#include "idl_types.h" /* security IDL structures */ import "misc.idl"; /* use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really just a dom sid, but with the sub_auths represented as a conformant array. As with all in-structure conformant arrays, the array length is placed before the start of the structure. That's what gives rise to the extra num_auths elemenent. We don't want the Samba code to have to bother with such esoteric NDR details, so its easier to just define it as a dom_sid and use pidl magic to make it all work. It just means you need to mark a sid as a "dom_sid2" in the IDL when you know it is of the conformant array variety */ cpp_quote("#define dom_sid2 dom_sid") /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ cpp_quote("#define dom_sid28 dom_sid") /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ cpp_quote("#define dom_sid0 dom_sid") [ /* * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy */ uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"), version(0.0), pyhelper("librpc/ndr/py_security.c"), pointer_default(unique) ] interface security { typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags; typedef [public,gensize,noprint,nosize,nopull,nopush] struct { uint8 sid_rev_num; /**< SID revision number */ [range(0,15)] int8 num_auths; /**< Number of sub-authorities */ uint8 id_auth[6]; /**< Identifier Authority */ uint32 sub_auths[15]; } dom_sid; /* access masks are divided up like this: 0xabccdddd where a = generic rights bits SEC_GENERIC_ b = flags SEC_FLAG_ c = standard rights bits SEC_STD_ d = object type specific bits SEC_{FILE,DIR,REG,xxx}_ common combinations of bits are prefixed with SEC_RIGHTS_ */ const int SEC_MASK_GENERIC = 0xF0000000; const int SEC_MASK_FLAGS = 0x0F000000; const int SEC_MASK_STANDARD = 0x00FF0000; const int SEC_MASK_SPECIFIC = 0x0000FFFF; /* generic bits */ const int SEC_GENERIC_ALL = 0x10000000; const int SEC_GENERIC_EXECUTE = 0x20000000; const int SEC_GENERIC_WRITE = 0x40000000; const int SEC_GENERIC_READ = 0x80000000; /* flag bits */ const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000; const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000; /* standard bits */ const int SEC_STD_DELETE = 0x00010000; const int SEC_STD_READ_CONTROL = 0x00020000; const int SEC_STD_WRITE_DAC = 0x00040000; const int SEC_STD_WRITE_OWNER = 0x00080000; const int SEC_STD_SYNCHRONIZE = 0x00100000; const int SEC_STD_REQUIRED = 0x000F0000; const int SEC_STD_ALL = 0x001F0000; /* file specific bits */ const int SEC_FILE_READ_DATA = 0x00000001; const int SEC_FILE_WRITE_DATA = 0x00000002; const int SEC_FILE_APPEND_DATA = 0x00000004; const int SEC_FILE_READ_EA = 0x00000008; const int SEC_FILE_WRITE_EA = 0x00000010; const int SEC_FILE_EXECUTE = 0x00000020; const int SEC_FILE_READ_ATTRIBUTE = 0x00000080; const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100; const int SEC_FILE_ALL = 0x000001ff; /* directory specific bits */ const int SEC_DIR_LIST = 0x00000001; const int SEC_DIR_ADD_FILE = 0x00000002; const int SEC_DIR_ADD_SUBDIR = 0x00000004; const int SEC_DIR_READ_EA = 0x00000008; const int SEC_DIR_WRITE_EA = 0x00000010; const int SEC_DIR_TRAVERSE = 0x00000020; const int SEC_DIR_DELETE_CHILD = 0x00000040; const int SEC_DIR_READ_ATTRIBUTE = 0x00000080; const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100; /* registry entry specific bits */ const int SEC_REG_QUERY_VALUE = 0x00000001; const int SEC_REG_SET_VALUE = 0x00000002; const int SEC_REG_CREATE_SUBKEY = 0x00000004; const int SEC_REG_ENUM_SUBKEYS = 0x00000008; const int SEC_REG_NOTIFY = 0x00000010; const int SEC_REG_CREATE_LINK = 0x00000020; /* ldap specific access bits */ const int SEC_ADS_CREATE_CHILD = 0x00000001; const int SEC_ADS_DELETE_CHILD = 0x00000002; const int SEC_ADS_LIST = 0x00000004; const int SEC_ADS_SELF_WRITE = 0x00000008; const int SEC_ADS_READ_PROP = 0x00000010; const int SEC_ADS_WRITE_PROP = 0x00000020; const int SEC_ADS_DELETE_TREE = 0x00000040; const int SEC_ADS_LIST_OBJECT = 0x00000080; const int SEC_ADS_CONTROL_ACCESS = 0x00000100; /* invalid bits */ const int SEC_MASK_INVALID = 0x0ce0fe00; /* generic->specific mappings for files */ const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL | SEC_STD_SYNCHRONIZE | SEC_FILE_READ_DATA | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_READ_EA; const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL | SEC_STD_SYNCHRONIZE | SEC_FILE_WRITE_DATA | SEC_FILE_WRITE_ATTRIBUTE | SEC_FILE_WRITE_EA | SEC_FILE_APPEND_DATA; const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE; const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL; /* generic->specific mappings for directories (same as files) */ const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ; const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE; const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE; const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL; /* rights granted by some specific privileges */ const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL | SEC_FLAG_SYSTEM_SECURITY | SEC_RIGHTS_FILE_READ | SEC_DIR_TRAVERSE; const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER | SEC_FLAG_SYSTEM_SECURITY | SEC_RIGHTS_FILE_WRITE | SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR | SEC_STD_DELETE; /* combinations of standard masks. */ const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */ const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ const int STANDARD_RIGHTS_WRITE_ACCESS = (SEC_STD_WRITE_OWNER | SEC_STD_WRITE_DAC | SEC_STD_DELETE); /* 0x000d0000 */ const int STANDARD_RIGHTS_REQUIRED_ACCESS = (SEC_STD_DELETE | SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER); /* 0x000f0000 */ /* generic->specific mappings for Directory Service objects */ /* directory specific part of GENERIC_ALL */ const int SEC_ADS_GENERIC_ALL_DS = (SEC_STD_DELETE | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER | SEC_ADS_CREATE_CHILD | SEC_ADS_DELETE_CHILD | SEC_ADS_DELETE_TREE | SEC_ADS_CONTROL_ACCESS); const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST; const int SEC_ADS_GENERIC_WRITE = (SEC_STD_READ_CONTROL | SEC_ADS_SELF_WRITE | SEC_ADS_WRITE_PROP); const int SEC_ADS_GENERIC_READ = (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP | SEC_ADS_LIST_OBJECT); const int SEC_ADS_GENERIC_ALL = (SEC_ADS_GENERIC_EXECUTE | SEC_ADS_GENERIC_WRITE | SEC_ADS_GENERIC_READ | SEC_ADS_GENERIC_ALL_DS); /***************************************************************/ /* WELL KNOWN SIDS */ /* a NULL sid */ const string SID_NULL = "S-1-0-0"; /* the world domain */ const string NAME_WORLD = "WORLD"; const string SID_WORLD_DOMAIN = "S-1-1"; const string SID_WORLD = "S-1-1-0"; /* SECURITY_CREATOR_SID_AUTHORITY */ const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; const string SID_CREATOR_OWNER = "S-1-3-0"; const string SID_CREATOR_GROUP = "S-1-3-1"; const string SID_OWNER_RIGHTS = "S-1-3-4"; /* SECURITY_NT_AUTHORITY */ const string NAME_NT_AUTHORITY = "NT AUTHORITY"; const string SID_NT_AUTHORITY = "S-1-5"; const string SID_NT_DIALUP = "S-1-5-1"; const string SID_NT_NETWORK = "S-1-5-2"; const string SID_NT_BATCH = "S-1-5-3"; const string SID_NT_INTERACTIVE = "S-1-5-4"; const string SID_NT_SERVICE = "S-1-5-6"; const string SID_NT_ANONYMOUS = "S-1-5-7"; const string SID_NT_PROXY = "S-1-5-8"; const string SID_NT_ENTERPRISE_DCS = "S-1-5-9"; const string SID_NT_SELF = "S-1-5-10"; const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11"; const string SID_NT_RESTRICTED = "S-1-5-12"; const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13"; const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14"; const string SID_NT_THIS_ORGANISATION = "S-1-5-15"; const string SID_NT_IUSR = "S-1-5-17"; const string SID_NT_SYSTEM = "S-1-5-18"; const string SID_NT_LOCAL_SERVICE = "S-1-5-19"; const string SID_NT_NETWORK_SERVICE = "S-1-5-20"; const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21"; const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10"; const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14"; const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000"; /* SECURITY_BUILTIN_DOMAIN_RID */ const string NAME_BUILTIN = "BUILTIN"; const string SID_BUILTIN = "S-1-5-32"; const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; const string SID_BUILTIN_USERS = "S-1-5-32-545"; const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553"; const string SID_BUILTIN_PREW2K = "S-1-5-32-554"; const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"; const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556"; const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557"; const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558"; const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559"; const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560"; const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561"; const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562"; const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569"; const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573"; const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574"; /* SECURITY_NT_SERVICE */ const string NAME_NT_SERVICE = "NT SERVICE"; const string SID_NT_NT_SERVICE = "S-1-5-80"; const string SID_NT_TRUSTED_INSTALLER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"; /* well-known domain RIDs */ const int DOMAIN_RID_LOGON = 9; const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498; const int DOMAIN_RID_ADMINISTRATOR = 500; const int DOMAIN_RID_GUEST = 501; const int DOMAIN_RID_KRBTGT = 502; const int DOMAIN_RID_ADMINS = 512; const int DOMAIN_RID_USERS = 513; const int DOMAIN_RID_GUESTS = 514; const int DOMAIN_RID_DOMAIN_MEMBERS = 515; const int DOMAIN_RID_DCS = 516; const int DOMAIN_RID_CERT_ADMINS = 517; const int DOMAIN_RID_SCHEMA_ADMINS = 518; const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; const int DOMAIN_RID_POLICY_ADMINS = 520; const int DOMAIN_RID_READONLY_DCS = 521; const int DOMAIN_RID_RAS_SERVERS = 553; const int DOMAIN_RID_RODC_ALLOW = 571; const int DOMAIN_RID_RODC_DENY = 572; /* well-known builtin RIDs */ const int BUILTIN_RID_ADMINISTRATORS = 544; const int BUILTIN_RID_USERS = 545; const int BUILTIN_RID_GUESTS = 546; const int BUILTIN_RID_POWER_USERS = 547; const int BUILTIN_RID_ACCOUNT_OPERATORS = 548; const int BUILTIN_RID_SERVER_OPERATORS = 549; const int BUILTIN_RID_PRINT_OPERATORS = 550; const int BUILTIN_RID_BACKUP_OPERATORS = 551; const int BUILTIN_RID_REPLICATOR = 552; const int BUILTIN_RID_RAS_SERVERS = 553; const int BUILTIN_RID_PRE_2K_ACCESS = 554; const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555; const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556; const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557; const int BUILTIN_RID_PERFMON_USERS = 558; const int BUILTIN_RID_PERFLOG_USERS = 559; const int BUILTIN_RID_AUTH_ACCESS = 560; const int BUILTIN_RID_TS_LICENSE_SERVERS = 561; const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562; const int BUILTIN_RID_CRYPTO_OPERATORS = 569; const int BUILTIN_RID_EVENT_LOG_READERS = 573; const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574; /******************************************************************** This is a list of privileges reported by a WIndows 2008 R2 DC just for reference purposes (and I know the LUID is not guaranteed across reboots): 0x00000002 SeCreateTokenPrivilege "Create a token object" 0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token" 0x00000004 SeLockMemoryPrivilege "Lock pages in memory" 0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process" 0x00000006 SeMachineAccountPrivilege "Add workstations to domain" 0x00000007 SeTcbPrivilege "Act as part of the operating system" 0x00000008 SeSecurityPrivilege "Manage auditing and security log" 0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects" 0x0000000a SeLoadDriverPrivilege "Load and unload device drivers" 0x0000000b SeSystemProfilePrivilege "Profile system performance" 0x0000000c SeSystemtimePrivilege "Change the system time" 0x0000000d SeProfileSingleProcessPrivilege "Profile single process" 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority" 0x0000000f SeCreatePagefilePrivilege "Create a pagefile" 0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects" 0x00000011 SeBackupPrivilege "Back up files and directories" 0x00000012 SeRestorePrivilege "Restore files and directories" 0x00000013 SeShutdownPrivilege "Shut down the system" 0x00000014 SeDebugPrivilege "Debug programs" 0x00000015 SeAuditPrivilege "Generate security audits" 0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values" 0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking" 0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system" 0x00000019 SeUndockPrivilege "Remove computer from docking station" 0x0000001a SeSyncAgentPrivilege "Synchronize directory service data" 0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation" 0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks" 0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication" 0x0000001e SeCreateGlobalPrivilege "Create global objects" 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller" 0x00000020 SeRelabelPrivilege "Modify an object label" 0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set" 0x00000022 SeTimeZonePrivilege "Change the time zone" 0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links" ********************************************************************/ /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */ /* we have to define the LUID here due to a horrible check by printmig.exe that requires the SeBackupPrivilege match what is in Windows. So match those that we implement and start Samba privileges at 0x1001 */ typedef enum { SEC_PRIV_INVALID = 0x0, SEC_PRIV_INCREASE_QUOTA = 0x5, SEC_PRIV_MACHINE_ACCOUNT = 0x6, SEC_PRIV_SECURITY = 0x8, SEC_PRIV_TAKE_OWNERSHIP = 0x09, SEC_PRIV_LOAD_DRIVER = 0x0a, SEC_PRIV_SYSTEM_PROFILE = 0x0b, SEC_PRIV_SYSTEMTIME = 0x0c, SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d, SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e, SEC_PRIV_CREATE_PAGEFILE = 0x0f, SEC_PRIV_BACKUP = 0x11, SEC_PRIV_RESTORE = 0x12, SEC_PRIV_SHUTDOWN = 0x13, SEC_PRIV_DEBUG = 0x14, SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16, SEC_PRIV_CHANGE_NOTIFY = 0x17, SEC_PRIV_REMOTE_SHUTDOWN = 0x18, SEC_PRIV_UNDOCK = 0x19, SEC_PRIV_ENABLE_DELEGATION = 0x1b, SEC_PRIV_MANAGE_VOLUME = 0x1c, SEC_PRIV_IMPERSONATE = 0x1d, SEC_PRIV_CREATE_GLOBAL = 0x1e, /* Samba-specific privs */ SEC_PRIV_PRINT_OPERATOR = 0x1001, SEC_PRIV_ADD_USERS = 0x1002, SEC_PRIV_DISK_OPERATOR = 0x1003 } sec_privilege; /* Bitmap of privilege values for internal use only. We need * our own bitmap here as privilages.tdb records these values * as a bitmap (privilages.ldb uses the string forms). */ typedef [bitmap64bit] bitmap { SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010, /* Samba-specific privs */ SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020, SEC_PRIV_ADD_USERS_BIT = 0x00000040, SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080, SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100, SEC_PRIV_BACKUP_BIT = 0x00000200, SEC_PRIV_RESTORE_BIT = 0x00000400, SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800, /* End of privilages implemented before merge to common code */ SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000, SEC_PRIV_SECURITY_BIT = 0x00002000, SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000, SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000, SEC_PRIV_SYSTEMTIME_BIT = 0x00010000, SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000, SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000, SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000, SEC_PRIV_SHUTDOWN_BIT = 0x00100000, SEC_PRIV_DEBUG_BIT = 0x00200000, SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000, SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000, SEC_PRIV_UNDOCK_BIT = 0x01000000, SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000, SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000, SEC_PRIV_IMPERSONATE_BIT = 0x08000000, SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000 } se_privilege; typedef [bitmap32bit] bitmap { LSA_POLICY_MODE_INTERACTIVE = 0x00000001, LSA_POLICY_MODE_NETWORK = 0x00000002, LSA_POLICY_MODE_BATCH = 0x00000004, LSA_POLICY_MODE_SERVICE = 0x00000010, LSA_POLICY_MODE_PROXY = 0x00000020, LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040, LSA_POLICY_MODE_DENY_NETWORK = 0x00000080, LSA_POLICY_MODE_DENY_BATCH = 0x00000100, LSA_POLICY_MODE_DENY_SERVICE = 0x00000200, LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400, LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800, LSA_POLICY_MODE_ALL = 0x00000FF7, LSA_POLICY_MODE_ALL_NT4 = 0x00000037 } lsa_SystemAccessModeFlags; typedef [public,bitmap8bit] bitmap { SEC_ACE_FLAG_OBJECT_INHERIT = 0x01, SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04, SEC_ACE_FLAG_INHERIT_ONLY = 0x08, SEC_ACE_FLAG_INHERITED_ACE = 0x10, SEC_ACE_FLAG_VALID_INHERIT = 0x0f, SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40, SEC_ACE_FLAG_FAILED_ACCESS = 0x80 } security_ace_flags; typedef [public,enum8bit] enum { SEC_ACE_TYPE_ACCESS_ALLOWED = 0, SEC_ACE_TYPE_ACCESS_DENIED = 1, SEC_ACE_TYPE_SYSTEM_AUDIT = 2, SEC_ACE_TYPE_SYSTEM_ALARM = 3, SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5, SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6, SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7, SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8 } security_ace_type; typedef [bitmap32bit] bitmap { SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001, SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002 } security_ace_object_flags; typedef [nodiscriminant] union { /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */ [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type; [default]; } security_ace_object_type; typedef [nodiscriminant] union { /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context * (of the parent container) */ [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type; [default]; } security_ace_object_inherited_type; typedef struct { security_ace_object_flags flags; [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type; [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type; } security_ace_object; typedef [public,nodiscriminant] union { [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object; [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object; [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object; [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object; [default]; } security_ace_object_ctr; typedef [public,nopull,gensize,nosize] struct { security_ace_type type; /* SEC_ACE_TYPE_* */ security_ace_flags flags; /* SEC_ACE_FLAG_* */ [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; uint32 access_mask; [switch_is(type)] security_ace_object_ctr object; dom_sid trustee; } security_ace; typedef enum { SECURITY_ACL_REVISION_NT4 = 2, SECURITY_ACL_REVISION_ADS = 4 } security_acl_revision; const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4; typedef [public,gensize,nosize] struct { security_acl_revision revision; [value(ndr_size_security_acl(r,ndr->flags))] uint16 size; [range(0,2000)] uint32 num_aces; security_ace aces[num_aces]; } security_acl; /* default revision for new ACLs */ typedef [public,enum8bit] enum { SECURITY_DESCRIPTOR_REVISION_1 = 1 } security_descriptor_revision; const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1; /* security_descriptor->type bits */ typedef [public,bitmap16bit] bitmap { SEC_DESC_OWNER_DEFAULTED = 0x0001, SEC_DESC_GROUP_DEFAULTED = 0x0002, SEC_DESC_DACL_PRESENT = 0x0004, SEC_DESC_DACL_DEFAULTED = 0x0008, SEC_DESC_SACL_PRESENT = 0x0010, SEC_DESC_SACL_DEFAULTED = 0x0020, SEC_DESC_DACL_TRUSTED = 0x0040, SEC_DESC_SERVER_SECURITY = 0x0080, SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100, SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200, SEC_DESC_DACL_AUTO_INHERITED = 0x0400, SEC_DESC_SACL_AUTO_INHERITED = 0x0800, SEC_DESC_DACL_PROTECTED = 0x1000, SEC_DESC_SACL_PROTECTED = 0x2000, SEC_DESC_RM_CONTROL_VALID = 0x4000, SEC_DESC_SELF_RELATIVE = 0x8000 } security_descriptor_type; typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct { security_descriptor_revision revision; security_descriptor_type type; /* SEC_DESC_xxxx flags */ [relative] dom_sid *owner_sid; [relative] dom_sid *group_sid; [relative] security_acl *sacl; /* system ACL */ [relative] security_acl *dacl; /* user (discretionary) ACL */ } security_descriptor; [nopython] void decode_security_descriptor ( [in] security_descriptor sd ); typedef [public] struct { [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; [subcontext(4)] security_descriptor *sd; } sec_desc_buf; [nopython] void decode_sec_desc_buf ( [in] sec_desc_buf sd_buf ); /* This is not yet sent over the network, but is simply defined in IDL */ typedef [public] struct { uint32 num_sids; [size_is(num_sids)] dom_sid sids[*]; se_privilege privilege_mask; lsa_SystemAccessModeFlags rights_mask; } security_token; [nopython] void decode_security_token ( [in] security_token token ); /* This is not yet sent over the network, but is simply defined in IDL */ typedef [public] struct { uid_t uid; gid_t gid; uint32 ngroups; [size_is(ngroups)] gid_t groups[*]; } security_unix_token; [nopython] void decode_security_unix_token ( [in] security_unix_token unix_token ); /* bits that determine which parts of a security descriptor are being queried/set */ typedef [public,bitmap32bit] bitmap { SECINFO_OWNER = 0x00000001, SECINFO_GROUP = 0x00000002, SECINFO_DACL = 0x00000004, SECINFO_SACL = 0x00000008, SECINFO_LABEL = 0x00000010, SECINFO_ATTRIBUTE = 0x00000020, SECINFO_SCOPE = 0x00000040, SECINFO_BACKUP = 0x00010000, SECINFO_UNPROTECTED_SACL = 0x10000000, SECINFO_UNPROTECTED_DACL = 0x20000000, SECINFO_PROTECTED_SACL = 0x40000000, SECINFO_PROTECTED_DACL = 0x80000000 } security_secinfo; typedef [public,bitmap32bit] bitmap { KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 } kerb_EncTypes; typedef [public,bitmap32bit] bitmap { SEC_DACL_AUTO_INHERIT = 0x00000001, SEC_SACL_AUTO_INHERIT = 0x00000002, SEC_DEFAULT_DESCRIPTOR = 0x00000004, SEC_OWNER_FROM_PARENT = 0x00000008, SEC_GROUP_FROM_PARENT = 0x00000010 } security_autoinherit; /***************************************************************/ /* Extended right guids */ const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab"; const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd"; const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf"; const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c"; const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96"; const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"; const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"; const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT = "280f369c-67c7-438e-ae98-1d46f3c6f541"; const string GUID_DRS_UNEXPIRE_PASSWORD = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501"; const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5"; const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"; /***************************************************************/ /* validated writes guids */ const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"; const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"; const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"; const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7"; const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2"; /* A type to describe the mapping of generic access rights to object specific access rights. */ typedef struct { uint32 generic_read; uint32 generic_write; uint32 generic_execute; uint32 generic_all; } generic_mapping; typedef struct { uint32 std_read; uint32 std_write; uint32 std_execute; uint32 std_all; } standard_mapping; }