1 #include "idl_types.h"
3 /*
4 security IDL structures
5 */
7 import "misc.idl";
9 /*
10 use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11 just a dom sid, but with the sub_auths represented as a conformant
12 array. As with all in-structure conformant arrays, the array length
13 is placed before the start of the structure. That's what gives rise
14 to the extra num_auths element. We don't want the Samba code to
15 have to bother with such esoteric NDR details, so it's easier to just
16 define it as a dom_sid and use pidl magic to make it all work. It
17 just means you need to mark a sid as a "dom_sid2" in the IDL when you
18 know it is of the conformant array variety
20 cpp_quote("#define dom_sid2 dom_sid")
22 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
23 cpp_quote("#define dom_sid28 dom_sid")
25 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
26 cpp_quote("#define dom_sid0 dom_sid")
30 * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
32 uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
33 version(0.0),
34 helper("../libcli/security/security.h"),
35 pyhelper("librpc/ndr/py_security.c"),
36 pointer_default(unique)
38 interface security
41 typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;
43 typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
44 uint8 sid_rev_num; /**< SID revision number */
45 [range(0,15)] int8 num_auths; /**< Number of sub-authorities */
46 uint8 id_auth[6]; /**< Identifier Authority */
47 uint32 sub_auths[15];
48 } dom_sid;
50 access masks are divided up like this:
51 0xabccdddd
52 where
53 a = generic rights bits SEC_GENERIC_
54 b = flags SEC_FLAG_
55 c = standard rights bits SEC_STD_
56 d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
58 common combinations of bits are prefixed with SEC_RIGHTS_
60 const int SEC_MASK_GENERIC = 0xF0000000;
61 const int SEC_MASK_FLAGS = 0x0F000000;
62 const int SEC_MASK_STANDARD = 0x00FF0000;
63 const int SEC_MASK_SPECIFIC = 0x0000FFFF;
65 /* generic bits */
66 const int SEC_GENERIC_ALL = 0x10000000;
67 const int SEC_GENERIC_EXECUTE = 0x20000000;
68 const int SEC_GENERIC_WRITE = 0x40000000;
69 const int SEC_GENERIC_READ = 0x80000000;
71 /* flag bits */
72 const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
73 const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
75 /* standard bits */
76 const int SEC_STD_DELETE = 0x00010000;
77 const int SEC_STD_READ_CONTROL = 0x00020000;
78 const int SEC_STD_WRITE_DAC = 0x00040000;
79 const int SEC_STD_WRITE_OWNER = 0x00080000;
80 const int SEC_STD_SYNCHRONIZE = 0x00100000;
81 const int SEC_STD_REQUIRED = 0x000F0000;
82 const int SEC_STD_ALL = 0x001F0000;
84 /* file specific bits */
85 const int SEC_FILE_READ_DATA = 0x00000001;
86 const int SEC_FILE_WRITE_DATA = 0x00000002;
87 const int SEC_FILE_APPEND_DATA = 0x00000004;
88 const int SEC_FILE_READ_EA = 0x00000008;
89 const int SEC_FILE_WRITE_EA = 0x00000010;
90 const int SEC_FILE_EXECUTE = 0x00000020;
91 const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
92 const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
93 const int SEC_FILE_ALL = 0x000001ff;
95 /* directory specific bits */
96 const int SEC_DIR_LIST = 0x00000001;
97 const int SEC_DIR_ADD_FILE = 0x00000002;
98 const int SEC_DIR_ADD_SUBDIR = 0x00000004;
99 const int SEC_DIR_READ_EA = 0x00000008;
100 const int SEC_DIR_WRITE_EA = 0x00000010;
101 const int SEC_DIR_TRAVERSE = 0x00000020;
102 const int SEC_DIR_DELETE_CHILD = 0x00000040;
103 const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
104 const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
106 /* registry entry specific bits */
107 const int SEC_REG_QUERY_VALUE = 0x00000001;
108 const int SEC_REG_SET_VALUE = 0x00000002;
109 const int SEC_REG_CREATE_SUBKEY = 0x00000004;
110 const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
111 const int SEC_REG_NOTIFY = 0x00000010;
112 const int SEC_REG_CREATE_LINK = 0x00000020;
114 /* ldap specific access bits */
115 const int SEC_ADS_CREATE_CHILD = 0x00000001;
116 const int SEC_ADS_DELETE_CHILD = 0x00000002;
117 const int SEC_ADS_LIST = 0x00000004;
118 const int SEC_ADS_SELF_WRITE = 0x00000008;
119 const int SEC_ADS_READ_PROP = 0x00000010;
120 const int SEC_ADS_WRITE_PROP = 0x00000020;
121 const int SEC_ADS_DELETE_TREE = 0x00000040;
122 const int SEC_ADS_LIST_OBJECT = 0x00000080;
123 const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
125 /* invalid bits */
126 const int SEC_MASK_INVALID = 0x0ce0fe00;
128 /* generic->specific mappings for files */
129 const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
130 SEC_STD_SYNCHRONIZE |
131 SEC_FILE_READ_DATA |
132 SEC_FILE_READ_ATTRIBUTE |
133 SEC_FILE_READ_EA;
135 const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
136 SEC_STD_SYNCHRONIZE |
137 SEC_FILE_WRITE_DATA |
138 SEC_FILE_WRITE_ATTRIBUTE |
139 SEC_FILE_WRITE_EA |
140 SEC_FILE_APPEND_DATA;
142 const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
143 SEC_STD_READ_CONTROL |
144 SEC_FILE_READ_ATTRIBUTE |
145 SEC_FILE_EXECUTE;
147 const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
149 /* generic->specific mappings for directories (same as files) */
150 const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
151 const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
152 const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
153 const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
155 /* rights granted by some specific privileges */
156 const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
157 SEC_FLAG_SYSTEM_SECURITY |
158 SEC_RIGHTS_FILE_READ |
159 SEC_DIR_TRAVERSE;
161 const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
162 SEC_STD_WRITE_OWNER |
163 SEC_FLAG_SYSTEM_SECURITY |
164 SEC_RIGHTS_FILE_WRITE |
165 SEC_DIR_ADD_FILE |
166 SEC_DIR_ADD_SUBDIR |
167 SEC_STD_DELETE;
169 /* combinations of standard masks. */
170 const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
171 const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
172 const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
173 const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
174 const int STANDARD_RIGHTS_WRITE_ACCESS =
175 (SEC_STD_WRITE_OWNER |
176 SEC_STD_WRITE_DAC |
177 SEC_STD_DELETE); /* 0x000d0000 */
178 const int STANDARD_RIGHTS_REQUIRED_ACCESS =
179 (SEC_STD_DELETE |
180 SEC_STD_READ_CONTROL |
181 SEC_STD_WRITE_DAC |
182 SEC_STD_WRITE_OWNER); /* 0x000f0000 */
184 /* generic->specific mappings for Directory Service objects */
185 /* directory specific part of GENERIC_ALL */
186 const int SEC_ADS_GENERIC_ALL_DS =
187 (SEC_STD_DELETE |
188 SEC_STD_WRITE_DAC |
189 SEC_STD_WRITE_OWNER |
190 SEC_ADS_CREATE_CHILD |
191 SEC_ADS_DELETE_CHILD |
192 SEC_ADS_DELETE_TREE |
193 SEC_ADS_CONTROL_ACCESS);
194 const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
195 const int SEC_ADS_GENERIC_WRITE =
196 (SEC_STD_READ_CONTROL |
197 SEC_ADS_SELF_WRITE |
198 SEC_ADS_WRITE_PROP);
199 const int SEC_ADS_GENERIC_READ =
200 (SEC_STD_READ_CONTROL |
201 SEC_ADS_LIST |
202 SEC_ADS_READ_PROP |
203 SEC_ADS_LIST_OBJECT);
204 const int SEC_ADS_GENERIC_ALL =
205 (SEC_ADS_GENERIC_EXECUTE |
206 SEC_ADS_GENERIC_WRITE |
207 SEC_ADS_GENERIC_READ |
208 SEC_ADS_GENERIC_ALL_DS);
211 * Rights implicitly granted to a user who is an owner of the security
212 * descriptor being processed.
214 typedef enum {
215 IMPLICIT_OWNER_READ_CONTROL_RIGHTS,
216 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS
217 } implicit_owner_rights;
219 /***************************************************************/
220 /* WELL KNOWN SIDS */
222 /* a NULL sid */
223 const string SID_NULL = "S-1-0-0";
225 /* the world domain */
226 const string NAME_WORLD = "WORLD";
228 const string SID_WORLD_DOMAIN = "S-1-1";
229 const string SID_WORLD = "S-1-1-0";
231 /* SECURITY_CREATOR_SID_AUTHORITY */
232 const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
233 const string SID_CREATOR_OWNER = "S-1-3-0";
234 const string SID_CREATOR_GROUP = "S-1-3-1";
235 const string SID_OWNER_RIGHTS = "S-1-3-4";
237 /* SECURITY_NT_AUTHORITY */
238 const string NAME_NT_AUTHORITY = "NT AUTHORITY";
240 const string SID_NT_AUTHORITY = "S-1-5";
241 const string SID_NT_DIALUP = "S-1-5-1";
242 const string SID_NT_NETWORK = "S-1-5-2";
243 const string SID_NT_BATCH = "S-1-5-3";
244 const string SID_NT_INTERACTIVE = "S-1-5-4";
245 const string SID_NT_SERVICE = "S-1-5-6";
246 const string SID_NT_ANONYMOUS = "S-1-5-7";
247 const string SID_NT_PROXY = "S-1-5-8";
248 const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
249 const string SID_NT_SELF = "S-1-5-10";
250 const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
251 const string SID_NT_RESTRICTED = "S-1-5-12";
252 const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
253 const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
254 const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
255 const string SID_NT_IUSR = "S-1-5-17";
256 const string SID_NT_SYSTEM = "S-1-5-18";
257 const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
258 const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
259 const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
260 const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
261 const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
262 const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
264 /* SECURITY_BUILTIN_DOMAIN_RID */
265 const string NAME_BUILTIN = "BUILTIN";
267 const string SID_BUILTIN = "S-1-5-32";
268 const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
269 const string SID_BUILTIN_USERS = "S-1-5-32-545";
270 const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
271 const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
272 const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
273 const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
274 const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
275 const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
276 const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
277 const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
278 const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
279 const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
280 const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
281 const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
282 const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
283 const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
284 const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
285 const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
286 const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562";
287 const string SID_BUILTIN_IUSERS = "S-1-5-32-568";
288 const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569";
289 const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
290 const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";
291 const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575";
292 const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576";
293 const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
294 const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
295 const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579";
296 const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580";
297 const string SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP = "S-1-5-32-581";
298 const string SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS = "S-1-5-32-582";
300 const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
302 /* UID/GID mapping Samba style */
303 const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
304 const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2";
306 /* SECURITY_NT_SERVICE */
307 const string NAME_NT_SERVICE = "NT SERVICE";
309 const string SID_NT_NT_SERVICE = "S-1-5-80";
310 const string SID_NT_TRUSTED_INSTALLER =
311 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
314 * This is added during the AS-REQ/AS-REP exchange after
315 * pre-authentication was successful.
317 const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
319 * This is added during S4U2Self PAC creation.
321 * It won't replace a possible
322 * SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
323 * during S4U2Proxy.
325 const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
328 * This is added during the AS-REQ/AS-REP exchange after the
329 * PKINIT Freshness extension is used (shows current
330 * possession, rather than just a saved signature, of the
331 * client pulic key).
333 const string SID_FRESH_PUBLIC_KEY_IDENTITY = "S-1-18-3";
335 const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
336 const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
338 const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
340 const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
342 const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
343 const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
344 const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
345 const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
346 const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
349 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
351 const string SID_NT_NFS_SUBSYSTEM = "S-1-5-88";
352 const string SID_NT_NFS_USER = "S-1-5-88-1";
353 const string SID_NT_NFS_GROUP = "S-1-5-88-2";
354 const string SID_NT_NFS_MASK = "S-1-5-88-3";
355 const string SID_NT_NFS_OTHERS = "S-1-5-88-4";
357 /* well-known domain RIDs */
358 const int DOMAIN_RID_LOGON = 9;
359 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
360 const int DOMAIN_RID_ADMINISTRATOR = 500;
361 const int DOMAIN_RID_GUEST = 501;
362 const int DOMAIN_RID_KRBTGT = 502;
363 const int DOMAIN_RID_ADMINS = 512;
364 const int DOMAIN_RID_USERS = 513;
365 const int DOMAIN_RID_GUESTS = 514;
366 const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
367 const int DOMAIN_RID_DCS = 516;
368 const int DOMAIN_RID_CERT_ADMINS = 517;
369 const int DOMAIN_RID_SCHEMA_ADMINS = 518;
370 const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
371 const int DOMAIN_RID_POLICY_ADMINS = 520;
372 const int DOMAIN_RID_READONLY_DCS = 521;
373 const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522;
374 const int DOMAIN_RID_PROTECTED_USERS = 525;
375 const int DOMAIN_RID_KEY_ADMINS = 526;
376 const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527;
377 const int DOMAIN_RID_RAS_SERVERS = 553;
378 const int DOMAIN_RID_RODC_ALLOW = 571;
379 const int DOMAIN_RID_RODC_DENY = 572;
381 /* well-known builtin RIDs */
382 const int BUILTIN_RID_ADMINISTRATORS = 544;
383 const int BUILTIN_RID_USERS = 545;
384 const int BUILTIN_RID_GUESTS = 546;
385 const int BUILTIN_RID_POWER_USERS = 547;
386 const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
387 const int BUILTIN_RID_SERVER_OPERATORS = 549;
388 const int BUILTIN_RID_PRINT_OPERATORS = 550;
389 const int BUILTIN_RID_BACKUP_OPERATORS = 551;
390 const int BUILTIN_RID_REPLICATOR = 552;
391 const int BUILTIN_RID_RAS_SERVERS = 553;
392 const int BUILTIN_RID_PRE_2K_ACCESS = 554;
393 const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
394 const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
395 const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
396 const int BUILTIN_RID_PERFMON_USERS = 558;
397 const int BUILTIN_RID_PERFLOG_USERS = 559;
398 const int BUILTIN_RID_AUTH_ACCESS = 560;
399 const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
400 const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562;
401 const int BUILTIN_RID_IUSERS = 568;
402 const int BUILTIN_RID_CRYPTO_OPERATORS = 569;
403 const int BUILTIN_RID_EVENT_LOG_READERS = 573;
404 const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574;
405 const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
406 const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576;
407 const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577;
408 const int BUILTIN_RID_HYPER_V_ADMINS = 578;
409 const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579;
410 const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580;
412 /********************************************************************
413 This is a list of privileges reported by a Windows 2008 R2 DC
414 just for reference purposes (and I know the LUID is not guaranteed
415 across reboots):
417 0x00000002 SeCreateTokenPrivilege "Create a token object"
418 0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
419 0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
420 0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
421 0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
422 0x00000007 SeTcbPrivilege "Act as part of the operating system"
423 0x00000008 SeSecurityPrivilege "Manage auditing and security log"
424 0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
425 0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
426 0x0000000b SeSystemProfilePrivilege "Profile system performance"
427 0x0000000c SeSystemtimePrivilege "Change the system time"
428 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
429 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
430 0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
431 0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
432 0x00000011 SeBackupPrivilege "Back up files and directories"
433 0x00000012 SeRestorePrivilege "Restore files and directories"
434 0x00000013 SeShutdownPrivilege "Shut down the system"
435 0x00000014 SeDebugPrivilege "Debug programs"
436 0x00000015 SeAuditPrivilege "Generate security audits"
437 0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
438 0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
439 0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
440 0x00000019 SeUndockPrivilege "Remove computer from docking station"
441 0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
442 0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
443 0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
444 0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
445 0x0000001e SeCreateGlobalPrivilege "Create global objects"
446 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
447 0x00000020 SeRelabelPrivilege "Modify an object label"
448 0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
449 0x00000022 SeTimeZonePrivilege "Change the time zone"
450 0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"
452 ********************************************************************/
454 /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
456 /* we have to define the LUID here due to a horrible check by printmig.exe
457 that requires the SeBackupPrivilege match what is in Windows. So match
458 those that we implement and start Samba privileges at 0x1001 */
460 typedef enum {
461 SEC_PRIV_INVALID = 0x0,
462 SEC_PRIV_INCREASE_QUOTA = 0x5,
463 SEC_PRIV_MACHINE_ACCOUNT = 0x6,
464 SEC_PRIV_SECURITY = 0x8,
465 SEC_PRIV_TAKE_OWNERSHIP = 0x09,
466 SEC_PRIV_LOAD_DRIVER = 0x0a,
467 SEC_PRIV_SYSTEM_PROFILE = 0x0b,
468 SEC_PRIV_SYSTEMTIME = 0x0c,
469 SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
470 SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
471 SEC_PRIV_CREATE_PAGEFILE = 0x0f,
472 SEC_PRIV_BACKUP = 0x11,
473 SEC_PRIV_RESTORE = 0x12,
474 SEC_PRIV_SHUTDOWN = 0x13,
475 SEC_PRIV_DEBUG = 0x14,
476 SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
477 SEC_PRIV_CHANGE_NOTIFY = 0x17,
478 SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
479 SEC_PRIV_UNDOCK = 0x19,
480 SEC_PRIV_ENABLE_DELEGATION = 0x1b,
481 SEC_PRIV_MANAGE_VOLUME = 0x1c,
482 SEC_PRIV_IMPERSONATE = 0x1d,
483 SEC_PRIV_CREATE_GLOBAL = 0x1e,
484 /* Samba-specific privs */
485 SEC_PRIV_PRINT_OPERATOR = 0x1001,
486 SEC_PRIV_ADD_USERS = 0x1002,
487 SEC_PRIV_DISK_OPERATOR = 0x1003
488 } sec_privilege;
491 /* Bitmap of privilege values for internal use only. We need
492 * our own bitmap here as privileges.tdb records these values
493 * as a bitmap (privilege.ldb uses the string forms).
495 typedef [bitmap64bit] bitmap {
496 SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010,
498 /* Samba-specific privs */
499 SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020,
500 SEC_PRIV_ADD_USERS_BIT = 0x00000040,
501 SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080,
503 SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100,
504 SEC_PRIV_BACKUP_BIT = 0x00000200,
505 SEC_PRIV_RESTORE_BIT = 0x00000400,
506 SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800,
507 /* End of privileges implemented before merge to common code */
509 SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000,
510 SEC_PRIV_SECURITY_BIT = 0x00002000,
511 SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000,
512 SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000,
513 SEC_PRIV_SYSTEMTIME_BIT = 0x00010000,
514 SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000,
515 SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000,
516 SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000,
517 SEC_PRIV_SHUTDOWN_BIT = 0x00100000,
518 SEC_PRIV_DEBUG_BIT = 0x00200000,
519 SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000,
520 SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000,
521 SEC_PRIV_UNDOCK_BIT = 0x01000000,
522 SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000,
523 SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000,
524 SEC_PRIV_IMPERSONATE_BIT = 0x08000000,
525 SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000
526 } se_privilege;
528 typedef [bitmap32bit] bitmap {
529 LSA_POLICY_MODE_INTERACTIVE = 0x00000001,
530 LSA_POLICY_MODE_NETWORK = 0x00000002,
531 LSA_POLICY_MODE_BATCH = 0x00000004,
532 LSA_POLICY_MODE_SERVICE = 0x00000010,
533 LSA_POLICY_MODE_PROXY = 0x00000020,
534 LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040,
535 LSA_POLICY_MODE_DENY_NETWORK = 0x00000080,
536 LSA_POLICY_MODE_DENY_BATCH = 0x00000100,
537 LSA_POLICY_MODE_DENY_SERVICE = 0x00000200,
538 LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400,
539 LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
540 LSA_POLICY_MODE_ALL = 0x00000FF7,
541 LSA_POLICY_MODE_ALL_NT4 = 0x00000037
542 } lsa_SystemAccessModeFlags;
544 typedef [public,bitmap8bit] bitmap {
545 SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
546 SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
547 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
548 SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
549 SEC_ACE_FLAG_INHERITED_ACE = 0x10,
550 SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
551 SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
552 SEC_ACE_FLAG_FAILED_ACCESS = 0x80
553 } security_ace_flags;
555 typedef [public,enum8bit] enum {
557 * The following entries tagged *reserved* have been
558 * named and allocated by Microsoft but apparently not
559 * implemented (MS-DTYP 2.4.4.1).
561 * The entries marked *unused* are more or less
562 * completely ignored by Samba.
564 SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
565 SEC_ACE_TYPE_ACCESS_DENIED = 1,
566 SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
567 SEC_ACE_TYPE_SYSTEM_ALARM = 3, /* reserved */
568 SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, /* reserved */
569 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
570 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
571 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
572 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8, /* reserved */
573 SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK = 9,
574 SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK = 10,
575 SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = 11,
576 SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT = 12,
577 SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK = 13,
578 SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK = 14, /* reserved */
579 SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = 15,
580 SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT = 16, /* reserved */
581 SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL = 17, /*unused */
582 SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE = 18,
583 SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID = 19 /* unused */
584 } security_ace_type;
586 typedef [bitmap32bit] bitmap {
587 SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
588 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
589 } security_ace_object_flags;
591 typedef [nodiscriminant] union {
592 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
593 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
594 [default];
595 } security_ace_object_type;
597 typedef [nodiscriminant] union {
598 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
599 * (of the parent container)
601 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
602 [default];
603 } security_ace_object_inherited_type;
605 typedef struct {
606 security_ace_object_flags flags;
607 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
608 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
609 } security_ace_object;
614 * flags that might occur in
615 * CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1.flags.
617 * Not all of them do anything. Conditional ACEs also use some
618 * of these flags.
620 typedef [bitmap32bit] bitmap {
621 CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE = 1,
622 CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2,
623 CLAIM_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY = 4, /*reserved*/
624 CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT = 8,
625 CLAIM_SECURITY_ATTRIBUTE_DISABLED = 0x10, /*reserved*/
626 CLAIM_SECURITY_ATTRIBUTE_MANDATORY = 0x20,
629 * These next two are curiously defined in [MS-DTYP] 2.4.10.1:
631 * > Flags: The upper two bytes of this DWORD are available for
632 * > application-specific data. The two lowest-order bits in the
633 * > lower of these two bytes are reserved. These two bytes
634 * > MAY contain only one of the following values in those two
635 * > bits:
637 * > FCI_CLAIM_SECURITY_ATTRIBUTE_MANUAL 0x0001
638 * > FCI_CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED 0x0002
640 * That is saying these mutually exclusive flags have offset
641 * values that are measured from the middle of flags field. We
642 * instead measure from the start.
644 CLAIM_SECURITY_ATTRIBUTE_MANUAL = 1 << 16,
645 CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED = 1 << 17,
648 * As the quote from [MS-DTYP] 2.4.10.1 above says,
649 * the upper 14 bits are for application-specific
650 * data. In Samba's case, we have one application
651 * specific flag to help us remember when we have
652 * sorted a claim and checked that it contains no
653 * duplicate values. We need to check this, and the
654 * check can be expensive, so it helps to remember.
655 * Having the values sorted is useful for comparisons
656 * in conditional ACEs.
658 * We can't just sort every claim_v1 we see, because
659 * resource attribute ACEs in SACLs contain them and
660 * are not meant to be evaluated prematurely (i.e. you
661 * can parse and reserialise a SACL even if it
662 * contains an ACE that would cause an error when used
663 * as a claim).
665 * In the case of string claims, evaluating uniqueness
666 * depends on the _CASE_SENSITIVE flag.
668 CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED = 1 << 30,
670 * Conditional ACEs use some of the above flags in
671 * combination with an internal one defined in
672 * conditional_ace.idl.
673 * This next definition is warning us in case a clash
674 * develops (which seems very unlikely).
676 CLAIM_SECURITY_ATTRIBUTE_RESERVED_FOR_SAMBA = 1UL << 31
677 } claim_flags;
680 * These claim types for v1 claims mirror those of on-the-wire
681 * PAC claims, but not conditional ace literal token types.
683 typedef [public] enum {
684 CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 = 0x0001,
685 CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 = 0x0002,
686 CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING = 0x0003,
687 CLAIM_SECURITY_ATTRIBUTE_TYPE_SID = 0x0005,
688 CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN = 0x0006,
689 CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING = 0x0010
690 } security_claim_value_type;
692 typedef [nodiscriminant,flag(NDR_NOALIGN)] union {
693 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64),relative] int64 *int_value;
694 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64),relative] hyper *uint_value;
695 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING),relative] nstring *string_value;
696 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_SID),relative] DATA_BLOB *sid_value;
697 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING),relative] DATA_BLOB *octet_value;
698 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN),relative] hyper *uint_value;
699 } claim_values;
701 typedef [public,gensize] struct {
702 [relative] nstring *name;
703 uint16 value_type;
704 uint32 flags;
705 uint32 value_count;
706 [switch_is(value_type)] claim_values values[value_count];
707 } CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1;
709 typedef [public,nodiscriminant] union {
710 [default] security_ace_object object;
711 [case(false)];
712 } security_ace_object_ctr;
714 typedef [public,nodiscriminant,gensize] union {
715 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
716 [case(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
717 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
718 [case(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
719 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
720 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
722 [case(SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claim;
723 [default][flag(NDR_REMAINING)] DATA_BLOB ignored;
724 } security_ace_coda;
726 typedef [public,gensize,nosize,nopush,nopull] struct {
727 security_ace_type type; /* SEC_ACE_TYPE_* */
728 security_ace_flags flags; /* SEC_ACE_FLAG_* */
729 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
730 uint32 access_mask;
731 [switch_is(sec_ace_object(type))] security_ace_object_ctr object;
732 dom_sid trustee;
733 [switch_is(type), subcontext(0), subcontext_size(ndr_subcontext_size_of_ace_coda(r, size, ndr->flags))] security_ace_coda coda;
734 } security_ace;
736 typedef enum {
737 SECURITY_ACL_REVISION_NT4 = 2,
738 SECURITY_ACL_REVISION_ADS = 4
739 } security_acl_revision;
741 const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
743 typedef [public,gensize,nosize] struct {
744 security_acl_revision revision;
745 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
746 [range(0,2000)] uint32 num_aces;
747 security_ace aces[num_aces];
748 } security_acl;
750 /* revision of the security descriptor header (ACL revisions are security_acl_revision above) */
751 typedef [public,enum8bit] enum {
752 SECURITY_DESCRIPTOR_REVISION_1 = 1
753 } security_descriptor_revision;
755 const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
757 /* security_descriptor->type bits */
758 typedef [public,bitmap16bit] bitmap {
759 SEC_DESC_OWNER_DEFAULTED = 0x0001,
760 SEC_DESC_GROUP_DEFAULTED = 0x0002,
761 SEC_DESC_DACL_PRESENT = 0x0004,
762 SEC_DESC_DACL_DEFAULTED = 0x0008,
763 SEC_DESC_SACL_PRESENT = 0x0010,
764 SEC_DESC_SACL_DEFAULTED = 0x0020,
765 SEC_DESC_DACL_TRUSTED = 0x0040,
766 SEC_DESC_SERVER_SECURITY = 0x0080,
767 SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
768 SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
769 SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
770 SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
771 SEC_DESC_DACL_PROTECTED = 0x1000,
772 SEC_DESC_SACL_PROTECTED = 0x2000,
773 SEC_DESC_RM_CONTROL_VALID = 0x4000,
774 SEC_DESC_SELF_RELATIVE = 0x8000
775 } security_descriptor_type;
777 typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
778 security_descriptor_revision revision;
779 security_descriptor_type type; /* SEC_DESC_xxxx flags */
780 [relative] dom_sid *owner_sid;
781 [relative] dom_sid *group_sid;
782 [relative] security_acl *sacl; /* system ACL */
783 [relative] security_acl *dacl; /* user (discretionary) ACL */
784 } security_descriptor;
/*
 * Length-prefixed security descriptor as carried in RPC calls.
 *
 * sd_size is computed on push. On pull the [range] rejects a declared
 * size above 0x40000 (256 KiB) before anything is allocated, and
 * [subcontext(4)] parses sd out of its own 4-byte-length-prefixed
 * sub-buffer, so a malformed descriptor is confined to that buffer
 * rather than desynchronising the enclosing stream.
 */
typedef [public] struct {
	[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
	[subcontext(4)] security_descriptor *sd;	/**< may be NULL */
} sec_desc_buf;
/*
 * Attributes attached to each group SID in a token; used to be
 * samr_GroupAttrs. Bit meanings follow the Windows SE_GROUP_* values.
 */
typedef [public,bitmap32bit] bitmap {
	SE_GROUP_MANDATORY		= 0x00000001,	/**< cannot be disabled in the token */
	SE_GROUP_ENABLED_BY_DEFAULT	= 0x00000002,
	SE_GROUP_ENABLED		= 0x00000004,	/**< takes part in access checks */
	SE_GROUP_OWNER			= 0x00000008,	/**< may be set as an object's owner */
	SE_GROUP_USE_FOR_DENY_ONLY	= 0x00000010,	/**< only matched against deny ACEs */
	SE_GROUP_INTEGRITY		= 0x00000020,
	SE_GROUP_INTEGRITY_ENABLED	= 0x00000040,
	SE_GROUP_RESOURCE		= 0x20000000,	/**< domain-local group */
	SE_GROUP_LOGON_ID		= 0xC0000000	/**< logon session SID; note this is a two-bit value */
} security_GroupAttrs;
/*
 * Attributes given to a group SID when nothing more specific is known:
 * mandatory, enabled, and enabled by default.
 */
const uint32 SE_GROUP_DEFAULT_FLAGS =
	SE_GROUP_MANDATORY |
	SE_GROUP_ENABLED_BY_DEFAULT |
	SE_GROUP_ENABLED;
/*
 * Should claims be evaluated on this token?
 *
 * 0 is deliberately invalid so that a zero-filled token - one whose
 * evaluate_claims field was never set - is caught as an error rather
 * than silently treated as "never" or "always".
 */
typedef enum {
	CLAIMS_EVALUATION_INVALID_STATE = 0,	/**< unset; reject the token */
	CLAIMS_EVALUATION_NEVER = 1,
	CLAIMS_EVALUATION_ALWAYS = 2
} claims_evaluation_control;
/*
 * A Samba security token: the identity and privileges a request runs
 * with.
 *
 * This is linearised to pass authentication over the NP proxy from
 * smbd to RPC servers, but is not in public network protocols, and so
 * the array counts carry no [range] bounds. NOTE(review): that makes
 * the marshalled form safe to accept only from a trusted local peer -
 * each count is used directly as an array size on pull, so untrusted
 * bytes would let the sender dictate allocation sizes.
 */
typedef [public] struct {
	uint32 num_sids;
	[size_is(num_sids)] dom_sid sids[*];
	se_privilege privilege_mask;			/**< privileges held by the token */
	lsa_SystemAccessModeFlags rights_mask;		/**< LSA system access rights */
	uint32 num_local_claims;
	uint32 num_user_claims;
	uint32 num_device_claims;
	uint32 num_device_sids;
	[size_is(num_local_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 local_claims[*];
	[size_is(num_user_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 user_claims[*];
	[size_is(num_device_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 device_claims[*];
	[size_is(num_device_sids)] dom_sid device_sids[*];
	/*
	 * This allows us to disable claims evaluation on a per-token
	 * basis, allowing library code to remain distinct from
	 * configuration by passing this in as a flag here.
	 */
	claims_evaluation_control evaluate_claims;
} security_token;
/*
 * Bundles the three inputs of an access check - a token, a security
 * descriptor and the access mask being requested - so that a single
 * NDR blob can drive one case; the name indicates it exists for the
 * fuzzers rather than for any protocol.
 */
typedef [public] struct {
	security_token token;
	security_descriptor sd;
	uint32 access_desired;		/**< access mask to test against sd */
} security_token_descriptor_fuzzing_pair;
/*
 * POSIX identity: uid, gid and the supplementary group list.
 * This is not yet sent over the network, but is simply defined in IDL.
 */
typedef [public] struct {
	uid_t uid;
	gid_t gid;
	uint32 ngroups;				/**< number of entries in groups[] */
	[size_is(ngroups)] gid_t groups[*];	/**< supplementary group ids */
} security_unix_token;
/*
 * Bits that determine which parts of a security descriptor are being
 * queried/set (the Windows SECURITY_INFORMATION values).
 *
 * The low bits select descriptor parts. The *PROTECTED_* and
 * *UNPROTECTED_* bits are modifiers for set operations that turn
 * inheritance from the parent off or on for the named ACL;
 * SECINFO_BACKUP requests the whole descriptor at once.
 */
typedef [public,bitmap32bit] bitmap {
	SECINFO_OWNER			= 0x00000001,
	SECINFO_GROUP			= 0x00000002,
	SECINFO_DACL			= 0x00000004,
	SECINFO_SACL			= 0x00000008,
	SECINFO_LABEL			= 0x00000010,	/**< integrity label ACEs in the SACL */
	SECINFO_ATTRIBUTE		= 0x00000020,
	SECINFO_SCOPE			= 0x00000040,
	SECINFO_BACKUP			= 0x00010000,	/**< everything, for backup/restore */
	SECINFO_UNPROTECTED_SACL	= 0x10000000,	/**< set only: re-enable SACL inheritance */
	SECINFO_UNPROTECTED_DACL	= 0x20000000,	/**< set only: re-enable DACL inheritance */
	SECINFO_PROTECTED_SACL		= 0x40000000,	/**< set only: block SACL inheritance */
	SECINFO_PROTECTED_DACL		= 0x80000000	/**< set only: block DACL inheritance */
} security_secinfo;
/*
 * An SMB server should only support the following flags
 * and ignore all others.
 *
 * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
 * and 2.2.39 SMB2 SET_INFO Request.
 */
885 const int SMB_SUPPORTED_SECINFO_FLAGS = (
886 SECINFO_OWNER |
887 SECINFO_GROUP |
888 SECINFO_DACL |
889 SECINFO_SACL |
890 SECINFO_LABEL |
891 SECINFO_ATTRIBUTE |
892 SECINFO_SCOPE |
893 SECINFO_BACKUP |
/*
 * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY: the client token
 * restriction information carried in Kerberos authorization data.
 * Printed as hex (NDR_PAHEX) since MachineId is an opaque byte string.
 */
typedef [public,gensize,flag(NDR_PAHEX)] struct {
	uint32 Flags;		/**< restriction flags */
	uint32 TokenIL;		/**< integrity level of the client's token */
	uint8 MachineId[32];	/**< fixed 32-byte client machine identifier */
} LSAP_TOKEN_INFO_INTEGRITY;
/*
 * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags (the
 * msDS-SupportedEncryptionTypes bitmap). The low bits advertise
 * Kerberos encryption types; the 0x000X0000 bits advertise features,
 * not enctypes.
 *
 * NOTE(review): single DES (RFC 6649) and RC4-HMAC (RFC 8429) are
 * deprecated. Leaving those bits set lets a peer pick a weak enctype,
 * so defaults should keep them clear and only enable them for explicit
 * legacy interop.
 */
typedef [public,bitmap32bit] bitmap {
	KERB_ENCTYPE_DES_CBC_CRC			= 0x00000001,	/**< single DES, deprecated */
	KERB_ENCTYPE_DES_CBC_MD5			= 0x00000002,	/**< single DES, deprecated */
	KERB_ENCTYPE_RC4_HMAC_MD5			= 0x00000004,	/**< deprecated */
	KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96		= 0x00000008,
	KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96		= 0x00000010,
	KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK		= 0x00000020,
	KERB_ENCTYPE_FAST_SUPPORTED			= 0x00010000,	/**< feature flag, not an enctype */
	KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED	= 0x00020000,	/**< feature flag */
	KERB_ENCTYPE_CLAIMS_SUPPORTED			= 0x00040000,	/**< feature flag */
	KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED	= 0x00080000	/**< feature flag */
} kerb_EncTypes;
/*
 * Flags controlling how a new object's security descriptor is derived
 * from its parent's during creation and inheritance.
 */
typedef [public,bitmap32bit] bitmap {
	SEC_DACL_AUTO_INHERIT	= 0x00000001,	/**< propagate inheritable DACL ACEs */
	SEC_SACL_AUTO_INHERIT	= 0x00000002,	/**< propagate inheritable SACL ACEs */
	SEC_DEFAULT_DESCRIPTOR	= 0x00000004,	/**< supplied descriptor is a default, not caller-chosen */
	SEC_OWNER_FROM_PARENT	= 0x00000008,	/**< take owner_sid from the parent */
	SEC_GROUP_FROM_PARENT	= 0x00000010	/**< take group_sid from the parent */
} security_autoinherit;
/***************************************************************/
/*
 * Extended right GUIDs: the rightsGuid of the controlAccessRight
 * objects in the directory. Each appears as the object type of an
 * object-specific ACE to grant or deny one control access right.
 *
 * NOTE(review): GUID_DRS_ALLOWED_TO_AUTHENTICATE contains upper-case
 * hex digits ("4D4F") while every other constant here is lower-case.
 * Code that compares these as strings rather than as parsed GUIDs
 * must do so case-insensitively or it will never match that right.
 *
 * GET_CHANGES, GET_ALL_CHANGES and GET_FILTERED_ATTRIBUTES together
 * allow directory replication including secrets; grants of them to
 * anything but domain controllers should be rare and audited.
 */
const string GUID_DRS_ALLOCATE_RIDS		= "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
const string GUID_DRS_CHANGE_DOMAIN_MASTER	= "014bf69c-7b3b-11d1-85f6-08002be74fab";
const string GUID_DRS_CHANGE_INFR_MASTER	= "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
const string GUID_DRS_CHANGE_PDC		= "bae50096-4752-11d1-9052-00c04fc2d4cf";
const string GUID_DRS_CHANGE_RID_MASTER		= "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
const string GUID_DRS_CHANGE_SCHEMA_MASTER	= "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
const string GUID_DRS_GET_CHANGES		= "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";	/* replication */
const string GUID_DRS_REPL_SYNCRONIZE		= "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
const string GUID_DRS_MANAGE_TOPOLOGY		= "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
const string GUID_DRS_GET_ALL_CHANGES		= "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";	/* replication, incl. secrets */
const string GUID_DRS_RO_REPL_SECRET_SYNC	= "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
const string GUID_DRS_GET_FILTERED_ATTRIBUTES	= "89e95b76-444d-4c62-991a-0facbeda640c";
const string GUID_DRS_MONITOR_TOPOLOGY		= "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
const string GUID_DRS_USER_CHANGE_PASSWORD	= "ab721a53-1e2f-11d0-9819-00aa0040529b";	/* change own password (old one required) */
const string GUID_DRS_FORCE_CHANGE_PASSWORD	= "00299570-246d-11d0-a768-00aa006e0529";	/* reset password without the old one */
const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
	= "280f369c-67c7-438e-ae98-1d46f3c6f541";
const string GUID_DRS_UNEXPIRE_PASSWORD		= "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
	= "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
const string GUID_DRS_DS_INSTALL_REPLICA	= "9923a32a-3607-11d2-b9be-0000f87a36b2";
const string GUID_DRS_REANIMATE_TOMBSTONE	= "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
/* note the upper-case "4D4F" in this one; see the comment above */
const string GUID_DRS_ALLOWED_TO_AUTHENTICATE	= "68b1d179-0d15-4D4F-ab71-46152e79a7bc";
/***************************************************************/
/*
 * Validated-write GUIDs: rights that let a principal write a specific
 * attribute of its own object, with the server validating the value
 * (e.g. that an SPN or DNS host name corresponds to the account
 * itself) rather than granting an unrestricted attribute write.
 */
const string GUID_DRS_VALIDATE_SPN		= "f3a64788-5306-11d1-a9c5-0000f80367c1";
const string GUID_DRS_SELF_MEMBERSHIP		= "bf9679c0-0de6-11d0-a285-00aa003049e2";
const string GUID_DRS_DNS_HOST_NAME		= "72e39547-7b18-11d1-adef-00c04fd8d5cd";
const string GUID_DRS_ADD_DNS_HOST_NAME		= "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
const string GUID_DRS_BEHAVIOR_VERSION		= "d31a8757-2447-4545-8081-3bb610cacbf2";
/*
 * Describes the mapping of the generic access rights (the SEC_GENERIC_
 * bits in the top nibble of an access mask) to the object-specific
 * rights they expand to for one object type. Each field is the
 * concrete mask substituted for the corresponding generic bit.
 */
typedef struct {
	uint32 generic_read;	/**< rights implied by GENERIC_READ */
	uint32 generic_write;	/**< rights implied by GENERIC_WRITE */
	uint32 generic_execute;	/**< rights implied by GENERIC_EXECUTE */
	uint32 generic_all;	/**< rights implied by GENERIC_ALL */
} generic_mapping;
/*
 * Counterpart of generic_mapping for the standard rights (the SEC_STD_
 * byte of an access mask): per object type, the concrete masks that
 * standard read, write, execute and "all" expand to.
 */
typedef struct {
	uint32 std_read;	/**< standard rights making up "read" */
	uint32 std_write;	/**< standard rights making up "write" */
	uint32 std_execute;	/**< standard rights making up "execute" */
	uint32 std_all;		/**< all standard rights */
} standard_mapping;