logo_kerberos.gif

Projects/PAC and principal APIs

From K5Wiki
< Projects(Difference between revisions)
Jump to: navigation, search
(new project)
 
(start review)
Line 1: Line 1:
{{project-early}}
+
{{project-review|January 10, 2009}}
  +
   
 
The '''PAC and principal APIs''' project defines some APIs that are useful in an active-directory enviroment.
 
The '''PAC and principal APIs''' project defines some APIs that are useful in an active-directory enviroment.
Line 153: Line 153:
 
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
 
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
 
</pre>
 
</pre>
  +
  +
==Review==
  +
  +
This section documents the review of the project according to [[Project policy]].
  +
It is divided into multiple sections. First, approvals should be listed. To list an approval type
  +
:<nowiki>#~~~~</nowiki>
  +
on its own line.
  +
The next section is for discussion. Use standard [http://en.wikipedia.org/wiki/Wikipedia:Tutorial_%28Talk_pages%29 talk page conventions]. In particular, sign comments with
  +
:<nowiki>--~~~~</nowiki>
  +
and indent replies.
  +
  +
Members of Krbcore raising Blocking objections should preface their comment with <nowiki>{{project-block}}</nowiki>. The member who raised the objection should remove this markup when their objection is handled.
  +
  +
===Approvals===
  +
  +
===Discussion===

Revision as of 14:40, 23 December 2008

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on January 10, 2009.

Comments can be sent to krbdev@mit.edu.


The PAC and principal APIs project defines some APIs that are useful in an active-directory enviroment.

Contents

PAC API

Microsoft Windows uses a data structure called the PAC in order to convey authorization information. See the expired draft-brezak-win2k-krb-authz-00 for documentation. The PAC is logically a set of type-length-value elements. That is, it is a collection of typed data items, and lengths are associated with each type. Typically the data items are NDR encoded. This API provides facilities to create and sign a PAC and to extract a given typed buffer from a PAC. NDR encoders and decoders are not provided.

/*
 * Windows PAC
 */
struct krb5_pac_data;
typedef struct krb5_pac_data *krb5_pac;

krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer
(krb5_context context,
                krb5_pac pac,
                krb5_ui_4 type,
                const krb5_data *data);

void KRB5_CALLCONV
krb5_pac_free
(krb5_context context,
                krb5_pac pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer
(krb5_context context,
                krb5_pac pac,
                krb5_ui_4 type,
                krb5_data *data);

krb5_error_code KRB5_CALLCONV
krb5_pac_get_types
(krb5_context context,
                krb5_pac pac,
                size_t *len,
                krb5_ui_4 **types);

krb5_error_code KRB5_CALLCONV
krb5_pac_init
(krb5_context context,
                krb5_pac *pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_parse
(krb5_context context,
                const void *ptr,
                size_t len,
                krb5_pac *pac);

krb5_error_code KRB5_CALLCONV
krb5_pac_verify
(krb5_context context,
                const krb5_pac pac,
                krb5_timestamp authtime,
                krb5_const_principal principal,
                const krb5_keyblock *server,
                const krb5_keyblock *privsvr);

The krb5_pac_parse function will allocate a new PAC.


In addition, the following internal API is defined:

krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context,
                 krb5_pac pac,
                 krb5_timestamp authtime,
                 krb5_const_principal principal,
                 const krb5_keyblock *server_key,
                 const krb5_keyblock *privsvr_key,
                 krb5_data *data);

This function signs and outputs a PAC. It is internal because it is only useful in the KDC.

Principal parsing and comparison

Several principal parsing and comparison functions are introduced. Several of these are Heimdal compatible.

#define KRB5_PRINCIPAL_UNPARSE_SHORT    1
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY  4
krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags
        (krb5_context,
                krb5_const_principal,
                int,
                char **);
krb5_error_code KRB5_CALLCONV krb5_unparse_name_flags_ext
        (krb5_context,
                krb5_const_principal,
                int,
                char **,
                unsigned int *);
#define KRB5_PRINCIPAL_PARSE_NO_REALM   1
#define KRB5_PRINCIPAL_PARSE_MUST_REALM 2
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4
krb5_error_code KRB5_CALLCONV krb5_parse_name_flags
        (krb5_context,
                const char *,
                int,
                krb5_principal * );

krb5_boolean KRB5_CALLCONV krb5_principal_compare_any_realm
        (krb5_context,
                krb5_const_principal,
                krb5_const_principal);
#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM         1
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE           2 /* compare UPNs as real principals */
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD             4 /* case-insensitive comparison */
#define KRB5_PRINCIPAL_COMPARE_UTF8                 8 /* treat principals as UTF-8 */

krb5_boolean KRB5_CALLCONV krb5_principal_compare_flags
        (krb5_context,
                krb5_const_principal,
                krb5_const_principal,
                int);

User to User tickets

The following flag is defined for krb5_get_credentials:

#define KRB5_GC_USER_USER       1       /* want user-user ticket */
#define KRB5_GC_CANONICALIZE    4       /* set canonicalize KDC option */

The user_user flag searches the ccache for a credential encrypted in the right TGT.

Constants

/* Name in form of SMTP email name */
#define KRB5_NT_SMTP_NAME               7
/* Windows 2000 UPN */
#define KRB5_NT_ENTERPRISE_PRINCIPAL    10
/* Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL            -128
/* NT 4 style name */
#define KRB5_NT_MS_PRINCIPAL_AND_ID     -129
/* NT 4 style name and SID */
#define KRB5_NT_ENT_PRINCIPAL_AND_ID    -130
#define ADDRTYPE_NETBIOS        0x0014
#define KDC_OPT_CNAME_IN_ADDL_TKT       0x00020000
#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /*Microsoft netlogon cksumtype*/
#define KRB5_PADATA_SVR_REFERRAL_INFO   20 /* Windows 2000 referrals */
#define KRB5_PADATA_PAC_REQUEST         128 /* include Windows PAC */
#define KRB5_PADATA_FOR_USER            129 /* username protocol transition request */
#define KRB5_PADATA_S4U_X509_USER       130 /* certificate protocol transition request */
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129     /* RFC 4537 */

Review

This section documents the review of the project according to Project policy. It is divided into multiple sections. First, approvals should be listed. To list an approval type

#~~~~

on its own line. The next section is for discussion. Use standard talk page conventions. In particular, sign comments with

--~~~~

and indent replies.

Members of Krbcore raising Blocking objections should preface their comment with {{project-block}}. The member who raised the objection should remove this markup when their objection is handled.

Approvals

Discussion

Personal tools