4 samr interface definition
6 import "misc.idl", "lsa.idl", "security.idl";
9 Thanks to Todd Sabin for some information from his samr.idl in acltools
12 [ uuid("12345778-1234-abcd-ef00-0123456789ac"),
14 endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
15 pointer_default(unique)
18 typedef bitmap security_secinfo security_secinfo;
20 /* account control (acct_flags) bits */
21 typedef [public,bitmap32bit] bitmap {
22 ACB_DISABLED = 0x00000001, /* 1 = User account disabled */
23 ACB_HOMDIRREQ = 0x00000002, /* 1 = Home directory required */
24 ACB_PWNOTREQ = 0x00000004, /* 1 = User password not required */
25 ACB_TEMPDUP = 0x00000008, /* 1 = Temporary duplicate account */
26 ACB_NORMAL = 0x00000010, /* 1 = Normal user account */
27 ACB_MNS = 0x00000020, /* 1 = MNS logon user account */
28 ACB_DOMTRUST = 0x00000040, /* 1 = Interdomain trust account */
29 ACB_WSTRUST = 0x00000080, /* 1 = Workstation trust account */
30 ACB_SVRTRUST = 0x00000100, /* 1 = Server trust account */
31 ACB_PWNOEXP = 0x00000200, /* 1 = User password does not expire */
32 ACB_AUTOLOCK = 0x00000400, /* 1 = Account auto locked */
33 ACB_ENC_TXT_PWD_ALLOWED = 0x00000800, /* 1 = Encryped text password is allowed */
34 ACB_SMARTCARD_REQUIRED = 0x00001000, /* 1 = Smart Card required */
35 ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
36 ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */
37 ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */
38 ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */
39 ACB_PW_EXPIRED = 0x00020000, /* 1 = Password Expired */
40 ACB_NO_AUTH_DATA_REQD = 0x00080000 /* 1 = No authorization data required */
43 typedef [bitmap32bit] bitmap {
44 SAMR_ACCESS_CONNECT_TO_SERVER = 0x00000001,
45 SAMR_ACCESS_SHUTDOWN_SERVER = 0x00000002,
46 SAMR_ACCESS_INITIALIZE_SERVER = 0x00000004,
47 SAMR_ACCESS_CREATE_DOMAIN = 0x00000008,
48 SAMR_ACCESS_ENUM_DOMAINS = 0x00000010,
49 SAMR_ACCESS_OPEN_DOMAIN = 0x00000020
50 } samr_ConnectAccessMask;
52 typedef [bitmap32bit] bitmap {
53 SAMR_USER_ACCESS_GET_NAME_ETC = 0x00000001,
54 SAMR_USER_ACCESS_GET_LOCALE = 0x00000002,
55 SAMR_USER_ACCESS_SET_LOC_COM = 0x00000004,
56 SAMR_USER_ACCESS_GET_LOGONINFO = 0x00000008,
57 SAMR_USER_ACCESS_GET_ATTRIBUTES = 0x00000010,
58 SAMR_USER_ACCESS_SET_ATTRIBUTES = 0x00000020,
59 SAMR_USER_ACCESS_CHANGE_PASSWORD = 0x00000040,
60 SAMR_USER_ACCESS_SET_PASSWORD = 0x00000080,
61 SAMR_USER_ACCESS_GET_GROUPS = 0x00000100,
62 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP = 0x00000200,
63 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP = 0x00000400
64 } samr_UserAccessMask;
66 typedef [bitmap32bit] bitmap {
67 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 = 0x00000001,
68 SAMR_DOMAIN_ACCESS_SET_INFO_1 = 0x00000002,
69 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 = 0x00000004,
70 SAMR_DOMAIN_ACCESS_SET_INFO_2 = 0x00000008,
71 SAMR_DOMAIN_ACCESS_CREATE_USER = 0x00000010,
72 SAMR_DOMAIN_ACCESS_CREATE_GROUP = 0x00000020,
73 SAMR_DOMAIN_ACCESS_CREATE_ALIAS = 0x00000040,
74 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS = 0x00000080,
75 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS = 0x00000100,
76 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT = 0x00000200,
77 SAMR_DOMAIN_ACCESS_SET_INFO_3 = 0x00000400
78 } samr_DomainAccessMask;
80 typedef [bitmap32bit] bitmap {
81 SAMR_GROUP_ACCESS_LOOKUP_INFO = 0x00000001,
82 SAMR_GROUP_ACCESS_SET_INFO = 0x00000002,
83 SAMR_GROUP_ACCESS_ADD_MEMBER = 0x00000004,
84 SAMR_GROUP_ACCESS_REMOVE_MEMBER = 0x00000008,
85 SAMR_GROUP_ACCESS_GET_MEMBERS = 0x00000010
86 } samr_GroupAccessMask;
88 typedef [bitmap32bit] bitmap {
89 SAMR_ALIAS_ACCESS_ADD_MEMBER = 0x00000001,
90 SAMR_ALIAS_ACCESS_REMOVE_MEMBER = 0x00000002,
91 SAMR_ALIAS_ACCESS_GET_MEMBERS = 0x00000004,
92 SAMR_ALIAS_ACCESS_LOOKUP_INFO = 0x00000008,
93 SAMR_ALIAS_ACCESS_SET_INFO = 0x00000010
94 } samr_AliasAccessMask;
98 NTSTATUS samr_Connect (
99 /* notice the lack of [string] */
100 [in,unique] uint16 *system_name,
101 [in] samr_ConnectAccessMask access_mask,
102 [out,ref] policy_handle *connect_handle
108 [public] NTSTATUS samr_Close (
109 [in,out,ref] policy_handle *handle
115 NTSTATUS samr_SetSecurity (
116 [in,ref] policy_handle *handle,
117 [in] security_secinfo sec_info,
118 [in,ref] sec_desc_buf *sdbuf
124 NTSTATUS samr_QuerySecurity (
125 [in,ref] policy_handle *handle,
126 [in] security_secinfo sec_info,
127 [out,ref] sec_desc_buf **sdbuf
134 shutdown the SAM - once you call this the SAM will be dead
136 NTSTATUS samr_Shutdown (
137 [in,ref] policy_handle *connect_handle
142 NTSTATUS samr_LookupDomain (
143 [in,ref] policy_handle *connect_handle,
144 [in,ref] lsa_String *domain_name,
145 [out,ref] dom_sid2 **sid
159 [size_is(count)] samr_SamEntry *entries;
162 NTSTATUS samr_EnumDomains (
163 [in] policy_handle *connect_handle,
164 [in,out,ref] uint32 *resume_handle,
165 [out,ref] samr_SamArray **sam,
166 [in] uint32 buf_size,
167 [out,ref] uint32 *num_entries
171 /************************/
173 [public] NTSTATUS samr_OpenDomain(
174 [in,ref] policy_handle *connect_handle,
175 [in] samr_DomainAccessMask access_mask,
176 [in,ref] dom_sid2 *sid,
177 [out,ref] policy_handle *domain_handle
180 /************************/
183 typedef [v1_enum] enum {
184 SAMR_ROLE_STANDALONE = 0,
185 SAMR_ROLE_DOMAIN_MEMBER = 1,
186 SAMR_ROLE_DOMAIN_BDC = 2,
187 SAMR_ROLE_DOMAIN_PDC = 3
190 /* password properties flags */
191 typedef [public,bitmap32bit] bitmap {
192 DOMAIN_PASSWORD_COMPLEX = 0x00000001,
193 DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002,
194 DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004,
195 DOMAIN_PASSWORD_LOCKOUT_ADMINS = 0x00000008,
196 DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010,
197 DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020
198 } samr_PasswordProperties;
201 uint16 min_password_length;
202 uint16 password_history_length;
203 samr_PasswordProperties password_properties;
204 /* yes, these are signed. They are in negative 100ns */
205 dlong max_password_age;
206 dlong min_password_age;
210 NTTIME force_logoff_time;
211 lsa_String oem_information; /* comment */
212 lsa_String domain_name;
213 lsa_String primary; /* PDC name if this is a BDC */
221 } samr_DomGeneralInformation;
224 NTTIME force_logoff_time;
228 lsa_String oem_information; /* comment */
229 } samr_DomOEMInformation;
232 lsa_String domain_name;
245 NTTIME domain_create_time;
249 uint32 unknown; /* w2k3 returns 1 */
253 samr_DomGeneralInformation general;
254 hyper lockout_duration;
255 hyper lockout_window;
256 uint16 lockout_threshold;
257 } samr_DomGeneralInformation2;
260 hyper lockout_duration;
261 hyper lockout_window;
262 uint16 lockout_threshold;
267 NTTIME domain_create_time;
272 typedef [switch_type(uint16)] union {
273 [case(1)] samr_DomInfo1 info1;
274 [case(2)] samr_DomGeneralInformation general;
275 [case(3)] samr_DomInfo3 info3;
276 [case(4)] samr_DomOEMInformation oem;
277 [case(5)] samr_DomInfo5 info5;
278 [case(6)] samr_DomInfo6 info6;
279 [case(7)] samr_DomInfo7 info7;
280 [case(8)] samr_DomInfo8 info8;
281 [case(9)] samr_DomInfo9 info9;
282 [case(11)] samr_DomGeneralInformation2 general2;
283 [case(12)] samr_DomInfo12 info12;
284 [case(13)] samr_DomInfo13 info13;
287 NTSTATUS samr_QueryDomainInfo(
288 [in,ref] policy_handle *domain_handle,
290 [out,ref,switch_is(level)] samr_DomainInfo **info
293 /************************/
296 only levels 1, 3, 4, 6, 7, 9, 12 are valid for this
299 NTSTATUS samr_SetDomainInfo(
300 [in,ref] policy_handle *domain_handle,
302 [in,switch_is(level),ref] samr_DomainInfo *info
306 /************************/
308 NTSTATUS samr_CreateDomainGroup(
309 [in,ref] policy_handle *domain_handle,
310 [in,ref] lsa_String *name,
311 [in] samr_GroupAccessMask access_mask,
312 [out,ref] policy_handle *group_handle,
313 [out,ref] uint32 *rid
317 /************************/
320 const int MAX_SAM_ENTRIES_W2K = 0x400; /* 1024 */
321 const int MAX_SAM_ENTRIES_W95 = 50;
323 NTSTATUS samr_EnumDomainGroups(
324 [in] policy_handle *domain_handle,
325 [in,out,ref] uint32 *resume_handle,
326 [out,ref] samr_SamArray **sam,
327 [in] uint32 max_size,
328 [out,ref] uint32 *num_entries
331 /************************/
333 NTSTATUS samr_CreateUser(
334 [in,ref] policy_handle *domain_handle,
335 [in,ref] lsa_String *account_name,
336 [in] samr_UserAccessMask access_mask,
337 [out,ref] policy_handle *user_handle,
338 [out,ref] uint32 *rid
341 /************************/
345 /* w2k3 treats max_size as max_users*54 and sets the
346 resume_handle as the rid of the last user sent
348 const int SAMR_ENUM_USERS_MULTIPLIER = 54;
350 NTSTATUS samr_EnumDomainUsers(
351 [in] policy_handle *domain_handle,
352 [in,out,ref] uint32 *resume_handle,
353 [in] samr_AcctFlags acct_flags,
354 [out,ref] samr_SamArray **sam,
355 [in] uint32 max_size,
356 [out,ref] uint32 *num_entries
359 /************************/
361 NTSTATUS samr_CreateDomAlias(
362 [in,ref] policy_handle *domain_handle,
363 [in,ref] lsa_String *alias_name,
364 [in] samr_AliasAccessMask access_mask,
365 [out,ref] policy_handle *alias_handle,
366 [out,ref] uint32 *rid
369 /************************/
371 NTSTATUS samr_EnumDomainAliases(
372 [in] policy_handle *domain_handle,
373 [in,out,ref] uint32 *resume_handle,
374 [out,ref] samr_SamArray **sam,
375 [in] uint32 max_size,
376 [out,ref] uint32 *num_entries
379 /************************/
383 [range(0,1024)] uint32 count;
384 [size_is(count)] uint32 *ids;
387 NTSTATUS samr_GetAliasMembership(
388 [in,ref] policy_handle *domain_handle,
389 [in,ref] lsa_SidArray *sids,
390 [out,ref] samr_Ids *rids
393 /************************/
396 [public] NTSTATUS samr_LookupNames(
397 [in,ref] policy_handle *domain_handle,
398 [in,range(0,1000)] uint32 num_names,
399 [in,size_is(1000),length_is(num_names)] lsa_String names[],
400 [out,ref] samr_Ids *rids,
401 [out,ref] samr_Ids *types
405 /************************/
407 NTSTATUS samr_LookupRids(
408 [in,ref] policy_handle *domain_handle,
409 [in,range(0,1000)] uint32 num_rids,
410 [in,size_is(1000),length_is(num_rids)] uint32 rids[],
411 [out,ref] lsa_Strings *names,
412 [out,ref] samr_Ids *types
415 /************************/
417 NTSTATUS samr_OpenGroup(
418 [in,ref] policy_handle *domain_handle,
419 [in] samr_GroupAccessMask access_mask,
421 [out,ref] policy_handle *group_handle
424 /* Group attributes */
425 typedef [public,bitmap32bit] bitmap {
426 SE_GROUP_MANDATORY = 0x00000001,
427 SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
428 SE_GROUP_ENABLED = 0x00000004,
429 SE_GROUP_OWNER = 0x00000008,
430 SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
431 SE_GROUP_RESOURCE = 0x20000000,
432 SE_GROUP_LOGON_ID = 0xC0000000
435 /************************/
440 samr_GroupAttrs attributes;
442 lsa_String description;
446 samr_GroupAttrs attributes;
447 } samr_GroupInfoAttributes;
450 lsa_String description;
451 } samr_GroupInfoDescription;
456 GROUPINFOATTRIBUTES = 3,
457 GROUPINFODESCRIPTION = 4,
459 } samr_GroupInfoEnum;
461 typedef [switch_type(samr_GroupInfoEnum)] union {
462 [case(GROUPINFOALL)] samr_GroupInfoAll all;
463 [case(GROUPINFONAME)] lsa_String name;
464 [case(GROUPINFOATTRIBUTES)] samr_GroupInfoAttributes attributes;
465 [case(GROUPINFODESCRIPTION)] lsa_String description;
466 [case(GROUPINFOALL2)] samr_GroupInfoAll all2;
469 NTSTATUS samr_QueryGroupInfo(
470 [in,ref] policy_handle *group_handle,
471 [in] samr_GroupInfoEnum level,
472 [out,ref,switch_is(level)] samr_GroupInfo **info
475 /************************/
477 NTSTATUS samr_SetGroupInfo(
478 [in,ref] policy_handle *group_handle,
479 [in] samr_GroupInfoEnum level,
480 [in,switch_is(level),ref] samr_GroupInfo *info
483 /************************/
485 NTSTATUS samr_AddGroupMember(
486 [in,ref] policy_handle *group_handle,
491 /************************/
493 NTSTATUS samr_DeleteDomainGroup(
494 [in,out,ref] policy_handle *group_handle
497 /************************/
499 NTSTATUS samr_DeleteGroupMember(
500 [in,ref] policy_handle *group_handle,
505 /************************/
509 [size_is(count)] uint32 *rids;
510 [size_is(count)] uint32 *types;
513 NTSTATUS samr_QueryGroupMember(
514 [in,ref] policy_handle *group_handle,
515 [out,ref] samr_RidTypeArray **rids
519 /************************/
523 win2003 seems to accept any data at all for the two integers
524 below, and doesn't seem to do anything with them that I can
525 see. Weird. I really expected the first integer to be a rid
526 and the second to be the attributes for that rid member.
528 NTSTATUS samr_SetMemberAttributesOfGroup(
529 [in,ref] policy_handle *group_handle,
530 [in] uint32 unknown1,
535 /************************/
537 NTSTATUS samr_OpenAlias (
538 [in,ref] policy_handle *domain_handle,
539 [in] samr_AliasAccessMask access_mask,
541 [out,ref] policy_handle *alias_handle
545 /************************/
551 lsa_String description;
557 ALIASINFODESCRIPTION = 3
558 } samr_AliasInfoEnum;
560 typedef [switch_type(samr_AliasInfoEnum)] union {
561 [case(ALIASINFOALL)] samr_AliasInfoAll all;
562 [case(ALIASINFONAME)] lsa_String name;
563 [case(ALIASINFODESCRIPTION)] lsa_String description;
566 NTSTATUS samr_QueryAliasInfo(
567 [in,ref] policy_handle *alias_handle,
568 [in] samr_AliasInfoEnum level,
569 [out,ref,switch_is(level)] samr_AliasInfo **info
572 /************************/
574 NTSTATUS samr_SetAliasInfo(
575 [in,ref] policy_handle *alias_handle,
576 [in] samr_AliasInfoEnum level,
577 [in,switch_is(level),ref] samr_AliasInfo *info
580 /************************/
582 NTSTATUS samr_DeleteDomAlias(
583 [in,out,ref] policy_handle *alias_handle
586 /************************/
588 NTSTATUS samr_AddAliasMember(
589 [in,ref] policy_handle *alias_handle,
590 [in,ref] dom_sid2 *sid
593 /************************/
595 NTSTATUS samr_DeleteAliasMember(
596 [in,ref] policy_handle *alias_handle,
597 [in,ref] dom_sid2 *sid
600 /************************/
602 NTSTATUS samr_GetMembersInAlias(
603 [in,ref] policy_handle *alias_handle,
604 [out,ref] lsa_SidArray *sids
607 /************************/
609 [public] NTSTATUS samr_OpenUser(
610 [in,ref] policy_handle *domain_handle,
611 [in] samr_UserAccessMask access_mask,
613 [out,ref] policy_handle *user_handle
616 /************************/
618 NTSTATUS samr_DeleteUser(
619 [in,out,ref] policy_handle *user_handle
622 /************************/
625 lsa_String account_name;
626 lsa_String full_name;
628 lsa_String description;
634 lsa_String unknown; /* settable, but doesn't stick. probably obsolete */
639 /* this is also used in samr and netlogon */
640 typedef [public, flag(NDR_PAHEX)] struct {
641 uint16 units_per_week;
642 [size_is(1260), length_is(units_per_week/8)] uint8 *bits;
646 lsa_String account_name;
647 lsa_String full_name;
650 lsa_String home_directory;
651 lsa_String home_drive;
652 lsa_String logon_script;
653 lsa_String profile_path;
654 lsa_String workstations;
657 NTTIME last_password_change;
658 NTTIME allow_password_change;
659 NTTIME force_password_change;
660 samr_LogonHours logon_hours;
661 uint16 bad_password_count;
663 samr_AcctFlags acct_flags;
667 samr_LogonHours logon_hours;
671 lsa_String account_name;
672 lsa_String full_name;
675 lsa_String home_directory;
676 lsa_String home_drive;
677 lsa_String logon_script;
678 lsa_String profile_path;
679 lsa_String description;
680 lsa_String workstations;
683 samr_LogonHours logon_hours;
684 uint16 bad_password_count;
686 NTTIME last_password_change;
688 samr_AcctFlags acct_flags;
692 lsa_String account_name;
693 lsa_String full_name;
697 lsa_String account_name;
701 lsa_String full_name;
709 lsa_String home_directory;
710 lsa_String home_drive;
714 lsa_String logon_script;
718 lsa_String profile_path;
722 lsa_String description;
726 lsa_String workstations;
730 samr_AcctFlags acct_flags;
737 typedef [public, flag(NDR_PAHEX)] struct {
742 samr_Password lm_pwd;
743 samr_Password nt_pwd;
744 boolean8 lm_pwd_active;
745 boolean8 nt_pwd_active;
749 lsa_BinaryString parameters;
752 /* this defines the bits used for fields_present in info21 */
753 typedef [bitmap32bit] bitmap {
754 SAMR_FIELD_ACCOUNT_NAME = 0x00000001,
755 SAMR_FIELD_FULL_NAME = 0x00000002,
756 SAMR_FIELD_RID = 0x00000004,
757 SAMR_FIELD_PRIMARY_GID = 0x00000008,
758 SAMR_FIELD_DESCRIPTION = 0x00000010,
759 SAMR_FIELD_COMMENT = 0x00000020,
760 SAMR_FIELD_HOME_DIRECTORY = 0x00000040,
761 SAMR_FIELD_HOME_DRIVE = 0x00000080,
762 SAMR_FIELD_LOGON_SCRIPT = 0x00000100,
763 SAMR_FIELD_PROFILE_PATH = 0x00000200,
764 SAMR_FIELD_WORKSTATIONS = 0x00000400,
765 SAMR_FIELD_LAST_LOGON = 0x00000800,
766 SAMR_FIELD_LAST_LOGOFF = 0x00001000,
767 SAMR_FIELD_LOGON_HOURS = 0x00002000,
768 SAMR_FIELD_BAD_PWD_COUNT = 0x00004000,
769 SAMR_FIELD_NUM_LOGONS = 0x00008000,
770 SAMR_FIELD_ALLOW_PWD_CHANGE = 0x00010000,
771 SAMR_FIELD_FORCE_PWD_CHANGE = 0x00020000,
772 SAMR_FIELD_LAST_PWD_CHANGE = 0x00040000,
773 SAMR_FIELD_ACCT_EXPIRY = 0x00080000,
774 SAMR_FIELD_ACCT_FLAGS = 0x00100000,
775 SAMR_FIELD_PARAMETERS = 0x00200000,
776 SAMR_FIELD_COUNTRY_CODE = 0x00400000,
777 SAMR_FIELD_CODE_PAGE = 0x00800000,
778 SAMR_FIELD_PASSWORD = 0x01000000, /* either of these */
779 SAMR_FIELD_PASSWORD2 = 0x02000000, /* two bits seems to work */
780 SAMR_FIELD_PRIVATE_DATA = 0x04000000,
781 SAMR_FIELD_EXPIRED_FLAG = 0x08000000,
782 SAMR_FIELD_SEC_DESC = 0x10000000,
783 SAMR_FIELD_OWF_PWD = 0x20000000
784 } samr_FieldsPresent;
786 /* used for 'password_expired' in samr_UserInfo21 */
787 const int PASS_MUST_CHANGE_AT_NEXT_LOGON = 0x01;
788 const int PASS_DONT_CHANGE_AT_NEXT_LOGON = 0x00;
793 NTTIME last_password_change;
795 NTTIME allow_password_change;
796 NTTIME force_password_change;
797 lsa_String account_name;
798 lsa_String full_name;
799 lsa_String home_directory;
800 lsa_String home_drive;
801 lsa_String logon_script;
802 lsa_String profile_path;
803 lsa_String description;
804 lsa_String workstations;
806 lsa_BinaryString parameters;
811 [size_is(buf_count)] uint8 *buffer;
814 samr_AcctFlags acct_flags;
815 samr_FieldsPresent fields_present;
816 samr_LogonHours logon_hours;
817 uint16 bad_password_count;
821 uint8 nt_password_set;
822 uint8 lm_password_set;
823 uint8 password_expired;
827 typedef [public, flag(NDR_PAHEX)] struct {
829 } samr_CryptPassword;
832 samr_UserInfo21 info;
833 samr_CryptPassword password;
837 samr_CryptPassword password;
841 typedef [flag(NDR_PAHEX)] struct {
843 } samr_CryptPasswordEx;
846 samr_UserInfo21 info;
847 samr_CryptPasswordEx password;
851 samr_CryptPasswordEx password;
855 typedef [switch_type(uint16)] union {
856 [case(1)] samr_UserInfo1 info1;
857 [case(2)] samr_UserInfo2 info2;
858 [case(3)] samr_UserInfo3 info3;
859 [case(4)] samr_UserInfo4 info4;
860 [case(5)] samr_UserInfo5 info5;
861 [case(6)] samr_UserInfo6 info6;
862 [case(7)] samr_UserInfo7 info7;
863 [case(8)] samr_UserInfo8 info8;
864 [case(9)] samr_UserInfo9 info9;
865 [case(10)] samr_UserInfo10 info10;
866 [case(11)] samr_UserInfo11 info11;
867 [case(12)] samr_UserInfo12 info12;
868 [case(13)] samr_UserInfo13 info13;
869 [case(14)] samr_UserInfo14 info14;
870 [case(16)] samr_UserInfo16 info16;
871 [case(17)] samr_UserInfo17 info17;
872 [case(18)] samr_UserInfo18 info18;
873 [case(20)] samr_UserInfo20 info20;
874 [case(21)] samr_UserInfo21 info21;
875 [case(23)] samr_UserInfo23 info23;
876 [case(24)] samr_UserInfo24 info24;
877 [case(25)] samr_UserInfo25 info25;
878 [case(26)] samr_UserInfo26 info26;
881 [public] NTSTATUS samr_QueryUserInfo(
882 [in,ref] policy_handle *user_handle,
884 [out,ref,switch_is(level)] samr_UserInfo **info
888 /************************/
890 [public] NTSTATUS samr_SetUserInfo(
891 [in,ref] policy_handle *user_handle,
893 [in,ref,switch_is(level)] samr_UserInfo *info
896 /************************/
899 this is a password change interface that doesn't give
900 the server the plaintext password. Depricated.
902 NTSTATUS samr_ChangePasswordUser(
903 [in,ref] policy_handle *user_handle,
904 [in] boolean8 lm_present,
905 [in,unique] samr_Password *old_lm_crypted,
906 [in,unique] samr_Password *new_lm_crypted,
907 [in] boolean8 nt_present,
908 [in,unique] samr_Password *old_nt_crypted,
909 [in,unique] samr_Password *new_nt_crypted,
910 [in] boolean8 cross1_present,
911 [in,unique] samr_Password *nt_cross,
912 [in] boolean8 cross2_present,
913 [in,unique] samr_Password *lm_cross
916 /************************/
919 typedef [public] struct {
921 samr_GroupAttrs attributes;
922 } samr_RidWithAttribute;
924 typedef [public] struct {
926 [size_is(count)] samr_RidWithAttribute *rids;
927 } samr_RidWithAttributeArray;
929 NTSTATUS samr_GetGroupsForUser(
930 [in,ref] policy_handle *user_handle,
931 [out,ref] samr_RidWithAttributeArray **rids
934 /************************/
940 samr_AcctFlags acct_flags;
941 lsa_String account_name;
942 lsa_String description;
943 lsa_String full_name;
944 } samr_DispEntryGeneral;
948 [size_is(count)] samr_DispEntryGeneral *entries;
949 } samr_DispInfoGeneral;
954 samr_AcctFlags acct_flags;
955 lsa_String account_name;
956 lsa_String description;
957 } samr_DispEntryFull;
961 [size_is(count)] samr_DispEntryFull *entries;
967 samr_GroupAttrs acct_flags;
968 lsa_String account_name;
969 lsa_String description;
970 } samr_DispEntryFullGroup;
974 [size_is(count)] samr_DispEntryFullGroup *entries;
975 } samr_DispInfoFullGroups;
979 lsa_AsciiStringLarge account_name;
980 } samr_DispEntryAscii;
984 [size_is(count)] samr_DispEntryAscii *entries;
985 } samr_DispInfoAscii;
987 typedef [switch_type(uint16)] union {
988 [case(1)] samr_DispInfoGeneral info1;/* users */
989 [case(2)] samr_DispInfoFull info2; /* trust accounts? */
990 [case(3)] samr_DispInfoFullGroups info3; /* groups */
991 [case(4)] samr_DispInfoAscii info4; /* users */
992 [case(5)] samr_DispInfoAscii info5; /* groups */
995 NTSTATUS samr_QueryDisplayInfo(
996 [in,ref] policy_handle *domain_handle,
998 [in] uint32 start_idx,
999 [in] uint32 max_entries,
1000 [in] uint32 buf_size,
1001 [out,ref] uint32 *total_size,
1002 [out,ref] uint32 *returned_size,
1003 [out,ref,switch_is(level)] samr_DispInfo *info
1007 /************************/
1011 this seems to be an alphabetic search function. The returned index
1012 is the index for samr_QueryDisplayInfo needed to get names occurring
1013 after the specified name. The supplied name does not need to exist
1014 in the database (for example you can supply just a first letter for
1015 searching starting at that letter)
1017 The level corresponds to the samr_QueryDisplayInfo level
1019 NTSTATUS samr_GetDisplayEnumerationIndex(
1020 [in,ref] policy_handle *domain_handle,
1022 [in,ref] lsa_String *name,
1023 [out,ref] uint32 *idx
1028 /************************/
1032 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1034 NTSTATUS samr_TestPrivateFunctionsDomain(
1035 [in,ref] policy_handle *domain_handle
1039 /************************/
1043 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1045 NTSTATUS samr_TestPrivateFunctionsUser(
1046 [in,ref] policy_handle *user_handle
1050 /************************/
1054 uint16 min_password_length;
1055 samr_PasswordProperties password_properties;
1058 [public] NTSTATUS samr_GetUserPwInfo(
1059 [in,ref] policy_handle *user_handle,
1060 [out,ref] samr_PwInfo *info
1063 /************************/
1065 NTSTATUS samr_RemoveMemberFromForeignDomain(
1066 [in,ref] policy_handle *domain_handle,
1067 [in,ref] dom_sid2 *sid
1070 /************************/
1074 how is this different from QueryDomainInfo ??
1076 NTSTATUS samr_QueryDomainInfo2(
1077 [in,ref] policy_handle *domain_handle,
1079 [out,ref,switch_is(level)] samr_DomainInfo **info
1082 /************************/
1086 how is this different from QueryUserInfo ??
1088 NTSTATUS samr_QueryUserInfo2(
1089 [in,ref] policy_handle *user_handle,
1091 [out,ref,switch_is(level)] samr_UserInfo *info
1094 /************************/
1098 how is this different from QueryDisplayInfo??
1100 NTSTATUS samr_QueryDisplayInfo2(
1101 [in,ref] policy_handle *domain_handle,
1103 [in] uint32 start_idx,
1104 [in] uint32 max_entries,
1105 [in] uint32 buf_size,
1106 [out,ref] uint32 *total_size,
1107 [out,ref] uint32 *returned_size,
1108 [out,ref,switch_is(level)] samr_DispInfo *info
1111 /************************/
1115 how is this different from GetDisplayEnumerationIndex ??
1117 NTSTATUS samr_GetDisplayEnumerationIndex2(
1118 [in,ref] policy_handle *domain_handle,
1120 [in,ref] lsa_String *name,
1121 [out,ref] uint32 *idx
1125 /************************/
1127 NTSTATUS samr_CreateUser2(
1128 [in,ref] policy_handle *domain_handle,
1129 [in,ref] lsa_String *account_name,
1130 [in] samr_AcctFlags acct_flags,
1131 [in] samr_UserAccessMask access_mask,
1132 [out,ref] policy_handle *user_handle,
1133 [out,ref] uint32 *access_granted,
1134 [out,ref] uint32 *rid
1138 /************************/
1142 another duplicate. There must be a reason ....
1144 NTSTATUS samr_QueryDisplayInfo3(
1145 [in,ref] policy_handle *domain_handle,
1147 [in] uint32 start_idx,
1148 [in] uint32 max_entries,
1149 [in] uint32 buf_size,
1150 [out,ref] uint32 *total_size,
1151 [out,ref] uint32 *returned_size,
1152 [out,ref,switch_is(level)] samr_DispInfo *info
1155 /************************/
1157 NTSTATUS samr_AddMultipleMembersToAlias(
1158 [in,ref] policy_handle *alias_handle,
1159 [in,ref] lsa_SidArray *sids
1162 /************************/
1164 NTSTATUS samr_RemoveMultipleMembersFromAlias(
1165 [in,ref] policy_handle *alias_handle,
1166 [in,ref] lsa_SidArray *sids
1169 /************************/
1172 NTSTATUS samr_OemChangePasswordUser2(
1173 [in,unique] lsa_AsciiString *server,
1174 [in,ref] lsa_AsciiString *account,
1175 [in,unique] samr_CryptPassword *password,
1176 [in,unique] samr_Password *hash
1179 /************************/
1181 NTSTATUS samr_ChangePasswordUser2(
1182 [in,unique] lsa_String *server,
1183 [in,ref] lsa_String *account,
1184 [in,unique] samr_CryptPassword *nt_password,
1185 [in,unique] samr_Password *nt_verifier,
1186 [in] boolean8 lm_change,
1187 [in,unique] samr_CryptPassword *lm_password,
1188 [in,unique] samr_Password *lm_verifier
1191 /************************/
1193 NTSTATUS samr_GetDomPwInfo(
1194 [in,unique] lsa_String *domain_name,
1195 [out,ref] samr_PwInfo *info
1198 /************************/
1200 NTSTATUS samr_Connect2(
1201 [in,unique,string,charset(UTF16)] uint16 *system_name,
1202 [in] samr_ConnectAccessMask access_mask,
1203 [out,ref] policy_handle *connect_handle
1206 /************************/
1209 seems to be an exact alias for samr_SetUserInfo()
1211 [public] NTSTATUS samr_SetUserInfo2(
1212 [in,ref] policy_handle *user_handle,
1214 [in,ref,switch_is(level)] samr_UserInfo *info
1217 /************************/
1220 this one is mysterious. I have a few guesses, but nothing working yet
1222 NTSTATUS samr_SetBootKeyInformation(
1223 [in,ref] policy_handle *connect_handle,
1224 [in] uint32 unknown1,
1225 [in] uint32 unknown2,
1226 [in] uint32 unknown3
1229 /************************/
1231 NTSTATUS samr_GetBootKeyInformation(
1232 [in,ref] policy_handle *domain_handle,
1233 [out,ref] uint32 *unknown
1236 /************************/
1238 NTSTATUS samr_Connect3(
1239 [in,unique,string,charset(UTF16)] uint16 *system_name,
1240 /* this unknown value seems to be completely ignored by w2k3 */
1241 [in] uint32 unknown,
1242 [in] samr_ConnectAccessMask access_mask,
1243 [out,ref] policy_handle *connect_handle
1246 /************************/
1250 SAMR_CONNECT_PRE_W2K = 1,
1251 SAMR_CONNECT_W2K = 2,
1252 SAMR_CONNECT_AFTER_W2K = 3
1253 } samr_ConnectVersion;
1255 NTSTATUS samr_Connect4(
1256 [in,unique,string,charset(UTF16)] uint16 *system_name,
1257 [in] samr_ConnectVersion client_version,
1258 [in] samr_ConnectAccessMask access_mask,
1259 [out,ref] policy_handle *connect_handle
1262 /************************/
1265 typedef enum samr_RejectReason samr_RejectReason;
1268 samr_RejectReason reason;
1271 } samr_ChangeReject;
1273 NTSTATUS samr_ChangePasswordUser3(
1274 [in,unique] lsa_String *server,
1275 [in,ref] lsa_String *account,
1276 [in,unique] samr_CryptPassword *nt_password,
1277 [in,unique] samr_Password *nt_verifier,
1278 [in] boolean8 lm_change,
1279 [in,unique] samr_CryptPassword *lm_password,
1280 [in,unique] samr_Password *lm_verifier,
1281 [in,unique] samr_CryptPassword *password3,
1282 [out,ref] samr_DomInfo1 **dominfo,
1283 [out,ref] samr_ChangeReject **reject
1286 /************************/
1290 samr_ConnectVersion client_version; /* w2k3 gives 3 */
1291 uint32 unknown2; /* w2k3 gives 0 */
1292 } samr_ConnectInfo1;
1295 [case(1)] samr_ConnectInfo1 info1;
1298 [public] NTSTATUS samr_Connect5(
1299 [in,unique,string,charset(UTF16)] uint16 *system_name,
1300 [in] samr_ConnectAccessMask access_mask,
1301 [in] uint32 level_in,
1302 [in,ref,switch_is(level_in)] samr_ConnectInfo *info_in,
1303 [out,ref] uint32 *level_out,
1304 [out,ref,switch_is(*level_out)] samr_ConnectInfo *info_out,
1305 [out,ref] policy_handle *connect_handle
1308 /************************/
1310 NTSTATUS samr_RidToSid(
1311 [in,ref] policy_handle *domain_handle,
1313 [out,ref] dom_sid2 *sid
1317 /************************/
1321 this should set the DSRM password for the server, which is used
1322 when booting into Directory Services Recovery Mode on a DC. Win2003
1323 gives me NT_STATUS_NOT_SUPPORTED
1326 NTSTATUS samr_SetDsrmPassword(
1327 [in,unique] lsa_String *name,
1328 [in] uint32 unknown,
1329 [in,unique] samr_Password *hash
1333 /************************/
1335 /************************/
1336 typedef [bitmap32bit] bitmap {
1337 SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET = 0x00000001,
1338 SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME = 0x00000002,
1339 SAMR_VALIDATE_FIELD_LOCKOUT_TIME = 0x00000004,
1340 SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT = 0x00000008,
1341 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH = 0x00000010,
1342 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY = 0x00000020
1343 } samr_ValidateFieldsPresent;
1346 NetValidateAuthentication = 1,
1347 NetValidatePasswordChange= 2,
1348 NetValidatePasswordReset = 3
1349 } samr_ValidatePasswordLevel;
1351 /* NetApi maps samr_ValidationStatus errors to WERRORs. Haven't
1352 * identified the mapping of
1353 * - NERR_PasswordFilterError
1354 * - NERR_PasswordExpired and
1355 * - NERR_PasswordCantChange
1360 SAMR_VALIDATION_STATUS_SUCCESS = 0,
1361 SAMR_VALIDATION_STATUS_PASSWORD_MUST_CHANGE = 1,
1362 SAMR_VALIDATION_STATUS_ACCOUNT_LOCKED_OUT = 2,
1363 SAMR_VALIDATION_STATUS_BAD_PASSWORD = 4,
1364 SAMR_VALIDATION_STATUS_PWD_HISTORY_CONFLICT = 5,
1365 SAMR_VALIDATION_STATUS_PWD_TOO_SHORT = 6,
1366 SAMR_VALIDATION_STATUS_PWD_TOO_LONG = 7,
1367 SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH = 8,
1368 SAMR_VALIDATION_STATUS_PASSWORD_TOO_RECENT = 9
1369 } samr_ValidationStatus;
1373 [size_is(length)] uint8 *data;
1374 } samr_ValidationBlob;
1377 samr_ValidateFieldsPresent fields_present;
1378 NTTIME_hyper last_password_change;
1379 NTTIME_hyper bad_password_time;
1380 NTTIME_hyper lockout_time;
1381 uint32 bad_pwd_count;
1382 uint32 pwd_history_len;
1383 [size_is(pwd_history_len)] samr_ValidationBlob *pwd_history;
1384 } samr_ValidatePasswordInfo;
1387 samr_ValidatePasswordInfo info;
1388 samr_ValidationStatus status;
1389 } samr_ValidatePasswordRepCtr;
1391 typedef [switch_type(uint16)] union {
1392 [case(1)] samr_ValidatePasswordRepCtr ctr1;
1393 [case(2)] samr_ValidatePasswordRepCtr ctr2;
1394 [case(3)] samr_ValidatePasswordRepCtr ctr3;
1395 } samr_ValidatePasswordRep;
1398 samr_ValidatePasswordInfo info;
1399 lsa_StringLarge password;
1400 lsa_StringLarge account;
1401 samr_ValidationBlob hash;
1402 boolean8 pwd_must_change_at_next_logon;
1403 boolean8 clear_lockout;
1404 } samr_ValidatePasswordReq3;
1407 samr_ValidatePasswordInfo info;
1408 lsa_StringLarge password;
1409 lsa_StringLarge account;
1410 samr_ValidationBlob hash;
1411 boolean8 password_matched;
1412 } samr_ValidatePasswordReq2;
1415 samr_ValidatePasswordInfo info;
1416 boolean8 password_matched;
1417 } samr_ValidatePasswordReq1;
1419 typedef [switch_type(uint16)] union {
1420 [case(1)] samr_ValidatePasswordReq1 req1;
1421 [case(2)] samr_ValidatePasswordReq2 req2;
1422 [case(3)] samr_ValidatePasswordReq3 req3;
1423 } samr_ValidatePasswordReq;
1425 NTSTATUS samr_ValidatePassword(
1426 [in] samr_ValidatePasswordLevel level,
1427 [in,switch_is(level)] samr_ValidatePasswordReq req,
1428 [out,ref,switch_is(level)] samr_ValidatePasswordRep *rep
git.samba.org / kai / samba.git / blob