diff options
Diffstat (limited to '')
-rw-r--r-- | private/inc/lsaicli.h | 315 |
1 files changed, 315 insertions, 0 deletions
diff --git a/private/inc/lsaicli.h b/private/inc/lsaicli.h new file mode 100644 index 000000000..7dc0bc073 --- /dev/null +++ b/private/inc/lsaicli.h @@ -0,0 +1,315 @@ +/*++ + +Copyright (c) 1991 Microsoft Corporation + +Module Name: + + lsaicli.h + +Abstract: + + Local Security Authority - Definitions for internal LSA Clients. + + NOTE: This file is included via lsaclip.h or lsasrvp.h. It should + not be included directly. + + This module contains definitions used only when callouts are made + from one LSA to another, i.e. where the server side of one LSA + communicates with the client side of another LSA. + +Author: + + Scott Birrell (ScottBi) April 9, 1992 + +Environment: + +Revision History: + +--*/ + +#ifndef _LSAICLI_ +#define _LSAICLI_ + + +// +// The following datatype specifies the Call Level for Sid and Name +// Lookup operations. +// + +typedef enum _LSAP_LOOKUP_LEVEL { + + LsapLookupWksta = 1, + LsapLookupPDC, + LsapLookupTDL + +} LSAP_LOOKUP_LEVEL, *PLSAP_LOOKUP_LEVEL; + +// +// where the entries have the following meaning: +// +// LsapLookupWksta - First Level Lookup performed on a workstation +// normally configured for Windows-Nt. The lookup searches the +// Well-Known Sids/Names, and the Built-in Domain and Account Domain +// in the local SAM Database. If not all Sids or Names are +// identified, performs a "handoff" of a Second level Lookup to the +// LSA running on a Controller for the workstation's Primary Domain +// (if any). +// +// LsapLookupPDC - Second Level Lookup performed on a Primary Domain +// Controller. The lookup searches the Account Domain of the +// SAM Database on the controller. If not all Sids or Names are +// found, the Trusted Domain List (TDL) is obtained from the +// LSA's Policy Database and Third Level lookups are performed +// via "handoff" to each Trusted Domain in the List. +// +// LsapLookupTDL - Third Level Lookup performed on a controller +// for a Trusted Domain. The lookup searches the Account Domain of +// the SAM Database on the controller only. +// + + +NTSTATUS +LsaICLookupNames( + IN LSA_HANDLE PolicyHandle, + IN ULONG Count, + IN PUNICODE_STRING Names, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_SID *Sids, + IN LSAP_LOOKUP_LEVEL LookupLevel, + IN OUT PULONG MappedCount + ); + +/*++ + +Routine Description: + + This function is the internal client side version of the LsaLookupNames + API. It is called both from the client side (as an internal routine) + and the server side of the LSA. The function is identical to the + LsaLookupNames API except that there is an additional parameter, the + LookupLevel parameter. + + The LsaLookupNames API attempts to translate names of domains, users, + groups or aliases to Sids. The caller must have POLICY_LOOKUP_NAMES + access to the Policy object. + + Names may be either isolated (e.g. JohnH) or composite names containing + both the domain name and account name. Composite names must include a + backslash character separating the domain name from the account name + (e.g. Acctg\JohnH). An isolated name may be either an account name + (user, group, or alias) or a domain name. + + Translation of isolated names introduces the possibility of name + collisions (since the same name may be used in multiple domains). An + isolated name will be translated using the following algorithm: + + If the name is a well-known name (e.g. Local or Interactive), then the + corresponding well-known Sid is returned. + + If the name is the Built-in Domain's name, then that domain's Sid + will be returned. + + If the name is the Account Domain's name, then that domain's Sid + will be returned. + + If the name is the Primary Domain's name, then that domain's Sid will + be returned. + + If the name is a user, group, or alias in the Built-in Domain, then the + Sid of that account is returned. + + If the name is a user, group, or alias in the Primary Domain, then the + Sid of that account is returned. + + Otherwise, the name is not translated. + + NOTE: Proxy, Machine, and Trust user accounts are not referenced + for name translation. Only normal user accounts are used for ID + translation. If translation of other account types is needed, then + SAM services should be used directly. + +Arguments: + + This function is the LSA server RPC worker routine for the + LsaLookupNamesInLsa API. + + PolicyHandle - Handle from an LsaOpenPolicy call. + + Count - Specifies the number of names to be translated. + + Names - Pointer to an array of Count Unicode String structures + specifying the names to be looked up and mapped to Sids. + The strings may be names of User, Group or Alias accounts or + domains. + + ReferencedDomains - receives a pointer to a structure describing the + domains used for the translation. The entries in this structure + are referenced by the structure returned via the Sids parameter. + Unlike the Sids parameter, which contains an array entry for + each translated name, this structure will only contain one + component for each domain utilized in the translation. + + When this information is no longer needed, it must be released + by passing the returned pointer to LsaFreeMemory(). + + Sids - Receives a pointer to an array of records describing each + translated Sid. The nth entry in this array provides a translation + for (the nth element in the Names parameter. + + When this information is no longer needed, it must be released + by passing the returned pointer to LsaFreeMemory(). + + LookupLevel - Specifies the Level of Lookup to be performed on this + machine. Values of this field are are follows: + + LsapLookupWksta - First Level Lookup performed on a workstation + normally configured for Windows-Nt. The lookup searches the + Well-Known Sids/Names, and the Built-in Domain and Account Domain + in the local SAM Database. If not all Sids or Names are + identified, performs a "handoff" of a Second level Lookup to the + LSA running on a Controller for the workstation's Primary Domain + (if any). + + LsapLookupPDC - Second Level Lookup performed on a Primary Domain + Controller. The lookup searches the Account Domain of the + SAM Database on the controller. If not all Sids or Names are + found, the Trusted Domain List (TDL) is obtained from the + LSA's Policy Database and Third Level lookups are performed + via "handoff" to each Trusted Domain in the List. + + LsapLookupTDL - Third Level Lookup performed on a controller + for a Trusted Domain. The lookup searches the Account Domain of + the SAM Database on the controller only. + +Return Values: + + NTSTATUS - Standard Nt Result Code + + STATUS_ACCESS_DENIED - Caller does not have the appropriate access + to complete the operation. + + STATUS_SOME_NOT_MAPPED - Some or all of the names provided could + not be mapped. This is an informational status only. + + STATUS_INSUFFICIENT_RESOURCES - Insufficient system resources + to complete the call. +--*/ + + + +NTSTATUS +LsaICLookupSids( + IN LSA_HANDLE PolicyHandle, + IN ULONG Count, + IN PSID *Sids, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_NAME *Names, + IN LSAP_LOOKUP_LEVEL LookupLevel, + IN OUT PULONG MappedCount + ); + +/*++ + +Routine Description: + + WARNING! THIS FUNCTION IS NOT COMPLETELY IMPLEMENTED. ONLY SIDS + MAPPABLE AT THE LOCAL SYSTEM WILL BE TRANSLATED. + + The LsaLookupSids API attempts to find names corresponding to Sids. + If a name can not be mapped to a Sid, the Sid is converted to character + form. The caller must have POLICY_LOOKUP_NAMES access to the Policy + object. + + WARNING: This routine allocates memory for its output. The caller is + responsible for freeing this memory after use. See description of the + Names parameter. + +Arguments: + + PolicyHandle - Handle from an LsaOpenPolicy call. + + Count - Specifies the number of Sids to be translated. + + Sids - Pointer to an array of Count pointers to Sids to be mapped + to names. The Sids may be well_known SIDs, SIDs of User accounts + Group Accounts, Alias accounts, or Domains. + + ReferencedDomains - Receives a pointer to a structure describing the + domains used for the translation. The entries in this structure + are referenced by the strutcure returned via the Names parameter. + Unlike the Names paraemeter, which contains an array entry + for (each translated name, this strutcure will only contain + component for each domain utilized in the translation. + + When this information is no longer needed, it must be released + by passing the returned pointer to LsaFreeMemory(). + + Names - Receives a pointer to array records describing each translated + name. The nth entry in this array provides a translation for + the nth entry in the Sids parameter. + + All of the retruned names will be isolated names or NULL strings + (domain names are returned as NULL strings). If the caller needs + composite names, they can be generated by prepending the + isolated name with the domain name and a backslash. For example, + if (the name Sally is returned, and it is from the domain Manufact, + then the composite name would be "Manufact" + "\" + "Sally" or + "Manufact\Sally". + + When this information is no longer needed, it must be released + by passing the returned pointer to LsaFreeMemory(). + + If a Sid is not translatable, then the following will occur: + + 1) If the SID's domain is known, then a reference domain record + will be generated with the domain's name. In this case, the + name returned via the Names parameter is a Unicode representation + of the relative ID of the account, such as "(314)" or the null + string, if the Sid is that of a domain. So, you might end up + with a resultant name of "Manufact\(314) for the example with + Sally above, if Sally's relative id is 314. + + 2) If not even the SID's domain could be located, then a full + Unicode representation of the SID is generated and no domain + record is referenced. In this case, the returned string might + be something like: "(S-1-672194-21-314)". + + When this information is no longer needed, it must be released + by passing the returned pointer to LsaFreeMemory(). + + LookupLevel - Specifies the Level of Lookup to be performed on this + machine. Values of this field are are follows: + + LsapLookupWksta - First Level Lookup performed on a workstation + normally configured for Windows-Nt. The lookup searches the + Well-Known Sids/Names, and the Built-in Domain and Account Domain + in the local SAM Database. If not all Sids or Names are + identified, performs a "handoff" of a Second level Lookup to the + LSA running on a Controller for the workstation's Primary Domain + (if any). + + LsapLookupPDC - Second Level Lookup performed on a Primary Domain + Controller. The lookup searches the Account Domain of the + SAM Database on the controller. If not all Sids or Names are + found, the Trusted Domain List (TDL) is obtained from the + LSA's Policy Database and Third Level lookups are performed + via "handoff" to each Trusted Domain in the List. + + LsapLookupTDL - Third Level Lookup performed on a controller + for a Trusted Domain. The lookup searches the Account Domain of + the SAM Database on the controller only. + +Return Values: + + NTSTATUS - Standard Nt Result Code + + STATUS_ACCESS_DENIED - Caller does not have the appropriate access + to complete the operation. + + STATUS_SOME_NOT_MAPPED - Some or all of the names provided could not be + mapped. This is a warning only. + + Rest TBS +--*/ + +#endif // _LSAICLI_ |