summaryrefslogtreecommitdiff
path: root/librpc/idl/security.idl
blob: 00bb6e6dc96571cf610c46f748f84ce767ab6b1f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
#include "idl_types.h"

/*
  security IDL structures
*/

import "misc.idl";

/*
   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
   just a dom sid, but with the sub_auths represented as a conformant
   array. As with all in-structure conformant arrays, the array length
   is placed before the start of the structure. That's what gives rise
   to the extra num_auths elemenent. We don't want the Samba code to
   have to bother with such esoteric NDR details, so its easier to just
   define it as a dom_sid and use pidl magic to make it all work. It
   just means you need to mark a sid as a "dom_sid2" in the IDL when you
   know it is of the conformant array variety
*/
cpp_quote("#define dom_sid2 dom_sid")

/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
cpp_quote("#define dom_sid28 dom_sid")

/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
cpp_quote("#define dom_sid0 dom_sid")

[
	/*
	 * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
	 */
	uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
	version(0.0),
	pyhelper("librpc/ndr/py_security.c"),
	pointer_default(unique)
]
interface security
{

	typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;

	typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
		uint8  sid_rev_num;             /**< SID revision number */
		[range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
		uint8  id_auth[6];              /**< Identifier Authority */
		uint32 sub_auths[15];
	} dom_sid;
	/*
	  access masks are divided up like this:
                0xabccdddd
		where 
		   a = generic rights bits        SEC_GENERIC_
		   b = flags                      SEC_FLAG_
		   c = standard rights bits       SEC_STD_
		   d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_
		   
          common combinations of bits are prefixed with SEC_RIGHTS_
	*/
	const int SEC_MASK_GENERIC         = 0xF0000000;
	const int SEC_MASK_FLAGS           = 0x0F000000;
	const int SEC_MASK_STANDARD        = 0x00FF0000;
	const int SEC_MASK_SPECIFIC        = 0x0000FFFF;

	/* generic bits */
	const int SEC_GENERIC_ALL          = 0x10000000;
	const int SEC_GENERIC_EXECUTE      = 0x20000000;
	const int SEC_GENERIC_WRITE        = 0x40000000;
	const int SEC_GENERIC_READ         = 0x80000000;

	/* flag bits */
	const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
	const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;

	/* standard bits */
	const int SEC_STD_DELETE           = 0x00010000;
	const int SEC_STD_READ_CONTROL     = 0x00020000;
	const int SEC_STD_WRITE_DAC        = 0x00040000;
	const int SEC_STD_WRITE_OWNER      = 0x00080000;
	const int SEC_STD_SYNCHRONIZE      = 0x00100000;
	const int SEC_STD_REQUIRED         = 0x000F0000;
	const int SEC_STD_ALL              = 0x001F0000;

	/* file specific bits */
	const int SEC_FILE_READ_DATA       = 0x00000001;
	const int SEC_FILE_WRITE_DATA      = 0x00000002;
	const int SEC_FILE_APPEND_DATA     = 0x00000004;
	const int SEC_FILE_READ_EA         = 0x00000008;
	const int SEC_FILE_WRITE_EA        = 0x00000010;
	const int SEC_FILE_EXECUTE         = 0x00000020;
	const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
	const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
	const int SEC_FILE_ALL             = 0x000001ff;

	/* directory specific bits */
	const int SEC_DIR_LIST             = 0x00000001;
	const int SEC_DIR_ADD_FILE         = 0x00000002;
	const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
	const int SEC_DIR_READ_EA          = 0x00000008;
	const int SEC_DIR_WRITE_EA         = 0x00000010;
	const int SEC_DIR_TRAVERSE         = 0x00000020;
	const int SEC_DIR_DELETE_CHILD     = 0x00000040;
	const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
	const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;

	/* registry entry specific bits */
	const int SEC_REG_QUERY_VALUE      = 0x00000001;
	const int SEC_REG_SET_VALUE        = 0x00000002;
	const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
	const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
	const int SEC_REG_NOTIFY           = 0x00000010;
	const int SEC_REG_CREATE_LINK      = 0x00000020;

	/* ldap specific access bits */
	const int SEC_ADS_CREATE_CHILD     = 0x00000001;
	const int SEC_ADS_DELETE_CHILD     = 0x00000002;
	const int SEC_ADS_LIST             = 0x00000004;
	const int SEC_ADS_SELF_WRITE       = 0x00000008;
	const int SEC_ADS_READ_PROP        = 0x00000010;
	const int SEC_ADS_WRITE_PROP       = 0x00000020;
	const int SEC_ADS_DELETE_TREE      = 0x00000040;
	const int SEC_ADS_LIST_OBJECT      = 0x00000080;
	const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;

	/* invalid bits */
	const int SEC_MASK_INVALID         = 0x0ce0fe00;

	/* generic->specific mappings for files */
	const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL | 
	                                    SEC_STD_SYNCHRONIZE | 
					    SEC_FILE_READ_DATA | 
                                            SEC_FILE_READ_ATTRIBUTE | 
                                            SEC_FILE_READ_EA;

	const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL | 
	                                    SEC_STD_SYNCHRONIZE | 
					    SEC_FILE_WRITE_DATA | 
                                            SEC_FILE_WRITE_ATTRIBUTE | 
                                            SEC_FILE_WRITE_EA |
                                            SEC_FILE_APPEND_DATA;
	
	const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | 
	                                    SEC_STD_READ_CONTROL | 
	                                    SEC_FILE_READ_ATTRIBUTE | 
                                            SEC_FILE_EXECUTE;

	const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;

	/* generic->specific mappings for directories (same as files) */
	const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
	const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;

	/* rights granted by some specific privileges */
	const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL |
					    SEC_FLAG_SYSTEM_SECURITY |
					    SEC_RIGHTS_FILE_READ |
					    SEC_DIR_TRAVERSE;

	const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
					    SEC_STD_WRITE_OWNER |
					    SEC_FLAG_SYSTEM_SECURITY |
					    SEC_RIGHTS_FILE_WRITE |
					    SEC_DIR_ADD_FILE |
					    SEC_DIR_ADD_SUBDIR |
					    SEC_STD_DELETE;

	/* combinations of standard masks. */
	const int STANDARD_RIGHTS_ALL_ACCESS		= SEC_STD_ALL; /* 0x001f0000 */
	const int STANDARD_RIGHTS_MODIFY_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_EXECUTE_ACCESS	= SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_READ_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_WRITE_ACCESS =
		(SEC_STD_WRITE_OWNER		|
		 SEC_STD_WRITE_DAC		|
		 SEC_STD_DELETE);	/* 0x000d0000 */
	const int STANDARD_RIGHTS_REQUIRED_ACCESS =
		(SEC_STD_DELETE			|
		 SEC_STD_READ_CONTROL		|
		 SEC_STD_WRITE_DAC		|
		 SEC_STD_WRITE_OWNER);	/* 0x000f0000 */

	/* generic->specific mappings for Directory Service objects */
	/* directory specific part of GENERIC_ALL */
	const int SEC_ADS_GENERIC_ALL_DS =
		(SEC_STD_DELETE                 |
		 SEC_STD_WRITE_DAC              |
		 SEC_STD_WRITE_OWNER            |
		 SEC_ADS_CREATE_CHILD           |
		 SEC_ADS_DELETE_CHILD           |
		 SEC_ADS_DELETE_TREE            |
		 SEC_ADS_CONTROL_ACCESS);
	const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
	const int SEC_ADS_GENERIC_WRITE   =
		(SEC_STD_READ_CONTROL           |
		 SEC_ADS_SELF_WRITE             |
		 SEC_ADS_WRITE_PROP);
	const int SEC_ADS_GENERIC_READ    =
		(SEC_STD_READ_CONTROL           |
		 SEC_ADS_LIST                   |
		 SEC_ADS_READ_PROP              |
		 SEC_ADS_LIST_OBJECT);
	const int SEC_ADS_GENERIC_ALL     =
		(SEC_ADS_GENERIC_EXECUTE        |
		 SEC_ADS_GENERIC_WRITE          |
		 SEC_ADS_GENERIC_READ           |
		 SEC_ADS_GENERIC_ALL_DS);

	/***************************************************************/
	/* WELL KNOWN SIDS */

	/* a NULL sid */
	const string SID_NULL = "S-1-0-0";

	/* the world domain */
	const string NAME_WORLD       = "WORLD";

	const string SID_WORLD_DOMAIN = "S-1-1";
	const string SID_WORLD        = "S-1-1-0";

	/* SECURITY_CREATOR_SID_AUTHORITY */
	const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
	const string SID_CREATOR_OWNER        = "S-1-3-0";
	const string SID_CREATOR_GROUP        = "S-1-3-1";
	const string SID_OWNER_RIGHTS         = "S-1-3-4";

	/* SECURITY_NT_AUTHORITY */
	const string NAME_NT_AUTHORITY            = "NT AUTHORITY";

	const string SID_NT_AUTHORITY             = "S-1-5";
	const string SID_NT_DIALUP                = "S-1-5-1";
	const string SID_NT_NETWORK               = "S-1-5-2";
	const string SID_NT_BATCH                 = "S-1-5-3";
	const string SID_NT_INTERACTIVE           = "S-1-5-4";
	const string SID_NT_SERVICE               = "S-1-5-6";
	const string SID_NT_ANONYMOUS             = "S-1-5-7";
	const string SID_NT_PROXY                 = "S-1-5-8";
	const string SID_NT_ENTERPRISE_DCS        = "S-1-5-9";
	const string SID_NT_SELF                  = "S-1-5-10";
	const string SID_NT_AUTHENTICATED_USERS   = "S-1-5-11";
	const string SID_NT_RESTRICTED            = "S-1-5-12";
	const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
	const string SID_NT_REMOTE_INTERACTIVE    = "S-1-5-14";
	const string SID_NT_THIS_ORGANISATION     = "S-1-5-15";
	const string SID_NT_IUSR                  = "S-1-5-17";
	const string SID_NT_SYSTEM                = "S-1-5-18";
	const string SID_NT_LOCAL_SERVICE         = "S-1-5-19";
	const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
	const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
	const string SID_NT_NTLM_AUTHENTICATION   = "S-1-5-64-10";
	const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
	const string SID_NT_OTHER_ORGANISATION    = "S-1-5-1000";

	/* SECURITY_BUILTIN_DOMAIN_RID */
	const string NAME_BUILTIN                  = "BUILTIN";

	const string SID_BUILTIN                   = "S-1-5-32";
	const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
	const string SID_BUILTIN_USERS             = "S-1-5-32-545";
	const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
	const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
	const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
	const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
	const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
	const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
	const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
	const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
	const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
	const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
	const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
	const string SID_BUILTIN_INCOMING_FOREST_TRUST  = "S-1-5-32-557";
	const string SID_BUILTIN_PERFMON_USERS		= "S-1-5-32-558";
	const string SID_BUILTIN_PERFLOG_USERS		= "S-1-5-32-559";
	const string SID_BUILTIN_AUTH_ACCESS 		= "S-1-5-32-560";
	const string SID_BUILTIN_TS_LICENSE_SERVERS	= "S-1-5-32-561";
	const string SID_BUILTIN_DISTRIBUTED_COM_USERS	= "S-1-5-32-562";
	const string SID_BUILTIN_CRYPTO_OPERATORS	= "S-1-5-32-569";
	const string SID_BUILTIN_EVENT_LOG_READERS	= "S-1-5-32-573";
	const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS	= "S-1-5-32-574";

	/* SECURITY_NT_SERVICE */
	const string NAME_NT_SERVICE            = "NT SERVICE";

	const string SID_NT_NT_SERVICE          = "S-1-5-80";
	const string SID_NT_TRUSTED_INSTALLER =
		"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";

	/* well-known domain RIDs */
	const int DOMAIN_RID_LOGON                   = 9;
	const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
	const int DOMAIN_RID_ADMINISTRATOR           = 500;
	const int DOMAIN_RID_GUEST                   = 501;
	const int DOMAIN_RID_KRBTGT                  = 502;
	const int DOMAIN_RID_ADMINS                  = 512;
	const int DOMAIN_RID_USERS                   = 513;
	const int DOMAIN_RID_GUESTS                  = 514;
	const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
	const int DOMAIN_RID_DCS                     = 516;
	const int DOMAIN_RID_CERT_ADMINS             = 517;
	const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
	const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
	const int DOMAIN_RID_POLICY_ADMINS           = 520;
	const int DOMAIN_RID_READONLY_DCS            = 521;
	const int DOMAIN_RID_RAS_SERVERS             = 553;
	const int DOMAIN_RID_RODC_ALLOW              = 571;
	const int DOMAIN_RID_RODC_DENY               = 572;

	/* well-known builtin RIDs */
	const int BUILTIN_RID_ADMINISTRATORS		= 544;
	const int BUILTIN_RID_USERS			= 545;
	const int BUILTIN_RID_GUESTS			= 546;
	const int BUILTIN_RID_POWER_USERS		= 547;
	const int BUILTIN_RID_ACCOUNT_OPERATORS		= 548;
	const int BUILTIN_RID_SERVER_OPERATORS		= 549;
	const int BUILTIN_RID_PRINT_OPERATORS		= 550;
	const int BUILTIN_RID_BACKUP_OPERATORS		= 551;
	const int BUILTIN_RID_REPLICATOR		= 552;
	const int BUILTIN_RID_RAS_SERVERS		= 553;
	const int BUILTIN_RID_PRE_2K_ACCESS		= 554;
	const int BUILTIN_RID_REMOTE_DESKTOP_USERS	= 555;
	const int BUILTIN_RID_NETWORK_CONF_OPERATORS	= 556;
	const int BUILTIN_RID_INCOMING_FOREST_TRUST	= 557;
	const int BUILTIN_RID_PERFMON_USERS		= 558;
	const int BUILTIN_RID_PERFLOG_USERS		= 559;
	const int BUILTIN_RID_AUTH_ACCESS		= 560;
	const int BUILTIN_RID_TS_LICENSE_SERVERS	= 561;
	const int BUILTIN_RID_DISTRIBUTED_COM_USERS	= 562;
	const int BUILTIN_RID_CRYPTO_OPERATORS		= 569;
	const int BUILTIN_RID_EVENT_LOG_READERS		= 573;
	const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS	= 574;

/********************************************************************
 This is a list of privileges reported by a WIndows 2008 R2 DC
 just for reference purposes (and I know the LUID is not guaranteed
 across reboots):

0x00000002          SeCreateTokenPrivilege "Create a token object"
0x00000003   SeAssignPrimaryTokenPrivilege "Replace a process level token"
0x00000004           SeLockMemoryPrivilege "Lock pages in memory"
0x00000005        SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
0x00000006       SeMachineAccountPrivilege "Add workstations to domain"
0x00000007                  SeTcbPrivilege "Act as part of the operating system"
0x00000008             SeSecurityPrivilege "Manage auditing and security log"
0x00000009        SeTakeOwnershipPrivilege "Take ownership of files or other objects"
0x0000000a           SeLoadDriverPrivilege "Load and unload device drivers"
0x0000000b        SeSystemProfilePrivilege "Profile system performance"
0x0000000c           SeSystemtimePrivilege "Change the system time"
0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
0x0000000f       SeCreatePagefilePrivilege "Create a pagefile"
0x00000010      SeCreatePermanentPrivilege "Create permanent shared objects"
0x00000011               SeBackupPrivilege "Back up files and directories"
0x00000012              SeRestorePrivilege "Restore files and directories"
0x00000013             SeShutdownPrivilege "Shut down the system"
0x00000014                SeDebugPrivilege "Debug programs"
0x00000015                SeAuditPrivilege "Generate security audits"
0x00000016    SeSystemEnvironmentPrivilege "Modify firmware environment values"
0x00000017         SeChangeNotifyPrivilege "Bypass traverse checking"
0x00000018       SeRemoteShutdownPrivilege "Force shutdown from a remote system"
0x00000019               SeUndockPrivilege "Remove computer from docking station"
0x0000001a            SeSyncAgentPrivilege "Synchronize directory service data"
0x0000001b     SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
0x0000001c         SeManageVolumePrivilege "Perform volume maintenance tasks"
0x0000001d          SeImpersonatePrivilege "Impersonate a client after authentication"
0x0000001e         SeCreateGlobalPrivilege "Create global objects"
0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
0x00000020              SeRelabelPrivilege "Modify an object label"
0x00000021   SeIncreaseWorkingSetPrivilege "Increase a process working set"
0x00000022             SeTimeZonePrivilege "Change the time zone"
0x00000023   SeCreateSymbolicLinkPrivilege "Create symbolic links"

 ********************************************************************/

	/* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */

	/* we have to define the LUID here due to a horrible check by printmig.exe
	   that requires the SeBackupPrivilege match what is in Windows.  So match
	   those that we implement and start Samba privileges at 0x1001 */

	typedef enum {
		SEC_PRIV_INVALID                   = 0x0,
		SEC_PRIV_INCREASE_QUOTA            = 0x5,
		SEC_PRIV_MACHINE_ACCOUNT           = 0x6,
		SEC_PRIV_SECURITY                  = 0x8,
		SEC_PRIV_TAKE_OWNERSHIP            = 0x09,
		SEC_PRIV_LOAD_DRIVER               = 0x0a,
		SEC_PRIV_SYSTEM_PROFILE            = 0x0b,
		SEC_PRIV_SYSTEMTIME                = 0x0c,
		SEC_PRIV_PROFILE_SINGLE_PROCESS    = 0x0d,
		SEC_PRIV_INCREASE_BASE_PRIORITY    = 0x0e,
		SEC_PRIV_CREATE_PAGEFILE           = 0x0f,
		SEC_PRIV_BACKUP                    = 0x11,
		SEC_PRIV_RESTORE                   = 0x12,
		SEC_PRIV_SHUTDOWN                  = 0x13,
		SEC_PRIV_DEBUG                     = 0x14,
		SEC_PRIV_SYSTEM_ENVIRONMENT        = 0x16,
		SEC_PRIV_CHANGE_NOTIFY             = 0x17,
		SEC_PRIV_REMOTE_SHUTDOWN           = 0x18,
		SEC_PRIV_UNDOCK                    = 0x19,
		SEC_PRIV_ENABLE_DELEGATION         = 0x1b,
		SEC_PRIV_MANAGE_VOLUME             = 0x1c,
		SEC_PRIV_IMPERSONATE               = 0x1d,
		SEC_PRIV_CREATE_GLOBAL             = 0x1e,
		/* Samba-specific privs */
		SEC_PRIV_PRINT_OPERATOR            = 0x1001,
		SEC_PRIV_ADD_USERS                 = 0x1002,
		SEC_PRIV_DISK_OPERATOR             = 0x1003
	} sec_privilege;


	/* Bitmap of privilege values for internal use only.  We need
	 * our own bitmap here as privilages.tdb records these values
	 * as a bitmap (privilages.ldb uses the string forms).
	 */
	typedef [bitmap64bit] bitmap {
		SEC_PRIV_MACHINE_ACCOUNT_BIT		= 0x00000010,

		/* Samba-specific privs */
		SEC_PRIV_PRINT_OPERATOR_BIT		= 0x00000020,
		SEC_PRIV_ADD_USERS_BIT			= 0x00000040,
		SEC_PRIV_DISK_OPERATOR_BIT		= 0x00000080,

		SEC_PRIV_REMOTE_SHUTDOWN_BIT		= 0x00000100,
		SEC_PRIV_BACKUP_BIT			= 0x00000200,
		SEC_PRIV_RESTORE_BIT			= 0x00000400,
		SEC_PRIV_TAKE_OWNERSHIP_BIT		= 0x00000800,
		/* End of privilages implemented before merge to common code */

		SEC_PRIV_INCREASE_QUOTA_BIT               = 0x00001000,
		SEC_PRIV_SECURITY_BIT                     = 0x00002000,
		SEC_PRIV_LOAD_DRIVER_BIT                  = 0x00004000,
		SEC_PRIV_SYSTEM_PROFILE_BIT               = 0x00008000,
		SEC_PRIV_SYSTEMTIME_BIT                   = 0x00010000,
		SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT       = 0x00020000,
		SEC_PRIV_INCREASE_BASE_PRIORITY_BIT       = 0x00040000,
		SEC_PRIV_CREATE_PAGEFILE_BIT              = 0x00080000,
		SEC_PRIV_SHUTDOWN_BIT                     = 0x00100000,
		SEC_PRIV_DEBUG_BIT                        = 0x00200000,
		SEC_PRIV_SYSTEM_ENVIRONMENT_BIT           = 0x00400000,
		SEC_PRIV_CHANGE_NOTIFY_BIT                = 0x00800000,
		SEC_PRIV_UNDOCK_BIT                       = 0x01000000,
		SEC_PRIV_ENABLE_DELEGATION_BIT            = 0x02000000,
		SEC_PRIV_MANAGE_VOLUME_BIT                = 0x04000000,
		SEC_PRIV_IMPERSONATE_BIT                  = 0x08000000,
		SEC_PRIV_CREATE_GLOBAL_BIT                = 0x10000000
	} se_privilege;

	typedef [bitmap32bit] bitmap {
		LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
		LSA_POLICY_MODE_NETWORK                 = 0x00000002,
		LSA_POLICY_MODE_BATCH                   = 0x00000004,
		LSA_POLICY_MODE_SERVICE                 = 0x00000010,
		LSA_POLICY_MODE_PROXY			= 0x00000020,
		LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
		LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
		LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
		LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
		LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
		LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
		LSA_POLICY_MODE_ALL			= 0x00000FF7,
		LSA_POLICY_MODE_ALL_NT4			= 0x00000037
	} lsa_SystemAccessModeFlags;

	typedef [public,bitmap8bit] bitmap {
		SEC_ACE_FLAG_OBJECT_INHERIT		= 0x01,
		SEC_ACE_FLAG_CONTAINER_INHERIT		= 0x02,
		SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	= 0x04,
		SEC_ACE_FLAG_INHERIT_ONLY		= 0x08,
		SEC_ACE_FLAG_INHERITED_ACE		= 0x10,
		SEC_ACE_FLAG_VALID_INHERIT		= 0x0f,
		SEC_ACE_FLAG_SUCCESSFUL_ACCESS		= 0x40,
		SEC_ACE_FLAG_FAILED_ACCESS		= 0x80
	} security_ace_flags;

	typedef [public,enum8bit] enum {
		SEC_ACE_TYPE_ACCESS_ALLOWED		= 0,
		SEC_ACE_TYPE_ACCESS_DENIED		= 1,
		SEC_ACE_TYPE_SYSTEM_AUDIT		= 2,
		SEC_ACE_TYPE_SYSTEM_ALARM		= 3,
		SEC_ACE_TYPE_ALLOWED_COMPOUND		= 4,
		SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT	= 5,
		SEC_ACE_TYPE_ACCESS_DENIED_OBJECT	= 6,
		SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT	= 7,
		SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT	= 8
	} security_ace_type;

	typedef [bitmap32bit] bitmap {
		SEC_ACE_OBJECT_TYPE_PRESENT		= 0x00000001,
		SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT	= 0x00000002
	} security_ace_object_flags;

	typedef [nodiscriminant] union {
		/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
		[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
		[default];
	} security_ace_object_type;

	typedef [nodiscriminant] union {
		/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
		 * (of the parent container)
		 */
		[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
		[default];
	} security_ace_object_inherited_type;

	typedef struct {
		security_ace_object_flags flags;
		[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
		[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
	} security_ace_object;

	typedef [public,nodiscriminant] union {
		[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
		[default];
	} security_ace_object_ctr;

	typedef [public,nopull,gensize,nosize] struct {
		security_ace_type type;  /* SEC_ACE_TYPE_* */
		security_ace_flags flags; /* SEC_ACE_FLAG_* */
		[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
		uint32 access_mask;
		[switch_is(type)] security_ace_object_ctr object;
		dom_sid trustee;
	} security_ace;

	typedef enum {
		SECURITY_ACL_REVISION_NT4	= 2,
		SECURITY_ACL_REVISION_ADS	= 4
	} security_acl_revision;

	const uint NT4_ACL_REVISION	= SECURITY_ACL_REVISION_NT4;

	typedef [public,gensize,nosize] struct {
		security_acl_revision revision;
		[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
		[range(0,2000)] uint32 num_aces;
		security_ace aces[num_aces];
	} security_acl;

	/* default revision for new ACLs */
	typedef [public,enum8bit] enum {
		SECURITY_DESCRIPTOR_REVISION_1 = 1
	} security_descriptor_revision;

	const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1;

	/* security_descriptor->type bits */
	typedef [public,bitmap16bit] bitmap {
		SEC_DESC_OWNER_DEFAULTED	= 0x0001,
		SEC_DESC_GROUP_DEFAULTED	= 0x0002,
		SEC_DESC_DACL_PRESENT		= 0x0004,
		SEC_DESC_DACL_DEFAULTED		= 0x0008,
		SEC_DESC_SACL_PRESENT		= 0x0010,
		SEC_DESC_SACL_DEFAULTED		= 0x0020,
		SEC_DESC_DACL_TRUSTED		= 0x0040,
		SEC_DESC_SERVER_SECURITY	= 0x0080,
		SEC_DESC_DACL_AUTO_INHERIT_REQ	= 0x0100,
		SEC_DESC_SACL_AUTO_INHERIT_REQ	= 0x0200,
		SEC_DESC_DACL_AUTO_INHERITED	= 0x0400,
		SEC_DESC_SACL_AUTO_INHERITED	= 0x0800,
		SEC_DESC_DACL_PROTECTED		= 0x1000,
		SEC_DESC_SACL_PROTECTED		= 0x2000,
		SEC_DESC_RM_CONTROL_VALID	= 0x4000,
		SEC_DESC_SELF_RELATIVE		= 0x8000
	} security_descriptor_type;

	typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
		security_descriptor_revision revision;
		security_descriptor_type type;     /* SEC_DESC_xxxx flags */
		[relative] dom_sid *owner_sid; 
		[relative] dom_sid *group_sid;
		[relative] security_acl *sacl; /* system ACL */
		[relative] security_acl *dacl; /* user (discretionary) ACL */
	} security_descriptor;

	[nopython] void decode_security_descriptor (
		[in] security_descriptor sd
		);

	typedef [public] struct {
		[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
		[subcontext(4)] security_descriptor *sd;
	} sec_desc_buf;

	[nopython] void decode_sec_desc_buf (
		[in] sec_desc_buf sd_buf
		);

	/* This is not yet sent over the network, but is simply defined in IDL */
	typedef [public] struct {
		uint32 num_sids;
		[size_is(num_sids)] dom_sid sids[*];
		se_privilege privilege_mask;
		lsa_SystemAccessModeFlags rights_mask;
	} security_token;

	[nopython] void decode_security_token (
		[in] security_token token
		);

	/* This is not yet sent over the network, but is simply defined in IDL */
	typedef [public] struct {
		uid_t uid;
		gid_t gid;
		uint32 ngroups;
		[size_is(ngroups)] gid_t groups[*];
	} security_unix_token;

	[nopython] void decode_security_unix_token (
		[in] security_unix_token unix_token
		);

	/* bits that determine which parts of a security descriptor
	   are being queried/set */
	typedef [public,bitmap32bit] bitmap {
		SECINFO_OWNER                = 0x00000001,
		SECINFO_GROUP                = 0x00000002,
		SECINFO_DACL                 = 0x00000004,
		SECINFO_SACL                 = 0x00000008,
		SECINFO_LABEL                = 0x00000010,
		SECINFO_UNPROTECTED_SACL     = 0x10000000,
		SECINFO_UNPROTECTED_DACL     = 0x20000000,
		SECINFO_PROTECTED_SACL	     = 0x40000000,
		SECINFO_PROTECTED_DACL	     = 0x80000000
	} security_secinfo;

	typedef [public,bitmap32bit] bitmap {
		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
	} kerb_EncTypes;

	typedef [public,bitmap32bit] bitmap {
		SEC_DACL_AUTO_INHERIT                = 0x00000001,
		SEC_SACL_AUTO_INHERIT                = 0x00000002,
		SEC_DEFAULT_DESCRIPTOR               = 0x00000004,
		SEC_OWNER_FROM_PARENT                = 0x00000008,
		SEC_GROUP_FROM_PARENT                = 0x00000010
	} security_autoinherit;

	/***************************************************************/
	/* Extended right guids */

	const string GUID_DRS_ALLOCATE_RIDS           = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_DOMAIN_MASTER    = "014bf69c-7b3b-11d1-85f6-08002be74fab";
	const string GUID_DRS_CHANGE_INFR_MASTER      = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_PDC              = "bae50096-4752-11d1-9052-00c04fc2d4cf";
	const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
	const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
	const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b";
	const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529";

	/***************************************************************/
	/* validated writes guids */
	const string GUID_DRS_VALIDATE_SPN            = "f3a64788-5306-11d1-a9c5-0000f80367c1";
	const string GUID_DRS_SELF_MEMBERSHIP         = "bf9679c0-0de6-11d0-a285-00aa003049e2";
	const string GUID_DRS_DNS_HOST_NAME           = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
	const string GUID_DRS_ADD_DNS_HOST_NAME       = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
	const string GUID_DRS_BEHAVIOR_VERSION        = "d31a8757-2447-4545-8081-3bb610cacbf2";

	/* A type to describe the mapping of generic access rights to object
	   specific access rights. */

	typedef struct {
		uint32 generic_read;
		uint32 generic_write;
		uint32 generic_execute;
		uint32 generic_all;
	} generic_mapping;

	typedef	struct {
		uint32 std_read;
		uint32 std_write;
		uint32 std_execute;
		uint32 std_all;
	} standard_mapping;
}