windows-nt/Source/XPSP1/NT/ds/security/base/lsa/server/db.h

1384 lines
34 KiB
C
Raw Normal View History

2020-09-26 03:20:57 -05:00
/*++ BUILD Version: 0001 // Increment this if a change has global effects
Copyright (c) 1991 Microsoft Corporation
Module Name:
db.h
Abstract:
LSA Database Exported Function Definitions, Datatypes and Defines
This module contains the LSA Database Routines that may be called
by parts of the LSA outside the Database sub-component.
Author:
Scott Birrell (ScottBi) August 26, 1991
Environment:
Revision History:
--*/
#ifndef _LSA_DB_
#define _LSA_DB_
//
// Maximum Number of attributes in the various object types
//
#define LSAP_DB_ATTRS_POLICY ((ULONG) 0x00000010L)
#define LSAP_DB_ATTRS_ACCOUNT ((ULONG) 0x00000010L)
#define LSAP_DB_ATTRS_DOMAIN ((ULONG) 0x00000012L)
#define LSAP_DB_ATTRS_SECRET ((ULONG) 0x00000010L)
//
// Constants for matching options on Sid/Name lookup operations
//
#define LSAP_DB_MATCH_ON_SID ((ULONG) 0x00000001L)
#define LSAP_DB_MATCH_ON_NAME ((ULONG) 0x00000002L)
//
// Options for LsapDbLookupSidsInLocalDomains()
//
#define LSAP_DB_SEARCH_BUILT_IN_DOMAIN ((ULONG) 0x00000001L)
#define LSAP_DB_SEARCH_ACCOUNT_DOMAIN ((ULONG) 0x00000002L)
//
// Options for LsapDbMergeDisjointReferencedDomains
//
#define LSAP_DB_USE_FIRST_MERGAND_GRAPH ((ULONG) 0x00000001L)
#define LSAP_DB_USE_SECOND_MERGAND_GRAPH ((ULONG) 0x00000002L)
//
// Option for updating Policy Database
//
#define LSAP_DB_UPDATE_POLICY_DATABASE ((ULONG) 0x00000001L)
//
// Option for updating Policy Database
//
#define LSAP_DB_UPDATE_POLICY_DATABASE ((ULONG) 0x00000001L)
//
// Maximum number of attributes corresponding to a Policy Object
// Information Class
//
#define LSAP_DB_ATTRS_INFO_CLASS_POLICY ((ULONG) 0x00000007L)
//
// Maximum number of attributes corresponding to a Trusted Domain Object
// Information Class
//
#define LSAP_DB_ATTRS_INFO_CLASS_DOMAIN ((ULONG) 0x00000010L)
//
// Global variables
//
extern BOOLEAN LsapDbRequiresSidInfo[];
extern BOOLEAN LsapDbRequiresNameInfo[];
extern LSAPR_HANDLE LsapDbHandle;
extern BOOLEAN LsapSetupWasRun;
extern BOOLEAN LsapDatabaseSetupPerformed;
extern NT_PRODUCT_TYPE LsapProductType;
extern WORD LsapProductSuiteMask;
extern BOOLEAN LsapDsIsRunning;
extern BOOLEAN LsapDsWReplEnabled;
//
// Table of accesses required to query Policy Information. This table
// is indexed by Policy Information Class
//
extern ACCESS_MASK LsapDbRequiredAccessQueryPolicy[];
extern ACCESS_MASK LsapDbRequiredAccessQueryDomainPolicy[];
//
// Table of accesses required to set Policy Information. This table
// is indexed by Policy Information Class
//
extern ACCESS_MASK LsapDbRequiredAccessSetPolicy[];
extern ACCESS_MASK LsapDbRequiredAccessSetDomainPolicy[];
//
// Table of accesses required to query TrustedDomain Information. This table
// is indexed by TrustedDomain Information Class
//
extern ACCESS_MASK LsapDbRequiredAccessQueryTrustedDomain[];
//
// Table of accesses required to set TrustedDomain Information. This table
// is indexed by TrustedDomain Information Class
//
extern ACCESS_MASK LsapDbRequiredAccessSetTrustedDomain[];
//
// Maximum Handle Reference Count
//
#define LSAP_DB_MAXIMUM_REFERENCE_COUNT ((ULONG) 0x00001000L)
//
// Maximum handles per user logon id
// This was determined by taking the "interesting" access bits and generating possible
// permutations and using that. The interesting bits were determined to be:
// POLICY_VIEW_LOCAL_INFORMATION
// POLICY_VIEW_AUDIT_INFORMATION
// POLICY_TRUST_ADMIN
// POLICY_CREATE_ACCOUNT
// POLICY_CREATE_SECRET
// POLICY_LOOKUP_NAMES
// The possible combinations add up to 720 entries
#define LSAP_DB_MAXIMUM_HANDLES_PER_USER 0x000002D0
//
// Default Computer Name used for Policy Account Domain Info
//
#define LSAP_DB_DEFAULT_COMPUTER_NAME (L"MACHINENAME")
//
// Options for the LsaDbReferenceObject and LsaDbDereferenceObject
//
#define LSAP_DB_LOCK ((ULONG) 0x00000001L)
#define LSAP_DB_NO_LOCK ((ULONG) 0x00000004L)
#define LSAP_DB_START_TRANSACTION ((ULONG) 0x00000008L)
#define LSAP_DB_FINISH_TRANSACTION ((ULONG) 0x00000010L)
#define LSAP_DB_VALIDATE_HANDLE ((ULONG) 0x00000020L)
#define LSAP_DB_TRUSTED ((ULONG) 0x00000040L)
#define LSAP_DB_STANDALONE_REFERENCE ((ULONG) 0x00000080L)
#define LSAP_DB_DEREFERENCE_CONTR ((ULONG) 0x00000100L)
#define LSAP_DB_LOG_QUEUE_LOCK ((ULONG) 0x00001000L)
#define LSAP_DB_OMIT_REPLICATOR_NOTIFICATION ((ULONG) 0x00004000L)
#define LSAP_DB_USE_LPC_IMPERSONATE ((ULONG) 0x00008000L)
#define LSAP_DB_ADMIT_DELETED_OBJECT_HANDLES ((ULONG) 0x00010000L)
#define LSAP_DB_DS_NO_PARENT_OBJECT ((ULONG) 0x00080000L)
#define LSAP_DB_OBJECT_SCOPE_DS ((ULONG) 0x00100000L)
#define LSAP_DB_DS_TRUSTED_DOMAIN_AS_SECRET ((ULONG) 0x00400000L)
#define LSAP_DB_READ_ONLY_TRANSACTION ((ULONG) 0x01000000L)
#define LSAP_DB_DS_OP_TRANSACTION ((ULONG) 0x02000000L)
#define LSAP_DB_NO_DS_OP_TRANSACTION ((ULONG) 0x04000000L)
#define LSAP_DB_HANDLE_UPGRADE ((ULONG) 0x10000000L)
#define LSAP_DB_HANDLE_CREATED_SECRET ((ULONG) 0x20000000L)
#define LSAP_DB_SCE_POLICY_HANDLE ((ULONG) 0x40000000L)
#define LSAP_DB_STATE_MASK \
(LSAP_DB_LOCK | LSAP_DB_NO_LOCK | \
LSAP_DB_START_TRANSACTION | LSAP_DB_FINISH_TRANSACTION | \
LSAP_DB_LOG_QUEUE_LOCK | \
LSAP_DB_READ_ONLY_TRANSACTION | LSAP_DB_DS_OP_TRANSACTION | \
LSAP_DB_NO_DS_OP_TRANSACTION)
//
// Configuration Registry Root Key for Lsa Database. All Physical Object
// and Attribute Names are relative to this Key.
//
#define LSAP_DB_ROOT_REG_KEY_NAME L"\\Registry\\Machine\\Security"
//
// LSA Database Object Defines
//
#define LSAP_DB_OBJECT_OPEN FILE_OPEN
#define LSAP_DB_OBJECT_OPEN_IF FILE_OPEN_IF
#define LSAP_DB_OBJECT_CREATE FILE_CREATE
#define LSAP_DB_KEY_VALUE_MAX_LENGTH (0x00000040L)
#define LSAP_DB_LOGICAL_NAME_MAX_LENGTH (0x00000100L)
#define LSAP_DB_CREATE_OBJECT_IN_DS (0x00000200L)
#define LSAP_DB_CREATE_VALID_EXTENDED_FLAGS 0x00000600
//
// LSA Database Object SubKey Defines
//
#define LSAP_DB_SUBKEY_OPEN FILE_OPEN
#define LSAP_DB_SUBKEY_OPEN_IF FILE_OPEN_IF
#define LSAP_DB_SUBKEY_CREATE FILE_CREATE
//
// Growth Delta for Referenced Domain Lists
//
#define LSAP_DB_REF_DOMAIN_DELTA ((ULONG) 0x00000020L )
//
// Object options values for the object handles
//
#define LSAP_DB_OBJECT_SECRET_INTERNAL 0x00000001 // M$
#define LSAP_DB_OBJECT_SECRET_LOCAL 0x00000002 // L$
//
// The following data type is used in name and SID lookup services to
// describe the domains referenced in the lookup operation.
//
// WARNING! This is an internal version of LSA_REFERENCED_DOMAIN_LIST
// in ntlsa.h. It has an additional field, MaxEntries.
//
typedef struct _LSAP_DB_REFERENCED_DOMAIN_LIST {
ULONG Entries;
PLSA_TRUST_INFORMATION Domains;
ULONG MaxEntries;
} LSAP_DB_REFERENCED_DOMAIN_LIST, *PLSAP_DB_REFERENCED_DOMAIN_LIST;
// where members have the following usage:
//
// Entries - Is a count of the number of domains described in the
// Domains array.
//
// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
// structures.
//
// MaxEntries - Is the maximum number of entries that can be stored
// in the current array
/////////////////////////////////////////////////////////////////////////////
//
// LSA Database Object Types
//
/////////////////////////////////////////////////////////////////////////////
//
// Lsa Database Object Type
//
typedef enum _LSAP_DB_OBJECT_TYPE_ID {
NullObject = 0,
PolicyObject,
TrustedDomainObject,
AccountObject,
SecretObject,
AllObject,
NewTrustedDomainObject,
DummyLastObject
} LSAP_DB_OBJECT_TYPE_ID, *PLSAP_DB_OBJECT_TYPE_ID;
//
// LSA Database Object Handle structure (Internal definition of LSAPR_HANDLE)
//
// Note that the Handle structure is public to clients of the Lsa Database
// exported functions, e.g server API workers) so that they can get at things
// like GrantedAccess.
//
// Access to all fields serialized by LsapDbHandleTableEx.TableLock
//
typedef struct _LSAP_DB_HANDLE {
struct _LSAP_DB_HANDLE *Next;
struct _LSAP_DB_HANDLE *Previous;
LIST_ENTRY UserHandleList;
BOOLEAN Allocated;
BOOLEAN SceHandle; // Sce Open Policy handle (opened with LsaOpenPolicySce)
BOOLEAN SceHandleChild; // Child handle of an Sce Open Policy Handle
ULONG ReferenceCount;
UNICODE_STRING LogicalNameU;
UNICODE_STRING PhysicalNameU;
PSID Sid;
HANDLE KeyHandle;
LSAP_DB_OBJECT_TYPE_ID ObjectTypeId;
struct _LSAP_DB_HANDLE *ContainerHandle;
ACCESS_MASK DesiredAccess;
ACCESS_MASK GrantedAccess;
ACCESS_MASK RequestedAccess;
BOOLEAN GenerateOnClose;
BOOLEAN Trusted;
BOOLEAN DeletedObject;
BOOLEAN NetworkClient;
ULONG Options;
// New for the Ds
UNICODE_STRING PhysicalNameDs;
BOOLEAN fWriteDs;
ULONG ObjectOptions;
PVOID UserEntry;
#if DBG == 1
LARGE_INTEGER HandleCreateTime;
LARGE_INTEGER HandleLastAccessTime;
#endif
} *LSAP_DB_HANDLE, **PLSAP_DB_HANDLE;
//
// LSA Database Object Sid Enumeration Buffer
//
typedef struct _LSAP_DB_SID_ENUMERATION_BUFFER {
ULONG EntriesRead;
PSID *Sids;
} LSAP_DB_SID_ENUMERATION_BUFFER, *PLSAP_DB_SID_ENUMERATION_BUFFER;
//
// LSA Database Object Name Enumeration Buffer
//
typedef struct _LSAP_DB_NAME_ENUMERATION_BUFFER {
ULONG EntriesRead;
PUNICODE_STRING Names;
} LSAP_DB_NAME_ENUMERATION_BUFFER, *PLSAP_DB_NAME_ENUMERATION_BUFFER;
#define LSAP_DB_OBJECT_TYPE_COUNT 0x00000005L
//
// Default System Access assigned to Account objects
//
#define LSAP_DB_ACCOUNT_DEFAULT_SYS_ACCESS ((ULONG) 0L);
//
// LSA Database Account Object Information
//
typedef struct _LSAP_DB_ACCOUNT_INFORMATION {
QUOTA_LIMITS QuotaLimits;
PRIVILEGE_SET Privileges;
} LSAP_DB_ACCOUNT_INFORMATION, *PLSAP_DB_ACCOUNT_INFORMATION;
//
// LSA Database Change Account Privilege Mode
//
typedef enum _LSAP_DB_CHANGE_PRIVILEGE_MODE {
AddPrivileges = 1,
RemovePrivileges,
SetPrivileges
} LSAP_DB_CHANGE_PRIVILEGE_MODE;
//
// Self-Relative Unicode String Structure.
//
//
// UNICODE_STRING_SR is used to store self-relative unicode strings in
// the database. Prior to Sundown, the UNICODE_STRING structure was used,
// overloading the "Buffer" field with a byte offset.
//
typedef struct _UNICODE_STRING_SR {
USHORT Length;
USHORT MaximumLength;
ULONG Offset;
} UNICODE_STRING_SR, *PUNICODE_STRING_SR;
typedef struct _LSAP_DB_MULTI_UNICODE_STRING {
ULONG Entries;
UNICODE_STRING_SR UnicodeStrings[1];
} LSAP_DB_MULTI_UNICODE_STRING, *PLSAP_DB_MULTI_UNICODE_STRING;
//
// LSA Database Object SubKey names in Unicode Form
//
typedef enum _LSAP_DB_NAMES {
SecDesc = 0,
Privilgs,
Sid,
Name,
AdminMod,
OperMode,
QuotaLim,
DefQuota,
QuAbsMin,
QuAbsMax,
AdtLog,
AdtEvent,
PrDomain,
EnPasswd,
Policy,
Accounts,
Domains,
Secrets,
CurrVal,
OldVal,
CupdTime,
OupdTime,
WkstaMgr,
PolAdtLg,
PolAdtEv,
PolAcDmN,
PolAcDmS,
PolDnDDN,
PolDnTrN,
PolDnDmG,
PolEfDat,
PolPrDmN,
PolPrDmS,
PolPdAcN,
PolRepSc,
PolRepAc,
PolRevision,
PolDefQu,
PolMod,
PolAdtFL,
PolState,
PolNxPxF,
ActSysAc,
TrDmName,
TrDmTrPN, // Netbios name of trust partner
TrDmSid,
TrDmAcN,
TrDmCtN,
TrDmPxOf,
TrDmCtEn,
TrDmTrTy, // Type of trust
TrDmTrDi, // Trust direction
TrDmTrLA, // Trust attributes
TrDmTrPr, // Trust partner
TrDmTrRt, // Trust root partner
TrDmSAI, // Auth inbound
TrDmSAO, // Auth outbound
TrDmForT, // Forest trust info
AcMaPCF, // Machine account password change frequency
PolIPSec, // IPSec object reference
PolDIPSec, // Domain wide IPSec object reference
PolLoc, // Policy location,
PolPubK, // Public key policy
KerOpts, // Kerberos authentication options
KerMinT, // Kerberos Minimum ticket age
KerMaxT, // Kerberos maximum ticket age
KerMaxR, // Kerberos maximum renewal age
KerProxy, // Kerberos proxy lifetime
KerLogoff, // Kerberos force logoff duration
DmLDur, // Lockout duration
DmLObWin, // Lockout observation window
DmLThrs, // Lockout threshold
DmPMinL, // Minimum password length
DmPHisL, // Password history length
DmPProp, // Password properties
DmPMinA, // Minimum password age
DmPMaxA, // Maximum password age
BhvrVers, // Behavior-Version
AuditLog,
AuditLogMaxSize,
AuditRecordRetentionPeriod, // Entries beyond this point don't correspond to real policy
// entries, but are pseudo entries only
PseudoSystemCritical,
PolSecretEncryptionKey,
XRefDnsRoot, // DNS name of cross-ref object
XRefNetbiosName, // NETBIOS name of cross-ref object
DummyLastName
} LSAP_DB_NAMES;
typedef struct _LSAP_DB_ACCOUNT_TYPE_SPECIFIC_INFO {
ULONG SystemAccess;
QUOTA_LIMITS QuotaLimits;
PPRIVILEGE_SET PrivilegeSet;
} LSAP_DB_ACCOUNT_TYPE_SPECIFIC_INFO, *PLSAP_DB_ACCOUNT_TYPE_SPECIFIC_INFO;
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
extern UNICODE_STRING LsapDbNames[DummyLastName];
extern UNICODE_STRING LsapDbObjectTypeNames[DummyLastObject];
//
// LSA Database Object Type-specific attribute names and values. If
// supplied on a call to LsapDbCreateObject, they will be stored with
// the object.
//
typedef enum _LSAP_DB_ATTRIB_TYPE {
LsapDbAttribUnknown = 0,
LsapDbAttribUnicode,
LsapDbAttribMultiUnicode,
LsapDbAttribSid,
LsapDbAttribGuid,
LsapDbAttribULong,
LsapDbAttribUShortAsULong,
LsapDbAttribSecDesc,
LsapDbAttribDsName,
LsapDbAttribPByte,
LsapDbAttribTime,
LsapDbAttribDsNameAsUnicode,
LsapDbAttribDsNameAsSid,
LsapDbAttribIntervalAsULong
} LSAP_DB_ATTRIB_TYPE, *PLSAP_DB_ATTRIB_TYPE;
typedef struct _LSAP_DB_ATTRIBUTE {
PUNICODE_STRING AttributeName;
PVOID AttributeValue;
ULONG AttributeValueLength;
BOOLEAN MemoryAllocated;
BOOLEAN CanDefaultToZero;
BOOLEAN PseudoAttribute;
ULONG DsAttId;
LSAP_DB_ATTRIB_TYPE AttribType;
LSAP_DB_NAMES DbNameIndex;
} LSAP_DB_ATTRIBUTE, *PLSAP_DB_ATTRIBUTE;
typedef enum _LSAP_DB_DS_LOCATION {
LsapDsLocUnknown = 0,
LsapDsLocRegistry,
LsapDsLocDs,
LsapDsLocDsLocalPolObj,
LsapDsLocDsDomainPolObj,
LsapDsLocLocalAndReg
} LSAP_DB_DS_LOCATION, *PLSAP_DB_DS_LOCATION;
typedef struct _LSAP_DB_DS_INFO {
ULONG AttributeId;
LSAP_DB_ATTRIB_TYPE AttributeType;
LSAP_DB_DS_LOCATION AttributeLocation;
} LSAP_DB_DS_INFO, *PLSAP_DB_DS_INFO;
//
// LSA Database Object General Information.
//
typedef struct _LSAP_DB_OBJECT_INFORMATION {
LSAP_DB_OBJECT_TYPE_ID ObjectTypeId;
LSAP_DB_OBJECT_TYPE_ID ContainerTypeId;
OBJECT_ATTRIBUTES ObjectAttributes;
PLSAP_DB_ATTRIBUTE TypeSpecificAttributes;
PSID Sid;
BOOLEAN ObjectAttributeNameOnly;
ULONG DesiredObjectAccess;
} LSAP_DB_OBJECT_INFORMATION, *PLSAP_DB_OBJECT_INFORMATION;
//
// New for the Ds integration
//
extern PLSAP_DB_DS_INFO LsapDbDsAttInfo;
//
// Installed, absolute minimum and absolute maximum Quota Limits.
//
extern QUOTA_LIMITS LsapDbInstalledQuotaLimits;
extern QUOTA_LIMITS LsapDbAbsMinQuotaLimits;
extern QUOTA_LIMITS LsapDbAbsMaxQuotaLimits;
//
// Required Ds data types
//
//
// This is the state of the machine with respect to the Ds. It will control
// some of the basic functionality of the Lsa APIs by determing who can write
// what where, etc...
//
typedef enum _LSADS_INIT_STATE {
LsapDsUnknown = 0,
LsapDsNoDs,
LsapDsDs,
LsapDsDsMaintenance,
LsapDsDsSetup
} LSADS_INIT_STATE, *PLSADS_INIT_STATE;
//
// LSA Database Exported Function Prototypes
//
// NOTE: These are callable only from the LSA
//
BOOLEAN
LsapDbIsServerInitialized(
);
NTSTATUS
LsapDbOpenPolicy(
IN PLSAPR_SERVER_NAME SystemName OPTIONAL,
IN OPTIONAL PLSAPR_OBJECT_ATTRIBUTES ObjectAttributes,
IN ACCESS_MASK DesiredAccess,
IN ULONG Options,
OUT PLSAPR_HANDLE PolicyHandle,
IN BOOLEAN TrustedClient
);
NTSTATUS
LsapDbOpenTrustedDomain(
IN LSAPR_HANDLE PolicyHandle,
IN PSID TrustedDomainSid,
IN ACCESS_MASK DesiredAccess,
OUT PLSAPR_HANDLE TrustedDomainHandle,
IN ULONG Options
);
NTSTATUS
LsapDbOpenTrustedDomainByName(
IN LSAPR_HANDLE PolicyHandle OPTIONAL,
IN PUNICODE_STRING TrustedDomainName,
OUT PLSAPR_HANDLE TrustedDomainHandle,
IN ULONG AccessMask,
IN ULONG Options,
IN BOOLEAN Trusted
);
NTSTATUS
LsapDbOpenObject(
IN PLSAP_DB_OBJECT_INFORMATION ObjectInformation,
IN ACCESS_MASK DesiredAccess,
IN ULONG Options,
OUT PLSAPR_HANDLE LsaHandle
);
NTSTATUS
LsapDbCreateObject(
IN PLSAP_DB_OBJECT_INFORMATION ObjectInformation,
IN ACCESS_MASK DesiredAccess,
IN ULONG CreateDisposition,
IN ULONG Options,
IN OPTIONAL PLSAP_DB_ATTRIBUTE TypeSpecificAttributes,
IN ULONG TypeSpecificAttributeCount,
OUT PLSAPR_HANDLE LsaHandle
);
NTSTATUS
LsapCloseHandle(
IN OUT LSAPR_HANDLE *ObjectHandle,
IN NTSTATUS PreliminaryStatus
);
NTSTATUS
LsapDbCloseObject(
IN PLSAPR_HANDLE ObjectHandle,
IN ULONG Options,
IN NTSTATUS PreliminaryStatus
);
NTSTATUS
LsapDbDeleteObject(
IN LSAPR_HANDLE ObjectHandle
);
NTSTATUS
LsapDbReferenceObject(
IN LSAPR_HANDLE ObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN LSAP_DB_OBJECT_TYPE_ID HandleTypeId,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
IN ULONG Options
);
NTSTATUS
LsapDbDereferenceObject(
IN OUT PLSAPR_HANDLE ObjectHandle,
IN LSAP_DB_OBJECT_TYPE_ID HandleTypeId,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
IN ULONG Options,
IN SECURITY_DB_DELTA_TYPE SecurityDbDeltaType,
IN NTSTATUS PreliminaryStatus
);
NTSTATUS
LsapDbReadAttributeObject(
IN LSAPR_HANDLE ObjectHandle,
IN PUNICODE_STRING AttributeNameU,
IN OPTIONAL PVOID AttributeValue,
IN OUT PULONG AttributeValueLength
);
NTSTATUS
LsapDbReadAttributeObjectEx(
IN LSAPR_HANDLE ObjectHandle,
IN LSAP_DB_NAMES AttributeIndex,
IN OPTIONAL PVOID AttributeValue,
IN OUT PULONG AttributeValueLength,
IN BOOLEAN CanDefaultToZero
);
NTSTATUS
LsapDbWriteAttributeObject(
IN LSAPR_HANDLE ObjectHandle,
IN PUNICODE_STRING AttributeNameU,
IN PVOID AttributeValue,
IN ULONG AttributeValueLength
);
NTSTATUS
LsapDbWriteAttributeObjectEx(
IN LSAPR_HANDLE ObjectHandle,
IN LSAP_DB_NAMES AttributeIndex,
IN PVOID AttributeValue,
IN ULONG AttributeValueLength
);
NTSTATUS
LsapDbWriteAttributesObject(
IN LSAPR_HANDLE ObjectHandle,
IN PLSAP_DB_ATTRIBUTE Attributes,
IN ULONG AttributeCount
);
NTSTATUS
LsapDbReadAttributesObject(
IN LSAPR_HANDLE ObjectHandle,
IN ULONG Options,
IN OUT PLSAP_DB_ATTRIBUTE Attributes,
IN ULONG AttributeCount
);
NTSTATUS
LsapDbDeleteAttributeObject(
IN LSAPR_HANDLE ObjectHandle,
IN PUNICODE_STRING AttributeNameU,
IN BOOLEAN DeleteSecurely
);
NTSTATUS
LsapDbDeleteAttributesObject(
IN LSAPR_HANDLE ObjectHandle,
IN PLSAP_DB_ATTRIBUTE Attributes,
IN ULONG AttributeCount
);
NTSTATUS
LsapDbQueryInformationAccounts(
IN LSAPR_HANDLE PolicyHandle,
IN ULONG IdCount,
IN PSID_AND_ATTRIBUTES Ids,
OUT PULONG PrivilegeCount,
OUT PLUID_AND_ATTRIBUTES *Privileges,
OUT PQUOTA_LIMITS QuotaLimits,
OUT PULONG SystemAccess
);
NTSTATUS
LsapDbOpenTransaction(
IN ULONG Options
);
NTSTATUS
LsapDbApplyTransaction(
IN LSAPR_HANDLE ObjectHandle,
IN ULONG Options,
IN SECURITY_DB_DELTA_TYPE SecurityDbDeltaType
);
NTSTATUS
LsapDbAbortTransaction(
IN ULONG Options
);
NTSTATUS
LsapDbSidToLogicalNameObject(
IN PSID Sid,
OUT PUNICODE_STRING LogicalNameU
);
NTSTATUS
LsapDbMakeTemporaryObject(
IN LSAPR_HANDLE ObjectHandle
);
NTSTATUS
LsapDbChangePrivilegesAccount(
IN LSAPR_HANDLE AccountHandle,
IN LSAP_DB_CHANGE_PRIVILEGE_MODE ChangeMode,
IN BOOLEAN AllPrivileges,
IN OPTIONAL PPRIVILEGE_SET Privileges,
IN BOOL LockSce
);
NTSTATUS
LsapDbEnumerateSids(
IN LSAPR_HANDLE ContainerHandle,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PLSAP_DB_SID_ENUMERATION_BUFFER DbEnumerationBuffer,
IN ULONG PreferedMaximumLength
);
NTSTATUS
LsapDbFindNextSid(
IN LSAPR_HANDLE ContainerHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
OUT PLSAPR_SID *NextSid
);
NTSTATUS
LsapDbEnumeratePrivileges(
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PLSAPR_PRIVILEGE_ENUM_BUFFER EnumerationBuffer,
IN ULONG PreferedMaximumLength
);
NTSTATUS
LsapDbEnumerateNames(
IN LSAPR_HANDLE ContainerHandle,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PLSAP_DB_NAME_ENUMERATION_BUFFER DbEnumerationBuffer,
IN ULONG PreferedMaximumLength
);
NTSTATUS
LsapDbFindNextName(
IN LSAPR_HANDLE ContainerHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
OUT PLSAPR_UNICODE_STRING Name
);
VOID
LsapDbFreeEnumerationBuffer(
IN PLSAP_DB_NAME_ENUMERATION_BUFFER DbEnumerationBuffer
);
NTSTATUS
LsapDbInitializeServer(
IN ULONG Pass
);
NTSTATUS
LsapDbInstallRegistry(
);
//
// These routines may someday migrate to Rtl runtime library. Their
// names have Lsap Prefixes only temporarily, so that they can be located
// easily.
//
// Options for LsapRtlAddPrivileges
#define RTL_COMBINE_PRIVILEGE_ATTRIBUTES ((ULONG) 0x00000001L)
#define RTL_SUPERSEDE_PRIVILEGE_ATTRIBUTES ((ULONG) 0x00000002L)
NTSTATUS
LsapRtlAddPrivileges(
IN OUT PPRIVILEGE_SET * RunningPrivileges,
IN OUT PULONG MaxRunningPrivileges,
IN PPRIVILEGE_SET PrivilegesToAdd,
IN ULONG Options,
OUT OPTIONAL BOOLEAN * Changed
);
NTSTATUS
LsapRtlRemovePrivileges(
IN OUT PPRIVILEGE_SET ExistingPrivileges,
IN PPRIVILEGE_SET PrivilegesToRemove
);
PLUID_AND_ATTRIBUTES
LsapRtlGetPrivilege(
IN PLUID_AND_ATTRIBUTES Privilege,
IN PPRIVILEGE_SET Privileges
);
BOOLEAN
LsapRtlPrefixSid(
IN PSID PrefixSid,
IN PSID Sid
);
ULONG
LsapDbGetSizeTextSid(
IN PSID Sid
);
NTSTATUS
LsapDbSidToTextSid(
IN PSID Sid,
OUT PSZ TextSid
);
NTSTATUS
LsapDbSidToUnicodeSid(
IN PSID Sid,
OUT PUNICODE_STRING SidU,
IN BOOLEAN AllocateDestinationString
);
NTSTATUS
LsapDbInitializeWellKnownValues();
#if defined(REMOTE_BOOT)
VOID
LsapDbInitializeRemoteBootState();
#endif // defined(REMOTE_BOOT)
NTSTATUS
LsapDbVerifyInformationObject(
IN PLSAP_DB_OBJECT_INFORMATION ObjectInformation
);
/*++
BOOLEAN
LsapDbIsValidTypeObject(
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId
)
Routine Description:
This macro function determines if a given Object Type Id is valid.
Arguments:
ObjectTypeId - Object Type Id.
Return Values:
BOOLEAN - TRUE if object type id is valid, else FALSE.
--*/
#define LsapDbIsValidTypeObject(ObjectTypeId) \
(((ObjectTypeId) > NullObject) && \
((ObjectTypeId) < DummyLastObject))
NTSTATUS
LsapDbGetRequiredAccessQueryPolicy(
IN POLICY_INFORMATION_CLASS InformationClass,
OUT PACCESS_MASK RequiredAccess
);
NTSTATUS
LsapDbVerifyInfoQueryPolicy(
IN LSAPR_HANDLE PolicyHandle,
IN POLICY_INFORMATION_CLASS InformationClass,
OUT PACCESS_MASK RequiredAccess
);
NTSTATUS
LsapDbVerifyInfoSetPolicy(
IN LSAPR_HANDLE PolicyHandle,
IN POLICY_INFORMATION_CLASS InformationClass,
IN PLSAPR_POLICY_INFORMATION PolicyInformation,
OUT PACCESS_MASK RequiredAccess
);
BOOLEAN
LsapDbValidInfoPolicy(
IN POLICY_INFORMATION_CLASS InformationClass,
IN OPTIONAL PLSAPR_POLICY_INFORMATION PolicyInformation
);
NTSTATUS
LsapDbVerifyInfoQueryTrustedDomain(
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN BOOLEAN Trusted,
OUT PACCESS_MASK RequiredAccess
);
NTSTATUS
LsapDbVerifyInfoSetTrustedDomain(
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation,
IN BOOLEAN Trusted,
OUT PACCESS_MASK RequiredAccess
);
BOOLEAN
LsapDbValidInfoTrustedDomain(
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN OPTIONAL PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation
);
NTSTATUS
LsapDbMakeUnicodeAttribute(
IN OPTIONAL PUNICODE_STRING UnicodeValue,
IN PUNICODE_STRING AttributeName,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeMultiUnicodeAttribute(
OUT PLSAP_DB_ATTRIBUTE Attribute,
IN PUNICODE_STRING AttributeName,
IN PUNICODE_STRING UnicodeNames,
IN ULONG Entries
);
VOID
LsapDbCopyUnicodeAttributeNoAlloc(
OUT PUNICODE_STRING OutputString,
IN PLSAP_DB_ATTRIBUTE Attribute,
IN BOOLEAN SelfRelative
);
NTSTATUS
LsapDbCopyUnicodeAttribute(
OUT PUNICODE_STRING OutputString,
IN PLSAP_DB_ATTRIBUTE Attribute,
IN BOOLEAN SelfRelative
);
NTSTATUS
LsapDbMakeSidAttribute(
IN PSID Sid,
IN PUNICODE_STRING AttributeName,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeGuidAttribute(
IN GUID *Guid,
IN PUNICODE_STRING AttributeName,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeBlobAttribute(
IN ULONG BlobLength,
IN PBYTE pBlob,
IN PUNICODE_STRING AttributeName,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeUnicodeAttributeDs(
IN OPTIONAL PUNICODE_STRING UnicodeValue,
IN LSAP_DB_NAMES Name,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeMultiUnicodeAttributeDs(
OUT PLSAP_DB_ATTRIBUTE Attribute,
IN LSAP_DB_NAMES Name,
IN PUNICODE_STRING UnicodeNames,
IN ULONG Entries
);
NTSTATUS
LsapDbMakeSidAttributeDs(
IN PSID Sid,
IN IN LSAP_DB_NAMES Name,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeGuidAttributeDs(
IN GUID *Guid,
IN LSAP_DB_NAMES Name,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakeBlobAttributeDs(
IN ULONG BlobLength,
IN PBYTE pBlob,
IN LSAP_DB_NAMES Name,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbMakePByteAttributeDs(
IN OPTIONAL PBYTE Buffer,
IN ULONG BufferLength,
IN LSAP_DB_ATTRIB_TYPE AttribType,
IN PUNICODE_STRING AttributeName,
OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbReadAttribute(
IN LSAPR_HANDLE ObjectHandle,
IN OUT PLSAP_DB_ATTRIBUTE Attribute
);
NTSTATUS
LsapDbFreeAttributes(
IN ULONG Count,
IN PLSAP_DB_ATTRIBUTE Attributes
);
/*++
VOID
LsapDbInitializeAttribute(
IN PLSAP_DB_ATTRIBUTE AttributeP,
IN PUNICODE_STRING AttributeNameP,
IN OPTIONAL PVOID AttributeValueP,
IN ULONG AttributeValueLengthP,
IN BOOLEAN MemoryAllocatedP
)
Routine Description:
This macro function initialize an Lsa Database Object Attribute
structure. No validation is done.
Arguments:
AttributeP - Pointer to Lsa Database Attribute structure to be
initialized.
AttributeNameP - Pointer to Unicode String containing the attribute's
name.
AttributeValueP - Pointer to the attribute's value. NULL may be
specified.
AttributeValueLengthP - Length of the attribute's value in bytes.
MemoryAllocatedP - TRUE if memory is allocated by MIDL_user_allocate
within the LSA Server code (not by RPC server stubs), else FALSE.
Return Values:
None.
--*/
#define LsapDbInitializeAttribute( \
AttributeP, \
AttributeNameP, \
AttributeValueP, \
AttributeValueLengthP, \
MemoryAllocatedP \
) \
\
{ \
(AttributeP)->AttributeName = AttributeNameP; \
(AttributeP)->AttributeValue = AttributeValueP; \
(AttributeP)->AttributeValueLength = AttributeValueLengthP; \
(AttributeP)->MemoryAllocated = MemoryAllocatedP; \
(AttributeP)->DsAttId = 0; \
(AttributeP)->AttribType = LsapDbAttribUnknown; \
(AttributeP)->CanDefaultToZero = FALSE; \
(AttributeP)->PseudoAttribute = FALSE; \
}
/*++
VOID
LsapDbInitializeAttributeDs(
IN PLSAP_DB_ATTRIBUTE AttributeP,
IN LSAP_DB_NAMES Name,
IN OPTIONAL PVOID AttributeValueP,
IN ULONG AttributeValueLengthP,
IN BOOLEAN MemoryAllocatedP
)
Routine Description:
This macro function initialize an Lsa Database Object Attribute
structure. No validation is done.
Arguments:
AttributeP - Pointer to Lsa Database Attribute structure to be
initialized.
Name - Name index to create
AttributeValueP - Pointer to the attribute's value. NULL may be
specified.
AttributeValueLengthP - Length of the attribute's value in bytes.
MemoryAllocatedP - TRUE if memory is allocated by MIDL_user_allocate
within the LSA Server code (not by RPC server stubs), else FALSE.
Return Values:
None.
--*/
#define LsapDbInitializeAttributeDs( \
AttributeP, \
Name, \
AttributeValueP, \
AttributeValueLengthP, \
MemoryAllocatedP \
) \
\
{ \
LsapDbInitializeAttribute( (AttributeP), &LsapDbNames[Name], \
AttributeValueP, AttributeValueLengthP, \
MemoryAllocatedP ); \
(AttributeP)->DsAttId = LsapDbDsAttInfo[Name].AttributeId; \
(AttributeP)->AttribType = LsapDbDsAttInfo[Name].AttributeType; \
(AttributeP)->CanDefaultToZero = FALSE; \
(AttributeP)->DbNameIndex = Name; \
}
#define LsapDbAttributeCanNotExist( \
AttributeP \
) \
{ \
(AttributeP)->CanDefaultToZero = TRUE; \
}
NTSTATUS
LsapDbGetPrivilegesAndQuotas(
IN LSAPR_HANDLE PolicyHandle,
IN SECURITY_LOGON_TYPE LogonType,
IN ULONG IdCount,
IN PSID_AND_ATTRIBUTES Ids,
OUT PULONG PrivilegeCount,
OUT PLUID_AND_ATTRIBUTES *Privileges,
OUT PQUOTA_LIMITS QuotaLimits
);
NTSTATUS
LsapInitializeNotifiyList(
VOID
);
NTSTATUS
LsapCrServerGetSessionKeySafe(
IN LSAPR_HANDLE ObjectHandle,
IN LSAP_DB_OBJECT_TYPE_ID ObjectTypeId,
OUT PLSAP_CR_CIPHER_KEY *SessionKey
);
NTSTATUS
LsapDbVerifyHandle(
IN LSAPR_HANDLE ObjectHandle,
IN ULONG Options,
IN LSAP_DB_OBJECT_TYPE_ID ExpectedObjectTypeId,
IN BOOLEAN ReferenceHandle
);
BOOLEAN
LsapDbDereferenceHandle(
IN LSAPR_HANDLE ObjectHandle
);
NTSTATUS
LsapDbQueryAllInformationAccounts(
IN LSAPR_HANDLE PolicyHandle,
IN ULONG IdCount,
IN PSID_AND_ATTRIBUTES Ids,
OUT PLSAP_DB_ACCOUNT_TYPE_SPECIFIC_INFO AccountInfo
);
NTSTATUS
LsapCreateTrustedDomain2(
IN LSAPR_HANDLE PolicyHandle,
IN PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation,
IN PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation,
IN ACCESS_MASK DesiredAccess,
OUT PLSAPR_HANDLE TrustedDomainHandle
);
NTSTATUS
LsapDsInitializeDsStateInfo(
IN LSADS_INIT_STATE DsInitState
);
NTSTATUS
LsapDsUnitializeDsStateInfo(
);
/*++
BOOLEAN
LsapValidateLsaUnicodeString(
IN PLSAPR_UNICODE_STRING UnicodeString
);
Returns TRUE if the LSAPR_UNICODE_STRING is valid. FALSE otherwise
--*/
#define LsapValidateLsaUnicodeString( _us_ ) \
(( (_us_) == NULL || \
( \
(_us_)->MaximumLength >= ( _us_ )->Length && \
(_us_)->Length % 2 == 0 && \
(_us_)->MaximumLength % 2 == 0 && \
((_us_)->Length == 0 || (_us_)->Buffer != NULL ) \
) \
) ? TRUE : FALSE )
/*++
BOOLEAN
LsapValidateLsaCipherValue(
IN PLSAPR_UNICODE_STRING UnicodeString
);
Returns TRUE if the LSAPR_CR_CIPHER_KEY is valid. FALSE otherwise
--*/
#define LsapValidateLsaCipherValue( _us_ ) \
( \
(_us_)->MaximumLength >= ( _us_ )->Length && \
((_us_)->Length == 0 || (_us_)->Buffer != NULL ) \
) \
? TRUE : FALSE
NTSTATUS
LsapDbIsImpersonatedClientNetworkClient(
IN OUT PBOOLEAN IsNetworkClient
);
BOOLEAN
LsapSidPresentInGroups(
IN PTOKEN_GROUPS TokenGroups,
IN SID * Sid
);
NTSTATUS
LsapDomainRenameHandlerForLogonSessions(
IN PUNICODE_STRING OldNetbiosName,
IN PUNICODE_STRING OldDnsName,
IN PUNICODE_STRING NewNetbiosName,
IN PUNICODE_STRING NewDnsName
);
NTSTATUS
LsapRetrieveDnsDomainNameFromHive(
IN HKEY Hkey,
IN OUT DWORD * Length,
OUT WCHAR * Buffer
);
#ifdef __cplusplus
}
#endif // __cplusplus
#endif // _LSA_DB_