2001-02-27 18:22:39 +00:00
/*
2002-01-30 06:08:46 +00:00
* Unix SMB / CIFS implementation .
2001-02-27 18:22:39 +00:00
* RPC Pipe client / server routines
2005-01-19 16:52:19 +00:00
* Copyright ( C ) Andrew Tridgell 1992 - 1997 ,
* Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997 ,
2002-08-17 15:34:15 +00:00
* Copyright ( C ) Paul Ashton 1997 ,
* Copyright ( C ) Marc Jacobsen 1999 ,
2008-10-21 18:05:48 -07:00
* Copyright ( C ) Jeremy Allison 2001 - 2008 ,
2005-09-30 17:13:37 +00:00
* Copyright ( C ) Jean François Micouleau 1998 - 2001 ,
2004-04-13 14:39:48 +00:00
* Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2002 ,
2005-01-19 16:52:19 +00:00
* Copyright ( C ) Gerald ( Jerry ) Carter 2003 - 2004 ,
2005-06-14 18:38:15 +00:00
* Copyright ( C ) Simo Sorce 2003.
2005-11-27 01:17:24 +00:00
* Copyright ( C ) Volker Lendecke 2005.
2008-02-27 19:38:48 +01:00
* Copyright ( C ) Guenther Deschner 2008.
2001-02-27 18:22:39 +00:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
* the Free Software Foundation ; either version 3 of the License , or
2001-02-27 18:22:39 +00:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 05:23:25 +00:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2001-02-27 18:22:39 +00:00
*/
/*
* This is the implementation of the SAMR code .
*/
# include "includes.h"
2009-03-16 21:27:58 +11:00
# include "../libcli/auth/libcli_auth.h"
2001-02-27 18:22:39 +00:00
2002-07-15 10:35:28 +00:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_SRV
2005-01-31 22:42:30 +00:00
# define SAMR_USR_RIGHTS_WRITE_PW \
( READ_CONTROL_ACCESS | \
2008-10-23 19:24:41 +02:00
SAMR_USER_ACCESS_CHANGE_PASSWORD | \
SAMR_USER_ACCESS_SET_LOC_COM )
2006-10-03 17:14:18 +00:00
# define SAMR_USR_RIGHTS_CANT_WRITE_PW \
2008-10-23 19:24:41 +02:00
( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
2005-01-31 22:42:30 +00:00
2005-11-22 20:26:23 +00:00
# define DISP_INFO_CACHE_TIMEOUT 10
2005-11-18 23:15:47 +00:00
2008-11-05 13:39:25 +01:00
# define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
# define MAX_SAM_ENTRIES_W95 50
2009-04-18 13:38:22 +02:00
struct samr_connect_info {
2009-04-18 16:46:53 +02:00
uint8_t dummy ;
2009-04-18 13:38:22 +02:00
} ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info {
struct dom_sid sid ;
struct disp_info * disp_info ;
} ;
2009-04-20 18:01:49 +02:00
struct samr_user_info {
struct dom_sid sid ;
} ;
2009-04-20 18:27:39 +02:00
struct samr_group_info {
struct dom_sid sid ;
} ;
2009-04-20 19:04:20 +02:00
struct samr_alias_info {
struct dom_sid sid ;
} ;
2005-04-15 13:41:49 +00:00
typedef struct disp_info {
2005-11-18 23:15:47 +00:00
DOM_SID sid ; /* identify which domain this is. */
2005-06-22 14:16:10 +00:00
struct pdb_search * users ; /* querydispinfo 1 and 4 */
struct pdb_search * machines ; /* querydispinfo 2 */
struct pdb_search * groups ; /* querydispinfo 3 and 5, enumgroups */
struct pdb_search * aliases ; /* enumaliases */
uint16 enum_acb_mask ;
struct pdb_search * enum_users ; /* enumusers with a mask */
2005-11-18 23:15:47 +00:00
2007-03-11 16:49:16 +00:00
struct timed_event * cache_timeout_event ; /* cache idle timeout
* handler . */
2001-12-21 13:36:14 +00:00
} DISP_INFO ;
2007-10-05 21:41:17 +00:00
static const struct generic_mapping sam_generic_mapping = {
2005-11-26 20:28:12 +00:00
GENERIC_RIGHTS_SAM_READ ,
GENERIC_RIGHTS_SAM_WRITE ,
GENERIC_RIGHTS_SAM_EXECUTE ,
GENERIC_RIGHTS_SAM_ALL_ACCESS } ;
2007-10-05 21:41:17 +00:00
static const struct generic_mapping dom_generic_mapping = {
2005-11-26 20:28:12 +00:00
GENERIC_RIGHTS_DOMAIN_READ ,
GENERIC_RIGHTS_DOMAIN_WRITE ,
GENERIC_RIGHTS_DOMAIN_EXECUTE ,
GENERIC_RIGHTS_DOMAIN_ALL_ACCESS } ;
2007-10-05 21:41:17 +00:00
static const struct generic_mapping usr_generic_mapping = {
2005-11-26 20:28:12 +00:00
GENERIC_RIGHTS_USER_READ ,
GENERIC_RIGHTS_USER_WRITE ,
GENERIC_RIGHTS_USER_EXECUTE ,
GENERIC_RIGHTS_USER_ALL_ACCESS } ;
2007-10-05 21:41:17 +00:00
static const struct generic_mapping usr_nopwchange_generic_mapping = {
2006-10-03 17:14:18 +00:00
GENERIC_RIGHTS_USER_READ ,
GENERIC_RIGHTS_USER_WRITE ,
2008-10-23 19:24:41 +02:00
GENERIC_RIGHTS_USER_EXECUTE & ~ SAMR_USER_ACCESS_CHANGE_PASSWORD ,
2006-10-03 17:14:18 +00:00
GENERIC_RIGHTS_USER_ALL_ACCESS } ;
2007-10-05 21:41:17 +00:00
static const struct generic_mapping grp_generic_mapping = {
2005-11-26 20:28:12 +00:00
GENERIC_RIGHTS_GROUP_READ ,
GENERIC_RIGHTS_GROUP_WRITE ,
GENERIC_RIGHTS_GROUP_EXECUTE ,
GENERIC_RIGHTS_GROUP_ALL_ACCESS } ;
2007-10-05 21:41:17 +00:00
static const struct generic_mapping ali_generic_mapping = {
2005-11-26 20:28:12 +00:00
GENERIC_RIGHTS_ALIAS_READ ,
GENERIC_RIGHTS_ALIAS_WRITE ,
GENERIC_RIGHTS_ALIAS_EXECUTE ,
GENERIC_RIGHTS_ALIAS_ALL_ACCESS } ;
2002-07-15 10:35:28 +00:00
2005-01-26 20:36:44 +00:00
/*******************************************************************
2005-01-31 22:42:30 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-26 20:36:44 +00:00
2005-01-31 22:42:30 +00:00
static NTSTATUS make_samr_object_sd ( TALLOC_CTX * ctx , SEC_DESC * * psd , size_t * sd_size ,
2007-10-05 21:41:17 +00:00
const struct generic_mapping * map ,
2005-01-31 22:42:30 +00:00
DOM_SID * sid , uint32 sid_access )
2005-01-26 20:36:44 +00:00
{
2005-06-14 18:38:15 +00:00
DOM_SID domadmin_sid ;
2005-01-31 22:42:30 +00:00
SEC_ACE ace [ 5 ] ; /* at most 5 entries */
2005-01-26 20:36:44 +00:00
size_t i = 0 ;
SEC_ACL * psa = NULL ;
2005-01-31 22:42:30 +00:00
/* basic access for Everyone */
2005-09-30 17:13:37 +00:00
2008-10-09 09:49:03 -07:00
init_sec_ace ( & ace [ i + + ] , & global_sid_World , SEC_ACE_TYPE_ACCESS_ALLOWED ,
map - > generic_execute | map - > generic_read , 0 ) ;
2005-09-30 17:13:37 +00:00
2005-01-31 22:42:30 +00:00
/* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
2005-09-30 17:13:37 +00:00
2008-10-09 09:49:03 -07:00
init_sec_ace ( & ace [ i + + ] , & global_sid_Builtin_Administrators ,
SEC_ACE_TYPE_ACCESS_ALLOWED , map - > generic_all , 0 ) ;
init_sec_ace ( & ace [ i + + ] , & global_sid_Builtin_Account_Operators ,
SEC_ACE_TYPE_ACCESS_ALLOWED , map - > generic_all , 0 ) ;
2005-09-30 17:13:37 +00:00
2005-01-31 22:42:30 +00:00
/* Add Full Access for Domain Admins if we are a DC */
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
if ( IS_DC ) {
sid_copy ( & domadmin_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & domadmin_sid , DOMAIN_GROUP_RID_ADMINS ) ;
2008-10-09 09:49:03 -07:00
init_sec_ace ( & ace [ i + + ] , & domadmin_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED , map - > generic_all , 0 ) ;
2005-01-26 20:36:44 +00:00
}
2005-01-31 22:42:30 +00:00
/* if we have a sid, give it some special access */
2005-09-30 17:13:37 +00:00
2005-01-31 22:42:30 +00:00
if ( sid ) {
2008-10-09 09:49:03 -07:00
init_sec_ace ( & ace [ i + + ] , sid , SEC_ACE_TYPE_ACCESS_ALLOWED , sid_access , 0 ) ;
2006-02-03 22:19:41 +00:00
}
2005-09-30 17:13:37 +00:00
2005-01-31 22:42:30 +00:00
/* create the security descriptor */
2005-09-30 17:13:37 +00:00
2005-01-31 22:42:30 +00:00
if ( ( psa = make_sec_acl ( ctx , NT4_ACL_REVISION , i , ace ) ) = = NULL )
2005-01-26 20:36:44 +00:00
return NT_STATUS_NO_MEMORY ;
2007-12-20 22:27:01 +01:00
if ( ( * psd = make_sec_desc ( ctx , SECURITY_DESCRIPTOR_REVISION_1 ,
SEC_DESC_SELF_RELATIVE , NULL , NULL , NULL ,
psa , sd_size ) ) = = NULL )
2005-01-26 20:36:44 +00:00
return NT_STATUS_NO_MEMORY ;
return NT_STATUS_OK ;
}
2002-07-15 10:35:28 +00:00
/*******************************************************************
Checks if access to an object should be granted , and returns that
level of access for further checks .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 12:54:19 +01:00
static NTSTATUS access_check_samr_object ( SEC_DESC * psd , NT_USER_TOKEN * token ,
2005-01-26 20:36:44 +00:00
SE_PRIV * rights , uint32 rights_mask ,
2008-02-05 12:54:19 +01:00
uint32 des_access , uint32 * acc_granted ,
2005-01-26 20:36:44 +00:00
const char * debug )
2002-07-15 10:35:28 +00:00
{
NTSTATUS status = NT_STATUS_ACCESS_DENIED ;
2005-01-26 20:36:44 +00:00
uint32 saved_mask = 0 ;
2002-07-15 10:35:28 +00:00
2008-02-05 12:54:19 +01:00
/* check privileges; certain SAM access bits should be overridden
by privileges ( mostly having to do with creating / modifying / deleting
2005-01-26 20:36:44 +00:00
users and groups ) */
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
if ( rights & & user_has_any_privilege ( token , rights ) ) {
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
saved_mask = ( des_access & rights_mask ) ;
des_access & = ~ saved_mask ;
2008-02-05 12:54:19 +01:00
2005-01-28 16:55:09 +00:00
DEBUG ( 4 , ( " access_check_samr_object: user rights access mask [0x%x] \n " ,
rights_mask ) ) ;
2005-01-26 20:36:44 +00:00
}
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
/* check the security descriptor first */
2008-02-05 12:54:19 +01:00
2008-10-31 10:51:45 -07:00
status = se_access_check ( psd , token , des_access , acc_granted ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
2005-01-26 20:36:44 +00:00
goto done ;
2008-10-31 10:51:45 -07:00
}
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
/* give root a free pass */
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
if ( geteuid ( ) = = sec_initial_uid ( ) ) {
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
DEBUG ( 4 , ( " %s: ACCESS should be DENIED (requested: %#010x) \n " , debug , des_access ) ) ;
DEBUGADD ( 4 , ( " but overritten by euid == sec_initial_uid() \n " ) ) ;
2008-02-05 12:54:19 +01:00
2003-03-21 13:35:15 +00:00
* acc_granted = des_access ;
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
status = NT_STATUS_OK ;
goto done ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
done :
2008-02-05 12:54:19 +01:00
/* add in any bits saved during the privilege check (only
2005-01-28 16:55:09 +00:00
matters is status is ok ) */
2008-02-05 12:54:19 +01:00
2005-01-28 16:55:09 +00:00
* acc_granted | = rights_mask ;
2005-01-27 02:16:02 +00:00
2008-02-05 12:54:19 +01:00
DEBUG ( 4 , ( " %s: access %s (requested: 0x%08x, granted: 0x%08x) \n " ,
debug , NT_STATUS_IS_OK ( status ) ? " GRANTED " : " DENIED " ,
2005-01-27 02:16:02 +00:00
des_access , * acc_granted ) ) ;
2008-02-05 12:54:19 +01:00
2002-07-15 10:35:28 +00:00
return status ;
}
2008-10-21 18:05:48 -07:00
/*******************************************************************
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void map_max_allowed_access ( const NT_USER_TOKEN * token ,
uint32_t * pacc_requested )
{
if ( ! ( ( * pacc_requested ) & MAXIMUM_ALLOWED_ACCESS ) ) {
return ;
}
* pacc_requested & = ~ MAXIMUM_ALLOWED_ACCESS ;
/* At least try for generic read. */
* pacc_requested = GENERIC_READ_ACCESS ;
/* root gets anything. */
if ( geteuid ( ) = = sec_initial_uid ( ) ) {
* pacc_requested | = GENERIC_ALL_ACCESS ;
return ;
}
/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
if ( is_sid_in_token ( token , & global_sid_Builtin_Administrators ) | |
is_sid_in_token ( token , & global_sid_Builtin_Account_Operators ) ) {
* pacc_requested | = GENERIC_ALL_ACCESS ;
return ;
}
/* Full access for DOMAIN\Domain Admins. */
if ( IS_DC ) {
DOM_SID domadmin_sid ;
sid_copy ( & domadmin_sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & domadmin_sid , DOMAIN_GROUP_RID_ADMINS ) ;
if ( is_sid_in_token ( token , & domadmin_sid ) ) {
* pacc_requested | = GENERIC_ALL_ACCESS ;
return ;
}
}
/* TODO ! Check privileges. */
}
2005-11-18 23:15:47 +00:00
/*******************************************************************
Fetch or create a dispinfo struct .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-04-19 22:01:16 +02:00
static DISP_INFO * get_samr_dispinfo_by_sid ( const struct dom_sid * psid )
2005-11-18 23:15:47 +00:00
{
2007-02-27 17:21:21 +00:00
/*
* We do a static cache for DISP_INFO ' s here . Explanation can be found
* in Jeremy ' s checkin message to r11793 :
*
* Fix the SAMR cache so it works across completely insane
* client behaviour ( ie . :
* open pipe / open SAMR handle / enumerate 0 - 1024
* close SAMR handle , close pipe .
* open pipe / open SAMR handle / enumerate 1024 - 2048. . .
* close SAMR handle , close pipe .
* And on ad - nausium . Amazing . . . . probably object - oriented
* client side programming in action yet again .
* This change should * massively * improve performance when
* enumerating users from an LDAP database .
* Jeremy .
*
* " Our " and the builtin domain are the only ones where we ever
* enumerate stuff , so just cache 2 entries .
*/
2009-02-12 17:48:52 +01:00
static struct disp_info * builtin_dispinfo ;
static struct disp_info * domain_dispinfo ;
2005-11-18 23:15:47 +00:00
2007-02-26 23:06:17 +00:00
/* There are two cases to consider here:
1 ) The SID is a domain SID and we look for an equality match , or
2008-02-05 12:54:19 +01:00
2 ) This is an account SID and so we return the DISP_INFO * for our
2007-02-26 23:06:17 +00:00
domain */
2007-02-27 17:21:21 +00:00
if ( psid = = NULL ) {
2005-11-18 23:15:47 +00:00
return NULL ;
2007-02-27 17:21:21 +00:00
}
2005-11-18 23:15:47 +00:00
2007-02-27 17:21:21 +00:00
if ( sid_check_is_builtin ( psid ) | | sid_check_is_in_builtin ( psid ) ) {
/*
* Necessary only once , but it does not really hurt .
*/
2009-02-12 17:48:52 +01:00
if ( builtin_dispinfo = = NULL ) {
builtin_dispinfo = talloc_zero (
talloc_autofree_context ( ) , struct disp_info ) ;
if ( builtin_dispinfo = = NULL ) {
return NULL ;
}
}
sid_copy ( & builtin_dispinfo - > sid , & global_sid_Builtin ) ;
2005-11-27 01:17:24 +00:00
2009-02-12 17:48:52 +01:00
return builtin_dispinfo ;
2007-02-26 23:06:17 +00:00
}
2008-02-05 12:54:19 +01:00
2007-02-27 17:21:21 +00:00
if ( sid_check_is_domain ( psid ) | | sid_check_is_in_our_domain ( psid ) ) {
/*
* Necessary only once , but it does not really hurt .
*/
2009-02-12 17:48:52 +01:00
if ( domain_dispinfo = = NULL ) {
domain_dispinfo = talloc_zero (
talloc_autofree_context ( ) , struct disp_info ) ;
if ( domain_dispinfo = = NULL ) {
return NULL ;
}
}
sid_copy ( & domain_dispinfo - > sid , get_global_sam_sid ( ) ) ;
2005-11-18 23:15:47 +00:00
2009-02-12 17:48:52 +01:00
return domain_dispinfo ;
2007-02-27 17:21:21 +00:00
}
2005-11-18 23:15:47 +00:00
2007-02-27 17:21:21 +00:00
return NULL ;
2005-11-18 23:15:47 +00:00
}
2002-07-15 10:35:28 +00:00
2001-03-11 00:32:10 +00:00
/*******************************************************************
2005-11-18 23:15:47 +00:00
Function to free the per SID data .
2001-03-11 00:32:10 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-08 21:58:29 +00:00
2007-03-11 16:49:16 +00:00
static void free_samr_cache ( DISP_INFO * disp_info )
2005-11-18 23:15:47 +00:00
{
2007-03-11 16:49:16 +00:00
DEBUG ( 10 , ( " free_samr_cache: deleting cache for SID %s \n " ,
2007-12-15 21:11:36 +01:00
sid_string_dbg ( & disp_info - > sid ) ) ) ;
2005-11-18 23:15:47 +00:00
2005-11-25 10:19:24 +00:00
/* We need to become root here because the paged search might have to
* tell the LDAP server we ' re not interested in the rest anymore . */
become_root ( ) ;
2009-02-12 17:48:52 +01:00
TALLOC_FREE ( disp_info - > users ) ;
TALLOC_FREE ( disp_info - > machines ) ;
TALLOC_FREE ( disp_info - > groups ) ;
TALLOC_FREE ( disp_info - > aliases ) ;
TALLOC_FREE ( disp_info - > enum_users ) ;
2005-11-25 10:19:24 +00:00
unbecome_root ( ) ;
2005-11-18 23:15:47 +00:00
}
/*******************************************************************
Idle event handler . Throw away the disp info cache .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-03-11 16:49:16 +00:00
static void disp_info_cache_idle_timeout_handler ( struct event_context * ev_ctx ,
struct timed_event * te ,
2009-01-05 10:22:50 +01:00
struct timeval now ,
2007-03-11 16:49:16 +00:00
void * private_data )
2005-11-18 23:15:47 +00:00
{
2007-03-11 16:49:16 +00:00
DISP_INFO * disp_info = ( DISP_INFO * ) private_data ;
2005-11-22 20:26:23 +00:00
2007-03-11 16:49:16 +00:00
TALLOC_FREE ( disp_info - > cache_timeout_event ) ;
2005-11-18 23:15:47 +00:00
2007-03-11 16:49:16 +00:00
DEBUG ( 10 , ( " disp_info_cache_idle_timeout_handler: caching timed "
" out \n " ) ) ;
free_samr_cache ( disp_info ) ;
2005-11-18 23:15:47 +00:00
}
/*******************************************************************
Setup cache removal idle event handler .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void set_disp_info_cache_timeout ( DISP_INFO * disp_info , time_t secs_fromnow )
{
/* Remove any pending timeout and update. */
2007-03-11 16:49:16 +00:00
TALLOC_FREE ( disp_info - > cache_timeout_event ) ;
2005-11-18 23:15:47 +00:00
2007-03-11 16:49:16 +00:00
DEBUG ( 10 , ( " set_disp_info_cache_timeout: caching enumeration for "
2007-12-15 21:11:36 +01:00
" SID %s for %u seconds \n " , sid_string_dbg ( & disp_info - > sid ) ,
2007-03-11 16:49:16 +00:00
( unsigned int ) secs_fromnow ) ) ;
2005-11-18 23:15:47 +00:00
2007-03-11 16:49:16 +00:00
disp_info - > cache_timeout_event = event_add_timed (
smbd_event_context ( ) , NULL ,
timeval_current_ofs ( secs_fromnow , 0 ) ,
disp_info_cache_idle_timeout_handler , ( void * ) disp_info ) ;
2005-11-18 23:15:47 +00:00
}
/*******************************************************************
Force flush any cache . We do this on any samr_set_xxx call .
2005-11-22 20:26:23 +00:00
We must also remove the timeout handler .
2005-11-18 23:15:47 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-04-19 22:01:16 +02:00
static void force_flush_samr_cache ( const struct dom_sid * sid )
2005-11-18 23:15:47 +00:00
{
2009-04-19 22:01:16 +02:00
struct disp_info * disp_info = get_samr_dispinfo_by_sid ( sid ) ;
2007-03-11 16:49:16 +00:00
if ( ( disp_info = = NULL ) | | ( disp_info - > cache_timeout_event = = NULL ) ) {
return ;
2005-11-18 23:15:47 +00:00
}
2007-03-11 16:49:16 +00:00
DEBUG ( 10 , ( " force_flush_samr_cache: clearing idle event \n " ) ) ;
TALLOC_FREE ( disp_info - > cache_timeout_event ) ;
free_samr_cache ( disp_info ) ;
2005-11-18 23:15:47 +00:00
}
2001-03-13 00:32:43 +00:00
/*******************************************************************
Ensure password info is never given out . Paranioa . . . JRA .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-20 20:09:36 +00:00
static void samr_clear_sam_passwd ( struct samu * sam_pass )
2001-03-13 00:32:43 +00:00
{
2008-02-05 12:54:19 +01:00
2001-03-13 00:32:43 +00:00
if ( ! sam_pass )
return ;
2002-01-02 07:41:54 +00:00
/* These now zero out the old password */
2002-11-02 03:47:48 +00:00
pdb_set_lanman_passwd ( sam_pass , NULL , PDB_DEFAULT ) ;
pdb_set_nt_passwd ( sam_pass , NULL , PDB_DEFAULT ) ;
2001-03-13 00:32:43 +00:00
}
2006-02-27 10:32:45 +00:00
static uint32 count_sam_users ( struct disp_info * info , uint32 acct_flags )
2001-12-21 13:36:14 +00:00
{
2005-04-15 13:41:49 +00:00
struct samr_displayentry * entry ;
2005-11-27 01:17:24 +00:00
2009-04-18 22:23:02 +02:00
if ( sid_check_is_builtin ( & info - > sid ) ) {
2005-11-27 01:17:24 +00:00
/* No users in builtin. */
return 0 ;
}
2005-11-18 23:15:47 +00:00
if ( info - > users = = NULL ) {
2009-02-12 17:48:52 +01:00
info - > users = pdb_search_users ( info , acct_flags ) ;
2005-11-18 23:15:47 +00:00
if ( info - > users = = NULL ) {
return 0 ;
}
}
2005-04-15 13:41:49 +00:00
/* Fetch the last possible entry, thus trigger an enumeration */
pdb_search_entries ( info - > users , 0xffffffff , 1 , & entry ) ;
2005-11-18 23:15:47 +00:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-04-15 13:41:49 +00:00
return info - > users - > num_entries ;
2001-12-21 13:36:14 +00:00
}
2005-04-15 13:41:49 +00:00
static uint32 count_sam_groups ( struct disp_info * info )
2001-12-21 13:36:14 +00:00
{
2005-04-15 13:41:49 +00:00
struct samr_displayentry * entry ;
2005-11-27 01:17:24 +00:00
2009-04-18 22:23:02 +02:00
if ( sid_check_is_builtin ( & info - > sid ) ) {
2005-11-27 01:17:24 +00:00
/* No groups in builtin. */
return 0 ;
}
2005-11-18 23:15:47 +00:00
if ( info - > groups = = NULL ) {
2009-02-12 17:48:52 +01:00
info - > groups = pdb_search_groups ( info ) ;
2005-11-18 23:15:47 +00:00
if ( info - > groups = = NULL ) {
return 0 ;
}
}
2005-04-15 13:41:49 +00:00
/* Fetch the last possible entry, thus trigger an enumeration */
pdb_search_entries ( info - > groups , 0xffffffff , 1 , & entry ) ;
2005-11-18 23:15:47 +00:00
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-04-15 13:41:49 +00:00
return info - > groups - > num_entries ;
2001-12-21 13:36:14 +00:00
}
2005-11-27 01:17:24 +00:00
static uint32 count_sam_aliases ( struct disp_info * info )
{
struct samr_displayentry * entry ;
if ( info - > aliases = = NULL ) {
2009-02-12 17:48:52 +01:00
info - > aliases = pdb_search_aliases ( info , & info - > sid ) ;
2005-11-27 01:17:24 +00:00
if ( info - > aliases = = NULL ) {
return 0 ;
}
}
/* Fetch the last possible entry, thus trigger an enumeration */
pdb_search_entries ( info - > aliases , 0xffffffff , 1 , & entry ) ;
/* Ensure we cache this enumeration. */
set_disp_info_cache_timeout ( info , DISP_INFO_CACHE_TIMEOUT ) ;
return info - > aliases - > num_entries ;
}
2002-07-15 10:35:28 +00:00
/*******************************************************************
2008-01-30 12:53:09 +01:00
_samr_Close
2002-07-15 10:35:28 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-01-30 12:53:09 +01:00
NTSTATUS _samr_Close ( pipes_struct * p , struct samr_Close * r )
2002-07-15 10:35:28 +00:00
{
2008-01-30 12:53:09 +01:00
if ( ! close_policy_hnd ( p , r - > in . handle ) ) {
return NT_STATUS_INVALID_HANDLE ;
}
2002-07-15 10:35:28 +00:00
2008-01-31 14:24:33 +01:00
ZERO_STRUCTP ( r - > out . handle ) ;
2002-07-15 10:35:28 +00:00
2008-01-30 12:53:09 +01:00
return NT_STATUS_OK ;
2005-01-26 20:36:44 +00:00
}
2002-07-15 10:35:28 +00:00
2005-01-26 20:36:44 +00:00
/*******************************************************************
2008-02-01 00:23:50 +01:00
_samr_OpenDomain
2005-01-26 20:36:44 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-07-15 10:35:28 +00:00
2008-02-01 00:23:50 +01:00
NTSTATUS _samr_OpenDomain ( pipes_struct * p ,
struct samr_OpenDomain * r )
2005-01-26 20:36:44 +00:00
{
2009-04-18 13:38:22 +02:00
struct samr_connect_info * cinfo ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2005-01-26 20:36:44 +00:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2008-02-01 00:23:50 +01:00
uint32 des_access = r - > in . access_mask ;
2005-01-26 20:36:44 +00:00
NTSTATUS status ;
2005-09-30 17:13:37 +00:00
size_t sd_size ;
2005-01-26 20:36:44 +00:00
SE_PRIV se_rights ;
2002-07-15 10:35:28 +00:00
2005-01-26 20:36:44 +00:00
/* find the connection policy handle. */
2008-02-05 12:54:19 +01:00
2009-04-18 16:46:53 +02:00
cinfo = policy_handle_find ( p , r - > in . connect_handle , 0 , NULL ,
struct samr_connect_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-01-26 20:36:44 +00:00
return status ;
2009-04-18 13:38:22 +02:00
}
2005-01-26 20:36:44 +00:00
/*check if access can be granted as requested by client. */
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2008-02-05 12:54:19 +01:00
2005-01-31 22:42:30 +00:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & dom_generic_mapping , NULL , 0 ) ;
2005-01-26 20:36:44 +00:00
se_map_generic ( & des_access , & dom_generic_mapping ) ;
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
se_priv_copy ( & se_rights , & se_machine_account ) ;
se_priv_add ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
status = access_check_samr_object ( psd , p - > server_info - > ptok ,
2008-02-05 12:54:19 +01:00
& se_rights , GENERIC_RIGHTS_DOMAIN_WRITE , des_access ,
2008-02-01 00:23:50 +01:00
& acc_granted , " _samr_OpenDomain " ) ;
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2008-02-01 00:23:50 +01:00
if ( ! sid_check_is_domain ( r - > in . sid ) & &
! sid_check_is_builtin ( r - > in . sid ) ) {
2005-11-26 21:35:43 +00:00
return NT_STATUS_NO_SUCH_DOMAIN ;
}
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_create ( p , r - > out . domain_handle , acc_granted ,
struct samr_domain_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
dinfo - > sid = * r - > in . sid ;
dinfo - > disp_info = get_samr_dispinfo_by_sid ( r - > in . sid ) ;
2005-01-26 20:36:44 +00:00
2008-02-01 00:23:50 +01:00
DEBUG ( 5 , ( " _samr_OpenDomain: %d \n " , __LINE__ ) ) ;
2005-01-26 20:36:44 +00:00
2008-02-01 00:23:50 +01:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2002-07-15 10:35:28 +00:00
/*******************************************************************
2008-02-04 22:53:03 +01:00
_samr_GetUserPwInfo
2002-07-15 10:35:28 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 22:53:03 +01:00
NTSTATUS _samr_GetUserPwInfo ( pipes_struct * p ,
struct samr_GetUserPwInfo * r )
2002-07-15 10:35:28 +00:00
{
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
2008-04-04 12:00:26 +02:00
enum lsa_SidType sid_type ;
uint32_t min_password_length = 0 ;
uint32_t password_properties = 0 ;
bool ret = false ;
NTSTATUS status ;
DEBUG ( 5 , ( " _samr_GetUserPwInfo: %d \n " , __LINE__ ) ) ;
2002-07-15 10:35:28 +00:00
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_find ( p , r - > in . user_handle ,
SAMR_USER_ACCESS_GET_ATTRIBUTES , NULL ,
struct samr_user_info , & status ) ;
2008-04-04 12:00:26 +02:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2009-04-20 18:01:49 +02:00
if ( ! sid_check_is_in_our_domain ( & uinfo - > sid ) ) {
2005-01-26 20:36:44 +00:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2008-04-04 12:00:26 +02:00
}
2002-07-15 10:35:28 +00:00
2008-04-04 12:00:26 +02:00
become_root ( ) ;
2009-04-20 18:01:49 +02:00
ret = lookup_sid ( p - > mem_ctx , & uinfo - > sid , NULL , NULL , & sid_type ) ;
2008-04-04 12:00:26 +02:00
unbecome_root ( ) ;
if ( ret = = false ) {
return NT_STATUS_NO_SUCH_USER ;
}
2002-07-15 10:35:28 +00:00
2008-04-04 12:00:26 +02:00
switch ( sid_type ) {
case SID_NAME_USER :
become_root ( ) ;
pdb_get_account_policy ( AP_MIN_PASSWORD_LEN ,
& min_password_length ) ;
pdb_get_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS ,
& password_properties ) ;
unbecome_root ( ) ;
if ( lp_check_password_script ( ) & & * lp_check_password_script ( ) ) {
password_properties | = DOMAIN_PASSWORD_COMPLEX ;
}
break ;
default :
break ;
}
2002-07-15 10:35:28 +00:00
2008-04-04 12:00:26 +02:00
r - > out . info - > min_password_length = min_password_length ;
r - > out . info - > password_properties = password_properties ;
DEBUG ( 5 , ( " _samr_GetUserPwInfo: %d \n " , __LINE__ ) ) ;
2002-07-15 10:35:28 +00:00
2008-02-04 22:53:03 +01:00
return NT_STATUS_OK ;
2005-01-26 20:36:44 +00:00
}
2002-07-15 10:35:28 +00:00
2006-10-03 17:14:18 +00:00
/*******************************************************************
2008-02-01 17:29:03 +01:00
_samr_SetSecurity
2006-10-03 17:14:18 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 17:29:03 +01:00
NTSTATUS _samr_SetSecurity ( pipes_struct * p ,
struct samr_SetSecurity * r )
2006-10-03 17:14:18 +00:00
{
2009-04-21 12:16:58 +02:00
struct samr_user_info * uinfo ;
uint32 i ;
2006-10-03 17:14:18 +00:00
SEC_ACL * dacl ;
2007-10-18 17:40:25 -07:00
bool ret ;
2006-10-03 17:14:18 +00:00
struct samu * sampass = NULL ;
NTSTATUS status ;
2009-04-21 12:16:58 +02:00
uinfo = policy_handle_find ( p , r - > in . handle ,
SAMR_USER_ACCESS_SET_ATTRIBUTES , NULL ,
struct samr_user_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2006-10-03 17:14:18 +00:00
if ( ! ( sampass = samu_new ( p - > mem_ctx ) ) ) {
DEBUG ( 0 , ( " No memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
/* get the user record */
become_root ( ) ;
2009-04-21 12:16:58 +02:00
ret = pdb_getsampwsid ( sampass , & uinfo - > sid ) ;
2006-10-03 17:14:18 +00:00
unbecome_root ( ) ;
if ( ! ret ) {
2009-04-21 12:16:58 +02:00
DEBUG ( 4 , ( " User %s not found \n " ,
sid_string_dbg ( & uinfo - > sid ) ) ) ;
2006-10-03 17:14:18 +00:00
TALLOC_FREE ( sampass ) ;
return NT_STATUS_INVALID_HANDLE ;
}
2008-02-01 17:29:03 +01:00
dacl = r - > in . sdbuf - > sd - > dacl ;
2006-10-03 17:14:18 +00:00
for ( i = 0 ; i < dacl - > num_aces ; i + + ) {
2009-04-21 12:16:58 +02:00
if ( sid_equal ( & uinfo - > sid , & dacl - > aces [ i ] . trustee ) ) {
2008-02-05 12:54:19 +01:00
ret = pdb_set_pass_can_change ( sampass ,
( dacl - > aces [ i ] . access_mask &
2008-10-23 19:24:41 +02:00
SAMR_USER_ACCESS_CHANGE_PASSWORD ) ?
2006-10-03 17:14:18 +00:00
True : False ) ;
break ;
}
}
if ( ! ret ) {
TALLOC_FREE ( sampass ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2009-04-21 12:16:58 +02:00
become_root ( ) ;
status = pdb_update_sam_account ( sampass ) ;
unbecome_root ( ) ;
2006-10-03 17:14:18 +00:00
TALLOC_FREE ( sampass ) ;
return status ;
}
/*******************************************************************
build correct perms based on policies and password times for _samr_query_sec_obj
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
static bool check_change_pw_access ( TALLOC_CTX * mem_ctx , DOM_SID * user_sid )
2006-10-03 17:14:18 +00:00
{
struct samu * sampass = NULL ;
2007-10-18 17:40:25 -07:00
bool ret ;
2006-10-03 17:14:18 +00:00
if ( ! ( sampass = samu_new ( mem_ctx ) ) ) {
DEBUG ( 0 , ( " No memory! \n " ) ) ;
return False ;
}
become_root ( ) ;
ret = pdb_getsampwsid ( sampass , user_sid ) ;
unbecome_root ( ) ;
if ( ret = = False ) {
2007-12-15 21:11:36 +01:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_dbg ( user_sid ) ) ) ;
2006-10-03 17:14:18 +00:00
TALLOC_FREE ( sampass ) ;
return False ;
}
DEBUG ( 3 , ( " User:[%s] \n " , pdb_get_username ( sampass ) ) ) ;
if ( pdb_get_pass_can_change ( sampass ) ) {
TALLOC_FREE ( sampass ) ;
return True ;
}
TALLOC_FREE ( sampass ) ;
return False ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-01 17:28:01 +01:00
_samr_QuerySecurity
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 17:28:01 +01:00
NTSTATUS _samr_QuerySecurity ( pipes_struct * p ,
struct samr_QuerySecurity * r )
2001-02-27 18:22:39 +00:00
{
2009-04-21 12:35:53 +02:00
struct samr_connect_info * cinfo ;
struct samr_domain_info * dinfo ;
struct samr_user_info * uinfo ;
struct samr_group_info * ginfo ;
struct samr_alias_info * ainfo ;
2008-02-01 17:28:01 +01:00
NTSTATUS status ;
2002-07-15 10:35:28 +00:00
SEC_DESC * psd = NULL ;
2005-01-31 22:42:30 +00:00
size_t sd_size ;
2001-02-27 18:22:39 +00:00
2009-04-21 12:35:53 +02:00
cinfo = policy_handle_find ( p , r - > in . handle ,
STD_RIGHT_READ_CONTROL_ACCESS , NULL ,
struct samr_connect_info , & status ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 5 , ( " _samr_QuerySecurity: querying security on SAM \n " ) ) ;
status = make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size ,
& sam_generic_mapping , NULL , 0 ) ;
goto done ;
2008-10-20 16:51:37 -07:00
}
2009-04-21 12:35:53 +02:00
dinfo = policy_handle_find ( p , r - > in . handle ,
STD_RIGHT_READ_CONTROL_ACCESS , NULL ,
struct samr_domain_info , & status ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
2008-02-01 17:28:01 +01:00
DEBUG ( 5 , ( " _samr_QuerySecurity: querying security on Domain "
2009-04-21 12:35:53 +02:00
" with SID: %s \n " , sid_string_dbg ( & dinfo - > sid ) ) ) ;
/*
* TODO : Builtin probably needs a different SD with restricted
* write access
*/
status = make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size ,
& dom_generic_mapping , NULL , 0 ) ;
goto done ;
}
uinfo = policy_handle_find ( p , r - > in . handle ,
STD_RIGHT_READ_CONTROL_ACCESS , NULL ,
struct samr_user_info , & status ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 10 , ( " _samr_QuerySecurity: querying security on user "
" Object with SID: %s \n " ,
sid_string_dbg ( & uinfo - > sid ) ) ) ;
if ( check_change_pw_access ( p - > mem_ctx , & uinfo - > sid ) ) {
status = make_samr_object_sd (
p - > mem_ctx , & psd , & sd_size ,
& usr_generic_mapping ,
& uinfo - > sid , SAMR_USR_RIGHTS_WRITE_PW ) ;
2006-10-03 17:14:18 +00:00
} else {
2009-04-21 12:35:53 +02:00
status = make_samr_object_sd (
p - > mem_ctx , & psd , & sd_size ,
& usr_nopwchange_generic_mapping ,
& uinfo - > sid , SAMR_USR_RIGHTS_CANT_WRITE_PW ) ;
2006-10-03 17:14:18 +00:00
}
2009-04-21 12:35:53 +02:00
goto done ;
}
ginfo = policy_handle_find ( p , r - > in . handle ,
STD_RIGHT_READ_CONTROL_ACCESS , NULL ,
struct samr_group_info , & status ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
/*
* TODO : different SDs have to be generated for aliases groups
* and users . Currently all three get a default user SD
*/
DEBUG ( 10 , ( " _samr_QuerySecurity: querying security on group "
" Object with SID: %s \n " ,
sid_string_dbg ( & ginfo - > sid ) ) ) ;
status = make_samr_object_sd (
p - > mem_ctx , & psd , & sd_size ,
& usr_nopwchange_generic_mapping ,
& ginfo - > sid , SAMR_USR_RIGHTS_CANT_WRITE_PW ) ;
goto done ;
}
ainfo = policy_handle_find ( p , r - > in . handle ,
STD_RIGHT_READ_CONTROL_ACCESS , NULL ,
struct samr_alias_info , & status ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
/*
* TODO : different SDs have to be generated for aliases groups
* and users . Currently all three get a default user SD
*/
DEBUG ( 10 , ( " _samr_QuerySecurity: querying security on alias "
" Object with SID: %s \n " ,
sid_string_dbg ( & ainfo - > sid ) ) ) ;
status = make_samr_object_sd (
p - > mem_ctx , & psd , & sd_size ,
& usr_nopwchange_generic_mapping ,
& ainfo - > sid , SAMR_USR_RIGHTS_CANT_WRITE_PW ) ;
goto done ;
2002-07-15 10:35:28 +00:00
}
2009-04-21 12:35:53 +02:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
done :
2008-02-01 17:28:01 +01:00
if ( ( * r - > out . sdbuf = make_sec_desc_buf ( p - > mem_ctx , sd_size , psd ) ) = = NULL )
2002-07-15 10:35:28 +00:00
return NT_STATUS_NO_MEMORY ;
2001-02-27 18:22:39 +00:00
2008-02-01 17:28:01 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
makes a SAM_ENTRY / UNISTR2 * structure from a user list .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 03:33:41 +01:00
static NTSTATUS make_user_sam_entry_list ( TALLOC_CTX * ctx ,
struct samr_SamEntry * * sam_pp ,
uint32_t num_entries ,
uint32_t start_idx ,
2005-04-15 13:41:49 +00:00
struct samr_displayentry * entries )
2001-02-27 18:22:39 +00:00
{
2008-02-12 03:33:41 +01:00
uint32_t i ;
struct samr_SamEntry * sam ;
2008-02-05 12:54:19 +01:00
2001-02-27 18:22:39 +00:00
* sam_pp = NULL ;
2008-02-12 03:33:41 +01:00
if ( num_entries = = 0 ) {
2002-07-15 10:35:28 +00:00
return NT_STATUS_OK ;
2008-02-12 03:33:41 +01:00
}
2001-02-27 18:22:39 +00:00
2008-02-12 03:33:41 +01:00
sam = TALLOC_ZERO_ARRAY ( ctx , struct samr_SamEntry , num_entries ) ;
if ( sam = = NULL ) {
2007-04-27 23:18:41 +00:00
DEBUG ( 0 , ( " make_user_sam_entry_list: TALLOC_ZERO failed! \n " ) ) ;
2002-07-15 10:35:28 +00:00
return NT_STATUS_NO_MEMORY ;
2001-02-27 18:22:39 +00:00
}
2002-07-15 10:35:28 +00:00
for ( i = 0 ; i < num_entries ; i + + ) {
2008-02-12 03:33:41 +01:00
#if 0
2004-09-16 22:08:26 +00:00
/*
* usrmgr expects a non - NULL terminated string with
* trust relationships
*/
2005-04-15 13:41:49 +00:00
if ( entries [ i ] . acct_flags & ACB_DOMTRUST ) {
init_unistr2 ( & uni_temp_name , entries [ i ] . account_name ,
UNI_FLAGS_NONE ) ;
2004-09-16 22:08:26 +00:00
} else {
2005-04-15 13:41:49 +00:00
init_unistr2 ( & uni_temp_name , entries [ i ] . account_name ,
UNI_STR_TERMINATE ) ;
2004-09-16 22:08:26 +00:00
}
2008-02-12 03:33:41 +01:00
# endif
init_lsa_String ( & sam [ i ] . name , entries [ i ] . account_name ) ;
sam [ i ] . idx = entries [ i ] . rid ;
2001-02-27 18:22:39 +00:00
}
* sam_pp = sam ;
2008-02-12 03:33:41 +01:00
2002-07-15 10:35:28 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2008-02-27 16:52:39 +01:00
# define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-12 03:33:41 +01:00
_samr_EnumDomainUsers
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 03:33:41 +01:00
NTSTATUS _samr_EnumDomainUsers ( pipes_struct * p ,
struct samr_EnumDomainUsers * r )
2001-02-27 18:22:39 +00:00
{
2008-02-12 03:33:41 +01:00
NTSTATUS status ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2002-07-15 10:35:28 +00:00
int num_account ;
2008-02-12 03:33:41 +01:00
uint32 enum_context = * r - > in . resume_handle ;
2002-07-15 10:35:28 +00:00
enum remote_arch_types ra_type = get_remote_arch ( ) ;
int max_sam_entries = ( ra_type = = RA_WIN95 ) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K ;
uint32 max_entries = max_sam_entries ;
2005-04-15 13:41:49 +00:00
struct samr_displayentry * entries = NULL ;
2008-02-12 03:33:41 +01:00
struct samr_SamArray * samr_array = NULL ;
struct samr_SamEntry * samr_entries = NULL ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
DEBUG ( 5 , ( " _samr_EnumDomainUsers: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS , NULL ,
struct samr_domain_info , & status ) ;
2008-02-12 03:33:41 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2008-02-12 10:07:50 +01:00
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
if ( sid_check_is_builtin ( & dinfo - > sid ) ) {
2005-11-27 01:26:52 +00:00
/* No users in builtin. */
2008-02-12 03:33:41 +01:00
* r - > out . resume_handle = * r - > in . resume_handle ;
DEBUG ( 5 , ( " _samr_EnumDomainUsers: No users in BUILTIN \n " ) ) ;
return status ;
}
samr_array = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_SamArray ) ;
if ( ! samr_array ) {
return NT_STATUS_NO_MEMORY ;
2005-11-27 01:26:52 +00:00
}
2008-12-02 00:08:56 +01:00
* r - > out . sam = samr_array ;
2005-11-27 01:26:52 +00:00
2001-02-27 18:22:39 +00:00
become_root ( ) ;
2005-11-18 23:15:47 +00:00
/* AS ROOT !!!! */
2009-04-19 22:58:09 +02:00
if ( ( dinfo - > disp_info - > enum_users ! = NULL ) & &
( dinfo - > disp_info - > enum_acb_mask ! = r - > in . acct_flags ) ) {
TALLOC_FREE ( dinfo - > disp_info - > enum_users ) ;
2005-06-22 14:16:10 +00:00
}
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > enum_users = = NULL ) {
dinfo - > disp_info - > enum_users = pdb_search_users (
dinfo - > disp_info , r - > in . acct_flags ) ;
dinfo - > disp_info - > enum_acb_mask = r - > in . acct_flags ;
2005-06-22 14:16:10 +00:00
}
2005-11-18 23:15:47 +00:00
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > enum_users = = NULL ) {
2005-11-18 23:15:47 +00:00
/* END AS ROOT !!!! */
unbecome_root ( ) ;
2005-04-15 13:41:49 +00:00
return NT_STATUS_ACCESS_DENIED ;
2005-11-18 23:15:47 +00:00
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > enum_users ,
2005-04-15 13:41:49 +00:00
enum_context , max_entries ,
& entries ) ;
2005-11-18 23:15:47 +00:00
/* END AS ROOT !!!! */
2001-02-27 18:22:39 +00:00
unbecome_root ( ) ;
2002-07-15 10:35:28 +00:00
2005-04-15 13:41:49 +00:00
if ( num_account = = 0 ) {
2008-02-12 03:33:41 +01:00
DEBUG ( 5 , ( " _samr_EnumDomainUsers: enumeration handle over "
2005-04-15 13:41:49 +00:00
" total entries \n " ) ) ;
2008-02-12 03:33:41 +01:00
* r - > out . resume_handle = * r - > in . resume_handle ;
2002-07-15 10:35:28 +00:00
return NT_STATUS_OK ;
}
2008-02-12 03:33:41 +01:00
status = make_user_sam_entry_list ( p - > mem_ctx , & samr_entries ,
num_account , enum_context ,
entries ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2002-07-15 10:35:28 +00:00
2005-11-18 23:15:47 +00:00
if ( max_entries < = num_account ) {
2008-02-12 03:33:41 +01:00
status = STATUS_MORE_ENTRIES ;
2005-11-18 23:15:47 +00:00
} else {
2008-02-12 03:33:41 +01:00
status = NT_STATUS_OK ;
2005-11-18 23:15:47 +00:00
}
2001-02-27 18:22:39 +00:00
2005-11-22 20:26:23 +00:00
/* Ensure we cache this enumeration. */
2009-04-19 22:58:09 +02:00
set_disp_info_cache_timeout ( dinfo - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-11-22 20:26:23 +00:00
2008-02-12 03:33:41 +01:00
DEBUG ( 5 , ( " _samr_EnumDomainUsers: %d \n " , __LINE__ ) ) ;
samr_array - > count = num_account ;
samr_array - > entries = samr_entries ;
2002-07-15 10:35:28 +00:00
2008-02-12 03:33:41 +01:00
* r - > out . resume_handle = * r - > in . resume_handle + num_account ;
* r - > out . num_entries = num_account ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:33:41 +01:00
DEBUG ( 5 , ( " _samr_EnumDomainUsers: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:33:41 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
makes a SAM_ENTRY / UNISTR2 * structure from a group list .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 03:15:03 +01:00
static void make_group_sam_entry_list ( TALLOC_CTX * ctx ,
struct samr_SamEntry * * sam_pp ,
uint32_t num_sam_entries ,
2005-04-15 13:41:49 +00:00
struct samr_displayentry * entries )
2001-02-27 18:22:39 +00:00
{
2008-02-12 03:15:03 +01:00
struct samr_SamEntry * sam ;
uint32_t i ;
2001-02-27 18:22:39 +00:00
* sam_pp = NULL ;
2008-02-12 03:15:03 +01:00
if ( num_sam_entries = = 0 ) {
2001-02-27 18:22:39 +00:00
return ;
2008-02-12 03:15:03 +01:00
}
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
sam = TALLOC_ZERO_ARRAY ( ctx , struct samr_SamEntry , num_sam_entries ) ;
if ( sam = = NULL ) {
2001-02-27 18:22:39 +00:00
return ;
}
for ( i = 0 ; i < num_sam_entries ; i + + ) {
/*
* JRA . I think this should include the null . TNG does not .
*/
2008-02-12 03:15:03 +01:00
init_lsa_String ( & sam [ i ] . name , entries [ i ] . account_name ) ;
sam [ i ] . idx = entries [ i ] . rid ;
2001-02-27 18:22:39 +00:00
}
* sam_pp = sam ;
}
/*******************************************************************
2008-02-12 03:15:03 +01:00
_samr_EnumDomainGroups
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 03:15:03 +01:00
NTSTATUS _samr_EnumDomainGroups ( pipes_struct * p ,
struct samr_EnumDomainGroups * r )
2001-02-27 18:22:39 +00:00
{
2008-02-12 03:15:03 +01:00
NTSTATUS status ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2005-04-15 13:41:49 +00:00
struct samr_displayentry * groups ;
uint32 num_groups ;
2008-02-12 03:15:03 +01:00
struct samr_SamArray * samr_array = NULL ;
struct samr_SamEntry * samr_entries = NULL ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS , NULL ,
struct samr_domain_info , & status ) ;
2008-02-12 03:15:03 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
DEBUG ( 5 , ( " _samr_EnumDomainGroups: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
if ( sid_check_is_builtin ( & dinfo - > sid ) ) {
2005-11-27 01:26:52 +00:00
/* No groups in builtin. */
2008-02-12 03:15:03 +01:00
* r - > out . resume_handle = * r - > in . resume_handle ;
DEBUG ( 5 , ( " _samr_EnumDomainGroups: No groups in BUILTIN \n " ) ) ;
return status ;
}
samr_array = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_SamArray ) ;
if ( ! samr_array ) {
return NT_STATUS_NO_MEMORY ;
2005-11-27 01:26:52 +00:00
}
2001-05-04 15:44:27 +00:00
/* the domain group array is being allocated in the function below */
2005-04-10 17:12:25 +00:00
2005-04-15 13:41:49 +00:00
become_root ( ) ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > groups = = NULL ) {
dinfo - > disp_info - > groups = pdb_search_groups ( dinfo - > disp_info ) ;
2005-04-15 13:41:49 +00:00
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > groups = = NULL ) {
2005-11-18 23:15:47 +00:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
}
2009-04-19 22:58:09 +02:00
num_groups = pdb_search_entries ( dinfo - > disp_info - > groups ,
2008-02-12 03:15:03 +01:00
* r - > in . resume_handle ,
2005-04-15 13:41:49 +00:00
MAX_SAM_ENTRIES , & groups ) ;
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-11-18 23:15:47 +00:00
/* Ensure we cache this enumeration. */
2009-04-19 22:58:09 +02:00
set_disp_info_cache_timeout ( dinfo - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-11-18 23:15:47 +00:00
2008-02-12 03:15:03 +01:00
make_group_sam_entry_list ( p - > mem_ctx , & samr_entries ,
2005-04-15 13:41:49 +00:00
num_groups , groups ) ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
samr_array - > count = num_groups ;
samr_array - > entries = samr_entries ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
* r - > out . sam = samr_array ;
* r - > out . num_entries = num_groups ;
* r - > out . resume_handle = num_groups + * r - > in . resume_handle ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
DEBUG ( 5 , ( " _samr_EnumDomainGroups: %d \n " , __LINE__ ) ) ;
return status ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-12 03:15:03 +01:00
_samr_EnumDomainAliases
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 03:15:03 +01:00
NTSTATUS _samr_EnumDomainAliases ( pipes_struct * p ,
struct samr_EnumDomainAliases * r )
2001-02-27 18:22:39 +00:00
{
2008-02-12 03:15:03 +01:00
NTSTATUS status ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2005-04-15 13:41:49 +00:00
struct samr_displayentry * aliases ;
uint32 num_aliases = 0 ;
2008-02-12 03:15:03 +01:00
struct samr_SamArray * samr_array = NULL ;
struct samr_SamEntry * samr_entries = NULL ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS , NULL ,
struct samr_domain_info , & status ) ;
2008-02-12 03:15:03 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
DEBUG ( 5 , ( " _samr_EnumDomainAliases: sid %s \n " ,
sid_string_dbg ( & dinfo - > sid ) ) ) ;
2008-02-12 03:15:03 +01:00
samr_array = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_SamArray ) ;
if ( ! samr_array ) {
return NT_STATUS_NO_MEMORY ;
}
2005-04-15 13:41:49 +00:00
become_root ( ) ;
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > aliases = = NULL ) {
dinfo - > disp_info - > aliases = pdb_search_aliases (
dinfo - > disp_info , & dinfo - > sid ) ;
if ( dinfo - > disp_info - > aliases = = NULL ) {
2005-11-18 23:15:47 +00:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
}
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
num_aliases = pdb_search_entries ( dinfo - > disp_info - > aliases ,
2008-02-12 03:15:03 +01:00
* r - > in . resume_handle ,
2005-04-15 13:41:49 +00:00
MAX_SAM_ENTRIES , & aliases ) ;
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-11-18 23:15:47 +00:00
/* Ensure we cache this enumeration. */
2009-04-19 22:58:09 +02:00
set_disp_info_cache_timeout ( dinfo - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-11-18 23:15:47 +00:00
2008-02-12 03:15:03 +01:00
make_group_sam_entry_list ( p - > mem_ctx , & samr_entries ,
2005-04-15 13:41:49 +00:00
num_aliases , aliases ) ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
DEBUG ( 5 , ( " _samr_EnumDomainAliases: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
samr_array - > count = num_aliases ;
samr_array - > entries = samr_entries ;
2001-02-27 18:22:39 +00:00
2008-02-12 03:15:03 +01:00
* r - > out . sam = samr_array ;
* r - > out . num_entries = num_aliases ;
* r - > out . resume_handle = num_aliases + * r - > in . resume_handle ;
return status ;
2001-02-27 18:22:39 +00:00
}
2008-02-12 12:16:02 +01:00
/*******************************************************************
inits a samr_DispInfoGeneral structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_samr_dispinfo_1 ( TALLOC_CTX * ctx ,
struct samr_DispInfoGeneral * r ,
uint32_t num_entries ,
uint32_t start_idx ,
struct samr_displayentry * entries )
{
uint32 i ;
DEBUG ( 10 , ( " init_samr_dispinfo_1: num_entries: %d \n " , num_entries ) ) ;
if ( num_entries = = 0 ) {
return NT_STATUS_OK ;
}
r - > count = num_entries ;
r - > entries = TALLOC_ZERO_ARRAY ( ctx , struct samr_DispEntryGeneral , num_entries ) ;
if ( ! r - > entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_entries ; i + + ) {
init_lsa_String ( & r - > entries [ i ] . account_name ,
entries [ i ] . account_name ) ;
init_lsa_String ( & r - > entries [ i ] . description ,
entries [ i ] . description ) ;
init_lsa_String ( & r - > entries [ i ] . full_name ,
entries [ i ] . fullname ) ;
r - > entries [ i ] . rid = entries [ i ] . rid ;
r - > entries [ i ] . acct_flags = entries [ i ] . acct_flags ;
r - > entries [ i ] . idx = start_idx + i + 1 ;
}
return NT_STATUS_OK ;
}
/*******************************************************************
inits a samr_DispInfoFull structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_samr_dispinfo_2 ( TALLOC_CTX * ctx ,
struct samr_DispInfoFull * r ,
uint32_t num_entries ,
uint32_t start_idx ,
struct samr_displayentry * entries )
{
uint32_t i ;
DEBUG ( 10 , ( " init_samr_dispinfo_2: num_entries: %d \n " , num_entries ) ) ;
if ( num_entries = = 0 ) {
return NT_STATUS_OK ;
}
r - > count = num_entries ;
r - > entries = TALLOC_ZERO_ARRAY ( ctx , struct samr_DispEntryFull , num_entries ) ;
if ( ! r - > entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_entries ; i + + ) {
init_lsa_String ( & r - > entries [ i ] . account_name ,
entries [ i ] . account_name ) ;
init_lsa_String ( & r - > entries [ i ] . description ,
entries [ i ] . description ) ;
r - > entries [ i ] . rid = entries [ i ] . rid ;
r - > entries [ i ] . acct_flags = entries [ i ] . acct_flags ;
r - > entries [ i ] . idx = start_idx + i + 1 ;
}
return NT_STATUS_OK ;
}
/*******************************************************************
inits a samr_DispInfoFullGroups structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_samr_dispinfo_3 ( TALLOC_CTX * ctx ,
struct samr_DispInfoFullGroups * r ,
uint32_t num_entries ,
uint32_t start_idx ,
struct samr_displayentry * entries )
{
uint32_t i ;
DEBUG ( 5 , ( " init_samr_dispinfo_3: num_entries: %d \n " , num_entries ) ) ;
if ( num_entries = = 0 ) {
return NT_STATUS_OK ;
}
r - > count = num_entries ;
r - > entries = TALLOC_ZERO_ARRAY ( ctx , struct samr_DispEntryFullGroup , num_entries ) ;
if ( ! r - > entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_entries ; i + + ) {
init_lsa_String ( & r - > entries [ i ] . account_name ,
entries [ i ] . account_name ) ;
init_lsa_String ( & r - > entries [ i ] . description ,
entries [ i ] . description ) ;
r - > entries [ i ] . rid = entries [ i ] . rid ;
r - > entries [ i ] . acct_flags = entries [ i ] . acct_flags ;
r - > entries [ i ] . idx = start_idx + i + 1 ;
}
return NT_STATUS_OK ;
}
/*******************************************************************
inits a samr_DispInfoAscii structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_samr_dispinfo_4 ( TALLOC_CTX * ctx ,
struct samr_DispInfoAscii * r ,
uint32_t num_entries ,
uint32_t start_idx ,
struct samr_displayentry * entries )
{
uint32_t i ;
DEBUG ( 5 , ( " init_samr_dispinfo_4: num_entries: %d \n " , num_entries ) ) ;
if ( num_entries = = 0 ) {
return NT_STATUS_OK ;
}
r - > count = num_entries ;
r - > entries = TALLOC_ZERO_ARRAY ( ctx , struct samr_DispEntryAscii , num_entries ) ;
if ( ! r - > entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_entries ; i + + ) {
2008-02-28 23:37:47 +01:00
init_lsa_AsciiStringLarge ( & r - > entries [ i ] . account_name ,
entries [ i ] . account_name ) ;
2008-02-12 12:16:02 +01:00
r - > entries [ i ] . idx = start_idx + i + 1 ;
}
return NT_STATUS_OK ;
}
/*******************************************************************
inits a samr_DispInfoAscii structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_samr_dispinfo_5 ( TALLOC_CTX * ctx ,
struct samr_DispInfoAscii * r ,
uint32_t num_entries ,
uint32_t start_idx ,
struct samr_displayentry * entries )
{
uint32_t i ;
DEBUG ( 5 , ( " init_samr_dispinfo_5: num_entries: %d \n " , num_entries ) ) ;
if ( num_entries = = 0 ) {
return NT_STATUS_OK ;
}
r - > count = num_entries ;
r - > entries = TALLOC_ZERO_ARRAY ( ctx , struct samr_DispEntryAscii , num_entries ) ;
if ( ! r - > entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_entries ; i + + ) {
2008-02-28 23:37:47 +01:00
init_lsa_AsciiStringLarge ( & r - > entries [ i ] . account_name ,
entries [ i ] . account_name ) ;
2008-02-12 12:16:02 +01:00
r - > entries [ i ] . idx = start_idx + i + 1 ;
}
return NT_STATUS_OK ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-07 17:57:20 +01:00
_samr_QueryDisplayInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-08 21:58:29 +00:00
2008-02-07 17:57:20 +01:00
NTSTATUS _samr_QueryDisplayInfo ( pipes_struct * p ,
struct samr_QueryDisplayInfo * r )
2001-02-27 18:22:39 +00:00
{
2008-02-07 17:57:20 +01:00
NTSTATUS status ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2001-12-21 22:34:49 +00:00
uint32 struct_size = 0x20 ; /* W2K always reply that, client doesn't care */
2008-02-05 12:54:19 +01:00
2008-02-07 17:57:20 +01:00
uint32 max_entries = r - > in . max_entries ;
uint32 enum_context = r - > in . start_idx ;
uint32 max_size = r - > in . buf_size ;
union samr_DispInfo * disp_info = r - > out . info ;
2001-12-21 13:36:14 +00:00
uint32 temp_size = 0 , total_data_size = 0 ;
2005-11-02 00:19:26 +00:00
NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL ;
2002-01-02 07:27:33 +00:00
uint32 num_account = 0 ;
enum remote_arch_types ra_type = get_remote_arch ( ) ;
2002-07-15 10:35:28 +00:00
int max_sam_entries = ( ra_type = = RA_WIN95 ) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K ;
2005-04-15 13:41:49 +00:00
struct samr_displayentry * entries = NULL ;
2001-02-27 18:22:39 +00:00
2008-02-07 17:57:20 +01:00
DEBUG ( 5 , ( " _samr_QueryDisplayInfo: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS , NULL ,
struct samr_domain_info , & status ) ;
2008-10-20 16:51:37 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2009-05-07 18:40:39 +02:00
if ( sid_check_is_builtin ( & dinfo - > sid ) ) {
DEBUG ( 5 , ( " _samr_QueryDisplayInfo: no users in BUILTIN \n " ) ) ;
return NT_STATUS_OK ;
}
2001-12-21 13:36:14 +00:00
/*
* calculate how many entries we will return .
2008-02-05 12:54:19 +01:00
* based on
2001-12-21 13:36:14 +00:00
* - the number of entries the client asked
* - our limit on that
* - the starting point ( enumeration context )
* - the buffer size the client will accept
*/
2001-07-09 18:25:40 +00:00
2001-12-21 13:36:14 +00:00
/*
* We are a lot more like W2K . Instead of reading the SAM
* each time to find the records we need to send back ,
* we read it once and link that copy to the sam handle .
* For large user list ( over the MAX_SAM_ENTRIES )
* it ' s a definitive win .
* second point to notice : between enumerations
* our sam is now the same as it ' s a snapshoot .
* third point : got rid of the static SAM_USER_21 struct
* no more intermediate .
* con : it uses much more memory , as a full copy is stored
* in memory .
*
* If you want to change it , think twice and think
* of the second point , that ' s really important .
*
* JFM , 12 / 20 / 2001
*/
2001-02-27 18:22:39 +00:00
2008-02-07 17:57:20 +01:00
if ( ( r - > in . level < 1 ) | | ( r - > in . level > 5 ) ) {
DEBUG ( 0 , ( " _samr_QueryDisplayInfo: Unknown info level (%u) \n " ,
( unsigned int ) r - > in . level ) ) ;
2005-04-15 13:41:49 +00:00
return NT_STATUS_INVALID_INFO_CLASS ;
2001-02-27 18:22:39 +00:00
}
2001-12-21 13:36:14 +00:00
/* first limit the number of entries we will return */
2002-01-02 07:27:33 +00:00
if ( max_entries > max_sam_entries ) {
2008-02-07 17:57:20 +01:00
DEBUG ( 5 , ( " _samr_QueryDisplayInfo: client requested %d "
2005-04-15 13:41:49 +00:00
" entries, limiting to %d \n " , max_entries ,
max_sam_entries ) ) ;
2002-01-02 07:27:33 +00:00
max_entries = max_sam_entries ;
2001-12-21 13:36:14 +00:00
}
2005-04-15 13:41:49 +00:00
/* calculate the size and limit on the number of entries we will
* return */
2001-02-27 18:22:39 +00:00
2002-03-29 21:50:21 +00:00
temp_size = max_entries * struct_size ;
2008-02-05 12:54:19 +01:00
2001-12-21 22:34:49 +00:00
if ( temp_size > max_size ) {
2002-03-29 21:50:21 +00:00
max_entries = MIN ( ( max_size / struct_size ) , max_entries ) ; ;
2008-02-07 17:57:20 +01:00
DEBUG ( 5 , ( " _samr_QueryDisplayInfo: buffer size limits to "
2005-04-15 13:41:49 +00:00
" only %d entries \n " , max_entries ) ) ;
2001-12-21 13:36:14 +00:00
}
2001-02-27 18:22:39 +00:00
2005-04-15 13:41:49 +00:00
become_root ( ) ;
2005-11-18 23:15:47 +00:00
/* THe following done as ROOT. Don't return without unbecome_root(). */
2008-02-07 17:57:20 +01:00
switch ( r - > in . level ) {
2005-04-15 13:41:49 +00:00
case 0x1 :
case 0x4 :
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > users = = NULL ) {
dinfo - > disp_info - > users = pdb_search_users (
dinfo - > disp_info , ACB_NORMAL ) ;
if ( dinfo - > disp_info - > users = = NULL ) {
2005-11-18 23:15:47 +00:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-07 17:57:20 +01:00
DEBUG ( 10 , ( " _samr_QueryDisplayInfo: starting user enumeration at index %u \n " ,
2005-11-18 23:15:47 +00:00
( unsigned int ) enum_context ) ) ;
} else {
2008-02-07 17:57:20 +01:00
DEBUG ( 10 , ( " _samr_QueryDisplayInfo: using cached user enumeration at index %u \n " ,
2005-11-18 23:15:47 +00:00
( unsigned int ) enum_context ) ) ;
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > users ,
2005-04-15 13:41:49 +00:00
enum_context , max_entries ,
& entries ) ;
break ;
case 0x2 :
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > machines = = NULL ) {
dinfo - > disp_info - > machines = pdb_search_users (
dinfo - > disp_info , ACB_WSTRUST | ACB_SVRTRUST ) ;
if ( dinfo - > disp_info - > machines = = NULL ) {
2005-11-18 23:15:47 +00:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-07 17:57:20 +01:00
DEBUG ( 10 , ( " _samr_QueryDisplayInfo: starting machine enumeration at index %u \n " ,
2005-11-18 23:15:47 +00:00
( unsigned int ) enum_context ) ) ;
} else {
2008-02-07 17:57:20 +01:00
DEBUG ( 10 , ( " _samr_QueryDisplayInfo: using cached machine enumeration at index %u \n " ,
2005-11-18 23:15:47 +00:00
( unsigned int ) enum_context ) ) ;
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > machines ,
2005-04-15 13:41:49 +00:00
enum_context , max_entries ,
& entries ) ;
break ;
case 0x3 :
case 0x5 :
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > groups = = NULL ) {
dinfo - > disp_info - > groups = pdb_search_groups (
dinfo - > disp_info ) ;
if ( dinfo - > disp_info - > groups = = NULL ) {
2005-11-18 23:15:47 +00:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-07 17:57:20 +01:00
DEBUG ( 10 , ( " _samr_QueryDisplayInfo: starting group enumeration at index %u \n " ,
2005-11-18 23:15:47 +00:00
( unsigned int ) enum_context ) ) ;
} else {
2008-02-07 17:57:20 +01:00
DEBUG ( 10 , ( " _samr_QueryDisplayInfo: using cached group enumeration at index %u \n " ,
2005-11-18 23:15:47 +00:00
( unsigned int ) enum_context ) ) ;
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > groups ,
2005-04-15 13:41:49 +00:00
enum_context , max_entries ,
& entries ) ;
break ;
default :
2005-11-18 23:15:47 +00:00
unbecome_root ( ) ;
2005-04-15 13:41:49 +00:00
smb_panic ( " info class changed " ) ;
break ;
}
unbecome_root ( ) ;
2008-02-07 17:57:20 +01:00
2001-02-27 18:22:39 +00:00
/* Now create reply structure */
2008-02-07 17:57:20 +01:00
switch ( r - > in . level ) {
2001-02-27 18:22:39 +00:00
case 0x1 :
2008-02-12 12:16:02 +01:00
disp_ret = init_samr_dispinfo_1 ( p - > mem_ctx , & disp_info - > info1 ,
num_account , enum_context ,
entries ) ;
2001-02-27 18:22:39 +00:00
break ;
case 0x2 :
2008-02-12 12:16:02 +01:00
disp_ret = init_samr_dispinfo_2 ( p - > mem_ctx , & disp_info - > info2 ,
num_account , enum_context ,
entries ) ;
2001-02-27 18:22:39 +00:00
break ;
case 0x3 :
2008-02-12 12:16:02 +01:00
disp_ret = init_samr_dispinfo_3 ( p - > mem_ctx , & disp_info - > info3 ,
num_account , enum_context ,
entries ) ;
2001-02-27 18:22:39 +00:00
break ;
case 0x4 :
2008-02-12 12:16:02 +01:00
disp_ret = init_samr_dispinfo_4 ( p - > mem_ctx , & disp_info - > info4 ,
num_account , enum_context ,
entries ) ;
2001-02-27 18:22:39 +00:00
break ;
case 0x5 :
2008-02-12 12:16:02 +01:00
disp_ret = init_samr_dispinfo_5 ( p - > mem_ctx , & disp_info - > info5 ,
num_account , enum_context ,
entries ) ;
2001-02-27 18:22:39 +00:00
break ;
default :
2005-04-15 13:41:49 +00:00
smb_panic ( " info class changed " ) ;
break ;
2001-02-27 18:22:39 +00:00
}
2005-04-15 13:41:49 +00:00
if ( ! NT_STATUS_IS_OK ( disp_ret ) )
return disp_ret ;
2001-12-21 13:36:14 +00:00
/* calculate the total size */
2002-01-02 07:27:33 +00:00
total_data_size = num_account * struct_size ;
2001-02-27 18:22:39 +00:00
2008-10-23 03:30:14 +02:00
if ( max_entries < = num_account ) {
2008-02-07 17:57:20 +01:00
status = STATUS_MORE_ENTRIES ;
2005-11-18 23:15:47 +00:00
} else {
2008-02-07 17:57:20 +01:00
status = NT_STATUS_OK ;
2005-11-18 23:15:47 +00:00
}
2001-07-05 22:36:25 +00:00
2005-11-22 20:26:23 +00:00
/* Ensure we cache this enumeration. */
2009-04-19 22:58:09 +02:00
set_disp_info_cache_timeout ( dinfo - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2005-11-22 20:26:23 +00:00
2008-02-07 17:57:20 +01:00
DEBUG ( 5 , ( " _samr_QueryDisplayInfo: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-07 17:57:20 +01:00
* r - > out . total_size = total_data_size ;
* r - > out . returned_size = temp_size ;
2001-12-21 13:36:14 +00:00
2008-02-07 17:57:20 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
2008-02-12 16:39:02 +01:00
/****************************************************************
_samr_QueryDisplayInfo2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_QueryDisplayInfo2 ( pipes_struct * p ,
struct samr_QueryDisplayInfo2 * r )
{
struct samr_QueryDisplayInfo q ;
q . in . domain_handle = r - > in . domain_handle ;
q . in . level = r - > in . level ;
q . in . start_idx = r - > in . start_idx ;
q . in . max_entries = r - > in . max_entries ;
q . in . buf_size = r - > in . buf_size ;
q . out . total_size = r - > out . total_size ;
q . out . returned_size = r - > out . returned_size ;
q . out . info = r - > out . info ;
return _samr_QueryDisplayInfo ( p , & q ) ;
}
/****************************************************************
_samr_QueryDisplayInfo3
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_QueryDisplayInfo3 ( pipes_struct * p ,
struct samr_QueryDisplayInfo3 * r )
{
struct samr_QueryDisplayInfo q ;
q . in . domain_handle = r - > in . domain_handle ;
q . in . level = r - > in . level ;
q . in . start_idx = r - > in . start_idx ;
q . in . max_entries = r - > in . max_entries ;
q . in . buf_size = r - > in . buf_size ;
q . out . total_size = r - > out . total_size ;
q . out . returned_size = r - > out . returned_size ;
q . out . info = r - > out . info ;
return _samr_QueryDisplayInfo ( p , & q ) ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-07 13:14:40 +01:00
_samr_QueryAliasInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-07 13:14:40 +01:00
NTSTATUS _samr_QueryAliasInfo ( pipes_struct * p ,
struct samr_QueryAliasInfo * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2004-04-07 12:43:44 +00:00
struct acct_info info ;
2007-05-11 08:46:54 +00:00
NTSTATUS status ;
2008-02-07 13:14:40 +01:00
union samr_AliasInfo * alias_info = NULL ;
const char * alias_name = NULL ;
const char * alias_description = NULL ;
2001-02-27 18:22:39 +00:00
2008-02-07 13:14:40 +01:00
DEBUG ( 5 , ( " _samr_QueryAliasInfo: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_find ( p , r - > in . alias_handle ,
SAMR_ALIAS_ACCESS_LOOKUP_INFO , NULL ,
struct samr_alias_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-02-07 13:14:40 +01:00
alias_info = TALLOC_ZERO_P ( p - > mem_ctx , union samr_AliasInfo ) ;
if ( ! alias_info ) {
return NT_STATUS_NO_MEMORY ;
}
2001-02-27 18:22:39 +00:00
2003-12-10 16:40:17 +00:00
become_root ( ) ;
2009-04-20 19:04:20 +02:00
status = pdb_get_aliasinfo ( & ainfo - > sid , & info ) ;
2003-12-10 16:40:17 +00:00
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2007-05-11 08:46:54 +00:00
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2001-02-27 18:22:39 +00:00
2008-02-07 13:14:40 +01:00
/* FIXME: info contains fstrings */
alias_name = talloc_strdup ( r , info . acct_name ) ;
alias_description = talloc_strdup ( r , info . acct_desc ) ;
2005-05-03 14:01:39 +00:00
2008-02-07 13:14:40 +01:00
switch ( r - > in . level ) {
case ALIASINFOALL :
2008-12-06 01:44:46 +01:00
alias_info - > all . name . string = alias_name ;
alias_info - > all . num_members = 1 ; /* ??? */
alias_info - > all . description . string = alias_description ;
2001-12-19 00:15:29 +00:00
break ;
2009-05-08 09:55:10 +02:00
case ALIASINFONAME :
alias_info - > name . string = alias_name ;
break ;
2008-02-07 13:14:40 +01:00
case ALIASINFODESCRIPTION :
2008-12-06 01:44:46 +01:00
alias_info - > description . string = alias_description ;
2001-02-27 18:22:39 +00:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2008-02-07 13:14:40 +01:00
* r - > out . info = alias_info ;
2001-02-27 18:22:39 +00:00
2008-02-07 13:14:40 +01:00
DEBUG ( 5 , ( " _samr_QueryAliasInfo: %d \n " , __LINE__ ) ) ;
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-08 13:29:01 +01:00
_samr_LookupNames
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-08 13:29:01 +01:00
NTSTATUS _samr_LookupNames ( pipes_struct * p ,
struct samr_LookupNames * r )
2001-02-27 18:22:39 +00:00
{
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2008-02-08 13:29:01 +01:00
NTSTATUS status ;
2008-05-20 17:29:40 +02:00
uint32 * rid ;
enum lsa_SidType * type ;
2001-12-02 00:06:10 +00:00
int i ;
2008-02-08 13:29:01 +01:00
int num_rids = r - > in . num_names ;
struct samr_Ids rids , types ;
2008-11-25 12:19:35 +01:00
uint32_t num_mapped = 0 ;
2001-02-27 18:22:39 +00:00
2008-02-08 13:29:01 +01:00
DEBUG ( 5 , ( " _samr_LookupNames: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
0 /* Don't know the acc_bits yet */ , NULL ,
struct samr_domain_info , & status ) ;
2008-02-08 13:29:01 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-02-27 18:22:39 +00:00
2001-12-02 00:06:10 +00:00
if ( num_rids > MAX_SAM_ENTRIES ) {
num_rids = MAX_SAM_ENTRIES ;
2008-02-08 13:29:01 +01:00
DEBUG ( 5 , ( " _samr_LookupNames: truncating entries to %d \n " , num_rids ) ) ;
2001-12-02 00:06:10 +00:00
}
2001-02-27 18:22:39 +00:00
2008-05-20 17:29:40 +02:00
rid = talloc_array ( p - > mem_ctx , uint32 , num_rids ) ;
NT_STATUS_HAVE_NO_MEMORY ( rid ) ;
type = talloc_array ( p - > mem_ctx , enum lsa_SidType , num_rids ) ;
2008-05-20 17:48:39 +02:00
NT_STATUS_HAVE_NO_MEMORY ( type ) ;
2008-05-20 17:29:40 +02:00
2008-02-08 13:29:01 +01:00
DEBUG ( 5 , ( " _samr_LookupNames: looking name on SID %s \n " ,
2009-04-19 22:58:09 +02:00
sid_string_dbg ( & dinfo - > sid ) ) ) ;
2008-02-05 12:54:19 +01:00
2001-12-02 00:06:10 +00:00
for ( i = 0 ; i < num_rids ; i + + ) {
2008-02-08 13:29:01 +01:00
status = NT_STATUS_NONE_MAPPED ;
2005-12-03 18:34:13 +00:00
type [ i ] = SID_NAME_UNKNOWN ;
2001-12-02 00:06:10 +00:00
2008-02-08 13:29:01 +01:00
rid [ i ] = 0xffffffff ;
2005-12-03 18:34:13 +00:00
2009-04-19 22:58:09 +02:00
if ( sid_check_is_builtin ( & dinfo - > sid ) ) {
2008-02-08 13:29:01 +01:00
if ( lookup_builtin_name ( r - > in . names [ i ] . string ,
& rid [ i ] ) )
{
2005-12-03 18:34:13 +00:00
type [ i ] = SID_NAME_ALIAS ;
2001-12-02 00:06:10 +00:00
}
2005-12-03 18:34:13 +00:00
} else {
2008-02-08 13:29:01 +01:00
lookup_global_sam_name ( r - > in . names [ i ] . string , 0 ,
& rid [ i ] , & type [ i ] ) ;
2005-12-03 18:34:13 +00:00
}
if ( type [ i ] ! = SID_NAME_UNKNOWN ) {
2008-11-25 12:19:35 +01:00
num_mapped + + ;
2005-12-03 18:34:13 +00:00
}
2001-12-02 00:06:10 +00:00
}
2001-02-27 18:22:39 +00:00
2008-11-25 12:19:35 +01:00
if ( num_mapped = = num_rids ) {
status = NT_STATUS_OK ;
} else if ( num_mapped = = 0 ) {
status = NT_STATUS_NONE_MAPPED ;
} else {
status = STATUS_SOME_UNMAPPED ;
}
2008-02-08 13:29:01 +01:00
rids . count = num_rids ;
rids . ids = rid ;
2001-02-27 18:22:39 +00:00
2008-02-08 13:29:01 +01:00
types . count = num_rids ;
types . ids = type ;
2001-02-27 18:22:39 +00:00
2008-02-08 13:29:01 +01:00
* r - > out . rids = rids ;
* r - > out . types = types ;
DEBUG ( 5 , ( " _samr_LookupNames: %d \n " , __LINE__ ) ) ;
return status ;
2001-02-27 18:22:39 +00:00
}
2009-05-08 00:16:43 +02:00
/****************************************************************
_samr_ChangePasswordUser
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_ChangePasswordUser ( pipes_struct * p ,
struct samr_ChangePasswordUser * r )
{
NTSTATUS status ;
bool ret = false ;
struct samr_user_info * uinfo ;
struct samu * pwd ;
struct samr_Password new_lmPwdHash , new_ntPwdHash , checkHash ;
struct samr_Password lm_pwd , nt_pwd ;
uinfo = policy_handle_find ( p , r - > in . user_handle ,
SAMR_USER_ACCESS_SET_PASSWORD , NULL ,
struct samr_user_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
DEBUG ( 5 , ( " _samr_ChangePasswordUser: sid:%s \n " ,
sid_string_dbg ( & uinfo - > sid ) ) ) ;
if ( ! ( pwd = samu_new ( NULL ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
become_root ( ) ;
ret = pdb_getsampwsid ( pwd , & uinfo - > sid ) ;
unbecome_root ( ) ;
if ( ! ret ) {
TALLOC_FREE ( pwd ) ;
return NT_STATUS_WRONG_PASSWORD ;
}
{
const uint8_t * lm_pass , * nt_pass ;
lm_pass = pdb_get_lanman_passwd ( pwd ) ;
nt_pass = pdb_get_nt_passwd ( pwd ) ;
2009-05-08 00:18:28 +02:00
if ( ! lm_pass | | ! nt_pass ) {
2009-05-08 01:23:54 +02:00
status = NT_STATUS_WRONG_PASSWORD ;
goto out ;
2009-05-08 00:18:28 +02:00
}
2009-05-08 00:16:43 +02:00
memcpy ( & lm_pwd . hash , lm_pass , sizeof ( lm_pwd . hash ) ) ;
memcpy ( & nt_pwd . hash , nt_pass , sizeof ( nt_pwd . hash ) ) ;
}
/* basic sanity checking on parameters. Do this before any database ops */
if ( ! r - > in . lm_present | | ! r - > in . nt_present | |
! r - > in . old_lm_crypted | | ! r - > in . new_lm_crypted | |
! r - > in . old_nt_crypted | | ! r - > in . new_nt_crypted ) {
/* we should really handle a change with lm not
present */
status = NT_STATUS_INVALID_PARAMETER_MIX ;
goto out ;
}
/* decrypt and check the new lm hash */
D_P16 ( lm_pwd . hash , r - > in . new_lm_crypted - > hash , new_lmPwdHash . hash ) ;
D_P16 ( new_lmPwdHash . hash , r - > in . old_lm_crypted - > hash , checkHash . hash ) ;
if ( memcmp ( checkHash . hash , lm_pwd . hash , 16 ) ! = 0 ) {
status = NT_STATUS_WRONG_PASSWORD ;
goto out ;
}
/* decrypt and check the new nt hash */
D_P16 ( nt_pwd . hash , r - > in . new_nt_crypted - > hash , new_ntPwdHash . hash ) ;
D_P16 ( new_ntPwdHash . hash , r - > in . old_nt_crypted - > hash , checkHash . hash ) ;
if ( memcmp ( checkHash . hash , nt_pwd . hash , 16 ) ! = 0 ) {
status = NT_STATUS_WRONG_PASSWORD ;
goto out ;
}
/* The NT Cross is not required by Win2k3 R2, but if present
check the nt cross hash */
if ( r - > in . cross1_present & & r - > in . nt_cross ) {
D_P16 ( lm_pwd . hash , r - > in . nt_cross - > hash , checkHash . hash ) ;
if ( memcmp ( checkHash . hash , new_ntPwdHash . hash , 16 ) ! = 0 ) {
status = NT_STATUS_WRONG_PASSWORD ;
goto out ;
}
}
/* The LM Cross is not required by Win2k3 R2, but if present
check the lm cross hash */
if ( r - > in . cross2_present & & r - > in . lm_cross ) {
D_P16 ( nt_pwd . hash , r - > in . lm_cross - > hash , checkHash . hash ) ;
if ( memcmp ( checkHash . hash , new_lmPwdHash . hash , 16 ) ! = 0 ) {
status = NT_STATUS_WRONG_PASSWORD ;
goto out ;
}
}
if ( ! pdb_set_nt_passwd ( pwd , new_ntPwdHash . hash , PDB_CHANGED ) | |
! pdb_set_lanman_passwd ( pwd , new_lmPwdHash . hash , PDB_CHANGED ) ) {
status = NT_STATUS_ACCESS_DENIED ;
goto out ;
}
status = pdb_update_sam_account ( pwd ) ;
out :
TALLOC_FREE ( pwd ) ;
return status ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-01 23:06:43 +01:00
_samr_ChangePasswordUser2
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-08 19:42:23 +01:00
2008-02-01 23:06:43 +01:00
NTSTATUS _samr_ChangePasswordUser2 ( pipes_struct * p ,
struct samr_ChangePasswordUser2 * r )
2001-02-27 18:22:39 +00:00
{
2008-02-01 23:06:43 +01:00
NTSTATUS status ;
2003-07-31 01:33:44 +00:00
fstring user_name ;
fstring wks ;
2001-02-27 18:22:39 +00:00
2008-02-01 23:06:43 +01:00
DEBUG ( 5 , ( " _samr_ChangePasswordUser2: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-01 23:06:43 +01:00
fstrcpy ( user_name , r - > in . account - > string ) ;
fstrcpy ( wks , r - > in . server - > string ) ;
2001-02-27 18:22:39 +00:00
2008-02-01 23:06:43 +01:00
DEBUG ( 5 , ( " _samr_ChangePasswordUser2: user: %s wks: %s \n " , user_name , wks ) ) ;
2001-02-27 18:22:39 +00:00
2001-04-15 22:29:36 +00:00
/*
* Pass the user through the NT - > unix user mapping
* function .
*/
2008-02-05 12:54:19 +01:00
2001-04-15 22:29:36 +00:00
( void ) map_username ( user_name ) ;
2008-02-05 12:54:19 +01:00
2001-04-15 22:29:36 +00:00
/*
2008-02-05 12:54:19 +01:00
* UNIX username case mangling not required , pass_oem_change
2002-01-17 08:45:58 +00:00
* is case insensitive .
2001-04-15 22:29:36 +00:00
*/
2008-02-08 19:42:23 +01:00
status = pass_oem_change ( user_name ,
r - > in . lm_password - > data ,
r - > in . lm_verifier - > hash ,
r - > in . nt_password - > data ,
r - > in . nt_verifier - > hash ,
NULL ) ;
2001-02-27 18:22:39 +00:00
2008-02-01 23:06:43 +01:00
DEBUG ( 5 , ( " _samr_ChangePasswordUser2: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-05-07 23:56:22 +02:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NO_SUCH_USER ) ) {
return NT_STATUS_WRONG_PASSWORD ;
}
2008-02-01 23:06:43 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
2009-05-07 23:26:54 +02:00
/****************************************************************
_samr_OemChangePasswordUser2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_OemChangePasswordUser2 ( pipes_struct * p ,
struct samr_OemChangePasswordUser2 * r )
{
NTSTATUS status ;
fstring user_name ;
const char * wks = NULL ;
DEBUG ( 5 , ( " _samr_OemChangePasswordUser2: %d \n " , __LINE__ ) ) ;
fstrcpy ( user_name , r - > in . account - > string ) ;
if ( r - > in . server & & r - > in . server - > string ) {
wks = r - > in . server - > string ;
}
DEBUG ( 5 , ( " _samr_OemChangePasswordUser2: user: %s wks: %s \n " , user_name , wks ) ) ;
/*
* Pass the user through the NT - > unix user mapping
* function .
*/
( void ) map_username ( user_name ) ;
/*
* UNIX username case mangling not required , pass_oem_change
* is case insensitive .
*/
if ( ! r - > in . hash | | ! r - > in . password ) {
return NT_STATUS_INVALID_PARAMETER ;
}
status = pass_oem_change ( user_name ,
r - > in . password - > data ,
r - > in . hash - > hash ,
0 ,
0 ,
NULL ) ;
2009-05-07 23:56:22 +02:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NO_SUCH_USER ) ) {
return NT_STATUS_WRONG_PASSWORD ;
}
2009-05-07 23:26:54 +02:00
DEBUG ( 5 , ( " _samr_OemChangePasswordUser2: %d \n " , __LINE__ ) ) ;
return status ;
}
2006-02-10 23:09:00 +00:00
/*******************************************************************
2008-02-05 18:44:30 +01:00
_samr_ChangePasswordUser3
2006-02-10 23:09:00 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 18:44:30 +01:00
NTSTATUS _samr_ChangePasswordUser3 ( pipes_struct * p ,
struct samr_ChangePasswordUser3 * r )
2006-02-10 23:09:00 +00:00
{
2008-02-05 18:44:30 +01:00
NTSTATUS status ;
2006-02-10 23:09:00 +00:00
fstring user_name ;
2008-02-05 18:44:30 +01:00
const char * wks = NULL ;
2006-02-10 23:09:00 +00:00
uint32 reject_reason ;
2008-02-05 18:44:30 +01:00
struct samr_DomInfo1 * dominfo = NULL ;
struct samr_ChangeReject * reject = NULL ;
2009-01-18 13:15:23 +01:00
uint32_t tmp ;
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
DEBUG ( 5 , ( " _samr_ChangePasswordUser3: %d \n " , __LINE__ ) ) ;
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
fstrcpy ( user_name , r - > in . account - > string ) ;
if ( r - > in . server & & r - > in . server - > string ) {
wks = r - > in . server - > string ;
}
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
DEBUG ( 5 , ( " _samr_ChangePasswordUser3: user: %s wks: %s \n " , user_name , wks ) ) ;
2006-02-10 23:09:00 +00:00
/*
* Pass the user through the NT - > unix user mapping
* function .
*/
2008-02-05 12:54:19 +01:00
2006-02-10 23:09:00 +00:00
( void ) map_username ( user_name ) ;
2008-02-05 12:54:19 +01:00
2006-02-10 23:09:00 +00:00
/*
2008-02-05 12:54:19 +01:00
* UNIX username case mangling not required , pass_oem_change
2006-02-10 23:09:00 +00:00
* is case insensitive .
*/
2008-02-05 18:44:30 +01:00
status = pass_oem_change ( user_name ,
r - > in . lm_password - > data ,
r - > in . lm_verifier - > hash ,
r - > in . nt_password - > data ,
r - > in . nt_verifier - > hash ,
& reject_reason ) ;
2009-05-07 23:56:22 +02:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NO_SUCH_USER ) ) {
return NT_STATUS_WRONG_PASSWORD ;
}
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_PASSWORD_RESTRICTION ) | |
NT_STATUS_EQUAL ( status , NT_STATUS_ACCOUNT_RESTRICTION ) ) {
2006-02-10 23:09:00 +00:00
time_t u_expire , u_min_age ;
uint32 account_policy_temp ;
2008-02-05 18:44:30 +01:00
dominfo = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_DomInfo1 ) ;
if ( ! dominfo ) {
2006-02-10 23:09:00 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-02-05 18:44:30 +01:00
reject = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_ChangeReject ) ;
if ( ! reject ) {
2006-02-10 23:09:00 +00:00
return NT_STATUS_NO_MEMORY ;
}
become_root ( ) ;
/* AS ROOT !!! */
2009-01-18 13:15:23 +01:00
pdb_get_account_policy ( AP_MIN_PASSWORD_LEN , & tmp ) ;
dominfo - > min_password_length = tmp ;
2006-02-10 23:09:00 +00:00
2009-01-18 13:15:23 +01:00
pdb_get_account_policy ( AP_PASSWORD_HISTORY , & tmp ) ;
dominfo - > password_history_length = tmp ;
2006-02-10 23:09:00 +00:00
2008-12-06 01:33:28 +01:00
pdb_get_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS ,
& dominfo - > password_properties ) ;
2006-02-10 23:09:00 +00:00
pdb_get_account_policy ( AP_MAX_PASSWORD_AGE , & account_policy_temp ) ;
u_expire = account_policy_temp ;
pdb_get_account_policy ( AP_MIN_PASSWORD_AGE , & account_policy_temp ) ;
u_min_age = account_policy_temp ;
/* !AS ROOT */
2008-02-05 12:54:19 +01:00
2006-02-10 23:09:00 +00:00
unbecome_root ( ) ;
2008-12-06 01:33:28 +01:00
unix_to_nt_time_abs ( ( NTTIME * ) & dominfo - > max_password_age , u_expire ) ;
unix_to_nt_time_abs ( ( NTTIME * ) & dominfo - > min_password_age , u_min_age ) ;
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
if ( lp_check_password_script ( ) & & * lp_check_password_script ( ) ) {
2008-12-06 01:33:28 +01:00
dominfo - > password_properties | = DOMAIN_PASSWORD_COMPLEX ;
2008-02-05 18:44:30 +01:00
}
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
reject - > reason = reject_reason ;
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
* r - > out . dominfo = dominfo ;
* r - > out . reject = reject ;
}
2006-02-10 23:09:00 +00:00
2008-02-05 18:44:30 +01:00
DEBUG ( 5 , ( " _samr_ChangePasswordUser3: %d \n " , __LINE__ ) ) ;
return status ;
2006-02-10 23:09:00 +00:00
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
makes a SAMR_R_LOOKUP_RIDS structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
static bool make_samr_lookup_rids ( TALLOC_CTX * ctx , uint32 num_names ,
2008-02-06 21:29:17 +01:00
const char * * names ,
struct lsa_String * * lsa_name_array_p )
2001-02-27 18:22:39 +00:00
{
2008-02-06 21:29:17 +01:00
struct lsa_String * lsa_name_array = NULL ;
uint32_t i ;
2001-02-27 18:22:39 +00:00
2008-02-06 21:29:17 +01:00
* lsa_name_array_p = NULL ;
2001-02-27 18:22:39 +00:00
if ( num_names ! = 0 ) {
2008-02-06 21:29:17 +01:00
lsa_name_array = TALLOC_ZERO_ARRAY ( ctx , struct lsa_String , num_names ) ;
if ( ! lsa_name_array ) {
return false ;
}
2001-02-27 18:22:39 +00:00
}
for ( i = 0 ; i < num_names ; i + + ) {
2005-08-05 04:48:02 +00:00
DEBUG ( 10 , ( " names[%d]:%s \n " , i , names [ i ] & & * names [ i ] ? names [ i ] : " " ) ) ;
2008-02-06 21:29:17 +01:00
init_lsa_String ( & lsa_name_array [ i ] , names [ i ] ) ;
2001-02-27 18:22:39 +00:00
}
2008-02-06 21:29:17 +01:00
* lsa_name_array_p = lsa_name_array ;
2001-02-27 18:22:39 +00:00
2008-02-06 21:29:17 +01:00
return true ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-06 21:29:17 +01:00
_samr_LookupRids
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-06 21:29:17 +01:00
NTSTATUS _samr_LookupRids ( pipes_struct * p ,
struct samr_LookupRids * r )
2001-02-27 18:22:39 +00:00
{
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2008-02-06 21:29:17 +01:00
NTSTATUS status ;
2005-03-22 20:50:29 +00:00
const char * * names ;
2006-09-08 14:28:06 +00:00
enum lsa_SidType * attrs = NULL ;
2006-06-29 17:03:19 +00:00
uint32 * wire_attrs = NULL ;
2008-02-06 21:29:17 +01:00
int num_rids = ( int ) r - > in . num_rids ;
2006-06-29 17:03:19 +00:00
int i ;
2008-02-06 21:29:17 +01:00
struct lsa_Strings names_array ;
struct samr_Ids types_array ;
struct lsa_String * lsa_names = NULL ;
2006-06-29 17:03:19 +00:00
2008-02-06 21:29:17 +01:00
DEBUG ( 5 , ( " _samr_LookupRids: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
0 /* Don't know the acc_bits yet */ , NULL ,
struct samr_domain_info , & status ) ;
2008-10-20 16:51:37 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2005-02-20 15:15:33 +00:00
if ( num_rids > 1000 ) {
DEBUG ( 0 , ( " Got asked for %d rids (more than 1000) -- according "
" to samba4 idl this is not possible \n " , num_rids ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
2001-02-27 18:22:39 +00:00
}
2007-04-30 00:53:17 +00:00
if ( num_rids ) {
names = TALLOC_ZERO_ARRAY ( p - > mem_ctx , const char * , num_rids ) ;
attrs = TALLOC_ZERO_ARRAY ( p - > mem_ctx , enum lsa_SidType , num_rids ) ;
wire_attrs = TALLOC_ZERO_ARRAY ( p - > mem_ctx , uint32 , num_rids ) ;
2005-03-22 20:50:29 +00:00
2007-04-30 00:53:17 +00:00
if ( ( names = = NULL ) | | ( attrs = = NULL ) | | ( wire_attrs = = NULL ) )
return NT_STATUS_NO_MEMORY ;
} else {
names = NULL ;
attrs = NULL ;
wire_attrs = NULL ;
}
2005-03-22 20:50:29 +00:00
2002-01-26 10:03:25 +00:00
become_root ( ) ; /* lookup_sid can require root privs */
2009-04-19 22:58:09 +02:00
status = pdb_lookup_rids ( & dinfo - > sid , num_rids , r - > in . rids ,
2008-02-06 21:29:17 +01:00
names , attrs ) ;
2002-01-26 10:03:25 +00:00
unbecome_root ( ) ;
2008-02-06 21:29:17 +01:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NONE_MAPPED ) & & ( num_rids = = 0 ) ) {
status = NT_STATUS_OK ;
2006-03-15 00:10:38 +00:00
}
2008-02-06 21:29:17 +01:00
if ( ! make_samr_lookup_rids ( p - > mem_ctx , num_rids , names ,
& lsa_names ) ) {
2001-02-27 18:22:39 +00:00
return NT_STATUS_NO_MEMORY ;
2008-02-06 21:29:17 +01:00
}
2001-02-27 18:22:39 +00:00
2006-09-08 14:28:06 +00:00
/* Convert from enum lsa_SidType to uint32 for wire format. */
2006-06-29 17:03:19 +00:00
for ( i = 0 ; i < num_rids ; i + + ) {
wire_attrs [ i ] = ( uint32 ) attrs [ i ] ;
}
2008-02-06 21:29:17 +01:00
names_array . count = num_rids ;
names_array . names = lsa_names ;
2001-02-27 18:22:39 +00:00
2008-02-06 21:29:17 +01:00
types_array . count = num_rids ;
types_array . ids = wire_attrs ;
2001-02-27 18:22:39 +00:00
2008-02-06 21:29:17 +01:00
* r - > out . names = names_array ;
* r - > out . types = types_array ;
DEBUG ( 5 , ( " _samr_LookupRids: %d \n " , __LINE__ ) ) ;
return status ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-01 00:39:06 +01:00
_samr_OpenUser
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-02-27 18:22:39 +00:00
2008-02-01 00:39:06 +01:00
NTSTATUS _samr_OpenUser ( pipes_struct * p ,
struct samr_OpenUser * r )
2001-02-27 18:22:39 +00:00
{
2006-02-20 20:09:36 +00:00
struct samu * sampass = NULL ;
2001-05-04 15:44:27 +00:00
DOM_SID sid ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
2002-07-15 10:35:28 +00:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2008-02-01 00:39:06 +01:00
uint32 des_access = r - > in . access_mask ;
2002-07-15 10:35:28 +00:00
size_t sd_size ;
2007-10-18 17:40:25 -07:00
bool ret ;
2002-07-15 10:35:28 +00:00
NTSTATUS nt_status ;
2005-01-26 20:36:44 +00:00
SE_PRIV se_rights ;
2009-04-19 22:58:09 +02:00
NTSTATUS status ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT , NULL ,
struct samr_domain_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2002-07-15 10:35:28 +00:00
2006-02-21 14:34:11 +00:00
if ( ! ( sampass = samu_new ( p - > mem_ctx ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
2001-02-27 18:22:39 +00:00
2002-07-15 10:35:28 +00:00
/* append the user's RID to it */
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
if ( ! sid_compose ( & sid , & dinfo - > sid , r - > in . rid ) )
2002-07-15 10:35:28 +00:00
return NT_STATUS_NO_SUCH_USER ;
2008-02-05 12:54:19 +01:00
2002-07-15 10:35:28 +00:00
/* check if access can be granted as requested by client. */
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2008-10-21 18:05:48 -07:00
2005-01-31 22:42:30 +00:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & usr_generic_mapping , & sid , SAMR_USR_RIGHTS_WRITE_PW ) ;
2002-07-15 10:35:28 +00:00
se_map_generic ( & des_access , & usr_generic_mapping ) ;
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
se_priv_copy ( & se_rights , & se_machine_account ) ;
se_priv_add ( & se_rights , & se_add_users ) ;
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
nt_status = access_check_samr_object ( psd , p - > server_info - > ptok ,
2008-02-05 12:54:19 +01:00
& se_rights , GENERIC_RIGHTS_USER_WRITE , des_access ,
2008-02-01 00:39:06 +01:00
& acc_granted , " _samr_OpenUser " ) ;
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-07-15 10:35:28 +00:00
return nt_status ;
2001-05-08 16:33:18 +00:00
2001-05-04 15:44:27 +00:00
become_root ( ) ;
2002-07-15 10:35:28 +00:00
ret = pdb_getsampwsid ( sampass , & sid ) ;
2001-05-04 15:44:27 +00:00
unbecome_root ( ) ;
2001-02-27 18:22:39 +00:00
2002-07-15 10:35:28 +00:00
/* check that the SID exists in our domain. */
2001-05-04 15:44:27 +00:00
if ( ret = = False ) {
return NT_STATUS_NO_SUCH_USER ;
}
2001-02-27 18:22:39 +00:00
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( sampass ) ;
2001-03-13 00:32:43 +00:00
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_create ( p , r - > out . user_handle , acc_granted ,
struct samr_user_info , & nt_status ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
uinfo - > sid = sid ;
2001-02-27 18:22:39 +00:00
2008-02-01 00:39:06 +01:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2008-03-31 20:40:16 +02:00
/*************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_samr_parameters_string ( TALLOC_CTX * mem_ctx ,
DATA_BLOB * blob ,
struct lsa_BinaryString * * _r )
{
struct lsa_BinaryString * r ;
if ( ! blob | | ! _r ) {
return NT_STATUS_INVALID_PARAMETER ;
}
r = TALLOC_ZERO_P ( mem_ctx , struct lsa_BinaryString ) ;
if ( ! r ) {
return NT_STATUS_NO_MEMORY ;
}
r - > array = TALLOC_ZERO_ARRAY ( mem_ctx , uint16_t , blob - > length / 2 ) ;
if ( ! r - > array ) {
return NT_STATUS_NO_MEMORY ;
}
memcpy ( r - > array , blob - > data , blob - > length ) ;
r - > size = blob - > length ;
r - > length = blob - > length ;
if ( ! r - > array ) {
return NT_STATUS_NO_MEMORY ;
}
* _r = r ;
return NT_STATUS_OK ;
}
2009-05-07 17:05:49 +02:00
/*************************************************************************
get_user_info_1 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_1 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo1 * r ,
struct samu * pw ,
DOM_SID * domain_sid )
{
const DOM_SID * sid_group ;
uint32_t primary_gid ;
become_root ( ) ;
sid_group = pdb_get_group_sid ( pw ) ;
unbecome_root ( ) ;
if ( ! sid_peek_check_rid ( domain_sid , sid_group , & primary_gid ) ) {
DEBUG ( 0 , ( " get_user_info_1: User %s has Primary Group SID %s, \n "
" which conflicts with the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_group ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
r - > account_name . string = talloc_strdup ( mem_ctx , pdb_get_username ( pw ) ) ;
r - > full_name . string = talloc_strdup ( mem_ctx , pdb_get_fullname ( pw ) ) ;
r - > primary_gid = primary_gid ;
r - > description . string = talloc_strdup ( mem_ctx , pdb_get_acct_desc ( pw ) ) ;
r - > comment . string = talloc_strdup ( mem_ctx , pdb_get_comment ( pw ) ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_2 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_2 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo2 * r ,
struct samu * pw )
{
r - > comment . string = talloc_strdup ( mem_ctx , pdb_get_comment ( pw ) ) ;
r - > unknown . string = NULL ;
r - > country_code = 0 ;
r - > code_page = 0 ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_3 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_3 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo3 * r ,
struct samu * pw ,
DOM_SID * domain_sid )
{
const DOM_SID * sid_user , * sid_group ;
uint32_t rid , primary_gid ;
sid_user = pdb_get_user_sid ( pw ) ;
if ( ! sid_peek_check_rid ( domain_sid , sid_user , & rid ) ) {
DEBUG ( 0 , ( " get_user_info_3: User %s has SID %s, \n which conflicts with "
" the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_user ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
become_root ( ) ;
sid_group = pdb_get_group_sid ( pw ) ;
unbecome_root ( ) ;
if ( ! sid_peek_check_rid ( domain_sid , sid_group , & primary_gid ) ) {
DEBUG ( 0 , ( " get_user_info_3: User %s has Primary Group SID %s, \n "
" which conflicts with the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_group ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
unix_to_nt_time ( & r - > last_logon , pdb_get_logon_time ( pw ) ) ;
unix_to_nt_time ( & r - > last_logoff , pdb_get_logoff_time ( pw ) ) ;
unix_to_nt_time ( & r - > last_password_change , pdb_get_pass_last_set_time ( pw ) ) ;
unix_to_nt_time ( & r - > allow_password_change , pdb_get_pass_can_change_time ( pw ) ) ;
unix_to_nt_time ( & r - > force_password_change , pdb_get_pass_must_change_time ( pw ) ) ;
r - > account_name . string = talloc_strdup ( mem_ctx , pdb_get_username ( pw ) ) ;
r - > full_name . string = talloc_strdup ( mem_ctx , pdb_get_fullname ( pw ) ) ;
r - > home_directory . string = talloc_strdup ( mem_ctx , pdb_get_homedir ( pw ) ) ;
r - > home_drive . string = talloc_strdup ( mem_ctx , pdb_get_dir_drive ( pw ) ) ;
r - > logon_script . string = talloc_strdup ( mem_ctx , pdb_get_logon_script ( pw ) ) ;
r - > profile_path . string = talloc_strdup ( mem_ctx , pdb_get_profile_path ( pw ) ) ;
r - > workstations . string = talloc_strdup ( mem_ctx , pdb_get_workstations ( pw ) ) ;
r - > logon_hours = get_logon_hours_from_pdb ( mem_ctx , pw ) ;
r - > rid = rid ;
r - > primary_gid = primary_gid ;
r - > acct_flags = pdb_get_acct_ctrl ( pw ) ;
r - > bad_password_count = pdb_get_bad_password_count ( pw ) ;
r - > logon_count = pdb_get_logon_count ( pw ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_4 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_4 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo4 * r ,
struct samu * pw )
{
r - > logon_hours = get_logon_hours_from_pdb ( mem_ctx , pw ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_5 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-11-25 12:21:37 +01:00
static NTSTATUS get_user_info_5 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo5 * r ,
2008-12-02 02:08:05 +01:00
struct samu * pw ,
2008-11-25 12:21:37 +01:00
DOM_SID * domain_sid )
{
const DOM_SID * sid_user , * sid_group ;
uint32_t rid , primary_gid ;
sid_user = pdb_get_user_sid ( pw ) ;
if ( ! sid_peek_check_rid ( domain_sid , sid_user , & rid ) ) {
DEBUG ( 0 , ( " get_user_info_5: User %s has SID %s, \n which conflicts with "
" the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_user ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
become_root ( ) ;
sid_group = pdb_get_group_sid ( pw ) ;
unbecome_root ( ) ;
if ( ! sid_peek_check_rid ( domain_sid , sid_group , & primary_gid ) ) {
DEBUG ( 0 , ( " get_user_info_5: User %s has Primary Group SID %s, \n "
" which conflicts with the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_group ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2008-12-06 00:28:34 +01:00
unix_to_nt_time ( & r - > last_logon , pdb_get_logon_time ( pw ) ) ;
unix_to_nt_time ( & r - > last_logoff , pdb_get_logoff_time ( pw ) ) ;
unix_to_nt_time ( & r - > acct_expiry , pdb_get_kickoff_time ( pw ) ) ;
unix_to_nt_time ( & r - > last_password_change , pdb_get_pass_last_set_time ( pw ) ) ;
r - > account_name . string = talloc_strdup ( mem_ctx , pdb_get_username ( pw ) ) ;
r - > full_name . string = talloc_strdup ( mem_ctx , pdb_get_fullname ( pw ) ) ;
r - > home_directory . string = talloc_strdup ( mem_ctx , pdb_get_homedir ( pw ) ) ;
r - > home_drive . string = talloc_strdup ( mem_ctx , pdb_get_dir_drive ( pw ) ) ;
r - > logon_script . string = talloc_strdup ( mem_ctx , pdb_get_logon_script ( pw ) ) ;
r - > profile_path . string = talloc_strdup ( mem_ctx , pdb_get_profile_path ( pw ) ) ;
r - > description . string = talloc_strdup ( mem_ctx , pdb_get_acct_desc ( pw ) ) ;
r - > workstations . string = talloc_strdup ( mem_ctx , pdb_get_workstations ( pw ) ) ;
r - > logon_hours = get_logon_hours_from_pdb ( mem_ctx , pw ) ;
r - > rid = rid ;
r - > primary_gid = primary_gid ;
r - > acct_flags = pdb_get_acct_ctrl ( pw ) ;
r - > bad_password_count = pdb_get_bad_password_count ( pw ) ;
r - > logon_count = pdb_get_logon_count ( pw ) ;
2008-11-25 12:21:37 +01:00
return NT_STATUS_OK ;
}
2009-05-07 17:05:49 +02:00
/*************************************************************************
get_user_info_6 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_6 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo6 * r ,
struct samu * pw )
{
r - > account_name . string = talloc_strdup ( mem_ctx , pdb_get_username ( pw ) ) ;
r - > full_name . string = talloc_strdup ( mem_ctx , pdb_get_fullname ( pw ) ) ;
return NT_STATUS_OK ;
}
2005-01-22 11:26:13 +00:00
/*************************************************************************
get_user_info_7 . Safe . Only gives out account_name .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
static NTSTATUS get_user_info_7 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo7 * r ,
2008-12-02 02:08:05 +01:00
struct samu * smbpass )
2005-01-22 11:26:13 +00:00
{
2008-12-06 00:28:34 +01:00
r - > account_name . string = talloc_strdup ( mem_ctx , pdb_get_username ( smbpass ) ) ;
if ( ! r - > account_name . string ) {
2008-02-12 12:58:47 +01:00
return NT_STATUS_NO_MEMORY ;
}
2005-01-22 11:26:13 +00:00
return NT_STATUS_OK ;
}
2006-01-14 12:37:25 +00:00
2009-05-07 17:05:49 +02:00
/*************************************************************************
get_user_info_8 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_8 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo8 * r ,
struct samu * pw )
{
r - > full_name . string = talloc_strdup ( mem_ctx , pdb_get_fullname ( pw ) ) ;
return NT_STATUS_OK ;
}
2006-01-14 12:37:25 +00:00
/*************************************************************************
get_user_info_9 . Only gives out primary group SID .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
static NTSTATUS get_user_info_9 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo9 * r ,
2008-12-02 02:08:05 +01:00
struct samu * smbpass )
2006-01-14 12:37:25 +00:00
{
2008-12-06 00:28:34 +01:00
r - > primary_gid = pdb_get_group_rid ( smbpass ) ;
2006-01-14 12:37:25 +00:00
return NT_STATUS_OK ;
}
2009-05-07 17:05:49 +02:00
/*************************************************************************
get_user_info_10 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_10 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo10 * r ,
struct samu * pw )
{
r - > home_directory . string = talloc_strdup ( mem_ctx , pdb_get_homedir ( pw ) ) ;
r - > home_drive . string = talloc_strdup ( mem_ctx , pdb_get_dir_drive ( pw ) ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_11 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_11 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo11 * r ,
struct samu * pw )
{
r - > logon_script . string = talloc_strdup ( mem_ctx , pdb_get_logon_script ( pw ) ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_12 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_12 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo12 * r ,
struct samu * pw )
{
r - > profile_path . string = talloc_strdup ( mem_ctx , pdb_get_profile_path ( pw ) ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_13 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_13 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo13 * r ,
struct samu * pw )
{
r - > description . string = talloc_strdup ( mem_ctx , pdb_get_acct_desc ( pw ) ) ;
return NT_STATUS_OK ;
}
/*************************************************************************
get_user_info_14 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_14 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo14 * r ,
struct samu * pw )
{
r - > workstations . string = talloc_strdup ( mem_ctx , pdb_get_workstations ( pw ) ) ;
return NT_STATUS_OK ;
}
2001-02-27 18:22:39 +00:00
/*************************************************************************
2005-07-19 00:59:25 +00:00
get_user_info_16 . Safe . Only gives out acb bits .
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
static NTSTATUS get_user_info_16 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo16 * r ,
2008-12-02 02:08:05 +01:00
struct samu * smbpass )
2001-02-27 18:22:39 +00:00
{
2008-12-06 00:28:34 +01:00
r - > acct_flags = pdb_get_acct_ctrl ( smbpass ) ;
2001-02-27 18:22:39 +00:00
2002-07-15 10:35:28 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2009-05-07 17:05:49 +02:00
/*************************************************************************
get_user_info_17 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS get_user_info_17 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo17 * r ,
struct samu * pw )
{
unix_to_nt_time ( & r - > acct_expiry , pdb_get_kickoff_time ( pw ) ) ;
return NT_STATUS_OK ;
}
2001-02-27 18:22:39 +00:00
/*************************************************************************
2005-07-19 00:59:25 +00:00
get_user_info_18 . OK - this is the killer as it gives out password info .
2001-03-13 00:32:43 +00:00
Ensure that this is only allowed on an encrypted connection with a root
2008-02-05 12:54:19 +01:00
user . JRA .
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
static NTSTATUS get_user_info_18 ( pipes_struct * p ,
TALLOC_CTX * mem_ctx ,
struct samr_UserInfo18 * r ,
DOM_SID * user_sid )
2001-02-27 18:22:39 +00:00
{
2006-02-20 20:09:36 +00:00
struct samu * smbpass = NULL ;
2007-10-18 17:40:25 -07:00
bool ret ;
2001-02-27 18:22:39 +00:00
2008-02-12 12:58:47 +01:00
ZERO_STRUCTP ( r ) ;
2005-09-30 17:13:37 +00:00
if ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_NTLMSSP | | p - > auth . auth_type ! = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP ) {
2001-03-13 00:32:43 +00:00
return NT_STATUS_ACCESS_DENIED ;
2005-09-30 17:13:37 +00:00
}
2001-03-13 00:32:43 +00:00
2005-09-30 17:13:37 +00:00
if ( p - > auth . auth_level ! = PIPE_AUTH_LEVEL_PRIVACY ) {
2001-03-13 00:32:43 +00:00
return NT_STATUS_ACCESS_DENIED ;
2005-09-30 17:13:37 +00:00
}
2001-03-13 00:32:43 +00:00
/*
* Do * NOT * do become_root ( ) / unbecome_root ( ) here ! JRA .
*/
2006-02-21 14:34:11 +00:00
if ( ! ( smbpass = samu_new ( mem_ctx ) ) ) {
return NT_STATUS_NO_MEMORY ;
2002-07-15 10:35:28 +00:00
}
ret = pdb_getsampwsid ( smbpass , user_sid ) ;
2001-02-27 18:22:39 +00:00
2001-05-04 15:44:27 +00:00
if ( ret = = False ) {
2007-12-15 21:11:36 +01:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_dbg ( user_sid ) ) ) ;
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( smbpass ) ;
2001-03-13 00:32:43 +00:00
return ( geteuid ( ) = = ( uid_t ) 0 ) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED ;
2001-02-27 18:22:39 +00:00
}
2001-05-04 15:44:27 +00:00
DEBUG ( 3 , ( " User:[%s] 0x%x \n " , pdb_get_username ( smbpass ) , pdb_get_acct_ctrl ( smbpass ) ) ) ;
2001-02-27 18:22:39 +00:00
2001-05-04 15:44:27 +00:00
if ( pdb_get_acct_ctrl ( smbpass ) & ACB_DISABLED ) {
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( smbpass ) ;
2001-05-04 15:44:27 +00:00
return NT_STATUS_ACCOUNT_DISABLED ;
}
2001-02-27 18:22:39 +00:00
2008-12-06 00:28:34 +01:00
r - > lm_pwd_active = true ;
r - > nt_pwd_active = true ;
memcpy ( r - > lm_pwd . hash , pdb_get_lanman_passwd ( smbpass ) , 16 ) ;
memcpy ( r - > nt_pwd . hash , pdb_get_nt_passwd ( smbpass ) , 16 ) ;
r - > password_expired = 0 ; /* FIXME */
2008-02-05 12:54:19 +01:00
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( smbpass ) ;
2001-02-27 18:22:39 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2001-07-09 18:25:40 +00:00
/*************************************************************************
get_user_info_20
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
static NTSTATUS get_user_info_20 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo20 * r ,
2008-12-02 02:08:05 +01:00
struct samu * sampass )
2001-07-09 18:25:40 +00:00
{
2008-02-12 12:58:47 +01:00
const char * munged_dial = NULL ;
DATA_BLOB blob ;
2008-03-31 20:43:18 +02:00
NTSTATUS status ;
struct lsa_BinaryString * parameters = NULL ;
2008-02-12 12:58:47 +01:00
ZERO_STRUCTP ( r ) ;
2001-07-09 18:25:40 +00:00
2008-02-12 12:58:47 +01:00
munged_dial = pdb_get_munged_dial ( sampass ) ;
2008-03-31 20:43:18 +02:00
DEBUG ( 3 , ( " User:[%s] has [%s] (length: %d) \n " , pdb_get_username ( sampass ) ,
2008-04-01 00:14:00 +02:00
munged_dial , ( int ) strlen ( munged_dial ) ) ) ;
2001-07-09 18:25:40 +00:00
2008-02-12 12:58:47 +01:00
if ( munged_dial ) {
blob = base64_decode_data_blob ( munged_dial ) ;
2008-03-31 20:43:18 +02:00
} else {
2008-10-13 05:20:26 +02:00
blob = data_blob_string_const_null ( " " ) ;
2008-02-12 12:58:47 +01:00
}
2008-03-31 20:43:18 +02:00
status = init_samr_parameters_string ( mem_ctx , & blob , & parameters ) ;
2008-02-12 12:58:47 +01:00
data_blob_free ( & blob ) ;
2008-03-31 20:43:18 +02:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-12-06 00:28:34 +01:00
r - > parameters = * parameters ;
2001-07-09 18:25:40 +00:00
2002-07-15 10:35:28 +00:00
return NT_STATUS_OK ;
2001-07-09 18:25:40 +00:00
}
2008-02-12 12:58:47 +01:00
2001-02-27 18:22:39 +00:00
/*************************************************************************
get_user_info_21
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
static NTSTATUS get_user_info_21 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo21 * r ,
2008-12-02 02:08:05 +01:00
struct samu * pw ,
2008-02-12 12:58:47 +01:00
DOM_SID * domain_sid )
2001-02-27 18:22:39 +00:00
{
2008-03-31 20:43:18 +02:00
NTSTATUS status ;
2008-02-12 12:58:47 +01:00
const DOM_SID * sid_user , * sid_group ;
uint32_t rid , primary_gid ;
2008-12-06 00:28:34 +01:00
NTTIME force_password_change ;
2008-02-12 12:58:47 +01:00
time_t must_change_time ;
2008-03-31 20:43:18 +02:00
struct lsa_BinaryString * parameters = NULL ;
2008-02-12 12:58:47 +01:00
const char * munged_dial = NULL ;
DATA_BLOB blob ;
ZERO_STRUCTP ( r ) ;
sid_user = pdb_get_user_sid ( pw ) ;
2008-02-05 12:54:19 +01:00
2008-02-12 12:58:47 +01:00
if ( ! sid_peek_check_rid ( domain_sid , sid_user , & rid ) ) {
DEBUG ( 0 , ( " get_user_info_21: User %s has SID %s, \n which conflicts with "
" the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_user ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2001-02-27 18:22:39 +00:00
2008-02-12 12:58:47 +01:00
become_root ( ) ;
sid_group = pdb_get_group_sid ( pw ) ;
unbecome_root ( ) ;
if ( ! sid_peek_check_rid ( domain_sid , sid_group , & primary_gid ) ) {
DEBUG ( 0 , ( " get_user_info_21: User %s has Primary Group SID %s, \n "
" which conflicts with the domain sid %s. Failing operation. \n " ,
pdb_get_username ( pw ) , sid_string_dbg ( sid_group ) ,
sid_string_dbg ( domain_sid ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2008-12-06 00:28:34 +01:00
unix_to_nt_time ( & r - > last_logon , pdb_get_logon_time ( pw ) ) ;
unix_to_nt_time ( & r - > last_logoff , pdb_get_logoff_time ( pw ) ) ;
unix_to_nt_time ( & r - > acct_expiry , pdb_get_kickoff_time ( pw ) ) ;
unix_to_nt_time ( & r - > last_password_change , pdb_get_pass_last_set_time ( pw ) ) ;
unix_to_nt_time ( & r - > allow_password_change , pdb_get_pass_can_change_time ( pw ) ) ;
2008-02-12 12:58:47 +01:00
must_change_time = pdb_get_pass_must_change_time ( pw ) ;
if ( must_change_time = = get_time_t_max ( ) ) {
unix_to_nt_time_abs ( & force_password_change , must_change_time ) ;
} else {
unix_to_nt_time ( & force_password_change , must_change_time ) ;
}
munged_dial = pdb_get_munged_dial ( pw ) ;
if ( munged_dial ) {
blob = base64_decode_data_blob ( munged_dial ) ;
2008-02-12 17:21:17 -08:00
} else {
2008-10-13 05:20:26 +02:00
blob = data_blob_string_const_null ( " " ) ;
2008-02-12 12:58:47 +01:00
}
2008-03-31 20:43:18 +02:00
status = init_samr_parameters_string ( mem_ctx , & blob , & parameters ) ;
data_blob_free ( & blob ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-02-12 12:58:47 +01:00
2008-12-06 00:28:34 +01:00
r - > force_password_change = force_password_change ;
r - > account_name . string = talloc_strdup ( mem_ctx , pdb_get_username ( pw ) ) ;
r - > full_name . string = talloc_strdup ( mem_ctx , pdb_get_fullname ( pw ) ) ;
r - > home_directory . string = talloc_strdup ( mem_ctx , pdb_get_homedir ( pw ) ) ;
r - > home_drive . string = talloc_strdup ( mem_ctx , pdb_get_dir_drive ( pw ) ) ;
r - > logon_script . string = talloc_strdup ( mem_ctx , pdb_get_logon_script ( pw ) ) ;
r - > profile_path . string = talloc_strdup ( mem_ctx , pdb_get_profile_path ( pw ) ) ;
r - > description . string = talloc_strdup ( mem_ctx , pdb_get_acct_desc ( pw ) ) ;
r - > workstations . string = talloc_strdup ( mem_ctx , pdb_get_workstations ( pw ) ) ;
r - > comment . string = talloc_strdup ( mem_ctx , pdb_get_comment ( pw ) ) ;
r - > logon_hours = get_logon_hours_from_pdb ( mem_ctx , pw ) ;
r - > parameters = * parameters ;
r - > rid = rid ;
r - > primary_gid = primary_gid ;
r - > acct_flags = pdb_get_acct_ctrl ( pw ) ;
r - > bad_password_count = pdb_get_bad_password_count ( pw ) ;
r - > logon_count = pdb_get_logon_count ( pw ) ;
r - > fields_present = pdb_build_fields_present ( pw ) ;
r - > password_expired = ( pdb_get_pass_must_change_time ( pw ) = = 0 ) ?
PASS_MUST_CHANGE_AT_NEXT_LOGON : 0 ;
r - > country_code = 0 ;
r - > code_page = 0 ;
r - > lm_password_set = 0 ;
r - > nt_password_set = 0 ;
2008-02-12 12:58:47 +01:00
#if 0
/*
Look at a user on a real NT4 PDC with usrmgr , press
' ok ' . Then you will see that fields_present is set to
0x08f827fa . Look at the user immediately after that again ,
and you will see that 0x00fffff is returned . This solves
the problem that you get access denied after having looked
at the user .
- - Volker
*/
# endif
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-12 12:58:47 +01:00
_samr_QueryUserInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-12 12:58:47 +01:00
NTSTATUS _samr_QueryUserInfo ( pipes_struct * p ,
struct samr_QueryUserInfo * r )
2001-02-27 18:22:39 +00:00
{
2008-02-12 12:58:47 +01:00
NTSTATUS status ;
union samr_UserInfo * user_info = NULL ;
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
2002-07-15 10:35:28 +00:00
DOM_SID domain_sid ;
uint32 rid ;
2008-12-02 02:08:05 +01:00
bool ret = false ;
struct samu * pwd = NULL ;
2008-02-05 12:54:19 +01:00
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_find ( p , r - > in . user_handle ,
SAMR_USER_ACCESS_GET_ATTRIBUTES , NULL ,
struct samr_user_info , & status ) ;
2008-10-20 16:51:37 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2009-04-20 18:01:49 +02:00
domain_sid = uinfo - > sid ;
2002-07-15 10:35:28 +00:00
sid_split_rid ( & domain_sid , & rid ) ;
2009-04-20 18:01:49 +02:00
if ( ! sid_check_is_in_our_domain ( & uinfo - > sid ) )
2001-02-27 18:22:39 +00:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2008-02-12 12:58:47 +01:00
DEBUG ( 5 , ( " _samr_QueryUserInfo: sid:%s \n " ,
2009-04-20 18:01:49 +02:00
sid_string_dbg ( & uinfo - > sid ) ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-12 12:58:47 +01:00
user_info = TALLOC_ZERO_P ( p - > mem_ctx , union samr_UserInfo ) ;
if ( ! user_info ) {
2001-02-27 18:22:39 +00:00
return NT_STATUS_NO_MEMORY ;
2008-02-12 12:58:47 +01:00
}
2001-02-27 18:22:39 +00:00
2008-02-12 12:58:47 +01:00
DEBUG ( 5 , ( " _samr_QueryUserInfo: user info level: %d \n " , r - > in . level ) ) ;
2006-01-14 12:37:25 +00:00
2008-12-02 02:08:05 +01:00
if ( ! ( pwd = samu_new ( p - > mem_ctx ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
become_root ( ) ;
2009-04-20 18:01:49 +02:00
ret = pdb_getsampwsid ( pwd , & uinfo - > sid ) ;
2008-12-02 02:08:05 +01:00
unbecome_root ( ) ;
if ( ret = = false ) {
2009-04-20 18:01:49 +02:00
DEBUG ( 4 , ( " User %s not found \n " , sid_string_dbg ( & uinfo - > sid ) ) ) ;
2008-12-02 02:08:05 +01:00
TALLOC_FREE ( pwd ) ;
return NT_STATUS_NO_SUCH_USER ;
}
DEBUG ( 3 , ( " User:[%s] \n " , pdb_get_username ( pwd ) ) ) ;
samr_clear_sam_passwd ( pwd ) ;
2008-02-12 12:58:47 +01:00
switch ( r - > in . level ) {
2009-05-07 17:05:49 +02:00
case 1 :
status = get_user_info_1 ( p - > mem_ctx , & user_info - > info1 , pwd , & domain_sid ) ;
break ;
case 2 :
status = get_user_info_2 ( p - > mem_ctx , & user_info - > info2 , pwd ) ;
break ;
case 3 :
status = get_user_info_3 ( p - > mem_ctx , & user_info - > info3 , pwd , & domain_sid ) ;
break ;
case 4 :
status = get_user_info_4 ( p - > mem_ctx , & user_info - > info4 , pwd ) ;
break ;
2008-11-25 12:21:37 +01:00
case 5 :
2008-12-02 02:08:05 +01:00
status = get_user_info_5 ( p - > mem_ctx , & user_info - > info5 , pwd , & domain_sid ) ;
2008-11-25 12:21:37 +01:00
break ;
2009-05-07 17:05:49 +02:00
case 6 :
status = get_user_info_6 ( p - > mem_ctx , & user_info - > info6 , pwd ) ;
break ;
2005-07-19 00:59:25 +00:00
case 7 :
2008-12-02 02:08:05 +01:00
status = get_user_info_7 ( p - > mem_ctx , & user_info - > info7 , pwd ) ;
2005-01-22 11:26:13 +00:00
break ;
2009-05-07 17:05:49 +02:00
case 8 :
status = get_user_info_8 ( p - > mem_ctx , & user_info - > info8 , pwd ) ;
break ;
2006-01-14 12:37:25 +00:00
case 9 :
2008-12-02 02:08:05 +01:00
status = get_user_info_9 ( p - > mem_ctx , & user_info - > info9 , pwd ) ;
2006-01-14 12:37:25 +00:00
break ;
2009-05-07 17:05:49 +02:00
case 10 :
status = get_user_info_10 ( p - > mem_ctx , & user_info - > info10 , pwd ) ;
break ;
case 11 :
status = get_user_info_11 ( p - > mem_ctx , & user_info - > info11 , pwd ) ;
break ;
case 12 :
status = get_user_info_12 ( p - > mem_ctx , & user_info - > info12 , pwd ) ;
break ;
case 13 :
status = get_user_info_13 ( p - > mem_ctx , & user_info - > info13 , pwd ) ;
break ;
case 14 :
status = get_user_info_14 ( p - > mem_ctx , & user_info - > info14 , pwd ) ;
break ;
2005-07-19 00:59:25 +00:00
case 16 :
2008-12-02 02:08:05 +01:00
status = get_user_info_16 ( p - > mem_ctx , & user_info - > info16 , pwd ) ;
2001-02-27 18:22:39 +00:00
break ;
2009-05-07 17:05:49 +02:00
case 17 :
status = get_user_info_17 ( p - > mem_ctx , & user_info - > info17 , pwd ) ;
break ;
2005-07-19 00:59:25 +00:00
case 18 :
2008-12-02 02:08:05 +01:00
/* level 18 is special */
2009-04-20 18:01:49 +02:00
status = get_user_info_18 ( p , p - > mem_ctx , & user_info - > info18 ,
& uinfo - > sid ) ;
2001-02-27 18:22:39 +00:00
break ;
2001-07-09 18:25:40 +00:00
case 20 :
2008-12-02 02:08:05 +01:00
status = get_user_info_20 ( p - > mem_ctx , & user_info - > info20 , pwd ) ;
2001-07-09 18:25:40 +00:00
break ;
2001-02-27 18:22:39 +00:00
case 21 :
2008-12-02 02:08:05 +01:00
status = get_user_info_21 ( p - > mem_ctx , & user_info - > info21 , pwd , & domain_sid ) ;
2001-02-27 18:22:39 +00:00
break ;
default :
2008-12-02 02:08:05 +01:00
status = NT_STATUS_INVALID_INFO_CLASS ;
break ;
2001-02-27 18:22:39 +00:00
}
2008-12-02 02:08:05 +01:00
TALLOC_FREE ( pwd ) ;
2008-02-12 12:58:47 +01:00
* r - > out . info = user_info ;
2001-02-27 18:22:39 +00:00
2008-02-12 12:58:47 +01:00
DEBUG ( 5 , ( " _samr_QueryUserInfo: %d \n " , __LINE__ ) ) ;
2008-02-05 12:54:19 +01:00
2008-02-12 12:58:47 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
2008-11-25 15:50:28 +01:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_QueryUserInfo2 ( pipes_struct * p ,
struct samr_QueryUserInfo2 * r )
{
struct samr_QueryUserInfo u ;
u . in . user_handle = r - > in . user_handle ;
u . in . level = r - > in . level ;
u . out . info = r - > out . info ;
return _samr_QueryUserInfo ( p , & u ) ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-06 16:06:04 +01:00
_samr_GetGroupsForUser
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-06 16:06:04 +01:00
NTSTATUS _samr_GetGroupsForUser ( pipes_struct * p ,
struct samr_GetGroupsForUser * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
2006-02-20 20:09:36 +00:00
struct samu * sam_pass = NULL ;
2004-11-12 15:49:47 +00:00
DOM_SID * sids ;
2008-02-06 16:06:04 +01:00
struct samr_RidWithAttribute dom_gid ;
struct samr_RidWithAttribute * gids = NULL ;
2006-02-03 22:19:41 +00:00
uint32 primary_group_rid ;
2005-10-18 03:24:00 +00:00
size_t num_groups = 0 ;
2004-11-12 15:49:47 +00:00
gid_t * unix_gids ;
2005-10-18 03:24:00 +00:00
size_t i , num_gids ;
2007-10-18 17:40:25 -07:00
bool ret ;
2004-11-12 15:49:47 +00:00
NTSTATUS result ;
2007-10-18 17:40:25 -07:00
bool success = False ;
2001-02-27 18:22:39 +00:00
2008-02-06 16:06:04 +01:00
struct samr_RidWithAttributeArray * rids = NULL ;
2001-12-02 01:45:50 +00:00
/*
* from the SID in the request :
* we should send back the list of DOMAIN GROUPS
* the user is a member of
*
* and only the DOMAIN GROUPS
* no ALIASES ! ! ! neither aliases of the domain
* nor aliases of the builtin SID
*
* JFM , 12 / 2 / 2001
*/
2008-02-06 16:06:04 +01:00
DEBUG ( 5 , ( " _samr_GetGroupsForUser: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_find ( p , r - > in . user_handle ,
SAMR_USER_ACCESS_GET_GROUPS , NULL ,
struct samr_user_info , & result ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
return result ;
}
2008-02-06 16:06:04 +01:00
rids = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_RidWithAttributeArray ) ;
if ( ! rids ) {
return NT_STATUS_NO_MEMORY ;
}
2001-02-27 18:22:39 +00:00
2009-04-20 18:01:49 +02:00
if ( ! sid_check_is_in_our_domain ( & uinfo - > sid ) )
2001-05-04 15:44:27 +00:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2001-02-27 18:22:39 +00:00
2006-02-21 14:34:11 +00:00
if ( ! ( sam_pass = samu_new ( p - > mem_ctx ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
2001-05-04 15:44:27 +00:00
become_root ( ) ;
2009-04-20 18:01:49 +02:00
ret = pdb_getsampwsid ( sam_pass , & uinfo - > sid ) ;
2001-05-04 15:44:27 +00:00
unbecome_root ( ) ;
2001-02-27 18:22:39 +00:00
2006-02-03 22:19:41 +00:00
if ( ! ret ) {
DEBUG ( 10 , ( " pdb_getsampwsid failed for %s \n " ,
2009-04-20 18:01:49 +02:00
sid_string_dbg ( & uinfo - > sid ) ) ) ;
2004-11-12 15:49:47 +00:00
return NT_STATUS_NO_SUCH_USER ;
}
sids = NULL ;
2007-02-22 20:52:27 +00:00
/* make both calls inside the root block */
2004-11-12 15:49:47 +00:00
become_root ( ) ;
2006-02-03 22:19:41 +00:00
result = pdb_enum_group_memberships ( p - > mem_ctx , sam_pass ,
2004-11-12 15:49:47 +00:00
& sids , & unix_gids , & num_groups ) ;
2007-02-22 20:52:27 +00:00
if ( NT_STATUS_IS_OK ( result ) ) {
2008-02-05 12:54:19 +01:00
success = sid_peek_check_rid ( get_global_sam_sid ( ) ,
2007-02-22 20:52:27 +00:00
pdb_get_group_sid ( sam_pass ) ,
& primary_group_rid ) ;
}
2004-11-12 15:49:47 +00:00
unbecome_root ( ) ;
2006-02-03 22:19:41 +00:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 10 , ( " pdb_enum_group_memberships failed for %s \n " ,
2009-04-20 18:01:49 +02:00
sid_string_dbg ( & uinfo - > sid ) ) ) ;
2004-11-12 15:49:47 +00:00
return result ;
2006-02-03 22:19:41 +00:00
}
2004-11-12 15:49:47 +00:00
2007-02-22 20:52:27 +00:00
if ( ! success ) {
2006-02-03 22:19:41 +00:00
DEBUG ( 5 , ( " Group sid %s for user %s not in our domain \n " ,
2007-12-15 21:11:36 +01:00
sid_string_dbg ( pdb_get_group_sid ( sam_pass ) ) ,
2006-02-03 22:19:41 +00:00
pdb_get_username ( sam_pass ) ) ) ;
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( sam_pass ) ;
2006-02-03 22:19:41 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2007-02-22 20:52:27 +00:00
gids = NULL ;
num_gids = 0 ;
2006-02-03 22:19:41 +00:00
2008-02-06 16:06:04 +01:00
dom_gid . attributes = ( SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED ) ;
dom_gid . rid = primary_group_rid ;
ADD_TO_ARRAY ( p - > mem_ctx , struct samr_RidWithAttribute , dom_gid , & gids , & num_gids ) ;
2006-02-03 22:19:41 +00:00
2004-11-12 15:49:47 +00:00
for ( i = 0 ; i < num_groups ; i + + ) {
if ( ! sid_peek_check_rid ( get_global_sam_sid ( ) ,
2008-02-06 16:06:04 +01:00
& ( sids [ i ] ) , & dom_gid . rid ) ) {
2006-02-03 22:19:41 +00:00
DEBUG ( 10 , ( " Found sid %s not in our domain \n " ,
2007-12-15 21:11:36 +01:00
sid_string_dbg ( & sids [ i ] ) ) ) ;
2006-02-03 22:19:41 +00:00
continue ;
}
2008-02-06 16:06:04 +01:00
if ( dom_gid . rid = = primary_group_rid ) {
2006-02-03 22:19:41 +00:00
/* We added the primary group directly from the
* sam_account . The other SIDs are unique from
* enum_group_memberships */
2004-11-12 15:49:47 +00:00
continue ;
2006-02-03 22:19:41 +00:00
}
2004-11-12 15:49:47 +00:00
2008-02-06 16:06:04 +01:00
ADD_TO_ARRAY ( p - > mem_ctx , struct samr_RidWithAttribute , dom_gid , & gids , & num_gids ) ;
2001-12-04 21:53:47 +00:00
}
2008-02-05 12:54:19 +01:00
2008-02-06 16:06:04 +01:00
rids - > count = num_gids ;
rids - > rids = gids ;
2008-02-05 12:54:19 +01:00
2008-02-06 16:06:04 +01:00
* r - > out . rids = rids ;
2008-02-05 12:54:19 +01:00
2008-02-06 16:06:04 +01:00
DEBUG ( 5 , ( " _samr_GetGroupsForUser: %d \n " , __LINE__ ) ) ;
return result ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-10-23 03:30:58 +02:00
_samr_QueryDomainInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-10-23 03:30:58 +02:00
NTSTATUS _samr_QueryDomainInfo ( pipes_struct * p ,
struct samr_QueryDomainInfo * r )
2001-02-27 18:22:39 +00:00
{
2008-02-05 15:03:54 +01:00
NTSTATUS status = NT_STATUS_OK ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2008-02-05 15:03:54 +01:00
union samr_DomainInfo * dom_info ;
2001-12-03 17:14:23 +00:00
time_t u_expire , u_min_age ;
time_t u_lock_duration , u_reset_time ;
2008-12-06 01:33:28 +01:00
uint32_t u_logout ;
2001-12-03 17:14:23 +00:00
2002-08-17 15:34:15 +00:00
uint32 account_policy_temp ;
2005-09-30 17:13:37 +00:00
time_t seq_num ;
2005-02-07 14:14:44 +00:00
uint32 server_role ;
2002-08-17 15:34:15 +00:00
2008-10-23 03:30:58 +02:00
DEBUG ( 5 , ( " _samr_QueryDomainInfo: %d \n " , __LINE__ ) ) ;
2008-02-05 15:03:54 +01:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_ACCESS_LOOKUP_DOMAIN , NULL ,
struct samr_domain_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-02-05 15:03:54 +01:00
dom_info = TALLOC_ZERO_P ( p - > mem_ctx , union samr_DomainInfo ) ;
if ( ! dom_info ) {
2001-02-27 18:22:39 +00:00
return NT_STATUS_NO_MEMORY ;
2005-10-31 23:47:57 +00:00
}
2001-02-27 18:22:39 +00:00
2008-10-23 03:30:58 +02:00
switch ( r - > in . level ) {
2001-12-03 17:14:23 +00:00
case 0x01 :
2008-02-05 12:54:19 +01:00
2005-10-31 23:47:57 +00:00
become_root ( ) ;
/* AS ROOT !!! */
2008-12-06 01:33:28 +01:00
pdb_get_account_policy ( AP_MIN_PASSWORD_LEN ,
2009-01-18 13:15:23 +01:00
& account_policy_temp ) ;
dom_info - > info1 . min_password_length = account_policy_temp ;
2001-12-03 17:14:23 +00:00
2009-01-18 13:15:23 +01:00
pdb_get_account_policy ( AP_PASSWORD_HISTORY , & account_policy_temp ) ;
dom_info - > info1 . password_history_length = account_policy_temp ;
2002-08-17 15:34:15 +00:00
2008-12-06 01:33:28 +01:00
pdb_get_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS ,
& dom_info - > info1 . password_properties ) ;
2002-08-17 15:34:15 +00:00
2005-09-30 17:13:37 +00:00
pdb_get_account_policy ( AP_MAX_PASSWORD_AGE , & account_policy_temp ) ;
2002-08-17 15:34:15 +00:00
u_expire = account_policy_temp ;
2005-09-30 17:13:37 +00:00
pdb_get_account_policy ( AP_MIN_PASSWORD_AGE , & account_policy_temp ) ;
2002-08-17 15:34:15 +00:00
u_min_age = account_policy_temp ;
2005-10-31 23:47:57 +00:00
/* !AS ROOT */
2008-02-05 12:54:19 +01:00
2005-10-31 23:47:57 +00:00
unbecome_root ( ) ;
2008-12-06 01:33:28 +01:00
unix_to_nt_time_abs ( ( NTTIME * ) & dom_info - > info1 . max_password_age , u_expire ) ;
unix_to_nt_time_abs ( ( NTTIME * ) & dom_info - > info1 . min_password_age , u_min_age ) ;
2001-12-03 17:14:23 +00:00
2008-10-20 20:16:03 +02:00
if ( lp_check_password_script ( ) & & * lp_check_password_script ( ) ) {
2008-12-06 01:33:28 +01:00
dom_info - > info1 . password_properties | = DOMAIN_PASSWORD_COMPLEX ;
2008-10-20 20:16:03 +02:00
}
2001-12-03 17:14:23 +00:00
break ;
case 0x02 :
2005-10-31 23:47:57 +00:00
2005-04-15 13:41:49 +00:00
become_root ( ) ;
2005-10-31 23:47:57 +00:00
/* AS ROOT !!! */
2009-04-19 22:58:09 +02:00
dom_info - > general . num_users = count_sam_users (
dinfo - > disp_info , ACB_NORMAL ) ;
dom_info - > general . num_groups = count_sam_groups (
dinfo - > disp_info ) ;
dom_info - > general . num_aliases = count_sam_aliases (
dinfo - > disp_info ) ;
2004-12-22 23:50:31 +00:00
2008-12-06 01:33:28 +01:00
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , & u_logout ) ;
2004-12-22 23:50:31 +00:00
2008-12-06 01:33:28 +01:00
unix_to_nt_time_abs ( & dom_info - > general . force_logoff_time , u_logout ) ;
2004-12-22 23:50:31 +00:00
2005-09-30 17:13:37 +00:00
if ( ! pdb_get_seq_num ( & seq_num ) )
seq_num = time ( NULL ) ;
2005-10-31 23:47:57 +00:00
/* !AS ROOT */
2008-02-05 12:54:19 +01:00
2005-10-31 23:47:57 +00:00
unbecome_root ( ) ;
2005-02-07 14:14:44 +00:00
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
2008-12-06 01:33:28 +01:00
dom_info - > general . oem_information . string = lp_serverstring ( ) ;
dom_info - > general . domain_name . string = lp_workgroup ( ) ;
dom_info - > general . primary . string = global_myname ( ) ;
dom_info - > general . sequence_num = seq_num ;
dom_info - > general . domain_server_state = DOMAIN_SERVER_ENABLED ;
dom_info - > general . role = server_role ;
dom_info - > general . unknown3 = 1 ;
2001-12-03 17:14:23 +00:00
break ;
case 0x03 :
2005-10-31 23:47:57 +00:00
become_root ( ) ;
/* AS ROOT !!! */
2005-12-03 06:46:46 +00:00
{
uint32 ul ;
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , & ul ) ;
u_logout = ( time_t ) ul ;
}
2005-10-31 23:47:57 +00:00
/* !AS ROOT */
2008-02-05 12:54:19 +01:00
2005-10-31 23:47:57 +00:00
unbecome_root ( ) ;
2008-12-06 01:33:28 +01:00
unix_to_nt_time_abs ( & dom_info - > info3 . force_logoff_time , u_logout ) ;
2008-02-05 15:03:54 +01:00
2001-12-03 17:14:23 +00:00
break ;
2006-05-05 08:26:34 +00:00
case 0x04 :
2008-12-06 01:33:28 +01:00
dom_info - > oem . oem_information . string = lp_serverstring ( ) ;
2006-05-05 08:26:34 +00:00
break ;
2001-12-03 17:14:23 +00:00
case 0x05 :
2008-12-06 01:33:28 +01:00
dom_info - > info5 . domain_name . string = get_global_sam_name ( ) ;
2001-12-03 17:14:23 +00:00
break ;
case 0x06 :
2006-05-04 19:01:11 +00:00
/* NT returns its own name when a PDC. win2k and later
* only the name of the PDC if itself is a BDC ( samba4
* idl ) */
2008-12-06 01:33:28 +01:00
dom_info - > info6 . primary . string = global_myname ( ) ;
2001-12-03 17:14:23 +00:00
break ;
case 0x07 :
2005-02-07 14:14:44 +00:00
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
2008-12-06 01:33:28 +01:00
dom_info - > info7 . role = server_role ;
2001-12-03 17:14:23 +00:00
break ;
2004-12-22 16:58:43 +00:00
case 0x08 :
2005-10-31 23:47:57 +00:00
become_root ( ) ;
/* AS ROOT !!! */
if ( ! pdb_get_seq_num ( & seq_num ) ) {
2005-09-30 17:13:37 +00:00
seq_num = time ( NULL ) ;
2005-10-31 23:47:57 +00:00
}
/* !AS ROOT */
2008-02-05 12:54:19 +01:00
2005-10-31 23:47:57 +00:00
unbecome_root ( ) ;
2005-09-30 17:13:37 +00:00
2008-12-06 01:33:28 +01:00
dom_info - > info8 . sequence_num = seq_num ;
dom_info - > info8 . domain_create_time = 0 ;
2009-05-08 09:55:10 +02:00
break ;
case 0x09 :
dom_info - > info9 . domain_server_state = DOMAIN_SERVER_ENABLED ;
break ;
case 0x0b :
/* AS ROOT !!! */
become_root ( ) ;
dom_info - > general2 . general . num_users = count_sam_users (
dinfo - > disp_info , ACB_NORMAL ) ;
dom_info - > general2 . general . num_groups = count_sam_groups (
dinfo - > disp_info ) ;
dom_info - > general2 . general . num_aliases = count_sam_aliases (
dinfo - > disp_info ) ;
pdb_get_account_policy ( AP_TIME_TO_LOGOUT , & u_logout ) ;
unix_to_nt_time_abs ( & dom_info - > general2 . general . force_logoff_time , u_logout ) ;
if ( ! pdb_get_seq_num ( & seq_num ) )
seq_num = time ( NULL ) ;
pdb_get_account_policy ( AP_LOCK_ACCOUNT_DURATION , & account_policy_temp ) ;
u_lock_duration = account_policy_temp ;
if ( u_lock_duration ! = - 1 ) {
u_lock_duration * = 60 ;
}
pdb_get_account_policy ( AP_RESET_COUNT_TIME , & account_policy_temp ) ;
u_reset_time = account_policy_temp * 60 ;
pdb_get_account_policy ( AP_BAD_ATTEMPT_LOCKOUT ,
& account_policy_temp ) ;
dom_info - > general2 . lockout_threshold = account_policy_temp ;
/* !AS ROOT */
unbecome_root ( ) ;
server_role = ROLE_DOMAIN_PDC ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
server_role = ROLE_DOMAIN_BDC ;
dom_info - > general2 . general . oem_information . string = lp_serverstring ( ) ;
dom_info - > general2 . general . domain_name . string = lp_workgroup ( ) ;
dom_info - > general2 . general . primary . string = global_myname ( ) ;
dom_info - > general2 . general . sequence_num = seq_num ;
dom_info - > general2 . general . domain_server_state = DOMAIN_SERVER_ENABLED ;
dom_info - > general2 . general . role = server_role ;
dom_info - > general2 . general . unknown3 = 1 ;
unix_to_nt_time_abs ( & dom_info - > general2 . lockout_duration ,
u_lock_duration ) ;
unix_to_nt_time_abs ( & dom_info - > general2 . lockout_window ,
u_reset_time ) ;
2004-12-22 16:58:43 +00:00
break ;
2001-12-03 17:14:23 +00:00
case 0x0c :
2005-10-31 23:47:57 +00:00
become_root ( ) ;
/* AS ROOT !!! */
2005-09-30 17:13:37 +00:00
pdb_get_account_policy ( AP_LOCK_ACCOUNT_DURATION , & account_policy_temp ) ;
2005-01-10 15:28:07 +00:00
u_lock_duration = account_policy_temp ;
2005-10-31 23:47:57 +00:00
if ( u_lock_duration ! = - 1 ) {
2005-01-10 15:28:07 +00:00
u_lock_duration * = 60 ;
2005-10-31 23:47:57 +00:00
}
2002-08-17 15:34:15 +00:00
2005-09-30 17:13:37 +00:00
pdb_get_account_policy ( AP_RESET_COUNT_TIME , & account_policy_temp ) ;
2004-02-25 20:02:47 +00:00
u_reset_time = account_policy_temp * 60 ;
2002-08-17 15:34:15 +00:00
2008-12-06 01:33:28 +01:00
pdb_get_account_policy ( AP_BAD_ATTEMPT_LOCKOUT ,
2009-01-18 13:15:23 +01:00
& account_policy_temp ) ;
dom_info - > info12 . lockout_threshold = account_policy_temp ;
2002-08-17 15:34:15 +00:00
2005-10-31 23:47:57 +00:00
/* !AS ROOT */
2008-02-05 12:54:19 +01:00
2005-10-31 23:47:57 +00:00
unbecome_root ( ) ;
2008-12-06 01:33:28 +01:00
unix_to_nt_time_abs ( & dom_info - > info12 . lockout_duration ,
u_lock_duration ) ;
unix_to_nt_time_abs ( & dom_info - > info12 . lockout_window ,
u_reset_time ) ;
2008-02-05 12:54:19 +01:00
2009-05-08 09:55:10 +02:00
break ;
case 0x0d :
become_root ( ) ;
/* AS ROOT !!! */
if ( ! pdb_get_seq_num ( & seq_num ) ) {
seq_num = time ( NULL ) ;
}
/* !AS ROOT */
unbecome_root ( ) ;
dom_info - > info13 . sequence_num = seq_num ;
dom_info - > info13 . domain_create_time = 0 ;
dom_info - > info13 . modified_count_at_last_promotion = 0 ;
2008-12-06 01:33:28 +01:00
break ;
2001-12-03 17:14:23 +00:00
default :
return NT_STATUS_INVALID_INFO_CLASS ;
2008-02-05 15:03:54 +01:00
}
2008-02-05 12:54:19 +01:00
2008-10-23 03:30:58 +02:00
* r - > out . info = dom_info ;
2005-10-31 23:47:57 +00:00
2008-10-23 03:30:58 +02:00
DEBUG ( 5 , ( " _samr_QueryDomainInfo: %d \n " , __LINE__ ) ) ;
2008-02-05 12:54:19 +01:00
2008-10-23 03:30:58 +02:00
return status ;
2001-02-27 18:22:39 +00:00
}
2005-12-03 18:34:13 +00:00
/* W2k3 seems to use the same check for all 3 objects that can be created via
* SAMR , if you try to create for example " Dialup " as an alias it says
* " NT_STATUS_USER_EXISTS " . This is racy , but we can ' t really lock the user
* database . */
static NTSTATUS can_create ( TALLOC_CTX * mem_ctx , const char * new_name )
{
2006-09-08 14:28:06 +00:00
enum lsa_SidType type ;
2007-10-18 17:40:25 -07:00
bool result ;
2005-12-03 18:34:13 +00:00
2005-12-08 19:34:22 +00:00
DEBUG ( 10 , ( " Checking whether [%s] can be created \n " , new_name ) ) ;
2005-12-03 18:34:13 +00:00
become_root ( ) ;
2007-12-17 11:32:21 +01:00
/* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
2005-12-03 18:34:13 +00:00
* whether the name already exists */
2007-12-17 11:32:21 +01:00
result = lookup_name ( mem_ctx , new_name , LOOKUP_NAME_LOCAL ,
2005-12-03 18:34:13 +00:00
NULL , NULL , NULL , & type ) ;
unbecome_root ( ) ;
if ( ! result ) {
2005-12-08 19:34:22 +00:00
DEBUG ( 10 , ( " %s does not exist, can create it \n " , new_name ) ) ;
2005-12-03 18:34:13 +00:00
return NT_STATUS_OK ;
}
DEBUG ( 5 , ( " trying to create %s, exists as %s \n " ,
new_name , sid_type_lookup ( type ) ) ) ;
if ( type = = SID_NAME_DOM_GRP ) {
return NT_STATUS_GROUP_EXISTS ;
}
if ( type = = SID_NAME_ALIAS ) {
return NT_STATUS_ALIAS_EXISTS ;
}
/* Yes, the default is NT_STATUS_USER_EXISTS */
return NT_STATUS_USER_EXISTS ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-01 14:50:33 +01:00
_samr_CreateUser2
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 14:50:33 +01:00
NTSTATUS _samr_CreateUser2 ( pipes_struct * p ,
struct samr_CreateUser2 * r )
2001-02-27 18:22:39 +00:00
{
2008-02-01 14:50:33 +01:00
const char * account = NULL ;
2001-05-04 15:44:27 +00:00
DOM_SID sid ;
2008-02-01 14:50:33 +01:00
uint32_t acb_info = r - > in . acct_flags ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 14:30:58 +00:00
NTSTATUS nt_status ;
2002-07-15 10:35:28 +00:00
uint32 acc_granted ;
SEC_DESC * psd ;
size_t sd_size ;
2003-04-23 01:04:20 +00:00
/* check this, when giving away 'add computer to domain' privs */
2003-03-21 13:35:15 +00:00
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS ;
2007-10-18 17:40:25 -07:00
bool can_add_account = False ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_CREATE_USER , NULL ,
struct samr_domain_info , & nt_status ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
if ( sid_check_is_builtin ( & dinfo - > sid ) ) {
2008-11-27 01:21:49 +01:00
DEBUG ( 5 , ( " _samr_CreateUser2: Refusing user create in BUILTIN \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2006-02-03 22:19:41 +00:00
if ( ! ( acb_info = = ACB_NORMAL | | acb_info = = ACB_DOMTRUST | |
2008-02-05 12:54:19 +01:00
acb_info = = ACB_WSTRUST | | acb_info = = ACB_SVRTRUST ) ) {
/* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2004-01-02 23:55:44 +00:00
this parameter is not an account type */
2003-12-02 12:48:15 +00:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-02-01 14:50:33 +01:00
account = r - > in . account_name - > string ;
2006-02-13 17:08:25 +00:00
if ( account = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2005-09-30 17:13:37 +00:00
2005-12-03 18:34:13 +00:00
nt_status = can_create ( p - > mem_ctx , account ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
2001-05-04 15:44:27 +00:00
}
2001-02-27 18:22:39 +00:00
2005-01-27 02:16:02 +00:00
/* determine which user right we need to check based on the acb_info */
2008-02-05 12:54:19 +01:00
2005-02-03 16:23:49 +00:00
if ( acb_info & ACB_WSTRUST )
2005-02-03 15:14:54 +00:00
{
se_priv_copy ( & se_rights , & se_machine_account ) ;
2006-02-03 22:19:41 +00:00
can_add_account = user_has_privileges (
2008-11-23 23:48:17 +01:00
p - > server_info - > ptok , & se_rights ) ;
2008-02-05 12:54:19 +01:00
}
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
2005-04-21 17:13:50 +00:00
account for domain trusts and changes the ACB flags later */
2006-02-03 22:19:41 +00:00
else if ( acb_info & ACB_NORMAL & &
( account [ strlen ( account ) - 1 ] ! = ' $ ' ) )
2005-02-03 15:14:54 +00:00
{
se_priv_copy ( & se_rights , & se_add_users ) ;
2006-02-03 22:19:41 +00:00
can_add_account = user_has_privileges (
2008-11-23 23:48:17 +01:00
p - > server_info - > ptok , & se_rights ) ;
2008-02-05 12:54:19 +01:00
}
2006-02-03 22:19:41 +00:00
else /* implicit assumption of a BDC or domain trust account here
* ( we already check the flags earlier ) */
2005-02-03 15:14:54 +00:00
{
2005-02-03 16:23:49 +00:00
if ( lp_enable_privileges ( ) ) {
/* only Domain Admins can add a BDC or domain trust */
se_priv_copy ( & se_rights , & se_priv_none ) ;
2006-02-03 22:19:41 +00:00
can_add_account = nt_token_check_domain_rid (
2008-11-23 23:48:17 +01:00
p - > server_info - > ptok ,
2006-02-03 22:19:41 +00:00
DOMAIN_GROUP_RID_ADMINS ) ;
}
2005-09-30 17:13:37 +00:00
}
2008-02-05 12:54:19 +01:00
2008-02-01 14:50:33 +01:00
DEBUG ( 5 , ( " _samr_CreateUser2: %s can add this account : %s \n " ,
2008-11-23 23:48:17 +01:00
uidtoname ( p - > server_info - > utok . uid ) ,
2006-07-11 18:01:26 +00:00
can_add_account ? " True " : " False " ) ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/********** BEGIN Admin BLOCK **********/
2005-09-30 17:13:37 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_account )
2005-01-06 23:27:28 +00:00
become_root ( ) ;
2005-09-30 17:13:37 +00:00
2006-02-13 17:08:25 +00:00
nt_status = pdb_create_user ( p - > mem_ctx , account , acb_info ,
2008-02-01 14:50:33 +01:00
r - > out . rid ) ;
2003-07-09 16:44:47 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_account )
2005-01-06 23:27:28 +00:00
unbecome_root ( ) ;
2005-01-19 16:52:19 +00:00
/********** END Admin BLOCK **********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/* now check for failure */
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) )
return nt_status ;
2008-02-05 12:54:19 +01:00
2002-07-15 10:35:28 +00:00
/* Get the user's SID */
2006-02-13 17:08:25 +00:00
2008-02-01 14:50:33 +01:00
sid_compose ( & sid , get_global_sam_sid ( ) , * r - > out . rid ) ;
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2008-10-21 18:05:48 -07:00
2006-02-03 22:19:41 +00:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & usr_generic_mapping ,
& sid , SAMR_USR_RIGHTS_WRITE_PW ) ;
2002-07-15 10:35:28 +00:00
se_map_generic ( & des_access , & usr_generic_mapping ) ;
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
nt_status = access_check_samr_object ( psd , p - > server_info - > ptok ,
2008-02-05 12:54:19 +01:00
& se_rights , GENERIC_RIGHTS_USER_WRITE , des_access ,
2008-02-01 14:50:33 +01:00
& acc_granted , " _samr_CreateUser2 " ) ;
2008-02-05 12:54:19 +01:00
2005-01-06 23:27:28 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2002-07-15 10:35:28 +00:00
return nt_status ;
2001-05-04 15:44:27 +00:00
}
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_create ( p , r - > out . user_handle , acc_granted ,
struct samr_user_info , & nt_status ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
2001-05-04 15:44:27 +00:00
}
2009-04-20 18:01:49 +02:00
uinfo - > sid = sid ;
2001-05-04 15:44:27 +00:00
2005-11-18 23:15:47 +00:00
/* After a "set" ensure we have no cached display info. */
2009-04-19 22:01:16 +02:00
force_flush_samr_cache ( & sid ) ;
2005-11-18 23:15:47 +00:00
2008-02-01 14:50:33 +01:00
* r - > out . access_granted = acc_granted ;
2001-05-04 15:44:27 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2008-11-25 15:51:35 +01:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_CreateUser ( pipes_struct * p ,
struct samr_CreateUser * r )
{
struct samr_CreateUser2 c ;
uint32_t access_granted ;
c . in . domain_handle = r - > in . domain_handle ;
c . in . account_name = r - > in . account_name ;
c . in . acct_flags = ACB_NORMAL ;
c . in . access_mask = r - > in . access_mask ;
c . out . user_handle = r - > out . user_handle ;
c . out . access_granted = & access_granted ;
c . out . rid = r - > out . rid ;
return _samr_CreateUser2 ( p , & c ) ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-02-04 16:17:20 +01:00
_samr_Connect
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 16:17:20 +01:00
NTSTATUS _samr_Connect ( pipes_struct * p ,
struct samr_Connect * r )
2001-02-27 18:22:39 +00:00
{
2009-04-18 13:38:22 +02:00
struct samr_connect_info * info ;
2009-04-18 16:46:53 +02:00
uint32_t acc_granted ;
2009-04-18 13:38:22 +02:00
struct policy_handle hnd ;
2008-02-04 16:17:20 +01:00
uint32 des_access = r - > in . access_mask ;
2009-04-18 13:38:22 +02:00
NTSTATUS status ;
2001-03-11 00:32:10 +00:00
2002-07-15 10:35:28 +00:00
/* Access check */
2001-02-27 18:22:39 +00:00
2002-07-15 10:35:28 +00:00
if ( ! pipe_access_check ( p ) ) {
2008-02-04 16:17:20 +01:00
DEBUG ( 3 , ( " access denied to _samr_Connect \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2002-07-15 10:35:28 +00:00
}
2008-10-23 19:01:04 +02:00
/* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
2008-02-05 12:54:19 +01:00
was observed from a win98 client trying to enumerate users ( when configured
2003-08-13 03:59:41 +00:00
user level access control on shares ) - - jerry */
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2006-02-09 00:23:40 +00:00
2003-08-13 03:59:41 +00:00
se_map_generic ( & des_access , & sam_generic_mapping ) ;
2001-02-27 18:22:39 +00:00
2009-04-18 16:46:53 +02:00
acc_granted = des_access & ( SAMR_ACCESS_ENUM_DOMAINS
| SAMR_ACCESS_LOOKUP_DOMAIN ) ;
/* set up the SAMR connect_anon response */
info = policy_handle_create ( p , & hnd , acc_granted ,
struct samr_connect_info ,
& status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2001-02-27 18:22:39 +00:00
2009-04-18 13:38:22 +02:00
* r - > out . connect_handle = hnd ;
2008-02-04 16:17:20 +01:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-04 16:23:46 +01:00
_samr_Connect2
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 16:23:46 +01:00
NTSTATUS _samr_Connect2 ( pipes_struct * p ,
struct samr_Connect2 * r )
2001-02-27 18:22:39 +00:00
{
2009-04-18 13:38:22 +02:00
struct samr_connect_info * info = NULL ;
struct policy_handle hnd ;
2002-07-15 10:35:28 +00:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2008-02-04 16:23:46 +01:00
uint32 des_access = r - > in . access_mask ;
2002-07-15 10:35:28 +00:00
NTSTATUS nt_status ;
2005-09-30 17:13:37 +00:00
size_t sd_size ;
2008-12-01 19:50:26 +01:00
const char * fn = " _samr_Connect2 " ;
2001-03-11 00:32:10 +00:00
2008-12-01 19:50:26 +01:00
switch ( p - > hdr_req . opnum ) {
case NDR_SAMR_CONNECT2 :
fn = " _samr_Connect2 " ;
break ;
2009-04-03 21:26:14 +02:00
case NDR_SAMR_CONNECT3 :
fn = " _samr_Connect3 " ;
break ;
2008-12-01 19:50:26 +01:00
case NDR_SAMR_CONNECT4 :
fn = " _samr_Connect4 " ;
break ;
case NDR_SAMR_CONNECT5 :
fn = " _samr_Connect5 " ;
break ;
}
2001-02-27 18:22:39 +00:00
2008-12-01 19:50:26 +01:00
DEBUG ( 5 , ( " %s: %d \n " , fn , __LINE__ ) ) ;
2002-07-15 10:35:28 +00:00
/* Access check */
if ( ! pipe_access_check ( p ) ) {
2008-12-01 19:50:26 +01:00
DEBUG ( 3 , ( " access denied to %s \n " , fn ) ) ;
2008-02-04 16:23:46 +01:00
return NT_STATUS_ACCESS_DENIED ;
2002-07-15 10:35:28 +00:00
}
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2008-10-21 18:05:48 -07:00
2005-01-31 22:42:30 +00:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & sam_generic_mapping , NULL , 0 ) ;
2002-07-15 10:35:28 +00:00
se_map_generic ( & des_access , & sam_generic_mapping ) ;
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
nt_status = access_check_samr_object ( psd , p - > server_info - > ptok ,
2008-12-01 19:50:26 +01:00
NULL , 0 , des_access , & acc_granted , fn ) ;
2008-02-05 12:54:19 +01:00
if ( ! NT_STATUS_IS_OK ( nt_status ) )
2002-07-15 10:35:28 +00:00
return nt_status ;
2009-04-18 16:46:53 +02:00
info = policy_handle_create ( p , & hnd , acc_granted ,
struct samr_connect_info , & nt_status ) ;
2009-04-18 13:38:22 +02:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2001-02-27 18:22:39 +00:00
2008-12-01 19:50:26 +01:00
DEBUG ( 5 , ( " %s: %d \n " , fn , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2009-04-18 13:38:22 +02:00
* r - > out . connect_handle = hnd ;
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2009-04-03 21:26:14 +02:00
/****************************************************************
_samr_Connect3
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_Connect3 ( pipes_struct * p ,
struct samr_Connect3 * r )
{
struct samr_Connect2 c ;
c . in . system_name = r - > in . system_name ;
c . in . access_mask = r - > in . access_mask ;
c . out . connect_handle = r - > out . connect_handle ;
return _samr_Connect2 ( p , & c ) ;
}
2002-08-17 15:34:15 +00:00
/*******************************************************************
2008-02-04 16:35:32 +01:00
_samr_Connect4
2002-08-17 15:34:15 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 16:35:32 +01:00
NTSTATUS _samr_Connect4 ( pipes_struct * p ,
struct samr_Connect4 * r )
2002-08-17 15:34:15 +00:00
{
2008-12-01 19:51:27 +01:00
struct samr_Connect2 c ;
2008-02-05 12:54:19 +01:00
2008-12-01 19:51:27 +01:00
c . in . system_name = r - > in . system_name ;
c . in . access_mask = r - > in . access_mask ;
c . out . connect_handle = r - > out . connect_handle ;
2002-08-17 15:34:15 +00:00
2008-12-01 19:51:27 +01:00
return _samr_Connect2 ( p , & c ) ;
2002-08-17 15:34:15 +00:00
}
2005-11-17 22:40:10 +00:00
/*******************************************************************
2008-02-04 17:10:16 +01:00
_samr_Connect5
2005-11-17 22:40:10 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 17:10:16 +01:00
NTSTATUS _samr_Connect5 ( pipes_struct * p ,
struct samr_Connect5 * r )
2005-11-17 22:40:10 +00:00
{
2008-12-01 19:51:27 +01:00
NTSTATUS status ;
struct samr_Connect2 c ;
2008-02-04 17:10:16 +01:00
struct samr_ConnectInfo1 info1 ;
2005-11-17 22:40:10 +00:00
2008-12-01 19:51:27 +01:00
info1 . client_version = SAMR_CONNECT_AFTER_W2K ;
info1 . unknown2 = 0 ;
2005-11-17 22:40:10 +00:00
2008-12-01 19:51:27 +01:00
c . in . system_name = r - > in . system_name ;
c . in . access_mask = r - > in . access_mask ;
c . out . connect_handle = r - > out . connect_handle ;
2005-11-17 22:40:10 +00:00
2009-05-07 14:19:43 +02:00
* r - > out . level_out = 1 ;
2008-12-01 19:51:27 +01:00
status = _samr_Connect2 ( p , & c ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2005-11-17 22:40:10 +00:00
}
2008-02-04 17:10:16 +01:00
r - > out . info_out - > info1 = info1 ;
return NT_STATUS_OK ;
2005-11-17 22:40:10 +00:00
}
2001-02-27 18:22:39 +00:00
/**********************************************************************
2008-02-05 01:29:49 +01:00
_samr_LookupDomain
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-08 19:42:23 +01:00
2008-02-05 01:29:49 +01:00
NTSTATUS _samr_LookupDomain ( pipes_struct * p ,
struct samr_LookupDomain * r )
2001-02-27 18:22:39 +00:00
{
2009-04-18 16:46:53 +02:00
NTSTATUS status ;
2009-04-18 13:38:22 +02:00
struct samr_connect_info * info ;
2008-02-05 01:29:49 +01:00
const char * domain_name ;
DOM_SID * sid = NULL ;
2001-02-27 18:22:39 +00:00
2008-10-23 19:01:04 +02:00
/* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
2005-01-20 17:05:10 +00:00
Reverted that change so we will work with RAS servers again */
2009-04-18 16:46:53 +02:00
info = policy_handle_find ( p , r - > in . connect_handle ,
SAMR_ACCESS_LOOKUP_DOMAIN , NULL ,
struct samr_connect_info ,
& status ) ;
2008-02-05 01:29:49 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 01:29:49 +01:00
domain_name = r - > in . domain_name - > string ;
2008-11-27 01:22:39 +01:00
if ( ! domain_name ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2001-02-27 18:22:39 +00:00
2008-02-05 01:29:49 +01:00
sid = TALLOC_ZERO_P ( p - > mem_ctx , struct dom_sid2 ) ;
if ( ! sid ) {
return NT_STATUS_NO_MEMORY ;
}
2002-03-10 01:45:49 +00:00
2006-01-14 12:37:25 +00:00
if ( strequal ( domain_name , builtin_domain_name ( ) ) ) {
2008-02-05 01:29:49 +01:00
sid_copy ( sid , & global_sid_Builtin ) ;
2006-01-14 12:37:25 +00:00
} else {
2008-02-05 01:29:49 +01:00
if ( ! secrets_fetch_domain_sid ( domain_name , sid ) ) {
status = NT_STATUS_NO_SUCH_DOMAIN ;
2006-01-14 12:37:25 +00:00
}
2002-03-10 01:45:49 +00:00
}
2007-12-15 21:11:36 +01:00
DEBUG ( 2 , ( " Returning domain sid for domain %s -> %s \n " , domain_name ,
2008-02-05 01:29:49 +01:00
sid_string_dbg ( sid ) ) ) ;
2002-03-10 01:45:49 +00:00
2008-02-05 01:29:49 +01:00
* r - > out . sid = sid ;
2002-03-10 01:45:49 +00:00
2008-02-05 01:29:49 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/**********************************************************************
2008-02-09 01:55:49 +01:00
_samr_EnumDomains
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-09 01:55:49 +01:00
NTSTATUS _samr_EnumDomains ( pipes_struct * p ,
struct samr_EnumDomains * r )
2001-02-27 18:22:39 +00:00
{
2008-02-09 01:55:49 +01:00
NTSTATUS status ;
2009-04-18 13:38:22 +02:00
struct samr_connect_info * info ;
2008-02-09 01:55:49 +01:00
uint32_t num_entries = 2 ;
struct samr_SamEntry * entry_array = NULL ;
struct samr_SamArray * sam ;
2008-02-05 12:54:19 +01:00
2009-04-18 13:38:22 +02:00
info = policy_handle_find ( p , r - > in . connect_handle ,
2009-04-18 16:46:53 +02:00
SAMR_ACCESS_ENUM_DOMAINS , NULL ,
struct samr_connect_info , & status ) ;
2008-02-09 01:55:49 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-02-27 18:22:39 +00:00
2008-02-09 01:55:49 +01:00
sam = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_SamArray ) ;
if ( ! sam ) {
return NT_STATUS_NO_MEMORY ;
}
2001-02-27 18:22:39 +00:00
2008-02-09 01:55:49 +01:00
entry_array = TALLOC_ZERO_ARRAY ( p - > mem_ctx ,
struct samr_SamEntry ,
num_entries ) ;
if ( ! entry_array ) {
2001-02-27 18:22:39 +00:00
return NT_STATUS_NO_MEMORY ;
2008-02-09 01:55:49 +01:00
}
2001-02-27 18:22:39 +00:00
2008-02-09 01:55:49 +01:00
entry_array [ 0 ] . idx = 0 ;
init_lsa_String ( & entry_array [ 0 ] . name , get_global_sam_name ( ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-09 01:55:49 +01:00
entry_array [ 1 ] . idx = 1 ;
init_lsa_String ( & entry_array [ 1 ] . name , " Builtin " ) ;
sam - > count = num_entries ;
sam - > entries = entry_array ;
* r - > out . sam = sam ;
* r - > out . num_entries = num_entries ;
return status ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-01 00:48:40 +01:00
_samr_OpenAlias
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 00:48:40 +01:00
NTSTATUS _samr_OpenAlias ( pipes_struct * p ,
struct samr_OpenAlias * r )
2001-02-27 18:22:39 +00:00
{
DOM_SID sid ;
2008-02-01 00:48:40 +01:00
uint32 alias_rid = r - > in . rid ;
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2002-07-15 10:35:28 +00:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2008-02-01 00:48:40 +01:00
uint32 des_access = r - > in . access_mask ;
2002-07-15 10:35:28 +00:00
size_t sd_size ;
NTSTATUS status ;
2005-01-26 20:36:44 +00:00
SE_PRIV se_rights ;
2001-02-27 18:22:39 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT , NULL ,
struct samr_domain_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2002-07-15 10:35:28 +00:00
return status ;
2009-04-19 22:58:09 +02:00
}
2001-03-11 00:32:10 +00:00
/* append the alias' RID to it */
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
if ( ! sid_compose ( & sid , & dinfo - > sid , alias_rid ) )
2005-12-03 18:34:13 +00:00
return NT_STATUS_NO_SUCH_ALIAS ;
2008-02-05 12:54:19 +01:00
2002-07-15 10:35:28 +00:00
/*check if access can be granted as requested by client. */
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2008-10-21 18:05:48 -07:00
2005-01-31 22:42:30 +00:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & ali_generic_mapping , NULL , 0 ) ;
2002-07-15 10:35:28 +00:00
se_map_generic ( & des_access , & ali_generic_mapping ) ;
2008-02-05 12:54:19 +01:00
2005-05-13 09:18:50 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-02-05 12:54:19 +01:00
2008-11-23 23:48:17 +01:00
status = access_check_samr_object ( psd , p - > server_info - > ptok ,
2008-02-05 12:54:19 +01:00
& se_rights , GENERIC_RIGHTS_ALIAS_WRITE , des_access ,
2008-02-01 00:48:40 +01:00
& acc_granted , " _samr_OpenAlias " ) ;
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
if ( ! NT_STATUS_IS_OK ( status ) )
2002-07-15 10:35:28 +00:00
return status ;
2001-02-27 18:22:39 +00:00
2005-12-03 18:34:13 +00:00
{
/* Check we actually have the requested alias */
2006-09-08 14:28:06 +00:00
enum lsa_SidType type ;
2007-10-18 17:40:25 -07:00
bool result ;
2006-03-15 00:10:38 +00:00
gid_t gid ;
2001-02-27 18:22:39 +00:00
2005-12-03 18:34:13 +00:00
become_root ( ) ;
result = lookup_sid ( NULL , & sid , NULL , NULL , & type ) ;
unbecome_root ( ) ;
if ( ! result | | ( type ! = SID_NAME_ALIAS ) ) {
return NT_STATUS_NO_SUCH_ALIAS ;
}
2006-03-15 00:10:38 +00:00
/* make sure there is a mapping */
2008-02-05 12:54:19 +01:00
2006-03-15 00:10:38 +00:00
if ( ! sid_to_gid ( & sid , & gid ) ) {
return NT_STATUS_NO_SUCH_ALIAS ;
}
2005-12-03 18:34:13 +00:00
}
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_create ( p , r - > out . alias_handle , acc_granted ,
struct samr_alias_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
ainfo - > sid = sid ;
2001-02-27 18:22:39 +00:00
2008-02-01 00:48:40 +01:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2009-05-07 17:06:26 +02:00
/*******************************************************************
set_user_info_2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_2 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo2 * id2 ,
struct samu * pwd )
{
if ( id2 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_2: NULL id2 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id2_to_sam_passwd ( pwd , id2 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_4
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_4 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo4 * id4 ,
struct samu * pwd )
{
if ( id4 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_2: NULL id4 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id4_to_sam_passwd ( pwd , id4 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_6
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_6 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo6 * id6 ,
struct samu * pwd )
{
if ( id6 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_6: NULL id6 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id6_to_sam_passwd ( pwd , id6 ) ;
return pdb_update_sam_account ( pwd ) ;
}
2005-10-11 20:14:04 +00:00
/*******************************************************************
set_user_info_7
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-11 21:09:21 +01:00
2005-12-03 18:34:13 +00:00
static NTSTATUS set_user_info_7 ( TALLOC_CTX * mem_ctx ,
2008-02-11 21:09:21 +01:00
struct samr_UserInfo7 * id7 ,
struct samu * pwd )
2005-10-11 20:14:04 +00:00
{
NTSTATUS rc ;
if ( id7 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_7: NULL id7 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-11 21:09:21 +01:00
if ( ! id7 - > account_name . string ) {
2005-10-11 20:14:04 +00:00
DEBUG ( 5 , ( " set_user_info_7: failed to get new username \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2005-10-20 20:40:47 +00:00
/* check to see if the new username already exists. Note: we can't
2008-02-05 12:54:19 +01:00
reliably lock all backends , so there is potentially the
2005-10-20 20:40:47 +00:00
possibility that a user can be created in between this check and
the rename . The rename should fail , but may not get the
exact same failure status code . I think this is small enough
of a window for this type of operation and the results are
simply that the rename fails with a slightly different status
code ( like UNSUCCESSFUL instead of ALREADY_EXISTS ) . */
2008-02-11 21:09:21 +01:00
rc = can_create ( mem_ctx , id7 - > account_name . string ) ;
2009-05-09 00:02:00 +02:00
/* when there is nothing to change, we're done here */
if ( NT_STATUS_EQUAL ( rc , NT_STATUS_USER_EXISTS ) & &
strequal ( id7 - > account_name . string , pdb_get_username ( pwd ) ) ) {
return NT_STATUS_OK ;
}
2005-12-03 18:34:13 +00:00
if ( ! NT_STATUS_IS_OK ( rc ) ) {
return rc ;
2005-10-20 20:40:47 +00:00
}
2008-02-11 21:09:21 +01:00
rc = pdb_rename_sam_account ( pwd , id7 - > account_name . string ) ;
2005-10-11 20:14:04 +00:00
return rc ;
}
2009-05-07 17:06:26 +02:00
/*******************************************************************
set_user_info_8
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_8 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo8 * id8 ,
struct samu * pwd )
{
if ( id8 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_8: NULL id8 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id8_to_sam_passwd ( pwd , id8 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_10
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_10 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo10 * id10 ,
struct samu * pwd )
{
if ( id10 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_8: NULL id10 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id10_to_sam_passwd ( pwd , id10 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_11
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_11 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo11 * id11 ,
struct samu * pwd )
{
if ( id11 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_11: NULL id11 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id11_to_sam_passwd ( pwd , id11 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_12
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_12 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo12 * id12 ,
struct samu * pwd )
{
if ( id12 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_12: NULL id12 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id12_to_sam_passwd ( pwd , id12 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_13
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_13 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo13 * id13 ,
struct samu * pwd )
{
if ( id13 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_13: NULL id13 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id13_to_sam_passwd ( pwd , id13 ) ;
return pdb_update_sam_account ( pwd ) ;
}
/*******************************************************************
set_user_info_14
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_14 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo14 * id14 ,
struct samu * pwd )
{
if ( id14 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_14: NULL id14 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id14_to_sam_passwd ( pwd , id14 ) ;
return pdb_update_sam_account ( pwd ) ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2005-07-19 00:59:25 +00:00
set_user_info_16
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-05-07 21:45:51 +02:00
static NTSTATUS set_user_info_16 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo16 * id16 ,
struct samu * pwd )
2001-02-27 18:22:39 +00:00
{
2005-07-19 00:59:25 +00:00
if ( id16 = = NULL ) {
2009-05-07 21:45:51 +02:00
DEBUG ( 5 , ( " set_user_info_16: NULL id16 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2001-02-27 18:22:39 +00:00
}
2008-02-05 12:54:19 +01:00
2009-05-07 21:45:51 +02:00
copy_id16_to_sam_passwd ( pwd , id16 ) ;
2001-02-27 18:22:39 +00:00
2009-05-07 21:45:51 +02:00
return pdb_update_sam_account ( pwd ) ;
2001-02-27 18:22:39 +00:00
}
2009-05-07 17:06:26 +02:00
/*******************************************************************
set_user_info_17
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_17 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo17 * id17 ,
struct samu * pwd )
{
if ( id17 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_17: NULL id17 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
copy_id17_to_sam_passwd ( pwd , id17 ) ;
return pdb_update_sam_account ( pwd ) ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2005-07-19 00:59:25 +00:00
set_user_info_18
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-12-05 16:13:28 +01:00
static NTSTATUS set_user_info_18 ( struct samr_UserInfo18 * id18 ,
TALLOC_CTX * mem_ctx ,
DATA_BLOB * session_key ,
struct samu * pwd )
2001-02-27 18:22:39 +00:00
{
2005-07-19 00:59:25 +00:00
if ( id18 = = NULL ) {
DEBUG ( 2 , ( " set_user_info_18: id18 is NULL \n " ) ) ;
2008-12-05 16:13:28 +01:00
return NT_STATUS_INVALID_PARAMETER ;
2001-02-27 18:22:39 +00:00
}
2008-02-05 12:54:19 +01:00
2008-12-05 16:13:28 +01:00
if ( id18 - > nt_pwd_active | | id18 - > lm_pwd_active ) {
if ( ! session_key - > length ) {
return NT_STATUS_NO_USER_SESSION_KEY ;
}
2001-09-29 13:08:26 +00:00
}
2008-12-05 16:13:28 +01:00
if ( id18 - > nt_pwd_active ) {
DATA_BLOB in , out ;
in = data_blob_const ( id18 - > nt_pwd . hash , 16 ) ;
out = data_blob_talloc_zero ( mem_ctx , 16 ) ;
sess_crypt_blob ( & out , & in , session_key , false ) ;
if ( ! pdb_set_nt_passwd ( pwd , out . data , PDB_CHANGED ) ) {
return NT_STATUS_ACCESS_DENIED ;
}
2008-12-09 12:39:47 +01:00
pdb_set_pass_last_set_time ( pwd , time ( NULL ) , PDB_CHANGED ) ;
2001-09-29 13:08:26 +00:00
}
2008-12-05 16:13:28 +01:00
if ( id18 - > lm_pwd_active ) {
DATA_BLOB in , out ;
in = data_blob_const ( id18 - > lm_pwd . hash , 16 ) ;
out = data_blob_talloc_zero ( mem_ctx , 16 ) ;
sess_crypt_blob ( & out , & in , session_key , false ) ;
if ( ! pdb_set_lanman_passwd ( pwd , out . data , PDB_CHANGED ) ) {
return NT_STATUS_ACCESS_DENIED ;
}
2008-12-09 12:39:47 +01:00
pdb_set_pass_last_set_time ( pwd , time ( NULL ) , PDB_CHANGED ) ;
2001-10-29 07:15:51 +00:00
}
2008-02-05 12:54:19 +01:00
2008-11-27 17:49:25 +01:00
copy_id18_to_sam_passwd ( pwd , id18 ) ;
2001-05-04 15:44:27 +00:00
2008-12-05 16:13:28 +01:00
return pdb_update_sam_account ( pwd ) ;
2001-02-27 18:22:39 +00:00
}
2003-11-07 18:32:23 +00:00
/*******************************************************************
set_user_info_20
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-05-07 21:45:51 +02:00
static NTSTATUS set_user_info_20 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo20 * id20 ,
struct samu * pwd )
2003-11-07 18:32:23 +00:00
{
if ( id20 = = NULL ) {
2009-05-07 21:45:51 +02:00
DEBUG ( 5 , ( " set_user_info_20: NULL id20 \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2003-11-07 18:32:23 +00:00
}
2008-02-05 12:54:19 +01:00
2003-11-07 18:32:23 +00:00
copy_id20_to_sam_passwd ( pwd , id20 ) ;
2009-05-07 21:45:51 +02:00
return pdb_update_sam_account ( pwd ) ;
2003-11-07 18:32:23 +00:00
}
2008-02-11 21:09:21 +01:00
2001-02-27 18:22:39 +00:00
/*******************************************************************
set_user_info_21
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-12-09 13:25:59 +01:00
static NTSTATUS set_user_info_21 ( struct samr_UserInfo21 * id21 ,
TALLOC_CTX * mem_ctx ,
DATA_BLOB * session_key ,
2006-02-20 20:09:36 +00:00
struct samu * pwd )
2001-02-27 18:22:39 +00:00
{
2006-02-13 17:08:25 +00:00
NTSTATUS status ;
2008-02-05 12:54:19 +01:00
2001-02-27 18:22:39 +00:00
if ( id21 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_21: NULL id21 \n " ) ) ;
2006-02-13 17:08:25 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2001-02-27 18:22:39 +00:00
}
2006-02-22 10:28:02 +00:00
2008-11-29 00:23:16 +01:00
if ( id21 - > fields_present = = 0 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2008-11-27 17:29:30 +01:00
if ( id21 - > fields_present & SAMR_FIELD_LAST_PWD_CHANGE ) {
return NT_STATUS_ACCESS_DENIED ;
}
2008-12-09 13:25:59 +01:00
if ( id21 - > fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT ) {
if ( id21 - > nt_password_set ) {
DATA_BLOB in , out ;
if ( ( id21 - > nt_owf_password . length ! = 16 ) | |
( id21 - > nt_owf_password . size ! = 16 ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
if ( ! session_key - > length ) {
return NT_STATUS_NO_USER_SESSION_KEY ;
}
in = data_blob_const ( id21 - > nt_owf_password . array , 16 ) ;
out = data_blob_talloc_zero ( mem_ctx , 16 ) ;
sess_crypt_blob ( & out , & in , session_key , false ) ;
pdb_set_nt_passwd ( pwd , out . data , PDB_CHANGED ) ;
pdb_set_pass_last_set_time ( pwd , time ( NULL ) , PDB_CHANGED ) ;
}
}
if ( id21 - > fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT ) {
if ( id21 - > lm_password_set ) {
DATA_BLOB in , out ;
if ( ( id21 - > lm_owf_password . length ! = 16 ) | |
( id21 - > lm_owf_password . size ! = 16 ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
if ( ! session_key - > length ) {
return NT_STATUS_NO_USER_SESSION_KEY ;
}
in = data_blob_const ( id21 - > lm_owf_password . array , 16 ) ;
out = data_blob_talloc_zero ( mem_ctx , 16 ) ;
sess_crypt_blob ( & out , & in , session_key , false ) ;
pdb_set_lanman_passwd ( pwd , out . data , PDB_CHANGED ) ;
pdb_set_pass_last_set_time ( pwd , time ( NULL ) , PDB_CHANGED ) ;
}
}
2006-02-22 10:28:02 +00:00
/* we need to separately check for an account rename first */
2008-02-05 12:54:19 +01:00
2008-02-11 21:09:21 +01:00
if ( id21 - > account_name . string & &
( ! strequal ( id21 - > account_name . string , pdb_get_username ( pwd ) ) ) )
2006-07-11 18:01:26 +00:00
{
2006-02-22 10:28:02 +00:00
/* check to see if the new username already exists. Note: we can't
2008-02-05 12:54:19 +01:00
reliably lock all backends , so there is potentially the
2006-02-22 10:28:02 +00:00
possibility that a user can be created in between this check and
the rename . The rename should fail , but may not get the
exact same failure status code . I think this is small enough
of a window for this type of operation and the results are
simply that the rename fails with a slightly different status
code ( like UNSUCCESSFUL instead of ALREADY_EXISTS ) . */
2008-02-11 21:09:21 +01:00
status = can_create ( mem_ctx , id21 - > account_name . string ) ;
2006-02-22 10:28:02 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-02-11 21:09:21 +01:00
status = pdb_rename_sam_account ( pwd , id21 - > account_name . string ) ;
2006-02-22 10:28:02 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2008-02-05 12:54:19 +01:00
DEBUG ( 0 , ( " set_user_info_21: failed to rename account: %s \n " ,
2006-02-22 10:28:02 +00:00
nt_errstr ( status ) ) ) ;
return status ;
}
2008-02-05 12:54:19 +01:00
/* set the new username so that later
2006-02-22 10:28:02 +00:00
functions can work on the new account */
2008-02-11 21:09:21 +01:00
pdb_set_username ( pwd , id21 - > account_name . string , PDB_SET ) ;
2006-02-22 10:28:02 +00:00
}
2008-02-11 22:47:49 +01:00
copy_id21_to_sam_passwd ( " INFO_21 " , pwd , id21 ) ;
2008-02-05 12:54:19 +01:00
2001-03-11 00:32:10 +00:00
/*
* The funny part about the previous two calls is
* that pwd still has the password hashes from the
* passdb entry . These have not been updated from
* id21 . I don ' t know if they need to be set . - - jerry
*/
2008-02-05 12:54:19 +01:00
2006-02-24 21:36:40 +00:00
if ( IS_SAM_CHANGED ( pwd , PDB_GROUPSID ) ) {
status = pdb_set_unix_primary_group ( mem_ctx , pwd ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2006-02-13 17:08:25 +00:00
}
2008-02-05 12:54:19 +01:00
2006-02-24 21:36:40 +00:00
/* Don't worry about writing out the user account since the
2008-02-05 12:54:19 +01:00
primary group SID is generated solely from the user ' s Unix
2006-02-24 21:36:40 +00:00
primary group . */
2001-05-04 15:44:27 +00:00
2006-02-27 14:45:27 +00:00
/* write the change out */
if ( ! NT_STATUS_IS_OK ( status = pdb_update_sam_account ( pwd ) ) ) {
return status ;
}
2006-02-13 17:08:25 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
set_user_info_23
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-11 21:09:21 +01:00
static NTSTATUS set_user_info_23 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo23 * id23 ,
2006-02-20 20:09:36 +00:00
struct samu * pwd )
2001-02-27 18:22:39 +00:00
{
2007-11-12 15:02:50 -08:00
char * plaintext_buf = NULL ;
2009-03-16 21:27:58 +11:00
size_t len = 0 ;
2008-12-02 00:58:53 +01:00
uint32_t acct_ctrl ;
2006-02-13 17:08:25 +00:00
NTSTATUS status ;
2007-11-12 15:02:50 -08:00
2001-05-04 15:44:27 +00:00
if ( id23 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_23: NULL id23 \n " ) ) ;
2006-02-13 17:08:25 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2001-05-04 15:44:27 +00:00
}
2007-11-12 15:02:50 -08:00
2008-11-29 00:23:16 +01:00
if ( id23 - > info . fields_present = = 0 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2008-11-27 17:29:30 +01:00
if ( id23 - > info . fields_present & SAMR_FIELD_LAST_PWD_CHANGE ) {
return NT_STATUS_ACCESS_DENIED ;
}
2008-12-04 18:15:03 +01:00
if ( ( id23 - > info . fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT ) | |
( id23 - > info . fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT ) ) {
2008-11-27 17:29:30 +01:00
2008-12-02 00:58:53 +01:00
DEBUG ( 5 , ( " Attempting administrator password change (level 23) for user %s \n " ,
pdb_get_username ( pwd ) ) ) ;
2001-05-04 15:44:27 +00:00
2008-12-02 00:58:53 +01:00
if ( ! decode_pw_buffer ( mem_ctx ,
id23 - > password . data ,
& plaintext_buf ,
& len ,
2009-03-16 21:27:58 +11:00
CH_UTF16 ) ) {
2008-12-02 00:58:53 +01:00
return NT_STATUS_WRONG_PASSWORD ;
}
2007-11-12 15:02:50 -08:00
2008-12-02 00:58:53 +01:00
if ( ! pdb_set_plaintext_passwd ( pwd , plaintext_buf ) ) {
return NT_STATUS_ACCESS_DENIED ;
}
2001-09-29 13:08:26 +00:00
}
2007-11-12 15:02:50 -08:00
2002-09-26 18:37:55 +00:00
copy_id23_to_sam_passwd ( pwd , id23 ) ;
2007-11-12 15:02:50 -08:00
2008-12-02 00:58:53 +01:00
acct_ctrl = pdb_get_acct_ctrl ( pwd ) ;
2001-02-27 18:22:39 +00:00
/* if it's a trust account, don't update /etc/passwd */
2003-05-12 18:12:31 +00:00
if ( ( ( acct_ctrl & ACB_DOMTRUST ) = = ACB_DOMTRUST ) | |
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 14:30:58 +00:00
( ( acct_ctrl & ACB_WSTRUST ) = = ACB_WSTRUST ) | |
( ( acct_ctrl & ACB_SVRTRUST ) = = ACB_SVRTRUST ) ) {
2006-07-19 20:59:04 +00:00
DEBUG ( 5 , ( " Changing trust account. Not updating /etc/passwd \n " ) ) ;
2008-12-02 00:58:53 +01:00
} else if ( plaintext_buf ) {
2001-02-27 18:22:39 +00:00
/* update the UNIX password */
2004-02-02 00:08:35 +00:00
if ( lp_unix_password_sync ( ) ) {
2006-06-20 09:16:53 +00:00
struct passwd * passwd ;
if ( pdb_get_username ( pwd ) = = NULL ) {
DEBUG ( 1 , ( " chgpasswd: User without name??? \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2007-12-19 15:02:59 +01:00
passwd = Get_Pwnam_alloc ( pwd , pdb_get_username ( pwd ) ) ;
if ( passwd = = NULL ) {
2004-02-02 00:08:35 +00:00
DEBUG ( 1 , ( " chgpasswd: Username does not exist in system !?! \n " ) ) ;
}
2007-11-12 15:02:50 -08:00
2004-02-02 00:08:35 +00:00
if ( ! chgpasswd ( pdb_get_username ( pwd ) , passwd , " " , plaintext_buf , True ) ) {
2006-02-13 17:08:25 +00:00
return NT_STATUS_ACCESS_DENIED ;
2001-05-04 15:44:27 +00:00
}
2007-12-19 15:02:59 +01:00
TALLOC_FREE ( passwd ) ;
2004-02-02 00:08:35 +00:00
}
2001-02-27 18:22:39 +00:00
}
2007-11-12 15:02:50 -08:00
2008-12-02 00:58:53 +01:00
if ( plaintext_buf ) {
memset ( plaintext_buf , ' \0 ' , strlen ( plaintext_buf ) ) ;
}
2007-11-12 15:02:50 -08:00
2006-02-13 17:08:25 +00:00
if ( IS_SAM_CHANGED ( pwd , PDB_GROUPSID ) & &
( ! NT_STATUS_IS_OK ( status = pdb_set_unix_primary_group ( mem_ctx ,
pwd ) ) ) ) {
return status ;
}
2003-06-11 20:42:10 +00:00
2006-02-13 17:08:25 +00:00
if ( ! NT_STATUS_IS_OK ( status = pdb_update_sam_account ( pwd ) ) ) {
return status ;
2001-05-04 15:44:27 +00:00
}
2007-11-12 15:02:50 -08:00
2006-02-13 17:08:25 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2001-06-20 19:55:59 +00:00
set_user_info_pw
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-11-27 17:49:25 +01:00
static bool set_user_info_pw ( uint8 * pass , struct samu * pwd )
2001-02-27 18:22:39 +00:00
{
2009-03-16 21:27:58 +11:00
size_t len = 0 ;
2007-11-12 15:02:50 -08:00
char * plaintext_buf = NULL ;
2006-02-27 10:32:45 +00:00
uint32 acct_ctrl ;
2007-11-12 15:02:50 -08:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 14:30:58 +00:00
DEBUG ( 5 , ( " Attempting administrator password change for user %s \n " ,
pdb_get_username ( pwd ) ) ) ;
2001-03-11 00:32:10 +00:00
acct_ctrl = pdb_get_acct_ctrl ( pwd ) ;
2001-02-27 18:22:39 +00:00
2007-11-12 15:02:50 -08:00
if ( ! decode_pw_buffer ( talloc_tos ( ) ,
pass ,
& plaintext_buf ,
& len ,
2009-03-16 21:27:58 +11:00
CH_UTF16 ) ) {
2001-02-27 18:22:39 +00:00
return False ;
2001-05-04 15:44:27 +00:00
}
2001-09-29 13:08:26 +00:00
if ( ! pdb_set_plaintext_passwd ( pwd , plaintext_buf ) ) {
return False ;
}
2007-11-12 15:02:50 -08:00
2001-02-27 18:22:39 +00:00
/* if it's a trust account, don't update /etc/passwd */
2003-05-12 18:12:31 +00:00
if ( ( ( acct_ctrl & ACB_DOMTRUST ) = = ACB_DOMTRUST ) | |
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 14:30:58 +00:00
( ( acct_ctrl & ACB_WSTRUST ) = = ACB_WSTRUST ) | |
( ( acct_ctrl & ACB_SVRTRUST ) = = ACB_SVRTRUST ) ) {
DEBUG ( 5 , ( " Changing trust account or non-unix-user password, not updating /etc/passwd \n " ) ) ;
2001-02-27 18:22:39 +00:00
} else {
/* update the UNIX password */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 14:30:58 +00:00
if ( lp_unix_password_sync ( ) ) {
2006-06-20 09:16:53 +00:00
struct passwd * passwd ;
if ( pdb_get_username ( pwd ) = = NULL ) {
DEBUG ( 1 , ( " chgpasswd: User without name??? \n " ) ) ;
return False ;
}
2007-12-19 15:02:59 +01:00
passwd = Get_Pwnam_alloc ( pwd , pdb_get_username ( pwd ) ) ;
if ( passwd = = NULL ) {
2004-02-02 00:08:35 +00:00
DEBUG ( 1 , ( " chgpasswd: Username does not exist in system !?! \n " ) ) ;
}
2007-11-12 15:02:50 -08:00
2004-02-02 00:08:35 +00:00
if ( ! chgpasswd ( pdb_get_username ( pwd ) , passwd , " " , plaintext_buf , True ) ) {
2001-02-27 18:22:39 +00:00
return False ;
2001-05-04 15:44:27 +00:00
}
2007-12-19 15:02:59 +01:00
TALLOC_FREE ( passwd ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 14:30:58 +00:00
}
2001-02-27 18:22:39 +00:00
}
2007-11-12 15:02:50 -08:00
memset ( plaintext_buf , ' \0 ' , strlen ( plaintext_buf ) ) ;
2008-11-27 17:49:25 +01:00
DEBUG ( 5 , ( " set_user_info_pw: pdb_update_pwd() \n " ) ) ;
return True ;
}
/*******************************************************************
set_user_info_24
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_24 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo24 * id24 ,
struct samu * pwd )
{
NTSTATUS status ;
if ( id24 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_24: NULL id24 \n " ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
2008-03-20 21:58:39 +01:00
}
2007-11-12 15:02:50 -08:00
2008-11-27 17:49:25 +01:00
if ( ! set_user_info_pw ( id24 - > password . data , pwd ) ) {
return NT_STATUS_WRONG_PASSWORD ;
}
2007-11-12 15:02:50 -08:00
2008-11-27 17:49:25 +01:00
copy_id24_to_sam_passwd ( pwd , id24 ) ;
status = pdb_update_sam_account ( pwd ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2001-05-04 15:44:27 +00:00
}
2008-11-27 17:49:25 +01:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
2006-06-06 14:18:12 +00:00
/*******************************************************************
set_user_info_25
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-11 21:09:21 +01:00
static NTSTATUS set_user_info_25 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo25 * id25 ,
2006-06-06 14:18:12 +00:00
struct samu * pwd )
{
NTSTATUS status ;
2008-02-05 12:54:19 +01:00
2006-06-06 14:18:12 +00:00
if ( id25 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_25: NULL id25 \n " ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
2008-11-29 00:23:16 +01:00
if ( id25 - > info . fields_present = = 0 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2008-11-27 17:29:30 +01:00
if ( id25 - > info . fields_present & SAMR_FIELD_LAST_PWD_CHANGE ) {
return NT_STATUS_ACCESS_DENIED ;
}
2008-11-27 17:49:25 +01:00
if ( ( id25 - > info . fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT ) | |
( id25 - > info . fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT ) ) {
if ( ! set_user_info_pw ( id25 - > password . data , pwd ) ) {
return NT_STATUS_WRONG_PASSWORD ;
}
}
2006-06-06 14:18:12 +00:00
copy_id25_to_sam_passwd ( pwd , id25 ) ;
2008-02-05 12:54:19 +01:00
2006-08-01 14:46:08 +00:00
/* write the change out */
if ( ! NT_STATUS_IS_OK ( status = pdb_update_sam_account ( pwd ) ) ) {
return status ;
}
2006-06-06 14:18:12 +00:00
/*
2006-08-01 14:46:08 +00:00
* We need to " pdb_update_sam_account " before the unix primary group
* is set , because the idealx scripts would also change the
* sambaPrimaryGroupSid using the ldap replace method . pdb_ldap uses
* the delete explicit / add explicit , which would then fail to find
* the previous primaryGroupSid value .
2006-06-06 14:18:12 +00:00
*/
2006-08-01 14:46:08 +00:00
2006-06-06 14:18:12 +00:00
if ( IS_SAM_CHANGED ( pwd , PDB_GROUPSID ) ) {
status = pdb_set_unix_primary_group ( mem_ctx , pwd ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
}
2008-02-05 12:54:19 +01:00
2006-06-06 14:18:12 +00:00
return NT_STATUS_OK ;
}
2008-11-27 17:49:25 +01:00
/*******************************************************************
set_user_info_26
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_user_info_26 ( TALLOC_CTX * mem_ctx ,
struct samr_UserInfo26 * id26 ,
struct samu * pwd )
{
NTSTATUS status ;
if ( id26 = = NULL ) {
DEBUG ( 5 , ( " set_user_info_26: NULL id26 \n " ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
if ( ! set_user_info_pw ( id26 - > password . data , pwd ) ) {
return NT_STATUS_WRONG_PASSWORD ;
}
copy_id26_to_sam_passwd ( pwd , id26 ) ;
status = pdb_update_sam_account ( pwd ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return NT_STATUS_OK ;
}
2001-02-27 18:22:39 +00:00
/*******************************************************************
2008-10-23 03:31:32 +02:00
samr_SetUserInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-10-23 03:31:32 +02:00
NTSTATUS _samr_SetUserInfo ( pipes_struct * p ,
struct samr_SetUserInfo * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
2008-02-11 21:09:21 +01:00
NTSTATUS status ;
2006-02-20 20:09:36 +00:00
struct samu * pwd = NULL ;
2008-10-23 03:31:32 +02:00
union samr_UserInfo * info = r - > in . info ;
uint16_t switch_value = r - > in . level ;
2008-02-12 02:10:40 +01:00
uint32_t acc_required ;
2007-10-18 17:40:25 -07:00
bool ret ;
bool has_enough_rights = False ;
2008-02-12 02:10:40 +01:00
uint32_t acb_info ;
2001-02-27 18:22:39 +00:00
2008-10-23 03:31:32 +02:00
DEBUG ( 5 , ( " _samr_SetUserInfo: %d \n " , __LINE__ ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-05 12:54:19 +01:00
/* This is tricky. A WinXP domain join sets
2008-10-23 19:24:41 +02:00
( SAMR_USER_ACCESS_SET_PASSWORD | SAMR_USER_ACCESS_SET_ATTRIBUTES | SAMR_USER_ACCESS_GET_ATTRIBUTES )
2008-02-05 12:54:19 +01:00
The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser ( ) . But the
2008-10-23 19:24:41 +02:00
standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser ( ) .
2008-02-05 12:54:19 +01:00
This should be enough for levels 18 , 24 , 25 , & 26. Info level 23 can set more so
2006-07-19 20:59:04 +00:00
we ' ll use the set from the WinXP join as the basis . */
2008-02-05 12:54:19 +01:00
2006-07-19 20:59:04 +00:00
switch ( switch_value ) {
case 18 :
case 24 :
case 25 :
case 26 :
2008-10-23 19:24:41 +02:00
acc_required = SAMR_USER_ACCESS_SET_PASSWORD ;
2006-07-19 20:59:04 +00:00
break ;
default :
2008-10-23 19:24:41 +02:00
acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
SAMR_USER_ACCESS_SET_ATTRIBUTES |
SAMR_USER_ACCESS_GET_ATTRIBUTES ;
2006-07-19 20:59:04 +00:00
break ;
}
2008-02-05 12:54:19 +01:00
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_find ( p , r - > in . user_handle , acc_required , NULL ,
struct samr_user_info , & status ) ;
2008-02-11 21:09:21 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2005-09-30 17:13:37 +00:00
2008-10-23 03:31:32 +02:00
DEBUG ( 5 , ( " _samr_SetUserInfo: sid:%s, level:%d \n " ,
2009-04-20 18:01:49 +02:00
sid_string_dbg ( & uinfo - > sid ) , switch_value ) ) ;
2001-02-27 18:22:39 +00:00
2008-02-11 21:09:21 +01:00
if ( info = = NULL ) {
2008-10-23 03:31:32 +02:00
DEBUG ( 5 , ( " _samr_SetUserInfo: NULL info level \n " ) ) ;
2001-02-27 18:22:39 +00:00
return NT_STATUS_INVALID_INFO_CLASS ;
}
2008-02-05 12:54:19 +01:00
2008-02-12 02:10:40 +01:00
if ( ! ( pwd = samu_new ( NULL ) ) ) {
2006-02-21 14:34:11 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
become_root ( ) ;
2009-04-20 18:01:49 +02:00
ret = pdb_getsampwsid ( pwd , & uinfo - > sid ) ;
2005-01-26 20:36:44 +00:00
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2008-02-12 02:10:40 +01:00
if ( ! ret ) {
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( pwd ) ;
2005-01-26 20:36:44 +00:00
return NT_STATUS_NO_SUCH_USER ;
}
2008-02-05 12:54:19 +01:00
2005-01-26 20:36:44 +00:00
/* deal with machine password changes differently from userinfo changes */
/* check to see if we have the sufficient rights */
2008-02-05 12:54:19 +01:00
2005-02-03 16:23:49 +00:00
acb_info = pdb_get_acct_ctrl ( pwd ) ;
2008-02-12 02:10:40 +01:00
if ( acb_info & ACB_WSTRUST )
2008-11-23 23:48:17 +01:00
has_enough_rights = user_has_privileges ( p - > server_info - > ptok ,
2008-02-12 02:10:40 +01:00
& se_machine_account ) ;
else if ( acb_info & ACB_NORMAL )
2008-11-23 23:48:17 +01:00
has_enough_rights = user_has_privileges ( p - > server_info - > ptok ,
2008-02-12 02:10:40 +01:00
& se_add_users ) ;
else if ( acb_info & ( ACB_SVRTRUST | ACB_DOMTRUST ) ) {
if ( lp_enable_privileges ( ) ) {
2008-11-23 23:48:17 +01:00
has_enough_rights = nt_token_check_domain_rid ( p - > server_info - > ptok ,
2008-02-12 02:10:40 +01:00
DOMAIN_GROUP_RID_ADMINS ) ;
}
2005-02-03 16:23:49 +00:00
}
2008-02-05 12:54:19 +01:00
2008-10-23 03:31:32 +02:00
DEBUG ( 5 , ( " _samr_SetUserInfo: %s does%s possess sufficient rights \n " ,
2008-11-23 23:48:17 +01:00
uidtoname ( p - > server_info - > utok . uid ) ,
2006-07-11 18:01:26 +00:00
has_enough_rights ? " " : " not " ) ) ;
2005-01-06 23:27:28 +00:00
2005-01-13 18:20:37 +00:00
/* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
2008-02-05 12:54:19 +01:00
2008-02-12 02:10:40 +01:00
if ( has_enough_rights ) {
2008-02-05 12:54:19 +01:00
become_root ( ) ;
2008-02-12 02:10:40 +01:00
}
2008-02-05 12:54:19 +01:00
2001-02-27 18:22:39 +00:00
/* ok! user info levels (lots: see MSDEV help), off we go... */
2005-01-06 23:27:28 +00:00
2001-02-27 18:22:39 +00:00
switch ( switch_value ) {
2008-02-12 02:10:40 +01:00
2009-05-07 17:06:26 +02:00
case 2 :
status = set_user_info_2 ( p - > mem_ctx ,
& info - > info2 , pwd ) ;
break ;
case 4 :
status = set_user_info_4 ( p - > mem_ctx ,
& info - > info4 , pwd ) ;
break ;
case 6 :
status = set_user_info_6 ( p - > mem_ctx ,
& info - > info6 , pwd ) ;
break ;
2008-02-12 02:10:40 +01:00
case 7 :
status = set_user_info_7 ( p - > mem_ctx ,
& info - > info7 , pwd ) ;
break ;
2009-05-07 17:06:26 +02:00
case 8 :
status = set_user_info_8 ( p - > mem_ctx ,
& info - > info8 , pwd ) ;
break ;
case 10 :
status = set_user_info_10 ( p - > mem_ctx ,
& info - > info10 , pwd ) ;
break ;
case 11 :
status = set_user_info_11 ( p - > mem_ctx ,
& info - > info11 , pwd ) ;
break ;
case 12 :
status = set_user_info_12 ( p - > mem_ctx ,
& info - > info12 , pwd ) ;
break ;
case 13 :
status = set_user_info_13 ( p - > mem_ctx ,
& info - > info13 , pwd ) ;
break ;
case 14 :
status = set_user_info_14 ( p - > mem_ctx ,
& info - > info14 , pwd ) ;
break ;
2008-02-12 02:10:40 +01:00
case 16 :
2009-05-07 21:45:51 +02:00
status = set_user_info_16 ( p - > mem_ctx ,
& info - > info16 , pwd ) ;
2008-02-12 02:10:40 +01:00
break ;
2009-05-07 17:06:26 +02:00
case 17 :
status = set_user_info_17 ( p - > mem_ctx ,
& info - > info17 , pwd ) ;
break ;
2005-01-26 20:36:44 +00:00
case 18 :
2008-02-12 02:10:40 +01:00
/* Used by AS/U JRA. */
2008-12-05 16:13:28 +01:00
status = set_user_info_18 ( & info - > info18 ,
p - > mem_ctx ,
& p - > server_info - > user_session_key ,
pwd ) ;
2008-02-12 02:10:40 +01:00
break ;
case 20 :
2009-05-07 21:45:51 +02:00
status = set_user_info_20 ( p - > mem_ctx ,
& info - > info20 , pwd ) ;
2008-02-12 02:10:40 +01:00
break ;
case 21 :
2008-12-09 13:25:59 +01:00
status = set_user_info_21 ( & info - > info21 ,
p - > mem_ctx ,
& p - > server_info - > user_session_key ,
pwd ) ;
2008-02-12 02:10:40 +01:00
break ;
case 23 :
2008-06-24 14:33:31 +02:00
if ( ! p - > server_info - > user_session_key . length ) {
2008-02-12 02:10:40 +01:00
status = NT_STATUS_NO_USER_SESSION_KEY ;
}
2009-03-16 21:27:58 +11:00
arcfour_crypt_blob ( info - > info23 . password . data , 516 ,
& p - > server_info - > user_session_key ) ;
2008-02-12 02:10:40 +01:00
dump_data ( 100 , info - > info23 . password . data , 516 ) ;
status = set_user_info_23 ( p - > mem_ctx ,
& info - > info23 , pwd ) ;
2001-02-27 18:22:39 +00:00
break ;
case 24 :
2008-06-24 14:33:31 +02:00
if ( ! p - > server_info - > user_session_key . length ) {
2008-02-11 21:09:21 +01:00
status = NT_STATUS_NO_USER_SESSION_KEY ;
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22 13:19:38 +00:00
}
2009-03-16 21:27:58 +11:00
arcfour_crypt_blob ( info - > info24 . password . data ,
516 ,
& p - > server_info - > user_session_key ) ;
2001-06-20 19:55:59 +00:00
2008-02-11 21:09:21 +01:00
dump_data ( 100 , info - > info24 . password . data , 516 ) ;
2001-06-20 19:55:59 +00:00
2008-11-27 17:49:25 +01:00
status = set_user_info_24 ( p - > mem_ctx ,
& info - > info24 , pwd ) ;
2001-02-27 18:22:39 +00:00
break ;
2001-06-20 19:55:59 +00:00
case 25 :
2008-06-24 14:33:31 +02:00
if ( ! p - > server_info - > user_session_key . length ) {
2008-02-11 21:09:21 +01:00
status = NT_STATUS_NO_USER_SESSION_KEY ;
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22 13:19:38 +00:00
}
2008-06-24 14:33:31 +02:00
encode_or_decode_arc4_passwd_buffer (
info - > info25 . password . data ,
& p - > server_info - > user_session_key ) ;
2001-06-20 19:55:59 +00:00
2008-02-11 21:09:21 +01:00
dump_data ( 100 , info - > info25 . password . data , 532 ) ;
2001-06-20 19:55:59 +00:00
2008-02-11 21:09:21 +01:00
status = set_user_info_25 ( p - > mem_ctx ,
& info - > info25 , pwd ) ;
2001-06-20 19:55:59 +00:00
break ;
2006-02-08 22:16:03 +00:00
case 26 :
2008-06-24 14:33:31 +02:00
if ( ! p - > server_info - > user_session_key . length ) {
2008-02-11 21:09:21 +01:00
status = NT_STATUS_NO_USER_SESSION_KEY ;
2006-02-08 22:16:03 +00:00
}
2008-06-24 14:33:31 +02:00
encode_or_decode_arc4_passwd_buffer (
info - > info26 . password . data ,
& p - > server_info - > user_session_key ) ;
2006-02-08 22:16:03 +00:00
2008-02-11 21:09:21 +01:00
dump_data ( 100 , info - > info26 . password . data , 516 ) ;
2006-02-08 22:16:03 +00:00
2008-11-27 17:49:25 +01:00
status = set_user_info_26 ( p - > mem_ctx ,
& info - > info26 , pwd ) ;
2001-02-27 18:22:39 +00:00
break ;
default :
2008-02-11 21:09:21 +01:00
status = NT_STATUS_INVALID_INFO_CLASS ;
2001-02-27 18:22:39 +00:00
}
2008-12-01 22:20:41 +01:00
TALLOC_FREE ( pwd ) ;
2008-02-12 02:10:40 +01:00
if ( has_enough_rights ) {
2005-01-06 23:27:28 +00:00
unbecome_root ( ) ;
2008-02-12 02:10:40 +01:00
}
2008-02-05 12:54:19 +01:00
2005-01-13 18:20:37 +00:00
/* ================ END SeMachineAccountPrivilege BLOCK ================ */
2005-01-06 23:27:28 +00:00
2008-02-11 21:09:21 +01:00
if ( NT_STATUS_IS_OK ( status ) ) {
2009-04-20 18:01:49 +02:00
force_flush_samr_cache ( & uinfo - > sid ) ;
2005-11-18 23:15:47 +00:00
}
2008-02-11 21:09:21 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/*******************************************************************
2008-02-11 21:09:21 +01:00
_samr_SetUserInfo2
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-11 21:09:21 +01:00
NTSTATUS _samr_SetUserInfo2 ( pipes_struct * p ,
struct samr_SetUserInfo2 * r )
2001-02-27 18:22:39 +00:00
{
2008-10-23 03:31:32 +02:00
struct samr_SetUserInfo q ;
q . in . user_handle = r - > in . user_handle ;
q . in . level = r - > in . level ;
q . in . info = r - > in . info ;
return _samr_SetUserInfo ( p , & q ) ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-05 02:04:56 +01:00
_samr_GetAliasMembership
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 02:04:56 +01:00
NTSTATUS _samr_GetAliasMembership ( pipes_struct * p ,
struct samr_GetAliasMembership * r )
2001-02-27 18:22:39 +00:00
{
2005-10-18 03:24:00 +00:00
size_t num_alias_rids ;
2005-03-27 16:33:04 +00:00
uint32 * alias_rids ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2005-10-18 03:24:00 +00:00
size_t i ;
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
NTSTATUS status ;
2002-09-26 18:37:55 +00:00
2004-11-05 23:34:00 +00:00
DOM_SID * members ;
2001-03-23 00:50:31 +00:00
2008-02-05 02:04:56 +01:00
DEBUG ( 5 , ( " _samr_GetAliasMembership: %d \n " , __LINE__ ) ) ;
2001-03-23 00:50:31 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
| SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT , NULL ,
struct samr_domain_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2008-02-05 12:54:19 +01:00
}
2001-03-23 00:50:31 +00:00
2009-04-19 22:58:09 +02:00
if ( ! sid_check_is_domain ( & dinfo - > sid ) & &
! sid_check_is_builtin ( & dinfo - > sid ) )
2001-12-05 15:41:44 +00:00
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
2008-02-05 02:04:56 +01:00
if ( r - > in . sids - > num_sids ) {
members = TALLOC_ARRAY ( p - > mem_ctx , DOM_SID , r - > in . sids - > num_sids ) ;
2001-12-05 15:41:44 +00:00
2007-04-30 00:53:17 +00:00
if ( members = = NULL )
return NT_STATUS_NO_MEMORY ;
} else {
members = NULL ;
}
2001-12-05 15:41:44 +00:00
2008-02-05 02:04:56 +01:00
for ( i = 0 ; i < r - > in . sids - > num_sids ; i + + )
sid_copy ( & members [ i ] , r - > in . sids - > sids [ i ] . sid ) ;
2001-03-23 00:50:31 +00:00
2005-03-27 16:33:04 +00:00
alias_rids = NULL ;
num_alias_rids = 0 ;
2004-11-05 23:34:00 +00:00
become_root ( ) ;
2009-04-19 22:58:09 +02:00
status = pdb_enum_alias_memberships ( p - > mem_ctx , & dinfo - > sid , members ,
r - > in . sids - > num_sids ,
& alias_rids , & num_alias_rids ) ;
2004-11-05 23:34:00 +00:00
unbecome_root ( ) ;
2009-04-19 22:58:09 +02:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2006-02-03 22:19:41 +00:00
}
2001-12-05 15:41:44 +00:00
2008-02-05 02:04:56 +01:00
r - > out . rids - > count = num_alias_rids ;
r - > out . rids - > ids = alias_rids ;
2001-12-05 15:41:44 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-05 00:29:11 +01:00
_samr_GetMembersInAlias
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 00:29:11 +01:00
NTSTATUS _samr_GetMembersInAlias ( pipes_struct * p ,
struct samr_GetMembersInAlias * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2006-02-03 22:19:41 +00:00
NTSTATUS status ;
2005-10-18 03:24:00 +00:00
size_t i ;
size_t num_sids = 0 ;
2008-02-05 00:29:11 +01:00
struct lsa_SidPtr * sids = NULL ;
DOM_SID * pdb_sids = NULL ;
2001-03-23 00:50:31 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_find ( p , r - > in . alias_handle ,
SAMR_ALIAS_ACCESS_GET_MEMBERS , NULL ,
struct samr_alias_info , & status ) ;
2008-02-05 00:29:11 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-03-23 00:50:31 +00:00
2009-04-20 19:04:20 +02:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_dbg ( & ainfo - > sid ) ) ) ;
2001-03-23 00:50:31 +00:00
2006-07-24 12:05:20 +00:00
become_root ( ) ;
2009-04-20 19:04:20 +02:00
status = pdb_enum_aliasmem ( & ainfo - > sid , & pdb_sids , & num_sids ) ;
2006-07-24 12:05:20 +00:00
unbecome_root ( ) ;
2006-02-03 22:19:41 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2001-03-23 00:50:31 +00:00
2007-04-30 00:53:17 +00:00
if ( num_sids ) {
2008-02-05 00:29:11 +01:00
sids = TALLOC_ZERO_ARRAY ( p - > mem_ctx , struct lsa_SidPtr , num_sids ) ;
if ( sids = = NULL ) {
TALLOC_FREE ( pdb_sids ) ;
2007-04-30 00:53:17 +00:00
return NT_STATUS_NO_MEMORY ;
}
2004-01-02 05:32:07 +00:00
}
2001-03-23 00:50:31 +00:00
2004-01-02 05:32:07 +00:00
for ( i = 0 ; i < num_sids ; i + + ) {
2008-02-05 00:29:11 +01:00
sids [ i ] . sid = sid_dup_talloc ( p - > mem_ctx , & pdb_sids [ i ] ) ;
if ( ! sids [ i ] . sid ) {
TALLOC_FREE ( pdb_sids ) ;
return NT_STATUS_NO_MEMORY ;
}
2001-03-23 00:50:31 +00:00
}
2008-02-05 00:29:11 +01:00
r - > out . sids - > num_sids = num_sids ;
r - > out . sids - > sids = sids ;
2004-01-02 05:32:07 +00:00
2008-02-05 00:29:11 +01:00
TALLOC_FREE ( pdb_sids ) ;
2001-03-23 00:50:31 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-05 03:17:12 +01:00
_samr_QueryGroupMember
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 03:17:12 +01:00
NTSTATUS _samr_QueryGroupMember ( pipes_struct * p ,
struct samr_QueryGroupMember * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2005-10-18 03:24:00 +00:00
size_t i , num_members ;
2001-03-23 00:50:31 +00:00
uint32 * rid = NULL ;
uint32 * attr = NULL ;
2008-02-05 03:17:12 +01:00
NTSTATUS status ;
struct samr_RidTypeArray * rids = NULL ;
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_find ( p , r - > in . group_handle ,
SAMR_GROUP_ACCESS_GET_MEMBERS , NULL ,
struct samr_group_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-02-05 03:17:12 +01:00
rids = TALLOC_ZERO_P ( p - > mem_ctx , struct samr_RidTypeArray ) ;
if ( ! rids ) {
return NT_STATUS_NO_MEMORY ;
}
2005-02-20 13:47:16 +00:00
2009-04-20 18:27:39 +02:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_dbg ( & ginfo - > sid ) ) ) ;
2008-02-05 03:17:12 +01:00
2009-04-20 18:27:39 +02:00
if ( ! sid_check_is_in_our_domain ( & ginfo - > sid ) ) {
2007-12-15 21:11:36 +01:00
DEBUG ( 3 , ( " sid %s is not in our domain \n " ,
2009-04-20 18:27:39 +02:00
sid_string_dbg ( & ginfo - > sid ) ) ) ;
2001-03-23 00:50:31 +00:00
return NT_STATUS_NO_SUCH_GROUP ;
2004-02-16 14:24:35 +00:00
}
2001-03-23 00:50:31 +00:00
DEBUG ( 10 , ( " lookup on Domain SID \n " ) ) ;
2005-02-20 13:47:16 +00:00
become_root ( ) ;
2009-04-20 18:27:39 +02:00
status = pdb_enum_group_members ( p - > mem_ctx , & ginfo - > sid ,
2005-02-20 13:47:16 +00:00
& rid , & num_members ) ;
unbecome_root ( ) ;
2001-03-23 00:50:31 +00:00
2008-02-05 03:17:12 +01:00
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2001-03-23 00:50:31 +00:00
2007-04-30 01:17:34 +00:00
if ( num_members ) {
attr = TALLOC_ZERO_ARRAY ( p - > mem_ctx , uint32 , num_members ) ;
if ( attr = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
} else {
attr = NULL ;
}
2008-02-05 12:54:19 +01:00
2005-02-20 13:47:16 +00:00
for ( i = 0 ; i < num_members ; i + + )
attr [ i ] = SID_NAME_USER ;
2004-04-07 12:43:44 +00:00
2008-02-05 03:17:12 +01:00
rids - > count = num_members ;
rids - > types = attr ;
rids - > rids = rid ;
* r - > out . rids = rids ;
2001-03-23 00:50:31 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-04 23:40:19 +01:00
_samr_AddAliasMember
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 23:40:19 +01:00
NTSTATUS _samr_AddAliasMember ( pipes_struct * p ,
struct samr_AddAliasMember * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2008-02-04 23:40:19 +01:00
NTSTATUS status ;
2001-03-23 00:50:31 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_find ( p , r - > in . alias_handle ,
SAMR_ALIAS_ACCESS_ADD_MEMBER , NULL ,
struct samr_alias_info , & status ) ;
2008-02-04 23:40:19 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-04 23:40:19 +01:00
2009-04-20 19:04:20 +02:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_dbg ( & ainfo - > sid ) ) ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2001-11-29 16:05:05 +00:00
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2008-02-05 12:54:19 +01:00
2009-04-20 19:04:20 +02:00
status = pdb_add_aliasmem ( & ainfo - > sid , r - > in . sid ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2008-02-04 23:40:19 +01:00
if ( NT_STATUS_IS_OK ( status ) ) {
2009-04-20 19:04:20 +02:00
force_flush_samr_cache ( & ainfo - > sid ) ;
2005-11-18 23:15:47 +00:00
}
2008-02-04 23:40:19 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-04 23:27:22 +01:00
_samr_DeleteAliasMember
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 23:27:22 +01:00
NTSTATUS _samr_DeleteAliasMember ( pipes_struct * p ,
struct samr_DeleteAliasMember * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2008-02-04 23:27:22 +01:00
NTSTATUS status ;
2001-12-10 15:03:16 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_find ( p , r - > in . alias_handle ,
SAMR_ALIAS_ACCESS_REMOVE_MEMBER , NULL ,
struct samr_alias_info , & status ) ;
2008-02-04 23:27:22 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2004-04-07 12:43:44 +00:00
DEBUG ( 10 , ( " _samr_del_aliasmem:sid is %s \n " ,
2009-04-20 19:04:20 +02:00
sid_string_dbg ( & ainfo - > sid ) ) ) ;
2001-12-10 15:03:16 +00:00
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2009-04-20 19:04:20 +02:00
status = pdb_del_aliasmem ( & ainfo - > sid , r - > in . sid ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2008-02-04 23:27:22 +01:00
if ( NT_STATUS_IS_OK ( status ) ) {
2009-04-20 19:04:20 +02:00
force_flush_samr_cache ( & ainfo - > sid ) ;
2005-11-18 23:15:47 +00:00
}
2008-02-04 23:27:22 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-04 18:36:44 +01:00
_samr_AddGroupMember
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 18:36:44 +01:00
NTSTATUS _samr_AddGroupMember ( pipes_struct * p ,
struct samr_AddGroupMember * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2008-02-04 18:36:44 +01:00
NTSTATUS status ;
2006-02-13 17:08:25 +00:00
uint32 group_rid ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2008-02-04 18:36:44 +01:00
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_find ( p , r - > in . group_handle ,
SAMR_GROUP_ACCESS_ADD_MEMBER , NULL ,
struct samr_group_info , & status ) ;
2008-02-04 18:36:44 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-03-23 00:50:31 +00:00
2009-04-20 18:27:39 +02:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_dbg ( & ginfo - > sid ) ) ) ;
2001-03-23 00:50:31 +00:00
2009-04-20 18:27:39 +02:00
if ( ! sid_peek_check_rid ( get_global_sam_sid ( ) , & ginfo - > sid ,
2006-02-13 17:08:25 +00:00
& group_rid ) ) {
return NT_STATUS_INVALID_HANDLE ;
2002-11-02 03:47:48 +00:00
}
2001-03-23 00:50:31 +00:00
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2001-03-23 00:50:31 +00:00
2008-02-04 18:36:44 +01:00
status = pdb_add_groupmem ( p - > mem_ctx , group_rid , r - > in . rid ) ;
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2009-04-20 18:27:39 +02:00
force_flush_samr_cache ( & ginfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2008-02-04 18:36:44 +01:00
return status ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-04 18:09:35 +01:00
_samr_DeleteGroupMember
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-04 18:09:35 +01:00
NTSTATUS _samr_DeleteGroupMember ( pipes_struct * p ,
struct samr_DeleteGroupMember * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2008-02-04 18:09:35 +01:00
NTSTATUS status ;
2006-02-13 17:08:25 +00:00
uint32 group_rid ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2001-12-10 15:03:16 +00:00
/*
2008-02-04 18:09:35 +01:00
* delete the group member named r - > in . rid
2001-12-10 15:03:16 +00:00
* who is a member of the sid associated with the handle
* the rid is a user ' s rid as the group is a domain group .
*/
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_find ( p , r - > in . group_handle ,
SAMR_GROUP_ACCESS_REMOVE_MEMBER , NULL ,
struct samr_group_info , & status ) ;
2008-02-04 18:09:35 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-12-10 15:03:16 +00:00
2009-04-20 18:27:39 +02:00
if ( ! sid_peek_check_rid ( get_global_sam_sid ( ) , & ginfo - > sid ,
2006-02-13 17:08:25 +00:00
& group_rid ) ) {
return NT_STATUS_INVALID_HANDLE ;
2001-12-10 15:03:16 +00:00
}
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2001-12-10 15:03:16 +00:00
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2008-02-05 12:54:19 +01:00
2008-02-04 18:09:35 +01:00
status = pdb_del_groupmem ( p - > mem_ctx , group_rid , r - > in . rid ) ;
2001-12-10 15:03:16 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2009-04-20 18:27:39 +02:00
force_flush_samr_cache ( & ginfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2008-02-04 18:09:35 +01:00
return status ;
2002-07-15 10:35:28 +00:00
}
2001-02-27 18:22:39 +00:00
/*********************************************************************
2008-02-01 01:30:50 +01:00
_samr_DeleteUser
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 01:30:50 +01:00
NTSTATUS _samr_DeleteUser ( pipes_struct * p ,
struct samr_DeleteUser * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:01:49 +02:00
struct samr_user_info * uinfo ;
2008-02-01 01:30:50 +01:00
NTSTATUS status ;
2006-02-20 20:09:36 +00:00
struct samu * sam_pass = NULL ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2006-03-01 21:56:59 +00:00
uint32 acb_info ;
2007-10-18 17:40:25 -07:00
bool ret ;
2001-12-10 15:03:16 +00:00
2008-02-01 01:30:50 +01:00
DEBUG ( 5 , ( " _samr_DeleteUser: %d \n " , __LINE__ ) ) ;
2001-12-10 15:03:16 +00:00
2009-04-20 18:01:49 +02:00
uinfo = policy_handle_find ( p , r - > in . user_handle ,
STD_RIGHT_DELETE_ACCESS , NULL ,
struct samr_user_info , & status ) ;
2008-02-01 01:30:50 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2009-04-20 18:01:49 +02:00
if ( ! sid_check_is_in_our_domain ( & uinfo - > sid ) )
2001-12-10 15:03:16 +00:00
return NT_STATUS_CANNOT_DELETE ;
/* check if the user exists before trying to delete */
2006-02-21 14:34:11 +00:00
if ( ! ( sam_pass = samu_new ( NULL ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
2006-07-19 20:59:04 +00:00
become_root ( ) ;
2009-04-20 18:01:49 +02:00
ret = pdb_getsampwsid ( sam_pass , & uinfo - > sid ) ;
2006-07-19 20:59:04 +00:00
unbecome_root ( ) ;
if ( ! ret ) {
2008-02-05 12:54:19 +01:00
DEBUG ( 5 , ( " _samr_DeleteUser: User %s doesn't exist. \n " ,
2009-04-20 18:01:49 +02:00
sid_string_dbg ( & uinfo - > sid ) ) ) ;
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( sam_pass ) ;
2001-12-10 15:03:16 +00:00
return NT_STATUS_NO_SUCH_USER ;
}
2008-02-05 12:54:19 +01:00
2006-03-01 21:56:59 +00:00
acb_info = pdb_get_acct_ctrl ( sam_pass ) ;
/* For machine accounts it's the SeMachineAccountPrivilege that counts. */
if ( acb_info & ACB_WSTRUST ) {
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_machine_account ) ;
2006-03-01 21:56:59 +00:00
} else {
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_add_users ) ;
2008-02-05 12:54:19 +01:00
}
2001-12-10 15:03:16 +00:00
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2008-02-01 01:30:50 +01:00
status = pdb_delete_user ( p - > mem_ctx , sam_pass ) ;
2006-02-13 17:08:25 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2008-02-01 01:30:50 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 5 , ( " _samr_DeleteUser: Failed to delete entry for "
2006-02-13 17:08:25 +00:00
" user %s: %s. \n " , pdb_get_username ( sam_pass ) ,
2008-02-01 01:30:50 +01:00
nt_errstr ( status ) ) ) ;
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( sam_pass ) ;
2008-02-01 01:30:50 +01:00
return status ;
2004-09-22 00:33:09 +00:00
}
2006-02-20 20:09:36 +00:00
TALLOC_FREE ( sam_pass ) ;
2001-12-10 15:03:16 +00:00
2008-02-01 01:30:50 +01:00
if ( ! close_policy_hnd ( p , r - > in . user_handle ) )
2001-12-10 15:03:16 +00:00
return NT_STATUS_OBJECT_NAME_INVALID ;
2008-10-23 01:42:27 +02:00
ZERO_STRUCTP ( r - > out . user_handle ) ;
2009-04-20 18:01:49 +02:00
force_flush_samr_cache ( & uinfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2001-12-10 15:03:16 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-01 01:31:45 +01:00
_samr_DeleteDomainGroup
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 01:31:45 +01:00
NTSTATUS _samr_DeleteDomainGroup ( pipes_struct * p ,
struct samr_DeleteDomainGroup * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2008-02-01 01:31:45 +01:00
NTSTATUS status ;
2001-07-09 18:25:40 +00:00
uint32 group_rid ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2001-07-09 18:25:40 +00:00
2008-02-01 01:31:45 +01:00
DEBUG ( 5 , ( " samr_DeleteDomainGroup: %d \n " , __LINE__ ) ) ;
2001-07-09 18:25:40 +00:00
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_find ( p , r - > in . group_handle ,
STD_RIGHT_DELETE_ACCESS , NULL ,
struct samr_group_info , & status ) ;
2008-02-01 01:31:45 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-07-09 18:25:40 +00:00
2009-04-20 18:27:39 +02:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_dbg ( & ginfo - > sid ) ) ) ;
2001-07-09 18:25:40 +00:00
2009-04-20 18:27:39 +02:00
if ( ! sid_peek_check_rid ( get_global_sam_sid ( ) , & ginfo - > sid ,
2006-02-13 17:08:25 +00:00
& group_rid ) ) {
2001-07-09 18:25:40 +00:00
return NT_STATUS_NO_SUCH_GROUP ;
2006-02-13 17:08:25 +00:00
}
2001-07-09 18:25:40 +00:00
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2008-02-01 01:31:45 +01:00
status = pdb_delete_dom_group ( p - > mem_ctx , group_rid ) ;
2001-07-09 18:25:40 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2008-02-01 01:31:45 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 5 , ( " _samr_DeleteDomainGroup: Failed to delete mapping "
2006-02-13 17:08:25 +00:00
" entry for group %s: %s \n " ,
2009-04-20 18:27:39 +02:00
sid_string_dbg ( & ginfo - > sid ) ,
2008-02-01 01:31:45 +01:00
nt_errstr ( status ) ) ) ;
return status ;
2005-01-19 16:52:19 +00:00
}
2008-02-05 12:54:19 +01:00
2008-02-01 01:31:45 +01:00
if ( ! close_policy_hnd ( p , r - > in . group_handle ) )
2001-07-09 18:25:40 +00:00
return NT_STATUS_OBJECT_NAME_INVALID ;
2009-04-20 18:27:39 +02:00
force_flush_samr_cache ( & ginfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-01 01:32:18 +01:00
_samr_DeleteDomAlias
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 01:32:18 +01:00
NTSTATUS _samr_DeleteDomAlias ( pipes_struct * p ,
struct samr_DeleteDomAlias * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2007-05-11 08:46:54 +00:00
NTSTATUS status ;
2001-07-09 18:25:40 +00:00
2008-02-01 01:32:18 +01:00
DEBUG ( 5 , ( " _samr_DeleteDomAlias: %d \n " , __LINE__ ) ) ;
2001-07-09 18:25:40 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_find ( p , r - > in . alias_handle ,
STD_RIGHT_DELETE_ACCESS , NULL ,
struct samr_alias_info , & status ) ;
2008-02-01 01:32:18 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2001-07-09 18:25:40 +00:00
2009-04-20 19:04:20 +02:00
DEBUG ( 10 , ( " sid is %s \n " , sid_string_dbg ( & ainfo - > sid ) ) ) ;
2001-07-09 18:25:40 +00:00
2006-03-22 08:04:13 +00:00
/* Don't let Windows delete builtin groups */
2009-04-20 19:04:20 +02:00
if ( sid_check_is_in_builtin ( & ainfo - > sid ) ) {
2006-03-22 08:04:13 +00:00
return NT_STATUS_SPECIAL_ACCOUNT ;
}
2009-04-20 19:04:20 +02:00
if ( ! sid_check_is_in_our_domain ( & ainfo - > sid ) )
2001-07-09 18:25:40 +00:00
return NT_STATUS_NO_SUCH_ALIAS ;
2008-02-05 12:54:19 +01:00
2001-07-09 18:25:40 +00:00
DEBUG ( 10 , ( " lookup on Local SID \n " ) ) ;
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2004-04-07 12:43:44 +00:00
/* Have passdb delete the alias */
2009-04-20 19:04:20 +02:00
status = pdb_delete_alias ( & ainfo - > sid ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2007-05-11 08:46:54 +00:00
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2001-07-09 18:25:40 +00:00
2008-02-01 01:32:18 +01:00
if ( ! close_policy_hnd ( p , r - > in . alias_handle ) )
2001-07-09 18:25:40 +00:00
return NT_STATUS_OBJECT_NAME_INVALID ;
2009-04-20 19:04:20 +02:00
force_flush_samr_cache ( & ainfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-01 14:49:23 +01:00
_samr_CreateDomainGroup
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 14:49:23 +01:00
NTSTATUS _samr_CreateDomainGroup ( pipes_struct * p ,
struct samr_CreateDomainGroup * r )
2001-02-27 18:22:39 +00:00
{
2008-02-01 14:49:23 +01:00
NTSTATUS status ;
2006-02-13 17:08:25 +00:00
const char * name ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_CREATE_GROUP , NULL ,
struct samr_domain_info , & status ) ;
2008-02-01 14:49:23 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
if ( ! sid_equal ( & dinfo - > sid , get_global_sam_sid ( ) ) )
2001-03-23 00:50:31 +00:00
return NT_STATUS_ACCESS_DENIED ;
2008-02-01 14:49:23 +01:00
name = r - > in . name - > string ;
2006-02-13 17:08:25 +00:00
if ( name = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2001-03-23 00:50:31 +00:00
2008-02-01 14:49:23 +01:00
status = can_create ( p - > mem_ctx , name ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2005-12-03 18:34:13 +00:00
}
2001-03-23 00:50:31 +00:00
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2001-03-23 00:50:31 +00:00
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/* check that we successfully create the UNIX group */
2008-02-05 12:54:19 +01:00
2008-02-01 14:49:23 +01:00
status = pdb_create_dom_group ( p - > mem_ctx , name , r - > out . rid ) ;
2001-03-23 00:50:31 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/* check if we should bail out here */
2008-02-05 12:54:19 +01:00
2008-02-01 14:49:23 +01:00
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2006-02-13 17:08:25 +00:00
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_create ( p , r - > out . group_handle ,
GENERIC_RIGHTS_GROUP_ALL_ACCESS ,
struct samr_group_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
sid_compose ( & ginfo - > sid , & dinfo - > sid , * r - > out . rid ) ;
2001-03-23 00:50:31 +00:00
2009-04-20 18:27:39 +02:00
force_flush_samr_cache ( & dinfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-01 14:48:42 +01:00
_samr_CreateDomAlias
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 14:48:42 +01:00
NTSTATUS _samr_CreateDomAlias ( pipes_struct * p ,
struct samr_CreateDomAlias * r )
2001-02-27 18:22:39 +00:00
{
2002-01-02 07:27:33 +00:00
DOM_SID info_sid ;
2008-02-01 14:48:42 +01:00
const char * name = NULL ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2002-09-25 15:19:00 +00:00
gid_t gid ;
2004-04-10 16:09:48 +00:00
NTSTATUS result ;
2005-01-19 16:52:19 +00:00
SE_PRIV se_rights ;
2007-10-18 17:40:25 -07:00
bool can_add_accounts ;
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_CREATE_ALIAS , NULL ,
struct samr_domain_info , & result ) ;
2008-02-01 14:48:42 +01:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
return result ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
if ( ! sid_equal ( & dinfo - > sid , get_global_sam_sid ( ) ) )
2001-03-23 00:50:31 +00:00
return NT_STATUS_ACCESS_DENIED ;
2008-02-01 14:48:42 +01:00
name = r - > in . alias_name - > string ;
2001-03-23 00:50:31 +00:00
2005-01-19 16:52:19 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
can_add_accounts = user_has_privileges ( p - > server_info - > ptok , & se_rights ) ;
2005-01-19 16:52:19 +00:00
2005-12-08 19:34:22 +00:00
result = can_create ( p - > mem_ctx , name ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
return result ;
}
2005-01-19 16:52:19 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
become_root ( ) ;
2004-04-07 12:43:44 +00:00
/* Have passdb create the alias */
2008-02-01 14:48:42 +01:00
result = pdb_create_alias ( name , r - > out . rid ) ;
2004-04-10 16:09:48 +00:00
2005-01-19 16:52:19 +00:00
if ( can_add_accounts )
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2005-01-19 16:52:19 +00:00
/******** END SeAddUsers BLOCK *********/
2006-02-03 22:19:41 +00:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 10 , ( " pdb_create_alias failed: %s \n " ,
nt_errstr ( result ) ) ) ;
2004-04-10 16:09:48 +00:00
return result ;
2006-02-03 22:19:41 +00:00
}
2001-03-23 00:50:31 +00:00
2009-04-19 22:58:09 +02:00
sid_compose ( & info_sid , & dinfo - > sid , * r - > out . rid ) ;
2001-03-23 00:50:31 +00:00
2006-02-03 22:19:41 +00:00
if ( ! sid_to_gid ( & info_sid , & gid ) ) {
DEBUG ( 10 , ( " Could not find alias just created \n " ) ) ;
2004-04-07 12:43:44 +00:00
return NT_STATUS_ACCESS_DENIED ;
2006-02-03 22:19:41 +00:00
}
2004-04-07 12:43:44 +00:00
/* check if the group has been successfully created */
2006-02-03 22:19:41 +00:00
if ( getgrgid ( gid ) = = NULL ) {
DEBUG ( 10 , ( " getgrgid(%d) of just created alias failed \n " ,
gid ) ) ;
2001-05-08 16:33:18 +00:00
return NT_STATUS_ACCESS_DENIED ;
2006-02-03 22:19:41 +00:00
}
2001-05-08 16:33:18 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_create ( p , r - > out . alias_handle ,
GENERIC_RIGHTS_ALIAS_ALL_ACCESS ,
struct samr_alias_info , & result ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
return result ;
}
ainfo - > sid = info_sid ;
2001-03-23 00:50:31 +00:00
2009-04-19 22:01:16 +02:00
force_flush_samr_cache ( & info_sid ) ;
2005-11-18 23:15:47 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-07 13:58:53 +01:00
_samr_QueryGroupInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-07 13:58:53 +01:00
NTSTATUS _samr_QueryGroupInfo ( pipes_struct * p ,
struct samr_QueryGroupInfo * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2008-02-07 13:58:53 +01:00
NTSTATUS status ;
2001-03-23 00:50:31 +00:00
GROUP_MAP map ;
2008-02-07 13:58:53 +01:00
union samr_GroupInfo * info = NULL ;
2007-10-18 17:40:25 -07:00
bool ret ;
2008-02-07 13:58:53 +01:00
uint32_t attributes = SE_GROUP_MANDATORY |
SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED ;
const char * group_name = NULL ;
const char * group_description = NULL ;
2001-03-23 00:50:31 +00:00
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_find ( p , r - > in . group_handle ,
SAMR_GROUP_ACCESS_LOOKUP_INFO , NULL ,
struct samr_group_info , & status ) ;
2008-02-07 13:58:53 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2003-11-07 23:04:06 +00:00
become_root ( ) ;
2009-04-20 18:27:39 +02:00
ret = get_domain_group_from_sid ( ginfo - > sid , & map ) ;
2003-11-07 23:04:06 +00:00
unbecome_root ( ) ;
if ( ! ret )
2001-03-23 00:50:31 +00:00
return NT_STATUS_INVALID_HANDLE ;
2001-11-29 16:05:05 +00:00
2008-02-07 13:58:53 +01:00
/* FIXME: map contains fstrings */
group_name = talloc_strdup ( r , map . nt_name ) ;
group_description = talloc_strdup ( r , map . comment ) ;
info = TALLOC_ZERO_P ( p - > mem_ctx , union samr_GroupInfo ) ;
if ( ! info ) {
2001-03-23 00:50:31 +00:00
return NT_STATUS_NO_MEMORY ;
2008-02-07 13:58:53 +01:00
}
2001-03-23 00:50:31 +00:00
2008-02-07 13:58:53 +01:00
switch ( r - > in . level ) {
2006-02-13 17:08:25 +00:00
case 1 : {
uint32 * members ;
size_t num_members ;
become_root ( ) ;
2008-02-07 13:58:53 +01:00
status = pdb_enum_group_members (
2009-04-20 18:27:39 +02:00
p - > mem_ctx , & ginfo - > sid , & members ,
& num_members ) ;
2006-02-13 17:08:25 +00:00
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2008-02-07 13:58:53 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2006-02-13 17:08:25 +00:00
}
2008-12-06 01:41:28 +01:00
info - > all . name . string = group_name ;
info - > all . attributes = attributes ;
info - > all . num_members = num_members ;
info - > all . description . string = group_description ;
2001-03-23 00:50:31 +00:00
break ;
2006-02-13 17:08:25 +00:00
}
2006-03-22 15:00:42 +00:00
case 2 :
2008-12-06 01:41:28 +01:00
info - > name . string = group_name ;
2006-03-22 15:00:42 +00:00
break ;
2001-12-10 15:03:16 +00:00
case 3 :
2008-12-06 01:41:28 +01:00
info - > attributes . attributes = attributes ;
2001-12-10 15:03:16 +00:00
break ;
2001-03-23 00:50:31 +00:00
case 4 :
2008-12-06 01:41:28 +01:00
info - > description . string = group_description ;
2001-03-23 00:50:31 +00:00
break ;
2006-03-22 15:00:42 +00:00
case 5 : {
/*
uint32 * members ;
size_t num_members ;
*/
/*
become_root ( ) ;
2008-02-07 13:58:53 +01:00
status = pdb_enum_group_members (
2009-04-20 18:27:39 +02:00
p - > mem_ctx , & ginfo - > sid , & members ,
& num_members ) ;
2006-03-22 15:00:42 +00:00
unbecome_root ( ) ;
2008-02-05 12:54:19 +01:00
2008-02-07 13:58:53 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2006-03-22 15:00:42 +00:00
}
*/
2008-12-06 01:41:28 +01:00
info - > all2 . name . string = group_name ;
info - > all2 . attributes = attributes ;
info - > all2 . num_members = 0 ; /* num_members - in w2k3 this is always 0 */
info - > all2 . description . string = group_description ;
2008-02-07 13:58:53 +01:00
2006-03-22 15:00:42 +00:00
break ;
}
2001-03-23 00:50:31 +00:00
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2008-02-07 13:58:53 +01:00
* r - > out . info = info ;
2001-03-23 00:50:31 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-06 12:57:59 +01:00
_samr_SetGroupInfo
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-06 12:57:59 +01:00
NTSTATUS _samr_SetGroupInfo ( pipes_struct * p ,
struct samr_SetGroupInfo * r )
2001-02-27 18:22:39 +00:00
{
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2001-03-23 00:50:31 +00:00
GROUP_MAP map ;
2008-02-06 12:57:59 +01:00
NTSTATUS status ;
bool ret ;
2007-10-18 17:40:25 -07:00
bool can_mod_accounts ;
2008-02-05 12:54:19 +01:00
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_find ( p , r - > in . group_handle ,
SAMR_GROUP_ACCESS_SET_INFO , NULL ,
struct samr_group_info , & status ) ;
2008-02-06 12:57:59 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2006-01-25 21:29:36 +00:00
become_root ( ) ;
2009-04-20 18:27:39 +02:00
ret = get_domain_group_from_sid ( ginfo - > sid , & map ) ;
2006-01-25 21:29:36 +00:00
unbecome_root ( ) ;
2008-02-06 12:57:59 +01:00
if ( ! ret )
2001-03-23 00:50:31 +00:00
return NT_STATUS_NO_SUCH_GROUP ;
2008-02-05 12:54:19 +01:00
2008-02-06 12:57:59 +01:00
switch ( r - > in . level ) {
2001-03-23 00:50:31 +00:00
case 1 :
2008-02-06 12:57:59 +01:00
fstrcpy ( map . comment , r - > in . info - > all . description . string ) ;
2001-03-23 00:50:31 +00:00
break ;
2008-10-23 23:11:50 +02:00
case 2 :
/* group rename is not supported yet */
return NT_STATUS_NOT_SUPPORTED ;
2001-03-23 00:50:31 +00:00
case 4 :
2008-02-06 12:57:59 +01:00
fstrcpy ( map . comment , r - > in . info - > description . string ) ;
2001-05-08 16:33:18 +00:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2008-11-23 23:48:17 +01:00
can_mod_accounts = user_has_privileges ( p - > server_info - > ptok , & se_add_users ) ;
2001-11-29 16:05:05 +00:00
2005-09-02 13:42:56 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_mod_accounts )
become_root ( ) ;
2008-02-05 12:54:19 +01:00
2008-02-06 12:57:59 +01:00
status = pdb_update_group_mapping_entry ( & map ) ;
2005-09-02 13:42:56 +00:00
if ( can_mod_accounts )
unbecome_root ( ) ;
/******** End SeAddUsers BLOCK *********/
2008-02-06 12:57:59 +01:00
if ( NT_STATUS_IS_OK ( status ) ) {
2009-04-20 18:27:39 +02:00
force_flush_samr_cache ( & ginfo - > sid ) ;
2005-11-18 23:15:47 +00:00
}
2008-02-06 12:57:59 +01:00
return status ;
2001-05-08 16:33:18 +00:00
}
/*********************************************************************
2008-02-06 12:53:43 +01:00
_samr_SetAliasInfo
2001-05-08 16:33:18 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-06 12:53:43 +01:00
NTSTATUS _samr_SetAliasInfo ( pipes_struct * p ,
struct samr_SetAliasInfo * r )
2001-05-08 16:33:18 +00:00
{
2009-04-20 19:04:20 +02:00
struct samr_alias_info * ainfo ;
2004-04-07 12:43:44 +00:00
struct acct_info info ;
2007-10-18 17:40:25 -07:00
bool can_mod_accounts ;
2007-05-11 08:46:54 +00:00
NTSTATUS status ;
2001-05-08 16:33:18 +00:00
2009-04-20 19:04:20 +02:00
ainfo = policy_handle_find ( p , r - > in . alias_handle ,
SAMR_ALIAS_ACCESS_SET_INFO , NULL ,
struct samr_alias_info , & status ) ;
2008-02-06 12:53:43 +01:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2002-07-15 10:35:28 +00:00
}
2008-02-05 12:54:19 +01:00
2006-03-22 08:04:13 +00:00
/* get the current group information */
2006-07-24 12:05:20 +00:00
become_root ( ) ;
2009-04-20 19:04:20 +02:00
status = pdb_get_aliasinfo ( & ainfo - > sid , & info ) ;
2006-07-24 12:05:20 +00:00
unbecome_root ( ) ;
2007-05-11 08:46:54 +00:00
if ( ! NT_STATUS_IS_OK ( status ) )
return status ;
2006-03-22 08:04:13 +00:00
2008-02-06 12:53:43 +01:00
switch ( r - > in . level ) {
case ALIASINFONAME :
2006-07-11 20:02:22 +00:00
{
2008-02-06 12:53:43 +01:00
fstring group_name ;
2006-07-11 20:02:22 +00:00
2006-03-22 08:04:13 +00:00
/* We currently do not support renaming groups in the
2008-02-05 12:54:19 +01:00
the BUILTIN domain . Refer to util_builtin . c to understand
2006-03-22 08:04:13 +00:00
why . The eventually needs to be fixed to be like Windows
where you can rename builtin groups , just not delete them */
2009-04-20 19:04:20 +02:00
if ( sid_check_is_in_builtin ( & ainfo - > sid ) ) {
2006-03-22 08:04:13 +00:00
return NT_STATUS_SPECIAL_ACCOUNT ;
}
2006-08-24 12:49:18 +00:00
/* There has to be a valid name (and it has to be different) */
2008-02-06 12:53:43 +01:00
if ( ! r - > in . info - > name . string )
2006-07-11 20:02:22 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2006-08-24 12:49:18 +00:00
/* If the name is the same just reply "ok". Yes this
doesn ' t allow you to change the case of a group name . */
2008-02-06 12:53:43 +01:00
if ( strequal ( r - > in . info - > name . string , info . acct_name ) )
2006-08-24 12:49:18 +00:00
return NT_STATUS_OK ;
2006-07-11 20:02:22 +00:00
2008-02-06 12:53:43 +01:00
fstrcpy ( info . acct_name , r - > in . info - > name . string ) ;
2006-09-12 18:02:33 +00:00
2008-02-05 12:54:19 +01:00
/* make sure the name doesn't already exist as a user
2006-07-11 20:02:22 +00:00
or local group */
fstr_sprintf ( group_name , " %s \\ %s " , global_myname ( ) , info . acct_name ) ;
2006-07-11 20:31:13 +00:00
status = can_create ( p - > mem_ctx , group_name ) ;
2008-02-05 12:54:19 +01:00
if ( ! NT_STATUS_IS_OK ( status ) )
2006-07-11 20:31:13 +00:00
return status ;
2006-03-22 08:04:13 +00:00
break ;
2006-07-11 20:02:22 +00:00
}
2008-02-06 12:53:43 +01:00
case ALIASINFODESCRIPTION :
if ( r - > in . info - > description . string ) {
fstrcpy ( info . acct_desc ,
r - > in . info - > description . string ) ;
} else {
2005-12-15 18:39:28 +00:00
fstrcpy ( info . acct_desc , " " ) ;
2008-02-06 12:53:43 +01:00
}
2001-03-23 00:50:31 +00:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
}
2008-11-23 23:48:17 +01:00
can_mod_accounts = user_has_privileges ( p - > server_info - > ptok , & se_add_users ) ;
2001-11-29 16:05:05 +00:00
2005-09-02 13:42:56 +00:00
/******** BEGIN SeAddUsers BLOCK *********/
if ( can_mod_accounts )
become_root ( ) ;
2009-04-20 19:04:20 +02:00
status = pdb_set_aliasinfo ( & ainfo - > sid , & info ) ;
2005-09-02 13:42:56 +00:00
if ( can_mod_accounts )
unbecome_root ( ) ;
/******** End SeAddUsers BLOCK *********/
2007-05-11 08:46:54 +00:00
if ( NT_STATUS_IS_OK ( status ) )
2009-04-20 19:04:20 +02:00
force_flush_samr_cache ( & ainfo - > sid ) ;
2005-11-18 23:15:47 +00:00
2007-05-11 08:46:54 +00:00
return status ;
2001-02-27 18:22:39 +00:00
}
2008-01-30 21:55:03 +01:00
/****************************************************************
_samr_GetDomPwInfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-02-27 18:22:39 +00:00
2008-01-30 21:55:03 +01:00
NTSTATUS _samr_GetDomPwInfo ( pipes_struct * p ,
struct samr_GetDomPwInfo * r )
2001-02-27 18:22:39 +00:00
{
2008-04-04 11:59:32 +02:00
uint32_t min_password_length = 0 ;
uint32_t password_properties = 0 ;
2002-07-15 10:35:28 +00:00
/* Perform access check. Since this rpc does not require a
policy handle it will not be caught by the access checks on
SAMR_CONNECT or SAMR_CONNECT_ANON . */
if ( ! pipe_access_check ( p ) ) {
2008-01-30 21:55:03 +01:00
DEBUG ( 3 , ( " access denied to _samr_GetDomPwInfo \n " ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2002-07-15 10:35:28 +00:00
}
2008-04-04 11:59:32 +02:00
become_root ( ) ;
pdb_get_account_policy ( AP_MIN_PASSWORD_LEN ,
& min_password_length ) ;
pdb_get_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS ,
& password_properties ) ;
unbecome_root ( ) ;
if ( lp_check_password_script ( ) & & * lp_check_password_script ( ) ) {
password_properties | = DOMAIN_PASSWORD_COMPLEX ;
}
r - > out . info - > min_password_length = min_password_length ;
r - > out . info - > password_properties = password_properties ;
2002-07-15 10:35:28 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-01 00:49:32 +01:00
_samr_OpenGroup
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-01 00:49:32 +01:00
NTSTATUS _samr_OpenGroup ( pipes_struct * p ,
struct samr_OpenGroup * r )
2001-02-27 18:22:39 +00:00
{
2002-01-02 07:27:33 +00:00
DOM_SID info_sid ;
2001-03-23 00:50:31 +00:00
GROUP_MAP map ;
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2009-04-20 18:27:39 +02:00
struct samr_group_info * ginfo ;
2002-07-15 10:35:28 +00:00
SEC_DESC * psd = NULL ;
uint32 acc_granted ;
2008-02-01 00:49:32 +01:00
uint32 des_access = r - > in . access_mask ;
2002-07-15 10:35:28 +00:00
size_t sd_size ;
NTSTATUS status ;
2007-10-18 17:40:25 -07:00
bool ret ;
2005-01-26 20:36:44 +00:00
SE_PRIV se_rights ;
2001-03-23 00:50:31 +00:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT , NULL ,
struct samr_domain_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2002-07-15 10:35:28 +00:00
return status ;
2009-04-19 22:58:09 +02:00
}
2008-02-05 12:54:19 +01:00
2002-07-15 10:35:28 +00:00
/*check if access can be granted as requested by client. */
2008-11-23 23:48:17 +01:00
map_max_allowed_access ( p - > server_info - > ptok , & des_access ) ;
2008-10-21 18:05:48 -07:00
2005-01-31 22:42:30 +00:00
make_samr_object_sd ( p - > mem_ctx , & psd , & sd_size , & grp_generic_mapping , NULL , 0 ) ;
2002-07-15 10:35:28 +00:00
se_map_generic ( & des_access , & grp_generic_mapping ) ;
2005-01-26 20:36:44 +00:00
se_priv_copy ( & se_rights , & se_add_users ) ;
2008-11-23 23:48:17 +01:00
status = access_check_samr_object ( psd , p - > server_info - > ptok ,
2008-02-05 12:54:19 +01:00
& se_rights , GENERIC_RIGHTS_GROUP_WRITE , des_access ,
2008-02-01 00:49:32 +01:00
& acc_granted , " _samr_OpenGroup " ) ;
2008-02-05 12:54:19 +01:00
if ( ! NT_STATUS_IS_OK ( status ) )
2005-01-26 20:36:44 +00:00
return status ;
2001-03-23 00:50:31 +00:00
/* this should not be hard-coded like this */
2008-02-05 12:54:19 +01:00
2009-04-19 22:58:09 +02:00
if ( ! sid_equal ( & dinfo - > sid , get_global_sam_sid ( ) ) )
2001-03-23 00:50:31 +00:00
return NT_STATUS_ACCESS_DENIED ;
2009-04-19 22:58:09 +02:00
sid_compose ( & info_sid , & dinfo - > sid , r - > in . rid ) ;
2001-03-23 00:50:31 +00:00
2009-04-19 22:58:09 +02:00
DEBUG ( 10 , ( " _samr_OpenGroup:Opening SID: %s \n " ,
sid_string_dbg ( & info_sid ) ) ) ;
2001-03-23 00:50:31 +00:00
/* check if that group really exists */
2003-11-07 23:04:06 +00:00
become_root ( ) ;
2009-04-20 18:27:39 +02:00
ret = get_domain_group_from_sid ( info_sid , & map ) ;
2003-11-07 23:04:06 +00:00
unbecome_root ( ) ;
if ( ! ret )
2001-12-02 00:06:10 +00:00
return NT_STATUS_NO_SUCH_GROUP ;
2001-03-23 00:50:31 +00:00
2009-04-20 18:27:39 +02:00
ginfo = policy_handle_create ( p , r - > out . group_handle ,
GENERIC_RIGHTS_GROUP_ALL_ACCESS ,
struct samr_group_info , & status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
ginfo - > sid = info_sid ;
2001-03-23 00:50:31 +00:00
2001-08-27 19:46:22 +00:00
return NT_STATUS_OK ;
2001-02-27 18:22:39 +00:00
}
/*********************************************************************
2008-02-05 11:16:58 +01:00
_samr_RemoveMemberFromForeignDomain
2001-02-27 18:22:39 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 11:16:58 +01:00
NTSTATUS _samr_RemoveMemberFromForeignDomain ( pipes_struct * p ,
struct samr_RemoveMemberFromForeignDomain * r )
2001-02-27 18:22:39 +00:00
{
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2003-12-04 03:35:46 +00:00
NTSTATUS result ;
2007-12-15 21:11:36 +01:00
2008-02-05 11:16:58 +01:00
DEBUG ( 5 , ( " _samr_RemoveMemberFromForeignDomain: removing SID [%s] \n " ,
2009-04-19 22:58:09 +02:00
sid_string_dbg ( r - > in . sid ) ) ) ;
2007-12-15 21:11:36 +01:00
2003-08-20 16:07:19 +00:00
/* Find the policy handle. Open a policy on it. */
2007-12-15 21:11:36 +01:00
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
STD_RIGHT_DELETE_ACCESS , NULL ,
struct samr_domain_info , & result ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
2003-12-04 03:35:46 +00:00
return result ;
2009-04-19 22:58:09 +02:00
}
2008-02-05 12:54:19 +01:00
2008-02-05 11:16:58 +01:00
DEBUG ( 8 , ( " _samr_RemoveMemberFromForeignDomain: sid is %s \n " ,
2009-04-19 22:58:09 +02:00
sid_string_dbg ( & dinfo - > sid ) ) ) ;
2003-08-20 16:07:19 +00:00
2008-02-05 12:54:19 +01:00
/* we can only delete a user from a group since we don't have
2003-12-04 03:35:46 +00:00
nested groups anyways . So in the latter case , just say OK */
2003-08-20 16:07:19 +00:00
2005-04-15 13:41:49 +00:00
/* TODO: The above comment nowadays is bogus. Since we have nested
* groups now , and aliases members are never reported out of the unix
* group membership , the " just say OK " makes this call a no - op . For
* us . This needs fixing however . */
/* I've only ever seen this in the wild when deleting a user from
* usrmgr . exe . domain_sid is the builtin domain , and the sid to delete
* is the user about to be deleted . I very much suspect this is the
* only application of this call . To verify this , let people report
* other cases . */
2009-04-19 22:58:09 +02:00
if ( ! sid_check_is_builtin ( & dinfo - > sid ) ) {
2008-02-05 11:16:58 +01:00
DEBUG ( 1 , ( " _samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
2005-04-15 13:41:49 +00:00
" global_sam_sid() = %s \n " ,
2009-04-19 22:58:09 +02:00
sid_string_dbg ( & dinfo - > sid ) ,
2007-12-15 21:11:36 +01:00
sid_string_dbg ( get_global_sam_sid ( ) ) ) ) ;
2005-04-15 13:41:49 +00:00
DEBUGADD ( 1 , ( " please report to samba-technical@samba.org! \n " ) ) ;
return NT_STATUS_OK ;
2003-08-20 16:07:19 +00:00
}
2003-12-04 03:35:46 +00:00
2009-04-19 22:58:09 +02:00
force_flush_samr_cache ( & dinfo - > sid ) ;
2005-04-15 13:41:49 +00:00
result = NT_STATUS_OK ;
2003-08-20 16:07:19 +00:00
2003-12-04 03:35:46 +00:00
return result ;
2001-02-27 18:22:39 +00:00
}
2001-11-28 00:06:00 +00:00
/*******************************************************************
2008-02-05 15:03:54 +01:00
_samr_QueryDomainInfo2
2001-11-28 00:06:00 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 15:03:54 +01:00
NTSTATUS _samr_QueryDomainInfo2 ( pipes_struct * p ,
struct samr_QueryDomainInfo2 * r )
2001-11-28 00:06:00 +00:00
{
2008-10-23 03:30:58 +02:00
struct samr_QueryDomainInfo q ;
q . in . domain_handle = r - > in . domain_handle ;
q . in . level = r - > in . level ;
q . out . info = r - > out . info ;
return _samr_QueryDomainInfo ( p , & q ) ;
2001-11-28 00:06:00 +00:00
}
/*******************************************************************
2008-02-05 15:08:31 +01:00
_samr_SetDomainInfo
2001-11-28 00:06:00 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-05 15:08:31 +01:00
NTSTATUS _samr_SetDomainInfo ( pipes_struct * p ,
struct samr_SetDomainInfo * r )
2001-11-28 00:06:00 +00:00
{
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2001-12-03 17:14:23 +00:00
time_t u_expire , u_min_age ;
time_t u_logout ;
time_t u_lock_duration , u_reset_time ;
2008-10-20 16:51:37 -07:00
NTSTATUS result ;
2001-12-03 17:14:23 +00:00
2008-02-05 15:08:31 +01:00
DEBUG ( 5 , ( " _samr_SetDomainInfo: %d \n " , __LINE__ ) ) ;
2001-11-28 00:06:00 +00:00
2008-10-20 16:51:37 -07:00
/* We do have different access bits for info
* levels here , but we ' re really just looking for
* GENERIC_RIGHTS_DOMAIN_WRITE access . Unfortunately
* this maps to different specific bits . So
2008-10-23 19:39:14 +02:00
* assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
2008-10-20 16:51:37 -07:00
* set we are ok . */
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_SET_INFO_1 , NULL ,
struct samr_domain_info , & result ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
2008-10-20 16:51:37 -07:00
return result ;
2009-04-19 22:58:09 +02:00
}
2008-10-20 16:51:37 -07:00
2008-02-05 15:08:31 +01:00
DEBUG ( 5 , ( " _samr_SetDomainInfo: level: %d \n " , r - > in . level ) ) ;
2001-11-28 00:06:00 +00:00
2008-02-05 15:08:31 +01:00
switch ( r - > in . level ) {
2001-12-03 17:14:23 +00:00
case 0x01 :
2008-02-05 15:08:31 +01:00
u_expire = nt_time_to_unix_abs ( ( NTTIME * ) & r - > in . info - > info1 . max_password_age ) ;
u_min_age = nt_time_to_unix_abs ( ( NTTIME * ) & r - > in . info - > info1 . min_password_age ) ;
pdb_set_account_policy ( AP_MIN_PASSWORD_LEN , ( uint32 ) r - > in . info - > info1 . min_password_length ) ;
pdb_set_account_policy ( AP_PASSWORD_HISTORY , ( uint32 ) r - > in . info - > info1 . password_history_length ) ;
pdb_set_account_policy ( AP_USER_MUST_LOGON_TO_CHG_PASS , ( uint32 ) r - > in . info - > info1 . password_properties ) ;
2005-09-30 17:13:37 +00:00
pdb_set_account_policy ( AP_MAX_PASSWORD_AGE , ( int ) u_expire ) ;
pdb_set_account_policy ( AP_MIN_PASSWORD_AGE , ( int ) u_min_age ) ;
2001-12-03 17:14:23 +00:00
break ;
case 0x03 :
2008-02-05 15:08:31 +01:00
u_logout = nt_time_to_unix_abs ( ( NTTIME * ) & r - > in . info - > info3 . force_logoff_time ) ;
2005-09-30 17:13:37 +00:00
pdb_set_account_policy ( AP_TIME_TO_LOGOUT , ( int ) u_logout ) ;
2001-12-03 17:14:23 +00:00
break ;
2009-05-08 11:24:35 +02:00
case 0x04 :
2001-12-03 17:14:23 +00:00
break ;
case 0x06 :
break ;
case 0x07 :
break ;
2009-05-08 11:24:35 +02:00
case 0x09 :
break ;
2001-12-03 17:14:23 +00:00
case 0x0c :
2008-02-05 15:08:31 +01:00
u_lock_duration = nt_time_to_unix_abs ( ( NTTIME * ) & r - > in . info - > info12 . lockout_duration ) ;
2005-01-10 15:28:07 +00:00
if ( u_lock_duration ! = - 1 )
u_lock_duration / = 60 ;
2005-01-22 03:37:09 +00:00
2008-02-05 15:08:31 +01:00
u_reset_time = nt_time_to_unix_abs ( ( NTTIME * ) & r - > in . info - > info12 . lockout_window ) / 60 ;
2008-02-05 12:54:19 +01:00
2005-09-30 17:13:37 +00:00
pdb_set_account_policy ( AP_LOCK_ACCOUNT_DURATION , ( int ) u_lock_duration ) ;
pdb_set_account_policy ( AP_RESET_COUNT_TIME , ( int ) u_reset_time ) ;
2008-02-05 15:08:31 +01:00
pdb_set_account_policy ( AP_BAD_ATTEMPT_LOCKOUT , ( uint32 ) r - > in . info - > info12 . lockout_threshold ) ;
2001-12-03 17:14:23 +00:00
break ;
default :
return NT_STATUS_INVALID_INFO_CLASS ;
2001-11-28 00:06:00 +00:00
}
2008-02-05 15:08:31 +01:00
DEBUG ( 5 , ( " _samr_SetDomainInfo: %d \n " , __LINE__ ) ) ;
2001-11-28 00:06:00 +00:00
2008-02-05 15:08:31 +01:00
return NT_STATUS_OK ;
2001-11-28 00:06:00 +00:00
}
2008-01-30 12:53:09 +01:00
2008-05-16 13:24:15 +02:00
/****************************************************************
_samr_GetDisplayEnumerationIndex
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_GetDisplayEnumerationIndex ( pipes_struct * p ,
struct samr_GetDisplayEnumerationIndex * r )
{
2009-04-19 22:58:09 +02:00
struct samr_domain_info * dinfo ;
2008-05-16 13:24:15 +02:00
uint32_t max_entries = ( uint32_t ) - 1 ;
uint32_t enum_context = 0 ;
int i ;
uint32_t num_account = 0 ;
struct samr_displayentry * entries = NULL ;
2008-10-20 16:51:37 -07:00
NTSTATUS status ;
2008-05-16 13:24:15 +02:00
DEBUG ( 5 , ( " _samr_GetDisplayEnumerationIndex: %d \n " , __LINE__ ) ) ;
2009-04-19 22:58:09 +02:00
dinfo = policy_handle_find ( p , r - > in . domain_handle ,
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS , NULL ,
struct samr_domain_info , & status ) ;
2008-10-20 16:51:37 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-05-16 13:24:15 +02:00
if ( ( r - > in . level < 1 ) | | ( r - > in . level > 3 ) ) {
DEBUG ( 0 , ( " _samr_GetDisplayEnumerationIndex: "
" Unknown info level (%u) \n " ,
r - > in . level ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
}
become_root ( ) ;
/* The following done as ROOT. Don't return without unbecome_root(). */
switch ( r - > in . level ) {
case 1 :
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > users = = NULL ) {
dinfo - > disp_info - > users = pdb_search_users (
dinfo - > disp_info , ACB_NORMAL ) ;
if ( dinfo - > disp_info - > users = = NULL ) {
2008-05-16 13:24:15 +02:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" starting user enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
} else {
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" using cached user enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > users ,
2008-05-16 13:24:15 +02:00
enum_context , max_entries ,
& entries ) ;
break ;
case 2 :
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > machines = = NULL ) {
dinfo - > disp_info - > machines = pdb_search_users (
dinfo - > disp_info , ACB_WSTRUST | ACB_SVRTRUST ) ;
if ( dinfo - > disp_info - > machines = = NULL ) {
2008-05-16 13:24:15 +02:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" starting machine enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
} else {
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" using cached machine enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > machines ,
2008-05-16 13:24:15 +02:00
enum_context , max_entries ,
& entries ) ;
break ;
case 3 :
2009-04-19 22:58:09 +02:00
if ( dinfo - > disp_info - > groups = = NULL ) {
dinfo - > disp_info - > groups = pdb_search_groups (
dinfo - > disp_info ) ;
if ( dinfo - > disp_info - > groups = = NULL ) {
2008-05-16 13:24:15 +02:00
unbecome_root ( ) ;
return NT_STATUS_ACCESS_DENIED ;
}
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" starting group enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
} else {
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" using cached group enumeration at index %u \n " ,
( unsigned int ) enum_context ) ) ;
}
2009-04-19 22:58:09 +02:00
num_account = pdb_search_entries ( dinfo - > disp_info - > groups ,
2008-05-16 13:24:15 +02:00
enum_context , max_entries ,
& entries ) ;
break ;
default :
unbecome_root ( ) ;
smb_panic ( " info class changed " ) ;
break ;
}
unbecome_root ( ) ;
/* Ensure we cache this enumeration. */
2009-04-19 22:58:09 +02:00
set_disp_info_cache_timeout ( dinfo - > disp_info , DISP_INFO_CACHE_TIMEOUT ) ;
2008-05-16 13:24:15 +02:00
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: looking for :%s \n " ,
r - > in . name - > string ) ) ;
for ( i = 0 ; i < num_account ; i + + ) {
if ( strequal ( entries [ i ] . account_name , r - > in . name - > string ) ) {
DEBUG ( 10 , ( " _samr_GetDisplayEnumerationIndex: "
" found %s at idx %d \n " ,
r - > in . name - > string , i ) ) ;
* r - > out . idx = i ;
return NT_STATUS_OK ;
}
}
/* assuming account_name lives at the very end */
* r - > out . idx = num_account ;
return NT_STATUS_NO_MORE_ENTRIES ;
}
/****************************************************************
_samr_GetDisplayEnumerationIndex2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_GetDisplayEnumerationIndex2 ( pipes_struct * p ,
struct samr_GetDisplayEnumerationIndex2 * r )
{
struct samr_GetDisplayEnumerationIndex q ;
q . in . domain_handle = r - > in . domain_handle ;
q . in . level = r - > in . level ;
q . in . name = r - > in . name ;
q . out . idx = r - > out . idx ;
return _samr_GetDisplayEnumerationIndex ( p , & q ) ;
}
2008-01-30 12:53:09 +01:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_Shutdown ( pipes_struct * p ,
struct samr_Shutdown * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_SetMemberAttributesOfGroup ( pipes_struct * p ,
struct samr_SetMemberAttributesOfGroup * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_TestPrivateFunctionsDomain ( pipes_struct * p ,
struct samr_TestPrivateFunctionsDomain * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_TestPrivateFunctionsUser ( pipes_struct * p ,
struct samr_TestPrivateFunctionsUser * r )
{
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_AddMultipleMembersToAlias ( pipes_struct * p ,
struct samr_AddMultipleMembersToAlias * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_RemoveMultipleMembersFromAlias ( pipes_struct * p ,
struct samr_RemoveMultipleMembersFromAlias * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_SetBootKeyInformation ( pipes_struct * p ,
struct samr_SetBootKeyInformation * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_GetBootKeyInformation ( pipes_struct * p ,
struct samr_GetBootKeyInformation * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_RidToSid ( pipes_struct * p ,
struct samr_RidToSid * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_SetDsrmPassword ( pipes_struct * p ,
struct samr_SetDsrmPassword * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _samr_ValidatePassword ( pipes_struct * p ,
struct samr_ValidatePassword * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}