3 import "drsuapi.idl", "misc.idl", "samr.idl", "lsa.idl", "security.idl";
6 uuid("12345778-1234-abcd-0001-00000001"),
8 pointer_default(unique),
9 helper("../librpc/ndr/ndr_drsblobs.h"),
10 helpstring("Active Directory Replication LDAP Blobs")
13 typedef bitmap drsuapi_DrsOptions drsuapi_DrsOptions;
14 typedef [v1_enum] enum drsuapi_DsAttributeId drsuapi_DsAttributeId;
15 typedef [v1_enum] enum lsa_TrustAuthType lsa_TrustAuthType;
17 * replPropertyMetaData
22 * MS-DRSR 4.1.10.2.22 PROPERTY_META_DATA
24 typedef [public] struct {
25 drsuapi_DsAttributeId attid;
27 NTTIME_1sec originating_change_time;
28 GUID originating_invocation_id;
29 hyper originating_usn;
31 } replPropertyMetaData1;
35 [value(0)] uint32 reserved;
36 replPropertyMetaData1 array[count];
37 } replPropertyMetaDataCtr1;
39 typedef [nodiscriminant] union {
40 [case(1)] replPropertyMetaDataCtr1 ctr1;
41 } replPropertyMetaDataCtr;
43 typedef [public] struct {
45 [value(0)] uint32 reserved;
46 [switch_is(version)] replPropertyMetaDataCtr ctr;
47 } replPropertyMetaDataBlob;
56 [value(0)] uint32 reserved;
57 drsuapi_DsReplicaCursor cursors[count];
58 } replUpToDateVectorCtr1;
62 [value(0)] uint32 reserved;
63 drsuapi_DsReplicaCursor2 cursors[count];
64 } replUpToDateVectorCtr2;
66 typedef [nodiscriminant] union {
67 [case(1)] replUpToDateVectorCtr1 ctr1;
68 [case(2)] replUpToDateVectorCtr2 ctr2;
69 } replUpToDateVectorCtr;
71 typedef [public] struct {
73 [value(0)] uint32 reserved;
74 [switch_is(version)] replUpToDateVectorCtr ctr;
75 } replUpToDateVectorBlob;
83 typedef [public,gensize] struct {
84 [value(strlen(dns_name)+1)] uint32 __dns_name_size;
85 [charset(DOS)] uint8 dns_name[__dns_name_size];
86 } repsFromTo1OtherInfo;
88 typedef [public,gensize,flag(NDR_PAHEX)] struct {
89 /* this includes the 8 bytes of the repsFromToBlob header */
90 [value(ndr_size_repsFromTo1(this, ndr->flags)+8)] uint32 blobsize;
91 uint32 consecutive_sync_failures;
92 NTTIME_1sec last_success;
93 NTTIME_1sec last_attempt;
94 WERROR result_last_attempt;
95 [relative] repsFromTo1OtherInfo *other_info;
96 [value(ndr_size_repsFromTo1OtherInfo(other_info, ndr->flags))] uint32 other_info_length;
97 drsuapi_DrsOptions replica_flags;
99 [value(0)] uint32 reserved;
100 drsuapi_DsReplicaHighWaterMark highwatermark;
101 GUID source_dsa_obj_guid; /* the 'objectGuid' field of the CN=NTDS Settings object */
102 GUID source_dsa_invocation_id; /* the 'invocationId' field of the CN=NTDS Settings object */
106 typedef [public,relative_base,gensize] struct {
107 [value(ndr_size_repsFromTo2OtherInfo(this,ndr->flags))]
109 [relative] nstring *dns_name1;
111 [relative] nstring *dns_name2;
113 } repsFromTo2OtherInfo;
115 typedef [public,gensize,flag(NDR_PAHEX)] struct {
116 /* this includes the 8 bytes of the repsFromToBlob header */
117 [value(ndr_size_repsFromTo2(this, ndr->flags)+8)] uint32 blobsize;
118 uint32 consecutive_sync_failures;
119 NTTIME_1sec last_success;
120 NTTIME_1sec last_attempt;
121 WERROR result_last_attempt;
122 [relative] repsFromTo2OtherInfo *other_info;
123 [value(ndr_size_repsFromTo2OtherInfo(other_info, ndr->flags))] uint32 other_info_length;
124 drsuapi_DrsOptions replica_flags;
126 [value(0)] uint32 reserved;
127 drsuapi_DsReplicaHighWaterMark highwatermark;
128 GUID source_dsa_obj_guid; /* the 'objectGuid' field of the CN=NTDS Settings object */
129 GUID source_dsa_invocation_id; /* the 'invocationId' field of the CN=NTDS Settings object */
134 typedef [nodiscriminant] union {
135 [case(1)] repsFromTo1 ctr1;
136 [case(2)] repsFromTo2 ctr2;
139 typedef [public] struct {
141 [value(0)] uint32 reserved;
142 [switch_is(version)] repsFromTo ctr;
145 /* Replication schedule structures as defined in MS-ADTS 7.1.4.5
146 * Appears as attribute of NTDSConnection object
148 typedef [public] struct {
149 [value(0)] uint32 type; /* always 0 */
153 typedef [public] struct {
157 typedef [public] struct {
159 [value(0)] uint32 bandwidth; /* ignored */
160 uint32 numberOfSchedules; /* typically 1 */
161 scheduleHeader headerArray[numberOfSchedules];
162 scheduleSlots dataArray[numberOfSchedules];
166 * partialAttributeSet
168 * w2k3 uses version 1
172 drsuapi_DsAttributeId array[count];
173 } partialAttributeSetCtr1;
175 typedef [nodiscriminant] union {
176 [case(1)] partialAttributeSetCtr1 ctr1;
177 } partialAttributeSetCtr;
179 typedef [public] struct {
181 [value(0)] uint32 reserved;
182 [switch_is(version)] partialAttributeSetCtr ctr;
183 } partialAttributeSetBlob;
186 * schemaInfo attribute
188 * Used as an attribute on Schema.
189 * Also during replication as part of
190 * prefixMap to identify what revision
191 * of Schema source DC has
193 typedef [public,flag(NDR_NOALIGN)] struct {
194 [value(0xFF)] uint8 marker;
195 [flag(NDR_BIG_ENDIAN)] uint32 revision;
201 * MS w2k3 and w2k8 prefixMap format
202 * There is no version number. Format is:
203 * uint32 - number of entries in the map
204 * uint32 - total bytes that structure occupies
206 * uint16 - prefix ID (OID's last sub-id encoded. see prefixMap)
207 * uint16 - number of bytes in prefix N
208 * uint8[N] - BER encoded prefix
210 typedef [noprint,flag(NDR_NOALIGN)] struct {
213 uint8 binary_oid[length];
214 } drsuapi_MSPrefixMap_Entry;
216 typedef [public,gensize] struct {
218 [value(ndr_size_drsuapi_MSPrefixMap_Ctr(r, ndr->flags))] uint32 __ndr_size;
219 drsuapi_MSPrefixMap_Entry entries[num_entries];
220 } drsuapi_MSPrefixMap_Ctr;
226 * samba4 uses 0x44534442 'DSDB'
228 * as we windows don't return the prefixMap attribute when you ask for
229 * we don't know the format, but the attribute is not replicated
230 * so that we can choose our own format...
232 typedef [v1_enum] enum {
233 PREFIX_MAP_VERSION_DSDB = 0x44534442
236 typedef [nodiscriminant] union {
237 [case(PREFIX_MAP_VERSION_DSDB)] drsuapi_DsReplicaOIDMapping_Ctr dsdb;
240 typedef [public] struct {
241 prefixMapVersion version;
242 [value(0)] uint32 reserved;
243 [switch_is(version)] prefixMapCtr ctr;
247 * the cookie for the LDAP dirsync control
249 typedef [nodiscriminant,gensize] union {
251 [default] replUpToDateVectorBlob uptodateness_vector;
252 } ldapControlDirSyncExtra;
255 [value(3)] uint32 u1;
259 [value(ndr_size_ldapControlDirSyncExtra(&extra, extra.uptodateness_vector.version, 0))]
261 drsuapi_DsReplicaHighWaterMark highwatermark;
263 [switch_is(extra_length)] ldapControlDirSyncExtra extra;
264 } ldapControlDirSyncBlob;
266 typedef [public,relative_base] struct {
267 [charset(DOS),value("MSDS")] uint8 msds[4];
268 [subcontext(0)] ldapControlDirSyncBlob blob;
269 } ldapControlDirSyncCookie;
271 typedef [public] struct {
272 [value(2*strlen_m(name))] uint16 name_len;
273 [value(strlen(data))] uint16 data_len;
274 uint16 reserved; /* 2 for 'Packages', 1 for 'Primary:*', but should be ignored */
275 [charset(UTF16)] uint8 name[name_len];
277 * the data field contains data as HEX strings
280 * data contains the list of packages
281 * as non termiated UTF16 strings with
282 * a UTF16 NULL byte as separator
284 * 'Primary:Kerberos-Newer-Keys':
287 * 'Primary:Kerberos':
293 * 'Primary:CLEARTEXT':
294 * data contains the cleartext password
295 * as UTF16 string encoded as HEX string
297 * 'Primary:userPassword':
300 * 'Primary:SambaGPG':
303 * 'Primary:NTLM-Strong-NTOWF':
304 * ... Not yet implemented.
307 [charset(DOS)] uint8 data[data_len];
308 } supplementalCredentialsPackage;
310 /* this are 0x30 (48) whitespaces (0x20) */
311 const string SUPPLEMENTAL_CREDENTIALS_PREFIX = " ";
313 typedef [flag(NDR_PAHEX),public] enum {
314 SUPPLEMENTAL_CREDENTIALS_SIGNATURE = 0x0050
315 } supplementalCredentialsSignature;
317 typedef [gensize,nopush,nopull] struct {
318 [value(SUPPLEMENTAL_CREDENTIALS_PREFIX),charset(UTF16)] uint16 prefix[0x30];
319 [value(SUPPLEMENTAL_CREDENTIALS_SIGNATURE)] supplementalCredentialsSignature signature;
321 supplementalCredentialsPackage packages[num_packages];
322 } supplementalCredentialsSubBlob;
324 typedef [public] struct {
325 [value(0)] uint32 unknown1;
326 [value(ndr_size_supplementalCredentialsSubBlob(&sub, ndr->flags))] uint32 __ndr_size;
327 [value(0)] uint32 unknown2;
328 [subcontext(0),subcontext_size(__ndr_size)] supplementalCredentialsSubBlob sub;
329 [value(0)] uint8 unknown3;
330 } supplementalCredentialsBlob;
332 typedef [public] struct {
333 [flag(STR_NOTERM|NDR_REMAINING)] string_array names;
334 } package_PackagesBlob;
337 [value(2*strlen_m(string))] uint16 length;
338 [value(2*strlen_m(string))] uint16 size;
339 [relative,subcontext(0),subcontext_size(size),flag(STR_NOTERM|NDR_REMAINING)] string *string;
340 } package_PrimaryKerberosString;
343 [value(0)] uint16 reserved1;
344 [value(0)] uint16 reserved2;
345 [value(0)] uint32 reserved3;
347 [value((value?value->length:0))] uint32 value_len;
348 [relative,subcontext(0),subcontext_size(value_len),flag(NDR_REMAINING)] DATA_BLOB *value;
349 } package_PrimaryKerberosKey3;
354 package_PrimaryKerberosString salt;
355 package_PrimaryKerberosKey3 keys[num_keys];
356 package_PrimaryKerberosKey3 old_keys[num_old_keys];
357 [value(0)] uint32 padding1;
358 [value(0)] uint32 padding2;
359 [value(0)] uint32 padding3;
360 [value(0)] uint32 padding4;
361 [value(0)] uint32 padding5;
362 } package_PrimaryKerberosCtr3;
365 [value(0)] uint16 reserved1;
366 [value(0)] uint16 reserved2;
367 [value(0)] uint32 reserved3;
368 uint32 iteration_count;
370 [value((value?value->length:0))] uint32 value_len;
371 [relative,subcontext(0),subcontext_size(value_len),flag(NDR_REMAINING)] DATA_BLOB *value;
372 } package_PrimaryKerberosKey4;
376 [value(0)] uint16 num_service_keys;
378 uint16 num_older_keys;
379 package_PrimaryKerberosString salt;
380 uint32 default_iteration_count;
381 package_PrimaryKerberosKey4 keys[num_keys];
382 package_PrimaryKerberosKey4 service_keys[num_service_keys];
383 package_PrimaryKerberosKey4 old_keys[num_old_keys];
384 package_PrimaryKerberosKey4 older_keys[num_older_keys];
385 } package_PrimaryKerberosCtr4;
387 typedef [nodiscriminant] union {
388 [case(3)] package_PrimaryKerberosCtr3 ctr3;
389 [case(4)] package_PrimaryKerberosCtr4 ctr4;
390 } package_PrimaryKerberosCtr;
392 typedef [public] struct {
394 [value(0)] uint16 flags;
395 [switch_is(version)] package_PrimaryKerberosCtr ctr;
396 } package_PrimaryKerberosBlob;
398 typedef [public] struct {
399 [flag(NDR_REMAINING)] DATA_BLOB cleartext;
400 } package_PrimaryCLEARTEXTBlob;
402 typedef [flag(NDR_PAHEX)] struct {
404 } package_PrimaryWDigestHash;
406 typedef [public] struct {
407 [value(0x31)] uint16 unknown1;
408 [value(0x01)] uint8 unknown2;
410 [value(0)] uint32 unknown3;
411 [value(0)] udlong uuknown4;
412 package_PrimaryWDigestHash hashes[num_hashes];
413 } package_PrimaryWDigestBlob;
415 typedef [public] struct {
416 [flag(NDR_REMAINING)] DATA_BLOB gpg_blob;
417 } package_PrimarySambaGPGBlob;
420 * Password hashes stored in a scheme compatible with
421 * OpenLDAP's userPassword attribute. The Package is named
422 * Primary:userPassword each calculated hash,
423 * which is typically calculated via crypt(), the scheme is stored.
424 * The scheme name and the {scheme} format is re-used from OpenLDAP's
425 * use for userPassword to aid interopability when exported.
427 * The currently supported scheme so far is {CRYPT}, which may
428 * be specified multiple times if both CryptSHA256 ($5$) and
429 * CryptSHA512 ($6$) are in use.
431 * current_nt_hash is either the unicodePwd or the
432 * NTLM-Strong-NTOWF, to allow us to prove this password is
436 [value(2*strlen_m(scheme))] uint16 scheme_len;
437 [charset(UTF16)] uint8 scheme[scheme_len];
438 [value((value?value->length:0))] uint32 value_len;
439 [relative,subcontext(0),subcontext_size(value_len),
440 flag(NDR_REMAINING)] DATA_BLOB *value;
441 } package_PrimaryUserPasswordValue;
443 typedef [public] struct {
444 samr_Password current_nt_hash;
446 package_PrimaryUserPasswordValue hashes[num_hashes];
447 } package_PrimaryUserPasswordBlob;
450 [value(0)] uint32 size;
454 [value(16)] uint32 size;
455 samr_Password password;
459 * the secret value is encoded as UTF16 if it's a string
460 * but depending the AuthType, it might also be krb5 trusts have random bytes here, so converting to UTF16
463 * TODO: We should try handle the case of a random buffer in all places
464 * we deal with cleartext passwords from windows
466 * so we don't use this:
469 * [charset(UTF16)] uint8 value[value_len];
474 uint8 password[size];
478 [value(4)] uint32 size;
482 typedef [nodiscriminant] union {
483 [case(TRUST_AUTH_TYPE_NONE)] AuthInfoNone none;
484 [case(TRUST_AUTH_TYPE_NT4OWF)] AuthInfoNT4Owf nt4owf;
485 [case(TRUST_AUTH_TYPE_CLEAR)] AuthInfoClear clear;
486 [case(TRUST_AUTH_TYPE_VERSION)] AuthInfoVersion version;
489 typedef [public] struct {
490 NTTIME LastUpdateTime;
491 lsa_TrustAuthType AuthType;
492 [switch_is(AuthType)] AuthInfo AuthInfo;
493 [flag(NDR_ALIGN4)] DATA_BLOB _pad;
494 } AuthenticationInformation;
496 /* count is not on the wire */
497 typedef [public,nopull,nopush,gensize] struct {
499 AuthenticationInformation array[count];
500 } AuthenticationInformationArray;
502 /* we cannot use [relative] pointers here because Windows expects the
503 * previous_offset to match the total size of the struct in case
504 * the previous array is empty, see MS-LSAD 2.2.7.16 - gd */
505 typedef [public,gensize,nopush] struct {
507 [value((count > 0) ? 12 : 0)] uint32 current_offset;
508 [value((count > 0) ? 12 + ndr_size_AuthenticationInformationArray(¤t, ndr->flags) : 0)] uint32 previous_offset;
509 [subcontext(0),subcontext_size((previous_offset)-(current_offset))] AuthenticationInformationArray current;
510 [subcontext(0)] [flag(NDR_REMAINING)] AuthenticationInformationArray previous;
511 } trustAuthInOutBlob;
513 typedef [public,nopull] struct {
514 uint8 confounder[512];
515 [subcontext(0),subcontext_size(outgoing_size)] trustAuthInOutBlob outgoing;
516 [subcontext(0),subcontext_size(incoming_size)] trustAuthInOutBlob incoming;
517 [value(ndr_size_trustAuthInOutBlob(&outgoing, ndr->flags))] uint32 outgoing_size;
518 [value(ndr_size_trustAuthInOutBlob(&incoming, ndr->flags))] uint32 incoming_size;
519 } trustDomainPasswords;
521 typedef [public] struct {
528 [size_is(__size),charset(DOS)] uint8 *string;
529 } ExtendedErrorAString;
533 [size_is(__size),charset(UTF16)] uint16 *string;
534 } ExtendedErrorUString;
538 [size_is(length)] uint8 *data;
542 EXTENDED_ERROR_COMPUTER_NAME_PRESENT = 1,
543 EXTENDED_ERROR_COMPUTER_NAME_NOT_PRESENT= 2
544 } ExtendedErrorComputerNamePresent;
546 typedef [switch_type(ExtendedErrorComputerNamePresent)] union {
547 [case(EXTENDED_ERROR_COMPUTER_NAME_PRESENT)] ExtendedErrorUString name;
548 [case(EXTENDED_ERROR_COMPUTER_NAME_NOT_PRESENT)];
549 } ExtendedErrorComputerNameU;
552 ExtendedErrorComputerNamePresent present;
553 [switch_is(present)] ExtendedErrorComputerNameU n;
554 } ExtendedErrorComputerName;
557 EXTENDED_ERROR_PARAM_TYPE_ASCII_STRING = 1,
558 EXTENDED_ERROR_PARAM_TYPE_UNICODE_STRING = 2,
559 EXTENDED_ERROR_PARAM_TYPE_UINT32 = 3,
560 EXTENDED_ERROR_PARAM_TYPE_UINT16 = 4,
561 EXTENDED_ERROR_PARAM_TYPE_UINT64 = 5,
562 EXTENDED_ERROR_PARAM_TYPE_NONE = 6,
563 EXTENDED_ERROR_PARAM_TYPE_BLOB = 7
564 } ExtendedErrorParamType;
566 typedef [switch_type(ExtendedErrorParamType)] union {
567 [case(EXTENDED_ERROR_PARAM_TYPE_ASCII_STRING)] ExtendedErrorAString a_string;
568 [case(EXTENDED_ERROR_PARAM_TYPE_UNICODE_STRING)] ExtendedErrorUString u_string;
569 [case(EXTENDED_ERROR_PARAM_TYPE_UINT32)] uint32 uint32;
570 [case(EXTENDED_ERROR_PARAM_TYPE_UINT16)] uint16 uint16;
571 [case(EXTENDED_ERROR_PARAM_TYPE_UINT64)] hyper uint64;
572 [case(EXTENDED_ERROR_PARAM_TYPE_NONE)];
573 [case(EXTENDED_ERROR_PARAM_TYPE_BLOB)] ExtendedErrorBlob blob;
574 } ExtendedErrorParamU;
577 ExtendedErrorParamType type;
578 [switch_is(type)] ExtendedErrorParamU p;
579 } ExtendedErrorParam;
581 typedef [public] struct {
582 [max_recursion(20000)] ExtendedErrorInfo *next;
583 ExtendedErrorComputerName computer_name;
586 uint32 generating_component;
588 uint16 detection_location;
591 [size_is(num_params)] ExtendedErrorParam params[];
595 [unique] ExtendedErrorInfo *info;
596 } ExtendedErrorInfoPtr;
598 /* MS-ADTS 7.1.6.9.3 msDS-TrustForestTrustInfo Attribute */
601 [value(strlen_m(string))] uint32 size;
602 [charset(UTF8)] uint8 string[size];
605 typedef [flag(NDR_NOALIGN)] struct {
606 [value(ndr_size_dom_sid0(&sid, ndr->flags))] uint32 sid_size;
607 [subcontext(0),subcontext_size(sid_size)] dom_sid sid;
608 ForestTrustString dns_name;
609 ForestTrustString netbios_name;
610 } ForestTrustDataDomainInfo;
612 typedef [flag(NDR_NOALIGN)] struct {
615 } ForestTrustDataBinaryData;
617 typedef [nodiscriminant] union {
618 [case(FOREST_TRUST_TOP_LEVEL_NAME)] ForestTrustString name;
619 [case(FOREST_TRUST_TOP_LEVEL_NAME_EX)] ForestTrustString name;
620 [case(FOREST_TRUST_DOMAIN_INFO)] ForestTrustDataDomainInfo info;
621 [default] ForestTrustDataBinaryData data;
624 /* same as lsa_ForestTrustRecordType, but only 8 bit */
625 typedef [enum8bit] enum {
626 FOREST_TRUST_TOP_LEVEL_NAME = LSA_FOREST_TRUST_TOP_LEVEL_NAME,
627 FOREST_TRUST_TOP_LEVEL_NAME_EX = LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX,
628 FOREST_TRUST_DOMAIN_INFO = LSA_FOREST_TRUST_DOMAIN_INFO
629 } ForestTrustInfoRecordType;
631 /* meaning of flags depends on record type and values are
632 the same as in lsa.idl, see collision record types */
633 typedef [public,gensize,flag(NDR_NOALIGN)] struct {
634 lsa_ForestTrustRecordFlags flags;
636 ForestTrustInfoRecordType type;
637 [switch_is(type)] ForestTrustData data;
638 } ForestTrustInfoRecord;
640 typedef [flag(NDR_NOALIGN)] struct {
641 [value(ndr_size_ForestTrustInfoRecord(&record, ndr->flags))] uint32 record_size;
642 ForestTrustInfoRecord record;
643 } ForestTrustInfoRecordArmor;
645 typedef [public,flag(NDR_NOALIGN)] struct {
648 ForestTrustInfoRecordArmor records[count];
652 ENC_SECRET_AES_128_AEAD = 1
653 } EncryptedSecretAlgorithm;
655 const uint32 ENCRYPTED_SECRET_MAGIC_VALUE = 0xCA5CADED;
657 typedef [public] struct {
661 /* The AEAD routines uses this as the additional authenticated data */
662 typedef [public] struct {
667 } EncryptedSecretHeader;
669 typedef [public] struct {
671 * The iv is before the header to ensure that the first bytes of
672 * the encrypted values are not predictable.
673 * We do this so that if the decryption gets disabled, we don't
674 * end up with predictable unicodePasswords.
677 EncryptedSecretHeader header;
678 [flag(NDR_REMAINING)] DATA_BLOB encrypted;
git.samba.org / samba.git / blob