1040 lines
26 KiB
C
1040 lines
26 KiB
C
/*++ BUILD Version: 0001 // Increment this if a change has global effects
|
|
|
|
Copyright (c) 1992 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
lsaisrv.h
|
|
|
|
Abstract:
|
|
|
|
This file contains interfaces to internal routines in the Lsa
|
|
Server that provide additional functionality not contained in
|
|
the Lsar routines. These routines are only used by LSA clients which
|
|
live in the same process as the LSA server.
|
|
|
|
|
|
Author:
|
|
|
|
Scott Birrell (ScottBi) April 8, 1992
|
|
|
|
Environment:
|
|
|
|
User Mode - Win32
|
|
|
|
Revision History:
|
|
|
|
|
|
--*/
|
|
|
|
#ifndef _LSAISRV_
|
|
#define _LSAISRV_
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
//
|
|
// The following constants are defined for callers of the LsaIHealthCheckRoutine
|
|
//
|
|
// 1. LSAI_SAM_STATE_SESS_KEY is used to convey the syskey by SAM to LSA.
|
|
// This is used in upgrade cases from NT4 and win2k B3 and RC1.
|
|
// SAM in these cases knows the syskey
|
|
//
|
|
// 2. LSAI_SAM_STATE_UNROLL_SP4_ENCRYPTION is used to convey SAM's password
|
|
// encryption key to LSA. This is used to unroll encryption used in NT4 SP4
|
|
// ( incorrectly ) using SAM's password encryption key
|
|
//
|
|
// 3. LSAI_SAM_STATE_RETRIEVE_SESS_KEY is used by SAM/DS to retrieve the
|
|
// from LSA to decrypt their respective password encryption keys
|
|
//
|
|
// 4. LSAI_SAM_GENERATE_SESS_KEY is used by SAM to tell the LSA to generate
|
|
// a new Password Encryption key in the case where we are upgrading
|
|
// from a NT4 or Win2k B3 or RC1 Machine and the machine is not syskey'd
|
|
//
|
|
// 5. LSAI_SAM_STATE_CLEAR_SESS_KEY is used by SAM or DS to clear the syskey
|
|
// after it has been used for decrypting their respective password
|
|
// encryption keys.
|
|
//
|
|
// 6. LSAI_SAM_STATE_OLD_SESS_KEY This is used to retrieve the old syskey in
|
|
// to implement error recovery during syskey change cases.
|
|
//
|
|
|
|
|
|
#define LSAI_SAM_STATE_SESS_KEY 0x1
|
|
#define LSAI_SAM_STATE_UNROLL_SP4_ENCRYPTION 0x2
|
|
#define LSAI_SAM_STATE_RETRIEVE_SESS_KEY 0x3
|
|
#define LSAI_SAM_STATE_CLEAR_SESS_KEY 0x4
|
|
#define LSAI_SAM_GENERATE_SESS_KEY 0x5
|
|
#define LSAI_SAM_STATE_OLD_SESS_KEY 0x6
|
|
|
|
//
|
|
// Internal limit on the number of SIDs that can be assigned to a single
|
|
// security context. If, for some reason, someone logs on to an account
|
|
// and is assigned more than this number of SIDs, the logon will fail.
|
|
// An error should be logged in this case.
|
|
//
|
|
|
|
#define LSAI_CONTEXT_SID_LIMIT 1024
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
// //
|
|
// The following prototypes are usable throughout the process that the //
|
|
// LSA server resides in. //
|
|
// //
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIHealthCheck(
|
|
IN LSAPR_HANDLE DomainHandle OPTIONAL,
|
|
IN ULONG StateChange,
|
|
IN OUT PVOID StateChangeData,
|
|
IN OUT PULONG StateChangeDataLength
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIOpenPolicyTrusted(
|
|
OUT PLSAPR_HANDLE PolicyHandle
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIQueryInformationPolicyTrusted(
|
|
IN POLICY_INFORMATION_CLASS InformationClass,
|
|
OUT PLSAPR_POLICY_INFORMATION *Buffer
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIGetSerialNumberPolicy(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
OUT PLARGE_INTEGER ModifiedCount,
|
|
OUT PLARGE_INTEGER CreationTime
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaISetSerialNumberPolicy(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
IN PLARGE_INTEGER ModifiedCount,
|
|
IN PLARGE_INTEGER CreationTime,
|
|
IN BOOLEAN StartOfFullSync
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIEnumerateSecrets(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
|
|
OUT PVOID *Buffer,
|
|
IN ULONG PreferedMaximumLength,
|
|
OUT PULONG CountReturned
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaISetTimesSecret(
|
|
IN LSAPR_HANDLE SecretHandle,
|
|
IN PLARGE_INTEGER CurrentValueSetTime,
|
|
IN PLARGE_INTEGER OldValueSetTime
|
|
);
|
|
|
|
#ifdef __LOGONMSV_H__ // This API is only of interest to users of logonmsv.h
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIFilterSids(
|
|
IN PUNICODE_STRING TrustedDomainName,
|
|
IN ULONG TrustDirection,
|
|
IN ULONG TrustType,
|
|
IN ULONG TrustAttributes,
|
|
IN OPTIONAL PSID Sid,
|
|
IN NETLOGON_VALIDATION_INFO_CLASS InfoClass,
|
|
IN OUT PVOID SamInfo,
|
|
IN OPTIONAL PSID ResourceGroupDomainSid,
|
|
IN OUT OPTIONAL PULONG ResourceGroupCount,
|
|
IN OUT OPTIONAL PGROUP_MEMBERSHIP ResourceGroupIds
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIFilterNamespace(
|
|
IN PUNICODE_STRING TrustedDomainName,
|
|
IN ULONG TrustDirection,
|
|
IN ULONG TrustType,
|
|
IN ULONG TrustAttributes,
|
|
IN PUNICODE_STRING Namespace
|
|
);
|
|
|
|
#endif
|
|
|
|
typedef enum {
|
|
|
|
RoutingMatchDomainSid,
|
|
RoutingMatchDomainName,
|
|
RoutingMatchUpn,
|
|
RoutingMatchSpn,
|
|
RoutingMatchNamespace
|
|
|
|
} LSA_ROUTING_MATCH_TYPE;
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIForestTrustFindMatch(
|
|
IN LSA_ROUTING_MATCH_TYPE Type,
|
|
IN PVOID Data,
|
|
OUT PLSA_UNICODE_STRING Match
|
|
);
|
|
|
|
VOID
|
|
LsaIFree_LSA_FOREST_TRUST_INFORMATION(
|
|
IN PLSA_FOREST_TRUST_INFORMATION * ForestTrustInfo
|
|
);
|
|
|
|
VOID
|
|
LsaIFree_LSA_FOREST_TRUST_COLLISION_INFORMATION(
|
|
IN PLSA_FOREST_TRUST_COLLISION_INFORMATION * CollisionInfo
|
|
);
|
|
|
|
BOOLEAN NTAPI
|
|
LsaISetupWasRun(
|
|
);
|
|
|
|
BOOLEAN NTAPI
|
|
LsaISafeMode(
|
|
VOID
|
|
);
|
|
|
|
BOOLEAN NTAPI
|
|
LsaILookupWellKnownName(
|
|
IN PUNICODE_STRING WellKnownName
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_ACCOUNT_ENUM_BUFFER (
|
|
IN PLSAPR_ACCOUNT_ENUM_BUFFER EnumerationBuffer
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_TRANSLATED_SIDS (
|
|
IN PLSAPR_TRANSLATED_SIDS TranslatedSids
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_TRANSLATED_NAMES (
|
|
IN PLSAPR_TRANSLATED_NAMES TranslatedNames
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_POLICY_INFORMATION (
|
|
IN POLICY_INFORMATION_CLASS InformationClass,
|
|
IN PLSAPR_POLICY_INFORMATION PolicyInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_POLICY_DOMAIN_INFORMATION (
|
|
IN POLICY_DOMAIN_INFORMATION_CLASS DomainInformationClass,
|
|
IN PLSAPR_POLICY_DOMAIN_INFORMATION PolicyDomainInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO (
|
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|
IN PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_REFERENCED_DOMAIN_LIST (
|
|
IN PLSAPR_REFERENCED_DOMAIN_LIST ReferencedDomains
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER (
|
|
IN PLSAPR_TRUSTED_ENUM_BUFFER EnumerationBuffer
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER_EX (
|
|
PLSAPR_TRUSTED_ENUM_BUFFER_EX EnumerationBuffer
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_TRUST_INFORMATION (
|
|
IN PLSAPR_TRUST_INFORMATION TrustInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAP_SECRET_ENUM_BUFFER (
|
|
IN PVOID Buffer,
|
|
IN ULONG Count
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER (
|
|
PLSAPR_PRIVILEGE_ENUM_BUFFER EnumerationBuffer
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR (
|
|
IN PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor
|
|
);
|
|
|
|
VOID
|
|
LsaIFree_LSAI_SECRET_ENUM_BUFFER (
|
|
IN PVOID Buffer,
|
|
IN ULONG Count
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAI_PRIVATE_DATA (
|
|
IN PVOID Data
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_UNICODE_STRING (
|
|
IN PLSAPR_UNICODE_STRING UnicodeName
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_UNICODE_STRING_BUFFER (
|
|
IN PLSAPR_UNICODE_STRING UnicodeName
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_PRIVILEGE_SET (
|
|
IN PLSAPR_PRIVILEGE_SET PrivilegeSet
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAPR_CR_CIPHER_VALUE (
|
|
IN PLSAPR_CR_CIPHER_VALUE CipherValue
|
|
);
|
|
|
|
|
|
//
|
|
// Enumeration to describe the attribute value data
|
|
//
|
|
typedef enum _LSAP_AUDIT_SAM_ATTR_DELTA_TYPE
|
|
{
|
|
LsapAuditSamAttrUnchanged = 0,
|
|
LsapAuditSamAttrNewValue,
|
|
LsapAuditSamAttrNoValue,
|
|
LsapAuditSamAttrSecret
|
|
|
|
} LSAP_SAM_AUDIT_ATTR_DELTA_TYPE, *PLSAP_SAM_AUDIT_ATTR_DELTA_TYPE;
|
|
|
|
|
|
//
|
|
// Macro to compute the UINT_PTR offset of a field in a structure type
|
|
//
|
|
#define LSAP_FIELD_PTR(Type, Field) \
|
|
((FIELD_OFFSET(Type, Field)) / sizeof(UINT_PTR))
|
|
|
|
|
|
//
|
|
// Macro to compute the index into AttrDeltaType given the containing
|
|
// structure's base address and the address of the associated field whos
|
|
// delta type is desired.
|
|
//
|
|
// Base - pointer to the structure
|
|
// Field - pointer to attribute field whos deltatype is being indexed
|
|
//
|
|
#define LSAP_INDEX_ATTR_DELTA_TYPE(Base, Field) \
|
|
((((UINT_PTR)(Field)) - ((UINT_PTR)(Base))) / sizeof(UINT_PTR))
|
|
|
|
|
|
//
|
|
// Attribute change information for auditing domain objects
|
|
//
|
|
#define LSAP_DOMAIN_ATTR_COUNT 13
|
|
//
|
|
// The above count must match the number of attribute pointers in the
|
|
// associated structure as it determines how many attributes we
|
|
// maintain LSAI_SAM_AUDIT_ATTR_DELTA_TYPEs for.
|
|
//
|
|
|
|
typedef struct _LSAP_AUDIT_DOMAIN_ATTR_VALUES
|
|
{
|
|
PLARGE_INTEGER MinPasswordAge;
|
|
PLARGE_INTEGER MaxPasswordAge;
|
|
PLARGE_INTEGER ForceLogoff;
|
|
PUSHORT LockoutThreshold;
|
|
PLARGE_INTEGER LockoutObservationWindow;
|
|
PLARGE_INTEGER LockoutDuration;
|
|
PULONG PasswordProperties;
|
|
PUSHORT MinPasswordLength;
|
|
PUSHORT PasswordHistoryLength;
|
|
PULONG MachineAccountQuota;
|
|
PULONG MixedDomainMode;
|
|
PULONG DomainBehaviorVersion;
|
|
PUNICODE_STRING OemInformation;
|
|
|
|
LSAP_SAM_AUDIT_ATTR_DELTA_TYPE AttrDeltaType[LSAP_DOMAIN_ATTR_COUNT];
|
|
|
|
} LSAP_AUDIT_DOMAIN_ATTR_VALUES, *PLSAP_AUDIT_DOMAIN_ATTR_VALUES;
|
|
|
|
|
|
//
|
|
// Attribute change information for auditing user/computer objects
|
|
//
|
|
|
|
#define LSAP_USER_ATTR_COUNT 18
|
|
|
|
|
|
//
|
|
// The above count must match the number of attribute pointers in the
|
|
// associated structure as it determines how many attributes we
|
|
// maintain LSAI_SAM_AUDIT_ATTR_DELTA_TYPEs for.
|
|
//
|
|
|
|
typedef struct _LSAP_AUDIT_USER_ATTR_VALUES
|
|
{
|
|
PUNICODE_STRING SamAccountName;
|
|
PUNICODE_STRING DisplayName;
|
|
PUNICODE_STRING UserPrincipalName;
|
|
PUNICODE_STRING HomeDirectory;
|
|
PUNICODE_STRING HomeDrive;
|
|
PUNICODE_STRING ScriptPath;
|
|
PUNICODE_STRING ProfilePath;
|
|
PUNICODE_STRING UserWorkStations;
|
|
PFILETIME PasswordLastSet;
|
|
PFILETIME AccountExpires;
|
|
PULONG PrimaryGroupId;
|
|
PLSA_ADT_STRING_LIST AllowedToDelegateTo;
|
|
PULONG UserAccountControl;
|
|
PUNICODE_STRING UserParameters;
|
|
PLSA_ADT_SID_LIST SidHistory;
|
|
PLOGON_HOURS LogonHours;
|
|
|
|
// Computers only
|
|
PUNICODE_STRING DnsHostName;
|
|
PLSA_ADT_STRING_LIST ServicePrincipalNames;
|
|
|
|
// Metadata indicating how each of the above were changed
|
|
LSAP_SAM_AUDIT_ATTR_DELTA_TYPE AttrDeltaType[LSAP_USER_ATTR_COUNT];
|
|
|
|
// Valid only if UserAccountControl is non-NULL
|
|
PULONG PrevUserAccountControl;
|
|
|
|
} LSAP_AUDIT_USER_ATTR_VALUES, *PLSAP_AUDIT_USER_ATTR_VALUES;
|
|
|
|
|
|
//
|
|
// Attribute change information for auditing group/alias objects
|
|
//
|
|
|
|
#define LSAP_GROUP_ATTR_COUNT 2
|
|
|
|
|
|
//
|
|
// The above count must match the number of attribute pointers in the
|
|
// associated structure as it determines how many attributes we
|
|
// maintain LSAI_SAM_AUDIT_ATTR_DELTA_TYPEs for.
|
|
//
|
|
|
|
typedef struct _LSAP_AUDIT_GROUP_ATTR_VALUES
|
|
{
|
|
PUNICODE_STRING SamAccountName;
|
|
PLSA_ADT_SID_LIST SidHistory;
|
|
|
|
LSAP_SAM_AUDIT_ATTR_DELTA_TYPE AttrDeltaType[LSAP_GROUP_ATTR_COUNT];
|
|
|
|
} LSAP_AUDIT_GROUP_ATTR_VALUES, *PLSAP_AUDIT_GROUP_ATTR_VALUES;
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIAuditSamEvent(
|
|
IN NTSTATUS Status,
|
|
IN ULONG AuditId,
|
|
IN PSID DomainSid,
|
|
IN PUNICODE_STRING AdditionalInfo OPTIONAL,
|
|
IN PULONG MemberRid OPTIONAL,
|
|
IN PSID MemberSid OPTIONAL,
|
|
IN PUNICODE_STRING AccountName OPTIONAL,
|
|
IN PUNICODE_STRING DomainName,
|
|
IN PULONG AccountRid OPTIONAL,
|
|
IN PPRIVILEGE_SET Privileges OPTIONAL,
|
|
IN PVOID ExtendedInfo OPTIONAL
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIAuditNotifyPackageLoad(
|
|
PUNICODE_STRING PackageFileName
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIAuditKdcEvent(
|
|
IN ULONG AuditId,
|
|
IN PUNICODE_STRING ClientName,
|
|
IN PUNICODE_STRING ClientDomain,
|
|
IN PSID ClientSid,
|
|
IN PUNICODE_STRING ServiceName,
|
|
IN PSID ServiceSid,
|
|
IN PULONG KdcOptions,
|
|
IN PULONG KerbStatus,
|
|
IN PULONG EncryptionType,
|
|
IN PULONG PreAuthType,
|
|
IN PBYTE ClientAddress,
|
|
IN LPGUID LogonGuid OPTIONAL,
|
|
IN PLSA_ADT_STRING_LIST TransittedServices OPTIONAL,
|
|
IN PUNICODE_STRING CertIssuerName OPTIONAL,
|
|
IN PUNICODE_STRING CertSerialNumber OPTIONAL,
|
|
IN PUNICODE_STRING CertThumbprint OPTIONAL
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIGetLogonGuid(
|
|
IN PUNICODE_STRING pUserName,
|
|
IN PUNICODE_STRING pUserDomain,
|
|
IN PBYTE pBuffer,
|
|
IN UINT BufferSize,
|
|
OUT LPGUID pLogonGuid
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaISetLogonGuidInLogonSession(
|
|
IN PLUID LogonId,
|
|
IN LPGUID LogonGuid OPTIONAL
|
|
);
|
|
|
|
VOID
|
|
LsaIAuditKerberosLogon(
|
|
IN NTSTATUS LogonStatus,
|
|
IN NTSTATUS LogonSubStatus,
|
|
IN PUNICODE_STRING AccountName,
|
|
IN PUNICODE_STRING AuthenticatingAuthority,
|
|
IN PUNICODE_STRING WorkstationName,
|
|
IN PSID UserSid, OPTIONAL
|
|
IN SECURITY_LOGON_TYPE LogonType,
|
|
IN PTOKEN_SOURCE TokenSource,
|
|
IN PLUID LogonId,
|
|
IN LPGUID LogonGuid,
|
|
IN PLSA_ADT_STRING_LIST TransittedServices
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIAuditLogonUsingExplicitCreds(
|
|
IN USHORT AuditEventType,
|
|
IN PLUID pUser1LogonId,
|
|
IN LPGUID pUser1LogonGuid, OPTIONAL
|
|
IN HANDLE User1ProcessId,
|
|
IN PUNICODE_STRING pUser2Name,
|
|
IN PUNICODE_STRING pUser2Domain,
|
|
IN LPGUID pUser2LogonGuid,
|
|
IN PUNICODE_STRING pTargetName,
|
|
IN PUNICODE_STRING pTargetInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIAdtAuditingEnabledByCategory(
|
|
IN POLICY_AUDIT_EVENT_TYPE Category,
|
|
IN USHORT AuditEventType,
|
|
IN PSID pUserSid OPTIONAL,
|
|
IN PLUID pLogonId OPTIONAL,
|
|
OUT PBOOLEAN pbAudit
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIAuditAccountLogon(
|
|
IN ULONG AuditId,
|
|
IN BOOLEAN Successful,
|
|
IN PUNICODE_STRING Source,
|
|
IN PUNICODE_STRING ClientName,
|
|
IN PUNICODE_STRING MappedName,
|
|
IN NTSTATUS Status OPTIONAL
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIAuditAccountLogonEx(
|
|
IN ULONG AuditId,
|
|
IN BOOLEAN Successful,
|
|
IN PUNICODE_STRING Source,
|
|
IN PUNICODE_STRING ClientName,
|
|
IN PUNICODE_STRING MappedName,
|
|
IN NTSTATUS Status, OPTIONAL
|
|
IN PSID ClientSid
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIAuditDPAPIEvent(
|
|
IN ULONG AuditId,
|
|
IN PSID UserSid,
|
|
IN PUNICODE_STRING MasterKeyID,
|
|
IN PUNICODE_STRING RecoveryServer,
|
|
IN PULONG Reason,
|
|
IN PUNICODE_STRING RecoverykeyID,
|
|
IN PULONG FailureReason
|
|
);
|
|
|
|
#define LSA_AUDIT_PARAMETERS_ABSOLUTE 1
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIWriteAuditEvent(
|
|
IN PSE_ADT_PARAMETER_ARRAY AuditParameters,
|
|
IN ULONG Options
|
|
);
|
|
|
|
|
|
NTSTATUS
|
|
LsaIAuditPasswordAccessEvent(
|
|
IN USHORT EventType,
|
|
IN PCWSTR pszTargetUserName,
|
|
IN PCWSTR pszTargetUserDomain
|
|
);
|
|
|
|
VOID
|
|
LsaIAuditFailed(
|
|
NTSTATUS AuditStatus
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaICallPackage(
|
|
IN PUNICODE_STRING AuthenticationPackage,
|
|
IN PVOID ProtocolSubmitBuffer,
|
|
IN ULONG SubmitBufferLength,
|
|
OUT PVOID *ProtocolReturnBuffer,
|
|
OUT PULONG ReturnBufferLength,
|
|
OUT PNTSTATUS ProtocolStatus
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFreeReturnBuffer(
|
|
IN PVOID Buffer
|
|
);
|
|
|
|
//
|
|
// NT5 routines for using the Ds for Lsa store
|
|
//
|
|
|
|
#define LSAI_FOREST_ROOT_TRUST 0x00000001
|
|
#define LSAI_FOREST_DOMAIN_GUID_PRESENT 0x00000002
|
|
|
|
//
|
|
// These structures correspond to the private interface Kerberos uses
|
|
// to build a tree of the domains in an organization.
|
|
//
|
|
|
|
typedef struct _LSAPR_TREE_TRUST_INFO {
|
|
|
|
UNICODE_STRING DnsDomainName;
|
|
UNICODE_STRING FlatName;
|
|
GUID DomainGuid;
|
|
PSID DomainSid;
|
|
ULONG Flags;
|
|
ULONG Children;
|
|
struct _LSAPR_TREE_TRUST_INFO *ChildDomains;
|
|
} LSAPR_TREE_TRUST_INFO, *PLSAPR_TREE_TRUST_INFO;
|
|
|
|
typedef struct _LSAPR_FOREST_TRUST_INFO {
|
|
|
|
LSAPR_TREE_TRUST_INFO RootTrust;
|
|
PLSAPR_TREE_TRUST_INFO ParentDomainReference;
|
|
|
|
} LSAPR_FOREST_TRUST_INFO, *PLSAPR_FOREST_TRUST_INFO;
|
|
|
|
VOID
|
|
LsaIFreeForestTrustInfo(
|
|
IN PLSAPR_FOREST_TRUST_INFO ForestTrustInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
LsaIQueryForestTrustInfo(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
OUT PLSAPR_FOREST_TRUST_INFO *ForestTrustInfo
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaISetTrustedDomainAuthInfoBlobs(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
IN PLSAPR_UNICODE_STRING TrustedDomainName,
|
|
IN PLSAPR_TRUSTED_DOMAIN_AUTH_BLOB IncomingBlob,
|
|
IN PLSAPR_TRUSTED_DOMAIN_AUTH_BLOB OutgoingBlob);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIUpgradeRegistryToDs(
|
|
IN BOOLEAN DeleteOnly
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIGetTrustedDomainAuthInfoBlobs(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
IN PLSAPR_UNICODE_STRING TrustedDomainName,
|
|
OUT PLSAPR_TRUSTED_DOMAIN_AUTH_BLOB IncomingBlob,
|
|
OUT PLSAPR_TRUSTED_DOMAIN_AUTH_BLOB OutgoingBlob
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIDsNotifiedObjectChange(
|
|
IN ULONG Class,
|
|
IN PVOID ObjectPath, // This is a DSNAME
|
|
IN SECURITY_DB_DELTA_TYPE DeltaType,
|
|
IN PSID UserSid,
|
|
IN LUID AuthenticationId,
|
|
IN BOOLEAN fReplicatedIn,
|
|
IN BOOLEAN ChangeOriginatedInLSA
|
|
);
|
|
|
|
typedef NTSTATUS (NTAPI *pfLsaIDsNotifiedObjectChange )(
|
|
ULONG, PVOID, SECURITY_DB_DELTA_TYPE, PSID, LUID, BOOLEAN, BOOLEAN );
|
|
|
|
//
|
|
// NT5 routines for moving some SAM domain object properties to the Lsa Ds objects
|
|
//
|
|
|
|
NTSTATUS NTAPI
|
|
LsaISamIndicatedDsStarted(
|
|
IN BOOLEAN PerformDomainRenameCheck
|
|
);
|
|
|
|
//
|
|
// Netlogon routines for enumerating subnets
|
|
//
|
|
|
|
typedef struct _LSAP_SUBNET_INFO_ENTRY {
|
|
UNICODE_STRING SubnetName;
|
|
UNICODE_STRING SiteName;
|
|
} LSAP_SUBNET_INFO_ENTRY, *PLSAP_SUBNET_INFO_ENTRY;
|
|
|
|
typedef struct _LSAP_SUBNET_INFO {
|
|
ULONG SiteCount;
|
|
ULONG SubnetCount;
|
|
LSAP_SUBNET_INFO_ENTRY Subnets[1];
|
|
} LSAP_SUBNET_INFO, *PLSAP_SUBNET_INFO;
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIQuerySubnetInfo(
|
|
OUT PLSAP_SUBNET_INFO *SubnetInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAP_SUBNET_INFO(
|
|
IN PLSAP_SUBNET_INFO SubnetInfo
|
|
);
|
|
|
|
//
|
|
// Netlogon routines for UPN/SPN suffixes
|
|
//
|
|
|
|
typedef struct _LSAP_UPN_SUFFIXES {
|
|
ULONG SuffixCount;
|
|
UNICODE_STRING Suffixes[1];
|
|
} LSAP_UPN_SUFFIXES, *PLSAP_UPN_SUFFIXES;
|
|
|
|
NTSTATUS
|
|
LsaIQueryUpnSuffixes(
|
|
OUT PLSAP_UPN_SUFFIXES *UpnSuffixes
|
|
);
|
|
|
|
VOID
|
|
LsaIFree_LSAP_UPN_SUFFIXES(
|
|
IN PLSAP_UPN_SUFFIXES UpnSuffixes
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIGetForestTrustInformation(
|
|
OUT PLSA_FOREST_TRUST_INFORMATION *ForestTrustInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIUpdateForestTrustInformation(
|
|
IN LSAPR_HANDLE PolicyHandle,
|
|
IN UNICODE_STRING * TrustedDomainName,
|
|
IN PLSA_FOREST_TRUST_INFORMATION NewForestTrustInfo
|
|
);
|
|
|
|
//
|
|
// Netlogon routines for enumerating sites
|
|
//
|
|
|
|
typedef struct _LSAP_SITE_INFO_ENTRY {
|
|
UNICODE_STRING SiteName;
|
|
} LSAP_SITE_INFO_ENTRY, *PLSAP_SITE_INFO_ENTRY;
|
|
|
|
typedef struct _LSAP_SITE_INFO {
|
|
ULONG SiteCount;
|
|
LSAP_SITE_INFO_ENTRY Sites[1];
|
|
} LSAP_SITE_INFO, *PLSAP_SITE_INFO;
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIQuerySiteInfo(
|
|
OUT PLSAP_SITE_INFO *SiteInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAP_SITE_INFO(
|
|
IN PLSAP_SITE_INFO SubnetInfo
|
|
);
|
|
|
|
//
|
|
// Netlogon routines for getting the name of the site we're in.
|
|
//
|
|
|
|
typedef struct _LSAP_SITENAME_INFO {
|
|
UNICODE_STRING SiteName;
|
|
GUID DsaGuid;
|
|
ULONG DsaOptions;
|
|
} LSAP_SITENAME_INFO, *PLSAP_SITENAME_INFO;
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIGetSiteName(
|
|
OUT PLSAP_SITENAME_INFO *SiteNameInformation
|
|
);
|
|
|
|
VOID NTAPI
|
|
LsaIFree_LSAP_SITENAME_INFO(
|
|
IN PLSAP_SITENAME_INFO SiteNameInfo
|
|
);
|
|
|
|
BOOLEAN NTAPI
|
|
LsaIIsDsPaused(
|
|
VOID
|
|
);
|
|
|
|
//
|
|
// Lsa notification routine definitions
|
|
//
|
|
|
|
//
|
|
// Notification callback routine prototype
|
|
//
|
|
typedef VOID ( NTAPI fLsaPolicyChangeNotificationCallback) (
|
|
IN POLICY_NOTIFICATION_INFORMATION_CLASS ChangedInfoClass
|
|
);
|
|
|
|
typedef fLsaPolicyChangeNotificationCallback *pfLsaPolicyChangeNotificationCallback;
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIRegisterPolicyChangeNotificationCallback(
|
|
IN pfLsaPolicyChangeNotificationCallback Callback,
|
|
IN POLICY_NOTIFICATION_INFORMATION_CLASS MonitorInfoClass
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIUnregisterPolicyChangeNotificationCallback(
|
|
IN pfLsaPolicyChangeNotificationCallback Callback,
|
|
IN POLICY_NOTIFICATION_INFORMATION_CLASS MonitorInfoClass
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIUnregisterAllPolicyChangeNotificationCallback(
|
|
IN pfLsaPolicyChangeNotificationCallback Callback
|
|
);
|
|
|
|
HANDLE NTAPI
|
|
LsaIRegisterNotification(
|
|
IN PTHREAD_START_ROUTINE StartFunction,
|
|
IN PVOID Parameter,
|
|
IN ULONG NotificationType,
|
|
IN ULONG NotificationClass,
|
|
IN ULONG NotificationFlags,
|
|
IN ULONG IntervalMinutes,
|
|
IN OPTIONAL HANDLE WaitEvent
|
|
);
|
|
|
|
NTSTATUS NTAPI
|
|
LsaICancelNotification(
|
|
IN HANDLE NotifyHandle
|
|
);
|
|
|
|
//
|
|
// This is the notification Kerberos registers to receive updates on changing trusts
|
|
//
|
|
|
|
typedef VOID (fLsaTrustChangeNotificationCallback) (
|
|
IN SECURITY_DB_DELTA_TYPE DeltaType
|
|
);
|
|
|
|
typedef fLsaTrustChangeNotificationCallback *pfLsaTrustChangeNotificationCallback;
|
|
|
|
typedef enum LSAP_REGISTER {
|
|
|
|
LsaRegister = 0,
|
|
LsaUnregister
|
|
|
|
} LSAP_REGISTER, *PLSAP_REGISTER;
|
|
|
|
NTSTATUS NTAPI
|
|
LsaIKerberosRegisterTrustNotification(
|
|
IN pfLsaTrustChangeNotificationCallback Callback,
|
|
IN LSAP_REGISTER Register
|
|
);
|
|
|
|
//
|
|
// See secpkg.h : LsaGetCallInfo and SECPKG_CALL_INFO
|
|
//
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
LsaIGetCallInfo(
|
|
PVOID
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaISetTokenDacl(
|
|
IN HANDLE Token
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaISetClientDnsHostName(
|
|
IN PWSTR ClientName,
|
|
IN PWSTR ClientDnsHostName OPTIONAL,
|
|
IN POSVERSIONINFOEXW OsVersionInfo OPTIONAL,
|
|
IN PWSTR OsName OPTIONAL,
|
|
OUT PWSTR *OldDnsHostName OPTIONAL
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaICallPackageEx(
|
|
IN PUNICODE_STRING AuthenticationPackage,
|
|
IN PVOID ClientBufferBase,
|
|
IN PVOID ProtocolSubmitBuffer,
|
|
IN ULONG SubmitBufferLength,
|
|
OUT PVOID * ProtocolReturnBuffer,
|
|
OUT PULONG ReturnBufferLength,
|
|
OUT PNTSTATUS ProtocolStatus
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaICallPackagePassthrough(
|
|
IN PUNICODE_STRING AuthenticationPackage,
|
|
IN PVOID ClientBufferBase,
|
|
IN PVOID ProtocolSubmitBuffer,
|
|
IN ULONG SubmitBufferLength,
|
|
OUT PVOID * ProtocolReturnBuffer,
|
|
OUT PULONG ReturnBufferLength,
|
|
OUT PNTSTATUS ProtocolStatus
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaISetBootOption(
|
|
IN ULONG BootOption,
|
|
IN PVOID OldKey,
|
|
IN ULONG OldKeyLength,
|
|
IN PVOID NewKey,
|
|
IN ULONG NewKeyLength
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIGetBootOption(
|
|
OUT PULONG BootOption
|
|
);
|
|
|
|
VOID
|
|
LsaINotifyPasswordChanged(
|
|
IN PUNICODE_STRING NetbiosDomainName OPTIONAL,
|
|
IN PUNICODE_STRING UserName,
|
|
IN PUNICODE_STRING DnsDomainName OPTIONAL,
|
|
IN PUNICODE_STRING Upn OPTIONAL,
|
|
IN PUNICODE_STRING OldPassword,
|
|
IN PUNICODE_STRING NewPassword,
|
|
IN BOOLEAN Impersonating
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaINotifyChangeNotification(
|
|
IN POLICY_NOTIFICATION_INFORMATION_CLASS InfoClass
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIGetNbAndDnsDomainNames(
|
|
IN PUNICODE_STRING DomainName,
|
|
OUT PUNICODE_STRING DnsDomainName,
|
|
OUT PUNICODE_STRING NetbiosDomainName
|
|
);
|
|
|
|
//
|
|
// This flag indicates the the protected blob is a system blob, and cannot
|
|
// be decrypted by the user-space.
|
|
//
|
|
|
|
#define CRYPTPROTECT_SYSTEM 0x20000000
|
|
|
|
//
|
|
// Local Free should be used to free the returned buffer
|
|
//
|
|
|
|
BOOLEAN
|
|
LsaICryptProtectData(
|
|
IN PVOID DataIn,
|
|
IN ULONG DataInLength,
|
|
IN PUNICODE_STRING szDataDescr,
|
|
IN PVOID OptionalEntropy,
|
|
IN ULONG OptionalEntropyLength,
|
|
IN PVOID Reserved,
|
|
IN PVOID Reserved2,
|
|
IN ULONG Flags,
|
|
OUT PVOID * DataOut,
|
|
OUT PULONG DataOutLength);
|
|
|
|
//
|
|
// Local Free should be used to free the returned buffer
|
|
//
|
|
|
|
BOOLEAN
|
|
LsaICryptUnprotectData(
|
|
IN PVOID DataIn,
|
|
IN ULONG DataInLength,
|
|
IN PVOID OptionalEntropy,
|
|
IN ULONG OptionalEntropyLength,
|
|
IN PVOID Reserved,
|
|
IN PVOID Reserved2,
|
|
IN ULONG Flags,
|
|
OUT PUNICODE_STRING szDataDescr,
|
|
OUT PVOID * DataOut,
|
|
OUT PULONG DataOutLength);
|
|
|
|
//
|
|
// Heap allocator for the LSA process
|
|
//
|
|
|
|
PVOID
|
|
NTAPI
|
|
LsaIAllocateHeap(
|
|
IN SIZE_T cbMemory
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
LsaIFreeHeap(
|
|
IN PVOID Base
|
|
);
|
|
|
|
typedef enum LSAP_NETLOGON_PARAMETER {
|
|
|
|
LsaEmulateNT4,
|
|
|
|
} LSAP_NETLOGON_PARAMETER;
|
|
|
|
VOID
|
|
NTAPI
|
|
LsaINotifyNetlogonParametersChangeW(
|
|
IN LSAP_NETLOGON_PARAMETER Parameter,
|
|
IN DWORD dwType,
|
|
IN PWSTR lpData,
|
|
IN DWORD cbData
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
LsaIChangeSecretCipherKey(
|
|
IN PVOID NewSysKey
|
|
);
|
|
|
|
BOOLEAN
|
|
LsaINoMoreWin2KDomain();
|
|
|
|
void
|
|
LsaINotifyGCStatusChange(
|
|
IN BOOLEAN PromotingToGC
|
|
);
|
|
|
|
NTSTATUS
|
|
LsaIIsDomainWithinForest(
|
|
IN UNICODE_STRING * TrustedDomainName,
|
|
OUT BOOL * WithinForest,
|
|
OUT OPTIONAL BOOL * ThisDomain,
|
|
OUT OPTIONAL PSID * TrustedDomainSid,
|
|
OUT OPTIONAL ULONG * TrustDirection,
|
|
OUT OPTIONAL ULONG * TrustType,
|
|
OUT OPTIONAL ULONG * TrustAttributes
|
|
);
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif // _LSAISRV_
|