windows-nt/Source/XPSP1/NT/ds/published/inc/lsaicli.w

422 lines
15 KiB
OpenEdge ABL
Raw Permalink Normal View History

2020-09-26 03:20:57 -05:00
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
lsaicli.h
Abstract:
Local Security Authority - Definitions for internal LSA Clients.
NOTE: This file is included via lsaclip.h or lsasrvp.h. It should
not be included directly.
This module contains definitions used only when callouts are made
from one LSA to another, i.e. where the server side of one LSA
communicates with the client side of another LSA.
Author:
Scott Birrell (ScottBi) April 9, 1992
Environment:
Revision History:
--*/
#ifndef _LSAICLI_
#define _LSAICLI_
//
// The following datatype specifies the Call Level for Sid and Name
// Lookup operations.
//
typedef enum _LSAP_LOOKUP_LEVEL {
LsapLookupWksta = 1,
LsapLookupPDC,
LsapLookupTDL,
LsapLookupGC, // valid only on NT5 domain controllers
LsapLookupXForestReferral, // valid only on NT5.1 domain controllers
LsapLookupXForestResolve // valid only on NT5.1 domain controllers
} LSAP_LOOKUP_LEVEL, *PLSAP_LOOKUP_LEVEL;
//
// where the entries have the following meaning:
//
// LsapLookupWksta - First Level Lookup performed on a workstation
// normally configured for Windows-Nt. The lookup searches the
// Well-Known Sids/Names, and the Built-in Domain and Account Domain
// in the local SAM Database. If not all Sids or Names are
// identified, performs a "handoff" of a Second level Lookup to the
// LSA running on a Controller for the workstation's Primary Domain
// (if any).
//
// LsapLookupPDC - Second Level Lookup performed on a Primary Domain
// Controller. The lookup searches the Account Domain of the
// SAM Database on the controller. If not all Sids or Names are
// found, the Trusted Domain List (TDL) is obtained from the
// LSA's Policy Database and Third Level lookups are performed
// via "handoff" to each Trusted Domain in the List.
//
// LsapLookupTDL - Third Level Lookup performed on a controller
// for a Trusted Domain. The lookup searches the Account Domain of
// the SAM Database on the controller only.
//
// LsapLookupGC - This is used by a workstation to perform a lookup at a GC
// This resolves UPN's, samaccountname's with NetBios and DNS domain names,
// Sid's and Sid Histories for transitivly trusted domains (within a
// forest). This lookup level is only used when a NT5+ client is in
// a mixed domain and its secure channel DC is NT4
//
// LsapLookupXForestReferral -- This is used to pass entries (names and Sids)
// to the root of the forest via the trust chain. After a set of entries,
// comes back from the GC, some may be marked as belonging to a cross
// forest. These entries are then passed on to the DC's parent domain until
// the root of the domain is reached. The root will then issue a
// LsapLookupXForestResolve directed at a DC in the external forest.
//
// LpsaLookupXForestResolve -- This level is used by the root of one forest
// lookup entries from the DC in another forest.
//
typedef struct _LSA_TRANSLATED_NAME_EX
{
SID_NAME_USE Use;
LSA_UNICODE_STRING Name;
LONG DomainIndex;
ULONG Flags;
} LSA_TRANSLATED_NAME_EX;
typedef struct _LSA_TRANSLATED_NAME_EX *PLSA_TRANSLATED_NAME_EX;
typedef struct _LSA_TRANSLATED_NAMES
{
ULONG Entries;
PLSA_TRANSLATED_NAME_EX Names;
} LSA_TRANSLATED_NAMES_EX;
typedef struct _LSA_TRANSLATED_NAMES *PLSA_TRANSLATED_NAMES_EX;
typedef struct _LSA_TRANSLATED_SID_EX
{
SID_NAME_USE Use;
ULONG RelativeId;
LONG DomainIndex;
ULONG Flags;
} LSA_TRANSLATED_SID_EX;
typedef struct _LSA_TRANSLATED_SID_EX *PLSA_TRANSLATED_SID_EX;
typedef struct _LSA_TRANSLATED_SIDS_EX
{
ULONG Entries;
PLSA_TRANSLATED_SID_EX Names;
} LSA_TRANSLATED_SIDS_EX;
typedef struct _LSA_TRANSLATED_SIDS_EX *PLSA_TRANSLATED_SIDS_EX;
typedef struct _LSA_TRANSLATED_SID_EX2
{
SID_NAME_USE Use;
PSID Sid;
LONG DomainIndex;
ULONG Flags;
} LSA_TRANSLATED_SID_EX2;
typedef struct _LSA_TRANSLATED_SID_EX2 *PLSA_TRANSLATED_SID_EX2;
typedef struct _LSA_TRANSLATED_SIDS_EX2
{
ULONG Entries;
PLSA_TRANSLATED_SID_EX2 Names;
} LSA_TRANSLATED_SIDS_EX2;
typedef struct _LSA_TRANSLATED_SIDS_EX2 *PLSA_TRANSLATED_SIDS_EX2;
#define LSAIC_NO_LARGE_SID 0x00000001
#define LSAIC_NT4_TARGET 0x00000002
#define LSAIC_WIN2K_TARGET 0x00000004
NTSTATUS
LsaICLookupNames(
IN LSA_HANDLE PolicyHandle,
IN ULONG LookupOptions,
IN ULONG Count,
IN PUNICODE_STRING Names,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_SID_EX2 *Sids,
IN LSAP_LOOKUP_LEVEL LookupLevel,
IN ULONG Flags,
IN OUT PULONG MappedCount,
IN OUT PULONG ServerRevision
);
/*++
Routine Description:
This function is the internal client side version of the LsaLookupNames
API. It is called both from the client side (as an internal routine)
and the server side of the LSA. The function is identical to the
LsaLookupNames API except that there is an additional parameter, the
LookupLevel parameter.
The LsaLookupNames API attempts to translate names of domains, users,
groups or aliases to Sids. The caller must have POLICY_LOOKUP_NAMES
access to the Policy object.
Names may be either isolated (e.g. JohnH) or composite names containing
both the domain name and account name. Composite names must include a
backslash character separating the domain name from the account name
(e.g. Acctg\JohnH). An isolated name may be either an account name
(user, group, or alias) or a domain name.
Translation of isolated names introduces the possibility of name
collisions (since the same name may be used in multiple domains). An
isolated name will be translated using the following algorithm:
If the name is a well-known name (e.g. Local or Interactive), then the
corresponding well-known Sid is returned.
If the name is the Built-in Domain's name, then that domain's Sid
will be returned.
If the name is the Account Domain's name, then that domain's Sid
will be returned.
If the name is the Primary Domain's name, then that domain's Sid will
be returned.
If the name is a user, group, or alias in the Built-in Domain, then the
Sid of that account is returned.
If the name is a user, group, or alias in the Primary Domain, then the
Sid of that account is returned.
Otherwise, the name is not translated.
NOTE: Proxy, Machine, and Trust user accounts are not referenced
for name translation. Only normal user accounts are used for ID
translation. If translation of other account types is needed, then
SAM services should be used directly.
Arguments:
This function is the LSA server RPC worker routine for the
LsaLookupNamesInLsa API.
PolicyHandle - Handle from an LsaOpenPolicy call.
LookupOptions - values to pass through to LsarLookupNames2 and above.
Count - Specifies the number of names to be translated.
Names - Pointer to an array of Count Unicode String structures
specifying the names to be looked up and mapped to Sids.
The strings may be names of User, Group or Alias accounts or
domains.
ReferencedDomains - receives a pointer to a structure describing the
domains used for the translation. The entries in this structure
are referenced by the structure returned via the Sids parameter.
Unlike the Sids parameter, which contains an array entry for
each translated name, this structure will only contain one
component for each domain utilized in the translation.
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
Sids - Receives a pointer to an array of records describing each
translated Sid. The nth entry in this array provides a translation
for (the nth element in the Names parameter.
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
LookupLevel - Specifies the Level of Lookup to be performed on this
machine. Values of this field are are follows:
LsapLookupWksta - First Level Lookup performed on a workstation
normally configured for Windows-Nt. The lookup searches the
Well-Known Sids/Names, and the Built-in Domain and Account Domain
in the local SAM Database. If not all Sids or Names are
identified, performs a "handoff" of a Second level Lookup to the
LSA running on a Controller for the workstation's Primary Domain
(if any).
LsapLookupPDC - Second Level Lookup performed on a Primary Domain
Controller. The lookup searches the Account Domain of the
SAM Database on the controller. If not all Sids or Names are
found, the Trusted Domain List (TDL) is obtained from the
LSA's Policy Database and Third Level lookups are performed
via "handoff" to each Trusted Domain in the List.
LsapLookupTDL - Third Level Lookup performed on a controller
for a Trusted Domain. The lookup searches the Account Domain of
the SAM Database on the controller only.
Flags - flags to control the operation of the function. Currently defined:
LSAIC_NO_LARGE_SID -- implies only call interfaces that will return
the old style format SID (no more than
28 bytes)
LSAIC_NT4_TARGET -- target server is known to be NT4
LSAIC_WIN2K_TARGET -- target server is known to be Win2k
Return Values:
NTSTATUS - Standard Nt Result Code
STATUS_ACCESS_DENIED - Caller does not have the appropriate access
to complete the operation.
STATUS_SOME_NOT_MAPPED - Some or all of the names provided could
not be mapped. This is an informational status only.
STATUS_INSUFFICIENT_RESOURCES - Insufficient system resources
to complete the call.
--*/
NTSTATUS
LsaICLookupSids(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PSID *Sids,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_NAME_EX *Names,
IN LSAP_LOOKUP_LEVEL LookupLevel,
IN ULONG Flags,
IN OUT PULONG MappedCount,
OUT ULONG *ServerRevision OPTIONAL
);
/*++
Routine Description:
WARNING! THIS FUNCTION IS NOT COMPLETELY IMPLEMENTED. ONLY SIDS
MAPPABLE AT THE LOCAL SYSTEM WILL BE TRANSLATED.
The LsaLookupSids API attempts to find names corresponding to Sids.
If a name can not be mapped to a Sid, the Sid is converted to character
form. The caller must have POLICY_LOOKUP_NAMES access to the Policy
object.
WARNING: This routine allocates memory for its output. The caller is
responsible for freeing this memory after use. See description of the
Names parameter.
Arguments:
PolicyHandle - Handle from an LsaOpenPolicy call.
Count - Specifies the number of Sids to be translated.
Sids - Pointer to an array of Count pointers to Sids to be mapped
to names. The Sids may be well_known SIDs, SIDs of User accounts
Group Accounts, Alias accounts, or Domains.
ReferencedDomains - Receives a pointer to a structure describing the
domains used for the translation. The entries in this structure
are referenced by the strutcure returned via the Names parameter.
Unlike the Names paraemeter, which contains an array entry
for (each translated name, this strutcure will only contain
component for each domain utilized in the translation.
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
Names - Receives a pointer to array records describing each translated
name. The nth entry in this array provides a translation for
the nth entry in the Sids parameter.
All of the retruned names will be isolated names or NULL strings
(domain names are returned as NULL strings). If the caller needs
composite names, they can be generated by prepending the
isolated name with the domain name and a backslash. For example,
if (the name Sally is returned, and it is from the domain Manufact,
then the composite name would be "Manufact" + "\" + "Sally" or
"Manufact\Sally".
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
If a Sid is not translatable, then the following will occur:
1) If the SID's domain is known, then a reference domain record
will be generated with the domain's name. In this case, the
name returned via the Names parameter is a Unicode representation
of the relative ID of the account, such as "(314)" or the null
string, if the Sid is that of a domain. So, you might end up
with a resultant name of "Manufact\(314) for the example with
Sally above, if Sally's relative id is 314.
2) If not even the SID's domain could be located, then a full
Unicode representation of the SID is generated and no domain
record is referenced. In this case, the returned string might
be something like: "(S-1-672194-21-314)".
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
LookupLevel - Specifies the Level of Lookup to be performed on this
machine. Values of this field are are follows:
LsapLookupWksta - First Level Lookup performed on a workstation
normally configured for Windows-Nt. The lookup searches the
Well-Known Sids/Names, and the Built-in Domain and Account Domain
in the local SAM Database. If not all Sids or Names are
identified, performs a "handoff" of a Second level Lookup to the
LSA running on a Controller for the workstation's Primary Domain
(if any).
LsapLookupPDC - Second Level Lookup performed on a Primary Domain
Controller. The lookup searches the Account Domain of the
SAM Database on the controller. If not all Sids or Names are
found, the Trusted Domain List (TDL) is obtained from the
LSA's Policy Database and Third Level lookups are performed
via "handoff" to each Trusted Domain in the List.
LsapLookupTDL - Third Level Lookup performed on a controller
for a Trusted Domain. The lookup searches the Account Domain of
the SAM Database on the controller only.
Flags:
LSAIC_NT4_TARGET -- target server is known to be NT4
LSAIC_WIN2K_TARGET -- target server is known to be Win2k
ServerRevision : the revision of the server that is called
Return Values:
NTSTATUS - Standard Nt Result Code
STATUS_ACCESS_DENIED - Caller does not have the appropriate access
to complete the operation.
STATUS_SOME_NOT_MAPPED - Some or all of the names provided could not be
mapped. This is a warning only.
Rest TBS
--*/
#endif // _LSAICLI_