r8156: I found out that the unknown[2] field of the unknown[4] array is a length...
authorStefan Metzmacher <metze@samba.org>
Tue, 5 Jul 2005 06:13:12 +0000 (06:13 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:19:13 +0000 (13:19 -0500)
it's always 16 bytes smaller than the size in the PAC_BUFFER

we now dump the blobs on LOCAL-PAC with -d 10

metze
(This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283)

source4/auth/kerberos/kerberos_pac.c
source4/librpc/idl/krb5pac.idl
source4/torture/auth/pac.c

index 760de8c6c620331d11581cd624804915c5224864..c659db064bb42273c0a61e016949f93ba9d528e5 100644 (file)
@@ -92,6 +92,8 @@ static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx,
        DATA_BLOB modified_pac_blob = data_blob_talloc(mem_ctx, blob.data, blob.length);
        int i;
 
+       /* file_save("tmp_pac_data.dat",blob.data,blob.length); */
+
        status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
        if (!NT_STATUS_IS_OK(status)) {
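Review bot: The line added at the top of check_pac_checksum is commented-out debug code that, once uncommented, writes the raw PAC to the fixed relative name `tmp_pac_data.dat` in whatever directory the process happens to run in. Per the IDL in this commit, the PAC carries the account's netr_SamInfo3 data and resource group RIDs, so a dump helper that is one keystroke from being enabled in the verification path is worth avoiding. The torture changes in this same commit use the debug-level dump for the same purpose, so `dump_data(10, blob.data, blob.length);` here would be consistent and create no file. The function body starts and ends outside the hunk.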
@@ -111,7 +113,7 @@ static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx,
                                if (!pac_data.buffers[i].info) {
                                        break;
                                }
-                               logon_info = pac_data.buffers[i].info->logon_info.i;
+                               logon_info = pac_data.buffers[i].info->logon_info.info;
                                break;
                        case PAC_TYPE_SRV_CHECKSUM:
                                if (!pac_data.buffers[i].info) {
@@ -315,11 +317,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
                return EINVAL;
        }
 
-       u_LOGON_INFO->logon_info.unknown[0]     = 0x00081001;
-       u_LOGON_INFO->logon_info.unknown[1]     = 0xCCCCCCCC;
-       u_LOGON_INFO->logon_info.unknown[2]     = 0x000001C8;
-       u_LOGON_INFO->logon_info.unknown[3]     = 0x00000000;
-       u_LOGON_INFO->logon_info.i              = LOGON_INFO;
+       u_LOGON_INFO->logon_info.info           = LOGON_INFO;
        LOGON_INFO->info3.base = *sam;
 
        LOGON_NAME->account_name        = server_info->account_name;
index a0df6f38227e2828177401996b19ca536f391751..13a562a8f883a35123b7b5b9bbdb0470cf567827 100644 (file)
@@ -23,15 +23,18 @@ interface krb5pac
                uint8 signature[16];
        } PAC_SIGNATURE_DATA;
 
-       typedef struct {
+       typedef [gensize] struct {
                netr_SamInfo3 info3;
                dom_sid2 *res_group_dom_sid;
                samr_RidWithAttributeArray res_groups;
        } PAC_LOGON_INFO;
 
        typedef struct {
-               uint32 unknown[4];
-               PAC_LOGON_INFO *i;
+               [value(0x00081001)] uint32 unknown1;
+               [value(0xCCCCCCCC)] uint32 unknown2;
+               [value(NDR_ROUND(ndr_size_PAC_LOGON_INFO(info, ndr->flags)+4,8))] uint32 _ndr_size;
+               [value(0x00000000)] uint32 unknown3;
+               PAC_LOGON_INFO *info;
        } PAC_LOGON_INFO_CTR;
 
        typedef [public,v1_enum] enum {
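Review bot: The new `_ndr_size` member in PAC_LOGON_INFO_CTR has no comment explaining what it measures or where the `+4` and the rounding to `8` come from; the only explanation is the commit message. I would add something like `/* NDR size of the PAC_LOGON_INFO payload; observed to be 16 bytes less than the size in the PAC_BUFFER */` above it, and a word on the `+4`. As far as I can tell, `value()` only fixes what is written on push, so on pull `_ndr_size` and the three constant words are accepted as sent; if that is right, a consistency check against the PAC_BUFFER size belongs in the caller, since the PAC comes off the wire. It is also worth confirming that `ndr_size_PAC_LOGON_INFO()` tolerates a NULL `info` on the push side.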
index ebf876c651b32bd74ba2b63aeca9894c279a274c..ecf67a90147faa6941e7e5542226255839a20cdc 100644 (file)
@@ -119,7 +119,7 @@ static BOOL torture_pac_self_check(void)
                return False;
        }
 
-       /* dump_data(0,tmp_blob.data,tmp_blob.length); */
+       dump_data(10,tmp_blob.data,tmp_blob.length);
 
        /* Now check that we can read it back */
        nt_status = kerberos_decode_pac(mem_ctx, &pac_info,
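Review bot: The three `dump_data(10, ...)` calls enabled in this file (here in torture_pac_self_check and in the two torture_pac_saved_check hunks at -230 and -263) print the blob with no label, so at -d 10 the self-check PAC, the saved PAC and the validate blob cannot be told apart in the log. A line such as `DEBUG(10, ("PAC blob (self check):\n"));` before each call, with the text adjusted per site, would fix that. At that debug level the complete PAC, signatures included, also lands in the test log, which matters if the saved PAC was captured from a real domain. Both functions continue outside their hunks.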
@@ -230,7 +230,7 @@ static BOOL torture_pac_saved_check(void)
 
        /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
 
-       /*dump_data(0,tmp_blob.data,tmp_blob.length);*/
+       dump_data(10,tmp_blob.data,tmp_blob.length);
 
        /* Decode and verify the signaure on the PAC */
        nt_status = kerberos_decode_pac(mem_ctx, &pac_info,
@@ -263,7 +263,7 @@ static BOOL torture_pac_saved_check(void)
                return False;
        }
 
-       /* dump_data(0,validate_blob.data,validate_blob.length); */
+       dump_data(10,validate_blob.data,validate_blob.length);
 
        /* all we can check is the length of the buffers,
         * to check that the alignment and padding is ok,