2008-10-03 17:52:59 -07:00
/* need access mask/acl implementation */
2004-05-27 04:13:58 +00:00
/*
Unix SMB / CIFS implementation .
endpoint server for the lsarpc pipe
Copyright ( C ) Andrew Tridgell 2004
2008-09-08 10:55:34 +10:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2004 - 2008
2004-05-27 04:13:58 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2004-05-27 04:13:58 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-05-27 04:13:58 +00:00
*/
2007-09-17 05:31:49 +00:00
# include "rpc_server/lsa/lsa.h"
2008-10-11 21:31:42 +02:00
# include "../lib/util/util_ldb.h"
2007-12-06 21:39:49 +01:00
# include "libcli/ldap/ldap_ndr.h"
2008-08-26 12:18:26 +10:00
# include "system/kerberos.h"
# include "auth/kerberos/kerberos.h"
2008-09-08 10:55:34 +10:00
# include "librpc/gen_ndr/ndr_drsblobs.h"
# include "librpc/gen_ndr/ndr_lsa.h"
2008-09-24 15:30:23 +02:00
# include "../lib/crypto/crypto.h"
2004-05-27 04:13:58 +00:00
/*
this type allows us to distinguish handle types
*/
2004-12-19 05:01:52 +00:00
/*
state associated with a lsa_OpenAccount ( ) operation
*/
struct lsa_account_state {
struct lsa_policy_state * policy ;
uint32_t access_mask ;
struct dom_sid * account_sid ;
} ;
2005-01-11 14:04:58 +00:00
/*
state associated with a lsa_OpenSecret ( ) operation
*/
struct lsa_secret_state {
struct lsa_policy_state * policy ;
uint32_t access_mask ;
2006-08-31 08:22:13 +00:00
struct ldb_dn * secret_dn ;
2005-02-27 11:35:47 +00:00
struct ldb_context * sam_ldb ;
2007-10-06 22:25:41 +00:00
bool global ;
2005-01-11 14:04:58 +00:00
} ;
2005-01-12 02:40:25 +00:00
/*
state associated with a lsa_OpenTrustedDomain ( ) operation
*/
struct lsa_trusted_domain_state {
struct lsa_policy_state * policy ;
uint32_t access_mask ;
2006-11-22 00:59:34 +00:00
struct ldb_dn * trusted_domain_dn ;
2008-09-08 10:55:34 +10:00
struct ldb_dn * trusted_domain_user_dn ;
2005-01-12 02:40:25 +00:00
} ;
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumAccountRights ( struct dcesrv_call_state * dce_call ,
2006-07-06 05:23:29 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_EnumAccountRights * r ) ;
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_AddRemoveAccountRights ( struct dcesrv_call_state * dce_call ,
2006-07-06 05:23:29 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_policy_state * state ,
int ldb_flag ,
struct dom_sid * sid ,
const struct lsa_RightSet * rights ) ;
2004-05-27 04:13:58 +00:00
/*
lsa_Close
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_Close ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_Close * r )
{
struct dcesrv_handle * h ;
* r - > out . handle = * r - > in . handle ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , DCESRV_HANDLE_ANY ) ;
2005-01-10 12:15:26 +00:00
talloc_free ( h ) ;
2004-05-27 04:13:58 +00:00
ZERO_STRUCTP ( r - > out . handle ) ;
return NT_STATUS_OK ;
}
/*
lsa_Delete
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_Delete ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_Delete * r )
2008-08-26 10:32:49 +10:00
{
return NT_STATUS_NOT_SUPPORTED ;
}
/*
lsa_DeleteObject
*/
static NTSTATUS dcesrv_lsa_DeleteObject ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
struct lsa_DeleteObject * r )
2004-05-27 04:13:58 +00:00
{
2005-01-12 00:37:13 +00:00
struct dcesrv_handle * h ;
int ret ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , DCESRV_HANDLE_ANY ) ;
2008-03-20 12:12:10 +11:00
2005-01-12 00:37:13 +00:00
if ( h - > wire_handle . handle_type = = LSA_HANDLE_SECRET ) {
struct lsa_secret_state * secret_state = h - > data ;
2008-03-20 12:12:10 +11:00
/* Ensure user is permitted to delete this... */
switch ( security_session_user_level ( dce_call - > conn - > auth_state . session_info ) )
{
case SECURITY_SYSTEM :
case SECURITY_ADMINISTRATOR :
break ;
default :
/* Users and annonymous are not allowed delete things */
return NT_STATUS_ACCESS_DENIED ;
}
2007-11-27 01:25:11 +01:00
ret = ldb_delete ( secret_state - > sam_ldb ,
secret_state - > secret_dn ) ;
2005-01-12 00:37:13 +00:00
talloc_free ( h ) ;
if ( ret ! = 0 ) {
return NT_STATUS_INVALID_HANDLE ;
}
2008-08-26 10:32:49 +10:00
ZERO_STRUCTP ( r - > out . handle ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_OK ;
} else if ( h - > wire_handle . handle_type = = LSA_HANDLE_TRUSTED_DOMAIN ) {
2008-10-03 17:52:59 -07:00
struct lsa_trusted_domain_state * trusted_domain_state =
talloc_get_type ( h - > data , struct lsa_trusted_domain_state ) ;
2008-09-08 10:55:34 +10:00
ret = ldb_transaction_start ( trusted_domain_state - > policy - > sam_ldb ) ;
if ( ret ! = 0 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2007-11-27 01:25:11 +01:00
ret = ldb_delete ( trusted_domain_state - > policy - > sam_ldb ,
trusted_domain_state - > trusted_domain_dn ) ;
2005-01-12 02:40:25 +00:00
if ( ret ! = 0 ) {
2008-09-08 10:55:34 +10:00
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_INVALID_HANDLE ;
}
2008-09-08 10:55:34 +10:00
if ( trusted_domain_state - > trusted_domain_user_dn ) {
ret = ldb_delete ( trusted_domain_state - > policy - > sam_ldb ,
trusted_domain_state - > trusted_domain_user_dn ) ;
if ( ret ! = 0 ) {
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
return NT_STATUS_INVALID_HANDLE ;
}
}
ret = ldb_transaction_commit ( trusted_domain_state - > policy - > sam_ldb ) ;
if ( ret ! = 0 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
talloc_free ( h ) ;
2008-08-26 10:32:49 +10:00
ZERO_STRUCTP ( r - > out . handle ) ;
2005-01-12 00:37:13 +00:00
return NT_STATUS_OK ;
2006-07-06 05:23:29 +00:00
} else if ( h - > wire_handle . handle_type = = LSA_HANDLE_ACCOUNT ) {
struct lsa_RightSet * rights ;
struct lsa_account_state * astate ;
struct lsa_EnumAccountRights r2 ;
NTSTATUS status ;
rights = talloc ( mem_ctx , struct lsa_RightSet ) ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_ACCOUNT ) ;
astate = h - > data ;
r2 . in . handle = & astate - > policy - > handle - > wire_handle ;
r2 . in . sid = astate - > account_sid ;
r2 . out . rights = rights ;
2008-10-03 17:52:59 -07:00
/* dcesrv_lsa_EnumAccountRights takes a LSA_HANDLE_POLICY,
but we have a LSA_HANDLE_ACCOUNT here , so this call
will always fail */
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_EnumAccountRights ( dce_call , mem_ctx , & r2 ) ;
2006-07-06 05:23:29 +00:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
return NT_STATUS_OK ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_AddRemoveAccountRights ( dce_call , mem_ctx , astate - > policy ,
2006-07-06 05:23:29 +00:00
LDB_FLAG_MOD_DELETE , astate - > account_sid ,
r2 . out . rights ) ;
if ( NT_STATUS_EQUAL ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
return NT_STATUS_OK ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-08-26 10:32:49 +10:00
ZERO_STRUCTP ( r - > out . handle ) ;
2005-01-12 00:37:13 +00:00
}
return NT_STATUS_INVALID_HANDLE ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_EnumPrivs
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumPrivs ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_EnumPrivs * r )
{
2004-12-14 05:20:38 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
int i ;
const char * privname ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
i = * r - > in . resume_handle ;
if ( i = = 0 ) i = 1 ;
while ( ( privname = sec_privilege_name ( i ) ) & &
r - > out . privs - > count < r - > in . max_count ) {
struct lsa_PrivEntry * e ;
2005-01-27 07:08:20 +00:00
r - > out . privs - > privs = talloc_realloc ( r - > out . privs ,
2004-12-14 05:20:38 +00:00
r - > out . privs - > privs ,
struct lsa_PrivEntry ,
r - > out . privs - > count + 1 ) ;
if ( r - > out . privs - > privs = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
e = & r - > out . privs - > privs [ r - > out . privs - > count ] ;
2004-12-14 05:32:51 +00:00
e - > luid . low = i ;
e - > luid . high = 0 ;
2004-12-14 05:20:38 +00:00
e - > name . string = privname ;
r - > out . privs - > count + + ;
i + + ;
}
2004-12-30 19:08:32 +00:00
* r - > out . resume_handle = i ;
2004-12-14 05:20:38 +00:00
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_QuerySecObj
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QuerySecurity ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-11-22 08:47:47 +00:00
struct lsa_QuerySecurity * r )
2004-05-27 04:13:58 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_SetSecObj
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetSecObj ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_SetSecObj * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_ChangePassword
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_ChangePassword ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_ChangePassword * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
2006-08-31 13:10:11 +00:00
/*
dssetup_DsRoleGetPrimaryDomainInformation
2006-09-11 05:11:10 +00:00
This is not an LSA call , but is the only call left on the DSSETUP
pipe ( after the pipe was truncated ) , and needs lsa_get_policy_state
2006-08-31 13:10:11 +00:00
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation ( struct dcesrv_call_state * dce_call ,
2006-08-31 13:10:11 +00:00
TALLOC_CTX * mem_ctx ,
struct dssetup_DsRoleGetPrimaryDomainInformation * r )
{
union dssetup_DsRoleInfo * info ;
info = talloc ( mem_ctx , union dssetup_DsRoleInfo ) ;
W_ERROR_HAVE_NO_MEMORY ( info ) ;
switch ( r - > in . level ) {
case DS_ROLE_BASIC_INFORMATION :
{
enum dssetup_DsRole role = DS_ROLE_STANDALONE_SERVER ;
uint32_t flags = 0 ;
const char * domain = NULL ;
const char * dns_domain = NULL ;
const char * forest = NULL ;
struct GUID domain_guid ;
struct lsa_policy_state * state ;
2007-01-17 14:49:36 +00:00
NTSTATUS status = dcesrv_lsa_get_policy_state ( dce_call , mem_ctx , & state ) ;
2006-08-31 13:10:11 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return ntstatus_to_werror ( status ) ;
}
ZERO_STRUCT ( domain_guid ) ;
2007-12-04 20:05:00 +01:00
switch ( lp_server_role ( dce_call - > conn - > dce_ctx - > lp_ctx ) ) {
2006-08-31 13:10:11 +00:00
case ROLE_STANDALONE :
role = DS_ROLE_STANDALONE_SERVER ;
break ;
case ROLE_DOMAIN_MEMBER :
role = DS_ROLE_MEMBER_SERVER ;
break ;
2006-12-13 11:19:51 +00:00
case ROLE_DOMAIN_CONTROLLER :
if ( samdb_is_pdc ( state - > sam_ldb ) ) {
role = DS_ROLE_PRIMARY_DC ;
} else {
role = DS_ROLE_BACKUP_DC ;
}
2006-08-31 13:10:11 +00:00
break ;
}
2007-12-04 20:05:00 +01:00
switch ( lp_server_role ( dce_call - > conn - > dce_ctx - > lp_ctx ) ) {
2006-08-31 13:10:11 +00:00
case ROLE_STANDALONE :
2007-12-04 20:05:00 +01:00
domain = talloc_strdup ( mem_ctx , lp_workgroup ( dce_call - > conn - > dce_ctx - > lp_ctx ) ) ;
2006-08-31 13:10:11 +00:00
W_ERROR_HAVE_NO_MEMORY ( domain ) ;
break ;
case ROLE_DOMAIN_MEMBER :
2007-12-04 20:05:00 +01:00
domain = talloc_strdup ( mem_ctx , lp_workgroup ( dce_call - > conn - > dce_ctx - > lp_ctx ) ) ;
2006-08-31 13:10:11 +00:00
W_ERROR_HAVE_NO_MEMORY ( domain ) ;
/* TODO: what is with dns_domain and forest and guid? */
break ;
2006-12-13 11:19:51 +00:00
case ROLE_DOMAIN_CONTROLLER :
2006-08-31 13:10:11 +00:00
flags = DS_ROLE_PRIMARY_DS_RUNNING ;
if ( state - > mixed_domain = = 1 ) {
flags | = DS_ROLE_PRIMARY_DS_MIXED_MODE ;
}
domain = state - > domain_name ;
dns_domain = state - > domain_dns ;
2007-02-22 13:15:49 +00:00
forest = state - > forest_dns ;
2006-08-31 13:10:11 +00:00
domain_guid = state - > domain_guid ;
flags | = DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT ;
break ;
}
info - > basic . role = role ;
info - > basic . flags = flags ;
info - > basic . domain = domain ;
info - > basic . dns_domain = dns_domain ;
info - > basic . forest = forest ;
info - > basic . domain_guid = domain_guid ;
r - > out . info = info ;
return WERR_OK ;
}
case DS_ROLE_UPGRADE_STATUS :
{
info - > upgrade . upgrading = DS_ROLE_NOT_UPGRADING ;
info - > upgrade . previous_role = DS_ROLE_PREVIOUS_UNKNOWN ;
r - > out . info = info ;
return WERR_OK ;
}
case DS_ROLE_OP_STATUS :
{
info - > opstatus . status = DS_ROLE_OP_IDLE ;
r - > out . info = info ;
return WERR_OK ;
}
default :
return WERR_INVALID_PARAM ;
}
return WERR_INVALID_PARAM ;
}
2004-05-27 04:13:58 +00:00
/*
fill in the AccountDomain info
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_info_AccountDomain ( struct lsa_policy_state * state , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_DomainInfo * info )
{
2005-08-03 05:25:30 +00:00
info - > name . string = state - > domain_name ;
info - > sid = state - > domain_sid ;
2004-05-27 04:13:58 +00:00
return NT_STATUS_OK ;
}
2004-05-27 06:27:21 +00:00
/*
fill in the DNS domain info
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_info_DNS ( struct lsa_policy_state * state , TALLOC_CTX * mem_ctx ,
2004-05-27 06:27:21 +00:00
struct lsa_DnsDomainInfo * info )
{
2005-08-03 05:25:30 +00:00
info - > name . string = state - > domain_name ;
info - > sid = state - > domain_sid ;
2006-08-31 08:22:13 +00:00
info - > dns_domain . string = state - > domain_dns ;
2007-02-22 13:15:49 +00:00
info - > dns_forest . string = state - > forest_dns ;
2006-08-31 08:22:13 +00:00
info - > domain_guid = state - > domain_guid ;
2004-05-27 06:27:21 +00:00
return NT_STATUS_OK ;
}
2004-05-27 04:13:58 +00:00
/*
2004-05-27 06:27:21 +00:00
lsa_QueryInfoPolicy2
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QueryInfoPolicy2 ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 06:27:21 +00:00
struct lsa_QueryInfoPolicy2 * r )
2004-05-27 04:13:58 +00:00
{
struct lsa_policy_state * state ;
struct dcesrv_handle * h ;
2008-10-24 15:05:57 +02:00
union lsa_PolicyInformation * info ;
2004-05-27 04:13:58 +00:00
2008-10-24 15:05:57 +02:00
* r - > out . info = NULL ;
2004-05-27 04:13:58 +00:00
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
2008-10-24 15:05:57 +02:00
info = talloc_zero ( mem_ctx , union lsa_PolicyInformation ) ;
if ( ! info ) {
2004-05-27 04:13:58 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-10-24 15:05:57 +02:00
* r - > out . info = info ;
2004-05-27 04:13:58 +00:00
switch ( r - > in . level ) {
2008-10-03 17:52:59 -07:00
case LSA_POLICY_INFO_AUDIT_LOG :
/* we don't need to fill in any of this */
2008-10-24 15:05:57 +02:00
ZERO_STRUCT ( info - > audit_log ) ;
2008-10-03 17:52:59 -07:00
return NT_STATUS_OK ;
case LSA_POLICY_INFO_AUDIT_EVENTS :
/* we don't need to fill in any of this */
2008-10-24 15:05:57 +02:00
ZERO_STRUCT ( info - > audit_events ) ;
2008-10-03 17:52:59 -07:00
return NT_STATUS_OK ;
case LSA_POLICY_INFO_PD :
/* we don't need to fill in any of this */
2008-10-24 15:05:57 +02:00
ZERO_STRUCT ( info - > pd ) ;
2008-10-03 17:52:59 -07:00
return NT_STATUS_OK ;
2008-10-20 15:50:07 +11:00
2004-05-27 06:27:21 +00:00
case LSA_POLICY_INFO_DOMAIN :
2008-10-24 15:05:57 +02:00
return dcesrv_lsa_info_AccountDomain ( state , mem_ctx , & info - > domain ) ;
2004-05-27 04:13:58 +00:00
case LSA_POLICY_INFO_ACCOUNT_DOMAIN :
2008-10-24 15:05:57 +02:00
return dcesrv_lsa_info_AccountDomain ( state , mem_ctx , & info - > account_domain ) ;
2008-10-20 15:50:07 +11:00
case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN :
2008-10-24 15:05:57 +02:00
return dcesrv_lsa_info_AccountDomain ( state , mem_ctx , & info - > l_account_domain ) ;
2008-10-20 15:50:07 +11:00
2008-10-03 17:52:59 -07:00
case LSA_POLICY_INFO_ROLE :
2008-10-24 15:05:57 +02:00
info - > role . role = LSA_ROLE_PRIMARY ;
2008-10-03 17:52:59 -07:00
return NT_STATUS_OK ;
2004-05-27 06:27:21 +00:00
case LSA_POLICY_INFO_DNS :
2008-10-03 17:52:59 -07:00
case LSA_POLICY_INFO_DNS_INT :
2008-10-24 15:05:57 +02:00
return dcesrv_lsa_info_DNS ( state , mem_ctx , & info - > dns ) ;
2008-10-03 17:52:59 -07:00
case LSA_POLICY_INFO_REPLICA :
2008-10-24 15:05:57 +02:00
ZERO_STRUCT ( info - > replica ) ;
2008-10-03 17:52:59 -07:00
return NT_STATUS_OK ;
case LSA_POLICY_INFO_QUOTA :
2008-10-24 15:05:57 +02:00
ZERO_STRUCT ( info - > quota ) ;
2008-10-03 17:52:59 -07:00
return NT_STATUS_OK ;
2008-10-20 15:50:07 +11:00
case LSA_POLICY_INFO_MOD :
2007-09-17 05:31:49 +00:00
case LSA_POLICY_INFO_AUDIT_FULL_SET :
2008-10-20 16:12:37 +11:00
case LSA_POLICY_INFO_AUDIT_FULL_QUERY :
2008-10-03 17:52:59 -07:00
/* windows gives INVALID_PARAMETER */
2008-10-24 15:05:57 +02:00
* r - > out . info = NULL ;
2007-09-17 05:31:49 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2004-05-27 04:13:58 +00:00
}
2008-10-24 15:05:57 +02:00
* r - > out . info = NULL ;
2004-05-27 04:13:58 +00:00
return NT_STATUS_INVALID_INFO_CLASS ;
}
2004-05-27 06:27:21 +00:00
/*
lsa_QueryInfoPolicy
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QueryInfoPolicy ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 06:27:21 +00:00
struct lsa_QueryInfoPolicy * r )
{
struct lsa_QueryInfoPolicy2 r2 ;
NTSTATUS status ;
2008-10-03 17:52:59 -07:00
ZERO_STRUCT ( r2 ) ;
2004-05-27 06:27:21 +00:00
r2 . in . handle = r - > in . handle ;
r2 . in . level = r - > in . level ;
2008-10-24 15:05:57 +02:00
r2 . out . info = r - > out . info ;
2004-05-27 06:27:21 +00:00
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_QueryInfoPolicy2 ( dce_call , mem_ctx , & r2 ) ;
2004-05-27 06:27:21 +00:00
return status ;
}
2004-05-27 04:13:58 +00:00
/*
lsa_SetInfoPolicy
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetInfoPolicy ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_SetInfoPolicy * r )
{
2008-10-03 17:52:59 -07:00
/* need to support this */
2004-05-27 04:13:58 +00:00
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_ClearAuditLog
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_ClearAuditLog ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_ClearAuditLog * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CreateAccount
2008-03-20 12:12:10 +11:00
This call does not seem to have any long - term effects , hence no database operations
2008-10-03 17:52:59 -07:00
we need to talk to the MS product group to find out what this account database means !
answer is that the lsa database is totally separate from the SAM and
ldap databases . We are going to need a separate ldb to store these
accounts . The SIDs on this account bear no relation to the SIDs in
AD
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CreateAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_CreateAccount * r )
{
2006-07-06 05:23:29 +00:00
struct lsa_account_state * astate ;
struct lsa_policy_state * state ;
struct dcesrv_handle * h , * ah ;
ZERO_STRUCTP ( r - > out . acct_handle ) ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
astate = talloc ( dce_call - > conn , struct lsa_account_state ) ;
if ( astate = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
astate - > account_sid = dom_sid_dup ( astate , r - > in . sid ) ;
if ( astate - > account_sid = = NULL ) {
talloc_free ( astate ) ;
return NT_STATUS_NO_MEMORY ;
}
astate - > policy = talloc_reference ( astate , state ) ;
astate - > access_mask = r - > in . access_mask ;
ah = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_ACCOUNT ) ;
if ( ! ah ) {
talloc_free ( astate ) ;
return NT_STATUS_NO_MEMORY ;
}
ah - > data = talloc_steal ( ah , astate ) ;
* r - > out . acct_handle = ah - > wire_handle ;
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_EnumAccounts
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumAccounts ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-05-27 04:13:58 +00:00
struct lsa_EnumAccounts * r )
{
2004-12-19 05:53:13 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
int ret , i ;
struct ldb_message * * res ;
const char * const attrs [ ] = { " objectSid " , NULL } ;
uint32_t count ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
2006-07-06 05:23:29 +00:00
/* NOTE: This call must only return accounts that have at least
one privilege set
*/
2006-08-25 07:08:06 +00:00
ret = gendb_search ( state - > sam_ldb , mem_ctx , NULL , & res , attrs ,
2006-07-06 05:23:29 +00:00
" (&(objectSid=*)(privilege=*)) " ) ;
if ( ret < 0 ) {
2004-12-19 05:53:13 +00:00
return NT_STATUS_NO_SUCH_USER ;
}
if ( * r - > in . resume_handle > = ret ) {
return NT_STATUS_NO_MORE_ENTRIES ;
}
count = ret - * r - > in . resume_handle ;
if ( count > r - > in . num_entries ) {
count = r - > in . num_entries ;
}
if ( count = = 0 ) {
return NT_STATUS_NO_MORE_ENTRIES ;
}
2005-01-27 07:08:20 +00:00
r - > out . sids - > sids = talloc_array ( r - > out . sids , struct lsa_SidPtr , count ) ;
2004-12-19 05:53:13 +00:00
if ( r - > out . sids - > sids = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < count ; i + + ) {
2005-06-24 00:18:20 +00:00
r - > out . sids - > sids [ i ] . sid =
samdb_result_dom_sid ( r - > out . sids - > sids ,
res [ i + * r - > in . resume_handle ] ,
" objectSid " ) ;
NT_STATUS_HAVE_NO_MEMORY ( r - > out . sids - > sids [ i ] . sid ) ;
2004-12-19 05:53:13 +00:00
}
r - > out . sids - > num_sids = count ;
* r - > out . resume_handle = count + * r - > in . resume_handle ;
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
2005-01-12 02:40:25 +00:00
/*
lsa_CreateTrustedDomainEx2
*/
2008-09-08 10:55:34 +10:00
static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base ( struct dcesrv_call_state * dce_call ,
TALLOC_CTX * mem_ctx ,
struct lsa_CreateTrustedDomainEx2 * r ,
int op )
2005-01-12 02:40:25 +00:00
{
struct dcesrv_handle * policy_handle ;
struct lsa_policy_state * policy_state ;
struct lsa_trusted_domain_state * trusted_domain_state ;
struct dcesrv_handle * handle ;
2008-09-08 10:55:34 +10:00
struct ldb_message * * msgs , * msg , * msg_user ;
2005-01-12 02:40:25 +00:00
const char * attrs [ ] = {
NULL
} ;
2008-09-08 10:55:34 +10:00
const char * netbios_name ;
const char * dns_name ;
2005-01-12 02:40:25 +00:00
const char * name ;
2008-09-08 10:55:34 +10:00
DATA_BLOB session_key = data_blob ( NULL , 0 ) ;
DATA_BLOB trustAuthIncoming , trustAuthOutgoing , auth_blob ;
2008-09-29 21:36:21 -07:00
struct trustDomainPasswords auth_struct ;
2005-01-12 02:40:25 +00:00
int ret ;
2008-09-08 10:55:34 +10:00
NTSTATUS nt_status ;
enum ndr_err_code ndr_err ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . policy_handle , LSA_HANDLE_POLICY ) ;
2005-01-12 02:40:25 +00:00
ZERO_STRUCTP ( r - > out . trustdom_handle ) ;
policy_state = policy_handle - > data ;
2008-09-08 10:55:34 +10:00
nt_status = dcesrv_fetch_session_key ( dce_call - > conn , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
netbios_name = r - > in . info - > netbios_name . string ;
if ( ! netbios_name ) {
2005-01-12 02:40:25 +00:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-09-08 10:55:34 +10:00
dns_name = r - > in . info - > domain_name . string ;
2005-01-12 02:40:25 +00:00
2008-10-03 17:52:59 -07:00
trusted_domain_state = talloc_zero ( mem_ctx , struct lsa_trusted_domain_state ) ;
2005-01-12 02:40:25 +00:00
if ( ! trusted_domain_state ) {
return NT_STATUS_NO_MEMORY ;
}
trusted_domain_state - > policy = policy_state ;
2008-09-08 10:55:34 +10:00
if ( strcasecmp ( netbios_name , " BUILTIN " ) = = 0
| | ( dns_name & & strcasecmp ( dns_name , " BUILTIN " ) = = 0 )
| | ( dom_sid_in_domain ( policy_state - > builtin_sid , r - > in . info - > sid ) ) ) {
return NT_STATUS_INVALID_PARAMETER ; ;
2005-01-12 02:40:25 +00:00
}
2008-09-08 10:55:34 +10:00
if ( strcasecmp ( netbios_name , policy_state - > domain_name ) = = 0
| | strcasecmp ( netbios_name , policy_state - > domain_dns ) = = 0
| | ( dns_name & & strcasecmp ( dns_name , policy_state - > domain_dns ) = = 0 )
| | ( dns_name & & strcasecmp ( dns_name , policy_state - > domain_name ) = = 0 )
| | ( dom_sid_equal ( policy_state - > domain_sid , r - > in . info - > sid ) ) ) {
return NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED ;
}
/* While this is a REF pointer, some of the functions that wrap this don't provide this */
if ( op = = NDR_LSA_CREATETRUSTEDDOMAIN ) {
/* No secrets are created at this time, for this function */
auth_struct . outgoing . count = 0 ;
auth_struct . incoming . count = 0 ;
} else {
auth_blob = data_blob_const ( r - > in . auth_info - > auth_blob . data , r - > in . auth_info - > auth_blob . size ) ;
arcfour_crypt_blob ( auth_blob . data , auth_blob . length , & session_key ) ;
ndr_err = ndr_pull_struct_blob ( & auth_blob , mem_ctx ,
lp_iconv_convenience ( dce_call - > conn - > dce_ctx - > lp_ctx ) ,
& auth_struct ,
2008-09-29 21:36:21 -07:00
( ndr_pull_flags_fn_t ) ndr_pull_trustDomainPasswords ) ;
2008-09-08 10:55:34 +10:00
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2008-10-01 13:12:15 -07:00
if ( op = = NDR_LSA_CREATETRUSTEDDOMAINEX ) {
if ( auth_struct . incoming . count > 1 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
}
2008-09-08 10:55:34 +10:00
}
if ( auth_struct . incoming . count ) {
2008-10-01 13:12:15 -07:00
int i ;
struct trustAuthInOutBlob incoming ;
incoming . count = auth_struct . incoming . count ;
incoming . current = talloc ( mem_ctx , struct AuthenticationInformationArray ) ;
if ( ! incoming . current ) {
return NT_STATUS_NO_MEMORY ;
}
incoming . current - > array = * auth_struct . incoming . current ;
if ( ! incoming . current - > array ) {
return NT_STATUS_NO_MEMORY ;
}
incoming . previous = talloc ( mem_ctx , struct AuthenticationInformationArray ) ;
if ( ! incoming . previous ) {
return NT_STATUS_NO_MEMORY ;
}
incoming . previous - > array = talloc_array ( mem_ctx , struct AuthenticationInformation , incoming . count ) ;
if ( ! incoming . previous - > array ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < incoming . count ; i + + ) {
incoming . previous - > array [ i ] . LastUpdateTime = 0 ;
incoming . previous - > array [ i ] . AuthType = 0 ;
}
2008-09-08 10:55:34 +10:00
ndr_err = ndr_push_struct_blob ( & trustAuthIncoming , mem_ctx ,
lp_iconv_convenience ( dce_call - > conn - > dce_ctx - > lp_ctx ) ,
2008-10-01 13:12:15 -07:00
& incoming ,
( ndr_push_flags_fn_t ) ndr_push_trustAuthInOutBlob ) ;
2008-09-08 10:55:34 +10:00
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
} else {
trustAuthIncoming = data_blob ( NULL , 0 ) ;
2005-01-12 02:40:25 +00:00
}
2008-09-08 10:55:34 +10:00
if ( auth_struct . outgoing . count ) {
2008-10-01 13:12:15 -07:00
int i ;
struct trustAuthInOutBlob outgoing ;
outgoing . count = auth_struct . outgoing . count ;
outgoing . current = talloc ( mem_ctx , struct AuthenticationInformationArray ) ;
if ( ! outgoing . current ) {
return NT_STATUS_NO_MEMORY ;
}
outgoing . current - > array = * auth_struct . outgoing . current ;
if ( ! outgoing . current - > array ) {
return NT_STATUS_NO_MEMORY ;
}
outgoing . previous = talloc ( mem_ctx , struct AuthenticationInformationArray ) ;
if ( ! outgoing . previous ) {
return NT_STATUS_NO_MEMORY ;
}
outgoing . previous - > array = talloc_array ( mem_ctx , struct AuthenticationInformation , outgoing . count ) ;
if ( ! outgoing . previous - > array ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < outgoing . count ; i + + ) {
outgoing . previous - > array [ i ] . LastUpdateTime = 0 ;
outgoing . previous - > array [ i ] . AuthType = 0 ;
}
2008-09-08 10:55:34 +10:00
ndr_err = ndr_push_struct_blob ( & trustAuthOutgoing , mem_ctx ,
lp_iconv_convenience ( dce_call - > conn - > dce_ctx - > lp_ctx ) ,
2008-10-01 13:12:15 -07:00
& outgoing ,
( ndr_push_flags_fn_t ) ndr_push_trustAuthInOutBlob ) ;
2008-09-08 10:55:34 +10:00
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
} else {
trustAuthOutgoing = data_blob ( NULL , 0 ) ;
}
ret = ldb_transaction_start ( policy_state - > sam_ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
2005-01-12 02:40:25 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2008-09-08 10:55:34 +10:00
if ( dns_name ) {
char * dns_encoded = ldb_binary_encode_string ( mem_ctx , netbios_name ) ;
char * netbios_encoded = ldb_binary_encode_string ( mem_ctx , netbios_name ) ;
/* search for the trusted_domain record */
ret = gendb_search ( policy_state - > sam_ldb ,
mem_ctx , policy_state - > system_dn , & msgs , attrs ,
" (&(|(flatname=%s)(cn=%s)(trustPartner=%s)(flatname=%s)(cn=%s)(trustPartner=%s))(objectclass=trustedDomain)) " ,
dns_encoded , dns_encoded , dns_encoded , netbios_encoded , netbios_encoded , netbios_encoded ) ;
if ( ret > 0 ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_OBJECT_NAME_COLLISION ;
}
} else {
char * netbios_encoded = ldb_binary_encode_string ( mem_ctx , netbios_name ) ;
/* search for the trusted_domain record */
ret = gendb_search ( policy_state - > sam_ldb ,
mem_ctx , policy_state - > system_dn , & msgs , attrs ,
" (&(|(flatname=%s)(cn=%s)(trustPartner=%s))(objectclass=trustedDomain)) " ,
netbios_encoded , netbios_encoded , netbios_encoded ) ;
if ( ret > 0 ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_OBJECT_NAME_COLLISION ;
}
}
2005-01-12 02:40:25 +00:00
2008-09-08 10:55:34 +10:00
if ( ret < 0 ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
name = dns_name ? dns_name : netbios_name ;
msg = ldb_msg_new ( mem_ctx ) ;
if ( msg = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2006-11-22 00:59:34 +00:00
msg - > dn = ldb_dn_copy ( mem_ctx , policy_state - > system_dn ) ;
2006-12-27 03:23:25 +00:00
if ( ! ldb_dn_add_child_fmt ( msg - > dn , " cn=%s " , name ) ) {
2008-09-08 10:55:34 +10:00
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-09-08 10:55:34 +10:00
samdb_msg_add_string ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " flatname " , netbios_name ) ;
2005-01-12 02:40:25 +00:00
if ( r - > in . info - > sid ) {
const char * sid_string = dom_sid_string ( mem_ctx , r - > in . info - > sid ) ;
if ( ! sid_string ) {
2008-09-08 10:55:34 +10:00
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_NO_MEMORY ;
}
2005-02-27 11:35:47 +00:00
samdb_msg_add_string ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " securityIdentifier " , sid_string ) ;
2005-01-12 02:40:25 +00:00
}
2005-02-27 11:35:47 +00:00
samdb_msg_add_string ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " objectClass " , " trustedDomain " ) ;
2008-09-01 14:43:00 +10:00
2008-09-08 10:55:34 +10:00
samdb_msg_add_int ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " trustType " , r - > in . info - > trust_type ) ;
2008-09-01 14:43:00 +10:00
2008-09-08 10:55:34 +10:00
samdb_msg_add_int ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " trustAttributes " , r - > in . info - > trust_attributes ) ;
2008-09-01 14:43:00 +10:00
2008-09-08 10:55:34 +10:00
samdb_msg_add_int ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " trustDirection " , r - > in . info - > trust_direction ) ;
2005-01-12 02:40:25 +00:00
2008-09-08 10:55:34 +10:00
if ( dns_name ) {
samdb_msg_add_string ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg , " trustPartner " , dns_name ) ;
}
if ( trustAuthIncoming . data ) {
ret = ldb_msg_add_value ( msg , " trustAuthIncoming " , & trustAuthIncoming , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
}
if ( trustAuthOutgoing . data ) {
ret = ldb_msg_add_value ( msg , " trustAuthOutgoing " , & trustAuthOutgoing , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
}
2005-01-12 02:40:25 +00:00
trusted_domain_state - > trusted_domain_dn = talloc_reference ( trusted_domain_state , msg - > dn ) ;
/* create the trusted_domain */
2006-08-31 08:22:13 +00:00
ret = ldb_add ( trusted_domain_state - > policy - > sam_ldb , msg ) ;
2008-03-13 16:35:11 +11:00
switch ( ret ) {
case LDB_SUCCESS :
break ;
case LDB_ERR_ENTRY_ALREADY_EXISTS :
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
DEBUG ( 0 , ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( trusted_domain_state - > policy - > sam_ldb ) ) ) ;
return NT_STATUS_DOMAIN_EXISTS ;
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS :
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
DEBUG ( 0 , ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( trusted_domain_state - > policy - > sam_ldb ) ) ) ;
return NT_STATUS_ACCESS_DENIED ;
default :
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
DEBUG ( 0 , ( " Failed to create user record %s: %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ,
ldb_errstring ( trusted_domain_state - > policy - > sam_ldb ) ) ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2008-09-08 10:55:34 +10:00
if ( r - > in . info - > trust_direction & LSA_TRUST_DIRECTION_INBOUND ) {
msg_user = ldb_msg_new ( mem_ctx ) ;
if ( msg = = NULL ) {
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
/* Inbound trusts must also create a cn=users object to match */
trusted_domain_state - > trusted_domain_user_dn = msg_user - > dn
= ldb_dn_copy ( trusted_domain_state , policy_state - > domain_dn ) ;
if ( ! ldb_dn_add_child_fmt ( msg_user - > dn , " cn=users " ) ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
if ( ! ldb_dn_add_child_fmt ( msg_user - > dn , " cn=%s " , netbios_name ) ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
ldb_msg_add_string ( msg_user , " objectClass " , " user " ) ;
ldb_msg_add_steal_string ( msg_user , " samAccountName " ,
talloc_asprintf ( mem_ctx , " %s$ " , netbios_name ) ) ;
if ( samdb_msg_add_uint ( trusted_domain_state - > policy - > sam_ldb , mem_ctx , msg_user ,
" userAccountControl " ,
UF_INTERDOMAIN_TRUST_ACCOUNT ) ! = 0 ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
if ( auth_struct . incoming . count ) {
int i ;
for ( i = 0 ; i < auth_struct . incoming . count ; i + + ) {
2008-09-29 22:34:30 -07:00
if ( auth_struct . incoming . current [ i ] - > AuthType = = TRUST_AUTH_TYPE_NT4OWF ) {
2008-09-08 10:55:34 +10:00
samdb_msg_add_hash ( trusted_domain_state - > policy - > sam_ldb ,
mem_ctx , msg_user , " unicodePwd " ,
2008-09-29 22:34:30 -07:00
& auth_struct . incoming . current [ i ] - > AuthInfo . nt4owf . password ) ;
} else if ( auth_struct . incoming . current [ i ] - > AuthType = = TRUST_AUTH_TYPE_CLEAR ) {
2008-10-16 12:48:16 +11:00
DATA_BLOB new_password = data_blob_const ( auth_struct . incoming . current [ i ] - > AuthInfo . clear . password ,
auth_struct . incoming . current [ i ] - > AuthInfo . clear . size ) ;
ret = ldb_msg_add_value ( msg_user , " clearTextPassword " , & new_password , NULL ) ;
if ( ret ! = LDB_SUCCESS ) {
ldb_transaction_cancel ( policy_state - > sam_ldb ) ;
return NT_STATUS_NO_MEMORY ;
}
}
2008-09-08 10:55:34 +10:00
}
}
/* create the cn=users trusted_domain account */
ret = ldb_add ( trusted_domain_state - > policy - > sam_ldb , msg_user ) ;
switch ( ret ) {
case LDB_SUCCESS :
break ;
case LDB_ERR_ENTRY_ALREADY_EXISTS :
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
DEBUG ( 0 , ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg_user - > dn ) ,
ldb_errstring ( trusted_domain_state - > policy - > sam_ldb ) ) ) ;
return NT_STATUS_DOMAIN_EXISTS ;
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS :
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
DEBUG ( 0 , ( " Failed to create trusted domain record %s: %s \n " ,
ldb_dn_get_linearized ( msg_user - > dn ) ,
ldb_errstring ( trusted_domain_state - > policy - > sam_ldb ) ) ) ;
return NT_STATUS_ACCESS_DENIED ;
default :
ldb_transaction_cancel ( trusted_domain_state - > policy - > sam_ldb ) ;
DEBUG ( 0 , ( " Failed to create user record %s: %s \n " ,
ldb_dn_get_linearized ( msg_user - > dn ) ,
ldb_errstring ( trusted_domain_state - > policy - > sam_ldb ) ) ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
}
ret = ldb_transaction_commit ( policy_state - > sam_ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2005-01-12 02:40:25 +00:00
handle = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_TRUSTED_DOMAIN ) ;
if ( ! handle ) {
return NT_STATUS_NO_MEMORY ;
}
handle - > data = talloc_steal ( handle , trusted_domain_state ) ;
trusted_domain_state - > access_mask = r - > in . access_mask ;
trusted_domain_state - > policy = talloc_reference ( trusted_domain_state , policy_state ) ;
* r - > out . trustdom_handle = handle - > wire_handle ;
return NT_STATUS_OK ;
}
2008-09-08 10:55:34 +10:00
/*
lsa_CreateTrustedDomainEx2
*/
static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx2 ( struct dcesrv_call_state * dce_call ,
TALLOC_CTX * mem_ctx ,
struct lsa_CreateTrustedDomainEx2 * r )
{
return dcesrv_lsa_CreateTrustedDomain_base ( dce_call , mem_ctx , r , NDR_LSA_CREATETRUSTEDDOMAINEX2 ) ;
}
/*
lsa_CreateTrustedDomainEx
*/
static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx ( struct dcesrv_call_state * dce_call ,
TALLOC_CTX * mem_ctx ,
struct lsa_CreateTrustedDomainEx * r )
{
struct lsa_CreateTrustedDomainEx2 r2 ;
r2 . in . policy_handle = r - > in . policy_handle ;
r2 . in . info = r - > in . info ;
r2 . in . auth_info = r - > in . auth_info ;
r2 . out . trustdom_handle = r - > out . trustdom_handle ;
return dcesrv_lsa_CreateTrustedDomain_base ( dce_call , mem_ctx , & r2 , NDR_LSA_CREATETRUSTEDDOMAINEX ) ;
}
/*
lsa_CreateTrustedDomain
*/
static NTSTATUS dcesrv_lsa_CreateTrustedDomain ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
struct lsa_CreateTrustedDomain * r )
{
struct lsa_CreateTrustedDomainEx2 r2 ;
r2 . in . policy_handle = r - > in . policy_handle ;
r2 . in . info = talloc ( mem_ctx , struct lsa_TrustDomainInfoInfoEx ) ;
if ( ! r2 . in . info ) {
return NT_STATUS_NO_MEMORY ;
}
r2 . in . info - > domain_name . string = NULL ;
r2 . in . info - > netbios_name = r - > in . info - > name ;
r2 . in . info - > sid = r - > in . info - > sid ;
r2 . in . info - > trust_direction = LSA_TRUST_DIRECTION_OUTBOUND ;
r2 . in . info - > trust_type = LSA_TRUST_TYPE_DOWNLEVEL ;
r2 . in . info - > trust_attributes = 0 ;
r2 . in . access_mask = r - > in . access_mask ;
r2 . out . trustdom_handle = r - > out . trustdom_handle ;
return dcesrv_lsa_CreateTrustedDomain_base ( dce_call , mem_ctx , & r2 , NDR_LSA_CREATETRUSTEDDOMAIN ) ;
}
2005-01-12 02:40:25 +00:00
/*
lsa_OpenTrustedDomain
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_OpenTrustedDomain ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-12 02:40:25 +00:00
struct lsa_OpenTrustedDomain * r )
{
struct dcesrv_handle * policy_handle ;
struct lsa_policy_state * policy_state ;
struct lsa_trusted_domain_state * trusted_domain_state ;
struct dcesrv_handle * handle ;
struct ldb_message * * msgs ;
const char * attrs [ ] = {
2008-09-08 10:55:34 +10:00
" trustDirection " ,
" flatname " ,
2005-01-12 02:40:25 +00:00
NULL
} ;
const char * sid_string ;
int ret ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . handle , LSA_HANDLE_POLICY ) ;
ZERO_STRUCTP ( r - > out . trustdom_handle ) ;
policy_state = policy_handle - > data ;
2008-10-03 17:52:59 -07:00
trusted_domain_state = talloc_zero ( mem_ctx , struct lsa_trusted_domain_state ) ;
2005-01-12 02:40:25 +00:00
if ( ! trusted_domain_state ) {
return NT_STATUS_NO_MEMORY ;
}
trusted_domain_state - > policy = policy_state ;
sid_string = dom_sid_string ( mem_ctx , r - > in . sid ) ;
if ( ! sid_string ) {
return NT_STATUS_NO_MEMORY ;
}
/* search for the trusted_domain record */
2005-03-23 01:30:43 +00:00
ret = gendb_search ( trusted_domain_state - > policy - > sam_ldb ,
2005-01-12 02:40:25 +00:00
mem_ctx , policy_state - > system_dn , & msgs , attrs ,
" (&(securityIdentifier=%s)(objectclass=trustedDomain)) " ,
sid_string ) ;
if ( ret = = 0 ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
if ( ret ! = 1 ) {
2005-08-18 15:02:01 +00:00
DEBUG ( 0 , ( " Found %d records matching DN %s \n " , ret ,
2006-11-22 02:05:19 +00:00
ldb_dn_get_linearized ( policy_state - > system_dn ) ) ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
trusted_domain_state - > trusted_domain_dn = talloc_reference ( trusted_domain_state , msgs [ 0 ] - > dn ) ;
2008-09-08 10:55:34 +10:00
trusted_domain_state - > trusted_domain_user_dn = NULL ;
if ( ldb_msg_find_attr_as_int ( msgs [ 0 ] , " trustDirection " , 0 ) & LSA_TRUST_DIRECTION_INBOUND ) {
const char * flatname = ldb_binary_encode_string ( mem_ctx , ldb_msg_find_attr_as_string ( msgs [ 0 ] , " flatname " , NULL ) ) ;
/* search for the trusted_domain record */
ret = gendb_search ( trusted_domain_state - > policy - > sam_ldb ,
mem_ctx , policy_state - > domain_dn , & msgs , attrs ,
" (&(samaccountname=%s$)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=%d)) " ,
flatname , UF_INTERDOMAIN_TRUST_ACCOUNT ) ;
if ( ret = = 1 ) {
trusted_domain_state - > trusted_domain_user_dn = talloc_steal ( trusted_domain_state , msgs [ 0 ] - > dn ) ;
}
}
2005-01-12 02:40:25 +00:00
handle = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_TRUSTED_DOMAIN ) ;
if ( ! handle ) {
return NT_STATUS_NO_MEMORY ;
}
handle - > data = talloc_steal ( handle , trusted_domain_state ) ;
trusted_domain_state - > access_mask = r - > in . access_mask ;
trusted_domain_state - > policy = talloc_reference ( trusted_domain_state , policy_state ) ;
* r - > out . trustdom_handle = handle - > wire_handle ;
return NT_STATUS_OK ;
}
/*
lsa_OpenTrustedDomainByName
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_OpenTrustedDomainByName ( struct dcesrv_call_state * dce_call ,
2005-01-12 02:40:25 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_OpenTrustedDomainByName * r )
{
struct dcesrv_handle * policy_handle ;
struct lsa_policy_state * policy_state ;
struct lsa_trusted_domain_state * trusted_domain_state ;
struct dcesrv_handle * handle ;
struct ldb_message * * msgs ;
const char * attrs [ ] = {
NULL
} ;
int ret ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . handle , LSA_HANDLE_POLICY ) ;
ZERO_STRUCTP ( r - > out . trustdom_handle ) ;
policy_state = policy_handle - > data ;
if ( ! r - > in . name . string ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2008-10-03 17:52:59 -07:00
trusted_domain_state = talloc_zero ( mem_ctx , struct lsa_trusted_domain_state ) ;
2005-01-12 02:40:25 +00:00
if ( ! trusted_domain_state ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-12 07:57:33 +00:00
trusted_domain_state - > policy = policy_state ;
2005-01-12 02:40:25 +00:00
/* search for the trusted_domain record */
2005-03-23 01:30:43 +00:00
ret = gendb_search ( trusted_domain_state - > policy - > sam_ldb ,
2005-01-12 02:40:25 +00:00
mem_ctx , policy_state - > system_dn , & msgs , attrs ,
2005-01-12 07:57:33 +00:00
" (&(flatname=%s)(objectclass=trustedDomain)) " ,
2005-12-19 07:07:11 +00:00
ldb_binary_encode_string ( mem_ctx , r - > in . name . string ) ) ;
2005-01-12 02:40:25 +00:00
if ( ret = = 0 ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
if ( ret ! = 1 ) {
2005-08-18 15:02:01 +00:00
DEBUG ( 0 , ( " Found %d records matching DN %s \n " , ret ,
2006-11-22 02:05:19 +00:00
ldb_dn_get_linearized ( policy_state - > system_dn ) ) ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
trusted_domain_state - > trusted_domain_dn = talloc_reference ( trusted_domain_state , msgs [ 0 ] - > dn ) ;
handle = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_TRUSTED_DOMAIN ) ;
if ( ! handle ) {
return NT_STATUS_NO_MEMORY ;
}
handle - > data = talloc_steal ( handle , trusted_domain_state ) ;
trusted_domain_state - > access_mask = r - > in . access_mask ;
trusted_domain_state - > policy = talloc_reference ( trusted_domain_state , policy_state ) ;
* r - > out . trustdom_handle = handle - > wire_handle ;
return NT_STATUS_OK ;
}
2006-08-31 08:22:13 +00:00
2005-01-12 02:40:25 +00:00
/*
2006-08-31 08:22:13 +00:00
lsa_SetTrustedDomainInfo
2005-01-12 02:40:25 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetTrustedDomainInfo ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 08:22:13 +00:00
struct lsa_SetTrustedDomainInfo * r )
2005-01-12 02:40:25 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
2006-08-31 08:22:13 +00:00
2005-01-12 02:40:25 +00:00
/*
2006-08-31 08:22:13 +00:00
lsa_SetInfomrationTrustedDomain
2005-01-12 02:40:25 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetInformationTrustedDomain ( struct dcesrv_call_state * dce_call ,
2006-08-31 08:22:13 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_SetInformationTrustedDomain * r )
2005-01-12 02:40:25 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
2006-08-31 08:22:13 +00:00
lsa_DeleteTrustedDomain
2005-01-12 02:40:25 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_DeleteTrustedDomain ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 08:22:13 +00:00
struct lsa_DeleteTrustedDomain * r )
2005-01-12 02:40:25 +00:00
{
2006-08-31 08:22:13 +00:00
NTSTATUS status ;
struct lsa_OpenTrustedDomain open ;
2008-08-26 10:32:49 +10:00
struct lsa_DeleteObject delete ;
2006-08-31 08:22:13 +00:00
struct dcesrv_handle * h ;
open . in . handle = r - > in . handle ;
open . in . sid = r - > in . dom_sid ;
open . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
open . out . trustdom_handle = talloc ( mem_ctx , struct policy_handle ) ;
if ( ! open . out . trustdom_handle ) {
return NT_STATUS_NO_MEMORY ;
}
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_OpenTrustedDomain ( dce_call , mem_ctx , & open ) ;
2006-08-31 08:22:13 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
DCESRV_PULL_HANDLE ( h , open . out . trustdom_handle , DCESRV_HANDLE_ANY ) ;
talloc_steal ( mem_ctx , h ) ;
delete . in . handle = open . out . trustdom_handle ;
2008-08-26 10:32:49 +10:00
delete . out . handle = open . out . trustdom_handle ;
status = dcesrv_lsa_DeleteObject ( dce_call , mem_ctx , & delete ) ;
2006-08-31 08:22:13 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return NT_STATUS_OK ;
2005-01-12 02:40:25 +00:00
}
2006-08-31 08:22:13 +00:00
static NTSTATUS fill_trust_domain_ex ( TALLOC_CTX * mem_ctx ,
struct ldb_message * msg ,
struct lsa_TrustDomainInfoInfoEx * info_ex )
{
info_ex - > domain_name . string
= ldb_msg_find_attr_as_string ( msg , " trustPartner " , NULL ) ;
info_ex - > netbios_name . string
= ldb_msg_find_attr_as_string ( msg , " flatname " , NULL ) ;
info_ex - > sid
= samdb_result_dom_sid ( mem_ctx , msg , " securityIdentifier " ) ;
info_ex - > trust_direction
= ldb_msg_find_attr_as_int ( msg , " trustDirection " , 0 ) ;
info_ex - > trust_type
= ldb_msg_find_attr_as_int ( msg , " trustType " , 0 ) ;
info_ex - > trust_attributes
= ldb_msg_find_attr_as_int ( msg , " trustAttributes " , 0 ) ;
return NT_STATUS_OK ;
}
2005-01-12 02:40:25 +00:00
/*
lsa_QueryTrustedDomainInfo
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-12 11:54:11 +00:00
struct lsa_QueryTrustedDomainInfo * r )
2005-01-12 02:40:25 +00:00
{
2008-10-21 10:33:27 +02:00
union lsa_TrustedDomainInfo * info = NULL ;
2005-01-12 11:54:11 +00:00
struct dcesrv_handle * h ;
struct lsa_trusted_domain_state * trusted_domain_state ;
struct ldb_message * msg ;
int ret ;
struct ldb_message * * res ;
const char * attrs [ ] = {
2006-08-31 08:22:13 +00:00
" flatname " ,
" trustPartner " ,
2005-01-12 11:54:11 +00:00
" securityIdentifier " ,
2006-08-31 08:22:13 +00:00
" trustDirection " ,
" trustType " ,
" trustAttributes " ,
2008-08-26 10:32:49 +10:00
" msDs-supportedEncryptionTypes " ,
2005-01-12 11:54:11 +00:00
NULL
} ;
DCESRV_PULL_HANDLE ( h , r - > in . trustdom_handle , LSA_HANDLE_TRUSTED_DOMAIN ) ;
2008-10-03 17:52:59 -07:00
trusted_domain_state = talloc_get_type ( h - > data , struct lsa_trusted_domain_state ) ;
2005-01-12 11:54:11 +00:00
/* pull all the user attributes */
2005-06-14 19:15:17 +00:00
ret = gendb_search_dn ( trusted_domain_state - > policy - > sam_ldb , mem_ctx ,
trusted_domain_state - > trusted_domain_dn , & res , attrs ) ;
2005-01-12 11:54:11 +00:00
if ( ret ! = 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
msg = res [ 0 ] ;
2008-10-21 10:33:27 +02:00
info = talloc_zero ( mem_ctx , union lsa_TrustedDomainInfo ) ;
if ( ! info ) {
2005-01-12 11:54:11 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-10-21 10:33:27 +02:00
* r - > out . info = info ;
2005-01-12 11:54:11 +00:00
switch ( r - > in . level ) {
case LSA_TRUSTED_DOMAIN_INFO_NAME :
2008-10-21 10:33:27 +02:00
info - > name . netbios_name . string
2005-01-12 11:54:11 +00:00
= samdb_result_string ( msg , " flatname " , NULL ) ;
break ;
case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET :
2008-10-21 10:33:27 +02:00
info - > posix_offset . posix_offset
2005-01-12 11:54:11 +00:00
= samdb_result_uint ( msg , " posixOffset " , 0 ) ;
break ;
2006-08-31 08:22:13 +00:00
#if 0 /* Win2k3 doesn't implement this */
case LSA_TRUSTED_DOMAIN_INFO_BASIC :
r - > out . info - > info_basic . netbios_name . string
= ldb_msg_find_attr_as_string ( msg , " flatname " , NULL ) ;
r - > out . info - > info_basic . sid
= samdb_result_dom_sid ( mem_ctx , msg , " securityIdentifier " ) ;
break ;
# endif
case LSA_TRUSTED_DOMAIN_INFO_INFO_EX :
2008-10-21 10:33:27 +02:00
return fill_trust_domain_ex ( mem_ctx , msg , & info - > info_ex ) ;
2006-08-31 08:22:13 +00:00
case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO :
2008-10-21 10:33:27 +02:00
ZERO_STRUCT ( info - > full_info ) ;
return fill_trust_domain_ex ( mem_ctx , msg , & info - > full_info . info_ex ) ;
2006-08-31 08:22:13 +00:00
2008-08-26 10:32:49 +10:00
case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL :
2008-10-21 10:33:27 +02:00
ZERO_STRUCT ( info - > full_info2_internal ) ;
info - > full_info2_internal . posix_offset . posix_offset
2008-08-26 10:32:49 +10:00
= samdb_result_uint ( msg , " posixOffset " , 0 ) ;
2008-10-21 10:33:27 +02:00
return fill_trust_domain_ex ( mem_ctx , msg , & info - > full_info2_internal . info . info_ex ) ;
2008-08-26 10:32:49 +10:00
case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES :
2008-10-21 10:33:27 +02:00
info - > enc_types . enc_types
2008-08-26 10:32:49 +10:00
= samdb_result_uint ( msg , " msDs-supportedEncryptionTypes " , KERB_ENCTYPE_RC4_HMAC_MD5 ) ;
break ;
2006-08-31 08:22:13 +00:00
2008-08-26 10:32:49 +10:00
case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS :
case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL :
2006-08-31 08:22:13 +00:00
/* oops, we don't want to return the info after all */
2008-10-21 10:33:27 +02:00
talloc_free ( info ) ;
2008-10-28 12:21:44 +01:00
* r - > out . info = NULL ;
2006-08-31 08:22:13 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2005-01-12 11:54:11 +00:00
default :
/* oops, we don't want to return the info after all */
2008-10-21 10:33:27 +02:00
talloc_free ( info ) ;
2008-10-28 12:21:44 +01:00
* r - > out . info = NULL ;
2005-01-12 11:54:11 +00:00
return NT_STATUS_INVALID_INFO_CLASS ;
}
return NT_STATUS_OK ;
2005-01-12 02:40:25 +00:00
}
/*
2006-08-31 08:22:13 +00:00
lsa_QueryTrustedDomainInfoBySid
2005-01-12 02:40:25 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfoBySid ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 08:22:13 +00:00
struct lsa_QueryTrustedDomainInfoBySid * r )
2005-01-12 02:40:25 +00:00
{
2006-08-31 08:22:13 +00:00
NTSTATUS status ;
struct lsa_OpenTrustedDomain open ;
struct lsa_QueryTrustedDomainInfo query ;
struct dcesrv_handle * h ;
open . in . handle = r - > in . handle ;
open . in . sid = r - > in . dom_sid ;
open . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
open . out . trustdom_handle = talloc ( mem_ctx , struct policy_handle ) ;
if ( ! open . out . trustdom_handle ) {
return NT_STATUS_NO_MEMORY ;
}
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_OpenTrustedDomain ( dce_call , mem_ctx , & open ) ;
2006-08-31 08:22:13 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2005-01-12 02:40:25 +00:00
2006-08-31 08:22:13 +00:00
/* Ensure this handle goes away at the end of this call */
DCESRV_PULL_HANDLE ( h , open . out . trustdom_handle , DCESRV_HANDLE_ANY ) ;
talloc_steal ( mem_ctx , h ) ;
2008-10-21 10:33:27 +02:00
2006-08-31 08:22:13 +00:00
query . in . trustdom_handle = open . out . trustdom_handle ;
query . in . level = r - > in . level ;
2008-10-21 02:34:45 +02:00
query . out . info = r - > out . info ;
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_QueryTrustedDomainInfo ( dce_call , mem_ctx , & query ) ;
2006-08-31 08:22:13 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2008-10-21 02:34:45 +02:00
2006-08-31 08:22:13 +00:00
return NT_STATUS_OK ;
2005-01-12 02:40:25 +00:00
}
/*
lsa_SetTrustedDomainInfoByName
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetTrustedDomainInfoByName ( struct dcesrv_call_state * dce_call ,
2005-01-12 02:40:25 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_SetTrustedDomainInfoByName * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
2006-08-31 08:22:13 +00:00
/*
lsa_QueryTrustedDomainInfoByName
2005-01-12 02:40:25 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfoByName ( struct dcesrv_call_state * dce_call ,
2006-08-31 08:22:13 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_QueryTrustedDomainInfoByName * r )
2005-01-12 02:40:25 +00:00
{
2006-08-31 08:22:13 +00:00
NTSTATUS status ;
struct lsa_OpenTrustedDomainByName open ;
struct lsa_QueryTrustedDomainInfo query ;
struct dcesrv_handle * h ;
open . in . handle = r - > in . handle ;
2008-10-21 10:23:14 +02:00
open . in . name = * r - > in . trusted_domain ;
2006-08-31 08:22:13 +00:00
open . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
open . out . trustdom_handle = talloc ( mem_ctx , struct policy_handle ) ;
if ( ! open . out . trustdom_handle ) {
return NT_STATUS_NO_MEMORY ;
}
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_OpenTrustedDomainByName ( dce_call , mem_ctx , & open ) ;
2006-08-31 08:22:13 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
/* Ensure this handle goes away at the end of this call */
DCESRV_PULL_HANDLE ( h , open . out . trustdom_handle , DCESRV_HANDLE_ANY ) ;
talloc_steal ( mem_ctx , h ) ;
query . in . trustdom_handle = open . out . trustdom_handle ;
query . in . level = r - > in . level ;
2008-10-21 10:23:14 +02:00
query . out . info = r - > out . info ;
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_QueryTrustedDomainInfo ( dce_call , mem_ctx , & query ) ;
2006-08-31 08:22:13 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return NT_STATUS_OK ;
2005-01-12 02:40:25 +00:00
}
/*
2006-08-31 08:22:13 +00:00
lsa_CloseTrustedDomainEx
2005-01-12 02:40:25 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CloseTrustedDomainEx ( struct dcesrv_call_state * dce_call ,
2005-01-12 02:40:25 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_CloseTrustedDomainEx * r )
2004-05-27 04:13:58 +00:00
{
2006-08-31 08:22:13 +00:00
/* The result of a bad hair day from an IDL programmer? Not
* implmented in Win2k3 . You should always just lsa_Close
* anyway . */
return NT_STATUS_NOT_IMPLEMENTED ;
2004-05-27 04:13:58 +00:00
}
2005-01-12 07:57:33 +00:00
/*
comparison function for sorting lsa_DomainInformation array
*/
2006-08-31 08:22:13 +00:00
static int compare_DomainInfo ( struct lsa_DomainInfo * e1 , struct lsa_DomainInfo * e2 )
2005-01-12 07:57:33 +00:00
{
2006-09-01 04:37:31 +00:00
return strcasecmp_m ( e1 - > name . string , e2 - > name . string ) ;
2005-01-12 07:57:33 +00:00
}
2004-05-27 04:13:58 +00:00
/*
lsa_EnumTrustDom
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumTrustDom ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-12 07:57:33 +00:00
struct lsa_EnumTrustDom * r )
2004-05-27 04:13:58 +00:00
{
2005-01-12 07:57:33 +00:00
struct dcesrv_handle * policy_handle ;
2006-08-31 08:22:13 +00:00
struct lsa_DomainInfo * entries ;
2005-01-12 07:57:33 +00:00
struct lsa_policy_state * policy_state ;
struct ldb_message * * domains ;
const char * attrs [ ] = {
" flatname " ,
" securityIdentifier " ,
NULL
} ;
int count , i ;
* r - > out . resume_handle = 0 ;
r - > out . domains - > domains = NULL ;
r - > out . domains - > count = 0 ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . handle , LSA_HANDLE_POLICY ) ;
policy_state = policy_handle - > data ;
/* search for all users in this domain. This could possibly be cached and
resumed based on resume_key */
2005-03-23 01:30:43 +00:00
count = gendb_search ( policy_state - > sam_ldb , mem_ctx , policy_state - > system_dn , & domains , attrs ,
2005-01-12 07:57:33 +00:00
" objectclass=trustedDomain " ) ;
if ( count = = - 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2006-08-31 08:22:13 +00:00
/* convert to lsa_TrustInformation format */
entries = talloc_array ( mem_ctx , struct lsa_DomainInfo , count ) ;
2005-01-12 07:57:33 +00:00
if ( ! entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < count ; i + + ) {
entries [ i ] . sid = samdb_result_dom_sid ( mem_ctx , domains [ i ] , " securityIdentifier " ) ;
entries [ i ] . name . string = samdb_result_string ( domains [ i ] , " flatname " , NULL ) ;
}
/* sort the results by name */
2006-08-31 08:22:13 +00:00
qsort ( entries , count , sizeof ( * entries ) ,
( comparison_fn_t ) compare_DomainInfo ) ;
2005-01-12 07:57:33 +00:00
if ( * r - > in . resume_handle > = count ) {
* r - > out . resume_handle = - 1 ;
return NT_STATUS_NO_MORE_ENTRIES ;
}
/* return the rest, limit by max_size. Note that we
use the w2k3 element size value of 60 */
r - > out . domains - > count = count - * r - > in . resume_handle ;
r - > out . domains - > count = MIN ( r - > out . domains - > count ,
1 + ( r - > in . max_size / LSA_ENUM_TRUST_DOMAIN_MULTIPLIER ) ) ;
r - > out . domains - > domains = entries + * r - > in . resume_handle ;
r - > out . domains - > count = r - > out . domains - > count ;
if ( r - > out . domains - > count < count - * r - > in . resume_handle ) {
* r - > out . resume_handle = * r - > in . resume_handle + r - > out . domains - > count ;
return STATUS_MORE_ENTRIES ;
}
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
2006-08-31 08:22:13 +00:00
/*
comparison function for sorting lsa_DomainInformation array
*/
static int compare_TrustDomainInfoInfoEx ( struct lsa_TrustDomainInfoInfoEx * e1 , struct lsa_TrustDomainInfoInfoEx * e2 )
{
2006-09-01 04:37:31 +00:00
return strcasecmp_m ( e1 - > netbios_name . string , e2 - > netbios_name . string ) ;
2006-08-31 08:22:13 +00:00
}
/*
lsa_EnumTrustedDomainsEx
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumTrustedDomainsEx ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 08:22:13 +00:00
struct lsa_EnumTrustedDomainsEx * r )
{
struct dcesrv_handle * policy_handle ;
struct lsa_TrustDomainInfoInfoEx * entries ;
struct lsa_policy_state * policy_state ;
struct ldb_message * * domains ;
const char * attrs [ ] = {
" flatname " ,
" trustPartner " ,
" securityIdentifier " ,
" trustDirection " ,
" trustType " ,
" trustAttributes " ,
NULL
} ;
NTSTATUS nt_status ;
int count , i ;
* r - > out . resume_handle = 0 ;
r - > out . domains - > domains = NULL ;
r - > out . domains - > count = 0 ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . handle , LSA_HANDLE_POLICY ) ;
policy_state = policy_handle - > data ;
/* search for all users in this domain. This could possibly be cached and
resumed based on resume_key */
count = gendb_search ( policy_state - > sam_ldb , mem_ctx , policy_state - > system_dn , & domains , attrs ,
" objectclass=trustedDomain " ) ;
if ( count = = - 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
/* convert to lsa_DomainInformation format */
entries = talloc_array ( mem_ctx , struct lsa_TrustDomainInfoInfoEx , count ) ;
if ( ! entries ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < count ; i + + ) {
nt_status = fill_trust_domain_ex ( mem_ctx , domains [ i ] , & entries [ i ] ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
}
/* sort the results by name */
qsort ( entries , count , sizeof ( * entries ) ,
( comparison_fn_t ) compare_TrustDomainInfoInfoEx ) ;
if ( * r - > in . resume_handle > = count ) {
* r - > out . resume_handle = - 1 ;
return NT_STATUS_NO_MORE_ENTRIES ;
}
/* return the rest, limit by max_size. Note that we
use the w2k3 element size value of 60 */
r - > out . domains - > count = count - * r - > in . resume_handle ;
r - > out . domains - > count = MIN ( r - > out . domains - > count ,
1 + ( r - > in . max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER ) ) ;
r - > out . domains - > domains = entries + * r - > in . resume_handle ;
r - > out . domains - > count = r - > out . domains - > count ;
if ( r - > out . domains - > count < count - * r - > in . resume_handle ) {
* r - > out . resume_handle = * r - > in . resume_handle + r - > out . domains - > count ;
return STATUS_MORE_ENTRIES ;
}
return NT_STATUS_OK ;
}
2004-05-27 04:13:58 +00:00
/*
lsa_OpenAccount
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_OpenAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-19 05:01:52 +00:00
struct lsa_OpenAccount * r )
2004-05-27 04:13:58 +00:00
{
2004-12-19 05:01:52 +00:00
struct dcesrv_handle * h , * ah ;
struct lsa_policy_state * state ;
struct lsa_account_state * astate ;
ZERO_STRUCTP ( r - > out . acct_handle ) ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
2005-01-27 07:08:20 +00:00
astate = talloc ( dce_call - > conn , struct lsa_account_state ) ;
2004-12-19 05:01:52 +00:00
if ( astate = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
astate - > account_sid = dom_sid_dup ( astate , r - > in . sid ) ;
if ( astate - > account_sid = = NULL ) {
talloc_free ( astate ) ;
return NT_STATUS_NO_MEMORY ;
}
astate - > policy = talloc_reference ( astate , state ) ;
astate - > access_mask = r - > in . access_mask ;
2005-01-10 12:15:26 +00:00
ah = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_ACCOUNT ) ;
2004-12-19 05:01:52 +00:00
if ( ! ah ) {
talloc_free ( astate ) ;
return NT_STATUS_NO_MEMORY ;
}
2005-01-10 12:15:26 +00:00
ah - > data = talloc_steal ( ah , astate ) ;
2004-12-19 05:01:52 +00:00
* r - > out . acct_handle = ah - > wire_handle ;
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_EnumPrivsAccount
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumPrivsAccount ( struct dcesrv_call_state * dce_call ,
2004-12-14 22:18:33 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_EnumPrivsAccount * r )
2004-05-27 04:13:58 +00:00
{
2004-12-19 06:41:27 +00:00
struct dcesrv_handle * h ;
struct lsa_account_state * astate ;
int ret , i ;
struct ldb_message * * res ;
const char * const attrs [ ] = { " privilege " , NULL } ;
struct ldb_message_element * el ;
2006-07-06 05:23:29 +00:00
const char * sidstr ;
2008-10-21 02:11:54 +02:00
struct lsa_PrivilegeSet * privs ;
2004-12-19 06:41:27 +00:00
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_ACCOUNT ) ;
astate = h - > data ;
2008-10-21 02:11:54 +02:00
privs = talloc ( mem_ctx , struct lsa_PrivilegeSet ) ;
if ( privs = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
privs - > count = 0 ;
privs - > unknown = 0 ;
privs - > set = NULL ;
* r - > out . privs = privs ;
2004-12-19 06:41:27 +00:00
2006-07-06 05:23:29 +00:00
sidstr = ldap_encode_ndr_dom_sid ( mem_ctx , astate - > account_sid ) ;
if ( sidstr = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2006-08-25 07:08:06 +00:00
ret = gendb_search ( astate - > policy - > sam_ldb , mem_ctx , NULL , & res , attrs ,
2006-07-06 05:23:29 +00:00
" objectSid=%s " , sidstr ) ;
2004-12-19 06:41:27 +00:00
if ( ret ! = 1 ) {
return NT_STATUS_OK ;
}
el = ldb_msg_find_element ( res [ 0 ] , " privilege " ) ;
if ( el = = NULL | | el - > num_values = = 0 ) {
return NT_STATUS_OK ;
}
2008-10-21 02:11:54 +02:00
privs - > set = talloc_array ( privs ,
struct lsa_LUIDAttribute , el - > num_values ) ;
if ( privs - > set = = NULL ) {
2004-12-19 06:41:27 +00:00
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < el - > num_values ; i + + ) {
2005-07-13 15:18:20 +00:00
int id = sec_privilege_id ( ( const char * ) el - > values [ i ] . data ) ;
2004-12-19 06:41:27 +00:00
if ( id = = - 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2008-10-21 02:11:54 +02:00
privs - > set [ i ] . attribute = 0 ;
privs - > set [ i ] . luid . low = id ;
privs - > set [ i ] . luid . high = 0 ;
2004-12-19 06:41:27 +00:00
}
2008-10-21 02:11:54 +02:00
privs - > count = el - > num_values ;
2004-12-19 06:41:27 +00:00
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
2004-12-19 11:34:19 +00:00
/*
lsa_EnumAccountRights
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumAccountRights ( struct dcesrv_call_state * dce_call ,
2004-12-19 11:34:19 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_EnumAccountRights * r )
{
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
int ret , i ;
struct ldb_message * * res ;
const char * const attrs [ ] = { " privilege " , NULL } ;
const char * sidstr ;
struct ldb_message_element * el ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
2005-06-24 00:18:20 +00:00
sidstr = ldap_encode_ndr_dom_sid ( mem_ctx , r - > in . sid ) ;
2004-12-19 11:34:19 +00:00
if ( sidstr = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2006-08-25 07:08:06 +00:00
ret = gendb_search ( state - > sam_ldb , mem_ctx , NULL , & res , attrs ,
2006-07-06 05:23:29 +00:00
" (&(objectSid=%s)(privilege=*)) " , sidstr ) ;
if ( ret = = 0 ) {
2004-12-19 11:34:19 +00:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
2006-07-06 05:23:29 +00:00
if ( ret > 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
if ( ret = = - 1 ) {
DEBUG ( 3 , ( " searching for account rights for SID: %s failed: %s " ,
dom_sid_string ( mem_ctx , r - > in . sid ) ,
ldb_errstring ( state - > sam_ldb ) ) ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2004-12-19 11:34:19 +00:00
el = ldb_msg_find_element ( res [ 0 ] , " privilege " ) ;
if ( el = = NULL | | el - > num_values = = 0 ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
r - > out . rights - > count = el - > num_values ;
2005-01-27 07:08:20 +00:00
r - > out . rights - > names = talloc_array ( r - > out . rights ,
2006-01-09 15:50:08 +00:00
struct lsa_StringLarge , r - > out . rights - > count ) ;
2004-12-19 11:34:19 +00:00
if ( r - > out . rights - > names = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < el - > num_values ; i + + ) {
2005-07-13 15:18:20 +00:00
r - > out . rights - > names [ i ] . string = ( const char * ) el - > values [ i ] . data ;
2004-12-19 11:34:19 +00:00
}
return NT_STATUS_OK ;
}
2004-05-27 04:13:58 +00:00
2004-12-19 07:50:19 +00:00
/*
helper for lsa_AddAccountRights and lsa_RemoveAccountRights
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_AddRemoveAccountRights ( struct dcesrv_call_state * dce_call ,
2004-12-19 07:50:19 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_policy_state * state ,
int ldb_flag ,
2004-12-19 11:34:19 +00:00
struct dom_sid * sid ,
2004-12-19 07:50:19 +00:00
const struct lsa_RightSet * rights )
{
const char * sidstr ;
2005-01-12 02:40:25 +00:00
struct ldb_message * msg ;
2006-07-06 05:23:29 +00:00
struct ldb_message_element * el ;
2004-12-19 07:50:19 +00:00
int i , ret ;
2004-12-19 11:34:19 +00:00
struct lsa_EnumAccountRights r2 ;
2004-12-19 07:50:19 +00:00
2005-06-24 00:18:20 +00:00
sidstr = ldap_encode_ndr_dom_sid ( mem_ctx , sid ) ;
2004-12-19 07:50:19 +00:00
if ( sidstr = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-12 02:40:25 +00:00
msg = ldb_msg_new ( mem_ctx ) ;
if ( msg = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2006-07-06 05:23:29 +00:00
msg - > dn = samdb_search_dn ( state - > sam_ldb , mem_ctx ,
2006-08-25 07:08:06 +00:00
NULL , " objectSid=%s " , sidstr ) ;
2005-01-12 02:40:25 +00:00
if ( msg - > dn = = NULL ) {
2006-07-06 05:23:29 +00:00
NTSTATUS status ;
if ( ldb_flag = = LDB_FLAG_MOD_DELETE ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
status = samdb_create_foreign_security_principal ( state - > sam_ldb , mem_ctx ,
sid , & msg - > dn ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2005-09-01 23:26:50 +00:00
return NT_STATUS_NO_SUCH_USER ;
2004-12-19 07:50:19 +00:00
}
2005-01-12 02:40:25 +00:00
2006-10-25 01:42:59 +00:00
if ( ldb_msg_add_empty ( msg , " privilege " , ldb_flag , NULL ) ) {
2004-12-19 07:50:19 +00:00
return NT_STATUS_NO_MEMORY ;
}
2004-12-19 11:34:19 +00:00
if ( ldb_flag = = LDB_FLAG_MOD_ADD ) {
NTSTATUS status ;
r2 . in . handle = & state - > handle - > wire_handle ;
r2 . in . sid = sid ;
2005-01-27 07:08:20 +00:00
r2 . out . rights = talloc ( mem_ctx , struct lsa_RightSet ) ;
2004-12-19 11:34:19 +00:00
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_EnumAccountRights ( dce_call , mem_ctx , & r2 ) ;
2004-12-19 11:34:19 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
ZERO_STRUCTP ( r2 . out . rights ) ;
}
}
for ( i = 0 ; i < rights - > count ; i + + ) {
2004-12-19 07:50:19 +00:00
if ( sec_privilege_id ( rights - > names [ i ] . string ) = = - 1 ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
2004-12-19 11:34:19 +00:00
if ( ldb_flag = = LDB_FLAG_MOD_ADD ) {
int j ;
for ( j = 0 ; j < r2 . out . rights - > count ; j + + ) {
2005-08-30 11:55:05 +00:00
if ( strcasecmp_m ( r2 . out . rights - > names [ j ] . string ,
2004-12-19 11:34:19 +00:00
rights - > names [ i ] . string ) = = 0 ) {
break ;
}
}
if ( j ! = r2 . out . rights - > count ) continue ;
}
2006-07-06 05:23:29 +00:00
ret = ldb_msg_add_string ( msg , " privilege " , rights - > names [ i ] . string ) ;
if ( ret ! = LDB_SUCCESS ) {
2004-12-19 07:50:19 +00:00
return NT_STATUS_NO_MEMORY ;
}
2004-12-19 11:34:19 +00:00
}
2006-07-06 05:23:29 +00:00
el = ldb_msg_find_element ( msg , " privilege " ) ;
if ( ! el ) {
2004-12-19 11:34:19 +00:00
return NT_STATUS_OK ;
2004-12-19 07:50:19 +00:00
}
2007-11-27 01:25:11 +01:00
ret = ldb_modify ( state - > sam_ldb , msg ) ;
2004-12-19 07:50:19 +00:00
if ( ret ! = 0 ) {
2006-07-06 05:23:29 +00:00
if ( ldb_flag = = LDB_FLAG_MOD_DELETE & & ret = = LDB_ERR_NO_SUCH_ATTRIBUTE ) {
2004-12-19 07:50:19 +00:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
2006-07-06 05:23:29 +00:00
DEBUG ( 3 , ( " Could not %s attributes from %s: %s " ,
ldb_flag = = LDB_FLAG_MOD_DELETE ? " delete " : " add " ,
2006-11-22 02:05:19 +00:00
ldb_dn_get_linearized ( msg - > dn ) , ldb_errstring ( state - > sam_ldb ) ) ) ;
2004-12-19 07:50:19 +00:00
return NT_STATUS_UNEXPECTED_IO_ERROR ;
}
return NT_STATUS_OK ;
}
2004-05-27 04:13:58 +00:00
/*
2004-08-14 01:11:34 +00:00
lsa_AddPrivilegesToAccount
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_AddPrivilegesToAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-19 07:50:19 +00:00
struct lsa_AddPrivilegesToAccount * r )
2004-05-27 04:13:58 +00:00
{
2004-12-19 07:50:19 +00:00
struct lsa_RightSet rights ;
struct dcesrv_handle * h ;
struct lsa_account_state * astate ;
int i ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_ACCOUNT ) ;
astate = h - > data ;
rights . count = r - > in . privs - > count ;
2006-01-09 15:50:08 +00:00
rights . names = talloc_array ( mem_ctx , struct lsa_StringLarge , rights . count ) ;
2004-12-19 07:50:19 +00:00
if ( rights . names = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < rights . count ; i + + ) {
int id = r - > in . privs - > set [ i ] . luid . low ;
if ( r - > in . privs - > set [ i ] . luid . high ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
rights . names [ i ] . string = sec_privilege_name ( id ) ;
if ( rights . names [ i ] . string = = NULL ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
}
2007-01-17 14:49:36 +00:00
return dcesrv_lsa_AddRemoveAccountRights ( dce_call , mem_ctx , astate - > policy ,
2004-12-19 07:50:19 +00:00
LDB_FLAG_MOD_ADD , astate - > account_sid ,
& rights ) ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_RemovePrivilegesFromAccount
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_RemovePrivilegesFromAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-19 07:50:19 +00:00
struct lsa_RemovePrivilegesFromAccount * r )
2004-05-27 04:13:58 +00:00
{
2004-12-19 07:50:19 +00:00
struct lsa_RightSet * rights ;
struct dcesrv_handle * h ;
struct lsa_account_state * astate ;
int i ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_ACCOUNT ) ;
astate = h - > data ;
2005-01-27 07:08:20 +00:00
rights = talloc ( mem_ctx , struct lsa_RightSet ) ;
2004-12-19 07:50:19 +00:00
if ( r - > in . remove_all = = 1 & &
r - > in . privs = = NULL ) {
struct lsa_EnumAccountRights r2 ;
NTSTATUS status ;
r2 . in . handle = & astate - > policy - > handle - > wire_handle ;
r2 . in . sid = astate - > account_sid ;
r2 . out . rights = rights ;
2007-01-17 14:49:36 +00:00
status = dcesrv_lsa_EnumAccountRights ( dce_call , mem_ctx , & r2 ) ;
2004-12-19 07:50:19 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2007-01-17 14:49:36 +00:00
return dcesrv_lsa_AddRemoveAccountRights ( dce_call , mem_ctx , astate - > policy ,
2004-12-19 07:50:19 +00:00
LDB_FLAG_MOD_DELETE , astate - > account_sid ,
r2 . out . rights ) ;
}
if ( r - > in . remove_all ! = 0 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
rights - > count = r - > in . privs - > count ;
2006-01-09 15:50:08 +00:00
rights - > names = talloc_array ( mem_ctx , struct lsa_StringLarge , rights - > count ) ;
2004-12-19 07:50:19 +00:00
if ( rights - > names = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < rights - > count ; i + + ) {
int id = r - > in . privs - > set [ i ] . luid . low ;
if ( r - > in . privs - > set [ i ] . luid . high ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
rights - > names [ i ] . string = sec_privilege_name ( id ) ;
if ( rights - > names [ i ] . string = = NULL ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
}
2007-01-17 14:49:36 +00:00
return dcesrv_lsa_AddRemoveAccountRights ( dce_call , mem_ctx , astate - > policy ,
2004-12-19 07:50:19 +00:00
LDB_FLAG_MOD_DELETE , astate - > account_sid ,
rights ) ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_GetQuotasForAccount
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_GetQuotasForAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-08-14 01:11:34 +00:00
struct lsa_GetQuotasForAccount * r )
2004-05-27 04:13:58 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
2004-08-14 01:11:34 +00:00
lsa_SetQuotasForAccount
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetQuotasForAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-08-14 01:11:34 +00:00
struct lsa_SetQuotasForAccount * r )
2004-05-27 04:13:58 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
2004-08-14 01:11:34 +00:00
lsa_GetSystemAccessAccount
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_GetSystemAccessAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-08-14 01:11:34 +00:00
struct lsa_GetSystemAccessAccount * r )
2004-05-27 04:13:58 +00:00
{
2008-10-20 15:50:07 +11:00
int i ;
NTSTATUS status ;
struct lsa_EnumPrivsAccount enumPrivs ;
2008-10-21 02:11:54 +02:00
struct lsa_PrivilegeSet * privs ;
privs = talloc ( mem_ctx , struct lsa_PrivilegeSet ) ;
if ( ! privs ) {
return NT_STATUS_NO_MEMORY ;
}
privs - > count = 0 ;
privs - > unknown = 0 ;
privs - > set = NULL ;
2008-10-20 15:50:07 +11:00
enumPrivs . in . handle = r - > in . handle ;
2008-10-21 02:11:54 +02:00
enumPrivs . out . privs = & privs ;
2008-10-20 15:50:07 +11:00
status = dcesrv_lsa_EnumPrivsAccount ( dce_call , mem_ctx , & enumPrivs ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
* ( r - > out . access_mask ) = 0x00000000 ;
2008-10-21 02:11:54 +02:00
for ( i = 0 ; i < privs - > count ; i + + ) {
int priv = privs - > set [ i ] . luid . low ;
2008-10-20 15:50:07 +11:00
switch ( priv ) {
case SEC_PRIV_INTERACTIVE_LOGON :
* ( r - > out . access_mask ) | = LSA_POLICY_MODE_INTERACTIVE ;
break ;
case SEC_PRIV_NETWORK_LOGON :
* ( r - > out . access_mask ) | = LSA_POLICY_MODE_NETWORK ;
break ;
case SEC_PRIV_REMOTE_INTERACTIVE_LOGON :
* ( r - > out . access_mask ) | = LSA_POLICY_MODE_REMOTE_INTERACTIVE ;
break ;
}
}
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_SetSystemAccessAccount
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetSystemAccessAccount ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-08-14 01:11:34 +00:00
struct lsa_SetSystemAccessAccount * r )
2004-05-27 04:13:58 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
2005-01-11 14:04:58 +00:00
/*
lsa_CreateSecret
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CreateSecret ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-11 14:04:58 +00:00
struct lsa_CreateSecret * r )
{
struct dcesrv_handle * policy_handle ;
struct lsa_policy_state * policy_state ;
struct lsa_secret_state * secret_state ;
struct dcesrv_handle * handle ;
struct ldb_message * * msgs , * msg ;
2006-08-24 10:41:31 +00:00
const char * errstr ;
2005-01-11 14:04:58 +00:00
const char * attrs [ ] = {
NULL
} ;
const char * name ;
int ret ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . handle , LSA_HANDLE_POLICY ) ;
ZERO_STRUCTP ( r - > out . sec_handle ) ;
2008-03-20 12:12:10 +11:00
switch ( security_session_user_level ( dce_call - > conn - > auth_state . session_info ) )
{
case SECURITY_SYSTEM :
case SECURITY_ADMINISTRATOR :
break ;
default :
/* Users and annonymous are not allowed create secrets */
return NT_STATUS_ACCESS_DENIED ;
}
2005-01-11 14:04:58 +00:00
policy_state = policy_handle - > data ;
if ( ! r - > in . name . string ) {
return NT_STATUS_INVALID_PARAMETER ;
}
secret_state = talloc ( mem_ctx , struct lsa_secret_state ) ;
if ( ! secret_state ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-12 02:40:25 +00:00
secret_state - > policy = policy_state ;
2005-01-11 14:04:58 +00:00
msg = ldb_msg_new ( mem_ctx ) ;
if ( msg = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
if ( strncmp ( " G$ " , r - > in . name . string , 2 ) = = 0 ) {
const char * name2 ;
name = & r - > in . name . string [ 2 ] ;
2008-09-08 12:46:04 +10:00
/* We need to connect to the database as system, as this is one of the rare RPC calls that must read the secrets (and this is denied otherwise) */
secret_state - > sam_ldb = talloc_reference ( secret_state ,
samdb_connect ( mem_ctx , dce_call - > event_ctx , dce_call - > conn - > dce_ctx - > lp_ctx , system_session ( secret_state , dce_call - > conn - > dce_ctx - > lp_ctx ) ) ) ;
2007-10-06 22:25:41 +00:00
secret_state - > global = true ;
2005-01-11 14:04:58 +00:00
if ( strlen ( name ) < 1 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2005-12-19 07:07:11 +00:00
name2 = talloc_asprintf ( mem_ctx , " %s Secret " , ldb_binary_encode_string ( mem_ctx , name ) ) ;
2005-01-11 14:04:58 +00:00
/* search for the secret record */
2005-03-23 01:30:43 +00:00
ret = gendb_search ( secret_state - > sam_ldb ,
2005-01-11 14:04:58 +00:00
mem_ctx , policy_state - > system_dn , & msgs , attrs ,
" (&(cn=%s)(objectclass=secret)) " ,
name2 ) ;
if ( ret > 0 ) {
return NT_STATUS_OBJECT_NAME_COLLISION ;
}
2006-07-06 05:23:29 +00:00
if ( ret = = - 1 ) {
DEBUG ( 0 , ( " Failure searching for CN=%s: %s \n " ,
name2 , ldb_errstring ( secret_state - > sam_ldb ) ) ) ;
2005-01-11 14:04:58 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2006-11-22 00:59:34 +00:00
msg - > dn = ldb_dn_copy ( mem_ctx , policy_state - > system_dn ) ;
if ( ! name2 | | ! ldb_dn_add_child_fmt ( msg - > dn , " cn=%s " , name2 ) ) {
2005-01-11 14:04:58 +00:00
return NT_STATUS_NO_MEMORY ;
}
2005-02-27 11:35:47 +00:00
samdb_msg_add_string ( secret_state - > sam_ldb , mem_ctx , msg , " cn " , name2 ) ;
2005-01-11 14:04:58 +00:00
} else {
2007-10-06 22:25:41 +00:00
secret_state - > global = false ;
2005-01-11 22:16:14 +00:00
2005-01-11 14:04:58 +00:00
name = r - > in . name . string ;
if ( strlen ( name ) < 1 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2007-12-04 20:05:00 +01:00
secret_state - > sam_ldb = talloc_reference ( secret_state ,
2008-06-14 11:24:17 -04:00
secrets_db_connect ( mem_ctx , dce_call - > event_ctx , dce_call - > conn - > dce_ctx - > lp_ctx ) ) ;
2005-01-11 14:04:58 +00:00
/* search for the secret record */
2005-08-18 15:02:01 +00:00
ret = gendb_search ( secret_state - > sam_ldb , mem_ctx ,
2006-11-22 00:59:34 +00:00
ldb_dn_new ( mem_ctx , secret_state - > sam_ldb , " cn=LSA Secrets " ) ,
2005-08-18 15:02:01 +00:00
& msgs , attrs ,
2005-12-19 07:07:11 +00:00
" (&(cn=%s)(objectclass=secret)) " ,
ldb_binary_encode_string ( mem_ctx , name ) ) ;
2005-01-11 14:04:58 +00:00
if ( ret > 0 ) {
return NT_STATUS_OBJECT_NAME_COLLISION ;
}
2006-07-06 05:23:29 +00:00
if ( ret = = - 1 ) {
DEBUG ( 0 , ( " Failure searching for CN=%s: %s \n " ,
name , ldb_errstring ( secret_state - > sam_ldb ) ) ) ;
2005-01-11 14:04:58 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2006-11-22 00:59:34 +00:00
msg - > dn = ldb_dn_new_fmt ( mem_ctx , secret_state - > sam_ldb , " cn=%s,cn=LSA Secrets " , name ) ;
2005-02-27 11:35:47 +00:00
samdb_msg_add_string ( secret_state - > sam_ldb , mem_ctx , msg , " cn " , name ) ;
2005-01-11 14:04:58 +00:00
}
2005-01-12 02:40:25 +00:00
/* pull in all the template attributes. Note this is always from the global samdb */
2006-07-06 05:23:29 +00:00
ret = samdb_copy_template ( secret_state - > policy - > sam_ldb , msg ,
2007-09-03 07:56:29 +00:00
" secret " , & errstr ) ;
2005-01-12 02:40:25 +00:00
if ( ret ! = 0 ) {
2006-08-14 02:50:18 +00:00
DEBUG ( 0 , ( " Failed to load TemplateSecret from samdb: %s \n " ,
errstr ) ) ;
2005-01-12 02:40:25 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2005-02-27 11:35:47 +00:00
samdb_msg_add_string ( secret_state - > sam_ldb , mem_ctx , msg , " objectClass " , " secret " ) ;
2005-01-11 14:04:58 +00:00
secret_state - > secret_dn = talloc_reference ( secret_state , msg - > dn ) ;
/* create the secret */
2007-11-27 01:25:11 +01:00
ret = ldb_add ( secret_state - > sam_ldb , msg ) ;
2005-01-11 14:04:58 +00:00
if ( ret ! = 0 ) {
2006-07-06 05:23:29 +00:00
DEBUG ( 0 , ( " Failed to create secret record %s: %s \n " ,
2006-11-22 02:05:19 +00:00
ldb_dn_get_linearized ( msg - > dn ) ,
2006-07-06 05:23:29 +00:00
ldb_errstring ( secret_state - > sam_ldb ) ) ) ;
2007-09-07 07:31:26 +00:00
return NT_STATUS_ACCESS_DENIED ;
2005-01-11 14:04:58 +00:00
}
handle = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_SECRET ) ;
if ( ! handle ) {
return NT_STATUS_NO_MEMORY ;
}
handle - > data = talloc_steal ( handle , secret_state ) ;
secret_state - > access_mask = r - > in . access_mask ;
secret_state - > policy = talloc_reference ( secret_state , policy_state ) ;
* r - > out . sec_handle = handle - > wire_handle ;
return NT_STATUS_OK ;
}
2004-05-27 04:13:58 +00:00
/*
lsa_OpenSecret
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_OpenSecret ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-11 14:04:58 +00:00
struct lsa_OpenSecret * r )
2004-05-27 04:13:58 +00:00
{
2005-01-11 14:04:58 +00:00
struct dcesrv_handle * policy_handle ;
struct lsa_policy_state * policy_state ;
struct lsa_secret_state * secret_state ;
struct dcesrv_handle * handle ;
struct ldb_message * * msgs ;
const char * attrs [ ] = {
NULL
} ;
const char * name ;
int ret ;
DCESRV_PULL_HANDLE ( policy_handle , r - > in . handle , LSA_HANDLE_POLICY ) ;
ZERO_STRUCTP ( r - > out . sec_handle ) ;
policy_state = policy_handle - > data ;
if ( ! r - > in . name . string ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2008-03-20 12:12:10 +11:00
switch ( security_session_user_level ( dce_call - > conn - > auth_state . session_info ) )
{
case SECURITY_SYSTEM :
case SECURITY_ADMINISTRATOR :
break ;
default :
/* Users and annonymous are not allowed to access secrets */
return NT_STATUS_ACCESS_DENIED ;
}
2005-01-11 14:04:58 +00:00
secret_state = talloc ( mem_ctx , struct lsa_secret_state ) ;
if ( ! secret_state ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-12 02:40:25 +00:00
secret_state - > policy = policy_state ;
2005-01-11 14:04:58 +00:00
if ( strncmp ( " G$ " , r - > in . name . string , 2 ) = = 0 ) {
name = & r - > in . name . string [ 2 ] ;
2008-09-08 12:46:04 +10:00
/* We need to connect to the database as system, as this is one of the rare RPC calls that must read the secrets (and this is denied otherwise) */
secret_state - > sam_ldb = talloc_reference ( secret_state ,
samdb_connect ( mem_ctx , dce_call - > event_ctx , dce_call - > conn - > dce_ctx - > lp_ctx , system_session ( secret_state , dce_call - > conn - > dce_ctx - > lp_ctx ) ) ) ;
2007-10-06 22:25:41 +00:00
secret_state - > global = true ;
2005-01-11 14:04:58 +00:00
if ( strlen ( name ) < 1 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
/* search for the secret record */
2005-03-23 01:30:43 +00:00
ret = gendb_search ( secret_state - > sam_ldb ,
2005-01-11 14:04:58 +00:00
mem_ctx , policy_state - > system_dn , & msgs , attrs ,
" (&(cn=%s Secret)(objectclass=secret)) " ,
2005-12-19 07:07:11 +00:00
ldb_binary_encode_string ( mem_ctx , name ) ) ;
2005-01-11 14:04:58 +00:00
if ( ret = = 0 ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
if ( ret ! = 1 ) {
2005-08-18 15:02:01 +00:00
DEBUG ( 0 , ( " Found %d records matching DN %s \n " , ret ,
2006-11-22 02:05:19 +00:00
ldb_dn_get_linearized ( policy_state - > system_dn ) ) ) ;
2005-01-11 14:04:58 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
} else {
2008-03-20 12:12:10 +11:00
secret_state - > global = false ;
2007-11-29 16:01:16 +01:00
secret_state - > sam_ldb = talloc_reference ( secret_state ,
2008-06-14 11:24:17 -04:00
secrets_db_connect ( mem_ctx , dce_call - > event_ctx , dce_call - > conn - > dce_ctx - > lp_ctx ) ) ;
2005-01-11 22:16:14 +00:00
2005-01-11 14:04:58 +00:00
name = r - > in . name . string ;
if ( strlen ( name ) < 1 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
/* search for the secret record */
2005-08-18 15:02:01 +00:00
ret = gendb_search ( secret_state - > sam_ldb , mem_ctx ,
2006-11-22 00:59:34 +00:00
ldb_dn_new ( mem_ctx , secret_state - > sam_ldb , " cn=LSA Secrets " ) ,
2005-08-18 15:02:01 +00:00
& msgs , attrs ,
2005-12-19 07:07:11 +00:00
" (&(cn=%s)(objectclass=secret)) " ,
ldb_binary_encode_string ( mem_ctx , name ) ) ;
2005-01-11 14:04:58 +00:00
if ( ret = = 0 ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
if ( ret ! = 1 ) {
2007-09-07 07:31:26 +00:00
DEBUG ( 0 , ( " Found %d records matching CN=%s \n " ,
ret , ldb_binary_encode_string ( mem_ctx , name ) ) ) ;
2005-01-11 14:04:58 +00:00
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
}
secret_state - > secret_dn = talloc_reference ( secret_state , msgs [ 0 ] - > dn ) ;
handle = dcesrv_handle_new ( dce_call - > context , LSA_HANDLE_SECRET ) ;
if ( ! handle ) {
return NT_STATUS_NO_MEMORY ;
}
handle - > data = talloc_steal ( handle , secret_state ) ;
secret_state - > access_mask = r - > in . access_mask ;
secret_state - > policy = talloc_reference ( secret_state , policy_state ) ;
* r - > out . sec_handle = handle - > wire_handle ;
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_SetSecret
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetSecret ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-11 14:04:58 +00:00
struct lsa_SetSecret * r )
2004-05-27 04:13:58 +00:00
{
2005-01-11 14:04:58 +00:00
struct dcesrv_handle * h ;
struct lsa_secret_state * secret_state ;
struct ldb_message * msg ;
DATA_BLOB session_key ;
DATA_BLOB crypt_secret , secret ;
struct ldb_val val ;
int ret ;
NTSTATUS status = NT_STATUS_OK ;
struct timeval now = timeval_current ( ) ;
NTTIME nt_now = timeval_to_nttime ( & now ) ;
DCESRV_PULL_HANDLE ( h , r - > in . sec_handle , LSA_HANDLE_SECRET ) ;
secret_state = h - > data ;
msg = ldb_msg_new ( mem_ctx ) ;
if ( msg = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
msg - > dn = talloc_reference ( mem_ctx , secret_state - > secret_dn ) ;
if ( ! msg - > dn ) {
return NT_STATUS_NO_MEMORY ;
}
status = dcesrv_fetch_session_key ( dce_call - > conn , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
if ( r - > in . old_val ) {
/* Decrypt */
crypt_secret . data = r - > in . old_val - > data ;
crypt_secret . length = r - > in . old_val - > size ;
status = sess_decrypt_blob ( mem_ctx , & crypt_secret , & session_key , & secret ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
val . data = secret . data ;
val . length = secret . length ;
/* set value */
2005-02-27 11:35:47 +00:00
if ( samdb_msg_add_value ( secret_state - > sam_ldb ,
2006-09-11 06:29:58 +00:00
mem_ctx , msg , " priorValue " , & val ) ! = 0 ) {
2005-01-11 14:04:58 +00:00
return NT_STATUS_NO_MEMORY ;
}
/* set old value mtime */
2005-02-27 11:35:47 +00:00
if ( samdb_msg_add_uint64 ( secret_state - > sam_ldb ,
2005-01-11 14:04:58 +00:00
mem_ctx , msg , " priorSetTime " , nt_now ) ! = 0 ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-11 22:16:14 +00:00
2008-09-08 12:46:04 +10:00
} else {
/* If the old value is not set, then migrate the
* current value to the old value */
const struct ldb_val * old_val ;
NTTIME last_set_time ;
struct ldb_message * * res ;
const char * attrs [ ] = {
" currentValue " ,
" lastSetTime " ,
NULL
} ;
/* search for the secret record */
ret = gendb_search_dn ( secret_state - > sam_ldb , mem_ctx ,
secret_state - > secret_dn , & res , attrs ) ;
if ( ret = = 0 ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
if ( ret ! = 1 ) {
DEBUG ( 0 , ( " Found %d records matching dn=%s \n " , ret ,
ldb_dn_get_linearized ( secret_state - > secret_dn ) ) ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
old_val = ldb_msg_find_ldb_val ( res [ 0 ] , " currentValue " ) ;
last_set_time = ldb_msg_find_attr_as_uint64 ( res [ 0 ] , " lastSetTime " , 0 ) ;
if ( old_val ) {
/* set old value */
if ( samdb_msg_add_value ( secret_state - > sam_ldb ,
mem_ctx , msg , " priorValue " ,
old_val ) ! = 0 ) {
2008-08-26 10:33:41 +10:00
return NT_STATUS_NO_MEMORY ;
}
2008-09-08 12:46:04 +10:00
} else {
2008-08-26 10:33:41 +10:00
if ( samdb_msg_add_delete ( secret_state - > sam_ldb ,
2008-09-08 12:46:04 +10:00
mem_ctx , msg , " priorValue " ) ) {
2008-08-26 10:33:41 +10:00
return NT_STATUS_NO_MEMORY ;
2005-01-11 22:16:14 +00:00
}
2008-09-08 12:46:04 +10:00
}
/* set old value mtime */
if ( ldb_msg_find_ldb_val ( res [ 0 ] , " lastSetTime " ) ) {
if ( samdb_msg_add_uint64 ( secret_state - > sam_ldb ,
mem_ctx , msg , " priorSetTime " , last_set_time ) ! = 0 ) {
return NT_STATUS_NO_MEMORY ;
}
} else {
if ( samdb_msg_add_uint64 ( secret_state - > sam_ldb ,
mem_ctx , msg , " priorSetTime " , nt_now ) ! = 0 ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-11 22:16:14 +00:00
}
2005-01-11 14:04:58 +00:00
}
if ( r - > in . new_val ) {
/* Decrypt */
crypt_secret . data = r - > in . new_val - > data ;
crypt_secret . length = r - > in . new_val - > size ;
status = sess_decrypt_blob ( mem_ctx , & crypt_secret , & session_key , & secret ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
val . data = secret . data ;
val . length = secret . length ;
/* set value */
2005-02-27 11:35:47 +00:00
if ( samdb_msg_add_value ( secret_state - > sam_ldb ,
2006-09-11 06:29:58 +00:00
mem_ctx , msg , " currentValue " , & val ) ! = 0 ) {
2005-01-11 14:04:58 +00:00
return NT_STATUS_NO_MEMORY ;
}
/* set new value mtime */
2005-02-27 11:35:47 +00:00
if ( samdb_msg_add_uint64 ( secret_state - > sam_ldb ,
2005-01-11 14:04:58 +00:00
mem_ctx , msg , " lastSetTime " , nt_now ) ! = 0 ) {
return NT_STATUS_NO_MEMORY ;
}
2008-09-08 12:46:04 +10:00
} else {
/* NULL out the NEW value */
if ( samdb_msg_add_uint64 ( secret_state - > sam_ldb ,
mem_ctx , msg , " lastSetTime " , nt_now ) ! = 0 ) {
return NT_STATUS_NO_MEMORY ;
}
if ( samdb_msg_add_delete ( secret_state - > sam_ldb ,
mem_ctx , msg , " currentValue " ) ) {
return NT_STATUS_NO_MEMORY ;
2005-01-11 14:04:58 +00:00
}
}
/* modify the samdb record */
2005-02-27 11:35:47 +00:00
ret = samdb_replace ( secret_state - > sam_ldb , mem_ctx , msg ) ;
2005-01-11 14:04:58 +00:00
if ( ret ! = 0 ) {
/* we really need samdb.c to return NTSTATUS */
return NT_STATUS_UNSUCCESSFUL ;
}
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_QuerySecret
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QuerySecret ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-01-11 14:04:58 +00:00
struct lsa_QuerySecret * r )
2004-05-27 04:13:58 +00:00
{
2005-01-11 14:04:58 +00:00
struct dcesrv_handle * h ;
struct lsa_secret_state * secret_state ;
struct ldb_message * msg ;
DATA_BLOB session_key ;
DATA_BLOB crypt_secret , secret ;
int ret ;
struct ldb_message * * res ;
const char * attrs [ ] = {
2006-09-11 06:29:58 +00:00
" currentValue " ,
" priorValue " ,
2005-01-11 14:04:58 +00:00
" lastSetTime " ,
" priorSetTime " ,
NULL
} ;
NTSTATUS nt_status ;
DCESRV_PULL_HANDLE ( h , r - > in . sec_handle , LSA_HANDLE_SECRET ) ;
2008-03-20 12:12:10 +11:00
/* Ensure user is permitted to read this... */
switch ( security_session_user_level ( dce_call - > conn - > auth_state . session_info ) )
{
case SECURITY_SYSTEM :
case SECURITY_ADMINISTRATOR :
break ;
default :
/* Users and annonymous are not allowed to read secrets */
return NT_STATUS_ACCESS_DENIED ;
}
2005-01-11 14:04:58 +00:00
secret_state = h - > data ;
/* pull all the user attributes */
2005-06-14 19:15:17 +00:00
ret = gendb_search_dn ( secret_state - > sam_ldb , mem_ctx ,
secret_state - > secret_dn , & res , attrs ) ;
2005-01-11 14:04:58 +00:00
if ( ret ! = 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
msg = res [ 0 ] ;
nt_status = dcesrv_fetch_session_key ( dce_call - > conn , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
if ( r - > in . old_val ) {
const struct ldb_val * prior_val ;
2005-01-11 22:16:14 +00:00
r - > out . old_val = talloc_zero ( mem_ctx , struct lsa_DATA_BUF_PTR ) ;
if ( ! r - > out . old_val ) {
return NT_STATUS_NO_MEMORY ;
}
2006-09-11 06:29:58 +00:00
prior_val = ldb_msg_find_ldb_val ( res [ 0 ] , " priorValue " ) ;
2005-01-11 14:04:58 +00:00
if ( prior_val & & prior_val - > length ) {
secret . data = prior_val - > data ;
secret . length = prior_val - > length ;
2006-11-13 03:20:24 +00:00
/* Encrypt */
2005-01-11 14:04:58 +00:00
crypt_secret = sess_encrypt_blob ( mem_ctx , & secret , & session_key ) ;
if ( ! crypt_secret . length ) {
return NT_STATUS_NO_MEMORY ;
}
r - > out . old_val - > buf = talloc ( mem_ctx , struct lsa_DATA_BUF ) ;
2005-01-11 22:16:14 +00:00
if ( ! r - > out . old_val - > buf ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-11 14:04:58 +00:00
r - > out . old_val - > buf - > size = crypt_secret . length ;
r - > out . old_val - > buf - > length = crypt_secret . length ;
r - > out . old_val - > buf - > data = crypt_secret . data ;
}
}
if ( r - > in . old_mtime ) {
2005-01-27 06:16:59 +00:00
r - > out . old_mtime = talloc ( mem_ctx , NTTIME ) ;
2005-01-11 14:04:58 +00:00
if ( ! r - > out . old_mtime ) {
return NT_STATUS_NO_MEMORY ;
}
2006-08-13 08:00:36 +00:00
* r - > out . old_mtime = ldb_msg_find_attr_as_uint64 ( res [ 0 ] , " priorSetTime " , 0 ) ;
2005-01-11 14:04:58 +00:00
}
if ( r - > in . new_val ) {
const struct ldb_val * new_val ;
2005-01-11 22:16:14 +00:00
r - > out . new_val = talloc_zero ( mem_ctx , struct lsa_DATA_BUF_PTR ) ;
if ( ! r - > out . new_val ) {
return NT_STATUS_NO_MEMORY ;
}
2006-09-11 06:29:58 +00:00
new_val = ldb_msg_find_ldb_val ( res [ 0 ] , " currentValue " ) ;
2005-01-11 14:04:58 +00:00
if ( new_val & & new_val - > length ) {
secret . data = new_val - > data ;
secret . length = new_val - > length ;
2006-11-13 03:20:24 +00:00
/* Encrypt */
2005-01-11 14:04:58 +00:00
crypt_secret = sess_encrypt_blob ( mem_ctx , & secret , & session_key ) ;
if ( ! crypt_secret . length ) {
return NT_STATUS_NO_MEMORY ;
}
r - > out . new_val - > buf = talloc ( mem_ctx , struct lsa_DATA_BUF ) ;
2005-01-11 22:16:14 +00:00
if ( ! r - > out . new_val - > buf ) {
return NT_STATUS_NO_MEMORY ;
}
2005-01-11 14:04:58 +00:00
r - > out . new_val - > buf - > length = crypt_secret . length ;
r - > out . new_val - > buf - > size = crypt_secret . length ;
r - > out . new_val - > buf - > data = crypt_secret . data ;
}
}
if ( r - > in . new_mtime ) {
2005-01-27 06:16:59 +00:00
r - > out . new_mtime = talloc ( mem_ctx , NTTIME ) ;
2005-01-11 14:04:58 +00:00
if ( ! r - > out . new_mtime ) {
return NT_STATUS_NO_MEMORY ;
}
2006-08-13 08:00:36 +00:00
* r - > out . new_mtime = ldb_msg_find_attr_as_uint64 ( res [ 0 ] , " lastSetTime " , 0 ) ;
2005-01-11 14:04:58 +00:00
}
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_LookupPrivValue
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LookupPrivValue ( struct dcesrv_call_state * dce_call ,
2004-12-14 05:32:51 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_LookupPrivValue * r )
2004-05-27 04:13:58 +00:00
{
2004-12-14 05:32:51 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
int id ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
id = sec_privilege_id ( r - > in . name - > string ) ;
if ( id = = - 1 ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
r - > out . luid - > low = id ;
r - > out . luid - > high = 0 ;
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
lsa_LookupPrivName
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LookupPrivName ( struct dcesrv_call_state * dce_call ,
2004-12-14 05:32:51 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_LookupPrivName * r )
2004-05-27 04:13:58 +00:00
{
2004-12-14 05:51:01 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
2008-10-21 02:24:07 +02:00
struct lsa_StringLarge * name ;
2004-12-14 05:51:01 +00:00
const char * privname ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
if ( r - > in . luid - > high ! = 0 ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
privname = sec_privilege_name ( r - > in . luid - > low ) ;
if ( privname = = NULL ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
2008-10-21 02:24:07 +02:00
name = talloc ( mem_ctx , struct lsa_StringLarge ) ;
if ( name = = NULL ) {
2004-12-14 05:51:01 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-10-21 02:24:07 +02:00
name - > string = privname ;
* r - > out . name = name ;
2004-12-14 05:51:01 +00:00
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_LookupPrivDisplayName
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LookupPrivDisplayName ( struct dcesrv_call_state * dce_call ,
2004-12-14 05:51:01 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_LookupPrivDisplayName * r )
2004-05-27 04:13:58 +00:00
{
2004-12-14 05:51:01 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
2008-10-21 01:53:32 +02:00
struct lsa_StringLarge * disp_name = NULL ;
2004-12-14 05:51:01 +00:00
int id ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
id = sec_privilege_id ( r - > in . name - > string ) ;
if ( id = = - 1 ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
2008-10-21 01:53:32 +02:00
disp_name = talloc ( mem_ctx , struct lsa_StringLarge ) ;
if ( disp_name = = NULL ) {
2004-12-14 05:51:01 +00:00
return NT_STATUS_NO_MEMORY ;
}
2008-10-21 01:53:32 +02:00
disp_name - > string = sec_privilege_display_name ( id , & r - > in . language_id ) ;
if ( disp_name - > string = = NULL ) {
2004-12-14 05:51:01 +00:00
return NT_STATUS_INTERNAL_ERROR ;
}
2008-10-21 01:53:32 +02:00
* r - > out . disp_name = disp_name ;
* r - > out . returned_language_id = 0 ;
2004-12-14 05:51:01 +00:00
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_EnumAccountsWithUserRight
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_EnumAccountsWithUserRight ( struct dcesrv_call_state * dce_call ,
2004-12-14 05:07:29 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_EnumAccountsWithUserRight * r )
2004-05-27 04:13:58 +00:00
{
2004-12-14 05:07:29 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
int ret , i ;
struct ldb_message * * res ;
const char * const attrs [ ] = { " objectSid " , NULL } ;
const char * privname ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
if ( r - > in . name = = NULL ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
privname = r - > in . name - > string ;
if ( sec_privilege_id ( privname ) = = - 1 ) {
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
2006-08-25 07:08:06 +00:00
ret = gendb_search ( state - > sam_ldb , mem_ctx , NULL , & res , attrs ,
2004-12-14 05:07:29 +00:00
" privilege=%s " , privname ) ;
2006-07-06 05:23:29 +00:00
if ( ret = = - 1 ) {
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
if ( ret = = 0 ) {
return NT_STATUS_NO_MORE_ENTRIES ;
2004-12-14 05:07:29 +00:00
}
2005-01-27 07:08:20 +00:00
r - > out . sids - > sids = talloc_array ( r - > out . sids , struct lsa_SidPtr , ret ) ;
2004-12-14 05:07:29 +00:00
if ( r - > out . sids - > sids = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < ret ; i + + ) {
2005-06-24 00:18:20 +00:00
r - > out . sids - > sids [ i ] . sid = samdb_result_dom_sid ( r - > out . sids - > sids ,
res [ i ] , " objectSid " ) ;
NT_STATUS_HAVE_NO_MEMORY ( r - > out . sids - > sids [ i ] . sid ) ;
2004-12-14 05:07:29 +00:00
}
r - > out . sids - > num_sids = ret ;
return NT_STATUS_OK ;
2004-05-27 04:13:58 +00:00
}
2004-12-14 06:17:33 +00:00
/*
lsa_AddAccountRights
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_AddAccountRights ( struct dcesrv_call_state * dce_call ,
2004-12-14 06:17:33 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_AddAccountRights * r )
{
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
2007-01-17 14:49:36 +00:00
return dcesrv_lsa_AddRemoveAccountRights ( dce_call , mem_ctx , state ,
2004-12-14 06:17:33 +00:00
LDB_FLAG_MOD_ADD ,
r - > in . sid , r - > in . rights ) ;
}
2004-05-27 04:13:58 +00:00
/*
2004-08-14 01:11:34 +00:00
lsa_RemoveAccountRights
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_RemoveAccountRights ( struct dcesrv_call_state * dce_call ,
2004-12-14 06:10:45 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_RemoveAccountRights * r )
2004-05-27 04:13:58 +00:00
{
2004-12-14 06:17:33 +00:00
struct dcesrv_handle * h ;
struct lsa_policy_state * state ;
DCESRV_PULL_HANDLE ( h , r - > in . handle , LSA_HANDLE_POLICY ) ;
state = h - > data ;
2007-01-17 14:49:36 +00:00
return dcesrv_lsa_AddRemoveAccountRights ( dce_call , mem_ctx , state ,
2004-12-14 06:17:33 +00:00
LDB_FLAG_MOD_DELETE ,
r - > in . sid , r - > in . rights ) ;
2004-05-27 04:13:58 +00:00
}
/*
2004-08-14 01:11:34 +00:00
lsa_StorePrivateData
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_StorePrivateData ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-08-14 01:11:34 +00:00
struct lsa_StorePrivateData * r )
2004-05-27 04:13:58 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
2004-08-14 01:11:34 +00:00
lsa_RetrievePrivateData
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_RetrievePrivateData ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-08-14 01:11:34 +00:00
struct lsa_RetrievePrivateData * r )
2004-05-27 04:13:58 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
2004-08-14 01:11:34 +00:00
lsa_GetUserName
2004-05-27 04:13:58 +00:00
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_GetUserName ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2005-10-06 11:15:20 +00:00
struct lsa_GetUserName * r )
2004-05-27 04:13:58 +00:00
{
2004-12-21 12:22:57 +00:00
NTSTATUS status = NT_STATUS_OK ;
const char * account_name ;
const char * authority_name ;
struct lsa_String * _account_name ;
2008-10-21 01:20:53 +02:00
struct lsa_String * _authority_name = NULL ;
2004-12-21 12:22:57 +00:00
/* this is what w2k3 does */
r - > out . account_name = r - > in . account_name ;
r - > out . authority_name = r - > in . authority_name ;
2008-10-21 01:20:53 +02:00
if ( r - > in . account_name
& & * r - > in . account_name
/* && *(*r->in.account_name)->string */
) {
2004-12-21 12:22:57 +00:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-10-21 01:20:53 +02:00
if ( r - > in . authority_name
& & * r - > in . authority_name
/* && *(*r->in.authority_name)->string */
) {
2004-12-21 12:22:57 +00:00
return NT_STATUS_INVALID_PARAMETER ;
}
2004-12-23 03:02:57 +00:00
account_name = talloc_reference ( mem_ctx , dce_call - > conn - > auth_state . session_info - > server_info - > account_name ) ;
2005-01-09 12:55:25 +00:00
authority_name = talloc_reference ( mem_ctx , dce_call - > conn - > auth_state . session_info - > server_info - > domain_name ) ;
2004-12-21 12:22:57 +00:00
2005-01-27 07:08:20 +00:00
_account_name = talloc ( mem_ctx , struct lsa_String ) ;
2006-04-29 11:48:56 +00:00
NT_STATUS_HAVE_NO_MEMORY ( _account_name ) ;
2004-12-21 12:22:57 +00:00
_account_name - > string = account_name ;
if ( r - > in . authority_name ) {
2008-10-21 01:20:53 +02:00
_authority_name = talloc ( mem_ctx , struct lsa_String ) ;
2006-04-29 11:48:56 +00:00
NT_STATUS_HAVE_NO_MEMORY ( _authority_name ) ;
2008-10-21 01:20:53 +02:00
_authority_name - > string = authority_name ;
2004-12-21 12:22:57 +00:00
}
2008-10-21 01:20:53 +02:00
* r - > out . account_name = _account_name ;
if ( r - > out . authority_name ) {
* r - > out . authority_name = _authority_name ;
}
2004-12-21 12:22:57 +00:00
return status ;
2004-05-27 04:13:58 +00:00
}
2004-08-14 01:11:34 +00:00
/*
lsa_SetInfoPolicy2
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetInfoPolicy2 ( struct dcesrv_call_state * dce_call ,
2004-08-14 01:11:34 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_SetInfoPolicy2 * r )
{
2008-10-03 17:52:59 -07:00
/* need to support these */
2004-08-14 01:11:34 +00:00
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_QueryDomainInformationPolicy
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy ( struct dcesrv_call_state * dce_call ,
2004-08-14 01:11:34 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_QueryDomainInformationPolicy * r )
{
2008-10-21 13:03:49 +02:00
union lsa_DomainInformationPolicy * info ;
info = talloc ( r - > out . info , union lsa_DomainInformationPolicy ) ;
if ( ! info ) {
2008-08-26 12:18:26 +10:00
return NT_STATUS_NO_MEMORY ;
}
switch ( r - > in . level ) {
case LSA_DOMAIN_INFO_POLICY_EFS :
2008-10-21 13:03:49 +02:00
talloc_free ( info ) ;
* r - > out . info = NULL ;
2008-08-26 12:18:26 +10:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
case LSA_DOMAIN_INFO_POLICY_KERBEROS :
{
2008-10-21 13:03:49 +02:00
struct lsa_DomainInfoKerberos * k = & info - > kerberos_info ;
2008-08-26 12:18:26 +10:00
struct smb_krb5_context * smb_krb5_context ;
int ret = smb_krb5_init_context ( mem_ctx ,
dce_call - > event_ctx ,
dce_call - > conn - > dce_ctx - > lp_ctx ,
& smb_krb5_context ) ;
if ( ret ! = 0 ) {
2008-10-28 12:21:44 +01:00
talloc_free ( info ) ;
* r - > out . info = NULL ;
2008-08-26 12:18:26 +10:00
return NT_STATUS_INTERNAL_ERROR ;
}
k - > enforce_restrictions = 0 ; /* FIXME, details missing from MS-LSAD 2.2.53 */
k - > service_tkt_lifetime = 0 ; /* Need to find somewhere to store this, and query in KDC too */
k - > user_tkt_lifetime = 0 ; /* Need to find somewhere to store this, and query in KDC too */
k - > user_tkt_renewaltime = 0 ; /* Need to find somewhere to store this, and query in KDC too */
k - > clock_skew = krb5_get_max_time_skew ( smb_krb5_context - > krb5_context ) ;
talloc_free ( smb_krb5_context ) ;
2008-10-21 13:03:49 +02:00
* r - > out . info = info ;
2008-08-26 12:18:26 +10:00
return NT_STATUS_OK ;
}
default :
2008-10-21 13:03:49 +02:00
talloc_free ( info ) ;
* r - > out . info = NULL ;
2008-08-26 12:18:26 +10:00
return NT_STATUS_INVALID_INFO_CLASS ;
}
2004-08-14 01:11:34 +00:00
}
/*
lsa_SetDomInfoPolicy
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_SetDomainInformationPolicy ( struct dcesrv_call_state * dce_call ,
2005-09-01 10:36:48 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_SetDomainInformationPolicy * r )
2004-08-14 01:11:34 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_TestCall
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_TestCall ( struct dcesrv_call_state * dce_call ,
2004-08-14 01:11:34 +00:00
TALLOC_CTX * mem_ctx ,
struct lsa_TestCall * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
2004-12-31 06:08:43 +00:00
/*
lsa_CREDRWRITE
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRWRITE ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRWRITE * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRREAD
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRREAD ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRREAD * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRENUMERATE
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRENUMERATE ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRENUMERATE * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRWRITEDOMAINCREDENTIALS
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRWRITEDOMAINCREDENTIALS ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRWRITEDOMAINCREDENTIALS * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRREADDOMAINCREDENTIALS
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRREADDOMAINCREDENTIALS ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRREADDOMAINCREDENTIALS * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRDELETE
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRDELETE ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRDELETE * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRGETTARGETINFO
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRGETTARGETINFO ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRGETTARGETINFO * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRPROFILELOADED
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRPROFILELOADED ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRPROFILELOADED * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRGETSESSIONTYPES
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRGETSESSIONTYPES ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRGETSESSIONTYPES * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARREGISTERAUDITEVENT
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARREGISTERAUDITEVENT ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARREGISTERAUDITEVENT * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARGENAUDITEVENT
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARGENAUDITEVENT ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARGENAUDITEVENT * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARUNREGISTERAUDITEVENT
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARUNREGISTERAUDITEVENT ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARUNREGISTERAUDITEVENT * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
2007-06-08 10:42:33 +00:00
lsa_lsaRQueryForestTrustInformation
2004-12-31 06:08:43 +00:00
*/
2007-06-08 10:42:33 +00:00
static NTSTATUS dcesrv_lsa_lsaRQueryForestTrustInformation ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
struct lsa_lsaRQueryForestTrustInformation * r )
2004-12-31 06:08:43 +00:00
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARSETFORESTTRUSTINFORMATION
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARSETFORESTTRUSTINFORMATION ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARSETFORESTTRUSTINFORMATION * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_CREDRRENAME
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_CREDRRENAME ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_CREDRRENAME * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSAROPENPOLICYSCE
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSAROPENPOLICYSCE ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSAROPENPOLICYSCE * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARADTREGISTERSECURITYEVENTSOURCE ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
lsa_LSARADTREPORTSECURITYEVENT
*/
2007-01-17 14:49:36 +00:00
static NTSTATUS dcesrv_lsa_LSARADTREPORTSECURITYEVENT ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2004-12-31 06:08:43 +00:00
struct lsa_LSARADTREPORTSECURITYEVENT * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
2004-05-27 04:13:58 +00:00
/* include the generated boilerplate */
# include "librpc/gen_ndr/ndr_lsa_s.c"
2006-08-31 13:10:11 +00:00
/*****************************************
NOTE ! The remaining calls below were
removed in w2k3 , so the DCESRV_FAULT ( )
replies are the correct implementation . Do
not try and fill these in with anything else
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
dssetup_DsRoleDnsNameToFlatName
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleDnsNameToFlatName ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleDnsNameToFlatName * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleDcAsDc
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleDcAsDc ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleDcAsDc * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleDcAsReplica
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleDcAsReplica ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleDcAsReplica * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleDemoteDc
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleDemoteDc ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleDemoteDc * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleGetDcOperationProgress
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleGetDcOperationProgress ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleGetDcOperationProgress * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleGetDcOperationResults
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleGetDcOperationResults ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleGetDcOperationResults * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleCancel
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleCancel ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleCancel * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleServerSaveStateForUpgrade
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleServerSaveStateForUpgrade ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleServerSaveStateForUpgrade * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleUpgradeDownlevelServer
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleUpgradeDownlevelServer ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleUpgradeDownlevelServer * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/*
dssetup_DsRoleAbortDownlevelServerUpgrade
*/
2007-01-17 14:49:36 +00:00
static WERROR dcesrv_dssetup_DsRoleAbortDownlevelServerUpgrade ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
2006-08-31 13:10:11 +00:00
struct dssetup_DsRoleAbortDownlevelServerUpgrade * r )
{
DCESRV_FAULT ( DCERPC_FAULT_OP_RNG_ERROR ) ;
}
/* include the generated boilerplate */
# include "librpc/gen_ndr/ndr_dssetup_s.c"
NTSTATUS dcerpc_server_lsa_init ( void )
{
NTSTATUS ret ;
ret = dcerpc_server_dssetup_init ( ) ;
if ( ! NT_STATUS_IS_OK ( ret ) ) {
return ret ;
}
ret = dcerpc_server_lsarpc_init ( ) ;
if ( ! NT_STATUS_IS_OK ( ret ) ) {
return ret ;
}
return ret ;
}