librpc/idl:security: add a couple of claims flags
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 10 Nov 2023 01:53:44 +0000 (14:53 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 27 Nov 2023 22:37:31 +0000 (22:37 +0000)
We don't use these.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/idl/security.idl

index 400da6b3355d66b4f331b350fe7b05e7376c996f..6a7f54fcb0780d53377ad9e365d8da907b34569e 100644 (file)
@@ -616,6 +616,26 @@ interface security
                CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT  = 8,
                CLAIM_SECURITY_ATTRIBUTE_DISABLED          = 0x10, /*reserved*/
                CLAIM_SECURITY_ATTRIBUTE_MANDATORY         = 0x20,
+
+               /*
+                * These next two are curiously defined in [MS-DTYP] 2.4.10.1:
+                *
+                * > Flags: The upper two bytes of this DWORD are available for
+                * > application-specific data. The two lowest-order bits in the
+                * > lower of these two bytes are reserved. These two bytes
+                * > MAY contain only one of the following values in those two
+                * > bits:
+                * >
+                * >  FCI_CLAIM_SECURITY_ATTRIBUTE_MANUAL          0x0001
+                * >  FCI_CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED  0x0002
+                *
+                * That is saying these mutually exclusive flags have offset
+                * values that are measured from the middle of flags field. We
+                * instead measure from the start.
+                */
+               CLAIM_SECURITY_ATTRIBUTE_MANUAL                 =    1 << 16,
+               CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED         =    1 << 17,
+
                /*
                 * Conditional ACEs use some of the above flags in
                 * combination with an internal one defined in
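Review bot: The new comment records that [MS-DTYP] treats CLAIM_SECURITY_ATTRIBUTE_MANUAL and CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED as mutually exclusive, but as independent bits (`1 << 16`, `1 << 17`) both can be set in one flags value, and nothing in this hunk says how that case should be treated. Since the commit message says the flags are unused, I would at least document this for whoever adds the first consumer, e.g. `* In the whole 32-bit field these are 0x00010000 and 0x00020000; both set at once is outside the spec and is not checked here.` Spelling out the absolute values also makes the offset explanation easier to check against the spec, and matches the hex style of the neighbouring 0x10 and 0x20 entries. The enclosing flags definition starts and ends outside the hunk, so whether other code masks or validates the upper 16 bits cannot be seen from here.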