	/*
+	  Generic Kerberos package call (on the NETLOGON pipe, as a SamLogon)
+
+	  The normal use for this call is to check the PAC signature in the KDC
+	  
+	  The KDC has the routines to check this, so it is easier to
+	  proxy the request over by IRPC than set up the environment
+	 */
+
+	void kdc_check_generic_kerberos(
+		[in] DATA_BLOB generic_request,
+		[out] DATA_BLOB generic_reply
+		);
+
 	/******************************************************
          management calls for the smb server
 	******************************************************/
diff --git a/source/librpc/idl/krb5pac.idl b/source/librpc/idl/krb5pac.idl
index dcee280150d..bddba041651 100644
--- a/source/librpc/idl/krb5pac.idl
+++ b/source/librpc/idl/krb5pac.idl
@@ -105,7 +105,7 @@ interface krb5pac
 	typedef [public] struct {
 		[value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
 		uint32 ChecksumLength;
-		uint32 SignatureType;
+		int32 SignatureType;
 		uint32 SignatureLength;
 		[flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature;
 	} PAC_Validate;