sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Code
samba-mirror/source3/include/rpc_ds.h

185 lines
4.6 KiB
C
Raw Normal View History

merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
/*
Unix SMB/CIFS implementation.
SMB parameters and setup
Copyright (C) Gerald Carter 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-07-09 19:25:36 +00:00
the Free Software Foundation; either version 3 of the License, or
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-07-10 00:52:41 +00:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
*/
#ifndef _RPC_DS_H /* _RPC_LSA_H */
#define _RPC_DS_H
/* Opcodes available on PIPE_LSARPC_DS */
#define DS_GETPRIMDOMINFO 0x00
Attempt at fixing bug #283. There however is no solution. There is a workaround documented in the bug report. This patch does: * add server support for the LSA_DS UUID on the lsarpc pipe * store a list of context_ids/api_structs in the pipe_struct so that we don't have to lookup the function table for a pipe. We just match the context_id. Note that a dce/rpc alter_context does not destroy the previous context so it is possible to have multiple bindings active on the same pipe. Observed from standalone win2k sp4 client. * added server code for DsROleGetPrimaryDOmainInfo() but disabled it since it causes problems enumerating users and groups from a 2ksp4 domain member in a Samba domain. (This used to be commit 96bc2abfcb0dd0912696fad76e43cb217b33e061)
2003-08-14 21:14:28 +00:00
#define DS_NOP 0xFF /* no op -- placeholder */
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
add support for DsEnumerateDomainTrusted for enumerating all the trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-30 17:29:00 +00:00
/* Opcodes available on PIPE_NETLOGON */
#define DS_ENUM_DOM_TRUSTS 0x28
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
/* macros for RPC's */
Attempt at fixing bug #283. There however is no solution. There is a workaround documented in the bug report. This patch does: * add server support for the LSA_DS UUID on the lsarpc pipe * store a list of context_ids/api_structs in the pipe_struct so that we don't have to lookup the function table for a pipe. We just match the context_id. Note that a dce/rpc alter_context does not destroy the previous context so it is possible to have multiple bindings active on the same pipe. Observed from standalone win2k sp4 client. * added server code for DsROleGetPrimaryDOmainInfo() but disabled it since it causes problems enumerating users and groups from a 2ksp4 domain member in a Samba domain. (This used to be commit 96bc2abfcb0dd0912696fad76e43cb217b33e061)
2003-08-14 21:14:28 +00:00
/* DSROLE_PRIMARY_DOMAIN_INFO_BASIC */
/* flags */
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
#define DSROLE_PRIMARY_DS_RUNNING 0x00000001
#define DSROLE_PRIMARY_DS_MIXED_MODE 0x00000002
#define DSROLE_UPGRADE_IN_PROGRESS 0x00000004
#define DSROLE_PRIMARY_DOMAIN_GUID_PRESENT 0x01000000
Attempt at fixing bug #283. There however is no solution. There is a workaround documented in the bug report. This patch does: * add server support for the LSA_DS UUID on the lsarpc pipe * store a list of context_ids/api_structs in the pipe_struct so that we don't have to lookup the function table for a pipe. We just match the context_id. Note that a dce/rpc alter_context does not destroy the previous context so it is possible to have multiple bindings active on the same pipe. Observed from standalone win2k sp4 client. * added server code for DsROleGetPrimaryDOmainInfo() but disabled it since it causes problems enumerating users and groups from a 2ksp4 domain member in a Samba domain. (This used to be commit 96bc2abfcb0dd0912696fad76e43cb217b33e061)
2003-08-14 21:14:28 +00:00
/* machine role */
r22104: BUG 4439: Fix the object picket on x64 WIndopws XP/2003. Enable the DsRoleGetPrimaryDomainInfo() server code. Tested by Win2000/XP/2003/Vista (x86) and WinXP (x64) (This used to be commit eab9ca7e7d8d7dc3e705720f8bc5dff5c8ec5f5f)
2007-04-06 18:52:30 +00:00
#define DSROLE_DOMAIN_MEMBER_WKS 1
Attempt at fixing bug #283. There however is no solution. There is a workaround documented in the bug report. This patch does: * add server support for the LSA_DS UUID on the lsarpc pipe * store a list of context_ids/api_structs in the pipe_struct so that we don't have to lookup the function table for a pipe. We just match the context_id. Note that a dce/rpc alter_context does not destroy the previous context so it is possible to have multiple bindings active on the same pipe. Observed from standalone win2k sp4 client. * added server code for DsROleGetPrimaryDOmainInfo() but disabled it since it causes problems enumerating users and groups from a 2ksp4 domain member in a Samba domain. (This used to be commit 96bc2abfcb0dd0912696fad76e43cb217b33e061)
2003-08-14 21:14:28 +00:00
#define DSROLE_STANDALONE_SRV 2
#define DSROLE_DOMAIN_MEMBER_SRV 3
#define DSROLE_BDC 4
#define DSROLE_PDC 5
r20512: Fix typo. Guenther (This used to be commit 36bd5cb21bdaf35c7dae47f8b8e93822b3f6188c)
2007-01-03 16:05:00 +00:00
/* Settings for the domainFunctionality attribute in the rootDSE */
r16952: New derive DES salt code and Krb5 keytab generation Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2006-07-11 18:45:22 +00:00
#define DS_DOMAIN_FUNCTION_2000 0
#define DS_DOMAIN_FUCNTION_2003_MIXED 1
#define DS_DOMAIN_FUNCTION_2003 2
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
typedef struct
{
uint16 machine_role;
r22104: BUG 4439: Fix the object picket on x64 WIndopws XP/2003. Enable the DsRoleGetPrimaryDomainInfo() server code. Tested by Win2000/XP/2003/Vista (x86) and WinXP (x64) (This used to be commit eab9ca7e7d8d7dc3e705720f8bc5dff5c8ec5f5f)
2007-04-06 18:52:30 +00:00
uint32 flags;
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
uint32 netbios_ptr;
uint32 dnsname_ptr;
uint32 forestname_ptr;
r22104: BUG 4439: Fix the object picket on x64 WIndopws XP/2003. Enable the DsRoleGetPrimaryDomainInfo() server code. Tested by Win2000/XP/2003/Vista (x86) and WinXP (x64) (This used to be commit eab9ca7e7d8d7dc3e705720f8bc5dff5c8ec5f5f)
2007-04-06 18:52:30 +00:00
struct GUID domain_guid;
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
UNISTR2 netbios_domain;
working on transtive trusts issue: * use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-31 05:43:47 +00:00
UNISTR2 dns_domain; /* our dns domain */
UNISTR2 forest_domain; /* root domain of the forest to which we belong */
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
} DSROLE_PRIMARY_DOMAIN_INFO_BASIC;
typedef struct
{
DSROLE_PRIMARY_DOMAIN_INFO_BASIC *basic;
} DS_DOMINFO_CTR;
/* info levels for ds_getprimdominfo() */
#define DsRolePrimaryDomainInfoBasic 1
/* DS_Q_GETPRIMDOMINFO - DsGetPrimaryDomainInformation() request */
typedef struct
{
uint16 level;
} DS_Q_GETPRIMDOMINFO;
/* DS_R_GETPRIMDOMINFO - DsGetPrimaryDomainInformation() response */
typedef struct
{
uint32 ptr;
uint16 level;
uint16 unknown0; /* 0x455c -- maybe just alignment? */
DS_DOMINFO_CTR info;
NTSTATUS status;
} DS_R_GETPRIMDOMINFO;
add support for DsEnumerateDomainTrusted for enumerating all the trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-30 17:29:00 +00:00
typedef struct {
/* static portion of structure */
uint32 netbios_ptr;
uint32 dns_ptr;
uint32 flags;
uint32 parent_index;
uint32 trust_type;
uint32 trust_attributes;
uint32 sid_ptr;
r18654: Rename "struct uuid" => "struct GUID" for consistency. (This used to be commit 5de76767e857e9d159ea46e2ded612ccd6d6bf19)
2006-09-19 00:12:11 +00:00
struct GUID guid;
add support for DsEnumerateDomainTrusted for enumerating all the trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-30 17:29:00 +00:00
UNISTR2 netbios_domain;
UNISTR2 dns_domain;
DOM_SID2 sid;
} DS_DOMAIN_TRUSTS;
rpc_client/cli_lsarpc.c: rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05 02:04:37 +00:00
struct ds_domain_trust {
/* static portion of structure */
uint32 flags;
uint32 parent_index;
uint32 trust_type;
uint32 trust_attributes;
r18654: Rename "struct uuid" => "struct GUID" for consistency. (This used to be commit 5de76767e857e9d159ea46e2ded612ccd6d6bf19)
2006-09-19 00:12:11 +00:00
struct GUID guid;
rpc_client/cli_lsarpc.c: rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05 02:04:37 +00:00
DOM_SID sid;
char *netbios_domain;
char *dns_domain;
};
add support for DsEnumerateDomainTrusted for enumerating all the trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-30 17:29:00 +00:00
typedef struct {
uint32 ptr;
uint32 max_count;
DS_DOMAIN_TRUSTS *trusts;
} DS_DOMAIN_TRUSTS_CTR;
r22704: Implement three step method for enumerating domain trusts. (a) Query our primary domain for trusts (b) Query all tree roots in our forest (c) Query all forest roots in trusted forests. This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process. (This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
2007-05-06 19:17:30 +00:00
/* Trust flags */
working on transtive trusts issue: * use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-31 05:43:47 +00:00
#define DS_DOMAIN_IN_FOREST 0x0001 /* domains in the forest to which
we belong; even different domain trees */
#define DS_DOMAIN_DIRECT_OUTBOUND 0x0002 /* trusted domains */
r22704: Implement three step method for enumerating domain trusts. (a) Query our primary domain for trusts (b) Query all tree roots in our forest (c) Query all forest roots in trusted forests. This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process. (This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
2007-05-06 19:17:30 +00:00
#define DS_DOMAIN_TREE_ROOT 0x0004 /* root of a forest */
working on transtive trusts issue: * use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-31 05:43:47 +00:00
#define DS_DOMAIN_PRIMARY 0x0008 /* our domain */
#define DS_DOMAIN_NATIVE_MODE 0x0010 /* native mode AD servers */
#define DS_DOMAIN_DIRECT_INBOUND 0x0020 /* trusting domains */
r22704: Implement three step method for enumerating domain trusts. (a) Query our primary domain for trusts (b) Query all tree roots in our forest (c) Query all forest roots in trusted forests. This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process. (This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
2007-05-06 19:17:30 +00:00
/* Trust types */
#define DS_DOMAIN_TRUST_TYPE_DOWNLEVEL 0x00000001
#define DS_DOMAIN_TRUST_TYPE_UPLEVEL 0x00000002
/* Trust attributes */
#define DS_DOMAIN_TRUST_ATTRIB_NON_TRANSITIVE 0x00000001
#define DS_DOMAIN_TRUST_ATTRIB_UPLEVEL_ONLY 0x00000002
#define DS_DOMAIN_TRUST_ATTRIB_QUARANTINED_DOMAIN 0x00000004
#define DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE 0x00000008
#define DS_DOMAIN_TRUST_ATTRIB_CROSS_ORG 0x00000010
#define DS_DOMAIN_TRUST_ATTRIB_IN_FOREST 0x00000020
#define DS_DOMAIN_TRUST_ATTRIB_EXTERNAL 0x00000040
add support for DsEnumerateDomainTrusted for enumerating all the trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-30 17:29:00 +00:00
/* DS_Q_ENUM_DOM_TRUSTS - DsEnumerateDomainTrusts() request */
typedef struct
{
uint32 server_ptr;
UNISTR2 server;
uint32 flags;
} DS_Q_ENUM_DOM_TRUSTS;
/* DS_R_ENUM_DOM_TRUSTS - DsEnumerateDomainTrusts() response */
typedef struct
{
uint32 num_domains;
DS_DOMAIN_TRUSTS_CTR domains;
NTSTATUS status;
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
add support for DsEnumerateDomainTrusted for enumerating all the trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-30 17:29:00 +00:00
} DS_R_ENUM_DOM_TRUSTS;
merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
2002-10-04 19:11:36 +00:00
#endif /* _RPC_DS_H */
Copy Permalink