You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
445 lines
13 KiB
445 lines
13 KiB
/*++
|
|
|
|
Copyright (c) 1987-1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
ssi.h
|
|
|
|
Abstract:
|
|
|
|
Definition of Netlogon service APIs and structures used for SAM database
|
|
replication.
|
|
|
|
This file is shared by the Netlogon service and the XACT server.
|
|
|
|
Author:
|
|
|
|
Cliff Van Dyke (cliffv) 27-Jun-1991
|
|
|
|
Environment:
|
|
|
|
User mode only.
|
|
Contains NT-specific code.
|
|
Requires ANSI C extensions: slash-slash comments, long external names.
|
|
|
|
Revision History:
|
|
|
|
27-Jun-1991 (cliffv)
|
|
Ported from LanMan 2.1.
|
|
|
|
04-Apr-1992 (madana)
|
|
Added support for LSA replication.
|
|
|
|
--*/
|
|
|
|
#ifndef _NET_SSI_H_
|
|
#define _NET_SSI_H_
|
|
|
|
//**************************************************************
|
|
//
|
|
// Data structure template - AUTHENTICATION
|
|
//
|
|
// ***************************************************************//
|
|
|
|
typedef struct _NETLOGON_VALIDATION_UAS_INFO {
|
|
#ifdef MIDL_PASS
|
|
[string] wchar_t * usrlog1_eff_name;
|
|
#else // MIDL_PASS
|
|
LPWSTR usrlog1_eff_name;
|
|
#endif // MIDL_PASS
|
|
DWORD usrlog1_priv;
|
|
DWORD usrlog1_auth_flags;
|
|
DWORD usrlog1_num_logons;
|
|
DWORD usrlog1_bad_pw_count;
|
|
DWORD usrlog1_last_logon;
|
|
DWORD usrlog1_last_logoff;
|
|
DWORD usrlog1_logoff_time;
|
|
DWORD usrlog1_kickoff_time;
|
|
DWORD usrlog1_password_age;
|
|
DWORD usrlog1_pw_can_change;
|
|
DWORD usrlog1_pw_must_change;
|
|
#ifdef MIDL_PASS
|
|
[string] wchar_t * usrlog1_computer;
|
|
[string] wchar_t * usrlog1_domain;
|
|
[string] wchar_t * usrlog1_script_path;
|
|
#else // MIDL_PASS
|
|
LPWSTR usrlog1_computer;
|
|
LPWSTR usrlog1_domain;
|
|
LPWSTR usrlog1_script_path;
|
|
#endif // MIDL_PASS
|
|
DWORD usrlog1_reserved1;
|
|
} NETLOGON_VALIDATION_UAS_INFO, *PNETLOGON_VALIDATION_UAS_INFO ;
|
|
|
|
typedef struct _NETLOGON_LOGOFF_UAS_INFO {
|
|
DWORD Duration;
|
|
USHORT LogonCount;
|
|
} NETLOGON_LOGOFF_UAS_INFORMATION, *PNETLOGON_LOGOFF_UAS_INFO;
|
|
|
|
// ***************************************************************
|
|
//
|
|
// Function prototypes - AUTHENTICATION
|
|
//
|
|
// ***************************************************************
|
|
|
|
NTSTATUS
|
|
I_NetServerReqChallenge(
|
|
IN LPWSTR PrimaryName OPTIONAL,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_CREDENTIAL ClientChallenge,
|
|
OUT PNETLOGON_CREDENTIAL ServerChallenge
|
|
);
|
|
|
|
NTSTATUS
|
|
I_NetServerAuthenticate(
|
|
IN LPWSTR PrimaryName OPTIONAL,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_CREDENTIAL ClientCredential,
|
|
OUT PNETLOGON_CREDENTIAL ServerCredential
|
|
);
|
|
|
|
NTSTATUS
|
|
I_NetServerAuthenticate2(
|
|
IN LPWSTR PrimaryName OPTIONAL,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_CREDENTIAL ClientCredential,
|
|
OUT PNETLOGON_CREDENTIAL ServerCredential,
|
|
IN OUT PULONG NegotiatedFlags
|
|
);
|
|
|
|
NTSTATUS
|
|
I_NetServerAuthenticate3(
|
|
IN LPWSTR PrimaryName OPTIONAL,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_CREDENTIAL ClientCredential,
|
|
OUT PNETLOGON_CREDENTIAL ServerCredential,
|
|
IN OUT PULONG NegotiatedFlags,
|
|
OUT PULONG AccountRid
|
|
);
|
|
|
|
//
|
|
// Values of I_NetServerAuthenticate2 NegotiatedFlags
|
|
//
|
|
|
|
#define NETLOGON_SUPPORTS_ACCOUNT_LOCKOUT 0x00000001
|
|
#define NETLOGON_SUPPORTS_PERSISTENT_BDC 0x00000002
|
|
#define NETLOGON_SUPPORTS_RC4_ENCRYPTION 0x00000004
|
|
#define NETLOGON_SUPPORTS_PROMOTION_COUNT 0x00000008
|
|
#define NETLOGON_SUPPORTS_BDC_CHANGELOG 0x00000010
|
|
#define NETLOGON_SUPPORTS_FULL_SYNC_RESTART 0x00000020
|
|
#define NETLOGON_SUPPORTS_MULTIPLE_SIDS 0x00000040
|
|
#define NETLOGON_SUPPORTS_REDO 0x00000080
|
|
|
|
//
|
|
// For NT 3.51, the mask was 0xFF.
|
|
//
|
|
|
|
#define NETLOGON_SUPPORTS_NT351_MASK 0x000000FF
|
|
|
|
#define NETLOGON_SUPPORTS_REFUSE_CHANGE_PWD 0x00000100
|
|
|
|
//
|
|
// For NT 4.0, the mask was 0x1FF.
|
|
// For NT 4 SP 4, the machine might have NETLOGON_SUPPORTS_AUTH_RPC or'd in
|
|
//
|
|
|
|
#define NETLOGON_SUPPORTS_NT4_MASK 0x400001FF
|
|
|
|
#define NETLOGON_SUPPORTS_PDC_PASSWORD 0x00000200
|
|
#define NETLOGON_SUPPORTS_GENERIC_PASSTHRU 0x00000400
|
|
#define NETLOGON_SUPPORTS_CONCURRENT_RPC 0x00000800
|
|
#define NETLOGON_SUPPORTS_AVOID_SAM_REPL 0x00001000
|
|
#define NETLOGON_SUPPORTS_AVOID_LSA_REPL 0x00002000
|
|
#define NETLOGON_SUPPORTS_STRONG_KEY 0x00004000 // Added after NT 5 Beta 2
|
|
#define NETLOGON_SUPPORTS_TRANSITIVE 0x00008000 // Added after NT 5 Beta 2
|
|
#define NETLOGON_SUPPORTS_DNS_DOMAIN_TRUST 0x00010000
|
|
#define NETLOGON_SUPPORTS_PASSWORD_SET_2 0x00020000
|
|
#define NETLOGON_SUPPORTS_GET_DOMAIN_INFO 0x00040000
|
|
#define NETLOGON_SUPPORTS_LSA_AUTH_RPC 0x20000000 // Added after NT 5 Beta 2
|
|
#define NETLOGON_SUPPORTS_AUTH_RPC 0x40000000
|
|
|
|
//
|
|
// Masks added after Windows 2000
|
|
//
|
|
|
|
#define NETLOGON_SUPPORTS_CROSS_FOREST 0x00080000 // Added for XP (Whistler client)
|
|
#define NETLOGON_SUPPORTS_NT4EMULATOR_NEUTRALIZER 0x00100000 // Added for XP (Whistler client) and ported into win2k SP2
|
|
|
|
//
|
|
// For Windows 2000, the mask was 0x6007FFFF
|
|
// NETLOGON_SUPPORTS_NT4EMULATOR_NEUTRALIZER was added in win2k SP2
|
|
//
|
|
|
|
#define NETLOGON_SUPPORTS_WIN2000_MASK (0x6007FFFF | NETLOGON_SUPPORTS_NT4EMULATOR_NEUTRALIZER)
|
|
|
|
//
|
|
// For Windows XP, NETLOGON_SUPPORTS_CROSS_FOREST was added
|
|
//
|
|
|
|
#define NETLOGON_SUPPORTS_XP_MASK (NETLOGON_SUPPORTS_WIN2000_MASK & NETLOGON_SUPPORTS_CROSS_FOREST)
|
|
|
|
//
|
|
// Mask of bits always supported by current build (regardless of options)
|
|
//
|
|
#define NETLOGON_SUPPORTS_MASK ( \
|
|
NETLOGON_SUPPORTS_ACCOUNT_LOCKOUT | \
|
|
NETLOGON_SUPPORTS_PERSISTENT_BDC | \
|
|
NETLOGON_SUPPORTS_RC4_ENCRYPTION | \
|
|
NETLOGON_SUPPORTS_PROMOTION_COUNT | \
|
|
NETLOGON_SUPPORTS_BDC_CHANGELOG | \
|
|
NETLOGON_SUPPORTS_FULL_SYNC_RESTART | \
|
|
NETLOGON_SUPPORTS_MULTIPLE_SIDS | \
|
|
NETLOGON_SUPPORTS_REDO | \
|
|
NETLOGON_SUPPORTS_REFUSE_CHANGE_PWD | \
|
|
NETLOGON_SUPPORTS_PDC_PASSWORD | \
|
|
NETLOGON_SUPPORTS_GENERIC_PASSTHRU | \
|
|
NETLOGON_SUPPORTS_CONCURRENT_RPC | \
|
|
NETLOGON_SUPPORTS_TRANSITIVE | \
|
|
NETLOGON_SUPPORTS_DNS_DOMAIN_TRUST | \
|
|
NETLOGON_SUPPORTS_PASSWORD_SET_2 | \
|
|
NETLOGON_SUPPORTS_GET_DOMAIN_INFO | \
|
|
NETLOGON_SUPPORTS_CROSS_FOREST )
|
|
|
|
|
|
NTSTATUS
|
|
I_NetServerPasswordSet(
|
|
IN LPWSTR PrimaryName OPTIONAL,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
IN PENCRYPTED_LM_OWF_PASSWORD UasNewPassword
|
|
);
|
|
|
|
//
|
|
// Values of QueryLevel
|
|
#define NETLOGON_QUERY_DOMAIN_INFO 1
|
|
#define NETLOGON_QUERY_LSA_POLICY_INFO 2
|
|
|
|
NTSTATUS
|
|
I_NetLogonGetDomainInfo(
|
|
IN LPWSTR ServerName,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
IN DWORD QueryLevel,
|
|
IN LPBYTE InBuffer,
|
|
OUT LPBYTE *OutBuffer
|
|
);
|
|
|
|
|
|
|
|
NET_API_STATUS NET_API_FUNCTION
|
|
I_NetLogonUasLogon (
|
|
IN LPWSTR UserName,
|
|
IN LPWSTR Workstation,
|
|
OUT PNETLOGON_VALIDATION_UAS_INFO *ValidationInformation
|
|
);
|
|
|
|
NET_API_STATUS
|
|
I_NetLogonUasLogoff (
|
|
IN LPWSTR UserName,
|
|
IN LPWSTR Workstation,
|
|
OUT PNETLOGON_LOGOFF_UAS_INFO LogoffInformation
|
|
);
|
|
|
|
// **************************************************************
|
|
//
|
|
// Special values and constants - AUTHENTICATION
|
|
//
|
|
// **************************************************************
|
|
|
|
// **************************************************************
|
|
//
|
|
// Data structure template - UAS/SAM REPLICATION
|
|
//
|
|
// **************************************************************
|
|
|
|
typedef struct _UAS_INFO_0 {
|
|
CHAR ComputerName[LM20_CNLEN+1];
|
|
ULONG TimeCreated;
|
|
ULONG SerialNumber;
|
|
} UAS_INFO_0, *PUAS_INFO_0 ;
|
|
|
|
// **************************************************************
|
|
//
|
|
// Function prototypes - UAS/SAM REPLICATION
|
|
//
|
|
// **************************************************************
|
|
|
|
NET_API_STATUS NET_API_FUNCTION
|
|
I_NetAccountDeltas (
|
|
IN LPWSTR primaryname,
|
|
IN LPWSTR computername,
|
|
IN PNETLOGON_AUTHENTICATOR authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ret_auth,
|
|
IN PUAS_INFO_0 record_id,
|
|
IN DWORD count,
|
|
IN DWORD level,
|
|
OUT LPBYTE buffer,
|
|
IN DWORD buffer_len,
|
|
OUT PULONG entries_read,
|
|
OUT PULONG total_entries,
|
|
OUT PUAS_INFO_0 next_record_id
|
|
);
|
|
|
|
NET_API_STATUS NET_API_FUNCTION
|
|
I_NetAccountSync (
|
|
IN LPWSTR primaryname,
|
|
IN LPWSTR computername,
|
|
IN PNETLOGON_AUTHENTICATOR authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ret_auth,
|
|
IN DWORD reference,
|
|
IN DWORD level,
|
|
OUT LPBYTE buffer,
|
|
IN DWORD buffer_len,
|
|
OUT PULONG entries_read,
|
|
OUT PULONG total_entries,
|
|
OUT PULONG next_reference,
|
|
OUT PUAS_INFO_0 last_record_id
|
|
);
|
|
|
|
typedef enum _NETLOGON_DELTA_TYPE {
|
|
AddOrChangeDomain = 1,
|
|
AddOrChangeGroup,
|
|
DeleteGroup,
|
|
RenameGroup,
|
|
AddOrChangeUser,
|
|
DeleteUser,
|
|
RenameUser,
|
|
ChangeGroupMembership,
|
|
AddOrChangeAlias,
|
|
DeleteAlias,
|
|
RenameAlias,
|
|
ChangeAliasMembership,
|
|
AddOrChangeLsaPolicy,
|
|
AddOrChangeLsaTDomain,
|
|
DeleteLsaTDomain,
|
|
AddOrChangeLsaAccount,
|
|
DeleteLsaAccount,
|
|
AddOrChangeLsaSecret,
|
|
DeleteLsaSecret,
|
|
// The following deltas require NETLOGON_SUPPORTS_BDC_CHANGELOG to be
|
|
// negotiated.
|
|
DeleteGroupByName,
|
|
DeleteUserByName,
|
|
SerialNumberSkip,
|
|
DummyChangeLogEntry
|
|
} NETLOGON_DELTA_TYPE;
|
|
|
|
|
|
//
|
|
// Group and User account used for SSI.
|
|
//
|
|
|
|
#define SSI_ACCOUNT_NAME_POSTFIX L"$"
|
|
#define SSI_ACCOUNT_NAME_POSTFIX_CHAR L'$'
|
|
#define SSI_ACCOUNT_NAME_POSTFIX_LENGTH 1
|
|
#define SSI_ACCOUNT_NAME_LENGTH (CNLEN + SSI_ACCOUNT_NAME_POSTFIX_LENGTH)
|
|
|
|
#define SSI_SERVER_GROUP_W L"SERVERS"
|
|
|
|
//
|
|
// Structure to pass an encrypted password over the wire. The Length is the
|
|
// length of the password, which should be placed at the end of the buffer.
|
|
//
|
|
|
|
#define NL_MAX_PASSWORD_LENGTH 256
|
|
typedef struct _NL_TRUST_PASSWORD {
|
|
WCHAR Buffer[NL_MAX_PASSWORD_LENGTH];
|
|
ULONG Length;
|
|
} NL_TRUST_PASSWORD, *PNL_TRUST_PASSWORD;
|
|
|
|
//
|
|
// Structure to be prefixed before the password in the Buffer of NL_TRUST_PASSWORD
|
|
// structure passed over the wire. It will be used to distinguish between diferent
|
|
// versions of information passed in the buffer. Begining with RC1 NT5, the presence
|
|
// of the structure in the buffer and the equality of PasswordVersionPresent to
|
|
// PASSWORD_VERSION_PRESENT indicates that the password version number is present
|
|
// and is stored in PasswordVersionNumber; the value of ReservedField is set to 0.
|
|
// RC0 NT5 clients will generate random numbers in place of NL_PASSWORD_VERSION; it
|
|
// is highly unlikely that they will generate PASSWORD_VERSION_PRESENT sequence of
|
|
// bits in place where the PasswordVersionPresent would be present. This (very week)
|
|
// uncertainty will exist only between RC0 NT5 and RC1 NT5 machines. A server running
|
|
// RC1 NT5 will check the PasswordVersionPresent field only for RC0 NT5 and higher
|
|
// clients. The ReservedField will be used in future versions to indicate the version
|
|
// of the information stored in the buffer.
|
|
//
|
|
|
|
#define PASSWORD_VERSION_NUMBER_PRESENT 0x02231968
|
|
typedef struct _NL_PASSWORD_VERSION {
|
|
DWORD ReservedField;
|
|
DWORD PasswordVersionNumber;
|
|
DWORD PasswordVersionPresent;
|
|
} NL_PASSWORD_VERSION, *PNL_PASSWORD_VERSION;
|
|
|
|
NTSTATUS
|
|
I_NetServerPasswordSet2(
|
|
IN LPWSTR PrimaryName OPTIONAL,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
IN PNL_TRUST_PASSWORD NewPassword
|
|
);
|
|
|
|
NTSTATUS
|
|
I_NetServerPasswordGet(
|
|
IN LPWSTR PrimaryName,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword
|
|
);
|
|
|
|
NTSTATUS
|
|
I_NetServerTrustPasswordsGet(
|
|
IN LPWSTR TrustedDcName,
|
|
IN LPWSTR AccountName,
|
|
IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNewOwfPassword,
|
|
OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedOldOwfPassword
|
|
);
|
|
|
|
NTSTATUS
|
|
I_NetLogonSendToSam(
|
|
IN LPWSTR PrimaryName,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
IN LPBYTE Buffer,
|
|
IN ULONG BufferSize
|
|
);
|
|
|
|
|
|
//
|
|
// Only define this API if the caller has #included the pre-requisite ntlsa.h
|
|
|
|
#ifdef _NTLSA_
|
|
|
|
NTSTATUS
|
|
I_NetGetForestTrustInformation (
|
|
IN LPWSTR ServerName OPTIONAL,
|
|
IN LPWSTR ComputerName,
|
|
IN PNETLOGON_AUTHENTICATOR Authenticator,
|
|
OUT PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
|
|
IN DWORD Flags,
|
|
OUT PLSA_FOREST_TRUST_INFORMATION *ForestTrustInfo
|
|
);
|
|
|
|
#endif // _NTLSA_
|
|
|
|
#endif // _NET_SSI_H_
|