summaryrefslogtreecommitdiffstats
path: root/public/sdk/inc/ntlsa.h
diff options
context:
space:
mode:
authorAdam <you@example.com>2020-05-17 05:51:50 +0200
committerAdam <you@example.com>2020-05-17 05:51:50 +0200
commite611b132f9b8abe35b362e5870b74bce94a1e58e (patch)
treea5781d2ec0e085eeca33cf350cf878f2efea6fe5 /public/sdk/inc/ntlsa.h
downloadNT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.gz
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.bz2
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.lz
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.xz
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.zst
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.zip
Diffstat (limited to 'public/sdk/inc/ntlsa.h')
-rw-r--r--public/sdk/inc/ntlsa.h2190
1 files changed, 2190 insertions, 0 deletions
diff --git a/public/sdk/inc/ntlsa.h b/public/sdk/inc/ntlsa.h
new file mode 100644
index 000000000..bd19c50ba
--- /dev/null
+++ b/public/sdk/inc/ntlsa.h
@@ -0,0 +1,2190 @@
+/*++ BUILD Version: 0011 // Increment this if a change has global effects
+
+Copyright (c) 1989 Microsoft Corporation
+
+Module Name:
+
+ ntlsa.h
+
+Abstract:
+
+ This module contains the public data structures and API definitions
+ needed to utilize Local Security Authority (LSA) services.
+
+
+Author:
+
+ Jim Kelly (JimK) 21-February-1991
+
+Revision History:
+
+--*/
+
+#ifndef _NTLSA_
+#define _NTLSA_
+
+//
+// Generic negative values for unknown IDs, inapplicable indices etc.
+//
+
+#define LSA_UNKNOWN_ID ((ULONG) 0xFFFFFFFFL)
+#define LSA_UNKNOWN_INDEX ((LONG) -1)
+
+
+//
+// Each time a domain controller is promoted to primary domain
+// controller, its ModifiedId is incremented by this amount.
+//
+
+#define LSA_PROMOTION_INCREMENT {0x0,0x10}
+
+
+
+// begin_ntsecapi
+#ifndef _NTLSA_IFS_
+// begin_ntifs
+
+
+//
+// Security operation mode of the system is held in a control
+// longword.
+//
+
+typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE;
+
+// end_ntifs
+#endif // _NTLSA_IFS_
+
+//
+// The flags in the security operational mode are defined
+// as:
+//
+// PasswordProtected - Some level of authentication (such as
+// a password) must be provided by users before they are
+// allowed to use the system. Once set, this value will
+// not be cleared without re-booting the system.
+//
+// IndividualAccounts - Each user must identify an account to
+// logon to. This flag is only meaningful if the
+// PasswordProtected flag is also set. If this flag is
+// not set and the PasswordProtected flag is set, then all
+// users may logon to the same account. Once set, this value
+// will not be cleared without re-booting the system.
+//
+// MandatoryAccess - Indicates the system is running in a mandatory
+// access control mode (e.g., B-level as defined by the U.S.A's
+// Department of Defense's "Orange Book"). This is not utilized
+// in the current release of NT. This flag is only meaningful
+// if both the PasswordProtected and IndividualAccounts flags are
+// set. Once set, this value will not be cleared without
+// re-booting the system.
+//
+// LogFull - Indicates the system has been brought up in a mode in
+// which if must perform security auditing, but its audit log
+// is full. This may (should) restrict the operations that
+// can occur until the audit log is made not-full again. THIS
+// VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT
+// REBOOTING).
+//
+// If the PasswordProtected flag is not set, then the system is running
+// without security, and user interface should be adjusted appropriately.
+//
+
+#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L)
+#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L)
+#define LSA_MODE_MANDATORY_ACCESS (0x00000004L)
+#define LSA_MODE_LOG_FULL (0x00000008L)
+
+// end_ntsecapi
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Widely used LSA defines //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+//
+// Defines for Count Limits on LSA API
+//
+
+#define LSA_MAXIMUM_SID_COUNT (0x00000100L)
+#define LSA_MAXIMUM_ENUMERATION_LENGTH (32000)
+
+
+
+//
+// Defines used by ISVs or end-users defining their own privilege DLLs
+//
+
+#define LSA_PRIVILEGE_DLL_MAJOR_REV_1 (0x01)
+#define LSA_PRIVILEGE_DLL_MINOR_REV_0 (0x00)
+
+#define LSA_PRIVILEGE_DLL_INFO 1
+#define LSA_PRIVILEGE_PROGRAM_NAMES 2
+#define LSA_PRIVILEGE_DISPLAY_NAMES 3
+
+//
+// Flag OR'ed into AuthenticationPackage parameter of LsaLogonUser to
+// request that the license server be called upon successful logon.
+//
+
+#define LSA_CALL_LICENSE_SERVER 0x80000000
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Data types used by logon processes //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+// begin_ntsecapi
+#ifndef _NTLSA_IFS_
+// begin_ntifs
+//
+// Used by a logon process to indicate what type of logon is being
+// requested.
+// NOTE: Proxy logon type is not currently supported in NT 3.x
+//
+
+typedef enum _SECURITY_LOGON_TYPE {
+ Interactive = 2, // Interactively logged on (locally or remotely)
+ Network, // Accessing system via network
+ Batch, // Started via a batch queue
+ Service, // Service started by service controller
+ Proxy, // Proxy logon
+ Unlock // Unlock workstation
+} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
+
+// end_ntifs
+#endif // _NTLSA_IFS_
+
+// end_ntsecapi
+
+
+//
+// Security System Access Flags. These correspond to the enumerated
+// type values in SECURITY_LOGON_TYPE.
+//
+// IF YOU ADD A NEW LOGON TYPE HERE, ALSO ADD IT TO THE POLICY_MODE_xxx
+// data definitions.
+//
+
+#define SECURITY_ACCESS_INTERACTIVE_LOGON ((ULONG) 0x00000001L)
+#define SECURITY_ACCESS_NETWORK_LOGON ((ULONG) 0x00000002L)
+#define SECURITY_ACCESS_BATCH_LOGON ((ULONG) 0x00000004L)
+#define SECURITY_ACCESS_SERVICE_LOGON ((ULONG) 0x00000010L)
+#define SECURITY_ACCESS_PROXY_LOGON ((ULONG) 0x00000020L)
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Data types related to Auditing //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+
+//
+// The following enumerated type is used between the reference monitor and
+// LSA in the generation of audit messages. It is used to indicate the
+// type of data being passed as a parameter from the reference monitor
+// to LSA. LSA is responsible for transforming the specified data type
+// into a set of unicode strings that are added to the event record in
+// the audit log.
+//
+
+typedef enum _SE_ADT_PARAMETER_TYPE {
+
+ SeAdtParmTypeNone = 0, //Produces 1 parameter
+ //Received value:
+ //
+ // None.
+ //
+ //Results in:
+ //
+ // a unicode string containing "-".
+ //
+ //Note: This is typically used to
+ // indicate that a parameter value
+ // was not available.
+ //
+
+ SeAdtParmTypeString, //Produces 1 parameter.
+ //Received Value:
+ //
+ // Unicode String (variable length)
+ //
+ //Results in:
+ //
+ // No transformation. The string
+ // entered into the event record as
+ // received.
+
+
+
+ SeAdtParmTypeFileSpec, //Produces 1 parameter.
+ //Received value:
+ //
+ // Unicode string containing a file or
+ // directory name.
+ //
+ //Results in:
+ //
+ // Unicode string with the prefix of the
+ // file's path replaced by a drive letter
+ // if possible.
+ //
+
+
+
+
+ SeAdtParmTypeUlong, //Produces 1 parameter
+ //Received value:
+ //
+ // Ulong
+ //
+ //Results in:
+ //
+ // Unicode string representation of
+ // unsigned integer value.
+
+
+ SeAdtParmTypeSid, //Produces 1 parameter.
+ //Received value:
+ //
+ // SID (variable length)
+ //
+ //Results in:
+ //
+ // String representation of SID
+ //
+
+
+
+
+ SeAdtParmTypeLogonId, //Produces 3 parameters.
+ //Received Value:
+ //
+ // LUID (fixed length)
+ //
+ //Results in:
+ //
+ // param 1: Username string
+ // param 2: domain name string
+ // param 3: Logon ID (Luid) string
+
+
+ SeAdtParmTypeNoLogonId, //Produces 3 parameters.
+ //Received value:
+ //
+ // None.
+ //
+ //Results in:
+ //
+ // param 1: "-"
+ // param 2: "-"
+ // param 3: "-"
+ //
+ //Note:
+ //
+ // This type is used when a logon ID
+ // is needed, but one is not available
+ // to pass. For example, if an
+ // impersonation logon ID is expected
+ // but the subject is not impersonating
+ // anyone.
+ //
+
+ SeAdtParmTypeAccessMask, //Produces 1 parameter with formatting.
+ //Received value:
+ //
+ // ACCESS_MASK followed by
+ // a Unicode string. The unicode
+ // string contains the name of the
+ // type of object the access mask
+ // applies to. The event's source
+ // further qualifies the object type.
+ //
+ //Results in:
+ //
+ // formatted unicode string built to
+ // take advantage of the specified
+ // source's parameter message file.
+ //
+ //Note:
+ //
+ // An access mask containing three
+ // access types for a Widget object
+ // type (defined by the Foozle source)
+ // might end up looking like:
+ //
+ // %%1062\n\t\t%1066\n\t\t%%601
+ //
+ // The %%numbers are signals to the
+ // event viewer to perform parameter
+ // substitution before display.
+ //
+
+
+
+ SeAdtParmTypePrivs //Produces 1 parameter with formatting.
+ //Received value:
+ //
+ // ??? Check with RobertRe and ScottBi
+ //
+ //Results in:
+ //
+ // formatted unicode string similar to
+ // that for access types. Each priv
+ // will be formatted to be displayed
+ // on its own line. E.g.,
+ //
+ // %%642\n\t\t%%651\n\t\t%%655
+ //
+
+
+
+
+} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE;
+
+
+
+typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY {
+
+ SE_ADT_PARAMETER_TYPE Type;
+ ULONG Length;
+ ULONG Data[2];
+ PVOID Address;
+
+} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY;
+
+
+
+//
+// Structure that will be passed between the Reference Monitor and LSA
+// to transmit auditing information.
+//
+
+#define SE_MAX_AUDIT_PARAMETERS 24
+
+typedef struct _SE_ADT_PARAMETER_ARRAY {
+
+ ULONG CategoryId;
+ ULONG AuditId;
+ ULONG ParameterCount;
+ ULONG Length;
+ USHORT Type;
+ ULONG Flags;
+ SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[ SE_MAX_AUDIT_PARAMETERS ];
+
+} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY;
+
+
+#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001
+
+// begin_ntsecapi
+
+//
+// Audit Event Categories
+//
+// The following are the built-in types or Categories of audit event.
+// WARNING! This structure is subject to expansion. The user should not
+// compute the number of elements of this type directly, but instead
+// should obtain the count of elements by calling LsaQueryInformationPolicy()
+// for the PolicyAuditEventsInformation class and extracting the count from
+// the MaximumAuditEventCount field of the returned structure.
+//
+
+typedef enum _POLICY_AUDIT_EVENT_TYPE {
+
+ AuditCategorySystem,
+ AuditCategoryLogon,
+ AuditCategoryObjectAccess,
+ AuditCategoryPrivilegeUse,
+ AuditCategoryDetailedTracking,
+ AuditCategoryPolicyChange,
+ AuditCategoryAccountManagement
+
+} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
+
+
+//
+// The following defines describe the auditing options for each
+// event type
+//
+
+// Leave options specified for this event unchanged
+
+#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L)
+
+// Audit successful occurrences of events of this type
+
+#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L)
+
+// Audit failed attempts to cause an event of this type to occur
+
+#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L)
+
+#define POLICY_AUDIT_EVENT_NONE (0x00000004L)
+
+// Mask of valid event auditing options
+
+#define POLICY_AUDIT_EVENT_MASK \
+ (POLICY_AUDIT_EVENT_SUCCESS | \
+ POLICY_AUDIT_EVENT_FAILURE | \
+ POLICY_AUDIT_EVENT_UNCHANGED | \
+ POLICY_AUDIT_EVENT_NONE)
+
+
+#ifdef _NTDEF_
+// begin_ntifs
+typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
+typedef STRING LSA_STRING, *PLSA_STRING;
+typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
+// end_ntifs
+#else // _NTDEF_
+
+#ifndef IN
+#define IN
+#endif
+
+#ifndef OUT
+#define OUT
+#endif
+
+#ifndef OPTIONAL
+#define OPTIONAL
+#endif
+
+
+typedef struct _LSA_UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
+
+typedef struct _LSA_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PCHAR Buffer;
+} LSA_STRING, *PLSA_STRING;
+
+typedef struct _LSA_OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ PLSA_UNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
+ PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
+} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
+
+
+
+#endif // _NTDEF_
+// end_ntsecapi
+
+// begin_ntsecapi
+
+//
+// Macro for determining whether an API succeeded.
+//
+
+#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0)
+
+// end_ntsecapi
+
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Services provided for use by logon processes //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+// begin_ntsecapi
+#ifndef _NTLSA_IFS_
+// begin_ntifs
+
+NTSTATUS
+NTAPI
+LsaRegisterLogonProcess (
+ IN PLSA_STRING LogonProcessName,
+ OUT PHANDLE LsaHandle,
+ OUT PLSA_OPERATIONAL_MODE SecurityMode
+ );
+
+// end_ntifs
+// begin_ntsrv
+
+NTSTATUS
+NTAPI
+LsaLogonUser (
+ IN HANDLE LsaHandle,
+ IN PLSA_STRING OriginName,
+ IN SECURITY_LOGON_TYPE LogonType,
+ IN ULONG AuthenticationPackage,
+ IN PVOID AuthenticationInformation,
+ IN ULONG AuthenticationInformationLength,
+ IN PTOKEN_GROUPS LocalGroups OPTIONAL,
+ IN PTOKEN_SOURCE SourceContext,
+ OUT PVOID *ProfileBuffer,
+ OUT PULONG ProfileBufferLength,
+ OUT PLUID LogonId,
+ OUT PHANDLE Token,
+ OUT PQUOTA_LIMITS Quotas,
+ OUT PNTSTATUS SubStatus
+ );
+
+
+// end_ntsrv
+// begin_ntifs
+
+NTSTATUS
+NTAPI
+LsaLookupAuthenticationPackage (
+ IN HANDLE LsaHandle,
+ IN PLSA_STRING PackageName,
+ OUT PULONG AuthenticationPackage
+ );
+
+NTSTATUS
+NTAPI
+LsaFreeReturnBuffer (
+ IN PVOID Buffer
+ );
+
+NTSTATUS
+NTAPI
+LsaCallAuthenticationPackage (
+ IN HANDLE LsaHandle,
+ IN ULONG AuthenticationPackage,
+ IN PVOID ProtocolSubmitBuffer,
+ IN ULONG SubmitBufferLength,
+ OUT PVOID *ProtocolReturnBuffer,
+ OUT PULONG ReturnBufferLength,
+ OUT PNTSTATUS ProtocolStatus
+ );
+
+
+NTSTATUS
+NTAPI
+LsaDeregisterLogonProcess (
+ IN HANDLE LsaHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaConnectUntrusted (
+ OUT PHANDLE LsaHandle
+ );
+
+
+// end_ntifs
+#endif // _NTLSA_IFS_
+
+// end_ntsecapi
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Data types used by authentication packages //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+//
+// opaque data type which represents a client request
+//
+
+typedef PVOID *PLSA_CLIENT_REQUEST;
+
+
+//
+// When a logon of a user is requested, the authentication package
+// is expected to return one of the following structures indicating
+// the contents of a user's token.
+//
+
+typedef enum _LSA_TOKEN_INFORMATION_TYPE {
+ LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
+ LsaTokenInformationV1 // Implies LSA_TOKEN_INFORMATION_V1 data type
+} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
+
+
+//
+// The NULL information is used in cases where a non-authenticated
+// system access is needed. For example, a non-authentication network
+// circuit (such as LAN Manager's null session) can be given NULL
+// information. This will result in an anonymous token being generated
+// for the logon that gives the user no ability to access protected system
+// resources, but does allow access to non-protected system resources.
+//
+
+typedef struct _LSA_TOKEN_INFORMATION_NULL {
+
+ //
+ // Time at which the security context becomes invalid.
+ // Use a value in the distant future if the context
+ // never expires.
+ //
+
+ LARGE_INTEGER ExpirationTime;
+
+ //
+ // The SID(s) of groups the user is to be made a member of. This should
+ // not include WORLD or other system defined and assigned
+ // SIDs. These will be added automatically by LSA.
+ //
+ // Each SID is expected to be in a separately allocated block
+ // of memory. The TOKEN_GROUPS structure is also expected to
+ // be in a separately allocated block of memory.
+ //
+
+ PTOKEN_GROUPS Groups;
+
+} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
+
+
+//
+// The V1 information is used in most cases of logon. This structure
+// contains information that an authentication package can place in a
+// Version 1 NT token object.
+//
+
+typedef struct _LSA_TOKEN_INFORMATION_V1 {
+
+ //
+ // Time at which the security context becomes invalid.
+ // Use a value in the distant future if the context
+ // never expires.
+ //
+
+ LARGE_INTEGER ExpirationTime;
+
+ //
+ // The SID of the user logging on. The SID value is in a
+ // separately allocated block of memory.
+ //
+
+ TOKEN_USER User;
+
+ //
+ // The SID(s) of groups the user is a member of. This should
+ // not include WORLD or other system defined and assigned
+ // SIDs. These will be added automatically by LSA.
+ //
+ // Each SID is expected to be in a separately allocated block
+ // of memory. The TOKEN_GROUPS structure is also expected to
+ // be in a separately allocated block of memory.
+ //
+
+ PTOKEN_GROUPS Groups;
+
+ //
+ // This field is used to establish the primary group of the user.
+ // This value does not have to correspond to one of the SIDs
+ // assigned to the user.
+ //
+ // The SID pointed to by this structure is expected to be in
+ // a separately allocated block of memory.
+ //
+ // This field is mandatory and must be filled in.
+ //
+
+ TOKEN_PRIMARY_GROUP PrimaryGroup;
+
+
+
+ //
+ // The privileges the user is assigned. This list of privileges
+ // will be augmented or over-ridden by any local security policy
+ // assigned privileges.
+ //
+ // Each privilege is expected to be in a separately allocated
+ // block of memory. The TOKEN_PRIVILEGES structure is also
+ // expected to be in a separately allocated block of memory.
+ //
+ // If there are no privileges to assign to the user, this field
+ // may be set to NULL.
+ //
+
+ PTOKEN_PRIVILEGES Privileges;
+
+
+
+ //
+ // This field may be used to establish an explicit default
+ // owner. Normally, the user ID is used as the default owner.
+ // If another value is desired, it must be specified here.
+ //
+ // The Owner.Sid field may be set to NULL to indicate there is no
+ // alternate default owner value.
+ //
+
+ TOKEN_OWNER Owner;
+
+ //
+ // This field may be used to establish a default
+ // protection for the user. If no value is provided, then
+ // a default protection that grants everyone all access will
+ // be established.
+ //
+ // The DefaultDacl.DefaultDacl field may be set to NULL to indicate
+ // there is no default protection.
+ //
+
+ TOKEN_DEFAULT_DACL DefaultDacl;
+
+} LSA_TOKEN_INFORMATION_V1, *PLSA_TOKEN_INFORMATION_V1;
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Interface definitions available for use by authentication packages //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+
+
+typedef NTSTATUS
+(*PLSA_CREATE_LOGON_SESSION) (
+ IN PLUID LogonId
+ );
+
+typedef NTSTATUS
+(*PLSA_DELETE_LOGON_SESSION) (
+ IN PLUID LogonId
+ );
+
+typedef NTSTATUS
+(*PLSA_ADD_CREDENTIAL) (
+ IN PLUID LogonId,
+ IN ULONG AuthenticationPackage,
+ IN PLSA_STRING PrimaryKeyValue,
+ IN PLSA_STRING Credentials
+ );
+
+typedef NTSTATUS
+(*PLSA_GET_CREDENTIALS) (
+ IN PLUID LogonId,
+ IN ULONG AuthenticationPackage,
+ IN OUT PULONG QueryContext,
+ IN BOOLEAN RetrieveAllCredentials,
+ IN PLSA_STRING PrimaryKeyValue,
+ OUT PULONG PrimaryKeyLength,
+ IN PLSA_STRING Credentials
+ );
+
+typedef NTSTATUS
+(*PLSA_DELETE_CREDENTIAL) (
+ IN PLUID LogonId,
+ IN ULONG AuthenticationPackage,
+ IN PLSA_STRING PrimaryKeyValue
+ );
+
+typedef PVOID
+(*PLSA_ALLOCATE_LSA_HEAP) (
+ IN ULONG Length
+ );
+
+typedef VOID
+(*PLSA_FREE_LSA_HEAP) (
+ IN PVOID Base
+ );
+
+typedef NTSTATUS
+(*PLSA_ALLOCATE_CLIENT_BUFFER) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN ULONG LengthRequired,
+ OUT PVOID *ClientBaseAddress
+ );
+
+typedef NTSTATUS
+(*PLSA_FREE_CLIENT_BUFFER) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN PVOID ClientBaseAddress
+ );
+
+typedef NTSTATUS
+(*PLSA_COPY_TO_CLIENT_BUFFER) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN ULONG Length,
+ IN PVOID ClientBaseAddress,
+ IN PVOID BufferToCopy
+ );
+
+typedef NTSTATUS
+(*PLSA_COPY_FROM_CLIENT_BUFFER) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN ULONG Length,
+ IN PVOID BufferToCopy,
+ IN PVOID ClientBaseAddress
+ );
+
+
+
+//
+// The dispatch table of LSA services which are available to
+// authentication packages.
+//
+typedef struct _LSA_DISPATCH_TABLE {
+ PLSA_CREATE_LOGON_SESSION CreateLogonSession;
+ PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
+ PLSA_ADD_CREDENTIAL AddCredential;
+ PLSA_GET_CREDENTIALS GetCredentials;
+ PLSA_DELETE_CREDENTIAL DeleteCredential;
+ PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
+ PLSA_FREE_LSA_HEAP FreeLsaHeap;
+ PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
+ PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
+ PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
+ PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
+} LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;
+
+
+
+////////////////////////////////////////////////////////////////////////////
+// //
+// Interface definitions of services provided by authentication packages //
+// //
+////////////////////////////////////////////////////////////////////////////
+
+
+//
+// Routine names
+//
+// The routines provided by the DLL must be assigned the following names
+// so that their addresses can be retrieved when the DLL is loaded.
+//
+
+#define LSA_AP_NAME_INITIALIZE_PACKAGE "LsaApInitializePackage\0"
+#define LSA_AP_NAME_LOGON_USER "LsaApLogonUser\0"
+#define LSA_AP_NAME_LOGON_USER_EX "LsaApLogonUserEx\0"
+#define LSA_AP_NAME_CALL_PACKAGE "LsaApCallPackage\0"
+#define LSA_AP_NAME_LOGON_TERMINATED "LsaApLogonTerminated\0"
+#define LSA_AP_NAME_CALL_PACKAGE_UNTRUSTED "LsaApCallPackageUntrusted\0"
+
+
+//
+// Routine templates
+//
+
+
+typedef NTSTATUS
+(*PLSA_AP_INITIALIZE_PACKAGE) (
+ IN ULONG AuthenticationPackageId,
+ IN PLSA_DISPATCH_TABLE LsaDispatchTable,
+ IN PLSA_STRING Database OPTIONAL,
+ IN PLSA_STRING Confidentiality OPTIONAL,
+ OUT PLSA_STRING *AuthenticationPackageName
+ );
+
+typedef NTSTATUS
+(*PLSA_AP_LOGON_USER) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN SECURITY_LOGON_TYPE LogonType,
+ IN PVOID AuthenticationInformation,
+ IN PVOID ClientAuthenticationBase,
+ IN ULONG AuthenticationInformationLength,
+ OUT PVOID *ProfileBuffer,
+ OUT PULONG ProfileBufferLength,
+ OUT PLUID LogonId,
+ OUT PNTSTATUS SubStatus,
+ OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
+ OUT PVOID *TokenInformation,
+ OUT PLSA_UNICODE_STRING *AccountName,
+ OUT PLSA_UNICODE_STRING *AuthenticatingAuthority
+ );
+
+typedef NTSTATUS
+(*PLSA_AP_LOGON_USER_EX) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN SECURITY_LOGON_TYPE LogonType,
+ IN PVOID AuthenticationInformation,
+ IN PVOID ClientAuthenticationBase,
+ IN ULONG AuthenticationInformationLength,
+ OUT PVOID *ProfileBuffer,
+ OUT PULONG ProfileBufferLength,
+ OUT PLUID LogonId,
+ OUT PNTSTATUS SubStatus,
+ OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
+ OUT PVOID *TokenInformation,
+ OUT PUNICODE_STRING *AccountName,
+ OUT PUNICODE_STRING *AuthenticatingAuthority,
+ OUT PUNICODE_STRING *MachineName
+ );
+
+typedef NTSTATUS
+(*PLSA_AP_CALL_PACKAGE) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN PVOID ProtocolSubmitBuffer,
+ IN PVOID ClientBufferBase,
+ IN ULONG SubmitBufferLength,
+ OUT PVOID *ProtocolReturnBuffer,
+ OUT PULONG ReturnBufferLength,
+ OUT PNTSTATUS ProtocolStatus
+ );
+
+typedef VOID
+(*PLSA_AP_LOGON_TERMINATED) (
+ IN PLUID LogonId
+ );
+
+typedef PLSA_AP_CALL_PACKAGE PLSA_AP_CALL_PACKAGE_UNTRUSTED;
+
+
+
+// begin_ntsecapi
+////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy Administration API datatypes and defines //
+// //
+////////////////////////////////////////////////////////////////////////////
+
+//
+// Access types for the Policy object
+//
+
+#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L
+#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L
+#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L
+#define POLICY_TRUST_ADMIN 0x00000008L
+#define POLICY_CREATE_ACCOUNT 0x00000010L
+#define POLICY_CREATE_SECRET 0x00000020L
+#define POLICY_CREATE_PRIVILEGE 0x00000040L
+#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L
+#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L
+#define POLICY_AUDIT_LOG_ADMIN 0x00000200L
+#define POLICY_SERVER_ADMIN 0x00000400L
+#define POLICY_LOOKUP_NAMES 0x00000800L
+
+#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
+ POLICY_VIEW_LOCAL_INFORMATION |\
+ POLICY_VIEW_AUDIT_INFORMATION |\
+ POLICY_GET_PRIVATE_INFORMATION |\
+ POLICY_TRUST_ADMIN |\
+ POLICY_CREATE_ACCOUNT |\
+ POLICY_CREATE_SECRET |\
+ POLICY_CREATE_PRIVILEGE |\
+ POLICY_SET_DEFAULT_QUOTA_LIMITS |\
+ POLICY_SET_AUDIT_REQUIREMENTS |\
+ POLICY_AUDIT_LOG_ADMIN |\
+ POLICY_SERVER_ADMIN |\
+ POLICY_LOOKUP_NAMES )
+
+
+#define POLICY_READ (STANDARD_RIGHTS_READ |\
+ POLICY_VIEW_AUDIT_INFORMATION |\
+ POLICY_GET_PRIVATE_INFORMATION)
+
+#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\
+ POLICY_TRUST_ADMIN |\
+ POLICY_CREATE_ACCOUNT |\
+ POLICY_CREATE_SECRET |\
+ POLICY_CREATE_PRIVILEGE |\
+ POLICY_SET_DEFAULT_QUOTA_LIMITS |\
+ POLICY_SET_AUDIT_REQUIREMENTS |\
+ POLICY_AUDIT_LOG_ADMIN |\
+ POLICY_SERVER_ADMIN)
+
+#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
+ POLICY_VIEW_LOCAL_INFORMATION |\
+ POLICY_LOOKUP_NAMES )
+
+
+//
+// Policy object specific data types.
+//
+
+//
+// The following data type is used to identify a domain
+//
+
+typedef struct _LSA_TRUST_INFORMATION {
+
+ LSA_UNICODE_STRING Name;
+ PSID Sid;
+
+} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
+
+// where members have the following usage:
+//
+// Name - The name of the domain.
+//
+// Sid - A pointer to the Sid of the Domain
+//
+
+//
+// The following data type is used in name and SID lookup services to
+// describe the domains referenced in the lookup operation.
+//
+
+typedef struct _LSA_REFERENCED_DOMAIN_LIST {
+
+ ULONG Entries;
+ PLSA_TRUST_INFORMATION Domains;
+
+} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST;
+
+// where members have the following usage:
+//
+// Entries - Is a count of the number of domains described in the
+// Domains array.
+//
+// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
+// structures.
+//
+
+
+//
+// The following data type is used in name to SID lookup services to describe
+// the domains referenced in the lookup operation.
+//
+
+typedef struct _LSA_TRANSLATED_SID {
+
+ SID_NAME_USE Use;
+ ULONG RelativeId;
+ LONG DomainIndex;
+
+} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID;
+
+// where members have the following usage:
+//
+// Use - identifies the use of the SID. If this value is SidUnknown or
+// SidInvalid, then the remainder of the record is not set and
+// should be ignored.
+//
+// RelativeId - Contains the relative ID of the translated SID. The
+// remainder of the SID (the prefix) is obtained using the
+// DomainIndex field.
+//
+// DomainIndex - Is the index of an entry in a related
+// LSA_REFERENCED_DOMAIN_LIST data structure describing the
+// domain in which the account was found.
+//
+// If there is no corresponding reference domain for an entry, then
+// this field will contain a negative value.
+//
+
+
+//
+// The following data type is used in SID to name lookup services to
+// describe the domains referenced in the lookup operation.
+//
+
+typedef struct _LSA_TRANSLATED_NAME {
+
+ SID_NAME_USE Use;
+ LSA_UNICODE_STRING Name;
+ LONG DomainIndex;
+
+} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
+
+// where the members have the following usage:
+//
+// Use - Identifies the use of the name. If this value is SidUnknown
+// or SidInvalid, then the remainder of the record is not set and
+// should be ignored. If this value is SidWellKnownGroup then the
+// Name field is invalid, but the DomainIndex field is not.
+//
+// Name - Contains the isolated name of the translated SID.
+//
+// DomainIndex - Is the index of an entry in a related
+// LSA_REFERENCED_DOMAIN_LIST data structure describing the domain
+// in which the account was found.
+//
+// If there is no corresponding reference domain for an entry, then
+// this field will contain a negative value.
+//
+
+// end_ntsecapi
+
+//
+// The following data type specifies the ways in whcih a user or member of
+// an alias or group may be allowed to access the system. An account may
+// be granted zero or more of these types of access to the system.
+//
+// The types of access are:
+//
+// Interactive - The user or alias/group member may interactively logon
+// to the system.
+//
+// Network - The user or alias/group member may access the system via
+// the network (e.g., through shares).
+//
+// Service - The user or alias may be activated as a service on the
+// system.
+//
+
+typedef ULONG POLICY_SYSTEM_ACCESS_MODE, *PPOLICY_SYSTEM_ACCESS_MODE;
+
+#define POLICY_MODE_INTERACTIVE SECURITY_ACCESS_INTERACTIVE_LOGON
+#define POLICY_MODE_NETWORK SECURITY_ACCESS_NETWORK_LOGON
+#define POLICY_MODE_BATCH SECURITY_ACCESS_BATCH_LOGON
+#define POLICY_MODE_SERVICE SECURITY_ACCESS_SERVICE_LOGON
+#define POLICY_MODE_PROXY SECURITY_ACCESS_PROXY_LOGON
+
+#define POLICY_MODE_ALL (POLICY_MODE_INTERACTIVE | \
+ POLICY_MODE_NETWORK | \
+ POLICY_MODE_BATCH | \
+ POLICY_MODE_SERVICE | \
+ POLICY_MODE_PROXY )
+
+// begin_ntsecapi
+
+//
+// The following data type is used to represent the role of the LSA
+// server (primary or backup).
+//
+
+typedef enum _POLICY_LSA_SERVER_ROLE {
+
+ PolicyServerRoleBackup = 2,
+ PolicyServerRolePrimary
+
+} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE;
+
+
+//
+// The following data type is used to represent the state of the LSA
+// server (enabled or disabled). Some operations may only be performed on
+// an enabled LSA server.
+//
+
+typedef enum _POLICY_SERVER_ENABLE_STATE {
+
+ PolicyServerEnabled = 2,
+ PolicyServerDisabled
+
+} POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE;
+
+
+//
+// The following data type is used to specify the auditing options for
+// an Audit Event Type.
+//
+
+typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS;
+
+// where the following flags can be set:
+//
+// POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options
+// unchanged for events of this type. This flag is only used for
+// set operations. If this flag is set, then all other flags
+// are ignored.
+//
+// POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events
+// of this type. If this flag is set, the success/failure flags
+// are ignored.
+//
+// POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all
+// successful occurrences of events of the given type.
+//
+// POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all
+// unsuccessful occurrences of events of the given type.
+//
+
+
+
+//
+// The following data type is used to return information about privileges
+// defined on a system.
+//
+
+typedef struct _POLICY_PRIVILEGE_DEFINITION {
+
+ LSA_UNICODE_STRING Name;
+ LUID LocalValue;
+
+} POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
+
+// where the members have the following usage:
+//
+// Name - Is the architected name of the privilege. This is the
+// primary key of the privilege and the only value that is
+// transportable between systems.
+//
+// Luid - is a LUID value assigned locally for efficient representation
+// of the privilege. Ths value is meaningful only on the system it
+// was assigned on and is not transportable in any way.
+//
+
+
+//
+// The following data type defines the classes of Policy Information
+// that may be queried/set.
+//
+
+typedef enum _POLICY_INFORMATION_CLASS {
+
+ PolicyAuditLogInformation = 1,
+ PolicyAuditEventsInformation,
+ PolicyPrimaryDomainInformation,
+ PolicyPdAccountInformation,
+ PolicyAccountDomainInformation,
+ PolicyLsaServerRoleInformation,
+ PolicyReplicaSourceInformation,
+ PolicyDefaultQuotaInformation,
+ PolicyModificationInformation,
+ PolicyAuditFullSetInformation,
+ PolicyAuditFullQueryInformation
+
+} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
+
+
+//
+// The following data type corresponds to the PolicyAuditLogInformation
+// information class. It is used to represent information relating to
+// the Audit Log.
+//
+// This structure may be used in both query and set operations. However,
+// when used in set operations, some fields are ignored.
+//
+
+typedef struct _POLICY_AUDIT_LOG_INFO {
+
+ ULONG AuditLogPercentFull;
+ ULONG MaximumLogSize;
+ LARGE_INTEGER AuditRetentionPeriod;
+ BOOLEAN AuditLogFullShutdownInProgress;
+ LARGE_INTEGER TimeToShutdown;
+ ULONG NextAuditRecordId;
+
+} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO;
+
+// where the members have the following usage:
+//
+// AuditLogPercentFull - Indicates the percentage of the Audit Log
+// currently being used.
+//
+// MaximumLogSize - Specifies the maximum size of the Audit Log in
+// kilobytes.
+//
+// AuditRetentionPeriod - Indicates the length of time that Audit
+// Records are to be retained. Audit Records are discardable
+// if their timestamp predates the current time minus the
+// retention period.
+//
+// AuditLogFullShutdownInProgress - Indicates whether or not a system
+// shutdown is being initiated due to the security Audit Log becoming
+// full. This condition will only occur if the system is configured
+// to shutdown when the log becomes full.
+//
+// TRUE indicates that a shutdown is in progress
+// FALSE indicates that a shutdown is not in progress.
+//
+// Once a shutdown has been initiated, this flag will be set to
+// TRUE. If an administrator is able to currect the situation
+// before the shutdown becomes irreversible, then this flag will
+// be reset to false.
+//
+// This field is ignored for set operations.
+//
+// TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set,
+// then this field contains the time left before the shutdown
+// becomes irreversible.
+//
+// This field is ignored for set operations.
+//
+
+
+//
+// The following data type corresponds to the PolicyAuditEventsInformation
+// information class. It is used to represent information relating to
+// the audit requirements.
+//
+
+typedef struct _POLICY_AUDIT_EVENTS_INFO {
+
+ BOOLEAN AuditingMode;
+ PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
+ ULONG MaximumAuditEventCount;
+
+} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
+
+// where the members have the following usage:
+//
+// AuditingMode - A Boolean variable specifying the Auditing Mode value.
+// This value is interpreted as follows:
+//
+// TRUE - Auditing is to be enabled (set operations) or is enabled
+// (query operations). Audit Records will be generated according
+// to the Event Auditing Options in effect (see the
+// EventAuditingOptions field.
+//
+// FALSE - Auditing is to be disabled (set operations) or is
+// disabled (query operations). No Audit Records will be
+// generated. Note that for set operations the Event Auditing
+// Options in effect will still be updated as specified by the
+// EventAuditingOptions field whether Auditing is enabled or
+// disabled.
+//
+// EventAuditingOptions - Pointer to an array of Auditing Options
+// indexed by Audit Event Type.
+//
+// MaximumAuditEventCount - Specifiesa count of the number of Audit
+// Event Types specified by the EventAuditingOptions parameter. If
+// this count is less than the number of Audit Event Types supported
+// by the system, the Auditing Options for Event Types with IDs
+// higher than (MaximumAuditEventCount + 1) are left unchanged.
+//
+
+
+//
+// The following structure corresponds to the PolicyAccountDomainInformation
+// information class.
+//
+
+typedef struct _POLICY_ACCOUNT_DOMAIN_INFO {
+
+ LSA_UNICODE_STRING DomainName;
+ PSID DomainSid;
+
+} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO;
+
+// where the members have the following usage:
+//
+// DomainName - Is the name of the domain
+//
+// DomainSid - Is the Sid of the domain
+//
+
+
+//
+// The following structure corresponds to the PolicyPrimaryDomainInformation
+// information class.
+//
+
+typedef struct _POLICY_PRIMARY_DOMAIN_INFO {
+
+ LSA_UNICODE_STRING Name;
+ PSID Sid;
+
+} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO;
+
+// where the members have the following usage:
+//
+// Name - Is the name of the domain
+//
+// Sid - Is the Sid of the domain
+//
+
+
+//
+// The following structure corresponds to the PolicyPdAccountInformation
+// information class. This structure may be used in Query operations
+// only.
+//
+
+typedef struct _POLICY_PD_ACCOUNT_INFO {
+
+ LSA_UNICODE_STRING Name;
+
+} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO;
+
+// where the members have the following usage:
+//
+// Name - Is the name of an account in the domain that should be used
+// for authentication and name/ID lookup requests.
+//
+
+
+//
+// The following structure corresponds to the PolicyLsaServerRoleInformation
+// information class.
+//
+
+typedef struct _POLICY_LSA_SERVER_ROLE_INFO {
+
+ POLICY_LSA_SERVER_ROLE LsaServerRole;
+
+} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO;
+
+// where the fields have the following usage:
+//
+// TBS
+//
+
+
+//
+// The following structure corresponds to the PolicyReplicaSourceInformation
+// information class.
+//
+
+typedef struct _POLICY_REPLICA_SOURCE_INFO {
+
+ LSA_UNICODE_STRING ReplicaSource;
+ LSA_UNICODE_STRING ReplicaAccountName;
+
+} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO;
+
+
+//
+// The following structure corresponds to the PolicyDefaultQuotaInformation
+// information class.
+//
+
+typedef struct _POLICY_DEFAULT_QUOTA_INFO {
+
+ QUOTA_LIMITS QuotaLimits;
+
+} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO;
+
+
+//
+// The following structure corresponds to the PolicyModificationInformation
+// information class.
+//
+
+typedef struct _POLICY_MODIFICATION_INFO {
+
+ LARGE_INTEGER ModifiedId;
+ LARGE_INTEGER DatabaseCreationTime;
+
+} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO;
+
+// where the members have the following usage:
+//
+// ModifiedId - Is a 64-bit unsigned integer that is incremented each
+// time anything in the LSA database is modified. This value is
+// only modified on Primary Domain Controllers.
+//
+// DatabaseCreationTime - Is the date/time that the LSA Database was
+// created. On Backup Domain Controllers, this value is replicated
+// from the Primary Domain Controller.
+//
+
+//
+// The following structure type corresponds to the PolicyAuditFullSetInformation
+// Information Class.
+//
+
+typedef struct _POLICY_AUDIT_FULL_SET_INFO {
+
+ BOOLEAN ShutDownOnFull;
+
+} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO;
+
+//
+// The following structure type corresponds to the PolicyAuditFullQueryInformation
+// Information Class.
+//
+
+typedef struct _POLICY_AUDIT_FULL_QUERY_INFO {
+
+ BOOLEAN ShutDownOnFull;
+ BOOLEAN LogIsFull;
+
+} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO;
+
+// end_ntsecapi
+
+//
+// Account object type-specific Access Types
+//
+
+#define ACCOUNT_VIEW 0x00000001L
+#define ACCOUNT_ADJUST_PRIVILEGES 0x00000002L
+#define ACCOUNT_ADJUST_QUOTAS 0x00000004L
+#define ACCOUNT_ADJUST_SYSTEM_ACCESS 0x00000008L
+
+#define ACCOUNT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
+ ACCOUNT_VIEW |\
+ ACCOUNT_ADJUST_PRIVILEGES |\
+ ACCOUNT_ADJUST_QUOTAS |\
+ ACCOUNT_ADJUST_SYSTEM_ACCESS)
+
+#define ACCOUNT_READ (STANDARD_RIGHTS_READ |\
+ ACCOUNT_VIEW)
+
+#define ACCOUNT_WRITE (STANDARD_RIGHTS_WRITE |\
+ ACCOUNT_ADJUST_PRIVILEGES |\
+ ACCOUNT_ADJUST_QUOTAS |\
+ ACCOUNT_ADJUST_SYSTEM_ACCESS)
+
+#define ACCOUNT_EXECUTE (STANDARD_RIGHTS_EXECUTE)
+
+// begin_ntsecapi
+
+//
+// LSA RPC Context Handle (Opaque form). Note that a Context Handle is
+// always a pointer type unlike regular handles.
+//
+
+typedef PVOID LSA_HANDLE, *PLSA_HANDLE;
+
+// end_ntsecapi
+
+//
+// Trusted Domain object specific access types
+//
+
+#define TRUSTED_QUERY_DOMAIN_NAME 0x00000001L
+#define TRUSTED_QUERY_CONTROLLERS 0x00000002L
+#define TRUSTED_SET_CONTROLLERS 0x00000004L
+#define TRUSTED_QUERY_POSIX 0x00000008L
+#define TRUSTED_SET_POSIX 0x00000010L
+
+
+#define TRUSTED_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
+ TRUSTED_QUERY_DOMAIN_NAME |\
+ TRUSTED_QUERY_CONTROLLERS |\
+ TRUSTED_SET_CONTROLLERS |\
+ TRUSTED_QUERY_POSIX |\
+ TRUSTED_SET_POSIX)
+
+#define TRUSTED_READ (STANDARD_RIGHTS_READ |\
+ TRUSTED_QUERY_DOMAIN_NAME)
+
+#define TRUSTED_WRITE (STANDARD_RIGHTS_WRITE |\
+ TRUSTED_SET_CONTROLLERS |\
+ TRUSTED_SET_POSIX)
+
+#define TRUSTED_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
+ TRUSTED_QUERY_CONTROLLERS |\
+ TRUSTED_QUERY_POSIX)
+
+
+
+// begin_ntsecapi
+
+//
+// Trusted Domain Object specific data types
+//
+
+//
+// This data type defines the following information classes that may be
+// queried or set.
+//
+
+typedef enum _TRUSTED_INFORMATION_CLASS {
+
+ TrustedDomainNameInformation = 1,
+ TrustedControllersInformation,
+ TrustedPosixOffsetInformation,
+ TrustedPasswordInformation
+
+} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS;
+
+//
+// The following data type corresponds to the TrustedDomainNameInformation
+// information class.
+//
+
+typedef struct _TRUSTED_DOMAIN_NAME_INFO {
+
+ LSA_UNICODE_STRING Name;
+
+} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO;
+
+// where members have the following meaning:
+//
+// Name - The name of the Trusted Domain.
+//
+
+//
+// The following data type corresponds to the TrustedControllersInformation
+// information class.
+//
+
+typedef struct _TRUSTED_CONTROLLERS_INFO {
+
+ ULONG Entries;
+ PLSA_UNICODE_STRING Names;
+
+} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO;
+
+// where members have the following meaning:
+//
+// Entries - Indicate how mamy entries there are in the Names array.
+//
+// Names - Pointer to an array of LSA_UNICODE_STRING structures containing the
+// names of domain controllers of the domain. This information may not
+// be accurate and should be used only as a hint. The order of this
+// list is considered significant and will be maintained.
+//
+// By convention, the first name in this list is assumed to be the
+// Primary Domain Controller of the domain. If the Primary Domain
+// Controller is not known, the first name should be set to the NULL
+// string.
+//
+
+
+//
+// The following data type corresponds to the TrustedPosixOffsetInformation
+// information class.
+//
+
+typedef struct _TRUSTED_POSIX_OFFSET_INFO {
+
+ ULONG Offset;
+
+} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO;
+
+// where members have the following meaning:
+//
+// Offset - Is an offset to use for the generation of Posix user and group
+// IDs from SIDs. The Posix ID corresponding to any particular SID is
+// generated by adding the RID of that SID to the Offset of the SID's
+// corresponding TrustedDomain object.
+//
+
+//
+// The following data type corresponds to the TrustedPasswordInformation
+// information class.
+//
+
+typedef struct _TRUSTED_PASSWORD_INFO {
+ LSA_UNICODE_STRING Password;
+ LSA_UNICODE_STRING OldPassword;
+} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO;
+
+
+
+// end_ntsecapi
+
+//
+// Secret object specific access types
+//
+
+#define SECRET_SET_VALUE 0x00000001L
+#define SECRET_QUERY_VALUE 0x00000002L
+
+#define SECRET_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
+ SECRET_SET_VALUE |\
+ SECRET_QUERY_VALUE)
+
+#define SECRET_READ (STANDARD_RIGHTS_READ |\
+ SECRET_QUERY_VALUE)
+
+#define SECRET_WRITE (STANDARD_RIGHTS_WRITE |\
+ SECRET_SET_VALUE)
+
+#define SECRET_EXECUTE (STANDARD_RIGHTS_EXECUTE)
+
+//
+// Global secret object prefix
+//
+
+#define LSA_GLOBAL_SECRET_PREFIX L"G$"
+#define LSA_GLOBAL_SECRET_PREFIX_LENGTH 2
+
+//
+// Secret object specific data types.
+//
+
+//
+// Secret object limits
+//
+
+#define LSA_SECRET_MAXIMUM_COUNT 0x00001000L
+#define LSA_SECRET_MAXIMUM_LENGTH 0x00000200L
+
+// begin_ntsecapi
+
+//
+// LSA Enumeration Context
+//
+
+typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE;
+
+//
+// LSA Enumeration Information
+//
+
+typedef struct _LSA_ENUMERATION_INFORMATION {
+
+ PSID Sid;
+
+} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
+
+
+////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Miscellaneous API function prototypes //
+// //
+////////////////////////////////////////////////////////////////////////////
+
+
+NTSTATUS
+NTAPI
+LsaFreeMemory(
+ IN PVOID Buffer
+ );
+
+NTSTATUS
+NTAPI
+LsaClose(
+ IN LSA_HANDLE ObjectHandle
+ );
+
+// end_ntsecapi
+
+NTSTATUS
+NTAPI
+LsaDelete(
+ IN LSA_HANDLE ObjectHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaQuerySecurityObject(
+ IN LSA_HANDLE ObjectHandle,
+ IN SECURITY_INFORMATION SecurityInformation,
+ OUT PSECURITY_DESCRIPTOR *SecurityDescriptor
+ );
+
+NTSTATUS
+NTAPI
+LsaSetSecurityObject(
+ IN LSA_HANDLE ObjectHandle,
+ IN SECURITY_INFORMATION SecurityInformation,
+ IN PSECURITY_DESCRIPTOR SecurityDescriptor
+ );
+
+NTSTATUS
+NTAPI
+LsaChangePassword(
+ IN PLSA_UNICODE_STRING ServerName,
+ IN PLSA_UNICODE_STRING DomainName,
+ IN PLSA_UNICODE_STRING AccountName,
+ IN PLSA_UNICODE_STRING OldPassword,
+ IN PLSA_UNICODE_STRING NewPassword
+ );
+
+///////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Policy Object API function prototypes //
+// //
+///////////////////////////////////////////////////////////////////////////////
+
+// begin_ntsecapi
+NTSTATUS
+NTAPI
+LsaOpenPolicy(
+ IN PLSA_UNICODE_STRING SystemName OPTIONAL,
+ IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
+ IN ACCESS_MASK DesiredAccess,
+ IN OUT PLSA_HANDLE PolicyHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaQueryInformationPolicy(
+ IN LSA_HANDLE PolicyHandle,
+ IN POLICY_INFORMATION_CLASS InformationClass,
+ OUT PVOID *Buffer
+ );
+
+NTSTATUS
+NTAPI
+LsaSetInformationPolicy(
+ IN LSA_HANDLE PolicyHandle,
+ IN POLICY_INFORMATION_CLASS InformationClass,
+ IN PVOID Buffer
+ );
+
+// end_ntsecapi
+
+NTSTATUS
+NTAPI
+LsaClearAuditLog(
+ IN LSA_HANDLE PolicyHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaCreateAccount(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID AccountSid,
+ IN ACCESS_MASK DesiredAccess,
+ OUT PLSA_HANDLE AccountHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaEnumerateAccounts(
+ IN LSA_HANDLE PolicyHandle,
+ IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
+ OUT PVOID *EnumerationBuffer,
+ IN ULONG PreferedMaximumLength,
+ OUT PULONG CountReturned
+ );
+
+NTSTATUS
+NTAPI
+LsaCreateTrustedDomain(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_TRUST_INFORMATION TrustedDomainInformation,
+ IN ACCESS_MASK DesiredAccess,
+ OUT PLSA_HANDLE TrustedDomainHandle
+ );
+
+// begin_ntsecapi
+
+NTSTATUS
+NTAPI
+LsaEnumerateTrustedDomains(
+ IN LSA_HANDLE PolicyHandle,
+ IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
+ OUT PVOID *Buffer,
+ IN ULONG PreferedMaximumLength,
+ OUT PULONG CountReturned
+ );
+
+// end_ntsecapi
+
+NTSTATUS
+NTAPI
+LsaEnumeratePrivileges(
+ IN LSA_HANDLE PolicyHandle,
+ IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
+ OUT PVOID *Buffer,
+ IN ULONG PreferedMaximumLength,
+ OUT PULONG CountReturned
+ );
+
+// begin_ntsecapi
+
+NTSTATUS
+NTAPI
+LsaLookupNames(
+ IN LSA_HANDLE PolicyHandle,
+ IN ULONG Count,
+ IN PLSA_UNICODE_STRING Names,
+ OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
+ OUT PLSA_TRANSLATED_SID *Sids
+ );
+
+NTSTATUS
+NTAPI
+LsaLookupSids(
+ IN LSA_HANDLE PolicyHandle,
+ IN ULONG Count,
+ IN PSID *Sids,
+ OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
+ OUT PLSA_TRANSLATED_NAME *Names
+ );
+
+// end_ntsecapi
+
+NTSTATUS
+NTAPI
+LsaCreateSecret(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING SecretName,
+ IN ACCESS_MASK DesiredAccess,
+ OUT PLSA_HANDLE SecretHandle
+ );
+
+///////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Account Object API function prototypes //
+// //
+///////////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+NTAPI
+LsaOpenAccount(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID AccountSid,
+ IN ACCESS_MASK DesiredAccess,
+ OUT PLSA_HANDLE AccountHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaEnumeratePrivilegesOfAccount(
+ IN LSA_HANDLE AccountHandle,
+ OUT PPRIVILEGE_SET *Privileges
+ );
+
+NTSTATUS
+NTAPI
+LsaAddPrivilegesToAccount(
+ IN LSA_HANDLE AccountHandle,
+ IN PPRIVILEGE_SET Privileges
+ );
+
+NTSTATUS
+NTAPI
+LsaRemovePrivilegesFromAccount(
+ IN LSA_HANDLE AccountHandle,
+ IN BOOLEAN AllPrivileges,
+ IN PPRIVILEGE_SET Privileges
+ );
+
+NTSTATUS
+NTAPI
+LsaGetQuotasForAccount(
+ IN LSA_HANDLE AccountHandle,
+ OUT PQUOTA_LIMITS QuotaLimits
+ );
+
+NTSTATUS
+NTAPI
+LsaSetQuotasForAccount(
+ IN LSA_HANDLE AccountHandle,
+ IN PQUOTA_LIMITS QuotaLimits
+ );
+
+NTSTATUS
+NTAPI
+LsaGetSystemAccessAccount(
+ IN LSA_HANDLE AccountHandle,
+ OUT PULONG SystemAccess
+ );
+
+NTSTATUS
+NTAPI
+LsaSetSystemAccessAccount(
+ IN LSA_HANDLE AccountHandle,
+ IN ULONG SystemAccess
+ );
+
+///////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Trusted Domain Object API function prototypes //
+// //
+///////////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+NTAPI
+LsaOpenTrustedDomain(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID TrustedDomainSid,
+ IN ACCESS_MASK DesiredAccess,
+ OUT PLSA_HANDLE TrustedDomainHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaQueryInfoTrustedDomain(
+ IN LSA_HANDLE TrustedDomainHandle,
+ IN TRUSTED_INFORMATION_CLASS InformationClass,
+ OUT PVOID *Buffer
+ );
+
+NTSTATUS
+NTAPI
+LsaSetInformationTrustedDomain(
+ IN LSA_HANDLE TrustedDomainHandle,
+ IN TRUSTED_INFORMATION_CLASS InformationClass,
+ IN PVOID Buffer
+ );
+
+///////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Secret Object API function prototypes //
+// //
+///////////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+NTAPI
+LsaOpenSecret(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING SecretName,
+ IN ACCESS_MASK DesiredAccess,
+ OUT PLSA_HANDLE SecretHandle
+ );
+
+NTSTATUS
+NTAPI
+LsaSetSecret(
+ IN LSA_HANDLE SecretHandle,
+ IN OPTIONAL PLSA_UNICODE_STRING CurrentValue,
+ IN OPTIONAL PLSA_UNICODE_STRING OldValue
+ );
+
+NTSTATUS
+NTAPI
+LsaQuerySecret(
+ IN LSA_HANDLE SecretHandle,
+ OUT OPTIONAL PLSA_UNICODE_STRING *CurrentValue,
+ OUT OPTIONAL PLARGE_INTEGER CurrentValueSetTime,
+ OUT OPTIONAL PLSA_UNICODE_STRING *OldValue,
+ OUT OPTIONAL PLARGE_INTEGER OldValueSetTime
+ );
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Privilege Object API Prototypes //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+NTAPI
+LsaLookupPrivilegeValue(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING Name,
+ OUT PLUID Value
+ );
+
+NTSTATUS
+NTAPI
+LsaLookupPrivilegeName(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLUID Value,
+ OUT PLSA_UNICODE_STRING *Name
+ );
+
+NTSTATUS
+NTAPI
+LsaLookupPrivilegeDisplayName(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING Name,
+ OUT PLSA_UNICODE_STRING *DisplayName,
+ OUT PSHORT LanguageReturned
+ );
+
+
+
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - New APIs for NT 4.0 (SUR release) //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+LsaGetUserName(
+ OUT PUNICODE_STRING * UserName,
+ OUT OPTIONAL PUNICODE_STRING * DomainName
+ );
+
+
+/////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - New APIs for NT 3.51 (PPC release) //
+// //
+/////////////////////////////////////////////////////////////////////////
+
+// begin_ntsecapi
+
+
+#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
+#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
+#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
+#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
+
+//
+// This new API returns all the accounts with a certain privilege
+//
+
+NTSTATUS
+NTAPI
+LsaEnumerateAccountsWithUserRight(
+ IN LSA_HANDLE PolicyHandle,
+ IN OPTIONAL PLSA_UNICODE_STRING UserRights,
+ OUT PVOID *EnumerationBuffer,
+ OUT PULONG CountReturned
+ );
+
+//
+// These new APIs differ by taking a SID instead of requiring the caller
+// to open the account first and passing in an account handle
+//
+
+NTSTATUS
+NTAPI
+LsaEnumerateAccountRights(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID AccountSid,
+ OUT PLSA_UNICODE_STRING *UserRights,
+ OUT PULONG CountOfRights
+ );
+
+NTSTATUS
+NTAPI
+LsaAddAccountRights(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID AccountSid,
+ IN PLSA_UNICODE_STRING UserRights,
+ IN ULONG CountOfRights
+ );
+
+NTSTATUS
+NTAPI
+LsaRemoveAccountRights(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID AccountSid,
+ IN BOOLEAN AllRights,
+ IN PLSA_UNICODE_STRING UserRights,
+ IN ULONG CountOfRights
+ );
+
+
+///////////////////////////////////////////////////////////////////////////////
+// //
+// Local Security Policy - Trusted Domain Object API function prototypes //
+// //
+///////////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+NTAPI
+LsaQueryTrustedDomainInfo(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID TrustedDomainSid,
+ IN TRUSTED_INFORMATION_CLASS InformationClass,
+ OUT PVOID *Buffer
+ );
+
+NTSTATUS
+NTAPI
+LsaSetTrustedDomainInformation(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID TrustedDomainSid,
+ IN TRUSTED_INFORMATION_CLASS InformationClass,
+ IN PVOID Buffer
+ );
+
+NTSTATUS
+NTAPI
+LsaDeleteTrustedDomain(
+ IN LSA_HANDLE PolicyHandle,
+ IN PSID TrustedDomainSid
+ );
+
+//
+// This API sets the workstation password (equivalent of setting/getting
+// the SSI_SECRET_NAME secret)
+//
+
+NTSTATUS
+NTAPI
+LsaStorePrivateData(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING KeyName,
+ IN PLSA_UNICODE_STRING PrivateData
+ );
+
+NTSTATUS
+NTAPI
+LsaRetrievePrivateData(
+ IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING KeyName,
+ OUT PLSA_UNICODE_STRING * PrivateData
+ );
+
+
+ULONG
+NTAPI
+LsaNtStatusToWinError(
+ NTSTATUS Status
+ );
+
+//
+// Define a symbol so we can tell if ntifs.h has been included.
+//
+
+// begin_ntifs
+#ifndef _NTLSA_IFS_
+#define _NTLSA_IFS_
+#endif
+// end_ntifs
+
+// end_ntsecapi
+
+#endif // _NTLSA_
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-04 00:34:47 +0200