4 security IDL structures
10 use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11 just a dom sid, but with the sub_auths represented as a conformant
12 array. As with all in-structure conformant arrays, the array length
13 is placed before the start of the structure. That's what gives rise
14 to the extra num_auths element. We don't want the Samba code to
15 have to bother with such esoteric NDR details, so it's easier to just
16 define it as a dom_sid and use pidl magic to make it all work. It
17 just means you need to mark a sid as a "dom_sid2" in the IDL when you
18 know it is of the conformant array variety
/* All three aliases share struct dom_sid on the C side; only the NDR
 * wire encoding selected by the IDL name differs (conformant array,
 * fixed 28-byte buffer, or possibly-empty variable buffer). */
20 cpp_quote("#define dom_sid2 dom_sid")
22 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
23 cpp_quote("#define dom_sid28 dom_sid")
25 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
26 cpp_quote("#define dom_sid0 dom_sid")
29 pyhelper("librpc/ndr/py_security.c"),
30 pointer_default(unique)
35 typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
36 uint8 sid_rev_num; /**< SID revision number */
37 [range(0,15)] int8 num_auths; /**< Number of sub-authorities */
38 uint8 id_auth[6]; /**< Identifier Authority */
42 access masks are divided up like this:
45 a = generic rights bits SEC_GENERIC_
47 c = standard rights bits SEC_STD_
48 d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
50 common combinations of bits are prefixed with SEC_RIGHTS_
/* The four masks partition the 32-bit access mask with no overlap:
 * 0xF0000000 | 0x0F000000 | 0x00FF0000 | 0x0000FFFF == 0xFFFFFFFF. */
52 const int SEC_MASK_GENERIC = 0xF0000000;
53 const int SEC_MASK_FLAGS = 0x0F000000;
54 const int SEC_MASK_STANDARD = 0x00FF0000;
55 const int SEC_MASK_SPECIFIC = 0x0000FFFF;
/* Generic rights occupy the top nibble (SEC_MASK_GENERIC); they are
 * translated to object-specific bits via the SEC_RIGHTS_* mappings below.
 * NOTE(review): SEC_GENERIC_READ is 0x80000000, the sign bit of a 32-bit
 * int — confirm the generated C constant is unsigned where it is compared
 * against uint32 masks. */
58 const int SEC_GENERIC_ALL = 0x10000000;
59 const int SEC_GENERIC_EXECUTE = 0x20000000;
60 const int SEC_GENERIC_WRITE = 0x40000000;
61 const int SEC_GENERIC_READ = 0x80000000;
/* Flag bits live in SEC_MASK_FLAGS (0x0F000000). Only two of its four bits
 * are named; the remaining 0x04000000 / 0x08000000 are covered by
 * SEC_MASK_INVALID below. */
64 const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
65 const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
/* Standard rights (SEC_MASK_STANDARD). The two aggregates are derived:
 *   SEC_STD_REQUIRED (0x000F0000) == DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
 *   SEC_STD_ALL      (0x001F0000) == SEC_STD_REQUIRED | SYNCHRONIZE
 * WRITE_DAC / WRITE_OWNER are, by name, the rights to rewrite an object's
 * DACL and owner — effectively full control; treat grants of them as such. */
68 const int SEC_STD_DELETE = 0x00010000;
69 const int SEC_STD_READ_CONTROL = 0x00020000;
70 const int SEC_STD_WRITE_DAC = 0x00040000;
71 const int SEC_STD_WRITE_OWNER = 0x00080000;
72 const int SEC_STD_SYNCHRONIZE = 0x00100000;
73 const int SEC_STD_REQUIRED = 0x000F0000;
74 const int SEC_STD_ALL = 0x001F0000;
76 /* file specific bits */
/* Bit 0x40 is not named in the file set (it is SEC_DIR_DELETE_CHILD in the
 * directory set), but SEC_FILE_ALL (0x1ff) covers bits 0-8 and so includes it. */
77 const int SEC_FILE_READ_DATA = 0x00000001;
78 const int SEC_FILE_WRITE_DATA = 0x00000002;
79 const int SEC_FILE_APPEND_DATA = 0x00000004;
80 const int SEC_FILE_READ_EA = 0x00000008;
81 const int SEC_FILE_WRITE_EA = 0x00000010;
82 const int SEC_FILE_EXECUTE = 0x00000020;
83 const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
84 const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
85 const int SEC_FILE_ALL = 0x000001ff;
87 /* directory specific bits */
/* Same bit positions as the SEC_FILE_* set, with directory meanings, plus
 * DELETE_CHILD (0x40). There is no SEC_DIR_ALL; SEC_RIGHTS_DIR_ALL below
 * reuses SEC_RIGHTS_FILE_ALL. */
88 const int SEC_DIR_LIST = 0x00000001;
89 const int SEC_DIR_ADD_FILE = 0x00000002;
90 const int SEC_DIR_ADD_SUBDIR = 0x00000004;
91 const int SEC_DIR_READ_EA = 0x00000008;
92 const int SEC_DIR_WRITE_EA = 0x00000010;
93 const int SEC_DIR_TRAVERSE = 0x00000020;
94 const int SEC_DIR_DELETE_CHILD = 0x00000040;
95 const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
96 const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
98 /* registry entry specific bits */
/* Object-specific bits (SEC_MASK_SPECIFIC) as interpreted for registry keys. */
99 const int SEC_REG_QUERY_VALUE = 0x00000001;
100 const int SEC_REG_SET_VALUE = 0x00000002;
101 const int SEC_REG_CREATE_SUBKEY = 0x00000004;
102 const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
103 const int SEC_REG_NOTIFY = 0x00000010;
104 const int SEC_REG_CREATE_LINK = 0x00000020;
106 /* ldap specific access bits */
/* Object-specific bits as interpreted for directory (AD) objects.
 * NOTE(review): SEC_ADS_CONTROL_ACCESS (0x100) is presumably the bit that
 * object ACEs pair with the GUID_DRS_* extended-right guids listed later in
 * this file — confirm against the access-check code. */
107 const int SEC_ADS_CREATE_CHILD = 0x00000001;
108 const int SEC_ADS_DELETE_CHILD = 0x00000002;
109 const int SEC_ADS_LIST = 0x00000004;
110 const int SEC_ADS_SELF_WRITE = 0x00000008;
111 const int SEC_ADS_READ_PROP = 0x00000010;
112 const int SEC_ADS_WRITE_PROP = 0x00000020;
113 const int SEC_ADS_DELETE_TREE = 0x00000040;
114 const int SEC_ADS_LIST_OBJECT = 0x00000080;
115 const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
/* Bits that no named constant in this file uses, for rejecting malformed
 * masks: the two unnamed flag bits (0x0C000000), the standard bits above
 * SEC_STD_ALL (0x00E00000) and the specific bits above the highest named
 * specific bit 0x100 (0x0000FE00). Keep in sync when new bits are added. */
118 const int SEC_MASK_INVALID = 0x0ce0fe00;
120 /* generic->specific mappings for files */
121 const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
122 SEC_STD_SYNCHRONIZE |
124 SEC_FILE_READ_ATTRIBUTE |
127 const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
128 SEC_STD_SYNCHRONIZE |
129 SEC_FILE_WRITE_DATA |
130 SEC_FILE_WRITE_ATTRIBUTE |
132 SEC_FILE_APPEND_DATA;
134 const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
135 SEC_STD_READ_CONTROL |
136 SEC_FILE_READ_ATTRIBUTE |
/* SEC_RIGHTS_FILE_ALL == 0x001F01FF (SEC_STD_ALL | SEC_FILE_ALL). */
139 const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
141 /* generic->specific mappings for directories (same as files) */
/* The directory mappings are aliases, so any change to the file mappings
 * above changes directory semantics as well. */
142 const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
143 const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
144 const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
145 const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
147 /* rights granted by some specific privileges */
148 const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
149 SEC_FLAG_SYSTEM_SECURITY |
151 const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
154 const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
155 SEC_STD_WRITE_OWNER |
156 SEC_FLAG_SYSTEM_SECURITY |
158 const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
162 /* combinations of standard masks. */
/* MODIFY, EXECUTE and READ all resolve to the single READ_CONTROL bit; the
 * three names are documentary and grant nothing beyond each other. */
163 const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
164 const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
165 const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
166 const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
167 const int STANDARD_RIGHTS_WRITE_ACCESS =
168 (SEC_STD_WRITE_OWNER |
170 SEC_STD_DELETE); /* 0x000d0000 */
171 const int STANDARD_RIGHTS_REQUIRED_ACCESS =
173 SEC_STD_READ_CONTROL |
175 SEC_STD_WRITE_OWNER); /* 0x000f0000 */
177 /* generic->specific mappings for Directory Service objects */
178 /* directory specific part of GENERIC_ALL */
179 const int SEC_ADS_GENERIC_ALL_DS =
182 SEC_STD_WRITE_OWNER |
183 SEC_ADS_CREATE_CHILD |
184 SEC_ADS_DELETE_CHILD |
185 SEC_ADS_DELETE_TREE |
186 SEC_ADS_CONTROL_ACCESS);
/* GENERIC_EXECUTE on a DS object == 0x00020004 (READ_CONTROL | LIST). */
187 const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
188 const int SEC_ADS_GENERIC_WRITE =
189 (SEC_STD_READ_CONTROL |
192 const int SEC_ADS_GENERIC_READ =
193 (SEC_STD_READ_CONTROL |
196 SEC_ADS_LIST_OBJECT);
/* GENERIC_ALL for DS objects is the union of the three generic mappings
 * above plus the DS-only part (SEC_ADS_GENERIC_ALL_DS). */
197 const int SEC_ADS_GENERIC_ALL =
198 (SEC_ADS_GENERIC_EXECUTE |
199 SEC_ADS_GENERIC_WRITE |
200 SEC_ADS_GENERIC_READ |
201 SEC_ADS_GENERIC_ALL_DS);
203 /***************************************************************/
204 /* WELL KNOWN SIDS */
/* SIDs under the null (S-1-0), world (S-1-1) and creator (S-1-3)
 * authorities. SID_WORLD grants to every caller, unauthenticated ones
 * included — compare SID_NT_AUTHENTICATED_USERS below. */
207 const string SID_NULL = "S-1-0-0";
209 /* the world domain */
210 const string NAME_WORLD = "WORLD";
212 const string SID_WORLD_DOMAIN = "S-1-1";
213 const string SID_WORLD = "S-1-1-0";
215 /* SECURITY_CREATOR_SID_AUTHORITY */
/* CREATOR_OWNER / CREATOR_GROUP are placeholders substituted at inheritance
 * time (by name — confirm in the inheritance code). */
216 const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
217 const string SID_CREATOR_OWNER = "S-1-3-0";
218 const string SID_CREATOR_GROUP = "S-1-3-1";
219 const string SID_OWNER_RIGHTS = "S-1-3-4";
221 /* SECURITY_NT_AUTHORITY */
/* Well-known SIDs under S-1-5. SID_NT_ANONYMOUS (S-1-5-7) is not covered by
 * SID_NT_AUTHENTICATED_USERS (S-1-5-11); ACLs intended to exclude
 * unauthenticated callers should grant to the latter rather than SID_WORLD.
 * The S-1-5-64-* entries identify the authentication package used (by name). */
222 const string NAME_NT_AUTHORITY = "NT AUTHORITY";
224 const string SID_NT_AUTHORITY = "S-1-5";
225 const string SID_NT_DIALUP = "S-1-5-1";
226 const string SID_NT_NETWORK = "S-1-5-2";
227 const string SID_NT_BATCH = "S-1-5-3";
228 const string SID_NT_INTERACTIVE = "S-1-5-4";
229 const string SID_NT_SERVICE = "S-1-5-6";
230 const string SID_NT_ANONYMOUS = "S-1-5-7";
231 const string SID_NT_PROXY = "S-1-5-8";
232 const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
233 const string SID_NT_SELF = "S-1-5-10";
234 const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
235 const string SID_NT_RESTRICTED = "S-1-5-12";
236 const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
237 const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
238 const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
239 const string SID_NT_IUSR = "S-1-5-17";
240 const string SID_NT_SYSTEM = "S-1-5-18";
241 const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
242 const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
243 const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
244 const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
245 const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
246 const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
248 /* SECURITY_BUILTIN_DOMAIN_RID */
/* BUILTIN domain (S-1-5-32) groups. The numeric suffix of each string must
 * equal the matching BUILTIN_RID_* constant defined later in this file
 * (544..561); both lists have to be updated together. */
249 const string NAME_BUILTIN = "BUILTIN";
251 const string SID_BUILTIN = "S-1-5-32";
252 const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
253 const string SID_BUILTIN_USERS = "S-1-5-32-545";
254 const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
255 const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
256 const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
257 const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
258 const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
259 const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
260 const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
261 const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
262 const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
263 const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
264 const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
265 const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
266 const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
267 const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
268 const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
269 const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
271 /* SECURITY_NT_SERVICE */
/* Service SIDs live under S-1-5-80. NOTE(review): the five sub-authorities
 * of SID_NT_TRUSTED_INSTALLER are presumably derived from the service name
 * rather than assigned — confirm before relying on it for other services. */
272 const string NAME_NT_SERVICE = "NT SERVICE";
274 const string SID_NT_NT_SERVICE = "S-1-5-80";
275 const string SID_NT_TRUSTED_INSTALLER =
276 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
278 /* well-known domain RIDs */
/* RIDs appended to a domain SID. ADMINISTRATOR (500) and KRBTGT (502) are
 * fixed, so those accounts stay identifiable by RID regardless of rename.
 * DOMAIN_RID_RAS_SERVERS (553) deliberately matches BUILTIN_RID_RAS_SERVERS;
 * they are distinct SIDs because the domain part differs. */
279 const int DOMAIN_RID_LOGON = 9;
280 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
281 const int DOMAIN_RID_ADMINISTRATOR = 500;
282 const int DOMAIN_RID_GUEST = 501;
283 const int DOMAIN_RID_KRBTGT = 502;
284 const int DOMAIN_RID_ADMINS = 512;
285 const int DOMAIN_RID_USERS = 513;
286 const int DOMAIN_RID_GUESTS = 514;
287 const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
288 const int DOMAIN_RID_DCS = 516;
289 const int DOMAIN_RID_CERT_ADMINS = 517;
290 const int DOMAIN_RID_SCHEMA_ADMINS = 518;
291 const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
292 const int DOMAIN_RID_POLICY_ADMINS = 520;
293 const int DOMAIN_RID_READONLY_DCS = 521;
294 const int DOMAIN_RID_RAS_SERVERS = 553;
295 const int DOMAIN_RID_RODC_ALLOW = 571;
296 const int DOMAIN_RID_RODC_DENY = 572;
298 /* well-known builtin RIDs */
/* Numeric forms of the SID_BUILTIN_* strings above (S-1-5-32-<rid>); the
 * two lists must stay in step. */
299 const int BUILTIN_RID_ADMINISTRATORS = 544;
300 const int BUILTIN_RID_USERS = 545;
301 const int BUILTIN_RID_GUESTS = 546;
302 const int BUILTIN_RID_POWER_USERS = 547;
303 const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
304 const int BUILTIN_RID_SERVER_OPERATORS = 549;
305 const int BUILTIN_RID_PRINT_OPERATORS = 550;
306 const int BUILTIN_RID_BACKUP_OPERATORS = 551;
307 const int BUILTIN_RID_REPLICATOR = 552;
308 const int BUILTIN_RID_RAS_SERVERS = 553;
309 const int BUILTIN_RID_PRE_2K_ACCESS = 554;
310 const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
311 const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
312 const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
313 const int BUILTIN_RID_PERFMON_USERS = 558;
314 const int BUILTIN_RID_PERFLOG_USERS = 559;
315 const int BUILTIN_RID_AUTH_ACCESS = 560;
316 const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
318 /********************************************************************
319 This is a list of privileges reported by a Windows 2008 R2 DC
320 just for reference purposes (and I know the LUID is not guaranteed
323 0x00000002 SeCreateTokenPrivilege "Create a token object"
324 0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
325 0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
326 0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
327 0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
328 0x00000007 SeTcbPrivilege "Act as part of the operating system"
329 0x00000008 SeSecurityPrivilege "Manage auditing and security log"
330 0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
331 0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
332 0x0000000b SeSystemProfilePrivilege "Profile system performance"
333 0x0000000c SeSystemtimePrivilege "Change the system time"
334 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
335 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
336 0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
337 0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
338 0x00000011 SeBackupPrivilege "Back up files and directories"
339 0x00000012 SeRestorePrivilege "Restore files and directories"
340 0x00000013 SeShutdownPrivilege "Shut down the system"
341 0x00000014 SeDebugPrivilege "Debug programs"
342 0x00000015 SeAuditPrivilege "Generate security audits"
343 0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
344 0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
345 0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
346 0x00000019 SeUndockPrivilege "Remove computer from docking station"
347 0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
348 0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
349 0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
350 0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
351 0x0000001e SeCreateGlobalPrivilege "Create global objects"
352 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
353 0x00000020 SeRelabelPrivilege "Modify an object label"
354 0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
355 0x00000022 SeTimeZonePrivilege "Change the time zone"
356 0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"
358 ********************************************************************/
360 /* LUID values for privileges known about by Samba (bottom 32 bit of enum, top bits are 0) */
362 /* we have to define the LUID here due to a horrible check by printmig.exe
363 that requires the SeBackupPrivilege match what is in Windows. So match
364 those that we implement and start Samba privileges at 0x1001 */
367 SEC_PRIV_INCREASE_QUOTA = 0x5,
368 SEC_PRIV_MACHINE_ACCOUNT = 0x6,
369 SEC_PRIV_SECURITY = 0x8,
370 SEC_PRIV_TAKE_OWNERSHIP = 0x09,
371 SEC_PRIV_LOAD_DRIVER = 0x0a,
372 SEC_PRIV_SYSTEM_PROFILE = 0x0b,
373 SEC_PRIV_SYSTEMTIME = 0x0c,
374 SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
375 SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
376 SEC_PRIV_CREATE_PAGEFILE = 0x0f,
377 SEC_PRIV_BACKUP = 0x11,
378 SEC_PRIV_RESTORE = 0x12,
379 SEC_PRIV_SHUTDOWN = 0x13,
380 SEC_PRIV_DEBUG = 0x14,
381 SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
382 SEC_PRIV_CHANGE_NOTIFY = 0x17,
383 SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
384 SEC_PRIV_UNDOCK = 0x19,
385 SEC_PRIV_ENABLE_DELEGATION = 0x1b,
386 SEC_PRIV_MANAGE_VOLUME = 0x1c,
387 SEC_PRIV_IMPERSONATE = 0x1d,
388 SEC_PRIV_CREATE_GLOBAL = 0x1e,
389 /* Samba-specific privs */
390 SEC_PRIV_PRINT_OPERATOR = 0x1001,
391 SEC_PRIV_ADD_USERS = 0x1002,
392 SEC_PRIV_DISK_OPERATOR = 0x1003,
393 /* Windows privs not in the list above */
394 SEC_PRIV_INTERACTIVE_LOGON = 0x2022,
395 SEC_PRIV_NETWORK_LOGON = 0x2023,
396 SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 0x2024
400 /* Bitmap of privilege values for internal use only. We need
401 * our own bitmap here as privilages.tdb records these values
402 * as a bitmap (privilages.ldb uses the string forms).
404 typedef [bitmap64bit] bitmap {
405 SE_NETWORK_LOGON = 0x00000001,
406 SE_INTERACTIVE_LOGON = 0x00000002,
407 SE_BATCH_LOGON = 0x00000004,
408 SE_SERVICE_LOGON = 0x00000008,
409 SE_MACHINE_ACCOUNT = 0x00000010,
411 /* Samba-specific privs */
412 SE_PRINT_OPERATOR = 0x00000020,
413 SE_ADD_USERS = 0x00000040,
414 SE_DISK_OPERATOR = 0x00000080,
416 SE_REMOTE_SHUTDOWN = 0x00000100,
417 SE_BACKUP = 0x00000200,
418 SE_RESTORE = 0x00000400,
419 SE_TAKE_OWNERSHIP = 0x00000800,
420 SE_INCREASE_QUOTA = 0x00001000,
421 SE_SECURITY = 0x00002000,
422 SE_LOAD_DRIVER = 0x00004000,
423 SE_SYSTEM_PROFILE = 0x00008000,
424 SE_SYSTEMTIME = 0x00010000,
425 SE_PROFILE_SINGLE_PROCESS = 0x00020000,
426 SE_INCREASE_BASE_PRIORITY = 0x00040000,
427 SE_CREATE_PAGEFILE = 0x00080000,
428 SE_SHUTDOWN = 0x00100000,
429 SE_DEBUG = 0x00200000,
430 SE_SYSTEM_ENVIRONMENT = 0x00400000,
431 SE_CHANGE_NOTIFY = 0x00800000,
432 SE_UNDOCK = 0x01000000,
433 SE_ENABLE_DELEGATION = 0x02000000,
434 SE_MANAGE_VOLUME = 0x04000000,
435 SE_IMPERSONATE = 0x08000000,
436 SE_CREATE_GLOBAL = 0x10000000,
437 /* Windows privs not in the list above */
438 SE_REMOTE_INTERACTIVE_LOGON = 0x20000000
/* Per-ACE flag bits (security_ace.flags). The low nibble controls
 * inheritance; SEC_ACE_FLAG_VALID_INHERIT (0x0f) is exactly
 * OBJECT_INHERIT | CONTAINER_INHERIT | NO_PROPAGATE_INHERIT | INHERIT_ONLY,
 * i.e. the set of inherit bits a caller is allowed to supply. Bit 0x20 is
 * not named here. SUCCESSFUL_ACCESS / FAILED_ACCESS are, by name, audit
 * selectors for SEC_ACE_TYPE_SYSTEM_AUDIT ACEs — confirm in the audit code. */
441 typedef [public,bitmap8bit] bitmap {
442 SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
443 SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
444 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
445 SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
446 SEC_ACE_FLAG_INHERITED_ACE = 0x10,
447 SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
448 SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
449 SEC_ACE_FLAG_FAILED_ACCESS = 0x80
450 } security_ace_flags;
452 typedef [public,enum8bit] enum {
453 SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
454 SEC_ACE_TYPE_ACCESS_DENIED = 1,
455 SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
456 SEC_ACE_TYPE_SYSTEM_ALARM = 3,
457 SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
458 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
459 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
460 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
461 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
/* Selects which of the two optional GUIDs an object ACE carries. Each bit is
 * the switch_is() discriminator of the corresponding union member in
 * security_ace_object (type / inherited_type), so a GUID is only marshalled
 * when its bit is set. */
464 typedef [bitmap32bit] bitmap {
465 SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
466 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
467 } security_ace_object_flags;
469 typedef [nodiscriminant] union {
470 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
471 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
473 } security_ace_object_type;
475 typedef [nodiscriminant] union {
476 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
477 * (of the parent container)
479 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
481 } security_ace_object_inherited_type;
484 security_ace_object_flags flags;
485 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
486 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
487 } security_ace_object;
489 typedef [public,nodiscriminant] union {
490 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
491 [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
492 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
493 [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
495 } security_ace_object_ctr;
497 typedef [public,nopull,gensize,nosize] struct {
498 security_ace_type type; /* SEC_ACE_TYPE_* */
499 security_ace_flags flags; /* SEC_ACE_FLAG_* */
500 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
502 [switch_is(type)] security_ace_object_ctr object;
507 SECURITY_ACL_REVISION_NT4 = 2,
508 SECURITY_ACL_REVISION_ADS = 4
509 } security_acl_revision;
/* Alias for the NT4-style ACL revision (2). By name, SECURITY_ACL_REVISION_ADS
 * (4) is the revision used when object ACEs are present — confirm in the
 * ACL builders before assuming revision 2 is acceptable there. */
511 const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
513 typedef [public,gensize,nosize] struct {
514 security_acl_revision revision;
515 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
516 [range(0,1000)] uint32 num_aces;
517 security_ace aces[num_aces];
520 /* default revision for new security descriptors (used by security_descriptor.revision) */
521 typedef [public,enum8bit] enum {
522 SECURITY_DESCRIPTOR_REVISION_1 = 1
523 } security_descriptor_revision;
/* Revision stamped on newly built security descriptors; only revision 1 is
 * defined in this file. */
525 const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
527 /* security_descriptor->type bits */
/* Control bits for security_descriptor.type. DACL_PRESENT / SACL_PRESENT
 * pair with the dacl / sacl pointers of security_descriptor.
 * NOTE(review): a descriptor with DACL_PRESENT clear is conventionally not
 * the same as one with an empty DACL — confirm the access-check code keeps
 * the two cases apart. SELF_RELATIVE (0x8000) presumably marks the
 * offset-pointer ([relative]) encoding — confirm. */
528 typedef [public,bitmap16bit] bitmap {
529 SEC_DESC_OWNER_DEFAULTED = 0x0001,
530 SEC_DESC_GROUP_DEFAULTED = 0x0002,
531 SEC_DESC_DACL_PRESENT = 0x0004,
532 SEC_DESC_DACL_DEFAULTED = 0x0008,
533 SEC_DESC_SACL_PRESENT = 0x0010,
534 SEC_DESC_SACL_DEFAULTED = 0x0020,
535 SEC_DESC_DACL_TRUSTED = 0x0040,
536 SEC_DESC_SERVER_SECURITY = 0x0080,
537 SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
538 SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
539 SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
540 SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
541 SEC_DESC_DACL_PROTECTED = 0x1000,
542 SEC_DESC_SACL_PROTECTED = 0x2000,
543 SEC_DESC_RM_CONTROL_VALID = 0x4000,
544 SEC_DESC_SELF_RELATIVE = 0x8000
545 } security_descriptor_type;
/* NT security descriptor. flag(NDR_LITTLE_ENDIAN) pins the wire byte order
 * regardless of the enclosing NDR context. The [relative] pointers are
 * marshalled as offsets from the start of the structure (pidl relative
 * pointers); any of them may be NULL on the wire. gensize generates
 * ndr_size_security_descriptor(), which sec_desc_buf below uses to derive
 * sd_size. */
547 typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
548 security_descriptor_revision revision;
549 security_descriptor_type type; /* SEC_DESC_xxxx flags */
550 [relative] dom_sid *owner_sid;
551 [relative] dom_sid *group_sid;
552 [relative] security_acl *sacl; /* system ACL */
553 [relative] security_acl *dacl; /* user (discretionary) ACL */
554 } security_descriptor;
556 typedef [public] struct {
557 [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
558 [subcontext(4)] security_descriptor *sd;
561 typedef [public] struct {
563 [size_is(num_sids)] dom_sid sids[*];
564 udlong privilege_mask;
567 /* bits that determine which parts of a security descriptor
568 are being queried/set */
569 typedef [public,bitmap32bit] bitmap {
570 SECINFO_OWNER = 0x00000001,
571 SECINFO_GROUP = 0x00000002,
572 SECINFO_DACL = 0x00000004,
573 SECINFO_SACL = 0x00000008,
574 SECINFO_UNPROTECTED_SACL = 0x10000000,
575 SECINFO_UNPROTECTED_DACL = 0x20000000,
576 SECINFO_PROTECTED_SACL = 0x40000000,
577 SECINFO_PROTECTED_DACL = 0x80000000
580 typedef [public,bitmap32bit] bitmap {
581 KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
582 KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
583 KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
584 KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
585 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
/* Options controlling how a child descriptor is derived from its parent
 * (which ACLs auto-inherit, and whether owner/group are copied from the
 * parent or a default descriptor is used) — by name; see the inheritance
 * code for the exact rules. */
588 typedef [public,bitmap32bit] bitmap {
589 SEC_DACL_AUTO_INHERIT = 0x00000001,
590 SEC_SACL_AUTO_INHERIT = 0x00000002,
591 SEC_DEFAULT_DESCRIPTOR = 0x00000004,
592 SEC_OWNER_FROM_PARENT = 0x00000008,
593 SEC_GROUP_FROM_PARENT = 0x00000010
594 } security_autoinherit;
596 /***************************************************************/
597 /* Extended right guids */
/* Extended-right GUIDs matched against object ACEs. Grants of the
 * replication rights (GET_CHANGES, GET_ALL_CHANGES, RO_REPL_SECRET_SYNC)
 * and of FORCE_CHANGE_PASSWORD confer domain-wide privilege and are worth
 * auditing explicitly. Note the identifier GUID_DRS_REPL_SYNCRONIZE keeps
 * its historical spelling; renaming it would break callers. */
599 const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
600 const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
601 const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
602 const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
603 const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
604 const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
605 const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
606 const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
607 const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
608 const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
609 const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
610 const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
611 const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
612 const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
613 const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
615 /***************************************************************/
616 /* validated writes guids */
/* Validated-write GUIDs: rights that allow a constrained, server-checked
 * write to a specific attribute (by name) rather than full write access.
 * NOTE(review): the server-side validation for each of these lives outside
 * this file — confirm it is enforced before treating them as low-risk. */
617 const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
618 const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
619 const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
620 const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
621 const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
623 /* A type to describe the mapping of generic access rights to object
624 specific access rights. */
628 uint32 generic_write;
629 uint32 generic_execute;