Documentation
¶
Overview ¶
The pac package implements the PAC client protocol.
Introduction ¶
The Privilege Attribute Certificate (PAC) Data Structure is used by authentication protocols that verify identities to transport authorization information, which controls access to resources. The Kerberos protocol [RFC4120] does not provide authorization. The Privilege Attribute Certificate (PAC) was created to provide this authorization data for Kerberos Protocol Extensions [MS-KILE]. Into the PAC structure [MS-KILE] encodes authorization information, which consists of group memberships, additional credential information, profile and policy information, and supporting security metadata.<1>
Overview ¶
The PAC is a structure that conveys authorization-related information provided by domain controllers (DCs). The PAC is used by authentication protocols that verify identities to transport authorization information, which controls access to resources. Once authentication has been accomplished, the next task is to decide if a particular request is authorized. Management of network systems often models broad authorization decisions through groups; for example, all engineers who can access a specific printer or all sales personnel who can access a certain web server. Making group information consistently available to several services allows for simpler management.
The Kerberos protocol is one of the most commonly used authentication mechanisms. However, the Kerberos protocol [RFC4120] does not provide authorization; "kerberized" applications are expected to manage their own authorization, typically through names. Specifically, the Kerberos protocol does not define any explicit group membership or logon policy information to be carried in the Kerberos tickets. It leaves that for Kerberos extensions to provide a mechanism to convey authorization information by encapsulating this information within an AuthorizationData structure ([RFC4120] section 5.2.6). The PAC was created to provide this authorization data for Kerberos Protocol Extensions [MS-KILE].
[MS-KILE] requires that the PAC information be encoded within an AuthorizationData element ([RFC4120] section 5.2.6) which consists of group memberships, additional credential information, profile and policy information, and supporting security metadata. [MS-KILE] also requires that the PAC information be enclosed in an AD-IF-RELEVANT AuthorizationData element, since this information is noncritical authorization data. This clearly indicates to the receiver that this data can be ignored if the receiver does consume the information in the PAC.
Examples of information that can be provided by a DC include:
* Authorization data such as security identifiers (SIDs) ( f2ef15b6-1e9b-48b5-bf0b-019f061d41c8#gt_83f2020d-0804-4840-a5ac-e06439d50f8d ) and relative identifiers (RIDs) ( f2ef15b6-1e9b-48b5-bf0b-019f061d41c8#gt_df3d0b61-56cd-4dac-9402-982f1fedc41c ).
* User profile information such as a home directory or logon script.
* Password credentials, used during smart card authentication, for password based authentication protocols to use at a later time.
* Service for User (S4U) ( f2ef15b6-1e9b-48b5-bf0b-019f061d41c8#gt_083a5403-f654-4db6-b17e-9c10dc5cd420 ) protocol [MS-SFU] ( ../ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94 ) data.
Index ¶
- Variables
- type CypherBlock
- type DomainGroupMembership
- type GroupMembership
- type KerberosSIDAndAttributes
- type KerberosValidationInfo
- type NTLMSupplementalCredential
- type PACAttributesInfo
- type PACClientClaimsInfo
- type PACClientInfo
- type PACCredentialData
- type PACCredentialInfo
- type PACDeviceClaimsInfo
- type PACDeviceInfo
- type PACInfoBuffer
- type PACSignatureData
- type PACType
- type S4UDelegationInfo
- type SecurityPackageSupplementalCred
- type UPNDNSInfo
- type UserSessionKey
Constants ¶
This section is empty.
Variables ¶
var (
// import guard
GoPackage = "pac"
)
Functions ¶
This section is empty.
Types ¶
type CypherBlock ¶
type CypherBlock struct {
Data []byte `idl:"name:data" json:"data"`
}
CypherBlock structure represents CYPHER_BLOCK RPC structure.
func (*CypherBlock) MarshalNDR ¶
func (*CypherBlock) UnmarshalNDR ¶
type DomainGroupMembership ¶
type DomainGroupMembership struct {
// DomainId: A SID structure that contains the SID for the domain. This member is used
// in conjunction with the GroupIds members to create group SIDs for the device.
DomainID *dtyp.SID `idl:"name:DomainId" json:"domain_id"`
// GroupCount: A 32-bit unsigned integer that contains the number of groups within the
// domain to which the account belongs.
GroupCount uint32 `idl:"name:GroupCount" json:"group_count"`
// GroupIds: A pointer to a list of GROUP_MEMBERSHIP structures that contain the groups
// to which the account belongs in the domain. The number of groups in this list MUST
// be equal to GroupCount.
GroupIDs []*GroupMembership `idl:"name:GroupIds;size_is:(GroupCount)" json:"group_ids"`
}
DomainGroupMembership structure represents DOMAIN_GROUP_MEMBERSHIP RPC structure.
The DOMAIN_GROUP_MEMBERSHIP structure identifies a domain and groups to which an account belongs. It is sent within the PAC_DEVICE_INFO (section 2.12) structure.<2>
The DOMAIN_GROUP_MEMBERSHIP structure is defined as follows.
func (*DomainGroupMembership) MarshalNDR ¶
func (*DomainGroupMembership) UnmarshalNDR ¶
type GroupMembership ¶
type GroupMembership struct {
// RelativeId: A 32-bit unsigned integer that contains the RID of a particular group.
RelativeID uint32 `idl:"name:RelativeId" json:"relative_id"`
// Attributes: A 32-bit unsigned integer value that contains the group membership attributes
// set for the RID contained in RelativeId. The possible values for the Attributes flags
// are identical to those specified in KERB_SID_AND_ATTRIBUTES (section 2.2.1).
Attributes uint32 `idl:"name:Attributes" json:"attributes"`
}
GroupMembership structure represents GROUP_MEMBERSHIP RPC structure.
The GROUP_MEMBERSHIP structure identifies a group to which an account belongs. It is sent within the KERB_VALIDATION_INFO (section 2.5) structure.
The GROUP_MEMBERSHIP structure is defined as follows.
func (*GroupMembership) MarshalNDR ¶
func (*GroupMembership) UnmarshalNDR ¶
type KerberosSIDAndAttributes ¶
type KerberosSIDAndAttributes struct {
// Sid: A pointer to an RPC_SID structure ([MS-DTYP] section 2.4.2.3).
SID *dtyp.SID `idl:"name:Sid" json:"sid"`
// Attributes: A set of bit flags that describe attributes of the SID in the Sid field.
//
// Attributes can contain one or more of the following bits.
//
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 |
// | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 0 | E | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | D | C | B | A |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
//
// Where the bits are defined as:
//
// +-------+----------------------------------------------------------------------------------+
// | | |
// | VALUE | DESCRIPTION |
// | | |
// +-------+----------------------------------------------------------------------------------+
// +-------+----------------------------------------------------------------------------------+
// | A | This setting means that the group is mandatory for the user and cannot be |
// | | disabled. Corresponds to SE_GROUP_MANDATORY. For more information, see [SIDATT]. |
// +-------+----------------------------------------------------------------------------------+
// | B | This setting means that the group is marked as enabled by default. Corresponds |
// | | to SE_GROUP_ENABLED_BY_DEFAULT. For more information, see [SIDATT]. |
// +-------+----------------------------------------------------------------------------------+
// | C | This setting means that the group is enabled for use. Corresponds to |
// | | SE_GROUP_ENABLED. For more information, see [SIDATT]. |
// +-------+----------------------------------------------------------------------------------+
// | D | This setting means that the group can be assigned as an owner of a resource. |
// | | Corresponds to SE_GROUP_OWNER. For more information, see [SIDATT]. |
// +-------+----------------------------------------------------------------------------------+
// | E | This setting means that the group is a domain-local or resource group. |
// | | Corresponds to SE_GROUP_RESOURCE. For more information, see [SIDATT]. |
// +-------+----------------------------------------------------------------------------------+
Attributes uint32 `idl:"name:Attributes" json:"attributes"`
}
KerberosSIDAndAttributes structure represents KERB_SID_AND_ATTRIBUTES RPC structure.
The KERB_SID_AND_ATTRIBUTES structure represents a SID and its attributes for use in authentication. It is sent within the KERB_VALIDATION_INFO (section 2.5) structure and used to include additional information about the group that the SID references.
The KERB_SID_AND_ATTRIBUTES structure is defined as follows.
func (*KerberosSIDAndAttributes) MarshalNDR ¶
func (*KerberosSIDAndAttributes) UnmarshalNDR ¶
type KerberosValidationInfo ¶
type KerberosValidationInfo struct {
// LogonTime: A FILETIME structure that contains the user account's lastLogon attribute
// ([MS-ADA1] section 2.351) value.
LogonTime *dtyp.Filetime `idl:"name:LogonTime" json:"logon_time"`
// LogoffTime: A FILETIME structure that contains the time the client's logon session
// is set to expire. If the session is set not to expire, the dwHighDateTime member
// is set to 0x7FFFFFFF and the dwLowDateTime member set to 0xFFFFFFFF. A recipient
// of the PAC SHOULD<11> use this value as an indicator of when to warn the user that
// the allowed time is due to expire.
LogoffTime *dtyp.Filetime `idl:"name:LogoffTime" json:"logoff_time"`
// KickOffTime: A FILETIME structure that contains LogoffTime minus the user account's
// forceLogoff attribute ([MS-ADA1] section 2.233) value. If the client is not to be
// forcibly logged off, the dwHighDateTime member is set to 0x7FFFFFFF and the dwLowDateTime
// member set to 0xFFFFFFFF. The Kerberos service ticket end time is a replacement for
// KickOffTime. The service ticket lifetime SHOULD NOT<12> be set longer than the KickOffTime
// of an account. A recipient of the PAC uses this value as the indicator of when the
// client is to be forcibly disconnected.
KickOffTime *dtyp.Filetime `idl:"name:KickOffTime" json:"kick_off_time"`
// PasswordLastSet: A FILETIME structure that contains the user account's pwdLastSet
// attribute ([MS-ADA3] section 2.175) value. If the password was never set, this structure
// MUST have the dwHighDateTime member set to 0x00000000 and the dwLowDateTime member
// set to 0x00000000.
PasswordLastSet *dtyp.Filetime `idl:"name:PasswordLastSet" json:"password_last_set"`
// PasswordCanChange: A FILETIME structure that contains the time at which the client's
// password is allowed to change. If there is no restriction on when the client can
// change the password, this member MUST be set to zero.
PasswordCanChange *dtyp.Filetime `idl:"name:PasswordCanChange" json:"password_can_change"`
// PasswordMustChange: A FILETIME structure that contains the time at which the client's
// password expires. If the password will not expire, this structure MUST have the dwHighDateTime
// member set to 0x7FFFFFFF and the dwLowDateTime member set to 0xFFFFFFFF.
PasswordMustChange *dtyp.Filetime `idl:"name:PasswordMustChange" json:"password_must_change"`
// EffectiveName: An RPC_UNICODE_STRING structure that contains the user account's samAccountName
// attribute ([MS-ADA3] section 2.222) value.
EffectiveName *dtyp.UnicodeString `idl:"name:EffectiveName" json:"effective_name"`
// FullName: An RPC_UNICODE_STRING structure that contains the user account's full name
// for interactive logon and is set to zero for network logon. If FullName is omitted,
// this member MUST contain an RPC_UNICODE_STRING structure with the Length member set
// to zero.
FullName *dtyp.UnicodeString `idl:"name:FullName" json:"full_name"`
// LogonScript: An RPC_UNICODE_STRING structure that contains the user account's scriptPath
// attribute ([MS-ADA3] section 2.232) value for interactive logon and is set to zero
// for network logon. If no LogonScript is configured for the user, this member MUST
// contain an RPC_UNICODE_STRING structure with the Length member set to zero.
LogonScript *dtyp.UnicodeString `idl:"name:LogonScript" json:"logon_script"`
// ProfilePath: An RPC_UNICODE_STRING structure that contains the user account's profilePath
// attribute ([MS-ADA3] section 2.167) value for interactive logon and is set to zero
// for network logon. If no ProfilePath is configured for the user, this member MUST
// contain an RPC_UNICODE_STRING structure with the Length member set to zero.
ProfilePath *dtyp.UnicodeString `idl:"name:ProfilePath" json:"profile_path"`
// HomeDirectory: An RPC_UNICODE_STRING structure that contains the user account's HomeDirectory
// attribute ([MS-ADA1] section 2.295) value for interactive logon and is set to zero
// for network logon. If no HomeDirectory is configured for the user, this member MUST
// contain an RPC_UNICODE_STRING structure with the Length member set to zero.
HomeDirectory *dtyp.UnicodeString `idl:"name:HomeDirectory" json:"home_directory"`
// HomeDirectoryDrive: An RPC_UNICODE_STRING structure that contains the user account's
// HomeDrive attribute ([MS-ADA1] section 2.296) value for interactive logon and is
// set to zero for network logon. This member MUST be populated if HomeDirectory contains
// a UNC path. If no HomeDirectoryDrive is configured for the user, this member MUST
// contain an RPC_UNICODE_STRING structure with the Length member set to zero.
HomeDirectoryDrive *dtyp.UnicodeString `idl:"name:HomeDirectoryDrive" json:"home_directory_drive"`
// LogonCount: A 16-bit unsigned integer that contains the user account's LogonCount
// attribute ([MS-ADA1] section 2.375) value.
LogonCount uint16 `idl:"name:LogonCount" json:"logon_count"`
// BadPasswordCount: A 16-bit unsigned integer that contains the user account's badPwdCount
// attribute ([MS-ADA1] section 2.83) value for interactive logon and is set to zero
// for network logon.
BadPasswordCount uint16 `idl:"name:BadPasswordCount" json:"bad_password_count"`
// UserId: A 32-bit unsigned integer that contains the RID of the account. If the UserId
// member equals 0x00000000, the first group SID in this member is the SID for this
// account.
UserID uint32 `idl:"name:UserId" json:"user_id"`
// PrimaryGroupId: A 32-bit unsigned integer that contains the RID for the primary group
// to which this account belongs.
PrimaryGroupID uint32 `idl:"name:PrimaryGroupId" json:"primary_group_id"`
// GroupCount: A 32-bit unsigned integer that contains the number of groups within the
// account domain to which the account belongs.
GroupCount uint32 `idl:"name:GroupCount" json:"group_count"`
// GroupIds: A pointer to a list of GROUP_MEMBERSHIP (section 2.2.2) structures that
// contains the groups to which the account belongs in the account domain. The number
// of groups in this list MUST be equal to GroupCount.
GroupIDs []*GroupMembership `idl:"name:GroupIds;size_is:(GroupCount)" json:"group_ids"`
// UserFlags: A 32-bit unsigned integer that contains a set of bit flags that describe
// the user's logon information.
//
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 |
// | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | L | K | J | I | H | G | F | E | D | 0 | C | 0 | B | A |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
//
// The following flags are set only when this structure is created as the result of
// an NTLM authentication, as specified in [MS-NLMP]. These flags MUST be zero for any
// other authentication protocol, such as [MS-KILE] authentication.
//
// +-------+----------------------------------------------------------------------------------+
// | | |
// | VALUE | DESCRIPTION |
// | | |
// +-------+----------------------------------------------------------------------------------+
// +-------+----------------------------------------------------------------------------------+
// | A | Authentication was done via the GUEST account; no password was used. |
// +-------+----------------------------------------------------------------------------------+
// | B | No encryption is available. |
// +-------+----------------------------------------------------------------------------------+
// | C | LAN Manager key was used for authentication. |
// +-------+----------------------------------------------------------------------------------+
// | E | Sub-authentication used; session key came from the sub-authentication package. |
// +-------+----------------------------------------------------------------------------------+
// | F | Indicates that the account is a machine account. |
// +-------+----------------------------------------------------------------------------------+
// | G | Indicates that the domain controller understands NTLMv2. |
// +-------+----------------------------------------------------------------------------------+
// | I | Indicates that ProfilePath is populated. |
// +-------+----------------------------------------------------------------------------------+
// | J | The NTLMv2 response from the NtChallengeResponseFields ([MS-NLMP] section |
// | | 2.2.1.3) was used for authentication and session key generation. |
// +-------+----------------------------------------------------------------------------------+
// | K | The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section 2.2.1.3) |
// | | was used for authentication and session key generation. |
// +-------+----------------------------------------------------------------------------------+
// | L | The LMv2 response from the LmChallengeResponseFields ([MS-NLMP] section |
// | | 2.2.1.3) was used for authentication and the NTLMv2 response from the |
// | | NtChallengeResponseFields ([MS-NLMP] section 2.2.1.3) was used session key |
// | | generation. |
// +-------+----------------------------------------------------------------------------------+
//
// The following flags are valid for [MS-KILE] authentications; settings depend on the
// configuration of the user and groups referenced in the PAC.
//
// +-------+-------------------------------------------------------------------------------+
// | | |
// | VALUE | DESCRIPTION |
// | | |
// +-------+-------------------------------------------------------------------------------+
// +-------+-------------------------------------------------------------------------------+
// | D | Indicates that the ExtraSids field is populated and contains additional SIDs. |
// +-------+-------------------------------------------------------------------------------+
// | H | Indicates that the ResourceGroupIds field is populated. |
// +-------+-------------------------------------------------------------------------------+
UserFlags uint32 `idl:"name:UserFlags" json:"user_flags"`
// UserSessionKey: A session key that is used for cryptographic operations on a session.
// This field is valid only when authentication is performed using NTLM. For any other
// protocol, this field MUST be zero.
UserSessionKey *UserSessionKey `idl:"name:UserSessionKey" json:"user_session_key"`
// LogonServer: An RPC_UNICODE_STRING structure that contains the NetBIOS name of the
// Kerberos KDC that performed the authentication server (AS) ticket request.
LogonServer *dtyp.UnicodeString `idl:"name:LogonServer" json:"logon_server"`
// LogonDomainName: An RPC_UNICODE_STRING structure that contains the NetBIOS name of
// the domain to which this account belongs.
LogonDomainName *dtyp.UnicodeString `idl:"name:LogonDomainName" json:"logon_domain_name"`
// LogonDomainId: An RPC_SID structure ([MS-DTYP] section 2.4.2.3) that contains the
// SID for the domain specified in LogonDomainName. This member is used in conjunction
// with the UserId, PrimaryGroupId, and GroupIds members to create the user and group
// SIDs for the client.
LogonDomainID *dtyp.SID `idl:"name:LogonDomainId" json:"logon_domain_id"`
// UserAccountControl: A 32-bit unsigned integer that contains a set of bit flags that
// represent information about this account. This field carries the UserAccountControl
// information from the corresponding Security Account Manager field, as specified in
// [MS-SAMR].
UserAccountControl uint32 `idl:"name:UserAccountControl" json:"user_account_control"`
// SidCount: A 32-bit unsigned integer that contains the total number of SIDs present
// in the ExtraSids member. If this member is not zero then the D bit MUST be set in
// the UserFlags member.
SIDCount uint32 `idl:"name:SidCount" json:"sid_count"`
// ExtraSids: A pointer to a list of KERB_SID_AND_ATTRIBUTES (section 2.2.1) structures
// that contain a list of SIDs corresponding to groups in domains other than the account
// domain to which the principal belongs. This member is not NULL only if the D bit
// has been set in the UserFlags member. If the UserId member equals 0x00000000, the
// first group SID in this member is the SID for this account.
ExtraSIDs []*KerberosSIDAndAttributes `idl:"name:ExtraSids;size_is:(SidCount)" json:"extra_sids"`
// ResourceGroupDomainSid: An RPC_SID structure that contains the SID of the domain
// for the server whose resources the client is authenticating to. This member is used
// in conjunction with the ResourceGroupIds member to create the group SIDs for the
// user. If this member is populated, then the H bit MUST be set in the UserFlags member.
ResourceGroupDomainSID *dtyp.SID `idl:"name:ResourceGroupDomainSid" json:"resource_group_domain_sid"`
// ResourceGroupCount: A 32-bit unsigned integer that contains the number of resource
// group identifiers stored in ResourceGroupIds. If this member is not zero, then the
// H bit MUST be set in the UserFlags member.
ResourceGroupCount uint32 `idl:"name:ResourceGroupCount" json:"resource_group_count"`
// ResourceGroupIds: A pointer to a list of GROUP_MEMBERSHIP structures that contain
// the RIDs and attributes of the account's groups in the resource domain. If this member
// is not NULL, then the H bit MUST be set in the UserFlags member.
ResourceGroupIDs []*GroupMembership `idl:"name:ResourceGroupIds;size_is:(ResourceGroupCount)" json:"resource_group_ids"`
// contains filtered or unexported fields
}
KerberosValidationInfo structure represents KERB_VALIDATION_INFO RPC structure.
The KERB_VALIDATION_INFO structure defines the user's logon and authorization information provided by the DC. A pointer to the KERB_VALIDATION_INFO structure is serialized into an array of bytes and then placed after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure (section 2.4) in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER structure is set to 0x00000001.
The KERB_VALIDATION_INFO structure is a subset of the NETLOGON_VALIDATION_SAM_INFO4 structure ([MS-NRPC] section 2.2.1.4.13). It is a subset due to historical reasons and to the use of Active Directory to generate this information. NTLM uses the NETLOGON_VALIDATION_SAM_INFO4 structure in the context of the server to domain controller exchange, as defined in [MS-APDS] section 3.1. Consequently, the KERB_VALIDATION_INFO structure includes NTLM-specific fields. Fields that are common to the KERB_VALIDATION_INFO and the NETLOGON_VALIDATION_SAM_INFO4 structures, and which are specific to the NTLM authentication operation, are not used with [MS-KILE] authentication. The KERB_VALIDATION_INFO structure is marshaled by RPC [MS-RPCE].
The KERB_VALIDATION_INFO structure is defined as follows.
func (*KerberosValidationInfo) MarshalNDR ¶
func (*KerberosValidationInfo) UnmarshalNDR ¶
type NTLMSupplementalCredential ¶
type NTLMSupplementalCredential struct {
// Version: A 32-bit unsigned integer that defines the credential version. This field
// MUST be 0x00000000.
Version uint32 `idl:"name:Version" json:"version"`
// Flags: A 32-bit unsigned integer containing flags that define the credential options.
// Flags MUST contain at least one of the following values.
//
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 |
// | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N | L |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
//
// Where the bits are defined as:
//
// +-------+--------------------------------------------------------+
// | | |
// | VALUE | DESCRIPTION |
// | | |
// +-------+--------------------------------------------------------+
// +-------+--------------------------------------------------------+
// | L | Indicates that the LM OWF member is present and valid. |
// +-------+--------------------------------------------------------+
// | N | Indicates that the NT OWF member is present and valid. |
// +-------+--------------------------------------------------------+
Flags uint32 `idl:"name:Flags" json:"flags"`
// LmPassword: A 16-element array of unsigned 8-bit integers that define the LM OWF.
// The LmPassword member MUST be ignored if the L flag is not set in the Flags member.
LMPassword []byte `idl:"name:LmPassword" json:"lm_password"`
// NtPassword: A 16-element array of unsigned 8-bit integers that define the NT OWF.
// The NtPassword member MUST be ignored if the N flag is not set in the Flags member.
NTPassword []byte `idl:"name:NtPassword" json:"nt_password"`
}
NTLMSupplementalCredential structure represents NTLM_SUPPLEMENTAL_CREDENTIAL RPC structure.
The NTLM_SUPPLEMENTAL_CREDENTIAL structure is used to encode the credentials that the NTLM security protocol uses, specifically the LAN Manager hash (LM OWF) and the NT hash (NT OWF). Generating the hashes encoded in this structure is not addressed in the PAC structure specification. Details on how the hashes are created are as specified in [MS-NLMP]. The PAC buffer type is included only when PKINIT [MS-PKCA] is used to authenticate the user. The NTLM_SUPPLEMENTAL_CREDENTIAL structure is marshaled by RPC [MS-RPCE].
The NTLM_SUPPLEMENTAL_CREDENTIAL structure is defined as follows.
func (*NTLMSupplementalCredential) MarshalNDR ¶
func (*NTLMSupplementalCredential) UnmarshalNDR ¶
type PACAttributesInfo ¶
type PACAttributesInfo struct {
FlagsLength uint32 `idl:"name:FlagsLength" json:"flags_length"`
Flags uint32 `idl:"name:Flags" json:"flags"`
}
PACAttributesInfo structure represents PAC_ATTRIBUTES_INFO RPC structure.
func (*PACAttributesInfo) MarshalNDR ¶
func (*PACAttributesInfo) UnmarshalNDR ¶
type PACClientClaimsInfo ¶
type PACClientClaimsInfo struct {
// Claims (variable): A variable-length CLAIMS_SET_METADATA structure ([MS-ADTS] section
// 2.2.18.8) that contains claims.
Claims *claims.ClaimsSetMetadata `idl:"name:Claims" json:"claims"`
}
PACClientClaimsInfo structure represents PAC_CLIENT_CLAIMS_INFO RPC structure.
The PAC_CLIENT_CLAIMS_ INFO structure is a variable length buffer of the PAC that SHOULD<24> contain the client's marshaled claims blob. The PAC_CLIENT_CLAIMS_ INFO structure is placed directly after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure (section 2.4) in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set to 0x0000000D.
The PAC_CLIENT_CLAIMS_ INFO structure is defined as follows.
The format of the PAC_CLIENT_CLAIMS_ INFO structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Claims (variable) | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*PACClientClaimsInfo) MarshalNDR ¶
func (*PACClientClaimsInfo) UnmarshalNDR ¶
type PACClientInfo ¶
type PACClientInfo struct {
// ClientId (8 bytes): A FILETIME structure in little-endian format that contains the
// Kerberos initial ticket-granting ticket (TGT) authentication time, as specified in
// [RFC4120] section 5.3.
ClientID *dtyp.Filetime `idl:"name:ClientId" json:"client_id"`
// NameLength (2 bytes): An unsigned 16-bit integer in little-endian format that specifies
// the length, in bytes, of the Name field.
NameLength uint16 `idl:"name:NameLength" json:"name_length"`
// Name (variable): An array of 16-bit Unicode characters in little-endian format that
// contains the client's account name.
Name string `idl:"name:Name;size_is:(NameLength)" json:"name"`
}
PACClientInfo structure represents PAC_CLIENT_INFO RPC structure.
The PAC_CLIENT_INFO structure is a variable length buffer of the PAC that contains the client's name and authentication time. It is used to verify that the PAC corresponds to the client of the ticket. The PAC_CLIENT_INFO structure is placed directly after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure (section 2.4) in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set to 0x0000000A.
The PAC_CLIENT_INFO structure is defined as follows.
The format of the PAC_CLIENT_INFO structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ClientId | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | NameLength | Name (variable) | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*PACClientInfo) MarshalNDR ¶
func (*PACClientInfo) UnmarshalNDR ¶
type PACCredentialData ¶
type PACCredentialData struct {
// CredentialCount: A 32-bit unsigned integer that defines the number of elements in
// the Credentials member.
CredentialCount uint32 `idl:"name:CredentialCount" json:"credential_count"`
// Credentials: An array of SECPKG_SUPPLEMENTAL_CRED (section 2.6.3) structures that
// define the supplemental credentials.
Credentials []*SecurityPackageSupplementalCred `idl:"name:Credentials;size_is:(CredentialCount)" json:"credentials"`
}
PACCredentialData structure represents PAC_CREDENTIAL_DATA RPC structure.
The PAC_CREDENTIAL_DATA structure defines an array of security package-specific credentials that are provided to the Kerberos client. The PAC_CREDENTIAL_DATA structure is marshaled by RPC [MS-RPCE].
The PAC_CREDENTIAL_DATA structure is defined as follows.
func (*PACCredentialData) MarshalNDR ¶
func (*PACCredentialData) NDRSizeInfo ¶
func (o *PACCredentialData) NDRSizeInfo() []uint64
func (*PACCredentialData) UnmarshalNDR ¶
type PACCredentialInfo ¶
type PACCredentialInfo struct {
// Version (4 bytes): A 32-bit unsigned integer in little-endian format that defines
// the version. MUST be 0x00000000.
Version uint32 `idl:"name:Version" json:"version"`
// EncryptionType (4 bytes): A 32-bit unsigned integer in little-endian format that
// indicates the Kerberos encryption type used to encode the SerializedData array. This
// value MUST be one of the following encryption types, which are a subset of the possible
// encryption types supported in Kerberos authentication (as specified in [RFC4120],
// [RFC4757], and [RFC4556]). Note that the Key Usage Number ([RFC4120] sections 4 and
// 7.5.1) is KERB_NON_KERB_SALT [16] [MS-KILE] section 3.1.5.9.<14>
//
// +------------+----------------------------------------------------------------------------------+
// | | |
// | VALUE | MEANING |
// | | |
// +------------+----------------------------------------------------------------------------------+
// +------------+----------------------------------------------------------------------------------+
// | 0x00000001 | Data Encryption Standard (DES) in cipher block chaining (CBC) mode with cyclic |
// | | redundancy check (CRC). |
// +------------+----------------------------------------------------------------------------------+
// | 0x00000003 | DES in CBC mode with MD5. |
// +------------+----------------------------------------------------------------------------------+
// | 0x00000011 | AES128_CTS_HMAC_SHA1_96 (128-bit encryption key in clear to send (CTS) |
// | | encryption mode with integrity check algorithm HMAC_SHA1_96).<15> |
// +------------+----------------------------------------------------------------------------------+
// | 0x00000012 | AES256_CTS_HMAC_SHA1_96 (256-bit encryption key in CTS encryption mode with |
// | | integrity check algorithm HMAC_SHA1_96).<16> |
// +------------+----------------------------------------------------------------------------------+
// | 0x00000017 | RC4 with hashed message authentication code (HMAC) key. |
// +------------+----------------------------------------------------------------------------------+
EncryptionType uint32 `idl:"name:EncryptionType" json:"encryption_type"`
// SerializedData (variable): A variable length PAC_CREDENTIAL_DATA structure that contains
// credentials encrypted using the mechanism specified by the EncryptionType field.
// The byte array of encrypted data is computed according to the procedures specified
// in [RFC3961].
SerializedData uint8 `idl:"name:SerializedData" json:"serialized_data"`
}
PACCredentialInfo structure represents PAC_CREDENTIAL_INFO RPC structure.
The PAC_CREDENTIAL_INFO structure serves as the header for the credential information. The PAC_CREDENTIAL_INFO header indicates the encryption algorithm that was used to encrypt the data that follows it. The data that follows is an encrypted, IDL-serialized PAC_CREDENTIAL_DATA structure that contains the user's actual credentials. Note that this structure cannot be used by protocols other than the [MS-KILE] protocol; the encryption method relies on the encryption key currently in use by the Kerberos AS-REQ ([RFC4120] section 3.1 and [MS-KILE]) message.<13>
A PAC_CREDENTIAL_INFO structure contains the user's encrypted credentials. The Key Usage Number [RFC4120] used in the encryption is KERB_NON_KERB_SALT [16] [MS-KILE] section 3.1.5.9. The encryption key used is the AS reply key. The PAC credentials buffer is included only when PKINIT [RFC4556] is used. Therefore, the AS reply key is derived based on PKINIT.
The PAC_CREDENTIAL_INFO structure is defined as follows.
The format of the PAC_CREDENTIAL_INFO structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Version | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | EncryptionType | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | SerializedData (variable) | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*PACCredentialInfo) MarshalNDR ¶
func (*PACCredentialInfo) UnmarshalNDR ¶
type PACDeviceClaimsInfo ¶
type PACDeviceClaimsInfo struct {
// Claims (variable): A variable-length CLAIMS_SET_METADATA structure ([MS-ADTS] section
// 2.2.18.8) that contains claims.
Claims *claims.ClaimsSetMetadata `idl:"name:Claims" json:"claims"`
}
PACDeviceClaimsInfo structure represents PAC_DEVICE_CLAIMS_INFO RPC structure.
The PAC_DEVICE_CLAIMS_ INFO structure is a variable length buffer of the PAC that SHOULD<26> contain the client's marshaled claims blob. The PAC_DEVICE_CLAIMS_ INFO structure is placed directly after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure (section 2.4) in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set to 0x0000000F.
The PAC_DEVICE_CLAIMS_INFO structure is defined as follows.
The format of the PAC_DEVICE_CLAIMS_ INFO structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Claims (variable) | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*PACDeviceClaimsInfo) MarshalNDR ¶
func (*PACDeviceClaimsInfo) UnmarshalNDR ¶
type PACDeviceInfo ¶
type PACDeviceInfo struct {
// UserId: A 32-bit unsigned integer that contains the RID of the account. If the UserId
// member equals 0x00000000, the first group SID in this member is the SID for this
// account.
UserID uint32 `idl:"name:UserId" json:"user_id"`
// PrimaryGroupId: A 32-bit unsigned integer that contains the RID for the primary group
// to which this account belongs.
PrimaryGroupID uint32 `idl:"name:PrimaryGroupId" json:"primary_group_id"`
// AccountDomainId: A SID structure that contains the SID for the domain of the account.
// This member is used in conjunction with the UserId, and GroupIds members to create
// the user and group SIDs for the client.
AccountDomainID *dtyp.SID `idl:"name:AccountDomainId" json:"account_domain_id"`
// AccountGroupCount: A 32-bit unsigned integer that contains the number of groups within
// the account domain to which the account belongs.
AccountGroupCount uint32 `idl:"name:AccountGroupCount" json:"account_group_count"`
// AccountGroupIds: A pointer to a list of GROUP_MEMBERSHIP (section 2.2.2) structures
// that contains the groups to which the account belongs in the account domain. The
// number of groups in this list MUST be equal to GroupCount.
AccountGroupIDs []*GroupMembership `idl:"name:AccountGroupIds;size_is:(AccountGroupCount)" json:"account_group_ids"`
// SidCount: A 32-bit unsigned integer that contains the total number of SIDs present
// in the ExtraSids member.
SIDCount uint32 `idl:"name:SidCount" json:"sid_count"`
// ExtraSids: A pointer to a list of KERB_SID_AND_ATTRIBUTES structures (section 2.2.1)
// that contain a list of SIDs corresponding to groups not in domains. If the UserId
// member equals 0x00000000, the first group SID in this member is the SID for this
// account.
ExtraSIDs []*KerberosSIDAndAttributes `idl:"name:ExtraSids;size_is:(SidCount)" json:"extra_sids"`
// DomainGroupCount: A 32-bit unsigned integer that contains the number of domains with
// groups to which the account belongs.
DomainGroupCount uint32 `idl:"name:DomainGroupCount" json:"domain_group_count"`
// DomainGroup: A pointer to a list of DOMAIN_GROUP_MEMBERSHIP structures (section 2.2.3)
// that contains the domains to which the account belongs to a group. The number of
// sets in this list MUST be equal to DomainCount.
DomainGroup []*DomainGroupMembership `idl:"name:DomainGroup;size_is:(DomainGroupCount)" json:"domain_group"`
}
PACDeviceInfo structure represents PAC_DEVICE_INFO RPC structure.
The PAC_DEVICE_INFO structure is a variable length buffer of the PAC that SHOULD<25> contain the device's logon and authorization information provided by the DC. A pointer to the PAC_DEVICE_INFO structure is serialized into an array of bytes and placed directly after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure (section 2.4) in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set to 0x0000000E.
The PAC_DEVICE_INFO structure is defined as follows.
func (*PACDeviceInfo) MarshalNDR ¶
func (*PACDeviceInfo) UnmarshalNDR ¶
type PACInfoBuffer ¶
type PACInfoBuffer struct {
// ulType (4 bytes): A 32-bit unsigned integer in little-endian format that describes
// the type of data present in the buffer contained at Offset. Types that are not understood
// MUST be ignored.
//
// +-----------------+----------------------------------------------------------------------------------+
// | | |
// | VALUE | MEANING |
// | | |
// +-----------------+----------------------------------------------------------------------------------+
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000001 (1) | Logon information (section 2.5). PAC structures MUST contain one buffer of this |
// | | type. Additional logon information buffers MUST be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000002 (2) | Credentials information (section 2.6). PAC structures SHOULD NOT contain more |
// | | than one buffer of this type, based on constraints specified in section 2.6. |
// | | Second or subsequent credentials information buffers MUST be ignored on receipt. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000006 (6) | Server checksum (section 2.8). PAC structures MUST contain one buffer of this |
// | | type for Kerberos ticket-granting service (TGS) requests or Kerberos application |
// | | protocol (AP) requests, and none otherwise. Additional logon server checksum |
// | | buffers MUST be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000007 (7) | KDC (privilege server) checksum (section 2.8). PAC structures MUST contain |
// | | one buffer of this type for Kerberos ticket-granting service (TGS) requests or |
// | | Kerberos application protocol (AP) requests, and none otherwise. Additional KDC |
// | | checksum buffers MUST be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x0000000A (10) | Client name and ticket information (section 2.7). PAC structures MUST contain |
// | | one buffer of this type. Additional client and ticket information buffers MUST |
// | | be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x0000000B (11) | Constrained delegation information (section 2.9). PAC structures MUST contain |
// | | one buffer of this type for Service for User to Proxy (S4U2proxy) [MS-SFU] |
// | | requests and none otherwise. Additional constrained delegation information |
// | | buffers MUST be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x0000000C (12) | User principal name (UPN) and Domain Name System (DNS) information (section |
// | | 2.10). PAC structures SHOULD NOT<3> contain more than one buffer of this type. |
// | | Second or subsequent UPN and DNS information buffers MUST be ignored on receipt. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x0000000D (13) | Client claims information (section 2.11). PAC structures SHOULD NOT<4> contain |
// | | more than one buffer of this type. Additional client claims information buffers |
// | | MUST be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x0000000E (14) | Device information (section 2.12). PAC structures SHOULD NOT<5> contain more |
// | | than one buffer of this type. Additional device information buffers MUST be |
// | | ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x0000000F (15) | Device claims information (section 2.13). PAC structures SHOULD NOT<6> contain |
// | | more than one buffer of this type. Additional device claims information buffers |
// | | MUST be ignored. |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000010 (16) | Ticket checksum (section 2.8). PAC structures MUST contain one buffer of this |
// | | type for Kerberos ticket-granting service (TGS) requests, and none otherwise. |
// | | Additional ticket checksum buffers MUST be ignored.<7> |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000011 (17) | PAC Attributes indicates that the buffer contains attribute bits for the PAC |
// | | (section 2.14). PAC structures SHOULD NOT contain more than one buffer of this |
// | | type. Additional attribute buffers MUST be ignored.<8> |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000012 (18) | PAC Requestor indicates that the buffer contains the SID of principal that |
// | | requested the PAC (section 2.15). PAC structures MUST contain one buffer of this |
// | | type.<9> |
// +-----------------+----------------------------------------------------------------------------------+
// | 0x00000013 (19) | Extended KDC (privilege server) checksum (section 2.8). PAC structures MUST |
// | | contain one buffer of this type for Kerberos ticket-granting service (TGS) |
// | | requests, and none otherwise. Additional Extended KDC checksum buffers MUST be |
// | | ignored.<10> |
// +-----------------+----------------------------------------------------------------------------------+
Type uint32 `idl:"name:ulType" json:"type"`
// cbBufferSize (4 bytes): A 32-bit unsigned integer in little-endian format that contains
// the size, in bytes, of the buffer in the PAC located at Offset.
BufferLength uint32 `idl:"name:cbBufferSize" json:"buffer_length"`
// Offset (8 bytes): A 64-bit unsigned integer in little-endian format that contains
// the offset to the beginning of the buffer, in bytes, from the beginning of the PACTYPE
// structure (section 2.3). The data offset MUST be a multiple of eight. The following
// sections specify the format of each type of element.
Offset uint64 `idl:"name:Offset" json:"offset"`
}
PACInfoBuffer structure represents PAC_INFO_BUFFER RPC structure.
Following the PACTYPE (section 2.3) structure is an array of PAC_INFO_BUFFER structures each of which defines the type and byte offset to a buffer of the PAC. The PAC_INFO_BUFFER array has no defined ordering. Therefore, the order of the PAC_INFO_BUFFER buffers has no significance. However, once the Key Distribution Center (KDC) and server signatures are generated, the ordering of the buffers MUST NOT change, or signature verification of the PAC contents will fail.
The PAC_INFO_BUFFER structure is defined as follows.
The format of the PAC_INFO_BUFFER structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ulType | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | cbBufferSize | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Offset | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*PACInfoBuffer) MarshalNDR ¶
func (*PACInfoBuffer) UnmarshalNDR ¶
type PACSignatureData ¶
type PACSignatureData struct {
// SignatureType (4 bytes): A 32-bit unsigned integer value in little-endian format
// that defines the cryptographic system used to calculate the checksum. This MUST be
// one of the values defined in the following table. The corresponding sizes of the
// signatures are also given. The key used with the cryptographic system corresponds
// to the value of the ulType field of the outer PAC_INFO_BUFFER (section 2.4) structure.
// The value 0x00000006 specifies the server's key, and the value 0x00000007 specifies
// the KDC's key.
//
// +-----------------------------------+----------------------------------------------------------------------------------+
// | | |
// | VALUE | MEANING |
// | | |
// +-----------------------------------+----------------------------------------------------------------------------------+
// +-----------------------------------+----------------------------------------------------------------------------------+
// | KERB_CHECKSUM_HMAC_MD5 0xFFFFFF76 | As specified in [RFC4120] and [RFC4757] section 4. Signature size is 16 bytes. |
// | | Decimal value is -138. |
// +-----------------------------------+----------------------------------------------------------------------------------+
// | HMAC_SHA1_96_AES128 0x0000000F | As specified in [RFC3962] section 7. Signature size is 12 bytes. Decimal value |
// | | is 15. |
// +-----------------------------------+----------------------------------------------------------------------------------+
// | HMAC_SHA1_96_AES256 0x00000010 | As specified in [RFC3962] section 7. Signature size is 12 bytes. Decimal value |
// | | is 16. |
// +-----------------------------------+----------------------------------------------------------------------------------+
SignatureType uint32 `idl:"name:SignatureType" json:"signature_type"`
// Signature (variable): An array of 8-bit unsigned characters that contains the checksum.
// The KERB_CHECKSUM_HMAC_MD5 checksum (defined in the preceding table) is 16 bytes
// in length. The size of the signature is determined by the value of the SignatureType
// field, as indicated in the preceding table.
Signature uint8 `idl:"name:Signature" json:"signature"`
}
PACSignatureData structure represents PAC_SIGNATURE_DATA RPC structure.
Two PAC_SIGNATURE_DATA structures are appended to the PAC which stores the server and KDC signatures. These structures are placed after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offsets specified in the Offset fields in each of the corresponding PAC_INFO_BUFFER structures (section 2.4) in the Buffers array. The ulType field of the PAC_INFO_BUFFER corresponding to the server signature contains the value 0x00000006 and the ulType field of the PAC_INFO_BUFFER corresponding to the KDC signature contains the value 0x00000007. PAC signatures can be generated only when the PAC is used by the [MS-KILE] protocol because the keys used to create and verify the signatures are the keys known to the KDC. No other protocol can use these PAC signatures.
The PAC_SIGNATURE_DATA structure is defined as follows.
The format of the PAC_SIGNATURE_DATA structures is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | SignatureType | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Signature (variable) | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | RODCIdentifier | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*PACSignatureData) MarshalNDR ¶
func (*PACSignatureData) UnmarshalNDR ¶
type PACType ¶
type PACType struct {
// cBuffers (4 bytes): A 32-bit unsigned integer in little-endian format that defines
// the number of entries in the Buffers array.
BuffersCount uint32 `idl:"name:cBuffers" json:"buffers_count"`
// Version (4 bytes): A 32-bit unsigned integer in little-endian format that defines
// the PAC version; MUST be 0x00000000.
Version uint32 `idl:"name:Version" json:"version"`
// Buffers (variable): An array of PAC_INFO_BUFFER structures (section 2.4).
//
// The actual contents of the PAC are placed serially after the variable set of PAC_INFO_BUFFER
// structures. The contents are individually serialized PAC elements. All PAC elements
// MUST be placed on an 8-byte boundary.
Buffers []*PACInfoBuffer `idl:"name:Buffers" json:"buffers"`
}
PACType structure represents PACTYPE RPC structure.
The PACTYPE structure is the topmost structure of the PAC and specifies the number of elements in the PAC_INFO_BUFFER (section 2.4) array. The PACTYPE structure serves as the header for the complete PAC data.
The PACTYPE structure is defined as follows.
The format of the PACTYPE structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | cBuffers | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Version | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Buffers (variable) | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | ... | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
type S4UDelegationInfo ¶
type S4UDelegationInfo struct {
// S4U2proxyTarget: An RPC_UNICODE_STRING structure that MUST contain the name of the
// principal to whom the application can forward the ticket.
S4u2proxyTarget *dtyp.UnicodeString `idl:"name:S4U2proxyTarget" json:"s4u2proxy_target"`
// TransitedListSize: MUST be the number of elements in the S4UTransitedServices array.
TransitedListSize uint32 `idl:"name:TransitedListSize" json:"transited_list_size"`
// S4UTransitedServices: MUST contain the list of all services that have been delegated
// through by this client and subsequent services or servers.
S4UTransitedServices []*dtyp.UnicodeString `idl:"name:S4UTransitedServices;size_is:(TransitedListSize)" json:"s4u_transited_services"`
}
S4UDelegationInfo structure represents S4U_DELEGATION_INFO RPC structure.
The S4U_DELEGATION_INFO structure is used for constrained delegation information.<22> It lists the services that have been delegated through this Kerberos client and subsequent services or servers. The list is used only in a Service for User to Proxy (S4U2proxy) [MS-SFU] request. This feature could be used multiple times in succession from service to service, which is useful for auditing purposes. The S4U_DELEGATION_INFO structure is marshaled by RPC [MS-RPCE].
The S4U_DELEGATION_INFO structure is defined as follows.
func (*S4UDelegationInfo) MarshalNDR ¶
func (*S4UDelegationInfo) UnmarshalNDR ¶
type SecurityPackageSupplementalCred ¶
type SecurityPackageSupplementalCred struct {
// PackageName: A RPC_UNICODE_STRING structure that MUST store the name of the security
// protocol for which the supplemental credentials are being presented.<17>
PackageName *dtyp.UnicodeString `idl:"name:PackageName" json:"package_name"`
// CredentialSize: A 32-bit unsigned integer that MUST specify the length, in bytes,
// of the data in the Credentials member.
CredentialSize uint32 `idl:"name:CredentialSize" json:"credential_size"`
// Credentials: A pointer that MUST reference the serialized credentials being presented
// to the security protocol named in PackageName.
Credentials []byte `idl:"name:Credentials;size_is:(CredentialSize)" json:"credentials"`
}
SecurityPackageSupplementalCred structure represents SECPKG_SUPPLEMENTAL_CRED RPC structure.
The SECPKG_SUPPLEMENTAL_CRED structure defines the name of the security package that requires supplemental credentials and the credential buffer for that package. The SECPKG_SUPPLEMENTAL_CRED structure is marshaled by RPC [MS-RPCE].
The SECPKG_SUPPLEMENTAL_CRED structure is defined as follows.
func (*SecurityPackageSupplementalCred) MarshalNDR ¶
func (*SecurityPackageSupplementalCred) UnmarshalNDR ¶
type UPNDNSInfo ¶
type UPNDNSInfo struct {
// UpnLength (2 bytes): An unsigned 16-bit integer in little-endian format that specifies
// the length, in bytes, of the UPN information. The location of the UPN information
// is described later in this section.
UPNLength uint16 `idl:"name:UpnLength" json:"upn_length"`
// UpnOffset (2 bytes): An unsigned 16-bit integer in little-endian format that contains
// the offset to the beginning of the UPN information, in bytes, from the beginning
// of the UPN_DNS_INFO structure (section 2.10).
UPNOffset uint16 `idl:"name:UpnOffset" json:"upn_offset"`
// DnsDomainNameLength (2 bytes): An unsigned 16-bit integer in little-endian format
// that specifies the length, in bytes, of the DNS information. The location of the
// DNS information is described later in this section.
DNSDomainNameLength uint16 `idl:"name:DnsDomainNameLength" json:"dns_domain_name_length"`
// DnsDomainNameOffset (2 bytes): An unsigned 16-bit integer in little-endian format
// that contains the offset to the beginning of the DNS information, in bytes, from
// the beginning of the UPN_DNS_INFO structure.
DNSDomainNameOffset uint16 `idl:"name:DnsDomainNameOffset" json:"dns_domain_name_offset"`
// Flags (4 bytes): A set of bit flags in little-endian format. A flag is TRUE (or set)
// if its value is equal to 1. The value is constructed from zero or more bit flags
// from the following table:
//
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 |
// | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
// | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | S | U |
// +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
//
// Where the bits are defined as:
//
// +-------+----------------------------------------------------------------------------------+
// | | |
// | VALUE | DESCRIPTION |
// | | |
// +-------+----------------------------------------------------------------------------------+
// +-------+----------------------------------------------------------------------------------+
// | U | The user account object does not have the userPrincipalName attribute ([MS-ADA3] |
// | | section 2.349) set. A UPN constructed by concatenating the user name with the |
// | | DNS domain name of the account domain is provided. |
// +-------+----------------------------------------------------------------------------------+
// | S | The UPN_DNS_INFO structure has been extended with the user account’s SAM Name |
// | | and SID. |
// +-------+----------------------------------------------------------------------------------+
Flags uint32 `idl:"name:Flags" json:"flags"`
}
UPNDNSInfo structure represents UPN_DNS_INFO RPC structure.
The UPN_DNS_INFO structure contains the client's UPN, fully qualified domain name (FQDN), SAM name (optional), and SID (optional). It is used to provide the UPN, FQDN, SAM name, and SID that corresponds to the client of the ticket. The UPN_DNS_INFO structure is placed directly after the Buffers array of the topmost PACTYPE structure (section 2.3), at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure (section 2.4) in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set to 0x0000000C.<23>
The UPN_DNS_INFO structure is defined as follows.
The format of the UPN_DNS_INFO structure is defined as follows.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 2 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 3 | 1 | | | | | | | | | | | | 0 | | | | | | | | | | 0 | | | | | | | | | | 0 | | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | UpnLength | UpnOffset | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | DnsDomainNameLength | DnsDomainNameOffset | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | Flags | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | SamNameLength | SamNameOffset | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | SidLength | SidOffset | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
func (*UPNDNSInfo) MarshalNDR ¶
func (*UPNDNSInfo) UnmarshalNDR ¶
type UserSessionKey ¶
type UserSessionKey struct {
Data []*CypherBlock `idl:"name:data" json:"data"`
}
UserSessionKey structure represents USER_SESSION_KEY RPC structure.
Source Files