#include "idl_types.h"
-import "drsuapi.idl", "misc.idl", "samr.idl", "lsa.idl";
+import "drsuapi.idl", "misc.idl", "samr.idl", "lsa.idl", "security.idl";
[
uuid("12345778-1234-abcd-0001-00000001"),
helpstring("Active Directory Replication LDAP Blobs")
]
interface drsblobs {
- typedef bitmap drsuapi_DsReplicaSyncOptions drsuapi_DsReplicaSyncOptions;
- typedef bitmap drsuapi_DsReplicaNeighbourFlags drsuapi_DsReplicaNeighbourFlags;
+ typedef bitmap drsuapi_DrsOptions drsuapi_DrsOptions;
typedef [v1_enum] enum drsuapi_DsAttributeId drsuapi_DsAttributeId;
typedef [v1_enum] enum lsa_TrustAuthType lsa_TrustAuthType;
/*
* replPropertyMetaData
* w2k uses version 1
* w2k3 uses version 1
+ *
+ * Also equivalent to
+ * MS-DRSR 4.1.10.2.22 PROPERTY_META_DATA
*/
- typedef struct {
+ typedef [public] struct {
drsuapi_DsAttributeId attid;
uint32 version;
NTTIME_1sec originating_change_time;
typedef struct {
uint32 count;
- uint32 reserved;
+ [value(0)] uint32 reserved;
replPropertyMetaData1 array[count];
} replPropertyMetaDataCtr1;
typedef [nodiscriminant] union {
[case(1)] replPropertyMetaDataCtr1 ctr1;
} replPropertyMetaDataCtr;
-
+
typedef [public] struct {
uint32 version;
- uint32 reserved;
+ [value(0)] uint32 reserved;
[switch_is(version)] replPropertyMetaDataCtr ctr;
} replPropertyMetaDataBlob;
- void decode_replPropertyMetaData(
- [in] replPropertyMetaDataBlob blob
- );
-
/*
* replUpToDateVector
* w2k uses version 1
*/
typedef struct {
uint32 count;
- uint32 reserved;
+ [value(0)] uint32 reserved;
drsuapi_DsReplicaCursor cursors[count];
} replUpToDateVectorCtr1;
typedef struct {
uint32 count;
- uint32 reserved;
+ [value(0)] uint32 reserved;
drsuapi_DsReplicaCursor2 cursors[count];
} replUpToDateVectorCtr2;
typedef [public] struct {
uint32 version;
- uint32 reserved;
+ [value(0)] uint32 reserved;
[switch_is(version)] replUpToDateVectorCtr ctr;
} replUpToDateVectorBlob;
- void decode_replUpToDateVector(
- [in] replUpToDateVectorBlob blob
- );
-
/*
* repsFrom/repsTo
* w2k uses version 1
* w2k3 uses version 1
+ * w2k8 uses version 2
*/
typedef [public,gensize] struct {
[value(strlen(dns_name)+1)] uint32 __dns_name_size;
typedef [public,gensize,flag(NDR_PAHEX)] struct {
/* this includes the 8 bytes of the repsFromToBlob header */
- [value(ndr_size_repsFromTo1(this, ndr->iconv_convenience, ndr->flags)+8)] uint32 blobsize;
+ [value(ndr_size_repsFromTo1(this, ndr->flags)+8)] uint32 blobsize;
uint32 consecutive_sync_failures;
NTTIME_1sec last_success;
NTTIME_1sec last_attempt;
WERROR result_last_attempt;
[relative] repsFromTo1OtherInfo *other_info;
- [value(ndr_size_repsFromTo1OtherInfo(other_info, ndr->iconv_convenience, ndr->flags))] uint32 other_info_length;
- drsuapi_DsReplicaNeighbourFlags replica_flags;
+ [value(ndr_size_repsFromTo1OtherInfo(other_info, ndr->flags))] uint32 other_info_length;
+ drsuapi_DrsOptions replica_flags;
uint8 schedule[84];
- uint32 reserved;
+ [value(0)] uint32 reserved;
drsuapi_DsReplicaHighWaterMark highwatermark;
GUID source_dsa_obj_guid; /* the 'objectGuid' field of the CN=NTDS Settings object */
GUID source_dsa_invocation_id; /* the 'invocationId' field of the CN=NTDS Settings object */
GUID transport_guid;
} repsFromTo1;
+ typedef [public,relative_base,gensize] struct {
+ [value(ndr_size_repsFromTo2OtherInfo(this,ndr->flags))]
+ uint32 __ndr_size;
+ [relative] nstring *dns_name1;
+ uint32 unknown1;
+ [relative] nstring *dns_name2;
+ hyper unknown2;
+ } repsFromTo2OtherInfo;
+
+ typedef [public,gensize,flag(NDR_PAHEX)] struct {
+ /* this includes the 8 bytes of the repsFromToBlob header */
+ [value(ndr_size_repsFromTo2(this, ndr->flags)+8)] uint32 blobsize;
+ uint32 consecutive_sync_failures;
+ NTTIME_1sec last_success;
+ NTTIME_1sec last_attempt;
+ WERROR result_last_attempt;
+ [relative] repsFromTo2OtherInfo *other_info;
+ [value(ndr_size_repsFromTo2OtherInfo(other_info, ndr->flags))] uint32 other_info_length;
+ drsuapi_DrsOptions replica_flags;
+ uint8 schedule[84];
+ [value(0)] uint32 reserved;
+ drsuapi_DsReplicaHighWaterMark highwatermark;
+ GUID source_dsa_obj_guid; /* the 'objectGuid' field of the CN=NTDS Settings object */
+ GUID source_dsa_invocation_id; /* the 'invocationId' field of the CN=NTDS Settings object */
+ GUID transport_guid;
+ hyper unknown1;
+ } repsFromTo2;
+
typedef [nodiscriminant] union {
[case(1)] repsFromTo1 ctr1;
+ [case(2)] repsFromTo2 ctr2;
} repsFromTo;
typedef [public] struct {
uint32 version;
- uint32 reserved;
+ [value(0)] uint32 reserved;
[switch_is(version)] repsFromTo ctr;
} repsFromToBlob;
- void decode_repsFromTo(
- [in] repsFromToBlob blob
- );
+ /* Replication schedule structures as defined in MS-ADTS 7.1.4.5
+ * Appears as attribute of NTDSConnection object
+ */
+ typedef [public] struct {
+ [value(0)] uint32 type; /* always 0 */
+ uint32 offset;
+ } scheduleHeader;
+
+ typedef [public] struct {
+ uint8 slots[168];
+ } scheduleSlots;
+
+ typedef [public] struct {
+ uint32 size;
+ [value(0)] uint32 bandwidth; /* ignored */
+ uint32 numberOfSchedules; /* typically 1 */
+ scheduleHeader headerArray[numberOfSchedules];
+ scheduleSlots dataArray[numberOfSchedules];
+ } schedule;
/*
* partialAttributeSet
typedef [public] struct {
uint32 version;
- uint32 reserved;
+ [value(0)] uint32 reserved;
[switch_is(version)] partialAttributeSetCtr ctr;
} partialAttributeSetBlob;
- void decode_partialAttributeSet(
- [in] partialAttributeSetBlob blob
- );
+ /*
+ * schemaInfo attribute
+ *
+ * Used as an attribute on Schema.
+ * Also during replication as part of
+ * prefixMap to identify what revision
+ * of Schema source DC has
+ */
+ typedef [public,flag(NDR_NOALIGN)] struct {
+ [value(0xFF)] uint8 marker;
+ [flag(NDR_BIG_ENDIAN)] uint32 revision;
+ GUID invocation_id;
+ } schemaInfoBlob;
+
+
+ /*
+ * MS w2k3 and w2k8 prefixMap format
+ * There is no version number. Format is:
+ * uint32 - number of entries in the map
+ * uint32 - total bytes that structure occupies
+ * ENTRIES:
+ * uint16 - prefix ID (OID's last sub-id encoded. see prefixMap)
+ * uint16 - number of bytes in prefix N
+ * uint8[N] - BER encoded prefix
+ */
+ typedef [noprint,flag(NDR_NOALIGN)] struct {
+ uint16 entryID;
+ uint16 length;
+ uint8 binary_oid[length];
+ } drsuapi_MSPrefixMap_Entry;
+
+ typedef [public,gensize] struct {
+ uint32 num_entries;
+ [value(ndr_size_drsuapi_MSPrefixMap_Ctr(r, ndr->flags))] uint32 __ndr_size;
+ drsuapi_MSPrefixMap_Entry entries[num_entries];
+ } drsuapi_MSPrefixMap_Ctr;
/*
* prefixMap
typedef [public] struct {
prefixMapVersion version;
- uint32 reserved;
+ [value(0)] uint32 reserved;
[switch_is(version)] prefixMapCtr ctr;
} prefixMapBlob;
- void decode_prefixMap(
- [in] prefixMapBlob blob
- );
-
-
- /*
- * repsTo structure. This is not sent over the wire so we are
- * free to choose our own format. It is updated by the
- * DRSUpdateRefs DRSUAPI call. This is stored in NDR format
- * in the root of each partition in the repsTo attribute
- */
- typedef [v1_enum] enum {
- REPSTO_VERSION1 = 1
- } repsToVersion;
-
- typedef struct {
- utf8string dest_dsa_dns_name;
- GUID dest_guid;
- uint32 options;
- } repsToDest;
-
- typedef struct {
- uint32 count;
- [size_is(count)] repsToDest reps[];
- } repsTov1;
-
- typedef [nodiscriminant] union {
- [case(REPSTO_VERSION1)] repsTov1 r;
- } repsToCtr;
-
- typedef [public] struct {
- repsToVersion version;
- [switch_is(version)] repsToCtr ctr;
- } repsTo;
-
-
/*
* the cookie for the LDAP dirsync control
*/
NTTIME time;
uint32 u2;
uint32 u3;
- [value(ndr_size_ldapControlDirSyncExtra(&extra, extra.uptodateness_vector.version, ndr->iconv_convenience, 0))]
+ [value(ndr_size_ldapControlDirSyncExtra(&extra, extra.uptodateness_vector.version, 0))]
uint32 extra_length;
drsuapi_DsReplicaHighWaterMark highwatermark;
GUID guid1;
[subcontext(0)] ldapControlDirSyncBlob blob;
} ldapControlDirSyncCookie;
- void decode_ldapControlDirSync(
- [in] ldapControlDirSyncCookie cookie
- );
-
- typedef struct {
+ typedef [public] struct {
[value(2*strlen_m(name))] uint16 name_len;
[value(strlen(data))] uint16 data_len;
uint16 reserved; /* 2 for 'Packages', 1 for 'Primary:*', but should be ignored */
[charset(UTF16)] uint8 name[name_len];
- /*
+ /*
* the data field contains data as HEX strings
*
* 'Packages':
* data contains the list of packages
- * as non termiated UTF16 strings with
+ * as non terminated UTF16 strings with
* a UTF16 NULL byte as separator
*
* 'Primary:Kerberos-Newer-Keys':
* 'Primary:CLEARTEXT':
* data contains the cleartext password
* as UTF16 string encoded as HEX string
+ *
+ * 'Primary:userPassword':
+ * ...
+ *
+ * 'Primary:SambaGPG':
+ * ...
+ *
+ * 'Primary:NTLM-Strong-NTOWF':
+ * ... Not yet implemented.
+ *
*/
[charset(DOS)] uint8 data[data_len];
} supplementalCredentialsPackage;
/* this are 0x30 (48) whitespaces (0x20) */
const string SUPPLEMENTAL_CREDENTIALS_PREFIX = " ";
- typedef [flag(NDR_PAHEX)] enum {
+ typedef [flag(NDR_PAHEX),public] enum {
SUPPLEMENTAL_CREDENTIALS_SIGNATURE = 0x0050
} supplementalCredentialsSignature;
- typedef [gensize] struct {
+ typedef [gensize,nopush,nopull] struct {
[value(SUPPLEMENTAL_CREDENTIALS_PREFIX),charset(UTF16)] uint16 prefix[0x30];
[value(SUPPLEMENTAL_CREDENTIALS_SIGNATURE)] supplementalCredentialsSignature signature;
uint16 num_packages;
typedef [public] struct {
[value(0)] uint32 unknown1;
- [value(ndr_size_supplementalCredentialsSubBlob(&sub, ndr->iconv_convenience, ndr->flags))] uint32 __ndr_size;
+ [value(ndr_size_supplementalCredentialsSubBlob(&sub, ndr->flags))] uint32 __ndr_size;
[value(0)] uint32 unknown2;
[subcontext(0),subcontext_size(__ndr_size)] supplementalCredentialsSubBlob sub;
[value(0)] uint8 unknown3;
} supplementalCredentialsBlob;
- void decode_supplementalCredentials(
- [in] supplementalCredentialsBlob blob
- );
-
typedef [public] struct {
[flag(STR_NOTERM|NDR_REMAINING)] string_array names;
} package_PackagesBlob;
- void decode_Packages(
- [in] package_PackagesBlob blob
- );
-
typedef struct {
[value(2*strlen_m(string))] uint16 length;
[value(2*strlen_m(string))] uint16 size;
[switch_is(version)] package_PrimaryKerberosCtr ctr;
} package_PrimaryKerberosBlob;
- void decode_PrimaryKerberos(
- [in] package_PrimaryKerberosBlob blob
- );
-
typedef [public] struct {
[flag(NDR_REMAINING)] DATA_BLOB cleartext;
} package_PrimaryCLEARTEXTBlob;
- void decode_PrimaryCLEARTEXT(
- [in] package_PrimaryCLEARTEXTBlob blob
- );
-
typedef [flag(NDR_PAHEX)] struct {
uint8 hash[16];
} package_PrimaryWDigestHash;
[value(0x01)] uint8 unknown2;
uint8 num_hashes;
[value(0)] uint32 unknown3;
- [value(0)] udlong uuknown4;
+ [value(0)] udlong unknown4;
package_PrimaryWDigestHash hashes[num_hashes];
} package_PrimaryWDigestBlob;
- void decode_PrimaryWDigest(
- [in] package_PrimaryWDigestBlob blob
- );
+ typedef [public] struct {
+ [flag(NDR_REMAINING)] DATA_BLOB gpg_blob;
+ } package_PrimarySambaGPGBlob;
+
+ /*
+ * Password hashes stored in a scheme compatible with
+ * OpenLDAP's userPassword attribute. The Package is named
+ * Primary:userPassword each calculated hash,
+ * which is typically calculated via crypt(), the scheme is stored.
+ * The scheme name and the {scheme} format is re-used from OpenLDAP's
+ * use for userPassword to aid interoperability when exported.
+ *
+ * The currently supported scheme so far is {CRYPT}, which may
+ * be specified multiple times if both CryptSHA256 ($5$) and
+ * CryptSHA512 ($6$) are in use.
+ *
+ * current_nt_hash is either the unicodePwd or the
+ * NTLM-Strong-NTOWF, to allow us to prove this password is
+ * a valid element.
+ */
+ typedef struct {
+ [value(2*strlen_m(scheme))] uint16 scheme_len;
+ [charset(UTF16)] uint8 scheme[scheme_len];
+ [value((value?value->length:0))] uint32 value_len;
+ [relative,subcontext(0),subcontext_size(value_len),
+ flag(NDR_REMAINING)] DATA_BLOB *value;
+ } package_PrimaryUserPasswordValue;
+
+ typedef [public] struct {
+ samr_Password current_nt_hash;
+ uint16 num_hashes;
+ package_PrimaryUserPasswordValue hashes[num_hashes];
+ } package_PrimaryUserPasswordBlob;
typedef struct {
[value(0)] uint32 size;
samr_Password password;
} AuthInfoNT4Owf;
- /*
+ /*
* the secret value is encoded as UTF16 if it's a string
* but depending the AuthType, it might also be krb5 trusts have random bytes here, so converting to UTF16
- * mayfail...
+ * may fail...
*
* TODO: We should try handle the case of a random buffer in all places
* we deal with cleartext passwords from windows
typedef [public] struct {
NTTIME LastUpdateTime;
lsa_TrustAuthType AuthType;
-
[switch_is(AuthType)] AuthInfo AuthInfo;
[flag(NDR_ALIGN4)] DATA_BLOB _pad;
} AuthenticationInformation;
- typedef [nopull,nopush,noprint] struct {
- /* sizeis here is bogus, but this is here just for the structure */
- [size_is(1)] AuthenticationInformation array[];
+ /* count is not on the wire */
+ typedef [public,nopull,nopush,gensize] struct {
+ uint32 count;
+ AuthenticationInformation array[count];
} AuthenticationInformationArray;
- /* This is nopull,nopush because we pass count down to the
- * manual parser of AuthenticationInformationArray */
- typedef [public,nopull,nopush,noprint,gensize] struct {
+ /* we cannot use [relative] pointers here because Windows expects the
+ * previous_offset to match the total size of the struct in case
+ * the previous array is empty, see MS-LSAD 2.2.7.16 - gd */
+ typedef [public,gensize,nopush] struct {
uint32 count;
- [relative] AuthenticationInformationArray *current;
- [relative] AuthenticationInformationArray *previous;
+ [value((count > 0) ? 12 : 0)] uint32 current_offset;
+ [value((count > 0) ? 12 + ndr_size_AuthenticationInformationArray(¤t, ndr->flags) : 0)] uint32 previous_offset;
+ [subcontext(0),subcontext_size((previous_offset)-(current_offset))] AuthenticationInformationArray current;
+ [subcontext(0)] [flag(NDR_REMAINING)] AuthenticationInformationArray previous;
} trustAuthInOutBlob;
- void decode_trustAuthInOut(
- [in] trustAuthInOutBlob blob
- );
-
- typedef [public,gensize] struct {
- uint32 count;
- [relative] AuthenticationInformation *current[count];
- } trustCurrentPasswords;
-
typedef [public,nopull] struct {
uint8 confounder[512];
- [subcontext(0),subcontext_size(outgoing_size)] trustCurrentPasswords outgoing;
- [subcontext(0),subcontext_size(incoming_size)] trustCurrentPasswords incoming;
- [value(ndr_size_trustCurrentPasswords(&outgoing, ndr->iconv_convenience, ndr->flags))] uint32 outgoing_size;
- [value(ndr_size_trustCurrentPasswords(&incoming, ndr->iconv_convenience, ndr->flags))] uint32 incoming_size;
+ [subcontext(0),subcontext_size(outgoing_size)] trustAuthInOutBlob outgoing;
+ [subcontext(0),subcontext_size(incoming_size)] trustAuthInOutBlob incoming;
+ [value(ndr_size_trustAuthInOutBlob(&outgoing, ndr->flags))] uint32 outgoing_size;
+ [value(ndr_size_trustAuthInOutBlob(&incoming, ndr->flags))] uint32 incoming_size;
} trustDomainPasswords;
- void decode_trustDomainPasswords(
- [in] trustDomainPasswords blob
- );
-
typedef [public] struct {
uint32 marker;
DATA_BLOB data;
} ExtendedErrorParam;
typedef [public] struct {
- ExtendedErrorInfo *next;
+ [max_recursion(20000)] ExtendedErrorInfo *next;
ExtendedErrorComputerName computer_name;
hyper pid;
NTTIME time;
[unique] ExtendedErrorInfo *info;
} ExtendedErrorInfoPtr;
- void decode_ExtendedErrorInfo (
- [in,subcontext(0xFFFFFC01)] ExtendedErrorInfoPtr ptr
- );
+ /* MS-ADTS 7.1.6.9.3 msDS-TrustForestTrustInfo Attribute */
+
+ typedef struct {
+ [value(strlen_m(string))] uint32 size;
+ [charset(UTF8)] uint8 string[size];
+ } ForestTrustString;
+
+ typedef [flag(NDR_NOALIGN)] struct {
+ [value(ndr_size_dom_sid0(&sid, ndr->flags))] uint32 sid_size;
+ [subcontext(0),subcontext_size(sid_size)] dom_sid sid;
+ ForestTrustString dns_name;
+ ForestTrustString netbios_name;
+ } ForestTrustDataDomainInfo;
+
+ typedef [flag(NDR_NOALIGN)] struct {
+ uint32 size;
+ uint8 data[size];
+ } ForestTrustDataBinaryData;
+
+ typedef [nodiscriminant] union {
+ [case(FOREST_TRUST_TOP_LEVEL_NAME)] ForestTrustString name;
+ [case(FOREST_TRUST_TOP_LEVEL_NAME_EX)] ForestTrustString name;
+ [case(FOREST_TRUST_DOMAIN_INFO)] ForestTrustDataDomainInfo info;
+ [default] ForestTrustDataBinaryData data;
+ } ForestTrustData;
+
+ /* same as lsa_ForestTrustRecordType, but only 8 bit */
+ typedef [enum8bit] enum {
+ FOREST_TRUST_TOP_LEVEL_NAME = LSA_FOREST_TRUST_TOP_LEVEL_NAME,
+ FOREST_TRUST_TOP_LEVEL_NAME_EX = LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX,
+ FOREST_TRUST_DOMAIN_INFO = LSA_FOREST_TRUST_DOMAIN_INFO
+ } ForestTrustInfoRecordType;
+
+ /* meaning of flags depends on record type and values are
+ the same as in lsa.idl, see collision record types */
+ typedef [public,gensize,flag(NDR_NOALIGN)] struct {
+ lsa_ForestTrustRecordFlags flags;
+ NTTIME timestamp;
+ ForestTrustInfoRecordType type;
+ [switch_is(type)] ForestTrustData data;
+ } ForestTrustInfoRecord;
+
+ typedef [flag(NDR_NOALIGN)] struct {
+ [value(ndr_size_ForestTrustInfoRecord(&record, ndr->flags))] uint32 record_size;
+ ForestTrustInfoRecord record;
+ } ForestTrustInfoRecordArmor;
+
+ typedef [public,flag(NDR_NOALIGN)] struct {
+ uint32 version;
+ uint32 count;
+ ForestTrustInfoRecordArmor records[count];
+ } ForestTrustInfo;
+
+ typedef enum {
+ ENC_SECRET_AES_128_AEAD = 1
+ } EncryptedSecretAlgorithm;
+
+ const uint32 ENCRYPTED_SECRET_MAGIC_VALUE = 0xCA5CADED;
+
+ typedef [public] struct {
+ DATA_BLOB cleartext;
+ } PlaintextSecret;
+
+ /* The AEAD routines uses this as the additional authenticated data */
+ typedef [public] struct {
+ uint32 magic;
+ uint32 version;
+ uint32 algorithm;
+ uint32 flags;
+ } EncryptedSecretHeader;
+
+ typedef [public] struct {
+ /*
+ * The iv is before the header to ensure that the first bytes of
+ * the encrypted values are not predictable.
+ * We do this so that if the decryption gets disabled, we don't
+ * end up with predictable unicodePasswords.
+ */
+ DATA_BLOB iv;
+ EncryptedSecretHeader header;
+ [flag(NDR_REMAINING)] DATA_BLOB encrypted;
+ } EncryptedSecret;
}