#include "idl_types.h" /* security IDL structures */ import "misc.idl"; /* use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really just a dom sid, but with the sub_auths represented as a conformant array. As with all in-structure conformant arrays, the array length is placed before the start of the structure. That's what gives rise to the extra num_auths element. We don't want the Samba code to have to bother with such esoteric NDR details, so its easier to just define it as a dom_sid and use pidl magic to make it all work. It just means you need to mark a sid as a "dom_sid2" in the IDL when you know it is of the conformant array variety */ cpp_quote("#define dom_sid2 dom_sid") /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ cpp_quote("#define dom_sid28 dom_sid") /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ cpp_quote("#define dom_sid0 dom_sid") [ /* * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy */ uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"), version(0.0), helper("../libcli/security/security.h"), pyhelper("librpc/ndr/py_security.c"), pointer_default(unique) ] interface security { typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags; typedef [public,gensize,noprint,nosize,nopull,nopush] struct { uint8 sid_rev_num; /**< SID revision number */ [range(0,15)] int8 num_auths; /**< Number of sub-authorities */ uint8 id_auth[6]; /**< Identifier Authority */ uint32 sub_auths[15]; } dom_sid; /* access masks are divided up like this: 0xabccdddd where a = generic rights bits SEC_GENERIC_ b = flags SEC_FLAG_ c = standard rights bits SEC_STD_ d = object type specific bits SEC_{FILE,DIR,REG,xxx}_ common combinations of bits are prefixed with SEC_RIGHTS_ */ const int SEC_MASK_GENERIC = 0xF0000000; const int SEC_MASK_FLAGS = 0x0F000000; const int SEC_MASK_STANDARD = 0x00FF0000; const int SEC_MASK_SPECIFIC = 0x0000FFFF; /* generic bits */ const int SEC_GENERIC_ALL = 0x10000000; const int SEC_GENERIC_EXECUTE = 0x20000000; const int SEC_GENERIC_WRITE = 0x40000000; const int SEC_GENERIC_READ = 0x80000000; /* flag bits */ const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000; const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000; /* standard bits */ const int SEC_STD_DELETE = 0x00010000; const int SEC_STD_READ_CONTROL = 0x00020000; const int SEC_STD_WRITE_DAC = 0x00040000; const int SEC_STD_WRITE_OWNER = 0x00080000; const int SEC_STD_SYNCHRONIZE = 0x00100000; const int SEC_STD_REQUIRED = 0x000F0000; const int SEC_STD_ALL = 0x001F0000; /* file specific bits */ const int SEC_FILE_READ_DATA = 0x00000001; const int SEC_FILE_WRITE_DATA = 0x00000002; const int SEC_FILE_APPEND_DATA = 0x00000004; const int SEC_FILE_READ_EA = 0x00000008; const int SEC_FILE_WRITE_EA = 0x00000010; const int SEC_FILE_EXECUTE = 0x00000020; const int SEC_FILE_READ_ATTRIBUTE = 0x00000080; const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100; const int SEC_FILE_ALL = 0x000001ff; /* directory specific bits */ const int SEC_DIR_LIST = 0x00000001; const int SEC_DIR_ADD_FILE = 0x00000002; const int SEC_DIR_ADD_SUBDIR = 0x00000004; const int SEC_DIR_READ_EA = 0x00000008; const int SEC_DIR_WRITE_EA = 0x00000010; const int SEC_DIR_TRAVERSE = 0x00000020; const int SEC_DIR_DELETE_CHILD = 0x00000040; const int SEC_DIR_READ_ATTRIBUTE = 0x00000080; const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100; /* registry entry specific bits */ const int SEC_REG_QUERY_VALUE = 0x00000001; const int SEC_REG_SET_VALUE = 0x00000002; const int SEC_REG_CREATE_SUBKEY = 0x00000004; const int SEC_REG_ENUM_SUBKEYS = 0x00000008; const int SEC_REG_NOTIFY = 0x00000010; const int SEC_REG_CREATE_LINK = 0x00000020; /* ldap specific access bits */ const int SEC_ADS_CREATE_CHILD = 0x00000001; const int SEC_ADS_DELETE_CHILD = 0x00000002; const int SEC_ADS_LIST = 0x00000004; const int SEC_ADS_SELF_WRITE = 0x00000008; const int SEC_ADS_READ_PROP = 0x00000010; const int SEC_ADS_WRITE_PROP = 0x00000020; const int SEC_ADS_DELETE_TREE = 0x00000040; const int SEC_ADS_LIST_OBJECT = 0x00000080; const int SEC_ADS_CONTROL_ACCESS = 0x00000100; /* invalid bits */ const int SEC_MASK_INVALID = 0x0ce0fe00; /* generic->specific mappings for files */ const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL | SEC_STD_SYNCHRONIZE | SEC_FILE_READ_DATA | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_READ_EA; const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL | SEC_STD_SYNCHRONIZE | SEC_FILE_WRITE_DATA | SEC_FILE_WRITE_ATTRIBUTE | SEC_FILE_WRITE_EA | SEC_FILE_APPEND_DATA; const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE; const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL; /* generic->specific mappings for directories (same as files) */ const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ; const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE; const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE; const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL; /* rights granted by some specific privileges */ const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL | SEC_FLAG_SYSTEM_SECURITY | SEC_RIGHTS_FILE_READ | SEC_DIR_TRAVERSE; const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER | SEC_FLAG_SYSTEM_SECURITY | SEC_RIGHTS_FILE_WRITE | SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR | SEC_STD_DELETE; /* combinations of standard masks. */ const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */ const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ const int STANDARD_RIGHTS_WRITE_ACCESS = (SEC_STD_WRITE_OWNER | SEC_STD_WRITE_DAC | SEC_STD_DELETE); /* 0x000d0000 */ const int STANDARD_RIGHTS_REQUIRED_ACCESS = (SEC_STD_DELETE | SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER); /* 0x000f0000 */ /* generic->specific mappings for Directory Service objects */ /* directory specific part of GENERIC_ALL */ const int SEC_ADS_GENERIC_ALL_DS = (SEC_STD_DELETE | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER | SEC_ADS_CREATE_CHILD | SEC_ADS_DELETE_CHILD | SEC_ADS_DELETE_TREE | SEC_ADS_CONTROL_ACCESS); const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST; const int SEC_ADS_GENERIC_WRITE = (SEC_STD_READ_CONTROL | SEC_ADS_SELF_WRITE | SEC_ADS_WRITE_PROP); const int SEC_ADS_GENERIC_READ = (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP | SEC_ADS_LIST_OBJECT); const int SEC_ADS_GENERIC_ALL = (SEC_ADS_GENERIC_EXECUTE | SEC_ADS_GENERIC_WRITE | SEC_ADS_GENERIC_READ | SEC_ADS_GENERIC_ALL_DS); /* * Rights implicitly granted to a user who is an owner of the security * descriptor being processed. */ typedef enum { IMPLICIT_OWNER_READ_CONTROL_RIGHTS, IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS } implicit_owner_rights; /***************************************************************/ /* WELL KNOWN SIDS */ /* a NULL sid */ const string SID_NULL = "S-1-0-0"; /* the world domain */ const string NAME_WORLD = "WORLD"; const string SID_WORLD_DOMAIN = "S-1-1"; const string SID_WORLD = "S-1-1-0"; /* SECURITY_CREATOR_SID_AUTHORITY */ const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; const string SID_CREATOR_OWNER = "S-1-3-0"; const string SID_CREATOR_GROUP = "S-1-3-1"; const string SID_OWNER_RIGHTS = "S-1-3-4"; /* SECURITY_NT_AUTHORITY */ const string NAME_NT_AUTHORITY = "NT AUTHORITY"; const string SID_NT_AUTHORITY = "S-1-5"; const string SID_NT_DIALUP = "S-1-5-1"; const string SID_NT_NETWORK = "S-1-5-2"; const string SID_NT_BATCH = "S-1-5-3"; const string SID_NT_INTERACTIVE = "S-1-5-4"; const string SID_NT_SERVICE = "S-1-5-6"; const string SID_NT_ANONYMOUS = "S-1-5-7"; const string SID_NT_PROXY = "S-1-5-8"; const string SID_NT_ENTERPRISE_DCS = "S-1-5-9"; const string SID_NT_SELF = "S-1-5-10"; const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11"; const string SID_NT_RESTRICTED = "S-1-5-12"; const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13"; const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14"; const string SID_NT_THIS_ORGANISATION = "S-1-5-15"; const string SID_NT_IUSR = "S-1-5-17"; const string SID_NT_SYSTEM = "S-1-5-18"; const string SID_NT_LOCAL_SERVICE = "S-1-5-19"; const string SID_NT_NETWORK_SERVICE = "S-1-5-20"; const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21"; const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10"; const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14"; const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000"; /* SECURITY_BUILTIN_DOMAIN_RID */ const string NAME_BUILTIN = "BUILTIN"; const string SID_BUILTIN = "S-1-5-32"; const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; const string SID_BUILTIN_USERS = "S-1-5-32-545"; const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553"; const string SID_BUILTIN_PREW2K = "S-1-5-32-554"; const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"; const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556"; const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557"; const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558"; const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559"; const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560"; const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561"; const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562"; const string SID_BUILTIN_IUSERS = "S-1-5-32-568"; const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569"; const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573"; const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574"; const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575"; const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576"; const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577"; const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578"; const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579"; const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580"; const string SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP = "S-1-5-32-581"; const string SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS = "S-1-5-32-582"; const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33"; /* UID/GID mapping Samba style */ const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1"; const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2"; /* SECURITY_NT_SERVICE */ const string NAME_NT_SERVICE = "NT SERVICE"; const string SID_NT_NT_SERVICE = "S-1-5-80"; const string SID_NT_TRUSTED_INSTALLER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"; /* * This is added during the AS-REQ/AS-REP exchange after * pre-authentication was successful. */ const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; /* * This is added during S4U2Self PAC creation. * * It won't replace a possible * SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY * during S4U2Proxy. */ const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496"; const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497"; const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0"; const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1"; const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096"; const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192"; const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448"; const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288"; const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384"; /* * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx */ const string SID_NT_NFS_SUBSYSTEM = "S-1-5-88"; const string SID_NT_NFS_USER = "S-1-5-88-1"; const string SID_NT_NFS_GROUP = "S-1-5-88-2"; const string SID_NT_NFS_MASK = "S-1-5-88-3"; const string SID_NT_NFS_OTHERS = "S-1-5-88-4"; /* well-known domain RIDs */ const int DOMAIN_RID_LOGON = 9; const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498; const int DOMAIN_RID_ADMINISTRATOR = 500; const int DOMAIN_RID_GUEST = 501; const int DOMAIN_RID_KRBTGT = 502; const int DOMAIN_RID_ADMINS = 512; const int DOMAIN_RID_USERS = 513; const int DOMAIN_RID_GUESTS = 514; const int DOMAIN_RID_DOMAIN_MEMBERS = 515; const int DOMAIN_RID_DCS = 516; const int DOMAIN_RID_CERT_ADMINS = 517; const int DOMAIN_RID_SCHEMA_ADMINS = 518; const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; const int DOMAIN_RID_POLICY_ADMINS = 520; const int DOMAIN_RID_READONLY_DCS = 521; const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522; const int DOMAIN_RID_PROTECTED_USERS = 525; const int DOMAIN_RID_KEY_ADMINS = 526; const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527; const int DOMAIN_RID_RAS_SERVERS = 553; const int DOMAIN_RID_RODC_ALLOW = 571; const int DOMAIN_RID_RODC_DENY = 572; /* well-known builtin RIDs */ const int BUILTIN_RID_ADMINISTRATORS = 544; const int BUILTIN_RID_USERS = 545; const int BUILTIN_RID_GUESTS = 546; const int BUILTIN_RID_POWER_USERS = 547; const int BUILTIN_RID_ACCOUNT_OPERATORS = 548; const int BUILTIN_RID_SERVER_OPERATORS = 549; const int BUILTIN_RID_PRINT_OPERATORS = 550; const int BUILTIN_RID_BACKUP_OPERATORS = 551; const int BUILTIN_RID_REPLICATOR = 552; const int BUILTIN_RID_RAS_SERVERS = 553; const int BUILTIN_RID_PRE_2K_ACCESS = 554; const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555; const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556; const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557; const int BUILTIN_RID_PERFMON_USERS = 558; const int BUILTIN_RID_PERFLOG_USERS = 559; const int BUILTIN_RID_AUTH_ACCESS = 560; const int BUILTIN_RID_TS_LICENSE_SERVERS = 561; const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562; const int BUILTIN_RID_IUSERS = 568; const int BUILTIN_RID_CRYPTO_OPERATORS = 569; const int BUILTIN_RID_EVENT_LOG_READERS = 573; const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574; const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575; const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576; const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577; const int BUILTIN_RID_HYPER_V_ADMINS = 578; const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579; const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580; /******************************************************************** This is a list of privileges reported by a WIndows 2008 R2 DC just for reference purposes (and I know the LUID is not guaranteed across reboots): 0x00000002 SeCreateTokenPrivilege "Create a token object" 0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token" 0x00000004 SeLockMemoryPrivilege "Lock pages in memory" 0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process" 0x00000006 SeMachineAccountPrivilege "Add workstations to domain" 0x00000007 SeTcbPrivilege "Act as part of the operating system" 0x00000008 SeSecurityPrivilege "Manage auditing and security log" 0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects" 0x0000000a SeLoadDriverPrivilege "Load and unload device drivers" 0x0000000b SeSystemProfilePrivilege "Profile system performance" 0x0000000c SeSystemtimePrivilege "Change the system time" 0x0000000d SeProfileSingleProcessPrivilege "Profile single process" 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority" 0x0000000f SeCreatePagefilePrivilege "Create a pagefile" 0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects" 0x00000011 SeBackupPrivilege "Back up files and directories" 0x00000012 SeRestorePrivilege "Restore files and directories" 0x00000013 SeShutdownPrivilege "Shut down the system" 0x00000014 SeDebugPrivilege "Debug programs" 0x00000015 SeAuditPrivilege "Generate security audits" 0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values" 0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking" 0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system" 0x00000019 SeUndockPrivilege "Remove computer from docking station" 0x0000001a SeSyncAgentPrivilege "Synchronize directory service data" 0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation" 0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks" 0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication" 0x0000001e SeCreateGlobalPrivilege "Create global objects" 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller" 0x00000020 SeRelabelPrivilege "Modify an object label" 0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set" 0x00000022 SeTimeZonePrivilege "Change the time zone" 0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links" ********************************************************************/ /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */ /* we have to define the LUID here due to a horrible check by printmig.exe that requires the SeBackupPrivilege match what is in Windows. So match those that we implement and start Samba privileges at 0x1001 */ typedef enum { SEC_PRIV_INVALID = 0x0, SEC_PRIV_INCREASE_QUOTA = 0x5, SEC_PRIV_MACHINE_ACCOUNT = 0x6, SEC_PRIV_SECURITY = 0x8, SEC_PRIV_TAKE_OWNERSHIP = 0x09, SEC_PRIV_LOAD_DRIVER = 0x0a, SEC_PRIV_SYSTEM_PROFILE = 0x0b, SEC_PRIV_SYSTEMTIME = 0x0c, SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d, SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e, SEC_PRIV_CREATE_PAGEFILE = 0x0f, SEC_PRIV_BACKUP = 0x11, SEC_PRIV_RESTORE = 0x12, SEC_PRIV_SHUTDOWN = 0x13, SEC_PRIV_DEBUG = 0x14, SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16, SEC_PRIV_CHANGE_NOTIFY = 0x17, SEC_PRIV_REMOTE_SHUTDOWN = 0x18, SEC_PRIV_UNDOCK = 0x19, SEC_PRIV_ENABLE_DELEGATION = 0x1b, SEC_PRIV_MANAGE_VOLUME = 0x1c, SEC_PRIV_IMPERSONATE = 0x1d, SEC_PRIV_CREATE_GLOBAL = 0x1e, /* Samba-specific privs */ SEC_PRIV_PRINT_OPERATOR = 0x1001, SEC_PRIV_ADD_USERS = 0x1002, SEC_PRIV_DISK_OPERATOR = 0x1003 } sec_privilege; /* Bitmap of privilege values for internal use only. We need * our own bitmap here as privileges.tdb records these values * as a bitmap (privileges.ldb uses the string forms). */ typedef [bitmap64bit] bitmap { SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010, /* Samba-specific privs */ SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020, SEC_PRIV_ADD_USERS_BIT = 0x00000040, SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080, SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100, SEC_PRIV_BACKUP_BIT = 0x00000200, SEC_PRIV_RESTORE_BIT = 0x00000400, SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800, /* End of privileges implemented before merge to common code */ SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000, SEC_PRIV_SECURITY_BIT = 0x00002000, SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000, SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000, SEC_PRIV_SYSTEMTIME_BIT = 0x00010000, SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000, SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000, SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000, SEC_PRIV_SHUTDOWN_BIT = 0x00100000, SEC_PRIV_DEBUG_BIT = 0x00200000, SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000, SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000, SEC_PRIV_UNDOCK_BIT = 0x01000000, SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000, SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000, SEC_PRIV_IMPERSONATE_BIT = 0x08000000, SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000 } se_privilege; typedef [bitmap32bit] bitmap { LSA_POLICY_MODE_INTERACTIVE = 0x00000001, LSA_POLICY_MODE_NETWORK = 0x00000002, LSA_POLICY_MODE_BATCH = 0x00000004, LSA_POLICY_MODE_SERVICE = 0x00000010, LSA_POLICY_MODE_PROXY = 0x00000020, LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040, LSA_POLICY_MODE_DENY_NETWORK = 0x00000080, LSA_POLICY_MODE_DENY_BATCH = 0x00000100, LSA_POLICY_MODE_DENY_SERVICE = 0x00000200, LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400, LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800, LSA_POLICY_MODE_ALL = 0x00000FF7, LSA_POLICY_MODE_ALL_NT4 = 0x00000037 } lsa_SystemAccessModeFlags; typedef [public,bitmap8bit] bitmap { SEC_ACE_FLAG_OBJECT_INHERIT = 0x01, SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04, SEC_ACE_FLAG_INHERIT_ONLY = 0x08, SEC_ACE_FLAG_INHERITED_ACE = 0x10, SEC_ACE_FLAG_VALID_INHERIT = 0x0f, SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40, SEC_ACE_FLAG_FAILED_ACCESS = 0x80 } security_ace_flags; typedef [public,enum8bit] enum { /* * The following entries tagged *reserved* have been * named and allocated by Microsoft but apparently not * implemented (MS-DTYP 2.4.4.1). * * The entries marked *unused* are more or less * completely ignored by Samba. */ SEC_ACE_TYPE_ACCESS_ALLOWED = 0, SEC_ACE_TYPE_ACCESS_DENIED = 1, SEC_ACE_TYPE_SYSTEM_AUDIT = 2, SEC_ACE_TYPE_SYSTEM_ALARM = 3, /* reserved */ SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, /* reserved */ SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5, SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6, SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7, SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8, /* reserved */ SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK = 9, SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK = 10, SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = 11, SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT = 12, SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK = 13, SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK = 14, /* reserved */ SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = 15, SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT = 16, /* reserved */ SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL = 17, /*unused */ SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE = 18, SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID = 19 /* unused */ } security_ace_type; typedef [bitmap32bit] bitmap { SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001, SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002 } security_ace_object_flags; typedef [nodiscriminant] union { /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */ [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type; [default]; } security_ace_object_type; typedef [nodiscriminant] union { /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context * (of the parent container) */ [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type; [default]; } security_ace_object_inherited_type; typedef struct { security_ace_object_flags flags; [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type; [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type; } security_ace_object; /* * flags that might occur in * CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1.flags. * * Not all of them do anything. Conditional ACEs also use some * of these flags. */ typedef [bitmap32bit] bitmap { CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE = 1, CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2, CLAIM_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY = 4, /*reserved*/ CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT = 8, CLAIM_SECURITY_ATTRIBUTE_DISABLED = 0x10, /*reserved*/ CLAIM_SECURITY_ATTRIBUTE_MANDATORY = 0x20, /* * These next two are curiously defined in [MS-DTYP] 2.4.10.1: * * > Flags: The upper two bytes of this DWORD are available for * > application-specific data. The two lowest-order bits in the * > lower of these two bytes are reserved. These two bytes * > MAY contain only one of the following values in those two * > bits: * > * > FCI_CLAIM_SECURITY_ATTRIBUTE_MANUAL 0x0001 * > FCI_CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED 0x0002 * * That is saying these mutually exclusive flags have offset * values that are measured from the middle of flags field. We * instead measure from the start. */ CLAIM_SECURITY_ATTRIBUTE_MANUAL = 1 << 16, CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED = 1 << 17, /* * As the quote from [MS-DTYP] 2.4.10.1 above says, * the upper 14 bits are for application-specific * data. In Samba's case, we have one application * specific flag to help us remember when we have * sorted a claim and checked that it contains no * duplicate values. We need to check this, and the * check can be expensive, so it helps to remember. * Having the values sorted is useful for comparisons * in conditional ACEs. * * We can't just sort every claim_v1 we see, because * resource attribute ACEs in SACLs contain them and * are not meant to be evaluated prematurely (i.e. you * can parse and reserialise a SACL even if it * contains an ACE that would cause an error when used * as a claim). * * In the case of string claims, evaluating uniqueness * depends on the _CASE_SENSITIVE flag. */ CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED = 1 << 30, /* * Conditional ACEs use some of the above flags in * combination with an internal one defined in * conditional_ace.idl. * This next definition is warning us in case a clash * develops (which seems very unlikely). */ CLAIM_SECURITY_ATTRIBUTE_RESERVED_FOR_SAMBA = 1UL << 31 } claim_flags; /* * These claim types for v1 claims mirror those of on-the-wire * PAC claims, but not conditional ace literal token types. */ typedef [public] enum { CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 = 0x0001, CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 = 0x0002, CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING = 0x0003, CLAIM_SECURITY_ATTRIBUTE_TYPE_SID = 0x0005, CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN = 0x0006, CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING = 0x0010 } security_claim_value_type; typedef [nodiscriminant,flag(NDR_NOALIGN)] union { [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64),relative] int64 *int_value; [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64),relative] hyper *uint_value; [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING),relative] nstring *string_value; [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_SID),relative] DATA_BLOB *sid_value; [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING),relative] DATA_BLOB *octet_value; [case(CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN),relative] hyper *uint_value; } claim_values; typedef [public,gensize] struct { [relative] nstring *name; uint16 value_type; uint32 flags; uint32 value_count; [switch_is(value_type)] claim_values values[value_count]; } CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1; typedef [public,nodiscriminant] union { [default] security_ace_object object; [case(false)]; } security_ace_object_ctr; typedef [public,nodiscriminant,gensize] union { [case(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions; [case(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions; [case(SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions; [case(SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions; [case(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK)] [flag(NDR_REMAINING)] DATA_BLOB conditions; [case(SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT)] [flag(NDR_REMAINING)] DATA_BLOB conditions; [case(SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claim; [default][flag(NDR_REMAINING)] DATA_BLOB ignored; } security_ace_coda; typedef [public,gensize,nosize,nopush,nopull] struct { security_ace_type type; /* SEC_ACE_TYPE_* */ security_ace_flags flags; /* SEC_ACE_FLAG_* */ [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; uint32 access_mask; [switch_is(sec_ace_object(type))] security_ace_object_ctr object; dom_sid trustee; [switch_is(type), subcontext(0), subcontext_size(ndr_subcontext_size_of_ace_coda(r, size, ndr->flags))] security_ace_coda coda; } security_ace; typedef enum { SECURITY_ACL_REVISION_NT4 = 2, SECURITY_ACL_REVISION_ADS = 4 } security_acl_revision; const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4; typedef [public,gensize,nosize] struct { security_acl_revision revision; [value(ndr_size_security_acl(r,ndr->flags))] uint16 size; [range(0,2000)] uint32 num_aces; security_ace aces[num_aces]; } security_acl; /* default revision for new ACLs */ typedef [public,enum8bit] enum { SECURITY_DESCRIPTOR_REVISION_1 = 1 } security_descriptor_revision; const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1; /* security_descriptor->type bits */ typedef [public,bitmap16bit] bitmap { SEC_DESC_OWNER_DEFAULTED = 0x0001, SEC_DESC_GROUP_DEFAULTED = 0x0002, SEC_DESC_DACL_PRESENT = 0x0004, SEC_DESC_DACL_DEFAULTED = 0x0008, SEC_DESC_SACL_PRESENT = 0x0010, SEC_DESC_SACL_DEFAULTED = 0x0020, SEC_DESC_DACL_TRUSTED = 0x0040, SEC_DESC_SERVER_SECURITY = 0x0080, SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100, SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200, SEC_DESC_DACL_AUTO_INHERITED = 0x0400, SEC_DESC_SACL_AUTO_INHERITED = 0x0800, SEC_DESC_DACL_PROTECTED = 0x1000, SEC_DESC_SACL_PROTECTED = 0x2000, SEC_DESC_RM_CONTROL_VALID = 0x4000, SEC_DESC_SELF_RELATIVE = 0x8000 } security_descriptor_type; typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct { security_descriptor_revision revision; security_descriptor_type type; /* SEC_DESC_xxxx flags */ [relative] dom_sid *owner_sid; [relative] dom_sid *group_sid; [relative] security_acl *sacl; /* system ACL */ [relative] security_acl *dacl; /* user (discretionary) ACL */ } security_descriptor; typedef [public] struct { [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; [subcontext(4)] security_descriptor *sd; } sec_desc_buf; /* Group attributes, used to be samr_GroupAttrs */ typedef [public,bitmap32bit] bitmap { SE_GROUP_MANDATORY = 0x00000001, SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002, SE_GROUP_ENABLED = 0x00000004, SE_GROUP_OWNER = 0x00000008, SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010, SE_GROUP_INTEGRITY = 0x00000020, SE_GROUP_INTEGRITY_ENABLED = 0x00000040, SE_GROUP_RESOURCE = 0x20000000, SE_GROUP_LOGON_ID = 0xC0000000 } security_GroupAttrs; const uint32 SE_GROUP_DEFAULT_FLAGS = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* * Should claims be evaluated on this token? * * 0 is invalid to catch a zeroed token */ typedef enum { CLAIMS_EVALUATION_INVALID_STATE=0, CLAIMS_EVALUATION_NEVER = 1, CLAIMS_EVALUATION_ALWAYS = 2 } claims_evaluation_control; /* * This is linearised to pass authentication over the NP proxy * from smbd to RPC servers, but is not in public network protocols */ typedef [public] struct { uint32 num_sids; [size_is(num_sids)] dom_sid sids[*]; se_privilege privilege_mask; lsa_SystemAccessModeFlags rights_mask; uint32 num_local_claims; uint32 num_user_claims; uint32 num_device_claims; uint32 num_device_sids; [size_is(num_local_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 local_claims[*]; [size_is(num_user_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 user_claims[*]; [size_is(num_device_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 device_claims[*]; [size_is(num_device_sids)] dom_sid device_sids[*]; /* * This allows us to disable claims evaluation on a * per-token basis, allowing library code to remain * distinct from configuration by passing this in as a * flag here */ claims_evaluation_control evaluate_claims; } security_token; typedef [public] struct { security_token token; security_descriptor sd; uint32 access_desired; } security_token_descriptor_fuzzing_pair; /* This is not yet sent over the network, but is simply defined in IDL */ typedef [public] struct { uid_t uid; gid_t gid; uint32 ngroups; [size_is(ngroups)] gid_t groups[*]; } security_unix_token; /* bits that determine which parts of a security descriptor are being queried/set */ typedef [public,bitmap32bit] bitmap { SECINFO_OWNER = 0x00000001, SECINFO_GROUP = 0x00000002, SECINFO_DACL = 0x00000004, SECINFO_SACL = 0x00000008, SECINFO_LABEL = 0x00000010, SECINFO_ATTRIBUTE = 0x00000020, SECINFO_SCOPE = 0x00000040, SECINFO_BACKUP = 0x00010000, SECINFO_UNPROTECTED_SACL = 0x10000000, SECINFO_UNPROTECTED_DACL = 0x20000000, SECINFO_PROTECTED_SACL = 0x40000000, SECINFO_PROTECTED_DACL = 0x80000000 } security_secinfo; /* * a SMB server should only support the following flags * and ignore all others. * * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request * and 2.2.39 SMB2 SET_INFO Request. */ const int SMB_SUPPORTED_SECINFO_FLAGS = ( SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL | SECINFO_LABEL | SECINFO_ATTRIBUTE | SECINFO_SCOPE | SECINFO_BACKUP | 0); /* * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY */ typedef [public,gensize,flag(NDR_PAHEX)] struct { uint32 Flags; uint32 TokenIL; uint8 MachineId[32]; } LSAP_TOKEN_INFO_INTEGRITY; /* * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags */ typedef [public,bitmap32bit] bitmap { KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010, KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020, KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000, KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000, KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000, KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000 } kerb_EncTypes; typedef [public,bitmap32bit] bitmap { SEC_DACL_AUTO_INHERIT = 0x00000001, SEC_SACL_AUTO_INHERIT = 0x00000002, SEC_DEFAULT_DESCRIPTOR = 0x00000004, SEC_OWNER_FROM_PARENT = 0x00000008, SEC_GROUP_FROM_PARENT = 0x00000010 } security_autoinherit; /***************************************************************/ /* Extended right guids */ const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab"; const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd"; const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf"; const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd"; const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2"; const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c"; const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96"; const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"; const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"; const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT = "280f369c-67c7-438e-ae98-1d46f3c6f541"; const string GUID_DRS_UNEXPIRE_PASSWORD = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501"; const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5"; const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"; const string GUID_DRS_REANIMATE_TOMBSTONE = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f"; const string GUID_DRS_ALLOWED_TO_AUTHENTICATE = "68b1d179-0d15-4D4F-ab71-46152e79a7bc"; /***************************************************************/ /* validated writes guids */ const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"; const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"; const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"; const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7"; const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2"; /* A type to describe the mapping of generic access rights to object specific access rights. */ typedef struct { uint32 generic_read; uint32 generic_write; uint32 generic_execute; uint32 generic_all; } generic_mapping; typedef struct { uint32 std_read; uint32 std_write; uint32 std_execute; uint32 std_all; } standard_mapping; }