X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=librpc%2Fidl%2Fsecurity.idl;h=369579cb7cf3c302997d74f311c181e5713821a5;hb=81240b13b365400e2da903a7fc0af1f501bc1249;hp=caad08e954440251f1f07813ba9a31ec17da4d6a;hpb=08259c1c52a9921de6fba08939130698b474f382;p=kai%2Fsamba-autobuild%2F.git
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index caad08e9544..369579cb7cf 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -144,6 +144,21 @@ interface security
 const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
 const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
 
+ /* rights granted by some specific privileges */
+ const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
+ SEC_FLAG_SYSTEM_SECURITY |
+ SEC_GENERIC_READ;
+ const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
+ | SEC_DIR_TRAVERSE;
+
+ const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER |
+ SEC_FLAG_SYSTEM_SECURITY |
+ SEC_STD_DELETE;
+ const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
+ SEC_DIR_ADD_FILE |
+ SEC_DIR_ADD_SUBDIR;
+
 /* combinations of standard masks. */
 const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
 const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
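Review bot: SEC_RIGHTS_PRIV_BACKUP mixes the generic bit SEC_GENERIC_READ with standard-rights and SACL-flag bits, so unlike the SEC_RIGHTS_FILE_*/SEC_RIGHTS_DIR_* masks just above it is not a fully mapped specific access mask; a bitwise comparison of a requested mask against it will never match on SEC_GENERIC_READ unless the caller has first run the generic bit through the object's generic mapping. If leaving it unmapped is deliberate so that the mapping happens at the point of use, the comment should say so. The header comment `/* rights granted by some specific privileges */` also does not name the privileges; I would write `/* rights implicitly granted to holders of SeBackupPrivilege (SEC_RIGHTS_PRIV_BACKUP) and SeRestorePrivilege (SEC_RIGHTS_PRIV_RESTORE) regardless of what the DACL grants; SEC_RIGHTS_PRIV_BACKUP still carries the generic SEC_GENERIC_READ bit and must be mapped before use in an access check */`, assuming those are the privileges the names refer to.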
@@ -159,6 +174,32 @@ interface security
 SEC_STD_WRITE_DAC |
 SEC_STD_WRITE_OWNER); /* 0x000f0000 */
 
+ /* generic->specific mappings for Directory Service objects */
+ /* directory specific part of GENERIC_ALL */
+ const int SEC_ADS_GENERIC_ALL_DS =
+ (SEC_STD_DELETE |
+ SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER |
+ SEC_ADS_CREATE_CHILD |
+ SEC_ADS_DELETE_CHILD |
+ SEC_ADS_DELETE_TREE |
+ SEC_ADS_CONTROL_ACCESS);
+ const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
+ const int SEC_ADS_GENERIC_WRITE =
+ (SEC_STD_READ_CONTROL |
+ SEC_ADS_SELF_WRITE |
+ SEC_ADS_WRITE_PROP);
+ const int SEC_ADS_GENERIC_READ =
+ (SEC_STD_READ_CONTROL |
+ SEC_ADS_LIST |
+ SEC_ADS_READ_PROP |
+ SEC_ADS_LIST_OBJECT);
+ const int SEC_ADS_GENERIC_ALL =
+ (SEC_ADS_GENERIC_EXECUTE |
+ SEC_ADS_GENERIC_WRITE |
+ SEC_ADS_GENERIC_READ |
+ SEC_ADS_GENERIC_ALL_DS);
+
 /***************************************************************/
 /* WELL KNOWN SIDS */
 
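Review bot: SEC_ADS_GENERIC_EXECUTE is written as a single unparenthesised line while its four sibling constants in this hunk use the parenthesised one-bit-per-line layout; for consistency I would write it as `const int SEC_ADS_GENERIC_EXECUTE =` / `(SEC_STD_READ_CONTROL |` / `SEC_ADS_LIST);`. SEC_ADS_GENERIC_WRITE also contains SEC_STD_READ_CONTROL, which a later reader may take for a copy-paste slip because a write mask is expected to hold only write bits; if this mirrors the directory service's own generic-write mapping, as I believe it does, a comment such as `/* READ_CONTROL is part of GENERIC_WRITE in the DS mapping; not a mistake */` would stop someone from "fixing" it and silently narrowing the mapped rights.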
@@ -219,19 +260,58 @@ interface security const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553"; const string SID_BUILTIN_PREW2K = "S-1-5-32-554"; + const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"; + const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556"; + const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557"; + const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558"; + const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559"; + const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560"; + const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561"; - /* well-known domain RIDs */ - const int DOMAIN_RID_LOGON = 9; - const int DOMAIN_RID_ADMINISTRATOR = 500; - const int DOMAIN_RID_GUEST = 501; - const int DOMAIN_RID_ADMINS = 512; - const int DOMAIN_RID_USERS = 513; - const int DOMAIN_RID_DOMAIN_MEMBERS = 515; - const int DOMAIN_RID_DCS = 516; - const int DOMAIN_RID_CERT_ADMINS = 517; - const int DOMAIN_RID_SCHEMA_ADMINS = 518; - const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; + /* SECURITY_NT_SERVICE */ + const string NAME_NT_SERVICE = "NT SERVICE"; + const string SID_NT_NT_SERVICE = "S-1-5-80"; + const string SID_NT_TRUSTED_INSTALLER = + "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"; + + /* well-known domain RIDs */ + const int DOMAIN_RID_LOGON = 9; + const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498; + const int DOMAIN_RID_ADMINISTRATOR = 500; + const int DOMAIN_RID_GUEST = 501; + const int DOMAIN_RID_KRBTGT = 502; + const int DOMAIN_RID_ADMINS = 512; + const int DOMAIN_RID_USERS = 513; + const int DOMAIN_RID_GUESTS = 514; + const int DOMAIN_RID_DOMAIN_MEMBERS = 515; + const int DOMAIN_RID_DCS = 516; + const int DOMAIN_RID_CERT_ADMINS = 517; + const int DOMAIN_RID_SCHEMA_ADMINS = 518; + const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; + const int DOMAIN_RID_POLICY_ADMINS = 520; + const int DOMAIN_RID_READONLY_DCS = 521; + const int DOMAIN_RID_RAS_SERVERS = 553; + + /* 
well-known builtin RIDs */ + const int BUILTIN_RID_ADMINISTRATORS = 544; + const int BUILTIN_RID_USERS = 545; + const int BUILTIN_RID_GUESTS = 546; + const int BUILTIN_RID_POWER_USERS = 547; + const int BUILTIN_RID_ACCOUNT_OPERATORS = 548; + const int BUILTIN_RID_SERVER_OPERATORS = 549; + const int BUILTIN_RID_PRINT_OPERATORS = 550; + const int BUILTIN_RID_BACKUP_OPERATORS = 551; + const int BUILTIN_RID_REPLICATOR = 552; + const int BUILTIN_RID_RAS_SERVERS = 553; + const int BUILTIN_RID_PRE_2K_ACCESS = 554; + const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555; + const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556; + const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557; + const int BUILTIN_RID_PERFMON_USERS = 558; + const int BUILTIN_RID_PERFLOG_USERS = 559; + const int BUILTIN_RID_AUTH_ACCESS = 560; + const int BUILTIN_RID_TS_LICENSE_SERVERS = 561; /* privilege IDs. Please keep the IDs below 64. If we get more @@ -261,7 +341,8 @@ interface security SEC_PRIV_ENABLE_DELEGATION = 21, SEC_PRIV_INTERACTIVE_LOGON = 22, SEC_PRIV_NETWORK_LOGON = 23, - SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24 + SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24, + SEC_PRIV_MACHINE_ACCOUNT = 25 } sec_privilege; @@ -324,7 +405,7 @@ interface security typedef [public,nopull,gensize,nosize] struct { security_ace_type type; /* SEC_ACE_TYPE_* */ security_ace_flags flags; /* SEC_ACE_FLAG_* */ - [value(ndr_size_security_ace(r,ndr->iconv_convenience,ndr->flags))] uint16 size; + [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; uint32 access_mask; [switch_is(type)] security_ace_object_ctr object; dom_sid trustee; 
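Review bot: The new builtin SIDs (SID_BUILTIN_REMOTE_DESKTOP_USERS through SID_BUILTIN_TS_LICENSE_SERVERS, "S-1-5-32-555" to "S-1-5-32-561") and the BUILTIN_RID_* integers 555 to 561 encode the same values twice with nothing tying the two tables together, so a future addition to one can silently drift from the other; a comment above the builtin RID table, `/* keep in sync with SID_BUILTIN_* above: BUILTIN_RID_x is the last sub-authority of SID_BUILTIN_x */`, makes that invariant visible. DOMAIN_RID_RAS_SERVERS and BUILTIN_RID_RAS_SERVERS are both 553 under different headings with no explanation; if both are intentional, a one-line comment saying which is meant for which SID prefix would help. The bare `/* SECURITY_NT_SERVICE */` comment should explain the block it introduces, e.g. `/* NT SERVICE authority (S-1-5-80); service SIDs such as SID_NT_TRUSTED_INSTALLER are sub-authorities of it */`.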
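Review bot: SEC_PRIV_MACHINE_ACCOUNT = 25 is added to sec_privilege without a comment saying which Windows privilege it stands for; I would write `SEC_PRIV_MACHINE_ACCOUNT = 25 /* SeMachineAccountPrivilege: add workstations to the domain */` so that reviewers of token or ACL dumps can tell what a holder of ID 25 is allowed to do. Because a holder can create computer accounts, any name-to-ID table or privilege-enumeration code elsewhere that mirrors this enum presumably needs the new entry as well, which this hunk cannot show. The sec_privilege enum starts outside the hunk.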
@@ -339,20 +420,20 @@ interface security
 
 typedef [public,gensize,nosize] struct {
 security_acl_revision revision;
- [value(ndr_size_security_acl(r,ndr->iconv_convenience,ndr->flags))] uint16 size;
+ [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
 [range(0,1000)] uint32 num_aces;
 security_ace aces[num_aces];
 } security_acl;
 
 /* default revision for new ACLs */
- typedef [enum8bit] enum {
+ typedef [public,enum8bit] enum {
 SECURITY_DESCRIPTOR_REVISION_1 = 1
 } security_descriptor_revision;
 
 const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
 
 /* security_descriptor->type bits */
- typedef [bitmap16bit] bitmap {
+ typedef [public,bitmap16bit] bitmap {
 SEC_DESC_OWNER_DEFAULTED = 0x0001,
 SEC_DESC_GROUP_DEFAULTED = 0x0002,
 SEC_DESC_DACL_PRESENT = 0x0004,
@@ -381,7 +462,7 @@ interface security
 } security_descriptor;
 
 typedef [public] struct {
- [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->iconv_convenience,ndr->flags))] uint32 sd_size;
+ [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
 [subcontext(4)] security_descriptor *sd;
 } sec_desc_buf;
 
@@ -414,4 +495,55 @@ interface security
 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
 } kerb_EncTypes;
 
+ typedef [public,bitmap32bit] bitmap {
+ SEC_DACL_AUTO_INHERIT = 0x00000001,
+ SEC_SACL_AUTO_INHERIT = 0x00000002,
+ SEC_DEFAULT_DESCRIPTOR = 0x00000004,
+ SEC_OWNER_FROM_PARENT = 0x00000008,
+ SEC_GROUP_FROM_PARENT = 0x00000010
+ } security_autoinherit;
+
+ /***************************************************************/
+ /* Extended right guids */
+
+ const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
+ const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
+ const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
+ const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
+ const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
+ const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
+ const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
+ const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
+ const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
+ const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
+ const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
+ const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
+ const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
+ const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
+ const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
+
+ /***************************************************************/
+ /* validated writes guids */
+ const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
+ const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
+ const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
+ const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
+ const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
+
+ /* A type to describe the mapping of generic access rights to object
+ specific access rights. */
+
+ typedef struct {
+ uint32 generic_read;
+ uint32 generic_write;
+ uint32 generic_execute;
+ uint32 generic_all;
+ } generic_mapping;
+
+ typedef struct {
+ uint32 std_read;
+ uint32 std_write;
+ uint32 std_execute;
+ uint32 std_all;
+ } standard_mapping;
 }
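Review bot: GUID_DRS_REPL_SYNCRONIZE misspells "synchronize"; since the constant is introduced by this commit, renaming it now to `GUID_DRS_REPL_SYNCHRONIZE` avoids carrying the typo into every future caller. The extended-right GUIDs are bare values, and several of them name high-impact control-access rights (GUID_DRS_GET_ALL_CHANGES is the DS-Replication-Get-Changes-All right, for example), so a per-line comment giving each right's display name would let someone reading an ACL dump or audit record recognise what was granted. `standard_mapping` has no comment although the two-line comment above documents only `generic_mapping`; I would add `/* the STANDARD_RIGHTS_* masks that each generic right maps to for one object type */` above it, if that is indeed its role, and consider marking both structs `[public]` like the other typedefs in this file if they are meant to be visible to generated code. The enclosing interface block closes with the final `}` of this hunk.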