4 security IDL structures
10 use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11 just a dom sid, but with the sub_auths represented as a conformant
12 array. As with all in-structure conformant arrays, the array length
13 is placed before the start of the structure. That's what gives rise
14 to the extra num_auths elemenent. We don't want the Samba code to
15 have to bother with such esoteric NDR details, so its easier to just
16 define it as a dom_sid and use pidl magic to make it all work. It
17 just means you need to mark a sid as a "dom_sid2" in the IDL when you
18 know it is of the conformant array variety
20 cpp_quote("#define dom_sid2 dom_sid")
22 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
23 cpp_quote("#define dom_sid28 dom_sid")
25 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
26 cpp_quote("#define dom_sid0 dom_sid")
29 pyhelper("librpc/ndr/py_security.c"),
30 pointer_default(unique)
35 typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
36 uint8 sid_rev_num; /**< SID revision number */
37 [range(0,15)] int8 num_auths; /**< Number of sub-authorities */
38 uint8 id_auth[6]; /**< Identifier Authority */
42 access masks are divided up like this:
45 a = generic rights bits SEC_GENERIC_
47 c = standard rights bits SEC_STD_
48 d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
50 common combinations of bits are prefixed with SEC_RIGHTS_
52 const int SEC_MASK_GENERIC = 0xF0000000;
53 const int SEC_MASK_FLAGS = 0x0F000000;
54 const int SEC_MASK_STANDARD = 0x00FF0000;
55 const int SEC_MASK_SPECIFIC = 0x0000FFFF;
58 const int SEC_GENERIC_ALL = 0x10000000;
59 const int SEC_GENERIC_EXECUTE = 0x20000000;
60 const int SEC_GENERIC_WRITE = 0x40000000;
61 const int SEC_GENERIC_READ = 0x80000000;
64 const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
65 const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
68 const int SEC_STD_DELETE = 0x00010000;
69 const int SEC_STD_READ_CONTROL = 0x00020000;
70 const int SEC_STD_WRITE_DAC = 0x00040000;
71 const int SEC_STD_WRITE_OWNER = 0x00080000;
72 const int SEC_STD_SYNCHRONIZE = 0x00100000;
73 const int SEC_STD_REQUIRED = 0x000F0000;
74 const int SEC_STD_ALL = 0x001F0000;
76 /* file specific bits */
77 const int SEC_FILE_READ_DATA = 0x00000001;
78 const int SEC_FILE_WRITE_DATA = 0x00000002;
79 const int SEC_FILE_APPEND_DATA = 0x00000004;
80 const int SEC_FILE_READ_EA = 0x00000008;
81 const int SEC_FILE_WRITE_EA = 0x00000010;
82 const int SEC_FILE_EXECUTE = 0x00000020;
83 const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
84 const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
85 const int SEC_FILE_ALL = 0x000001ff;
87 /* directory specific bits */
88 const int SEC_DIR_LIST = 0x00000001;
89 const int SEC_DIR_ADD_FILE = 0x00000002;
90 const int SEC_DIR_ADD_SUBDIR = 0x00000004;
91 const int SEC_DIR_READ_EA = 0x00000008;
92 const int SEC_DIR_WRITE_EA = 0x00000010;
93 const int SEC_DIR_TRAVERSE = 0x00000020;
94 const int SEC_DIR_DELETE_CHILD = 0x00000040;
95 const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
96 const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
98 /* registry entry specific bits */
99 const int SEC_REG_QUERY_VALUE = 0x00000001;
100 const int SEC_REG_SET_VALUE = 0x00000002;
101 const int SEC_REG_CREATE_SUBKEY = 0x00000004;
102 const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
103 const int SEC_REG_NOTIFY = 0x00000010;
104 const int SEC_REG_CREATE_LINK = 0x00000020;
106 /* ldap specific access bits */
107 const int SEC_ADS_CREATE_CHILD = 0x00000001;
108 const int SEC_ADS_DELETE_CHILD = 0x00000002;
109 const int SEC_ADS_LIST = 0x00000004;
110 const int SEC_ADS_SELF_WRITE = 0x00000008;
111 const int SEC_ADS_READ_PROP = 0x00000010;
112 const int SEC_ADS_WRITE_PROP = 0x00000020;
113 const int SEC_ADS_DELETE_TREE = 0x00000040;
114 const int SEC_ADS_LIST_OBJECT = 0x00000080;
115 const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
118 const int SEC_MASK_INVALID = 0x0ce0fe00;
120 /* generic->specific mappings for files */
121 const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
122 SEC_STD_SYNCHRONIZE |
124 SEC_FILE_READ_ATTRIBUTE |
127 const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
128 SEC_STD_SYNCHRONIZE |
129 SEC_FILE_WRITE_DATA |
130 SEC_FILE_WRITE_ATTRIBUTE |
132 SEC_FILE_APPEND_DATA;
134 const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
135 SEC_STD_READ_CONTROL |
136 SEC_FILE_READ_ATTRIBUTE |
139 const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
141 /* generic->specific mappings for directories (same as files) */
142 const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
143 const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
144 const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
145 const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
147 /* rights granted by some specific privileges */
148 const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
149 SEC_FLAG_SYSTEM_SECURITY |
151 const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
154 const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
155 SEC_STD_WRITE_OWNER |
156 SEC_FLAG_SYSTEM_SECURITY |
158 const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
162 /* combinations of standard masks. */
163 const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
164 const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
165 const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
166 const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
167 const int STANDARD_RIGHTS_WRITE_ACCESS =
168 (SEC_STD_WRITE_OWNER |
170 SEC_STD_DELETE); /* 0x000d0000 */
171 const int STANDARD_RIGHTS_REQUIRED_ACCESS =
173 SEC_STD_READ_CONTROL |
175 SEC_STD_WRITE_OWNER); /* 0x000f0000 */
177 /* generic->specific mappings for Directory Service objects */
178 /* directory specific part of GENERIC_ALL */
179 const int SEC_ADS_GENERIC_ALL_DS =
182 SEC_STD_WRITE_OWNER |
183 SEC_ADS_CREATE_CHILD |
184 SEC_ADS_DELETE_CHILD |
185 SEC_ADS_DELETE_TREE |
186 SEC_ADS_CONTROL_ACCESS);
187 const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
188 const int SEC_ADS_GENERIC_WRITE =
189 (SEC_STD_READ_CONTROL |
192 const int SEC_ADS_GENERIC_READ =
193 (SEC_STD_READ_CONTROL |
196 SEC_ADS_LIST_OBJECT);
197 const int SEC_ADS_GENERIC_ALL =
198 (SEC_ADS_GENERIC_EXECUTE |
199 SEC_ADS_GENERIC_WRITE |
200 SEC_ADS_GENERIC_READ |
201 SEC_ADS_GENERIC_ALL_DS);
203 /***************************************************************/
204 /* WELL KNOWN SIDS */
207 const string SID_NULL = "S-1-0-0";
209 /* the world domain */
210 const string NAME_WORLD = "WORLD";
212 const string SID_WORLD_DOMAIN = "S-1-1";
213 const string SID_WORLD = "S-1-1-0";
215 /* SECURITY_CREATOR_SID_AUTHORITY */
216 const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
217 const string SID_CREATOR_OWNER = "S-1-3-0";
218 const string SID_CREATOR_GROUP = "S-1-3-1";
219 const string SID_OWNER_RIGHTS = "S-1-3-4";
221 /* SECURITY_NT_AUTHORITY */
222 const string NAME_NT_AUTHORITY = "NT AUTHORITY";
224 const string SID_NT_AUTHORITY = "S-1-5";
225 const string SID_NT_DIALUP = "S-1-5-1";
226 const string SID_NT_NETWORK = "S-1-5-2";
227 const string SID_NT_BATCH = "S-1-5-3";
228 const string SID_NT_INTERACTIVE = "S-1-5-4";
229 const string SID_NT_SERVICE = "S-1-5-6";
230 const string SID_NT_ANONYMOUS = "S-1-5-7";
231 const string SID_NT_PROXY = "S-1-5-8";
232 const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
233 const string SID_NT_SELF = "S-1-5-10";
234 const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
235 const string SID_NT_RESTRICTED = "S-1-5-12";
236 const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
237 const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
238 const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
239 const string SID_NT_IUSR = "S-1-5-17";
240 const string SID_NT_SYSTEM = "S-1-5-18";
241 const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
242 const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
243 const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
244 const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
245 const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
246 const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
248 /* SECURITY_BUILTIN_DOMAIN_RID */
249 const string NAME_BUILTIN = "BUILTIN";
251 const string SID_BUILTIN = "S-1-5-32";
252 const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
253 const string SID_BUILTIN_USERS = "S-1-5-32-545";
254 const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
255 const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
256 const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
257 const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
258 const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
259 const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
260 const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
261 const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
262 const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
263 const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
264 const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
265 const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
266 const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
267 const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
268 const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
269 const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
271 /* SECURITY_NT_SERVICE */
272 const string NAME_NT_SERVICE = "NT SERVICE";
274 const string SID_NT_NT_SERVICE = "S-1-5-80";
275 const string SID_NT_TRUSTED_INSTALLER =
276 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
278 /* well-known domain RIDs */
279 const int DOMAIN_RID_LOGON = 9;
280 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
281 const int DOMAIN_RID_ADMINISTRATOR = 500;
282 const int DOMAIN_RID_GUEST = 501;
283 const int DOMAIN_RID_KRBTGT = 502;
284 const int DOMAIN_RID_ADMINS = 512;
285 const int DOMAIN_RID_USERS = 513;
286 const int DOMAIN_RID_GUESTS = 514;
287 const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
288 const int DOMAIN_RID_DCS = 516;
289 const int DOMAIN_RID_CERT_ADMINS = 517;
290 const int DOMAIN_RID_SCHEMA_ADMINS = 518;
291 const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
292 const int DOMAIN_RID_POLICY_ADMINS = 520;
293 const int DOMAIN_RID_READONLY_DCS = 521;
294 const int DOMAIN_RID_RAS_SERVERS = 553;
295 const int DOMAIN_RID_RODC_ALLOW = 571;
296 const int DOMAIN_RID_RODC_DENY = 572;
298 /* well-known builtin RIDs */
299 const int BUILTIN_RID_ADMINISTRATORS = 544;
300 const int BUILTIN_RID_USERS = 545;
301 const int BUILTIN_RID_GUESTS = 546;
302 const int BUILTIN_RID_POWER_USERS = 547;
303 const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
304 const int BUILTIN_RID_SERVER_OPERATORS = 549;
305 const int BUILTIN_RID_PRINT_OPERATORS = 550;
306 const int BUILTIN_RID_BACKUP_OPERATORS = 551;
307 const int BUILTIN_RID_REPLICATOR = 552;
308 const int BUILTIN_RID_RAS_SERVERS = 553;
309 const int BUILTIN_RID_PRE_2K_ACCESS = 554;
310 const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
311 const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
312 const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
313 const int BUILTIN_RID_PERFMON_USERS = 558;
314 const int BUILTIN_RID_PERFLOG_USERS = 559;
315 const int BUILTIN_RID_AUTH_ACCESS = 560;
316 const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
318 /********************************************************************
319 This is a list of privileges reported by a WIndows 2000 SP4 AD DC
320 just for reference purposes (and I know the LUID is not guaranteed
323 SeCreateTokenPrivilege Create a token object ( 0x0, 0x2 )
324 SeAssignPrimaryTokenPrivilege Replace a process level token ( 0x0, 0x3 )
325 SeLockMemoryPrivilege Lock pages in memory ( 0x0, 0x4 )
326 SeIncreaseQuotaPrivilege Increase quotas ( 0x0, 0x5 )
327 SeMachineAccountPrivilege Add workstations to domain ( 0x0, 0x6 )
328 SeTcbPrivilege Act as part of the operating system ( 0x0, 0x7 )
329 SeSecurityPrivilege Manage auditing and security log ( 0x0, 0x8 )
330 SeTakeOwnershipPrivilege Take ownership of files or other objects ( 0x0, 0x9 )
331 SeLoadDriverPrivilege Load and unload device drivers ( 0x0, 0xa )
332 SeSystemProfilePrivilege Profile system performance ( 0x0, 0xb )
333 SeSystemtimePrivilege Change the system time ( 0x0, 0xc )
334 SeProfileSingleProcessPrivilege Profile single process ( 0x0, 0xd )
335 SeIncreaseBasePriorityPrivilege Increase scheduling priority ( 0x0, 0xe )
336 SeCreatePagefilePrivilege Create a pagefile ( 0x0, 0xf )
337 SeCreatePermanentPrivilege Create permanent shared objects ( 0x0, 0x10 )
338 SeBackupPrivilege Back up files and directories ( 0x0, 0x11 )
339 SeRestorePrivilege Restore files and directories ( 0x0, 0x12 )
340 SeShutdownPrivilege Shut down the system ( 0x0, 0x13 )
341 SeDebugPrivilege Debug programs ( 0x0, 0x14 )
342 SeAuditPrivilege Generate security audits ( 0x0, 0x15 )
343 SeSystemEnvironmentPrivilege Modify firmware environment values ( 0x0, 0x16 )
344 SeChangeNotifyPrivilege Bypass traverse checking ( 0x0, 0x17 )
345 SeRemoteShutdownPrivilege Force shutdown from a remote system ( 0x0, 0x18 )
346 SeUndockPrivilege Remove computer from docking station ( 0x0, 0x19 )
347 SeSyncAgentPrivilege Synchronize directory service data ( 0x0, 0x1a )
348 SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
349 SeManageVolumePrivilege Perform volume maintenance tasks ( 0x0, 0x1c )
350 SeImpersonatePrivilege Impersonate a client after authentication ( 0x0, 0x1d )
351 SeCreateGlobalPrivilege Create global objects ( 0x0, 0x1e )
353 ********************************************************************/
355 /* we have to define the LUID here due to a horrible check by printmig.exe
356 that requires the SeBackupPrivilege match what is in Windows. So match
357 those that we implement and start Samba privileges at 0x1001 */
360 SEC_PRIV_INCREASE_QUOTA = 0x5,
361 SEC_PRIV_MACHINE_ACCOUNT = 0x6,
362 SEC_PRIV_SECURITY = 0x8,
363 SEC_PRIV_TAKE_OWNERSHIP = 0x09,
364 SEC_PRIV_LOAD_DRIVER = 0x0a,
365 SEC_PRIV_SYSTEM_PROFILE = 0x0b,
366 SEC_PRIV_SYSTEMTIME = 0x0c,
367 SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
368 SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
369 SEC_PRIV_CREATE_PAGEFILE = 0x0f,
370 SEC_PRIV_BACKUP = 0x11,
371 SEC_PRIV_RESTORE = 0x12,
372 SEC_PRIV_SHUTDOWN = 0x13,
373 SEC_PRIV_DEBUG = 0x14,
374 SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
375 SEC_PRIV_CHANGE_NOTIFY = 0x17,
376 SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
377 SEC_PRIV_UNDOCK = 0x19,
378 SEC_PRIV_ENABLE_DELEGATION = 0x1b,
379 SEC_PRIV_MANAGE_VOLUME = 0x1c,
380 SEC_PRIV_IMPERSONATE = 0x1d,
381 SEC_PRIV_CREATE_GLOBAL = 0x1e,
382 /* Samba-specific privs */
383 SEC_PRIV_PRINT_OPERATOR = 0x1001,
384 SEC_PRIV_ADD_USERS = 0x1002,
385 SEC_PRIV_DISK_OPERATOR = 0x1003,
386 /* Windows privs not in the list above */
387 SEC_PRIV_INTERACTIVE_LOGON = 0x2022,
388 SEC_PRIV_NETWORK_LOGON = 0x2023,
389 SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 0x2024
393 * We will use our own bitmap here as the Samba3 privilages.tdb records these values
395 typedef [bitmap64bit] bitmap {
396 SE_NETWORK_LOGON = 0x00000001,
397 SE_INTERACTIVE_LOGON = 0x00000002,
398 SE_BATCH_LOGON = 0x00000004,
399 SE_SERVICE_LOGON = 0x00000008,
400 SE_MACHINE_ACCOUNT = 0x00000010,
402 /* Samba-specific privs */
403 SE_PRINT_OPERATOR = 0x00000020,
404 SE_ADD_USERS = 0x00000040,
405 SE_DISK_OPERATOR = 0x00000080,
407 SE_REMOTE_SHUTDOWN = 0x00000100,
408 SE_BACKUP = 0x00000200,
409 SE_RESTORE = 0x00000400,
410 SE_TAKE_OWNERSHIP = 0x00000800,
411 SE_INCREASE_QUOTA = 0x00001000,
412 SE_SECURITY = 0x00002000,
413 SE_LOAD_DRIVER = 0x00004000,
414 SE_SYSTEM_PROFILE = 0x00008000,
415 SE_SYSTEMTIME = 0x00010000,
416 SE_PROFILE_SINGLE_PROCESS = 0x00020000,
417 SE_INCREASE_BASE_PRIORITY = 0x00040000,
418 SE_CREATE_PAGEFILE = 0x00080000,
419 SE_SHUTDOWN = 0x00100000,
420 SE_DEBUG = 0x00200000,
421 SE_SYSTEM_ENVIRONMENT = 0x00400000,
422 SE_CHANGE_NOTIFY = 0x00800000,
423 SE_UNDOCK = 0x01000000,
424 SE_ENABLE_DELEGATION = 0x02000000,
425 SE_MANAGE_VOLUME = 0x04000000,
426 SE_IMPERSONATE = 0x08000000,
427 SE_CREATE_GLOBAL = 0x10000000,
428 /* Windows privs not in the list above */
429 SE_REMOTE_INTERACTIVE_LOGON = 0x20000000
432 typedef [public,bitmap8bit] bitmap {
433 SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
434 SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
435 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
436 SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
437 SEC_ACE_FLAG_INHERITED_ACE = 0x10,
438 SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
439 SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
440 SEC_ACE_FLAG_FAILED_ACCESS = 0x80
441 } security_ace_flags;
443 typedef [public,enum8bit] enum {
444 SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
445 SEC_ACE_TYPE_ACCESS_DENIED = 1,
446 SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
447 SEC_ACE_TYPE_SYSTEM_ALARM = 3,
448 SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
449 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
450 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
451 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
452 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
455 typedef [bitmap32bit] bitmap {
456 SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
457 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
458 } security_ace_object_flags;
460 typedef [nodiscriminant] union {
461 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
462 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
464 } security_ace_object_type;
466 typedef [nodiscriminant] union {
467 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
468 * (of the parent container)
470 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
472 } security_ace_object_inherited_type;
475 security_ace_object_flags flags;
476 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
477 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
478 } security_ace_object;
480 typedef [public,nodiscriminant] union {
481 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
482 [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
483 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
484 [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
486 } security_ace_object_ctr;
488 typedef [public,nopull,gensize,nosize] struct {
489 security_ace_type type; /* SEC_ACE_TYPE_* */
490 security_ace_flags flags; /* SEC_ACE_FLAG_* */
491 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
493 [switch_is(type)] security_ace_object_ctr object;
498 SECURITY_ACL_REVISION_NT4 = 2,
499 SECURITY_ACL_REVISION_ADS = 4
500 } security_acl_revision;
502 const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
504 typedef [public,gensize,nosize] struct {
505 security_acl_revision revision;
506 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
507 [range(0,1000)] uint32 num_aces;
508 security_ace aces[num_aces];
511 /* default revision for new ACLs */
512 typedef [public,enum8bit] enum {
513 SECURITY_DESCRIPTOR_REVISION_1 = 1
514 } security_descriptor_revision;
516 const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
518 /* security_descriptor->type bits */
519 typedef [public,bitmap16bit] bitmap {
520 SEC_DESC_OWNER_DEFAULTED = 0x0001,
521 SEC_DESC_GROUP_DEFAULTED = 0x0002,
522 SEC_DESC_DACL_PRESENT = 0x0004,
523 SEC_DESC_DACL_DEFAULTED = 0x0008,
524 SEC_DESC_SACL_PRESENT = 0x0010,
525 SEC_DESC_SACL_DEFAULTED = 0x0020,
526 SEC_DESC_DACL_TRUSTED = 0x0040,
527 SEC_DESC_SERVER_SECURITY = 0x0080,
528 SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
529 SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
530 SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
531 SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
532 SEC_DESC_DACL_PROTECTED = 0x1000,
533 SEC_DESC_SACL_PROTECTED = 0x2000,
534 SEC_DESC_RM_CONTROL_VALID = 0x4000,
535 SEC_DESC_SELF_RELATIVE = 0x8000
536 } security_descriptor_type;
538 typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
539 security_descriptor_revision revision;
540 security_descriptor_type type; /* SEC_DESC_xxxx flags */
541 [relative] dom_sid *owner_sid;
542 [relative] dom_sid *group_sid;
543 [relative] security_acl *sacl; /* system ACL */
544 [relative] security_acl *dacl; /* user (discretionary) ACL */
545 } security_descriptor;
547 typedef [public] struct {
548 [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
549 [subcontext(4)] security_descriptor *sd;
552 typedef [public] struct {
554 [size_is(num_sids)] dom_sid sids[*];
555 udlong privilege_mask;
558 /* bits that determine which parts of a security descriptor
559 are being queried/set */
560 typedef [public,bitmap32bit] bitmap {
561 SECINFO_OWNER = 0x00000001,
562 SECINFO_GROUP = 0x00000002,
563 SECINFO_DACL = 0x00000004,
564 SECINFO_SACL = 0x00000008,
565 SECINFO_UNPROTECTED_SACL = 0x10000000,
566 SECINFO_UNPROTECTED_DACL = 0x20000000,
567 SECINFO_PROTECTED_SACL = 0x40000000,
568 SECINFO_PROTECTED_DACL = 0x80000000
571 typedef [public,bitmap32bit] bitmap {
572 KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
573 KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
574 KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
575 KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
576 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
579 typedef [public,bitmap32bit] bitmap {
580 SEC_DACL_AUTO_INHERIT = 0x00000001,
581 SEC_SACL_AUTO_INHERIT = 0x00000002,
582 SEC_DEFAULT_DESCRIPTOR = 0x00000004,
583 SEC_OWNER_FROM_PARENT = 0x00000008,
584 SEC_GROUP_FROM_PARENT = 0x00000010
585 } security_autoinherit;
587 /***************************************************************/
588 /* Extended right guids */
590 const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
591 const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
592 const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
593 const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
594 const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
595 const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
596 const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
597 const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
598 const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
599 const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
600 const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
601 const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
602 const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
603 const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
604 const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
606 /***************************************************************/
607 /* validated writes guids */
608 const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
609 const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
610 const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
611 const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
612 const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
614 /* A type to describe the mapping of generic access rights to object
615 specific access rights. */
619 uint32 generic_write;
620 uint32 generic_execute;