s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change
[kai/samba-autobuild/.git] / librpc / idl / security.idl
index 3f70e2c36e5919d977643d660b2e21bbaadee651..369579cb7cf3c302997d74f311c181e5713821a5 100644 (file)
@@ -5,14 +5,39 @@
 */
 
 import "misc.idl";
-import "dom_sid.idl";
+
+/*
+   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
+   just a dom sid, but with the sub_auths represented as a conformant
+   array. As with all in-structure conformant arrays, the array length
+   is placed before the start of the structure. That's what gives rise
+   to the extra num_auths elemenent. We don't want the Samba code to
+   have to bother with such esoteric NDR details, so its easier to just
+   define it as a dom_sid and use pidl magic to make it all work. It
+   just means you need to mark a sid as a "dom_sid2" in the IDL when you
+   know it is of the conformant array variety
+*/
+cpp_quote("#define dom_sid2 dom_sid")
+
+/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
+cpp_quote("#define dom_sid28 dom_sid")
+
+/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
+cpp_quote("#define dom_sid0 dom_sid")
 
 [
-       helper("librpc/gen_ndr/ndr_dom_sid.h"),
+       pyhelper("librpc/ndr/py_security.c"),
        pointer_default(unique)
 ]
 interface security
 {
+
+       typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
+               uint8  sid_rev_num;             /**< SID revision number */
+               [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
+               uint8  id_auth[6];              /**< Identifier Authority */
+               uint32 sub_auths[15];
+       } dom_sid;
        /*
          access masks are divided up like this:
                 0xabccdddd
@@ -119,6 +144,21 @@ interface security
        const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
        const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
 
+       /* rights granted by some specific privileges */
+       const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL | 
+                                           SEC_FLAG_SYSTEM_SECURITY |
+                                           SEC_GENERIC_READ;
+       const int SEC_RIGHTS_DIR_PRIV_BACKUP  = SEC_RIGHTS_PRIV_BACKUP 
+                                             | SEC_DIR_TRAVERSE;
+
+       const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | 
+                                           SEC_STD_WRITE_OWNER |
+                                           SEC_FLAG_SYSTEM_SECURITY |
+                                           SEC_STD_DELETE;
+       const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE | 
+                                           SEC_DIR_ADD_FILE |
+                                           SEC_DIR_ADD_SUBDIR;
+
        /* combinations of standard masks. */
        const int STANDARD_RIGHTS_ALL_ACCESS            = SEC_STD_ALL; /* 0x001f0000 */
        const int STANDARD_RIGHTS_MODIFY_ACCESS         = SEC_STD_READ_CONTROL; /* 0x00020000 */
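Review bot: The four new SEC_RIGHTS_*PRIV_* definitions carry trailing whitespace after the `|` at line end, and SEC_RIGHTS_DIR_PRIV_BACKUP alone places the `|` at the start of its continuation line while its three siblings put it at the end; the definitions would read consistently as `const int SEC_RIGHTS_DIR_PRIV_BACKUP  = SEC_RIGHTS_PRIV_BACKUP |` followed by `SEC_DIR_TRAVERSE;`. SEC_RIGHTS_PRIV_BACKUP also mixes a generic bit (SEC_GENERIC_READ) with standard and flag bits, so a consumer that compares it against an object's specific access mask presumably has to apply the generic mapping first; if that is intended, a one-line comment saying the mask is pre-mapping would save the next reader from guessing.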
@@ -134,6 +174,32 @@ interface security
                 SEC_STD_WRITE_DAC              |
                 SEC_STD_WRITE_OWNER);  /* 0x000f0000 */
 
+       /* generic->specific mappings for Directory Service objects */
+       /* directory specific part of GENERIC_ALL */
+       const int SEC_ADS_GENERIC_ALL_DS =
+               (SEC_STD_DELETE                 |
+                SEC_STD_WRITE_DAC              |
+                SEC_STD_WRITE_OWNER            |
+                SEC_ADS_CREATE_CHILD           |
+                SEC_ADS_DELETE_CHILD           |
+                SEC_ADS_DELETE_TREE            |
+                SEC_ADS_CONTROL_ACCESS);
+       const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
+       const int SEC_ADS_GENERIC_WRITE   =
+               (SEC_STD_READ_CONTROL           |
+                SEC_ADS_SELF_WRITE             |
+                SEC_ADS_WRITE_PROP);
+       const int SEC_ADS_GENERIC_READ    =
+               (SEC_STD_READ_CONTROL           |
+                SEC_ADS_LIST                   |
+                SEC_ADS_READ_PROP              |
+                SEC_ADS_LIST_OBJECT);
+       const int SEC_ADS_GENERIC_ALL     =
+               (SEC_ADS_GENERIC_EXECUTE        |
+                SEC_ADS_GENERIC_WRITE          |
+                SEC_ADS_GENERIC_READ           |
+                SEC_ADS_GENERIC_ALL_DS);
+
        /***************************************************************/
        /* WELL KNOWN SIDS */
 
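Review bot: The four SEC_ADS_GENERIC_READ/WRITE/EXECUTE/ALL constants look like the directory-service generic-to-specific mapping, with SEC_ADS_GENERIC_ALL_DS only an intermediate used to build SEC_ADS_GENERIC_ALL, but the hunk's comments do not say which of the five are meant to be consumed directly. Suggest replacing the two-line header comment with one that states the contract, e.g. `/* generic->specific mapping for Directory Service objects: the four SEC_ADS_GENERIC_{READ,WRITE,EXECUTE,ALL} values are the mapping entries; SEC_ADS_GENERIC_ALL_DS is the DS-only part folded into SEC_ADS_GENERIC_ALL */`. Whether SEC_ADS_GENERIC_WRITE is intended to omit SEC_STD_WRITE_DAC while SEC_ADS_GENERIC_ALL_DS includes it is not visible here and is worth confirming against the reference these values were taken from.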
@@ -194,19 +260,58 @@ interface security
        const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
        const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
        const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
+       const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
+       const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
+       const string SID_BUILTIN_INCOMING_FOREST_TRUST  = "S-1-5-32-557";
+       const string SID_BUILTIN_PERFMON_USERS          = "S-1-5-32-558";
+       const string SID_BUILTIN_PERFLOG_USERS          = "S-1-5-32-559";
+       const string SID_BUILTIN_AUTH_ACCESS            = "S-1-5-32-560";
+       const string SID_BUILTIN_TS_LICENSE_SERVERS     = "S-1-5-32-561";
 
-       /* well-known domain RIDs */
-       const int DOMAIN_RID_LOGON                 = 9;
-       const int DOMAIN_RID_ADMINISTRATOR         = 500;
-       const int DOMAIN_RID_GUEST                 = 501;
-       const int DOMAIN_RID_ADMINS                = 512;
-       const int DOMAIN_RID_USERS                 = 513;
-       const int DOMAIN_RID_DOMAIN_MEMBERS        = 515;
-       const int DOMAIN_RID_DCS                   = 516;
-       const int DOMAIN_RID_CERT_ADMINS           = 517;
-       const int DOMAIN_RID_SCHEMA_ADMINS         = 518;
-       const int DOMAIN_RID_ENTERPRISE_ADMINS     = 519;
+       /* SECURITY_NT_SERVICE */
+       const string NAME_NT_SERVICE            = "NT SERVICE";
 
+       const string SID_NT_NT_SERVICE          = "S-1-5-80";
+       const string SID_NT_TRUSTED_INSTALLER =
+               "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
+
+       /* well-known domain RIDs */
+       const int DOMAIN_RID_LOGON                   = 9;
+       const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
+       const int DOMAIN_RID_ADMINISTRATOR           = 500;
+       const int DOMAIN_RID_GUEST                   = 501;
+       const int DOMAIN_RID_KRBTGT                  = 502;
+       const int DOMAIN_RID_ADMINS                  = 512;
+       const int DOMAIN_RID_USERS                   = 513;
+       const int DOMAIN_RID_GUESTS                  = 514;
+       const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
+       const int DOMAIN_RID_DCS                     = 516;
+       const int DOMAIN_RID_CERT_ADMINS             = 517;
+       const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
+       const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
+       const int DOMAIN_RID_POLICY_ADMINS           = 520;
+       const int DOMAIN_RID_READONLY_DCS            = 521;
+       const int DOMAIN_RID_RAS_SERVERS             = 553;
+
+       /* well-known builtin RIDs */
+       const int BUILTIN_RID_ADMINISTRATORS            = 544;
+       const int BUILTIN_RID_USERS                     = 545;
+       const int BUILTIN_RID_GUESTS                    = 546;
+       const int BUILTIN_RID_POWER_USERS               = 547;
+       const int BUILTIN_RID_ACCOUNT_OPERATORS         = 548;
+       const int BUILTIN_RID_SERVER_OPERATORS          = 549;
+       const int BUILTIN_RID_PRINT_OPERATORS           = 550;
+       const int BUILTIN_RID_BACKUP_OPERATORS          = 551;
+       const int BUILTIN_RID_REPLICATOR                = 552;
+       const int BUILTIN_RID_RAS_SERVERS               = 553;
+       const int BUILTIN_RID_PRE_2K_ACCESS             = 554;
+       const int BUILTIN_RID_REMOTE_DESKTOP_USERS      = 555;
+       const int BUILTIN_RID_NETWORK_CONF_OPERATORS    = 556;
+       const int BUILTIN_RID_INCOMING_FOREST_TRUST     = 557;
+       const int BUILTIN_RID_PERFMON_USERS             = 558;
+       const int BUILTIN_RID_PERFLOG_USERS             = 559;
+       const int BUILTIN_RID_AUTH_ACCESS               = 560;
+       const int BUILTIN_RID_TS_LICENSE_SERVERS        = 561;
 
        /*
          privilege IDs. Please keep the IDs below 64. If we get more
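Review bot: DOMAIN_RID_RAS_SERVERS = 553 is listed under "well-known domain RIDs", but 553 is the same value the hunk defines as BUILTIN_RID_RAS_SERVERS and that SID_BUILTIN_RAS_SERVERS ("S-1-5-32-553") already encodes, i.e. a BUILTIN alias RID rather than a domain-relative one; a SID built from a domain SID plus RID 553 is not a well-known principal, so a caller using this constant with a domain SID would silently match nothing. Unless some caller visible elsewhere depends on the domain-scoped name, consider dropping that line or annotating it as `const int DOMAIN_RID_RAS_SERVERS             = 553; /* BUILTIN alias RID, not a domain RID */`. The "SECURITY_NT_SERVICE" block is also placed between the BUILTIN SID strings and the domain RIDs, splitting the SID strings from the RID tables; moving it after the BUILTIN RIDs would keep the two groups contiguous.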
@@ -236,7 +341,8 @@ interface security
                SEC_PRIV_ENABLE_DELEGATION         = 21,
                SEC_PRIV_INTERACTIVE_LOGON         = 22,
                SEC_PRIV_NETWORK_LOGON             = 23,
-               SEC_PRIV_REMOTE_INTERACTIVE_LOGON  = 24
+               SEC_PRIV_REMOTE_INTERACTIVE_LOGON  = 24,
+               SEC_PRIV_MACHINE_ACCOUNT           = 25
        } sec_privilege;
 
 
@@ -320,14 +426,14 @@ interface security
        } security_acl;
 
        /* default revision for new ACLs */
-       typedef [enum8bit] enum {
+       typedef [public,enum8bit] enum {
                SECURITY_DESCRIPTOR_REVISION_1 = 1
        } security_descriptor_revision;
 
        const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1;
 
        /* security_descriptor->type bits */
-       typedef [bitmap16bit] bitmap {
+       typedef [public,bitmap16bit] bitmap {
                SEC_DESC_OWNER_DEFAULTED        = 0x0001,
                SEC_DESC_GROUP_DEFAULTED        = 0x0002,
                SEC_DESC_DACL_PRESENT           = 0x0004,
@@ -388,4 +494,56 @@ interface security
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;
+
+       typedef [public,bitmap32bit] bitmap {
+               SEC_DACL_AUTO_INHERIT                = 0x00000001,
+               SEC_SACL_AUTO_INHERIT                = 0x00000002,
+               SEC_DEFAULT_DESCRIPTOR               = 0x00000004,
+               SEC_OWNER_FROM_PARENT                = 0x00000008,
+               SEC_GROUP_FROM_PARENT                = 0x00000010
+       } security_autoinherit;
+
+       /***************************************************************/
+       /* Extended right guids */
+
+       const string GUID_DRS_ALLOCATE_RIDS           = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
+       const string GUID_DRS_CHANGE_DOMAIN_MASTER    = "014bf69c-7b3b-11d1-85f6-08002be74fab";
+       const string GUID_DRS_CHANGE_INFR_MASTER      = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
+       const string GUID_DRS_CHANGE_PDC              = "bae50096-4752-11d1-9052-00c04fc2d4cf";
+       const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
+       const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
+       const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
+       const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
+       const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
+       const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b";
+       const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529";
+
+       /***************************************************************/
+       /* validated writes guids */
+       const string GUID_DRS_VALIDATE_SPN            = "f3a64788-5306-11d1-a9c5-0000f80367c1";
+       const string GUID_DRS_SELF_MEMBERSHIP         = "bf9679c0-0de6-11d0-a285-00aa003049e2";
+       const string GUID_DRS_DNS_HOST_NAME           = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
+       const string GUID_DRS_ADD_DNS_HOST_NAME       = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
+       const string GUID_DRS_BEHAVIOR_VERSION        = "d31a8757-2447-4545-8081-3bb610cacbf2";
+
+       /* A type to describe the mapping of generic access rights to object
+          specific access rights. */
+
+       typedef struct {
+               uint32 generic_read;
+               uint32 generic_write;
+               uint32 generic_execute;
+               uint32 generic_all;
+       } generic_mapping;
+
+       typedef struct {
+               uint32 std_read;
+               uint32 std_write;
+               uint32 std_execute;
+               uint32 std_all;
+       } standard_mapping;
 }
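Review bot: GUID_DRS_REPL_SYNCRONIZE is misspelled (SYNCHRONIZE); since these constants are public interface names that callers will start referencing, correcting it now, `const string GUID_DRS_REPL_SYNCHRONIZE        = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";`, is far cheaper than a rename later. The generic_mapping typedef gets a header comment but standard_mapping does not; a parallel one such as `/* mapping of standard access rights to object specific access rights */` would keep the two in step. The GUID strings are written in lower case, so any consumer that compares them textually against GUIDs received on the wire or from a directory attribute presumably needs to normalise case first; noting that expectation next to the "Extended right guids" header would prevent a subtle mismatch in callers.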