2005-01-13 21:20:37 +03:00
/*
2002-01-30 09:08:46 +03:00
* Unix SMB / CIFS implementation .
2001-02-26 22:31:07 +03:00
* RPC Pipe client / server routines
* Copyright ( C ) Andrew Tridgell 1992 - 1997 ,
* Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997 ,
2002-07-15 14:35:28 +04:00
* Copyright ( C ) Paul Ashton 1997 ,
2006-02-16 04:06:21 +03:00
* Copyright ( C ) Jeremy Allison 2001 , 2006.
2002-08-17 19:34:15 +04:00
* Copyright ( C ) Rafal Szczesniak 2002 ,
2004-04-13 18:39:48 +04:00
* Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2002 ,
2005-01-13 21:20:37 +03:00
* Copyright ( C ) Simo Sorce 2003.
2005-03-10 21:50:47 +03:00
* Copyright ( C ) Gerald ( Jerry ) Carter 2005.
2006-02-04 01:19:41 +03:00
* Copyright ( C ) Volker Lendecke 2005.
2001-02-26 22:31:07 +03:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
/* This is the implementation of the lsa server code. */
# include "includes.h"
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_SRV
2001-07-09 22:32:54 +04:00
extern PRIVS privs [ ] ;
struct lsa_info {
2002-11-13 02:20:50 +03:00
DOM_SID sid ;
uint32 access ;
2001-07-09 22:32:54 +04:00
} ;
2001-12-18 02:03:23 +03:00
struct generic_mapping lsa_generic_mapping = {
POLICY_READ ,
POLICY_WRITE ,
POLICY_EXECUTE ,
POLICY_ALL_ACCESS
} ;
2001-07-09 22:32:54 +04:00
/*******************************************************************
Function to free the per handle data .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void free_lsa_info ( void * ptr )
{
struct lsa_info * lsa = ( struct lsa_info * ) ptr ;
2003-04-22 12:50:20 +04:00
SAFE_FREE ( lsa ) ;
2001-07-09 22:32:54 +04:00
}
2001-02-26 22:31:07 +03:00
/***************************************************************************
Init dom_query
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-04-11 19:47:24 +04:00
static void init_dom_query_3 ( DOM_QUERY_3 * d_q , const char * dom_name , DOM_SID * dom_sid )
2001-02-26 22:31:07 +03:00
{
2003-09-26 01:26:16 +04:00
d_q - > buffer_dom_name = ( dom_name ! = NULL ) ? 1 : 0 ; /* domain buffer pointer */
d_q - > buffer_dom_sid = ( dom_sid ! = NULL ) ? 1 : 0 ; /* domain sid pointer */
/* this string is supposed to be non-null terminated. */
/* But the maxlen in this UNISTR2 must include the terminating null. */
2003-12-11 00:13:44 +03:00
init_unistr2 ( & d_q - > uni_domain_name , dom_name , UNI_BROKEN_NON_NULL ) ;
2001-02-26 22:31:07 +03:00
/*
* I ' m not sure why this really odd combination of length
* values works , but it does appear to . I need to look at
* this * much * more closely - but at the moment leave alone
* until it ' s understood . This allows a W2k client to join
* a domain with both odd and even length names . . . JRA .
*/
2003-09-26 01:26:16 +04:00
/*
* IMPORTANT NOTE ! ! ! !
* The two fields below probably are reversed in meaning , ie .
* the first field is probably the str_len , the second the max
* len . Both are measured in bytes anyway .
*/
2001-02-26 22:31:07 +03:00
2003-09-26 01:26:16 +04:00
d_q - > uni_dom_str_len = d_q - > uni_domain_name . uni_max_len * 2 ;
d_q - > uni_dom_max_len = d_q - > uni_domain_name . uni_str_len * 2 ;
2001-02-26 22:31:07 +03:00
if ( dom_sid ! = NULL )
init_dom_sid2 ( & d_q - > dom_sid , dom_sid ) ;
}
2006-04-11 19:47:24 +04:00
/***************************************************************************
Init dom_query
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_dom_query_5 ( DOM_QUERY_5 * d_q , const char * dom_name , DOM_SID * dom_sid )
{
return init_dom_query_3 ( d_q , dom_name , dom_sid ) ;
}
2001-02-26 22:31:07 +03:00
/***************************************************************************
init_dom_ref - adds a domain if it ' s not already in , returns the index .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-12-10 14:22:01 +03:00
static int init_dom_ref ( DOM_R_REF * ref , const char * dom_name , DOM_SID * dom_sid )
2001-02-26 22:31:07 +03:00
{
int num = 0 ;
if ( dom_name ! = NULL ) {
for ( num = 0 ; num < ref - > num_ref_doms_1 ; num + + ) {
2006-02-04 01:19:41 +03:00
if ( sid_equal ( dom_sid , & ref - > ref_dom [ num ] . ref_dom . sid ) )
2001-02-26 22:31:07 +03:00
return num ;
}
} else {
num = ref - > num_ref_doms_1 ;
}
if ( num > = MAX_REF_DOMAINS ) {
/* index not found, already at maximum domain limit */
return - 1 ;
}
ref - > num_ref_doms_1 = num + 1 ;
ref - > ptr_ref_dom = 1 ;
ref - > max_entries = MAX_REF_DOMAINS ;
ref - > num_ref_doms_2 = num + 1 ;
2006-03-11 05:09:18 +03:00
ref - > hdr_ref_dom [ num ] . ptr_dom_sid = 1 ; /* dom sid cannot be NULL. */
2001-02-26 22:31:07 +03:00
2003-09-26 01:26:16 +04:00
init_unistr2 ( & ref - > ref_dom [ num ] . uni_dom_name , dom_name , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & ref - > hdr_ref_dom [ num ] . hdr_dom_name , & ref - > ref_dom [ num ] . uni_dom_name ) ;
2001-02-26 22:31:07 +03:00
init_dom_sid2 ( & ref - > ref_dom [ num ] . ref_dom , dom_sid ) ;
return num ;
}
/***************************************************************************
2006-02-16 04:06:21 +03:00
lookup_lsa_rids . Must be called as root for lookup_name to work .
2001-02-26 22:31:07 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-16 04:06:21 +03:00
static NTSTATUS lookup_lsa_rids ( TALLOC_CTX * mem_ctx ,
DOM_R_REF * ref ,
DOM_RID * prid ,
2006-02-18 03:27:31 +03:00
uint32 num_entries ,
2006-02-16 04:06:21 +03:00
const UNISTR2 * name ,
int flags ,
2006-02-18 03:27:31 +03:00
uint32 * pmapped_count )
2001-02-26 22:31:07 +03:00
{
2006-02-18 03:27:31 +03:00
uint32 mapped_count , i ;
2001-02-26 22:31:07 +03:00
SMB_ASSERT ( num_entries < = MAX_LOOKUP_SIDS ) ;
2005-12-03 21:34:13 +03:00
mapped_count = 0 ;
2006-02-16 04:06:21 +03:00
* pmapped_count = 0 ;
2002-01-26 13:02:23 +03:00
2001-02-26 22:31:07 +03:00
for ( i = 0 ; i < num_entries ; i + + ) {
DOM_SID sid ;
2005-12-03 21:34:13 +03:00
uint32 rid ;
int dom_idx ;
2005-12-10 14:22:01 +03:00
char * full_name ;
const char * domain ;
2005-12-03 21:34:13 +03:00
enum SID_NAME_USE type = SID_NAME_UNKNOWN ;
2001-02-26 22:31:07 +03:00
/* Split name into domain and user component */
2006-02-04 01:19:41 +03:00
full_name = rpcstr_pull_unistr2_talloc ( mem_ctx , & name [ i ] ) ;
if ( full_name = = NULL ) {
2005-12-03 21:34:13 +03:00
DEBUG ( 0 , ( " pull_ucs2_talloc failed \n " ) ) ;
2006-02-16 04:06:21 +03:00
return NT_STATUS_NO_MEMORY ;
2005-12-03 21:34:13 +03:00
}
2001-02-26 22:31:07 +03:00
2006-02-16 04:06:21 +03:00
DEBUG ( 5 , ( " lookup_lsa_rids: looking up name %s \n " , full_name ) ) ;
2001-02-26 22:31:07 +03:00
2005-12-03 21:34:13 +03:00
/* We can ignore the result of lookup_name, it will not touch
" type " if it ' s not successful */
2004-04-07 02:02:47 +04:00
2005-12-03 21:34:13 +03:00
lookup_name ( mem_ctx , full_name , flags , & domain , NULL ,
& sid , & type ) ;
2004-04-07 16:43:44 +04:00
2005-12-03 21:34:13 +03:00
switch ( type ) {
case SID_NAME_USER :
case SID_NAME_DOM_GRP :
case SID_NAME_DOMAIN :
case SID_NAME_ALIAS :
case SID_NAME_WKN_GRP :
2006-02-11 05:46:41 +03:00
DEBUG ( 5 , ( " init_lsa_rids: %s found \n " , full_name ) ) ;
2005-12-03 21:34:13 +03:00
/* Leave these unchanged */
break ;
default :
/* Don't hand out anything but the list above */
2006-02-11 05:46:41 +03:00
DEBUG ( 5 , ( " init_lsa_rids: %s not found \n " , full_name ) ) ;
2005-12-03 21:34:13 +03:00
type = SID_NAME_UNKNOWN ;
break ;
}
rid = 0 ;
dom_idx = - 1 ;
if ( type ! = SID_NAME_UNKNOWN ) {
2001-02-26 22:31:07 +03:00
sid_split_rid ( & sid , & rid ) ;
2005-12-03 21:34:13 +03:00
dom_idx = init_dom_ref ( ref , domain , & sid ) ;
mapped_count + + ;
2001-02-26 22:31:07 +03:00
}
2006-02-11 05:46:41 +03:00
init_dom_rid ( & prid [ i ] , rid , type , dom_idx ) ;
2001-02-26 22:31:07 +03:00
}
2002-01-26 13:02:23 +03:00
2006-02-16 04:06:21 +03:00
* pmapped_count = mapped_count ;
return NT_STATUS_OK ;
}
/***************************************************************************
lookup_lsa_sids . Must be called as root for lookup_name to work .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS lookup_lsa_sids ( TALLOC_CTX * mem_ctx ,
DOM_R_REF * ref ,
LSA_TRANSLATED_SID3 * trans_sids ,
2006-02-18 03:27:31 +03:00
uint32 num_entries ,
2006-02-16 04:06:21 +03:00
const UNISTR2 * name ,
int flags ,
2006-02-18 03:27:31 +03:00
uint32 * pmapped_count )
2006-02-16 04:06:21 +03:00
{
2006-02-18 03:27:31 +03:00
uint32 mapped_count , i ;
2006-02-16 04:06:21 +03:00
SMB_ASSERT ( num_entries < = MAX_LOOKUP_SIDS ) ;
mapped_count = 0 ;
* pmapped_count = 0 ;
for ( i = 0 ; i < num_entries ; i + + ) {
DOM_SID sid ;
uint32 rid ;
int dom_idx ;
char * full_name ;
const char * domain ;
enum SID_NAME_USE type = SID_NAME_UNKNOWN ;
/* Split name into domain and user component */
full_name = rpcstr_pull_unistr2_talloc ( mem_ctx , & name [ i ] ) ;
if ( full_name = = NULL ) {
DEBUG ( 0 , ( " pull_ucs2_talloc failed \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
DEBUG ( 5 , ( " init_lsa_sids: looking up name %s \n " , full_name ) ) ;
/* We can ignore the result of lookup_name, it will not touch
" type " if it ' s not successful */
lookup_name ( mem_ctx , full_name , flags , & domain , NULL ,
& sid , & type ) ;
switch ( type ) {
case SID_NAME_USER :
case SID_NAME_DOM_GRP :
case SID_NAME_DOMAIN :
case SID_NAME_ALIAS :
case SID_NAME_WKN_GRP :
DEBUG ( 5 , ( " init_lsa_sids: %s found \n " , full_name ) ) ;
/* Leave these unchanged */
break ;
default :
/* Don't hand out anything but the list above */
DEBUG ( 5 , ( " init_lsa_sids: %s not found \n " , full_name ) ) ;
type = SID_NAME_UNKNOWN ;
break ;
}
rid = 0 ;
dom_idx = - 1 ;
if ( type ! = SID_NAME_UNKNOWN ) {
DOM_SID domain_sid ;
sid_copy ( & domain_sid , & sid ) ;
sid_split_rid ( & domain_sid , & rid ) ;
dom_idx = init_dom_ref ( ref , domain , & domain_sid ) ;
mapped_count + + ;
}
/* Initialize the LSA_TRANSLATED_SID3 return. */
trans_sids [ i ] . sid_type = type ;
trans_sids [ i ] . sid2 = TALLOC_P ( mem_ctx , DOM_SID2 ) ;
if ( trans_sids [ i ] . sid2 = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
init_dom_sid2 ( trans_sids [ i ] . sid2 , & sid ) ;
trans_sids [ i ] . sid_idx = dom_idx ;
}
2005-12-03 21:34:13 +03:00
2006-02-16 04:06:21 +03:00
* pmapped_count = mapped_count ;
return NT_STATUS_OK ;
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
init_reply_lookup_names
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_reply_lookup_names ( LSA_R_LOOKUP_NAMES * r_l ,
DOM_R_REF * ref , uint32 num_entries ,
2006-02-11 05:46:41 +03:00
DOM_RID * rid , uint32 mapped_count )
2001-02-26 22:31:07 +03:00
{
r_l - > ptr_dom_ref = 1 ;
r_l - > dom_ref = ref ;
r_l - > num_entries = num_entries ;
r_l - > ptr_entries = 1 ;
r_l - > num_entries2 = num_entries ;
2006-02-11 05:46:41 +03:00
r_l - > dom_rid = rid ;
2001-02-26 22:31:07 +03:00
r_l - > mapped_count = mapped_count ;
}
2006-02-11 07:25:06 +03:00
/***************************************************************************
init_reply_lookup_names2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_reply_lookup_names2 ( LSA_R_LOOKUP_NAMES2 * r_l ,
DOM_R_REF * ref , uint32 num_entries ,
DOM_RID2 * rid , uint32 mapped_count )
{
r_l - > ptr_dom_ref = 1 ;
r_l - > dom_ref = ref ;
r_l - > num_entries = num_entries ;
r_l - > ptr_entries = 1 ;
r_l - > num_entries2 = num_entries ;
r_l - > dom_rid = rid ;
r_l - > mapped_count = mapped_count ;
}
2006-02-16 04:06:21 +03:00
/***************************************************************************
init_reply_lookup_names3
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_reply_lookup_names3 ( LSA_R_LOOKUP_NAMES3 * r_l ,
DOM_R_REF * ref , uint32 num_entries ,
LSA_TRANSLATED_SID3 * trans_sids , uint32 mapped_count )
{
r_l - > ptr_dom_ref = 1 ;
r_l - > dom_ref = ref ;
r_l - > num_entries = num_entries ;
r_l - > ptr_entries = 1 ;
r_l - > num_entries2 = num_entries ;
r_l - > trans_sids = trans_sids ;
r_l - > mapped_count = mapped_count ;
}
/***************************************************************************
init_reply_lookup_names4
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_reply_lookup_names4 ( LSA_R_LOOKUP_NAMES4 * r_l ,
DOM_R_REF * ref , uint32 num_entries ,
LSA_TRANSLATED_SID3 * trans_sids , uint32 mapped_count )
{
r_l - > ptr_dom_ref = 1 ;
r_l - > dom_ref = ref ;
r_l - > num_entries = num_entries ;
r_l - > ptr_entries = 1 ;
r_l - > num_entries2 = num_entries ;
r_l - > trans_sids = trans_sids ;
r_l - > mapped_count = mapped_count ;
}
2001-02-26 22:31:07 +03:00
/***************************************************************************
Init_reply_lookup_sids .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-11 02:52:53 +03:00
static void init_reply_lookup_sids2 ( LSA_R_LOOKUP_SIDS2 * r_l ,
DOM_R_REF * ref ,
LSA_TRANS_NAME_ENUM2 * names ,
uint32 mapped_count )
2001-02-26 22:31:07 +03:00
{
2006-02-04 01:19:41 +03:00
r_l - > ptr_dom_ref = ref ? 1 : 0 ;
2001-02-26 22:31:07 +03:00
r_l - > dom_ref = ref ;
r_l - > names = names ;
r_l - > mapped_count = mapped_count ;
}
2006-02-11 02:52:53 +03:00
/***************************************************************************
Init_reply_lookup_sids .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_reply_lookup_sids3 ( LSA_R_LOOKUP_SIDS3 * r_l ,
DOM_R_REF * ref ,
LSA_TRANS_NAME_ENUM2 * names ,
uint32 mapped_count )
{
r_l - > ptr_dom_ref = ref ? 1 : 0 ;
r_l - > dom_ref = ref ;
r_l - > names = names ;
r_l - > mapped_count = mapped_count ;
}
/***************************************************************************
Init_reply_lookup_sids .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS init_reply_lookup_sids ( TALLOC_CTX * mem_ctx ,
LSA_R_LOOKUP_SIDS * r_l ,
DOM_R_REF * ref ,
LSA_TRANS_NAME_ENUM2 * names ,
uint32 mapped_count )
{
LSA_TRANS_NAME_ENUM * oldnames = TALLOC_ZERO_P ( mem_ctx , LSA_TRANS_NAME_ENUM ) ;
if ( ! oldnames ) {
return NT_STATUS_NO_MEMORY ;
}
oldnames - > num_entries = names - > num_entries ;
oldnames - > ptr_trans_names = names - > ptr_trans_names ;
oldnames - > num_entries2 = names - > num_entries2 ;
oldnames - > uni_name = names - > uni_name ;
if ( names - > num_entries ) {
int i ;
oldnames - > name = TALLOC_ARRAY ( oldnames , LSA_TRANS_NAME , names - > num_entries ) ;
if ( ! oldnames - > name ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < names - > num_entries ; i + + ) {
oldnames - > name [ i ] . sid_name_use = names - > name [ i ] . sid_name_use ;
oldnames - > name [ i ] . hdr_name = names - > name [ i ] . hdr_name ;
oldnames - > name [ i ] . domain_idx = names - > name [ i ] . domain_idx ;
}
}
r_l - > ptr_dom_ref = ref ? 1 : 0 ;
r_l - > dom_ref = ref ;
r_l - > names = oldnames ;
r_l - > mapped_count = mapped_count ;
return NT_STATUS_OK ;
}
2001-12-18 02:03:23 +03:00
static NTSTATUS lsa_get_generic_sd ( TALLOC_CTX * mem_ctx , SEC_DESC * * sd , size_t * sd_size )
{
DOM_SID local_adm_sid ;
DOM_SID adm_sid ;
SEC_ACE ace [ 3 ] ;
SEC_ACCESS mask ;
SEC_ACL * psa = NULL ;
init_sec_access ( & mask , POLICY_EXECUTE ) ;
init_sec_ace ( & ace [ 0 ] , & global_sid_World , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
2002-07-15 14:35:28 +04:00
sid_copy ( & adm_sid , get_global_sam_sid ( ) ) ;
2001-12-18 02:03:23 +03:00
sid_append_rid ( & adm_sid , DOMAIN_GROUP_RID_ADMINS ) ;
init_sec_access ( & mask , POLICY_ALL_ACCESS ) ;
init_sec_ace ( & ace [ 1 ] , & adm_sid , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
sid_copy ( & local_adm_sid , & global_sid_Builtin ) ;
sid_append_rid ( & local_adm_sid , BUILTIN_ALIAS_RID_ADMINS ) ;
init_sec_access ( & mask , POLICY_ALL_ACCESS ) ;
init_sec_ace ( & ace [ 2 ] , & local_adm_sid , SEC_ACE_TYPE_ACCESS_ALLOWED , mask , 0 ) ;
if ( ( psa = make_sec_acl ( mem_ctx , NT4_ACL_REVISION , 3 , ace ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
2003-09-20 01:57:43 +04:00
if ( ( * sd = make_sec_desc ( mem_ctx , SEC_DESC_REVISION , SEC_DESC_SELF_RELATIVE , & adm_sid , NULL , NULL , psa , sd_size ) ) = = NULL )
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY ;
return NT_STATUS_OK ;
}
2005-03-10 21:50:47 +03:00
#if 0 /* AD DC work in ongoing in Samba 4 */
2002-08-17 19:34:15 +04:00
/***************************************************************************
2002-11-13 02:20:50 +03:00
Init_dns_dom_info .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_dns_dom_info ( LSA_DNS_DOM_INFO * r_l , const char * nb_name ,
const char * dns_name , const char * forest_name ,
2004-04-13 18:39:48 +04:00
struct uuid * dom_guid , DOM_SID * dom_sid )
2002-08-17 19:34:15 +04:00
{
if ( nb_name & & * nb_name ) {
2003-09-26 01:26:16 +04:00
init_unistr2 ( & r_l - > uni_nb_dom_name , nb_name , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & r_l - > hdr_nb_dom_name , & r_l - > uni_nb_dom_name ) ;
2002-08-17 19:34:15 +04:00
r_l - > hdr_nb_dom_name . uni_max_len + = 2 ;
r_l - > uni_nb_dom_name . uni_max_len + = 1 ;
}
if ( dns_name & & * dns_name ) {
2003-09-26 01:26:16 +04:00
init_unistr2 ( & r_l - > uni_dns_dom_name , dns_name , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & r_l - > hdr_dns_dom_name , & r_l - > uni_dns_dom_name ) ;
2002-08-17 19:34:15 +04:00
r_l - > hdr_dns_dom_name . uni_max_len + = 2 ;
r_l - > uni_dns_dom_name . uni_max_len + = 1 ;
}
if ( forest_name & & * forest_name ) {
2003-09-26 01:26:16 +04:00
init_unistr2 ( & r_l - > uni_forest_name , forest_name , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & r_l - > hdr_forest_name , & r_l - > uni_forest_name ) ;
2002-08-17 19:34:15 +04:00
r_l - > hdr_forest_name . uni_max_len + = 2 ;
r_l - > uni_forest_name . uni_max_len + = 1 ;
}
/* how do we init the guid ? probably should write an init fn */
if ( dom_guid ) {
2004-04-13 18:39:48 +04:00
memcpy ( & r_l - > dom_guid , dom_guid , sizeof ( struct uuid ) ) ;
2002-08-17 19:34:15 +04:00
}
if ( dom_sid ) {
r_l - > ptr_dom_sid = 1 ;
init_dom_sid2 ( & r_l - > dom_sid , dom_sid ) ;
}
}
2005-03-10 21:50:47 +03:00
# endif /* AD DC work in ongoing in Samba 4 */
2002-08-17 19:34:15 +04:00
2001-02-26 22:31:07 +03:00
/***************************************************************************
_lsa_open_policy2 .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 21:52:23 +04:00
NTSTATUS _lsa_open_policy2 ( pipes_struct * p , LSA_Q_OPEN_POL2 * q_u , LSA_R_OPEN_POL2 * r_u )
2001-02-26 22:31:07 +03:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * info ;
SEC_DESC * psd = NULL ;
size_t sd_size ;
uint32 des_access = q_u - > des_access ;
uint32 acc_granted ;
NTSTATUS status ;
/* map the generic bits to the lsa policy ones */
se_map_generic ( & des_access , & lsa_generic_mapping ) ;
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd ( p - > mem_ctx , & psd , & sd_size ) ;
2003-06-18 19:24:10 +04:00
if ( ! se_access_check ( psd , p - > pipe_user . nt_user_token , des_access , & acc_granted , & status ) ) {
if ( geteuid ( ) ! = 0 ) {
return status ;
}
DEBUG ( 4 , ( " ACCESS should be DENIED (granted: %#010x; required: %#010x) \n " ,
acc_granted , des_access ) ) ;
DEBUGADD ( 4 , ( " but overwritten by euid == 0 \n " ) ) ;
}
2005-01-13 21:20:37 +03:00
/* This is needed for lsa_open_account and rpcclient .... :-) */
if ( geteuid ( ) = = 0 )
acc_granted = POLICY_ALL_ACCESS ;
2001-12-18 02:03:23 +03:00
/* associate the domain SID with the (unique) handle. */
2004-12-07 21:25:53 +03:00
if ( ( info = SMB_MALLOC_P ( struct lsa_info ) ) = = NULL )
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY ;
ZERO_STRUCTP ( info ) ;
2002-07-15 14:35:28 +04:00
sid_copy ( & info - > sid , get_global_sam_sid ( ) ) ;
2001-12-18 02:03:23 +03:00
info - > access = acc_granted ;
2001-02-26 22:31:07 +03:00
/* set up the LSA QUERY INFO response */
2001-12-18 02:03:23 +03:00
if ( ! create_policy_hnd ( p , & r_u - > pol , free_lsa_info , ( void * ) info ) )
2001-03-11 03:32:10 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-02-26 22:31:07 +03:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
_lsa_open_policy
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_open_policy ( pipes_struct * p , LSA_Q_OPEN_POL * q_u , LSA_R_OPEN_POL * r_u )
2001-02-26 22:31:07 +03:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * info ;
SEC_DESC * psd = NULL ;
size_t sd_size ;
uint32 des_access = q_u - > des_access ;
uint32 acc_granted ;
NTSTATUS status ;
/* map the generic bits to the lsa policy ones */
se_map_generic ( & des_access , & lsa_generic_mapping ) ;
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd ( p - > mem_ctx , & psd , & sd_size ) ;
2003-06-18 19:24:10 +04:00
if ( ! se_access_check ( psd , p - > pipe_user . nt_user_token , des_access , & acc_granted , & status ) ) {
if ( geteuid ( ) ! = 0 ) {
return status ;
}
DEBUG ( 4 , ( " ACCESS should be DENIED (granted: %#010x; required: %#010x) \n " ,
acc_granted , des_access ) ) ;
DEBUGADD ( 4 , ( " but overwritten by euid == 0 \n " ) ) ;
acc_granted = des_access ;
}
2001-12-18 02:03:23 +03:00
/* associate the domain SID with the (unique) handle. */
2004-12-07 21:25:53 +03:00
if ( ( info = SMB_MALLOC_P ( struct lsa_info ) ) = = NULL )
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY ;
ZERO_STRUCTP ( info ) ;
2002-07-15 14:35:28 +04:00
sid_copy ( & info - > sid , get_global_sam_sid ( ) ) ;
2001-12-18 02:03:23 +03:00
info - > access = acc_granted ;
2001-02-26 22:31:07 +03:00
/* set up the LSA QUERY INFO response */
2001-12-18 02:03:23 +03:00
if ( ! create_policy_hnd ( p , & r_u - > pol , free_lsa_info , ( void * ) info ) )
2001-03-11 03:32:10 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-02-26 22:31:07 +03:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
_lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA .
2002-07-15 14:35:28 +04:00
ufff , done : ) mimir
2001-02-26 22:31:07 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
NTSTATUS _lsa_enum_trust_dom ( pipes_struct * p , LSA_Q_ENUM_TRUST_DOM * q_u ,
LSA_R_ENUM_TRUST_DOM * r_u )
2001-02-26 22:31:07 +03:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * info ;
2006-02-04 01:19:41 +03:00
uint32 next_idx ;
struct trustdom_info * * domains ;
2002-07-15 14:35:28 +04:00
/*
* preferred length is set to 5 as a " our " preferred length
* nt sets this parameter to 2
2002-09-25 19:19:00 +04:00
* update ( 20.08 .2002 ) : it ' s not preferred length , but preferred size !
* it needs further investigation how to optimally choose this value
2002-07-15 14:35:28 +04:00
*/
2006-02-04 01:19:41 +03:00
uint32 max_num_domains =
q_u - > preferred_len < 5 ? q_u - > preferred_len : 10 ;
2002-07-15 14:35:28 +04:00
uint32 num_domains ;
NTSTATUS nt_status ;
2006-02-04 01:19:41 +03:00
uint32 num_thistime ;
2001-02-26 22:31:07 +03:00
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
if ( ! ( info - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2006-02-04 01:19:41 +03:00
nt_status = secrets_trusted_domains ( p - > mem_ctx , & num_domains ,
& domains ) ;
2002-07-15 14:35:28 +04:00
2006-02-04 01:19:41 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2002-07-15 14:35:28 +04:00
return nt_status ;
}
2006-02-04 01:19:41 +03:00
if ( q_u - > enum_context < num_domains ) {
num_thistime = MIN ( num_domains , max_num_domains ) ;
r_u - > status = STATUS_MORE_ENTRIES ;
if ( q_u - > enum_context + num_thistime > num_domains ) {
num_thistime = num_domains - q_u - > enum_context ;
r_u - > status = NT_STATUS_OK ;
}
next_idx = q_u - > enum_context + num_thistime ;
} else {
num_thistime = 0 ;
next_idx = 0xffffffff ;
r_u - > status = NT_STATUS_NO_MORE_ENTRIES ;
}
2002-07-15 14:35:28 +04:00
/* set up the lsa_enum_trust_dom response */
2005-04-07 02:27:55 +04:00
2006-02-04 01:19:41 +03:00
init_r_enum_trust_dom ( p - > mem_ctx , r_u , next_idx ,
num_thistime , domains + q_u - > enum_context ) ;
2001-02-26 22:31:07 +03:00
return r_u - > status ;
}
/***************************************************************************
2001-03-15 07:34:53 +03:00
_lsa_query_info . See the POLICY_INFOMATION_CLASS docs at msdn .
2001-02-26 22:31:07 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_query_info ( pipes_struct * p , LSA_Q_QUERY_INFO * q_u , LSA_R_QUERY_INFO * r_u )
2001-02-26 22:31:07 +03:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle ;
2006-04-11 19:47:24 +04:00
LSA_INFO_CTR * ctr = & r_u - > ctr ;
2001-02-26 22:31:07 +03:00
DOM_SID domain_sid ;
2002-11-13 02:20:50 +03:00
const char * name ;
2001-02-26 22:31:07 +03:00
DOM_SID * sid = NULL ;
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-26 22:31:07 +03:00
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-02-26 22:31:07 +03:00
switch ( q_u - > info_class ) {
case 0x02 :
{
2006-04-11 19:47:24 +04:00
uint32 policy_def = LSA_AUDIT_POLICY_ALL ;
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
2006-04-11 19:47:24 +04:00
if ( ! ( handle - > access & POLICY_VIEW_AUDIT_INFORMATION ) ) {
DEBUG ( 10 , ( " _lsa_query_info: insufficient access rights \n " ) ) ;
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED ;
2006-04-11 19:47:24 +04:00
}
2001-12-18 02:03:23 +03:00
/* fake info: We audit everything. ;) */
2006-04-11 19:47:24 +04:00
ctr - > info . id2 . ptr = 1 ;
ctr - > info . id2 . auditing_enabled = True ;
ctr - > info . id2 . count1 = ctr - > info . id2 . count2 = LSA_AUDIT_NUM_CATEGORIES ;
if ( ( ctr - > info . id2 . auditsettings = TALLOC_ZERO_ARRAY ( p - > mem_ctx , uint32 , LSA_AUDIT_NUM_CATEGORIES ) ) = = NULL )
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY ;
2006-04-11 19:47:24 +04:00
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT ] = policy_def ;
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS ] = policy_def ;
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_LOGON ] = policy_def ;
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_PROCCESS_TRACKING ] = policy_def ;
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES ] = policy_def ;
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_SYSTEM ] = policy_def ;
ctr - > info . id2 . auditsettings [ LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS ] = policy_def ;
2001-12-18 02:03:23 +03:00
break ;
2001-02-26 22:31:07 +03:00
}
case 0x03 :
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2001-04-22 03:06:59 +04:00
/* Request PolicyPrimaryDomainInformation. */
switch ( lp_server_role ( ) ) {
2001-02-26 22:31:07 +03:00
case ROLE_DOMAIN_PDC :
case ROLE_DOMAIN_BDC :
2003-05-07 12:21:06 +04:00
name = get_global_sam_name ( ) ;
2002-07-15 14:35:28 +04:00
sid = get_global_sam_sid ( ) ;
2001-02-26 22:31:07 +03:00
break ;
case ROLE_DOMAIN_MEMBER :
2002-11-13 02:20:50 +03:00
name = lp_workgroup ( ) ;
2001-04-22 03:06:59 +04:00
/* We need to return the Domain SID here. */
2002-11-13 02:20:50 +03:00
if ( secrets_fetch_domain_sid ( lp_workgroup ( ) , & domain_sid ) )
2001-06-02 10:14:42 +04:00
sid = & domain_sid ;
2001-03-15 05:49:06 +03:00
else
2001-04-22 03:06:59 +04:00
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
2001-02-26 22:31:07 +03:00
break ;
2001-03-15 06:08:22 +03:00
case ROLE_STANDALONE :
2002-11-13 02:20:50 +03:00
name = lp_workgroup ( ) ;
2002-01-31 12:37:26 +03:00
sid = NULL ;
2001-03-15 06:08:22 +03:00
break ;
2001-03-15 05:49:06 +03:00
default :
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
2001-02-26 22:31:07 +03:00
}
2006-04-11 19:47:24 +04:00
init_dom_query_3 ( & r_u - > ctr . info . id3 , name , sid ) ;
2001-02-26 22:31:07 +03:00
break ;
case 0x05 :
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2001-04-22 03:06:59 +04:00
/* Request PolicyAccountDomainInformation. */
2003-05-07 12:21:06 +04:00
name = get_global_sam_name ( ) ;
sid = get_global_sam_sid ( ) ;
2006-04-11 19:47:24 +04:00
init_dom_query_5 ( & r_u - > ctr . info . id5 , name , sid ) ;
2001-02-26 22:31:07 +03:00
break ;
case 0x06 :
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2001-04-22 03:06:59 +04:00
switch ( lp_server_role ( ) ) {
2001-02-26 22:31:07 +03:00
case ROLE_DOMAIN_BDC :
/*
* only a BDC is a backup controller
* of the domain , it controls .
*/
2006-04-11 19:47:24 +04:00
ctr - > info . id6 . server_role = 2 ;
2001-02-26 22:31:07 +03:00
break ;
default :
/*
* any other role is a primary
* of the domain , it controls .
*/
2006-04-11 19:47:24 +04:00
ctr - > info . id6 . server_role = 3 ;
2001-02-26 22:31:07 +03:00
break ;
}
break ;
default :
DEBUG ( 0 , ( " _lsa_query_info: unknown info level in Lsa Query: %d \n " , q_u - > info_class ) ) ;
r_u - > status = NT_STATUS_INVALID_INFO_CLASS ;
break ;
}
2001-08-27 23:46:22 +04:00
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
2006-04-11 19:47:24 +04:00
r_u - > dom_ptr = 0x22000000 ; /* bizarre */
ctr - > info_class = q_u - > info_class ;
2001-02-26 22:31:07 +03:00
}
return r_u - > status ;
}
/***************************************************************************
2006-02-11 02:52:53 +03:00
_lsa_lookup_sids_internal
2001-02-26 22:31:07 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-11 02:52:53 +03:00
static NTSTATUS _lsa_lookup_sids_internal ( pipes_struct * p ,
uint16 level , /* input */
int num_sids , /* input */
const DOM_SID2 * sid , /* input */
DOM_R_REF * * pp_ref , /* output */
LSA_TRANS_NAME_ENUM2 * * pp_names , /* output */
uint32 * pp_mapped_count )
2001-02-26 22:31:07 +03:00
{
2006-02-11 02:52:53 +03:00
NTSTATUS status ;
int i ;
const DOM_SID * * sids = NULL ;
LSA_TRANS_NAME_ENUM2 * names = NULL ;
2006-02-04 01:19:41 +03:00
DOM_R_REF * ref = NULL ;
2006-02-11 02:52:53 +03:00
uint32 mapped_count = 0 ;
struct lsa_dom_info * dom_infos = NULL ;
struct lsa_name_info * name_infos = NULL ;
2002-03-30 00:50:21 +03:00
2006-02-11 02:52:53 +03:00
* pp_mapped_count = 0 ;
* pp_ref = NULL ;
* pp_names = NULL ;
names = TALLOC_ZERO_P ( p - > mem_ctx , LSA_TRANS_NAME_ENUM2 ) ;
sids = TALLOC_ARRAY ( p - > mem_ctx , const DOM_SID * , num_sids ) ;
2006-02-04 01:19:41 +03:00
ref = TALLOC_ZERO_P ( p - > mem_ctx , DOM_R_REF ) ;
2006-02-11 02:52:53 +03:00
if ( sids = = NULL | | names = = NULL | | ref = = NULL ) {
return NT_STATUS_NO_MEMORY ;
2006-02-04 01:19:41 +03:00
}
for ( i = 0 ; i < num_sids ; i + + ) {
2006-02-11 02:52:53 +03:00
sids [ i ] = & sid [ i ] . sid ;
2006-02-04 01:19:41 +03:00
}
2006-02-11 02:52:53 +03:00
status = lookup_sids ( p - > mem_ctx , num_sids , sids , level ,
2006-02-04 01:19:41 +03:00
& dom_infos , & name_infos ) ;
2006-02-11 02:52:53 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2006-02-04 01:19:41 +03:00
}
if ( num_sids > 0 ) {
2006-02-11 02:52:53 +03:00
names - > name = TALLOC_ARRAY ( names , LSA_TRANS_NAME2 , num_sids ) ;
2006-02-04 01:19:41 +03:00
names - > uni_name = TALLOC_ARRAY ( names , UNISTR2 , num_sids ) ;
if ( ( names - > name = = NULL ) | | ( names - > uni_name = = NULL ) ) {
2006-02-11 02:52:53 +03:00
return NT_STATUS_NO_MEMORY ;
2006-02-04 01:19:41 +03:00
}
2004-05-21 22:06:27 +04:00
}
2006-02-04 01:19:41 +03:00
for ( i = 0 ; i < MAX_REF_DOMAINS ; i + + ) {
if ( ! dom_infos [ i ] . valid ) {
break ;
}
if ( init_dom_ref ( ref , dom_infos [ i ] . name ,
& dom_infos [ i ] . sid ) ! = i ) {
DEBUG ( 0 , ( " Domain %s mentioned twice?? \n " ,
dom_infos [ i ] . name ) ) ;
2006-02-11 02:52:53 +03:00
return NT_STATUS_INTERNAL_ERROR ;
2006-02-04 01:19:41 +03:00
}
}
for ( i = 0 ; i < num_sids ; i + + ) {
struct lsa_name_info * name = & name_infos [ i ] ;
if ( name - > type = = SID_NAME_UNKNOWN ) {
name - > dom_idx = - 1 ;
name - > name = talloc_asprintf ( p - > mem_ctx , " %8.8x " ,
name - > rid ) ;
if ( name - > name = = NULL ) {
2006-02-11 02:52:53 +03:00
return NT_STATUS_NO_MEMORY ;
2006-02-04 01:19:41 +03:00
}
} else {
mapped_count + = 1 ;
}
2006-02-11 02:52:53 +03:00
init_lsa_trans_name2 ( & names - > name [ i ] , & names - > uni_name [ i ] ,
2006-02-04 01:19:41 +03:00
name - > type , name - > name , name - > dom_idx ) ;
}
names - > num_entries = num_sids ;
names - > ptr_trans_names = 1 ;
names - > num_entries2 = num_sids ;
2006-02-11 02:52:53 +03:00
status = NT_STATUS_NONE_MAPPED ;
2006-02-04 01:19:41 +03:00
if ( mapped_count > 0 ) {
2006-02-11 02:52:53 +03:00
status = ( mapped_count < num_sids ) ?
2006-02-04 01:19:41 +03:00
STATUS_SOME_UNMAPPED : NT_STATUS_OK ;
}
DEBUG ( 10 , ( " num_sids %d, mapped_count %d, status %s \n " ,
2006-02-11 02:52:53 +03:00
num_sids , mapped_count , nt_errstr ( status ) ) ) ;
* pp_mapped_count = mapped_count ;
* pp_ref = ref ;
* pp_names = names ;
return status ;
}
/***************************************************************************
_lsa_lookup_sids
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_lookup_sids ( pipes_struct * p ,
LSA_Q_LOOKUP_SIDS * q_u ,
LSA_R_LOOKUP_SIDS * r_u )
{
struct lsa_info * handle ;
int num_sids = q_u - > sids . num_entries ;
uint32 mapped_count = 0 ;
DOM_R_REF * ref = NULL ;
LSA_TRANS_NAME_ENUM2 * names = NULL ;
NTSTATUS status ;
if ( ( q_u - > level < 1 ) | | ( q_u - > level > 6 ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) ) {
return NT_STATUS_INVALID_HANDLE ;
}
/* check if the user has enough rights */
if ( ! ( handle - > access & POLICY_LOOKUP_NAMES ) ) {
return NT_STATUS_ACCESS_DENIED ;
}
if ( num_sids > MAX_LOOKUP_SIDS ) {
DEBUG ( 5 , ( " _lsa_lookup_sids: limit of %d exceeded, requested %d \n " ,
MAX_LOOKUP_SIDS , num_sids ) ) ;
return NT_STATUS_NONE_MAPPED ;
}
r_u - > status = _lsa_lookup_sids_internal ( p ,
q_u - > level ,
num_sids ,
q_u - > sids . sid ,
& ref ,
& names ,
& mapped_count ) ;
/* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */
status = init_reply_lookup_sids ( p - > mem_ctx , r_u , ref , names , mapped_count ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return r_u - > status ;
}
/***************************************************************************
_lsa_lookup_sids2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_lookup_sids2 ( pipes_struct * p ,
LSA_Q_LOOKUP_SIDS2 * q_u ,
LSA_R_LOOKUP_SIDS2 * r_u )
{
struct lsa_info * handle ;
int num_sids = q_u - > sids . num_entries ;
uint32 mapped_count = 0 ;
DOM_R_REF * ref = NULL ;
LSA_TRANS_NAME_ENUM2 * names = NULL ;
if ( ( q_u - > level < 1 ) | | ( q_u - > level > 6 ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) ) {
return NT_STATUS_INVALID_HANDLE ;
}
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_LOOKUP_NAMES ) ) {
return NT_STATUS_ACCESS_DENIED ;
}
if ( num_sids > MAX_LOOKUP_SIDS ) {
DEBUG ( 5 , ( " _lsa_lookup_sids2: limit of %d exceeded, requested %d \n " ,
MAX_LOOKUP_SIDS , num_sids ) ) ;
return NT_STATUS_NONE_MAPPED ;
}
r_u - > status = _lsa_lookup_sids_internal ( p ,
q_u - > level ,
num_sids ,
q_u - > sids . sid ,
& ref ,
& names ,
& mapped_count ) ;
init_reply_lookup_sids2 ( r_u , ref , names , mapped_count ) ;
return r_u - > status ;
}
/***************************************************************************
_lsa_lookup_sida3
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_lookup_sids3 ( pipes_struct * p ,
LSA_Q_LOOKUP_SIDS3 * q_u ,
LSA_R_LOOKUP_SIDS3 * r_u )
{
int num_sids = q_u - > sids . num_entries ;
uint32 mapped_count = 0 ;
DOM_R_REF * ref = NULL ;
LSA_TRANS_NAME_ENUM2 * names = NULL ;
if ( ( q_u - > level < 1 ) | | ( q_u - > level > 6 ) ) {
return NT_STATUS_INVALID_PARAMETER ;
}
/* No policy handle on this call. Restrict to crypto connections. */
2006-02-11 03:04:39 +03:00
if ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL ) {
DEBUG ( 0 , ( " _lsa_lookup_sids3: client %s not using schannel for netlogon \n " ,
get_remote_machine_name ( ) ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
2006-02-11 02:52:53 +03:00
if ( num_sids > MAX_LOOKUP_SIDS ) {
DEBUG ( 5 , ( " _lsa_lookup_sids3: limit of %d exceeded, requested %d \n " ,
MAX_LOOKUP_SIDS , num_sids ) ) ;
return NT_STATUS_NONE_MAPPED ;
}
2006-02-04 01:19:41 +03:00
2006-02-11 02:52:53 +03:00
r_u - > status = _lsa_lookup_sids_internal ( p ,
q_u - > level ,
num_sids ,
q_u - > sids . sid ,
& ref ,
& names ,
& mapped_count ) ;
2001-02-26 22:31:07 +03:00
2006-02-11 02:52:53 +03:00
init_reply_lookup_sids3 ( r_u , ref , names , mapped_count ) ;
2001-02-26 22:31:07 +03:00
return r_u - > status ;
}
/***************************************************************************
lsa_reply_lookup_names
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_lookup_names ( pipes_struct * p , LSA_Q_LOOKUP_NAMES * q_u , LSA_R_LOOKUP_NAMES * r_u )
2001-02-26 22:31:07 +03:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle ;
2001-02-26 22:31:07 +03:00
UNISTR2 * names = q_u - > uni_name ;
2006-02-18 03:27:31 +03:00
uint32 num_entries = q_u - > num_entries ;
2001-03-01 07:01:23 +03:00
DOM_R_REF * ref ;
2006-02-11 05:46:41 +03:00
DOM_RID * rids ;
2001-02-26 22:31:07 +03:00
uint32 mapped_count = 0 ;
2005-12-03 21:34:13 +03:00
int flags = 0 ;
2001-02-26 22:31:07 +03:00
2002-01-26 13:02:23 +03:00
if ( num_entries > MAX_LOOKUP_SIDS ) {
num_entries = MAX_LOOKUP_SIDS ;
DEBUG ( 5 , ( " _lsa_lookup_names: truncating name lookup list to %d \n " , num_entries ) ) ;
}
2005-12-03 21:34:13 +03:00
/* Probably the lookup_level is some sort of bitmask. */
if ( q_u - > lookup_level = = 1 ) {
flags = LOOKUP_NAME_ALL ;
}
2004-12-07 21:25:53 +03:00
ref = TALLOC_ZERO_P ( p - > mem_ctx , DOM_R_REF ) ;
2006-02-11 05:46:41 +03:00
rids = TALLOC_ZERO_ARRAY ( p - > mem_ctx , DOM_RID , num_entries ) ;
2001-03-01 07:01:23 +03:00
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) ) {
2002-03-30 00:50:21 +03:00
r_u - > status = NT_STATUS_INVALID_HANDLE ;
goto done ;
}
2002-03-29 23:37:56 +03:00
/* check if the user have enough rights */
2002-03-30 00:50:21 +03:00
if ( ! ( handle - > access & POLICY_LOOKUP_NAMES ) ) {
r_u - > status = NT_STATUS_ACCESS_DENIED ;
goto done ;
}
2002-03-29 23:37:56 +03:00
2001-03-01 07:01:23 +03:00
if ( ! ref | | ! rids )
return NT_STATUS_NO_MEMORY ;
2001-02-26 22:31:07 +03:00
2005-12-03 21:34:13 +03:00
/* set up the LSA Lookup RIDs response */
2006-02-16 04:06:21 +03:00
become_root ( ) ; /* lookup_name can require root privs */
r_u - > status = lookup_lsa_rids ( p - > mem_ctx , ref , rids , num_entries ,
names , flags , & mapped_count ) ;
unbecome_root ( ) ;
2002-03-30 00:50:21 +03:00
done :
2006-03-15 03:10:38 +03:00
if ( NT_STATUS_IS_OK ( r_u - > status ) & & ( num_entries ! = 0 ) ) {
2004-05-26 22:27:16 +04:00
if ( mapped_count = = 0 )
r_u - > status = NT_STATUS_NONE_MAPPED ;
else if ( mapped_count ! = num_entries )
r_u - > status = STATUS_SOME_UNMAPPED ;
}
2001-02-26 22:31:07 +03:00
2006-02-16 04:06:21 +03:00
init_reply_lookup_names ( r_u , ref , num_entries , rids , mapped_count ) ;
2001-02-26 22:31:07 +03:00
return r_u - > status ;
}
2006-02-11 07:25:06 +03:00
/***************************************************************************
lsa_reply_lookup_names2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_lookup_names2 ( pipes_struct * p , LSA_Q_LOOKUP_NAMES2 * q_u , LSA_R_LOOKUP_NAMES2 * r_u )
{
struct lsa_info * handle ;
UNISTR2 * names = q_u - > uni_name ;
2006-02-18 03:27:31 +03:00
uint32 num_entries = q_u - > num_entries ;
2006-02-11 07:25:06 +03:00
DOM_R_REF * ref ;
DOM_RID * rids ;
DOM_RID2 * rids2 ;
int i ;
uint32 mapped_count = 0 ;
int flags = 0 ;
if ( num_entries > MAX_LOOKUP_SIDS ) {
num_entries = MAX_LOOKUP_SIDS ;
2006-02-16 04:06:21 +03:00
DEBUG ( 5 , ( " _lsa_lookup_names2: truncating name lookup list to %d \n " , num_entries ) ) ;
2006-02-11 07:25:06 +03:00
}
/* Probably the lookup_level is some sort of bitmask. */
if ( q_u - > lookup_level = = 1 ) {
flags = LOOKUP_NAME_ALL ;
}
ref = TALLOC_ZERO_P ( p - > mem_ctx , DOM_R_REF ) ;
rids = TALLOC_ZERO_ARRAY ( p - > mem_ctx , DOM_RID , num_entries ) ;
rids2 = TALLOC_ZERO_ARRAY ( p - > mem_ctx , DOM_RID2 , num_entries ) ;
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) ) {
r_u - > status = NT_STATUS_INVALID_HANDLE ;
goto done ;
}
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_LOOKUP_NAMES ) ) {
r_u - > status = NT_STATUS_ACCESS_DENIED ;
goto done ;
}
2006-02-16 04:06:21 +03:00
if ( ! ref | | ! rids | | ! rids2 ) {
2006-02-11 07:25:06 +03:00
return NT_STATUS_NO_MEMORY ;
2006-02-16 04:06:21 +03:00
}
2006-02-11 07:25:06 +03:00
/* set up the LSA Lookup RIDs response */
2006-02-16 04:06:21 +03:00
become_root ( ) ; /* lookup_name can require root privs */
r_u - > status = lookup_lsa_rids ( p - > mem_ctx , ref , rids , num_entries ,
names , flags , & mapped_count ) ;
unbecome_root ( ) ;
2006-02-11 07:25:06 +03:00
done :
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
2006-02-16 04:06:21 +03:00
if ( mapped_count = = 0 ) {
2006-02-11 07:25:06 +03:00
r_u - > status = NT_STATUS_NONE_MAPPED ;
2006-02-16 04:06:21 +03:00
} else if ( mapped_count ! = num_entries ) {
2006-02-11 07:25:06 +03:00
r_u - > status = STATUS_SOME_UNMAPPED ;
2006-02-16 04:06:21 +03:00
}
2006-02-11 07:25:06 +03:00
}
/* Convert the rids array to rids2. */
for ( i = 0 ; i < num_entries ; i + + ) {
rids2 [ i ] . type = rids [ i ] . type ;
rids2 [ i ] . rid = rids [ i ] . rid ;
rids2 [ i ] . rid_idx = rids [ i ] . rid_idx ;
rids2 [ i ] . unknown = 0 ;
}
init_reply_lookup_names2 ( r_u , ref , num_entries , rids2 , mapped_count ) ;
return r_u - > status ;
}
2006-02-11 08:36:27 +03:00
/***************************************************************************
2006-02-16 04:06:21 +03:00
lsa_reply_lookup_names3 .
2006-02-11 08:36:27 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_lookup_names3 ( pipes_struct * p , LSA_Q_LOOKUP_NAMES3 * q_u , LSA_R_LOOKUP_NAMES3 * r_u )
{
2006-02-16 04:06:21 +03:00
struct lsa_info * handle ;
UNISTR2 * names = q_u - > uni_name ;
2006-02-18 03:27:31 +03:00
uint32 num_entries = q_u - > num_entries ;
2006-02-16 04:06:21 +03:00
DOM_R_REF * ref = NULL ;
LSA_TRANSLATED_SID3 * trans_sids = NULL ;
uint32 mapped_count = 0 ;
int flags = 0 ;
if ( num_entries > MAX_LOOKUP_SIDS ) {
num_entries = MAX_LOOKUP_SIDS ;
DEBUG ( 5 , ( " _lsa_lookup_names3: truncating name lookup list to %d \n " , num_entries ) ) ;
}
/* Probably the lookup_level is some sort of bitmask. */
if ( q_u - > lookup_level = = 1 ) {
flags = LOOKUP_NAME_ALL ;
}
ref = TALLOC_ZERO_P ( p - > mem_ctx , DOM_R_REF ) ;
trans_sids = TALLOC_ZERO_ARRAY ( p - > mem_ctx , LSA_TRANSLATED_SID3 , num_entries ) ;
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) ) {
r_u - > status = NT_STATUS_INVALID_HANDLE ;
goto done ;
}
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_LOOKUP_NAMES ) ) {
r_u - > status = NT_STATUS_ACCESS_DENIED ;
goto done ;
}
if ( ! ref | | ! trans_sids ) {
return NT_STATUS_NO_MEMORY ;
}
/* set up the LSA Lookup SIDs response */
become_root ( ) ; /* lookup_name can require root privs */
r_u - > status = lookup_lsa_sids ( p - > mem_ctx , ref , trans_sids , num_entries ,
names , flags , & mapped_count ) ;
unbecome_root ( ) ;
done :
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
if ( mapped_count = = 0 ) {
r_u - > status = NT_STATUS_NONE_MAPPED ;
} else if ( mapped_count ! = num_entries ) {
r_u - > status = STATUS_SOME_UNMAPPED ;
}
}
init_reply_lookup_names3 ( r_u , ref , num_entries , trans_sids , mapped_count ) ;
return r_u - > status ;
2006-02-11 08:36:27 +03:00
}
/***************************************************************************
2006-02-16 04:06:21 +03:00
lsa_reply_lookup_names4 .
2006-02-11 08:36:27 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_lookup_names4 ( pipes_struct * p , LSA_Q_LOOKUP_NAMES4 * q_u , LSA_R_LOOKUP_NAMES4 * r_u )
{
2006-02-16 04:06:21 +03:00
UNISTR2 * names = q_u - > uni_name ;
2006-02-18 03:27:31 +03:00
uint32 num_entries = q_u - > num_entries ;
2006-02-16 04:06:21 +03:00
DOM_R_REF * ref = NULL ;
LSA_TRANSLATED_SID3 * trans_sids = NULL ;
uint32 mapped_count = 0 ;
int flags = 0 ;
if ( num_entries > MAX_LOOKUP_SIDS ) {
num_entries = MAX_LOOKUP_SIDS ;
DEBUG ( 5 , ( " _lsa_lookup_names4: truncating name lookup list to %d \n " , num_entries ) ) ;
}
/* Probably the lookup_level is some sort of bitmask. */
if ( q_u - > lookup_level = = 1 ) {
flags = LOOKUP_NAME_ALL ;
}
/* No policy handle on this call. Restrict to crypto connections. */
if ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL ) {
DEBUG ( 0 , ( " _lsa_lookup_names4: client %s not using schannel for netlogon \n " ,
get_remote_machine_name ( ) ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
ref = TALLOC_ZERO_P ( p - > mem_ctx , DOM_R_REF ) ;
trans_sids = TALLOC_ZERO_ARRAY ( p - > mem_ctx , LSA_TRANSLATED_SID3 , num_entries ) ;
if ( ! ref | | ! trans_sids ) {
return NT_STATUS_NO_MEMORY ;
}
/* set up the LSA Lookup SIDs response */
become_root ( ) ; /* lookup_name can require root privs */
r_u - > status = lookup_lsa_sids ( p - > mem_ctx , ref , trans_sids , num_entries ,
names , flags , & mapped_count ) ;
unbecome_root ( ) ;
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
if ( mapped_count = = 0 ) {
r_u - > status = NT_STATUS_NONE_MAPPED ;
} else if ( mapped_count ! = num_entries ) {
r_u - > status = STATUS_SOME_UNMAPPED ;
}
}
init_reply_lookup_names4 ( r_u , ref , num_entries , trans_sids , mapped_count ) ;
return r_u - > status ;
2006-02-11 08:36:27 +03:00
}
2006-02-11 07:25:06 +03:00
2001-02-26 22:31:07 +03:00
/***************************************************************************
_lsa_close . Also weird - needs to check if lsa handle is correct . JRA .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_close ( pipes_struct * p , LSA_Q_CLOSE * q_u , LSA_R_CLOSE * r_u )
2001-02-26 22:31:07 +03:00
{
2006-02-16 04:06:21 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , NULL ) ) {
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE ;
2006-02-16 04:06:21 +03:00
}
2001-03-11 03:32:10 +03:00
close_policy_hnd ( p , & q_u - > pol ) ;
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_open_secret ( pipes_struct * p , LSA_Q_OPEN_SECRET * q_u , LSA_R_OPEN_SECRET * r_u )
2001-02-26 22:31:07 +03:00
{
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
2001-06-30 03:12:55 +04:00
2005-05-31 17:46:45 +04:00
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_open_trusted_domain ( pipes_struct * p , LSA_Q_OPEN_TRUSTED_DOMAIN * q_u , LSA_R_OPEN_TRUSTED_DOMAIN * r_u )
{
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_create_trusted_domain ( pipes_struct * p , LSA_Q_CREATE_TRUSTED_DOMAIN * q_u , LSA_R_CREATE_TRUSTED_DOMAIN * r_u )
{
return NT_STATUS_ACCESS_DENIED ;
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_create_secret ( pipes_struct * p , LSA_Q_CREATE_SECRET * q_u , LSA_R_CREATE_SECRET * r_u )
{
return NT_STATUS_ACCESS_DENIED ;
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_set_secret ( pipes_struct * p , LSA_Q_SET_SECRET * q_u , LSA_R_SET_SECRET * r_u )
{
return NT_STATUS_ACCESS_DENIED ;
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_delete_object ( pipes_struct * p , LSA_Q_DELETE_OBJECT * q_u , LSA_R_DELETE_OBJECT * r_u )
{
return NT_STATUS_ACCESS_DENIED ;
}
2001-07-09 22:32:54 +04:00
/***************************************************************************
_lsa_enum_privs .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_enum_privs ( pipes_struct * p , LSA_Q_ENUM_PRIVS * q_u , LSA_R_ENUM_PRIVS * r_u )
2001-07-09 22:32:54 +04:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle ;
2001-07-09 22:32:54 +04:00
uint32 i ;
2005-01-13 21:20:37 +03:00
uint32 enum_context = q_u - > enum_context ;
2005-09-30 21:13:37 +04:00
int num_privs = count_all_privileges ( ) ;
2005-01-13 21:20:37 +03:00
LSA_PRIV_ENTRY * entries = NULL ;
2005-01-17 18:23:11 +03:00
LUID_ATTR luid ;
2001-07-09 22:32:54 +04:00
2005-01-13 21:20:37 +03:00
/* remember that the enum_context starts at 0 and not 1 */
2001-07-09 22:32:54 +04:00
2005-01-13 21:20:37 +03:00
if ( enum_context > = num_privs )
2002-03-29 23:37:56 +03:00
return NT_STATUS_NO_MORE_ENTRIES ;
2005-01-13 21:20:37 +03:00
DEBUG ( 10 , ( " _lsa_enum_privs: enum_context:%d total entries:%d \n " ,
enum_context , num_privs ) ) ;
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-13 21:20:37 +03:00
/* check if the user have enough rights
I don ' t know if it ' s the right one . not documented . */
2001-12-18 02:03:23 +03:00
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2005-01-13 21:20:37 +03:00
if ( ! ( entries = TALLOC_ZERO_ARRAY ( p - > mem_ctx , LSA_PRIV_ENTRY , num_privs ) ) )
return NT_STATUS_NO_MEMORY ;
for ( i = 0 ; i < num_privs ; i + + ) {
if ( i < enum_context ) {
init_unistr2 ( & entries [ i ] . name , NULL , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & entries [ i ] . hdr_name , & entries [ i ] . name ) ;
2005-01-17 18:23:11 +03:00
2005-01-13 21:20:37 +03:00
entries [ i ] . luid_low = 0 ;
entries [ i ] . luid_high = 0 ;
2001-11-23 02:50:16 +03:00
} else {
2005-01-13 21:20:37 +03:00
init_unistr2 ( & entries [ i ] . name , privs [ i ] . name , UNI_FLAGS_NONE ) ;
init_uni_hdr ( & entries [ i ] . hdr_name , & entries [ i ] . name ) ;
2005-01-17 18:23:11 +03:00
luid = get_privilege_luid ( & privs [ i ] . se_priv ) ;
entries [ i ] . luid_low = luid . luid . low ;
entries [ i ] . luid_high = luid . luid . high ;
2001-11-23 02:50:16 +03:00
}
2001-07-09 22:32:54 +04:00
}
2005-01-13 21:20:37 +03:00
enum_context = num_privs ;
init_lsa_r_enum_privs ( r_u , enum_context , num_privs , entries ) ;
2001-07-09 22:32:54 +04:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
_lsa_priv_get_dispname .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_priv_get_dispname ( pipes_struct * p , LSA_Q_PRIV_GET_DISPNAME * q_u , LSA_R_PRIV_GET_DISPNAME * r_u )
2001-07-09 22:32:54 +04:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle ;
2001-07-09 22:32:54 +04:00
fstring name_asc ;
2005-01-17 18:23:11 +03:00
const char * description ;
2001-07-09 22:32:54 +04:00
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE ;
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
/*
* I don ' t know if it ' s the right one . not documented .
*/
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2001-07-09 22:32:54 +04:00
unistr2_to_ascii ( name_asc , & q_u - > name , sizeof ( name_asc ) ) ;
2005-01-17 18:23:11 +03:00
DEBUG ( 10 , ( " _lsa_priv_get_dispname: name = %s \n " , name_asc ) ) ;
2001-07-09 22:32:54 +04:00
2005-01-17 18:23:11 +03:00
description = get_privilege_dispname ( name_asc ) ;
2001-11-22 20:19:59 +03:00
2005-01-17 18:23:11 +03:00
if ( description ) {
DEBUG ( 10 , ( " _lsa_priv_get_dispname: display name = %s \n " , description ) ) ;
init_unistr2 ( & r_u - > desc , description , UNI_FLAGS_NONE ) ;
2003-09-26 01:26:16 +04:00
init_uni_hdr ( & r_u - > hdr_desc , & r_u - > desc ) ;
2001-07-09 22:32:54 +04:00
2005-01-13 21:20:37 +03:00
r_u - > ptr_info = 0xdeadbeef ;
r_u - > lang_id = q_u - > lang_id ;
2005-01-17 18:23:11 +03:00
2001-11-22 20:19:59 +03:00
return NT_STATUS_OK ;
} else {
2001-11-29 19:05:05 +03:00
DEBUG ( 10 , ( " _lsa_priv_get_dispname: doesn't exist \n " ) ) ;
2005-01-17 18:23:11 +03:00
2005-01-13 21:20:37 +03:00
r_u - > ptr_info = 0 ;
2005-01-17 18:23:11 +03:00
2001-11-22 20:19:59 +03:00
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
_lsa_enum_accounts .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_enum_accounts ( pipes_struct * p , LSA_Q_ENUM_ACCOUNTS * q_u , LSA_R_ENUM_ACCOUNTS * r_u )
2001-07-09 22:32:54 +04:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle ;
2005-01-13 21:20:37 +03:00
DOM_SID * sid_list ;
int i , j , num_entries ;
2001-07-09 22:32:54 +04:00
LSA_SID_ENUM * sids = & r_u - > sids ;
2005-01-13 21:20:37 +03:00
NTSTATUS ret ;
2001-07-09 22:32:54 +04:00
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE ;
2001-12-18 02:03:23 +03:00
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2005-01-13 21:20:37 +03:00
sid_list = NULL ;
num_entries = 0 ;
/* The only way we can currently find out all the SIDs that have been
privileged is to scan all privileges */
if ( ! NT_STATUS_IS_OK ( ret = privilege_enumerate_accounts ( & sid_list , & num_entries ) ) ) {
return ret ;
2003-11-24 20:31:38 +03:00
}
2001-07-09 22:32:54 +04:00
2001-11-23 18:11:22 +03:00
if ( q_u - > enum_context > = num_entries )
return NT_STATUS_NO_MORE_ENTRIES ;
2004-12-07 21:25:53 +03:00
sids - > ptr_sid = TALLOC_ZERO_ARRAY ( p - > mem_ctx , uint32 , num_entries - q_u - > enum_context ) ;
sids - > sid = TALLOC_ZERO_ARRAY ( p - > mem_ctx , DOM_SID2 , num_entries - q_u - > enum_context ) ;
2001-07-09 22:32:54 +04:00
if ( sids - > ptr_sid = = NULL | | sids - > sid = = NULL ) {
2005-01-13 21:20:37 +03:00
SAFE_FREE ( sid_list ) ;
2001-07-09 22:32:54 +04:00
return NT_STATUS_NO_MEMORY ;
}
2005-01-13 21:20:37 +03:00
for ( i = q_u - > enum_context , j = 0 ; i < num_entries ; i + + , j + + ) {
init_dom_sid2 ( & ( * sids ) . sid [ j ] , & sid_list [ i ] ) ;
( * sids ) . ptr_sid [ j ] = 1 ;
2001-07-09 22:32:54 +04:00
}
2005-01-13 21:20:37 +03:00
SAFE_FREE ( sid_list ) ;
2001-07-09 22:32:54 +04:00
2005-01-13 21:20:37 +03:00
init_lsa_r_enum_accounts ( r_u , num_entries ) ;
2001-07-09 22:32:54 +04:00
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK ;
2001-07-09 22:32:54 +04:00
}
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_unk_get_connuser ( pipes_struct * p , LSA_Q_UNK_GET_CONNUSER * q_u , LSA_R_UNK_GET_CONNUSER * r_u )
2001-06-30 03:12:55 +04:00
{
2001-12-18 02:03:23 +03:00
fstring username , domname ;
user_struct * vuser = get_valid_user_struct ( p - > vuid ) ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
if ( vuser = = NULL )
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
fstrcpy ( username , vuser - > user . smb_name ) ;
fstrcpy ( domname , vuser - > user . domain ) ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
r_u - > ptr_user_name = 1 ;
2003-09-26 01:26:16 +04:00
init_unistr2 ( & r_u - > uni2_user_name , username , UNI_STR_TERMINATE ) ;
init_uni_hdr ( & r_u - > hdr_user_name , & r_u - > uni2_user_name ) ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
r_u - > unk1 = 1 ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
r_u - > ptr_dom_name = 1 ;
2003-09-26 01:26:16 +04:00
init_unistr2 ( & r_u - > uni2_dom_name , domname , UNI_STR_TERMINATE ) ;
init_uni_hdr ( & r_u - > hdr_dom_name , & r_u - > uni2_dom_name ) ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
r_u - > status = NT_STATUS_OK ;
2001-06-30 03:12:55 +04:00
2001-12-18 02:03:23 +03:00
return r_u - > status ;
2001-06-30 03:12:55 +04:00
}
2001-07-09 22:32:54 +04:00
/***************************************************************************
2005-01-13 21:20:37 +03:00
Lsa Create Account
2001-07-09 22:32:54 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-13 21:20:37 +03:00
NTSTATUS _lsa_create_account ( pipes_struct * p , LSA_Q_CREATEACCOUNT * q_u , LSA_R_CREATEACCOUNT * r_u )
2001-07-09 22:32:54 +04:00
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle ;
2001-07-09 22:32:54 +04:00
struct lsa_info * info ;
2005-01-13 21:20:37 +03:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2005-01-13 21:20:37 +03:00
return NT_STATUS_INVALID_HANDLE ;
/* check if the user have enough rights */
/*
* I don ' t know if it ' s the right one . not documented .
* but guessed with rpcclient .
*/
if ( ! ( handle - > access & POLICY_GET_PRIVATE_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2005-01-15 00:05:54 +03:00
/* check to see if the pipe_user is a Domain Admin since
account_pol . tdb was already opened as root , this is all we have */
if ( ! nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED ;
2005-01-18 21:29:28 +03:00
2005-02-06 04:12:15 +03:00
if ( is_privileged_sid ( & q_u - > sid . sid ) )
2005-01-18 21:29:28 +03:00
return NT_STATUS_OBJECT_NAME_COLLISION ;
2005-01-15 00:05:54 +03:00
2005-01-13 21:20:37 +03:00
/* associate the user/group SID with the (unique) handle. */
2005-01-15 00:05:54 +03:00
2005-01-13 21:20:37 +03:00
if ( ( info = SMB_MALLOC_P ( struct lsa_info ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
ZERO_STRUCTP ( info ) ;
info - > sid = q_u - > sid . sid ;
info - > access = q_u - > access ;
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > pol , free_lsa_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
return privilege_create_account ( & info - > sid ) ;
}
/***************************************************************************
Lsa Open Account
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_open_account ( pipes_struct * p , LSA_Q_OPENACCOUNT * q_u , LSA_R_OPENACCOUNT * r_u )
{
struct lsa_info * handle ;
struct lsa_info * info ;
2001-07-09 22:32:54 +04:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE ;
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
/*
* I don ' t know if it ' s the right one . not documented .
* but guessed with rpcclient .
*/
if ( ! ( handle - > access & POLICY_GET_PRIVATE_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2005-01-13 21:20:37 +03:00
/* TODO: Fis the parsing routine before reenabling this check! */
#if 0
if ( ! lookup_sid ( & handle - > sid , dom_name , name , & type ) )
return NT_STATUS_ACCESS_DENIED ;
# endif
2001-07-09 22:32:54 +04:00
/* associate the user/group SID with the (unique) handle. */
2004-12-07 21:25:53 +03:00
if ( ( info = SMB_MALLOC_P ( struct lsa_info ) ) = = NULL )
2001-07-09 22:32:54 +04:00
return NT_STATUS_NO_MEMORY ;
ZERO_STRUCTP ( info ) ;
info - > sid = q_u - > sid . sid ;
info - > access = q_u - > access ;
/* get a (unique) handle. open a policy on it. */
if ( ! create_policy_hnd ( p , & r_u - > pol , free_lsa_info , ( void * ) info ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK ;
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
2001-11-23 18:11:22 +03:00
For a given SID , enumerate all the privilege this account has .
2001-07-09 22:32:54 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-10-06 05:38:46 +04:00
NTSTATUS _lsa_enum_privsaccount ( pipes_struct * p , prs_struct * ps , LSA_Q_ENUMPRIVSACCOUNT * q_u , LSA_R_ENUMPRIVSACCOUNT * r_u )
2001-07-09 22:32:54 +04:00
{
struct lsa_info * info = NULL ;
2005-01-17 18:23:11 +03:00
SE_PRIV mask ;
PRIVILEGE_SET privileges ;
2001-07-09 22:32:54 +04:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-17 18:23:11 +03:00
if ( ! get_privileges_for_sids ( & mask , & info - > sid , 1 ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2001-07-09 22:32:54 +04:00
2005-01-17 18:23:11 +03:00
privilege_set_init ( & privileges ) ;
2001-11-29 19:05:05 +03:00
2005-01-17 18:23:11 +03:00
if ( se_priv_to_privilege_set ( & privileges , & mask ) ) {
2001-07-09 22:32:54 +04:00
2005-01-17 18:23:11 +03:00
DEBUG ( 10 , ( " _lsa_enum_privsaccount: %s has %d privileges \n " ,
sid_string_static ( & info - > sid ) , privileges . count ) ) ;
2003-06-18 19:24:10 +04:00
2005-01-17 18:23:11 +03:00
r_u - > status = init_lsa_r_enum_privsaccount ( ps - > mem_ctx , r_u , privileges . set , privileges . count , 0 ) ;
}
else
r_u - > status = NT_STATUS_NO_SUCH_PRIVILEGE ;
2001-07-09 22:32:54 +04:00
2005-01-17 18:23:11 +03:00
privilege_set_free ( & privileges ) ;
return r_u - > status ;
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _lsa_getsystemaccount ( pipes_struct * p , LSA_Q_GETSYSTEMACCOUNT * q_u , LSA_R_GETSYSTEMACCOUNT * r_u )
2001-07-09 22:32:54 +04:00
{
2001-11-29 19:05:05 +03:00
struct lsa_info * info = NULL ;
2001-07-09 22:32:54 +04:00
/* find the connection policy handle. */
2005-01-13 21:20:37 +03:00
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE ;
2005-12-03 21:34:13 +03:00
if ( ! lookup_sid ( p - > mem_ctx , & info - > sid , NULL , NULL , NULL ) )
2005-01-13 21:20:37 +03:00
return NT_STATUS_ACCESS_DENIED ;
2001-11-29 19:05:05 +03:00
/*
0x01 - > Log on locally
0x02 - > Access this computer from network
0x04 - > Log on as a batch job
0x10 - > Log on as a service
they can be ORed together
*/
2003-06-18 19:24:10 +04:00
r_u - > access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK ;
2001-07-09 22:32:54 +04:00
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK ;
2001-07-09 22:32:54 +04:00
}
2001-11-29 19:05:05 +03:00
/***************************************************************************
update the systemaccount information
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_setsystemaccount ( pipes_struct * p , LSA_Q_SETSYSTEMACCOUNT * q_u , LSA_R_SETSYSTEMACCOUNT * r_u )
{
struct lsa_info * info = NULL ;
GROUP_MAP map ;
r_u - > status = NT_STATUS_OK ;
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2001-11-29 19:05:05 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-15 00:05:54 +03:00
/* check to see if the pipe_user is a Domain Admin since
account_pol . tdb was already opened as root , this is all we have */
if ( ! nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED ;
2003-06-18 19:24:10 +04:00
if ( ! pdb_getgrsid ( & map , info - > sid ) )
2001-11-29 19:05:05 +03:00
return NT_STATUS_NO_SUCH_GROUP ;
2006-02-04 01:19:41 +03:00
return pdb_update_group_mapping_entry ( & map ) ;
2001-11-29 19:05:05 +03:00
}
/***************************************************************************
For a given SID , add some privileges .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_addprivs ( pipes_struct * p , LSA_Q_ADDPRIVS * q_u , LSA_R_ADDPRIVS * r_u )
{
2003-10-06 05:38:46 +04:00
struct lsa_info * info = NULL ;
2005-01-17 18:23:11 +03:00
SE_PRIV mask ;
2003-10-06 05:38:46 +04:00
PRIVILEGE_SET * set = NULL ;
2005-01-28 19:55:09 +03:00
struct current_user user ;
2001-11-29 19:05:05 +03:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2001-11-29 19:05:05 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-15 00:05:54 +03:00
2005-01-28 19:55:09 +03:00
/* check to see if the pipe_user is root or a Domain Admin since
2005-01-15 00:05:54 +03:00
account_pol . tdb was already opened as root , this is all we have */
2005-03-10 21:50:47 +03:00
2005-01-28 19:55:09 +03:00
get_current_user ( & user , p ) ;
2006-02-02 23:44:50 +03:00
if ( user . ut . uid ! = sec_initial_uid ( )
2005-01-28 19:55:09 +03:00
& & ! nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) )
{
2005-01-15 00:05:54 +03:00
return NT_STATUS_ACCESS_DENIED ;
2005-01-28 19:55:09 +03:00
}
2001-11-29 19:05:05 +03:00
2003-10-06 05:38:46 +04:00
set = & q_u - > set ;
2001-11-29 19:05:05 +03:00
2005-01-17 18:23:11 +03:00
if ( ! privilege_set_to_se_priv ( & mask , set ) )
return NT_STATUS_NO_SUCH_PRIVILEGE ;
2005-01-13 21:20:37 +03:00
2005-01-17 18:23:11 +03:00
if ( ! grant_privilege ( & info - > sid , & mask ) ) {
DEBUG ( 3 , ( " _lsa_addprivs: grant_privilege(%s) failed! \n " ,
sid_string_static ( & info - > sid ) ) ) ;
DEBUG ( 3 , ( " Privilege mask: \n " ) ) ;
dump_se_priv ( DBGC_ALL , 3 , & mask ) ;
return NT_STATUS_NO_SUCH_PRIVILEGE ;
2001-11-29 19:05:05 +03:00
}
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK ;
2001-11-29 19:05:05 +03:00
}
/***************************************************************************
For a given SID , remove some privileges .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_removeprivs ( pipes_struct * p , LSA_Q_REMOVEPRIVS * q_u , LSA_R_REMOVEPRIVS * r_u )
{
2003-10-06 05:38:46 +04:00
struct lsa_info * info = NULL ;
2005-01-17 18:23:11 +03:00
SE_PRIV mask ;
2003-10-06 05:38:46 +04:00
PRIVILEGE_SET * set = NULL ;
2005-01-28 19:55:09 +03:00
struct current_user user ;
2001-11-29 19:05:05 +03:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2001-11-29 19:05:05 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-01-28 19:55:09 +03:00
/* check to see if the pipe_user is root or a Domain Admin since
2005-01-15 00:05:54 +03:00
account_pol . tdb was already opened as root , this is all we have */
2005-03-10 21:50:47 +03:00
2005-01-28 19:55:09 +03:00
get_current_user ( & user , p ) ;
2006-02-02 23:44:50 +03:00
if ( user . ut . uid ! = sec_initial_uid ( )
2005-01-28 19:55:09 +03:00
& & ! nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) )
{
2005-01-15 00:05:54 +03:00
return NT_STATUS_ACCESS_DENIED ;
2005-01-28 19:55:09 +03:00
}
2005-01-15 00:05:54 +03:00
2003-10-06 05:38:46 +04:00
set = & q_u - > set ;
2001-11-29 19:05:05 +03:00
2005-01-17 18:23:11 +03:00
if ( ! privilege_set_to_se_priv ( & mask , set ) )
return NT_STATUS_NO_SUCH_PRIVILEGE ;
2005-01-13 21:20:37 +03:00
2005-01-17 18:23:11 +03:00
if ( ! revoke_privilege ( & info - > sid , & mask ) ) {
DEBUG ( 3 , ( " _lsa_removeprivs: revoke_privilege(%s) failed! \n " ,
sid_string_static ( & info - > sid ) ) ) ;
DEBUG ( 3 , ( " Privilege mask: \n " ) ) ;
dump_se_priv ( DBGC_ALL , 3 , & mask ) ;
return NT_STATUS_NO_SUCH_PRIVILEGE ;
2001-11-29 19:05:05 +03:00
}
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK ;
2001-11-29 19:05:05 +03:00
}
2001-12-14 20:31:48 +03:00
/***************************************************************************
For a given SID , remove some privileges .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_query_secobj ( pipes_struct * p , LSA_Q_QUERY_SEC_OBJ * q_u , LSA_R_QUERY_SEC_OBJ * r_u )
{
2001-12-18 02:03:23 +03:00
struct lsa_info * handle = NULL ;
2001-12-14 20:31:48 +03:00
SEC_DESC * psd = NULL ;
size_t sd_size ;
2001-12-18 02:03:23 +03:00
NTSTATUS status ;
2001-12-14 20:31:48 +03:00
r_u - > status = NT_STATUS_OK ;
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2001-12-14 20:31:48 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-12-18 02:03:23 +03:00
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
2001-12-14 20:31:48 +03:00
switch ( q_u - > sec_info ) {
case 1 :
/* SD contains only the owner */
2001-12-18 02:03:23 +03:00
status = lsa_get_generic_sd ( p - > mem_ctx , & psd , & sd_size ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
2001-12-14 20:31:48 +03:00
return NT_STATUS_NO_MEMORY ;
2001-12-18 02:03:23 +03:00
2001-12-14 20:31:48 +03:00
if ( ( r_u - > buf = make_sec_desc_buf ( p - > mem_ctx , sd_size , psd ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
break ;
case 4 :
/* SD contains only the ACL */
2001-12-18 02:03:23 +03:00
status = lsa_get_generic_sd ( p - > mem_ctx , & psd , & sd_size ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
2001-12-14 20:31:48 +03:00
return NT_STATUS_NO_MEMORY ;
if ( ( r_u - > buf = make_sec_desc_buf ( p - > mem_ctx , sd_size , psd ) ) = = NULL )
return NT_STATUS_NO_MEMORY ;
break ;
default :
return NT_STATUS_INVALID_LEVEL ;
}
r_u - > ptr = 1 ;
return r_u - > status ;
}
2005-03-10 21:50:47 +03:00
#if 0 /* AD DC work in ongoing in Samba 4 */
2005-01-15 05:20:30 +03:00
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-12-14 20:31:48 +03:00
2002-08-17 19:34:15 +04:00
NTSTATUS _lsa_query_info2 ( pipes_struct * p , LSA_Q_QUERY_INFO2 * q_u , LSA_R_QUERY_INFO2 * r_u )
{
struct lsa_info * handle ;
2002-11-13 02:20:50 +03:00
const char * nb_name ;
2002-08-17 19:34:15 +04:00
char * dns_name = NULL ;
char * forest_name = NULL ;
DOM_SID * sid = NULL ;
2004-04-13 18:39:48 +04:00
struct uuid guid ;
2003-04-22 11:28:41 +04:00
fstring dnsdomname ;
2002-08-17 19:34:15 +04:00
ZERO_STRUCT ( guid ) ;
r_u - > status = NT_STATUS_OK ;
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & handle ) )
2002-08-17 19:34:15 +04:00
return NT_STATUS_INVALID_HANDLE ;
switch ( q_u - > info_class ) {
case 0x0c :
/* check if the user have enough rights */
if ( ! ( handle - > access & POLICY_VIEW_LOCAL_INFORMATION ) )
return NT_STATUS_ACCESS_DENIED ;
/* Request PolicyPrimaryDomainInformation. */
switch ( lp_server_role ( ) ) {
case ROLE_DOMAIN_PDC :
case ROLE_DOMAIN_BDC :
2003-05-07 12:21:06 +04:00
nb_name = get_global_sam_name ( ) ;
2002-08-17 19:34:15 +04:00
/* ugly temp hack for these next two */
2003-04-22 11:28:41 +04:00
/* This should be a 'netbios domain -> DNS domain' mapping */
dnsdomname [ 0 ] = ' \0 ' ;
2004-01-30 21:38:48 +03:00
get_mydnsdomname ( dnsdomname ) ;
2003-07-03 23:11:31 +04:00
strlower_m ( dnsdomname ) ;
2003-04-22 11:28:41 +04:00
dns_name = dnsdomname ;
forest_name = dnsdomname ;
2002-08-17 19:34:15 +04:00
sid = get_global_sam_sid ( ) ;
2002-11-13 02:20:50 +03:00
secrets_fetch_domain_guid ( lp_workgroup ( ) , & guid ) ;
2002-08-17 19:34:15 +04:00
break ;
default :
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
}
init_dns_dom_info ( & r_u - > info . dns_dom_info , nb_name , dns_name ,
forest_name , & guid , sid ) ;
break ;
default :
DEBUG ( 0 , ( " _lsa_query_info2: unknown info level in Lsa Query: %d \n " , q_u - > info_class ) ) ;
r_u - > status = NT_STATUS_INVALID_INFO_CLASS ;
break ;
}
if ( NT_STATUS_IS_OK ( r_u - > status ) ) {
r_u - > ptr = 0x1 ;
r_u - > info_class = q_u - > info_class ;
}
return r_u - > status ;
}
2005-03-10 21:50:47 +03:00
# endif /* AD DC work in ongoing in Samba 4 */
2005-01-15 05:20:30 +03:00
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_add_acct_rights ( pipes_struct * p , LSA_Q_ADD_ACCT_RIGHTS * q_u , LSA_R_ADD_ACCT_RIGHTS * r_u )
{
struct lsa_info * info = NULL ;
int i = 0 ;
DOM_SID sid ;
fstring privname ;
2005-03-26 09:52:56 +03:00
UNISTR4_ARRAY * uni_privnames = q_u - > rights ;
2005-02-14 04:13:14 +03:00
struct current_user user ;
2005-01-15 05:20:30 +03:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2005-01-15 05:20:30 +03:00
return NT_STATUS_INVALID_HANDLE ;
/* check to see if the pipe_user is a Domain Admin since
account_pol . tdb was already opened as root , this is all we have */
2005-02-14 04:13:14 +03:00
get_current_user ( & user , p ) ;
2006-02-02 23:44:50 +03:00
if ( user . ut . uid ! = sec_initial_uid ( )
2005-02-14 04:13:14 +03:00
& & ! nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) )
{
2005-01-15 05:20:30 +03:00
return NT_STATUS_ACCESS_DENIED ;
2005-02-14 04:13:14 +03:00
}
2005-01-15 05:20:30 +03:00
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account ( ) first . And you can use any arbitrary SID . */
sid_copy ( & sid , & q_u - > sid . sid ) ;
/* just a little sanity check */
if ( q_u - > count ! = uni_privnames - > count ) {
DEBUG ( 0 , ( " _lsa_add_acct_rights: count != number of UNISTR2 elements! \n " ) ) ;
return NT_STATUS_INVALID_HANDLE ;
}
for ( i = 0 ; i < q_u - > count ; i + + ) {
2005-03-26 09:52:56 +03:00
UNISTR4 * uni4_str = & uni_privnames - > strings [ i ] ;
2005-01-15 05:20:30 +03:00
/* only try to add non-null strings */
2005-03-26 09:52:56 +03:00
if ( ! uni4_str - > string )
continue ;
rpcstr_pull ( privname , uni4_str - > string - > buffer , sizeof ( privname ) , - 1 , STR_TERMINATE ) ;
2005-01-15 05:20:30 +03:00
2005-03-26 09:52:56 +03:00
if ( ! grant_privilege_by_name ( & sid , privname ) ) {
2005-01-15 05:20:30 +03:00
DEBUG ( 2 , ( " _lsa_add_acct_rights: Failed to add privilege [%s] \n " , privname ) ) ;
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
}
return NT_STATUS_OK ;
}
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _lsa_remove_acct_rights ( pipes_struct * p , LSA_Q_REMOVE_ACCT_RIGHTS * q_u , LSA_R_REMOVE_ACCT_RIGHTS * r_u )
{
struct lsa_info * info = NULL ;
int i = 0 ;
DOM_SID sid ;
fstring privname ;
2005-03-26 09:52:56 +03:00
UNISTR4_ARRAY * uni_privnames = q_u - > rights ;
2005-02-14 04:13:14 +03:00
struct current_user user ;
2005-01-15 05:20:30 +03:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2005-01-15 05:20:30 +03:00
return NT_STATUS_INVALID_HANDLE ;
/* check to see if the pipe_user is a Domain Admin since
account_pol . tdb was already opened as root , this is all we have */
2005-02-14 04:13:14 +03:00
get_current_user ( & user , p ) ;
2006-02-02 23:44:50 +03:00
if ( user . ut . uid ! = sec_initial_uid ( )
2005-02-14 04:13:14 +03:00
& & ! nt_token_check_domain_rid ( p - > pipe_user . nt_user_token , DOMAIN_GROUP_RID_ADMINS ) )
{
2005-01-15 05:20:30 +03:00
return NT_STATUS_ACCESS_DENIED ;
2005-02-14 04:13:14 +03:00
}
2005-01-15 05:20:30 +03:00
sid_copy ( & sid , & q_u - > sid . sid ) ;
if ( q_u - > removeall ) {
2005-01-17 18:23:11 +03:00
if ( ! revoke_all_privileges ( & sid ) )
2005-01-15 05:20:30 +03:00
return NT_STATUS_ACCESS_DENIED ;
return NT_STATUS_OK ;
}
/* just a little sanity check */
if ( q_u - > count ! = uni_privnames - > count ) {
DEBUG ( 0 , ( " _lsa_add_acct_rights: count != number of UNISTR2 elements! \n " ) ) ;
return NT_STATUS_INVALID_HANDLE ;
}
for ( i = 0 ; i < q_u - > count ; i + + ) {
2005-03-26 09:52:56 +03:00
UNISTR4 * uni4_str = & uni_privnames - > strings [ i ] ;
2005-01-15 05:20:30 +03:00
/* only try to add non-null strings */
2005-03-26 09:52:56 +03:00
if ( ! uni4_str - > string )
continue ;
rpcstr_pull ( privname , uni4_str - > string - > buffer , sizeof ( privname ) , - 1 , STR_TERMINATE ) ;
2005-01-15 05:20:30 +03:00
2005-03-26 09:52:56 +03:00
if ( ! revoke_privilege_by_name ( & sid , privname ) ) {
2005-01-15 06:54:03 +03:00
DEBUG ( 2 , ( " _lsa_remove_acct_rights: Failed to revoke privilege [%s] \n " , privname ) ) ;
2005-01-15 05:20:30 +03:00
return NT_STATUS_NO_SUCH_PRIVILEGE ;
}
}
return NT_STATUS_OK ;
}
2005-03-26 09:52:56 +03:00
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-01-15 06:54:03 +03:00
NTSTATUS _lsa_enum_acct_rights ( pipes_struct * p , LSA_Q_ENUM_ACCT_RIGHTS * q_u , LSA_R_ENUM_ACCT_RIGHTS * r_u )
{
struct lsa_info * info = NULL ;
DOM_SID sid ;
PRIVILEGE_SET privileges ;
2005-01-17 18:23:11 +03:00
SE_PRIV mask ;
2005-01-15 06:54:03 +03:00
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2005-01-15 06:54:03 +03:00
return NT_STATUS_INVALID_HANDLE ;
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account ( ) first . And you can use any arbitrary SID . */
sid_copy ( & sid , & q_u - > sid . sid ) ;
2005-01-17 18:23:11 +03:00
if ( ! get_privileges_for_sids ( & mask , & sid , 1 ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2005-01-15 06:54:03 +03:00
privilege_set_init ( & privileges ) ;
2005-01-17 18:23:11 +03:00
if ( se_priv_to_privilege_set ( & privileges , & mask ) ) {
DEBUG ( 10 , ( " _lsa_enum_acct_rights: %s has %d privileges \n " ,
sid_string_static ( & sid ) , privileges . count ) ) ;
2005-01-15 06:54:03 +03:00
2005-01-17 18:23:11 +03:00
r_u - > status = init_r_enum_acct_rights ( r_u , & privileges ) ;
}
else
r_u - > status = NT_STATUS_NO_SUCH_PRIVILEGE ;
2005-01-15 06:54:03 +03:00
privilege_set_free ( & privileges ) ;
return r_u - > status ;
}
2005-03-26 09:52:56 +03:00
/***************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-03-10 21:50:47 +03:00
NTSTATUS _lsa_lookup_priv_value ( pipes_struct * p , LSA_Q_LOOKUP_PRIV_VALUE * q_u , LSA_R_LOOKUP_PRIV_VALUE * r_u )
{
struct lsa_info * info = NULL ;
fstring name ;
LUID_ATTR priv_luid ;
SE_PRIV mask ;
/* find the connection policy handle. */
2005-12-03 09:46:46 +03:00
if ( ! find_policy_by_hnd ( p , & q_u - > pol , ( void * * ) ( void * ) & info ) )
2005-03-10 21:50:47 +03:00
return NT_STATUS_INVALID_HANDLE ;
unistr2_to_ascii ( name , & q_u - > privname . unistring , sizeof ( name ) ) ;
2005-06-29 20:35:32 +04:00
DEBUG ( 10 , ( " _lsa_lookup_priv_value: name = %s \n " , name ) ) ;
2005-03-10 21:50:47 +03:00
if ( ! se_priv_from_name ( name , & mask ) )
return NT_STATUS_NO_SUCH_PRIVILEGE ;
priv_luid = get_privilege_luid ( & mask ) ;
r_u - > luid . low = priv_luid . luid . low ;
r_u - > luid . high = priv_luid . luid . high ;
return NT_STATUS_OK ;
}