
Version 1.1 Privilege Server Manager Interface (rpriv_v1_1) Operations

The rpriv_get_eptgt( ) operation constructs and returns an extended privilege certificate to the ticket-granting service. The caller supplies the extended privilege attributes in the form of an encoded Extended Privilege Attribute Certificate (EPAC). The procedure by which the requested privilege attributes are verified depends on how the call is authenticated and whether the request is local (that is, a request from a client in this Privilege Server's cell) or intercell (that is, from a foreign privilege service).

If the request is local, then the ticket to the Privilege Server is based on a Kerberos V5 TGT and the requested_privs consists of a single encoded EPAC. The Privilege Server decodes the requested_privs and verifies that the requested privileges are valid by performing the necessary database queries.

If the request is foreign, then the ticket to the privilege service is based on a DCE EPTGT and the Privilege Server retrieves the EPAC seal from the DCE authorization data contained in the ticket, and uses it to verify that the requested privileges are valid.

Event Type (Event Classes)
PRIV_GetEptgt (0x136, dce_sec_control, dce_sec_authent)

Event-Specific Information
char * request_location /* LOCAL or INTERCELL */
if LOCAL request:
uuid req_princ_id->uuid; /* requested local principal uuid */
uuid req_group_id->uuid; /* requested local primary group uuid */
unsigned short int num_groups /* number of valid local groups */
uuid = groups[num_groups].uuid /* valid local groups uuids */
if INTERCELL request:
unsigned short int num_epacs /* number of epacs in delegation chain */
uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */
uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */
uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */
uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
/* uuids for groups in privilege attribute */

The rpriv_become_delegate( ) operation permits an intermediate server to become a delegate for its caller. The caller supplies extended privilege attributes in the form of an encoded Extended Privilege Attribute Certificate (EPAC). The Privilege Server verifies that the delegation token for this EPAC chain is correct and then creates a new chain from the existing one with the intermediary's EPAC as a new delegate.

Event Type (Event Classes)
PRIV_BecomeDelegate (0x138, dce_sec_control, dce_sec_authent)

Event-Specific Information
uuid req_princ_id->uuid; /* requested local principal uuid */
uuid req_group_id->uuid; /* requested local primary group uuid */
unsigned short int num_groups /* number of valid local groups */
uuid = groups[num_groups].uuid /* valid local groups uuids */
unsigned short int num_epacs /* number of epacs in delegation chain */
uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */
uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */
uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */
uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
/* uuids for groups in privilege attribute */

The rpriv_become_impersonator( ) operation permits an intermediate server to become an impersonator for its caller. The caller supplies extended privilege attributes in the form of an encoded Extended Privilege Attribute Certificate (EPAC). The Privilege Server verifies that the delegation token for the initiator's EPAC is correct and also that the intermediary is allowed to impersonate the initiator.

Event Type (Event Classes)
PRIV_BecomeImpersonator (0x139, dce_sec_control, dce_sec_authent)

Event-Specific Information
uuid req_princ_id->uuid; /* requested local principal uuid */
uuid req_group_id->uuid; /* requested local primary group uuid */
unsigned short int num_groups /* number of valid local groups */
uuid = groups[num_groups].uuid /* valid local groups uuids */
unsigned short int num_epacs /* number of epacs in delegation chain */
uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */
uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */
uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */
uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
/* uuids for groups in privilege attribute */
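The following is an added illustration, not code from the DCE documentation or from any DCE implementation. It models the three verification paths described above (local rpriv_get_eptgt( ), intercell rpriv_get_eptgt( ), rpriv_become_delegate( ) and rpriv_become_impersonator( )) and shows why the event-specific fields differ: a local request yields req_princ_id, req_group_id and the filtered list of valid local groups, while the intercell and delegation paths record the whole EPAC chain. The EPAC layout, the HMAC used as "seal" and "delegation token", the in-memory registry and the impersonation allow-list are all constructed assumptions for the example.

```python
# Added example (not from the DCE documentation): a toy model of the rpriv_v1_1
# verification paths and the event-specific audit fields each one records.
# Everything here is constructed: the EPAC layout, the HMAC "seal"/"delegation token",
# the in-memory registry and the impersonation allow-list are assumptions.
import hashlib
import hmac
import json
import uuid
from dataclasses import dataclass

PRIV_GETEPTGT, PRIV_BECOMEDELEGATE, PRIV_BECOMEIMPERSONATOR = 0x136, 0x138, 0x139

SERVER_KEY = b"constructed-privilege-server-key"   # stands in for the server's long-term key


def uid(name: str) -> str:
    """Deterministic constructed uuid for a named principal, group or realm."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name))


@dataclass(frozen=True)
class Epac:
    realm: str          # privilege attribute realm uuid
    principal: str      # privilege attribute principal uuid
    groups: tuple       # group uuids; groups[0] is treated as the primary group


def encode_chain(chain) -> bytes:
    return json.dumps([e.__dict__ for e in chain], sort_keys=True).encode()


def seal(chain) -> str:
    """Toy EPAC seal / delegation token: an HMAC only the Privilege Server can compute."""
    return hmac.new(SERVER_KEY, encode_chain(chain), hashlib.sha256).hexdigest()


LOCAL_REALM = uid("cell.example")
# constructed registry: principal uuid -> groups the registry actually lists for it
REGISTRY = {
    uid("alice"): {uid("staff"), uid("dev")},
    uid("fileserver"): {uid("servers")},
}
# constructed allow-list: initiator principal -> intermediaries permitted to impersonate it
IMPERSONATION_ALLOWED = {uid("alice"): {uid("fileserver")}}


class PrivError(Exception):
    pass


def get_eptgt_local(requested: Epac):
    """LOCAL request: trust comes from registry queries, not from any seal."""
    if requested.realm != LOCAL_REALM:
        raise PrivError("local request carries a foreign realm")
    known = REGISTRY.get(requested.principal)
    if known is None:
        raise PrivError("unknown principal")
    if requested.groups[0] not in known:
        raise PrivError("requested primary group not held by principal")
    valid = tuple(g for g in requested.groups if g in known)   # only groups the registry confirms
    record = {"event": PRIV_GETEPTGT, "request_location": "LOCAL",
              "req_princ_id": requested.principal, "req_group_id": requested.groups[0],
              "num_groups": len(valid), "groups": list(valid)}
    chain = (Epac(LOCAL_REALM, requested.principal, valid),)
    return chain, seal(chain), record


def _chain_fields(chain):
    """Per-EPAC fields recorded for intercell and delegation events."""
    return [{"realm": e.realm, "principal": e.principal,
             "num_groups": len(e.groups), "groups": list(e.groups)} for e in chain]


def get_eptgt_intercell(chain, ticket_seal: str):
    """INTERCELL request: the seal carried in the ticket's authorization data is the proof."""
    if not hmac.compare_digest(seal(chain), ticket_seal):
        raise PrivError("EPAC seal does not match chain")
    return {"event": PRIV_GETEPTGT, "request_location": "INTERCELL",
            "num_epacs": len(chain), "epacs": _chain_fields(chain)}


def become_delegate(chain, token: str, intermediary: Epac):
    """Append the intermediary's EPAC to a chain whose delegation token verifies."""
    if not hmac.compare_digest(seal(chain), token):
        raise PrivError("delegation token invalid for chain")
    new_chain = chain + (intermediary,)
    record = {"event": PRIV_BECOMEDELEGATE, "num_epacs": len(new_chain),
              "epacs": _chain_fields(new_chain)}
    return new_chain, seal(new_chain), record


def become_impersonator(chain, token: str, intermediary: Epac):
    """Token must verify for the initiator's EPAC and the intermediary must be allowed."""
    initiator = chain[0]
    if not hmac.compare_digest(seal((initiator,)), token):
        raise PrivError("delegation token invalid for initiator EPAC")
    if intermediary.principal not in IMPERSONATION_ALLOWED.get(initiator.principal, set()):
        raise PrivError("intermediary not permitted to impersonate initiator")
    return {"event": PRIV_BECOMEIMPERSONATOR, "num_epacs": len(chain),
            "epacs": _chain_fields(chain)}
```

The point to notice when reading audit output: a LOCAL PRIV_GetEptgt record can legitimately show fewer groups than the client asked for, because only registry-confirmed groups survive, whereas the INTERCELL and delegation records describe a chain the server accepted purely on the strength of the seal or token, so a chain whose num_epacs grows unexpectedly is worth correlating with the PRIV_BecomeDelegate events that produced it.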