archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/published/inc/lsaicli.w

421 lines
16 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1991 Microsoft Corporation
  5. Module Name:
  7. lsaicli.h
  9. Abstract:
  11. Local Security Authority - Definitions for internal LSA Clients.
  13. NOTE: This file is included via lsaclip.h or lsasrvp.h. It should
  14. not be included directly.
  16. This module contains definitions used only when callouts are made
  17. from one LSA to another, i.e. where the server side of one LSA
  18. communicates with the client side of another LSA.
  20. Author:
  22. Scott Birrell (ScottBi) April 9, 1992
  24. Environment:
  26. Revision History:
  28. --*/
  30. #ifndef _LSAICLI_
  31. #define _LSAICLI_
  33. //
  34. // The following datatype specifies the Call Level for Sid and Name
  35. // Lookup operations.
  36. //
  38. typedef enum _LSAP_LOOKUP_LEVEL {
  40. LsapLookupWksta = 1,
  41. LsapLookupPDC,
  42. LsapLookupTDL,
  43. LsapLookupGC, // valid only on NT5 domain controllers
  44. LsapLookupXForestReferral, // valid only on NT5.1 domain controllers
  45. LsapLookupXForestResolve // valid only on NT5.1 domain controllers
  47. } LSAP_LOOKUP_LEVEL, *PLSAP_LOOKUP_LEVEL;
  49. //
  50. // where the entries have the following meaning:
  51. //
  52. // LsapLookupWksta - First Level Lookup performed on a workstation
  53. // normally configured for Windows-Nt. The lookup searches the
  54. // Well-Known Sids/Names, and the Built-in Domain and Account Domain
  55. // in the local SAM Database. If not all Sids or Names are
  56. // identified, performs a "handoff" of a Second level Lookup to the
  57. // LSA running on a Controller for the workstation's Primary Domain
  58. // (if any).
  59. //
  60. // LsapLookupPDC - Second Level Lookup performed on a Primary Domain
  61. // Controller. The lookup searches the Account Domain of the
  62. // SAM Database on the controller. If not all Sids or Names are
  63. // found, the Trusted Domain List (TDL) is obtained from the
  64. // LSA's Policy Database and Third Level lookups are performed
  65. // via "handoff" to each Trusted Domain in the List.
  66. //
  67. // LsapLookupTDL - Third Level Lookup performed on a controller
  68. // for a Trusted Domain. The lookup searches the Account Domain of
  69. // the SAM Database on the controller only.
  70. //
  71. // LsapLookupGC - This is used by a workstation to perform a lookup at a GC
  72. // This resolves UPN's, samaccountname's with NetBios and DNS domain names,
  73. // Sid's and Sid Histories for transitivly trusted domains (within a
  74. // forest). This lookup level is only used when a NT5+ client is in
  75. // a mixed domain and its secure channel DC is NT4
  76. //
  77. // LsapLookupXForestReferral -- This is used to pass entries (names and Sids)
  78. // to the root of the forest via the trust chain. After a set of entries,
  79. // comes back from the GC, some may be marked as belonging to a cross
  80. // forest. These entries are then passed on to the DC's parent domain until
  81. // the root of the domain is reached. The root will then issue a
  82. // LsapLookupXForestResolve directed at a DC in the external forest.
  83. //
  84. // LpsaLookupXForestResolve -- This level is used by the root of one forest
  85. // lookup entries from the DC in another forest.
  86. //
  88. typedef struct _LSA_TRANSLATED_NAME_EX
  89. {
  90. SID_NAME_USE Use;
  91. LSA_UNICODE_STRING Name;
  92. LONG DomainIndex;
  93. ULONG Flags;
  95. } LSA_TRANSLATED_NAME_EX;
  97. typedef struct _LSA_TRANSLATED_NAME_EX *PLSA_TRANSLATED_NAME_EX;
  99. typedef struct _LSA_TRANSLATED_NAMES
  100. {
  101. ULONG Entries;
  102. PLSA_TRANSLATED_NAME_EX Names;
  104. } LSA_TRANSLATED_NAMES_EX;
  106. typedef struct _LSA_TRANSLATED_NAMES *PLSA_TRANSLATED_NAMES_EX;
  109. typedef struct _LSA_TRANSLATED_SID_EX
  110. {
  111. SID_NAME_USE Use;
  112. ULONG RelativeId;
  113. LONG DomainIndex;
  114. ULONG Flags;
  116. } LSA_TRANSLATED_SID_EX;
  118. typedef struct _LSA_TRANSLATED_SID_EX *PLSA_TRANSLATED_SID_EX;
  120. typedef struct _LSA_TRANSLATED_SIDS_EX
  121. {
  122. ULONG Entries;
  123. PLSA_TRANSLATED_SID_EX Names;
  125. } LSA_TRANSLATED_SIDS_EX;
  127. typedef struct _LSA_TRANSLATED_SIDS_EX *PLSA_TRANSLATED_SIDS_EX;
  129. typedef struct _LSA_TRANSLATED_SID_EX2
  130. {
  131. SID_NAME_USE Use;
  132. PSID Sid;
  133. LONG DomainIndex;
  134. ULONG Flags;
  136. } LSA_TRANSLATED_SID_EX2;
  138. typedef struct _LSA_TRANSLATED_SID_EX2 *PLSA_TRANSLATED_SID_EX2;
  140. typedef struct _LSA_TRANSLATED_SIDS_EX2
  141. {
  142. ULONG Entries;
  143. PLSA_TRANSLATED_SID_EX2 Names;
  145. } LSA_TRANSLATED_SIDS_EX2;
  147. typedef struct _LSA_TRANSLATED_SIDS_EX2 *PLSA_TRANSLATED_SIDS_EX2;
  149. #define LSAIC_NO_LARGE_SID 0x00000001
  150. #define LSAIC_NT4_TARGET 0x00000002
  151. #define LSAIC_WIN2K_TARGET 0x00000004
  153. NTSTATUS
  154. LsaICLookupNames(
  155. IN LSA_HANDLE PolicyHandle,
  156. IN ULONG LookupOptions,
  157. IN ULONG Count,
  158. IN PUNICODE_STRING Names,
  159. OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
  160. OUT PLSA_TRANSLATED_SID_EX2 *Sids,
  161. IN LSAP_LOOKUP_LEVEL LookupLevel,
  162. IN ULONG Flags,
  163. IN OUT PULONG MappedCount,
  164. IN OUT PULONG ServerRevision
  165. );
  167. /*++
  169. Routine Description:
  171. This function is the internal client side version of the LsaLookupNames
  172. API. It is called both from the client side (as an internal routine)
  173. and the server side of the LSA. The function is identical to the
  174. LsaLookupNames API except that there is an additional parameter, the
  175. LookupLevel parameter.
  177. The LsaLookupNames API attempts to translate names of domains, users,
  178. groups or aliases to Sids. The caller must have POLICY_LOOKUP_NAMES
  179. access to the Policy object.
  181. Names may be either isolated (e.g. JohnH) or composite names containing
  182. both the domain name and account name. Composite names must include a
  183. backslash character separating the domain name from the account name
  184. (e.g. Acctg\JohnH). An isolated name may be either an account name
  185. (user, group, or alias) or a domain name.
  187. Translation of isolated names introduces the possibility of name
  188. collisions (since the same name may be used in multiple domains). An
  189. isolated name will be translated using the following algorithm:
  191. If the name is a well-known name (e.g. Local or Interactive), then the
  192. corresponding well-known Sid is returned.
  194. If the name is the Built-in Domain's name, then that domain's Sid
  195. will be returned.
  197. If the name is the Account Domain's name, then that domain's Sid
  198. will be returned.
  200. If the name is the Primary Domain's name, then that domain's Sid will
  201. be returned.
  203. If the name is a user, group, or alias in the Built-in Domain, then the
  204. Sid of that account is returned.
  206. If the name is a user, group, or alias in the Primary Domain, then the
  207. Sid of that account is returned.
  209. Otherwise, the name is not translated.
  211. NOTE: Proxy, Machine, and Trust user accounts are not referenced
  212. for name translation. Only normal user accounts are used for ID
  213. translation. If translation of other account types is needed, then
  214. SAM services should be used directly.
  216. Arguments:
  218. This function is the LSA server RPC worker routine for the
  219. LsaLookupNamesInLsa API.
  221. PolicyHandle - Handle from an LsaOpenPolicy call.
  223. LookupOptions - values to pass through to LsarLookupNames2 and above.
  225. Count - Specifies the number of names to be translated.
  227. Names - Pointer to an array of Count Unicode String structures
  228. specifying the names to be looked up and mapped to Sids.
  229. The strings may be names of User, Group or Alias accounts or
  230. domains.
  232. ReferencedDomains - receives a pointer to a structure describing the
  233. domains used for the translation. The entries in this structure
  234. are referenced by the structure returned via the Sids parameter.
  235. Unlike the Sids parameter, which contains an array entry for
  236. each translated name, this structure will only contain one
  237. component for each domain utilized in the translation.
  239. When this information is no longer needed, it must be released
  240. by passing the returned pointer to LsaFreeMemory().
  242. Sids - Receives a pointer to an array of records describing each
  243. translated Sid. The nth entry in this array provides a translation
  244. for (the nth element in the Names parameter.
  246. When this information is no longer needed, it must be released
  247. by passing the returned pointer to LsaFreeMemory().
  249. LookupLevel - Specifies the Level of Lookup to be performed on this
  250. machine. Values of this field are are follows:
  252. LsapLookupWksta - First Level Lookup performed on a workstation
  253. normally configured for Windows-Nt. The lookup searches the
  254. Well-Known Sids/Names, and the Built-in Domain and Account Domain
  255. in the local SAM Database. If not all Sids or Names are
  256. identified, performs a "handoff" of a Second level Lookup to the
  257. LSA running on a Controller for the workstation's Primary Domain
  258. (if any).
  260. LsapLookupPDC - Second Level Lookup performed on a Primary Domain
  261. Controller. The lookup searches the Account Domain of the
  262. SAM Database on the controller. If not all Sids or Names are
  263. found, the Trusted Domain List (TDL) is obtained from the
  264. LSA's Policy Database and Third Level lookups are performed
  265. via "handoff" to each Trusted Domain in the List.
  267. LsapLookupTDL - Third Level Lookup performed on a controller
  268. for a Trusted Domain. The lookup searches the Account Domain of
  269. the SAM Database on the controller only.
  270. Flags - flags to control the operation of the function. Currently defined:
  272. LSAIC_NO_LARGE_SID -- implies only call interfaces that will return
  273. the old style format SID (no more than
  274. 28 bytes)
  276. LSAIC_NT4_TARGET -- target server is known to be NT4
  278. LSAIC_WIN2K_TARGET -- target server is known to be Win2k
  280. Return Values:
  282. NTSTATUS - Standard Nt Result Code
  284. STATUS_ACCESS_DENIED - Caller does not have the appropriate access
  285. to complete the operation.
  287. STATUS_SOME_NOT_MAPPED - Some or all of the names provided could
  288. not be mapped. This is an informational status only.
  290. STATUS_INSUFFICIENT_RESOURCES - Insufficient system resources
  291. to complete the call.
  292. --*/
  296. NTSTATUS
  297. LsaICLookupSids(
  298. IN LSA_HANDLE PolicyHandle,
  299. IN ULONG Count,
  300. IN PSID *Sids,
  301. OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
  302. OUT PLSA_TRANSLATED_NAME_EX *Names,
  303. IN LSAP_LOOKUP_LEVEL LookupLevel,
  304. IN ULONG Flags,
  305. IN OUT PULONG MappedCount,
  306. OUT ULONG *ServerRevision OPTIONAL
  307. );
  309. /*++
  311. Routine Description:
  313. WARNING! THIS FUNCTION IS NOT COMPLETELY IMPLEMENTED. ONLY SIDS
  314. MAPPABLE AT THE LOCAL SYSTEM WILL BE TRANSLATED.
  316. The LsaLookupSids API attempts to find names corresponding to Sids.
  317. If a name can not be mapped to a Sid, the Sid is converted to character
  318. form. The caller must have POLICY_LOOKUP_NAMES access to the Policy
  319. object.
  321. WARNING: This routine allocates memory for its output. The caller is
  322. responsible for freeing this memory after use. See description of the
  323. Names parameter.
  325. Arguments:
  327. PolicyHandle - Handle from an LsaOpenPolicy call.
  329. Count - Specifies the number of Sids to be translated.
  331. Sids - Pointer to an array of Count pointers to Sids to be mapped
  332. to names. The Sids may be well_known SIDs, SIDs of User accounts
  333. Group Accounts, Alias accounts, or Domains.
  335. ReferencedDomains - Receives a pointer to a structure describing the
  336. domains used for the translation. The entries in this structure
  337. are referenced by the strutcure returned via the Names parameter.
  338. Unlike the Names paraemeter, which contains an array entry
  339. for (each translated name, this strutcure will only contain
  340. component for each domain utilized in the translation.
  342. When this information is no longer needed, it must be released
  343. by passing the returned pointer to LsaFreeMemory().
  345. Names - Receives a pointer to array records describing each translated
  346. name. The nth entry in this array provides a translation for
  347. the nth entry in the Sids parameter.
  349. All of the retruned names will be isolated names or NULL strings
  350. (domain names are returned as NULL strings). If the caller needs
  351. composite names, they can be generated by prepending the
  352. isolated name with the domain name and a backslash. For example,
  353. if (the name Sally is returned, and it is from the domain Manufact,
  354. then the composite name would be "Manufact" + "\" + "Sally" or
  355. "Manufact\Sally".
  357. When this information is no longer needed, it must be released
  358. by passing the returned pointer to LsaFreeMemory().
  360. If a Sid is not translatable, then the following will occur:
  362. 1) If the SID's domain is known, then a reference domain record
  363. will be generated with the domain's name. In this case, the
  364. name returned via the Names parameter is a Unicode representation
  365. of the relative ID of the account, such as "(314)" or the null
  366. string, if the Sid is that of a domain. So, you might end up
  367. with a resultant name of "Manufact\(314) for the example with
  368. Sally above, if Sally's relative id is 314.
  370. 2) If not even the SID's domain could be located, then a full
  371. Unicode representation of the SID is generated and no domain
  372. record is referenced. In this case, the returned string might
  373. be something like: "(S-1-672194-21-314)".
  375. When this information is no longer needed, it must be released
  376. by passing the returned pointer to LsaFreeMemory().
  378. LookupLevel - Specifies the Level of Lookup to be performed on this
  379. machine. Values of this field are are follows:
  381. LsapLookupWksta - First Level Lookup performed on a workstation
  382. normally configured for Windows-Nt. The lookup searches the
  383. Well-Known Sids/Names, and the Built-in Domain and Account Domain
  384. in the local SAM Database. If not all Sids or Names are
  385. identified, performs a "handoff" of a Second level Lookup to the
  386. LSA running on a Controller for the workstation's Primary Domain
  387. (if any).
  389. LsapLookupPDC - Second Level Lookup performed on a Primary Domain
  390. Controller. The lookup searches the Account Domain of the
  391. SAM Database on the controller. If not all Sids or Names are
  392. found, the Trusted Domain List (TDL) is obtained from the
  393. LSA's Policy Database and Third Level lookups are performed
  394. via "handoff" to each Trusted Domain in the List.
  396. LsapLookupTDL - Third Level Lookup performed on a controller
  397. for a Trusted Domain. The lookup searches the Account Domain of
  398. the SAM Database on the controller only.
  400. Flags:
  402. LSAIC_NT4_TARGET -- target server is known to be NT4
  404. LSAIC_WIN2K_TARGET -- target server is known to be Win2k
  406. ServerRevision : the revision of the server that is called
  408. Return Values:
  410. NTSTATUS - Standard Nt Result Code
  412. STATUS_ACCESS_DENIED - Caller does not have the appropriate access
  413. to complete the operation.
  415. STATUS_SOME_NOT_MAPPED - Some or all of the names provided could not be
  416. mapped. This is a warning only.
  418. Rest TBS
  419. --*/
  421. #endif // _LSAICLI_