2001-02-27 21:22:39 +03:00
/*
2002-01-30 09:08:46 +03:00
* Unix SMB / CIFS implementation .
2001-02-27 21:22:39 +03:00
* RPC Pipe client / server routines
2005-01-19 19:52:19 +03:00
* Copyright ( C ) Andrew Tridgell 1992 - 1997 ,
* Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997 ,
2002-08-17 19:34:15 +04:00
* Copyright ( C ) Paul Ashton 1997 ,
* Copyright ( C ) Marc Jacobsen 1999 ,
2005-01-19 19:52:19 +03:00
* Copyright ( C ) Jeremy Allison 2001 - 2002 ,
2005-09-30 21:13:37 +04:00
* Copyright ( C ) Jean François Micouleau 1998 - 2001 ,
2004-04-13 18:39:48 +04:00
* Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2002 ,
2005-01-19 19:52:19 +03:00
* Copyright ( C ) Gerald ( Jerry ) Carter 2003 - 2004 ,
2005-06-14 22:38:15 +04:00
* Copyright ( C ) Simo Sorce 2003.
2001-02-27 21:22:39 +03:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
/*
* This is the implementation of the SAMR code .
*/
# include "includes.h"
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_SRV
2005-02-01 01:42:30 +03:00
# define SAMR_USR_RIGHTS_WRITE_PW \
( READ_CONTROL_ACCESS | \
SA_RIGHT_USER_CHANGE_PASSWORD | \
SA_RIGHT_USER_SET_LOC_COM )
2005-11-22 23:26:23 +03:00
# define DISP_INFO_CACHE_TIMEOUT 10
2005-11-19 02:15:47 +03:00
2005-04-15 17:41:49 +04:00
typedef struct disp_info {
2005-11-19 02:15:47 +03:00
struct disp_info * next , * prev ;
TALLOC_CTX * mem_ctx ;
DOM_SID sid ; /* identify which domain this is. */
2005-06-22 18:16:10 +04:00
struct pdb_search * users ; /* querydispinfo 1 and 4 */
struct pdb_search * machines ; /* querydispinfo 2 */
struct pdb_search * groups ; /* querydispinfo 3 and 5, enumgroups */
struct pdb_search * aliases ; /* enumaliases */
struct pdb_search * builtins ; /* enumaliases */
uint16 enum_acb_mask ;
struct pdb_search * enum_users ; /* enumusers with a mask */
2005-11-19 02:15:47 +03:00
smb_event_id_t di_cache_timeout_event ; /* cache idle timeout handler. */
2001-12-21 16:36:14 +03:00
} DISP_INFO ;
2005-11-19 02:15:47 +03:00
/* We keep a static list of these by SID as modern clients close down
all resources between each request in a complete enumeration . */
static DISP_INFO * disp_info_list ;
2001-03-11 03:32:10 +03:00
struct samr_info {
2001-12-21 16:36:14 +03:00
/* for use by the \PIPE\samr policy */
DOM_SID sid ;
uint32 status ; /* some sort of flag. best to record it. comes from opnum 0x39 */
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info ;
2002-07-15 14:35:28 +04:00
TALLOC_CTX * mem_ctx ;
2001-03-11 03:32:10 +03:00
} ;
2005-11-26 23:28:12 +03:00
static struct generic_mapping sam_generic_mapping = {
GENERIC_RIGHTS_SAM_READ ,
GENERIC_RIGHTS_SAM_WRITE ,
GENERIC_RIGHTS_SAM_EXECUTE ,
GENERIC_RIGHTS_SAM_ALL_ACCESS } ;
static struct generic_mapping dom_generic_mapping = {
GENERIC_RIGHTS_DOMAIN_READ ,
GENERIC_RIGHTS_DOMAIN_WRITE ,
GENERIC_RIGHTS_DOMAIN_EXECUTE ,
GENERIC_RIGHTS_DOMAIN_ALL_ACCESS } ;
static struct generic_mapping usr_generic_mapping = {
GENERIC_RIGHTS_USER_READ ,
GENERIC_RIGHTS_USER_WRITE ,
GENERIC_RIGHTS_USER_EXECUTE ,
GENERIC_RIGHTS_USER_ALL_ACCESS } ;
static struct generic_mapping grp_generic_mapping = {
GENERIC_RIGHTS_GROUP_READ ,
GENERIC_RIGHTS_GROUP_WRITE ,
GENERIC_RIGHTS_GROUP_EXECUTE ,
GENERIC_RIGHTS_GROUP_ALL_ACCESS } ;
static struct generic_mapping ali_generic_mapping = {
GENERIC_RIGHTS_ALIAS_READ ,
GENERIC_RIGHTS_ALIAS_WRITE ,
GENERIC_RIGHTS_ALIAS_EXECUTE ,
GENERIC_RIGHTS_ALIAS_ALL_ACCESS } ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/*******************************************************************
2005-02-01 01:42:30 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
2005-02-01 01:42:30 +03:00
static NTSTATUS make_samr_object_sd ( TALLOC_CTX * ctx , SEC_DESC * * psd , size_t * sd_size ,
struct generic_mapping * map ,
DOM_SID * sid , uint32 sid_access )
2005-01-26 23:36:44 +03:00
{
2005-06-14 22:38:15 +04:00
DOM_SID domadmin_sid ;
2005-02-01 01:42:30 +03:00
SEC_ACE ace [ 5 ] ; /* at most 5 entries */
2005-01-26 23:36:44 +03:00
SEC_ACCESS mask ;
size_t i = 0 ;
SEC_ACL * psa = NULL ;
2005-02-01 01:42:30 +03:00
/* basic access for Everyone */
2005-09-30 21:13:37 +04:00
2005-02-01 01:42:30 +03:00
init_sec_access ( & mask , map - > generic_execute | map - > generic_read ) ;
init_sec_ace ( & ace [ i + + ] , & global_sid_World , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
2005-09-30 21:13:37 +04:00
2005-02-01 01:42:30 +03:00
/* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
2005-09-30 21:13:37 +04:00
2005-02-01 01:42:30 +03:00
init_sec_access ( & mask , map - > generic_all ) ;
2005-01-26 23:36:44 +03:00
2005-06-14 22:38:15 +04:00
init_sec_ace ( & ace [ i + + ] , & global_sid_Builtin_Administrators , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
init_sec_ace ( & ace [ i + + ] , & global_sid_Builtin_Account_Operators , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
2005-09-30 21:13:37 +04:00
2005-02-01 01:42:30 +03:00
/* Add Full Access for Domain Admins if we are a DC */
2005-01-26 23:36:44 +03:00
if ( IS_DC ) {
sid_copy ( & domadmin_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & domadmin_sid , DOMAIN_GROUP_RID_ADMINS ) ;
init_sec_ace ( & ace [ i + + ] , & domadmin_sid , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
}
2005-02-01 01:42:30 +03:00
/* if we have a sid, give it some special access */
2005-09-30 21:13:37 +04:00
2005-02-01 01:42:30 +03:00
if ( sid ) {
init_sec_access ( & mask , sid_access ) ;
init_sec_ace ( & ace [ i + + ] , sid , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
2005-09-30 21:13:37 +04:00
}
2005-02-01 01:42:30 +03:00
/* create the security descriptor */
2005-09-30 21:13:37 +04:00
2005-02-01 01:42:30 +03:00
if ( ( psa = make_sec_acl ( ctx , NT4_ACL_REVISION , i , ace ) ) = = NULL )
2005-01-26 23:36:44 +03:00
return NT_STATUS_NO_MEMORY ;
if ( ( * psd = make_sec_desc ( ctx , SEC_DESC_REVISION , SEC_DESC_SELF_RELATIVE , NULL , NULL , NULL , psa , sd_size ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
return NT_STATUS_OK ;
}
2002-07-15 14:35:28 +04:00
/*******************************************************************
Checks if access to an object should be granted , and returns that
level of access for further checks .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
static NTSTATUS access_check_samr_object ( SEC_DESC * psd , NT_USER_TOKEN * token ,
SE_PRIV * rights , uint32 rights_mask ,
uint32 des_access , uint32 * acc_granted ,
const char * debug )
2002-07-15 14:35:28 +04:00
{
NTSTATUS status = NT_STATUS_ACCESS_DENIED ;
2005-01-26 23:36:44 +03:00
uint32 saved_mask = 0 ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/* check privileges; certain SAM access bits should be overridden
by privileges ( mostly having to do with creating / modifying / deleting
users and groups ) */
if ( rights & & user_has_any_privilege ( token , rights ) ) {
saved_mask = ( des_access & rights_mask ) ;
des_access & = ~ saved_mask ;
2005-01-28 19:55:09 +03:00
DEBUG ( 4 , ( " access_check_samr_object: user rights access mask [0x%x] \n " ,
rights_mask ) ) ;
2005-01-26 23:36:44 +03:00
}
/* check the security descriptor first */
if ( se_access_check ( psd , token , des_access , acc_granted , & status ) )
goto done ;
/* give root a free pass */
if ( geteuid ( ) = = sec_initial_uid ( ) ) {
DEBUG ( 4 , ( " %s: ACCESS should be DENIED (requested: %#010x) \n " , debug , des_access ) ) ;
DEBUGADD ( 4 , ( " but overritten by euid == sec_initial_uid() \n " ) ) ;
2003-03-21 16:35:15 +03:00
* acc_granted = des_access ;
2005-01-26 23:36:44 +03:00
status = NT_STATUS_OK ;
goto done ;
2002-07-15 14:35:28 +04:00
}
2005-01-26 23:36:44 +03:00
done :
/* add in any bits saved during the privilege check (only
2005-01-28 19:55:09 +03:00
matters is status is ok ) */
2005-01-26 23:36:44 +03:00
2005-01-28 19:55:09 +03:00
* acc_granted | = rights_mask ;
2005-01-27 05:16:02 +03:00
DEBUG ( 4 , ( " %s: access %s (requested: 0x%08x, granted: 0x%08x) \n " ,
debug , NT_STATUS_IS_OK ( status ) ? " GRANTED " : " DENIED " ,
des_access , * acc_granted ) ) ;
2005-01-26 23:36:44 +03:00
2002-07-15 14:35:28 +04:00
return status ;
}
/*******************************************************************
Checks if access to a function can be granted
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-14 22:26:13 +03:00
static NTSTATUS access_check_samr_function ( uint32 acc_granted , uint32 acc_required , const char * debug )
2002-07-15 14:35:28 +04:00
{
2005-01-26 23:36:44 +03:00
DEBUG ( 5 , ( " %s: access check ((granted: %#010x; required: %#010x) \n " ,
debug , acc_granted , acc_required ) ) ;
/* check the security descriptor first */
if ( ( acc_granted & acc_required ) = = acc_required )
return NT_STATUS_OK ;
/* give root a free pass */
if ( geteuid ( ) = = sec_initial_uid ( ) ) {
DEBUG ( 4 , ( " %s: ACCESS should be DENIED (granted: %#010x; required: %#010x) \n " ,
2002-07-15 14:35:28 +04:00
debug , acc_granted , acc_required ) ) ;
2005-01-26 23:36:44 +03:00
DEBUGADD ( 4 , ( " but overwritten by euid == 0 \n " ) ) ;
return NT_STATUS_OK ;
2002-07-15 14:35:28 +04:00
}
2005-01-26 23:36:44 +03:00
DEBUG ( 2 , ( " %s: ACCESS DENIED (granted: %#010x; required: %#010x) \n " ,
debug , acc_granted , acc_required ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2002-07-15 14:35:28 +04:00
}
2005-11-19 02:15:47 +03:00
/*******************************************************************
Fetch or create a dispinfo struct .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static DISP_INFO * get_samr_dispinfo_by_sid ( DOM_SID * psid , const char * sid_str )
{
TALLOC_CTX * mem_ctx ;
DISP_INFO * dpi ;
for ( dpi = disp_info_list ; dpi ; dpi = dpi - > next ) {
if ( sid_equal ( psid , & dpi - > sid ) ) {
return dpi ;
}
}
/* This struct is never free'd - I'm using talloc so we
can get a list out of smbd using smbcontrol . There will
be one of these per SID we ' re authorative for . JRA . */
mem_ctx = talloc_init ( " DISP_INFO for domain sid %s " , sid_str ) ;
if ( ( dpi = TALLOC_ZERO_P ( mem_ctx , DISP_INFO ) ) = = NULL )
return NULL ;
dpi - > mem_ctx = mem_ctx ;
if ( psid ) {
sid_copy ( & dpi - > sid , psid ) ;
}
DLIST_ADD ( disp_info_list , dpi ) ;
return dpi ;
}
2002-07-15 14:35:28 +04:00
2002-01-02 10:27:33 +03:00
/*******************************************************************
Create a samr_info struct .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static struct samr_info * get_samr_info_by_sid ( DOM_SID * psid )
{
struct samr_info * info ;
fstring sid_str ;
2002-07-15 14:35:28 +04:00
TALLOC_CTX * mem_ctx ;
if ( psid ) {
sid_to_string ( sid_str , psid ) ;
} else {
fstrcpy ( sid_str , " (NULL) " ) ;
}
2002-12-20 23:21:31 +03:00
mem_ctx = talloc_init ( " samr_info for domain sid %s " , sid_str ) ;
2002-01-02 10:27:33 +03:00
2005-04-15 17:41:49 +04:00
if ( ( info = TALLOC_ZERO_P ( mem_ctx , struct samr_info ) ) = = NULL )
2002-01-02 10:27:33 +03:00
return NULL ;
2002-07-15 14:35:28 +04:00
DEBUG ( 10 , ( " get_samr_info_by_sid: created new info for sid %s \n " , sid_str ) ) ;
2002-01-02 10:27:33 +03:00
if ( psid ) {
sid_copy ( & info - > sid , psid ) ;
} else {
DEBUG ( 10 , ( " get_samr_info_by_sid: created new info for NULL sid. \n " ) ) ;
}
2002-07-15 14:35:28 +04:00
info - > mem_ctx = mem_ctx ;
2005-11-19 02:15:47 +03:00
info - > disp_info = get_samr_dispinfo_by_sid ( psid , sid_str ) ;
if ( ! info - > disp_info ) {
talloc_destroy ( mem_ctx ) ;
return NULL ;
}
2002-01-02 10:27:33 +03:00
return info ;
}
2001-03-11 03:32:10 +03:00
/*******************************************************************
2005-11-19 02:15:47 +03:00
Function to free the per SID data .
2001-03-11 03:32:10 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-09 01:58:29 +04:00
2005-11-22 23:26:23 +03:00
static void free_samr_cache ( DISP_INFO * disp_info , const char * sid_str )
2005-11-19 02:15:47 +03:00
{
2005-11-22 23:26:23 +03:00
DEBUG ( 10 , ( " free_samr_cache: deleting cache for SID %s \n " , sid_str ) ) ;
2005-11-19 02:15:47 +03:00
2005-11-25 13:19:24 +03:00
/* We need to become root here because the paged search might have to
* tell the LDAP server we ' re not interested in the rest anymore . */
become_root ( ) ;
2005-11-19 02:15:47 +03:00
if ( disp_info - > users ) {
DEBUG ( 10 , ( " free_samr_cache: deleting users cache \n " ) ) ;
pdb_search_destroy ( disp_info - > users ) ;
disp_info - > users = NULL ;
}
if ( disp_info - > machines ) {
DEBUG ( 10 , ( " free_samr_cache: deleting machines cache \n " ) ) ;
pdb_search_destroy ( disp_info - > machines ) ;
disp_info - > machines = NULL ;
}
if ( disp_info - > groups ) {
DEBUG ( 10 , ( " free_samr_cache: deleting groups cache \n " ) ) ;
pdb_search_destroy ( disp_info - > groups ) ;
disp_info - > groups = NULL ;
}
if ( disp_info - > aliases ) {
DEBUG ( 10 , ( " free_samr_cache: deleting aliases cache \n " ) ) ;
pdb_search_destroy ( disp_info - > aliases ) ;
disp_info - > aliases = NULL ;
}
if ( disp_info - > builtins ) {
DEBUG ( 10 , ( " free_samr_cache: deleting builtins cache \n " ) ) ;
pdb_search_destroy ( disp_info - > builtins ) ;
disp_info - > builtins = NULL ;
}
if ( disp_info - > enum_users ) {
DEBUG ( 10 , ( " free_samr_cache: deleting enum_users cache \n " ) ) ;
pdb_search_destroy ( disp_info - > enum_users ) ;
disp_info - > enum_users = NULL ;
}
disp_info - > enum_acb_mask = 0 ;
2005-11-25 13:19:24 +03:00
unbecome_root ( ) ;
2005-11-19 02:15:47 +03:00
}
2002-09-25 19:19:00 +04:00
/*******************************************************************
Function to free the per handle data .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-09 01:58:29 +04:00
2001-12-22 01:34:49 +03:00
static void free_samr_info ( void * ptr )
{
struct samr_info * info = ( struct samr_info * ) ptr ;
2005-11-19 02:15:47 +03:00
/* Only free the dispinfo cache if no one bothered to set up
a timeout . */
if ( info - > disp_info & & info - > disp_info - > di_cache_timeout_event = = ( smb_event_id_t ) 0 ) {
2005-11-22 23:26:23 +03:00
fstring sid_str ;
sid_to_string ( sid_str , & info - > disp_info - > sid ) ;
free_samr_cache ( info - > disp_info , sid_str ) ;
2005-11-19 02:15:47 +03:00
}
2002-07-15 14:35:28 +04:00
talloc_destroy ( info - > mem_ctx ) ;
2001-03-11 03:32:10 +03:00
}
2005-11-19 02:15:47 +03:00
/*******************************************************************
Idle event handler . Throw away the disp info cache .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void disp_info_cache_idle_timeout_handler ( void * * private_data ,
time_t * ev_interval ,
time_t ev_now )
{
2005-11-22 23:26:23 +03:00
fstring sid_str ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = ( DISP_INFO * ) ( * private_data ) ;
2005-11-22 23:26:23 +03:00
sid_to_string ( sid_str , & disp_info - > sid ) ;
free_samr_cache ( disp_info , sid_str ) ;
2005-11-19 02:15:47 +03:00
/* Remove the event. */
smb_unregister_idle_event ( disp_info - > di_cache_timeout_event ) ;
disp_info - > di_cache_timeout_event = ( smb_event_id_t ) 0 ;
2005-11-22 23:26:23 +03:00
DEBUG ( 10 , ( " disp_info_cache_idle_timeout_handler: caching timed out for SID %s at %u \n " ,
sid_str , ( unsigned int ) ev_now ) ) ;
2005-11-19 02:15:47 +03:00
}
/*******************************************************************
Setup cache removal idle event handler .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void set_disp_info_cache_timeout ( DISP_INFO * disp_info , time_t secs_fromnow )
{
2005-11-22 23:26:23 +03:00
fstring sid_str ;
sid_to_string ( sid_str , & disp_info - > sid ) ;
2005-11-19 02:15:47 +03:00
/* Remove any pending timeout and update. */
if ( disp_info - > di_cache_timeout_event ) {
smb_unregister_idle_event ( disp_info - > di_cache_timeout_event ) ;
disp_info - > di_cache_timeout_event = ( smb_event_id_t ) 0 ;
}
2005-11-22 23:26:23 +03:00
DEBUG ( 10 , ( " set_disp_info_cache_timeout: caching enumeration for SID %s for %u seconds \n " ,
sid_str , ( unsigned int ) secs_fromnow ) ) ;
2005-11-19 02:15:47 +03:00
disp_info - > di_cache_timeout_event =
smb_register_idle_event ( disp_info_cache_idle_timeout_handler ,
disp_info ,
secs_fromnow ) ;
}
/*******************************************************************
Force flush any cache . We do this on any samr_set_xxx call .
2005-11-22 23:26:23 +03:00
We must also remove the timeout handler .
2005-11-19 02:15:47 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void force_flush_samr_cache ( DISP_INFO * disp_info )
{
if ( disp_info ) {
2005-11-22 23:26:23 +03:00
fstring sid_str ;
sid_to_string ( sid_str , & disp_info - > sid ) ;
if ( disp_info - > di_cache_timeout_event ) {
smb_unregister_idle_event ( disp_info - > di_cache_timeout_event ) ;
disp_info - > di_cache_timeout_event = ( smb_event_id_t ) 0 ;
DEBUG ( 10 , ( " force_flush_samr_cache: clearing idle event for SID %s \n " ,
sid_str ) ) ;
}
free_samr_cache ( disp_info , sid_str ) ;
2005-11-19 02:15:47 +03:00
}
}
2001-03-13 03:32:43 +03:00
/*******************************************************************
Ensure password info is never given out . Paranioa . . . JRA .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-05-04 19:44:27 +04:00
static void samr_clear_sam_passwd ( SAM_ACCOUNT * sam_pass )
2001-03-13 03:32:43 +03:00
{
2002-01-02 10:41:54 +03:00
2001-03-13 03:32:43 +03:00
if ( ! sam_pass )
return ;
2002-01-02 10:41:54 +03:00
/* These now zero out the old password */
2002-11-02 06:47:48 +03:00
pdb_set_lanman_passwd ( sam_pass , NULL , PDB_DEFAULT ) ;
pdb_set_nt_passwd ( sam_pass , NULL , PDB_DEFAULT ) ;
2001-03-13 03:32:43 +03:00
}
2005-04-15 17:41:49 +04:00
static uint32 count_sam_users ( struct disp_info * info , uint16 acct_flags )
2001-12-21 16:36:14 +03:00
{
2005-04-15 17:41:49 +04:00
struct samr_displayentry * entry ;
2005-11-19 02:15:47 +03:00
if ( info - > users = = NULL ) {
2005-04-15 17:41:49 +04:00
info - > users = pdb_search_users ( acct_flags ) ;
2005-11-19 02:15:47 +03:00
if ( info - > users = = NULL ) {
return 0 ;
}
}
2005-04-15 17:41:49 +04:00
/* Fetch the last possible entry, thus trigger an enumeration */
pdb_search_entries ( info - > users , 0xffffffff , 1 , & entry ) ;
2005-11-19 02:15:47 +03:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-04-15 17:41:49 +04:00
return info - > users - > num_entries ;
2001-12-21 16:36:14 +03:00
}
2005-04-15 17:41:49 +04:00
static uint32 count_sam_groups ( struct disp_info * info )
2001-12-21 16:36:14 +03:00
{
2005-04-15 17:41:49 +04:00
struct samr_displayentry * entry ;
2005-11-19 02:15:47 +03:00
if ( info - > groups = = NULL ) {
2005-04-15 17:41:49 +04:00
info - > groups = pdb_search_groups ( ) ;
2005-11-19 02:15:47 +03:00
if ( info - > groups = = NULL ) {
return 0 ;
}
}
2005-04-15 17:41:49 +04:00
/* Fetch the last possible entry, thus trigger an enumeration */
pdb_search_entries ( info - > groups , 0xffffffff , 1 , & entry ) ;
2005-11-19 02:15:47 +03:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-04-15 17:41:49 +04:00
return info - > groups - > num_entries ;
2001-12-21 16:36:14 +03:00
}
2002-07-15 14:35:28 +04:00
/*******************************************************************
2005-01-26 23:36:44 +03:00
_samr_close_hnd
2002-07-15 14:35:28 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
NTSTATUS _samr_close_hnd ( pipes_struct * p , SAMR_Q_CLOSE_HND * q_u , SAMR_R_CLOSE_HND * r_u )
2002-07-15 14:35:28 +04:00
{
2005-01-26 23:36:44 +03:00
r_u - > status = NT_STATUS_OK ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/* close the policy handle */
if ( ! close_policy_hnd ( p , & q_u - > pol ) )
return NT_STATUS_OBJECT_NAME_INVALID ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
DEBUG ( 5 , ( " samr_reply_close_hnd: %d \n " , __LINE__ ) ) ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
return r_u - > status ;
}
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/*******************************************************************
samr_reply_open_domain
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
NTSTATUS _samr_open_domain ( pipes_struct * p , SAMR_Q_OPEN_DOMAIN * q_u , SAMR_R_OPEN_DOMAIN * r_u )
{
struct samr_info * info ;
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
uint32 des_access = q_u - > flags ;
NTSTATUS status ;
2005-09-30 21:13:37 +04:00
size_t sd_size ;
2005-01-26 23:36:44 +03:00
SE_PRIV se_rights ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
r_u - > status = NT_STATUS_OK ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/* find the connection policy handle. */
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
status = access_check_samr_function ( info - > acc_granted ,
SA_RIGHT_SAM_OPEN_DOMAIN , " _samr_open_domain " ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
/*check if access can be granted as requested by client. */
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & dom_generic_mapping , NULL , 0 ) ;
2005-01-26 23:36:44 +03:00
se_map_generic ( & des_access , & dom_generic_mapping ) ;
se_priv_copy ( & se_rights , & se_machine_account ) ;
se_priv_add ( & se_rights , & se_add_users ) ;
status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
& se_rights , GENERIC_RIGHTS_DOMAIN_WRITE , des_access ,
& acc_granted , " _samr_open_domain " ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2005-11-27 00:35:43 +03:00
if ( ! sid_check_is_domain ( & q_u - > dom_sid . sid ) & &
! sid_check_is_builtin ( & q_u - > dom_sid . sid ) ) {
return NT_STATUS_NO_SUCH_DOMAIN ;
}
2005-01-26 23:36:44 +03:00
/* associate the domain SID with the (unique) handle. */
if ( ( info = get_samr_info_by_sid ( & q_u - > dom_sid . sid ) ) = = NULL )
2001-02-27 21:22:39 +03:00
return NT_STATUS_NO_MEMORY ;
2005-01-26 23:36:44 +03:00
info - > acc_granted = acc_granted ;
2001-02-27 21:22:39 +03:00
2005-01-26 23:36:44 +03:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > domain_pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
DEBUG ( 5 , ( " samr_open_domain: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
2002-07-15 14:35:28 +04:00
/*******************************************************************
2005-01-26 23:36:44 +03:00
_samr_get_usrdom_pwinfo
2002-07-15 14:35:28 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
NTSTATUS _samr_get_usrdom_pwinfo ( pipes_struct * p , SAMR_Q_GET_USRDOM_PWINFO * q_u , SAMR_R_GET_USRDOM_PWINFO * r_u )
2002-07-15 14:35:28 +04:00
{
2005-01-26 23:36:44 +03:00
struct samr_info * info = NULL ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
r_u - > status = NT_STATUS_OK ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , & q_u - > user_pol , ( void * * ) & info ) )
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
if ( ! sid_check_is_in_our_domain ( & info - > sid ) )
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
init_samr_r_get_usrdom_pwinfo ( r_u , NT_STATUS_OK ) ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
DEBUG ( 5 , ( " _samr_get_usrdom_pwinfo: %d \n " , __LINE__ ) ) ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/*
* NT sometimes return NT_STATUS_ACCESS_DENIED
* I don ' t know yet why .
*/
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
return r_u - > status ;
}
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
/*******************************************************************
_samr_set_sec_obj
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_set_sec_obj ( pipes_struct * p , SAMR_Q_SET_SEC_OBJ * q_u , SAMR_R_SET_SEC_OBJ * r_u )
{
DEBUG ( 0 , ( " _samr_set_sec_obj: Not yet implemented! \n " ) ) ;
return NT_STATUS_NOT_IMPLEMENTED ;
2002-07-15 14:35:28 +04:00
}
2005-01-26 23:36:44 +03:00
/*******************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL get_lsa_policy_samr_sid ( pipes_struct * p , POLICY_HND * pol ,
2005-11-19 02:15:47 +03:00
DOM_SID * sid , uint32 * acc_granted ,
DISP_INFO * * ppdisp_info )
2001-03-11 03:32:10 +03:00
{
struct samr_info * info = NULL ;
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , pol , ( void * * ) & info ) )
return False ;
if ( ! info )
return False ;
* sid = info - > sid ;
2002-07-15 14:35:28 +04:00
* acc_granted = info - > acc_granted ;
2005-11-19 02:15:47 +03:00
if ( ppdisp_info ) {
* ppdisp_info = info - > disp_info ;
}
2001-03-11 03:32:10 +03:00
return True ;
}
2001-02-27 21:22:39 +03:00
/*******************************************************************
_samr_query_sec_obj
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_sec_obj ( pipes_struct * p , SAMR_Q_QUERY_SEC_OBJ * q_u , SAMR_R_QUERY_SEC_OBJ * r_u )
2001-02-27 21:22:39 +03:00
{
DOM_SID pol_sid ;
2001-12-02 03:06:10 +03:00
fstring str_sid ;
2002-07-15 14:35:28 +04:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2005-02-01 01:42:30 +03:00
size_t sd_size ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
/* Get the SID. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > user_pol , & pol_sid , & acc_granted , NULL ) )
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
DEBUG ( 10 , ( " _samr_query_sec_obj: querying security on SID: %s \n " , sid_to_string ( str_sid , & pol_sid ) ) ) ;
2002-07-15 14:35:28 +04:00
/* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
/* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
2005-11-19 02:15:47 +03:00
if ( pol_sid . sid_rev_num = = 0 ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_query_sec_obj: querying security on SAM \n " ) ) ;
2005-02-01 01:42:30 +03:00
r_u - > status = make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & sam_generic_mapping , NULL , 0 ) ;
2005-11-19 02:15:47 +03:00
} else if ( sid_equal ( & pol_sid , get_global_sam_sid ( ) ) ) {
/* check if it is our domain SID */
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_query_sec_obj: querying security on Domain with SID: %s \n " , sid_to_string ( str_sid , & pol_sid ) ) ) ;
2005-02-01 01:42:30 +03:00
r_u - > status = make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & dom_generic_mapping , NULL , 0 ) ;
2005-11-19 02:15:47 +03:00
} else if ( sid_equal ( & pol_sid , & global_sid_Builtin ) ) {
/* check if it is the Builtin Domain */
2002-07-15 14:35:28 +04:00
/* TODO: Builtin probably needs a different SD with restricted write access*/
DEBUG ( 5 , ( " _samr_query_sec_obj: querying security on Builtin Domain with SID: %s \n " , sid_to_string ( str_sid , & pol_sid ) ) ) ;
2005-02-01 01:42:30 +03:00
r_u - > status = make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & dom_generic_mapping , NULL , 0 ) ;
2005-11-19 02:15:47 +03:00
} else if ( sid_check_is_in_our_domain ( & pol_sid ) | |
sid_check_is_in_builtin ( & pol_sid ) ) {
2002-07-15 14:35:28 +04:00
/* TODO: different SDs have to be generated for aliases groups and users.
Currently all three get a default user SD */
DEBUG ( 10 , ( " _samr_query_sec_obj: querying security on Object with SID: %s \n " , sid_to_string ( str_sid , & pol_sid ) ) ) ;
2005-02-01 01:42:30 +03:00
r_u - > status = make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & usr_generic_mapping , & pol_sid , SAMR_USR_RIGHTS_WRITE_PW ) ;
2005-11-19 02:15:47 +03:00
} else {
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2002-07-15 14:35:28 +04:00
}
if ( ( r_u - > buf = make_sec_desc_buf ( p - > mem_ctx , sd_size , psd ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
if ( NT_STATUS_IS_OK ( r_u - > status ) )
2001-02-27 21:22:39 +03:00
r_u - > ptr = 1 ;
return r_u - > status ;
}
/*******************************************************************
makes a SAM_ENTRY / UNISTR2 * structure from a user list .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-04-15 17:41:49 +04:00
static NTSTATUS make_user_sam_entry_list ( TALLOC_CTX * ctx , SAM_ENTRY * * sam_pp ,
UNISTR2 * * uni_name_pp ,
uint32 num_entries , uint32 start_idx ,
struct samr_displayentry * entries )
2001-02-27 21:22:39 +03:00
{
uint32 i ;
SAM_ENTRY * sam ;
UNISTR2 * uni_name ;
2002-07-15 14:35:28 +04:00
2001-02-27 21:22:39 +03:00
* sam_pp = NULL ;
* uni_name_pp = NULL ;
2002-07-15 14:35:28 +04:00
if ( num_entries = = 0 )
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2004-12-07 21:25:53 +03:00
sam = TALLOC_ZERO_ARRAY ( ctx , SAM_ENTRY , num_entries ) ;
2001-02-27 21:22:39 +03:00
2004-12-07 21:25:53 +03:00
uni_name = TALLOC_ZERO_ARRAY ( ctx , UNISTR2 , num_entries ) ;
2001-02-27 21:22:39 +03:00
if ( sam = = NULL | | uni_name = = NULL ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 0 , ( " make_user_sam_entry_list: talloc_zero failed! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
2001-02-27 21:22:39 +03:00
}
2002-07-15 14:35:28 +04:00
for ( i = 0 ; i < num_entries ; i + + ) {
2005-04-15 17:41:49 +04:00
UNISTR2 uni_temp_name ;
2004-09-17 02:08:26 +04:00
/*
* usrmgr expects a non - NULL terminated string with
* trust relationships
*/
2005-04-15 17:41:49 +04:00
if ( entries [ i ] . acct_flags & ACB_DOMTRUST ) {
init_unistr2 ( & uni_temp_name , entries [ i ] . account_name ,
UNI_FLAGS_NONE ) ;
2004-09-17 02:08:26 +04:00
} else {
2005-04-15 17:41:49 +04:00
init_unistr2 ( & uni_temp_name , entries [ i ] . account_name ,
UNI_STR_TERMINATE ) ;
2004-09-17 02:08:26 +04:00
}
2005-04-15 17:41:49 +04:00
init_sam_entry ( & sam [ i ] , & uni_temp_name , entries [ i ] . rid ) ;
2002-07-15 14:35:28 +04:00
copy_unistr2 ( & uni_name [ i ] , & uni_temp_name ) ;
2001-02-27 21:22:39 +03:00
}
* sam_pp = sam ;
* uni_name_pp = uni_name ;
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
samr_reply_enum_dom_users
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-07-15 14:35:28 +04:00
NTSTATUS _samr_enum_dom_users ( pipes_struct * p , SAMR_Q_ENUM_DOM_USERS * q_u ,
SAMR_R_ENUM_DOM_USERS * r_u )
2001-02-27 21:22:39 +03:00
{
2002-07-15 14:35:28 +04:00
struct samr_info * info = NULL ;
int num_account ;
uint32 enum_context = q_u - > start_idx ;
enum remote_arch_types ra_type = get_remote_arch ( ) ;
int max_sam_entries = ( ra_type = = RA_WIN95 ) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K ;
uint32 max_entries = max_sam_entries ;
2005-04-15 17:41:49 +04:00
struct samr_displayentry * entries = NULL ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
/* find the policy handle. open a policy on it. */
2002-07-15 14:35:28 +04:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( info - > acc_granted ,
2002-11-02 15:53:13 +03:00
SA_RIGHT_DOMAIN_ENUM_ACCOUNTS ,
2002-07-15 14:35:28 +04:00
" _samr_enum_dom_users " ) ) ) {
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_enum_dom_users: %d \n " , __LINE__ ) ) ;
become_root ( ) ;
2005-11-19 02:15:47 +03:00
/* AS ROOT !!!! */
if ( ( info - > disp_info - > enum_users ! = NULL ) & &
( info - > disp_info - > enum_acb_mask ! = q_u - > acb_mask ) ) {
pdb_search_destroy ( info - > disp_info - > enum_users ) ;
info - > disp_info - > enum_users = NULL ;
2005-06-22 18:16:10 +04:00
}
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > enum_users = = NULL ) {
info - > disp_info - > enum_users = pdb_search_users ( q_u - > acb_mask ) ;
info - > disp_info - > enum_acb_mask = q_u - > acb_mask ;
2005-06-22 18:16:10 +04:00
}
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > enum_users = = NULL ) {
/* END AS ROOT !!!! */
unbecome_root ( ) ;
2005-04-15 17:41:49 +04:00
return NT_STATUS_ACCESS_DENIED ;
2005-11-19 02:15:47 +03:00
}
num_account = pdb_search_entries ( info - > disp_info - > enum_users ,
2005-04-15 17:41:49 +04:00
enum_context , max_entries ,
& entries ) ;
2005-11-19 02:15:47 +03:00
/* END AS ROOT !!!! */
2001-02-27 21:22:39 +03:00
unbecome_root ( ) ;
2002-07-15 14:35:28 +04:00
2005-04-15 17:41:49 +04:00
if ( num_account = = 0 ) {
DEBUG ( 5 , ( " _samr_enum_dom_users: enumeration handle over "
" total entries \n " ) ) ;
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
}
2005-04-15 17:41:49 +04:00
r_u - > status = make_user_sam_entry_list ( p - > mem_ctx , & r_u - > sam ,
& r_u - > uni_acct_name ,
num_account , enum_context ,
entries ) ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status ) )
return r_u - > status ;
2005-11-19 02:15:47 +03:00
if ( max_entries < = num_account ) {
2002-07-15 14:35:28 +04:00
r_u - > status = STATUS_MORE_ENTRIES ;
2005-11-19 02:15:47 +03:00
} else {
2005-11-22 23:26:23 +03:00
r_u - > status = NT_STATUS_OK ;
2005-11-19 02:15:47 +03:00
}
2001-02-27 21:22:39 +03:00
2005-11-22 23:26:23 +03:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_enum_dom_users: %d \n " , __LINE__ ) ) ;
2005-04-15 17:41:49 +04:00
init_samr_r_enum_dom_users ( r_u , q_u - > start_idx + num_account ,
num_account ) ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_enum_dom_users: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
/*******************************************************************
makes a SAM_ENTRY / UNISTR2 * structure from a group list .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-04-15 17:41:49 +04:00
static void make_group_sam_entry_list ( TALLOC_CTX * ctx , SAM_ENTRY * * sam_pp ,
UNISTR2 * * uni_name_pp ,
uint32 num_sam_entries ,
struct samr_displayentry * entries )
2001-02-27 21:22:39 +03:00
{
uint32 i ;
SAM_ENTRY * sam ;
UNISTR2 * uni_name ;
* sam_pp = NULL ;
* uni_name_pp = NULL ;
if ( num_sam_entries = = 0 )
return ;
2004-12-07 21:25:53 +03:00
sam = TALLOC_ZERO_ARRAY ( ctx , SAM_ENTRY , num_sam_entries ) ;
uni_name = TALLOC_ZERO_ARRAY ( ctx , UNISTR2 , num_sam_entries ) ;
2001-02-27 21:22:39 +03:00
if ( sam = = NULL | | uni_name = = NULL ) {
DEBUG ( 0 , ( " NULL pointers in SAMR_R_QUERY_DISPINFO \n " ) ) ;
return ;
}
for ( i = 0 ; i < num_sam_entries ; i + + ) {
/*
* JRA . I think this should include the null . TNG does not .
*/
2005-08-26 22:57:32 +04:00
init_unistr2 ( & uni_name [ i ] , entries [ i ] . account_name ,
2005-04-15 17:41:49 +04:00
UNI_STR_TERMINATE ) ;
init_sam_entry ( & sam [ i ] , & uni_name [ i ] , entries [ i ] . rid ) ;
2001-02-27 21:22:39 +03:00
}
* sam_pp = sam ;
* uni_name_pp = uni_name ;
}
/*******************************************************************
samr_reply_enum_dom_groups
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_enum_dom_groups ( pipes_struct * p , SAMR_Q_ENUM_DOM_GROUPS * q_u , SAMR_R_ENUM_DOM_GROUPS * r_u )
2001-02-27 21:22:39 +03:00
{
2005-04-15 17:41:49 +04:00
struct samr_info * info = NULL ;
struct samr_displayentry * groups ;
uint32 num_groups ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-04-15 17:41:49 +04:00
r_u - > status = access_check_samr_function ( info - > acc_granted ,
SA_RIGHT_DOMAIN_ENUM_ACCOUNTS ,
" _samr_enum_dom_groups " ) ;
if ( ! NT_STATUS_IS_OK ( r_u - > status ) )
2002-07-15 14:35:28 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " samr_reply_enum_dom_groups: %d \n " , __LINE__ ) ) ;
2001-05-04 19:44:27 +04:00
/* the domain group array is being allocated in the function below */
2005-04-10 21:12:25 +04:00
2005-04-15 17:41:49 +04:00
become_root ( ) ;
2001-02-27 21:22:39 +03:00
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > groups = = NULL ) {
info - > disp_info - > groups = pdb_search_groups ( ) ;
2005-04-15 17:41:49 +04:00
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > groups = = NULL ) {
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
}
num_groups = pdb_search_entries ( info - > disp_info - > groups , q_u - > start_idx ,
2005-04-15 17:41:49 +04:00
MAX_SAM_ENTRIES , & groups ) ;
unbecome_root ( ) ;
2005-11-19 02:15:47 +03:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-04-10 21:12:25 +04:00
make_group_sam_entry_list ( p - > mem_ctx , & r_u - > sam , & r_u - > uni_grp_name ,
2005-04-15 17:41:49 +04:00
num_groups , groups ) ;
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
init_samr_r_enum_dom_groups ( r_u , q_u - > start_idx , num_groups ) ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " samr_enum_dom_groups: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
/*******************************************************************
samr_reply_enum_dom_aliases
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_enum_dom_aliases ( pipes_struct * p , SAMR_Q_ENUM_DOM_ALIASES * q_u , SAMR_R_ENUM_DOM_ALIASES * r_u )
2001-02-27 21:22:39 +03:00
{
2005-04-15 17:41:49 +04:00
struct samr_info * info ;
struct samr_displayentry * aliases ;
struct pdb_search * * search = NULL ;
uint32 num_aliases = 0 ;
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-04-15 17:41:49 +04:00
r_u - > status = access_check_samr_function ( info - > acc_granted ,
SA_RIGHT_DOMAIN_ENUM_ACCOUNTS ,
" _samr_enum_dom_aliases " ) ;
if ( ! NT_STATUS_IS_OK ( r_u - > status ) )
2002-07-15 14:35:28 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
DEBUG ( 5 , ( " samr_reply_enum_dom_aliases: sid %s \n " ,
sid_string_static ( & info - > sid ) ) ) ;
if ( sid_check_is_domain ( & info - > sid ) )
2005-11-19 02:15:47 +03:00
search = & info - > disp_info - > aliases ;
2005-04-15 17:41:49 +04:00
if ( sid_check_is_builtin ( & info - > sid ) )
2005-11-19 02:15:47 +03:00
search = & info - > disp_info - > builtins ;
2005-04-15 17:41:49 +04:00
2005-05-02 00:05:16 +04:00
if ( search = = NULL )
return NT_STATUS_INVALID_HANDLE ;
2005-04-15 17:41:49 +04:00
become_root ( ) ;
2005-11-19 02:15:47 +03:00
if ( * search = = NULL ) {
* search = pdb_search_aliases ( & info - > sid ) ;
if ( * search = = NULL ) {
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
}
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
num_aliases = pdb_search_entries ( * search , q_u - > start_idx ,
MAX_SAM_ENTRIES , & aliases ) ;
unbecome_root ( ) ;
2005-11-19 02:15:47 +03:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-04-15 17:41:49 +04:00
make_group_sam_entry_list ( p - > mem_ctx , & r_u - > sam , & r_u - > uni_grp_name ,
num_aliases , aliases ) ;
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
init_samr_r_enum_dom_aliases ( r_u , q_u - > start_idx + num_aliases ,
num_aliases ) ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " samr_enum_dom_aliases: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
/*******************************************************************
samr_reply_query_dispinfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-09 01:58:29 +04:00
2002-07-15 14:35:28 +04:00
NTSTATUS _samr_query_dispinfo ( pipes_struct * p , SAMR_Q_QUERY_DISPINFO * q_u ,
SAMR_R_QUERY_DISPINFO * r_u )
2001-02-27 21:22:39 +03:00
{
2001-12-21 16:36:14 +03:00
struct samr_info * info = NULL ;
2001-12-22 01:34:49 +03:00
uint32 struct_size = 0x20 ; /* W2K always reply that, client doesn't care */
2001-12-21 16:36:14 +03:00
uint32 max_entries = q_u - > max_entries ;
uint32 enum_context = q_u - > start_idx ;
uint32 max_size = q_u - > max_size ;
2001-02-27 21:22:39 +03:00
SAM_DISPINFO_CTR * ctr ;
2001-12-21 16:36:14 +03:00
uint32 temp_size = 0 , total_data_size = 0 ;
2005-11-02 03:19:26 +03:00
NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL ;
2002-01-02 10:27:33 +03:00
uint32 num_account = 0 ;
enum remote_arch_types ra_type = get_remote_arch ( ) ;
2002-07-15 14:35:28 +04:00
int max_sam_entries = ( ra_type = = RA_WIN95 ) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K ;
2005-04-15 17:41:49 +04:00
struct samr_displayentry * entries = NULL ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " samr_reply_query_dispinfo: %d \n " , __LINE__ ) ) ;
2005-08-03 05:08:42 +04:00
r_u - > status = NT_STATUS_UNSUCCESSFUL ;
2001-02-27 21:22:39 +03:00
2001-12-21 16:36:14 +03:00
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , & q_u - > domain_pol , ( void * * ) & info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-12-21 16:36:14 +03:00
/*
* calculate how many entries we will return .
* based on
* - the number of entries the client asked
* - our limit on that
* - the starting point ( enumeration context )
* - the buffer size the client will accept
*/
2001-07-09 22:25:40 +04:00
2001-12-21 16:36:14 +03:00
/*
* We are a lot more like W2K . Instead of reading the SAM
* each time to find the records we need to send back ,
* we read it once and link that copy to the sam handle .
* For large user list ( over the MAX_SAM_ENTRIES )
* it ' s a definitive win .
* second point to notice : between enumerations
* our sam is now the same as it ' s a snapshoot .
* third point : got rid of the static SAM_USER_21 struct
* no more intermediate .
* con : it uses much more memory , as a full copy is stored
* in memory .
*
* If you want to change it , think twice and think
* of the second point , that ' s really important .
*
* JFM , 12 / 20 / 2001
*/
2001-02-27 21:22:39 +03:00
2005-04-15 17:41:49 +04:00
if ( ( q_u - > switch_level < 1 ) | | ( q_u - > switch_level > 5 ) ) {
DEBUG ( 0 , ( " _samr_query_dispinfo: Unknown info level (%u) \n " ,
( unsigned int ) q_u - > switch_level ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
2001-02-27 21:22:39 +03:00
}
2001-12-21 16:36:14 +03:00
/* first limit the number of entries we will return */
2002-01-02 10:27:33 +03:00
if ( max_entries > max_sam_entries ) {
2005-04-15 17:41:49 +04:00
DEBUG ( 5 , ( " samr_reply_query_dispinfo: client requested %d "
" entries, limiting to %d \n " , max_entries ,
max_sam_entries ) ) ;
2002-01-02 10:27:33 +03:00
max_entries = max_sam_entries ;
2001-12-21 16:36:14 +03:00
}
2005-04-15 17:41:49 +04:00
/* calculate the size and limit on the number of entries we will
* return */
2001-02-27 21:22:39 +03:00
2002-03-30 00:50:21 +03:00
temp_size = max_entries * struct_size ;
2001-12-21 16:36:14 +03:00
2001-12-22 01:34:49 +03:00
if ( temp_size > max_size ) {
2002-03-30 00:50:21 +03:00
max_entries = MIN ( ( max_size / struct_size ) , max_entries ) ; ;
2005-04-15 17:41:49 +04:00
DEBUG ( 5 , ( " samr_reply_query_dispinfo: buffer size limits to "
" only %d entries \n " , max_entries ) ) ;
2001-12-21 16:36:14 +03:00
}
2001-02-27 21:22:39 +03:00
2004-12-07 21:25:53 +03:00
if ( ! ( ctr = TALLOC_ZERO_P ( p - > mem_ctx , SAM_DISPINFO_CTR ) ) )
2001-06-29 22:41:31 +04:00
return NT_STATUS_NO_MEMORY ;
2001-02-27 21:22:39 +03:00
2001-07-17 06:26:04 +04:00
ZERO_STRUCTP ( ctr ) ;
2005-04-15 17:41:49 +04:00
become_root ( ) ;
2005-11-19 02:15:47 +03:00
/* THe following done as ROOT. Don't return without unbecome_root(). */
2005-04-15 17:41:49 +04:00
switch ( q_u - > switch_level ) {
case 0x1 :
case 0x4 :
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > users = = NULL ) {
info - > disp_info - > users = pdb_search_users ( ACB_NORMAL ) ;
if ( info - > disp_info - > users = = NULL ) {
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
DEBUG ( 10 , ( " samr_reply_query_dispinfo: starting user enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
} else {
DEBUG ( 10 , ( " samr_reply_query_dispinfo: using cached user enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
}
num_account = pdb_search_entries ( info - > disp_info - > users ,
2005-04-15 17:41:49 +04:00
enum_context , max_entries ,
& entries ) ;
break ;
case 0x2 :
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > machines = = NULL ) {
info - > disp_info - > machines =
2005-04-15 17:41:49 +04:00
pdb_search_users ( ACB_WSTRUST | ACB_SVRTRUST ) ;
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > machines = = NULL ) {
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
DEBUG ( 10 , ( " samr_reply_query_dispinfo: starting machine enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
} else {
DEBUG ( 10 , ( " samr_reply_query_dispinfo: using cached machine enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
}
num_account = pdb_search_entries ( info - > disp_info - > machines ,
2005-04-15 17:41:49 +04:00
enum_context , max_entries ,
& entries ) ;
break ;
case 0x3 :
case 0x5 :
2005-11-19 02:15:47 +03:00
if ( info - > disp_info - > groups = = NULL ) {
info - > disp_info - > groups = pdb_search_groups ( ) ;
if ( info - > disp_info - > groups = = NULL ) {
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
DEBUG ( 10 , ( " samr_reply_query_dispinfo: starting group enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
} else {
DEBUG ( 10 , ( " samr_reply_query_dispinfo: using cached group enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
}
num_account = pdb_search_entries ( info - > disp_info - > groups ,
2005-04-15 17:41:49 +04:00
enum_context , max_entries ,
& entries ) ;
break ;
default :
2005-11-19 02:15:47 +03:00
unbecome_root ( ) ;
2005-04-15 17:41:49 +04:00
smb_panic ( " info class changed " ) ;
break ;
}
unbecome_root ( ) ;
2001-02-27 21:22:39 +03:00
/* Now create reply structure */
switch ( q_u - > switch_level ) {
case 0x1 :
2005-04-15 17:41:49 +04:00
disp_ret = init_sam_dispinfo_1 ( p - > mem_ctx , & ctr - > sam . info1 ,
num_account , enum_context ,
entries ) ;
2001-02-27 21:22:39 +03:00
break ;
case 0x2 :
2005-04-15 17:41:49 +04:00
disp_ret = init_sam_dispinfo_2 ( p - > mem_ctx , & ctr - > sam . info2 ,
num_account , enum_context ,
entries ) ;
2001-02-27 21:22:39 +03:00
break ;
case 0x3 :
2005-04-15 17:41:49 +04:00
disp_ret = init_sam_dispinfo_3 ( p - > mem_ctx , & ctr - > sam . info3 ,
num_account , enum_context ,
entries ) ;
2001-02-27 21:22:39 +03:00
break ;
case 0x4 :
2005-04-15 17:41:49 +04:00
disp_ret = init_sam_dispinfo_4 ( p - > mem_ctx , & ctr - > sam . info4 ,
num_account , enum_context ,
entries ) ;
2001-02-27 21:22:39 +03:00
break ;
case 0x5 :
2005-04-15 17:41:49 +04:00
disp_ret = init_sam_dispinfo_5 ( p - > mem_ctx , & ctr - > sam . info5 ,
num_account , enum_context ,
entries ) ;
2001-02-27 21:22:39 +03:00
break ;
default :
2005-04-15 17:41:49 +04:00
smb_panic ( " info class changed " ) ;
break ;
2001-02-27 21:22:39 +03:00
}
2005-04-15 17:41:49 +04:00
if ( ! NT_STATUS_IS_OK ( disp_ret ) )
return disp_ret ;
2001-12-21 16:36:14 +03:00
/* calculate the total size */
2002-01-02 10:27:33 +03:00
total_data_size = num_account * struct_size ;
2001-02-27 21:22:39 +03:00
2005-11-19 02:15:47 +03:00
if ( num_account ) {
2001-12-21 16:36:14 +03:00
r_u - > status = STATUS_MORE_ENTRIES ;
2005-11-19 02:15:47 +03:00
} else {
2005-08-03 05:08:42 +04:00
r_u - > status = NT_STATUS_OK ;
2005-11-19 02:15:47 +03:00
}
2001-07-06 02:36:25 +04:00
2005-11-22 23:26:23 +03:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2001-12-21 16:36:14 +03:00
DEBUG ( 5 , ( " _samr_query_dispinfo: %d \n " , __LINE__ ) ) ;
2005-04-15 17:41:49 +04:00
init_samr_r_query_dispinfo ( r_u , num_account , total_data_size ,
temp_size , q_u - > switch_level , ctr ,
r_u - > status ) ;
2001-02-27 21:22:39 +03:00
return r_u - > status ;
2001-12-21 16:36:14 +03:00
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
samr_reply_query_aliasinfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_aliasinfo ( pipes_struct * p , SAMR_Q_QUERY_ALIASINFO * q_u , SAMR_R_QUERY_ALIASINFO * r_u )
2001-02-27 21:22:39 +03:00
{
2002-07-15 14:35:28 +04:00
DOM_SID sid ;
2004-04-07 16:43:44 +04:00
struct acct_info info ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2003-12-10 19:40:17 +03:00
BOOL ret ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_query_aliasinfo: %d \n " , __LINE__ ) ) ;
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & sid , & acc_granted , NULL ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_ALIAS_LOOKUP_INFO , " _samr_query_aliasinfo " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
2003-12-10 19:40:17 +03:00
become_root ( ) ;
2004-04-07 16:43:44 +04:00
ret = pdb_get_aliasinfo ( & sid , & info ) ;
2003-12-10 19:40:17 +03:00
unbecome_root ( ) ;
if ( ! ret )
2001-03-11 03:32:10 +03:00
return NT_STATUS_NO_SUCH_ALIAS ;
2001-02-27 21:22:39 +03:00
2005-05-03 18:01:39 +04:00
if ( ! ( r_u - > ctr = TALLOC_ZERO_P ( p - > mem_ctx , ALIAS_INFO_CTR ) ) )
return NT_STATUS_NO_MEMORY ;
switch ( q_u - > level ) {
2001-12-19 03:15:29 +03:00
case 1 :
2005-05-03 18:01:39 +04:00
r_u - > ctr - > level = 1 ;
init_samr_alias_info1 ( & r_u - > ctr - > alias . info1 , info . acct_name , 1 , info . acct_desc ) ;
2001-12-19 03:15:29 +03:00
break ;
2001-02-27 21:22:39 +03:00
case 3 :
2005-05-03 18:01:39 +04:00
r_u - > ctr - > level = 3 ;
init_samr_alias_info3 ( & r_u - > ctr - > alias . info3 , info . acct_desc ) ;
2001-02-27 21:22:39 +03:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
DEBUG ( 5 , ( " _samr_query_aliasinfo: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
#if 0
/*******************************************************************
samr_reply_lookup_ids
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
uint32 _samr_lookup_ids ( pipes_struct * p , SAMR_Q_LOOKUP_IDS * q_u , SAMR_R_LOOKUP_IDS * r_u )
{
uint32 rid [ MAX_SAM_ENTRIES ] ;
int num_rids = q_u - > num_sids1 ;
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_lookup_ids: %d \n " , __LINE__ ) ) ;
if ( num_rids > MAX_SAM_ENTRIES ) {
num_rids = MAX_SAM_ENTRIES ;
DEBUG ( 5 , ( " _samr_lookup_ids: truncating entries to %d \n " , num_rids ) ) ;
}
#if 0
int i ;
SMB_ASSERT_ARRAY ( q_u - > uni_user_name , num_rids ) ;
for ( i = 0 ; i < num_rids & & status = = 0 ; i + + )
{
struct sam_passwd * sam_pass ;
fstring user_name ;
fstrcpy ( user_name , unistrn2 ( q_u - > uni_user_name [ i ] . buffer ,
q_u - > uni_user_name [ i ] . uni_str_len ) ) ;
/* find the user account */
become_root ( ) ;
sam_pass = get_smb21pwd_entry ( user_name , 0 ) ;
unbecome_root ( ) ;
if ( sam_pass = = NULL )
{
status = 0xC0000000 | NT_STATUS_NO_SUCH_USER ;
rid [ i ] = 0 ;
}
else
{
rid [ i ] = sam_pass - > user_rid ;
}
}
# endif
num_rids = 1 ;
rid [ 0 ] = BUILTIN_ALIAS_RID_USERS ;
2001-08-27 23:46:22 +04:00
init_samr_r_lookup_ids ( & r_u , num_rids , rid , NT_STATUS_OK ) ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_lookup_ids: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
# endif
/*******************************************************************
_samr_lookup_names
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_lookup_names ( pipes_struct * p , SAMR_Q_LOOKUP_NAMES * q_u , SAMR_R_LOOKUP_NAMES * r_u )
2001-02-27 21:22:39 +03:00
{
2001-12-02 03:06:10 +03:00
uint32 rid [ MAX_SAM_ENTRIES ] ;
uint32 local_rid ;
enum SID_NAME_USE type [ MAX_SAM_ENTRIES ] ;
enum SID_NAME_USE local_type ;
int i ;
int num_rids = q_u - > num_names2 ;
DOM_SID pol_sid ;
fstring sid_str ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
DEBUG ( 5 , ( " _samr_lookup_names: %d \n " , __LINE__ ) ) ;
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
ZERO_ARRAY ( rid ) ;
ZERO_ARRAY ( type ) ;
2001-02-27 21:22:39 +03:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & pol_sid , & acc_granted , NULL ) ) {
2001-12-02 03:06:10 +03:00
init_samr_r_lookup_names ( p - > mem_ctx , r_u , 0 , NULL , NULL , NT_STATUS_OBJECT_TYPE_MISMATCH ) ;
return r_u - > status ;
}
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , 0 , " _samr_lookup_names " ) ) ) { /* Don't know the acc_bits yet */
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
if ( num_rids > MAX_SAM_ENTRIES ) {
num_rids = MAX_SAM_ENTRIES ;
DEBUG ( 5 , ( " _samr_lookup_names: truncating entries to %d \n " , num_rids ) ) ;
}
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
DEBUG ( 5 , ( " _samr_lookup_names: looking name on SID %s \n " , sid_to_string ( sid_str , & pol_sid ) ) ) ;
2002-01-26 13:03:25 +03:00
2001-12-02 03:06:10 +03:00
for ( i = 0 ; i < num_rids ; i + + ) {
fstring name ;
DOM_SID sid ;
2003-04-23 18:07:33 +04:00
int ret ;
2001-12-02 03:06:10 +03:00
r_u - > status = NT_STATUS_NONE_MAPPED ;
rid [ i ] = 0xffffffff ;
type [ i ] = SID_NAME_UNKNOWN ;
2003-04-23 18:07:33 +04:00
ret = rpcstr_pull ( name , q_u - > uni_name [ i ] . buffer , sizeof ( name ) , q_u - > uni_name [ i ] . uni_str_len * 2 , 0 ) ;
2001-12-02 03:06:10 +03:00
/*
* we are only looking for a name
* the SID we get back can be outside
* the scope of the pol_sid
*
* in clear : it prevents to reply to domain \ group : yes
* when only builtin \ group exists .
*
* a cleaner code is to add the sid of the domain we ' re looking in
* to the local_lookup_name function .
*/
2003-04-23 18:07:33 +04:00
if ( ( ret > 0 ) & & local_lookup_name ( name , & sid , & local_type ) ) {
2001-12-02 03:06:10 +03:00
sid_split_rid ( & sid , & local_rid ) ;
if ( sid_equal ( & sid , & pol_sid ) ) {
rid [ i ] = local_rid ;
2004-02-17 13:11:53 +03:00
/* Windows does not return WKN_GRP here, even
* on lookups in builtin */
type [ i ] = ( local_type = = SID_NAME_WKN_GRP ) ?
SID_NAME_ALIAS : local_type ;
2001-12-02 03:06:10 +03:00
r_u - > status = NT_STATUS_OK ;
}
}
}
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
init_samr_r_lookup_names ( p - > mem_ctx , r_u , num_rids , rid , ( uint32 * ) type , r_u - > status ) ;
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
DEBUG ( 5 , ( " _samr_lookup_names: %d \n " , __LINE__ ) ) ;
2001-02-27 21:22:39 +03:00
2001-12-02 03:06:10 +03:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
_samr_chgpasswd_user
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_chgpasswd_user ( pipes_struct * p , SAMR_Q_CHGPASSWD_USER * q_u , SAMR_R_CHGPASSWD_USER * r_u )
2001-02-27 21:22:39 +03:00
{
2003-07-31 05:33:44 +04:00
fstring user_name ;
fstring wks ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
DEBUG ( 5 , ( " _samr_chgpasswd_user: %d \n " , __LINE__ ) ) ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
rpcstr_pull ( user_name , q_u - > uni_user_name . buffer , sizeof ( user_name ) , q_u - > uni_user_name . uni_str_len * 2 , 0 ) ;
rpcstr_pull ( wks , q_u - > uni_dest_host . buffer , sizeof ( wks ) , q_u - > uni_dest_host . uni_str_len * 2 , 0 ) ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
DEBUG ( 5 , ( " samr_chgpasswd_user: user: %s wks: %s \n " , user_name , wks ) ) ;
2001-02-27 21:22:39 +03:00
2001-04-16 02:29:36 +04:00
/*
* Pass the user through the NT - > unix user mapping
* function .
*/
( void ) map_username ( user_name ) ;
/*
2002-01-17 11:45:58 +03:00
* UNIX username case mangling not required , pass_oem_change
* is case insensitive .
2001-04-16 02:29:36 +04:00
*/
2003-07-31 05:33:44 +04:00
r_u - > status = pass_oem_change ( user_name , q_u - > lm_newpass . pass , q_u - > lm_oldhash . hash ,
q_u - > nt_newpass . pass , q_u - > nt_oldhash . hash ) ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
init_samr_r_chgpasswd_user ( r_u , r_u - > status ) ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
DEBUG ( 5 , ( " _samr_chgpasswd_user: %d \n " , __LINE__ ) ) ;
2001-02-27 21:22:39 +03:00
2003-07-31 05:33:44 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
makes a SAMR_R_LOOKUP_RIDS structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-03-22 23:50:29 +03:00
static BOOL make_samr_lookup_rids ( TALLOC_CTX * ctx , uint32 num_names ,
const char * * names , UNIHDR * * pp_hdr_name ,
UNISTR2 * * pp_uni_name )
2001-02-27 21:22:39 +03:00
{
uint32 i ;
2001-03-23 03:50:31 +03:00
UNIHDR * hdr_name = NULL ;
UNISTR2 * uni_name = NULL ;
2001-02-27 21:22:39 +03:00
* pp_uni_name = NULL ;
* pp_hdr_name = NULL ;
if ( num_names ! = 0 ) {
2004-12-07 21:25:53 +03:00
hdr_name = TALLOC_ZERO_ARRAY ( ctx , UNIHDR , num_names ) ;
2001-02-27 21:22:39 +03:00
if ( hdr_name = = NULL )
return False ;
2004-12-07 21:25:53 +03:00
uni_name = TALLOC_ZERO_ARRAY ( ctx , UNISTR2 , num_names ) ;
2001-02-27 21:22:39 +03:00
if ( uni_name = = NULL )
return False ;
}
for ( i = 0 ; i < num_names ; i + + ) {
2005-08-05 08:48:02 +04:00
DEBUG ( 10 , ( " names[%d]:%s \n " , i , names [ i ] & & * names [ i ] ? names [ i ] : " " ) ) ;
2003-09-26 01:26:16 +04:00
init_unistr2 ( & uni_name [ i ] , names [ i ] , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & hdr_name [ i ] , & uni_name [ i ] ) ;
2001-02-27 21:22:39 +03:00
}
* pp_uni_name = uni_name ;
* pp_hdr_name = hdr_name ;
return True ;
}
/*******************************************************************
_samr_lookup_rids
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_lookup_rids ( pipes_struct * p , SAMR_Q_LOOKUP_RIDS * q_u , SAMR_R_LOOKUP_RIDS * r_u )
2001-02-27 21:22:39 +03:00
{
2005-03-22 23:50:29 +03:00
const char * * names ;
uint32 * attrs = NULL ;
2001-02-27 21:22:39 +03:00
UNIHDR * hdr_name = NULL ;
UNISTR2 * uni_name = NULL ;
DOM_SID pol_sid ;
int num_rids = q_u - > num_rids1 ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-02-20 17:26:58 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_lookup_rids: %d \n " , __LINE__ ) ) ;
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & pol_sid , & acc_granted , NULL ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-02-20 18:15:33 +03:00
if ( num_rids > 1000 ) {
DEBUG ( 0 , ( " Got asked for %d rids (more than 1000) -- according "
" to samba4 idl this is not possible \n " , num_rids ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
2001-02-27 21:22:39 +03:00
}
2005-03-22 23:50:29 +03:00
names = TALLOC_ZERO_ARRAY ( p - > mem_ctx , const char * , num_rids ) ;
attrs = TALLOC_ZERO_ARRAY ( p - > mem_ctx , uint32 , num_rids ) ;
if ( ( num_rids ! = 0 ) & & ( ( names = = NULL ) | | ( attrs = = NULL ) ) )
return NT_STATUS_NO_MEMORY ;
2002-01-26 13:03:25 +03:00
become_root ( ) ; /* lookup_sid can require root privs */
2005-11-27 01:04:28 +03:00
r_u - > status = pdb_lookup_rids ( & pol_sid , num_rids , q_u - > rid ,
names , attrs ) ;
2002-01-26 13:03:25 +03:00
unbecome_root ( ) ;
2005-03-22 23:50:29 +03:00
if ( ! make_samr_lookup_rids ( p - > mem_ctx , num_rids , names ,
& hdr_name , & uni_name ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_NO_MEMORY ;
2005-03-22 23:50:29 +03:00
init_samr_r_lookup_rids ( r_u , num_rids , hdr_name , uni_name , attrs ) ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_lookup_rids: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
/*******************************************************************
2003-08-28 00:50:24 +04:00
_samr_open_user . Safe - gives out no passwd info .
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-08-28 00:50:24 +04:00
NTSTATUS _samr_open_user ( pipes_struct * p , SAMR_Q_OPEN_USER * q_u , SAMR_R_OPEN_USER * r_u )
2001-02-27 21:22:39 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sampass = NULL ;
DOM_SID sid ;
POLICY_HND domain_pol = q_u - > domain_pol ;
POLICY_HND * user_pol = & r_u - > user_pol ;
2001-03-11 03:32:10 +03:00
struct samr_info * info = NULL ;
2002-07-15 14:35:28 +04:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
uint32 des_access = q_u - > access_mask ;
size_t sd_size ;
2001-05-04 19:44:27 +04:00
BOOL ret ;
2002-07-15 14:35:28 +04:00
NTSTATUS nt_status ;
2005-01-26 23:36:44 +03:00
SE_PRIV se_rights ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* find the domain policy handle and get domain SID / access bits in the domain policy. */
2005-01-26 23:36:44 +03:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & domain_pol , & sid , & acc_granted , NULL ) )
2001-05-04 19:44:27 +04:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
nt_status = access_check_samr_function ( acc_granted ,
SA_RIGHT_DOMAIN_OPEN_ACCOUNT , " _samr_open_user " ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-07-15 14:35:28 +04:00
return nt_status ;
nt_status = pdb_init_sam_talloc ( p - > mem_ctx , & sampass ) ;
2005-01-26 23:36:44 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-07-15 14:35:28 +04:00
return nt_status ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* append the user's RID to it */
2005-01-26 23:36:44 +03:00
2002-07-15 14:35:28 +04:00
if ( ! sid_append_rid ( & sid , q_u - > user_rid ) )
return NT_STATUS_NO_SUCH_USER ;
/* check if access can be granted as requested by client. */
2005-01-26 23:36:44 +03:00
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & usr_generic_mapping , & sid , SAMR_USR_RIGHTS_WRITE_PW ) ;
2002-07-15 14:35:28 +04:00
se_map_generic ( & des_access , & usr_generic_mapping ) ;
2005-01-26 23:36:44 +03:00
se_priv_copy ( & se_rights , & se_machine_account ) ;
se_priv_add ( & se_rights , & se_add_users ) ;
nt_status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
& se_rights , GENERIC_RIGHTS_USER_WRITE , des_access ,
& acc_granted , " _samr_open_user " ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-07-15 14:35:28 +04:00
return nt_status ;
2001-05-08 20:33:18 +04:00
2001-05-04 19:44:27 +04:00
become_root ( ) ;
2002-07-15 14:35:28 +04:00
ret = pdb_getsampwsid ( sampass , & sid ) ;
2001-05-04 19:44:27 +04:00
unbecome_root ( ) ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* check that the SID exists in our domain. */
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
return NT_STATUS_NO_SUCH_USER ;
}
2001-02-27 21:22:39 +03:00
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sampass ) ;
2001-03-13 03:32:43 +03:00
2002-07-15 14:35:28 +04:00
/* associate the user's SID and access bits with the new handle. */
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( & sid ) ) = = NULL )
2001-05-04 19:44:27 +04:00
return NT_STATUS_NO_MEMORY ;
2002-07-15 14:35:28 +04:00
info - > acc_granted = acc_granted ;
2001-03-11 03:32:10 +03:00
2001-05-04 19:44:27 +04:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , user_pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
2005-01-22 14:26:13 +03:00
/*************************************************************************
get_user_info_7 . Safe . Only gives out account_name .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_7 ( TALLOC_CTX * mem_ctx , SAM_USER_INFO_7 * id7 , DOM_SID * user_sid )
{
SAM_ACCOUNT * smbpass = NULL ;
BOOL ret ;
NTSTATUS nt_status ;
nt_status = pdb_init_sam_talloc ( mem_ctx , & smbpass ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
become_root ( ) ;
ret = pdb_getsampwsid ( smbpass , user_sid ) ;
unbecome_root ( ) ;
if ( ret = = False ) {
DEBUG ( 4 , ( " User %s not found \n " , sid_string_static ( user_sid ) ) ) ;
return NT_STATUS_NO_SUCH_USER ;
}
DEBUG ( 3 , ( " User:[%s] \n " , pdb_get_username ( smbpass ) ) ) ;
ZERO_STRUCTP ( id7 ) ;
init_sam_user_info7 ( id7 , pdb_get_username ( smbpass ) ) ;
pdb_free_sam ( & smbpass ) ;
return NT_STATUS_OK ;
}
2001-02-27 21:22:39 +03:00
/*************************************************************************
2005-07-19 04:59:25 +04:00
get_user_info_16 . Safe . Only gives out acb bits .
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-07-19 04:59:25 +04:00
static NTSTATUS get_user_info_16 ( TALLOC_CTX * mem_ctx , SAM_USER_INFO_16 * id16 , DOM_SID * user_sid )
2001-02-27 21:22:39 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * smbpass = NULL ;
BOOL ret ;
2002-07-15 14:35:28 +04:00
NTSTATUS nt_status ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
nt_status = pdb_init_sam_talloc ( mem_ctx , & smbpass ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
become_root ( ) ;
2002-07-15 14:35:28 +04:00
ret = pdb_getsampwsid ( smbpass , user_sid ) ;
2001-05-04 19:44:27 +04:00
unbecome_root ( ) ;
if ( ret = = False ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_static ( user_sid ) ) ) ;
return NT_STATUS_NO_SUCH_USER ;
2001-05-04 19:44:27 +04:00
}
DEBUG ( 3 , ( " User:[%s] \n " , pdb_get_username ( smbpass ) ) ) ;
2001-02-27 21:22:39 +03:00
2005-07-19 04:59:25 +04:00
ZERO_STRUCTP ( id16 ) ;
init_sam_user_info16 ( id16 , pdb_get_acct_ctrl ( smbpass ) ) ;
2001-02-27 21:22:39 +03:00
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & smbpass ) ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*************************************************************************
2005-07-19 04:59:25 +04:00
get_user_info_18 . OK - this is the killer as it gives out password info .
2001-03-13 03:32:43 +03:00
Ensure that this is only allowed on an encrypted connection with a root
user . JRA .
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-07-19 04:59:25 +04:00
static NTSTATUS get_user_info_18 ( pipes_struct * p , TALLOC_CTX * mem_ctx , SAM_USER_INFO_18 * id18 , DOM_SID * user_sid )
2001-02-27 21:22:39 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * smbpass = NULL ;
BOOL ret ;
2002-07-15 14:35:28 +04:00
NTSTATUS nt_status ;
2001-02-27 21:22:39 +03:00
2005-09-30 21:13:37 +04:00
if ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_NTLMSSP | | p - > auth . auth_type ! = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP ) {
2001-03-13 03:32:43 +03:00
return NT_STATUS_ACCESS_DENIED ;
2005-09-30 21:13:37 +04:00
}
2001-03-13 03:32:43 +03:00
2005-09-30 21:13:37 +04:00
if ( p - > auth . auth_level ! = PIPE_AUTH_LEVEL_PRIVACY ) {
2001-03-13 03:32:43 +03:00
return NT_STATUS_ACCESS_DENIED ;
2005-09-30 21:13:37 +04:00
}
2001-03-13 03:32:43 +03:00
/*
* Do * NOT * do become_root ( ) / unbecome_root ( ) here ! JRA .
*/
2002-07-15 14:35:28 +04:00
nt_status = pdb_init_sam_talloc ( mem_ctx , & smbpass ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
ret = pdb_getsampwsid ( smbpass , user_sid ) ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_static ( user_sid ) ) ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & smbpass ) ;
2001-03-13 03:32:43 +03:00
return ( geteuid ( ) = = ( uid_t ) 0 ) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
}
2001-05-04 19:44:27 +04:00
DEBUG ( 3 , ( " User:[%s] 0x%x \n " , pdb_get_username ( smbpass ) , pdb_get_acct_ctrl ( smbpass ) ) ) ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
if ( pdb_get_acct_ctrl ( smbpass ) & ACB_DISABLED ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & smbpass ) ;
2001-05-04 19:44:27 +04:00
return NT_STATUS_ACCOUNT_DISABLED ;
}
2001-02-27 21:22:39 +03:00
2005-07-19 04:59:25 +04:00
ZERO_STRUCTP ( id18 ) ;
init_sam_user_info18 ( id18 , pdb_get_lanman_passwd ( smbpass ) , pdb_get_nt_passwd ( smbpass ) ) ;
2001-05-04 19:44:27 +04:00
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & smbpass ) ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
2001-07-09 22:25:40 +04:00
/*************************************************************************
get_user_info_20
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-07-15 14:35:28 +04:00
static NTSTATUS get_user_info_20 ( TALLOC_CTX * mem_ctx , SAM_USER_INFO_20 * id20 , DOM_SID * user_sid )
2001-07-09 22:25:40 +04:00
{
SAM_ACCOUNT * sampass = NULL ;
BOOL ret ;
2002-07-15 14:35:28 +04:00
pdb_init_sam_talloc ( mem_ctx , & sampass ) ;
2001-07-09 22:25:40 +04:00
become_root ( ) ;
2002-07-15 14:35:28 +04:00
ret = pdb_getsampwsid ( sampass , user_sid ) ;
2001-07-09 22:25:40 +04:00
unbecome_root ( ) ;
if ( ret = = False ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_static ( user_sid ) ) ) ;
return NT_STATUS_NO_SUCH_USER ;
2001-07-09 22:25:40 +04:00
}
samr_clear_sam_passwd ( sampass ) ;
DEBUG ( 3 , ( " User:[%s] \n " , pdb_get_username ( sampass ) ) ) ;
ZERO_STRUCTP ( id20 ) ;
init_sam_user_info20A ( id20 , sampass ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sampass ) ;
2001-07-09 22:25:40 +04:00
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
2001-07-09 22:25:40 +04:00
}
2001-02-27 21:22:39 +03:00
/*************************************************************************
get_user_info_21
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-07-15 14:35:28 +04:00
static NTSTATUS get_user_info_21 ( TALLOC_CTX * mem_ctx , SAM_USER_INFO_21 * id21 ,
DOM_SID * user_sid , DOM_SID * domain_sid )
2001-02-27 21:22:39 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sampass = NULL ;
BOOL ret ;
2002-07-15 14:35:28 +04:00
NTSTATUS nt_status ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
nt_status = pdb_init_sam_talloc ( mem_ctx , & sampass ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2001-05-08 20:33:18 +04:00
2001-05-04 19:44:27 +04:00
become_root ( ) ;
2002-07-15 14:35:28 +04:00
ret = pdb_getsampwsid ( sampass , user_sid ) ;
2001-05-04 19:44:27 +04:00
unbecome_root ( ) ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
2002-07-15 14:35:28 +04:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_static ( user_sid ) ) ) ;
return NT_STATUS_NO_SUCH_USER ;
2001-05-04 19:44:27 +04:00
}
2001-02-27 21:22:39 +03:00
2001-03-13 03:32:43 +03:00
samr_clear_sam_passwd ( sampass ) ;
2001-05-04 19:44:27 +04:00
DEBUG ( 3 , ( " User:[%s] \n " , pdb_get_username ( sampass ) ) ) ;
2001-03-11 03:32:10 +03:00
2001-07-09 22:25:40 +04:00
ZERO_STRUCTP ( id21 ) ;
2002-07-15 14:35:28 +04:00
nt_status = init_sam_user_info21A ( id21 , sampass , domain_sid ) ;
2001-05-04 19:44:27 +04:00
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sampass ) ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
_samr_query_userinfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_userinfo ( pipes_struct * p , SAMR_Q_QUERY_USERINFO * q_u , SAMR_R_QUERY_USERINFO * r_u )
2001-02-27 21:22:39 +03:00
{
SAM_USERINFO_CTR * ctr ;
2001-03-11 03:32:10 +03:00
struct samr_info * info = NULL ;
2002-07-15 14:35:28 +04:00
DOM_SID domain_sid ;
uint32 rid ;
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
/* search for the handle */
2001-03-11 03:32:10 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
domain_sid = info - > sid ;
sid_split_rid ( & domain_sid , & rid ) ;
2001-12-05 00:53:47 +03:00
if ( ! sid_check_is_in_our_domain ( & info - > sid ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_query_userinfo: sid:%s \n " , sid_string_static ( & info - > sid ) ) ) ;
2001-02-27 21:22:39 +03:00
2004-12-07 21:25:53 +03:00
ctr = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USERINFO_CTR ) ;
2001-02-27 21:22:39 +03:00
if ( ! ctr )
return NT_STATUS_NO_MEMORY ;
ZERO_STRUCTP ( ctr ) ;
/* ok! user info levels (lots: see MSDEV help), off we go... */
ctr - > switch_value = q_u - > switch_value ;
switch ( q_u - > switch_value ) {
2005-07-19 04:59:25 +04:00
case 7 :
2005-01-22 14:26:13 +03:00
ctr - > info . id7 = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USER_INFO_7 ) ;
if ( ctr - > info . id7 = = NULL )
return NT_STATUS_NO_MEMORY ;
if ( ! NT_STATUS_IS_OK ( r_u - > status = get_user_info_7 ( p - > mem_ctx , ctr - > info . id7 , & info - > sid ) ) )
return r_u - > status ;
break ;
2005-07-19 04:59:25 +04:00
case 16 :
ctr - > info . id16 = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USER_INFO_16 ) ;
if ( ctr - > info . id16 = = NULL )
2001-02-27 21:22:39 +03:00
return NT_STATUS_NO_MEMORY ;
2005-07-19 04:59:25 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = get_user_info_16 ( p - > mem_ctx , ctr - > info . id16 , & info - > sid ) ) )
2002-07-15 14:35:28 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
break ;
#if 0
/* whoops - got this wrong. i think. or don't understand what's happening. */
2005-07-19 04:59:25 +04:00
case 17 :
2001-02-27 21:22:39 +03:00
{
NTTIME expire ;
info = ( void * ) & id11 ;
expire . low = 0xffffffff ;
expire . high = 0x7fffffff ;
2005-07-19 04:59:25 +04:00
ctr - > info . id = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USER_INFO_17 ) ) ;
ZERO_STRUCTP ( ctr - > info . id17 ) ;
init_sam_user_info17 ( ctr - > info . id17 , & expire ,
2001-02-27 21:22:39 +03:00
" BROOKFIELDS$ " , /* name */
0x03ef , /* user rid */
0x201 , /* group rid */
0x0080 ) ; /* acb info */
break ;
}
# endif
2005-07-19 04:59:25 +04:00
case 18 :
ctr - > info . id18 = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USER_INFO_18 ) ;
if ( ctr - > info . id18 = = NULL )
2001-02-27 21:22:39 +03:00
return NT_STATUS_NO_MEMORY ;
2005-07-19 04:59:25 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = get_user_info_18 ( p , p - > mem_ctx , ctr - > info . id18 , & info - > sid ) ) )
2001-03-13 03:32:43 +03:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
break ;
2002-07-15 14:35:28 +04:00
2001-07-09 22:25:40 +04:00
case 20 :
2004-12-07 21:25:53 +03:00
ctr - > info . id20 = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USER_INFO_20 ) ;
2001-07-09 22:25:40 +04:00
if ( ctr - > info . id20 = = NULL )
return NT_STATUS_NO_MEMORY ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = get_user_info_20 ( p - > mem_ctx , ctr - > info . id20 , & info - > sid ) ) )
return r_u - > status ;
2001-07-09 22:25:40 +04:00
break ;
2001-02-27 21:22:39 +03:00
case 21 :
2004-12-07 21:25:53 +03:00
ctr - > info . id21 = TALLOC_ZERO_P ( p - > mem_ctx , SAM_USER_INFO_21 ) ;
2001-02-27 21:22:39 +03:00
if ( ctr - > info . id21 = = NULL )
return NT_STATUS_NO_MEMORY ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = get_user_info_21 ( p - > mem_ctx , ctr - > info . id21 ,
& info - > sid , & domain_sid ) ) )
return r_u - > status ;
2001-02-27 21:22:39 +03:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
init_samr_r_query_userinfo ( r_u , ctr , r_u - > status ) ;
DEBUG ( 5 , ( " _samr_query_userinfo: %d \n " , __LINE__ ) ) ;
2002-07-15 14:35:28 +04:00
2001-02-27 21:22:39 +03:00
return r_u - > status ;
}
/*******************************************************************
samr_reply_query_usergroups
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_usergroups ( pipes_struct * p , SAMR_Q_QUERY_USERGROUPS * q_u , SAMR_R_QUERY_USERGROUPS * r_u )
2001-02-27 21:22:39 +03:00
{
2001-08-09 19:53:49 +04:00
SAM_ACCOUNT * sam_pass = NULL ;
2004-11-12 18:49:47 +03:00
struct passwd * passwd ;
2002-07-15 14:35:28 +04:00
DOM_SID sid ;
2004-11-12 18:49:47 +03:00
DOM_SID * sids ;
2001-05-04 19:44:27 +04:00
DOM_GID * gids = NULL ;
2005-10-18 07:24:00 +04:00
size_t num_groups = 0 ;
2004-11-12 18:49:47 +03:00
gid_t * unix_gids ;
2005-10-18 07:24:00 +04:00
size_t i , num_gids ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2001-05-04 19:44:27 +04:00
BOOL ret ;
2004-11-12 18:49:47 +03:00
NTSTATUS result ;
2001-02-27 21:22:39 +03:00
2001-12-02 04:45:50 +03:00
/*
* from the SID in the request :
* we should send back the list of DOMAIN GROUPS
* the user is a member of
*
* and only the DOMAIN GROUPS
* no ALIASES ! ! ! neither aliases of the domain
* nor aliases of the builtin SID
*
* JFM , 12 / 2 / 2001
*/
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
DEBUG ( 5 , ( " _samr_query_usergroups: %d \n " , __LINE__ ) ) ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & sid , & acc_granted , NULL ) )
2001-05-04 19:44:27 +04:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_USER_GET_GROUPS , " _samr_query_usergroups " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
if ( ! sid_check_is_in_our_domain ( & sid ) )
2001-05-04 19:44:27 +04:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
pdb_init_sam ( & sam_pass ) ;
2002-07-15 14:35:28 +04:00
2001-05-04 19:44:27 +04:00
become_root ( ) ;
2002-07-15 14:35:28 +04:00
ret = pdb_getsampwsid ( sam_pass , & sid ) ;
2001-05-04 19:44:27 +04:00
unbecome_root ( ) ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
2001-12-06 16:09:15 +03:00
pdb_free_sam ( & sam_pass ) ;
2001-05-04 19:44:27 +04:00
return NT_STATUS_NO_SUCH_USER ;
}
2004-11-12 18:49:47 +03:00
passwd = getpwnam_alloc ( pdb_get_username ( sam_pass ) ) ;
if ( passwd = = NULL ) {
2001-12-06 16:09:15 +03:00
pdb_free_sam ( & sam_pass ) ;
2004-11-12 18:49:47 +03:00
return NT_STATUS_NO_SUCH_USER ;
}
sids = NULL ;
become_root ( ) ;
result = pdb_enum_group_memberships ( pdb_get_username ( sam_pass ) ,
passwd - > pw_gid ,
& sids , & unix_gids , & num_groups ) ;
unbecome_root ( ) ;
pdb_free_sam ( & sam_pass ) ;
passwd_free ( & passwd ) ;
if ( ! NT_STATUS_IS_OK ( result ) )
return result ;
SAFE_FREE ( unix_gids ) ;
gids = NULL ;
num_gids = 0 ;
for ( i = 0 ; i < num_groups ; i + + ) {
uint32 rid ;
if ( ! sid_peek_check_rid ( get_global_sam_sid ( ) ,
& ( sids [ i ] ) , & rid ) )
continue ;
2004-12-07 21:25:53 +03:00
gids = TALLOC_REALLOC_ARRAY ( p - > mem_ctx , gids , DOM_GID , num_gids + 1 ) ;
2005-11-22 17:29:14 +03:00
gids [ num_gids ] . attr = ( SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED ) ;
2004-11-12 18:49:47 +03:00
gids [ num_gids ] . g_rid = rid ;
num_gids + = 1 ;
2001-12-05 00:53:47 +03:00
}
2004-11-12 18:49:47 +03:00
SAFE_FREE ( sids ) ;
2002-07-15 14:35:28 +04:00
2001-05-04 19:44:27 +04:00
/* construct the response. lkclXXXX: gids are not copied! */
init_samr_r_query_usergroups ( r_u , num_groups , gids , r_u - > status ) ;
2002-07-15 14:35:28 +04:00
2001-05-04 19:44:27 +04:00
DEBUG ( 5 , ( " _samr_query_usergroups: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
_samr_query_dom_info
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_dom_info ( pipes_struct * p , SAMR_Q_QUERY_DOMAIN_INFO * q_u , SAMR_R_QUERY_DOMAIN_INFO * r_u )
2001-02-27 21:22:39 +03:00
{
2001-12-22 01:34:49 +03:00
struct samr_info * info = NULL ;
2001-12-03 20:14:23 +03:00
SAM_UNK_CTR * ctr ;
uint32 min_pass_len , pass_hist , flag ;
time_t u_expire , u_min_age ;
NTTIME nt_expire , nt_min_age ;
time_t u_lock_duration , u_reset_time ;
NTTIME nt_lock_duration , nt_reset_time ;
uint32 lockout ;
time_t u_logout ;
NTTIME nt_logout ;
2002-08-17 19:34:15 +04:00
uint32 account_policy_temp ;
2005-09-30 21:13:37 +04:00
time_t seq_num ;
2005-02-07 17:14:44 +03:00
uint32 server_role ;
2002-08-17 19:34:15 +04:00
2001-12-22 01:34:49 +03:00
uint32 num_users = 0 , num_groups = 0 , num_aliases = 0 ;
2001-02-27 21:22:39 +03:00
2005-11-01 02:47:57 +03:00
if ( ( ctr = TALLOC_ZERO_P ( p - > mem_ctx , SAM_UNK_CTR ) ) = = NULL ) {
2001-02-27 21:22:39 +03:00
return NT_STATUS_NO_MEMORY ;
2005-11-01 02:47:57 +03:00
}
2001-02-27 21:22:39 +03:00
2001-12-03 20:14:23 +03:00
ZERO_STRUCTP ( ctr ) ;
2001-02-27 21:22:39 +03:00
2001-12-03 20:14:23 +03:00
r_u - > status = NT_STATUS_OK ;
2002-07-15 14:35:28 +04:00
2001-12-03 20:14:23 +03:00
DEBUG ( 5 , ( " _samr_query_dom_info: %d \n " , __LINE__ ) ) ;
2002-07-15 14:35:28 +04:00
2001-12-03 20:14:23 +03:00
/* find the policy handle. open a policy on it. */
2005-11-01 02:47:57 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > domain_pol , ( void * * ) & info ) ) {
2001-12-03 20:14:23 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-11-01 02:47:57 +03:00
}
2002-07-15 14:35:28 +04:00
2001-12-03 20:14:23 +03:00
switch ( q_u - > switch_value ) {
case 0x01 :
2002-08-17 19:34:15 +04:00
2005-11-01 02:47:57 +03:00
become_root ( ) ;
/* AS ROOT !!! */
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_MIN_PASSWORD_LEN , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
min_pass_len = account_policy_temp ;
2001-12-03 20:14:23 +03:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_PASSWORD_HISTORY , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
pass_hist = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
flag = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_MAX_PASSWORD_AGE , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
u_expire = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_MIN_PASSWORD_AGE , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
u_min_age = account_policy_temp ;
2005-11-01 02:47:57 +03:00
/* !AS ROOT */
2002-08-17 19:34:15 +04:00
2005-11-01 02:47:57 +03:00
unbecome_root ( ) ;
2001-12-03 20:14:23 +03:00
unix_to_nt_time_abs ( & nt_expire , u_expire ) ;
unix_to_nt_time_abs ( & nt_min_age , u_min_age ) ;
init_unk_info1 ( & ctr - > info . inf1 , ( uint16 ) min_pass_len , ( uint16 ) pass_hist ,
flag , nt_expire , nt_min_age ) ;
break ;
case 0x02 :
2005-11-01 02:47:57 +03:00
2005-04-15 17:41:49 +04:00
become_root ( ) ;
2005-11-01 02:47:57 +03:00
/* AS ROOT !!! */
2005-11-19 02:15:47 +03:00
num_users = count_sam_users ( info - > disp_info ,
2005-04-15 17:41:49 +04:00
ACB_NORMAL ) ;
2005-11-19 02:15:47 +03:00
num_groups = count_sam_groups ( info - > disp_info ) ;
2004-12-23 02:50:31 +03:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , & account_policy_temp ) ;
2004-12-23 02:50:31 +03:00
u_logout = account_policy_temp ;
unix_to_nt_time_abs ( & nt_logout , u_logout ) ;
2005-09-30 21:13:37 +04:00
if ( ! pdb_get_seq_num ( & seq_num ) )
seq_num = time ( NULL ) ;
2005-11-01 02:47:57 +03:00
/* !AS ROOT */
unbecome_root ( ) ;
2005-02-07 17:14:44 +03:00
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
2005-09-30 21:13:37 +04:00
init_unk_info2 ( & ctr - > info . inf2 , lp_serverstring ( ) , lp_workgroup ( ) , global_myname ( ) , seq_num ,
2005-02-07 17:14:44 +03:00
num_users , num_groups , num_aliases , nt_logout , server_role ) ;
2001-12-03 20:14:23 +03:00
break ;
case 0x03 :
2005-11-01 02:47:57 +03:00
become_root ( ) ;
/* AS ROOT !!! */
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , ( unsigned int * ) & u_logout ) ;
2005-11-01 02:47:57 +03:00
/* !AS ROOT */
unbecome_root ( ) ;
2001-12-03 20:14:23 +03:00
unix_to_nt_time_abs ( & nt_logout , u_logout ) ;
init_unk_info3 ( & ctr - > info . inf3 , nt_logout ) ;
break ;
case 0x05 :
2002-11-13 02:20:50 +03:00
init_unk_info5 ( & ctr - > info . inf5 , global_myname ( ) ) ;
2001-12-03 20:14:23 +03:00
break ;
case 0x06 :
init_unk_info6 ( & ctr - > info . inf6 ) ;
break ;
case 0x07 :
2005-02-07 17:14:44 +03:00
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
init_unk_info7 ( & ctr - > info . inf7 , server_role ) ;
2001-12-03 20:14:23 +03:00
break ;
2004-12-22 19:58:43 +03:00
case 0x08 :
2005-11-01 02:47:57 +03:00
become_root ( ) ;
/* AS ROOT !!! */
if ( ! pdb_get_seq_num ( & seq_num ) ) {
2005-09-30 21:13:37 +04:00
seq_num = time ( NULL ) ;
2005-11-01 02:47:57 +03:00
}
/* !AS ROOT */
unbecome_root ( ) ;
2005-09-30 21:13:37 +04:00
init_unk_info8 ( & ctr - > info . inf8 , ( uint32 ) seq_num ) ;
2004-12-22 19:58:43 +03:00
break ;
2001-12-03 20:14:23 +03:00
case 0x0c :
2005-11-01 02:47:57 +03:00
become_root ( ) ;
/* AS ROOT !!! */
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_LOCK_ACCOUNT_DURATION , & account_policy_temp ) ;
2005-01-10 18:28:07 +03:00
u_lock_duration = account_policy_temp ;
2005-11-01 02:47:57 +03:00
if ( u_lock_duration ! = - 1 ) {
2005-01-10 18:28:07 +03:00
u_lock_duration * = 60 ;
2005-11-01 02:47:57 +03:00
}
2002-08-17 19:34:15 +04:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_RESET_COUNT_TIME , & account_policy_temp ) ;
2004-02-25 23:02:47 +03:00
u_reset_time = account_policy_temp * 60 ;
2002-08-17 19:34:15 +04:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_BAD_ATTEMPT_LOCKOUT , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
lockout = account_policy_temp ;
2005-11-01 02:47:57 +03:00
/* !AS ROOT */
unbecome_root ( ) ;
2001-12-03 20:14:23 +03:00
unix_to_nt_time_abs ( & nt_lock_duration , u_lock_duration ) ;
unix_to_nt_time_abs ( & nt_reset_time , u_reset_time ) ;
init_unk_info12 ( & ctr - > info . inf12 , nt_lock_duration , nt_reset_time , ( uint16 ) lockout ) ;
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
2002-07-15 14:35:28 +04:00
}
2005-11-01 02:47:57 +03:00
2001-12-03 20:14:23 +03:00
init_samr_r_query_dom_info ( r_u , q_u - > switch_value , ctr , NT_STATUS_OK ) ;
2002-07-15 14:35:28 +04:00
2001-12-03 20:14:23 +03:00
DEBUG ( 5 , ( " _samr_query_dom_info: %d \n " , __LINE__ ) ) ;
2002-07-15 14:35:28 +04:00
2001-12-03 20:14:23 +03:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
2003-08-28 00:50:24 +04:00
_samr_create_user
2001-09-14 14:31:39 +04:00
Create an account , can be either a normal user or a machine .
This funcion will need to be updated for bdc / domain trusts .
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-08-28 00:50:24 +04:00
NTSTATUS _samr_create_user ( pipes_struct * p , SAMR_Q_CREATE_USER * q_u , SAMR_R_CREATE_USER * r_u )
2001-02-27 21:22:39 +03:00
{
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sam_pass = NULL ;
2001-09-14 14:31:39 +04:00
fstring account ;
2001-05-04 19:44:27 +04:00
DOM_SID sid ;
pstring add_script ;
POLICY_HND dom_pol = q_u - > domain_pol ;
UNISTR2 user_account = q_u - > uni_name ;
uint16 acb_info = q_u - > acb_info ;
POLICY_HND * user_pol = & r_u - > user_pol ;
2001-03-11 03:32:10 +03:00
struct samr_info * info = NULL ;
2001-05-04 19:44:27 +04:00
BOOL ret ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
NTSTATUS nt_status ;
struct passwd * pw ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
SEC_DESC * psd ;
size_t sd_size ;
2003-07-11 09:33:40 +04:00
uint32 new_rid = 0 ;
2003-04-23 05:04:20 +04:00
/* check this, when giving away 'add computer to domain' privs */
2003-03-21 16:35:15 +03:00
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS ;
2005-02-16 22:51:16 +03:00
BOOL can_add_account = False ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* Get the domain SID stored in the domain policy */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & dom_pol , & sid , & acc_granted , & disp_info ) )
2001-05-04 19:44:27 +04:00
return NT_STATUS_INVALID_HANDLE ;
2001-02-27 21:22:39 +03:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status = access_check_samr_function ( acc_granted , SA_RIGHT_DOMAIN_CREATE_USER , " _samr_create_user " ) ) ) {
2002-07-15 14:35:28 +04:00
return nt_status ;
}
2004-01-03 02:55:44 +03:00
if ( ! ( acb_info = = ACB_NORMAL | | acb_info = = ACB_DOMTRUST | | acb_info = = ACB_WSTRUST | | acb_info = = ACB_SVRTRUST ) ) {
2003-12-02 15:48:15 +03:00
/* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2004-01-03 02:55:44 +03:00
this parameter is not an account type */
2003-12-02 15:48:15 +03:00
return NT_STATUS_INVALID_PARAMETER ;
}
2001-09-14 14:31:39 +04:00
rpcstr_pull ( account , user_account . buffer , sizeof ( account ) , user_account . uni_str_len * 2 , 0 ) ;
2003-07-03 23:11:31 +04:00
strlower_m ( account ) ;
2005-09-30 21:13:37 +04:00
2001-05-04 19:44:27 +04:00
pdb_init_sam ( & sam_pass ) ;
2001-02-27 21:22:39 +03:00
2001-05-04 19:44:27 +04:00
become_root ( ) ;
2001-09-14 14:31:39 +04:00
ret = pdb_getsampwnam ( sam_pass , account ) ;
2001-05-04 19:44:27 +04:00
unbecome_root ( ) ;
if ( ret = = True ) {
2001-09-14 14:31:39 +04:00
/* this account exists: say so */
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pass ) ;
2001-05-04 19:44:27 +04:00
return NT_STATUS_USER_EXISTS ;
}
2001-02-27 21:22:39 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
pdb_free_sam ( & sam_pass ) ;
2005-09-30 21:13:37 +04:00
2003-07-11 09:33:40 +04:00
/*********************************************************************
* HEADS UP ! If we have to create a new user account , we have to get
* a new RID from somewhere . This used to be done by the passdb
* backend . It has been moved into idmap now . Since idmap is now
* wrapped up behind winbind , this means you have to run winbindd if you
* want new accounts to get a new RID when " enable rid algorithm = no " .
* Tough . We now have a uniform way of allocating RIDs regardless
* of what ever passdb backend people may use .
* - - jerry ( 2003 - 07 - 10 )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 21:13:37 +04:00
2005-01-07 02:27:28 +03:00
pw = Get_Pwnam ( account ) ;
2005-01-19 19:52:19 +03:00
2005-01-27 05:16:02 +03:00
/* determine which user right we need to check based on the acb_info */
2005-02-03 18:14:54 +03:00
2005-02-03 19:23:49 +03:00
if ( acb_info & ACB_WSTRUST )
2005-02-03 18:14:54 +03:00
{
2005-01-19 19:52:19 +03:00
pstrcpy ( add_script , lp_addmachine_script ( ) ) ;
2005-02-03 18:14:54 +03:00
se_priv_copy ( & se_rights , & se_machine_account ) ;
can_add_account = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
}
2005-04-21 21:13:50 +04:00
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
account for domain trusts and changes the ACB flags later */
else if ( acb_info & ACB_NORMAL & & ( account [ strlen ( account ) - 1 ] ! = ' $ ' ) )
2005-02-03 18:14:54 +03:00
{
2005-01-19 19:52:19 +03:00
pstrcpy ( add_script , lp_adduser_script ( ) ) ;
2005-02-03 18:14:54 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_account = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
}
2005-04-21 21:13:50 +04:00
else /* implicit assumption of a BDC or domain trust account here (we already check the flags earlier) */
2005-02-03 18:14:54 +03:00
{
pstrcpy ( add_script , lp_addmachine_script ( ) ) ;
2005-02-03 19:23:49 +03:00
if ( lp_enable_privileges ( ) ) {
/* only Domain Admins can add a BDC or domain trust */
se_priv_copy ( & se_rights , & se_priv_none ) ;
can_add_account = nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) ;
2005-01-19 19:52:19 +03:00
}
2005-09-30 21:13:37 +04:00
}
2005-01-19 19:52:19 +03:00
DEBUG ( 5 , ( " _samr_create_user: %s can add this account : %s \n " ,
p - > pipe_user_name , can_add_account ? " True " : " False " ) ) ;
/********** BEGIN Admin BLOCK **********/
2005-09-30 21:13:37 +04:00
2005-01-19 19:52:19 +03:00
if ( can_add_account )
2005-01-07 02:27:28 +03:00
become_root ( ) ;
2005-09-30 21:13:37 +04:00
2003-04-29 09:30:29 +04:00
if ( ! pw ) {
if ( * add_script ) {
2005-09-30 21:13:37 +04:00
int add_ret ;
all_string_sub ( add_script , " %u " , account , sizeof ( add_script ) ) ;
add_ret = smbrun ( add_script , NULL ) ;
DEBUG ( add_ret ? 0 : 3 , ( " _samr_create_user: Running the command `%s' gave %d \n " , add_script , add_ret ) ) ;
}
2003-04-29 09:30:29 +04:00
}
2005-09-30 21:13:37 +04:00
2003-07-11 09:33:40 +04:00
/* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2003-07-09 20:44:47 +04:00
2005-03-03 19:52:44 +03:00
flush_pwnam_cache ( ) ;
2005-01-19 19:52:19 +03:00
nt_status = pdb_init_sam_new ( & sam_pass , account , new_rid ) ;
/* this code is order such that we have no unnecessary retuns
out of the admin block of code */
if ( NT_STATUS_IS_OK ( nt_status ) ) {
pdb_set_acct_ctrl ( sam_pass , acb_info , PDB_CHANGED ) ;
if ( ! ( ret = pdb_add_sam_account ( sam_pass ) ) ) {
pdb_free_sam ( & sam_pass ) ;
DEBUG ( 0 , ( " could not add user/computer %s to passdb. Check permissions? \n " ,
account ) ) ;
nt_status = NT_STATUS_ACCESS_DENIED ;
}
2005-01-07 02:27:28 +03:00
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2005-01-19 19:52:19 +03:00
if ( can_add_account )
2005-01-07 02:27:28 +03:00
unbecome_root ( ) ;
2005-01-19 19:52:19 +03:00
/********** END Admin BLOCK **********/
/* now check for failure */
if ( ! NT_STATUS_IS_OK ( nt_status ) )
return nt_status ;
2002-07-15 14:35:28 +04:00
/* Get the user's SID */
2005-01-07 02:27:28 +03:00
2002-07-15 14:35:28 +04:00
sid_copy ( & sid , pdb_get_user_sid ( sam_pass ) ) ;
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & usr_generic_mapping , & sid , SAMR_USR_RIGHTS_WRITE_PW ) ;
2002-07-15 14:35:28 +04:00
se_map_generic ( & des_access , & usr_generic_mapping ) ;
2005-01-07 02:27:28 +03:00
nt_status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
2005-01-26 23:36:44 +03:00
& se_rights , GENERIC_RIGHTS_USER_WRITE , des_access ,
& acc_granted , " _samr_create_user " ) ;
2005-01-07 02:27:28 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2002-07-15 14:35:28 +04:00
return nt_status ;
2001-05-04 19:44:27 +04:00
}
/* associate the user's SID with the new handle. */
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( & sid ) ) = = NULL ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pass ) ;
2001-05-04 19:44:27 +04:00
return NT_STATUS_NO_MEMORY ;
}
ZERO_STRUCTP ( info ) ;
info - > sid = sid ;
2002-07-15 14:35:28 +04:00
info - > acc_granted = acc_granted ;
2001-05-04 19:44:27 +04:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , user_pol , free_samr_info , ( void * ) info ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pass ) ;
2001-05-04 19:44:27 +04:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
2005-11-19 02:15:47 +03:00
/* After a "set" ensure we have no cached display info. */
force_flush_samr_cache ( info - > disp_info ) ;
2002-01-02 10:41:54 +03:00
r_u - > user_rid = pdb_get_user_rid ( sam_pass ) ;
2002-08-17 19:34:15 +04:00
r_u - > access_granted = acc_granted ;
2001-05-04 19:44:27 +04:00
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & sam_pass ) ;
2001-05-04 19:44:27 +04:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
samr_reply_connect_anon
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_connect_anon ( pipes_struct * p , SAMR_Q_CONNECT_ANON * q_u , SAMR_R_CONNECT_ANON * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-11 03:32:10 +03:00
struct samr_info * info = NULL ;
2003-08-13 07:59:41 +04:00
uint32 des_access = q_u - > access_mask ;
2001-03-11 03:32:10 +03:00
2002-07-15 14:35:28 +04:00
/* Access check */
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
if ( ! pipe_access_check ( p ) ) {
DEBUG ( 3 , ( " access denied to samr_connect_anon \n " ) ) ;
r_u - > status = NT_STATUS_ACCESS_DENIED ;
return r_u - > status ;
}
/* set up the SAMR connect_anon response */
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
r_u - > status = NT_STATUS_OK ;
/* associate the user's SID with the new handle. */
if ( ( info = get_samr_info_by_sid ( NULL ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
2001-03-11 03:32:10 +03:00
2003-08-13 07:59:41 +04:00
/* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
was observed from a win98 client trying to enumerate users ( when configured
user level access control on shares ) - - jerry */
se_map_generic ( & des_access , & sam_generic_mapping ) ;
info - > acc_granted = des_access & ( SA_RIGHT_SAM_ENUM_DOMAINS | SA_RIGHT_SAM_OPEN_DOMAIN ) ;
2002-07-15 14:35:28 +04:00
info - > status = q_u - > unknown_0 ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > connect_pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
samr_reply_connect
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_connect ( pipes_struct * p , SAMR_Q_CONNECT * q_u , SAMR_R_CONNECT * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-11 03:32:10 +03:00
struct samr_info * info = NULL ;
2002-07-15 14:35:28 +04:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
uint32 des_access = q_u - > access_mask ;
NTSTATUS nt_status ;
2005-09-30 21:13:37 +04:00
size_t sd_size ;
2001-03-11 03:32:10 +03:00
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_connect: %d \n " , __LINE__ ) ) ;
/* Access check */
if ( ! pipe_access_check ( p ) ) {
DEBUG ( 3 , ( " access denied to samr_connect \n " ) ) ;
r_u - > status = NT_STATUS_ACCESS_DENIED ;
return r_u - > status ;
}
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & sam_generic_mapping , NULL , 0 ) ;
2002-07-15 14:35:28 +04:00
se_map_generic ( & des_access , & sam_generic_mapping ) ;
2005-01-26 23:36:44 +03:00
nt_status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
NULL , 0 , des_access , & acc_granted , " _samr_connect " ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-07-15 14:35:28 +04:00
return nt_status ;
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* associate the user's SID and access granted with the new handle. */
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( NULL ) ) = = NULL )
2002-07-15 14:35:28 +04:00
return NT_STATUS_NO_MEMORY ;
2001-03-11 03:32:10 +03:00
2002-07-15 14:35:28 +04:00
info - > acc_granted = acc_granted ;
info - > status = q_u - > access_mask ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > connect_pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_connect: %d \n " , __LINE__ ) ) ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
2002-08-17 19:34:15 +04:00
/*******************************************************************
samr_connect4
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_connect4 ( pipes_struct * p , SAMR_Q_CONNECT4 * q_u , SAMR_R_CONNECT4 * r_u )
{
struct samr_info * info = NULL ;
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
uint32 des_access = q_u - > access_mask ;
NTSTATUS nt_status ;
2005-09-30 21:13:37 +04:00
size_t sd_size ;
2002-08-17 19:34:15 +04:00
DEBUG ( 5 , ( " _samr_connect4: %d \n " , __LINE__ ) ) ;
/* Access check */
if ( ! pipe_access_check ( p ) ) {
DEBUG ( 3 , ( " access denied to samr_connect4 \n " ) ) ;
r_u - > status = NT_STATUS_ACCESS_DENIED ;
return r_u - > status ;
}
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & sam_generic_mapping , NULL , 0 ) ;
2002-08-17 19:34:15 +04:00
se_map_generic ( & des_access , & sam_generic_mapping ) ;
2005-01-26 23:36:44 +03:00
nt_status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
NULL , 0 , des_access , & acc_granted , " _samr_connect4 " ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-08-17 19:34:15 +04:00
return nt_status ;
r_u - > status = NT_STATUS_OK ;
/* associate the user's SID and access granted with the new handle. */
if ( ( info = get_samr_info_by_sid ( NULL ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
info - > acc_granted = acc_granted ;
info - > status = q_u - > access_mask ;
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > connect_pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
DEBUG ( 5 , ( " _samr_connect: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
2005-11-18 01:40:10 +03:00
/*******************************************************************
samr_connect5
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_connect5 ( pipes_struct * p , SAMR_Q_CONNECT5 * q_u , SAMR_R_CONNECT5 * r_u )
{
struct samr_info * info = NULL ;
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
uint32 des_access = q_u - > access_mask ;
NTSTATUS nt_status ;
POLICY_HND pol ;
size_t sd_size ;
DEBUG ( 5 , ( " _samr_connect5: %d \n " , __LINE__ ) ) ;
ZERO_STRUCTP ( r_u ) ;
/* Access check */
if ( ! pipe_access_check ( p ) ) {
DEBUG ( 3 , ( " access denied to samr_connect5 \n " ) ) ;
r_u - > status = NT_STATUS_ACCESS_DENIED ;
return r_u - > status ;
}
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & sam_generic_mapping , NULL , 0 ) ;
se_map_generic ( & des_access , & sam_generic_mapping ) ;
nt_status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
NULL , 0 , des_access , & acc_granted , " _samr_connect5 " ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) )
return nt_status ;
/* associate the user's SID and access granted with the new handle. */
if ( ( info = get_samr_info_by_sid ( NULL ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
info - > acc_granted = acc_granted ;
info - > status = q_u - > access_mask ;
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
DEBUG ( 5 , ( " _samr_connect: %d \n " , __LINE__ ) ) ;
init_samr_r_connect5 ( r_u , & pol , NT_STATUS_OK ) ;
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
/**********************************************************************
api_samr_lookup_domain
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_lookup_domain ( pipes_struct * p , SAMR_Q_LOOKUP_DOMAIN * q_u , SAMR_R_LOOKUP_DOMAIN * r_u )
2001-02-27 21:22:39 +03:00
{
2002-07-15 14:35:28 +04:00
struct samr_info * info ;
2002-03-10 04:45:49 +03:00
fstring domain_name ;
DOM_SID sid ;
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
if ( ! find_policy_by_hnd ( p , & q_u - > connect_pol , ( void * * ) & info ) )
2002-03-10 04:45:49 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-02-27 21:22:39 +03:00
2005-01-20 20:05:10 +03:00
/* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
Reverted that change so we will work with RAS servers again */
2003-08-13 07:59:41 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( info - > acc_granted ,
2005-01-20 20:05:10 +03:00
SA_RIGHT_SAM_OPEN_DOMAIN , " _samr_lookup_domain " ) ) )
2003-08-13 07:59:41 +04:00
{
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2002-03-10 04:45:49 +03:00
rpcstr_pull ( domain_name , q_u - > uni_domain . buffer , sizeof ( domain_name ) , q_u - > uni_domain . uni_str_len * 2 , 0 ) ;
2001-02-27 21:22:39 +03:00
2002-03-10 04:45:49 +03:00
ZERO_STRUCT ( sid ) ;
if ( ! secrets_fetch_domain_sid ( domain_name , & sid ) ) {
r_u - > status = NT_STATUS_NO_SUCH_DOMAIN ;
}
DEBUG ( 2 , ( " Returning domain sid for domain %s -> %s \n " , domain_name , sid_string_static ( & sid ) ) ) ;
init_samr_r_lookup_domain ( r_u , & sid , r_u - > status ) ;
return r_u - > status ;
2001-02-27 21:22:39 +03:00
}
/******************************************************************
makes a SAMR_R_ENUM_DOMAINS structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL make_enum_domains ( TALLOC_CTX * ctx , SAM_ENTRY * * pp_sam ,
UNISTR2 * * pp_uni_name , uint32 num_sam_entries , fstring doms [ ] )
{
uint32 i ;
SAM_ENTRY * sam ;
UNISTR2 * uni_name ;
DEBUG ( 5 , ( " make_enum_domains \n " ) ) ;
* pp_sam = NULL ;
* pp_uni_name = NULL ;
if ( num_sam_entries = = 0 )
return True ;
2004-12-07 21:25:53 +03:00
sam = TALLOC_ZERO_ARRAY ( ctx , SAM_ENTRY , num_sam_entries ) ;
uni_name = TALLOC_ZERO_ARRAY ( ctx , UNISTR2 , num_sam_entries ) ;
2001-02-27 21:22:39 +03:00
if ( sam = = NULL | | uni_name = = NULL )
return False ;
for ( i = 0 ; i < num_sam_entries ; i + + ) {
2003-09-26 01:26:16 +04:00
init_unistr2 ( & uni_name [ i ] , doms [ i ] , UNI_FLAGS_NONE ) ;
init_sam_entry ( & sam [ i ] , & uni_name [ i ] , 0 ) ;
2001-02-27 21:22:39 +03:00
}
* pp_sam = sam ;
* pp_uni_name = uni_name ;
return True ;
}
/**********************************************************************
api_samr_enum_domains
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_enum_domains ( pipes_struct * p , SAMR_Q_ENUM_DOMAINS * q_u , SAMR_R_ENUM_DOMAINS * r_u )
2001-02-27 21:22:39 +03:00
{
2002-07-15 14:35:28 +04:00
struct samr_info * info ;
2001-02-27 21:22:39 +03:00
uint32 num_entries = 2 ;
fstring dom [ 2 ] ;
2002-11-13 02:20:50 +03:00
const char * name ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2002-07-15 14:35:28 +04:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
return NT_STATUS_INVALID_HANDLE ;
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( info - > acc_granted , SA_RIGHT_SAM_ENUM_DOMAINS , " _samr_enum_domains " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
2003-05-07 12:21:06 +04:00
name = get_global_sam_name ( ) ;
2002-03-10 04:45:49 +03:00
fstrcpy ( dom [ 0 ] , name ) ;
2003-07-03 23:11:31 +04:00
strupper_m ( dom [ 0 ] ) ;
2001-02-27 21:22:39 +03:00
fstrcpy ( dom [ 1 ] , " Builtin " ) ;
if ( ! make_enum_domains ( p - > mem_ctx , & r_u - > sam , & r_u - > uni_dom_name , num_entries , dom ) )
return NT_STATUS_NO_MEMORY ;
init_samr_r_enum_domains ( r_u , q_u - > start_idx + num_entries , num_entries ) ;
return r_u - > status ;
}
/*******************************************************************
api_samr_open_alias
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-08-28 00:50:24 +04:00
NTSTATUS _samr_open_alias ( pipes_struct * p , SAMR_Q_OPEN_ALIAS * q_u , SAMR_R_OPEN_ALIAS * r_u )
2001-02-27 21:22:39 +03:00
{
DOM_SID sid ;
POLICY_HND domain_pol = q_u - > dom_pol ;
uint32 alias_rid = q_u - > rid_alias ;
POLICY_HND * alias_pol = & r_u - > pol ;
2002-07-15 14:35:28 +04:00
struct samr_info * info = NULL ;
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
uint32 des_access = q_u - > access_mask ;
size_t sd_size ;
NTSTATUS status ;
2005-01-26 23:36:44 +03:00
SE_PRIV se_rights ;
2001-02-27 21:22:39 +03:00
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
/* find the domain policy and get the SID / access bits stored in the domain policy */
2005-01-26 23:36:44 +03:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & domain_pol , & sid , & acc_granted , NULL ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-26 23:36:44 +03:00
status = access_check_samr_function ( acc_granted ,
SA_RIGHT_DOMAIN_OPEN_ACCOUNT , " _samr_open_alias " ) ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
if ( ! NT_STATUS_IS_OK ( status ) )
2002-07-15 14:35:28 +04:00
return status ;
2001-03-11 03:32:10 +03:00
/* append the alias' RID to it */
2005-01-26 23:36:44 +03:00
2002-07-15 14:35:28 +04:00
if ( ! sid_append_rid ( & sid , alias_rid ) )
2001-03-11 03:32:10 +03:00
return NT_STATUS_NO_SUCH_USER ;
2002-07-15 14:35:28 +04:00
/*check if access can be granted as requested by client. */
2005-01-26 23:36:44 +03:00
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & ali_generic_mapping , NULL , 0 ) ;
2002-07-15 14:35:28 +04:00
se_map_generic ( & des_access , & ali_generic_mapping ) ;
2005-01-26 23:36:44 +03:00
2005-05-13 13:18:50 +04:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2005-01-26 23:36:44 +03:00
status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
& se_rights , GENERIC_RIGHTS_ALIAS_WRITE , des_access ,
& acc_granted , " _samr_open_alias " ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
2002-07-15 14:35:28 +04:00
return status ;
2001-02-27 21:22:39 +03:00
/*
* we should check if the rid really exist ! ! !
* JFM .
*/
2001-12-05 00:53:47 +03:00
/* associate the user's SID with the new handle. */
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( & sid ) ) = = NULL )
2001-12-05 00:53:47 +03:00
return NT_STATUS_NO_MEMORY ;
2002-07-15 14:35:28 +04:00
info - > acc_granted = acc_granted ;
2001-02-27 21:22:39 +03:00
2001-03-11 03:32:10 +03:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , alias_pol , free_samr_info , ( void * ) info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
return r_u - > status ;
}
2005-10-12 00:14:04 +04:00
/*******************************************************************
set_user_info_7
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_7 ( const SAM_USER_INFO_7 * id7 , SAM_ACCOUNT * pwd )
{
fstring new_name ;
2005-10-21 00:40:47 +04:00
SAM_ACCOUNT * check_acct = NULL ;
2005-10-12 00:14:04 +04:00
NTSTATUS rc ;
2005-10-21 00:40:47 +04:00
BOOL check_rc ;
2005-10-12 00:14:04 +04:00
if ( id7 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_7: NULL id7 \n " ) ) ;
pdb_free_sam ( & pwd ) ;
return NT_STATUS_ACCESS_DENIED ;
}
if ( ! rpcstr_pull ( new_name , id7 - > uni_name . buffer , sizeof ( new_name ) , id7 - > uni_name . uni_str_len * 2 , 0 ) ) {
DEBUG ( 5 , ( " set_user_info_7: failed to get new username \n " ) ) ;
pdb_free_sam ( & pwd ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2005-10-21 00:40:47 +04:00
/* check to see if the new username already exists. Note: we can't
reliably lock all backends , so there is potentially the
possibility that a user can be created in between this check and
the rename . The rename should fail , but may not get the
exact same failure status code . I think this is small enough
of a window for this type of operation and the results are
simply that the rename fails with a slightly different status
code ( like UNSUCCESSFUL instead of ALREADY_EXISTS ) . */
pdb_init_sam ( & check_acct ) ;
check_rc = pdb_getsampwnam ( check_acct , new_name ) ;
pdb_free_sam ( & check_acct ) ;
if ( check_rc = = True ) {
/* this account exists: say so */
return NT_STATUS_USER_EXISTS ;
}
2005-10-12 00:14:04 +04:00
rc = pdb_rename_sam_account ( pwd , new_name ) ;
pdb_free_sam ( & pwd ) ;
return rc ;
}
2001-02-27 21:22:39 +03:00
/*******************************************************************
2005-07-19 04:59:25 +04:00
set_user_info_16
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-07-19 04:59:25 +04:00
static BOOL set_user_info_16 ( const SAM_USER_INFO_16 * id16 , SAM_ACCOUNT * pwd )
2001-02-27 21:22:39 +03:00
{
2005-07-19 04:59:25 +04:00
if ( id16 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_16: NULL id16 \n " ) ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
}
2002-11-02 06:47:48 +03:00
/* FIX ME: check if the value is really changed --metze */
2005-07-19 04:59:25 +04:00
if ( ! pdb_set_acct_ctrl ( pwd , id16 - > acb_info , PDB_CHANGED ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
return False ;
}
2001-02-27 21:22:39 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! pdb_update_sam_account ( pwd ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
2001-05-04 19:44:27 +04:00
}
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return True ;
}
/*******************************************************************
2005-07-19 04:59:25 +04:00
set_user_info_18
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-07-19 04:59:25 +04:00
static BOOL set_user_info_18 ( SAM_USER_INFO_18 * id18 , SAM_ACCOUNT * pwd )
2001-02-27 21:22:39 +03:00
{
2001-05-04 19:44:27 +04:00
2005-07-19 04:59:25 +04:00
if ( id18 = = NULL ) {
DEBUG ( 2 , ( " set_user_info_18: id18 is NULL \n " ) ) ;
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
}
2001-03-11 03:32:10 +03:00
2005-07-19 04:59:25 +04:00
if ( ! pdb_set_lanman_passwd ( pwd , id18 - > lm_pwd , PDB_CHANGED ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
return False ;
}
2005-07-19 04:59:25 +04:00
if ( ! pdb_set_nt_passwd ( pwd , id18 - > nt_pwd , PDB_CHANGED ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
return False ;
}
2001-10-29 10:15:51 +03:00
if ( ! pdb_set_pass_changed_now ( pwd ) ) {
pdb_free_sam ( & pwd ) ;
return False ;
}
2001-03-11 03:32:10 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! pdb_update_sam_account ( pwd ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
2001-05-04 19:44:27 +04:00
}
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return True ;
}
2003-06-12 00:42:10 +04:00
/*******************************************************************
The GROUPSID field in the SAM_ACCOUNT changed . Try to tell unix .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL set_unix_primary_group ( SAM_ACCOUNT * sampass )
{
struct group * grp ;
gid_t gid ;
if ( ! NT_STATUS_IS_OK ( sid_to_gid ( pdb_get_group_sid ( sampass ) ,
& gid ) ) ) {
DEBUG ( 2 , ( " Could not get gid for primary group of "
" user %s \n " , pdb_get_username ( sampass ) ) ) ;
return False ;
}
grp = getgrgid ( gid ) ;
if ( grp = = NULL ) {
2003-07-22 10:52:39 +04:00
DEBUG ( 2 , ( " Could not find primary group %lu for "
" user %s \n " , ( unsigned long ) gid ,
pdb_get_username ( sampass ) ) ) ;
2003-06-12 00:42:10 +04:00
return False ;
}
if ( smb_set_primary_group ( grp - > gr_name ,
pdb_get_username ( sampass ) ) ! = 0 ) {
DEBUG ( 2 , ( " Could not set primary group for user %s to "
" %s \n " ,
pdb_get_username ( sampass ) , grp - > gr_name ) ) ;
return False ;
}
return True ;
}
2003-11-07 21:32:23 +03:00
/*******************************************************************
set_user_info_20
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
static BOOL set_user_info_20 ( SAM_USER_INFO_20 * id20 , SAM_ACCOUNT * pwd )
2003-11-07 21:32:23 +03:00
{
if ( id20 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_20: NULL id20 \n " ) ) ;
return False ;
}
copy_id20_to_sam_passwd ( pwd , id20 ) ;
/* write the change out */
if ( ! pdb_update_sam_account ( pwd ) ) {
pdb_free_sam ( & pwd ) ;
return False ;
}
pdb_free_sam ( & pwd ) ;
return True ;
}
2001-02-27 21:22:39 +03:00
/*******************************************************************
set_user_info_21
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
static BOOL set_user_info_21 ( SAM_USER_INFO_21 * id21 , SAM_ACCOUNT * pwd )
2001-02-27 21:22:39 +03:00
{
2001-03-11 03:32:10 +03:00
2001-02-27 21:22:39 +03:00
if ( id21 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_21: NULL id21 \n " ) ) ;
return False ;
}
2001-03-11 03:32:10 +03:00
2001-11-24 03:36:37 +03:00
copy_id21_to_sam_passwd ( pwd , id21 ) ;
2001-03-11 03:32:10 +03:00
/*
* The funny part about the previous two calls is
* that pwd still has the password hashes from the
* passdb entry . These have not been updated from
* id21 . I don ' t know if they need to be set . - - jerry
*/
2003-06-12 00:42:10 +04:00
if ( IS_SAM_CHANGED ( pwd , PDB_GROUPSID ) )
set_unix_primary_group ( pwd ) ;
2001-03-11 03:32:10 +03:00
/* write the change out */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! pdb_update_sam_account ( pwd ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
2001-05-04 19:44:27 +04:00
}
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-05-04 19:44:27 +04:00
2001-02-27 21:22:39 +03:00
return True ;
}
/*******************************************************************
set_user_info_23
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 23:36:44 +03:00
static BOOL set_user_info_23 ( SAM_USER_INFO_23 * id23 , SAM_ACCOUNT * pwd )
2001-02-27 21:22:39 +03:00
{
2001-09-26 15:51:25 +04:00
pstring plaintext_buf ;
2001-05-04 19:44:27 +04:00
uint32 len ;
2001-03-11 03:32:10 +03:00
uint16 acct_ctrl ;
2001-05-04 19:44:27 +04:00
if ( id23 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_23: NULL id23 \n " ) ) ;
return False ;
}
2001-03-11 03:32:10 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 5 , ( " Attempting administrator password change (level 23) for user %s \n " ,
pdb_get_username ( pwd ) ) ) ;
2001-05-04 19:44:27 +04:00
acct_ctrl = pdb_get_acct_ctrl ( pwd ) ;
2005-03-22 21:07:58 +03:00
if ( ! decode_pw_buffer ( id23 - > pass , plaintext_buf , 256 , & len , STR_UNICODE ) ) {
2001-11-24 03:36:37 +03:00
pdb_free_sam ( & pwd ) ;
2001-05-04 19:44:27 +04:00
return False ;
}
2001-04-22 06:54:04 +04:00
2001-11-24 03:36:37 +03:00
if ( ! pdb_set_plaintext_passwd ( pwd , plaintext_buf ) ) {
pdb_free_sam ( & pwd ) ;
2001-09-29 17:08:26 +04:00
return False ;
}
2001-03-11 03:32:10 +03:00
2002-09-26 22:37:55 +04:00
copy_id23_to_sam_passwd ( pwd , id23 ) ;
2001-02-27 21:22:39 +03:00
/* if it's a trust account, don't update /etc/passwd */
2003-05-12 22:12:31 +04:00
if ( ( ( acct_ctrl & ACB_DOMTRUST ) = = ACB_DOMTRUST ) | |
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
( ( acct_ctrl & ACB_WSTRUST ) = = ACB_WSTRUST ) | |
( ( acct_ctrl & ACB_SVRTRUST ) = = ACB_SVRTRUST ) ) {
DEBUG ( 5 , ( " Changing trust account or non-unix-user password, not updating /etc/passwd \n " ) ) ;
2001-03-11 03:32:10 +03:00
} else {
2001-02-27 21:22:39 +03:00
/* update the UNIX password */
2004-02-02 03:08:35 +03:00
if ( lp_unix_password_sync ( ) ) {
struct passwd * passwd = Get_Pwnam ( pdb_get_username ( pwd ) ) ;
if ( ! passwd ) {
DEBUG ( 1 , ( " chgpasswd: Username does not exist in system !?! \n " ) ) ;
}
if ( ! chgpasswd ( pdb_get_username ( pwd ) , passwd , " " , plaintext_buf , True ) ) {
2001-11-24 03:36:37 +03:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
2001-05-04 19:44:27 +04:00
}
2004-02-02 03:08:35 +03:00
}
2001-02-27 21:22:39 +03:00
}
2001-03-11 03:32:10 +03:00
2001-09-26 15:51:25 +04:00
ZERO_STRUCT ( plaintext_buf ) ;
2001-03-11 03:32:10 +03:00
2003-06-12 00:42:10 +04:00
if ( IS_SAM_CHANGED ( pwd , PDB_GROUPSID ) )
set_unix_primary_group ( pwd ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! pdb_update_sam_account ( pwd ) ) {
2001-11-24 03:36:37 +03:00
pdb_free_sam ( & pwd ) ;
2001-05-04 19:44:27 +04:00
return False ;
}
2001-03-11 03:32:10 +03:00
2001-11-24 03:36:37 +03:00
pdb_free_sam ( & pwd ) ;
2001-05-04 19:44:27 +04:00
return True ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
2001-06-20 23:55:59 +04:00
set_user_info_pw
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-03-22 21:07:58 +03:00
static BOOL set_user_info_pw ( uint8 * pass , SAM_ACCOUNT * pwd )
2001-02-27 21:22:39 +03:00
{
uint32 len ;
2001-09-26 15:51:25 +04:00
pstring plaintext_buf ;
2001-03-11 03:32:10 +03:00
uint16 acct_ctrl ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 5 , ( " Attempting administrator password change for user %s \n " ,
pdb_get_username ( pwd ) ) ) ;
2001-03-11 03:32:10 +03:00
acct_ctrl = pdb_get_acct_ctrl ( pwd ) ;
2001-02-27 21:22:39 +03:00
2001-09-26 15:51:25 +04:00
ZERO_STRUCT ( plaintext_buf ) ;
2001-03-11 03:32:10 +03:00
2004-01-26 11:45:02 +03:00
if ( ! decode_pw_buffer ( pass , plaintext_buf , 256 , & len , STR_UNICODE ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
2001-05-04 19:44:27 +04:00
}
2001-09-29 17:08:26 +04:00
if ( ! pdb_set_plaintext_passwd ( pwd , plaintext_buf ) ) {
pdb_free_sam ( & pwd ) ;
return False ;
}
2001-03-11 03:32:10 +03:00
2001-02-27 21:22:39 +03:00
/* if it's a trust account, don't update /etc/passwd */
2003-05-12 22:12:31 +04:00
if ( ( ( acct_ctrl & ACB_DOMTRUST ) = = ACB_DOMTRUST ) | |
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
( ( acct_ctrl & ACB_WSTRUST ) = = ACB_WSTRUST ) | |
( ( acct_ctrl & ACB_SVRTRUST ) = = ACB_SVRTRUST ) ) {
DEBUG ( 5 , ( " Changing trust account or non-unix-user password, not updating /etc/passwd \n " ) ) ;
2001-02-27 21:22:39 +03:00
} else {
/* update the UNIX password */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( lp_unix_password_sync ( ) ) {
2004-02-02 03:08:35 +03:00
struct passwd * passwd = Get_Pwnam ( pdb_get_username ( pwd ) ) ;
if ( ! passwd ) {
DEBUG ( 1 , ( " chgpasswd: Username does not exist in system !?! \n " ) ) ;
}
if ( ! chgpasswd ( pdb_get_username ( pwd ) , passwd , " " , plaintext_buf , True ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-02-27 21:22:39 +03:00
return False ;
2001-05-04 19:44:27 +04:00
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
}
2001-02-27 21:22:39 +03:00
}
2001-03-11 03:32:10 +03:00
2001-09-26 15:51:25 +04:00
ZERO_STRUCT ( plaintext_buf ) ;
2001-03-11 03:32:10 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 5 , ( " set_user_info_pw: pdb_update_pwd() \n " ) ) ;
2001-03-11 03:32:10 +03:00
2001-05-04 19:44:27 +04:00
/* update the SAMBA password */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! pdb_update_sam_account ( pwd ) ) {
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-05-04 19:44:27 +04:00
return False ;
}
2001-09-29 17:08:26 +04:00
pdb_free_sam ( & pwd ) ;
2001-05-04 19:44:27 +04:00
return True ;
2001-02-27 21:22:39 +03:00
}
/*******************************************************************
samr_reply_set_userinfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_set_userinfo ( pipes_struct * p , SAMR_Q_SET_USERINFO * q_u , SAMR_R_SET_USERINFO * r_u )
2001-02-27 21:22:39 +03:00
{
2005-01-26 23:36:44 +03:00
SAM_ACCOUNT * pwd = NULL ;
2001-02-27 21:22:39 +03:00
DOM_SID sid ;
POLICY_HND * pol = & q_u - > pol ;
uint16 switch_value = q_u - > switch_value ;
SAM_USERINFO_CTR * ctr = q_u - > ctr ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
uint32 acc_required ;
2005-01-26 23:36:44 +03:00
BOOL ret ;
2005-02-16 22:51:16 +03:00
BOOL has_enough_rights = False ;
2005-02-03 19:23:49 +03:00
uint32 acb_info ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " _samr_set_userinfo: %d \n " , __LINE__ ) ) ;
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , pol , & sid , & acc_granted , & disp_info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-07 02:27:28 +03:00
2005-01-27 05:16:02 +03:00
/* observed when joining an XP client to a Samba domain */
acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY ;
2005-01-07 02:27:28 +03:00
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , acc_required , " _samr_set_userinfo " ) ) ) {
return r_u - > status ;
}
2005-09-30 21:13:37 +04:00
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " _samr_set_userinfo: sid:%s, level:%d \n " , sid_string_static ( & sid ) , switch_value ) ) ;
2001-02-27 21:22:39 +03:00
if ( ctr = = NULL ) {
DEBUG ( 5 , ( " _samr_set_userinfo: NULL info level \n " ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
}
2005-01-26 23:36:44 +03:00
pdb_init_sam ( & pwd ) ;
become_root ( ) ;
ret = pdb_getsampwsid ( pwd , & sid ) ;
unbecome_root ( ) ;
if ( ! ret ) {
pdb_free_sam ( & pwd ) ;
return NT_STATUS_NO_SUCH_USER ;
}
/* deal with machine password changes differently from userinfo changes */
/* check to see if we have the sufficient rights */
2005-01-07 02:27:28 +03:00
2005-02-03 19:23:49 +03:00
acb_info = pdb_get_acct_ctrl ( pwd ) ;
if ( acb_info & ACB_WSTRUST )
has_enough_rights = user_has_privileges ( p - > pipe_user . nt_user_token , & se_machine_account ) ;
else if ( acb_info & ACB_NORMAL )
has_enough_rights = user_has_privileges ( p - > pipe_user . nt_user_token , & se_add_users ) ;
else if ( acb_info & ( ACB_SVRTRUST | ACB_DOMTRUST ) ) {
if ( lp_enable_privileges ( ) )
has_enough_rights = nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) ;
}
2005-09-30 21:13:37 +04:00
2005-01-26 23:36:44 +03:00
DEBUG ( 5 , ( " _samr_set_userinfo: %s does%s possess sufficient rights \n " ,
p - > pipe_user_name , has_enough_rights ? " " : " not " ) ) ;
2005-01-07 02:27:28 +03:00
2005-01-13 21:20:37 +03:00
/* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
2005-01-07 02:27:28 +03:00
2005-01-26 23:36:44 +03:00
if ( has_enough_rights )
become_root ( ) ;
2001-02-27 21:22:39 +03:00
/* ok! user info levels (lots: see MSDEV help), off we go... */
2005-01-07 02:27:28 +03:00
2001-02-27 21:22:39 +03:00
switch ( switch_value ) {
2005-01-26 23:36:44 +03:00
case 18 :
2005-07-19 04:59:25 +04:00
if ( ! set_user_info_18 ( ctr - > info . id18 , pwd ) )
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
break ;
case 24 :
2003-11-23 03:04:29 +03:00
if ( ! p - > session_key . length ) {
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_NO_USER_SESSION_KEY ;
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22 16:19:38 +03:00
}
2003-11-23 03:04:29 +03:00
SamOEMhashBlob ( ctr - > info . id24 - > pass , 516 , & p - > session_key ) ;
2001-06-20 23:55:59 +04:00
dump_data ( 100 , ( char * ) ctr - > info . id24 - > pass , 516 ) ;
2005-03-22 21:07:58 +03:00
if ( ! set_user_info_pw ( ctr - > info . id24 - > pass , pwd ) )
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
break ;
2001-06-20 23:55:59 +04:00
case 25 :
#if 0
/*
* Currently we don ' t really know how to unmarshall
* the level 25 struct , and the password encryption
* is different . This is a placeholder for when we
* do understand it . In the meantime just return INVALID
* info level and W2K SP2 drops down to level 23. . . JRA .
*/
2003-11-23 03:04:29 +03:00
if ( ! p - > session_key . length ) {
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_NO_USER_SESSION_KEY ;
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22 16:19:38 +03:00
}
2003-11-23 03:04:29 +03:00
SamOEMhashBlob ( ctr - > info . id25 - > pass , 532 , & p - > session_key ) ;
2001-06-20 23:55:59 +04:00
dump_data ( 100 , ( char * ) ctr - > info . id25 - > pass , 532 ) ;
2002-07-15 14:35:28 +04:00
if ( ! set_user_info_pw ( ctr - > info . id25 - > pass , & sid ) )
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_ACCESS_DENIED ;
2001-06-20 23:55:59 +04:00
break ;
# endif
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_INVALID_INFO_CLASS ;
break ;
2001-06-20 23:55:59 +04:00
2001-02-27 21:22:39 +03:00
case 23 :
2003-11-23 03:04:29 +03:00
if ( ! p - > session_key . length ) {
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_NO_USER_SESSION_KEY ;
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22 16:19:38 +03:00
}
2003-11-23 03:04:29 +03:00
SamOEMhashBlob ( ctr - > info . id23 - > pass , 516 , & p - > session_key ) ;
2001-06-20 23:55:59 +04:00
dump_data ( 100 , ( char * ) ctr - > info . id23 - > pass , 516 ) ;
2005-01-26 23:36:44 +03:00
if ( ! set_user_info_23 ( ctr - > info . id23 , pwd ) )
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
break ;
default :
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_INVALID_INFO_CLASS ;
2001-02-27 21:22:39 +03:00
}
2005-01-07 02:27:28 +03:00
2005-01-26 23:36:44 +03:00
if ( has_enough_rights )
2005-01-07 02:27:28 +03:00
unbecome_root ( ) ;
2005-01-13 21:20:37 +03:00
/* ================ END SeMachineAccountPrivilege BLOCK ================ */
2005-01-07 02:27:28 +03:00
2005-11-19 02:15:47 +03:00
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
force_flush_samr_cache ( disp_info ) ;
}
2001-02-27 21:22:39 +03:00
return r_u - > status ;
}
/*******************************************************************
samr_reply_set_userinfo2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_set_userinfo2 ( pipes_struct * p , SAMR_Q_SET_USERINFO2 * q_u , SAMR_R_SET_USERINFO2 * r_u )
2001-02-27 21:22:39 +03:00
{
2005-01-26 23:36:44 +03:00
SAM_ACCOUNT * pwd = NULL ;
2001-02-27 21:22:39 +03:00
DOM_SID sid ;
2001-03-11 03:32:10 +03:00
SAM_USERINFO_CTR * ctr = q_u - > ctr ;
2001-02-27 21:22:39 +03:00
POLICY_HND * pol = & q_u - > pol ;
uint16 switch_value = q_u - > switch_value ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
uint32 acc_required ;
2005-01-26 23:36:44 +03:00
BOOL ret ;
2005-02-16 22:51:16 +03:00
BOOL has_enough_rights = False ;
2005-02-03 19:23:49 +03:00
uint32 acb_info ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-02-27 21:22:39 +03:00
DEBUG ( 5 , ( " samr_reply_set_userinfo2: %d \n " , __LINE__ ) ) ;
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , pol , & sid , & acc_granted , & disp_info ) )
2001-02-27 21:22:39 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-27 05:16:02 +03:00
/* observed when joining XP client to Samba domain */
acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , acc_required , " _samr_set_userinfo2 " ) ) ) {
return r_u - > status ;
}
2001-02-27 21:22:39 +03:00
2002-07-15 14:35:28 +04:00
DEBUG ( 5 , ( " samr_reply_set_userinfo2: sid:%s \n " , sid_string_static ( & sid ) ) ) ;
2001-02-27 21:22:39 +03:00
if ( ctr = = NULL ) {
DEBUG ( 5 , ( " samr_reply_set_userinfo2: NULL info level \n " ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
}
2001-03-11 03:32:10 +03:00
switch_value = ctr - > switch_value ;
2001-02-27 21:22:39 +03:00
2005-01-26 23:36:44 +03:00
pdb_init_sam ( & pwd ) ;
become_root ( ) ;
ret = pdb_getsampwsid ( pwd , & sid ) ;
unbecome_root ( ) ;
if ( ! ret ) {
pdb_free_sam ( & pwd ) ;
return NT_STATUS_NO_SUCH_USER ;
}
2005-02-03 19:23:49 +03:00
acb_info = pdb_get_acct_ctrl ( pwd ) ;
if ( acb_info & ACB_WSTRUST )
has_enough_rights = user_has_privileges ( p - > pipe_user . nt_user_token , & se_machine_account ) ;
else if ( acb_info & ACB_NORMAL )
has_enough_rights = user_has_privileges ( p - > pipe_user . nt_user_token , & se_add_users ) ;
else if ( acb_info & ( ACB_SVRTRUST | ACB_DOMTRUST ) ) {
if ( lp_enable_privileges ( ) )
has_enough_rights = nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) ;
}
2005-09-30 21:13:37 +04:00
2005-01-26 23:36:44 +03:00
DEBUG ( 5 , ( " _samr_set_userinfo: %s does%s possess sufficient rights \n " ,
p - > pipe_user_name , has_enough_rights ? " " : " not " ) ) ;
2005-01-07 02:27:28 +03:00
2005-01-13 21:20:37 +03:00
/* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
2005-01-07 02:27:28 +03:00
2005-01-26 23:36:44 +03:00
if ( has_enough_rights )
become_root ( ) ;
2001-02-27 21:22:39 +03:00
/* ok! user info levels (lots: see MSDEV help), off we go... */
2005-01-07 02:27:28 +03:00
2001-02-27 21:22:39 +03:00
switch ( switch_value ) {
2005-10-12 00:14:04 +04:00
case 7 :
r_u - > status = set_user_info_7 ( ctr - > info . id7 , pwd ) ;
break ;
2001-02-27 21:22:39 +03:00
case 16 :
2005-07-19 04:59:25 +04:00
if ( ! set_user_info_16 ( ctr - > info . id16 , pwd ) )
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
break ;
2001-03-13 22:21:51 +03:00
case 18 :
/* Used by AS/U JRA. */
2005-07-19 04:59:25 +04:00
if ( ! set_user_info_18 ( ctr - > info . id18 , pwd ) )
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_ACCESS_DENIED ;
2001-03-13 22:21:51 +03:00
break ;
2005-01-27 05:16:02 +03:00
case 20 :
if ( ! set_user_info_20 ( ctr - > info . id20 , pwd ) )
r_u - > status = NT_STATUS_ACCESS_DENIED ;
break ;
case 21 :
if ( ! set_user_info_21 ( ctr - > info . id21 , pwd ) )
return NT_STATUS_ACCESS_DENIED ;
break ;
2001-02-27 21:22:39 +03:00
default :
2005-01-07 02:27:28 +03:00
r_u - > status = NT_STATUS_INVALID_INFO_CLASS ;
2001-02-27 21:22:39 +03:00
}
2005-01-26 23:36:44 +03:00
if ( has_enough_rights )
2005-01-07 02:27:28 +03:00
unbecome_root ( ) ;
2005-01-13 21:20:37 +03:00
/* ================ END SeMachineAccountPrivilege BLOCK ================ */
2005-01-07 02:27:28 +03:00
2005-11-19 02:15:47 +03:00
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
force_flush_samr_cache ( disp_info ) ;
}
2001-02-27 21:22:39 +03:00
return r_u - > status ;
}
/*********************************************************************
_samr_query_aliasmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_useraliases ( pipes_struct * p , SAMR_Q_QUERY_USERALIASES * q_u , SAMR_R_QUERY_USERALIASES * r_u )
2001-02-27 21:22:39 +03:00
{
2005-10-18 07:24:00 +04:00
size_t num_alias_rids ;
2005-03-27 20:33:04 +04:00
uint32 * alias_rids ;
2001-12-05 18:41:44 +03:00
struct samr_info * info = NULL ;
2005-10-18 07:24:00 +04:00
size_t i ;
2002-09-26 22:37:55 +04:00
NTSTATUS ntstatus1 ;
NTSTATUS ntstatus2 ;
2004-11-06 02:34:00 +03:00
DOM_SID * members ;
BOOL res ;
2001-03-23 03:50:31 +03:00
2001-12-05 18:41:44 +03:00
r_u - > status = NT_STATUS_OK ;
2001-12-02 04:45:50 +03:00
2001-12-05 18:41:44 +03:00
DEBUG ( 5 , ( " _samr_query_useraliases: %d \n " , __LINE__ ) ) ;
2001-03-23 03:50:31 +03:00
2001-12-05 18:41:44 +03:00
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) & info ) )
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
ntstatus1 = access_check_samr_function ( info - > acc_granted , SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM , " _samr_query_useraliases " ) ;
ntstatus2 = access_check_samr_function ( info - > acc_granted , SA_RIGHT_DOMAIN_OPEN_ACCOUNT , " _samr_query_useraliases " ) ;
2002-09-26 22:37:55 +04:00
if ( ! NT_STATUS_IS_OK ( ntstatus1 ) | | ! NT_STATUS_IS_OK ( ntstatus2 ) ) {
if ( ! ( NT_STATUS_EQUAL ( ntstatus1 , NT_STATUS_ACCESS_DENIED ) & & NT_STATUS_IS_OK ( ntstatus2 ) ) & &
! ( NT_STATUS_EQUAL ( ntstatus1 , NT_STATUS_ACCESS_DENIED ) & & NT_STATUS_IS_OK ( ntstatus1 ) ) ) {
return ( NT_STATUS_IS_OK ( ntstatus1 ) ) ? ntstatus2 : ntstatus1 ;
}
}
2001-03-23 03:50:31 +03:00
2001-12-05 18:41:44 +03:00
if ( ! sid_check_is_domain ( & info - > sid ) & &
! sid_check_is_builtin ( & info - > sid ) )
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2004-12-07 21:25:53 +03:00
members = TALLOC_ARRAY ( p - > mem_ctx , DOM_SID , q_u - > num_sids1 ) ;
2001-12-05 18:41:44 +03:00
2004-11-06 02:34:00 +03:00
if ( members = = NULL )
return NT_STATUS_NO_MEMORY ;
2001-12-05 18:41:44 +03:00
2004-11-06 02:34:00 +03:00
for ( i = 0 ; i < q_u - > num_sids1 ; i + + )
sid_copy ( & members [ i ] , & q_u - > sid [ i ] . sid ) ;
2001-03-23 03:50:31 +03:00
2005-03-27 20:33:04 +04:00
alias_rids = NULL ;
num_alias_rids = 0 ;
2004-11-06 02:34:00 +03:00
become_root ( ) ;
2005-03-27 20:33:04 +04:00
res = pdb_enum_alias_memberships ( p - > mem_ctx , & info - > sid , members ,
q_u - > num_sids1 ,
& alias_rids , & num_alias_rids ) ;
2004-11-06 02:34:00 +03:00
unbecome_root ( ) ;
if ( ! res )
return NT_STATUS_UNSUCCESSFUL ;
2001-12-05 18:41:44 +03:00
2005-03-27 20:33:04 +04:00
init_samr_r_query_useraliases ( r_u , num_alias_rids , alias_rids ,
NT_STATUS_OK ) ;
2001-12-05 18:41:44 +03:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_query_aliasmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_aliasmem ( pipes_struct * p , SAMR_Q_QUERY_ALIASMEM * q_u , SAMR_R_QUERY_ALIASMEM * r_u )
2001-02-27 21:22:39 +03:00
{
2005-10-18 07:24:00 +04:00
size_t i ;
size_t num_sids = 0 ;
2001-03-23 03:50:31 +03:00
DOM_SID2 * sid ;
2004-01-02 08:32:07 +03:00
DOM_SID * sids = NULL ;
2001-03-23 03:50:31 +03:00
DOM_SID alias_sid ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2001-03-23 03:50:31 +03:00
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > alias_pol , & alias_sid , & acc_granted , NULL ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-09-26 22:37:55 +04:00
if ( ! NT_STATUS_IS_OK ( r_u - > status =
2002-11-02 15:53:13 +03:00
access_check_samr_function ( acc_granted , SA_RIGHT_ALIAS_GET_MEMBERS , " _samr_query_aliasmem " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-03-23 03:50:31 +03:00
2004-04-07 16:43:44 +04:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_static ( & alias_sid ) ) ) ;
2001-03-23 03:50:31 +03:00
2004-04-07 16:43:44 +04:00
if ( ! pdb_enum_aliasmem ( & alias_sid , & sids , & num_sids ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_ALIAS ;
2004-12-07 21:25:53 +03:00
sid = TALLOC_ZERO_ARRAY ( p - > mem_ctx , DOM_SID2 , num_sids ) ;
2004-01-02 08:32:07 +03:00
if ( num_sids ! = 0 & & sid = = NULL ) {
SAFE_FREE ( sids ) ;
2001-05-08 20:33:18 +04:00
return NT_STATUS_NO_MEMORY ;
2004-01-02 08:32:07 +03:00
}
2001-03-23 03:50:31 +03:00
2004-01-02 08:32:07 +03:00
for ( i = 0 ; i < num_sids ; i + + ) {
init_dom_sid2 ( & sid [ i ] , & sids [ i ] ) ;
2001-03-23 03:50:31 +03:00
}
2004-01-02 08:32:07 +03:00
init_samr_r_query_aliasmem ( r_u , num_sids , sid , NT_STATUS_OK ) ;
SAFE_FREE ( sids ) ;
2001-03-23 03:50:31 +03:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
2004-04-07 16:43:44 +04:00
static void add_uid_to_array_unique ( uid_t uid , uid_t * * uids , int * num )
{
int i ;
for ( i = 0 ; i < * num ; i + + ) {
if ( ( * uids ) [ i ] = = uid )
return ;
}
2004-12-07 21:25:53 +03:00
* uids = SMB_REALLOC_ARRAY ( * uids , uid_t , * num + 1 ) ;
2004-04-07 16:43:44 +04:00
if ( * uids = = NULL )
return ;
( * uids ) [ * num ] = uid ;
* num + = 1 ;
}
static BOOL get_memberuids ( gid_t gid , uid_t * * uids , int * num )
{
struct group * grp ;
char * * gr ;
struct sys_pwent * userlist , * user ;
* uids = NULL ;
* num = 0 ;
/* We only look at our own sam, so don't care about imported stuff */
winbind_off ( ) ;
if ( ( grp = getgrgid ( gid ) ) = = NULL ) {
winbind_on ( ) ;
return False ;
}
/* Primary group members */
userlist = getpwent_list ( ) ;
for ( user = userlist ; user ! = NULL ; user = user - > next ) {
if ( user - > pw_gid ! = gid )
continue ;
add_uid_to_array_unique ( user - > pw_uid , uids , num ) ;
}
pwent_free ( userlist ) ;
/* Secondary group members */
2004-05-21 04:13:16 +04:00
for ( gr = grp - > gr_mem ; ( * gr ! = NULL ) & & ( ( * gr ) [ 0 ] ! = ' \0 ' ) ; gr + = 1 ) {
2004-04-07 16:43:44 +04:00
struct passwd * pw = getpwnam ( * gr ) ;
if ( pw = = NULL )
continue ;
add_uid_to_array_unique ( pw - > pw_uid , uids , num ) ;
}
winbind_on ( ) ;
return True ;
}
2001-02-27 21:22:39 +03:00
/*********************************************************************
_samr_query_groupmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_groupmem ( pipes_struct * p , SAMR_Q_QUERY_GROUPMEM * q_u , SAMR_R_QUERY_GROUPMEM * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID group_sid ;
fstring group_sid_str ;
2005-10-18 07:24:00 +04:00
size_t i , num_members ;
2001-03-23 03:50:31 +03:00
uint32 * rid = NULL ;
uint32 * attr = NULL ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2001-03-23 03:50:31 +03:00
2005-02-20 16:47:16 +03:00
NTSTATUS result ;
2001-03-23 03:50:31 +03:00
/* find the policy handle. open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > group_pol , & group_sid , & acc_granted , NULL ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_GROUP_GET_MEMBERS , " _samr_query_groupmem " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-03-23 03:50:31 +03:00
sid_to_string ( group_sid_str , & group_sid ) ;
DEBUG ( 10 , ( " sid is %s \n " , group_sid_str ) ) ;
2004-02-16 17:24:35 +03:00
if ( ! sid_check_is_in_our_domain ( & group_sid ) ) {
DEBUG ( 3 , ( " sid %s is not in our domain \n " , group_sid_str ) ) ;
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2004-02-16 17:24:35 +03:00
}
2001-03-23 03:50:31 +03:00
DEBUG ( 10 , ( " lookup on Domain SID \n " ) ) ;
2005-02-20 16:47:16 +03:00
become_root ( ) ;
result = pdb_enum_group_members ( p - > mem_ctx , & group_sid ,
& rid , & num_members ) ;
unbecome_root ( ) ;
2001-03-23 03:50:31 +03:00
2005-02-20 16:47:16 +03:00
if ( ! NT_STATUS_IS_OK ( result ) )
return result ;
2001-03-23 03:50:31 +03:00
2005-02-20 16:47:16 +03:00
attr = TALLOC_ZERO_ARRAY ( p - > mem_ctx , uint32 , num_members ) ;
2001-03-23 03:50:31 +03:00
2005-02-20 16:47:16 +03:00
if ( ( num_members ! = 0 ) & & ( rid = = NULL ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_MEMORY ;
2005-02-20 16:47:16 +03:00
for ( i = 0 ; i < num_members ; i + + )
attr [ i ] = SID_NAME_USER ;
2004-04-07 16:43:44 +04:00
2005-02-20 16:47:16 +03:00
init_samr_r_query_groupmem ( r_u , num_members , rid , attr , NT_STATUS_OK ) ;
2001-03-23 03:50:31 +03:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_add_aliasmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_add_aliasmem ( pipes_struct * p , SAMR_Q_ADD_ALIASMEM * q_u , SAMR_R_ADD_ALIASMEM * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID alias_sid ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
BOOL ret ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-03-23 03:50:31 +03:00
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > alias_pol , & alias_sid , & acc_granted , & disp_info ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_ALIAS_ADD_MEMBER , " _samr_add_aliasmem " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2004-04-07 16:43:44 +04:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_static ( & alias_sid ) ) ) ;
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
2001-11-29 19:05:05 +03:00
2005-01-19 19:52:19 +03:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
ret = pdb_add_aliasmem ( & alias_sid , & q_u - > sid . sid ) ;
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
2005-11-19 02:15:47 +03:00
if ( ret ) {
force_flush_samr_cache ( disp_info ) ;
}
2005-01-19 19:52:19 +03:00
return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_del_aliasmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_del_aliasmem ( pipes_struct * p , SAMR_Q_DEL_ALIASMEM * q_u , SAMR_R_DEL_ALIASMEM * r_u )
2001-02-27 21:22:39 +03:00
{
2001-12-10 18:03:16 +03:00
DOM_SID alias_sid ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
BOOL ret ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-12-10 18:03:16 +03:00
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > alias_pol , & alias_sid , & acc_granted , & disp_info ) )
2001-12-10 18:03:16 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_ALIAS_REMOVE_MEMBER , " _samr_del_aliasmem " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2004-04-07 16:43:44 +04:00
DEBUG ( 10 , ( " _samr_del_aliasmem:sid is %s \n " ,
sid_string_static ( & alias_sid ) ) ) ;
2001-12-10 18:03:16 +03:00
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
/******** BEGIN SeAddUsers BLOCK *********/
2004-04-07 16:43:44 +04:00
2005-01-19 19:52:19 +03:00
if ( can_add_accounts )
become_root ( ) ;
ret = pdb_del_aliasmem ( & alias_sid , & q_u - > sid . sid ) ;
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
2005-11-19 02:15:47 +03:00
if ( ret ) {
force_flush_samr_cache ( disp_info ) ;
}
2005-01-19 19:52:19 +03:00
return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_add_groupmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_add_groupmem ( pipes_struct * p , SAMR_Q_ADD_GROUPMEM * q_u , SAMR_R_ADD_GROUPMEM * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID group_sid ;
2002-07-15 14:35:28 +04:00
DOM_SID user_sid ;
2001-03-23 03:50:31 +03:00
fstring group_sid_str ;
2003-05-16 22:30:22 +04:00
uid_t uid ;
2001-03-23 03:50:31 +03:00
struct passwd * pwd ;
struct group * grp ;
fstring grp_name ;
GROUP_MAP map ;
2002-03-19 02:57:14 +03:00
NTSTATUS ret ;
2002-11-02 06:47:48 +03:00
SAM_ACCOUNT * sam_user = NULL ;
2002-03-19 02:57:14 +03:00
BOOL check ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-03-23 03:50:31 +03:00
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & group_sid , & acc_granted , & disp_info ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_GROUP_ADD_MEMBER , " _samr_add_groupmem " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-03-23 03:50:31 +03:00
sid_to_string ( group_sid_str , & group_sid ) ;
DEBUG ( 10 , ( " sid is %s \n " , group_sid_str ) ) ;
2002-07-15 14:35:28 +04:00
if ( sid_compare ( & group_sid , get_global_sam_sid ( ) ) < = 0 )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
DEBUG ( 10 , ( " lookup on Domain SID \n " ) ) ;
2003-06-18 19:24:10 +04:00
if ( ! get_domain_group_from_sid ( group_sid , & map ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2002-07-15 14:35:28 +04:00
sid_copy ( & user_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & user_sid , q_u - > rid ) ;
2002-03-19 02:57:14 +03:00
ret = pdb_init_sam ( & sam_user ) ;
2002-07-15 14:35:28 +04:00
if ( ! NT_STATUS_IS_OK ( ret ) )
2002-03-19 02:57:14 +03:00
return ret ;
2002-07-15 14:35:28 +04:00
check = pdb_getsampwsid ( sam_user , & user_sid ) ;
2002-03-19 02:57:14 +03:00
2002-03-19 16:57:53 +03:00
if ( check ! = True ) {
pdb_free_sam ( & sam_user ) ;
2002-03-19 02:57:14 +03:00
return NT_STATUS_NO_SUCH_USER ;
2002-03-19 16:57:53 +03:00
}
2003-05-16 22:30:22 +04:00
/* check a real user exist before we run the script to add a user to a group */
2003-06-22 14:09:52 +04:00
if ( ! NT_STATUS_IS_OK ( sid_to_uid ( pdb_get_user_sid ( sam_user ) , & uid ) ) ) {
2003-05-16 22:30:22 +04:00
pdb_free_sam ( & sam_user ) ;
return NT_STATUS_NO_SUCH_USER ;
}
pdb_free_sam ( & sam_user ) ;
if ( ( pwd = getpwuid_alloc ( uid ) ) = = NULL ) {
return NT_STATUS_NO_SUCH_USER ;
}
2002-11-02 06:47:48 +03:00
if ( ( grp = getgrgid ( map . gid ) ) = = NULL ) {
passwd_free ( & pwd ) ;
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2002-11-02 06:47:48 +03:00
}
2001-03-23 03:50:31 +03:00
2003-02-24 05:35:54 +03:00
/* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
2001-03-23 03:50:31 +03:00
fstrcpy ( grp_name , grp - > gr_name ) ;
/* if the user is already in the group */
2003-02-24 05:35:54 +03:00
if ( user_in_unix_group_list ( pwd - > pw_name , grp_name ) ) {
2002-11-02 06:47:48 +03:00
passwd_free ( & pwd ) ;
2001-03-23 03:50:31 +03:00
return NT_STATUS_MEMBER_IN_GROUP ;
2002-11-02 06:47:48 +03:00
}
2001-03-23 03:50:31 +03:00
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
2001-03-23 03:50:31 +03:00
/*
* ok , the group exist , the user exist , the user is not in the group ,
*
* we can ( finally ) add it to the group !
*/
smb_add_user_group ( grp_name , pwd - > pw_name ) ;
2005-01-19 19:52:19 +03:00
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
2001-03-23 03:50:31 +03:00
/* check if the user has been added then ... */
2003-02-24 05:35:54 +03:00
if ( ! user_in_unix_group_list ( pwd - > pw_name , grp_name ) ) {
2002-11-02 06:47:48 +03:00
passwd_free ( & pwd ) ;
2001-03-23 03:50:31 +03:00
return NT_STATUS_MEMBER_NOT_IN_GROUP ; /* don't know what to reply else */
2002-11-02 06:47:48 +03:00
}
2001-03-23 03:50:31 +03:00
2002-11-02 06:47:48 +03:00
passwd_free ( & pwd ) ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_del_groupmem
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_del_groupmem ( pipes_struct * p , SAMR_Q_DEL_GROUPMEM * q_u , SAMR_R_DEL_GROUPMEM * r_u )
2001-02-27 21:22:39 +03:00
{
2001-12-10 18:03:16 +03:00
DOM_SID group_sid ;
2002-07-15 14:35:28 +04:00
DOM_SID user_sid ;
2001-12-10 18:03:16 +03:00
SAM_ACCOUNT * sam_pass = NULL ;
GROUP_MAP map ;
fstring grp_name ;
struct group * grp ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-12-10 18:03:16 +03:00
/*
* delete the group member named q_u - > rid
* who is a member of the sid associated with the handle
* the rid is a user ' s rid as the group is a domain group .
*/
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & group_sid , & acc_granted , & disp_info ) )
2001-12-10 18:03:16 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_GROUP_REMOVE_MEMBER , " _samr_del_groupmem " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
if ( ! sid_check_is_in_our_domain ( & group_sid ) )
2001-12-10 18:03:16 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2002-07-15 14:35:28 +04:00
sid_copy ( & user_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & user_sid , q_u - > rid ) ;
2001-12-10 18:03:16 +03:00
2003-06-18 19:24:10 +04:00
if ( ! get_domain_group_from_sid ( group_sid , & map ) )
2001-12-10 18:03:16 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
if ( ( grp = getgrgid ( map . gid ) ) = = NULL )
return NT_STATUS_NO_SUCH_GROUP ;
/* we need to copy the name otherwise it's overloaded in user_in_group_list */
fstrcpy ( grp_name , grp - > gr_name ) ;
/* check if the user exists before trying to remove it from the group */
pdb_init_sam ( & sam_pass ) ;
2002-07-15 14:35:28 +04:00
if ( ! pdb_getsampwsid ( sam_pass , & user_sid ) ) {
2002-01-02 10:41:54 +03:00
DEBUG ( 5 , ( " User %s doesn't exist. \n " , pdb_get_username ( sam_pass ) ) ) ;
2001-12-10 18:03:16 +03:00
pdb_free_sam ( & sam_pass ) ;
return NT_STATUS_NO_SUCH_USER ;
}
/* if the user is not in the group */
2003-02-24 05:35:54 +03:00
if ( ! user_in_unix_group_list ( pdb_get_username ( sam_pass ) , grp_name ) ) {
2001-12-10 18:03:16 +03:00
pdb_free_sam ( & sam_pass ) ;
return NT_STATUS_MEMBER_NOT_IN_GROUP ;
}
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
2001-12-10 18:03:16 +03:00
2005-01-19 19:52:19 +03:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
2002-01-02 10:41:54 +03:00
smb_delete_user_group ( grp_name , pdb_get_username ( sam_pass ) ) ;
2001-12-10 18:03:16 +03:00
2005-01-19 19:52:19 +03:00
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
2001-12-10 18:03:16 +03:00
/* check if the user has been removed then ... */
2003-02-24 05:35:54 +03:00
if ( user_in_unix_group_list ( pdb_get_username ( sam_pass ) , grp_name ) ) {
2001-12-10 18:03:16 +03:00
pdb_free_sam ( & sam_pass ) ;
return NT_STATUS_ACCESS_DENIED ; /* don't know what to reply else */
}
pdb_free_sam ( & sam_pass ) ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-12-10 18:03:16 +03:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
2002-07-15 14:35:28 +04:00
/****************************************************************************
Delete a UNIX user on demand .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static int smb_delete_user ( const char * unix_user )
{
pstring del_script ;
int ret ;
pstrcpy ( del_script , lp_deluser_script ( ) ) ;
if ( ! * del_script )
return - 1 ;
2004-09-14 04:21:11 +04:00
all_string_sub ( del_script , " %u " , unix_user , sizeof ( del_script ) ) ;
2002-07-15 14:35:28 +04:00
ret = smbrun ( del_script , NULL ) ;
2005-03-03 19:52:44 +03:00
flush_pwnam_cache ( ) ;
2005-02-07 21:20:06 +03:00
DEBUG ( ret ? 0 : 3 , ( " smb_delete_user: Running the command `%s' gave %d \n " , del_script , ret ) ) ;
2003-07-11 09:33:40 +04:00
2002-07-15 14:35:28 +04:00
return ret ;
}
2001-02-27 21:22:39 +03:00
/*********************************************************************
_samr_delete_dom_user
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_delete_dom_user ( pipes_struct * p , SAMR_Q_DELETE_DOM_USER * q_u , SAMR_R_DELETE_DOM_USER * r_u )
2001-02-27 21:22:39 +03:00
{
2001-12-10 18:03:16 +03:00
DOM_SID user_sid ;
SAM_ACCOUNT * sam_pass = NULL ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
BOOL can_add_accounts ;
BOOL ret ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-12-10 18:03:16 +03:00
DEBUG ( 5 , ( " _samr_delete_dom_user: %d \n " , __LINE__ ) ) ;
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > user_pol , & user_sid , & acc_granted , & disp_info ) )
2001-12-10 18:03:16 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , STD_RIGHT_DELETE_ACCESS , " _samr_delete_dom_user " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-12-10 18:03:16 +03:00
if ( ! sid_check_is_in_our_domain ( & user_sid ) )
return NT_STATUS_CANNOT_DELETE ;
/* check if the user exists before trying to delete */
pdb_init_sam ( & sam_pass ) ;
2002-07-15 14:35:28 +04:00
if ( ! pdb_getsampwsid ( sam_pass , & user_sid ) ) {
2003-08-20 20:07:19 +04:00
DEBUG ( 5 , ( " _samr_delete_dom_user:User %s doesn't exist. \n " ,
sid_string_static ( & user_sid ) ) ) ;
2001-12-10 18:03:16 +03:00
pdb_free_sam ( & sam_pass ) ;
return NT_STATUS_NO_SUCH_USER ;
}
2005-01-19 19:52:19 +03:00
2005-03-22 17:20:25 +03:00
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_add_users ) ;
2001-12-10 18:03:16 +03:00
2005-01-19 19:52:19 +03:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
/* First delete the samba side....
code is order to prevent unnecessary returns out of the admin
block of code */
if ( ( ret = pdb_delete_sam_account ( sam_pass ) ) = = True ) {
/*
* Now delete the unix side . . . .
* note : we don ' t check if the delete really happened
* as the script is not necessary present
* and maybe the sysadmin doesn ' t want to delete the unix side
*/
smb_delete_user ( pdb_get_username ( sam_pass ) ) ;
}
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
if ( ! ret ) {
2004-09-22 04:33:09 +04:00
DEBUG ( 5 , ( " _samr_delete_dom_user:Failed to delete entry for user %s. \n " , pdb_get_username ( sam_pass ) ) ) ;
pdb_free_sam ( & sam_pass ) ;
return NT_STATUS_CANNOT_DELETE ;
}
2001-12-10 18:03:16 +03:00
pdb_free_sam ( & sam_pass ) ;
if ( ! close_policy_hnd ( p , & q_u - > user_pol ) )
return NT_STATUS_OBJECT_NAME_INVALID ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-12-10 18:03:16 +03:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_delete_dom_group
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_delete_dom_group ( pipes_struct * p , SAMR_Q_DELETE_DOM_GROUP * q_u , SAMR_R_DELETE_DOM_GROUP * r_u )
2001-02-27 21:22:39 +03:00
{
2001-07-09 22:25:40 +04:00
DOM_SID group_sid ;
DOM_SID dom_sid ;
uint32 group_rid ;
fstring group_sid_str ;
gid_t gid ;
struct group * grp ;
GROUP_MAP map ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
BOOL ret ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-07-09 22:25:40 +04:00
DEBUG ( 5 , ( " samr_delete_dom_group: %d \n " , __LINE__ ) ) ;
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > group_pol , & group_sid , & acc_granted , & disp_info ) )
2001-07-09 22:25:40 +04:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , STD_RIGHT_DELETE_ACCESS , " _samr_delete_dom_group " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-07-09 22:25:40 +04:00
sid_copy ( & dom_sid , & group_sid ) ;
sid_to_string ( group_sid_str , & dom_sid ) ;
sid_split_rid ( & dom_sid , & group_rid ) ;
DEBUG ( 10 , ( " sid is %s \n " , group_sid_str ) ) ;
/* we check if it's our SID before deleting */
2002-07-15 14:35:28 +04:00
if ( ! sid_equal ( & dom_sid , get_global_sam_sid ( ) ) )
2001-07-09 22:25:40 +04:00
return NT_STATUS_NO_SUCH_GROUP ;
DEBUG ( 10 , ( " lookup on Domain SID \n " ) ) ;
2003-06-18 19:24:10 +04:00
if ( ! get_domain_group_from_sid ( group_sid , & map ) )
2001-12-10 18:03:16 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2001-07-09 22:25:40 +04:00
gid = map . gid ;
/* check if group really exists */
2005-09-30 21:13:37 +04:00
if ( ( grp = getgrgid ( gid ) ) = = NULL )
2001-07-09 22:25:40 +04:00
return NT_STATUS_NO_SUCH_GROUP ;
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
2003-12-16 21:35:23 +03:00
/* delete mapping first */
2005-01-19 19:52:19 +03:00
if ( ( ret = pdb_delete_group_mapping_entry ( group_sid ) ) = = True ) {
smb_delete_group ( grp - > gr_name ) ;
}
2001-07-09 22:25:40 +04:00
2005-01-19 19:52:19 +03:00
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
if ( ! ret ) {
DEBUG ( 5 , ( " _samr_delete_dom_group: Failed to delete mapping entry for group %s. \n " ,
group_sid_str ) ) ;
2001-07-09 22:25:40 +04:00
return NT_STATUS_ACCESS_DENIED ;
2005-01-19 19:52:19 +03:00
}
/* don't check that the unix group has been deleted. Work like
_samr_delet_dom_user ( ) */
2001-07-09 22:25:40 +04:00
if ( ! close_policy_hnd ( p , & q_u - > group_pol ) )
return NT_STATUS_OBJECT_NAME_INVALID ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_delete_dom_alias
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_delete_dom_alias ( pipes_struct * p , SAMR_Q_DELETE_DOM_ALIAS * q_u , SAMR_R_DELETE_DOM_ALIAS * r_u )
2001-02-27 21:22:39 +03:00
{
2001-07-09 22:25:40 +04:00
DOM_SID alias_sid ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
BOOL ret ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-07-09 22:25:40 +04:00
DEBUG ( 5 , ( " _samr_delete_dom_alias: %d \n " , __LINE__ ) ) ;
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > alias_pol , & alias_sid , & acc_granted , & disp_info ) )
2001-07-09 22:25:40 +04:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , STD_RIGHT_DELETE_ACCESS , " _samr_delete_dom_alias " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-07-09 22:25:40 +04:00
2004-04-07 16:43:44 +04:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_static ( & alias_sid ) ) ) ;
2001-07-09 22:25:40 +04:00
2004-04-07 16:43:44 +04:00
if ( ! sid_check_is_in_our_domain ( & alias_sid ) )
2001-07-09 22:25:40 +04:00
return NT_STATUS_NO_SUCH_ALIAS ;
2004-04-07 16:43:44 +04:00
2001-07-09 22:25:40 +04:00
DEBUG ( 10 , ( " lookup on Local SID \n " ) ) ;
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
2004-04-07 16:43:44 +04:00
/* Have passdb delete the alias */
2005-01-19 19:52:19 +03:00
ret = pdb_delete_alias ( & alias_sid ) ;
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
if ( ! ret )
2001-07-09 22:25:40 +04:00
return NT_STATUS_ACCESS_DENIED ;
if ( ! close_policy_hnd ( p , & q_u - > alias_pol ) )
return NT_STATUS_OBJECT_NAME_INVALID ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_create_dom_group
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_create_dom_group ( pipes_struct * p , SAMR_Q_CREATE_DOM_GROUP * q_u , SAMR_R_CREATE_DOM_GROUP * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID dom_sid ;
DOM_SID info_sid ;
fstring name ;
fstring sid_string ;
struct group * grp ;
struct samr_info * info ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2002-09-25 19:19:00 +04:00
gid_t gid ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
NTSTATUS result ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-11-29 19:05:05 +03:00
2001-03-23 03:50:31 +03:00
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & dom_sid , & acc_granted , & disp_info ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_DOMAIN_CREATE_GROUP , " _samr_create_dom_group " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
if ( ! sid_equal ( & dom_sid , get_global_sam_sid ( ) ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_ACCESS_DENIED ;
unistr2_to_ascii ( name , & q_u - > uni_acct_desc , sizeof ( name ) - 1 ) ;
/* check if group already exist */
if ( ( grp = getgrnam ( name ) ) ! = NULL )
return NT_STATUS_GROUP_EXISTS ;
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
2001-03-23 03:50:31 +03:00
2005-01-19 19:52:19 +03:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
/* check that we successfully create the UNIX group */
result = NT_STATUS_ACCESS_DENIED ;
if ( ( smb_create_group ( name , & gid ) = = 0 ) & & ( ( grp = getgrgid ( gid ) ) ! = NULL ) ) {
/* so far, so good */
result = NT_STATUS_OK ;
r_u - > rid = pdb_gid_to_group_rid ( grp - > gr_gid ) ;
2002-01-02 10:27:33 +03:00
2005-01-19 19:52:19 +03:00
/* add the group to the mapping table */
sid_copy ( & info_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & info_sid , r_u - > rid ) ;
sid_to_string ( sid_string , & info_sid ) ;
/* reset the error code if we fail to add the mapping entry */
if ( ! add_initial_entry ( grp - > gr_gid , sid_string , SID_NAME_DOM_GRP , name , NULL ) )
result = NT_STATUS_ACCESS_DENIED ;
}
2001-03-23 03:50:31 +03:00
2005-01-19 19:52:19 +03:00
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
/* check if we should bail out here */
if ( ! NT_STATUS_IS_OK ( result ) )
return result ;
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( & info_sid ) ) = = NULL )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_MEMORY ;
2005-05-07 18:55:44 +04:00
/* they created it; let the user do what he wants with it */
info - > acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS ;
2001-03-23 03:50:31 +03:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_create_dom_alias
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_create_dom_alias ( pipes_struct * p , SAMR_Q_CREATE_DOM_ALIAS * q_u , SAMR_R_CREATE_DOM_ALIAS * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID dom_sid ;
2002-01-02 10:27:33 +03:00
DOM_SID info_sid ;
2001-03-23 03:50:31 +03:00
fstring name ;
struct samr_info * info ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2002-09-25 19:19:00 +04:00
gid_t gid ;
2004-04-10 20:09:48 +04:00
NTSTATUS result ;
2005-01-19 19:52:19 +03:00
SE_PRIV se_rights ;
BOOL can_add_accounts ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-11-29 19:05:05 +03:00
2001-03-23 03:50:31 +03:00
/* Find the policy handle. Open a policy on it. */
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > dom_pol , & dom_sid , & acc_granted , & disp_info ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_DOMAIN_CREATE_ALIAS , " _samr_create_alias " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
if ( ! sid_equal ( & dom_sid , get_global_sam_sid ( ) ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_ACCESS_DENIED ;
unistr2_to_ascii ( name , & q_u - > uni_acct_desc , sizeof ( name ) - 1 ) ;
2005-01-19 19:52:19 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
can_add_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_rights ) ;
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_add_accounts )
become_root ( ) ;
2004-04-07 16:43:44 +04:00
/* Have passdb create the alias */
2004-04-10 20:09:48 +04:00
result = pdb_create_alias ( name , & r_u - > rid ) ;
2005-01-19 19:52:19 +03:00
if ( can_add_accounts )
unbecome_root ( ) ;
/******** END SeAddUsers BLOCK *********/
2004-04-10 20:09:48 +04:00
if ( ! NT_STATUS_IS_OK ( result ) )
return result ;
2001-03-23 03:50:31 +03:00
2002-07-15 14:35:28 +04:00
sid_copy ( & info_sid , get_global_sam_sid ( ) ) ;
2002-01-02 10:27:33 +03:00
sid_append_rid ( & info_sid , r_u - > rid ) ;
2001-03-23 03:50:31 +03:00
2004-04-07 16:43:44 +04:00
if ( ! NT_STATUS_IS_OK ( sid_to_gid ( & info_sid , & gid ) ) )
return NT_STATUS_ACCESS_DENIED ;
/* check if the group has been successfully created */
2005-03-22 17:54:12 +03:00
if ( getgrgid ( gid ) = = NULL )
2001-05-08 20:33:18 +04:00
return NT_STATUS_ACCESS_DENIED ;
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( & info_sid ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
2005-05-02 00:05:16 +04:00
/* they created it; let the user do what he wants with it */
info - > acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS ;
2001-03-23 03:50:31 +03:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > alias_pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_query_groupinfo
2001-03-23 03:50:31 +03:00
sends the name / comment pair of a domain group
level 1 send also the number of users of that group
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_query_groupinfo ( pipes_struct * p , SAMR_Q_QUERY_GROUPINFO * q_u , SAMR_R_QUERY_GROUPINFO * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID group_sid ;
GROUP_MAP map ;
2004-01-02 08:32:07 +03:00
DOM_SID * sids = NULL ;
2004-04-07 16:43:44 +04:00
uid_t * uids ;
int num = 0 ;
2001-03-23 03:50:31 +03:00
GROUP_INFO_CTR * ctr ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2003-11-08 02:04:06 +03:00
BOOL ret ;
2001-03-23 03:50:31 +03:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & group_sid , & acc_granted , NULL ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_GROUP_LOOKUP_INFO , " _samr_query_groupinfo " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2003-11-08 02:04:06 +03:00
become_root ( ) ;
ret = get_domain_group_from_sid ( group_sid , & map ) ;
unbecome_root ( ) ;
if ( ! ret )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-11-29 19:05:05 +03:00
2004-12-07 21:25:53 +03:00
ctr = TALLOC_ZERO_P ( p - > mem_ctx , GROUP_INFO_CTR ) ;
2001-03-23 03:50:31 +03:00
if ( ctr = = NULL )
return NT_STATUS_NO_MEMORY ;
switch ( q_u - > switch_level ) {
case 1 :
ctr - > switch_value1 = 1 ;
2004-04-07 16:43:44 +04:00
if ( ! get_memberuids ( map . gid , & uids , & num ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2004-04-07 16:43:44 +04:00
SAFE_FREE ( uids ) ;
init_samr_group_info1 ( & ctr - > group . info1 , map . nt_name , map . comment , num ) ;
2004-01-02 08:32:07 +03:00
SAFE_FREE ( sids ) ;
2001-03-23 03:50:31 +03:00
break ;
2001-12-10 18:03:16 +03:00
case 3 :
ctr - > switch_value1 = 3 ;
init_samr_group_info3 ( & ctr - > group . info3 ) ;
break ;
2001-03-23 03:50:31 +03:00
case 4 :
ctr - > switch_value1 = 4 ;
init_samr_group_info4 ( & ctr - > group . info4 , map . comment ) ;
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2001-08-27 23:46:22 +04:00
init_samr_r_query_groupinfo ( r_u , ctr , NT_STATUS_OK ) ;
2001-03-23 03:50:31 +03:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_set_groupinfo
2001-03-23 03:50:31 +03:00
update a domain group ' s comment .
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_set_groupinfo ( pipes_struct * p , SAMR_Q_SET_GROUPINFO * q_u , SAMR_R_SET_GROUPINFO * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID group_sid ;
GROUP_MAP map ;
GROUP_INFO_CTR * ctr ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-09-02 17:42:56 +04:00
BOOL ret ;
BOOL can_mod_accounts ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-03-23 03:50:31 +03:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > pol , & group_sid , & acc_granted , & disp_info ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_GROUP_SET_INFO , " _samr_set_groupinfo " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2003-06-18 19:24:10 +04:00
if ( ! get_domain_group_from_sid ( group_sid , & map ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
ctr = q_u - > ctr ;
switch ( ctr - > switch_value1 ) {
case 1 :
unistr2_to_ascii ( map . comment , & ( ctr - > group . info1 . uni_acct_desc ) , sizeof ( map . comment ) - 1 ) ;
break ;
case 4 :
unistr2_to_ascii ( map . comment , & ( ctr - > group . info4 . uni_acct_desc ) , sizeof ( map . comment ) - 1 ) ;
2001-05-08 20:33:18 +04:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2005-09-02 17:42:56 +04:00
can_mod_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_add_users ) ;
2001-11-29 19:05:05 +03:00
2005-09-02 17:42:56 +04:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_mod_accounts )
become_root ( ) ;
ret = pdb_update_group_mapping_entry ( & map ) ;
if ( can_mod_accounts )
unbecome_root ( ) ;
/******** End SeAddUsers BLOCK *********/
2005-11-19 02:15:47 +03:00
if ( ret ) {
force_flush_samr_cache ( disp_info ) ;
}
2005-09-02 17:42:56 +04:00
return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED ;
2001-05-08 20:33:18 +04:00
}
/*********************************************************************
2002-09-25 19:19:00 +04:00
_samr_set_aliasinfo
2001-05-08 20:33:18 +04:00
2002-09-25 19:19:00 +04:00
update an alias ' s comment .
2001-05-08 20:33:18 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_set_aliasinfo ( pipes_struct * p , SAMR_Q_SET_ALIASINFO * q_u , SAMR_R_SET_ALIASINFO * r_u )
2001-05-08 20:33:18 +04:00
{
DOM_SID group_sid ;
2004-04-07 16:43:44 +04:00
struct acct_info info ;
2001-05-08 20:33:18 +04:00
ALIAS_INFO_CTR * ctr ;
2002-07-15 14:35:28 +04:00
uint32 acc_granted ;
2005-09-02 17:42:56 +04:00
BOOL ret ;
BOOL can_mod_accounts ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2001-05-08 20:33:18 +04:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > alias_pol , & group_sid , & acc_granted , & disp_info ) )
2001-05-08 20:33:18 +04:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2002-11-02 15:53:13 +03:00
if ( ! NT_STATUS_IS_OK ( r_u - > status = access_check_samr_function ( acc_granted , SA_RIGHT_ALIAS_SET_INFO , " _samr_set_aliasinfo " ) ) ) {
2002-07-15 14:35:28 +04:00
return r_u - > status ;
}
2001-05-08 20:33:18 +04:00
ctr = & q_u - > ctr ;
2005-05-03 18:01:39 +04:00
switch ( ctr - > level ) {
2001-05-08 20:33:18 +04:00
case 3 :
2005-05-03 18:01:39 +04:00
if ( ctr - > alias . info3 . description . string ) {
unistr2_to_ascii ( info . acct_desc ,
ctr - > alias . info3 . description . string ,
sizeof ( info . acct_desc ) - 1 ) ;
}
2001-03-23 03:50:31 +03:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2005-09-02 17:42:56 +04:00
can_mod_accounts = user_has_privileges ( p - > pipe_user . nt_user_token , & se_add_users ) ;
2001-11-29 19:05:05 +03:00
2005-09-02 17:42:56 +04:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_mod_accounts )
become_root ( ) ;
ret = pdb_set_aliasinfo ( & group_sid , & info ) ;
if ( can_mod_accounts )
unbecome_root ( ) ;
/******** End SeAddUsers BLOCK *********/
2005-11-19 02:15:47 +03:00
if ( ret ) {
force_flush_samr_cache ( disp_info ) ;
}
2005-09-02 17:42:56 +04:00
return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_get_dom_pwinfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_get_dom_pwinfo ( pipes_struct * p , SAMR_Q_GET_DOM_PWINFO * q_u , SAMR_R_GET_DOM_PWINFO * r_u )
2001-02-27 21:22:39 +03:00
{
2002-07-15 14:35:28 +04:00
/* Perform access check. Since this rpc does not require a
policy handle it will not be caught by the access checks on
SAMR_CONNECT or SAMR_CONNECT_ANON . */
if ( ! pipe_access_check ( p ) ) {
DEBUG ( 3 , ( " access denied to samr_get_dom_pwinfo \n " ) ) ;
r_u - > status = NT_STATUS_ACCESS_DENIED ;
return r_u - > status ;
}
2001-03-13 03:32:43 +03:00
/* Actually, returning zeros here works quite well :-). */
2002-07-15 14:35:28 +04:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
_samr_open_group
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _samr_open_group ( pipes_struct * p , SAMR_Q_OPEN_GROUP * q_u , SAMR_R_OPEN_GROUP * r_u )
2001-02-27 21:22:39 +03:00
{
2001-03-23 03:50:31 +03:00
DOM_SID sid ;
2002-01-02 10:27:33 +03:00
DOM_SID info_sid ;
2001-03-23 03:50:31 +03:00
GROUP_MAP map ;
struct samr_info * info ;
2002-07-15 14:35:28 +04:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2003-09-15 07:36:04 +04:00
uint32 des_access = q_u - > access_mask ;
2002-07-15 14:35:28 +04:00
size_t sd_size ;
NTSTATUS status ;
2001-03-23 03:50:31 +03:00
fstring sid_string ;
2003-11-08 02:04:06 +03:00
BOOL ret ;
2005-01-26 23:36:44 +03:00
SE_PRIV se_rights ;
2001-03-23 03:50:31 +03:00
2005-11-19 02:15:47 +03:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > domain_pol , & sid , & acc_granted , NULL ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_INVALID_HANDLE ;
2002-07-15 14:35:28 +04:00
2005-01-26 23:36:44 +03:00
status = access_check_samr_function ( acc_granted ,
SA_RIGHT_DOMAIN_OPEN_ACCOUNT , " _samr_open_group " ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
2002-07-15 14:35:28 +04:00
return status ;
/*check if access can be granted as requested by client. */
2005-02-01 01:42:30 +03:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & grp_generic_mapping , NULL , 0 ) ;
2002-07-15 14:35:28 +04:00
se_map_generic ( & des_access , & grp_generic_mapping ) ;
2005-01-26 23:36:44 +03:00
se_priv_copy ( & se_rights , & se_add_users ) ;
status = access_check_samr_object ( psd , p - > pipe_user . nt_user_token ,
& se_rights , GENERIC_RIGHTS_GROUP_WRITE , des_access ,
& acc_granted , " _samr_open_group " ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2001-03-23 03:50:31 +03:00
/* this should not be hard-coded like this */
2005-01-26 23:36:44 +03:00
2002-07-15 14:35:28 +04:00
if ( ! sid_equal ( & sid , get_global_sam_sid ( ) ) )
2001-03-23 03:50:31 +03:00
return NT_STATUS_ACCESS_DENIED ;
2002-07-15 14:35:28 +04:00
sid_copy ( & info_sid , get_global_sam_sid ( ) ) ;
2002-01-02 10:27:33 +03:00
sid_append_rid ( & info_sid , q_u - > rid_group ) ;
sid_to_string ( sid_string , & info_sid ) ;
2001-03-23 03:50:31 +03:00
2002-01-02 10:27:33 +03:00
if ( ( info = get_samr_info_by_sid ( & info_sid ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
2002-07-15 14:35:28 +04:00
info - > acc_granted = acc_granted ;
2001-03-23 03:50:31 +03:00
2001-12-02 03:06:10 +03:00
DEBUG ( 10 , ( " _samr_open_group:Opening SID: %s \n " , sid_string ) ) ;
2001-03-23 03:50:31 +03:00
/* check if that group really exists */
2003-11-08 02:04:06 +03:00
become_root ( ) ;
ret = get_domain_group_from_sid ( info - > sid , & map ) ;
unbecome_root ( ) ;
if ( ! ret )
2001-12-02 03:06:10 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2001-03-23 03:50:31 +03:00
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > pol , free_samr_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-27 21:22:39 +03:00
}
/*********************************************************************
2003-12-04 06:35:46 +03:00
_samr_remove_sid_foreign_domain
2001-02-27 21:22:39 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-12-04 06:35:46 +03:00
NTSTATUS _samr_remove_sid_foreign_domain ( pipes_struct * p ,
SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN * q_u ,
SAMR_R_REMOVE_SID_FOREIGN_DOMAIN * r_u )
2001-02-27 21:22:39 +03:00
{
2005-04-15 17:41:49 +04:00
DOM_SID delete_sid , domain_sid ;
2003-08-20 20:07:19 +04:00
uint32 acc_granted ;
2003-12-04 06:35:46 +03:00
NTSTATUS result ;
2005-11-19 02:15:47 +03:00
DISP_INFO * disp_info = NULL ;
2003-12-04 06:35:46 +03:00
sid_copy ( & delete_sid , & q_u - > sid . sid ) ;
2003-08-20 20:07:19 +04:00
2003-12-04 06:35:46 +03:00
DEBUG ( 5 , ( " _samr_remove_sid_foreign_domain: removing SID [%s] \n " ,
sid_string_static ( & delete_sid ) ) ) ;
2003-08-20 20:07:19 +04:00
/* Find the policy handle. Open a policy on it. */
2005-04-15 17:41:49 +04:00
if ( ! get_lsa_policy_samr_sid ( p , & q_u - > dom_pol , & domain_sid ,
2005-11-19 02:15:47 +03:00
& acc_granted , & disp_info ) )
2003-08-20 20:07:19 +04:00
return NT_STATUS_INVALID_HANDLE ;
2003-12-04 06:35:46 +03:00
result = access_check_samr_function ( acc_granted , STD_RIGHT_DELETE_ACCESS ,
" _samr_remove_sid_foreign_domain " ) ;
2003-08-20 20:07:19 +04:00
2003-12-04 06:35:46 +03:00
if ( ! NT_STATUS_IS_OK ( result ) )
return result ;
DEBUG ( 8 , ( " _samr_remove_sid_foreign_domain:sid is %s \n " ,
2005-04-15 17:41:49 +04:00
sid_string_static ( & domain_sid ) ) ) ;
2003-08-20 20:07:19 +04:00
2003-12-04 06:35:46 +03:00
/* we can only delete a user from a group since we don't have
nested groups anyways . So in the latter case , just say OK */
2003-08-20 20:07:19 +04:00
2005-04-15 17:41:49 +04:00
/* TODO: The above comment nowadays is bogus. Since we have nested
* groups now , and aliases members are never reported out of the unix
* group membership , the " just say OK " makes this call a no - op . For
* us . This needs fixing however . */
/* I've only ever seen this in the wild when deleting a user from
* usrmgr . exe . domain_sid is the builtin domain , and the sid to delete
* is the user about to be deleted . I very much suspect this is the
* only application of this call . To verify this , let people report
* other cases . */
if ( ! sid_check_is_builtin ( & domain_sid ) ) {
DEBUG ( 1 , ( " _samr_remove_sid_foreign_domain: domain_sid = %s, "
" global_sam_sid() = %s \n " ,
sid_string_static ( & domain_sid ) ,
sid_string_static ( get_global_sam_sid ( ) ) ) ) ;
DEBUGADD ( 1 , ( " please report to samba-technical@samba.org! \n " ) ) ;
return NT_STATUS_OK ;
2003-08-20 20:07:19 +04:00
}
2003-12-04 06:35:46 +03:00
2005-11-19 02:15:47 +03:00
force_flush_samr_cache ( disp_info ) ;
2005-04-15 17:41:49 +04:00
result = NT_STATUS_OK ;
2003-08-20 20:07:19 +04:00
2003-12-04 06:35:46 +03:00
return result ;
2001-02-27 21:22:39 +03:00
}
2001-11-28 03:06:00 +03:00
/*******************************************************************
2005-11-19 02:15:47 +03:00
_samr_query_domain_info2
2001-11-28 03:06:00 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-11-19 02:15:47 +03:00
NTSTATUS _samr_query_domain_info2 ( pipes_struct * p ,
SAMR_Q_QUERY_DOMAIN_INFO2 * q_u ,
SAMR_R_QUERY_DOMAIN_INFO2 * r_u )
2001-11-28 03:06:00 +03:00
{
2001-12-22 01:34:49 +03:00
struct samr_info * info = NULL ;
2001-12-03 20:14:23 +03:00
SAM_UNK_CTR * ctr ;
uint32 min_pass_len , pass_hist , flag ;
time_t u_expire , u_min_age ;
NTTIME nt_expire , nt_min_age ;
time_t u_lock_duration , u_reset_time ;
NTTIME nt_lock_duration , nt_reset_time ;
uint32 lockout ;
time_t u_logout ;
NTTIME nt_logout ;
2001-11-28 03:06:00 +03:00
2001-12-22 01:34:49 +03:00
uint32 num_users = 0 , num_groups = 0 , num_aliases = 0 ;
2002-08-17 19:34:15 +04:00
uint32 account_policy_temp ;
2005-09-30 21:13:37 +04:00
time_t seq_num ;
2005-02-07 17:14:44 +03:00
uint32 server_role ;
2002-08-17 19:34:15 +04:00
2004-12-07 21:25:53 +03:00
if ( ( ctr = TALLOC_ZERO_P ( p - > mem_ctx , SAM_UNK_CTR ) ) = = NULL )
2001-11-28 03:06:00 +03:00
return NT_STATUS_NO_MEMORY ;
2001-12-03 20:14:23 +03:00
ZERO_STRUCTP ( ctr ) ;
2001-11-28 03:06:00 +03:00
2001-12-03 20:14:23 +03:00
r_u - > status = NT_STATUS_OK ;
2001-11-28 03:06:00 +03:00
2005-11-19 02:15:47 +03:00
DEBUG ( 5 , ( " _samr_query_domain_info2: %d \n " , __LINE__ ) ) ;
2001-11-28 03:06:00 +03:00
2001-12-03 20:14:23 +03:00
/* find the policy handle. open a policy on it. */
2001-12-22 01:34:49 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > domain_pol , ( void * * ) & info ) )
2001-12-03 20:14:23 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-11-28 03:06:00 +03:00
2001-12-03 20:14:23 +03:00
switch ( q_u - > switch_value ) {
case 0x01 :
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_MIN_PASSWORD_LEN , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
min_pass_len = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_PASSWORD_HISTORY , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
pass_hist = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
flag = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_MAX_PASSWORD_AGE , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
u_expire = account_policy_temp ;
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_MIN_PASSWORD_AGE , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
u_min_age = account_policy_temp ;
2001-12-03 20:14:23 +03:00
unix_to_nt_time_abs ( & nt_expire , u_expire ) ;
unix_to_nt_time_abs ( & nt_min_age , u_min_age ) ;
init_unk_info1 ( & ctr - > info . inf1 , ( uint16 ) min_pass_len , ( uint16 ) pass_hist ,
flag , nt_expire , nt_min_age ) ;
break ;
case 0x02 :
2001-12-22 01:34:49 +03:00
become_root ( ) ;
2005-11-19 02:15:47 +03:00
num_users = count_sam_users ( info - > disp_info ,
2005-04-15 17:41:49 +04:00
ACB_NORMAL ) ;
2005-11-19 02:15:47 +03:00
num_groups = count_sam_groups ( info - > disp_info ) ;
2001-12-22 01:34:49 +03:00
unbecome_root ( ) ;
2005-04-15 17:41:49 +04:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , & account_policy_temp ) ;
2004-12-23 02:50:31 +03:00
u_logout = account_policy_temp ;
unix_to_nt_time_abs ( & nt_logout , u_logout ) ;
2005-09-30 21:13:37 +04:00
if ( ! pdb_get_seq_num ( & seq_num ) )
seq_num = time ( NULL ) ;
2005-02-07 17:14:44 +03:00
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
2005-09-30 21:13:37 +04:00
init_unk_info2 ( & ctr - > info . inf2 , lp_serverstring ( ) , lp_workgroup ( ) , global_myname ( ) , seq_num ,
2005-02-07 17:14:44 +03:00
num_users , num_groups , num_aliases , nt_logout , server_role ) ;
2001-12-03 20:14:23 +03:00
break ;
case 0x03 :
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
u_logout = account_policy_temp ;
2001-12-03 20:14:23 +03:00
unix_to_nt_time_abs ( & nt_logout , u_logout ) ;
init_unk_info3 ( & ctr - > info . inf3 , nt_logout ) ;
break ;
case 0x05 :
2002-11-13 02:20:50 +03:00
init_unk_info5 ( & ctr - > info . inf5 , global_myname ( ) ) ;
2001-12-03 20:14:23 +03:00
break ;
case 0x06 :
init_unk_info6 ( & ctr - > info . inf6 ) ;
break ;
case 0x07 :
2005-02-07 17:14:44 +03:00
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
2005-09-30 21:13:37 +04:00
2005-02-07 17:14:44 +03:00
init_unk_info7 ( & ctr - > info . inf7 , server_role ) ;
2001-12-03 20:14:23 +03:00
break ;
2004-12-23 12:36:49 +03:00
case 0x08 :
2005-09-30 21:13:37 +04:00
if ( ! pdb_get_seq_num ( & seq_num ) )
seq_num = time ( NULL ) ;
init_unk_info8 ( & ctr - > info . inf8 , ( uint32 ) seq_num ) ;
2004-12-23 12:36:49 +03:00
break ;
2001-12-03 20:14:23 +03:00
case 0x0c :
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_LOCK_ACCOUNT_DURATION , & account_policy_temp ) ;
2005-01-10 18:28:07 +03:00
u_lock_duration = account_policy_temp ;
if ( u_lock_duration ! = - 1 )
u_lock_duration * = 60 ;
2002-08-17 19:34:15 +04:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_RESET_COUNT_TIME , & account_policy_temp ) ;
2004-03-03 20:44:00 +03:00
u_reset_time = account_policy_temp * 60 ;
2002-08-17 19:34:15 +04:00
2005-09-30 21:13:37 +04:00
pdb_get_account_policy ( AP_BAD_ATTEMPT_LOCKOUT , & account_policy_temp ) ;
2002-08-17 19:34:15 +04:00
lockout = account_policy_temp ;
2001-12-03 20:14:23 +03:00
unix_to_nt_time_abs ( & nt_lock_duration , u_lock_duration ) ;
unix_to_nt_time_abs ( & nt_reset_time , u_reset_time ) ;
init_unk_info12 ( & ctr - > info . inf12 , nt_lock_duration , nt_reset_time , ( uint16 ) lockout ) ;
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2001-11-28 03:06:00 +03:00
2005-11-19 02:15:47 +03:00
init_samr_r_samr_query_domain_info2 ( r_u , q_u - > switch_value , ctr , NT_STATUS_OK ) ;
2001-11-28 03:06:00 +03:00
2005-11-19 02:15:47 +03:00
DEBUG ( 5 , ( " _samr_query_domain_info2: %d \n " , __LINE__ ) ) ;
2001-11-28 03:06:00 +03:00
2001-12-03 20:14:23 +03:00
return r_u - > status ;
2001-11-28 03:06:00 +03:00
}
/*******************************************************************
_samr_
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_set_dom_info ( pipes_struct * p , SAMR_Q_SET_DOMAIN_INFO * q_u , SAMR_R_SET_DOMAIN_INFO * r_u )
{
2001-12-03 20:14:23 +03:00
time_t u_expire , u_min_age ;
time_t u_logout ;
time_t u_lock_duration , u_reset_time ;
2001-11-28 03:06:00 +03:00
r_u - > status = NT_STATUS_OK ;
DEBUG ( 5 , ( " _samr_set_dom_info: %d \n " , __LINE__ ) ) ;
/* find the policy handle. open a policy on it. */
if ( ! find_policy_by_hnd ( p , & q_u - > domain_pol , NULL ) )
return NT_STATUS_INVALID_HANDLE ;
2001-12-03 20:14:23 +03:00
DEBUG ( 5 , ( " _samr_set_dom_info: switch_value: %d \n " , q_u - > switch_value ) ) ;
2001-11-28 03:06:00 +03:00
switch ( q_u - > switch_value ) {
2001-12-03 20:14:23 +03:00
case 0x01 :
u_expire = nt_time_to_unix_abs ( & q_u - > ctr - > info . inf1 . expire ) ;
u_min_age = nt_time_to_unix_abs ( & q_u - > ctr - > info . inf1 . min_passwordage ) ;
2005-09-30 21:13:37 +04:00
pdb_set_account_policy ( AP_MIN_PASSWORD_LEN , ( uint32 ) q_u - > ctr - > info . inf1 . min_length_password ) ;
pdb_set_account_policy ( AP_PASSWORD_HISTORY , ( uint32 ) q_u - > ctr - > info . inf1 . password_history ) ;
pdb_set_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS , ( uint32 ) q_u - > ctr - > info . inf1 . flag ) ;
pdb_set_account_policy ( AP_MAX_PASSWORD_AGE , ( int ) u_expire ) ;
pdb_set_account_policy ( AP_MIN_PASSWORD_AGE , ( int ) u_min_age ) ;
2001-12-03 20:14:23 +03:00
break ;
case 0x02 :
break ;
case 0x03 :
u_logout = nt_time_to_unix_abs ( & q_u - > ctr - > info . inf3 . logout ) ;
2005-09-30 21:13:37 +04:00
pdb_set_account_policy ( AP_TIME_TO_LOGOUT , ( int ) u_logout ) ;
2001-12-03 20:14:23 +03:00
break ;
case 0x05 :
break ;
case 0x06 :
break ;
case 0x07 :
break ;
case 0x0c :
2005-01-10 18:28:07 +03:00
u_lock_duration = nt_time_to_unix_abs ( & q_u - > ctr - > info . inf12 . duration ) ;
if ( u_lock_duration ! = - 1 )
u_lock_duration / = 60 ;
2005-01-22 06:37:09 +03:00
2004-02-25 18:02:55 +03:00
u_reset_time = nt_time_to_unix_abs ( & q_u - > ctr - > info . inf12 . reset_count ) / 60 ;
2001-12-03 20:14:23 +03:00
2005-09-30 21:13:37 +04:00
pdb_set_account_policy ( AP_LOCK_ACCOUNT_DURATION , ( int ) u_lock_duration ) ;
pdb_set_account_policy ( AP_RESET_COUNT_TIME , ( int ) u_reset_time ) ;
pdb_set_account_policy ( AP_BAD_ATTEMPT_LOCKOUT , ( uint32 ) q_u - > ctr - > info . inf12 . bad_attempt_lockout ) ;
2001-12-03 20:14:23 +03:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
2001-11-28 03:06:00 +03:00
}
init_samr_r_set_domain_info ( r_u , NT_STATUS_OK ) ;
DEBUG ( 5 , ( " _samr_set_dom_info: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}