You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
421 lines
16 KiB
421 lines
16 KiB
/*++
|
|
|
|
Copyright (c) 1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
lsaicli.h
|
|
|
|
Abstract:
|
|
|
|
Local Security Authority - Definitions for internal LSA Clients.
|
|
|
|
NOTE: This file is included via lsaclip.h or lsasrvp.h. It should
|
|
not be included directly.
|
|
|
|
This module contains definitions used only when callouts are made
|
|
from one LSA to another, i.e. where the server side of one LSA
|
|
communicates with the client side of another LSA.
|
|
|
|
Author:
|
|
|
|
Scott Birrell (ScottBi) April 9, 1992
|
|
|
|
Environment:
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#ifndef _LSAICLI_
|
|
#define _LSAICLI_
|
|
|
|
//
|
|
// The following datatype specifies the Call Level for Sid and Name
|
|
// Lookup operations.
|
|
//
|
|
|
|
typedef enum _LSAP_LOOKUP_LEVEL {
|
|
|
|
LsapLookupWksta = 1,
|
|
LsapLookupPDC,
|
|
LsapLookupTDL,
|
|
LsapLookupGC, // valid only on NT5 domain controllers
|
|
LsapLookupXForestReferral, // valid only on NT5.1 domain controllers
|
|
LsapLookupXForestResolve // valid only on NT5.1 domain controllers
|
|
|
|
} LSAP_LOOKUP_LEVEL, *PLSAP_LOOKUP_LEVEL;
|
|
|
|
//
|
|
// where the entries have the following meaning:
|
|
//
|
|
// LsapLookupWksta - First Level Lookup performed on a workstation
|
|
// normally configured for Windows-Nt. The lookup searches the
|
|
// Well-Known Sids/Names, and the Built-in Domain and Account Domain
|
|
// in the local SAM Database. If not all Sids or Names are
|
|
// identified, performs a "handoff" of a Second level Lookup to the
|
|
// LSA running on a Controller for the workstation's Primary Domain
|
|
// (if any).
|
|
//
|
|
// LsapLookupPDC - Second Level Lookup performed on a Primary Domain
|
|
// Controller. The lookup searches the Account Domain of the
|
|
// SAM Database on the controller. If not all Sids or Names are
|
|
// found, the Trusted Domain List (TDL) is obtained from the
|
|
// LSA's Policy Database and Third Level lookups are performed
|
|
// via "handoff" to each Trusted Domain in the List.
|
|
//
|
|
// LsapLookupTDL - Third Level Lookup performed on a controller
|
|
// for a Trusted Domain. The lookup searches the Account Domain of
|
|
// the SAM Database on the controller only.
|
|
//
|
|
// LsapLookupGC - This is used by a workstation to perform a lookup at a GC
|
|
// This resolves UPN's, samaccountname's with NetBios and DNS domain names,
|
|
// Sid's and Sid Histories for transitivly trusted domains (within a
|
|
// forest). This lookup level is only used when a NT5+ client is in
|
|
// a mixed domain and its secure channel DC is NT4
|
|
//
|
|
// LsapLookupXForestReferral -- This is used to pass entries (names and Sids)
|
|
// to the root of the forest via the trust chain. After a set of entries,
|
|
// comes back from the GC, some may be marked as belonging to a cross
|
|
// forest. These entries are then passed on to the DC's parent domain until
|
|
// the root of the domain is reached. The root will then issue a
|
|
// LsapLookupXForestResolve directed at a DC in the external forest.
|
|
//
|
|
// LpsaLookupXForestResolve -- This level is used by the root of one forest
|
|
// lookup entries from the DC in another forest.
|
|
//
|
|
|
|
typedef struct _LSA_TRANSLATED_NAME_EX
|
|
{
|
|
SID_NAME_USE Use;
|
|
LSA_UNICODE_STRING Name;
|
|
LONG DomainIndex;
|
|
ULONG Flags;
|
|
|
|
} LSA_TRANSLATED_NAME_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_NAME_EX *PLSA_TRANSLATED_NAME_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_NAMES
|
|
{
|
|
ULONG Entries;
|
|
PLSA_TRANSLATED_NAME_EX Names;
|
|
|
|
} LSA_TRANSLATED_NAMES_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_NAMES *PLSA_TRANSLATED_NAMES_EX;
|
|
|
|
|
|
typedef struct _LSA_TRANSLATED_SID_EX
|
|
{
|
|
SID_NAME_USE Use;
|
|
ULONG RelativeId;
|
|
LONG DomainIndex;
|
|
ULONG Flags;
|
|
|
|
} LSA_TRANSLATED_SID_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_SID_EX *PLSA_TRANSLATED_SID_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_SIDS_EX
|
|
{
|
|
ULONG Entries;
|
|
PLSA_TRANSLATED_SID_EX Names;
|
|
|
|
} LSA_TRANSLATED_SIDS_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_SIDS_EX *PLSA_TRANSLATED_SIDS_EX;
|
|
|
|
typedef struct _LSA_TRANSLATED_SID_EX2
|
|
{
|
|
SID_NAME_USE Use;
|
|
PSID Sid;
|
|
LONG DomainIndex;
|
|
ULONG Flags;
|
|
|
|
} LSA_TRANSLATED_SID_EX2;
|
|
|
|
typedef struct _LSA_TRANSLATED_SID_EX2 *PLSA_TRANSLATED_SID_EX2;
|
|
|
|
typedef struct _LSA_TRANSLATED_SIDS_EX2
|
|
{
|
|
ULONG Entries;
|
|
PLSA_TRANSLATED_SID_EX2 Names;
|
|
|
|
} LSA_TRANSLATED_SIDS_EX2;
|
|
|
|
typedef struct _LSA_TRANSLATED_SIDS_EX2 *PLSA_TRANSLATED_SIDS_EX2;
|
|
|
|
#define LSAIC_NO_LARGE_SID 0x00000001
|
|
#define LSAIC_NT4_TARGET 0x00000002
|
|
#define LSAIC_WIN2K_TARGET 0x00000004
|
|
|
|
NTSTATUS
|
|
LsaICLookupNames(
|
|
IN LSA_HANDLE PolicyHandle,
|
|
IN ULONG LookupOptions,
|
|
IN ULONG Count,
|
|
IN PUNICODE_STRING Names,
|
|
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
|
OUT PLSA_TRANSLATED_SID_EX2 *Sids,
|
|
IN LSAP_LOOKUP_LEVEL LookupLevel,
|
|
IN ULONG Flags,
|
|
IN OUT PULONG MappedCount,
|
|
IN OUT PULONG ServerRevision
|
|
);
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function is the internal client side version of the LsaLookupNames
|
|
API. It is called both from the client side (as an internal routine)
|
|
and the server side of the LSA. The function is identical to the
|
|
LsaLookupNames API except that there is an additional parameter, the
|
|
LookupLevel parameter.
|
|
|
|
The LsaLookupNames API attempts to translate names of domains, users,
|
|
groups or aliases to Sids. The caller must have POLICY_LOOKUP_NAMES
|
|
access to the Policy object.
|
|
|
|
Names may be either isolated (e.g. JohnH) or composite names containing
|
|
both the domain name and account name. Composite names must include a
|
|
backslash character separating the domain name from the account name
|
|
(e.g. Acctg\JohnH). An isolated name may be either an account name
|
|
(user, group, or alias) or a domain name.
|
|
|
|
Translation of isolated names introduces the possibility of name
|
|
collisions (since the same name may be used in multiple domains). An
|
|
isolated name will be translated using the following algorithm:
|
|
|
|
If the name is a well-known name (e.g. Local or Interactive), then the
|
|
corresponding well-known Sid is returned.
|
|
|
|
If the name is the Built-in Domain's name, then that domain's Sid
|
|
will be returned.
|
|
|
|
If the name is the Account Domain's name, then that domain's Sid
|
|
will be returned.
|
|
|
|
If the name is the Primary Domain's name, then that domain's Sid will
|
|
be returned.
|
|
|
|
If the name is a user, group, or alias in the Built-in Domain, then the
|
|
Sid of that account is returned.
|
|
|
|
If the name is a user, group, or alias in the Primary Domain, then the
|
|
Sid of that account is returned.
|
|
|
|
Otherwise, the name is not translated.
|
|
|
|
NOTE: Proxy, Machine, and Trust user accounts are not referenced
|
|
for name translation. Only normal user accounts are used for ID
|
|
translation. If translation of other account types is needed, then
|
|
SAM services should be used directly.
|
|
|
|
Arguments:
|
|
|
|
This function is the LSA server RPC worker routine for the
|
|
LsaLookupNamesInLsa API.
|
|
|
|
PolicyHandle - Handle from an LsaOpenPolicy call.
|
|
|
|
LookupOptions - values to pass through to LsarLookupNames2 and above.
|
|
|
|
Count - Specifies the number of names to be translated.
|
|
|
|
Names - Pointer to an array of Count Unicode String structures
|
|
specifying the names to be looked up and mapped to Sids.
|
|
The strings may be names of User, Group or Alias accounts or
|
|
domains.
|
|
|
|
ReferencedDomains - receives a pointer to a structure describing the
|
|
domains used for the translation. The entries in this structure
|
|
are referenced by the structure returned via the Sids parameter.
|
|
Unlike the Sids parameter, which contains an array entry for
|
|
each translated name, this structure will only contain one
|
|
component for each domain utilized in the translation.
|
|
|
|
When this information is no longer needed, it must be released
|
|
by passing the returned pointer to LsaFreeMemory().
|
|
|
|
Sids - Receives a pointer to an array of records describing each
|
|
translated Sid. The nth entry in this array provides a translation
|
|
for (the nth element in the Names parameter.
|
|
|
|
When this information is no longer needed, it must be released
|
|
by passing the returned pointer to LsaFreeMemory().
|
|
|
|
LookupLevel - Specifies the Level of Lookup to be performed on this
|
|
machine. Values of this field are are follows:
|
|
|
|
LsapLookupWksta - First Level Lookup performed on a workstation
|
|
normally configured for Windows-Nt. The lookup searches the
|
|
Well-Known Sids/Names, and the Built-in Domain and Account Domain
|
|
in the local SAM Database. If not all Sids or Names are
|
|
identified, performs a "handoff" of a Second level Lookup to the
|
|
LSA running on a Controller for the workstation's Primary Domain
|
|
(if any).
|
|
|
|
LsapLookupPDC - Second Level Lookup performed on a Primary Domain
|
|
Controller. The lookup searches the Account Domain of the
|
|
SAM Database on the controller. If not all Sids or Names are
|
|
found, the Trusted Domain List (TDL) is obtained from the
|
|
LSA's Policy Database and Third Level lookups are performed
|
|
via "handoff" to each Trusted Domain in the List.
|
|
|
|
LsapLookupTDL - Third Level Lookup performed on a controller
|
|
for a Trusted Domain. The lookup searches the Account Domain of
|
|
the SAM Database on the controller only.
|
|
Flags - flags to control the operation of the function. Currently defined:
|
|
|
|
LSAIC_NO_LARGE_SID -- implies only call interfaces that will return
|
|
the old style format SID (no more than
|
|
28 bytes)
|
|
|
|
LSAIC_NT4_TARGET -- target server is known to be NT4
|
|
|
|
LSAIC_WIN2K_TARGET -- target server is known to be Win2k
|
|
|
|
Return Values:
|
|
|
|
NTSTATUS - Standard Nt Result Code
|
|
|
|
STATUS_ACCESS_DENIED - Caller does not have the appropriate access
|
|
to complete the operation.
|
|
|
|
STATUS_SOME_NOT_MAPPED - Some or all of the names provided could
|
|
not be mapped. This is an informational status only.
|
|
|
|
STATUS_INSUFFICIENT_RESOURCES - Insufficient system resources
|
|
to complete the call.
|
|
--*/
|
|
|
|
|
|
|
|
NTSTATUS
|
|
LsaICLookupSids(
|
|
IN LSA_HANDLE PolicyHandle,
|
|
IN ULONG Count,
|
|
IN PSID *Sids,
|
|
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
|
OUT PLSA_TRANSLATED_NAME_EX *Names,
|
|
IN LSAP_LOOKUP_LEVEL LookupLevel,
|
|
IN ULONG Flags,
|
|
IN OUT PULONG MappedCount,
|
|
OUT ULONG *ServerRevision OPTIONAL
|
|
);
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
WARNING! THIS FUNCTION IS NOT COMPLETELY IMPLEMENTED. ONLY SIDS
|
|
MAPPABLE AT THE LOCAL SYSTEM WILL BE TRANSLATED.
|
|
|
|
The LsaLookupSids API attempts to find names corresponding to Sids.
|
|
If a name can not be mapped to a Sid, the Sid is converted to character
|
|
form. The caller must have POLICY_LOOKUP_NAMES access to the Policy
|
|
object.
|
|
|
|
WARNING: This routine allocates memory for its output. The caller is
|
|
responsible for freeing this memory after use. See description of the
|
|
Names parameter.
|
|
|
|
Arguments:
|
|
|
|
PolicyHandle - Handle from an LsaOpenPolicy call.
|
|
|
|
Count - Specifies the number of Sids to be translated.
|
|
|
|
Sids - Pointer to an array of Count pointers to Sids to be mapped
|
|
to names. The Sids may be well_known SIDs, SIDs of User accounts
|
|
Group Accounts, Alias accounts, or Domains.
|
|
|
|
ReferencedDomains - Receives a pointer to a structure describing the
|
|
domains used for the translation. The entries in this structure
|
|
are referenced by the strutcure returned via the Names parameter.
|
|
Unlike the Names paraemeter, which contains an array entry
|
|
for (each translated name, this strutcure will only contain
|
|
component for each domain utilized in the translation.
|
|
|
|
When this information is no longer needed, it must be released
|
|
by passing the returned pointer to LsaFreeMemory().
|
|
|
|
Names - Receives a pointer to array records describing each translated
|
|
name. The nth entry in this array provides a translation for
|
|
the nth entry in the Sids parameter.
|
|
|
|
All of the retruned names will be isolated names or NULL strings
|
|
(domain names are returned as NULL strings). If the caller needs
|
|
composite names, they can be generated by prepending the
|
|
isolated name with the domain name and a backslash. For example,
|
|
if (the name Sally is returned, and it is from the domain Manufact,
|
|
then the composite name would be "Manufact" + "\" + "Sally" or
|
|
"Manufact\Sally".
|
|
|
|
When this information is no longer needed, it must be released
|
|
by passing the returned pointer to LsaFreeMemory().
|
|
|
|
If a Sid is not translatable, then the following will occur:
|
|
|
|
1) If the SID's domain is known, then a reference domain record
|
|
will be generated with the domain's name. In this case, the
|
|
name returned via the Names parameter is a Unicode representation
|
|
of the relative ID of the account, such as "(314)" or the null
|
|
string, if the Sid is that of a domain. So, you might end up
|
|
with a resultant name of "Manufact\(314) for the example with
|
|
Sally above, if Sally's relative id is 314.
|
|
|
|
2) If not even the SID's domain could be located, then a full
|
|
Unicode representation of the SID is generated and no domain
|
|
record is referenced. In this case, the returned string might
|
|
be something like: "(S-1-672194-21-314)".
|
|
|
|
When this information is no longer needed, it must be released
|
|
by passing the returned pointer to LsaFreeMemory().
|
|
|
|
LookupLevel - Specifies the Level of Lookup to be performed on this
|
|
machine. Values of this field are are follows:
|
|
|
|
LsapLookupWksta - First Level Lookup performed on a workstation
|
|
normally configured for Windows-Nt. The lookup searches the
|
|
Well-Known Sids/Names, and the Built-in Domain and Account Domain
|
|
in the local SAM Database. If not all Sids or Names are
|
|
identified, performs a "handoff" of a Second level Lookup to the
|
|
LSA running on a Controller for the workstation's Primary Domain
|
|
(if any).
|
|
|
|
LsapLookupPDC - Second Level Lookup performed on a Primary Domain
|
|
Controller. The lookup searches the Account Domain of the
|
|
SAM Database on the controller. If not all Sids or Names are
|
|
found, the Trusted Domain List (TDL) is obtained from the
|
|
LSA's Policy Database and Third Level lookups are performed
|
|
via "handoff" to each Trusted Domain in the List.
|
|
|
|
LsapLookupTDL - Third Level Lookup performed on a controller
|
|
for a Trusted Domain. The lookup searches the Account Domain of
|
|
the SAM Database on the controller only.
|
|
|
|
Flags:
|
|
|
|
LSAIC_NT4_TARGET -- target server is known to be NT4
|
|
|
|
LSAIC_WIN2K_TARGET -- target server is known to be Win2k
|
|
|
|
ServerRevision : the revision of the server that is called
|
|
|
|
Return Values:
|
|
|
|
NTSTATUS - Standard Nt Result Code
|
|
|
|
STATUS_ACCESS_DENIED - Caller does not have the appropriate access
|
|
to complete the operation.
|
|
|
|
STATUS_SOME_NOT_MAPPED - Some or all of the names provided could not be
|
|
mapped. This is a warning only.
|
|
|
|
Rest TBS
|
|
--*/
|
|
|
|
#endif // _LSAICLI_
|