#include "idl_types.h"

/*
  security IDL structures

  Wire-format definitions for SIDs, access masks, ACEs, ACLs and
  security descriptors, plus the well-known SID / RID / privilege
  constants that Samba's access checks refer to.  Field order and
  numeric values here are the on-the-wire and on-disk contract:
  do not reorder or renumber them.
*/

/* misc.idl is expected to supply GUID, used by the object ACE types below */
import "misc.idl";

/*
   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
   just a dom sid, but with the sub_auths represented as a conformant
   array. As with all in-structure conformant arrays, the array length
   is placed before the start of the structure. That's what gives rise
   to the extra num_auths element. We don't want the Samba code to
   have to bother with such esoteric NDR details, so it is easier to just
   define it as a dom_sid and use pidl magic to make it all work. It
   just means you need to mark a sid as a "dom_sid2" in the IDL when you
   know it is of the conformant array variety.
*/
cpp_quote("#define dom_sid2 dom_sid")

/* same struct as dom_sid but inside a 28 byte fixed buffer in NDR */
cpp_quote("#define dom_sid28 dom_sid")

/* same struct as dom_sid but in a variable byte buffer, which may be empty in NDR */
cpp_quote("#define dom_sid0 dom_sid")
27
28 [
29         /*
30          * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
31          */
32         uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
33         version(0.0),
34         pyhelper("librpc/ndr/py_security.c"),
35         pointer_default(unique)
36 ]
37 interface security
38 {
39
        /* Forward declaration of the bitmap defined later in this interface. */
        typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;

        /*
         * Security identifier (SID).  [nopull]/[nopush] mean pidl does NOT
         * generate the NDR marshalling for this struct; it is hand-written.
         * The [range] on num_auths therefore documents the bound that the
         * hand-written pull must enforce itself: num_auths indexes the
         * fixed sub_auths[15] array, and a value outside 0..15 would read
         * or write past it.
         */
        typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
                uint8  sid_rev_num;             /**< SID revision number */
                [range(0,15)] int8  num_auths;  /**< Number of sub-authorities in use (bounds sub_auths) */
                uint8  id_auth[6];              /**< Identifier Authority */
                uint32 sub_auths[15];           /**< Sub-authorities; only the first num_auths entries carry data */
        } dom_sid;
        /*
          access masks are divided up like this:
                0xabccdddd
                where
                   a = generic rights bits        SEC_GENERIC_
                   b = flags                      SEC_FLAG_
                   c = standard rights bits       SEC_STD_
                   d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_

          common combinations of bits are prefixed with SEC_RIGHTS_

          The four masks below select those fields; together they cover
          the whole 32-bit mask with no overlap.
        */
        const int SEC_MASK_GENERIC         = 0xF0000000;
        const int SEC_MASK_FLAGS           = 0x0F000000;
        const int SEC_MASK_STANDARD        = 0x00FF0000;
        const int SEC_MASK_SPECIFIC        = 0x0000FFFF;
63
        /* generic bits (field "a").  These are never granted as-is; they are
         * expanded to object-specific rights by the SEC_RIGHTS_* mappings below. */
        const int SEC_GENERIC_ALL          = 0x10000000;
        const int SEC_GENERIC_EXECUTE      = 0x20000000;
        const int SEC_GENERIC_WRITE        = 0x40000000;
        const int SEC_GENERIC_READ         = 0x80000000;

        /* flag bits (field "b").  Only 0x01 and 0x02 of this nibble are
         * assigned; the other two are part of SEC_MASK_INVALID. */
        const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
        const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;

        /* standard bits (field "c"), shared by every object type */
        const int SEC_STD_DELETE           = 0x00010000;
        const int SEC_STD_READ_CONTROL     = 0x00020000;
        const int SEC_STD_WRITE_DAC        = 0x00040000;
        const int SEC_STD_WRITE_OWNER      = 0x00080000;
        const int SEC_STD_SYNCHRONIZE      = 0x00100000;
        const int SEC_STD_REQUIRED         = 0x000F0000; /* DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER */
        const int SEC_STD_ALL              = 0x001F0000; /* SEC_STD_REQUIRED|SYNCHRONIZE */
82
        /* object type specific bits (field "d").  The same bit positions are
         * reused per object type, so a specific bit only has meaning once
         * the object type is known. */

        /* file specific bits.  0x40 is not a file right (it is
         * SEC_DIR_DELETE_CHILD for directories) but SEC_FILE_ALL = 0x1ff
         * covers bits 0-8 inclusive and so includes it. */
        const int SEC_FILE_READ_DATA       = 0x00000001;
        const int SEC_FILE_WRITE_DATA      = 0x00000002;
        const int SEC_FILE_APPEND_DATA     = 0x00000004;
        const int SEC_FILE_READ_EA         = 0x00000008;
        const int SEC_FILE_WRITE_EA        = 0x00000010;
        const int SEC_FILE_EXECUTE         = 0x00000020;
        const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
        const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
        const int SEC_FILE_ALL             = 0x000001ff;

        /* directory specific bits (same positions as the file bits, plus
         * DELETE_CHILD at 0x40) */
        const int SEC_DIR_LIST             = 0x00000001;
        const int SEC_DIR_ADD_FILE         = 0x00000002;
        const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
        const int SEC_DIR_READ_EA          = 0x00000008;
        const int SEC_DIR_WRITE_EA         = 0x00000010;
        const int SEC_DIR_TRAVERSE         = 0x00000020;
        const int SEC_DIR_DELETE_CHILD     = 0x00000040;
        const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
        const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;

        /* registry entry specific bits */
        const int SEC_REG_QUERY_VALUE      = 0x00000001;
        const int SEC_REG_SET_VALUE        = 0x00000002;
        const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
        const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
        const int SEC_REG_NOTIFY           = 0x00000010;
        const int SEC_REG_CREATE_LINK      = 0x00000020;

        /* ldap specific access bits (directory service objects) */
        const int SEC_ADS_CREATE_CHILD     = 0x00000001;
        const int SEC_ADS_DELETE_CHILD     = 0x00000002;
        const int SEC_ADS_LIST             = 0x00000004;
        const int SEC_ADS_SELF_WRITE       = 0x00000008;
        const int SEC_ADS_READ_PROP        = 0x00000010;
        const int SEC_ADS_WRITE_PROP       = 0x00000020;
        const int SEC_ADS_DELETE_TREE      = 0x00000040;
        const int SEC_ADS_LIST_OBJECT      = 0x00000080;
        const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;
123
        /* invalid bits: exactly the bits that none of the definitions above
         * assign -- flag nibble 0x0c, standard byte 0xe0 and specific bits
         * 9-15.  Presumably used to reject requested masks that set any of
         * them; keep it in sync if a new bit is ever defined above. */
        const int SEC_MASK_INVALID         = 0x0ce0fe00;
126
        /* generic->specific mappings for files: what each SEC_GENERIC_* bit
         * expands to for a file object.  Each of READ/WRITE/EXECUTE also
         * carries READ_CONTROL and SYNCHRONIZE. */
        const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL |
                                            SEC_STD_SYNCHRONIZE |
                                            SEC_FILE_READ_DATA |
                                            SEC_FILE_READ_ATTRIBUTE |
                                            SEC_FILE_READ_EA;

        const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL |
                                            SEC_STD_SYNCHRONIZE |
                                            SEC_FILE_WRITE_DATA |
                                            SEC_FILE_WRITE_ATTRIBUTE |
                                            SEC_FILE_WRITE_EA |
                                            SEC_FILE_APPEND_DATA;

        const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
                                            SEC_STD_READ_CONTROL |
                                            SEC_FILE_READ_ATTRIBUTE |
                                            SEC_FILE_EXECUTE;

        /* 0x001f01ff: every standard bit plus every file-specific bit */
        const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;

        /* generic->specific mappings for directories (same as files) */
        const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
        const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
        const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
        const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;

        /* rights granted by some specific privileges (SEC_PRIV_BACKUP and
         * SEC_PRIV_RESTORE below).  Presumably these are granted to a
         * privilege holder irrespective of the object's DACL -- confirm in
         * the access-check code -- so they are deliberately narrow: BACKUP
         * is the read mapping plus SYSTEM_SECURITY and TRAVERSE, RESTORE is
         * the write mapping plus ownership/DACL/delete/create rights. */
        const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL |
                                            SEC_FLAG_SYSTEM_SECURITY |
                                            SEC_RIGHTS_FILE_READ |
                                            SEC_DIR_TRAVERSE;

        const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
                                            SEC_STD_WRITE_OWNER |
                                            SEC_FLAG_SYSTEM_SECURITY |
                                            SEC_RIGHTS_FILE_WRITE |
                                            SEC_DIR_ADD_FILE |
                                            SEC_DIR_ADD_SUBDIR |
                                            SEC_STD_DELETE;
167
        /* combinations of standard masks, under the Windows STANDARD_RIGHTS_*
         * names, expressed in SEC_STD_* terms.  The trailing comments give
         * the resulting values. */
        const int STANDARD_RIGHTS_ALL_ACCESS            = SEC_STD_ALL; /* 0x001f0000 */
        const int STANDARD_RIGHTS_MODIFY_ACCESS         = SEC_STD_READ_CONTROL; /* 0x00020000 */
        const int STANDARD_RIGHTS_EXECUTE_ACCESS        = SEC_STD_READ_CONTROL; /* 0x00020000 */
        const int STANDARD_RIGHTS_READ_ACCESS           = SEC_STD_READ_CONTROL; /* 0x00020000 */
        const int STANDARD_RIGHTS_WRITE_ACCESS =
                (SEC_STD_WRITE_OWNER            |
                 SEC_STD_WRITE_DAC              |
                 SEC_STD_DELETE);       /* 0x000d0000 */
        const int STANDARD_RIGHTS_REQUIRED_ACCESS =
                (SEC_STD_DELETE                 |
                 SEC_STD_READ_CONTROL           |
                 SEC_STD_WRITE_DAC              |
                 SEC_STD_WRITE_OWNER);  /* 0x000f0000, same value as SEC_STD_REQUIRED */
182
        /* generic->specific mappings for Directory Service objects.  Unlike
         * the file mappings these do not include SEC_STD_SYNCHRONIZE. */

        /* directory specific part of GENERIC_ALL: the rights GENERIC_ALL
         * grants beyond the union of GENERIC_READ/WRITE/EXECUTE */
        const int SEC_ADS_GENERIC_ALL_DS =
                (SEC_STD_DELETE                 |
                 SEC_STD_WRITE_DAC              |
                 SEC_STD_WRITE_OWNER            |
                 SEC_ADS_CREATE_CHILD           |
                 SEC_ADS_DELETE_CHILD           |
                 SEC_ADS_DELETE_TREE            |
                 SEC_ADS_CONTROL_ACCESS);
        const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
        const int SEC_ADS_GENERIC_WRITE   =
                (SEC_STD_READ_CONTROL           |
                 SEC_ADS_SELF_WRITE             |
                 SEC_ADS_WRITE_PROP);
        const int SEC_ADS_GENERIC_READ    =
                (SEC_STD_READ_CONTROL           |
                 SEC_ADS_LIST                   |
                 SEC_ADS_READ_PROP              |
                 SEC_ADS_LIST_OBJECT);
        /* GENERIC_ALL is the union of the three mappings above plus the
         * DS-only part */
        const int SEC_ADS_GENERIC_ALL     =
                (SEC_ADS_GENERIC_EXECUTE        |
                 SEC_ADS_GENERIC_WRITE          |
                 SEC_ADS_GENERIC_READ           |
                 SEC_ADS_GENERIC_ALL_DS);
208
        /***************************************************************/
        /* WELL KNOWN SIDS
         *
         * String forms ("S-1-<authority>-<sub_auths...>") of the fixed SIDs
         * referenced by Samba.  Grouped by identifier authority; BUILTIN
         * (S-1-5-32) and NT SERVICE (S-1-5-80) follow in their own groups.
         */

        /* a NULL sid */
        const string SID_NULL = "S-1-0-0";

        /* the world domain: S-1-1-0 is "Everyone" */
        const string NAME_WORLD       = "WORLD";

        const string SID_WORLD_DOMAIN = "S-1-1";
        const string SID_WORLD        = "S-1-1-0";

        /* SECURITY_CREATOR_SID_AUTHORITY: placeholder SIDs substituted at
         * object-creation / inheritance time */
        const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
        const string SID_CREATOR_OWNER        = "S-1-3-0";
        const string SID_CREATOR_GROUP        = "S-1-3-1";
        const string SID_OWNER_RIGHTS         = "S-1-3-4";

        /* SECURITY_NT_AUTHORITY */
        const string NAME_NT_AUTHORITY            = "NT AUTHORITY";

        const string SID_NT_AUTHORITY             = "S-1-5";
        const string SID_NT_DIALUP                = "S-1-5-1";
        const string SID_NT_NETWORK               = "S-1-5-2";
        const string SID_NT_BATCH                 = "S-1-5-3";
        const string SID_NT_INTERACTIVE           = "S-1-5-4";
        const string SID_NT_SERVICE               = "S-1-5-6";
        const string SID_NT_ANONYMOUS             = "S-1-5-7";
        const string SID_NT_PROXY                 = "S-1-5-8";
        const string SID_NT_ENTERPRISE_DCS        = "S-1-5-9";
        const string SID_NT_SELF                  = "S-1-5-10";
        const string SID_NT_AUTHENTICATED_USERS   = "S-1-5-11";
        const string SID_NT_RESTRICTED            = "S-1-5-12";
        const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
        const string SID_NT_REMOTE_INTERACTIVE    = "S-1-5-14";
        const string SID_NT_THIS_ORGANISATION     = "S-1-5-15";
        const string SID_NT_IUSR                  = "S-1-5-17";
        const string SID_NT_SYSTEM                = "S-1-5-18";
        const string SID_NT_LOCAL_SERVICE         = "S-1-5-19";
        const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
        /* S-1-5-64-*: by their names, these identify the authentication
         * package a session was established with */
        const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
        const string SID_NT_NTLM_AUTHENTICATION   = "S-1-5-64-10";
        const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
        const string SID_NT_OTHER_ORGANISATION    = "S-1-5-1000";
253
        /* SECURITY_BUILTIN_DOMAIN_RID: the BUILTIN domain (S-1-5-32).  The
         * trailing RID of each SID matches the BUILTIN_RID_* constants
         * further down; keep the two lists in sync. */
        const string NAME_BUILTIN                  = "BUILTIN";

        const string SID_BUILTIN                   = "S-1-5-32";
        const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
        const string SID_BUILTIN_USERS             = "S-1-5-32-545";
        const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
        const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
        const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
        const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
        const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
        const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
        const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
        const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
        const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
        const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
        const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
        const string SID_BUILTIN_INCOMING_FOREST_TRUST  = "S-1-5-32-557";
        const string SID_BUILTIN_PERFMON_USERS          = "S-1-5-32-558";
        const string SID_BUILTIN_PERFLOG_USERS          = "S-1-5-32-559";
        const string SID_BUILTIN_AUTH_ACCESS            = "S-1-5-32-560";
        const string SID_BUILTIN_TS_LICENSE_SERVERS     = "S-1-5-32-561";
        const string SID_BUILTIN_DISTRIBUTED_COM_USERS  = "S-1-5-32-562";
        const string SID_BUILTIN_CRYPTO_OPERATORS       = "S-1-5-32-569";
        const string SID_BUILTIN_EVENT_LOG_READERS      = "S-1-5-32-573";
        const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS  = "S-1-5-32-574";
280
        /* SECURITY_NT_SERVICE: per-service SIDs live under S-1-5-80 */
        const string NAME_NT_SERVICE            = "NT SERVICE";

        const string SID_NT_NT_SERVICE          = "S-1-5-80";
        /* the only concrete service SID defined here */
        const string SID_NT_TRUSTED_INSTALLER =
                "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";

        /* S-1-18 authority: asserted-identity SIDs */
        const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
        const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";

        /*
         * Unix/NFS mapping SIDs under S-1-5-88, see
         * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
         */
        const string SID_NT_NFS_SUBSYSTEM         = "S-1-5-88";
        const string SID_NT_NFS_USER              = "S-1-5-88-1";
        const string SID_NT_NFS_GROUP             = "S-1-5-88-2";
        const string SID_NT_NFS_MASK              = "S-1-5-88-3";
        const string SID_NT_NFS_OTHERS            = "S-1-5-88-4";
299
        /* well-known domain RIDs: relative identifiers appended to a domain
         * SID (S-1-5-21-...).  Note that 500 (the domain Administrator) and
         * 502 (krbtgt) identify highly privileged accounts regardless of
         * the account's name; match on RID, not on display name. */
        const int DOMAIN_RID_LOGON                   = 9;
        const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
        const int DOMAIN_RID_ADMINISTRATOR           = 500;
        const int DOMAIN_RID_GUEST                   = 501;
        const int DOMAIN_RID_KRBTGT                  = 502;
        const int DOMAIN_RID_ADMINS                  = 512;
        const int DOMAIN_RID_USERS                   = 513;
        const int DOMAIN_RID_GUESTS                  = 514;
        const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
        const int DOMAIN_RID_DCS                     = 516;
        const int DOMAIN_RID_CERT_ADMINS             = 517;
        const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
        const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
        const int DOMAIN_RID_POLICY_ADMINS           = 520;
        const int DOMAIN_RID_READONLY_DCS            = 521;
        /* 553 is also BUILTIN_RID_RAS_SERVERS; the same RID exists in both domains */
        const int DOMAIN_RID_RAS_SERVERS             = 553;
        const int DOMAIN_RID_RODC_ALLOW              = 571;
        const int DOMAIN_RID_RODC_DENY               = 572;
319
        /* well-known builtin RIDs: the numeric tail of the SID_BUILTIN_*
         * strings above, relative to S-1-5-32 */
        const int BUILTIN_RID_ADMINISTRATORS            = 544;
        const int BUILTIN_RID_USERS                     = 545;
        const int BUILTIN_RID_GUESTS                    = 546;
        const int BUILTIN_RID_POWER_USERS               = 547;
        const int BUILTIN_RID_ACCOUNT_OPERATORS         = 548;
        const int BUILTIN_RID_SERVER_OPERATORS          = 549;
        const int BUILTIN_RID_PRINT_OPERATORS           = 550;
        const int BUILTIN_RID_BACKUP_OPERATORS          = 551;
        const int BUILTIN_RID_REPLICATOR                = 552;
        const int BUILTIN_RID_RAS_SERVERS               = 553;
        const int BUILTIN_RID_PRE_2K_ACCESS             = 554;
        const int BUILTIN_RID_REMOTE_DESKTOP_USERS      = 555;
        const int BUILTIN_RID_NETWORK_CONF_OPERATORS    = 556;
        const int BUILTIN_RID_INCOMING_FOREST_TRUST     = 557;
        const int BUILTIN_RID_PERFMON_USERS             = 558;
        const int BUILTIN_RID_PERFLOG_USERS             = 559;
        const int BUILTIN_RID_AUTH_ACCESS               = 560;
        const int BUILTIN_RID_TS_LICENSE_SERVERS        = 561;
        const int BUILTIN_RID_DISTRIBUTED_COM_USERS     = 562;
        const int BUILTIN_RID_CRYPTO_OPERATORS          = 569;
        const int BUILTIN_RID_EVENT_LOG_READERS         = 573;
        const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS     = 574;
343
344 /********************************************************************
 This is a list of privileges reported by a Windows 2008 R2 DC,
 for reference purposes only (note that a LUID is not guaranteed to be
 stable across reboots, so the names, not the numbers, are authoritative):
348
349 0x00000002          SeCreateTokenPrivilege "Create a token object"
350 0x00000003   SeAssignPrimaryTokenPrivilege "Replace a process level token"
351 0x00000004           SeLockMemoryPrivilege "Lock pages in memory"
352 0x00000005        SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
353 0x00000006       SeMachineAccountPrivilege "Add workstations to domain"
354 0x00000007                  SeTcbPrivilege "Act as part of the operating system"
355 0x00000008             SeSecurityPrivilege "Manage auditing and security log"
356 0x00000009        SeTakeOwnershipPrivilege "Take ownership of files or other objects"
357 0x0000000a           SeLoadDriverPrivilege "Load and unload device drivers"
358 0x0000000b        SeSystemProfilePrivilege "Profile system performance"
359 0x0000000c           SeSystemtimePrivilege "Change the system time"
360 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
361 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
362 0x0000000f       SeCreatePagefilePrivilege "Create a pagefile"
363 0x00000010      SeCreatePermanentPrivilege "Create permanent shared objects"
364 0x00000011               SeBackupPrivilege "Back up files and directories"
365 0x00000012              SeRestorePrivilege "Restore files and directories"
366 0x00000013             SeShutdownPrivilege "Shut down the system"
367 0x00000014                SeDebugPrivilege "Debug programs"
368 0x00000015                SeAuditPrivilege "Generate security audits"
369 0x00000016    SeSystemEnvironmentPrivilege "Modify firmware environment values"
370 0x00000017         SeChangeNotifyPrivilege "Bypass traverse checking"
371 0x00000018       SeRemoteShutdownPrivilege "Force shutdown from a remote system"
372 0x00000019               SeUndockPrivilege "Remove computer from docking station"
373 0x0000001a            SeSyncAgentPrivilege "Synchronize directory service data"
374 0x0000001b     SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
375 0x0000001c         SeManageVolumePrivilege "Perform volume maintenance tasks"
376 0x0000001d          SeImpersonatePrivilege "Impersonate a client after authentication"
377 0x0000001e         SeCreateGlobalPrivilege "Create global objects"
378 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
379 0x00000020              SeRelabelPrivilege "Modify an object label"
380 0x00000021   SeIncreaseWorkingSetPrivilege "Increase a process working set"
381 0x00000022             SeTimeZonePrivilege "Change the time zone"
382 0x00000023   SeCreateSymbolicLinkPrivilege "Create symbolic links"
383
384  ********************************************************************/
385
        /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */

        /* we have to define the LUID here due to a horrible check by printmig.exe
           that requires the SeBackupPrivilege match what is in Windows.  So match
           those that we implement and start Samba privileges at 0x1001 */

        /*
         * The 0x5..0x1e values are the LUIDs from the reference list above;
         * gaps are Windows privileges Samba does not implement.  0 is the
         * "no such privilege" sentinel.  The Samba-only privileges start
         * at 0x1001, well above the highest LUID in the reference list
         * (0x23), so they cannot collide with a Windows value.
         */
        typedef enum {
                SEC_PRIV_INVALID                   = 0x0,
                SEC_PRIV_INCREASE_QUOTA            = 0x5,
                SEC_PRIV_MACHINE_ACCOUNT           = 0x6,
                SEC_PRIV_SECURITY                  = 0x8,
                SEC_PRIV_TAKE_OWNERSHIP            = 0x09,
                SEC_PRIV_LOAD_DRIVER               = 0x0a,
                SEC_PRIV_SYSTEM_PROFILE            = 0x0b,
                SEC_PRIV_SYSTEMTIME                = 0x0c,
                SEC_PRIV_PROFILE_SINGLE_PROCESS    = 0x0d,
                SEC_PRIV_INCREASE_BASE_PRIORITY    = 0x0e,
                SEC_PRIV_CREATE_PAGEFILE           = 0x0f,
                SEC_PRIV_BACKUP                    = 0x11,
                SEC_PRIV_RESTORE                   = 0x12,
                SEC_PRIV_SHUTDOWN                  = 0x13,
                SEC_PRIV_DEBUG                     = 0x14,
                SEC_PRIV_SYSTEM_ENVIRONMENT        = 0x16,
                SEC_PRIV_CHANGE_NOTIFY             = 0x17,
                SEC_PRIV_REMOTE_SHUTDOWN           = 0x18,
                SEC_PRIV_UNDOCK                    = 0x19,
                SEC_PRIV_ENABLE_DELEGATION         = 0x1b,
                SEC_PRIV_MANAGE_VOLUME             = 0x1c,
                SEC_PRIV_IMPERSONATE               = 0x1d,
                SEC_PRIV_CREATE_GLOBAL             = 0x1e,
                /* Samba-specific privs */
                SEC_PRIV_PRINT_OPERATOR            = 0x1001,
                SEC_PRIV_ADD_USERS                 = 0x1002,
                SEC_PRIV_DISK_OPERATOR             = 0x1003
        } sec_privilege;
421
422
        /* Bitmap of privilege values for internal use only.  We need
         * our own bitmap here as privileges.tdb records these values
         * as a bitmap (privileges.ldb uses the string forms).
         *
         * Because the bit values are persisted on disk, an existing bit
         * must never be renumbered; a new privilege takes the next free
         * bit.  The bit order is historical (order of implementation),
         * not the LUID order of sec_privilege.  Bits 0x1..0x8 are
         * unassigned, and [bitmap64bit] leaves the upper 32 bits free.
         */
        typedef [bitmap64bit] bitmap {
                SEC_PRIV_MACHINE_ACCOUNT_BIT            = 0x00000010,

                /* Samba-specific privs */
                SEC_PRIV_PRINT_OPERATOR_BIT             = 0x00000020,
                SEC_PRIV_ADD_USERS_BIT                  = 0x00000040,
                SEC_PRIV_DISK_OPERATOR_BIT              = 0x00000080,

                SEC_PRIV_REMOTE_SHUTDOWN_BIT            = 0x00000100,
                SEC_PRIV_BACKUP_BIT                     = 0x00000200,
                SEC_PRIV_RESTORE_BIT                    = 0x00000400,
                SEC_PRIV_TAKE_OWNERSHIP_BIT             = 0x00000800,
                /* End of privileges implemented before merge to common code */

                SEC_PRIV_INCREASE_QUOTA_BIT               = 0x00001000,
                SEC_PRIV_SECURITY_BIT                     = 0x00002000,
                SEC_PRIV_LOAD_DRIVER_BIT                  = 0x00004000,
                SEC_PRIV_SYSTEM_PROFILE_BIT               = 0x00008000,
                SEC_PRIV_SYSTEMTIME_BIT                   = 0x00010000,
                SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT       = 0x00020000,
                SEC_PRIV_INCREASE_BASE_PRIORITY_BIT       = 0x00040000,
                SEC_PRIV_CREATE_PAGEFILE_BIT              = 0x00080000,
                SEC_PRIV_SHUTDOWN_BIT                     = 0x00100000,
                SEC_PRIV_DEBUG_BIT                        = 0x00200000,
                SEC_PRIV_SYSTEM_ENVIRONMENT_BIT           = 0x00400000,
                SEC_PRIV_CHANGE_NOTIFY_BIT                = 0x00800000,
                SEC_PRIV_UNDOCK_BIT                       = 0x01000000,
                SEC_PRIV_ENABLE_DELEGATION_BIT            = 0x02000000,
                SEC_PRIV_MANAGE_VOLUME_BIT                = 0x04000000,
                SEC_PRIV_IMPERSONATE_BIT                  = 0x08000000,
                SEC_PRIV_CREATE_GLOBAL_BIT                = 0x10000000
        } se_privilege;
459
        /*
         * Logon-type rights (LSA "system access" flags).  Each allow bit
         * has a matching DENY_ bit.  Bit 0x8 is unassigned: _ALL (0xff7)
         * is the union of every defined bit, and _ALL_NT4 (0x37) is the
         * five non-deny, non-remote bits that existed before the DENY_*
         * and REMOTE_INTERACTIVE ones.
         */
        typedef [bitmap32bit] bitmap {
                LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
                LSA_POLICY_MODE_NETWORK                 = 0x00000002,
                LSA_POLICY_MODE_BATCH                   = 0x00000004,
                LSA_POLICY_MODE_SERVICE                 = 0x00000010,
                LSA_POLICY_MODE_PROXY                   = 0x00000020,
                LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
                LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
                LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
                LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
                LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
                LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
                LSA_POLICY_MODE_ALL                     = 0x00000FF7,
                LSA_POLICY_MODE_ALL_NT4                 = 0x00000037
        } lsa_SystemAccessModeFlags;
475
        /*
         * ACE header flags (one byte on the wire).  0x01..0x10 control
         * inheritance; SEC_ACE_FLAG_VALID_INHERIT is not a flag but the
         * mask of the four inheritance-request bits (0x0f), used to
         * strip anything else from a caller-supplied value.  Bit 0x20 is
         * unassigned.  By their names, 0x40/0x80 apply to audit/alarm ACEs.
         */
        typedef [public,bitmap8bit] bitmap {
                SEC_ACE_FLAG_OBJECT_INHERIT             = 0x01,
                SEC_ACE_FLAG_CONTAINER_INHERIT          = 0x02,
                SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       = 0x04,
                SEC_ACE_FLAG_INHERIT_ONLY               = 0x08,
                SEC_ACE_FLAG_INHERITED_ACE              = 0x10,
                SEC_ACE_FLAG_VALID_INHERIT              = 0x0f, /* mask, not a flag */
                SEC_ACE_FLAG_SUCCESSFUL_ACCESS          = 0x40,
                SEC_ACE_FLAG_FAILED_ACCESS              = 0x80
        } security_ace_flags;
486
        /*
         * ACE type byte.  Types 5-8 are the "object" ACEs, which carry an
         * extra security_ace_object payload (see security_ace_object_ctr);
         * the others carry no extra data before the trustee SID.
         */
        typedef [public,enum8bit] enum {
                SEC_ACE_TYPE_ACCESS_ALLOWED             = 0,
                SEC_ACE_TYPE_ACCESS_DENIED              = 1,
                SEC_ACE_TYPE_SYSTEM_AUDIT               = 2,
                SEC_ACE_TYPE_SYSTEM_ALARM               = 3,
                SEC_ACE_TYPE_ALLOWED_COMPOUND           = 4,
                SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT      = 5,
                SEC_ACE_TYPE_ACCESS_DENIED_OBJECT       = 6,
                SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT        = 7,
                SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT        = 8
        } security_ace_type;
498
        /* Which optional GUIDs an object ACE carries; each bit selects the
         * corresponding union arm in security_ace_object below. */
        typedef [bitmap32bit] bitmap {
                SEC_ACE_OBJECT_TYPE_PRESENT             = 0x00000001,
                SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT   = 0x00000002
        } security_ace_object_flags;
503
        /* Optional object-type GUID of an object ACE.  [nodiscriminant]: no
         * selector is sent on the wire; the arm is chosen by the
         * [switch_is] expression on the containing field. */
        typedef [nodiscriminant] union {
                /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
                [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
                [default]; /* nothing marshalled when the flag is clear */
        } security_ace_object_type;
509
        /* Optional inherited-object-type GUID of an object ACE; same
         * [nodiscriminant] / [switch_is] arrangement as
         * security_ace_object_type. */
        typedef [nodiscriminant] union {
                /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
                 * (of the parent container)
                 */
                [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
                [default]; /* nothing marshalled when the flag is clear */
        } security_ace_object_inherited_type;
517
        /* Extra payload of an object ACE: a flags word followed by zero, one
         * or two GUIDs, each present only when its flag bit is set. */
        typedef struct {
                security_ace_object_flags flags;
                [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
                [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
        } security_ace_object;
523
        /* Type-dependent part of an ACE, switched on security_ace.type:
         * the four object ACE types carry a security_ace_object, every
         * other type carries nothing here. */
        typedef [public,nodiscriminant] union {
                [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
                [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
                [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
                [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
                [default];
        } security_ace_object_ctr;
531
        /*
         * Access control entry.  'size' is [value]: on push it is computed
         * from ndr_size_security_ace() rather than taken from the caller.
         * [nopull] means the pull side is hand-written, so the generated
         * code does not validate the on-wire size against the ACE's real
         * length; that check (and the trustee SID bounds) must live in the
         * hand-written pull function.
         */
        typedef [public,nopull,gensize,nosize] struct {
                security_ace_type type;  /* SEC_ACE_TYPE_* */
                security_ace_flags flags; /* SEC_ACE_FLAG_* */
                [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
                uint32 access_mask;      /* SEC_* access-mask bits defined above */
                [switch_is(type)] security_ace_object_ctr object; /* GUIDs for object ACEs only */
                dom_sid trustee;         /* the SID this ACE applies to */
        } security_ace;
540
        /* ACL revision: 2 for plain ACLs, 4 once object ACEs may be present.
         * No explicit width attribute, so pidl's default enum width applies. */
        typedef enum {
                SECURITY_ACL_REVISION_NT4       = 2,
                SECURITY_ACL_REVISION_ADS       = 4
        } security_acl_revision;

        /* alias kept for older callers */
        const uint NT4_ACL_REVISION     = SECURITY_ACL_REVISION_NT4;
547
        /*
         * Access control list.  This struct has no [nopull], so pidl
         * generates the pull code and the [range(0,2000)] on num_aces is
         * enforced there: an ACL claiming more than 2000 ACEs is rejected
         * before any ACE is parsed, bounding what a peer can make us
         * allocate.  'size' is computed on push like security_ace.size.
         */
        typedef [public,gensize,nosize] struct {
                security_acl_revision revision;
                [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
                [range(0,2000)] uint32 num_aces;
                security_ace aces[num_aces]; /* inline, num_aces entries */
        } security_acl;
554
        /* security descriptor revision byte; only revision 1 exists */
        typedef [public,enum8bit] enum {
                SECURITY_DESCRIPTOR_REVISION_1 = 1
        } security_descriptor_revision;

        /* default revision for new descriptors */
        const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1;
561
        /* security_descriptor->type bits (16-bit control word).  The
         * *_PRESENT bits say whether the corresponding ACL pointer is
         * meaningful; *_PROTECTED blocks inheritance from the parent;
         * SELF_RELATIVE marks the offset-based layout. */
        typedef [public,bitmap16bit] bitmap {
                SEC_DESC_OWNER_DEFAULTED        = 0x0001,
                SEC_DESC_GROUP_DEFAULTED        = 0x0002,
                SEC_DESC_DACL_PRESENT           = 0x0004,
                SEC_DESC_DACL_DEFAULTED         = 0x0008,
                SEC_DESC_SACL_PRESENT           = 0x0010,
                SEC_DESC_SACL_DEFAULTED         = 0x0020,
                SEC_DESC_DACL_TRUSTED           = 0x0040,
                SEC_DESC_SERVER_SECURITY        = 0x0080,
                SEC_DESC_DACL_AUTO_INHERIT_REQ  = 0x0100,
                SEC_DESC_SACL_AUTO_INHERIT_REQ  = 0x0200,
                SEC_DESC_DACL_AUTO_INHERITED    = 0x0400,
                SEC_DESC_SACL_AUTO_INHERITED    = 0x0800,
                SEC_DESC_DACL_PROTECTED         = 0x1000,
                SEC_DESC_SACL_PROTECTED         = 0x2000,
                SEC_DESC_RM_CONTROL_VALID       = 0x4000,
                SEC_DESC_SELF_RELATIVE          = 0x8000
        } security_descriptor_type;
581
	/*
	 * A security descriptor, see [MS-DTYP] 2.4.6.
	 *
	 * flag(NDR_LITTLE_ENDIAN): descriptors are always little-endian on
	 * the wire, even when embedded in an otherwise big-endian NDR
	 * stream. The [relative] pointers are self-relative offsets from the
	 * start of the descriptor (0 meaning NULL); the generated pull
	 * validates them against the buffer, so a hostile offset fails the
	 * pull rather than reading out of bounds.
	 *
	 * Presence of sacl/dacl should be judged together with the
	 * SEC_DESC_*_PRESENT bits in `type`; a NULL dacl means no access
	 * restriction whatsoever (see the note on security_descriptor_type).
	 */
	typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
		security_descriptor_revision revision;
		security_descriptor_type type;     /* SEC_DESC_xxxx flags */
		[relative] dom_sid *owner_sid; /* owner; may be NULL */
		[relative] dom_sid *group_sid; /* primary group; may be NULL */
		[relative] security_acl *sacl; /* system ACL (auditing / integrity), may be NULL */
		[relative] security_acl *dacl; /* user (discretionary) ACL, may be NULL */
	} security_descriptor;
590
	/*
	 * Not a real RPC operation. This pidl-only entry point lets tools
	 * such as ndrdump decode a blob as a security_descriptor; nothing
	 * sends or serves it over the wire.
	 */
	[nopython] void decode_security_descriptor (
		[in] security_descriptor sd
		);
594
	/*
	 * Length-prefixed security descriptor as carried by several RPC
	 * interfaces. `sd_size` is computed on push from the descriptor
	 * itself; on pull the [range(0,0x40000)] caps the length a peer may
	 * claim (256 KiB) before any allocation happens. [subcontext(4)]
	 * marshals the descriptor in its own NDR context preceded by a
	 * 4-byte length, so the embedded descriptor is bounded by that
	 * length as well.
	 */
	typedef [public] struct {
		[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; /* bounded on pull */
		[subcontext(4)] security_descriptor *sd; /* may be NULL */
	} sec_desc_buf;
599
	/*
	 * Not a real RPC operation; decode helper so ndrdump and friends can
	 * dump a sec_desc_buf blob.
	 */
	[nopython] void decode_sec_desc_buf (
		[in] sec_desc_buf sd_buf
		);
603
	/*
	 * The server-side view of an authenticated principal: every SID it
	 * holds (user, groups, well-known SIDs) plus its privilege and
	 * system-access bits. This is what access checks are evaluated
	 * against.
	 *
	 * This is not yet sent over the network, but is simply defined in
	 * IDL so that the generated print/push/pull helpers exist. Because
	 * it is internal, `num_sids` carries no [range]; if this ever
	 * becomes wire-facing, a bound must be added before trusting the
	 * count.
	 */
	typedef [public] struct {
		uint32 num_sids;
		[size_is(num_sids)] dom_sid sids[*]; /* unbounded: internal use only */
		se_privilege privilege_mask; /* SEC_PRIV_* held by the token */
		lsa_SystemAccessModeFlags rights_mask; /* logon rights (LSA_POLICY_MODE_*) */
	} security_token;
611
	/* Not a real RPC operation; decode helper for ndrdump-style tooling. */
	[nopython] void decode_security_token (
		[in] security_token token
		);
615
	/*
	 * POSIX identity the principal maps to: uid, primary gid and the
	 * supplementary group list. Used for the filesystem side of access
	 * control, alongside the SID-based security_token.
	 *
	 * This is not yet sent over the network, but is simply defined in
	 * IDL; as with security_token, `ngroups` is unbounded on purpose and
	 * would need a [range] before being pulled from untrusted input.
	 */
	typedef [public] struct {
		uid_t uid;
		gid_t gid;
		uint32 ngroups;
		[size_is(ngroups)] gid_t groups[*]; /* unbounded: internal use only */
	} security_unix_token;
623
	/* Not a real RPC operation; decode helper for ndrdump-style tooling. */
	[nopython] void decode_security_unix_token (
		[in] security_unix_token unix_token
		);
627
	/*
	 * SECURITY_INFORMATION bits, see [MS-DTYP] 2.4.7: they select which
	 * parts of a security descriptor are being queried or set.
	 *
	 * The low bits pick descriptor components. The *PROTECTED_* bits are
	 * modifiers for set operations (apply/clear the corresponding
	 * SEC_DESC_*_PROTECTED control bit) rather than components. Note
	 * that touching the SACL (SECINFO_SACL) is privileged: Windows gates
	 * it on ACCESS_SYSTEM_SECURITY rather than READ_CONTROL/WRITE_DAC,
	 * so a server must check the caller's rights per selected part, not
	 * once for the whole request.
	 */
	typedef [public,bitmap32bit] bitmap {
		SECINFO_OWNER                = 0x00000001,
		SECINFO_GROUP                = 0x00000002,
		SECINFO_DACL                 = 0x00000004,
		SECINFO_SACL                 = 0x00000008, /* requires ACCESS_SYSTEM_SECURITY */
		SECINFO_LABEL                = 0x00000010, /* mandatory integrity label (in the SACL) */
		SECINFO_ATTRIBUTE            = 0x00000020,
		SECINFO_SCOPE                = 0x00000040,
		SECINFO_BACKUP               = 0x00010000,
		SECINFO_UNPROTECTED_SACL     = 0x10000000, /* set-only modifier */
		SECINFO_UNPROTECTED_DACL     = 0x20000000, /* set-only modifier */
		SECINFO_PROTECTED_SACL       = 0x40000000, /* set-only modifier */
		SECINFO_PROTECTED_DACL       = 0x80000000  /* set-only modifier */
	} security_secinfo;
644
	/*
	 * An SMB server should only support the following flags and ignore
	 * all others: unknown or unsupported SECINFO bits in a client's
	 * AdditionalInformation are masked off, not treated as an error,
	 * and must never be passed through to the underlying security
	 * descriptor handling.
	 *
	 * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
	 * and 2.2.39 SMB2 SET_INFO Request.
	 */
	const int SMB_SUPPORTED_SECINFO_FLAGS = (
		SECINFO_OWNER           |
		SECINFO_GROUP           |
		SECINFO_DACL            |
		SECINFO_SACL            |
		SECINFO_LABEL           |
		SECINFO_ATTRIBUTE       |
		SECINFO_SCOPE           |
		SECINFO_BACKUP          |
		0);
662
	/*
	 * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY.
	 *
	 * Kerberos authorization-data payload describing the client's token
	 * integrity level and machine identity. The layout is fixed-size;
	 * flag(NDR_PAHEX) only affects how ndr_print renders MachineId.
	 */
	typedef [public,gensize,flag(NDR_PAHEX)] struct {
		uint32 Flags;
		uint32 TokenIL;      /* mandatory integrity level of the client token */
		uint8 MachineId[32]; /* opaque client machine identifier, printed as hex */
	} LSAP_TOKEN_INFO_INTEGRITY;
671
	/*
	 * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
	 * (the msDS-SupportedEncryptionTypes attribute).
	 *
	 * The low bits advertise Kerberos encryption types; the high bits
	 * are capability flags, not encryption types. Cryptographic
	 * caveat: the single-DES types are deprecated by RFC 6649 and
	 * RC4-HMAC by RFC 8429 - neither should be negotiated where the
	 * AES types are available.
	 */
	typedef [public,bitmap32bit] bitmap {
		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001, /* weak, deprecated (RFC 6649) */
		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002, /* weak, deprecated (RFC 6649) */
		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004, /* deprecated (RFC 8429) */
		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
		KERB_ENCTYPE_FAST_SUPPORTED          = 0x00010000, /* capability flag, not an enctype */
		KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000, /* capability flag */
		KERB_ENCTYPE_CLAIMS_SUPPORTED        = 0x00040000, /* capability flag */
		KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000 /* capability flag */
	} kerb_EncTypes;
686
	/*
	 * Flags controlling how a new security descriptor is derived from
	 * its parent's (presumably consumed by Samba's descriptor
	 * inheritance helpers; they are not an on-wire type).
	 */
	typedef [public,bitmap32bit] bitmap {
		SEC_DACL_AUTO_INHERIT                = 0x00000001, /* propagate inheritable DACL ACEs */
		SEC_SACL_AUTO_INHERIT                = 0x00000002, /* propagate inheritable SACL ACEs */
		SEC_DEFAULT_DESCRIPTOR               = 0x00000004, /* fall back to a default descriptor */
		SEC_OWNER_FROM_PARENT                = 0x00000008, /* take the owner from the parent */
		SEC_GROUP_FROM_PARENT                = 0x00000010  /* take the group from the parent */
	} security_autoinherit;
694
	/***************************************************************/
	/* Extended right guids
	 *
	 * rightsGuid values of Active Directory control access rights
	 * ([MS-ADTS] 5.1.3.2.1), matched against the object GUID in
	 * SEC_ACE_TYPE_ACCESS_*_OBJECT ACEs carrying SEC_ADS_CONTROL_ACCESS.
	 *
	 * Several of these are sensitive delegations, so audit who holds
	 * them on the domain/NC heads:
	 *  - GET_CHANGES together with GET_ALL_CHANGES lets a principal
	 *    replicate secrets (password hashes) like a DC does - the
	 *    well-known "DCSync" abuse path.
	 *  - FORCE_CHANGE_PASSWORD resets a password without knowing the
	 *    old one; USER_CHANGE_PASSWORD needs the old one.
	 *  - UPDATE_PASSWORD_NOT_REQUIRED_BIT, UNEXPIRE_PASSWORD and
	 *    ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD each weaken the
	 *    password policy on the target account.
	 */

	const string GUID_DRS_ALLOCATE_RIDS           = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_DOMAIN_MASTER    = "014bf69c-7b3b-11d1-85f6-08002be74fab";
	const string GUID_DRS_CHANGE_INFR_MASTER      = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_PDC              = "bae50096-4752-11d1-9052-00c04fc2d4cf";
	const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; /* DS-Replication-Get-Changes */
	const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; /* DS-Replication-Get-Changes-All: secrets */
	const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
	const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
	const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b"; /* requires the old password */
	const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529"; /* reset without the old password */
	const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
						      = "280f369c-67c7-438e-ae98-1d46f3c6f541";
	const string GUID_DRS_UNEXPIRE_PASSWORD       = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
	const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
						      = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
	const string GUID_DRS_DS_INSTALL_REPLICA      = "9923a32a-3607-11d2-b9be-0000f87a36b2";
	const string GUID_DRS_REANIMATE_TOMBSTONE     = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
720
721
	/***************************************************************/
	/* validated writes guids
	 *
	 * rightsGuid values of the validated writes ([MS-ADTS] 5.1.3.2.2).
	 * Unlike a plain write-property right, a validated write only
	 * permits values the server can check for consistency (e.g. an SPN
	 * or DNS host name matching the computer's own name), so granting
	 * one of these is narrower than granting write access to the
	 * attribute itself.
	 */
	const string GUID_DRS_VALIDATE_SPN            = "f3a64788-5306-11d1-a9c5-0000f80367c1";
	const string GUID_DRS_SELF_MEMBERSHIP         = "bf9679c0-0de6-11d0-a285-00aa003049e2"; /* add/remove self from member */
	const string GUID_DRS_DNS_HOST_NAME           = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
	const string GUID_DRS_ADD_DNS_HOST_NAME       = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
	const string GUID_DRS_BEHAVIOR_VERSION        = "d31a8757-2447-4545-8081-3bb610cacbf2";
729
	/* A type to describe the mapping of generic access rights to object
	   specific access rights: each field holds the object-specific mask
	   that the corresponding SEC_GENERIC_* bit expands to before an
	   access check. Not [public], so no exported NDR marshalling. */

	typedef struct {
		uint32 generic_read;    /* expansion of GENERIC_READ */
		uint32 generic_write;   /* expansion of GENERIC_WRITE */
		uint32 generic_execute; /* expansion of GENERIC_EXECUTE */
		uint32 generic_all;     /* expansion of GENERIC_ALL */
	} generic_mapping;
739
	/* Companion to generic_mapping for the standard rights: the
	   object-specific masks the STANDARD_RIGHTS_* groups expand to.
	   Not [public], so no exported NDR marshalling. */
	typedef struct {
		uint32 std_read;    /* expansion of STANDARD_RIGHTS_READ */
		uint32 std_write;   /* expansion of STANDARD_RIGHTS_WRITE */
		uint32 std_execute; /* expansion of STANDARD_RIGHTS_EXECUTE */
		uint32 std_all;     /* expansion of STANDARD_RIGHTS_ALL */
	} standard_mapping;
746 }