1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
|
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
lsaicli.h
Abstract:
Local Security Authority - Definitions for internal LSA Clients.
NOTE: This file is included via lsaclip.h or lsasrvp.h. It should
not be included directly.
This module contains definitions used only when callouts are made
from one LSA to another, i.e. where the server side of one LSA
communicates with the client side of another LSA.
Author:
Scott Birrell (ScottBi) April 9, 1992
Environment:
Revision History:
--*/
#ifndef _LSAICLI_
#define _LSAICLI_
//
// The following datatype specifies the Call Level for Sid and Name
// Lookup operations.
//
typedef enum _LSAP_LOOKUP_LEVEL {
LsapLookupWksta = 1,
LsapLookupPDC,
LsapLookupTDL
} LSAP_LOOKUP_LEVEL, *PLSAP_LOOKUP_LEVEL;
//
// where the entries have the following meaning:
//
// LsapLookupWksta - First Level Lookup performed on a workstation
// normally configured for Windows-Nt. The lookup searches the
// Well-Known Sids/Names, and the Built-in Domain and Account Domain
// in the local SAM Database. If not all Sids or Names are
// identified, performs a "handoff" of a Second level Lookup to the
// LSA running on a Controller for the workstation's Primary Domain
// (if any).
//
// LsapLookupPDC - Second Level Lookup performed on a Primary Domain
// Controller. The lookup searches the Account Domain of the
// SAM Database on the controller. If not all Sids or Names are
// found, the Trusted Domain List (TDL) is obtained from the
// LSA's Policy Database and Third Level lookups are performed
// via "handoff" to each Trusted Domain in the List.
//
// LsapLookupTDL - Third Level Lookup performed on a controller
// for a Trusted Domain. The lookup searches the Account Domain of
// the SAM Database on the controller only.
//
NTSTATUS
LsaICLookupNames(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PUNICODE_STRING Names,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_SID *Sids,
IN LSAP_LOOKUP_LEVEL LookupLevel,
IN OUT PULONG MappedCount
);
/*++
Routine Description:
This function is the internal client side version of the LsaLookupNames
API. It is called both from the client side (as an internal routine)
and the server side of the LSA. The function is identical to the
LsaLookupNames API except that there is an additional parameter, the
LookupLevel parameter.
The LsaLookupNames API attempts to translate names of domains, users,
groups or aliases to Sids. The caller must have POLICY_LOOKUP_NAMES
access to the Policy object.
Names may be either isolated (e.g. JohnH) or composite names containing
both the domain name and account name. Composite names must include a
backslash character separating the domain name from the account name
(e.g. Acctg\JohnH). An isolated name may be either an account name
(user, group, or alias) or a domain name.
Translation of isolated names introduces the possibility of name
collisions (since the same name may be used in multiple domains). An
isolated name will be translated using the following algorithm:
If the name is a well-known name (e.g. Local or Interactive), then the
corresponding well-known Sid is returned.
If the name is the Built-in Domain's name, then that domain's Sid
will be returned.
If the name is the Account Domain's name, then that domain's Sid
will be returned.
If the name is the Primary Domain's name, then that domain's Sid will
be returned.
If the name is a user, group, or alias in the Built-in Domain, then the
Sid of that account is returned.
If the name is a user, group, or alias in the Primary Domain, then the
Sid of that account is returned.
Otherwise, the name is not translated.
NOTE: Proxy, Machine, and Trust user accounts are not referenced
for name translation. Only normal user accounts are used for ID
translation. If translation of other account types is needed, then
SAM services should be used directly.
Arguments:
This function is the LSA server RPC worker routine for the
LsaLookupNamesInLsa API.
PolicyHandle - Handle from an LsaOpenPolicy call.
Count - Specifies the number of names to be translated.
Names - Pointer to an array of Count Unicode String structures
specifying the names to be looked up and mapped to Sids.
The strings may be names of User, Group or Alias accounts or
domains.
ReferencedDomains - receives a pointer to a structure describing the
domains used for the translation. The entries in this structure
are referenced by the structure returned via the Sids parameter.
Unlike the Sids parameter, which contains an array entry for
each translated name, this structure will only contain one
component for each domain utilized in the translation.
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
Sids - Receives a pointer to an array of records describing each
translated Sid. The nth entry in this array provides a translation
for (the nth element in the Names parameter.
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
LookupLevel - Specifies the Level of Lookup to be performed on this
machine. Values of this field are are follows:
LsapLookupWksta - First Level Lookup performed on a workstation
normally configured for Windows-Nt. The lookup searches the
Well-Known Sids/Names, and the Built-in Domain and Account Domain
in the local SAM Database. If not all Sids or Names are
identified, performs a "handoff" of a Second level Lookup to the
LSA running on a Controller for the workstation's Primary Domain
(if any).
LsapLookupPDC - Second Level Lookup performed on a Primary Domain
Controller. The lookup searches the Account Domain of the
SAM Database on the controller. If not all Sids or Names are
found, the Trusted Domain List (TDL) is obtained from the
LSA's Policy Database and Third Level lookups are performed
via "handoff" to each Trusted Domain in the List.
LsapLookupTDL - Third Level Lookup performed on a controller
for a Trusted Domain. The lookup searches the Account Domain of
the SAM Database on the controller only.
Return Values:
NTSTATUS - Standard Nt Result Code
STATUS_ACCESS_DENIED - Caller does not have the appropriate access
to complete the operation.
STATUS_SOME_NOT_MAPPED - Some or all of the names provided could
not be mapped. This is an informational status only.
STATUS_INSUFFICIENT_RESOURCES - Insufficient system resources
to complete the call.
--*/
NTSTATUS
LsaICLookupSids(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PSID *Sids,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_NAME *Names,
IN LSAP_LOOKUP_LEVEL LookupLevel,
IN OUT PULONG MappedCount
);
/*++
Routine Description:
WARNING! THIS FUNCTION IS NOT COMPLETELY IMPLEMENTED. ONLY SIDS
MAPPABLE AT THE LOCAL SYSTEM WILL BE TRANSLATED.
The LsaLookupSids API attempts to find names corresponding to Sids.
If a name can not be mapped to a Sid, the Sid is converted to character
form. The caller must have POLICY_LOOKUP_NAMES access to the Policy
object.
WARNING: This routine allocates memory for its output. The caller is
responsible for freeing this memory after use. See description of the
Names parameter.
Arguments:
PolicyHandle - Handle from an LsaOpenPolicy call.
Count - Specifies the number of Sids to be translated.
Sids - Pointer to an array of Count pointers to Sids to be mapped
to names. The Sids may be well_known SIDs, SIDs of User accounts
Group Accounts, Alias accounts, or Domains.
ReferencedDomains - Receives a pointer to a structure describing the
domains used for the translation. The entries in this structure
are referenced by the strutcure returned via the Names parameter.
Unlike the Names paraemeter, which contains an array entry
for (each translated name, this strutcure will only contain
component for each domain utilized in the translation.
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
Names - Receives a pointer to array records describing each translated
name. The nth entry in this array provides a translation for
the nth entry in the Sids parameter.
All of the retruned names will be isolated names or NULL strings
(domain names are returned as NULL strings). If the caller needs
composite names, they can be generated by prepending the
isolated name with the domain name and a backslash. For example,
if (the name Sally is returned, and it is from the domain Manufact,
then the composite name would be "Manufact" + "\" + "Sally" or
"Manufact\Sally".
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
If a Sid is not translatable, then the following will occur:
1) If the SID's domain is known, then a reference domain record
will be generated with the domain's name. In this case, the
name returned via the Names parameter is a Unicode representation
of the relative ID of the account, such as "(314)" or the null
string, if the Sid is that of a domain. So, you might end up
with a resultant name of "Manufact\(314) for the example with
Sally above, if Sally's relative id is 314.
2) If not even the SID's domain could be located, then a full
Unicode representation of the SID is generated and no domain
record is referenced. In this case, the returned string might
be something like: "(S-1-672194-21-314)".
When this information is no longer needed, it must be released
by passing the returned pointer to LsaFreeMemory().
LookupLevel - Specifies the Level of Lookup to be performed on this
machine. Values of this field are are follows:
LsapLookupWksta - First Level Lookup performed on a workstation
normally configured for Windows-Nt. The lookup searches the
Well-Known Sids/Names, and the Built-in Domain and Account Domain
in the local SAM Database. If not all Sids or Names are
identified, performs a "handoff" of a Second level Lookup to the
LSA running on a Controller for the workstation's Primary Domain
(if any).
LsapLookupPDC - Second Level Lookup performed on a Primary Domain
Controller. The lookup searches the Account Domain of the
SAM Database on the controller. If not all Sids or Names are
found, the Trusted Domain List (TDL) is obtained from the
LSA's Policy Database and Third Level lookups are performed
via "handoff" to each Trusted Domain in the List.
LsapLookupTDL - Third Level Lookup performed on a controller
for a Trusted Domain. The lookup searches the Account Domain of
the SAM Database on the controller only.
Return Values:
NTSTATUS - Standard Nt Result Code
STATUS_ACCESS_DENIED - Caller does not have the appropriate access
to complete the operation.
STATUS_SOME_NOT_MAPPED - Some or all of the names provided could not be
mapped. This is a warning only.
Rest TBS
--*/
#endif // _LSAICLI_
|
