Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

421 lines
15 KiB

  1. /*++
  2. Copyright (c) 1991 Microsoft Corporation
  3. Module Name:
  4. lsaicli.h
  5. Abstract:
  6. Local Security Authority - Definitions for internal LSA Clients.
  7. NOTE: This file is included via lsaclip.h or lsasrvp.h. It should
  8. not be included directly.
  9. This module contains definitions used only when callouts are made
  10. from one LSA to another, i.e. where the server side of one LSA
  11. communicates with the client side of another LSA.
  12. Author:
  13. Scott Birrell (ScottBi) April 9, 1992
  14. Environment:
  15. Revision History:
  16. --*/
  17. #ifndef _LSAICLI_
  18. #define _LSAICLI_
  19. //
  20. // The following datatype specifies the Call Level for Sid and Name
  21. // Lookup operations.
  22. //
  23. typedef enum _LSAP_LOOKUP_LEVEL {
  24. LsapLookupWksta = 1,
  25. LsapLookupPDC,
  26. LsapLookupTDL,
  27. LsapLookupGC, // valid only on NT5 domain controllers
  28. LsapLookupXForestReferral, // valid only on NT5.1 domain controllers
  29. LsapLookupXForestResolve // valid only on NT5.1 domain controllers
  30. } LSAP_LOOKUP_LEVEL, *PLSAP_LOOKUP_LEVEL;
  31. //
  32. // where the entries have the following meaning:
  33. //
  34. // LsapLookupWksta - First Level Lookup performed on a workstation
  35. // normally configured for Windows-Nt. The lookup searches the
  36. // Well-Known Sids/Names, and the Built-in Domain and Account Domain
  37. // in the local SAM Database. If not all Sids or Names are
  38. // identified, performs a "handoff" of a Second level Lookup to the
  39. // LSA running on a Controller for the workstation's Primary Domain
  40. // (if any).
  41. //
  42. // LsapLookupPDC - Second Level Lookup performed on a Primary Domain
  43. // Controller. The lookup searches the Account Domain of the
  44. // SAM Database on the controller. If not all Sids or Names are
  45. // found, the Trusted Domain List (TDL) is obtained from the
  46. // LSA's Policy Database and Third Level lookups are performed
  47. // via "handoff" to each Trusted Domain in the List.
  48. //
  49. // LsapLookupTDL - Third Level Lookup performed on a controller
  50. // for a Trusted Domain. The lookup searches the Account Domain of
  51. // the SAM Database on the controller only.
  52. //
  53. // LsapLookupGC - This is used by a workstation to perform a lookup at a GC
  54. // This resolves UPN's, samaccountname's with NetBios and DNS domain names,
  55. // Sid's and Sid Histories for transitivly trusted domains (within a
  56. // forest). This lookup level is only used when a NT5+ client is in
  57. // a mixed domain and its secure channel DC is NT4
  58. //
  59. // LsapLookupXForestReferral -- This is used to pass entries (names and Sids)
  60. // to the root of the forest via the trust chain. After a set of entries,
  61. // comes back from the GC, some may be marked as belonging to a cross
  62. // forest. These entries are then passed on to the DC's parent domain until
  63. // the root of the domain is reached. The root will then issue a
  64. // LsapLookupXForestResolve directed at a DC in the external forest.
  65. //
  66. // LpsaLookupXForestResolve -- This level is used by the root of one forest
  67. // lookup entries from the DC in another forest.
  68. //
  69. typedef struct _LSA_TRANSLATED_NAME_EX
  70. {
  71. SID_NAME_USE Use;
  72. LSA_UNICODE_STRING Name;
  73. LONG DomainIndex;
  74. ULONG Flags;
  75. } LSA_TRANSLATED_NAME_EX;
  76. typedef struct _LSA_TRANSLATED_NAME_EX *PLSA_TRANSLATED_NAME_EX;
  77. typedef struct _LSA_TRANSLATED_NAMES
  78. {
  79. ULONG Entries;
  80. PLSA_TRANSLATED_NAME_EX Names;
  81. } LSA_TRANSLATED_NAMES_EX;
  82. typedef struct _LSA_TRANSLATED_NAMES *PLSA_TRANSLATED_NAMES_EX;
  83. typedef struct _LSA_TRANSLATED_SID_EX
  84. {
  85. SID_NAME_USE Use;
  86. ULONG RelativeId;
  87. LONG DomainIndex;
  88. ULONG Flags;
  89. } LSA_TRANSLATED_SID_EX;
  90. typedef struct _LSA_TRANSLATED_SID_EX *PLSA_TRANSLATED_SID_EX;
  91. typedef struct _LSA_TRANSLATED_SIDS_EX
  92. {
  93. ULONG Entries;
  94. PLSA_TRANSLATED_SID_EX Names;
  95. } LSA_TRANSLATED_SIDS_EX;
  96. typedef struct _LSA_TRANSLATED_SIDS_EX *PLSA_TRANSLATED_SIDS_EX;
  97. typedef struct _LSA_TRANSLATED_SID_EX2
  98. {
  99. SID_NAME_USE Use;
  100. PSID Sid;
  101. LONG DomainIndex;
  102. ULONG Flags;
  103. } LSA_TRANSLATED_SID_EX2;
  104. typedef struct _LSA_TRANSLATED_SID_EX2 *PLSA_TRANSLATED_SID_EX2;
  105. typedef struct _LSA_TRANSLATED_SIDS_EX2
  106. {
  107. ULONG Entries;
  108. PLSA_TRANSLATED_SID_EX2 Names;
  109. } LSA_TRANSLATED_SIDS_EX2;
  110. typedef struct _LSA_TRANSLATED_SIDS_EX2 *PLSA_TRANSLATED_SIDS_EX2;
  111. #define LSAIC_NO_LARGE_SID 0x00000001
  112. #define LSAIC_NT4_TARGET 0x00000002
  113. #define LSAIC_WIN2K_TARGET 0x00000004
  114. NTSTATUS
  115. LsaICLookupNames(
  116. IN LSA_HANDLE PolicyHandle,
  117. IN ULONG LookupOptions,
  118. IN ULONG Count,
  119. IN PUNICODE_STRING Names,
  120. OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
  121. OUT PLSA_TRANSLATED_SID_EX2 *Sids,
  122. IN LSAP_LOOKUP_LEVEL LookupLevel,
  123. IN ULONG Flags,
  124. IN OUT PULONG MappedCount,
  125. IN OUT PULONG ServerRevision
  126. );
  127. /*++
  128. Routine Description:
  129. This function is the internal client side version of the LsaLookupNames
  130. API. It is called both from the client side (as an internal routine)
  131. and the server side of the LSA. The function is identical to the
  132. LsaLookupNames API except that there is an additional parameter, the
  133. LookupLevel parameter.
  134. The LsaLookupNames API attempts to translate names of domains, users,
  135. groups or aliases to Sids. The caller must have POLICY_LOOKUP_NAMES
  136. access to the Policy object.
  137. Names may be either isolated (e.g. JohnH) or composite names containing
  138. both the domain name and account name. Composite names must include a
  139. backslash character separating the domain name from the account name
  140. (e.g. Acctg\JohnH). An isolated name may be either an account name
  141. (user, group, or alias) or a domain name.
  142. Translation of isolated names introduces the possibility of name
  143. collisions (since the same name may be used in multiple domains). An
  144. isolated name will be translated using the following algorithm:
  145. If the name is a well-known name (e.g. Local or Interactive), then the
  146. corresponding well-known Sid is returned.
  147. If the name is the Built-in Domain's name, then that domain's Sid
  148. will be returned.
  149. If the name is the Account Domain's name, then that domain's Sid
  150. will be returned.
  151. If the name is the Primary Domain's name, then that domain's Sid will
  152. be returned.
  153. If the name is a user, group, or alias in the Built-in Domain, then the
  154. Sid of that account is returned.
  155. If the name is a user, group, or alias in the Primary Domain, then the
  156. Sid of that account is returned.
  157. Otherwise, the name is not translated.
  158. NOTE: Proxy, Machine, and Trust user accounts are not referenced
  159. for name translation. Only normal user accounts are used for ID
  160. translation. If translation of other account types is needed, then
  161. SAM services should be used directly.
  162. Arguments:
  163. This function is the LSA server RPC worker routine for the
  164. LsaLookupNamesInLsa API.
  165. PolicyHandle - Handle from an LsaOpenPolicy call.
  166. LookupOptions - values to pass through to LsarLookupNames2 and above.
  167. Count - Specifies the number of names to be translated.
  168. Names - Pointer to an array of Count Unicode String structures
  169. specifying the names to be looked up and mapped to Sids.
  170. The strings may be names of User, Group or Alias accounts or
  171. domains.
  172. ReferencedDomains - receives a pointer to a structure describing the
  173. domains used for the translation. The entries in this structure
  174. are referenced by the structure returned via the Sids parameter.
  175. Unlike the Sids parameter, which contains an array entry for
  176. each translated name, this structure will only contain one
  177. component for each domain utilized in the translation.
  178. When this information is no longer needed, it must be released
  179. by passing the returned pointer to LsaFreeMemory().
  180. Sids - Receives a pointer to an array of records describing each
  181. translated Sid. The nth entry in this array provides a translation
  182. for (the nth element in the Names parameter.
  183. When this information is no longer needed, it must be released
  184. by passing the returned pointer to LsaFreeMemory().
  185. LookupLevel - Specifies the Level of Lookup to be performed on this
  186. machine. Values of this field are are follows:
  187. LsapLookupWksta - First Level Lookup performed on a workstation
  188. normally configured for Windows-Nt. The lookup searches the
  189. Well-Known Sids/Names, and the Built-in Domain and Account Domain
  190. in the local SAM Database. If not all Sids or Names are
  191. identified, performs a "handoff" of a Second level Lookup to the
  192. LSA running on a Controller for the workstation's Primary Domain
  193. (if any).
  194. LsapLookupPDC - Second Level Lookup performed on a Primary Domain
  195. Controller. The lookup searches the Account Domain of the
  196. SAM Database on the controller. If not all Sids or Names are
  197. found, the Trusted Domain List (TDL) is obtained from the
  198. LSA's Policy Database and Third Level lookups are performed
  199. via "handoff" to each Trusted Domain in the List.
  200. LsapLookupTDL - Third Level Lookup performed on a controller
  201. for a Trusted Domain. The lookup searches the Account Domain of
  202. the SAM Database on the controller only.
  203. Flags - flags to control the operation of the function. Currently defined:
  204. LSAIC_NO_LARGE_SID -- implies only call interfaces that will return
  205. the old style format SID (no more than
  206. 28 bytes)
  207. LSAIC_NT4_TARGET -- target server is known to be NT4
  208. LSAIC_WIN2K_TARGET -- target server is known to be Win2k
  209. Return Values:
  210. NTSTATUS - Standard Nt Result Code
  211. STATUS_ACCESS_DENIED - Caller does not have the appropriate access
  212. to complete the operation.
  213. STATUS_SOME_NOT_MAPPED - Some or all of the names provided could
  214. not be mapped. This is an informational status only.
  215. STATUS_INSUFFICIENT_RESOURCES - Insufficient system resources
  216. to complete the call.
  217. --*/
  218. NTSTATUS
  219. LsaICLookupSids(
  220. IN LSA_HANDLE PolicyHandle,
  221. IN ULONG Count,
  222. IN PSID *Sids,
  223. OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
  224. OUT PLSA_TRANSLATED_NAME_EX *Names,
  225. IN LSAP_LOOKUP_LEVEL LookupLevel,
  226. IN ULONG Flags,
  227. IN OUT PULONG MappedCount,
  228. OUT ULONG *ServerRevision OPTIONAL
  229. );
  230. /*++
  231. Routine Description:
  232. WARNING! THIS FUNCTION IS NOT COMPLETELY IMPLEMENTED. ONLY SIDS
  233. MAPPABLE AT THE LOCAL SYSTEM WILL BE TRANSLATED.
  234. The LsaLookupSids API attempts to find names corresponding to Sids.
  235. If a name can not be mapped to a Sid, the Sid is converted to character
  236. form. The caller must have POLICY_LOOKUP_NAMES access to the Policy
  237. object.
  238. WARNING: This routine allocates memory for its output. The caller is
  239. responsible for freeing this memory after use. See description of the
  240. Names parameter.
  241. Arguments:
  242. PolicyHandle - Handle from an LsaOpenPolicy call.
  243. Count - Specifies the number of Sids to be translated.
  244. Sids - Pointer to an array of Count pointers to Sids to be mapped
  245. to names. The Sids may be well_known SIDs, SIDs of User accounts
  246. Group Accounts, Alias accounts, or Domains.
  247. ReferencedDomains - Receives a pointer to a structure describing the
  248. domains used for the translation. The entries in this structure
  249. are referenced by the strutcure returned via the Names parameter.
  250. Unlike the Names paraemeter, which contains an array entry
  251. for (each translated name, this strutcure will only contain
  252. component for each domain utilized in the translation.
  253. When this information is no longer needed, it must be released
  254. by passing the returned pointer to LsaFreeMemory().
  255. Names - Receives a pointer to array records describing each translated
  256. name. The nth entry in this array provides a translation for
  257. the nth entry in the Sids parameter.
  258. All of the retruned names will be isolated names or NULL strings
  259. (domain names are returned as NULL strings). If the caller needs
  260. composite names, they can be generated by prepending the
  261. isolated name with the domain name and a backslash. For example,
  262. if (the name Sally is returned, and it is from the domain Manufact,
  263. then the composite name would be "Manufact" + "\" + "Sally" or
  264. "Manufact\Sally".
  265. When this information is no longer needed, it must be released
  266. by passing the returned pointer to LsaFreeMemory().
  267. If a Sid is not translatable, then the following will occur:
  268. 1) If the SID's domain is known, then a reference domain record
  269. will be generated with the domain's name. In this case, the
  270. name returned via the Names parameter is a Unicode representation
  271. of the relative ID of the account, such as "(314)" or the null
  272. string, if the Sid is that of a domain. So, you might end up
  273. with a resultant name of "Manufact\(314) for the example with
  274. Sally above, if Sally's relative id is 314.
  275. 2) If not even the SID's domain could be located, then a full
  276. Unicode representation of the SID is generated and no domain
  277. record is referenced. In this case, the returned string might
  278. be something like: "(S-1-672194-21-314)".
  279. When this information is no longer needed, it must be released
  280. by passing the returned pointer to LsaFreeMemory().
  281. LookupLevel - Specifies the Level of Lookup to be performed on this
  282. machine. Values of this field are are follows:
  283. LsapLookupWksta - First Level Lookup performed on a workstation
  284. normally configured for Windows-Nt. The lookup searches the
  285. Well-Known Sids/Names, and the Built-in Domain and Account Domain
  286. in the local SAM Database. If not all Sids or Names are
  287. identified, performs a "handoff" of a Second level Lookup to the
  288. LSA running on a Controller for the workstation's Primary Domain
  289. (if any).
  290. LsapLookupPDC - Second Level Lookup performed on a Primary Domain
  291. Controller. The lookup searches the Account Domain of the
  292. SAM Database on the controller. If not all Sids or Names are
  293. found, the Trusted Domain List (TDL) is obtained from the
  294. LSA's Policy Database and Third Level lookups are performed
  295. via "handoff" to each Trusted Domain in the List.
  296. LsapLookupTDL - Third Level Lookup performed on a controller
  297. for a Trusted Domain. The lookup searches the Account Domain of
  298. the SAM Database on the controller only.
  299. Flags:
  300. LSAIC_NT4_TARGET -- target server is known to be NT4
  301. LSAIC_WIN2K_TARGET -- target server is known to be Win2k
  302. ServerRevision : the revision of the server that is called
  303. Return Values:
  304. NTSTATUS - Standard Nt Result Code
  305. STATUS_ACCESS_DENIED - Caller does not have the appropriate access
  306. to complete the operation.
  307. STATUS_SOME_NOT_MAPPED - Some or all of the names provided could not be
  308. mapped. This is a warning only.
  309. Rest TBS
  310. --*/
  311. #endif // _LSAICLI_