/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */

/*
 * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Local Security Authority RPC (LSAR) client-side interface.
 */

/*
 * The maximum number of bytes we are prepared to deal with in a
 */

/*
 * This structure is used when looking up names. We only lookup one
 * name at a time but the structure will allow for more.
 */

/*
 * Wrapper function for the actual LSA lookup operation.
 *
 * Upon detection of a DC failure, reports the failed DC to the DC failover
 * service and retries with a newly selected DC after DC failover completes.
 */

/*
 * Obtain an LSA policy handle using OpenPolicy2. A policy handle is
 * required to access LSA resources on a remote server. The server
 * name supplied does not need the double backslash prefix; it will
 *
 * If username is NULL, an anonymous connection will be established.
 * Otherwise, an authenticated connection will be established.
 *
 * Returns 0 on success. Otherwise non-zero to indicate a failure.
 */

/*
 * Obtain an LSA account handle. The lsa_handle must be a valid handle
 * obtained via lsar_open_policy2. The main thing to remember here is
 * to set up the context in the lsa_account_handle. I'm not sure what
 * the requirements are for desired access. Some values require admin
 *
 * Returns 0 on success. Otherwise non-zero to indicate a failure.
 */

/*
 * Close the LSA connection associated with the handle. The lsa_handle
 * must be a valid handle obtained via a call to lsar_open_policy2 or
 * lsar_open_account. On success the handle will be zeroed out to
 * ensure that it is not used again. If this is the top level handle
 * (i.e. the one obtained via lsar_open_policy2) the pipe is closed.
 *
 * Returns 0 on success. Otherwise non-zero to indicate a failure.
 */

/*
 * lsar_query_security_desc
 *
 * Don't use this call yet. It is just a place holder for now.
 */

/*
 * lsar_query_info_policy
 *
 * The general purpose of this function is to allow various pieces of
 * information to be queried on the domain controller. The only
 * information queries supported are MSLSA_POLICY_PRIMARY_DOMAIN_INFO
 * and MSLSA_POLICY_ACCOUNT_DOMAIN_INFO.
 *
 * On success, the return code will be 0 and the user_info structure
 * will be set up. The sid_name_use field will be set to SidTypeDomain
 * indicating that the domain name and domain sid fields are valid. If
 * the infoClass returned from the server is not one of the supported
 * values, the sid_name_use will be set to SidTypeUnknown. If the RPC
 * fails, a negative error code will be returned, in which case the
 * user_info will not have been updated.
 */

/*
 * This is a wrapper for the various lookup sid RPCs.
 */

/*
 * Windows 2000 doesn't like an LSA lookup for
 * DOMAIN\Administrator.
 */

/*
 * The name may be in one of the following forms:
 */

/*
 * Return a strdup'd copy of the username. The caller is responsible
 * for freeing the allocated memory.
 */

/*
 * lsar_lookup_names1
 *
 * Lookup a name and obtain the domain and user rid.
 *
 * Note: NT returns an error if the mapped_count is non-zero when the RPC
 *
 * If the lookup fails, the status will typically be NT_STATUS_NONE_MAPPED.
 */

/*
 * lsar_lookup_names2
 */

/*
 * lsar_lookup_names3
 */

/*
 * lsar_lookup_names4
 *
 * This function is only valid if the remote RPC server is a domain
 * controller and requires the security extensions defined in MS-RPCE.
 *
 * Domain controllers will return RPC_NT_PROTSEQ_NOT_SUPPORTED here
 * because we don't support the RPC_C_AUTHN_NETLOGON security provider.
 * Non-domain controllers will return NT_STATUS_INVALID_SERVER_STATE.
 */

/*
 * Lookup a sid and obtain the domain sid and account name.
 * This is a wrapper for the various lookup sid RPCs.
 */

/*
 * This function is only valid if the remote RPC server is a domain
 * controller and requires the security extensions defined in MS-RPCE.
 *
 * Domain controllers will return RPC_NT_PROTSEQ_NOT_SUPPORTED here
 * because we don't support the RPC_C_AUTHN_NETLOGON security provider.
 * Non-domain controllers will return NT_STATUS_INVALID_SERVER_STATE.
 */

/*
 * lsar_enum_accounts
 *
 * Enumerate the list of accounts (i.e. SIDs). Use the handle returned
 * from lsa_open_policy2. The enum_context is used to support multiple
 * calls to this enumeration function. It should be set to 0 on the
 * first call. It will be updated by the domain controller and should
 * simply be passed unchanged to subsequent calls until there are no
 * more accounts. A warning status of 0x1A indicates that no more data
 * is available. The list of accounts will be returned in accounts.
 * This list is dynamically allocated using malloc; it should be freed
 * by the caller when it is no longer required.
 */

/*
 * lsar_enum_trusted_domains
 *
 * Enumerate the list of trusted domains. Use the handle returned from
 * lsa_open_policy2. The enum_context is used to support multiple calls
 * to this enumeration function. It should be set to 0 on the first
 * call. It will be updated by the domain controller and should simply
 * be passed unchanged to subsequent calls until there are no more
 *
 * The trusted domains aren't actually returned here. They are added
 * to the NT domain database. After all of the trusted domains have
 * been discovered, the database can be interrogated to find all of
 * the trusted domains.
 */

/*
 * STATUS_NO_MORE_ENTRIES provides call
 * status but does not indicate an error.
 */

/*
 * STATUS_NO_MORE_ENTRIES provides call
 * status but does not indicate an error.
 */

/*
 * lsar_enum_privs_account
 *
 * Privileges enum? Need an account handle.
 */

/*
 * lsar_lookup_priv_value
 *
 * Map a privilege name to a local unique id (LUID). Privilege names
 * are consistent across the network. LUIDs are machine specific.
 * This function provides the means to map a privilege name to the
 * LUID used by a remote server to represent it. The handle here is
 */

/*
 * lsar_lookup_priv_name
 *
 * Map a local unique id (LUID) to a privilege name. Privilege names
 * are consistent across the network. LUIDs are machine specific.
 * This function provides the means to map the LUID used by a remote server to
 * the appropriate privilege name. The handle here is a policy handle.
 */

/*
 * lsar_lookup_priv_display_name
 *
 * Map a privilege name to a privilege display name. The input handle
 * should be an LSA policy handle and the name would normally be one
 *
 * There's something peculiar about the return status from NT servers,
 * it's not always present. So for now, I'm ignoring the status in the
 *
 * Returns NT status codes.
 */
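The enum_context contract shared by lsar_enum_accounts and lsar_enum_trusted_domains (context set to 0 on the first call, handed back unchanged, and the 0x1A STATUS_NO_MORE_ENTRIES warning treated as end-of-data rather than failure), modelled as an added example that is not code from the illumos source: `fake_enum_accounts`, `enumerate_all_accounts` and the in-memory stand-in DC are hypothetical, and the SIDs are constructed sample values.

```c
#include <stdlib.h>
#include <stdint.h>
#define NT_STATUS_SUCCESS      0
#define STATUS_NO_MORE_ENTRIES 0x1A  /* warning status named on the page; not an error */
/* Constructed sample SIDs served by the stand-in DC, two per call. */
static const char *fake_dc_sids[] = { "S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-501",
    "S-1-5-21-1-2-3-1000", "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002" };
#define FAKE_DC_NSIDS 5
#define FAKE_DC_PAGE  2

/* Hypothetical stand-in for lsar_enum_accounts (not the real signature): the */
/* context is 0 on the first call and advanced here; *accounts is malloc'd. */
static int
fake_enum_accounts(uint32_t *enum_context, const char ***accounts, int *count)
{
    int start = (int)*enum_context, n, i;
    *accounts = NULL;
    *count = 0;
    if (start >= FAKE_DC_NSIDS)
        return (STATUS_NO_MORE_ENTRIES);
    n = FAKE_DC_NSIDS - start < FAKE_DC_PAGE ? FAKE_DC_NSIDS - start : FAKE_DC_PAGE;
    if ((*accounts = malloc(n * sizeof (const char *))) == NULL)
        return (-1);
    for (i = 0; i < n; i++)
        (*accounts)[i] = fake_dc_sids[start + i];
    *count = n;
    *enum_context = (uint32_t)(start + n);  /* cursor is owned by the "DC" */
    return (NT_STATUS_SUCCESS);
}

/* Client loop: pass enum_context back unchanged and treat */
/* STATUS_NO_MORE_ENTRIES as end-of-data. Returns accounts seen, or -1. */
int
enumerate_all_accounts(int *calls_made)
{
    uint32_t ctx = 0;
    const char **page;
    int n, total = 0, rc;
    for (*calls_made = 0; ; (*calls_made)++) {
        rc = fake_enum_accounts(&ctx, &page, &n);
        if (rc == STATUS_NO_MORE_ENTRIES)
            break;
        if (rc != NT_STATUS_SUCCESS)
            return (-1);
        total += n;
        free(page);  /* caller owns each returned list */
    }
    return (total);
}
```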