lsarpc.ndl revision da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
***********************************************************************
* Local Security Authority RPC (LSARPC) interface definition.
***********************************************************************
*/
#include "ndrtypes.ndl"
/*
* There are at least two lookup level settings. Level 1 appears to mean
* only look on the local host and level 2 means forward the request to
* the PDC. On the PDC it probably doesn't matter which level you use but
* on a BDC a level 1 lookup will fail if the BDC doesn't have the info
* whereas a level 2 lookup will also check with the PDC.
*/
/*
* Definition for a SID. The ndl compiler won't allow a typedef of
* a structure containing variable size members.
*/
};
};
};
};
/*
***********************************************************************
* OpenPolicy2 obtains a handle for a remote LSA. This handle is
* required for all subsequent LSA requests.
*
* The server name should be the name of the target PDC or BDC, with
* the double backslash prefix.
*
* As far as I can tell, the mslsa_object_attributes structure can be
* all zero except for the length, which should be set to sizeof(struct
* mslsa_object_attributes).
*
* For read access, the desired access mask should contain the
* READ_CONTROL standard right and whatever policy rights are required.
* I haven't tried any update operations but if you get the access mask
* wrong you can crash the domain controller.
***********************************************************************
*/
/*
* From netmon:
* length = 12
* impersonation_level = 2
* context_tracking_mode = 1
* effective_only = 0
*/
};
};
};
};
/*
***********************************************************************
* CloseHandle closes an association with the LSA. The returned handle
* will be all zero.
***********************************************************************
*/
};
/*
***********************************************************************
* EnumPrivileges
*
* Obtain a list of privilege names. This interface is not implemented
* yet The definition below has not been tested. This is a guess based
* on data available from netmon.
***********************************************************************
*/
};
};
};
/*
***********************************************************************
* QuerySecurityObject. I'm not entirely sure how to set this up yet.
* I used the discovery RPC to scope it out. The structures are set up
* according to netmon and the assumption that a security descriptor
* on the wire looks like the regular user level security descriptor.
***********************************************************************
*/
};
/* struct mslsa_SecurityDescriptor *desc; */
};
};
/*
***********************************************************************
* EnumerateAccounts and EnumerateTrustedDomain.
***********************************************************************
*/
};
};
};
};
};
};
/*
***********************************************************************
* Definitions common to both LookupSids and LookupNames. Both return
* an mslsa_domain_table[]. Each interface also returns a specific
* table with entries which index the mslsa_domain_table[].
***********************************************************************
*/
};
};
/*
***********************************************************************
* Definitions for LookupSids.
*
* The input parameters are:
*
* A valid LSA handle obtained from an LsarOpenPolicy.
* The table of SIDs to be looked up.
* A table of names (probably empty).
* The lookup level (local=1 or PDC=2).
* An enumeration counter (used for continuation operations).
*
* The output results are:
*
* A table of referenced domains.
* A table of usernames.
* The updated value of the enumeration counter.
* The result status.
***********************************************************************
*/
};
};
};
};
};
/*
***********************************************************************
* Definitions for LookupNames.
*
* LookupNames requires the following input parameters.
*
* A valid LSA handle obtained from an LsarOpenPolicy.
* The table of names to be looked up.
* A table of translated sids (probably empty).
* The lookup level (local=1 or PDC=2).
* An enumeration counter (used for continuation operations).
*
* The outputs are as follows.
*
* A table of referenced domains.
* A table of translated sids (actually rids).
* The updated value of the enumeration counter.
* The result status.
***********************************************************************
*/
};
};
};
};
/*
***********************************************************************
* QueryInfoPolicy returns various pieces of policy information. The
* desired information is specified using a class value, as defined
* below.
***********************************************************************
*/
};
};
/*
struct mslsa_ServerRoleInfo {
WORD unknown_0x0003;
WORD unknown_0x000e;
};
*/
};
};
};
/*
***********************************************************************
* OpenAccount.
*
* Returns a handle that can be used to access the account specified
* by a SID. This handle can be used to enumerate account privileges.
***********************************************************************
*/
};
/*
***********************************************************************
* EnumPrivilegesAccount.
*
* Enumerate the list of privileges held by the specified account. The
* handle must be a valid account handle obtained via OpenAccount. The
* luid values returned will be probably only be relevant on the domain
* controller so we'll need to find a way to convert them to the
* actual privilege names.
***********************************************************************
*/
};
};
};
/*
***********************************************************************
* LookupPrivValue
*
* Map a privilege name to a local unique id (LUID). Privilege names
* are consistent across the network. LUIDs are machine specific.
* The privilege list is provided as a set of LUIDs so the privilege
* lookup functions must be used to identify which the privilege to
* which each LUID refers. The handle here is a policy handle.
***********************************************************************
*/
};
/*
***********************************************************************
* LookupPrivName
*
* Map a privilege value (LUID) to a privilege name. Privilege names
* are consistent across the network. LUIDs are machine specific.
* The privilege list is provided as a set of LUIDs so the privilege
* lookup functions must be used to identify which the privilege to
* which each LUID refers. The handle here is a policy handle.
***********************************************************************
*/
};
/*
***********************************************************************
* LookupPrivDisplayName
*
* Map a privilege name to a local unique id (LUID). Privilege names
* are consistent across the network. LUIDs are machine specific.
* The privilege list is provided as a set of LUIDs so the privilege
* lookup functions must be used to identify which the privilege to
* which each LUID refers. The handle here is a policy handle.
***********************************************************************
*/
};
/*
***********************************************************************
* GetConnectedUser
*
* This is still guesswork. Netmon doesn't know about this
* call and I'm not really sure what it is intended to achieve.
* Another packet capture application, Ethereal, calls this RPC as
* GetConnectedUser.
* We will receive our own hostname in the request and it appears
* we should respond with an account name and the domain name of connected
* user from the client that makes this call.
***********************************************************************
*/
};
};
/*
***********************************************************************
* LSARPC_OPNUM_LookupSids2
*
* SID lookup function that appeared in Windows 2000. It appears to be
* very similar to the original SID lookup RPC. There are two extra IN
* parameters, which we don't care about. The OUT name structure has
* an extra field, in which zero seems to be okay.
***********************************************************************
*/
};
};
};
/*
***********************************************************************
* LSARPC_OPNUM_LookupNames2
*
* Name lookup function that appeared in Windows 2000. It appears to be
* very similar to the original name lookup RPC. There are two extra IN
* parameters, which we don't care about. The lsar_rid_entry2 structure
* has an extra field, in which zero seems to be okay.
***********************************************************************
*/
};
};
};
/*
***********************************************************************
* This is a generic discovery entry. As long as the handle is valid
* this is useful for scoping the network to discover new worlds. To
* seek out new life, new civilizations. To boldly spilt infinitives
* where no man has gone before. So basically we send and receive a
* big buffer and let netmon tell us to which RPC the opnum refers.
***********************************************************************
*/
};
/*
***********************************************************************
* The LSARPC interface definition.
***********************************************************************
*/
INTERFACE(0)
};
#endif /* _MLSVC_LSA_NDL_ */