xref: /illumos-gate/usr/src/uts/common/smbsrv/smb_sid.h (revision 7257d1b4)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_SID_H
27 #define	_SMB_SID_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 /*
32  * NT Security Identifier (SID) interface definition.
33  */
34 #include <smbsrv/wintypes.h>
35 
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39 
40 /*
41  * Predefined global user RIDs.
42  */
43 #define	DOMAIN_USER_RID_ADMIN		(0x000001F4L)	/* 500 */
44 #define	DOMAIN_USER_RID_GUEST		(0x000001F5L)	/* 501 */
45 #define	DOMAIN_USER_RID_KRBTGT		(0x000001F6L)	/* 502 */
46 
47 /*
48  * Predefined global group RIDs.
49  */
#define	DOMAIN_GROUP_RID_ADMINS		(0x00000200L)	/* 512 */
#define	DOMAIN_GROUP_RID_USERS		(0x00000201L)	/* 513 */
#define	DOMAIN_GROUP_RID_GUESTS		(0x00000202L)	/* 514 */
#define	DOMAIN_GROUP_RID_COMPUTERS	(0x00000203L)	/* 515 */
#define	DOMAIN_GROUP_RID_CONTROLLERS	(0x00000204L)	/* 516 */
#define	DOMAIN_GROUP_RID_CERT_ADMINS	(0x00000205L)	/* 517 */
#define	DOMAIN_GROUP_RID_SCHEMA_ADMINS	(0x00000206L)	/* 518 */
57 
58 
59 /*
60  * Predefined local alias RIDs.
61  */
#define	DOMAIN_ALIAS_RID_ADMINS		(0x00000220L)	/* 544 */
#define	DOMAIN_ALIAS_RID_USERS		(0x00000221L)	/* 545 */
#define	DOMAIN_ALIAS_RID_GUESTS		(0x00000222L)	/* 546 */
#define	DOMAIN_ALIAS_RID_POWER_USERS	(0x00000223L)	/* 547 */
#define	DOMAIN_ALIAS_RID_ACCOUNT_OPS	(0x00000224L)	/* 548 */
#define	DOMAIN_ALIAS_RID_SYSTEM_OPS	(0x00000225L)	/* 549 */
#define	DOMAIN_ALIAS_RID_PRINT_OPS	(0x00000226L)	/* 550 */
#define	DOMAIN_ALIAS_RID_BACKUP_OPS	(0x00000227L)	/* 551 */
#define	DOMAIN_ALIAS_RID_REPLICATOR	(0x00000228L)	/* 552 */
71 
72 
73 /*
74  * Universal and NT well-known SIDs
75  */
76 #define	NT_NULL_SIDSTR				"S-1-0-0"
77 #define	NT_WORLD_SIDSTR				"S-1-1-0"
78 #define	NT_LOCAL_SIDSTR				"S-1-2-0"
79 #define	NT_CREATOR_OWNER_ID_SIDSTR		"S-1-3-0"
80 #define	NT_CREATOR_GROUP_ID_SIDSTR		"S-1-3-1"
81 #define	NT_CREATOR_OWNER_SERVER_ID_SIDSTR	"S-1-3-2"
82 #define	NT_CREATOR_GROUP_SERVER_ID_SIDSTR	"S-1-3-3"
83 #define	NT_NON_UNIQUE_IDS_SIDSTR		"S-1-4"
84 #define	NT_AUTHORITY_SIDSTR			"S-1-5"
85 #define	NT_DIALUP_SIDSTR			"S-1-5-1"
86 #define	NT_NETWORK_SIDSTR			"S-1-5-2"
87 #define	NT_BATCH_SIDSTR				"S-1-5-3"
88 #define	NT_INTERACTIVE_SIDSTR			"S-1-5-4"
89 #define	NT_SERVICE_SIDSTR			"S-1-5-6"
90 #define	NT_ANONYMOUS_LOGON_SIDSTR		"S-1-5-7"
91 #define	NT_PROXY_SIDSTR				"S-1-5-8"
92 #define	NT_SERVER_LOGON_SIDSTR			"S-1-5-9"
93 #define	NT_SELF_SIDSTR				"S-1-5-10"
94 #define	NT_AUTHENTICATED_USER_SIDSTR		"S-1-5-11"
95 #define	NT_RESTRICTED_CODE_SIDSTR		"S-1-5-12"
96 #define	NT_LOCAL_SYSTEM_SIDSTR			"S-1-5-18"
97 #define	NT_NON_UNIQUE_SIDSTR			"S-1-5-21"
98 #define	NT_BUILTIN_DOMAIN_SIDSTR		"S-1-5-32"
99 
100 
101 /*
102  * SID type indicators (SID_NAME_USE).
103  */
104 #define	SidTypeNull			0
105 #define	SidTypeUser			1
106 #define	SidTypeGroup			2
107 #define	SidTypeDomain			3
108 #define	SidTypeAlias			4
109 #define	SidTypeWellKnownGroup		5
110 #define	SidTypeDeletedAccount		6
111 #define	SidTypeInvalid			7
112 #define	SidTypeUnknown			8
113 #define	SidTypeComputer			9
114 
115 
116 /*
117  * Identifier authorities for various domains.
118  */
119 #define	NT_SID_NULL_AUTH		0
120 #define	NT_SID_WORLD_AUTH		1
121 #define	NT_SID_LOCAL_AUTH		2
122 #define	NT_SID_CREATOR_AUTH		3
123 #define	NT_SID_NON_UNIQUE_AUTH		4
124 #define	NT_SID_NT_AUTH			5
125 
126 
127 #define	NT_SECURITY_NULL_AUTH		{0, 0, 0, 0, 0, 0}
128 #define	NT_SECURITY_WORLD_AUTH		{0, 0, 0, 0, 0, 1}
129 #define	NT_SECURITY_LOCAL_AUTH		{0, 0, 0, 0, 0, 2}
130 #define	NT_SECURITY_CREATOR_AUTH	{0, 0, 0, 0, 0, 3}
131 #define	NT_SECURITY_NON_UNIQUE_AUTH	{0, 0, 0, 0, 0, 4}
132 #define	NT_SECURITY_NT_AUTH		{0, 0, 0, 0, 0, 5}
133 #define	NT_SECURITY_UNIX_AUTH		{0, 0, 0, 0, 0, 99}
134 
135 
136 #define	SECURITY_NULL_RID			(0x00000000L)
137 #define	SECURITY_WORLD_RID			(0x00000000L)
138 #define	SECURITY_LOCAL_RID			(0X00000000L)
139 
140 #define	SECURITY_CREATOR_OWNER_RID		(0x00000000L)
141 #define	SECURITY_CREATOR_GROUP_RID		(0x00000001L)
142 #define	SECURITY_CREATOR_OWNER_SERVER_RID	(0x00000002L)
143 #define	SECURITY_CREATOR_GROUP_SERVER_RID	(0x00000003L)
144 
145 #define	SECURITY_DIALUP_RID			(0x00000001L)
146 #define	SECURITY_NETWORK_RID			(0x00000002L)
147 #define	SECURITY_BATCH_RID			(0x00000003L)
148 #define	SECURITY_INTERACTIVE_RID		(0x00000004L)
149 #define	SECURITY_LOGON_IDS_RID			(0x00000005L)
150 #define	SECURITY_LOGON_IDS_RID_COUNT		(3L)
151 #define	SECURITY_SERVICE_RID			(0x00000006L)
152 #define	SECURITY_ANONYMOUS_LOGON_RID		(0x00000007L)
153 #define	SECURITY_PROXY_RID			(0x00000008L)
154 #define	SECURITY_ENTERPRISE_CONTROLLERS_RID	(0x00000009L)
155 #define	SECURITY_SERVER_LOGON_RID	SECURITY_ENTERPRISE_CONTROLLERS_RID
156 #define	SECURITY_PRINCIPAL_SELF_RID		(0x0000000AL)
157 #define	SECURITY_AUTHENTICATED_USER_RID		(0x0000000BL)
158 #define	SECURITY_RESTRICTED_CODE_RID		(0x0000000CL)
159 
160 #define	SECURITY_LOCAL_SYSTEM_RID		(0x00000012L)
161 #define	SECURITY_NT_NON_UNIQUE			(0x00000015L)
162 #define	SECURITY_BUILTIN_DOMAIN_RID		(0x00000020L)
163 
164 
165 #define	NT_SID_NON_UNIQUE_SUBAUTH 21
166 
167 
168 /*
169  * Common definition for a SID.
170  */
171 #define	NT_SID_REVISION		1
172 #define	NT_SID_AUTH_MAX		6
173 #define	NT_SID_SUBAUTH_MAX	15
174 
175 
176 /*
177  * Security Identifier (SID)
178  *
179  * The security identifier (SID) uniquely identifies a user, group or
180  * a domain. It consists of a revision number, the identifier authority,
181  * and a list of sub-authorities. The revision number is currently 1.
182  * The identifier authority identifies which system issued the SID. The
183  * sub-authorities of a domain SID uniquely identify a domain. A user
184  * or group SID consists of a domain SID with the user or group id
185  * appended. The user or group id (also known as a relative id (RID))
186  * uniquely identifies a user within a domain. A user or group SID
187  * uniquely identifies a user or group across all domains. The SidType
188  * values identify the various types of SID.
189  *
190  *      1   1   1   1   1   1
191  *      5   4   3   2   1   0   9   8   7   6   5   4   3   2   1   0
192  *   +---------------------------------------------------------------+
193  *   |      SubAuthorityCount        |Reserved1 (SBZ)|   Revision    |
194  *   +---------------------------------------------------------------+
195  *   |                   IdentifierAuthority[0]                      |
196  *   +---------------------------------------------------------------+
197  *   |                   IdentifierAuthority[1]                      |
198  *   +---------------------------------------------------------------+
199  *   |                   IdentifierAuthority[2]                      |
200  *   +---------------------------------------------------------------+
201  *   |                                                               |
202  *   +- -  -  -  -  -  -  -  SubAuthority[]  -  -  -  -  -  -  -  - -+
203  *   |                                                               |
204  *   +---------------------------------------------------------------+
205  *
206  */
207 /*
208  * Note: NT defines the Identifier Authority as a separate
209  * structure (SID_IDENTIFIER_AUTHORITY) containing a literal
210  * definition of a 6 byte vector but the effect is the same
211  * as defining it as a member value.
212  */
/*
 * Binary form of a SID, laid out as in the diagram above.
 *
 * sid_subauth[] is a trailing variable-length array: the number of valid
 * entries is sid_subauthcnt, so a real SID is larger than sizeof (smb_sid_t)
 * and must be allocated and copied with a length derived from the count
 * (presumably what smb_sid_len() computes -- confirm against the
 * implementation).  NT_SID_SUBAUTH_MAX appears to be the upper bound on
 * sid_subauthcnt; code that decodes a SID from request data should reject
 * a larger count before indexing sid_subauth[].
 */
typedef struct smb_sid {
	uint8_t sid_revision;			/* expected NT_SID_REVISION (1) */
	uint8_t sid_subauthcnt;			/* valid entries in sid_subauth[] */
	uint8_t sid_authority[NT_SID_AUTH_MAX];	/* 6-byte identifier authority */
	uint32_t sid_subauth[ANY_SIZE_ARRAY];	/* variable length; ANY_SIZE_ARRAY presumably from wintypes.h */
} smb_sid_t;
219 
220 /*
221  * Well-known account structure
222  */
/*
 * Well-known account (WKA) table entry.
 *
 * Ownership of the pointer members is not visible in this header; they are
 * presumably backed by the table set up by smb_wka_init() and released by
 * smb_wka_fini() -- confirm before freeing anything obtained from a lookup.
 */
typedef struct smb_wka {
	uint16_t	wka_type;	/* presumably a SidType* value (SID_NAME_USE) */
	uint8_t		wka_domidx;	/* domain index; meaning defined by the implementation */
	char		*wka_sid;	/* SID in string form, presumably "S-1-..." */
	char		*wka_name;	/* account name */
	uint16_t	wka_flags;	/* SMB_WKAFLG_* bits */
	char		*wka_desc;	/* human-readable description */
	smb_sid_t	*wka_binsid;	/* binary form of the SID */
} smb_wka_t;
232 
233 /*
234  * Defined values for smb_wka.wka_flags
235  *
236  * SMB_WKAFLG_LGRP_ENABLE		Can be added as local group
237  */
238 #define	SMB_WKAFLG_LGRP_ENABLE	0x1
239 
240 /*
241  * The maximum size of a SID in string format
242  */
243 #define	SMB_SID_STRSZ		256
244 
/*
 * SID interfaces.  Only the signatures are visible here; the points a
 * caller needs to confirm against the implementation are:
 *
 *  - smb_sid_dup(), smb_sid_splice() and smb_sid_fromstr() return a
 *    pointer to a new smb_sid_t, presumably heap-allocated and to be
 *    released with smb_sid_free().
 *  - smb_sid_tostr() takes no destination length: the buffer must hold
 *    the longest string form, i.e. SMB_SID_STRSZ bytes (the maximum this
 *    header states), or the call can overrun it.
 *  - smb_sid_splitstr() takes a non-const char *, so it presumably
 *    modifies the string in place.
 *  - The int-returning functions' success/failure convention is not
 *    visible here.
 *  - A SID decoded from request data should pass smb_sid_isvalid() before
 *    sid_subauthcnt is used to index sid_subauth[], assuming that is what
 *    it checks -- confirm.
 */
boolean_t smb_sid_isvalid(smb_sid_t *);
int smb_sid_len(smb_sid_t *);			/* presumably the byte length for sid_subauthcnt entries */
smb_sid_t *smb_sid_dup(smb_sid_t *);
smb_sid_t *smb_sid_splice(smb_sid_t *, uint32_t);	/* presumably domain SID + RID -> new SID */
int smb_sid_getrid(smb_sid_t *, uint32_t *);		/* RID returned via the out-parameter */
int smb_sid_split(smb_sid_t *, uint32_t *);
boolean_t smb_sid_cmp(smb_sid_t *, smb_sid_t *);
boolean_t smb_sid_islocal(smb_sid_t *);
boolean_t smb_sid_indomain(smb_sid_t *, smb_sid_t *);
void smb_sid_free(smb_sid_t *);
int smb_sid_splitstr(char *, uint32_t *);
void smb_sid_tostr(smb_sid_t *, char *);		/* destination: SMB_SID_STRSZ bytes */
smb_sid_t *smb_sid_fromstr(char *);			/* NUL-terminated "S-1-..." string expected */
char *smb_sid_type2str(uint16_t);			/* SidType* value -> name */
259 
260 
261 /*
262  * Well-known account interfaces
263  */
/*
 * Well-known account interfaces.
 *
 * The lookups presumably return pointers into the table built by
 * smb_wka_init(); callers should not free them, and should not use them
 * after smb_wka_fini() -- confirm against the implementation.  The
 * uint16_t * out-parameters presumably receive the entry's wka_type.
 */
int smb_wka_init(void);
void smb_wka_fini(void);
smb_wka_t *smb_wka_lookup(char *);			/* by account name, presumably */
char *smb_wka_lookup_sid(smb_sid_t *, uint16_t *);	/* binary SID -> name, type out */
smb_sid_t *smb_wka_lookup_name(char *, uint16_t *);	/* name -> binary SID, type out */
char *smb_wka_lookup_domain(char *);
boolean_t smb_wka_is_wellknown(char *);
271 
272 
273 #ifdef __cplusplus
274 }
275 #endif
276 
277 
278 #endif /* _SMB_SID_H */