lib: Annotate well known SID names
[metze/samba/wip.git] / librpc / idl / security.idl
index 13ccb4953734c02d797b68dad0ab5c339c2e81b5..5930f448955a4f7c1470977c65094566773acb81 100644 (file)
@@ -26,6 +26,11 @@ cpp_quote("#define dom_sid28 dom_sid")
 cpp_quote("#define dom_sid0 dom_sid")
 
 [
+       /*
+        * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
+        */
+       uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
+       version(0.0),
        pyhelper("librpc/ndr/py_security.c"),
        pointer_default(unique)
 ]
@@ -147,19 +152,18 @@ interface security
        const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
 
        /* rights granted by some specific privileges */
-       const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL | 
+       const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL |
                                            SEC_FLAG_SYSTEM_SECURITY |
-                                           SEC_GENERIC_READ;
-       const int SEC_RIGHTS_DIR_PRIV_BACKUP  = SEC_RIGHTS_PRIV_BACKUP 
-                                             | SEC_DIR_TRAVERSE;
+                                           SEC_RIGHTS_FILE_READ |
+                                           SEC_DIR_TRAVERSE;
 
-       const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | 
+       const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
                                            SEC_STD_WRITE_OWNER |
                                            SEC_FLAG_SYSTEM_SECURITY |
-                                           SEC_STD_DELETE;
-       const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE | 
+                                           SEC_RIGHTS_FILE_WRITE |
                                            SEC_DIR_ADD_FILE |
-                                           SEC_DIR_ADD_SUBDIR;
+                                           SEC_DIR_ADD_SUBDIR |
+                                           SEC_STD_DELETE;
 
        /* combinations of standard masks. */
        const int STANDARD_RIGHTS_ALL_ACCESS            = SEC_STD_ALL; /* 0x001f0000 */
@@ -269,6 +273,14 @@ interface security
        const string SID_BUILTIN_PERFLOG_USERS          = "S-1-5-32-559";
        const string SID_BUILTIN_AUTH_ACCESS            = "S-1-5-32-560";
        const string SID_BUILTIN_TS_LICENSE_SERVERS     = "S-1-5-32-561";
+       const string SID_BUILTIN_DISTRIBUTED_COM_USERS  = "S-1-5-32-562";
+       const string SID_BUILTIN_CRYPTO_OPERATORS       = "S-1-5-32-569";
+       const string SID_BUILTIN_EVENT_LOG_READERS      = "S-1-5-32-573";
+       const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS  = "S-1-5-32-574";
+
+       /* UID/GID mapping Samba style */
+       const string SID_SAMBA_UNIX_USER_OWNER          = "S-1-22-1";
+       const string SID_SAMBA_UNIX_GROUP_OWNER         = "S-1-22-2";
 
        /* SECURITY_NT_SERVICE */
        const string NAME_NT_SERVICE            = "NT SERVICE";
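Review bot: The comment above SID_SAMBA_UNIX_USER_OWNER and SID_SAMBA_UNIX_GROUP_OWNER, "UID/GID mapping Samba style", does not tell a reader that S-1-22-1 and S-1-22-2 are prefixes to which a Unix id is appended rather than complete principal SIDs, nor that they are private to Samba and unknown to Windows. Suggest `/* Samba-private SID prefixes for Unix ids: S-1-22-1-<uid> names a user, S-1-22-2-<gid> a group */`, assuming the sub-authority is appended as the _OWNER naming implies. The four BUILTIN SIDs above it match the RIDs added later in this diff (562, 569, 573, 574), which is fine.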
@@ -277,6 +289,18 @@ interface security
        const string SID_NT_TRUSTED_INSTALLER =
                "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
 
+       const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
+       const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+
+       /*
+        * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
+        */
+       const string SID_NT_NFS_SUBSYSTEM         = "S-1-5-88";
+       const string SID_NT_NFS_USER              = "S-1-5-88-1";
+       const string SID_NT_NFS_GROUP             = "S-1-5-88-2";
+       const string SID_NT_NFS_MASK              = "S-1-5-88-3";
+       const string SID_NT_NFS_OTHERS            = "S-1-5-88-4";
+
        /* well-known domain RIDs */
        const int DOMAIN_RID_LOGON                   = 9;
        const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
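Review bot: SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY and SID_SERVICE_ASSERTED_IDENTITY are added with no comment and no heading, unlike the NFS block right below them that cites its source and the NT SERVICE block above. These S-1-18 SIDs are token membership markers that depend on how the caller authenticated, so a reader needs to know which one a given token should carry; suggest `/* S-1-18-x asserted-identity SIDs, see the well-known SID table in [MS-DTYP] 2.4.2.4 */` above the pair. The NFS comment could likewise name the document rather than only a URL, since technet links move.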
@@ -316,6 +340,10 @@ interface security
        const int BUILTIN_RID_PERFLOG_USERS             = 559;
        const int BUILTIN_RID_AUTH_ACCESS               = 560;
        const int BUILTIN_RID_TS_LICENSE_SERVERS        = 561;
+       const int BUILTIN_RID_DISTRIBUTED_COM_USERS     = 562;
+       const int BUILTIN_RID_CRYPTO_OPERATORS          = 569;
+       const int BUILTIN_RID_EVENT_LOG_READERS         = 573;
+       const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS     = 574;
 
 /********************************************************************
  This is a list of privileges reported by a WIndows 2008 R2 DC
@@ -524,7 +552,7 @@ interface security
        typedef [public,gensize,nosize] struct {
                security_acl_revision revision;
                [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
-               [range(0,1000)] uint32 num_aces;
+               [range(0,2000)] uint32 num_aces;
                security_ace aces[num_aces];
        } security_acl;
 
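Review bot: Raising `[range(0,1000)]` on num_aces to 2000 changes the only bound the NDR pull places on how many security_ace elements get allocated for an ACL received from a peer, and neither the hunk nor the commit message says why 2000 was chosen. Because that range is a defensive limit on inbound data, the rationale should sit next to it; suggest `/* upper bound on ACEs allocated while pulling; must cover the largest ACL Windows produces (64 KiB, commonly cited as roughly 1,820 ACEs) */` if that is indeed the reasoning. This change is also unrelated to the SID annotation described in the title and is easier to bisect as its own commit.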
@@ -564,11 +592,20 @@ interface security
                [relative] security_acl *dacl; /* user (discretionary) ACL */
        } security_descriptor;
 
+       [nopython] void decode_security_descriptor (
+               [in] security_descriptor sd
+               );
+
        typedef [public] struct {
                [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
                [subcontext(4)] security_descriptor *sd;
        } sec_desc_buf;
 
+       [nopython] void decode_sec_desc_buf (
+               [in] sec_desc_buf sd_buf
+               );
+
+       /* This is not yet sent over the network, but is simply defined in IDL */
        typedef [public] struct {
                uint32 num_sids;
                [size_is(num_sids)] dom_sid sids[*];
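Review bot: decode_security_descriptor and decode_sec_desc_buf carry no comment saying what they are for; they are [nopython] functions with one [in] argument and no return, which presumably exist only so ndrdump can decode the structure (the uuid comment at the top of this interface says it was added "just to make ndrdump happy"). Suggest `/* ndrdump helper only; not an RPC call and never sent on the wire */` above each, and the same for decode_security_token and decode_security_unix_token in the next hunk. Without it a reader of the generated ndr tables may take these for real calls of the interface.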
@@ -576,6 +613,22 @@ interface security
                lsa_SystemAccessModeFlags rights_mask;
        } security_token;
 
+       [nopython] void decode_security_token (
+               [in] security_token token
+               );
+
+       /* This is not yet sent over the network, but is simply defined in IDL */
+       typedef [public] struct {
+               uid_t uid;
+               gid_t gid;
+               uint32 ngroups;
+               [size_is(ngroups)] gid_t groups[*];
+       } security_unix_token;
+
+       [nopython] void decode_security_unix_token (
+               [in] security_unix_token unix_token
+               );
+
        /* bits that determine which parts of a security descriptor
           are being queried/set */
        typedef [public,bitmap32bit] bitmap {
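Review bot: security_unix_token is built from uid_t and gid_t, host types of platform-dependent width rather than fixed-size IDL types, so its NDR layout depends on the build host even though the struct is [public] and gets a generated push/pull plus a decode_ helper. The comment "not yet sent over the network" covers the intent but not the mechanics; a note beside the typedef on how uid_t/gid_t are mapped for NDR (presumably a cpp_quote like the dom_sid28 one at the top of the file) and an explicit `/* uid_t/gid_t follow the host ABI; never push this struct to a remote peer */` would make the constraint hard to miss. The same "not yet sent" comment was added to security_token without an equivalent caveat, which is fine as that struct uses only IDL types.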
@@ -583,18 +636,56 @@ interface security
                SECINFO_GROUP                = 0x00000002,
                SECINFO_DACL                 = 0x00000004,
                SECINFO_SACL                 = 0x00000008,
+               SECINFO_LABEL                = 0x00000010,
+               SECINFO_ATTRIBUTE            = 0x00000020,
+               SECINFO_SCOPE                = 0x00000040,
+               SECINFO_BACKUP               = 0x00010000,
                SECINFO_UNPROTECTED_SACL     = 0x10000000,
                SECINFO_UNPROTECTED_DACL     = 0x20000000,
                SECINFO_PROTECTED_SACL       = 0x40000000,
                SECINFO_PROTECTED_DACL       = 0x80000000
        } security_secinfo;
 
+       /*
+        * a SMB server should only support the following flags
+        * and ignore all others.
+        *
+        * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
+        * and 2.2.39 SMB2 SET_INFO Request.
+        */
+       const int SMB_SUPPORTED_SECINFO_FLAGS = (
+               SECINFO_OWNER           |
+               SECINFO_GROUP           |
+               SECINFO_DACL            |
+               SECINFO_SACL            |
+               SECINFO_LABEL           |
+               SECINFO_ATTRIBUTE       |
+               SECINFO_SCOPE           |
+               SECINFO_BACKUP          |
+               0);
+
+       /*
+        * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY
+        */
+       typedef [public,gensize,flag(NDR_PAHEX)] struct {
+               uint32 Flags;
+               uint32 TokenIL;
+               uint8 MachineId[32];
+       } LSAP_TOKEN_INFO_INTEGRITY;
+
+       /*
+        * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
+        */
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
-               KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
+               KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
+               KERB_ENCTYPE_FAST_SUPPORTED          = 0x00010000,
+               KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
+               KERB_ENCTYPE_CLAIMS_SUPPORTED        = 0x00040000,
+               KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000
        } kerb_EncTypes;
 
        typedef [public,bitmap32bit] bitmap {
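Review bot: The four kerb_EncTypes bits from KERB_ENCTYPE_FAST_SUPPORTED onward are capability flags (FAST, compound identity, claims, resource SID compression) rather than encryption types, and nothing in the bitmap marks where the enctypes end; suggest `/* 0x00010000 and above are KDC feature flags, not enctypes */` before KERB_ENCTYPE_FAST_SUPPORTED. LSAP_TOKEN_INFO_INTEGRITY gives only the spec pointer for Flags, TokenIL and MachineId; one trailing comment each, for example `uint32 TokenIL; /* integrity level of the client token */`, would spare a trip to [MS-KILE] 2.2.5. The SMB_SUPPORTED_SECINFO_FLAGS comment promises that a server ignores other bits, but this constant only defines the mask, so the comment should say that enforcement happens in the server code that masks with it.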
@@ -615,14 +706,22 @@ interface security
        const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
        const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
        const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
        const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
        const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
-       const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
        const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
-       const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
-       const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
        const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b";
        const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529";
+        const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
+                                                     = "280f369c-67c7-438e-ae98-1d46f3c6f541";
+        const string GUID_DRS_UNEXPIRE_PASSWORD       = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
+        const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
+                                                     = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
+        const string GUID_DRS_DS_INSTALL_REPLICA      = "9923a32a-3607-11d2-b9be-0000f87a36b2";
+       const string GUID_DRS_REANIMATE_TOMBSTONE     = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
+
 
        /***************************************************************/
        /* validated writes guids */
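Review bot: The five added lines from GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT through GUID_DRS_DS_INSTALL_REPLICA are indented with spaces while every neighbouring const uses a tab, and the hunk leaves two consecutive blank lines after GUID_DRS_REANIMATE_TOMBSTONE; re-indent with a tab and drop one blank line. Moving GUID_DRS_REPL_SYNCRONIZE, GUID_DRS_MANAGE_TOPOLOGY and GUID_DRS_RO_REPL_SECRET_SYNC next to GUID_DRS_GET_CHANGES groups the 1131f6a* control-access GUIDs together, but it leaves the table in neither name nor GUID order; a one-line `/* the 1131f6a* DRS control-access rights are kept together; the rest is unordered */` above the table would stop the next contributor from re-sorting it.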