1 #include "idl_types.h"
2
3 /*
4   security IDL structures
5 */
6
7 import "misc.idl";
8
9 /*
10    use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11    just a dom sid, but with the sub_auths represented as a conformant
12    array. As with all in-structure conformant arrays, the array length
13    is placed before the start of the structure. That's what gives rise
14    to the extra num_auths element. We don't want the Samba code to
15    have to bother with such esoteric NDR details, so it's easier to just
16    define it as a dom_sid and use pidl magic to make it all work. It
17    just means you need to mark a sid as a "dom_sid2" in the IDL when you
18    know it is of the conformant array variety
19 */
20 cpp_quote("#define dom_sid2 dom_sid")
21
22 /* same struct as dom_sid but inside a 28-byte fixed buffer in NDR */
23 cpp_quote("#define dom_sid28 dom_sid")
24
25 /* same struct as dom_sid but in a variable-length byte buffer, which may be empty in NDR */
26 cpp_quote("#define dom_sid0 dom_sid")
27
28 [
29         /*
30          * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
31          */
32         uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
33         version(0.0),
34         pyhelper("librpc/ndr/py_security.c"),
35         pointer_default(unique)
36 ]
37 interface security
38 {
39
40         typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags; /* forward declaration; the bitmap body is defined further down in this interface */
41
42         typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
                   /*
                    * Security identifier (SID) in its in-memory form.
                    * nopull/nopush: the NDR marshallers for this type are
                    * hand-written elsewhere, so the attributes below describe
                    * the contract that code must enforce rather than code pidl
                    * generates -- verify the range check is applied there.
                    */
43                 uint8  sid_rev_num;             /**< SID revision number */
44                 [range(0,15)] int8  num_auths;  /**< Number of sub-authorities; int8 is signed, so the range also rejects negative counts before sub_auths is indexed */
45                 uint8  id_auth[6];              /**< Identifier Authority */
46                 uint32 sub_auths[15];           /**< Fixed storage; only the first num_auths entries are meaningful */
47         } dom_sid;
48         /*
49           access masks are divided up like this:
50                 0xabccdddd
51                 where 
52                    a = generic rights bits        SEC_GENERIC_
53                    b = flags                      SEC_FLAG_
54                    c = standard rights bits       SEC_STD_
55                    d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_
56                    
57           common combinations of bits are prefixed with SEC_RIGHTS_
58         */
59         const int SEC_MASK_GENERIC         = 0xF0000000; /* a: bits 28-31 */
60         const int SEC_MASK_FLAGS           = 0x0F000000; /* b: bits 24-27 */
61         const int SEC_MASK_STANDARD        = 0x00FF0000; /* c: bits 16-23 */
62         const int SEC_MASK_SPECIFIC        = 0x0000FFFF; /* d: bits 0-15, meaning depends on the object type */
63
64         /* generic bits */
           /*
            * Generic rights are placeholders; the SEC_RIGHTS_*_READ/WRITE/
            * EXECUTE/ALL and SEC_ADS_GENERIC_* constants below are the
            * per-object-type expansions this file defines for them.
            * SEC_GENERIC_READ (0x80000000) has the sign bit set, so an
            * access mask must be widened or compared as an unsigned 32-bit
            * value in C to avoid sign-extension surprises.
            */
65         const int SEC_GENERIC_ALL          = 0x10000000;
66         const int SEC_GENERIC_EXECUTE      = 0x20000000;
67         const int SEC_GENERIC_WRITE        = 0x40000000;
68         const int SEC_GENERIC_READ         = 0x80000000;
69
70         /* flag bits */
           /*
            * Only two of the four flag bits are assigned; the remaining
            * 0x0C000000 is covered by SEC_MASK_INVALID below.
            * SEC_FLAG_SYSTEM_SECURITY is presumably the SACL-access request
            * bit (it is part of SEC_RIGHTS_PRIV_BACKUP/RESTORE) and
            * SEC_FLAG_MAXIMUM_ALLOWED asks for whatever the ACL grants --
            * confirm both against the access-check code, which is not here.
            */
71         const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
72         const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
73
74         /* standard bits */
           /*
            * Standard rights are valid for every object type. By their
            * names, SEC_STD_WRITE_DAC and SEC_STD_WRITE_OWNER control who may
            * change the DACL and the owner, so granting either is close to
            * granting full control.
            */
75         const int SEC_STD_DELETE           = 0x00010000;
76         const int SEC_STD_READ_CONTROL     = 0x00020000;
77         const int SEC_STD_WRITE_DAC        = 0x00040000;
78         const int SEC_STD_WRITE_OWNER      = 0x00080000;
79         const int SEC_STD_SYNCHRONIZE      = 0x00100000;
80         const int SEC_STD_REQUIRED         = 0x000F0000; /* DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER */
81         const int SEC_STD_ALL              = 0x001F0000; /* SEC_STD_REQUIRED|SEC_STD_SYNCHRONIZE; 0x00E00000 stays unassigned */
82
83         /* file specific bits */
           /*
            * The low 16 bits are reused per object type: 0x00000001 is
            * SEC_FILE_READ_DATA on a file, SEC_DIR_LIST on a directory,
            * SEC_REG_QUERY_VALUE on a registry key and SEC_ADS_CREATE_CHILD
            * on a directory-service object. A specific-rights mask is
            * therefore meaningless without the object type it was issued
            * for, and must never be compared across types.
            */
84         const int SEC_FILE_READ_DATA       = 0x00000001;
85         const int SEC_FILE_WRITE_DATA      = 0x00000002;
86         const int SEC_FILE_APPEND_DATA     = 0x00000004;
87         const int SEC_FILE_READ_EA         = 0x00000008;
88         const int SEC_FILE_WRITE_EA        = 0x00000010;
89         const int SEC_FILE_EXECUTE         = 0x00000020;
90         const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
91         const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
92         const int SEC_FILE_ALL             = 0x000001ff; /* bits 0-8, including 0x40 which has no SEC_FILE_ name here (it is SEC_DIR_DELETE_CHILD) */
93
94         /* directory specific bits */
95         const int SEC_DIR_LIST             = 0x00000001;
96         const int SEC_DIR_ADD_FILE         = 0x00000002;
97         const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
98         const int SEC_DIR_READ_EA          = 0x00000008;
99         const int SEC_DIR_WRITE_EA         = 0x00000010;
100         const int SEC_DIR_TRAVERSE         = 0x00000020;
101         const int SEC_DIR_DELETE_CHILD     = 0x00000040;
102         const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
103         const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;
104
105         /* registry entry specific bits */
106         const int SEC_REG_QUERY_VALUE      = 0x00000001;
107         const int SEC_REG_SET_VALUE        = 0x00000002;
108         const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
109         const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
110         const int SEC_REG_NOTIFY           = 0x00000010;
111         const int SEC_REG_CREATE_LINK      = 0x00000020;
112
113         /* ldap specific access bits */
            /* SEC_ADS_CONTROL_ACCESS (0x100) is the highest specific bit assigned to any type in this file */
114         const int SEC_ADS_CREATE_CHILD     = 0x00000001;
115         const int SEC_ADS_DELETE_CHILD     = 0x00000002;
116         const int SEC_ADS_LIST             = 0x00000004;
117         const int SEC_ADS_SELF_WRITE       = 0x00000008;
118         const int SEC_ADS_READ_PROP        = 0x00000010;
119         const int SEC_ADS_WRITE_PROP       = 0x00000020;
120         const int SEC_ADS_DELETE_TREE      = 0x00000040;
121         const int SEC_ADS_LIST_OBJECT      = 0x00000080;
122         const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;
123
124         /* invalid bits */
            /*
             * Bits that no object type in this file assigns:
             *   0x0C000000  the two unassigned SEC_FLAG_ bits
             *   0x00E00000  standard bits above SEC_STD_ALL
             *   0x0000FE00  specific bits above SEC_FILE_ALL / SEC_ADS_CONTROL_ACCESS
             * The generic bits (0xF0000000) are not part of this mask.
             */
125         const int SEC_MASK_INVALID         = 0x0ce0fe00;
126
127         /* generic->specific mappings for files */
            /*
             * Expansions of SEC_GENERIC_READ/WRITE/EXECUTE/ALL for files.
             * Note that READ, WRITE and EXECUTE all carry SEC_STD_READ_CONTROL
             * and SEC_STD_SYNCHRONIZE, and SEC_RIGHTS_FILE_ALL resolves to
             * 0x001F01FF (SEC_STD_ALL | SEC_FILE_ALL).
             */
128         const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL | 
129                                             SEC_STD_SYNCHRONIZE | 
130                                             SEC_FILE_READ_DATA | 
131                                             SEC_FILE_READ_ATTRIBUTE | 
132                                             SEC_FILE_READ_EA;
133
134         const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL | 
135                                             SEC_STD_SYNCHRONIZE | 
136                                             SEC_FILE_WRITE_DATA | 
137                                             SEC_FILE_WRITE_ATTRIBUTE | 
138                                             SEC_FILE_WRITE_EA |
139                                             SEC_FILE_APPEND_DATA;
140         
141         const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | 
142                                             SEC_STD_READ_CONTROL | 
143                                             SEC_FILE_READ_ATTRIBUTE | 
144                                             SEC_FILE_EXECUTE;
145
146         const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;
147
148         /* generic->specific mappings for directories (same as files) */
            /* Pure aliases: the directory bits share values with the file bits, so the expansions are identical. */
149         const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
150         const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
151         const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
152         const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
153
154         /* rights granted by some specific privileges */
            /*
             * Access granted to a holder of SEC_PRIV_BACKUP / SEC_PRIV_RESTORE
             * independently of the object's DACL (presumably applied by the
             * access-check code when the token carries the privilege -- verify
             * there). BACKUP is read-only plus SACL access and traverse;
             * RESTORE carries WRITE_DAC, WRITE_OWNER and DELETE, so holders of
             * the restore privilege can rewrite any object's security
             * descriptor. Handing out these privileges is therefore equivalent
             * to granting these masks on every object.
             */
155         const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL |
156                                             SEC_FLAG_SYSTEM_SECURITY |
157                                             SEC_RIGHTS_FILE_READ |
158                                             SEC_DIR_TRAVERSE;
159
160         const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
161                                             SEC_STD_WRITE_OWNER |
162                                             SEC_FLAG_SYSTEM_SECURITY |
163                                             SEC_RIGHTS_FILE_WRITE |
164                                             SEC_DIR_ADD_FILE |
165                                             SEC_DIR_ADD_SUBDIR |
166                                             SEC_STD_DELETE;
167
168         /* combinations of standard masks. */
            /*
             * Windows-style STANDARD_RIGHTS_* names. MODIFY, EXECUTE and READ
             * are all just SEC_STD_READ_CONTROL; WRITE is the three
             * owner/DACL/delete bits (0x000D0000) and REQUIRED equals
             * SEC_STD_REQUIRED (0x000F0000).
             */
169         const int STANDARD_RIGHTS_ALL_ACCESS            = SEC_STD_ALL; /* 0x001f0000 */
170         const int STANDARD_RIGHTS_MODIFY_ACCESS         = SEC_STD_READ_CONTROL; /* 0x00020000 */
171         const int STANDARD_RIGHTS_EXECUTE_ACCESS        = SEC_STD_READ_CONTROL; /* 0x00020000 */
172         const int STANDARD_RIGHTS_READ_ACCESS           = SEC_STD_READ_CONTROL; /* 0x00020000 */
173         const int STANDARD_RIGHTS_WRITE_ACCESS =
174                 (SEC_STD_WRITE_OWNER            |
175                  SEC_STD_WRITE_DAC              |
176                  SEC_STD_DELETE);       /* 0x000d0000 */
177         const int STANDARD_RIGHTS_REQUIRED_ACCESS =
178                 (SEC_STD_DELETE                 |
179                  SEC_STD_READ_CONTROL           |
180                  SEC_STD_WRITE_DAC              |
181                  SEC_STD_WRITE_OWNER);  /* 0x000f0000 */
182
183         /* generic->specific mappings for Directory Service objects */
184         /* directory specific part of GENERIC_ALL */
            /*
             * SEC_ADS_GENERIC_ALL_DS is the part of GENERIC_ALL that is not
             * already covered by the READ/WRITE/EXECUTE expansions: DELETE,
             * WRITE_DAC, WRITE_OWNER, child creation/deletion, tree deletion
             * and CONTROL_ACCESS. An ACE that expands GENERIC_ALL therefore
             * grants the ability to rewrite the object's own DACL.
             */
185         const int SEC_ADS_GENERIC_ALL_DS =
186                 (SEC_STD_DELETE                 |
187                  SEC_STD_WRITE_DAC              |
188                  SEC_STD_WRITE_OWNER            |
189                  SEC_ADS_CREATE_CHILD           |
190                  SEC_ADS_DELETE_CHILD           |
191                  SEC_ADS_DELETE_TREE            |
192                  SEC_ADS_CONTROL_ACCESS);
193         const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
            /* All three of EXECUTE/WRITE/READ include SEC_STD_READ_CONTROL. */
194         const int SEC_ADS_GENERIC_WRITE   =
195                 (SEC_STD_READ_CONTROL           |
196                  SEC_ADS_SELF_WRITE             |
197                  SEC_ADS_WRITE_PROP);
198         const int SEC_ADS_GENERIC_READ    =
199                 (SEC_STD_READ_CONTROL           |
200                  SEC_ADS_LIST                   |
201                  SEC_ADS_READ_PROP              |
202                  SEC_ADS_LIST_OBJECT);
            /* Union of the three expansions above plus the DS-only part. */
203         const int SEC_ADS_GENERIC_ALL     =
204                 (SEC_ADS_GENERIC_EXECUTE        |
205                  SEC_ADS_GENERIC_WRITE          |
206                  SEC_ADS_GENERIC_READ           |
207                  SEC_ADS_GENERIC_ALL_DS);
208
209         /*
210          * Rights implicitly granted to a user who is an owner of the security
211          * descriptor being processed.
212          */
213         typedef enum {
                    /* Ownership implies READ_CONTROL only. */
214                 IMPLICIT_OWNER_READ_CONTROL_RIGHTS,
                    /*
                     * Ownership implies READ_CONTROL and WRITE_DAC, i.e. the
                     * owner can always rewrite the DACL. Which of the two modes
                     * applies is chosen by the access-check caller, not here.
                     * NOTE(review): an explicit SID_OWNER_RIGHTS (S-1-3-4) ACE
                     * presumably replaces these implicit rights -- confirm in
                     * the access-check implementation.
                     */
215                 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS
216         } implicit_owner_rights;
217
218         /***************************************************************/
219         /* WELL KNOWN SIDS */
220
221         /* a NULL sid */
222         const string SID_NULL = "S-1-0-0";
223
224         /* the world domain */
            /*
             * S-1-1-0 ("Everyone"). Whether this also covers SID_NT_ANONYMOUS
             * is decided by the token-construction code, not by this file.
             */
225         const string NAME_WORLD       = "WORLD";
226
227         const string SID_WORLD_DOMAIN = "S-1-1";
228         const string SID_WORLD        = "S-1-1-0";
229
230         /* SECURITY_CREATOR_SID_AUTHORITY */
            /*
             * S-1-3-x placeholders. CREATOR_OWNER/CREATOR_GROUP in an
             * inheritable ACE presumably stand for the owner/group of the
             * object that inherits it; SID_OWNER_RIGHTS names the current
             * owner explicitly (see implicit_owner_rights above). Verify the
             * substitution rules in the inheritance / access-check code.
             */
231         const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
232         const string SID_CREATOR_OWNER        = "S-1-3-0";
233         const string SID_CREATOR_GROUP        = "S-1-3-1";
234         const string SID_OWNER_RIGHTS         = "S-1-3-4";
235
236         /* SECURITY_NT_AUTHORITY */
            /*
             * Well-known S-1-5-x SIDs. S-1-5-1..4 and 14 describe how the
             * session was established (dial-up, network, batch, interactive,
             * remote interactive); S-1-5-7 is the unauthenticated ANONYMOUS
             * logon and S-1-5-11 covers every authenticated user, so ACLs
             * that intend "logged-in users" should use the latter, not
             * SID_WORLD. S-1-5-18..20 are the built-in service accounts and
             * the S-1-5-64-x values identify the authentication package that
             * produced the token (useful for ACLs that want to exclude, e.g.,
             * NTLM-authenticated sessions).
             */
237         const string NAME_NT_AUTHORITY            = "NT AUTHORITY";
238
239         const string SID_NT_AUTHORITY             = "S-1-5";
240         const string SID_NT_DIALUP                = "S-1-5-1";
241         const string SID_NT_NETWORK               = "S-1-5-2";
242         const string SID_NT_BATCH                 = "S-1-5-3";
243         const string SID_NT_INTERACTIVE           = "S-1-5-4";
244         const string SID_NT_SERVICE               = "S-1-5-6";
245         const string SID_NT_ANONYMOUS             = "S-1-5-7";
246         const string SID_NT_PROXY                 = "S-1-5-8";
247         const string SID_NT_ENTERPRISE_DCS        = "S-1-5-9";
248         const string SID_NT_SELF                  = "S-1-5-10"; /* "principal self" placeholder; its expansion is object-specific */
249         const string SID_NT_AUTHENTICATED_USERS   = "S-1-5-11";
250         const string SID_NT_RESTRICTED            = "S-1-5-12";
251         const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
252         const string SID_NT_REMOTE_INTERACTIVE    = "S-1-5-14";
253         const string SID_NT_THIS_ORGANISATION     = "S-1-5-15";
254         const string SID_NT_IUSR                  = "S-1-5-17";
255         const string SID_NT_SYSTEM                = "S-1-5-18"; /* LocalSystem */
256         const string SID_NT_LOCAL_SERVICE         = "S-1-5-19";
257         const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
258         const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
259         const string SID_NT_NTLM_AUTHENTICATION   = "S-1-5-64-10";
260         const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
261         const string SID_NT_OTHER_ORGANISATION    = "S-1-5-1000";
262
263         /* SECURITY_BUILTIN_DOMAIN_RID */
            /*
             * String forms of the BUILTIN (S-1-5-32) groups. The integer RIDs
             * live in the BUILTIN_RID_* list further down; keep the two lists
             * in step when adding a group. Membership in 544 (Administrators),
             * 548/549 (Account/Server Operators), 551 (Backup Operators) and
             * 550 (Print Operators) is commonly treated as administrative.
             */
264         const string NAME_BUILTIN                  = "BUILTIN";
265
266         const string SID_BUILTIN                   = "S-1-5-32";
267         const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
268         const string SID_BUILTIN_USERS             = "S-1-5-32-545";
269         const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
270         const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
271         const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
272         const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
273         const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
274         const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
275         const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
276         const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
277         const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
278         const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
279         const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
280         const string SID_BUILTIN_INCOMING_FOREST_TRUST  = "S-1-5-32-557";
281         const string SID_BUILTIN_PERFMON_USERS          = "S-1-5-32-558";
282         const string SID_BUILTIN_PERFLOG_USERS          = "S-1-5-32-559";
283         const string SID_BUILTIN_AUTH_ACCESS            = "S-1-5-32-560";
284         const string SID_BUILTIN_TS_LICENSE_SERVERS     = "S-1-5-32-561";
285         const string SID_BUILTIN_DISTRIBUTED_COM_USERS  = "S-1-5-32-562";
286         const string SID_BUILTIN_IUSERS         = "S-1-5-32-568";
287         const string SID_BUILTIN_CRYPTO_OPERATORS       = "S-1-5-32-569";
288         const string SID_BUILTIN_EVENT_LOG_READERS      = "S-1-5-32-573";
289         const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS  = "S-1-5-32-574";
290         const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS      = "S-1-5-32-575";
291         const string SID_BUILTIN_RDS_ENDPOINT_SERVERS   = "S-1-5-32-576";
292         const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
293         const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
294         const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS  = "S-1-5-32-579";
295         const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS        = "S-1-5-32-580";
296         const string SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP    = "S-1-5-32-581";
297         const string SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS = "S-1-5-32-582";
298
            /* S-1-5-33 is a sibling of BUILTIN (S-1-5-32), not a member of it. */
299         const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
300
301         /* UID/GID mapping Samba style */
            /*
             * Samba's own S-1-22 authority for representing POSIX ids as SIDs;
             * presumably the uid/gid is appended as the final sub-authority
             * (S-1-22-1-<uid>, S-1-22-2-<gid>) -- confirm with the idmap code.
             * These SIDs have no meaning to Windows and should not leak into
             * security descriptors sent to Windows clients.
             */
302         const string SID_SAMBA_UNIX_USER_OWNER          = "S-1-22-1";
303         const string SID_SAMBA_UNIX_GROUP_OWNER         = "S-1-22-2";
304
305         /* SECURITY_NT_SERVICE */
            /*
             * S-1-5-80 is the "NT SERVICE" authority under which per-service
             * SIDs are derived; the only concrete one defined here is
             * TrustedInstaller, which owns most of the Windows system files.
             */
306         const string NAME_NT_SERVICE            = "NT SERVICE";
307
308         const string SID_NT_NT_SERVICE          = "S-1-5-80";
309         const string SID_NT_TRUSTED_INSTALLER =
310                 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
311
312         /*
313          * This is added during the AS-REQ/AS-REP exchange after
314          * pre-authentication was successful.
             *
             * Together with SID_SERVICE_ASSERTED_IDENTITY below this lets an
             * ACL distinguish a principal that authenticated itself from one
             * whose identity was only asserted by a service (S4U2Self).
315          */
316         const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
317         /*
318          * This is added during S4U2Self PAC creation.
319          *
320          * It won't replace a possible
321          * SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
322          * during S4U2Proxy.
323          */
324         const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
325
            /*
             * Marker SIDs under the reserved S-1-5-21-0-0-0 "domain": they
             * flag a token/PAC built with compound authentication and one
             * whose claims are valid, respectively.
             */
326         const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
327         const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
328
329         const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
330
331         const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
332
            /*
             * Mandatory integrity levels (S-1-16-<level>). The RID is the
             * level: 0x1000 low, 0x2000 medium, 0x2100 medium-plus,
             * 0x3000 high, 0x4000 system, so levels compare numerically.
             */
333         const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
334         const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
335         const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
336         const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
337         const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
338
339         /*
340          * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
             *
             * SIDs used by the Windows NFS server to carry POSIX mode bits in
             * an ACL: one trustee each for user, group, mask and others. A
             * Samba server that wants to honour them has to translate the
             * mode bits itself; nothing in this file does so.
341          */
342         const string SID_NT_NFS_SUBSYSTEM         = "S-1-5-88";
343         const string SID_NT_NFS_USER              = "S-1-5-88-1";
344         const string SID_NT_NFS_GROUP             = "S-1-5-88-2";
345         const string SID_NT_NFS_MASK              = "S-1-5-88-3";
346         const string SID_NT_NFS_OTHERS            = "S-1-5-88-4";
347
348         /* well-known domain RIDs */
            /*
             * RIDs relative to a domain SID (S-1-5-21-x-y-z-<rid>). 500-502
             * are the well-known user accounts (Administrator, Guest, krbtgt);
             * the rest are groups. 512, 516, 518 and 519 (Domain Admins, DCs,
             * Schema Admins, Enterprise Admins) are the usual targets of
             * privilege checks, and 526/527 (Key Admins) can write key
             * credentials, which is equivalent for affected accounts.
             * 553 mirrors BUILTIN_RID_RAS_SERVERS.
             */
349         const int DOMAIN_RID_LOGON                   = 9;
350         const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
351         const int DOMAIN_RID_ADMINISTRATOR           = 500;
352         const int DOMAIN_RID_GUEST                   = 501;
353         const int DOMAIN_RID_KRBTGT                  = 502;
354         const int DOMAIN_RID_ADMINS                  = 512;
355         const int DOMAIN_RID_USERS                   = 513;
356         const int DOMAIN_RID_GUESTS                  = 514;
357         const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
358         const int DOMAIN_RID_DCS                     = 516;
359         const int DOMAIN_RID_CERT_ADMINS             = 517;
360         const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
361         const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
362         const int DOMAIN_RID_POLICY_ADMINS           = 520;
363         const int DOMAIN_RID_READONLY_DCS            = 521;
364         const int DOMAIN_RID_CLONEABLE_CONTROLLERS   = 522;
365         const int DOMAIN_RID_PROTECTED_USERS         = 525;
366         const int DOMAIN_RID_KEY_ADMINS              = 526;
367         const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS   = 527;
368         const int DOMAIN_RID_RAS_SERVERS             = 553;
369         const int DOMAIN_RID_RODC_ALLOW              = 571;
370         const int DOMAIN_RID_RODC_DENY               = 572;
371
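372         /* well-known builtin RIDs */
            /*
             * Integer RIDs of the BUILTIN (S-1-5-32) groups. This list must
             * match the SID_BUILTIN_* string constants above one for one;
             * 581 and 582 were present there but missing here and are added
             * at the end.
             */
373         const int BUILTIN_RID_ADMINISTRATORS            = 544;
374         const int BUILTIN_RID_USERS                     = 545;
375         const int BUILTIN_RID_GUESTS                    = 546;
376         const int BUILTIN_RID_POWER_USERS               = 547;
377         const int BUILTIN_RID_ACCOUNT_OPERATORS         = 548;
378         const int BUILTIN_RID_SERVER_OPERATORS          = 549;
379         const int BUILTIN_RID_PRINT_OPERATORS           = 550;
380         const int BUILTIN_RID_BACKUP_OPERATORS          = 551;
381         const int BUILTIN_RID_REPLICATOR                = 552;
382         const int BUILTIN_RID_RAS_SERVERS               = 553;
383         const int BUILTIN_RID_PRE_2K_ACCESS             = 554;
384         const int BUILTIN_RID_REMOTE_DESKTOP_USERS      = 555;
385         const int BUILTIN_RID_NETWORK_CONF_OPERATORS    = 556;
386         const int BUILTIN_RID_INCOMING_FOREST_TRUST     = 557;
387         const int BUILTIN_RID_PERFMON_USERS             = 558;
388         const int BUILTIN_RID_PERFLOG_USERS             = 559;
389         const int BUILTIN_RID_AUTH_ACCESS               = 560;
390         const int BUILTIN_RID_TS_LICENSE_SERVERS        = 561;
391         const int BUILTIN_RID_DISTRIBUTED_COM_USERS     = 562;
392         const int BUILTIN_RID_IUSERS                    = 568;
393         const int BUILTIN_RID_CRYPTO_OPERATORS          = 569;
394         const int BUILTIN_RID_EVENT_LOG_READERS         = 573;
395         const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS     = 574;
396         const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
397         const int BUILTIN_RID_RDS_ENDPOINT_SERVERS      = 576;
398         const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS    = 577;
399         const int BUILTIN_RID_HYPER_V_ADMINS    = 578;
400         const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS     = 579;
401         const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS   = 580;
            const int BUILTIN_RID_SYSTEM_MANAGED_ACCOUNTS_GRP    = 581; /* SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP */
            const int BUILTIN_RID_STORAGE_REPLICA_ADMINISTRATORS = 582; /* SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS */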
402
403 /********************************************************************
404  This is a list of privileges reported by a Windows 2008 R2 DC
405  just for reference purposes (and I know the LUID is not guaranteed
406  across reboots):
407
408 0x00000002          SeCreateTokenPrivilege "Create a token object"
409 0x00000003   SeAssignPrimaryTokenPrivilege "Replace a process level token"
410 0x00000004           SeLockMemoryPrivilege "Lock pages in memory"
411 0x00000005        SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
412 0x00000006       SeMachineAccountPrivilege "Add workstations to domain"
413 0x00000007                  SeTcbPrivilege "Act as part of the operating system"
414 0x00000008             SeSecurityPrivilege "Manage auditing and security log"
415 0x00000009        SeTakeOwnershipPrivilege "Take ownership of files or other objects"
416 0x0000000a           SeLoadDriverPrivilege "Load and unload device drivers"
417 0x0000000b        SeSystemProfilePrivilege "Profile system performance"
418 0x0000000c           SeSystemtimePrivilege "Change the system time"
419 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
420 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
421 0x0000000f       SeCreatePagefilePrivilege "Create a pagefile"
422 0x00000010      SeCreatePermanentPrivilege "Create permanent shared objects"
423 0x00000011               SeBackupPrivilege "Back up files and directories"
424 0x00000012              SeRestorePrivilege "Restore files and directories"
425 0x00000013             SeShutdownPrivilege "Shut down the system"
426 0x00000014                SeDebugPrivilege "Debug programs"
427 0x00000015                SeAuditPrivilege "Generate security audits"
428 0x00000016    SeSystemEnvironmentPrivilege "Modify firmware environment values"
429 0x00000017         SeChangeNotifyPrivilege "Bypass traverse checking"
430 0x00000018       SeRemoteShutdownPrivilege "Force shutdown from a remote system"
431 0x00000019               SeUndockPrivilege "Remove computer from docking station"
432 0x0000001a            SeSyncAgentPrivilege "Synchronize directory service data"
433 0x0000001b     SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
434 0x0000001c         SeManageVolumePrivilege "Perform volume maintenance tasks"
435 0x0000001d          SeImpersonatePrivilege "Impersonate a client after authentication"
436 0x0000001e         SeCreateGlobalPrivilege "Create global objects"
437 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
438 0x00000020              SeRelabelPrivilege "Modify an object label"
439 0x00000021   SeIncreaseWorkingSetPrivilege "Increase a process working set"
440 0x00000022             SeTimeZonePrivilege "Change the time zone"
441 0x00000023   SeCreateSymbolicLinkPrivilege "Create symbolic links"
442
443  ********************************************************************/
444
445         /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
446
447         /* we have to define the LUID here due to a horrible check by printmig.exe
448            that requires the SeBackupPrivilege match what is in Windows.  So match
449            those that we implement and start Samba privileges at 0x1001 */
450
            /*
             * The Windows values match the reference table above; not every
             * Windows privilege has a Samba counterpart (e.g. 0x7
             * SeTcbPrivilege and 0x1a SeSyncAgentPrivilege are absent).
             * Several of these are effectively administrator-equivalent
             * when honoured (BACKUP, RESTORE, TAKE_OWNERSHIP, DEBUG,
             * LOAD_DRIVER, IMPERSONATE, ENABLE_DELEGATION), so assignment of
             * them deserves the same scrutiny as group membership in
             * BUILTIN_RID_ADMINISTRATORS.
             */
451         typedef enum {
452                 SEC_PRIV_INVALID                   = 0x0, /* "no privilege"; must never be granted */
453                 SEC_PRIV_INCREASE_QUOTA            = 0x5,
454                 SEC_PRIV_MACHINE_ACCOUNT           = 0x6,
455                 SEC_PRIV_SECURITY                  = 0x8,
456                 SEC_PRIV_TAKE_OWNERSHIP            = 0x09,
457                 SEC_PRIV_LOAD_DRIVER               = 0x0a,
458                 SEC_PRIV_SYSTEM_PROFILE            = 0x0b,
459                 SEC_PRIV_SYSTEMTIME                = 0x0c,
460                 SEC_PRIV_PROFILE_SINGLE_PROCESS    = 0x0d,
461                 SEC_PRIV_INCREASE_BASE_PRIORITY    = 0x0e,
462                 SEC_PRIV_CREATE_PAGEFILE           = 0x0f,
463                 SEC_PRIV_BACKUP                    = 0x11, /* value checked by printmig.exe, see above */
464                 SEC_PRIV_RESTORE                   = 0x12,
465                 SEC_PRIV_SHUTDOWN                  = 0x13,
466                 SEC_PRIV_DEBUG                     = 0x14,
467                 SEC_PRIV_SYSTEM_ENVIRONMENT        = 0x16,
468                 SEC_PRIV_CHANGE_NOTIFY             = 0x17,
469                 SEC_PRIV_REMOTE_SHUTDOWN           = 0x18,
470                 SEC_PRIV_UNDOCK                    = 0x19,
471                 SEC_PRIV_ENABLE_DELEGATION         = 0x1b,
472                 SEC_PRIV_MANAGE_VOLUME             = 0x1c,
473                 SEC_PRIV_IMPERSONATE               = 0x1d,
474                 SEC_PRIV_CREATE_GLOBAL             = 0x1e,
475                 /* Samba-specific privs */
                    /* Deliberately above any Windows LUID so they never collide with a future Windows value. */
476                 SEC_PRIV_PRINT_OPERATOR            = 0x1001,
477                 SEC_PRIV_ADD_USERS                 = 0x1002,
478                 SEC_PRIV_DISK_OPERATOR             = 0x1003
479         } sec_privilege;
480
481
482         /* Bitmap of privilege values for internal use only.  We need
483          * our own bitmap here as privileges.tdb records these values
484          * as a bitmap (privileges.ldb uses the string forms).
             *
             * Because the bitmap is persisted on disk, the bit positions are
             * a stable storage format: never renumber an existing bit and
             * only ever append new ones. Bits 0x1-0x8 are unused and the
             * bitmap is 64-bit wide, so there is room for 35 more. Each bit
             * here corresponds to one sec_privilege value above.
485          */
486         typedef [bitmap64bit] bitmap {
487                 SEC_PRIV_MACHINE_ACCOUNT_BIT            = 0x00000010,
488
489                 /* Samba-specific privs */
490                 SEC_PRIV_PRINT_OPERATOR_BIT             = 0x00000020,
491                 SEC_PRIV_ADD_USERS_BIT                  = 0x00000040,
492                 SEC_PRIV_DISK_OPERATOR_BIT              = 0x00000080,
493
494                 SEC_PRIV_REMOTE_SHUTDOWN_BIT            = 0x00000100,
495                 SEC_PRIV_BACKUP_BIT                     = 0x00000200,
496                 SEC_PRIV_RESTORE_BIT                    = 0x00000400,
497                 SEC_PRIV_TAKE_OWNERSHIP_BIT             = 0x00000800,
498                 /* End of privileges implemented before merge to common code */
499
500                 SEC_PRIV_INCREASE_QUOTA_BIT               = 0x00001000,
501                 SEC_PRIV_SECURITY_BIT                     = 0x00002000,
502                 SEC_PRIV_LOAD_DRIVER_BIT                  = 0x00004000,
503                 SEC_PRIV_SYSTEM_PROFILE_BIT               = 0x00008000,
504                 SEC_PRIV_SYSTEMTIME_BIT                   = 0x00010000,
505                 SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT       = 0x00020000,
506                 SEC_PRIV_INCREASE_BASE_PRIORITY_BIT       = 0x00040000,
507                 SEC_PRIV_CREATE_PAGEFILE_BIT              = 0x00080000,
508                 SEC_PRIV_SHUTDOWN_BIT                     = 0x00100000,
509                 SEC_PRIV_DEBUG_BIT                        = 0x00200000,
510                 SEC_PRIV_SYSTEM_ENVIRONMENT_BIT           = 0x00400000,
511                 SEC_PRIV_CHANGE_NOTIFY_BIT                = 0x00800000,
512                 SEC_PRIV_UNDOCK_BIT                       = 0x01000000,
513                 SEC_PRIV_ENABLE_DELEGATION_BIT            = 0x02000000,
514                 SEC_PRIV_MANAGE_VOLUME_BIT                = 0x04000000,
515                 SEC_PRIV_IMPERSONATE_BIT                  = 0x08000000,
516                 SEC_PRIV_CREATE_GLOBAL_BIT                = 0x10000000
517         } se_privilege;
518
519         typedef [bitmap32bit] bitmap {
                    /*
                     * Logon-right flags (the "SystemAccess" a LSA account record
                     * carries). Each positive logon type has a DENY_* counterpart;
                     * whether a deny bit overrides the matching allow bit is
                     * decided by the consumer, not by this definition.
                     * Bit 0x8 is unassigned.
                     */
520                 LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
521                 LSA_POLICY_MODE_NETWORK                 = 0x00000002,
522                 LSA_POLICY_MODE_BATCH                   = 0x00000004,
523                 LSA_POLICY_MODE_SERVICE                 = 0x00000010,
524                 LSA_POLICY_MODE_PROXY                   = 0x00000020,
525                 LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
526                 LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
527                 LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
528                 LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
529                 LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
530                 LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
531                 LSA_POLICY_MODE_ALL                     = 0x00000FF7, /* every bit defined above, allow and deny alike */
532                 LSA_POLICY_MODE_ALL_NT4                 = 0x00000037  /* INTERACTIVE|NETWORK|BATCH|SERVICE|PROXY */
533         } lsa_SystemAccessModeFlags;
534
535         typedef [public,bitmap8bit] bitmap {
                    /*
                     * AceFlags byte of an ACE. 0x01-0x08 steer inheritance and
                     * 0x10 marks an ACE that was inherited rather than set
                     * directly; SEC_ACE_FLAG_VALID_INHERIT is the mask of the
                     * four inheritance bits. 0x40/0x80 are presumably only
                     * meaningful on SYSTEM_AUDIT/ALARM ACEs. Bit 0x20 is not
                     * assigned here.
                     */
536                 SEC_ACE_FLAG_OBJECT_INHERIT             = 0x01,
537                 SEC_ACE_FLAG_CONTAINER_INHERIT          = 0x02,
538                 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       = 0x04,
539                 SEC_ACE_FLAG_INHERIT_ONLY               = 0x08,
540                 SEC_ACE_FLAG_INHERITED_ACE              = 0x10,
541                 SEC_ACE_FLAG_VALID_INHERIT              = 0x0f,
542                 SEC_ACE_FLAG_SUCCESSFUL_ACCESS          = 0x40,
543                 SEC_ACE_FLAG_FAILED_ACCESS              = 0x80
544         } security_ace_flags;
545
546         typedef [public,enum8bit] enum {
                    /*
                     * AceType byte. Types 5-8 are the "object" variants that
                     * carry a security_ace_object (GUID-qualified) body; every
                     * other value selects the empty [default] arm of
                     * security_ace_object_ctr. NOTE(review): MS-DTYP assigns
                     * further ACE types above 8 (callback/conditional ACEs
                     * and the like) that are not enumerated here; as an 8-bit
                     * enum any such value will parse as a plain ACE with no
                     * extra body -- confirm that is the intended handling.
                     */
547                 SEC_ACE_TYPE_ACCESS_ALLOWED             = 0,
548                 SEC_ACE_TYPE_ACCESS_DENIED              = 1,
549                 SEC_ACE_TYPE_SYSTEM_AUDIT               = 2,
550                 SEC_ACE_TYPE_SYSTEM_ALARM               = 3,
551                 SEC_ACE_TYPE_ALLOWED_COMPOUND           = 4,
552                 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT      = 5,
553                 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT       = 6,
554                 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT        = 7,
555                 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT        = 8
556         } security_ace_type;
557
558         typedef [bitmap32bit] bitmap {
                    /* Each bit announces that the corresponding GUID follows in the object ACE body. */
559                 SEC_ACE_OBJECT_TYPE_PRESENT             = 0x00000001,
560                 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT   = 0x00000002
561         } security_ace_object_flags;
562
563         typedef [nodiscriminant] union {
                    /*
                     * nodiscriminant: nothing is read for the selector; the
                     * enclosing security_ace_object supplies it via switch_is
                     * from its flags, so the GUID is present only when
                     * SEC_ACE_OBJECT_TYPE_PRESENT is set and absent otherwise.
                     */
564                 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
565                 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
566                 [default];
567         } security_ace_object_type;
568
569         typedef [nodiscriminant] union {
                    /*
                     * Same shape as security_ace_object_type: the selector comes
                     * from the enclosing struct's flags, and the GUID is only
                     * on the wire when SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                     * is set.
                     */
570                 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
571                  * (of the parent container)
572                  */
573                 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
574                 [default];
575         } security_ace_object_inherited_type;
576
577         typedef struct {
                    /*
                     * Object-ACE body: a flags word followed by up to two GUIDs.
                     * Each GUID union is switched on its own presence bit, so
                     * the wire size of this struct depends on 'flags'.
                     */
578                 security_ace_object_flags flags; /**< SEC_ACE_*_PRESENT bits */
579                 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
580                 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
581         } security_ace_object;
582
583         typedef [public,nodiscriminant] union {
                    /*
                     * Selected by security_ace.type (switch_is(type) there).  The
                     * four *_OBJECT ACE types all map to the same security_ace_object
                     * member; every other type hits the empty default arm and
                     * carries no object data.
                     */
584                 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
585                 [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
586                 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
587                 [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
588                 [default];
589         } security_ace_object_ctr;
590
591         typedef [public,nopull,gensize,nosize] struct {
                    /*
                     * One access control entry.  'size' is never supplied by
                     * callers: the value() attribute recomputes it on push with
                     * ndr_size_security_ace().  nopull means no pull function is
                     * generated from this definition; the hand-written pull is
                     * where an incoming ACE's type, size and trustee are checked,
                     * so input validation has to be reviewed there, not here.
                     */
592                 security_ace_type type;  /* SEC_ACE_TYPE_* */
593                 security_ace_flags flags; /* SEC_ACE_FLAG_* */
594                 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; /**< total ACE length, computed on push */
595                 uint32 access_mask;       /**< SEC_* access rights granted/denied/audited */
596                 [switch_is(type)] security_ace_object_ctr object; /**< only populated for *_OBJECT types */
597                 dom_sid trustee;          /**< SID the ACE applies to */
598         } security_ace;
599
600         typedef enum {
                    /* ACL revision byte; NT4_ACL_REVISION below aliases the NT4 value. */
601                 SECURITY_ACL_REVISION_NT4       = 2,
602                 SECURITY_ACL_REVISION_ADS       = 4
603         } security_acl_revision;
604
605         const uint NT4_ACL_REVISION     = SECURITY_ACL_REVISION_NT4; /* convenience alias for the NT4 ACL revision */
606
607         typedef [public,gensize,nosize] struct {
                    /*
                     * An ACL: revision, total byte size (recomputed on push via
                     * ndr_size_security_acl()) and a conformant array of ACEs.
                     * range(0,2000) on num_aces makes the generated pull reject an
                     * incoming ACL that claims more than 2000 entries instead of
                     * sizing the array from an unbounded, attacker-chosen count.
                     */
608                 security_acl_revision revision;
609                 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
610                 [range(0,2000)] uint32 num_aces;   /**< bounded before aces[] is read */
611                 security_ace aces[num_aces];
612         } security_acl;
613
614         /* security descriptor revision; SD_REVISION below is the default for new descriptors */
615         typedef [public,enum8bit] enum {
616                 SECURITY_DESCRIPTOR_REVISION_1 = 1
617         } security_descriptor_revision;
618
619         const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1; /* revision stamped on newly built descriptors */
620
621         /* security_descriptor->type bits */
622         typedef [public,bitmap16bit] bitmap {
                    /*
                     * Control word of a security descriptor.  The *_PRESENT bits
                     * say whether a DACL/SACL is part of the descriptor at all;
                     * the *_PROTECTED bits stop inheritance from the parent, and
                     * the *_AUTO_INHERIT* bits drive inheritance propagation.
                     * NOTE(review): how a descriptor with SEC_DESC_DACL_PRESENT
                     * clear (as opposed to a present but empty DACL) is treated is
                     * decided by the access-check code, not by this definition.
                     */
623                 SEC_DESC_OWNER_DEFAULTED        = 0x0001,
624                 SEC_DESC_GROUP_DEFAULTED        = 0x0002,
625                 SEC_DESC_DACL_PRESENT           = 0x0004,
626                 SEC_DESC_DACL_DEFAULTED         = 0x0008,
627                 SEC_DESC_SACL_PRESENT           = 0x0010,
628                 SEC_DESC_SACL_DEFAULTED         = 0x0020,
629                 SEC_DESC_DACL_TRUSTED           = 0x0040,
630                 SEC_DESC_SERVER_SECURITY        = 0x0080,
631                 SEC_DESC_DACL_AUTO_INHERIT_REQ  = 0x0100,
632                 SEC_DESC_SACL_AUTO_INHERIT_REQ  = 0x0200,
633                 SEC_DESC_DACL_AUTO_INHERITED    = 0x0400,
634                 SEC_DESC_SACL_AUTO_INHERITED    = 0x0800,
635                 SEC_DESC_DACL_PROTECTED         = 0x1000,
636                 SEC_DESC_SACL_PROTECTED         = 0x2000,
637                 SEC_DESC_RM_CONTROL_VALID       = 0x4000,
638                 SEC_DESC_SELF_RELATIVE          = 0x8000  /**< offsets-based layout, as the [relative] pointers below use */
639         } security_descriptor_type;
640
641         typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
                    /*
                     * Self-relative security descriptor.  The four [relative]
                     * pointers are marshalled as offsets from the start of the
                     * structure rather than as NDR referents; a NULL pointer means
                     * that part is absent.  flag(NDR_LITTLE_ENDIAN) pins the byte
                     * order regardless of what the surrounding transport negotiated.
                     */
642                 security_descriptor_revision revision;
643                 security_descriptor_type type;     /* SEC_DESC_xxxx flags */
644                 [relative] dom_sid *owner_sid; /**< owner SID, may be NULL */
645                 [relative] dom_sid *group_sid; /**< primary group SID, may be NULL */
646                 [relative] security_acl *sacl; /* system ACL */
647                 [relative] security_acl *dacl; /* user (discretionary) ACL */
648         } security_descriptor;
649
650         typedef [public] struct {
                    /*
                     * A security descriptor carried as a length-prefixed blob.
                     * sd_size is recomputed on push; on pull, range(0,0x40000)
                     * rejects anything larger than 256 KiB before the descriptor
                     * is parsed.  subcontext(4) wraps sd in its own 4-byte-length
                     * sub-blob so it can be skipped or parsed independently.
                     */
651                 [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
652                 [subcontext(4)] security_descriptor *sd;
653         } sec_desc_buf;
654
655         /* Group attributes, used to be samr_GroupAttrs */
656         typedef [public,bitmap32bit] bitmap {
                    /*
                     * Per-group attribute bits of a token's group list.
                     * SE_GROUP_LOGON_ID covers two bits (0x40000000|0x80000000)
                     * and is a mask, not a single flag.
                     * NOTE(review): a group flagged SE_GROUP_USE_FOR_DENY_ONLY must
                     * only be able to deny, never grant, access — that rule lives
                     * in the access-check code, so confirm it is honoured there.
                     */
657                 SE_GROUP_MANDATORY              = 0x00000001,
658                 SE_GROUP_ENABLED_BY_DEFAULT     = 0x00000002,
659                 SE_GROUP_ENABLED                = 0x00000004,
660                 SE_GROUP_OWNER                  = 0x00000008,
661                 SE_GROUP_USE_FOR_DENY_ONLY      = 0x00000010,
662                 SE_GROUP_INTEGRITY              = 0x00000020,
663                 SE_GROUP_INTEGRITY_ENABLED      = 0x00000040,
664                 SE_GROUP_RESOURCE               = 0x20000000,
665                 SE_GROUP_LOGON_ID               = 0xC0000000  /**< two-bit mask */
666         } security_GroupAttrs;
667
668         /* This is not yet sent over the network, but is simply defined in IDL */
669         typedef [public] struct {
                    /*
                     * In-process representation of an authenticated identity:
                     * the SIDs it holds plus the privilege and system-access
                     * masks granted to it.  Defined here so it gets generated
                     * print/size helpers, not because it is marshalled.
                     */
670                 uint32 num_sids;
671                 [size_is(num_sids)] dom_sid sids[*];   /**< conformant; num_sids entries */
672                 se_privilege privilege_mask;
673                 lsa_SystemAccessModeFlags rights_mask;
674         } security_token;
675
676         /* This is not yet sent over the network, but is simply defined in IDL */
677         typedef [public] struct {
                    /*
                     * POSIX counterpart of security_token: uid, primary gid and
                     * the supplementary group list (ngroups entries).
                     */
678                 uid_t uid;
679                 gid_t gid;
680                 uint32 ngroups;
681                 [size_is(ngroups)] gid_t groups[*];   /**< supplementary groups */
682         } security_unix_token;
683
684         /* bits that determine which parts of a security descriptor
685            are being queried/set */
686         typedef [public,bitmap32bit] bitmap {
                    /*
                     * SECURITY_INFORMATION selector.  The low byte picks descriptor
                     * parts; the high bits are inheritance-protection and backup
                     * modifiers.  An SMB server honours only the subset listed in
                     * SMB_SUPPORTED_SECINFO_FLAGS below.
                     */
687                 SECINFO_OWNER                = 0x00000001,
688                 SECINFO_GROUP                = 0x00000002,
689                 SECINFO_DACL                 = 0x00000004,
690                 SECINFO_SACL                 = 0x00000008,
691                 SECINFO_LABEL                = 0x00000010,
692                 SECINFO_ATTRIBUTE            = 0x00000020,
693                 SECINFO_SCOPE                = 0x00000040,
694                 SECINFO_BACKUP               = 0x00010000,
695                 SECINFO_UNPROTECTED_SACL     = 0x10000000,
696                 SECINFO_UNPROTECTED_DACL     = 0x20000000,
697                 SECINFO_PROTECTED_SACL       = 0x40000000,
698                 SECINFO_PROTECTED_DACL       = 0x80000000
699         } security_secinfo;
700
701         /*
702          * a SMB server should only support the following flags
703          * and ignore all others.
704          *
705          * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
706          * and 2.2.39 SMB2 SET_INFO Request.
707          *
          * Unknown bits are to be masked off, not rejected, so a client
          * setting an unsupported bit gets the supported subset applied.
          * The trailing "| 0" keeps the list easy to extend.
707          */
708         const int SMB_SUPPORTED_SECINFO_FLAGS = (
709                 SECINFO_OWNER           |
710                 SECINFO_GROUP           |
711                 SECINFO_DACL            |
712                 SECINFO_SACL            |
713                 SECINFO_LABEL           |
714                 SECINFO_ATTRIBUTE       |
715                 SECINFO_SCOPE           |
716                 SECINFO_BACKUP          |
717                 0);
718
719         /*
720          * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY
          *
          * Fixed-size (40 byte) structure: two 32-bit words and a 32-byte
          * machine identifier.  flag(NDR_PAHEX) makes the generated print
          * function dump MachineId as hex instead of as characters.
721          */
722         typedef [public,gensize,flag(NDR_PAHEX)] struct {
723                 uint32 Flags;
724                 uint32 TokenIL;           /**< token integrity level per [MS-KILE] */
725                 uint8 MachineId[32];      /**< opaque 32-byte machine ID */
726         } LSAP_TOKEN_INFO_INTEGRITY;
727
728         /*
729          * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
          *
          * The low five bits name Kerberos encryption types; the 0x0001xxxx
          * bits are capability flags (FAST, compound identity, claims, resource
          * SID compression) that share the same field.
          * NOTE(review): the DES and RC4 entries are legacy ciphers; whether a
          * deployment advertises them is policy set elsewhere, this bitmap only
          * defines the wire encoding.
730          */
731         typedef [public,bitmap32bit] bitmap {
732                 KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
733                 KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
734                 KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
735                 KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
736                 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
737                 KERB_ENCTYPE_FAST_SUPPORTED          = 0x00010000,
738                 KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
739                 KERB_ENCTYPE_CLAIMS_SUPPORTED        = 0x00040000,
740                 KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000
741         } kerb_EncTypes;
742
743         typedef [public,bitmap32bit] bitmap {
                    /*
                     * Options for building a child descriptor from its parent:
                     * which ACL(s) to auto-inherit and whether owner/group/default
                     * descriptor come from the parent.  Not a wire format; which
                     * routine consumes these is not visible from this file.
                     */
744                 SEC_DACL_AUTO_INHERIT                = 0x00000001,
745                 SEC_SACL_AUTO_INHERIT                = 0x00000002,
746                 SEC_DEFAULT_DESCRIPTOR               = 0x00000004,
747                 SEC_OWNER_FROM_PARENT                = 0x00000008,
748                 SEC_GROUP_FROM_PARENT                = 0x00000010
749         } security_autoinherit;
750
751         /***************************************************************/
752         /* Extended right guids */
            /*
             * Control-access-right GUIDs as strings.  These are presumably what
             * gets compared against security_ace_object.type when an object ACE
             * is evaluated.  Note the hex case is not uniform
             * (GUID_DRS_ALLOWED_TO_AUTHENTICATE contains "4D4F"), so any check
             * should compare parsed GUID values, not raw strings.
             */
753
754         const string GUID_DRS_ALLOCATE_RIDS           = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
755         const string GUID_DRS_CHANGE_DOMAIN_MASTER    = "014bf69c-7b3b-11d1-85f6-08002be74fab";
756         const string GUID_DRS_CHANGE_INFR_MASTER      = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
757         const string GUID_DRS_CHANGE_PDC              = "bae50096-4752-11d1-9052-00c04fc2d4cf";
758         const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
759         const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
760         const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
761         const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
762         const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
763         const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
764         const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
765         const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
766         const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
767         const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b";
768         const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529";
769         const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
770                                                       = "280f369c-67c7-438e-ae98-1d46f3c6f541";
771         const string GUID_DRS_UNEXPIRE_PASSWORD       = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
772         const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
773                                                       = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
774         const string GUID_DRS_DS_INSTALL_REPLICA      = "9923a32a-3607-11d2-b9be-0000f87a36b2";
775         const string GUID_DRS_REANIMATE_TOMBSTONE     = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
776         const string GUID_DRS_ALLOWED_TO_AUTHENTICATE = "68b1d179-0d15-4D4F-ab71-46152e79a7bc"; /* mixed-case hex, see note above */
777
778         /***************************************************************/
779         /* validated writes guids */
            /*
             * Validated-write right GUIDs, as strings, in the same form as the
             * extended-right GUIDs above.  Lowercase hex throughout here.
             */
780         const string GUID_DRS_VALIDATE_SPN            = "f3a64788-5306-11d1-a9c5-0000f80367c1";
781         const string GUID_DRS_SELF_MEMBERSHIP         = "bf9679c0-0de6-11d0-a285-00aa003049e2";
782         const string GUID_DRS_DNS_HOST_NAME           = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
783         const string GUID_DRS_ADD_DNS_HOST_NAME       = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
784         const string GUID_DRS_BEHAVIOR_VERSION        = "d31a8757-2447-4545-8081-3bb610cacbf2";
785
786         /* A type to describe the mapping of generic access rights to object
787            specific access rights. */
788
789         typedef struct {
                    /*
                     * Each member is the object-specific access mask that the
                     * corresponding GENERIC_* bit expands to for one object type.
                     * Not a wire format.
                     */
790                 uint32 generic_read;    /**< expansion of GENERIC_READ */
791                 uint32 generic_write;   /**< expansion of GENERIC_WRITE */
792                 uint32 generic_execute; /**< expansion of GENERIC_EXECUTE */
793                 uint32 generic_all;     /**< expansion of GENERIC_ALL */
794         } generic_mapping;
795
796         typedef struct {
                    /*
                     * Companion to generic_mapping: presumably the object-specific
                     * masks that the standard read/write/execute/all rights map
                     * to.  Not a wire format; consumers are outside this file.
                     */
797                 uint32 std_read;
798                 uint32 std_write;
799                 uint32 std_execute;
800                 uint32 std_all;
801         } standard_mapping;
802 }