Difference between revisions of "Projects/PAC and principal APIs"
SamHartman (new project)
(4 intermediate revisions by 3 users not shown)
Line 1: | Line 1: | ||
− | {{project- |
+ | {{project-rel|1.8}} |
+ | |||
The '''PAC and principal APIs''' project defines some APIs that are useful in an active-directory enviroment. |
The '''PAC and principal APIs''' project defines some APIs that are useful in an active-directory enviroment. |
Line 83: | Line 83: | ||
Several principal parsing and comparison functions are introduced. Several of these are Heimdal compatible. |
Several principal parsing and comparison functions are introduced. Several of these are Heimdal compatible. |
<pre> |
<pre> |
− | #define KRB5_PRINCIPAL_UNPARSE_SHORT 1 |
+ | #define KRB5_PRINCIPAL_UNPARSE_SHORT 1 /* Omit realm if it is the local realm */ |
− | #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2 |
+ | #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2 /* Omit realm always */ |
− | #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 4 |
+ | #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 4 /* Don't escape special characters */ |
krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags |
krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags |
(krb5_context, |
(krb5_context, |
Line 97: | Line 97: | ||
char **, |
char **, |
unsigned int *); |
unsigned int *); |
− | #define KRB5_PRINCIPAL_PARSE_NO_REALM 1 |
+ | #define KRB5_PRINCIPAL_PARSE_NO_REALM 1 /* Error if realm is present */ |
− | #define |
+ | #define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 2 /* Error if realm is not present */ |
− | #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4 |
+ | #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4 /* Create single-component enterprise principle */ |
krb5_error_code KRB5_CALLCONV krb5_parse_name_flags |
krb5_error_code KRB5_CALLCONV krb5_parse_name_flags |
(krb5_context, |
(krb5_context, |
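Review bot: the comment added on the KRB5_PRINCIPAL_PARSE_ENTERPRISE line reads "Create single-component enterprise principle"; the word should be "principal", since the flag produces a Kerberos principal with the enterprise name type. Suggest `#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4 /* Create single-component enterprise principal */`.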
Line 153: | Line 153: | ||
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ |
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ |
</pre> |
</pre> |
+ | |||
+ | ==Review== |
+ | |||
+ | This section documents the review of the project according to [[Project policy]]. |
+ | It is divided into multiple sections. First, approvals should be listed. To list an approval type |
+ | :<nowiki>#~~~~</nowiki> |
+ | on its own line. |
+ | The next section is for discussion. Use standard [http://en.wikipedia.org/wiki/Wikipedia:Tutorial_%28Talk_pages%29 talk page conventions]. In particular, sign comments with |
+ | :<nowiki>--~~~~</nowiki> |
+ | and indent replies. |
+ | |||
+ | Members of Krbcore raising Blocking objections should preface their comment with <nowiki>{{project-block}}</nowiki>. The member who raised the objection should remove this markup when their objection is handled. |
+ | |||
+ | ===Approvals=== |
+ | |||
+ | Greg Hudson, December 30, 2008 |
+ | |||
+ | ===Discussion=== |
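Review bot: the Approvals entry "Greg Hudson, December 30, 2008" is written out by hand rather than in the `#~~~~` form that this same section tells approvers to use, so it will not render as a numbered, signed list item like later approvals will. Either record it as `#~~~~` or state in the section text that earlier approvals were transcribed.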
Latest revision as of 23:29, 15 February 2010
The PAC and principal APIs project defines some APIs that are useful in an Active Directory environment.
PAC API
Microsoft Windows uses a data structure called the PAC in order to convey authorization information. See the expired draft-brezak-win2k-krb-authz-00 for documentation. The PAC is logically a set of type-length-value elements: a collection of typed data items, each carrying its own length. Typically the data items are NDR encoded. This API provides facilities to create and sign a PAC and to extract a given typed buffer from a PAC. NDR encoders and decoders are not provided.
/*
 * Windows PAC
 */
struct krb5_pac_data;
typedef struct krb5_pac_data *krb5_pac;

krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
                    const krb5_data *data);

void KRB5_CALLCONV
krb5_pac_free(krb5_context context, krb5_pac pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
                    krb5_data *data);

krb5_error_code KRB5_CALLCONV
krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len,
                   krb5_ui_4 **types);

krb5_error_code KRB5_CALLCONV
krb5_pac_init(krb5_context context, krb5_pac *pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
               krb5_pac *pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_verify(krb5_context context, const krb5_pac pac,
                krb5_timestamp authtime, krb5_const_principal principal,
                const krb5_keyblock *server, const krb5_keyblock *privsvr);
The krb5_pac_parse function will allocate a new PAC.
In addition, the following internal API is defined:
krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
                 krb5_const_principal principal,
                 const krb5_keyblock *server_key,
                 const krb5_keyblock *privsvr_key, krb5_data *data);
This function signs and outputs a PAC. It is internal because it is only useful in the KDC.
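As an added example (independent code, not from this wiki page or from MIT krb5), the container walk that krb5_pac_parse and krb5_pac_get_buffer perform, written to show the bounds checks a parser of an untrusted PAC needs before any typed buffer is handed to an NDR decoder. It assumes the MS-PAC container layout (a PACTYPE header followed by PAC_INFO_BUFFER entries, little-endian, offsets relative to the start of the PAC); the function names and the sample bytes are constructed here, and signature verification (krb5_pac_verify) is not modelled.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (MS-PAC, little-endian): PACTYPE header {cBuffers, Version},
 * then cBuffers PAC_INFO_BUFFER entries {ulType, cbBufferSize, Offset}. */
#define PAC_HDR_LEN  8   /* cBuffers (4) + Version (4) */
#define PAC_INFO_LEN 16  /* ulType (4) + cbBufferSize (4) + Offset (8) */

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Validate the container and return its buffer count, or -1 if malformed.
 * Each buffer's [Offset, Offset + cbBufferSize) must lie inside the PAC, so a
 * bogus count or offset in an untrusted PAC cannot make us read past it. */
int pac_count_buffers(const uint8_t *pac, size_t len) {
    if (len < PAC_HDR_LEN || rd32(pac + 4) != 0)   /* Version is always 0 */
        return -1;
    uint32_t n = rd32(pac);
    if (n > (len - PAC_HDR_LEN) / PAC_INFO_LEN)     /* entry table must fit */
        return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = pac + PAC_HDR_LEN + (size_t)i * PAC_INFO_LEN;
        uint64_t off = rd64(e + 8);
        if (off > len || rd32(e + 4) > len - off)
            return -1;
    }
    return (int)n;
}

/* Find the first buffer of the given type, as krb5_pac_get_buffer does.
 * Returns 0 and sets out/out_len, or -1 if absent or the PAC is malformed. */
int pac_get_buffer(const uint8_t *pac, size_t len, uint32_t type,
                   const uint8_t **out, size_t *out_len) {
    int n = pac_count_buffers(pac, len);
    for (int i = 0; i < n; i++) {
        const uint8_t *e = pac + PAC_HDR_LEN + (size_t)i * PAC_INFO_LEN;
        if (rd32(e) == type) {
            *out = pac + rd64(e + 8);
            *out_len = rd32(e + 4);
            return 0;
        }
    }
    return -1;
}

/* Constructed sample: two buffers, type 10 at offset 40 and type 6 at 48. */
const uint8_t SAMPLE_PAC[52] = {
    2, 0, 0, 0,  0, 0, 0, 0,                            /* cBuffers = 2, Version = 0 */
    10, 0, 0, 0,  4, 0, 0, 0,  40, 0, 0, 0, 0, 0, 0, 0, /* type 10, 4 bytes @40 */
    6, 0, 0, 0,   4, 0, 0, 0,  48, 0, 0, 0, 0, 0, 0, 0, /* type 6,  4 bytes @48 */
    0xde, 0xad, 0xbe, 0xef,  0, 0, 0, 0,  1, 2, 3, 4    /* type 10 data + pad, type 6 data */
};
```

Truncating the sample by one byte makes the second entry overrun the PAC and the whole container is rejected, which is the behaviour a caller of krb5_pac_parse should expect from a damaged or tampered PAC.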
Principal parsing and comparison
Several principal parsing and comparison functions are introduced. Several of these are Heimdal-compatible.
#define KRB5_PRINCIPAL_UNPARSE_SHORT    1 /* Omit realm if it is the local realm */
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2 /* Omit realm always */
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY  4 /* Don't escape special characters */

krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags(krb5_context, krb5_const_principal, int, char **);

krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags_ext(krb5_context, krb5_const_principal, int, char **,
                            unsigned int *);

#define KRB5_PRINCIPAL_PARSE_NO_REALM      1 /* Error if realm is present */
#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 2 /* Error if realm is not present */
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE    4 /* Create single-component enterprise principal */

krb5_error_code KRB5_CALLCONV
krb5_parse_name_flags(krb5_context, const char *, int, krb5_principal *);

krb5_boolean KRB5_CALLCONV
krb5_principal_compare_any_realm(krb5_context, krb5_const_principal,
                                 krb5_const_principal);

#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE   2 /* compare UPNs as real principals */
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD     4 /* case-insensitive comparison */
#define KRB5_PRINCIPAL_COMPARE_UTF8         8 /* treat principals as UTF-8 */

krb5_boolean KRB5_CALLCONV
krb5_principal_compare_flags(krb5_context, krb5_const_principal,
                             krb5_const_principal, int);
User to User tickets
The following flags are defined for krb5_get_credentials:
#define KRB5_GC_USER_USER    1 /* want user-user ticket */
#define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
With the user-user flag set, krb5_get_credentials searches the ccache for a credential encrypted in the right TGT.
Constants
/* Name in form of SMTP email name */
#define KRB5_NT_SMTP_NAME 7
/* Windows 2000 UPN */
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
/* Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL -128
/* NT 4 style name */
#define KRB5_NT_MS_PRINCIPAL_AND_ID -129
/* NT 4 style name and SID */
#define KRB5_NT_ENT_PRINCIPAL_AND_ID -130

#define ADDRTYPE_NETBIOS 0x0014

#define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000

#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon cksumtype */

#define KRB5_PADATA_SVR_REFERRAL_INFO 20  /* Windows 2000 referrals */
#define KRB5_PADATA_PAC_REQUEST       128 /* include Windows PAC */
#define KRB5_PADATA_FOR_USER          129 /* username protocol transition request */
#define KRB5_PADATA_S4U_X509_USER     130 /* certificate protocol transition request */

#define KRB5_AUTHDATA_WIN2K_PAC         128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
Review
This section documents the review of the project according to Project policy. It is divided into multiple sections. First, approvals should be listed. To list an approval type
- #~~~~
on its own line. The next section is for discussion. Use standard talk page conventions. In particular, sign comments with
- --~~~~
and indent replies.
Members of Krbcore raising Blocking objections should preface their comment with {{project-block}}. The member who raised the objection should remove this markup when their objection is handled.
Approvals
Greg Hudson, December 30, 2008