| blob | ce6d9dd37ec4f323d0dcbc15c8c5870f56844a60 |
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003,
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 */
28 /*
29 * This is the implementation of the SAMR code.
30 */
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
45 BOOL user_dbloaded;
46 uint32 num_user_account;
48 BOOL group_dbloaded;
49 uint32 num_group_account;
54 /* for use by the \PIPE\samr policy */
55 DOM_SID sid;
57 uint32 acc_granted;
58 uint16 acb_mask;
59 BOOL all_machines;
60 DISP_INFO disp_info;
63 };
65 struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
66 struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
67 struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
68 struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
69 struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
73 /*******************************************************************
74 Checks if access to an object should be granted, and returns that
75 level of access for further checks.
76 ********************************************************************/
78 NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
80 {
90 }
94 }
95 }
97 }
99 /*******************************************************************
100 Checks if access to a function can be granted
101 ********************************************************************/
104 {
113 }
117 }
119 }
122 /*******************************************************************
123 Create a samr_info struct.
124 ********************************************************************/
127 {
129 fstring sid_str;
136 }
149 }
152 }
154 /*******************************************************************
155 Function to free the per handle data.
156 ********************************************************************/
159 {
165 /* Not really a free, actually a 'clear' */
167 }
168 }
171 }
173 /*******************************************************************
174 Function to free the per handle data.
175 ********************************************************************/
178 {
179 /* Groups are talloced */
185 }
188 {
193 }
195 /*******************************************************************
196 Ensure password info is never given out. Paranioa... JRA.
197 ********************************************************************/
200 {
205 /* These now zero out the old password */
209 }
213 {
221 /* if the snapshoot is already loaded, return */
227 }
234 }
242 DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask));
245 }
251 }
252 }
254 /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */
265 }
267 /* Copy the SAM_ACCOUNT into the array */
273 }
277 /* the snapshoot is in memory, we're ready to enumerate fast */
286 }
289 {
293 uint32 i;
295 BOOL ret;
299 /* if the snapshoot is already loaded, return */
303 }
306 /* No domain groups for now in the BUILTIN domain */
311 }
320 }
330 }
339 }
343 /* the snapshoot is in memory, we're ready to enumerate fast */
350 }
353 /*******************************************************************
354 _samr_close_hnd
355 ********************************************************************/
358 {
361 /* close the policy handle */
368 }
370 /*******************************************************************
371 samr_reply_open_domain
372 ********************************************************************/
375 {
378 uint32 acc_granted;
381 NTSTATUS status;
385 /* find the connection policy handle. */
389 if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) {
391 }
393 /*check if access can be granted as requested by client. */
401 }
403 /* associate the domain SID with the (unique) handle. */
408 /* get a (unique) handle. open a policy on it. */
415 }
417 /*******************************************************************
418 _samr_get_usrdom_pwinfo
419 ********************************************************************/
421 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
422 {
427 /* find the policy handle. open a policy on it. */
438 /*
439 * NT sometimes return NT_STATUS_ACCESS_DENIED
440 * I don't know yet why.
441 */
444 }
446 /*******************************************************************
447 samr_make_dom_obj_sd
448 ********************************************************************/
451 {
453 DOM_SID adm_sid;
454 DOM_SID act_sid;
457 SEC_ACCESS mask;
467 /*basic access for every one*/
471 /*full access for builtin aliases Administrators and Account Operators*/
479 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
483 }
485 /*******************************************************************
486 samr_make_usr_obj_sd
487 ********************************************************************/
489 static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid)
490 {
492 DOM_SID adm_sid;
493 DOM_SID act_sid;
496 SEC_ACCESS mask;
506 /*basic access for every one*/
510 /*full access for builtin aliases Administrators and Account Operators*/
515 /*extended access for the user*/
516 init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM);
522 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
526 }
528 /*******************************************************************
529 samr_make_grp_obj_sd
530 ********************************************************************/
533 {
535 DOM_SID adm_sid;
536 DOM_SID act_sid;
539 SEC_ACCESS mask;
549 /*basic access for every one*/
553 /*full access for builtin aliases Administrators and Account Operators*/
561 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
565 }
567 /*******************************************************************
568 samr_make_ali_obj_sd
569 ********************************************************************/
572 {
574 DOM_SID adm_sid;
575 DOM_SID act_sid;
578 SEC_ACCESS mask;
588 /*basic access for every one*/
592 /*full access for builtin aliases Administrators and Account Operators*/
600 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
604 }
606 static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted)
607 {
610 /* find the policy handle. open a policy on it. */
620 }
622 /*******************************************************************
623 _samr_set_sec_obj
624 ********************************************************************/
627 {
630 }
633 /*******************************************************************
634 _samr_query_sec_obj
635 ********************************************************************/
637 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
638 {
639 DOM_SID pol_sid;
640 fstring str_sid;
643 uint32 acc_granted;
647 /* Get the SID. */
653 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
655 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
657 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
659 {
662 }
665 {
666 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
668 }
670 {
671 /* TODO: Builtin probably needs a different SD with restricted write access*/
672 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
674 }
677 {
678 /* TODO: different SDs have to be generated for aliases groups and users.
679 Currently all three get a default user SD */
680 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
682 }
692 }
694 /*******************************************************************
695 makes a SAM_ENTRY / UNISTR2* structure from a user list.
696 ********************************************************************/
698 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
701 {
702 uint32 i;
706 UNISTR2 uni_temp_name;
709 uint32 user_rid;
710 fstring user_sid_string;
711 fstring domain_sid_string;
726 }
737 temp_name,
741 }
745 }
750 }
752 /*******************************************************************
753 samr_reply_enum_dom_users
754 ********************************************************************/
758 {
764 uint32 temp_size;
768 DOM_SID domain_sid;
772 /* find the policy handle. open a policy on it. */
779 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
782 }
798 }
800 /* verify we won't overflow */
804 }
806 /* calculate the size and limit on the number of entries we will return */
812 }
814 /*
815 * Note from JRA. total_entries is not being used here. Currently if there is a
816 * large user base then it looks like NT will enumerate until get_sampwd_entries
817 * returns False due to num_entries being zero. This will cause an access denied
818 * return. I don't think this is right and needs further investigation. Note that
819 * this is also the same in the TNG code (I don't think that has been tested with
820 * a very large user list as MAX_SAM_ENTRIES is set to 600).
821 *
822 * I also think that one of the 'num_entries' return parameters is probably
823 * the "max entries" parameter - but in the TNG code they're all currently set to the same
824 * value (again I think this is wrong).
825 */
845 }
847 /*******************************************************************
848 makes a SAM_ENTRY / UNISTR2* structure from a group list.
849 ********************************************************************/
851 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
853 {
854 uint32 i;
871 }
874 /*
875 * JRA. I think this should include the null. TNG does not.
876 */
879 }
883 }
885 /*******************************************************************
886 Get the group entries - similar to get_sampwd_entries().
887 ******************************************************************/
892 {
900 /* access checks for the users were performed higher up. become/unbecome_root()
901 needed for some passdb backends to enumerate groups */
905 ENUM_ONLY_MAPPED);
910 /* limit the number of entries */
914 }
920 }
927 }
937 }
939 /*******************************************************************
940 Wrapper for enumerating local groups
941 ******************************************************************/
946 {
949 BOOL res;
967 }
974 }
978 }
980 /*******************************************************************
981 samr_reply_enum_dom_groups
982 ********************************************************************/
984 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
985 {
987 uint32 num_entries;
988 DOM_SID sid;
989 uint32 acc_granted;
996 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
998 }
1002 /* the domain group array is being allocated in the function below */
1003 if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) {
1005 }
1014 }
1017 /*******************************************************************
1018 samr_reply_enum_dom_aliases
1019 ********************************************************************/
1021 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
1022 {
1025 fstring sid_str;
1026 DOM_SID sid;
1027 NTSTATUS status;
1028 uint32 acc_granted;
1035 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
1037 }
1048 /*safe_free(grp);*/
1055 }
1057 /*******************************************************************
1058 samr_reply_query_dispinfo
1059 ********************************************************************/
1063 {
1073 NTSTATUS disp_ret;
1077 DOM_SID domain_sid;
1082 /* find the policy handle. open a policy on it. */
1088 /*
1089 * calculate how many entries we will return.
1090 * based on
1091 * - the number of entries the client asked
1092 * - our limit on that
1093 * - the starting point (enumeration context)
1094 * - the buffer size the client will accept
1095 */
1097 /*
1098 * We are a lot more like W2K. Instead of reading the SAM
1099 * each time to find the records we need to send back,
1100 * we read it once and link that copy to the sam handle.
1101 * For large user list (over the MAX_SAM_ENTRIES)
1102 * it's a definitive win.
1103 * second point to notice: between enumerations
1104 * our sam is now the same as it's a snapshoot.
1105 * third point: got rid of the static SAM_USER_21 struct
1106 * no more intermediate.
1107 * con: it uses much more memory, as a full copy is stored
1108 * in memory.
1109 *
1110 * If you want to change it, think twice and think
1111 * of the second point , that's really important.
1112 *
1113 * JFM, 12/20/2001
1114 */
1116 /* Get what we need from the password database */
1119 /* When playing with usrmgr, this is necessary
1120 if you want immediate refresh after editing
1121 a user. I would like to do this after the
1122 setuserinfo2, but we do not have access to
1123 the domain handle in that call, only to the
1124 user handle. Where else does this hurt?
1125 -- Volker
1126 */
1127 #if 0
1128 /* We cannot do this here - it kills performace. JRA. */
1130 #endif
1134 /* Level 2 is for all machines, otherwise only 'normal' users */
1140 }
1151 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level ));
1153 }
1155 /* first limit the number of entries we will return */
1157 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries));
1159 }
1164 }
1166 /* verify we won't overflow */
1170 }
1172 /* calculate the size and limit on the number of entries we will return */
1178 }
1185 /* Now create reply structure */
1189 if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1))))
1191 }
1199 if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2))))
1201 }
1209 if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_3))))
1211 }
1212 disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);
1218 if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_4))))
1220 }
1221 disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);
1227 if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_5))))
1229 }
1230 disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);
1238 }
1240 /* calculate the total size */
1248 init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status);
1252 }
1254 /*******************************************************************
1255 samr_reply_query_aliasinfo
1256 ********************************************************************/
1258 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1259 {
1260 DOM_SID sid;
1262 uint32 acc_granted;
1263 BOOL ret;
1269 /* find the policy handle. open a policy on it. */
1272 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1274 }
1297 }
1302 }
1304 #if 0
1305 /*******************************************************************
1306 samr_reply_lookup_ids
1307 ********************************************************************/
1310 {
1321 }
1323 #if 0
1328 {
1330 fstring user_name;
1336 /* find the user account */
1342 {
1345 }
1346 else
1347 {
1349 }
1350 }
1351 #endif
1361 }
1362 #endif
1364 /*******************************************************************
1365 _samr_lookup_names
1366 ********************************************************************/
1368 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1369 {
1371 uint32 local_rid;
1376 DOM_SID pol_sid;
1377 fstring sid_str;
1378 uint32 acc_granted;
1390 }
1392 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1394 }
1399 }
1404 fstring name;
1405 DOM_SID sid;
1413 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1415 /*
1416 * we are only looking for a name
1417 * the SID we get back can be outside
1418 * the scope of the pol_sid
1419 *
1420 * in clear: it prevents to reply to domain\group: yes
1421 * when only builtin\group exists.
1422 *
1423 * a cleaner code is to add the sid of the domain we're looking in
1424 * to the local_lookup_name function.
1425 */
1433 /* Windows does not return WKN_GRP here, even
1434 * on lookups in builtin */
1439 }
1440 }
1441 }
1448 }
1450 /*******************************************************************
1451 _samr_chgpasswd_user
1452 ********************************************************************/
1454 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1455 {
1456 fstring user_name;
1457 fstring wks;
1463 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1468 /*
1469 * Pass the user through the NT -> unix user mapping
1470 * function.
1471 */
1475 /*
1476 * UNIX username case mangling not required, pass_oem_change
1477 * is case insensitive.
1478 */
1488 }
1490 /*******************************************************************
1491 makes a SAMR_R_LOOKUP_RIDS structure.
1492 ********************************************************************/
1496 {
1497 uint32 i;
1512 }
1518 }
1524 }
1526 /*******************************************************************
1527 _samr_lookup_rids
1528 ********************************************************************/
1531 {
1536 DOM_SID pol_sid;
1539 uint32 acc_granted;
1545 /* find the policy handle. open a policy on it. */
1552 }
1557 }
1564 fstring tmpname;
1565 fstring domname;
1566 DOM_SID sid;
1581 }
1582 }
1583 }
1595 }
1597 /*******************************************************************
1598 _samr_open_user. Safe - gives out no passwd info.
1599 ********************************************************************/
1602 {
1604 DOM_SID sid;
1609 uint32 acc_granted;
1612 BOOL ret;
1613 NTSTATUS nt_status;
1617 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1621 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) {
1623 }
1628 }
1630 /* append the user's RID to it */
1634 /* check if access can be granted as requested by client. */
1641 }
1647 /* check that the SID exists in our domain. */
1650 }
1654 /* associate the user's SID and access bits with the new handle. */
1659 /* get a (unique) handle. open a policy on it. */
1664 }
1666 /*************************************************************************
1667 get_user_info_10. Safe. Only gives out acb bits.
1668 *************************************************************************/
1670 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid)
1671 {
1673 BOOL ret;
1674 NTSTATUS nt_status;
1680 }
1689 }
1699 }
1701 /*************************************************************************
1702 get_user_info_12. OK - this is the killer as it gives out password info.
1703 Ensure that this is only allowed on an encrypted connection with a root
1704 user. JRA.
1705 *************************************************************************/
1707 static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid)
1708 {
1710 BOOL ret;
1711 NTSTATUS nt_status;
1716 if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL))
1719 /*
1720 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1721 */
1727 }
1735 }
1742 }
1750 }
1752 /*************************************************************************
1753 get_user_info_20
1754 *************************************************************************/
1756 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1757 {
1759 BOOL ret;
1770 }
1782 }
1784 /*************************************************************************
1785 get_user_info_21
1786 *************************************************************************/
1790 {
1792 BOOL ret;
1793 NTSTATUS nt_status;
1798 }
1807 }
1819 }
1821 /*******************************************************************
1822 _samr_query_userinfo
1823 ********************************************************************/
1825 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1826 {
1829 DOM_SID domain_sid;
1830 uint32 rid;
1834 /* search for the handle */
1853 /* ok! user info levels (lots: see MSDEV help), off we go... */
1866 #if 0
1867 /* whoops - got this wrong. i think. or don't understand what's happening. */
1869 {
1870 NTTIME expire;
1877 sizeof
1879 info.
1880 id11));
1889 }
1890 #endif
1897 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid)))
1920 }
1927 }
1929 /*******************************************************************
1930 samr_reply_query_usergroups
1931 ********************************************************************/
1933 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1934 {
1936 DOM_SID sid;
1939 uint32 acc_granted;
1940 BOOL ret;
1942 /*
1943 * from the SID in the request:
1944 * we should send back the list of DOMAIN GROUPS
1945 * the user is a member of
1946 *
1947 * and only the DOMAIN GROUPS
1948 * no ALIASES !!! neither aliases of the domain
1949 * nor aliases of the builtin SID
1950 *
1951 * JFM, 12/2/2001
1952 */
1958 /* find the policy handle. open a policy on it. */
1962 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
1964 }
1978 }
1983 }
1985 /* construct the response. lkclXXXX: gids are not copied! */
1993 }
1995 /*******************************************************************
1996 _samr_query_dom_info
1997 ********************************************************************/
1999 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
2000 {
2009 uint32 lockout;
2012 NTTIME nt_logout;
2014 uint32 account_policy_temp;
2027 /* find the policy handle. open a policy on it. */
2062 }
2070 }
2074 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
2110 }
2117 }
2119 /*******************************************************************
2120 _samr_create_user
2121 Create an account, can be either a normal user or a machine.
2122 This funcion will need to be updated for bdc/domain trusts.
2123 ********************************************************************/
2126 {
2128 fstring account;
2129 DOM_SID sid;
2130 pstring add_script;
2136 BOOL ret;
2137 NTSTATUS nt_status;
2139 uint32 acc_granted;
2143 /* check this, when giving away 'add computer to domain' privs */
2146 /* Get the domain SID stored in the domain policy */
2150 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
2152 }
2154 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
2155 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2156 this parameter is not an account type */
2158 }
2160 /* find the account: tell the caller if it exists.
2161 lkclXXXX i have *no* idea if this is a problem or not
2162 or even if you are supposed to construct a different
2163 reply if the account already exists...
2164 */
2175 /* this account exists: say so */
2178 }
2182 /*
2183 * NB. VERY IMPORTANT ! This call must be done as the current pipe user,
2184 * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures
2185 * that only people with write access to the smbpasswd file will be able
2186 * to create a user. JRA.
2187 */
2189 /*
2190 * add the user in the /etc/passwd file or the unix authority system.
2191 * We don't check if the smb_create_user() function succed or not for 2 reasons:
2192 * a) local_password_change() checks for us if the /etc/passwd account really exists
2193 * b) smb_create_user() would return an error if the account already exists
2194 * and as it could return an error also if it can't create the account, it would be tricky.
2195 *
2196 * So we go the easy way, only check after if the account exists.
2197 * JFM (2/3/2001), to clear any possible bad understanding (-:
2198 *
2199 * We now have seperate script paramaters for adding users/machines so we
2200 * now have some sainity-checking to match.
2201 */
2203 DEBUG(10,("checking account %s at pos %lu for $ termination\n",account, (unsigned long)strlen(account)-1));
2205 /*
2206 * we used to have code here that made sure the acb_info flags
2207 * matched with the users named (e.g. an account flags as a machine
2208 * trust account ended in '$'). It has been ifdef'd out for a long
2209 * time, so I replaced it with this comment. --jerry
2210 */
2212 /* the passdb lookup has failed; check to see if we need to run the
2213 add user/machine script */
2217 /*********************************************************************
2218 * HEADS UP! If we have to create a new user account, we have to get
2219 * a new RID from somewhere. This used to be done by the passdb
2220 * backend. It has been moved into idmap now. Since idmap is now
2221 * wrapped up behind winbind, this means you have to run winbindd if you
2222 * want new accounts to get a new RID when "enable rid algorithm = no".
2223 * Tough. We now have a uniform way of allocating RIDs regardless
2224 * of what ever passdb backend people may use.
2225 * --jerry (2003-07-10)
2226 *********************************************************************/
2229 /*
2230 * we can't check both the ending $ and the acb_info.
2231 *
2232 * UserManager creates trust accounts (ending in $,
2233 * normal that hidden accounts) with the acb_info equals to ACB_NORMAL.
2234 * JFM, 11/29/2001
2235 */
2238 else
2246 }
2248 {
2251 account));
2252 }
2253 }
2255 }
2257 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2267 account));
2269 }
2271 /* Get the user's SID */
2280 }
2282 /* associate the user's SID with the new handle. */
2286 }
2292 /* get a (unique) handle. open a policy on it. */
2296 }
2305 }
2307 /*******************************************************************
2308 samr_reply_connect_anon
2309 ********************************************************************/
2311 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2312 {
2316 /* Access check */
2322 }
2324 /* set up the SAMR connect_anon response */
2328 /* associate the user's SID with the new handle. */
2332 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2333 was observed from a win98 client trying to enumerate users (when configured
2334 user level access control on shares) --jerry */
2341 /* get a (unique) handle. open a policy on it. */
2346 }
2348 /*******************************************************************
2349 samr_reply_connect
2350 ********************************************************************/
2353 {
2356 uint32 acc_granted;
2359 NTSTATUS nt_status;
2364 /* Access check */
2370 }
2378 }
2382 /* associate the user's SID and access granted with the new handle. */
2389 /* get a (unique) handle. open a policy on it. */
2396 }
2398 /*******************************************************************
2399 samr_connect4
2400 ********************************************************************/
2403 {
2406 uint32 acc_granted;
2409 NTSTATUS nt_status;
2414 /* Access check */
2420 }
2428 }
2432 /* associate the user's SID and access granted with the new handle. */
2439 /* get a (unique) handle. open a policy on it. */
2446 }
2448 /**********************************************************************
2449 api_samr_lookup_domain
2450 **********************************************************************/
2452 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2453 {
2455 fstring domain_name;
2456 DOM_SID sid;
2465 {
2467 }
2469 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2475 }
2482 }
2484 /******************************************************************
2485 makes a SAMR_R_ENUM_DOMAINS structure.
2486 ********************************************************************/
2490 {
2491 uint32 i;
2512 }
2518 }
2520 /**********************************************************************
2521 api_samr_enum_domains
2522 **********************************************************************/
2524 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2525 {
2536 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2538 }
2552 }
2554 /*******************************************************************
2555 api_samr_open_alias
2556 ********************************************************************/
2559 {
2560 DOM_SID sid;
2566 uint32 acc_granted;
2569 NTSTATUS status;
2573 /* find the domain policy and get the SID / access bits stored in the domain policy */
2577 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) {
2579 }
2581 /* append the alias' RID to it */
2585 /*check if access can be granted as requested by client. */
2592 }
2594 /*
2595 * we should check if the rid really exist !!!
2596 * JFM.
2597 */
2599 /* associate the user's SID with the new handle. */
2605 /* get a (unique) handle. open a policy on it. */
2610 }
2612 /*******************************************************************
2613 set_user_info_10
2614 ********************************************************************/
2617 {
2619 BOOL ret;
2628 }
2634 }
2636 /* FIX ME: check if the value is really changed --metze */
2640 }
2645 }
2650 }
2652 /*******************************************************************
2653 set_user_info_12
2654 ********************************************************************/
2657 {
2665 }
2671 }
2676 }
2680 }
2684 }
2689 }
2693 }
2695 /*******************************************************************
2696 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2697 ********************************************************************/
2699 {
2701 gid_t gid;
2708 }
2717 }
2725 }
2728 }
2731 /*******************************************************************
2732 set_user_info_20
2733 ********************************************************************/
2736 {
2742 }
2749 }
2753 /* write the change out */
2757 }
2762 }
2763 /*******************************************************************
2764 set_user_info_21
2765 ********************************************************************/
2768 {
2774 }
2781 }
2785 /*
2786 * The funny part about the previous two calls is
2787 * that pwd still has the password hashes from the
2788 * passdb entry. These have not been updated from
2789 * id21. I don't know if they need to be set. --jerry
2790 */
2795 /* write the change out */
2799 }
2804 }
2806 /*******************************************************************
2807 set_user_info_23
2808 ********************************************************************/
2811 {
2813 pstring plaintext_buf;
2814 uint32 len;
2815 uint16 acct_ctrl;
2820 }
2827 }
2837 }
2842 }
2846 /* if it's a trust account, don't update /etc/passwd */
2852 /* update the UNIX password */
2857 }
2862 }
2863 }
2864 }
2874 }
2879 }
2881 /*******************************************************************
2882 set_user_info_pw
2883 ********************************************************************/
2886 {
2888 uint32 len;
2889 pstring plaintext_buf;
2890 uint16 acct_ctrl;
2897 }
2909 }
2914 }
2916 /* if it's a trust account, don't update /etc/passwd */
2922 /* update the UNIX password */
2927 }
2932 }
2933 }
2934 }
2940 /* update the SAMBA password */
2944 }
2949 }
2951 /*******************************************************************
2952 samr_reply_set_userinfo
2953 ********************************************************************/
2955 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
2956 {
2957 DOM_SID sid;
2961 uint32 acc_granted;
2962 uint32 acc_required;
2968 /* find the policy handle. open a policy on it. */
2972 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
2973 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
2975 }
2982 }
2984 /* ok! user info levels (lots: see MSDEV help), off we go... */
2994 }
3004 #if 0
3005 /*
3006 * Currently we don't really know how to unmarshall
3007 * the level 25 struct, and the password encryption
3008 * is different. This is a placeholder for when we
3009 * do understand it. In the meantime just return INVALID
3010 * info level and W2K SP2 drops down to level 23... JRA.
3011 */
3015 }
3023 #endif
3029 }
3040 }
3043 }
3045 /*******************************************************************
3046 samr_reply_set_userinfo2
3047 ********************************************************************/
3049 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3050 {
3051 DOM_SID sid;
3055 uint32 acc_granted;
3056 uint32 acc_required;
3062 /* find the policy handle. open a policy on it. */
3066 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
3067 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3069 }
3076 }
3080 /* ok! user info levels (lots: see MSDEV help), off we go... */
3095 /* Used by AS/U JRA. */
3101 }
3104 }
3106 /*********************************************************************
3107 _samr_query_aliasmem
3108 *********************************************************************/
3110 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3111 {
3117 NTSTATUS ntstatus1;
3118 NTSTATUS ntstatus2;
3120 /* until i see a real useraliases query, we fack one up */
3122 /* I have seen one, JFM 2/12/2001 */
3123 /*
3124 * Explanation of what this call does:
3125 * for all the SID given in the request:
3126 * return a list of alias (local groups)
3127 * that have those SID as members.
3128 *
3129 * and that's the alias in the domain specified
3130 * in the policy_handle
3131 *
3132 * if the policy handle is on an incorrect sid
3133 * for example a user's sid
3134 * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH
3135 */
3141 /* find the policy handle. open a policy on it. */
3145 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3146 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3152 }
3153 }
3162 r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid));
3164 /*
3165 * if there is an error, we just continue as
3166 * it can be an unfound user or group
3167 */
3171 }
3176 }
3178 new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32));
3182 }
3191 }
3195 }
3197 /*********************************************************************
3198 _samr_query_aliasmem
3199 *********************************************************************/
3201 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3202 {
3209 DOM_SID alias_sid;
3211 uint32 acc_granted;
3213 /* find the policy handle. open a policy on it. */
3218 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3220 }
3231 }
3235 }
3242 }
3245 {
3251 }
3260 }
3264 {
3272 /* We only look at our own sam, so don't care about imported stuff */
3279 }
3281 /* Primary group members */
3289 }
3293 /* Secondary group members */
3301 }
3306 }
3308 /*********************************************************************
3309 _samr_query_groupmem
3310 *********************************************************************/
3312 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3313 {
3315 DOM_SID group_sid;
3316 fstring group_sid_str;
3319 gid_t gid;
3324 uint32 acc_granted;
3326 /* find the policy handle. open a policy on it. */
3330 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3332 }
3340 }
3359 DOM_SID sid;
3364 }
3370 }
3374 /* Hmm. In a trace I got the constant 7 here from NT. */
3378 }
3383 NT_STATUS_OK);
3386 }
3388 /*********************************************************************
3389 _samr_add_aliasmem
3390 *********************************************************************/
3392 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3393 {
3394 DOM_SID alias_sid;
3395 uint32 acc_granted;
3397 /* Find the policy handle. Open a policy on it. */
3401 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3403 }
3411 }
3413 /*********************************************************************
3414 _samr_del_aliasmem
3415 *********************************************************************/
3417 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3418 {
3419 DOM_SID alias_sid;
3420 uint32 acc_granted;
3422 /* Find the policy handle. Open a policy on it. */
3426 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3428 }
3437 }
3439 /*********************************************************************
3440 _samr_add_groupmem
3441 *********************************************************************/
3443 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3444 {
3445 DOM_SID group_sid;
3446 DOM_SID user_sid;
3447 fstring group_sid_str;
3448 uid_t uid;
3451 fstring grp_name;
3452 GROUP_MAP map;
3453 NTSTATUS ret;
3455 BOOL check;
3456 uint32 acc_granted;
3458 /* Find the policy handle. Open a policy on it. */
3462 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3464 }
3489 }
3491 /* check a real user exist before we run the script to add a user to a group */
3495 }
3501 }
3506 }
3508 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3511 /* if the user is already in the group */
3515 }
3517 /*
3518 * ok, the group exist, the user exist, the user is not in the group,
3519 *
3520 * we can (finally) add it to the group !
3521 */
3525 /* check if the user has been added then ... */
3529 }
3533 }
3535 /*********************************************************************
3536 _samr_del_groupmem
3537 *********************************************************************/
3539 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3540 {
3541 DOM_SID group_sid;
3542 DOM_SID user_sid;
3544 GROUP_MAP map;
3545 fstring grp_name;
3547 uint32 acc_granted;
3549 /*
3550 * delete the group member named q_u->rid
3551 * who is a member of the sid associated with the handle
3552 * the rid is a user's rid as the group is a domain group.
3553 */
3555 /* Find the policy handle. Open a policy on it. */
3559 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3561 }
3575 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3578 /* check if the user exists before trying to remove it from the group */
3584 }
3586 /* if the user is not in the group */
3590 }
3594 /* check if the user has been removed then ... */
3598 }
3603 }
3605 /****************************************************************************
3606 Delete a UNIX user on demand.
3607 ****************************************************************************/
3610 {
3611 pstring del_script;
3614 /* try winbindd first since it is impossible to determine where
3615 a user came from via NSS. Try the delete user script if this fails
3616 meaning the user did not exist in winbindd's list of accounts */
3621 }
3624 /* fall back to 'delete user script' */
3634 }
3636 /*********************************************************************
3637 _samr_delete_dom_user
3638 *********************************************************************/
3640 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3641 {
3642 DOM_SID user_sid;
3644 uint32 acc_granted;
3648 /* Find the policy handle. Open a policy on it. */
3652 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3654 }
3659 /* check if the user exists before trying to delete */
3666 }
3668 /* delete the unix side */
3669 /*
3670 * note: we don't check if the delete really happened
3671 * as the script is not necessary present
3672 * and maybe the sysadmin doesn't want to delete the unix side
3673 */
3676 /* and delete the samba side */
3678 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3681 }
3689 }
3691 /*********************************************************************
3692 _samr_delete_dom_group
3693 *********************************************************************/
3695 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3696 {
3697 DOM_SID group_sid;
3698 DOM_SID dom_sid;
3699 uint32 group_rid;
3700 fstring group_sid_str;
3701 gid_t gid;
3703 GROUP_MAP map;
3704 uint32 acc_granted;
3708 /* Find the policy handle. Open a policy on it. */
3712 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
3714 }
3722 /* we check if it's our SID before deleting */
3733 /* check if group really exists */
3737 /* delete mapping first */
3741 /* we can delete the UNIX group */
3744 /* check if the group has been successfully deleted */
3753 }
3755 /*********************************************************************
3756 _samr_delete_dom_alias
3757 *********************************************************************/
3759 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
3760 {
3761 DOM_SID alias_sid;
3762 uint32 acc_granted;
3766 /* Find the policy handle. Open a policy on it. */
3770 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
3772 }
3781 /* Have passdb delete the alias */
3789 }
3791 /*********************************************************************
3792 _samr_create_dom_group
3793 *********************************************************************/
3795 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
3796 {
3797 DOM_SID dom_sid;
3798 DOM_SID info_sid;
3799 fstring name;
3800 fstring sid_string;
3803 uint32 acc_granted;
3804 gid_t gid;
3806 /* Find the policy handle. Open a policy on it. */
3810 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
3812 }
3817 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3821 /* check if group already exist */
3825 /* we can create the UNIX group */
3829 /* check if the group has been successfully created */
3835 /* add the group to the mapping table */
3846 /* get a (unique) handle. open a policy on it. */
3851 }
3853 /*********************************************************************
3854 _samr_create_dom_alias
3855 *********************************************************************/
3857 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
3858 {
3859 DOM_SID dom_sid;
3860 DOM_SID info_sid;
3861 fstring name;
3864 uint32 acc_granted;
3865 gid_t gid;
3866 NTSTATUS result;
3868 /* Find the policy handle. Open a policy on it. */
3872 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
3874 }
3879 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3883 /* Have passdb create the alias */
3895 /* check if the group has been successfully created */
3902 /* get a (unique) handle. open a policy on it. */
3907 }
3909 /*********************************************************************
3910 _samr_query_groupinfo
3912 sends the name/comment pair of a domain group
3913 level 1 send also the number of users of that group
3914 *********************************************************************/
3916 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
3917 {
3918 DOM_SID group_sid;
3919 GROUP_MAP map;
3924 uint32 acc_granted;
3925 BOOL ret;
3930 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
3932 }
3963 }
3968 }
3970 /*********************************************************************
3971 _samr_set_groupinfo
3973 update a domain group's comment.
3974 *********************************************************************/
3976 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
3977 {
3978 DOM_SID group_sid;
3979 GROUP_MAP map;
3981 uint32 acc_granted;
3986 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
3988 }
4004 }
4008 }
4011 }
4013 /*********************************************************************
4014 _samr_set_aliasinfo
4016 update an alias's comment.
4017 *********************************************************************/
4019 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4020 {
4021 DOM_SID group_sid;
4024 uint32 acc_granted;
4029 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4031 }
4043 }
4047 }
4050 }
4052 /*********************************************************************
4053 _samr_get_dom_pwinfo
4054 *********************************************************************/
4056 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4057 {
4058 /* Perform access check. Since this rpc does not require a
4059 policy handle it will not be caught by the access checks on
4060 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4066 }
4068 /* Actually, returning zeros here works quite well :-). */
4071 }
4073 /*********************************************************************
4074 _samr_open_group
4075 *********************************************************************/
4078 {
4079 DOM_SID sid;
4080 DOM_SID info_sid;
4081 GROUP_MAP map;
4084 uint32 acc_granted;
4087 NTSTATUS status;
4088 fstring sid_string;
4089 BOOL ret;
4094 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) {
4096 }
4098 /*check if access can be granted as requested by client. */
4105 }
4108 /* this should not be hard-coded like this */
4123 /* check if that group really exists */
4130 /* get a (unique) handle. open a policy on it. */
4135 }
4137 /*********************************************************************
4138 _samr_remove_sid_foreign_domain
4139 *********************************************************************/
4144 {
4147 uint32 acc_granted;
4148 GROUP_MAP map;
4150 NTSTATUS result;
4158 /* Find the policy handle. Open a policy on it. */
4172 /* make sure we can handle this */
4182 }
4184 /* check if the user exists before trying to delete */
4191 /* maybe it is a group */
4197 }
4198 }
4200 /* we can only delete a user from a group since we don't have
4201 nested groups anyways. So in the latter case, just say OK */
4210 /* interate over the groups */
4218 }
4226 /* should we fail here ? */
4230 }
4234 }
4237 }
4238 }
4241 done:
4246 }
4248 /*******************************************************************
4249 _samr_unknown_2e
4250 ********************************************************************/
4253 {
4262 uint32 lockout;
4265 NTTIME nt_logout;
4269 uint32 account_policy_temp;
4280 /* find the policy handle. open a policy on it. */
4314 }
4322 }
4326 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4364 }
4371 }
4373 /*******************************************************************
4374 _samr_
4375 ********************************************************************/
4377 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4378 {
4387 /* find the policy handle. open a policy on it. */
4426 }
4433 }