search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tevent: release 0.16.1
[Samba.git] / librpc / idl / security.idl
blobd1552475b638339bf516d0de0d19b222690fd29a
1 #include "idl_types.h"
2
3 /*
4 security IDL structures
5 */
6
7 import "misc.idl";
8
9 /*
10 use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11 just a dom sid, but with the sub_auths represented as a conformant
12 array. As with all in-structure conformant arrays, the array length
13 is placed before the start of the structure. That's what gives rise
14 to the extra num_auths element. We don't want the Samba code to
15 have to bother with such esoteric NDR details, so its easier to just
16 define it as a dom_sid and use pidl magic to make it all work. It
17 just means you need to mark a sid as a "dom_sid2" in the IDL when you
18 know it is of the conformant array variety
19 */
20 cpp_quote("#define dom_sid2 dom_sid")
21
22 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
23 cpp_quote("#define dom_sid28 dom_sid")
24
25 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
26 cpp_quote("#define dom_sid0 dom_sid")
27
28 [
29 /*
30 * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
31 */
32 uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
33 version(0.0),
34 helper("../libcli/security/security.h"),
35 pyhelper("librpc/ndr/py_security.c"),
36 pointer_default(unique)
37 ]
38 interface security
39 {
40
41 typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;
42
43 typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
44 uint8 sid_rev_num; /**< SID revision number */
45 [range(0,15)] int8 num_auths; /**< Number of sub-authorities */
46 uint8 id_auth[6]; /**< Identifier Authority */
47 uint32 sub_auths[15];
48 } dom_sid;
49 /*
50 access masks are divided up like this:
51 0xabccdddd
52 where
53 a = generic rights bits SEC_GENERIC_
54 b = flags SEC_FLAG_
55 c = standard rights bits SEC_STD_
56 d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
57
58 common combinations of bits are prefixed with SEC_RIGHTS_
59 */
60 const int SEC_MASK_GENERIC = 0xF0000000;
61 const int SEC_MASK_FLAGS = 0x0F000000;
62 const int SEC_MASK_STANDARD = 0x00FF0000;
63 const int SEC_MASK_SPECIFIC = 0x0000FFFF;
64
65 /* generic bits */
66 const int SEC_GENERIC_ALL = 0x10000000;
67 const int SEC_GENERIC_EXECUTE = 0x20000000;
68 const int SEC_GENERIC_WRITE = 0x40000000;
69 const int SEC_GENERIC_READ = 0x80000000;
70
71 /* flag bits */
72 const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
73 const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
74
75 /* standard bits */
76 const int SEC_STD_DELETE = 0x00010000;
77 const int SEC_STD_READ_CONTROL = 0x00020000;
78 const int SEC_STD_WRITE_DAC = 0x00040000;
79 const int SEC_STD_WRITE_OWNER = 0x00080000;
80 const int SEC_STD_SYNCHRONIZE = 0x00100000;
81 const int SEC_STD_REQUIRED = 0x000F0000;
82 const int SEC_STD_ALL = 0x001F0000;
83
84 /* file specific bits */
85 const int SEC_FILE_READ_DATA = 0x00000001;
86 const int SEC_FILE_WRITE_DATA = 0x00000002;
87 const int SEC_FILE_APPEND_DATA = 0x00000004;
88 const int SEC_FILE_READ_EA = 0x00000008;
89 const int SEC_FILE_WRITE_EA = 0x00000010;
90 const int SEC_FILE_EXECUTE = 0x00000020;
91 const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
92 const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
93 const int SEC_FILE_ALL = 0x000001ff;
94
95 /* directory specific bits */
96 const int SEC_DIR_LIST = 0x00000001;
97 const int SEC_DIR_ADD_FILE = 0x00000002;
98 const int SEC_DIR_ADD_SUBDIR = 0x00000004;
99 const int SEC_DIR_READ_EA = 0x00000008;
100 const int SEC_DIR_WRITE_EA = 0x00000010;
101 const int SEC_DIR_TRAVERSE = 0x00000020;
102 const int SEC_DIR_DELETE_CHILD = 0x00000040;
103 const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
104 const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
105
106 /* registry entry specific bits */
107 const int SEC_REG_QUERY_VALUE = 0x00000001;
108 const int SEC_REG_SET_VALUE = 0x00000002;
109 const int SEC_REG_CREATE_SUBKEY = 0x00000004;
110 const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
111 const int SEC_REG_NOTIFY = 0x00000010;
112 const int SEC_REG_CREATE_LINK = 0x00000020;
113
114 /* ldap specific access bits */
115 const int SEC_ADS_CREATE_CHILD = 0x00000001;
116 const int SEC_ADS_DELETE_CHILD = 0x00000002;
117 const int SEC_ADS_LIST = 0x00000004;
118 const int SEC_ADS_SELF_WRITE = 0x00000008;
119 const int SEC_ADS_READ_PROP = 0x00000010;
120 const int SEC_ADS_WRITE_PROP = 0x00000020;
121 const int SEC_ADS_DELETE_TREE = 0x00000040;
122 const int SEC_ADS_LIST_OBJECT = 0x00000080;
123 const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
124
125 /* invalid bits */
126 const int SEC_MASK_INVALID = 0x0ce0fe00;
127
128 /* generic->specific mappings for files */
129 const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
130 SEC_STD_SYNCHRONIZE |
131 SEC_FILE_READ_DATA |
132 SEC_FILE_READ_ATTRIBUTE |
133 SEC_FILE_READ_EA;
134
135 const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
136 SEC_STD_SYNCHRONIZE |
137 SEC_FILE_WRITE_DATA |
138 SEC_FILE_WRITE_ATTRIBUTE |
139 SEC_FILE_WRITE_EA |
140 SEC_FILE_APPEND_DATA;
141
142 const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
143 SEC_STD_READ_CONTROL |
144 SEC_FILE_READ_ATTRIBUTE |
145 SEC_FILE_EXECUTE;
146
147 const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
148
149 /* generic->specific mappings for directories (same as files) */
150 const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
151 const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
152 const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
153 const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
154
155 /* rights granted by some specific privileges */
156 const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
157 SEC_FLAG_SYSTEM_SECURITY |
158 SEC_RIGHTS_FILE_READ |
159 SEC_DIR_TRAVERSE;
160
161 const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
162 SEC_STD_WRITE_OWNER |
163 SEC_FLAG_SYSTEM_SECURITY |
164 SEC_RIGHTS_FILE_WRITE |
165 SEC_DIR_ADD_FILE |
166 SEC_DIR_ADD_SUBDIR |
167 SEC_STD_DELETE;
168
169 /* combinations of standard masks. */
170 const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
171 const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
172 const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
173 const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
174 const int STANDARD_RIGHTS_WRITE_ACCESS =
175 (SEC_STD_WRITE_OWNER |
176 SEC_STD_WRITE_DAC |
177 SEC_STD_DELETE); /* 0x000d0000 */
178 const int STANDARD_RIGHTS_REQUIRED_ACCESS =
179 (SEC_STD_DELETE |
180 SEC_STD_READ_CONTROL |
181 SEC_STD_WRITE_DAC |
182 SEC_STD_WRITE_OWNER); /* 0x000f0000 */
183
184 /* generic->specific mappings for Directory Service objects */
185 /* directory specific part of GENERIC_ALL */
186 const int SEC_ADS_GENERIC_ALL_DS =
187 (SEC_STD_DELETE |
188 SEC_STD_WRITE_DAC |
189 SEC_STD_WRITE_OWNER |
190 SEC_ADS_CREATE_CHILD |
191 SEC_ADS_DELETE_CHILD |
192 SEC_ADS_DELETE_TREE |
193 SEC_ADS_CONTROL_ACCESS);
194 const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
195 const int SEC_ADS_GENERIC_WRITE =
196 (SEC_STD_READ_CONTROL |
197 SEC_ADS_SELF_WRITE |
198 SEC_ADS_WRITE_PROP);
199 const int SEC_ADS_GENERIC_READ =
200 (SEC_STD_READ_CONTROL |
201 SEC_ADS_LIST |
202 SEC_ADS_READ_PROP |
203 SEC_ADS_LIST_OBJECT);
204 const int SEC_ADS_GENERIC_ALL =
205 (SEC_ADS_GENERIC_EXECUTE |
206 SEC_ADS_GENERIC_WRITE |
207 SEC_ADS_GENERIC_READ |
208 SEC_ADS_GENERIC_ALL_DS);
209
210 /*
211 * Rights implicitly granted to a user who is an owner of the security
212 * descriptor being processed.
213 */
214 typedef enum {
215 IMPLICIT_OWNER_READ_CONTROL_RIGHTS,
216 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS
217 } implicit_owner_rights;
218
219 /***************************************************************/
220 /* WELL KNOWN SIDS */
221
222 /* a NULL sid */
223 const string SID_NULL = "S-1-0-0";
224
225 /* the world domain */
226 const string NAME_WORLD = "WORLD";
227
228 const string SID_WORLD_DOMAIN = "S-1-1";
229 const string SID_WORLD = "S-1-1-0";
230
231 /* SECURITY_CREATOR_SID_AUTHORITY */
232 const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
233 const string SID_CREATOR_OWNER = "S-1-3-0";
234 const string SID_CREATOR_GROUP = "S-1-3-1";
235 const string SID_OWNER_RIGHTS = "S-1-3-4";
236
237 /* SECURITY_NT_AUTHORITY */
238 const string NAME_NT_AUTHORITY = "NT AUTHORITY";
239
240 const string SID_NT_AUTHORITY = "S-1-5";
241 const string SID_NT_DIALUP = "S-1-5-1";
242 const string SID_NT_NETWORK = "S-1-5-2";
243 const string SID_NT_BATCH = "S-1-5-3";
244 const string SID_NT_INTERACTIVE = "S-1-5-4";
245 const string SID_NT_SERVICE = "S-1-5-6";
246 const string SID_NT_ANONYMOUS = "S-1-5-7";
247 const string SID_NT_PROXY = "S-1-5-8";
248 const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
249 const string SID_NT_SELF = "S-1-5-10";
250 const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
251 const string SID_NT_RESTRICTED = "S-1-5-12";
252 const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
253 const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
254 const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
255 const string SID_NT_IUSR = "S-1-5-17";
256 const string SID_NT_SYSTEM = "S-1-5-18";
257 const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
258 const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
259 const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
260 const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
261 const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
262 const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
263
264 /* SECURITY_BUILTIN_DOMAIN_RID */
265 const string NAME_BUILTIN = "BUILTIN";
266
267 const string SID_BUILTIN = "S-1-5-32";
268 const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
269 const string SID_BUILTIN_USERS = "S-1-5-32-545";
270 const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
271 const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
272 const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
273 const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
274 const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
275 const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
276 const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
277 const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
278 const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
279 const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
280 const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
281 const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
282 const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
283 const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
284 const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
285 const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
286 const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562";
287 const string SID_BUILTIN_IUSERS = "S-1-5-32-568";
288 const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569";
289 const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
290 const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";
291 const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575";
292 const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576";
293 const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
294 const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
295 const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579";
296 const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580";
297 const string SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP = "S-1-5-32-581";
298 const string SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS = "S-1-5-32-582";
299
300 const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
301
302 /* UID/GID mapping Samba style */
303 const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
304 const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2";
305
306 /* SECURITY_NT_SERVICE */
307 const string NAME_NT_SERVICE = "NT SERVICE";
308
309 const string SID_NT_NT_SERVICE = "S-1-5-80";
310 const string SID_NT_TRUSTED_INSTALLER =
311 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
312
313 /*
314 * This is added during the AS-REQ/AS-REP exchange after
315 * pre-authentication was successful.
316 */
317 const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
318 /*
319 * This is added during S4U2Self PAC creation.
320 *
321 * It won't replace a possible
322 * SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
323 * during S4U2Proxy.
324 */
325 const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
326
327 const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
328 const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
329
330 const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
331
332 const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
333
334 const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
335 const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
336 const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
337 const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
338 const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
339
340 /*
341 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
342 */
343 const string SID_NT_NFS_SUBSYSTEM = "S-1-5-88";
344 const string SID_NT_NFS_USER = "S-1-5-88-1";
345 const string SID_NT_NFS_GROUP = "S-1-5-88-2";
346 const string SID_NT_NFS_MASK = "S-1-5-88-3";
347 const string SID_NT_NFS_OTHERS = "S-1-5-88-4";
348
349 /* well-known domain RIDs */
350 const int DOMAIN_RID_LOGON = 9;
351 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
352 const int DOMAIN_RID_ADMINISTRATOR = 500;
353 const int DOMAIN_RID_GUEST = 501;
354 const int DOMAIN_RID_KRBTGT = 502;
355 const int DOMAIN_RID_ADMINS = 512;
356 const int DOMAIN_RID_USERS = 513;
357 const int DOMAIN_RID_GUESTS = 514;
358 const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
359 const int DOMAIN_RID_DCS = 516;
360 const int DOMAIN_RID_CERT_ADMINS = 517;
361 const int DOMAIN_RID_SCHEMA_ADMINS = 518;
362 const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
363 const int DOMAIN_RID_POLICY_ADMINS = 520;
364 const int DOMAIN_RID_READONLY_DCS = 521;
365 const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522;
366 const int DOMAIN_RID_PROTECTED_USERS = 525;
367 const int DOMAIN_RID_KEY_ADMINS = 526;
368 const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527;
369 const int DOMAIN_RID_RAS_SERVERS = 553;
370 const int DOMAIN_RID_RODC_ALLOW = 571;
371 const int DOMAIN_RID_RODC_DENY = 572;
372
373 /* well-known builtin RIDs */
374 const int BUILTIN_RID_ADMINISTRATORS = 544;
375 const int BUILTIN_RID_USERS = 545;
376 const int BUILTIN_RID_GUESTS = 546;
377 const int BUILTIN_RID_POWER_USERS = 547;
378 const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
379 const int BUILTIN_RID_SERVER_OPERATORS = 549;
380 const int BUILTIN_RID_PRINT_OPERATORS = 550;
381 const int BUILTIN_RID_BACKUP_OPERATORS = 551;
382 const int BUILTIN_RID_REPLICATOR = 552;
383 const int BUILTIN_RID_RAS_SERVERS = 553;
384 const int BUILTIN_RID_PRE_2K_ACCESS = 554;
385 const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
386 const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
387 const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
388 const int BUILTIN_RID_PERFMON_USERS = 558;
389 const int BUILTIN_RID_PERFLOG_USERS = 559;
390 const int BUILTIN_RID_AUTH_ACCESS = 560;
391 const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
392 const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562;
393 const int BUILTIN_RID_IUSERS = 568;
394 const int BUILTIN_RID_CRYPTO_OPERATORS = 569;
395 const int BUILTIN_RID_EVENT_LOG_READERS = 573;
396 const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574;
397 const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
398 const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576;
399 const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577;
400 const int BUILTIN_RID_HYPER_V_ADMINS = 578;
401 const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579;
402 const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580;
403
404 /********************************************************************
405 This is a list of privileges reported by a WIndows 2008 R2 DC
406 just for reference purposes (and I know the LUID is not guaranteed
407 across reboots):
408
409 0x00000002 SeCreateTokenPrivilege "Create a token object"
410 0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
411 0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
412 0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
413 0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
414 0x00000007 SeTcbPrivilege "Act as part of the operating system"
415 0x00000008 SeSecurityPrivilege "Manage auditing and security log"
416 0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
417 0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
418 0x0000000b SeSystemProfilePrivilege "Profile system performance"
419 0x0000000c SeSystemtimePrivilege "Change the system time"
420 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
421 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
422 0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
423 0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
424 0x00000011 SeBackupPrivilege "Back up files and directories"
425 0x00000012 SeRestorePrivilege "Restore files and directories"
426 0x00000013 SeShutdownPrivilege "Shut down the system"
427 0x00000014 SeDebugPrivilege "Debug programs"
428 0x00000015 SeAuditPrivilege "Generate security audits"
429 0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
430 0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
431 0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
432 0x00000019 SeUndockPrivilege "Remove computer from docking station"
433 0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
434 0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
435 0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
436 0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
437 0x0000001e SeCreateGlobalPrivilege "Create global objects"
438 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
439 0x00000020 SeRelabelPrivilege "Modify an object label"
440 0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
441 0x00000022 SeTimeZonePrivilege "Change the time zone"
442 0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"
443
444 ********************************************************************/
445
446 /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
447
448 /* we have to define the LUID here due to a horrible check by printmig.exe
449 that requires the SeBackupPrivilege match what is in Windows. So match
450 those that we implement and start Samba privileges at 0x1001 */
451
452 typedef enum {
453 SEC_PRIV_INVALID = 0x0,
454 SEC_PRIV_INCREASE_QUOTA = 0x5,
455 SEC_PRIV_MACHINE_ACCOUNT = 0x6,
456 SEC_PRIV_SECURITY = 0x8,
457 SEC_PRIV_TAKE_OWNERSHIP = 0x09,
458 SEC_PRIV_LOAD_DRIVER = 0x0a,
459 SEC_PRIV_SYSTEM_PROFILE = 0x0b,
460 SEC_PRIV_SYSTEMTIME = 0x0c,
461 SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
462 SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
463 SEC_PRIV_CREATE_PAGEFILE = 0x0f,
464 SEC_PRIV_BACKUP = 0x11,
465 SEC_PRIV_RESTORE = 0x12,
466 SEC_PRIV_SHUTDOWN = 0x13,
467 SEC_PRIV_DEBUG = 0x14,
468 SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
469 SEC_PRIV_CHANGE_NOTIFY = 0x17,
470 SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
471 SEC_PRIV_UNDOCK = 0x19,
472 SEC_PRIV_ENABLE_DELEGATION = 0x1b,
473 SEC_PRIV_MANAGE_VOLUME = 0x1c,
474 SEC_PRIV_IMPERSONATE = 0x1d,
475 SEC_PRIV_CREATE_GLOBAL = 0x1e,
476 /* Samba-specific privs */
477 SEC_PRIV_PRINT_OPERATOR = 0x1001,
478 SEC_PRIV_ADD_USERS = 0x1002,
479 SEC_PRIV_DISK_OPERATOR = 0x1003
480 } sec_privilege;
481
482
483 /* Bitmap of privilege values for internal use only. We need
484 * our own bitmap here as privileges.tdb records these values
485 * as a bitmap (privileges.ldb uses the string forms).
486 */
487 typedef [bitmap64bit] bitmap {
488 SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010,
489
490 /* Samba-specific privs */
491 SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020,
492 SEC_PRIV_ADD_USERS_BIT = 0x00000040,
493 SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080,
494
495 SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100,
496 SEC_PRIV_BACKUP_BIT = 0x00000200,
497 SEC_PRIV_RESTORE_BIT = 0x00000400,
498 SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800,
499 /* End of privileges implemented before merge to common code */
500
501 SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000,
502 SEC_PRIV_SECURITY_BIT = 0x00002000,
503 SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000,
504 SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000,
505 SEC_PRIV_SYSTEMTIME_BIT = 0x00010000,
506 SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000,
507 SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000,
508 SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000,
509 SEC_PRIV_SHUTDOWN_BIT = 0x00100000,
510 SEC_PRIV_DEBUG_BIT = 0x00200000,
511 SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000,
512 SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000,
513 SEC_PRIV_UNDOCK_BIT = 0x01000000,
514 SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000,
515 SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000,
516 SEC_PRIV_IMPERSONATE_BIT = 0x08000000,
517 SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000
518 } se_privilege;
519
520 typedef [bitmap32bit] bitmap {
521 LSA_POLICY_MODE_INTERACTIVE = 0x00000001,
522 LSA_POLICY_MODE_NETWORK = 0x00000002,
523 LSA_POLICY_MODE_BATCH = 0x00000004,
524 LSA_POLICY_MODE_SERVICE = 0x00000010,
525 LSA_POLICY_MODE_PROXY = 0x00000020,
526 LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040,
527 LSA_POLICY_MODE_DENY_NETWORK = 0x00000080,
528 LSA_POLICY_MODE_DENY_BATCH = 0x00000100,
529 LSA_POLICY_MODE_DENY_SERVICE = 0x00000200,
530 LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400,
531 LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
532 LSA_POLICY_MODE_ALL = 0x00000FF7,
533 LSA_POLICY_MODE_ALL_NT4 = 0x00000037
534 } lsa_SystemAccessModeFlags;
535
536 typedef [public,bitmap8bit] bitmap {
537 SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
538 SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
539 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
540 SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
541 SEC_ACE_FLAG_INHERITED_ACE = 0x10,
542 SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
543 SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
544 SEC_ACE_FLAG_FAILED_ACCESS = 0x80
545 } security_ace_flags;
546
547 typedef [public,enum8bit] enum {
548 /*
549 * The following entries tagged *reserved* have been
550 * named and allocated by Microsoft but apparently not
551 * implemented (MS-DTYP 2.4.4.1).
552 *
553 * The entries marked *unused* are more or less
554 * completely ignored by Samba.
555 */
556 SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
557 SEC_ACE_TYPE_ACCESS_DENIED = 1,
558 SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
559 SEC_ACE_TYPE_SYSTEM_ALARM = 3, /* reserved */
560 SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, /* reserved */
561 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
562 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
563 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
564 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8, /* reserved */
565 SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK = 9,
566 SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK = 10,
567 SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = 11,
568 SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT = 12,
569 SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK = 13,
570 SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK = 14, /* reserved */
571 SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = 15,
572 SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT = 16, /* reserved */
573 SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL = 17, /*unused */
574 SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE = 18,
575 SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID = 19 /* unused */
576 } security_ace_type;
577
578 typedef [bitmap32bit] bitmap {
579 SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
580 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
581 } security_ace_object_flags;
582
583 typedef [nodiscriminant] union {
584 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
585 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
586 [default];
587 } security_ace_object_type;
588
589 typedef [nodiscriminant] union {
590 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
591 * (of the parent container)
592 */
593 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
594 [default];
595 } security_ace_object_inherited_type;
596
597 typedef struct {
598 security_ace_object_flags flags;
599 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
600 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
601 } security_ace_object;
602
603
604
605 /*
606 * flags that might occur in
607 * CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1.flags.
608 *
609 * Not all of them do anything. Conditional ACEs also use some
610 * of these flags.
611 */
612 typedef [bitmap32bit] bitmap {
613 CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE = 1,
614 CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2,
615 CLAIM_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY = 4, /*reserved*/
616 CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT = 8,
617 CLAIM_SECURITY_ATTRIBUTE_DISABLED = 0x10, /*reserved*/
618 CLAIM_SECURITY_ATTRIBUTE_MANDATORY = 0x20,
619
620 /*
621 * These next two are curiously defined in [MS-DTYP] 2.4.10.1:
622 *
623 * > Flags: The upper two bytes of this DWORD are available for
624 * > application-specific data. The two lowest-order bits in the
625 * > lower of these two bytes are reserved. These two bytes
626 * > MAY contain only one of the following values in those two
627 * > bits:
628 * >
629 * > FCI_CLAIM_SECURITY_ATTRIBUTE_MANUAL 0x0001
630 * > FCI_CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED 0x0002
631 *
632 * That is saying these mutually exclusive flags have offset
633 * values that are measured from the middle of flags field. We
634 * instead measure from the start.
635 */
636 CLAIM_SECURITY_ATTRIBUTE_MANUAL = 1 << 16,
637 CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED = 1 << 17,
638
639 /*
640 * As the quote from [MS-DTYP] 2.4.10.1 above says,
641 * the upper 14 bits are for application-specific
642 * data. In Samba's case, we have one application
643 * specific flag to help us remember when we have
644 * sorted a claim and checked that it contains no
645 * duplicate values. We need to check this, and the
646 * check can be expensive, so it helps to remember.
647 * Having the values sorted is useful for comparisons
648 * in conditional ACEs.
649 *
650 * We can't just sort every claim_v1 we see, because
651 * resource attribute ACEs in SACLs contain them and
652 * are not meant to be evaluated prematurely (i.e. you
653 * can parse and reserialise a SACL even if it
654 * contains an ACE that would cause an error when used
655 * as a claim).
656 *
657 * In the case of string claims, evaluating uniqueness
658 * depends on the _CASE_SENSITIVE flag.
659 */
660 CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED = 1 << 30,
661 /*
662 * Conditional ACEs use some of the above flags in
663 * combination with an internal one defined in
664 * conditional_ace.idl.
665 * This next definition is warning us in case a clash
666 * develops (which seems very unlikely).
667 */
668 CLAIM_SECURITY_ATTRIBUTE_RESERVED_FOR_SAMBA = 1UL << 31
669 } claim_flags;
670
671 /*
672 * These claim types for v1 claims mirror those of on-the-wire
673 * PAC claims, but not conditional ace literal token types.
674 */
675 typedef [public] enum {
676 CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 = 0x0001,
677 CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 = 0x0002,
678 CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING = 0x0003,
679 CLAIM_SECURITY_ATTRIBUTE_TYPE_SID = 0x0005,
680 CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN = 0x0006,
681 CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING = 0x0010
682 } security_claim_value_type;
683
684 typedef [nodiscriminant,flag(NDR_NOALIGN)] union {
685 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64),relative] int64 *int_value;
686 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64),relative] hyper *uint_value;
687 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING),relative] nstring *string_value;
688 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_SID),relative] DATA_BLOB *sid_value;
689 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING),relative] DATA_BLOB *octet_value;
690 [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN),relative] hyper *uint_value;
691 } claim_values;
692
693 typedef [public,gensize] struct {
694 [relative] nstring *name;
695 uint16 value_type;
696 uint32 flags;
697 uint32 value_count;
698 [switch_is(value_type)] claim_values values[value_count];
699 } CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1;
700
701 typedef [public,nodiscriminant] union {
702 [default] security_ace_object object;
703 [case(false)];
704 } security_ace_object_ctr;
705
706 typedef [public,nodiscriminant,gensize] union {
707 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
708 [case(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
709 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
710 [case(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
711 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
712 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions;
713
714 [case(SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claim;
715 [default][flag(NDR_REMAINING)] DATA_BLOB ignored;
716 } security_ace_coda;
717
718 typedef [public,gensize,nosize] struct {
719 security_ace_type type; /* SEC_ACE_TYPE_* */
720 security_ace_flags flags; /* SEC_ACE_FLAG_* */
721 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
722 uint32 access_mask;
723 [switch_is(sec_ace_object(type))] security_ace_object_ctr object;
724 dom_sid trustee;
725 [switch_is(type), subcontext(0), subcontext_size(ndr_subcontext_size_of_ace_coda(r, size, ndr->flags))] security_ace_coda coda;
726 } security_ace;
727
728 typedef enum {
729 SECURITY_ACL_REVISION_NT4 = 2,
730 SECURITY_ACL_REVISION_ADS = 4
731 } security_acl_revision;
732
733 const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
734
735 typedef [public,gensize,nosize] struct {
736 security_acl_revision revision;
737 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
738 [range(0,2000)] uint32 num_aces;
739 security_ace aces[num_aces];
740 } security_acl;
741
742 /* default revision for new ACLs */
743 typedef [public,enum8bit] enum {
744 SECURITY_DESCRIPTOR_REVISION_1 = 1
745 } security_descriptor_revision;
746
747 const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
748
749 /* security_descriptor->type bits */
750 typedef [public,bitmap16bit] bitmap {
751 SEC_DESC_OWNER_DEFAULTED = 0x0001,
752 SEC_DESC_GROUP_DEFAULTED = 0x0002,
753 SEC_DESC_DACL_PRESENT = 0x0004,
754 SEC_DESC_DACL_DEFAULTED = 0x0008,
755 SEC_DESC_SACL_PRESENT = 0x0010,
756 SEC_DESC_SACL_DEFAULTED = 0x0020,
757 SEC_DESC_DACL_TRUSTED = 0x0040,
758 SEC_DESC_SERVER_SECURITY = 0x0080,
759 SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
760 SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
761 SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
762 SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
763 SEC_DESC_DACL_PROTECTED = 0x1000,
764 SEC_DESC_SACL_PROTECTED = 0x2000,
765 SEC_DESC_RM_CONTROL_VALID = 0x4000,
766 SEC_DESC_SELF_RELATIVE = 0x8000
767 } security_descriptor_type;
768
769 typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
770 security_descriptor_revision revision;
771 security_descriptor_type type; /* SEC_DESC_xxxx flags */
772 [relative] dom_sid *owner_sid;
773 [relative] dom_sid *group_sid;
774 [relative] security_acl *sacl; /* system ACL */
775 [relative] security_acl *dacl; /* user (discretionary) ACL */
776 } security_descriptor;
777
778 typedef [public] struct {
779 [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
780 [subcontext(4)] security_descriptor *sd;
781 } sec_desc_buf;
782
783 /* Group attributes, used to be samr_GroupAttrs */
784 typedef [public,bitmap32bit] bitmap {
785 SE_GROUP_MANDATORY = 0x00000001,
786 SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
787 SE_GROUP_ENABLED = 0x00000004,
788 SE_GROUP_OWNER = 0x00000008,
789 SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
790 SE_GROUP_INTEGRITY = 0x00000020,
791 SE_GROUP_INTEGRITY_ENABLED = 0x00000040,
792 SE_GROUP_RESOURCE = 0x20000000,
793 SE_GROUP_LOGON_ID = 0xC0000000
794 } security_GroupAttrs;
795
796 const uint32 SE_GROUP_DEFAULT_FLAGS =
797 SE_GROUP_MANDATORY |
798 SE_GROUP_ENABLED_BY_DEFAULT |
799 SE_GROUP_ENABLED;
800
801 /*
802 * Should claims be evaluated on this token?
803 *
804 * 0 is invalid to catch a zeroed token
805 */
806 typedef enum {
807 CLAIMS_EVALUATION_INVALID_STATE=0,
808 CLAIMS_EVALUATION_NEVER = 1,
809 CLAIMS_EVALUATION_ALWAYS = 2
810 } claims_evaluation_control;
811
812 /*
813 * This is linearised to pass authentication over the NP proxy
814 * from smbd to RPC servers, but is not in public network protocols
815 */
816 typedef [public] struct {
817 uint32 num_sids;
818 [size_is(num_sids)] dom_sid sids[*];
819 se_privilege privilege_mask;
820 lsa_SystemAccessModeFlags rights_mask;
821 uint32 num_local_claims;
822 uint32 num_user_claims;
823 uint32 num_device_claims;
824 uint32 num_device_sids;
825 [size_is(num_local_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 local_claims[*];
826 [size_is(num_user_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 user_claims[*];
827 [size_is(num_device_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 device_claims[*];
828 [size_is(num_device_sids)] dom_sid device_sids[*];
829
830 /*
831 * This allows us to disable claims evaluation on a
832 * per-token basis, allowing library code to remain
833 * distinct from configuration by passing this in as a
834 * flag here
835 */
836 claims_evaluation_control evaluate_claims;
837 } security_token;
838
839 typedef [public] struct {
840 security_token token;
841 security_descriptor sd;
842 uint32 access_desired;
843 } security_token_descriptor_fuzzing_pair;
844
845 /* This is not yet sent over the network, but is simply defined in IDL */
846 typedef [public] struct {
847 uid_t uid;
848 gid_t gid;
849 uint32 ngroups;
850 [size_is(ngroups)] gid_t groups[*];
851 } security_unix_token;
852
853 /* bits that determine which parts of a security descriptor
854 are being queried/set */
855 typedef [public,bitmap32bit] bitmap {
856 SECINFO_OWNER = 0x00000001,
857 SECINFO_GROUP = 0x00000002,
858 SECINFO_DACL = 0x00000004,
859 SECINFO_SACL = 0x00000008,
860 SECINFO_LABEL = 0x00000010,
861 SECINFO_ATTRIBUTE = 0x00000020,
862 SECINFO_SCOPE = 0x00000040,
863 SECINFO_BACKUP = 0x00010000,
864 SECINFO_UNPROTECTED_SACL = 0x10000000,
865 SECINFO_UNPROTECTED_DACL = 0x20000000,
866 SECINFO_PROTECTED_SACL = 0x40000000,
867 SECINFO_PROTECTED_DACL = 0x80000000
868 } security_secinfo;
869
870 /*
871 * a SMB server should only support the following flags
872 * and ignore all others.
873 *
874 * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
875 * and 2.2.39 SMB2 SET_INFO Request.
876 */
877 const int SMB_SUPPORTED_SECINFO_FLAGS = (
878 SECINFO_OWNER |
879 SECINFO_GROUP |
880 SECINFO_DACL |
881 SECINFO_SACL |
882 SECINFO_LABEL |
883 SECINFO_ATTRIBUTE |
884 SECINFO_SCOPE |
885 SECINFO_BACKUP |
886 0);
887
888 /*
889 * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY
890 */
891 typedef [public,gensize,flag(NDR_PAHEX)] struct {
892 uint32 Flags;
893 uint32 TokenIL;
894 uint8 MachineId[32];
895 } LSAP_TOKEN_INFO_INTEGRITY;
896
897 /*
898 * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
899 */
900 typedef [public,bitmap32bit] bitmap {
901 KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
902 KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
903 KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
904 KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
905 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
906 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020,
907 KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000,
908 KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
909 KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000,
910 KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000
911 } kerb_EncTypes;
912
913 typedef [public,bitmap32bit] bitmap {
914 SEC_DACL_AUTO_INHERIT = 0x00000001,
915 SEC_SACL_AUTO_INHERIT = 0x00000002,
916 SEC_DEFAULT_DESCRIPTOR = 0x00000004,
917 SEC_OWNER_FROM_PARENT = 0x00000008,
918 SEC_GROUP_FROM_PARENT = 0x00000010
919 } security_autoinherit;
920
921 /***************************************************************/
922 /* Extended right guids */
923
924 const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
925 const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
926 const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
927 const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
928 const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
929 const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
930 const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
931 const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
932 const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
933 const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
934 const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
935 const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
936 const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
937 const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
938 const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
939 const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
940 = "280f369c-67c7-438e-ae98-1d46f3c6f541";
941 const string GUID_DRS_UNEXPIRE_PASSWORD = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
942 const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
943 = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
944 const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2";
945 const string GUID_DRS_REANIMATE_TOMBSTONE = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
946 const string GUID_DRS_ALLOWED_TO_AUTHENTICATE = "68b1d179-0d15-4D4F-ab71-46152e79a7bc";
947
948 /***************************************************************/
949 /* validated writes guids */
950 const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
951 const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
952 const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
953 const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
954 const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
955
956 /* A type to describe the mapping of generic access rights to object
957 specific access rights. */
958
959 typedef struct {
960 uint32 generic_read;
961 uint32 generic_write;
962 uint32 generic_execute;
963 uint32 generic_all;
964 } generic_mapping;
965
966 typedef struct {
967 uint32 std_read;
968 uint32 std_write;
969 uint32 std_execute;
970 uint32 std_all;
971 } standard_mapping;
972 }
Samba GIT mirror