security.idl add new well-known SIDs
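#include "idl_types.h"

/*
  security IDL structures
*/

import "misc.idl";

/*
   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
   just a dom sid, but with the sub_auths represented as a conformant
   array. As with all in-structure conformant arrays, the array length
   is placed before the start of the structure. That's what gives rise
   to the extra num_auths element. We don't want the Samba code to
   have to bother with such esoteric NDR details, so it's easier to just
   define it as a dom_sid and use pidl magic to make it all work. It
   just means you need to mark a sid as a "dom_sid2" in the IDL when you
   know it is of the conformant array variety
*/
cpp_quote("#define dom_sid2 dom_sid")

/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
cpp_quote("#define dom_sid28 dom_sid")

/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
cpp_quote("#define dom_sid0 dom_sid")

/* dom_sid2, dom_sid28 and dom_sid0 therefore differ only in their wire
   encoding; the in-memory C type is dom_sid in all three cases */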
27
28 [
29         pyhelper("librpc/ndr/py_security.c"),
30         pointer_default(unique)
31 ]
32 interface security
33 {
34
35         typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;
36
37         typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
38                 uint8  sid_rev_num;             /**< SID revision number */
39                 [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
40                 uint8  id_auth[6];              /**< Identifier Authority */
41                 uint32 sub_auths[15];
42         } dom_sid;
43         /*
44           access masks are divided up like this:
45                 0xabccdddd
46                 where 
47                    a = generic rights bits        SEC_GENERIC_
48                    b = flags                      SEC_FLAG_
49                    c = standard rights bits       SEC_STD_
50                    d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_
51                    
52           common combinations of bits are prefixed with SEC_RIGHTS_
53         */
54         const int SEC_MASK_GENERIC         = 0xF0000000;
55         const int SEC_MASK_FLAGS           = 0x0F000000;
56         const int SEC_MASK_STANDARD        = 0x00FF0000;
57         const int SEC_MASK_SPECIFIC        = 0x0000FFFF;
58
59         /* generic bits */
60         const int SEC_GENERIC_ALL          = 0x10000000;
61         const int SEC_GENERIC_EXECUTE      = 0x20000000;
62         const int SEC_GENERIC_WRITE        = 0x40000000;
63         const int SEC_GENERIC_READ         = 0x80000000;
64
65         /* flag bits */
66         const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
67         const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
68
69         /* standard bits */
70         const int SEC_STD_DELETE           = 0x00010000;
71         const int SEC_STD_READ_CONTROL     = 0x00020000;
72         const int SEC_STD_WRITE_DAC        = 0x00040000;
73         const int SEC_STD_WRITE_OWNER      = 0x00080000;
74         const int SEC_STD_SYNCHRONIZE      = 0x00100000;
75         const int SEC_STD_REQUIRED         = 0x000F0000;
76         const int SEC_STD_ALL              = 0x001F0000;
77
78         /* file specific bits */
79         const int SEC_FILE_READ_DATA       = 0x00000001;
80         const int SEC_FILE_WRITE_DATA      = 0x00000002;
81         const int SEC_FILE_APPEND_DATA     = 0x00000004;
82         const int SEC_FILE_READ_EA         = 0x00000008;
83         const int SEC_FILE_WRITE_EA        = 0x00000010;
84         const int SEC_FILE_EXECUTE         = 0x00000020;
85         const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
86         const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
87         const int SEC_FILE_ALL             = 0x000001ff;
88
89         /* directory specific bits */
90         const int SEC_DIR_LIST             = 0x00000001;
91         const int SEC_DIR_ADD_FILE         = 0x00000002;
92         const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
93         const int SEC_DIR_READ_EA          = 0x00000008;
94         const int SEC_DIR_WRITE_EA         = 0x00000010;
95         const int SEC_DIR_TRAVERSE         = 0x00000020;
96         const int SEC_DIR_DELETE_CHILD     = 0x00000040;
97         const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
98         const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;
99
100         /* registry entry specific bits */
101         const int SEC_REG_QUERY_VALUE      = 0x00000001;
102         const int SEC_REG_SET_VALUE        = 0x00000002;
103         const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
104         const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
105         const int SEC_REG_NOTIFY           = 0x00000010;
106         const int SEC_REG_CREATE_LINK      = 0x00000020;
107
108         /* ldap specific access bits */
109         const int SEC_ADS_CREATE_CHILD     = 0x00000001;
110         const int SEC_ADS_DELETE_CHILD     = 0x00000002;
111         const int SEC_ADS_LIST             = 0x00000004;
112         const int SEC_ADS_SELF_WRITE       = 0x00000008;
113         const int SEC_ADS_READ_PROP        = 0x00000010;
114         const int SEC_ADS_WRITE_PROP       = 0x00000020;
115         const int SEC_ADS_DELETE_TREE      = 0x00000040;
116         const int SEC_ADS_LIST_OBJECT      = 0x00000080;
117         const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;
118
119         /* invalid bits */
120         const int SEC_MASK_INVALID         = 0x0ce0fe00;
121
122         /* generic->specific mappings for files */
123         const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL | 
124                                             SEC_STD_SYNCHRONIZE | 
125                                             SEC_FILE_READ_DATA | 
126                                             SEC_FILE_READ_ATTRIBUTE | 
127                                             SEC_FILE_READ_EA;
128
129         const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL | 
130                                             SEC_STD_SYNCHRONIZE | 
131                                             SEC_FILE_WRITE_DATA | 
132                                             SEC_FILE_WRITE_ATTRIBUTE | 
133                                             SEC_FILE_WRITE_EA |
134                                             SEC_FILE_APPEND_DATA;
135         
136         const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | 
137                                             SEC_STD_READ_CONTROL | 
138                                             SEC_FILE_READ_ATTRIBUTE | 
139                                             SEC_FILE_EXECUTE;
140
141         const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;
142
143         /* generic->specific mappings for directories (same as files) */
144         const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
145         const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
146         const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
147         const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
148
149         /* rights granted by some specific privileges */
150         const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL | 
151                                             SEC_FLAG_SYSTEM_SECURITY |
152                                             SEC_GENERIC_READ;
153         const int SEC_RIGHTS_DIR_PRIV_BACKUP  = SEC_RIGHTS_PRIV_BACKUP 
154                                               | SEC_DIR_TRAVERSE;
155
156         const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | 
157                                             SEC_STD_WRITE_OWNER |
158                                             SEC_FLAG_SYSTEM_SECURITY |
159                                             SEC_STD_DELETE;
160         const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE | 
161                                             SEC_DIR_ADD_FILE |
162                                             SEC_DIR_ADD_SUBDIR;
163
164         /* combinations of standard masks. */
165         const int STANDARD_RIGHTS_ALL_ACCESS            = SEC_STD_ALL; /* 0x001f0000 */
166         const int STANDARD_RIGHTS_MODIFY_ACCESS         = SEC_STD_READ_CONTROL; /* 0x00020000 */
167         const int STANDARD_RIGHTS_EXECUTE_ACCESS        = SEC_STD_READ_CONTROL; /* 0x00020000 */
168         const int STANDARD_RIGHTS_READ_ACCESS           = SEC_STD_READ_CONTROL; /* 0x00020000 */
169         const int STANDARD_RIGHTS_WRITE_ACCESS =
170                 (SEC_STD_WRITE_OWNER            |
171                  SEC_STD_WRITE_DAC              |
172                  SEC_STD_DELETE);       /* 0x000d0000 */
173         const int STANDARD_RIGHTS_REQUIRED_ACCESS =
174                 (SEC_STD_DELETE                 |
175                  SEC_STD_READ_CONTROL           |
176                  SEC_STD_WRITE_DAC              |
177                  SEC_STD_WRITE_OWNER);  /* 0x000f0000 */
178
179         /* generic->specific mappings for Directory Service objects */
180         /* directory specific part of GENERIC_ALL */
181         const int SEC_ADS_GENERIC_ALL_DS =
182                 (SEC_STD_DELETE                 |
183                  SEC_STD_WRITE_DAC              |
184                  SEC_STD_WRITE_OWNER            |
185                  SEC_ADS_CREATE_CHILD           |
186                  SEC_ADS_DELETE_CHILD           |
187                  SEC_ADS_DELETE_TREE            |
188                  SEC_ADS_CONTROL_ACCESS);
189         const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
190         const int SEC_ADS_GENERIC_WRITE   =
191                 (SEC_STD_READ_CONTROL           |
192                  SEC_ADS_SELF_WRITE             |
193                  SEC_ADS_WRITE_PROP);
194         const int SEC_ADS_GENERIC_READ    =
195                 (SEC_STD_READ_CONTROL           |
196                  SEC_ADS_LIST                   |
197                  SEC_ADS_READ_PROP              |
198                  SEC_ADS_LIST_OBJECT);
199         const int SEC_ADS_GENERIC_ALL     =
200                 (SEC_ADS_GENERIC_EXECUTE        |
201                  SEC_ADS_GENERIC_WRITE          |
202                  SEC_ADS_GENERIC_READ           |
203                  SEC_ADS_GENERIC_ALL_DS);
204
205         /***************************************************************/
206         /* WELL KNOWN SIDS */
207
208         /* a NULL sid */
209         const string SID_NULL = "S-1-0-0";
210
211         /* the world domain */
212         const string NAME_WORLD       = "WORLD";
213
214         const string SID_WORLD_DOMAIN = "S-1-1";
215         const string SID_WORLD        = "S-1-1-0";
216
217         /* SECURITY_CREATOR_SID_AUTHORITY */
218         const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
219         const string SID_CREATOR_OWNER        = "S-1-3-0";
220         const string SID_CREATOR_GROUP        = "S-1-3-1";
221         const string SID_OWNER_RIGHTS         = "S-1-3-4";
222
223         /* SECURITY_NT_AUTHORITY */
224         const string NAME_NT_AUTHORITY            = "NT AUTHORITY";
225
226         const string SID_NT_AUTHORITY             = "S-1-5";
227         const string SID_NT_DIALUP                = "S-1-5-1";
228         const string SID_NT_NETWORK               = "S-1-5-2";
229         const string SID_NT_BATCH                 = "S-1-5-3";
230         const string SID_NT_INTERACTIVE           = "S-1-5-4";
231         const string SID_NT_SERVICE               = "S-1-5-6";
232         const string SID_NT_ANONYMOUS             = "S-1-5-7";
233         const string SID_NT_PROXY                 = "S-1-5-8";
234         const string SID_NT_ENTERPRISE_DCS        = "S-1-5-9";
235         const string SID_NT_SELF                  = "S-1-5-10";
236         const string SID_NT_AUTHENTICATED_USERS   = "S-1-5-11";
237         const string SID_NT_RESTRICTED            = "S-1-5-12";
238         const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
239         const string SID_NT_REMOTE_INTERACTIVE    = "S-1-5-14";
240         const string SID_NT_THIS_ORGANISATION     = "S-1-5-15";
241         const string SID_NT_IUSR                  = "S-1-5-17";
242         const string SID_NT_SYSTEM                = "S-1-5-18";
243         const string SID_NT_LOCAL_SERVICE         = "S-1-5-19";
244         const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
245         const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
246         const string SID_NT_NTLM_AUTHENTICATION   = "S-1-5-64-10";
247         const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
248         const string SID_NT_OTHER_ORGANISATION    = "S-1-5-1000";
249
250         /* SECURITY_BUILTIN_DOMAIN_RID */
251         const string NAME_BUILTIN                  = "BUILTIN";
252
253         const string SID_BUILTIN                   = "S-1-5-32";
254         const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
255         const string SID_BUILTIN_USERS             = "S-1-5-32-545";
256         const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
257         const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
258         const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
259         const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
260         const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
261         const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
262         const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
263         const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
264         const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
265         const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
266         const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
267         const string SID_BUILTIN_INCOMING_FOREST_TRUST  = "S-1-5-32-557";
268         const string SID_BUILTIN_PERFMON_USERS          = "S-1-5-32-558";
269         const string SID_BUILTIN_PERFLOG_USERS          = "S-1-5-32-559";
270         const string SID_BUILTIN_AUTH_ACCESS            = "S-1-5-32-560";
271         const string SID_BUILTIN_TS_LICENSE_SERVERS     = "S-1-5-32-561";
272         const string SID_BUILTIN_DISTRIBUTED_COM_USERS  = "S-1-5-32-562";
273         const string SID_BUILTIN_CRYPTO_OPERATORS       = "S-1-5-32-569";
274         const string SID_BUILTIN_EVENT_LOG_READERS      = "S-1-5-32-573";
275         const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS  = "S-1-5-32-574";
276
277         /* SECURITY_NT_SERVICE */
278         const string NAME_NT_SERVICE            = "NT SERVICE";
279
280         const string SID_NT_NT_SERVICE          = "S-1-5-80";
281         const string SID_NT_TRUSTED_INSTALLER =
282                 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
283
284         /* well-known domain RIDs */
285         const int DOMAIN_RID_LOGON                   = 9;
286         const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
287         const int DOMAIN_RID_ADMINISTRATOR           = 500;
288         const int DOMAIN_RID_GUEST                   = 501;
289         const int DOMAIN_RID_KRBTGT                  = 502;
290         const int DOMAIN_RID_ADMINS                  = 512;
291         const int DOMAIN_RID_USERS                   = 513;
292         const int DOMAIN_RID_GUESTS                  = 514;
293         const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
294         const int DOMAIN_RID_DCS                     = 516;
295         const int DOMAIN_RID_CERT_ADMINS             = 517;
296         const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
297         const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
298         const int DOMAIN_RID_POLICY_ADMINS           = 520;
299         const int DOMAIN_RID_READONLY_DCS            = 521;
300         const int DOMAIN_RID_RAS_SERVERS             = 553;
301         const int DOMAIN_RID_RODC_ALLOW              = 571;
302         const int DOMAIN_RID_RODC_DENY               = 572;
303
304         /* well-known builtin RIDs */
305         const int BUILTIN_RID_ADMINISTRATORS            = 544;
306         const int BUILTIN_RID_USERS                     = 545;
307         const int BUILTIN_RID_GUESTS                    = 546;
308         const int BUILTIN_RID_POWER_USERS               = 547;
309         const int BUILTIN_RID_ACCOUNT_OPERATORS         = 548;
310         const int BUILTIN_RID_SERVER_OPERATORS          = 549;
311         const int BUILTIN_RID_PRINT_OPERATORS           = 550;
312         const int BUILTIN_RID_BACKUP_OPERATORS          = 551;
313         const int BUILTIN_RID_REPLICATOR                = 552;
314         const int BUILTIN_RID_RAS_SERVERS               = 553;
315         const int BUILTIN_RID_PRE_2K_ACCESS             = 554;
316         const int BUILTIN_RID_REMOTE_DESKTOP_USERS      = 555;
317         const int BUILTIN_RID_NETWORK_CONF_OPERATORS    = 556;
318         const int BUILTIN_RID_INCOMING_FOREST_TRUST     = 557;
319         const int BUILTIN_RID_PERFMON_USERS             = 558;
320         const int BUILTIN_RID_PERFLOG_USERS             = 559;
321         const int BUILTIN_RID_AUTH_ACCESS               = 560;
322         const int BUILTIN_RID_TS_LICENSE_SERVERS        = 561;
323         const int BUILTIN_RID_DISTRIBUTED_COM_USERS     = 562;
324         const int BUILTIN_RID_CRYPTO_OPERATORS          = 569;
325         const int BUILTIN_RID_EVENT_LOG_READERS         = 573;
326         const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS     = 574;
327
328 /********************************************************************
329  This is a list of privileges reported by a Windows 2008 R2 DC
330  just for reference purposes (and I know the LUID is not guaranteed
331  across reboots):
332
333 0x00000002          SeCreateTokenPrivilege "Create a token object"
334 0x00000003   SeAssignPrimaryTokenPrivilege "Replace a process level token"
335 0x00000004           SeLockMemoryPrivilege "Lock pages in memory"
336 0x00000005        SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
337 0x00000006       SeMachineAccountPrivilege "Add workstations to domain"
338 0x00000007                  SeTcbPrivilege "Act as part of the operating system"
339 0x00000008             SeSecurityPrivilege "Manage auditing and security log"
340 0x00000009        SeTakeOwnershipPrivilege "Take ownership of files or other objects"
341 0x0000000a           SeLoadDriverPrivilege "Load and unload device drivers"
342 0x0000000b        SeSystemProfilePrivilege "Profile system performance"
343 0x0000000c           SeSystemtimePrivilege "Change the system time"
344 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
345 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
346 0x0000000f       SeCreatePagefilePrivilege "Create a pagefile"
347 0x00000010      SeCreatePermanentPrivilege "Create permanent shared objects"
348 0x00000011               SeBackupPrivilege "Back up files and directories"
349 0x00000012              SeRestorePrivilege "Restore files and directories"
350 0x00000013             SeShutdownPrivilege "Shut down the system"
351 0x00000014                SeDebugPrivilege "Debug programs"
352 0x00000015                SeAuditPrivilege "Generate security audits"
353 0x00000016    SeSystemEnvironmentPrivilege "Modify firmware environment values"
354 0x00000017         SeChangeNotifyPrivilege "Bypass traverse checking"
355 0x00000018       SeRemoteShutdownPrivilege "Force shutdown from a remote system"
356 0x00000019               SeUndockPrivilege "Remove computer from docking station"
357 0x0000001a            SeSyncAgentPrivilege "Synchronize directory service data"
358 0x0000001b     SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
359 0x0000001c         SeManageVolumePrivilege "Perform volume maintenance tasks"
360 0x0000001d          SeImpersonatePrivilege "Impersonate a client after authentication"
361 0x0000001e         SeCreateGlobalPrivilege "Create global objects"
362 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
363 0x00000020              SeRelabelPrivilege "Modify an object label"
364 0x00000021   SeIncreaseWorkingSetPrivilege "Increase a process working set"
365 0x00000022             SeTimeZonePrivilege "Change the time zone"
366 0x00000023   SeCreateSymbolicLinkPrivilege "Create symbolic links"
367
368  ********************************************************************/
369
370         /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
371
372         /* we have to define the LUID here due to a horrible check by printmig.exe
373            that requires the SeBackupPrivilege match what is in Windows.  So match
374            those that we implement and start Samba privileges at 0x1001 */
375
376         typedef enum {
377                 SEC_PRIV_INVALID                   = 0x0,
378                 SEC_PRIV_INCREASE_QUOTA            = 0x5,
379                 SEC_PRIV_MACHINE_ACCOUNT           = 0x6,
380                 SEC_PRIV_SECURITY                  = 0x8,
381                 SEC_PRIV_TAKE_OWNERSHIP            = 0x09,
382                 SEC_PRIV_LOAD_DRIVER               = 0x0a,
383                 SEC_PRIV_SYSTEM_PROFILE            = 0x0b,
384                 SEC_PRIV_SYSTEMTIME                = 0x0c,
385                 SEC_PRIV_PROFILE_SINGLE_PROCESS    = 0x0d,
386                 SEC_PRIV_INCREASE_BASE_PRIORITY    = 0x0e,
387                 SEC_PRIV_CREATE_PAGEFILE           = 0x0f,
388                 SEC_PRIV_BACKUP                    = 0x11,
389                 SEC_PRIV_RESTORE                   = 0x12,
390                 SEC_PRIV_SHUTDOWN                  = 0x13,
391                 SEC_PRIV_DEBUG                     = 0x14,
392                 SEC_PRIV_SYSTEM_ENVIRONMENT        = 0x16,
393                 SEC_PRIV_CHANGE_NOTIFY             = 0x17,
394                 SEC_PRIV_REMOTE_SHUTDOWN           = 0x18,
395                 SEC_PRIV_UNDOCK                    = 0x19,
396                 SEC_PRIV_ENABLE_DELEGATION         = 0x1b,
397                 SEC_PRIV_MANAGE_VOLUME             = 0x1c,
398                 SEC_PRIV_IMPERSONATE               = 0x1d,
399                 SEC_PRIV_CREATE_GLOBAL             = 0x1e,
400                 /* Samba-specific privs */
401                 SEC_PRIV_PRINT_OPERATOR            = 0x1001,
402                 SEC_PRIV_ADD_USERS                 = 0x1002,
403                 SEC_PRIV_DISK_OPERATOR             = 0x1003
404         } sec_privilege;
405
406
407         /* Bitmap of privilege values for internal use only.  We need
408          * our own bitmap here as privilages.tdb records these values
409          * as a bitmap (privilages.ldb uses the string forms).
410          */
411         typedef [bitmap64bit] bitmap {
412                 SEC_PRIV_MACHINE_ACCOUNT_BIT            = 0x00000010,
413
414                 /* Samba-specific privs */
415                 SEC_PRIV_PRINT_OPERATOR_BIT             = 0x00000020,
416                 SEC_PRIV_ADD_USERS_BIT                  = 0x00000040,
417                 SEC_PRIV_DISK_OPERATOR_BIT              = 0x00000080,
418
419                 SEC_PRIV_REMOTE_SHUTDOWN_BIT            = 0x00000100,
420                 SEC_PRIV_BACKUP_BIT                     = 0x00000200,
421                 SEC_PRIV_RESTORE_BIT                    = 0x00000400,
422                 SEC_PRIV_TAKE_OWNERSHIP_BIT             = 0x00000800,
423                 /* End of privilages implemented before merge to common code */
424
425                 SEC_PRIV_INCREASE_QUOTA_BIT               = 0x00001000,
426                 SEC_PRIV_SECURITY_BIT                     = 0x00002000,
427                 SEC_PRIV_LOAD_DRIVER_BIT                  = 0x00004000,
428                 SEC_PRIV_SYSTEM_PROFILE_BIT               = 0x00008000,
429                 SEC_PRIV_SYSTEMTIME_BIT                   = 0x00010000,
430                 SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT       = 0x00020000,
431                 SEC_PRIV_INCREASE_BASE_PRIORITY_BIT       = 0x00040000,
432                 SEC_PRIV_CREATE_PAGEFILE_BIT              = 0x00080000,
433                 SEC_PRIV_SHUTDOWN_BIT                     = 0x00100000,
434                 SEC_PRIV_DEBUG_BIT                        = 0x00200000,
435                 SEC_PRIV_SYSTEM_ENVIRONMENT_BIT           = 0x00400000,
436                 SEC_PRIV_CHANGE_NOTIFY_BIT                = 0x00800000,
437                 SEC_PRIV_UNDOCK_BIT                       = 0x01000000,
438                 SEC_PRIV_ENABLE_DELEGATION_BIT            = 0x02000000,
439                 SEC_PRIV_MANAGE_VOLUME_BIT                = 0x04000000,
440                 SEC_PRIV_IMPERSONATE_BIT                  = 0x08000000,
441                 SEC_PRIV_CREATE_GLOBAL_BIT                = 0x10000000
442         } se_privilege;
443
444         typedef [bitmap32bit] bitmap {
445                 LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
446                 LSA_POLICY_MODE_NETWORK                 = 0x00000002,
447                 LSA_POLICY_MODE_BATCH                   = 0x00000004,
448                 LSA_POLICY_MODE_SERVICE                 = 0x00000010,
449                 LSA_POLICY_MODE_PROXY                   = 0x00000020,
450                 LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
451                 LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
452                 LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
453                 LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
454                 LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
455                 LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
456                 LSA_POLICY_MODE_ALL                     = 0x00000FF7,
457                 LSA_POLICY_MODE_ALL_NT4                 = 0x00000037
458         } lsa_SystemAccessModeFlags;
459
460         typedef [public,bitmap8bit] bitmap {
461                 SEC_ACE_FLAG_OBJECT_INHERIT             = 0x01,
462                 SEC_ACE_FLAG_CONTAINER_INHERIT          = 0x02,
463                 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       = 0x04,
464                 SEC_ACE_FLAG_INHERIT_ONLY               = 0x08,
465                 SEC_ACE_FLAG_INHERITED_ACE              = 0x10,
466                 SEC_ACE_FLAG_VALID_INHERIT              = 0x0f,
467                 SEC_ACE_FLAG_SUCCESSFUL_ACCESS          = 0x40,
468                 SEC_ACE_FLAG_FAILED_ACCESS              = 0x80
469         } security_ace_flags;
470
471         typedef [public,enum8bit] enum {
472                 SEC_ACE_TYPE_ACCESS_ALLOWED             = 0,
473                 SEC_ACE_TYPE_ACCESS_DENIED              = 1,
474                 SEC_ACE_TYPE_SYSTEM_AUDIT               = 2,
475                 SEC_ACE_TYPE_SYSTEM_ALARM               = 3,
476                 SEC_ACE_TYPE_ALLOWED_COMPOUND           = 4,
477                 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT      = 5,
478                 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT       = 6,
479                 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT        = 7,
480                 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT        = 8
481         } security_ace_type;
482
483         typedef [bitmap32bit] bitmap {
484                 SEC_ACE_OBJECT_TYPE_PRESENT             = 0x00000001,
485                 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT   = 0x00000002
486         } security_ace_object_flags;
487
488         typedef [nodiscriminant] union {
489                 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
490                 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
491                 [default];
492         } security_ace_object_type;
493
494         typedef [nodiscriminant] union {
495                 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
496                  * (of the parent container)
497                  */
498                 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
499                 [default];
500         } security_ace_object_inherited_type;
501
502         typedef struct {
503                 security_ace_object_flags flags;
504                 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
505                 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
506         } security_ace_object;
507
508         typedef [public,nodiscriminant] union {
509                 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
510                 [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
511                 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
512                 [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
513                 [default];
514         } security_ace_object_ctr;
515
516         typedef [public,nopull,gensize,nosize] struct {
517                 security_ace_type type;  /* SEC_ACE_TYPE_* */
518                 security_ace_flags flags; /* SEC_ACE_FLAG_* */
519                 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
520                 uint32 access_mask;
521                 [switch_is(type)] security_ace_object_ctr object;
522                 dom_sid trustee;
523         } security_ace;
524
525         typedef enum {
526                 SECURITY_ACL_REVISION_NT4       = 2,
527                 SECURITY_ACL_REVISION_ADS       = 4
528         } security_acl_revision;
529
530         const uint NT4_ACL_REVISION     = SECURITY_ACL_REVISION_NT4;
531
532         typedef [public,gensize,nosize] struct {
533                 security_acl_revision revision;
534                 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
535                 [range(0,1000)] uint32 num_aces;
536                 security_ace aces[num_aces];
537         } security_acl;
538
539         /* default revision for new ACLs */
540         typedef [public,enum8bit] enum {
541                 SECURITY_DESCRIPTOR_REVISION_1 = 1
542         } security_descriptor_revision;
543
544         const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1;
545
546         /* security_descriptor->type bits */
547         typedef [public,bitmap16bit] bitmap {
548                 SEC_DESC_OWNER_DEFAULTED        = 0x0001,
549                 SEC_DESC_GROUP_DEFAULTED        = 0x0002,
550                 SEC_DESC_DACL_PRESENT           = 0x0004,
551                 SEC_DESC_DACL_DEFAULTED         = 0x0008,
552                 SEC_DESC_SACL_PRESENT           = 0x0010,
553                 SEC_DESC_SACL_DEFAULTED         = 0x0020,
554                 SEC_DESC_DACL_TRUSTED           = 0x0040,
555                 SEC_DESC_SERVER_SECURITY        = 0x0080,
556                 SEC_DESC_DACL_AUTO_INHERIT_REQ  = 0x0100,
557                 SEC_DESC_SACL_AUTO_INHERIT_REQ  = 0x0200,
558                 SEC_DESC_DACL_AUTO_INHERITED    = 0x0400,
559                 SEC_DESC_SACL_AUTO_INHERITED    = 0x0800,
560                 SEC_DESC_DACL_PROTECTED         = 0x1000,
561                 SEC_DESC_SACL_PROTECTED         = 0x2000,
562                 SEC_DESC_RM_CONTROL_VALID       = 0x4000,
563                 SEC_DESC_SELF_RELATIVE          = 0x8000
564         } security_descriptor_type;
565
        /*
           Security descriptor as marshalled on the wire (MS-DTYP 2.4.6).
           The four [relative] pointers make this the self-relative form:
           each is an offset from the start of the descriptor rather than an
           NDR referent id.  flag(NDR_LITTLE_ENDIAN) fixes the byte order
           regardless of the DCE/RPC data-representation negotiated for the
           enclosing PDU.  Any of the four parts may be NULL; for the
           security meaning of a NULL dacl see security_descriptor_type.
        */
        typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
                security_descriptor_revision revision;  /**< must be SECURITY_DESCRIPTOR_REVISION_1 */
                security_descriptor_type type;     /* SEC_DESC_xxxx flags; says which of the parts below are present/defaulted */
                [relative] dom_sid *owner_sid;  /**< owning principal, may be NULL */
                [relative] dom_sid *group_sid;  /**< primary group, may be NULL */
                [relative] security_acl *sacl; /* system ACL: audit/alarm ACEs, plus integrity/label ACEs */
                [relative] security_acl *dacl; /* user (discretionary) ACL: the access-control ACEs that are actually evaluated */
        } security_descriptor;
574
        /*
           Length-prefixed wrapper used where a security descriptor is
           carried inside another PDU.  sd_size is computed from sd on push
           and bounded by [range] to 256 KiB (0x40000) on pull; the
           [subcontext(4)] confines the pull of sd to the 4-byte-length
           sub-buffer, so a hostile length cannot drive the parser beyond
           the bytes actually supplied.
        */
        typedef [public] struct {
                [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; /**< size of the marshalled sd, 0..0x40000 */
                [subcontext(4)] security_descriptor *sd; /**< the descriptor, parsed within its own length-bounded subcontext; may be NULL */
        } sec_desc_buf;
579
580         /* This is not yet sent over the network, but is simply defined in IDL */
        /*
           In-memory authorization token used when evaluating an ACL: the
           set of SIDs the caller holds plus its privilege and system-access
           bits.  It is never marshalled to a peer (see comment above), so
           its layout is an internal Samba contract rather than a wire ABI.
        */
        typedef [public] struct {
                uint32 num_sids;                        /**< number of entries in sids */
                [size_is(num_sids)] dom_sid sids[*];    /**< all SIDs the token carries (user, groups, well-known SIDs) */
                se_privilege privilege_mask;            /**< LSA privileges held (SeXxxPrivilege bits) */
                lsa_SystemAccessModeFlags rights_mask;  /**< logon/system-access rights held */
        } security_token;
587
588         /* This is not yet sent over the network, but is simply defined in IDL */
        /*
           POSIX identity that corresponds to a security_token after
           ID mapping: the uid/gid pair plus supplementary groups.  Internal
           only; not marshalled to a peer (see comment above).
        */
        typedef [public] struct {
                uid_t uid;                              /**< effective user id */
                gid_t gid;                              /**< primary group id */
                uint32 ngroups;                         /**< number of entries in groups */
                [size_is(ngroups)] gid_t groups[*];     /**< supplementary group ids */
        } security_unix_token;
595
596         /* bits that determine which parts of a security descriptor
597            are being queried/set */
        /*
           SECURITY_INFORMATION selector (MS-DTYP 2.4.7): which parts of a
           security descriptor a query/set operation refers to.  A set with
           SECINFO_DACL replaces the whole DACL, not individual ACEs.
           NOTE(review): on Windows, SECINFO_SACL requires SeSecurityPrivilege
           (ACCESS_SYSTEM_SECURITY) in addition to the object's own access
           check; callers exposing this over the network should enforce the
           same distinction.
        */
        typedef [public,bitmap32bit] bitmap {
                SECINFO_OWNER                = 0x00000001, /**< owner_sid */
                SECINFO_GROUP                = 0x00000002, /**< group_sid */
                SECINFO_DACL                 = 0x00000004, /**< discretionary ACL */
                SECINFO_SACL                 = 0x00000008, /**< system ACL (privileged) */
                SECINFO_UNPROTECTED_SACL     = 0x10000000, /**< on set: clear SEC_DESC_SACL_PROTECTED, allow inheritance */
                SECINFO_UNPROTECTED_DACL     = 0x20000000, /**< on set: clear SEC_DESC_DACL_PROTECTED, allow inheritance */
                SECINFO_PROTECTED_SACL       = 0x40000000, /**< on set: set SEC_DESC_SACL_PROTECTED, block inheritance */
                SECINFO_PROTECTED_DACL       = 0x80000000  /**< on set: set SEC_DESC_DACL_PROTECTED, block inheritance */
        } security_secinfo;
608
        /*
           Kerberos encryption-type bits in the form used by the AD
           msDS-SupportedEncryptionTypes attribute (MS-KILE 2.2.7).
           NOTE(review): the two DES types are deprecated by RFC 6649 and
           RC4-HMAC-MD5 by RFC 8429; a principal advertising only those
           enctypes is a downgrade target.  Prefer the AES types when this
           bitmap is used to negotiate or provision keys.
        */
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001, /**< deprecated (RFC 6649), single DES */
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002, /**< deprecated (RFC 6649), single DES */
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004, /**< deprecated (RFC 8429); key is the NT hash */
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, /**< RFC 3962 */
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010  /**< RFC 3962, preferred */
        } kerb_EncTypes;
616
        /*
           Options for building a child's security descriptor from its
           parent's and the creator's input (Samba-internal; not a wire
           bitmap).  Names follow the corresponding SEC_DESC_*_AUTO_INHERIT
           bits above; the *_FROM_PARENT flags select where the owner and
           group of the new descriptor are taken from.
        */
        typedef [public,bitmap32bit] bitmap {
                SEC_DACL_AUTO_INHERIT                = 0x00000001, /**< propagate inheritable DACL ACEs from the parent */
                SEC_SACL_AUTO_INHERIT                = 0x00000002, /**< propagate inheritable SACL ACEs from the parent */
                SEC_DEFAULT_DESCRIPTOR               = 0x00000004, /**< the supplied descriptor is only a default, parent wins */
                SEC_OWNER_FROM_PARENT                = 0x00000008, /**< take owner_sid from the parent descriptor */
                SEC_GROUP_FROM_PARENT                = 0x00000010  /**< take group_sid from the parent descriptor */
        } security_autoinherit;
624
625         /***************************************************************/
626         /* Extended right guids */
627
628         const string GUID_DRS_ALLOCATE_RIDS           = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
629         const string GUID_DRS_CHANGE_DOMAIN_MASTER    = "014bf69c-7b3b-11d1-85f6-08002be74fab";
630         const string GUID_DRS_CHANGE_INFR_MASTER      = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
631         const string GUID_DRS_CHANGE_PDC              = "bae50096-4752-11d1-9052-00c04fc2d4cf";
632         const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
633         const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
634         const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
635         const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
636         const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
637         const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
638         const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
639         const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
640         const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
641         const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b";
642         const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529";
643
644         /***************************************************************/
645         /* validated writes guids */
646         const string GUID_DRS_VALIDATE_SPN            = "f3a64788-5306-11d1-a9c5-0000f80367c1";
647         const string GUID_DRS_SELF_MEMBERSHIP         = "bf9679c0-0de6-11d0-a285-00aa003049e2";
648         const string GUID_DRS_DNS_HOST_NAME           = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
649         const string GUID_DRS_ADD_DNS_HOST_NAME       = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
650         const string GUID_DRS_BEHAVIOR_VERSION        = "d31a8757-2447-4545-8081-3bb610cacbf2";
651
652         /* A type to describe the mapping of generic access rights to object
653            specific access rights. */
654
        /*
           Per-object-type table translating the four generic rights bits
           (SEC_GENERIC_*, top nibble of an access mask) into the concrete
           object-specific mask they expand to.  Each field is the expansion
           of the correspondingly named generic bit.
        */
        typedef struct {
                uint32 generic_read;    /**< mask substituted for SEC_GENERIC_READ */
                uint32 generic_write;   /**< mask substituted for SEC_GENERIC_WRITE */
                uint32 generic_execute; /**< mask substituted for SEC_GENERIC_EXECUTE */
                uint32 generic_all;     /**< mask substituted for SEC_GENERIC_ALL */
        } generic_mapping;
661
        /*
           Companion to generic_mapping for the standard rights (SEC_STD_*):
           the object-specific masks that the standard read/write/execute/all
           groupings expand to for a given object type.
        */
        typedef struct {
                uint32 std_read;        /**< expansion of the standard "read" grouping */
                uint32 std_write;       /**< expansion of the standard "write" grouping */
                uint32 std_execute;     /**< expansion of the standard "execute" grouping */
                uint32 std_all;         /**< expansion of the standard "all" grouping */
        } standard_mapping;
668 }