From a8f83fe8a2ff2f5ab5f36538df26b097810c417a Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri, 10 Nov 2023 14:53:44 +1300
Subject: [PATCH] librpc/idl:security: add a couple of claims flags

We don't use these.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 librpc/idl/security.idl | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 400da6b3355..6a7f54fcb07 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -616,6 +616,26 @@ interface security
 		CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT  = 8,
 		CLAIM_SECURITY_ATTRIBUTE_DISABLED          = 0x10, /*reserved*/
 		CLAIM_SECURITY_ATTRIBUTE_MANDATORY         = 0x20,
+
+		/*
+		 * These next two are curiously defined in [MS-DTYP] 2.4.10.1:
+		 *
+		 * > Flags: The upper two bytes of this DWORD are available for
+		 * > application-specific data. The two lowest-order bits in the
+		 * > lower of these two bytes are reserved. These two bytes
+		 * > MAY contain only one of the following values in those two
+		 * > bits:
+		 * >
+		 * >  FCI_CLAIM_SECURITY_ATTRIBUTE_MANUAL	   0x0001
+		 * >  FCI_CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED  0x0002
+		 *
+		 * That is saying these mutually exclusive flags have offset
+		 * values that are measured from the middle of flags field. We
+		 * instead measure from the start.
+		 */
+		CLAIM_SECURITY_ATTRIBUTE_MANUAL                 =    1 << 16,
+		CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED         =    1 << 17,
+
 		/*
 		 * Conditional ACEs use some of the above flags in
 		 * combination with an internal one defined in
-- 
2.47.3