*/
import "misc.idl";
-import "dom_sid.idl";
/*
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
cpp_quote("#define dom_sid0 dom_sid")
-
-
[
- helper("librpc/gen_ndr/ndr_dom_sid.h"),
+ pyhelper("librpc/ndr/py_security.c"),
pointer_default(unique)
]
interface security
const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
+ /* rights granted by some specific privileges */
+ const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
+ SEC_FLAG_SYSTEM_SECURITY |
+ SEC_GENERIC_READ;
+ const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
+ | SEC_DIR_TRAVERSE;
+
+ const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER |
+ SEC_FLAG_SYSTEM_SECURITY |
+ SEC_STD_DELETE;
+ const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
+ SEC_DIR_ADD_FILE |
+ SEC_DIR_ADD_SUBDIR;
+
/* combinations of standard masks. */
const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER); /* 0x000f0000 */
+ /* generic->specific mappings for Directory Service objects */
+ /* directory specific part of GENERIC_ALL */
+ const int SEC_ADS_GENERIC_ALL_DS =
+ (SEC_STD_DELETE |
+ SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER |
+ SEC_ADS_CREATE_CHILD |
+ SEC_ADS_DELETE_CHILD |
+ SEC_ADS_DELETE_TREE |
+ SEC_ADS_CONTROL_ACCESS);
+ const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
+ const int SEC_ADS_GENERIC_WRITE =
+ (SEC_STD_READ_CONTROL |
+ SEC_ADS_SELF_WRITE |
+ SEC_ADS_WRITE_PROP);
+ const int SEC_ADS_GENERIC_READ =
+ (SEC_STD_READ_CONTROL |
+ SEC_ADS_LIST |
+ SEC_ADS_READ_PROP |
+ SEC_ADS_LIST_OBJECT);
+ const int SEC_ADS_GENERIC_ALL =
+ (SEC_ADS_GENERIC_EXECUTE |
+ SEC_ADS_GENERIC_WRITE |
+ SEC_ADS_GENERIC_READ |
+ SEC_ADS_GENERIC_ALL_DS);
+
/***************************************************************/
/* WELL KNOWN SIDS */
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
+ const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
+ const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
+ const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
+
+ /* SECURITY_NT_SERVICE */
+ const string NAME_NT_SERVICE = "NT SERVICE";
+
+ const string SID_NT_NT_SERVICE = "S-1-5-80";
+ const string SID_NT_TRUSTED_INSTALLER =
+ "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
/* well-known domain RIDs */
- const int DOMAIN_RID_LOGON = 9;
- const int DOMAIN_RID_ADMINISTRATOR = 500;
- const int DOMAIN_RID_GUEST = 501;
- const int DOMAIN_RID_ADMINS = 512;
- const int DOMAIN_RID_USERS = 513;
- const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
- const int DOMAIN_RID_DCS = 516;
- const int DOMAIN_RID_CERT_ADMINS = 517;
- const int DOMAIN_RID_SCHEMA_ADMINS = 518;
- const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
+ const int DOMAIN_RID_LOGON = 9;
+ const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
+ const int DOMAIN_RID_ADMINISTRATOR = 500;
+ const int DOMAIN_RID_GUEST = 501;
+ const int DOMAIN_RID_KRBTGT = 502;
+ const int DOMAIN_RID_ADMINS = 512;
+ const int DOMAIN_RID_USERS = 513;
+ const int DOMAIN_RID_GUESTS = 514;
+ const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
+ const int DOMAIN_RID_DCS = 516;
+ const int DOMAIN_RID_CERT_ADMINS = 517;
+ const int DOMAIN_RID_SCHEMA_ADMINS = 518;
+ const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
+ const int DOMAIN_RID_POLICY_ADMINS = 520;
+ const int DOMAIN_RID_READONLY_DCS = 521;
+ const int DOMAIN_RID_RAS_SERVERS = 553;
/*
SEC_PRIV_ENABLE_DELEGATION = 21,
SEC_PRIV_INTERACTIVE_LOGON = 22,
SEC_PRIV_NETWORK_LOGON = 23,
- SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24
+ SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24,
+ SEC_PRIV_MACHINE_ACCOUNT = 25
} sec_privilege;
typedef [public,nopull,gensize,nosize] struct {
security_ace_type type; /* SEC_ACE_TYPE_* */
security_ace_flags flags; /* SEC_ACE_FLAG_* */
- [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
+ [value(ndr_size_security_ace(r,ndr->iconv_convenience,ndr->flags))] uint16 size;
uint32 access_mask;
[switch_is(type)] security_ace_object_ctr object;
dom_sid trustee;
typedef [public,gensize,nosize] struct {
security_acl_revision revision;
- [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
+ [value(ndr_size_security_acl(r,ndr->iconv_convenience,ndr->flags))] uint16 size;
[range(0,1000)] uint32 num_aces;
security_ace aces[num_aces];
} security_acl;
/* default revision for new ACLs */
- typedef [enum8bit] enum {
+ typedef [public,enum8bit] enum {
SECURITY_DESCRIPTOR_REVISION_1 = 1
} security_descriptor_revision;
const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
/* security_descriptor->type bits */
- typedef [bitmap16bit] bitmap {
+ typedef [public,bitmap16bit] bitmap {
SEC_DESC_OWNER_DEFAULTED = 0x0001,
SEC_DESC_GROUP_DEFAULTED = 0x0002,
SEC_DESC_DACL_PRESENT = 0x0004,
} security_descriptor;
typedef [public] struct {
- [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
+ [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->iconv_convenience,ndr->flags))] uint32 sd_size;
[subcontext(4)] security_descriptor *sd;
} sec_desc_buf;
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
} kerb_EncTypes;
+ typedef [public,bitmap32bit] bitmap {
+ SEC_DACL_AUTO_INHERIT = 0x00000001,
+ SEC_SACL_AUTO_INHERIT = 0x00000002,
+ SEC_DEFAULT_DESCRIPTOR = 0x00000004,
+ SEC_OWNER_FROM_PARENT = 0x00000008,
+ SEC_GROUP_FROM_PARENT = 0x00000010
+ } security_autoinherit;
}