search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix malformed require_membership_of_sid.
[Samba.git] / source / rpc_server / srv_samr_nt.c
blob7dc81dd73dcf249216044a921047a0532f3a1942
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
42 SAMR_USER_ACCESS_SET_LOC_COM)
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
45
46 #define DISP_INFO_CACHE_TIMEOUT 10
47
48 typedef struct disp_info {
49 DOM_SID sid; /* identify which domain this is. */
50 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
51 struct pdb_search *users; /* querydispinfo 1 and 4 */
52 struct pdb_search *machines; /* querydispinfo 2 */
53 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
54 struct pdb_search *aliases; /* enumaliases */
55
56 uint16 enum_acb_mask;
57 struct pdb_search *enum_users; /* enumusers with a mask */
58
59 struct timed_event *cache_timeout_event; /* cache idle timeout
60 * handler. */
61 } DISP_INFO;
62
63 /* We keep a static list of these by SID as modern clients close down
64 all resources between each request in a complete enumeration. */
65
66 struct samr_info {
67 /* for use by the \PIPE\samr policy */
68 DOM_SID sid;
69 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
70 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
71 uint32 acc_granted;
72 DISP_INFO *disp_info;
73 TALLOC_CTX *mem_ctx;
74 };
75
76 static const struct generic_mapping sam_generic_mapping = {
77 GENERIC_RIGHTS_SAM_READ,
78 GENERIC_RIGHTS_SAM_WRITE,
79 GENERIC_RIGHTS_SAM_EXECUTE,
80 GENERIC_RIGHTS_SAM_ALL_ACCESS};
81 static const struct generic_mapping dom_generic_mapping = {
82 GENERIC_RIGHTS_DOMAIN_READ,
83 GENERIC_RIGHTS_DOMAIN_WRITE,
84 GENERIC_RIGHTS_DOMAIN_EXECUTE,
85 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
86 static const struct generic_mapping usr_generic_mapping = {
87 GENERIC_RIGHTS_USER_READ,
88 GENERIC_RIGHTS_USER_WRITE,
89 GENERIC_RIGHTS_USER_EXECUTE,
90 GENERIC_RIGHTS_USER_ALL_ACCESS};
91 static const struct generic_mapping usr_nopwchange_generic_mapping = {
92 GENERIC_RIGHTS_USER_READ,
93 GENERIC_RIGHTS_USER_WRITE,
94 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
95 GENERIC_RIGHTS_USER_ALL_ACCESS};
96 static const struct generic_mapping grp_generic_mapping = {
97 GENERIC_RIGHTS_GROUP_READ,
98 GENERIC_RIGHTS_GROUP_WRITE,
99 GENERIC_RIGHTS_GROUP_EXECUTE,
100 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
101 static const struct generic_mapping ali_generic_mapping = {
102 GENERIC_RIGHTS_ALIAS_READ,
103 GENERIC_RIGHTS_ALIAS_WRITE,
104 GENERIC_RIGHTS_ALIAS_EXECUTE,
105 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
106
107 /*******************************************************************
108 *******************************************************************/
109
110 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
111 const struct generic_mapping *map,
112 DOM_SID *sid, uint32 sid_access )
113 {
114 DOM_SID domadmin_sid;
115 SEC_ACE ace[5]; /* at most 5 entries */
116 size_t i = 0;
117
118 SEC_ACL *psa = NULL;
119
120 /* basic access for Everyone */
121
122 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
123 map->generic_execute | map->generic_read, 0);
124
125 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
126
127 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
128 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
129 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
130 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
131
132 /* Add Full Access for Domain Admins if we are a DC */
133
134 if ( IS_DC ) {
135 sid_copy( &domadmin_sid, get_global_sam_sid() );
136 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
137 init_sec_ace(&ace[i++], &domadmin_sid,
138 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
139 }
140
141 /* if we have a sid, give it some special access */
142
143 if ( sid ) {
144 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
145 }
146
147 /* create the security descriptor */
148
149 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
150 return NT_STATUS_NO_MEMORY;
151
152 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
153 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
154 psa, sd_size)) == NULL)
155 return NT_STATUS_NO_MEMORY;
156
157 return NT_STATUS_OK;
158 }
159
160 /*******************************************************************
161 Checks if access to an object should be granted, and returns that
162 level of access for further checks.
163 ********************************************************************/
164
165 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
166 SE_PRIV *rights, uint32 rights_mask,
167 uint32 des_access, uint32 *acc_granted,
168 const char *debug )
169 {
170 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
171 uint32 saved_mask = 0;
172
173 /* check privileges; certain SAM access bits should be overridden
174 by privileges (mostly having to do with creating/modifying/deleting
175 users and groups) */
176
177 if ( rights && user_has_any_privilege( token, rights ) ) {
178
179 saved_mask = (des_access & rights_mask);
180 des_access &= ~saved_mask;
181
182 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
183 rights_mask));
184 }
185
186
187 /* check the security descriptor first */
188
189 status = se_access_check(psd, token, des_access, acc_granted);
190 if (NT_STATUS_IS_OK(status)) {
191 goto done;
192 }
193
194 /* give root a free pass */
195
196 if ( geteuid() == sec_initial_uid() ) {
197
198 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
199 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
200
201 *acc_granted = des_access;
202
203 status = NT_STATUS_OK;
204 goto done;
205 }
206
207
208 done:
209 /* add in any bits saved during the privilege check (only
210 matters is status is ok) */
211
212 *acc_granted |= rights_mask;
213
214 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
215 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
216 des_access, *acc_granted));
217
218 return status;
219 }
220
221 /*******************************************************************
222 Checks if access to a function can be granted
223 ********************************************************************/
224
225 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
226 {
227 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
228 debug, acc_granted, acc_required));
229
230 /* check the security descriptor first */
231
232 if ( (acc_granted&acc_required) == acc_required )
233 return NT_STATUS_OK;
234
235 /* give root a free pass */
236
237 if (geteuid() == sec_initial_uid()) {
238
239 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
240 debug, acc_granted, acc_required));
241 DEBUGADD(4,("but overwritten by euid == 0\n"));
242
243 return NT_STATUS_OK;
244 }
245
246 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
247 debug, acc_granted, acc_required));
248
249 return NT_STATUS_ACCESS_DENIED;
250 }
251
252 /*******************************************************************
253 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
254 ********************************************************************/
255
256 static void map_max_allowed_access(const NT_USER_TOKEN *token,
257 uint32_t *pacc_requested)
258 {
259 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
260 return;
261 }
262 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
263
264 /* At least try for generic read|execute - Everyone gets that. */
265 *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
266
267 /* root gets anything. */
268 if (geteuid() == sec_initial_uid()) {
269 *pacc_requested |= GENERIC_ALL_ACCESS;
270 return;
271 }
272
273 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
274
275 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
276 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
277 *pacc_requested |= GENERIC_ALL_ACCESS;
278 return;
279 }
280
281 /* Full access for DOMAIN\Domain Admins. */
282 if ( IS_DC ) {
283 DOM_SID domadmin_sid;
284 sid_copy( &domadmin_sid, get_global_sam_sid() );
285 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
286 if (is_sid_in_token(token, &domadmin_sid)) {
287 *pacc_requested |= GENERIC_ALL_ACCESS;
288 return;
289 }
290 }
291 /* TODO ! Check privileges. */
292 }
293
294 /*******************************************************************
295 Fetch or create a dispinfo struct.
296 ********************************************************************/
297
298 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
299 {
300 /*
301 * We do a static cache for DISP_INFO's here. Explanation can be found
302 * in Jeremy's checkin message to r11793:
303 *
304 * Fix the SAMR cache so it works across completely insane
305 * client behaviour (ie.:
306 * open pipe/open SAMR handle/enumerate 0 - 1024
307 * close SAMR handle, close pipe.
308 * open pipe/open SAMR handle/enumerate 1024 - 2048...
309 * close SAMR handle, close pipe.
310 * And on ad-nausium. Amazing.... probably object-oriented
311 * client side programming in action yet again.
312 * This change should *massively* improve performance when
313 * enumerating users from an LDAP database.
314 * Jeremy.
315 *
316 * "Our" and the builtin domain are the only ones where we ever
317 * enumerate stuff, so just cache 2 entries.
318 */
319
320 static struct disp_info builtin_dispinfo;
321 static struct disp_info domain_dispinfo;
322
323 /* There are two cases to consider here:
324 1) The SID is a domain SID and we look for an equality match, or
325 2) This is an account SID and so we return the DISP_INFO* for our
326 domain */
327
328 if (psid == NULL) {
329 return NULL;
330 }
331
332 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
333 /*
334 * Necessary only once, but it does not really hurt.
335 */
336 sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
337
338 return &builtin_dispinfo;
339 }
340
341 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
342 /*
343 * Necessary only once, but it does not really hurt.
344 */
345 sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
346
347 return &domain_dispinfo;
348 }
349
350 return NULL;
351 }
352
353 /*******************************************************************
354 Create a samr_info struct.
355 ********************************************************************/
356
357 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
358 {
359 struct samr_info *info;
360 fstring sid_str;
361 TALLOC_CTX *mem_ctx;
362
363 if (psid) {
364 sid_to_fstring(sid_str, psid);
365 } else {
366 fstrcpy(sid_str,"(NULL)");
367 }
368
369 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
370
371 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
372 return NULL;
373
374 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
375 if (psid) {
376 sid_copy( &info->sid, psid);
377 info->builtin_domain = sid_check_is_builtin(psid);
378 } else {
379 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
380 info->builtin_domain = False;
381 }
382 info->mem_ctx = mem_ctx;
383
384 info->disp_info = get_samr_dispinfo_by_sid(psid);
385
386 return info;
387 }
388
389 /*******************************************************************
390 Function to free the per SID data.
391 ********************************************************************/
392
393 static void free_samr_cache(DISP_INFO *disp_info)
394 {
395 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
396 sid_string_dbg(&disp_info->sid)));
397
398 /* We need to become root here because the paged search might have to
399 * tell the LDAP server we're not interested in the rest anymore. */
400
401 become_root();
402
403 if (disp_info->users) {
404 DEBUG(10,("free_samr_cache: deleting users cache\n"));
405 pdb_search_destroy(disp_info->users);
406 disp_info->users = NULL;
407 }
408 if (disp_info->machines) {
409 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
410 pdb_search_destroy(disp_info->machines);
411 disp_info->machines = NULL;
412 }
413 if (disp_info->groups) {
414 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
415 pdb_search_destroy(disp_info->groups);
416 disp_info->groups = NULL;
417 }
418 if (disp_info->aliases) {
419 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
420 pdb_search_destroy(disp_info->aliases);
421 disp_info->aliases = NULL;
422 }
423 if (disp_info->enum_users) {
424 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
425 pdb_search_destroy(disp_info->enum_users);
426 disp_info->enum_users = NULL;
427 }
428 disp_info->enum_acb_mask = 0;
429
430 unbecome_root();
431 }
432
433 /*******************************************************************
434 Function to free the per handle data.
435 ********************************************************************/
436
437 static void free_samr_info(void *ptr)
438 {
439 struct samr_info *info=(struct samr_info *) ptr;
440
441 /* Only free the dispinfo cache if no one bothered to set up
442 a timeout. */
443
444 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
445 free_samr_cache(info->disp_info);
446 }
447
448 talloc_destroy(info->mem_ctx);
449 }
450
451 /*******************************************************************
452 Idle event handler. Throw away the disp info cache.
453 ********************************************************************/
454
455 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
456 struct timed_event *te,
457 struct timeval now,
458 void *private_data)
459 {
460 DISP_INFO *disp_info = (DISP_INFO *)private_data;
461
462 TALLOC_FREE(disp_info->cache_timeout_event);
463
464 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
465 "out\n"));
466 free_samr_cache(disp_info);
467 }
468
469 /*******************************************************************
470 Setup cache removal idle event handler.
471 ********************************************************************/
472
473 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
474 {
475 /* Remove any pending timeout and update. */
476
477 TALLOC_FREE(disp_info->cache_timeout_event);
478
479 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
480 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
481 (unsigned int)secs_fromnow ));
482
483 disp_info->cache_timeout_event = event_add_timed(
484 smbd_event_context(), NULL,
485 timeval_current_ofs(secs_fromnow, 0),
486 disp_info_cache_idle_timeout_handler, (void *)disp_info);
487 }
488
489 /*******************************************************************
490 Force flush any cache. We do this on any samr_set_xxx call.
491 We must also remove the timeout handler.
492 ********************************************************************/
493
494 static void force_flush_samr_cache(DISP_INFO *disp_info)
495 {
496 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
497 return;
498 }
499
500 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
501 TALLOC_FREE(disp_info->cache_timeout_event);
502 free_samr_cache(disp_info);
503 }
504
505 /*******************************************************************
506 Ensure password info is never given out. Paranioa... JRA.
507 ********************************************************************/
508
509 static void samr_clear_sam_passwd(struct samu *sam_pass)
510 {
511
512 if (!sam_pass)
513 return;
514
515 /* These now zero out the old password */
516
517 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
518 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
519 }
520
521 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
522 {
523 struct samr_displayentry *entry;
524
525 if (info->builtin_domain) {
526 /* No users in builtin. */
527 return 0;
528 }
529
530 if (info->users == NULL) {
531 info->users = pdb_search_users(acct_flags);
532 if (info->users == NULL) {
533 return 0;
534 }
535 }
536 /* Fetch the last possible entry, thus trigger an enumeration */
537 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
538
539 /* Ensure we cache this enumeration. */
540 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
541
542 return info->users->num_entries;
543 }
544
545 static uint32 count_sam_groups(struct disp_info *info)
546 {
547 struct samr_displayentry *entry;
548
549 if (info->builtin_domain) {
550 /* No groups in builtin. */
551 return 0;
552 }
553
554 if (info->groups == NULL) {
555 info->groups = pdb_search_groups();
556 if (info->groups == NULL) {
557 return 0;
558 }
559 }
560 /* Fetch the last possible entry, thus trigger an enumeration */
561 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
562
563 /* Ensure we cache this enumeration. */
564 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
565
566 return info->groups->num_entries;
567 }
568
569 static uint32 count_sam_aliases(struct disp_info *info)
570 {
571 struct samr_displayentry *entry;
572
573 if (info->aliases == NULL) {
574 info->aliases = pdb_search_aliases(&info->sid);
575 if (info->aliases == NULL) {
576 return 0;
577 }
578 }
579 /* Fetch the last possible entry, thus trigger an enumeration */
580 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
581
582 /* Ensure we cache this enumeration. */
583 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
584
585 return info->aliases->num_entries;
586 }
587
588 /*******************************************************************
589 _samr_Close
590 ********************************************************************/
591
592 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
593 {
594 if (!close_policy_hnd(p, r->in.handle)) {
595 return NT_STATUS_INVALID_HANDLE;
596 }
597
598 ZERO_STRUCTP(r->out.handle);
599
600 return NT_STATUS_OK;
601 }
602
603 /*******************************************************************
604 _samr_OpenDomain
605 ********************************************************************/
606
607 NTSTATUS _samr_OpenDomain(pipes_struct *p,
608 struct samr_OpenDomain *r)
609 {
610 struct samr_info *info;
611 SEC_DESC *psd = NULL;
612 uint32 acc_granted;
613 uint32 des_access = r->in.access_mask;
614 NTSTATUS status;
615 size_t sd_size;
616 SE_PRIV se_rights;
617
618 /* find the connection policy handle. */
619
620 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
621 return NT_STATUS_INVALID_HANDLE;
622
623 /*check if access can be granted as requested by client. */
624 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
625
626 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
627 se_map_generic( &des_access, &dom_generic_mapping );
628
629 se_priv_copy( &se_rights, &se_machine_account );
630 se_priv_add( &se_rights, &se_add_users );
631
632 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
633 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
634 &acc_granted, "_samr_OpenDomain" );
635
636 if ( !NT_STATUS_IS_OK(status) )
637 return status;
638
639 if (!sid_check_is_domain(r->in.sid) &&
640 !sid_check_is_builtin(r->in.sid)) {
641 return NT_STATUS_NO_SUCH_DOMAIN;
642 }
643
644 /* associate the domain SID with the (unique) handle. */
645 if ((info = get_samr_info_by_sid(r->in.sid))==NULL)
646 return NT_STATUS_NO_MEMORY;
647 info->acc_granted = acc_granted;
648
649 /* get a (unique) handle. open a policy on it. */
650 if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info))
651 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
652
653 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
654
655 return NT_STATUS_OK;
656 }
657
658 /*******************************************************************
659 _samr_GetUserPwInfo
660 ********************************************************************/
661
662 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
663 struct samr_GetUserPwInfo *r)
664 {
665 struct samr_info *info = NULL;
666 enum lsa_SidType sid_type;
667 uint32_t min_password_length = 0;
668 uint32_t password_properties = 0;
669 bool ret = false;
670 NTSTATUS status;
671
672 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
673
674 /* find the policy handle. open a policy on it. */
675 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
676 return NT_STATUS_INVALID_HANDLE;
677 }
678
679 status = access_check_samr_function(info->acc_granted,
680 SAMR_USER_ACCESS_GET_ATTRIBUTES,
681 "_samr_GetUserPwInfo" );
682 if (!NT_STATUS_IS_OK(status)) {
683 return status;
684 }
685
686 if (!sid_check_is_in_our_domain(&info->sid)) {
687 return NT_STATUS_OBJECT_TYPE_MISMATCH;
688 }
689
690 become_root();
691 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
692 unbecome_root();
693 if (ret == false) {
694 return NT_STATUS_NO_SUCH_USER;
695 }
696
697 switch (sid_type) {
698 case SID_NAME_USER:
699 become_root();
700 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
701 &min_password_length);
702 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
703 &password_properties);
704 unbecome_root();
705
706 if (lp_check_password_script() && *lp_check_password_script()) {
707 password_properties |= DOMAIN_PASSWORD_COMPLEX;
708 }
709
710 break;
711 default:
712 break;
713 }
714
715 r->out.info->min_password_length = min_password_length;
716 r->out.info->password_properties = password_properties;
717
718 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
719
720 return NT_STATUS_OK;
721 }
722
723 /*******************************************************************
724 ********************************************************************/
725
726 static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
727 DOM_SID *sid, uint32 *acc_granted,
728 DISP_INFO **ppdisp_info)
729 {
730 struct samr_info *info = NULL;
731
732 /* find the policy handle. open a policy on it. */
733 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
734 return False;
735
736 if (!info)
737 return False;
738
739 *sid = info->sid;
740 *acc_granted = info->acc_granted;
741 if (ppdisp_info) {
742 *ppdisp_info = info->disp_info;
743 }
744
745 return True;
746 }
747
748 /*******************************************************************
749 _samr_SetSecurity
750 ********************************************************************/
751
752 NTSTATUS _samr_SetSecurity(pipes_struct *p,
753 struct samr_SetSecurity *r)
754 {
755 DOM_SID pol_sid;
756 uint32 acc_granted, i;
757 SEC_ACL *dacl;
758 bool ret;
759 struct samu *sampass=NULL;
760 NTSTATUS status;
761
762 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
763 return NT_STATUS_INVALID_HANDLE;
764
765 if (!(sampass = samu_new( p->mem_ctx))) {
766 DEBUG(0,("No memory!\n"));
767 return NT_STATUS_NO_MEMORY;
768 }
769
770 /* get the user record */
771 become_root();
772 ret = pdb_getsampwsid(sampass, &pol_sid);
773 unbecome_root();
774
775 if (!ret) {
776 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
777 TALLOC_FREE(sampass);
778 return NT_STATUS_INVALID_HANDLE;
779 }
780
781 dacl = r->in.sdbuf->sd->dacl;
782 for (i=0; i < dacl->num_aces; i++) {
783 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
784 ret = pdb_set_pass_can_change(sampass,
785 (dacl->aces[i].access_mask &
786 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
787 True: False);
788 break;
789 }
790 }
791
792 if (!ret) {
793 TALLOC_FREE(sampass);
794 return NT_STATUS_ACCESS_DENIED;
795 }
796
797 status = access_check_samr_function(acc_granted,
798 SAMR_USER_ACCESS_SET_ATTRIBUTES,
799 "_samr_SetSecurity");
800 if (NT_STATUS_IS_OK(status)) {
801 become_root();
802 status = pdb_update_sam_account(sampass);
803 unbecome_root();
804 }
805
806 TALLOC_FREE(sampass);
807
808 return status;
809 }
810
811 /*******************************************************************
812 build correct perms based on policies and password times for _samr_query_sec_obj
813 *******************************************************************/
814 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
815 {
816 struct samu *sampass=NULL;
817 bool ret;
818
819 if ( !(sampass = samu_new( mem_ctx )) ) {
820 DEBUG(0,("No memory!\n"));
821 return False;
822 }
823
824 become_root();
825 ret = pdb_getsampwsid(sampass, user_sid);
826 unbecome_root();
827
828 if (ret == False) {
829 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
830 TALLOC_FREE(sampass);
831 return False;
832 }
833
834 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
835
836 if (pdb_get_pass_can_change(sampass)) {
837 TALLOC_FREE(sampass);
838 return True;
839 }
840 TALLOC_FREE(sampass);
841 return False;
842 }
843
844
845 /*******************************************************************
846 _samr_QuerySecurity
847 ********************************************************************/
848
849 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
850 struct samr_QuerySecurity *r)
851 {
852 NTSTATUS status;
853 DOM_SID pol_sid;
854 SEC_DESC * psd = NULL;
855 uint32 acc_granted;
856 size_t sd_size;
857
858 /* Get the SID. */
859 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
860 return NT_STATUS_INVALID_HANDLE;
861
862 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
863 sid_string_dbg(&pol_sid)));
864
865 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
866
867 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
868 if (pol_sid.sid_rev_num == 0) {
869 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
870 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
871 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
872 /* check if it is our domain SID */
873 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
874 "with SID: %s\n", sid_string_dbg(&pol_sid)));
875 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
876 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
877 /* check if it is the Builtin Domain */
878 /* TODO: Builtin probably needs a different SD with restricted write access*/
879 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
880 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
881 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
882 } else if (sid_check_is_in_our_domain(&pol_sid) ||
883 sid_check_is_in_builtin(&pol_sid)) {
884 /* TODO: different SDs have to be generated for aliases groups and users.
885 Currently all three get a default user SD */
886 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
887 "with SID: %s\n", sid_string_dbg(&pol_sid)));
888 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
889 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
890 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
891 } else {
892 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
893 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
894 }
895 } else {
896 return NT_STATUS_OBJECT_TYPE_MISMATCH;
897 }
898
899 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
900 return NT_STATUS_NO_MEMORY;
901
902 return status;
903 }
904
905 /*******************************************************************
906 makes a SAM_ENTRY / UNISTR2* structure from a user list.
907 ********************************************************************/
908
909 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
910 struct samr_SamEntry **sam_pp,
911 uint32_t num_entries,
912 uint32_t start_idx,
913 struct samr_displayentry *entries)
914 {
915 uint32_t i;
916 struct samr_SamEntry *sam;
917
918 *sam_pp = NULL;
919
920 if (num_entries == 0) {
921 return NT_STATUS_OK;
922 }
923
924 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
925 if (sam == NULL) {
926 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
927 return NT_STATUS_NO_MEMORY;
928 }
929
930 for (i = 0; i < num_entries; i++) {
931 #if 0
932 /*
933 * usrmgr expects a non-NULL terminated string with
934 * trust relationships
935 */
936 if (entries[i].acct_flags & ACB_DOMTRUST) {
937 init_unistr2(&uni_temp_name, entries[i].account_name,
938 UNI_FLAGS_NONE);
939 } else {
940 init_unistr2(&uni_temp_name, entries[i].account_name,
941 UNI_STR_TERMINATE);
942 }
943 #endif
944 init_lsa_String(&sam[i].name, entries[i].account_name);
945 sam[i].idx = entries[i].rid;
946 }
947
948 *sam_pp = sam;
949
950 return NT_STATUS_OK;
951 }
952
953 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
954
955 /*******************************************************************
956 _samr_EnumDomainUsers
957 ********************************************************************/
958
959 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
960 struct samr_EnumDomainUsers *r)
961 {
962 NTSTATUS status;
963 struct samr_info *info = NULL;
964 int num_account;
965 uint32 enum_context = *r->in.resume_handle;
966 enum remote_arch_types ra_type = get_remote_arch();
967 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
968 uint32 max_entries = max_sam_entries;
969 struct samr_displayentry *entries = NULL;
970 struct samr_SamArray *samr_array = NULL;
971 struct samr_SamEntry *samr_entries = NULL;
972
973 /* find the policy handle. open a policy on it. */
974 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
975 return NT_STATUS_INVALID_HANDLE;
976
977 status = access_check_samr_function(info->acc_granted,
978 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
979 "_samr_EnumDomainUsers");
980 if (!NT_STATUS_IS_OK(status)) {
981 return status;
982 }
983
984 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
985
986 if (info->builtin_domain) {
987 /* No users in builtin. */
988 *r->out.resume_handle = *r->in.resume_handle;
989 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
990 return status;
991 }
992
993 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
994 if (!samr_array) {
995 return NT_STATUS_NO_MEMORY;
996 }
997 *r->out.sam = samr_array;
998
999 become_root();
1000
1001 /* AS ROOT !!!! */
1002
1003 if ((info->disp_info->enum_users != NULL) &&
1004 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1005 pdb_search_destroy(info->disp_info->enum_users);
1006 info->disp_info->enum_users = NULL;
1007 }
1008
1009 if (info->disp_info->enum_users == NULL) {
1010 info->disp_info->enum_users = pdb_search_users(r->in.acct_flags);
1011 info->disp_info->enum_acb_mask = r->in.acct_flags;
1012 }
1013
1014 if (info->disp_info->enum_users == NULL) {
1015 /* END AS ROOT !!!! */
1016 unbecome_root();
1017 return NT_STATUS_ACCESS_DENIED;
1018 }
1019
1020 num_account = pdb_search_entries(info->disp_info->enum_users,
1021 enum_context, max_entries,
1022 &entries);
1023
1024 /* END AS ROOT !!!! */
1025
1026 unbecome_root();
1027
1028 if (num_account == 0) {
1029 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1030 "total entries\n"));
1031 *r->out.resume_handle = *r->in.resume_handle;
1032 return NT_STATUS_OK;
1033 }
1034
1035 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1036 num_account, enum_context,
1037 entries);
1038 if (!NT_STATUS_IS_OK(status)) {
1039 return status;
1040 }
1041
1042 if (max_entries <= num_account) {
1043 status = STATUS_MORE_ENTRIES;
1044 } else {
1045 status = NT_STATUS_OK;
1046 }
1047
1048 /* Ensure we cache this enumeration. */
1049 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1050
1051 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1052
1053 samr_array->count = num_account;
1054 samr_array->entries = samr_entries;
1055
1056 *r->out.resume_handle = *r->in.resume_handle + num_account;
1057 *r->out.num_entries = num_account;
1058
1059 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1060
1061 return status;
1062 }
1063
1064 /*******************************************************************
1065 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1066 ********************************************************************/
1067
1068 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1069 struct samr_SamEntry **sam_pp,
1070 uint32_t num_sam_entries,
1071 struct samr_displayentry *entries)
1072 {
1073 struct samr_SamEntry *sam;
1074 uint32_t i;
1075
1076 *sam_pp = NULL;
1077
1078 if (num_sam_entries == 0) {
1079 return;
1080 }
1081
1082 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1083 if (sam == NULL) {
1084 return;
1085 }
1086
1087 for (i = 0; i < num_sam_entries; i++) {
1088 /*
1089 * JRA. I think this should include the null. TNG does not.
1090 */
1091 init_lsa_String(&sam[i].name, entries[i].account_name);
1092 sam[i].idx = entries[i].rid;
1093 }
1094
1095 *sam_pp = sam;
1096 }
1097
1098 /*******************************************************************
1099 _samr_EnumDomainGroups
1100 ********************************************************************/
1101
1102 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1103 struct samr_EnumDomainGroups *r)
1104 {
1105 NTSTATUS status;
1106 struct samr_info *info = NULL;
1107 struct samr_displayentry *groups;
1108 uint32 num_groups;
1109 struct samr_SamArray *samr_array = NULL;
1110 struct samr_SamEntry *samr_entries = NULL;
1111
1112 /* find the policy handle. open a policy on it. */
1113 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1114 return NT_STATUS_INVALID_HANDLE;
1115
1116 status = access_check_samr_function(info->acc_granted,
1117 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1118 "_samr_EnumDomainGroups");
1119 if (!NT_STATUS_IS_OK(status)) {
1120 return status;
1121 }
1122
1123 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1124
1125 if (info->builtin_domain) {
1126 /* No groups in builtin. */
1127 *r->out.resume_handle = *r->in.resume_handle;
1128 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1129 return status;
1130 }
1131
1132 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1133 if (!samr_array) {
1134 return NT_STATUS_NO_MEMORY;
1135 }
1136
1137 /* the domain group array is being allocated in the function below */
1138
1139 become_root();
1140
1141 if (info->disp_info->groups == NULL) {
1142 info->disp_info->groups = pdb_search_groups();
1143
1144 if (info->disp_info->groups == NULL) {
1145 unbecome_root();
1146 return NT_STATUS_ACCESS_DENIED;
1147 }
1148 }
1149
1150 num_groups = pdb_search_entries(info->disp_info->groups,
1151 *r->in.resume_handle,
1152 MAX_SAM_ENTRIES, &groups);
1153 unbecome_root();
1154
1155 /* Ensure we cache this enumeration. */
1156 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1157
1158 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1159 num_groups, groups);
1160
1161 if (MAX_SAM_ENTRIES <= num_groups) {
1162 status = STATUS_MORE_ENTRIES;
1163 } else {
1164 status = NT_STATUS_OK;
1165 }
1166
1167 samr_array->count = num_groups;
1168 samr_array->entries = samr_entries;
1169
1170 *r->out.sam = samr_array;
1171 *r->out.num_entries = num_groups;
1172 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1173
1174 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1175
1176 return status;
1177 }
1178
1179 /*******************************************************************
1180 _samr_EnumDomainAliases
1181 ********************************************************************/
1182
1183 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1184 struct samr_EnumDomainAliases *r)
1185 {
1186 NTSTATUS status;
1187 struct samr_info *info;
1188 struct samr_displayentry *aliases;
1189 uint32 num_aliases = 0;
1190 struct samr_SamArray *samr_array = NULL;
1191 struct samr_SamEntry *samr_entries = NULL;
1192
1193 /* find the policy handle. open a policy on it. */
1194 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1195 return NT_STATUS_INVALID_HANDLE;
1196
1197 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1198 sid_string_dbg(&info->sid)));
1199
1200 status = access_check_samr_function(info->acc_granted,
1201 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1202 "_samr_EnumDomainAliases");
1203 if (!NT_STATUS_IS_OK(status)) {
1204 return status;
1205 }
1206
1207 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1208 if (!samr_array) {
1209 return NT_STATUS_NO_MEMORY;
1210 }
1211
1212 become_root();
1213
1214 if (info->disp_info->aliases == NULL) {
1215 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1216 if (info->disp_info->aliases == NULL) {
1217 unbecome_root();
1218 return NT_STATUS_ACCESS_DENIED;
1219 }
1220 }
1221
1222 num_aliases = pdb_search_entries(info->disp_info->aliases,
1223 *r->in.resume_handle,
1224 MAX_SAM_ENTRIES, &aliases);
1225 unbecome_root();
1226
1227 /* Ensure we cache this enumeration. */
1228 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1229
1230 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1231 num_aliases, aliases);
1232
1233 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1234
1235 if (MAX_SAM_ENTRIES <= num_aliases) {
1236 status = STATUS_MORE_ENTRIES;
1237 } else {
1238 status = NT_STATUS_OK;
1239 }
1240
1241 samr_array->count = num_aliases;
1242 samr_array->entries = samr_entries;
1243
1244 *r->out.sam = samr_array;
1245 *r->out.num_entries = num_aliases;
1246 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1247
1248 return status;
1249 }
1250
1251 /*******************************************************************
1252 inits a samr_DispInfoGeneral structure.
1253 ********************************************************************/
1254
1255 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1256 struct samr_DispInfoGeneral *r,
1257 uint32_t num_entries,
1258 uint32_t start_idx,
1259 struct samr_displayentry *entries)
1260 {
1261 uint32 i;
1262
1263 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1264
1265 if (num_entries == 0) {
1266 return NT_STATUS_OK;
1267 }
1268
1269 r->count = num_entries;
1270
1271 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1272 if (!r->entries) {
1273 return NT_STATUS_NO_MEMORY;
1274 }
1275
1276 for (i = 0; i < num_entries ; i++) {
1277
1278 init_lsa_String(&r->entries[i].account_name,
1279 entries[i].account_name);
1280
1281 init_lsa_String(&r->entries[i].description,
1282 entries[i].description);
1283
1284 init_lsa_String(&r->entries[i].full_name,
1285 entries[i].fullname);
1286
1287 r->entries[i].rid = entries[i].rid;
1288 r->entries[i].acct_flags = entries[i].acct_flags;
1289 r->entries[i].idx = start_idx+i+1;
1290 }
1291
1292 return NT_STATUS_OK;
1293 }
1294
1295 /*******************************************************************
1296 inits a samr_DispInfoFull structure.
1297 ********************************************************************/
1298
1299 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1300 struct samr_DispInfoFull *r,
1301 uint32_t num_entries,
1302 uint32_t start_idx,
1303 struct samr_displayentry *entries)
1304 {
1305 uint32_t i;
1306
1307 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1308
1309 if (num_entries == 0) {
1310 return NT_STATUS_OK;
1311 }
1312
1313 r->count = num_entries;
1314
1315 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1316 if (!r->entries) {
1317 return NT_STATUS_NO_MEMORY;
1318 }
1319
1320 for (i = 0; i < num_entries ; i++) {
1321
1322 init_lsa_String(&r->entries[i].account_name,
1323 entries[i].account_name);
1324
1325 init_lsa_String(&r->entries[i].description,
1326 entries[i].description);
1327
1328 r->entries[i].rid = entries[i].rid;
1329 r->entries[i].acct_flags = entries[i].acct_flags;
1330 r->entries[i].idx = start_idx+i+1;
1331 }
1332
1333 return NT_STATUS_OK;
1334 }
1335
1336 /*******************************************************************
1337 inits a samr_DispInfoFullGroups structure.
1338 ********************************************************************/
1339
1340 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1341 struct samr_DispInfoFullGroups *r,
1342 uint32_t num_entries,
1343 uint32_t start_idx,
1344 struct samr_displayentry *entries)
1345 {
1346 uint32_t i;
1347
1348 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1349
1350 if (num_entries == 0) {
1351 return NT_STATUS_OK;
1352 }
1353
1354 r->count = num_entries;
1355
1356 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1357 if (!r->entries) {
1358 return NT_STATUS_NO_MEMORY;
1359 }
1360
1361 for (i = 0; i < num_entries ; i++) {
1362
1363 init_lsa_String(&r->entries[i].account_name,
1364 entries[i].account_name);
1365
1366 init_lsa_String(&r->entries[i].description,
1367 entries[i].description);
1368
1369 r->entries[i].rid = entries[i].rid;
1370 r->entries[i].acct_flags = entries[i].acct_flags;
1371 r->entries[i].idx = start_idx+i+1;
1372 }
1373
1374 return NT_STATUS_OK;
1375 }
1376
1377 /*******************************************************************
1378 inits a samr_DispInfoAscii structure.
1379 ********************************************************************/
1380
1381 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1382 struct samr_DispInfoAscii *r,
1383 uint32_t num_entries,
1384 uint32_t start_idx,
1385 struct samr_displayentry *entries)
1386 {
1387 uint32_t i;
1388
1389 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1390
1391 if (num_entries == 0) {
1392 return NT_STATUS_OK;
1393 }
1394
1395 r->count = num_entries;
1396
1397 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1398 if (!r->entries) {
1399 return NT_STATUS_NO_MEMORY;
1400 }
1401
1402 for (i = 0; i < num_entries ; i++) {
1403
1404 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1405 entries[i].account_name);
1406
1407 r->entries[i].idx = start_idx+i+1;
1408 }
1409
1410 return NT_STATUS_OK;
1411 }
1412
1413 /*******************************************************************
1414 inits a samr_DispInfoAscii structure.
1415 ********************************************************************/
1416
1417 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1418 struct samr_DispInfoAscii *r,
1419 uint32_t num_entries,
1420 uint32_t start_idx,
1421 struct samr_displayentry *entries)
1422 {
1423 uint32_t i;
1424
1425 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1426
1427 if (num_entries == 0) {
1428 return NT_STATUS_OK;
1429 }
1430
1431 r->count = num_entries;
1432
1433 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1434 if (!r->entries) {
1435 return NT_STATUS_NO_MEMORY;
1436 }
1437
1438 for (i = 0; i < num_entries ; i++) {
1439
1440 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1441 entries[i].account_name);
1442
1443 r->entries[i].idx = start_idx+i+1;
1444 }
1445
1446 return NT_STATUS_OK;
1447 }
1448
1449 /*******************************************************************
1450 _samr_QueryDisplayInfo
1451 ********************************************************************/
1452
1453 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1454 struct samr_QueryDisplayInfo *r)
1455 {
1456 NTSTATUS status;
1457 struct samr_info *info = NULL;
1458 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1459
1460 uint32 max_entries = r->in.max_entries;
1461 uint32 enum_context = r->in.start_idx;
1462 uint32 max_size = r->in.buf_size;
1463
1464 union samr_DispInfo *disp_info = r->out.info;
1465
1466 uint32 temp_size=0, total_data_size=0;
1467 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1468 uint32 num_account = 0;
1469 enum remote_arch_types ra_type = get_remote_arch();
1470 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1471 struct samr_displayentry *entries = NULL;
1472
1473 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1474
1475 /* find the policy handle. open a policy on it. */
1476 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1477 return NT_STATUS_INVALID_HANDLE;
1478
1479 if (info->builtin_domain) {
1480 DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
1481 return NT_STATUS_OK;
1482 }
1483
1484 /*
1485 * calculate how many entries we will return.
1486 * based on
1487 * - the number of entries the client asked
1488 * - our limit on that
1489 * - the starting point (enumeration context)
1490 * - the buffer size the client will accept
1491 */
1492
1493 /*
1494 * We are a lot more like W2K. Instead of reading the SAM
1495 * each time to find the records we need to send back,
1496 * we read it once and link that copy to the sam handle.
1497 * For large user list (over the MAX_SAM_ENTRIES)
1498 * it's a definitive win.
1499 * second point to notice: between enumerations
1500 * our sam is now the same as it's a snapshoot.
1501 * third point: got rid of the static SAM_USER_21 struct
1502 * no more intermediate.
1503 * con: it uses much more memory, as a full copy is stored
1504 * in memory.
1505 *
1506 * If you want to change it, think twice and think
1507 * of the second point , that's really important.
1508 *
1509 * JFM, 12/20/2001
1510 */
1511
1512 if ((r->in.level < 1) || (r->in.level > 5)) {
1513 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1514 (unsigned int)r->in.level ));
1515 return NT_STATUS_INVALID_INFO_CLASS;
1516 }
1517
1518 /* first limit the number of entries we will return */
1519 if(max_entries > max_sam_entries) {
1520 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1521 "entries, limiting to %d\n", max_entries,
1522 max_sam_entries));
1523 max_entries = max_sam_entries;
1524 }
1525
1526 /* calculate the size and limit on the number of entries we will
1527 * return */
1528
1529 temp_size=max_entries*struct_size;
1530
1531 if (temp_size>max_size) {
1532 max_entries=MIN((max_size/struct_size),max_entries);;
1533 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1534 "only %d entries\n", max_entries));
1535 }
1536
1537 become_root();
1538
1539 /* THe following done as ROOT. Don't return without unbecome_root(). */
1540
1541 switch (r->in.level) {
1542 case 0x1:
1543 case 0x4:
1544 if (info->disp_info->users == NULL) {
1545 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1546 if (info->disp_info->users == NULL) {
1547 unbecome_root();
1548 return NT_STATUS_ACCESS_DENIED;
1549 }
1550 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1551 (unsigned int)enum_context ));
1552 } else {
1553 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1554 (unsigned int)enum_context ));
1555 }
1556
1557 num_account = pdb_search_entries(info->disp_info->users,
1558 enum_context, max_entries,
1559 &entries);
1560 break;
1561 case 0x2:
1562 if (info->disp_info->machines == NULL) {
1563 info->disp_info->machines =
1564 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1565 if (info->disp_info->machines == NULL) {
1566 unbecome_root();
1567 return NT_STATUS_ACCESS_DENIED;
1568 }
1569 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1570 (unsigned int)enum_context ));
1571 } else {
1572 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1573 (unsigned int)enum_context ));
1574 }
1575
1576 num_account = pdb_search_entries(info->disp_info->machines,
1577 enum_context, max_entries,
1578 &entries);
1579 break;
1580 case 0x3:
1581 case 0x5:
1582 if (info->disp_info->groups == NULL) {
1583 info->disp_info->groups = pdb_search_groups();
1584 if (info->disp_info->groups == NULL) {
1585 unbecome_root();
1586 return NT_STATUS_ACCESS_DENIED;
1587 }
1588 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1589 (unsigned int)enum_context ));
1590 } else {
1591 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1592 (unsigned int)enum_context ));
1593 }
1594
1595 num_account = pdb_search_entries(info->disp_info->groups,
1596 enum_context, max_entries,
1597 &entries);
1598 break;
1599 default:
1600 unbecome_root();
1601 smb_panic("info class changed");
1602 break;
1603 }
1604 unbecome_root();
1605
1606
1607 /* Now create reply structure */
1608 switch (r->in.level) {
1609 case 0x1:
1610 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1611 num_account, enum_context,
1612 entries);
1613 break;
1614 case 0x2:
1615 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1616 num_account, enum_context,
1617 entries);
1618 break;
1619 case 0x3:
1620 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1621 num_account, enum_context,
1622 entries);
1623 break;
1624 case 0x4:
1625 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1626 num_account, enum_context,
1627 entries);
1628 break;
1629 case 0x5:
1630 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1631 num_account, enum_context,
1632 entries);
1633 break;
1634 default:
1635 smb_panic("info class changed");
1636 break;
1637 }
1638
1639 if (!NT_STATUS_IS_OK(disp_ret))
1640 return disp_ret;
1641
1642 /* calculate the total size */
1643 total_data_size=num_account*struct_size;
1644
1645 if (max_entries <= num_account) {
1646 status = STATUS_MORE_ENTRIES;
1647 } else {
1648 status = NT_STATUS_OK;
1649 }
1650
1651 /* Ensure we cache this enumeration. */
1652 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1653
1654 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1655
1656 *r->out.total_size = total_data_size;
1657 *r->out.returned_size = temp_size;
1658
1659 return status;
1660 }
1661
1662 /****************************************************************
1663 _samr_QueryDisplayInfo2
1664 ****************************************************************/
1665
1666 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1667 struct samr_QueryDisplayInfo2 *r)
1668 {
1669 struct samr_QueryDisplayInfo q;
1670
1671 q.in.domain_handle = r->in.domain_handle;
1672 q.in.level = r->in.level;
1673 q.in.start_idx = r->in.start_idx;
1674 q.in.max_entries = r->in.max_entries;
1675 q.in.buf_size = r->in.buf_size;
1676
1677 q.out.total_size = r->out.total_size;
1678 q.out.returned_size = r->out.returned_size;
1679 q.out.info = r->out.info;
1680
1681 return _samr_QueryDisplayInfo(p, &q);
1682 }
1683
1684 /****************************************************************
1685 _samr_QueryDisplayInfo3
1686 ****************************************************************/
1687
1688 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1689 struct samr_QueryDisplayInfo3 *r)
1690 {
1691 struct samr_QueryDisplayInfo q;
1692
1693 q.in.domain_handle = r->in.domain_handle;
1694 q.in.level = r->in.level;
1695 q.in.start_idx = r->in.start_idx;
1696 q.in.max_entries = r->in.max_entries;
1697 q.in.buf_size = r->in.buf_size;
1698
1699 q.out.total_size = r->out.total_size;
1700 q.out.returned_size = r->out.returned_size;
1701 q.out.info = r->out.info;
1702
1703 return _samr_QueryDisplayInfo(p, &q);
1704 }
1705
1706 /*******************************************************************
1707 _samr_QueryAliasInfo
1708 ********************************************************************/
1709
1710 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1711 struct samr_QueryAliasInfo *r)
1712 {
1713 DOM_SID sid;
1714 struct acct_info info;
1715 uint32 acc_granted;
1716 NTSTATUS status;
1717 union samr_AliasInfo *alias_info = NULL;
1718 const char *alias_name = NULL;
1719 const char *alias_description = NULL;
1720
1721 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1722
1723 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1724 if (!alias_info) {
1725 return NT_STATUS_NO_MEMORY;
1726 }
1727
1728 /* find the policy handle. open a policy on it. */
1729 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1730 return NT_STATUS_INVALID_HANDLE;
1731
1732 status = access_check_samr_function(acc_granted,
1733 SAMR_ALIAS_ACCESS_LOOKUP_INFO,
1734 "_samr_QueryAliasInfo");
1735 if (!NT_STATUS_IS_OK(status)) {
1736 return status;
1737 }
1738
1739 become_root();
1740 status = pdb_get_aliasinfo(&sid, &info);
1741 unbecome_root();
1742
1743 if ( !NT_STATUS_IS_OK(status))
1744 return status;
1745
1746 /* FIXME: info contains fstrings */
1747 alias_name = talloc_strdup(r, info.acct_name);
1748 alias_description = talloc_strdup(r, info.acct_desc);
1749
1750 switch (r->in.level) {
1751 case ALIASINFOALL:
1752 init_samr_alias_info1(&alias_info->all,
1753 alias_name,
1754 1,
1755 alias_description);
1756 break;
1757 case ALIASINFODESCRIPTION:
1758 init_samr_alias_info3(&alias_info->description,
1759 alias_description);
1760 break;
1761 default:
1762 return NT_STATUS_INVALID_INFO_CLASS;
1763 }
1764
1765 *r->out.info = alias_info;
1766
1767 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1768
1769 return NT_STATUS_OK;
1770 }
1771
1772 /*******************************************************************
1773 _samr_LookupNames
1774 ********************************************************************/
1775
1776 NTSTATUS _samr_LookupNames(pipes_struct *p,
1777 struct samr_LookupNames *r)
1778 {
1779 NTSTATUS status;
1780 uint32 *rid;
1781 enum lsa_SidType *type;
1782 int i;
1783 int num_rids = r->in.num_names;
1784 DOM_SID pol_sid;
1785 uint32 acc_granted;
1786 struct samr_Ids rids, types;
1787 uint32_t num_mapped = 0;
1788
1789 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1790
1791 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1792 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1793 }
1794
1795 status = access_check_samr_function(acc_granted,
1796 0, /* Don't know the acc_bits yet */
1797 "_samr_LookupNames");
1798 if (!NT_STATUS_IS_OK(status)) {
1799 return status;
1800 }
1801
1802 if (num_rids > MAX_SAM_ENTRIES) {
1803 num_rids = MAX_SAM_ENTRIES;
1804 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1805 }
1806
1807 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1808 NT_STATUS_HAVE_NO_MEMORY(rid);
1809
1810 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1811 NT_STATUS_HAVE_NO_MEMORY(type);
1812
1813 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1814 sid_string_dbg(&pol_sid)));
1815
1816 for (i = 0; i < num_rids; i++) {
1817
1818 status = NT_STATUS_NONE_MAPPED;
1819 type[i] = SID_NAME_UNKNOWN;
1820
1821 rid[i] = 0xffffffff;
1822
1823 if (sid_check_is_builtin(&pol_sid)) {
1824 if (lookup_builtin_name(r->in.names[i].string,
1825 &rid[i]))
1826 {
1827 type[i] = SID_NAME_ALIAS;
1828 }
1829 } else {
1830 lookup_global_sam_name(r->in.names[i].string, 0,
1831 &rid[i], &type[i]);
1832 }
1833
1834 if (type[i] != SID_NAME_UNKNOWN) {
1835 num_mapped++;
1836 }
1837 }
1838
1839 if (num_mapped == num_rids) {
1840 status = NT_STATUS_OK;
1841 } else if (num_mapped == 0) {
1842 status = NT_STATUS_NONE_MAPPED;
1843 } else {
1844 status = STATUS_SOME_UNMAPPED;
1845 }
1846
1847 rids.count = num_rids;
1848 rids.ids = rid;
1849
1850 types.count = num_rids;
1851 types.ids = type;
1852
1853 *r->out.rids = rids;
1854 *r->out.types = types;
1855
1856 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1857
1858 return status;
1859 }
1860
1861 /*******************************************************************
1862 _samr_ChangePasswordUser2
1863 ********************************************************************/
1864
1865 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1866 struct samr_ChangePasswordUser2 *r)
1867 {
1868 NTSTATUS status;
1869 fstring user_name;
1870 fstring wks;
1871
1872 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1873
1874 fstrcpy(user_name, r->in.account->string);
1875 fstrcpy(wks, r->in.server->string);
1876
1877 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1878
1879 /*
1880 * Pass the user through the NT -> unix user mapping
1881 * function.
1882 */
1883
1884 (void)map_username(user_name);
1885
1886 /*
1887 * UNIX username case mangling not required, pass_oem_change
1888 * is case insensitive.
1889 */
1890
1891 status = pass_oem_change(user_name,
1892 r->in.lm_password->data,
1893 r->in.lm_verifier->hash,
1894 r->in.nt_password->data,
1895 r->in.nt_verifier->hash,
1896 NULL);
1897
1898 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1899
1900 return status;
1901 }
1902
1903 /*******************************************************************
1904 _samr_ChangePasswordUser3
1905 ********************************************************************/
1906
1907 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1908 struct samr_ChangePasswordUser3 *r)
1909 {
1910 NTSTATUS status;
1911 fstring user_name;
1912 const char *wks = NULL;
1913 uint32 reject_reason;
1914 struct samr_DomInfo1 *dominfo = NULL;
1915 struct samr_ChangeReject *reject = NULL;
1916
1917 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1918
1919 fstrcpy(user_name, r->in.account->string);
1920 if (r->in.server && r->in.server->string) {
1921 wks = r->in.server->string;
1922 }
1923
1924 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1925
1926 /*
1927 * Pass the user through the NT -> unix user mapping
1928 * function.
1929 */
1930
1931 (void)map_username(user_name);
1932
1933 /*
1934 * UNIX username case mangling not required, pass_oem_change
1935 * is case insensitive.
1936 */
1937
1938 status = pass_oem_change(user_name,
1939 r->in.lm_password->data,
1940 r->in.lm_verifier->hash,
1941 r->in.nt_password->data,
1942 r->in.nt_verifier->hash,
1943 &reject_reason);
1944
1945 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1946 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1947
1948 uint32 min_pass_len,pass_hist,password_properties;
1949 time_t u_expire, u_min_age;
1950 NTTIME nt_expire, nt_min_age;
1951 uint32 account_policy_temp;
1952
1953 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1954 if (!dominfo) {
1955 return NT_STATUS_NO_MEMORY;
1956 }
1957
1958 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1959 if (!reject) {
1960 return NT_STATUS_NO_MEMORY;
1961 }
1962
1963 become_root();
1964
1965 /* AS ROOT !!! */
1966
1967 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
1968 min_pass_len = account_policy_temp;
1969
1970 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
1971 pass_hist = account_policy_temp;
1972
1973 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
1974 password_properties = account_policy_temp;
1975
1976 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1977 u_expire = account_policy_temp;
1978
1979 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1980 u_min_age = account_policy_temp;
1981
1982 /* !AS ROOT */
1983
1984 unbecome_root();
1985
1986 unix_to_nt_time_abs(&nt_expire, u_expire);
1987 unix_to_nt_time_abs(&nt_min_age, u_min_age);
1988
1989 if (lp_check_password_script() && *lp_check_password_script()) {
1990 password_properties |= DOMAIN_PASSWORD_COMPLEX;
1991 }
1992
1993 init_samr_DomInfo1(dominfo,
1994 min_pass_len,
1995 pass_hist,
1996 password_properties,
1997 u_expire,
1998 u_min_age);
1999
2000 reject->reason = reject_reason;
2001
2002 *r->out.dominfo = dominfo;
2003 *r->out.reject = reject;
2004 }
2005
2006 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2007
2008 return status;
2009 }
2010
2011 /*******************************************************************
2012 makes a SAMR_R_LOOKUP_RIDS structure.
2013 ********************************************************************/
2014
2015 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2016 const char **names,
2017 struct lsa_String **lsa_name_array_p)
2018 {
2019 struct lsa_String *lsa_name_array = NULL;
2020 uint32_t i;
2021
2022 *lsa_name_array_p = NULL;
2023
2024 if (num_names != 0) {
2025 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2026 if (!lsa_name_array) {
2027 return false;
2028 }
2029 }
2030
2031 for (i = 0; i < num_names; i++) {
2032 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2033 init_lsa_String(&lsa_name_array[i], names[i]);
2034 }
2035
2036 *lsa_name_array_p = lsa_name_array;
2037
2038 return true;
2039 }
2040
2041 /*******************************************************************
2042 _samr_LookupRids
2043 ********************************************************************/
2044
2045 NTSTATUS _samr_LookupRids(pipes_struct *p,
2046 struct samr_LookupRids *r)
2047 {
2048 NTSTATUS status;
2049 const char **names;
2050 enum lsa_SidType *attrs = NULL;
2051 uint32 *wire_attrs = NULL;
2052 DOM_SID pol_sid;
2053 int num_rids = (int)r->in.num_rids;
2054 uint32 acc_granted;
2055 int i;
2056 struct lsa_Strings names_array;
2057 struct samr_Ids types_array;
2058 struct lsa_String *lsa_names = NULL;
2059
2060 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2061
2062 /* find the policy handle. open a policy on it. */
2063 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2064 return NT_STATUS_INVALID_HANDLE;
2065
2066 if (num_rids > 1000) {
2067 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2068 "to samba4 idl this is not possible\n", num_rids));
2069 return NT_STATUS_UNSUCCESSFUL;
2070 }
2071
2072 if (num_rids) {
2073 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2074 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2075 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2076
2077 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2078 return NT_STATUS_NO_MEMORY;
2079 } else {
2080 names = NULL;
2081 attrs = NULL;
2082 wire_attrs = NULL;
2083 }
2084
2085 become_root(); /* lookup_sid can require root privs */
2086 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2087 names, attrs);
2088 unbecome_root();
2089
2090 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2091 status = NT_STATUS_OK;
2092 }
2093
2094 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2095 &lsa_names)) {
2096 return NT_STATUS_NO_MEMORY;
2097 }
2098
2099 /* Convert from enum lsa_SidType to uint32 for wire format. */
2100 for (i = 0; i < num_rids; i++) {
2101 wire_attrs[i] = (uint32)attrs[i];
2102 }
2103
2104 names_array.count = num_rids;
2105 names_array.names = lsa_names;
2106
2107 types_array.count = num_rids;
2108 types_array.ids = wire_attrs;
2109
2110 *r->out.names = names_array;
2111 *r->out.types = types_array;
2112
2113 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2114
2115 return status;
2116 }
2117
2118 /*******************************************************************
2119 _samr_OpenUser
2120 ********************************************************************/
2121
2122 NTSTATUS _samr_OpenUser(pipes_struct *p,
2123 struct samr_OpenUser *r)
2124 {
2125 struct samu *sampass=NULL;
2126 DOM_SID sid;
2127 POLICY_HND domain_pol = *r->in.domain_handle;
2128 POLICY_HND *user_pol = r->out.user_handle;
2129 struct samr_info *info = NULL;
2130 SEC_DESC *psd = NULL;
2131 uint32 acc_granted;
2132 uint32 des_access = r->in.access_mask;
2133 size_t sd_size;
2134 bool ret;
2135 NTSTATUS nt_status;
2136 SE_PRIV se_rights;
2137
2138 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2139
2140 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2141 return NT_STATUS_INVALID_HANDLE;
2142
2143 nt_status = access_check_samr_function(acc_granted,
2144 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
2145 "_samr_OpenUser" );
2146
2147 if ( !NT_STATUS_IS_OK(nt_status) )
2148 return nt_status;
2149
2150 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2151 return NT_STATUS_NO_MEMORY;
2152 }
2153
2154 /* append the user's RID to it */
2155
2156 if (!sid_append_rid(&sid, r->in.rid))
2157 return NT_STATUS_NO_SUCH_USER;
2158
2159 /* check if access can be granted as requested by client. */
2160
2161 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
2162
2163 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2164 se_map_generic(&des_access, &usr_generic_mapping);
2165
2166 se_priv_copy( &se_rights, &se_machine_account );
2167 se_priv_add( &se_rights, &se_add_users );
2168
2169 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2170 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2171 &acc_granted, "_samr_OpenUser");
2172
2173 if ( !NT_STATUS_IS_OK(nt_status) )
2174 return nt_status;
2175
2176 become_root();
2177 ret=pdb_getsampwsid(sampass, &sid);
2178 unbecome_root();
2179
2180 /* check that the SID exists in our domain. */
2181 if (ret == False) {
2182 return NT_STATUS_NO_SUCH_USER;
2183 }
2184
2185 TALLOC_FREE(sampass);
2186
2187 /* associate the user's SID and access bits with the new handle. */
2188 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2189 return NT_STATUS_NO_MEMORY;
2190 info->acc_granted = acc_granted;
2191
2192 /* get a (unique) handle. open a policy on it. */
2193 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
2194 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2195
2196 return NT_STATUS_OK;
2197 }
2198
2199 /*************************************************************************
2200 *************************************************************************/
2201
2202 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2203 DATA_BLOB *blob,
2204 struct lsa_BinaryString **_r)
2205 {
2206 struct lsa_BinaryString *r;
2207
2208 if (!blob || !_r) {
2209 return NT_STATUS_INVALID_PARAMETER;
2210 }
2211
2212 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2213 if (!r) {
2214 return NT_STATUS_NO_MEMORY;
2215 }
2216
2217 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2218 if (!r->array) {
2219 return NT_STATUS_NO_MEMORY;
2220 }
2221 memcpy(r->array, blob->data, blob->length);
2222 r->size = blob->length;
2223 r->length = blob->length;
2224
2225 if (!r->array) {
2226 return NT_STATUS_NO_MEMORY;
2227 }
2228
2229 *_r = r;
2230
2231 return NT_STATUS_OK;
2232 }
2233
2234 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2235 struct samr_UserInfo5 *r,
2236 struct samu *pw,
2237 DOM_SID *domain_sid)
2238 {
2239 const DOM_SID *sid_user, *sid_group;
2240 uint32_t rid, primary_gid;
2241 NTTIME last_logon, last_logoff, last_password_change,
2242 acct_expiry;
2243 const char *account_name, *full_name, *home_directory, *home_drive,
2244 *logon_script, *profile_path, *description,
2245 *workstations, *comment;
2246 struct samr_LogonHours logon_hours;
2247
2248 ZERO_STRUCTP(r);
2249
2250 sid_user = pdb_get_user_sid(pw);
2251
2252 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2253 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2254 "the domain sid %s. Failing operation.\n",
2255 pdb_get_username(pw), sid_string_dbg(sid_user),
2256 sid_string_dbg(domain_sid)));
2257 return NT_STATUS_UNSUCCESSFUL;
2258 }
2259
2260 become_root();
2261 sid_group = pdb_get_group_sid(pw);
2262 unbecome_root();
2263
2264 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2265 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2266 "which conflicts with the domain sid %s. Failing operation.\n",
2267 pdb_get_username(pw), sid_string_dbg(sid_group),
2268 sid_string_dbg(domain_sid)));
2269 return NT_STATUS_UNSUCCESSFUL;
2270 }
2271
2272 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2273 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2274 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2275 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2276
2277 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2278 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2279 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2280 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2281 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2282 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2283 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2284 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2285 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2286
2287 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2288
2289 init_samr_user_info5(r,
2290 account_name,
2291 full_name,
2292 rid,
2293 primary_gid,
2294 home_directory,
2295 home_drive,
2296 logon_script,
2297 profile_path,
2298 description,
2299 workstations,
2300 last_logon,
2301 last_logoff,
2302 logon_hours,
2303 pdb_get_bad_password_count(pw),
2304 pdb_get_logon_count(pw),
2305 last_password_change,
2306 acct_expiry,
2307 pdb_get_acct_ctrl(pw));
2308
2309 return NT_STATUS_OK;
2310 }
2311
2312 /*************************************************************************
2313 get_user_info_7. Safe. Only gives out account_name.
2314 *************************************************************************/
2315
2316 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2317 struct samr_UserInfo7 *r,
2318 struct samu *smbpass)
2319 {
2320 const char *account_name = NULL;
2321
2322 ZERO_STRUCTP(r);
2323
2324 account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2325 if (!account_name) {
2326 return NT_STATUS_NO_MEMORY;
2327 }
2328
2329 init_samr_user_info7(r, account_name);
2330
2331 return NT_STATUS_OK;
2332 }
2333
2334 /*************************************************************************
2335 get_user_info_9. Only gives out primary group SID.
2336 *************************************************************************/
2337
2338 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2339 struct samr_UserInfo9 *r,
2340 struct samu *smbpass)
2341 {
2342 ZERO_STRUCTP(r);
2343
2344 init_samr_user_info9(r, pdb_get_group_rid(smbpass));
2345
2346 return NT_STATUS_OK;
2347 }
2348
2349 /*************************************************************************
2350 get_user_info_16. Safe. Only gives out acb bits.
2351 *************************************************************************/
2352
2353 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2354 struct samr_UserInfo16 *r,
2355 struct samu *smbpass)
2356 {
2357 ZERO_STRUCTP(r);
2358
2359 init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass));
2360
2361 return NT_STATUS_OK;
2362 }
2363
2364 /*************************************************************************
2365 get_user_info_18. OK - this is the killer as it gives out password info.
2366 Ensure that this is only allowed on an encrypted connection with a root
2367 user. JRA.
2368 *************************************************************************/
2369
2370 static NTSTATUS get_user_info_18(pipes_struct *p,
2371 TALLOC_CTX *mem_ctx,
2372 struct samr_UserInfo18 *r,
2373 DOM_SID *user_sid)
2374 {
2375 struct samu *smbpass=NULL;
2376 bool ret;
2377
2378 ZERO_STRUCTP(r);
2379
2380 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2381 return NT_STATUS_ACCESS_DENIED;
2382 }
2383
2384 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2385 return NT_STATUS_ACCESS_DENIED;
2386 }
2387
2388 /*
2389 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2390 */
2391
2392 if ( !(smbpass = samu_new( mem_ctx )) ) {
2393 return NT_STATUS_NO_MEMORY;
2394 }
2395
2396 ret = pdb_getsampwsid(smbpass, user_sid);
2397
2398 if (ret == False) {
2399 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2400 TALLOC_FREE(smbpass);
2401 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2402 }
2403
2404 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2405
2406 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2407 TALLOC_FREE(smbpass);
2408 return NT_STATUS_ACCOUNT_DISABLED;
2409 }
2410
2411 init_samr_user_info18(r,
2412 pdb_get_lanman_passwd(smbpass),
2413 pdb_get_nt_passwd(smbpass),
2414 0 /* FIXME */);
2415
2416 TALLOC_FREE(smbpass);
2417
2418 return NT_STATUS_OK;
2419 }
2420
2421 /*************************************************************************
2422 get_user_info_20
2423 *************************************************************************/
2424
2425 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2426 struct samr_UserInfo20 *r,
2427 struct samu *sampass)
2428 {
2429 const char *munged_dial = NULL;
2430 DATA_BLOB blob;
2431 NTSTATUS status;
2432 struct lsa_BinaryString *parameters = NULL;
2433
2434 ZERO_STRUCTP(r);
2435
2436 munged_dial = pdb_get_munged_dial(sampass);
2437
2438 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2439 munged_dial, (int)strlen(munged_dial)));
2440
2441 if (munged_dial) {
2442 blob = base64_decode_data_blob(munged_dial);
2443 } else {
2444 blob = data_blob_string_const("");
2445 }
2446
2447 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2448 data_blob_free(&blob);
2449 if (!NT_STATUS_IS_OK(status)) {
2450 return status;
2451 }
2452
2453 init_samr_user_info20(r, parameters);
2454
2455 return NT_STATUS_OK;
2456 }
2457
2458
2459 /*************************************************************************
2460 get_user_info_21
2461 *************************************************************************/
2462
2463 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2464 struct samr_UserInfo21 *r,
2465 struct samu *pw,
2466 DOM_SID *domain_sid)
2467 {
2468 NTSTATUS status;
2469 const DOM_SID *sid_user, *sid_group;
2470 uint32_t rid, primary_gid;
2471 NTTIME last_logon, last_logoff, last_password_change,
2472 acct_expiry, allow_password_change, force_password_change;
2473 time_t must_change_time;
2474 uint8_t password_expired;
2475 const char *account_name, *full_name, *home_directory, *home_drive,
2476 *logon_script, *profile_path, *description,
2477 *workstations, *comment;
2478 struct samr_LogonHours logon_hours;
2479 struct lsa_BinaryString *parameters = NULL;
2480 const char *munged_dial = NULL;
2481 DATA_BLOB blob;
2482
2483 ZERO_STRUCTP(r);
2484
2485 sid_user = pdb_get_user_sid(pw);
2486
2487 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2488 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2489 "the domain sid %s. Failing operation.\n",
2490 pdb_get_username(pw), sid_string_dbg(sid_user),
2491 sid_string_dbg(domain_sid)));
2492 return NT_STATUS_UNSUCCESSFUL;
2493 }
2494
2495 become_root();
2496 sid_group = pdb_get_group_sid(pw);
2497 unbecome_root();
2498
2499 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2500 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2501 "which conflicts with the domain sid %s. Failing operation.\n",
2502 pdb_get_username(pw), sid_string_dbg(sid_group),
2503 sid_string_dbg(domain_sid)));
2504 return NT_STATUS_UNSUCCESSFUL;
2505 }
2506
2507 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2508 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2509 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2510 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2511 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw));
2512
2513 must_change_time = pdb_get_pass_must_change_time(pw);
2514 if (must_change_time == get_time_t_max()) {
2515 unix_to_nt_time_abs(&force_password_change, must_change_time);
2516 } else {
2517 unix_to_nt_time(&force_password_change, must_change_time);
2518 }
2519
2520 if (pdb_get_pass_must_change_time(pw) == 0) {
2521 password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
2522 } else {
2523 password_expired = 0;
2524 }
2525
2526 munged_dial = pdb_get_munged_dial(pw);
2527 if (munged_dial) {
2528 blob = base64_decode_data_blob(munged_dial);
2529 } else {
2530 blob = data_blob_string_const("");
2531 }
2532
2533 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2534 data_blob_free(&blob);
2535 if (!NT_STATUS_IS_OK(status)) {
2536 return status;
2537 }
2538
2539 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2540 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2541 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2542 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2543 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2544 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2545 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2546 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2547 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2548
2549 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2550 #if 0
2551
2552 /*
2553 Look at a user on a real NT4 PDC with usrmgr, press
2554 'ok'. Then you will see that fields_present is set to
2555 0x08f827fa. Look at the user immediately after that again,
2556 and you will see that 0x00fffff is returned. This solves
2557 the problem that you get access denied after having looked
2558 at the user.
2559 -- Volker
2560 */
2561
2562 #endif
2563
2564 init_samr_user_info21(r,
2565 last_logon,
2566 last_logoff,
2567 last_password_change,
2568 acct_expiry,
2569 allow_password_change,
2570 force_password_change,
2571 account_name,
2572 full_name,
2573 home_directory,
2574 home_drive,
2575 logon_script,
2576 profile_path,
2577 description,
2578 workstations,
2579 comment,
2580 parameters,
2581 rid,
2582 primary_gid,
2583 pdb_get_acct_ctrl(pw),
2584 pdb_build_fields_present(pw),
2585 logon_hours,
2586 pdb_get_bad_password_count(pw),
2587 pdb_get_logon_count(pw),
2588 0, /* country_code */
2589 0, /* code_page */
2590 0, /* lm_password_set */
2591 0, /* nt_password_set */
2592 password_expired);
2593
2594 return NT_STATUS_OK;
2595 }
2596
2597 /*******************************************************************
2598 _samr_QueryUserInfo
2599 ********************************************************************/
2600
2601 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2602 struct samr_QueryUserInfo *r)
2603 {
2604 NTSTATUS status;
2605 union samr_UserInfo *user_info = NULL;
2606 struct samr_info *info = NULL;
2607 DOM_SID domain_sid;
2608 uint32 rid;
2609 bool ret = false;
2610 struct samu *pwd = NULL;
2611
2612 /* search for the handle */
2613 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2614 return NT_STATUS_INVALID_HANDLE;
2615
2616 domain_sid = info->sid;
2617
2618 sid_split_rid(&domain_sid, &rid);
2619
2620 if (!sid_check_is_in_our_domain(&info->sid))
2621 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2622
2623 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2624 sid_string_dbg(&info->sid)));
2625
2626 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2627 if (!user_info) {
2628 return NT_STATUS_NO_MEMORY;
2629 }
2630
2631 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2632
2633 if (!(pwd = samu_new(p->mem_ctx))) {
2634 return NT_STATUS_NO_MEMORY;
2635 }
2636
2637 become_root();
2638 ret = pdb_getsampwsid(pwd, &info->sid);
2639 unbecome_root();
2640
2641 if (ret == false) {
2642 DEBUG(4,("User %s not found\n", sid_string_dbg(&info->sid)));
2643 TALLOC_FREE(pwd);
2644 return NT_STATUS_NO_SUCH_USER;
2645 }
2646
2647 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2648
2649 samr_clear_sam_passwd(pwd);
2650
2651 switch (r->in.level) {
2652 case 5:
2653 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2654 break;
2655 case 7:
2656 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2657 break;
2658 case 9:
2659 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2660 break;
2661 case 16:
2662 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2663 break;
2664 case 18:
2665 /* level 18 is special */
2666 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2667 break;
2668 case 20:
2669 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2670 break;
2671 case 21:
2672 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2673 break;
2674 default:
2675 status = NT_STATUS_INVALID_INFO_CLASS;
2676 break;
2677 }
2678
2679 TALLOC_FREE(pwd);
2680
2681 *r->out.info = user_info;
2682
2683 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2684
2685 return status;
2686 }
2687
2688 /****************************************************************
2689 ****************************************************************/
2690
2691 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2692 struct samr_QueryUserInfo2 *r)
2693 {
2694 struct samr_QueryUserInfo u;
2695
2696 u.in.user_handle = r->in.user_handle;
2697 u.in.level = r->in.level;
2698 u.out.info = r->out.info;
2699
2700 return _samr_QueryUserInfo(p, &u);
2701 }
2702
2703 /*******************************************************************
2704 _samr_GetGroupsForUser
2705 ********************************************************************/
2706
2707 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2708 struct samr_GetGroupsForUser *r)
2709 {
2710 struct samu *sam_pass=NULL;
2711 DOM_SID sid;
2712 DOM_SID *sids;
2713 struct samr_RidWithAttribute dom_gid;
2714 struct samr_RidWithAttribute *gids = NULL;
2715 uint32 primary_group_rid;
2716 size_t num_groups = 0;
2717 gid_t *unix_gids;
2718 size_t i, num_gids;
2719 uint32 acc_granted;
2720 bool ret;
2721 NTSTATUS result;
2722 bool success = False;
2723
2724 struct samr_RidWithAttributeArray *rids = NULL;
2725
2726 /*
2727 * from the SID in the request:
2728 * we should send back the list of DOMAIN GROUPS
2729 * the user is a member of
2730 *
2731 * and only the DOMAIN GROUPS
2732 * no ALIASES !!! neither aliases of the domain
2733 * nor aliases of the builtin SID
2734 *
2735 * JFM, 12/2/2001
2736 */
2737
2738 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2739
2740 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2741 if (!rids) {
2742 return NT_STATUS_NO_MEMORY;
2743 }
2744
2745 /* find the policy handle. open a policy on it. */
2746 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2747 return NT_STATUS_INVALID_HANDLE;
2748
2749 result = access_check_samr_function(acc_granted,
2750 SAMR_USER_ACCESS_GET_GROUPS,
2751 "_samr_GetGroupsForUser");
2752 if (!NT_STATUS_IS_OK(result)) {
2753 return result;
2754 }
2755
2756 if (!sid_check_is_in_our_domain(&sid))
2757 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2758
2759 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2760 return NT_STATUS_NO_MEMORY;
2761 }
2762
2763 become_root();
2764 ret = pdb_getsampwsid(sam_pass, &sid);
2765 unbecome_root();
2766
2767 if (!ret) {
2768 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2769 sid_string_dbg(&sid)));
2770 return NT_STATUS_NO_SUCH_USER;
2771 }
2772
2773 sids = NULL;
2774
2775 /* make both calls inside the root block */
2776 become_root();
2777 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2778 &sids, &unix_gids, &num_groups);
2779 if ( NT_STATUS_IS_OK(result) ) {
2780 success = sid_peek_check_rid(get_global_sam_sid(),
2781 pdb_get_group_sid(sam_pass),
2782 &primary_group_rid);
2783 }
2784 unbecome_root();
2785
2786 if (!NT_STATUS_IS_OK(result)) {
2787 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2788 sid_string_dbg(&sid)));
2789 return result;
2790 }
2791
2792 if ( !success ) {
2793 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2794 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2795 pdb_get_username(sam_pass)));
2796 TALLOC_FREE(sam_pass);
2797 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2798 }
2799
2800 gids = NULL;
2801 num_gids = 0;
2802
2803 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2804 SE_GROUP_ENABLED);
2805 dom_gid.rid = primary_group_rid;
2806 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2807
2808 for (i=0; i<num_groups; i++) {
2809
2810 if (!sid_peek_check_rid(get_global_sam_sid(),
2811 &(sids[i]), &dom_gid.rid)) {
2812 DEBUG(10, ("Found sid %s not in our domain\n",
2813 sid_string_dbg(&sids[i])));
2814 continue;
2815 }
2816
2817 if (dom_gid.rid == primary_group_rid) {
2818 /* We added the primary group directly from the
2819 * sam_account. The other SIDs are unique from
2820 * enum_group_memberships */
2821 continue;
2822 }
2823
2824 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2825 }
2826
2827 rids->count = num_gids;
2828 rids->rids = gids;
2829
2830 *r->out.rids = rids;
2831
2832 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2833
2834 return result;
2835 }
2836
2837 /*******************************************************************
2838 _samr_QueryDomainInfo
2839 ********************************************************************/
2840
2841 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2842 struct samr_QueryDomainInfo *r)
2843 {
2844 NTSTATUS status = NT_STATUS_OK;
2845 struct samr_info *info = NULL;
2846 union samr_DomainInfo *dom_info;
2847 uint32 min_pass_len,pass_hist,password_properties;
2848 time_t u_expire, u_min_age;
2849 NTTIME nt_expire, nt_min_age;
2850
2851 time_t u_lock_duration, u_reset_time;
2852 NTTIME nt_lock_duration, nt_reset_time;
2853 uint32 lockout;
2854 time_t u_logout;
2855 NTTIME nt_logout;
2856
2857 uint32 account_policy_temp;
2858
2859 time_t seq_num;
2860 uint32 server_role;
2861
2862 uint32 num_users=0, num_groups=0, num_aliases=0;
2863
2864 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2865
2866 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2867 if (!dom_info) {
2868 return NT_STATUS_NO_MEMORY;
2869 }
2870
2871 /* find the policy handle. open a policy on it. */
2872 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
2873 return NT_STATUS_INVALID_HANDLE;
2874 }
2875
2876 switch (r->in.level) {
2877 case 0x01:
2878
2879 become_root();
2880
2881 /* AS ROOT !!! */
2882
2883 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2884 min_pass_len = account_policy_temp;
2885
2886 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2887 pass_hist = account_policy_temp;
2888
2889 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2890 password_properties = account_policy_temp;
2891
2892 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2893 u_expire = account_policy_temp;
2894
2895 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2896 u_min_age = account_policy_temp;
2897
2898 /* !AS ROOT */
2899
2900 unbecome_root();
2901
2902 unix_to_nt_time_abs(&nt_expire, u_expire);
2903 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2904
2905 if (lp_check_password_script() && *lp_check_password_script()) {
2906 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2907 }
2908
2909 init_samr_DomInfo1(&dom_info->info1,
2910 (uint16)min_pass_len,
2911 (uint16)pass_hist,
2912 password_properties,
2913 nt_expire,
2914 nt_min_age);
2915 break;
2916 case 0x02:
2917
2918 become_root();
2919
2920 /* AS ROOT !!! */
2921
2922 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2923 num_groups = count_sam_groups(info->disp_info);
2924 num_aliases = count_sam_aliases(info->disp_info);
2925
2926 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2927 u_logout = account_policy_temp;
2928
2929 unix_to_nt_time_abs(&nt_logout, u_logout);
2930
2931 if (!pdb_get_seq_num(&seq_num))
2932 seq_num = time(NULL);
2933
2934 /* !AS ROOT */
2935
2936 unbecome_root();
2937
2938 server_role = ROLE_DOMAIN_PDC;
2939 if (lp_server_role() == ROLE_DOMAIN_BDC)
2940 server_role = ROLE_DOMAIN_BDC;
2941
2942 init_samr_DomInfo2(&dom_info->info2,
2943 nt_logout,
2944 lp_serverstring(),
2945 lp_workgroup(),
2946 global_myname(),
2947 seq_num,
2948 1,
2949 server_role,
2950 1,
2951 num_users,
2952 num_groups,
2953 num_aliases);
2954 break;
2955 case 0x03:
2956
2957 become_root();
2958
2959 /* AS ROOT !!! */
2960
2961 {
2962 uint32 ul;
2963 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
2964 u_logout = (time_t)ul;
2965 }
2966
2967 /* !AS ROOT */
2968
2969 unbecome_root();
2970
2971 unix_to_nt_time_abs(&nt_logout, u_logout);
2972
2973 init_samr_DomInfo3(&dom_info->info3,
2974 nt_logout);
2975
2976 break;
2977 case 0x04:
2978 init_samr_DomInfo4(&dom_info->info4,
2979 lp_serverstring());
2980 break;
2981 case 0x05:
2982 init_samr_DomInfo5(&dom_info->info5,
2983 get_global_sam_name());
2984 break;
2985 case 0x06:
2986 /* NT returns its own name when a PDC. win2k and later
2987 * only the name of the PDC if itself is a BDC (samba4
2988 * idl) */
2989 init_samr_DomInfo6(&dom_info->info6,
2990 global_myname());
2991 break;
2992 case 0x07:
2993 server_role = ROLE_DOMAIN_PDC;
2994 if (lp_server_role() == ROLE_DOMAIN_BDC)
2995 server_role = ROLE_DOMAIN_BDC;
2996
2997 init_samr_DomInfo7(&dom_info->info7,
2998 server_role);
2999 break;
3000 case 0x08:
3001
3002 become_root();
3003
3004 /* AS ROOT !!! */
3005
3006 if (!pdb_get_seq_num(&seq_num)) {
3007 seq_num = time(NULL);
3008 }
3009
3010 /* !AS ROOT */
3011
3012 unbecome_root();
3013
3014 init_samr_DomInfo8(&dom_info->info8,
3015 seq_num,
3016 0);
3017 break;
3018 case 0x0c:
3019
3020 become_root();
3021
3022 /* AS ROOT !!! */
3023
3024 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3025 u_lock_duration = account_policy_temp;
3026 if (u_lock_duration != -1) {
3027 u_lock_duration *= 60;
3028 }
3029
3030 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3031 u_reset_time = account_policy_temp * 60;
3032
3033 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3034 lockout = account_policy_temp;
3035
3036 /* !AS ROOT */
3037
3038 unbecome_root();
3039
3040 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
3041 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
3042
3043 init_samr_DomInfo12(&dom_info->info12,
3044 nt_lock_duration,
3045 nt_reset_time,
3046 (uint16)lockout);
3047 break;
3048 default:
3049 return NT_STATUS_INVALID_INFO_CLASS;
3050 }
3051
3052 *r->out.info = dom_info;
3053
3054 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3055
3056 return status;
3057 }
3058
3059 /* W2k3 seems to use the same check for all 3 objects that can be created via
3060 * SAMR, if you try to create for example "Dialup" as an alias it says
3061 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3062 * database. */
3063
3064 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3065 {
3066 enum lsa_SidType type;
3067 bool result;
3068
3069 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3070
3071 become_root();
3072 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3073 * whether the name already exists */
3074 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3075 NULL, NULL, NULL, &type);
3076 unbecome_root();
3077
3078 if (!result) {
3079 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3080 return NT_STATUS_OK;
3081 }
3082
3083 DEBUG(5, ("trying to create %s, exists as %s\n",
3084 new_name, sid_type_lookup(type)));
3085
3086 if (type == SID_NAME_DOM_GRP) {
3087 return NT_STATUS_GROUP_EXISTS;
3088 }
3089 if (type == SID_NAME_ALIAS) {
3090 return NT_STATUS_ALIAS_EXISTS;
3091 }
3092
3093 /* Yes, the default is NT_STATUS_USER_EXISTS */
3094 return NT_STATUS_USER_EXISTS;
3095 }
3096
3097 /*******************************************************************
3098 _samr_CreateUser2
3099 ********************************************************************/
3100
3101 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3102 struct samr_CreateUser2 *r)
3103 {
3104 const char *account = NULL;
3105 DOM_SID sid;
3106 POLICY_HND dom_pol = *r->in.domain_handle;
3107 uint32_t acb_info = r->in.acct_flags;
3108 POLICY_HND *user_pol = r->out.user_handle;
3109 struct samr_info *info = NULL;
3110 NTSTATUS nt_status;
3111 uint32 acc_granted;
3112 SEC_DESC *psd;
3113 size_t sd_size;
3114 /* check this, when giving away 'add computer to domain' privs */
3115 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3116 bool can_add_account = False;
3117 SE_PRIV se_rights;
3118 DISP_INFO *disp_info = NULL;
3119
3120 /* Get the domain SID stored in the domain policy */
3121 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
3122 &disp_info))
3123 return NT_STATUS_INVALID_HANDLE;
3124
3125 if (disp_info->builtin_domain) {
3126 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3127 return NT_STATUS_ACCESS_DENIED;
3128 }
3129
3130 nt_status = access_check_samr_function(acc_granted,
3131 SAMR_DOMAIN_ACCESS_CREATE_USER,
3132 "_samr_CreateUser2");
3133 if (!NT_STATUS_IS_OK(nt_status)) {
3134 return nt_status;
3135 }
3136
3137 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3138 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3139 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3140 this parameter is not an account type */
3141 return NT_STATUS_INVALID_PARAMETER;
3142 }
3143
3144 account = r->in.account_name->string;
3145 if (account == NULL) {
3146 return NT_STATUS_NO_MEMORY;
3147 }
3148
3149 nt_status = can_create(p->mem_ctx, account);
3150 if (!NT_STATUS_IS_OK(nt_status)) {
3151 return nt_status;
3152 }
3153
3154 /* determine which user right we need to check based on the acb_info */
3155
3156 if ( acb_info & ACB_WSTRUST )
3157 {
3158 se_priv_copy( &se_rights, &se_machine_account );
3159 can_add_account = user_has_privileges(
3160 p->pipe_user.nt_user_token, &se_rights );
3161 }
3162 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3163 account for domain trusts and changes the ACB flags later */
3164 else if ( acb_info & ACB_NORMAL &&
3165 (account[strlen(account)-1] != '$') )
3166 {
3167 se_priv_copy( &se_rights, &se_add_users );
3168 can_add_account = user_has_privileges(
3169 p->pipe_user.nt_user_token, &se_rights );
3170 }
3171 else /* implicit assumption of a BDC or domain trust account here
3172 * (we already check the flags earlier) */
3173 {
3174 if ( lp_enable_privileges() ) {
3175 /* only Domain Admins can add a BDC or domain trust */
3176 se_priv_copy( &se_rights, &se_priv_none );
3177 can_add_account = nt_token_check_domain_rid(
3178 p->pipe_user.nt_user_token,
3179 DOMAIN_GROUP_RID_ADMINS );
3180 }
3181 }
3182
3183 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3184 uidtoname(p->pipe_user.ut.uid),
3185 can_add_account ? "True":"False" ));
3186
3187 /********** BEGIN Admin BLOCK **********/
3188
3189 if ( can_add_account )
3190 become_root();
3191
3192 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3193 r->out.rid);
3194
3195 if ( can_add_account )
3196 unbecome_root();
3197
3198 /********** END Admin BLOCK **********/
3199
3200 /* now check for failure */
3201
3202 if ( !NT_STATUS_IS_OK(nt_status) )
3203 return nt_status;
3204
3205 /* Get the user's SID */
3206
3207 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3208
3209 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3210
3211 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3212 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3213 se_map_generic(&des_access, &usr_generic_mapping);
3214
3215 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3216 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3217 &acc_granted, "_samr_CreateUser2");
3218
3219 if ( !NT_STATUS_IS_OK(nt_status) ) {
3220 return nt_status;
3221 }
3222
3223 /* associate the user's SID with the new handle. */
3224 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
3225 return NT_STATUS_NO_MEMORY;
3226 }
3227
3228 ZERO_STRUCTP(info);
3229 info->sid = sid;
3230 info->acc_granted = acc_granted;
3231
3232 /* get a (unique) handle. open a policy on it. */
3233 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
3234 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3235 }
3236
3237 /* After a "set" ensure we have no cached display info. */
3238 force_flush_samr_cache(info->disp_info);
3239
3240 *r->out.access_granted = acc_granted;
3241
3242 return NT_STATUS_OK;
3243 }
3244
3245 /****************************************************************
3246 ****************************************************************/
3247
3248 NTSTATUS _samr_CreateUser(pipes_struct *p,
3249 struct samr_CreateUser *r)
3250 {
3251 struct samr_CreateUser2 c;
3252 uint32_t access_granted;
3253
3254 c.in.domain_handle = r->in.domain_handle;
3255 c.in.account_name = r->in.account_name;
3256 c.in.acct_flags = ACB_NORMAL;
3257 c.in.access_mask = r->in.access_mask;
3258 c.out.user_handle = r->out.user_handle;
3259 c.out.access_granted = &access_granted;
3260 c.out.rid = r->out.rid;
3261
3262 return _samr_CreateUser2(p, &c);
3263 }
3264
3265 /*******************************************************************
3266 _samr_Connect
3267 ********************************************************************/
3268
3269 NTSTATUS _samr_Connect(pipes_struct *p,
3270 struct samr_Connect *r)
3271 {
3272 struct samr_info *info = NULL;
3273 uint32 des_access = r->in.access_mask;
3274
3275 /* Access check */
3276
3277 if (!pipe_access_check(p)) {
3278 DEBUG(3, ("access denied to _samr_Connect\n"));
3279 return NT_STATUS_ACCESS_DENIED;
3280 }
3281
3282 /* set up the SAMR connect_anon response */
3283
3284 /* associate the user's SID with the new handle. */
3285 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3286 return NT_STATUS_NO_MEMORY;
3287
3288 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3289 was observed from a win98 client trying to enumerate users (when configured
3290 user level access control on shares) --jerry */
3291
3292 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3293
3294 se_map_generic( &des_access, &sam_generic_mapping );
3295 info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
3296
3297 /* get a (unique) handle. open a policy on it. */
3298 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3299 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3300
3301 return NT_STATUS_OK;
3302 }
3303
3304 /*******************************************************************
3305 _samr_Connect2
3306 ********************************************************************/
3307
3308 NTSTATUS _samr_Connect2(pipes_struct *p,
3309 struct samr_Connect2 *r)
3310 {
3311 struct samr_info *info = NULL;
3312 SEC_DESC *psd = NULL;
3313 uint32 acc_granted;
3314 uint32 des_access = r->in.access_mask;
3315 NTSTATUS nt_status;
3316 size_t sd_size;
3317 const char *fn = "_samr_Connect2";
3318
3319 switch (p->hdr_req.opnum) {
3320 case NDR_SAMR_CONNECT2:
3321 fn = "_samr_Connect2";
3322 break;
3323 case NDR_SAMR_CONNECT4:
3324 fn = "_samr_Connect4";
3325 break;
3326 case NDR_SAMR_CONNECT5:
3327 fn = "_samr_Connect5";
3328 break;
3329 }
3330
3331 DEBUG(5,("%s: %d\n", fn, __LINE__));
3332
3333 /* Access check */
3334
3335 if (!pipe_access_check(p)) {
3336 DEBUG(3, ("access denied to %s\n", fn));
3337 return NT_STATUS_ACCESS_DENIED;
3338 }
3339
3340 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3341
3342 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3343 se_map_generic(&des_access, &sam_generic_mapping);
3344
3345 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3346 NULL, 0, des_access, &acc_granted, fn);
3347
3348 if ( !NT_STATUS_IS_OK(nt_status) )
3349 return nt_status;
3350
3351 /* associate the user's SID and access granted with the new handle. */
3352 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3353 return NT_STATUS_NO_MEMORY;
3354
3355 info->acc_granted = acc_granted;
3356 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3357
3358 /* get a (unique) handle. open a policy on it. */
3359 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3360 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3361
3362 DEBUG(5,("%s: %d\n", fn, __LINE__));
3363
3364 return nt_status;
3365 }
3366
3367 /*******************************************************************
3368 _samr_Connect4
3369 ********************************************************************/
3370
3371 NTSTATUS _samr_Connect4(pipes_struct *p,
3372 struct samr_Connect4 *r)
3373 {
3374 struct samr_Connect2 c;
3375
3376 c.in.system_name = r->in.system_name;
3377 c.in.access_mask = r->in.access_mask;
3378 c.out.connect_handle = r->out.connect_handle;
3379
3380 return _samr_Connect2(p, &c);
3381 }
3382
3383 /*******************************************************************
3384 _samr_Connect5
3385 ********************************************************************/
3386
3387 NTSTATUS _samr_Connect5(pipes_struct *p,
3388 struct samr_Connect5 *r)
3389 {
3390 NTSTATUS status;
3391 struct samr_Connect2 c;
3392 struct samr_ConnectInfo1 info1;
3393
3394 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3395 info1.unknown2 = 0;
3396
3397 c.in.system_name = r->in.system_name;
3398 c.in.access_mask = r->in.access_mask;
3399 c.out.connect_handle = r->out.connect_handle;
3400
3401 status = _samr_Connect2(p, &c);
3402 if (!NT_STATUS_IS_OK(status)) {
3403 return status;
3404 }
3405
3406 *r->out.level_out = 1;
3407 r->out.info_out->info1 = info1;
3408
3409 return NT_STATUS_OK;
3410 }
3411
3412 /**********************************************************************
3413 _samr_LookupDomain
3414 **********************************************************************/
3415
3416 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3417 struct samr_LookupDomain *r)
3418 {
3419 NTSTATUS status = NT_STATUS_OK;
3420 struct samr_info *info;
3421 const char *domain_name;
3422 DOM_SID *sid = NULL;
3423
3424 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3425 return NT_STATUS_INVALID_HANDLE;
3426
3427 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3428 Reverted that change so we will work with RAS servers again */
3429
3430 status = access_check_samr_function(info->acc_granted,
3431 SAMR_ACCESS_LOOKUP_DOMAIN,
3432 "_samr_LookupDomain");
3433 if (!NT_STATUS_IS_OK(status)) {
3434 return status;
3435 }
3436
3437 domain_name = r->in.domain_name->string;
3438 if (!domain_name) {
3439 return NT_STATUS_INVALID_PARAMETER;
3440 }
3441
3442 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3443 if (!sid) {
3444 return NT_STATUS_NO_MEMORY;
3445 }
3446
3447 if (strequal(domain_name, builtin_domain_name())) {
3448 sid_copy(sid, &global_sid_Builtin);
3449 } else {
3450 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3451 status = NT_STATUS_NO_SUCH_DOMAIN;
3452 }
3453 }
3454
3455 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3456 sid_string_dbg(sid)));
3457
3458 *r->out.sid = sid;
3459
3460 return status;
3461 }
3462
3463 /**********************************************************************
3464 _samr_EnumDomains
3465 **********************************************************************/
3466
3467 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3468 struct samr_EnumDomains *r)
3469 {
3470 NTSTATUS status;
3471 struct samr_info *info;
3472 uint32_t num_entries = 2;
3473 struct samr_SamEntry *entry_array = NULL;
3474 struct samr_SamArray *sam;
3475
3476 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3477 return NT_STATUS_INVALID_HANDLE;
3478
3479 status = access_check_samr_function(info->acc_granted,
3480 SAMR_ACCESS_ENUM_DOMAINS,
3481 "_samr_EnumDomains");
3482 if (!NT_STATUS_IS_OK(status)) {
3483 return status;
3484 }
3485
3486 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3487 if (!sam) {
3488 return NT_STATUS_NO_MEMORY;
3489 }
3490
3491 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3492 struct samr_SamEntry,
3493 num_entries);
3494 if (!entry_array) {
3495 return NT_STATUS_NO_MEMORY;
3496 }
3497
3498 entry_array[0].idx = 0;
3499 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3500
3501 entry_array[1].idx = 1;
3502 init_lsa_String(&entry_array[1].name, "Builtin");
3503
3504 sam->count = num_entries;
3505 sam->entries = entry_array;
3506
3507 *r->out.sam = sam;
3508 *r->out.num_entries = num_entries;
3509
3510 return status;
3511 }
3512
3513 /*******************************************************************
3514 _samr_OpenAlias
3515 ********************************************************************/
3516
3517 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3518 struct samr_OpenAlias *r)
3519 {
3520 DOM_SID sid;
3521 POLICY_HND domain_pol = *r->in.domain_handle;
3522 uint32 alias_rid = r->in.rid;
3523 POLICY_HND *alias_pol = r->out.alias_handle;
3524 struct samr_info *info = NULL;
3525 SEC_DESC *psd = NULL;
3526 uint32 acc_granted;
3527 uint32 des_access = r->in.access_mask;
3528 size_t sd_size;
3529 NTSTATUS status;
3530 SE_PRIV se_rights;
3531
3532 /* find the domain policy and get the SID / access bits stored in the domain policy */
3533
3534 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
3535 return NT_STATUS_INVALID_HANDLE;
3536
3537 status = access_check_samr_function(acc_granted,
3538 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
3539 "_samr_OpenAlias");
3540
3541 if ( !NT_STATUS_IS_OK(status) )
3542 return status;
3543
3544 /* append the alias' RID to it */
3545
3546 if (!sid_append_rid(&sid, alias_rid))
3547 return NT_STATUS_NO_SUCH_ALIAS;
3548
3549 /*check if access can be granted as requested by client. */
3550
3551 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3552
3553 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3554 se_map_generic(&des_access,&ali_generic_mapping);
3555
3556 se_priv_copy( &se_rights, &se_add_users );
3557
3558
3559 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3560 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3561 &acc_granted, "_samr_OpenAlias");
3562
3563 if ( !NT_STATUS_IS_OK(status) )
3564 return status;
3565
3566 {
3567 /* Check we actually have the requested alias */
3568 enum lsa_SidType type;
3569 bool result;
3570 gid_t gid;
3571
3572 become_root();
3573 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3574 unbecome_root();
3575
3576 if (!result || (type != SID_NAME_ALIAS)) {
3577 return NT_STATUS_NO_SUCH_ALIAS;
3578 }
3579
3580 /* make sure there is a mapping */
3581
3582 if ( !sid_to_gid( &sid, &gid ) ) {
3583 return NT_STATUS_NO_SUCH_ALIAS;
3584 }
3585
3586 }
3587
3588 /* associate the alias SID with the new handle. */
3589 if ((info = get_samr_info_by_sid(&sid)) == NULL)
3590 return NT_STATUS_NO_MEMORY;
3591
3592 info->acc_granted = acc_granted;
3593
3594 /* get a (unique) handle. open a policy on it. */
3595 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
3596 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3597
3598 return NT_STATUS_OK;
3599 }
3600
3601 /*******************************************************************
3602 set_user_info_7
3603 ********************************************************************/
3604
3605 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3606 struct samr_UserInfo7 *id7,
3607 struct samu *pwd)
3608 {
3609 NTSTATUS rc;
3610
3611 if (id7 == NULL) {
3612 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3613 return NT_STATUS_ACCESS_DENIED;
3614 }
3615
3616 if (!id7->account_name.string) {
3617 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3618 return NT_STATUS_ACCESS_DENIED;
3619 }
3620
3621 /* check to see if the new username already exists. Note: we can't
3622 reliably lock all backends, so there is potentially the
3623 possibility that a user can be created in between this check and
3624 the rename. The rename should fail, but may not get the
3625 exact same failure status code. I think this is small enough
3626 of a window for this type of operation and the results are
3627 simply that the rename fails with a slightly different status
3628 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3629
3630 rc = can_create(mem_ctx, id7->account_name.string);
3631 if (!NT_STATUS_IS_OK(rc)) {
3632 return rc;
3633 }
3634
3635 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3636
3637 return rc;
3638 }
3639
3640 /*******************************************************************
3641 set_user_info_16
3642 ********************************************************************/
3643
3644 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3645 struct samu *pwd)
3646 {
3647 if (id16 == NULL) {
3648 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3649 return False;
3650 }
3651
3652 /* FIX ME: check if the value is really changed --metze */
3653 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3654 return False;
3655 }
3656
3657 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3658 return False;
3659 }
3660
3661 return True;
3662 }
3663
3664 /*******************************************************************
3665 set_user_info_18
3666 ********************************************************************/
3667
3668 static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
3669 TALLOC_CTX *mem_ctx,
3670 DATA_BLOB *session_key,
3671 struct samu *pwd)
3672 {
3673 if (id18 == NULL) {
3674 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3675 return NT_STATUS_INVALID_PARAMETER;
3676 }
3677
3678 if (id18->nt_pwd_active || id18->lm_pwd_active) {
3679 if (!session_key->length) {
3680 return NT_STATUS_NO_USER_SESSION_KEY;
3681 }
3682 }
3683
3684 if (id18->nt_pwd_active) {
3685
3686 DATA_BLOB in, out;
3687
3688 in = data_blob_const(id18->nt_pwd.hash, 16);
3689 out = data_blob_talloc_zero(mem_ctx, 16);
3690
3691 sess_crypt_blob(&out, &in, session_key, false);
3692
3693 if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
3694 return NT_STATUS_ACCESS_DENIED;
3695 }
3696
3697 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3698 }
3699
3700 if (id18->lm_pwd_active) {
3701
3702 DATA_BLOB in, out;
3703
3704 in = data_blob_const(id18->lm_pwd.hash, 16);
3705 out = data_blob_talloc_zero(mem_ctx, 16);
3706
3707 sess_crypt_blob(&out, &in, session_key, false);
3708
3709 if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
3710 return NT_STATUS_ACCESS_DENIED;
3711 }
3712
3713 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3714 }
3715
3716 copy_id18_to_sam_passwd(pwd, id18);
3717
3718 return pdb_update_sam_account(pwd);
3719 }
3720
3721 /*******************************************************************
3722 set_user_info_20
3723 ********************************************************************/
3724
3725 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3726 struct samu *pwd)
3727 {
3728 if (id20 == NULL) {
3729 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3730 return False;
3731 }
3732
3733 copy_id20_to_sam_passwd(pwd, id20);
3734
3735 /* write the change out */
3736 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3737 return False;
3738 }
3739
3740 return True;
3741 }
3742
3743 /*******************************************************************
3744 set_user_info_21
3745 ********************************************************************/
3746
3747 static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
3748 struct samr_UserInfo21 *id21,
3749 struct samu *pwd)
3750 {
3751 NTSTATUS status;
3752
3753 if (id21 == NULL) {
3754 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3755 return NT_STATUS_INVALID_PARAMETER;
3756 }
3757
3758 if (id21->fields_present == 0) {
3759 return NT_STATUS_INVALID_PARAMETER;
3760 }
3761
3762 if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
3763 return NT_STATUS_ACCESS_DENIED;
3764 }
3765
3766 /* we need to separately check for an account rename first */
3767
3768 if (id21->account_name.string &&
3769 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3770 {
3771
3772 /* check to see if the new username already exists. Note: we can't
3773 reliably lock all backends, so there is potentially the
3774 possibility that a user can be created in between this check and
3775 the rename. The rename should fail, but may not get the
3776 exact same failure status code. I think this is small enough
3777 of a window for this type of operation and the results are
3778 simply that the rename fails with a slightly different status
3779 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3780
3781 status = can_create(mem_ctx, id21->account_name.string);
3782 if (!NT_STATUS_IS_OK(status)) {
3783 return status;
3784 }
3785
3786 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3787
3788 if (!NT_STATUS_IS_OK(status)) {
3789 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3790 nt_errstr(status)));
3791 return status;
3792 }
3793
3794 /* set the new username so that later
3795 functions can work on the new account */
3796 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3797 }
3798
3799 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3800
3801 /*
3802 * The funny part about the previous two calls is
3803 * that pwd still has the password hashes from the
3804 * passdb entry. These have not been updated from
3805 * id21. I don't know if they need to be set. --jerry
3806 */
3807
3808 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3809 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3810 if ( !NT_STATUS_IS_OK(status) ) {
3811 return status;
3812 }
3813 }
3814
3815 /* Don't worry about writing out the user account since the
3816 primary group SID is generated solely from the user's Unix
3817 primary group. */
3818
3819 /* write the change out */
3820 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3821 return status;
3822 }
3823
3824 return NT_STATUS_OK;
3825 }
3826
3827 /*******************************************************************
3828 set_user_info_23
3829 ********************************************************************/
3830
3831 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3832 struct samr_UserInfo23 *id23,
3833 struct samu *pwd)
3834 {
3835 char *plaintext_buf = NULL;
3836 uint32 len = 0;
3837 uint32_t acct_ctrl;
3838 NTSTATUS status;
3839
3840 if (id23 == NULL) {
3841 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3842 return NT_STATUS_INVALID_PARAMETER;
3843 }
3844
3845 if (id23->info.fields_present == 0) {
3846 return NT_STATUS_INVALID_PARAMETER;
3847 }
3848
3849 if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
3850 return NT_STATUS_ACCESS_DENIED;
3851 }
3852
3853 if ((id23->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
3854 (id23->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
3855
3856 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3857 pdb_get_username(pwd)));
3858
3859 if (!decode_pw_buffer(mem_ctx,
3860 id23->password.data,
3861 &plaintext_buf,
3862 &len,
3863 STR_UNICODE)) {
3864 return NT_STATUS_WRONG_PASSWORD;
3865 }
3866
3867 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3868 return NT_STATUS_ACCESS_DENIED;
3869 }
3870 }
3871
3872 copy_id23_to_sam_passwd(pwd, id23);
3873
3874 acct_ctrl = pdb_get_acct_ctrl(pwd);
3875
3876 /* if it's a trust account, don't update /etc/passwd */
3877 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3878 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3879 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3880 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3881 } else if (plaintext_buf) {
3882 /* update the UNIX password */
3883 if (lp_unix_password_sync() ) {
3884 struct passwd *passwd;
3885 if (pdb_get_username(pwd) == NULL) {
3886 DEBUG(1, ("chgpasswd: User without name???\n"));
3887 return NT_STATUS_ACCESS_DENIED;
3888 }
3889
3890 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3891 if (passwd == NULL) {
3892 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3893 }
3894
3895 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3896 return NT_STATUS_ACCESS_DENIED;
3897 }
3898 TALLOC_FREE(passwd);
3899 }
3900 }
3901
3902 if (plaintext_buf) {
3903 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3904 }
3905
3906 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3907 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3908 pwd)))) {
3909 return status;
3910 }
3911
3912 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3913 return status;
3914 }
3915
3916 return NT_STATUS_OK;
3917 }
3918
3919 /*******************************************************************
3920 set_user_info_pw
3921 ********************************************************************/
3922
3923 static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
3924 {
3925 uint32 len = 0;
3926 char *plaintext_buf = NULL;
3927 uint32 acct_ctrl;
3928
3929 DEBUG(5, ("Attempting administrator password change for user %s\n",
3930 pdb_get_username(pwd)));
3931
3932 acct_ctrl = pdb_get_acct_ctrl(pwd);
3933
3934 if (!decode_pw_buffer(talloc_tos(),
3935 pass,
3936 &plaintext_buf,
3937 &len,
3938 STR_UNICODE)) {
3939 return False;
3940 }
3941
3942 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3943 return False;
3944 }
3945
3946 /* if it's a trust account, don't update /etc/passwd */
3947 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3948 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3949 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3950 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3951 } else {
3952 /* update the UNIX password */
3953 if (lp_unix_password_sync()) {
3954 struct passwd *passwd;
3955
3956 if (pdb_get_username(pwd) == NULL) {
3957 DEBUG(1, ("chgpasswd: User without name???\n"));
3958 return False;
3959 }
3960
3961 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3962 if (passwd == NULL) {
3963 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3964 }
3965
3966 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3967 return False;
3968 }
3969 TALLOC_FREE(passwd);
3970 }
3971 }
3972
3973 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3974
3975 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
3976
3977 return True;
3978 }
3979
3980 /*******************************************************************
3981 set_user_info_24
3982 ********************************************************************/
3983
3984 static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
3985 struct samr_UserInfo24 *id24,
3986 struct samu *pwd)
3987 {
3988 NTSTATUS status;
3989
3990 if (id24 == NULL) {
3991 DEBUG(5, ("set_user_info_24: NULL id24\n"));
3992 return NT_STATUS_INVALID_PARAMETER;
3993 }
3994
3995 if (!set_user_info_pw(id24->password.data, pwd)) {
3996 return NT_STATUS_WRONG_PASSWORD;
3997 }
3998
3999 copy_id24_to_sam_passwd(pwd, id24);
4000
4001 status = pdb_update_sam_account(pwd);
4002 if (!NT_STATUS_IS_OK(status)) {
4003 return status;
4004 }
4005
4006 return NT_STATUS_OK;
4007 }
4008
4009 /*******************************************************************
4010 set_user_info_25
4011 ********************************************************************/
4012
4013 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4014 struct samr_UserInfo25 *id25,
4015 struct samu *pwd)
4016 {
4017 NTSTATUS status;
4018
4019 if (id25 == NULL) {
4020 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4021 return NT_STATUS_INVALID_PARAMETER;
4022 }
4023
4024 if (id25->info.fields_present == 0) {
4025 return NT_STATUS_INVALID_PARAMETER;
4026 }
4027
4028 if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4029 return NT_STATUS_ACCESS_DENIED;
4030 }
4031
4032 if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4033 (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4034
4035 if (!set_user_info_pw(id25->password.data, pwd)) {
4036 return NT_STATUS_WRONG_PASSWORD;
4037 }
4038 }
4039
4040 copy_id25_to_sam_passwd(pwd, id25);
4041
4042 /* write the change out */
4043 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4044 return status;
4045 }
4046
4047 /*
4048 * We need to "pdb_update_sam_account" before the unix primary group
4049 * is set, because the idealx scripts would also change the
4050 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4051 * the delete explicit / add explicit, which would then fail to find
4052 * the previous primaryGroupSid value.
4053 */
4054
4055 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4056 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4057 if ( !NT_STATUS_IS_OK(status) ) {
4058 return status;
4059 }
4060 }
4061
4062 return NT_STATUS_OK;
4063 }
4064
4065 /*******************************************************************
4066 set_user_info_26
4067 ********************************************************************/
4068
4069 static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4070 struct samr_UserInfo26 *id26,
4071 struct samu *pwd)
4072 {
4073 NTSTATUS status;
4074
4075 if (id26 == NULL) {
4076 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4077 return NT_STATUS_INVALID_PARAMETER;
4078 }
4079
4080 if (!set_user_info_pw(id26->password.data, pwd)) {
4081 return NT_STATUS_WRONG_PASSWORD;
4082 }
4083
4084 copy_id26_to_sam_passwd(pwd, id26);
4085
4086 status = pdb_update_sam_account(pwd);
4087 if (!NT_STATUS_IS_OK(status)) {
4088 return status;
4089 }
4090
4091 return NT_STATUS_OK;
4092 }
4093
4094
4095 /*******************************************************************
4096 samr_SetUserInfo
4097 ********************************************************************/
4098
4099 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4100 struct samr_SetUserInfo *r)
4101 {
4102 NTSTATUS status;
4103 struct samu *pwd = NULL;
4104 DOM_SID sid;
4105 POLICY_HND *pol = r->in.user_handle;
4106 union samr_UserInfo *info = r->in.info;
4107 uint16_t switch_value = r->in.level;
4108 uint32_t acc_granted;
4109 uint32_t acc_required;
4110 bool ret;
4111 bool has_enough_rights = False;
4112 uint32_t acb_info;
4113 DISP_INFO *disp_info = NULL;
4114
4115 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
4116
4117 /* find the policy handle. open a policy on it. */
4118 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
4119 return NT_STATUS_INVALID_HANDLE;
4120 }
4121
4122 /* This is tricky. A WinXP domain join sets
4123 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4124 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4125 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4126 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4127 we'll use the set from the WinXP join as the basis. */
4128
4129 switch (switch_value) {
4130 case 18:
4131 case 24:
4132 case 25:
4133 case 26:
4134 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
4135 break;
4136 default:
4137 acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
4138 SAMR_USER_ACCESS_SET_ATTRIBUTES |
4139 SAMR_USER_ACCESS_GET_ATTRIBUTES;
4140 break;
4141 }
4142
4143 status = access_check_samr_function(acc_granted,
4144 acc_required,
4145 "_samr_SetUserInfo");
4146 if (!NT_STATUS_IS_OK(status)) {
4147 return status;
4148 }
4149
4150 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4151 sid_string_dbg(&sid), switch_value));
4152
4153 if (info == NULL) {
4154 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4155 return NT_STATUS_INVALID_INFO_CLASS;
4156 }
4157
4158 if (!(pwd = samu_new(NULL))) {
4159 return NT_STATUS_NO_MEMORY;
4160 }
4161
4162 become_root();
4163 ret = pdb_getsampwsid(pwd, &sid);
4164 unbecome_root();
4165
4166 if (!ret) {
4167 TALLOC_FREE(pwd);
4168 return NT_STATUS_NO_SUCH_USER;
4169 }
4170
4171 /* deal with machine password changes differently from userinfo changes */
4172 /* check to see if we have the sufficient rights */
4173
4174 acb_info = pdb_get_acct_ctrl(pwd);
4175 if (acb_info & ACB_WSTRUST)
4176 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4177 &se_machine_account);
4178 else if (acb_info & ACB_NORMAL)
4179 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4180 &se_add_users);
4181 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4182 if (lp_enable_privileges()) {
4183 has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
4184 DOMAIN_GROUP_RID_ADMINS);
4185 }
4186 }
4187
4188 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4189 uidtoname(p->pipe_user.ut.uid),
4190 has_enough_rights ? "" : " not"));
4191
4192 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4193
4194 if (has_enough_rights) {
4195 become_root();
4196 }
4197
4198 /* ok! user info levels (lots: see MSDEV help), off we go... */
4199
4200 switch (switch_value) {
4201
4202 case 7:
4203 status = set_user_info_7(p->mem_ctx,
4204 &info->info7, pwd);
4205 break;
4206
4207 case 16:
4208 if (!set_user_info_16(&info->info16, pwd)) {
4209 status = NT_STATUS_ACCESS_DENIED;
4210 }
4211 break;
4212
4213 case 18:
4214 /* Used by AS/U JRA. */
4215 status = set_user_info_18(&info->info18,
4216 p->mem_ctx,
4217 &p->server_info->user_session_key,
4218 pwd);
4219 break;
4220
4221 case 20:
4222 if (!set_user_info_20(&info->info20, pwd)) {
4223 status = NT_STATUS_ACCESS_DENIED;
4224 }
4225 break;
4226
4227 case 21:
4228 status = set_user_info_21(p->mem_ctx,
4229 &info->info21, pwd);
4230 break;
4231
4232 case 23:
4233 if (!p->server_info->user_session_key.length) {
4234 status = NT_STATUS_NO_USER_SESSION_KEY;
4235 }
4236 SamOEMhashBlob(info->info23.password.data, 516,
4237 &p->server_info->user_session_key);
4238
4239 dump_data(100, info->info23.password.data, 516);
4240
4241 status = set_user_info_23(p->mem_ctx,
4242 &info->info23, pwd);
4243 break;
4244
4245 case 24:
4246 if (!p->server_info->user_session_key.length) {
4247 status = NT_STATUS_NO_USER_SESSION_KEY;
4248 }
4249 SamOEMhashBlob(info->info24.password.data,
4250 516,
4251 &p->server_info->user_session_key);
4252
4253 dump_data(100, info->info24.password.data, 516);
4254
4255 status = set_user_info_24(p->mem_ctx,
4256 &info->info24, pwd);
4257 break;
4258
4259 case 25:
4260 if (!p->server_info->user_session_key.length) {
4261 status = NT_STATUS_NO_USER_SESSION_KEY;
4262 }
4263 encode_or_decode_arc4_passwd_buffer(
4264 info->info25.password.data,
4265 &p->server_info->user_session_key);
4266
4267 dump_data(100, info->info25.password.data, 532);
4268
4269 status = set_user_info_25(p->mem_ctx,
4270 &info->info25, pwd);
4271 break;
4272
4273 case 26:
4274 if (!p->server_info->user_session_key.length) {
4275 status = NT_STATUS_NO_USER_SESSION_KEY;
4276 }
4277 encode_or_decode_arc4_passwd_buffer(
4278 info->info26.password.data,
4279 &p->server_info->user_session_key);
4280
4281 dump_data(100, info->info26.password.data, 516);
4282
4283 status = set_user_info_26(p->mem_ctx,
4284 &info->info26, pwd);
4285 break;
4286
4287 default:
4288 status = NT_STATUS_INVALID_INFO_CLASS;
4289 }
4290
4291 TALLOC_FREE(pwd);
4292
4293 if (has_enough_rights) {
4294 unbecome_root();
4295 }
4296
4297 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4298
4299 if (NT_STATUS_IS_OK(status)) {
4300 force_flush_samr_cache(disp_info);
4301 }
4302
4303 return status;
4304 }
4305
4306 /*******************************************************************
4307 _samr_SetUserInfo2
4308 ********************************************************************/
4309
4310 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4311 struct samr_SetUserInfo2 *r)
4312 {
4313 struct samr_SetUserInfo q;
4314
4315 q.in.user_handle = r->in.user_handle;
4316 q.in.level = r->in.level;
4317 q.in.info = r->in.info;
4318
4319 return _samr_SetUserInfo(p, &q);
4320 }
4321
4322 /*********************************************************************
4323 _samr_GetAliasMembership
4324 *********************************************************************/
4325
4326 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4327 struct samr_GetAliasMembership *r)
4328 {
4329 size_t num_alias_rids;
4330 uint32 *alias_rids;
4331 struct samr_info *info = NULL;
4332 size_t i;
4333
4334 NTSTATUS ntstatus1;
4335 NTSTATUS ntstatus2;
4336
4337 DOM_SID *members;
4338
4339 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4340
4341 /* find the policy handle. open a policy on it. */
4342 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4343 return NT_STATUS_INVALID_HANDLE;
4344
4345 ntstatus1 = access_check_samr_function(info->acc_granted,
4346 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
4347 "_samr_GetAliasMembership");
4348 ntstatus2 = access_check_samr_function(info->acc_granted,
4349 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
4350 "_samr_GetAliasMembership");
4351
4352 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4353 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4354 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4355 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4356 }
4357 }
4358
4359 if (!sid_check_is_domain(&info->sid) &&
4360 !sid_check_is_builtin(&info->sid))
4361 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4362
4363 if (r->in.sids->num_sids) {
4364 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4365
4366 if (members == NULL)
4367 return NT_STATUS_NO_MEMORY;
4368 } else {
4369 members = NULL;
4370 }
4371
4372 for (i=0; i<r->in.sids->num_sids; i++)
4373 sid_copy(&members[i], r->in.sids->sids[i].sid);
4374
4375 alias_rids = NULL;
4376 num_alias_rids = 0;
4377
4378 become_root();
4379 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4380 r->in.sids->num_sids,
4381 &alias_rids, &num_alias_rids);
4382 unbecome_root();
4383
4384 if (!NT_STATUS_IS_OK(ntstatus1)) {
4385 return ntstatus1;
4386 }
4387
4388 r->out.rids->count = num_alias_rids;
4389 r->out.rids->ids = alias_rids;
4390
4391 return NT_STATUS_OK;
4392 }
4393
4394 /*********************************************************************
4395 _samr_GetMembersInAlias
4396 *********************************************************************/
4397
4398 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4399 struct samr_GetMembersInAlias *r)
4400 {
4401 NTSTATUS status;
4402 size_t i;
4403 size_t num_sids = 0;
4404 struct lsa_SidPtr *sids = NULL;
4405 DOM_SID *pdb_sids = NULL;
4406
4407 DOM_SID alias_sid;
4408
4409 uint32 acc_granted;
4410
4411 /* find the policy handle. open a policy on it. */
4412 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4413 return NT_STATUS_INVALID_HANDLE;
4414
4415 status = access_check_samr_function(acc_granted,
4416 SAMR_ALIAS_ACCESS_GET_MEMBERS,
4417 "_samr_GetMembersInAlias");
4418 if (!NT_STATUS_IS_OK(status)) {
4419 return status;
4420 }
4421
4422 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4423
4424 become_root();
4425 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4426 unbecome_root();
4427
4428 if (!NT_STATUS_IS_OK(status)) {
4429 return status;
4430 }
4431
4432 if (num_sids) {
4433 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4434 if (sids == NULL) {
4435 TALLOC_FREE(pdb_sids);
4436 return NT_STATUS_NO_MEMORY;
4437 }
4438 }
4439
4440 for (i = 0; i < num_sids; i++) {
4441 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4442 if (!sids[i].sid) {
4443 TALLOC_FREE(pdb_sids);
4444 return NT_STATUS_NO_MEMORY;
4445 }
4446 }
4447
4448 r->out.sids->num_sids = num_sids;
4449 r->out.sids->sids = sids;
4450
4451 TALLOC_FREE(pdb_sids);
4452
4453 return NT_STATUS_OK;
4454 }
4455
4456 /*********************************************************************
4457 _samr_QueryGroupMember
4458 *********************************************************************/
4459
4460 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4461 struct samr_QueryGroupMember *r)
4462 {
4463 DOM_SID group_sid;
4464 size_t i, num_members;
4465
4466 uint32 *rid=NULL;
4467 uint32 *attr=NULL;
4468
4469 uint32 acc_granted;
4470
4471 NTSTATUS status;
4472 struct samr_RidTypeArray *rids = NULL;
4473
4474 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4475 if (!rids) {
4476 return NT_STATUS_NO_MEMORY;
4477 }
4478
4479 /* find the policy handle. open a policy on it. */
4480 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4481 return NT_STATUS_INVALID_HANDLE;
4482
4483 status = access_check_samr_function(acc_granted,
4484 SAMR_GROUP_ACCESS_GET_MEMBERS,
4485 "_samr_QueryGroupMember");
4486 if (!NT_STATUS_IS_OK(status)) {
4487 return status;
4488 }
4489
4490 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4491
4492 if (!sid_check_is_in_our_domain(&group_sid)) {
4493 DEBUG(3, ("sid %s is not in our domain\n",
4494 sid_string_dbg(&group_sid)));
4495 return NT_STATUS_NO_SUCH_GROUP;
4496 }
4497
4498 DEBUG(10, ("lookup on Domain SID\n"));
4499
4500 become_root();
4501 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4502 &rid, &num_members);
4503 unbecome_root();
4504
4505 if (!NT_STATUS_IS_OK(status))
4506 return status;
4507
4508 if (num_members) {
4509 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4510 if (attr == NULL) {
4511 return NT_STATUS_NO_MEMORY;
4512 }
4513 } else {
4514 attr = NULL;
4515 }
4516
4517 for (i=0; i<num_members; i++)
4518 attr[i] = SID_NAME_USER;
4519
4520 rids->count = num_members;
4521 rids->types = attr;
4522 rids->rids = rid;
4523
4524 *r->out.rids = rids;
4525
4526 return NT_STATUS_OK;
4527 }
4528
4529 /*********************************************************************
4530 _samr_AddAliasMember
4531 *********************************************************************/
4532
4533 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4534 struct samr_AddAliasMember *r)
4535 {
4536 DOM_SID alias_sid;
4537 uint32 acc_granted;
4538 SE_PRIV se_rights;
4539 bool can_add_accounts;
4540 NTSTATUS status;
4541 DISP_INFO *disp_info = NULL;
4542
4543 /* Find the policy handle. Open a policy on it. */
4544 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4545 return NT_STATUS_INVALID_HANDLE;
4546
4547 status = access_check_samr_function(acc_granted,
4548 SAMR_ALIAS_ACCESS_ADD_MEMBER,
4549 "_samr_AddAliasMember");
4550 if (!NT_STATUS_IS_OK(status)) {
4551 return status;
4552 }
4553
4554 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4555
4556 se_priv_copy( &se_rights, &se_add_users );
4557 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4558
4559 /******** BEGIN SeAddUsers BLOCK *********/
4560
4561 if ( can_add_accounts )
4562 become_root();
4563
4564 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4565
4566 if ( can_add_accounts )
4567 unbecome_root();
4568
4569 /******** END SeAddUsers BLOCK *********/
4570
4571 if (NT_STATUS_IS_OK(status)) {
4572 force_flush_samr_cache(disp_info);
4573 }
4574
4575 return status;
4576 }
4577
4578 /*********************************************************************
4579 _samr_DeleteAliasMember
4580 *********************************************************************/
4581
4582 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4583 struct samr_DeleteAliasMember *r)
4584 {
4585 DOM_SID alias_sid;
4586 uint32 acc_granted;
4587 SE_PRIV se_rights;
4588 bool can_add_accounts;
4589 NTSTATUS status;
4590 DISP_INFO *disp_info = NULL;
4591
4592 /* Find the policy handle. Open a policy on it. */
4593 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4594 return NT_STATUS_INVALID_HANDLE;
4595
4596 status = access_check_samr_function(acc_granted,
4597 SAMR_ALIAS_ACCESS_REMOVE_MEMBER,
4598 "_samr_DeleteAliasMember");
4599 if (!NT_STATUS_IS_OK(status)) {
4600 return status;
4601 }
4602
4603 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4604 sid_string_dbg(&alias_sid)));
4605
4606 se_priv_copy( &se_rights, &se_add_users );
4607 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4608
4609 /******** BEGIN SeAddUsers BLOCK *********/
4610
4611 if ( can_add_accounts )
4612 become_root();
4613
4614 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4615
4616 if ( can_add_accounts )
4617 unbecome_root();
4618
4619 /******** END SeAddUsers BLOCK *********/
4620
4621 if (NT_STATUS_IS_OK(status)) {
4622 force_flush_samr_cache(disp_info);
4623 }
4624
4625 return status;
4626 }
4627
4628 /*********************************************************************
4629 _samr_AddGroupMember
4630 *********************************************************************/
4631
4632 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4633 struct samr_AddGroupMember *r)
4634 {
4635 NTSTATUS status;
4636 DOM_SID group_sid;
4637 uint32 group_rid;
4638 uint32 acc_granted;
4639 SE_PRIV se_rights;
4640 bool can_add_accounts;
4641 DISP_INFO *disp_info = NULL;
4642
4643 /* Find the policy handle. Open a policy on it. */
4644 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4645 return NT_STATUS_INVALID_HANDLE;
4646
4647 status = access_check_samr_function(acc_granted,
4648 SAMR_GROUP_ACCESS_ADD_MEMBER,
4649 "_samr_AddGroupMember");
4650 if (!NT_STATUS_IS_OK(status)) {
4651 return status;
4652 }
4653
4654 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4655
4656 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4657 &group_rid)) {
4658 return NT_STATUS_INVALID_HANDLE;
4659 }
4660
4661 se_priv_copy( &se_rights, &se_add_users );
4662 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4663
4664 /******** BEGIN SeAddUsers BLOCK *********/
4665
4666 if ( can_add_accounts )
4667 become_root();
4668
4669 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4670
4671 if ( can_add_accounts )
4672 unbecome_root();
4673
4674 /******** END SeAddUsers BLOCK *********/
4675
4676 force_flush_samr_cache(disp_info);
4677
4678 return status;
4679 }
4680
4681 /*********************************************************************
4682 _samr_DeleteGroupMember
4683 *********************************************************************/
4684
4685 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4686 struct samr_DeleteGroupMember *r)
4687
4688 {
4689 NTSTATUS status;
4690 DOM_SID group_sid;
4691 uint32 group_rid;
4692 uint32 acc_granted;
4693 SE_PRIV se_rights;
4694 bool can_add_accounts;
4695 DISP_INFO *disp_info = NULL;
4696
4697 /*
4698 * delete the group member named r->in.rid
4699 * who is a member of the sid associated with the handle
4700 * the rid is a user's rid as the group is a domain group.
4701 */
4702
4703 /* Find the policy handle. Open a policy on it. */
4704 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4705 return NT_STATUS_INVALID_HANDLE;
4706
4707 status = access_check_samr_function(acc_granted,
4708 SAMR_GROUP_ACCESS_REMOVE_MEMBER,
4709 "_samr_DeleteGroupMember");
4710 if (!NT_STATUS_IS_OK(status)) {
4711 return status;
4712 }
4713
4714 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4715 &group_rid)) {
4716 return NT_STATUS_INVALID_HANDLE;
4717 }
4718
4719 se_priv_copy( &se_rights, &se_add_users );
4720 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4721
4722 /******** BEGIN SeAddUsers BLOCK *********/
4723
4724 if ( can_add_accounts )
4725 become_root();
4726
4727 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4728
4729 if ( can_add_accounts )
4730 unbecome_root();
4731
4732 /******** END SeAddUsers BLOCK *********/
4733
4734 force_flush_samr_cache(disp_info);
4735
4736 return status;
4737 }
4738
4739 /*********************************************************************
4740 _samr_DeleteUser
4741 *********************************************************************/
4742
4743 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4744 struct samr_DeleteUser *r)
4745 {
4746 NTSTATUS status;
4747 DOM_SID user_sid;
4748 struct samu *sam_pass=NULL;
4749 uint32 acc_granted;
4750 bool can_add_accounts;
4751 uint32 acb_info;
4752 DISP_INFO *disp_info = NULL;
4753 bool ret;
4754
4755 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4756
4757 /* Find the policy handle. Open a policy on it. */
4758 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4759 return NT_STATUS_INVALID_HANDLE;
4760
4761 status = access_check_samr_function(acc_granted,
4762 STD_RIGHT_DELETE_ACCESS,
4763 "_samr_DeleteUser");
4764 if (!NT_STATUS_IS_OK(status)) {
4765 return status;
4766 }
4767
4768 if (!sid_check_is_in_our_domain(&user_sid))
4769 return NT_STATUS_CANNOT_DELETE;
4770
4771 /* check if the user exists before trying to delete */
4772 if ( !(sam_pass = samu_new( NULL )) ) {
4773 return NT_STATUS_NO_MEMORY;
4774 }
4775
4776 become_root();
4777 ret = pdb_getsampwsid(sam_pass, &user_sid);
4778 unbecome_root();
4779
4780 if( !ret ) {
4781 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4782 sid_string_dbg(&user_sid)));
4783 TALLOC_FREE(sam_pass);
4784 return NT_STATUS_NO_SUCH_USER;
4785 }
4786
4787 acb_info = pdb_get_acct_ctrl(sam_pass);
4788
4789 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4790 if ( acb_info & ACB_WSTRUST ) {
4791 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
4792 } else {
4793 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4794 }
4795
4796 /******** BEGIN SeAddUsers BLOCK *********/
4797
4798 if ( can_add_accounts )
4799 become_root();
4800
4801 status = pdb_delete_user(p->mem_ctx, sam_pass);
4802
4803 if ( can_add_accounts )
4804 unbecome_root();
4805
4806 /******** END SeAddUsers BLOCK *********/
4807
4808 if ( !NT_STATUS_IS_OK(status) ) {
4809 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4810 "user %s: %s.\n", pdb_get_username(sam_pass),
4811 nt_errstr(status)));
4812 TALLOC_FREE(sam_pass);
4813 return status;
4814 }
4815
4816
4817 TALLOC_FREE(sam_pass);
4818
4819 if (!close_policy_hnd(p, r->in.user_handle))
4820 return NT_STATUS_OBJECT_NAME_INVALID;
4821
4822 ZERO_STRUCTP(r->out.user_handle);
4823
4824 force_flush_samr_cache(disp_info);
4825
4826 return NT_STATUS_OK;
4827 }
4828
4829 /*********************************************************************
4830 _samr_DeleteDomainGroup
4831 *********************************************************************/
4832
4833 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4834 struct samr_DeleteDomainGroup *r)
4835 {
4836 NTSTATUS status;
4837 DOM_SID group_sid;
4838 uint32 group_rid;
4839 uint32 acc_granted;
4840 SE_PRIV se_rights;
4841 bool can_add_accounts;
4842 DISP_INFO *disp_info = NULL;
4843
4844 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4845
4846 /* Find the policy handle. Open a policy on it. */
4847 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4848 return NT_STATUS_INVALID_HANDLE;
4849
4850 status = access_check_samr_function(acc_granted,
4851 STD_RIGHT_DELETE_ACCESS,
4852 "_samr_DeleteDomainGroup");
4853 if (!NT_STATUS_IS_OK(status)) {
4854 return status;
4855 }
4856
4857 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4858
4859 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4860 &group_rid)) {
4861 return NT_STATUS_NO_SUCH_GROUP;
4862 }
4863
4864 se_priv_copy( &se_rights, &se_add_users );
4865 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4866
4867 /******** BEGIN SeAddUsers BLOCK *********/
4868
4869 if ( can_add_accounts )
4870 become_root();
4871
4872 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4873
4874 if ( can_add_accounts )
4875 unbecome_root();
4876
4877 /******** END SeAddUsers BLOCK *********/
4878
4879 if ( !NT_STATUS_IS_OK(status) ) {
4880 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4881 "entry for group %s: %s\n",
4882 sid_string_dbg(&group_sid),
4883 nt_errstr(status)));
4884 return status;
4885 }
4886
4887 if (!close_policy_hnd(p, r->in.group_handle))
4888 return NT_STATUS_OBJECT_NAME_INVALID;
4889
4890 force_flush_samr_cache(disp_info);
4891
4892 return NT_STATUS_OK;
4893 }
4894
4895 /*********************************************************************
4896 _samr_DeleteDomAlias
4897 *********************************************************************/
4898
4899 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4900 struct samr_DeleteDomAlias *r)
4901 {
4902 DOM_SID alias_sid;
4903 uint32 acc_granted;
4904 SE_PRIV se_rights;
4905 bool can_add_accounts;
4906 NTSTATUS status;
4907 DISP_INFO *disp_info = NULL;
4908
4909 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4910
4911 /* Find the policy handle. Open a policy on it. */
4912 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4913 return NT_STATUS_INVALID_HANDLE;
4914
4915 /* copy the handle to the outgoing reply */
4916
4917 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4918
4919 status = access_check_samr_function(acc_granted,
4920 STD_RIGHT_DELETE_ACCESS,
4921 "_samr_DeleteDomAlias");
4922 if (!NT_STATUS_IS_OK(status)) {
4923 return status;
4924 }
4925
4926 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4927
4928 /* Don't let Windows delete builtin groups */
4929
4930 if ( sid_check_is_in_builtin( &alias_sid ) ) {
4931 return NT_STATUS_SPECIAL_ACCOUNT;
4932 }
4933
4934 if (!sid_check_is_in_our_domain(&alias_sid))
4935 return NT_STATUS_NO_SUCH_ALIAS;
4936
4937 DEBUG(10, ("lookup on Local SID\n"));
4938
4939 se_priv_copy( &se_rights, &se_add_users );
4940 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4941
4942 /******** BEGIN SeAddUsers BLOCK *********/
4943
4944 if ( can_add_accounts )
4945 become_root();
4946
4947 /* Have passdb delete the alias */
4948 status = pdb_delete_alias(&alias_sid);
4949
4950 if ( can_add_accounts )
4951 unbecome_root();
4952
4953 /******** END SeAddUsers BLOCK *********/
4954
4955 if ( !NT_STATUS_IS_OK(status))
4956 return status;
4957
4958 if (!close_policy_hnd(p, r->in.alias_handle))
4959 return NT_STATUS_OBJECT_NAME_INVALID;
4960
4961 force_flush_samr_cache(disp_info);
4962
4963 return NT_STATUS_OK;
4964 }
4965
4966 /*********************************************************************
4967 _samr_CreateDomainGroup
4968 *********************************************************************/
4969
4970 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
4971 struct samr_CreateDomainGroup *r)
4972
4973 {
4974 NTSTATUS status;
4975 DOM_SID dom_sid;
4976 DOM_SID info_sid;
4977 const char *name;
4978 struct samr_info *info;
4979 uint32 acc_granted;
4980 SE_PRIV se_rights;
4981 bool can_add_accounts;
4982 DISP_INFO *disp_info = NULL;
4983
4984 /* Find the policy handle. Open a policy on it. */
4985 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
4986 return NT_STATUS_INVALID_HANDLE;
4987
4988 status = access_check_samr_function(acc_granted,
4989 SAMR_DOMAIN_ACCESS_CREATE_GROUP,
4990 "_samr_CreateDomainGroup");
4991 if (!NT_STATUS_IS_OK(status)) {
4992 return status;
4993 }
4994
4995 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4996 return NT_STATUS_ACCESS_DENIED;
4997
4998 name = r->in.name->string;
4999 if (name == NULL) {
5000 return NT_STATUS_NO_MEMORY;
5001 }
5002
5003 status = can_create(p->mem_ctx, name);
5004 if (!NT_STATUS_IS_OK(status)) {
5005 return status;
5006 }
5007
5008 se_priv_copy( &se_rights, &se_add_users );
5009 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5010
5011 /******** BEGIN SeAddUsers BLOCK *********/
5012
5013 if ( can_add_accounts )
5014 become_root();
5015
5016 /* check that we successfully create the UNIX group */
5017
5018 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5019
5020 if ( can_add_accounts )
5021 unbecome_root();
5022
5023 /******** END SeAddUsers BLOCK *********/
5024
5025 /* check if we should bail out here */
5026
5027 if ( !NT_STATUS_IS_OK(status) )
5028 return status;
5029
5030 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5031
5032 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5033 return NT_STATUS_NO_MEMORY;
5034
5035 /* they created it; let the user do what he wants with it */
5036
5037 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5038
5039 /* get a (unique) handle. open a policy on it. */
5040 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5041 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5042
5043 force_flush_samr_cache(disp_info);
5044
5045 return NT_STATUS_OK;
5046 }
5047
5048 /*********************************************************************
5049 _samr_CreateDomAlias
5050 *********************************************************************/
5051
5052 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5053 struct samr_CreateDomAlias *r)
5054 {
5055 DOM_SID dom_sid;
5056 DOM_SID info_sid;
5057 const char *name = NULL;
5058 struct samr_info *info;
5059 uint32 acc_granted;
5060 gid_t gid;
5061 NTSTATUS result;
5062 SE_PRIV se_rights;
5063 bool can_add_accounts;
5064 DISP_INFO *disp_info = NULL;
5065
5066 /* Find the policy handle. Open a policy on it. */
5067 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5068 return NT_STATUS_INVALID_HANDLE;
5069
5070 result = access_check_samr_function(acc_granted,
5071 SAMR_DOMAIN_ACCESS_CREATE_ALIAS,
5072 "_samr_CreateDomAlias");
5073 if (!NT_STATUS_IS_OK(result)) {
5074 return result;
5075 }
5076
5077 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5078 return NT_STATUS_ACCESS_DENIED;
5079
5080 name = r->in.alias_name->string;
5081
5082 se_priv_copy( &se_rights, &se_add_users );
5083 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5084
5085 result = can_create(p->mem_ctx, name);
5086 if (!NT_STATUS_IS_OK(result)) {
5087 return result;
5088 }
5089
5090 /******** BEGIN SeAddUsers BLOCK *********/
5091
5092 if ( can_add_accounts )
5093 become_root();
5094
5095 /* Have passdb create the alias */
5096 result = pdb_create_alias(name, r->out.rid);
5097
5098 if ( can_add_accounts )
5099 unbecome_root();
5100
5101 /******** END SeAddUsers BLOCK *********/
5102
5103 if (!NT_STATUS_IS_OK(result)) {
5104 DEBUG(10, ("pdb_create_alias failed: %s\n",
5105 nt_errstr(result)));
5106 return result;
5107 }
5108
5109 sid_copy(&info_sid, get_global_sam_sid());
5110 sid_append_rid(&info_sid, *r->out.rid);
5111
5112 if (!sid_to_gid(&info_sid, &gid)) {
5113 DEBUG(10, ("Could not find alias just created\n"));
5114 return NT_STATUS_ACCESS_DENIED;
5115 }
5116
5117 /* check if the group has been successfully created */
5118 if ( getgrgid(gid) == NULL ) {
5119 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5120 gid));
5121 return NT_STATUS_ACCESS_DENIED;
5122 }
5123
5124 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5125 return NT_STATUS_NO_MEMORY;
5126
5127 /* they created it; let the user do what he wants with it */
5128
5129 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5130
5131 /* get a (unique) handle. open a policy on it. */
5132 if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info))
5133 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5134
5135 force_flush_samr_cache(disp_info);
5136
5137 return NT_STATUS_OK;
5138 }
5139
5140 /*********************************************************************
5141 _samr_QueryGroupInfo
5142 *********************************************************************/
5143
5144 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5145 struct samr_QueryGroupInfo *r)
5146 {
5147 NTSTATUS status;
5148 DOM_SID group_sid;
5149 GROUP_MAP map;
5150 union samr_GroupInfo *info = NULL;
5151 uint32 acc_granted;
5152 bool ret;
5153 uint32_t attributes = SE_GROUP_MANDATORY |
5154 SE_GROUP_ENABLED_BY_DEFAULT |
5155 SE_GROUP_ENABLED;
5156 const char *group_name = NULL;
5157 const char *group_description = NULL;
5158
5159 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5160 return NT_STATUS_INVALID_HANDLE;
5161
5162 status = access_check_samr_function(acc_granted,
5163 SAMR_GROUP_ACCESS_LOOKUP_INFO,
5164 "_samr_QueryGroupInfo");
5165 if (!NT_STATUS_IS_OK(status)) {
5166 return status;
5167 }
5168
5169 become_root();
5170 ret = get_domain_group_from_sid(group_sid, &map);
5171 unbecome_root();
5172 if (!ret)
5173 return NT_STATUS_INVALID_HANDLE;
5174
5175 /* FIXME: map contains fstrings */
5176 group_name = talloc_strdup(r, map.nt_name);
5177 group_description = talloc_strdup(r, map.comment);
5178
5179 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5180 if (!info) {
5181 return NT_STATUS_NO_MEMORY;
5182 }
5183
5184 switch (r->in.level) {
5185 case 1: {
5186 uint32 *members;
5187 size_t num_members;
5188
5189 become_root();
5190 status = pdb_enum_group_members(
5191 p->mem_ctx, &group_sid, &members, &num_members);
5192 unbecome_root();
5193
5194 if (!NT_STATUS_IS_OK(status)) {
5195 return status;
5196 }
5197
5198 init_samr_group_info1(&info->all,
5199 group_name,
5200 attributes,
5201 num_members,
5202 group_description);
5203 break;
5204 }
5205 case 2:
5206 init_samr_group_info2(&info->name,
5207 group_name);
5208 break;
5209 case 3:
5210 init_samr_group_info3(&info->attributes,
5211 attributes);
5212 break;
5213 case 4:
5214 init_samr_group_info4(&info->description,
5215 group_description);
5216 break;
5217 case 5: {
5218 /*
5219 uint32 *members;
5220 size_t num_members;
5221 */
5222
5223 /*
5224 become_root();
5225 status = pdb_enum_group_members(
5226 p->mem_ctx, &group_sid, &members, &num_members);
5227 unbecome_root();
5228
5229 if (!NT_STATUS_IS_OK(status)) {
5230 return status;
5231 }
5232 */
5233 init_samr_group_info5(&info->all2,
5234 group_name,
5235 attributes,
5236 0, /* num_members - in w2k3 this is always 0 */
5237 group_description);
5238
5239 break;
5240 }
5241 default:
5242 return NT_STATUS_INVALID_INFO_CLASS;
5243 }
5244
5245 *r->out.info = info;
5246
5247 return NT_STATUS_OK;
5248 }
5249
5250 /*********************************************************************
5251 _samr_SetGroupInfo
5252 *********************************************************************/
5253
5254 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5255 struct samr_SetGroupInfo *r)
5256 {
5257 DOM_SID group_sid;
5258 GROUP_MAP map;
5259 uint32 acc_granted;
5260 NTSTATUS status;
5261 bool ret;
5262 bool can_mod_accounts;
5263 DISP_INFO *disp_info = NULL;
5264
5265 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5266 return NT_STATUS_INVALID_HANDLE;
5267
5268 status = access_check_samr_function(acc_granted,
5269 SAMR_GROUP_ACCESS_SET_INFO,
5270 "_samr_SetGroupInfo");
5271 if (!NT_STATUS_IS_OK(status)) {
5272 return status;
5273 }
5274
5275 become_root();
5276 ret = get_domain_group_from_sid(group_sid, &map);
5277 unbecome_root();
5278 if (!ret)
5279 return NT_STATUS_NO_SUCH_GROUP;
5280
5281 switch (r->in.level) {
5282 case 1:
5283 fstrcpy(map.comment, r->in.info->all.description.string);
5284 break;
5285 case 4:
5286 fstrcpy(map.comment, r->in.info->description.string);
5287 break;
5288 default:
5289 return NT_STATUS_INVALID_INFO_CLASS;
5290 }
5291
5292 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5293
5294 /******** BEGIN SeAddUsers BLOCK *********/
5295
5296 if ( can_mod_accounts )
5297 become_root();
5298
5299 status = pdb_update_group_mapping_entry(&map);
5300
5301 if ( can_mod_accounts )
5302 unbecome_root();
5303
5304 /******** End SeAddUsers BLOCK *********/
5305
5306 if (NT_STATUS_IS_OK(status)) {
5307 force_flush_samr_cache(disp_info);
5308 }
5309
5310 return status;
5311 }
5312
5313 /*********************************************************************
5314 _samr_SetAliasInfo
5315 *********************************************************************/
5316
5317 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5318 struct samr_SetAliasInfo *r)
5319 {
5320 DOM_SID group_sid;
5321 struct acct_info info;
5322 uint32 acc_granted;
5323 bool can_mod_accounts;
5324 NTSTATUS status;
5325 DISP_INFO *disp_info = NULL;
5326
5327 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5328 return NT_STATUS_INVALID_HANDLE;
5329
5330 status = access_check_samr_function(acc_granted,
5331 SAMR_ALIAS_ACCESS_SET_INFO,
5332 "_samr_SetAliasInfo");
5333 if (!NT_STATUS_IS_OK(status)) {
5334 return status;
5335 }
5336
5337 /* get the current group information */
5338
5339 become_root();
5340 status = pdb_get_aliasinfo( &group_sid, &info );
5341 unbecome_root();
5342
5343 if ( !NT_STATUS_IS_OK(status))
5344 return status;
5345
5346 switch (r->in.level) {
5347 case ALIASINFONAME:
5348 {
5349 fstring group_name;
5350
5351 /* We currently do not support renaming groups in the
5352 the BUILTIN domain. Refer to util_builtin.c to understand
5353 why. The eventually needs to be fixed to be like Windows
5354 where you can rename builtin groups, just not delete them */
5355
5356 if ( sid_check_is_in_builtin( &group_sid ) ) {
5357 return NT_STATUS_SPECIAL_ACCOUNT;
5358 }
5359
5360 /* There has to be a valid name (and it has to be different) */
5361
5362 if ( !r->in.info->name.string )
5363 return NT_STATUS_INVALID_PARAMETER;
5364
5365 /* If the name is the same just reply "ok". Yes this
5366 doesn't allow you to change the case of a group name. */
5367
5368 if ( strequal( r->in.info->name.string, info.acct_name ) )
5369 return NT_STATUS_OK;
5370
5371 fstrcpy( info.acct_name, r->in.info->name.string);
5372
5373 /* make sure the name doesn't already exist as a user
5374 or local group */
5375
5376 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5377 status = can_create( p->mem_ctx, group_name );
5378 if ( !NT_STATUS_IS_OK( status ) )
5379 return status;
5380 break;
5381 }
5382 case ALIASINFODESCRIPTION:
5383 if (r->in.info->description.string) {
5384 fstrcpy(info.acct_desc,
5385 r->in.info->description.string);
5386 } else {
5387 fstrcpy( info.acct_desc, "" );
5388 }
5389 break;
5390 default:
5391 return NT_STATUS_INVALID_INFO_CLASS;
5392 }
5393
5394 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5395
5396 /******** BEGIN SeAddUsers BLOCK *********/
5397
5398 if ( can_mod_accounts )
5399 become_root();
5400
5401 status = pdb_set_aliasinfo( &group_sid, &info );
5402
5403 if ( can_mod_accounts )
5404 unbecome_root();
5405
5406 /******** End SeAddUsers BLOCK *********/
5407
5408 if (NT_STATUS_IS_OK(status))
5409 force_flush_samr_cache(disp_info);
5410
5411 return status;
5412 }
5413
5414 /****************************************************************
5415 _samr_GetDomPwInfo
5416 ****************************************************************/
5417
5418 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5419 struct samr_GetDomPwInfo *r)
5420 {
5421 uint32_t min_password_length = 0;
5422 uint32_t password_properties = 0;
5423
5424 /* Perform access check. Since this rpc does not require a
5425 policy handle it will not be caught by the access checks on
5426 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5427
5428 if (!pipe_access_check(p)) {
5429 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5430 return NT_STATUS_ACCESS_DENIED;
5431 }
5432
5433 become_root();
5434 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5435 &min_password_length);
5436 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5437 &password_properties);
5438 unbecome_root();
5439
5440 if (lp_check_password_script() && *lp_check_password_script()) {
5441 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5442 }
5443
5444 r->out.info->min_password_length = min_password_length;
5445 r->out.info->password_properties = password_properties;
5446
5447 return NT_STATUS_OK;
5448 }
5449
5450 /*********************************************************************
5451 _samr_OpenGroup
5452 *********************************************************************/
5453
5454 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5455 struct samr_OpenGroup *r)
5456
5457 {
5458 DOM_SID sid;
5459 DOM_SID info_sid;
5460 GROUP_MAP map;
5461 struct samr_info *info;
5462 SEC_DESC *psd = NULL;
5463 uint32 acc_granted;
5464 uint32 des_access = r->in.access_mask;
5465 size_t sd_size;
5466 NTSTATUS status;
5467 fstring sid_string;
5468 bool ret;
5469 SE_PRIV se_rights;
5470
5471 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5472 return NT_STATUS_INVALID_HANDLE;
5473
5474 status = access_check_samr_function(acc_granted,
5475 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
5476 "_samr_OpenGroup");
5477
5478 if ( !NT_STATUS_IS_OK(status) )
5479 return status;
5480
5481 /*check if access can be granted as requested by client. */
5482 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
5483
5484 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5485 se_map_generic(&des_access,&grp_generic_mapping);
5486
5487 se_priv_copy( &se_rights, &se_add_users );
5488
5489 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
5490 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5491 &acc_granted, "_samr_OpenGroup");
5492
5493 if ( !NT_STATUS_IS_OK(status) )
5494 return status;
5495
5496 /* this should not be hard-coded like this */
5497
5498 if (!sid_equal(&sid, get_global_sam_sid()))
5499 return NT_STATUS_ACCESS_DENIED;
5500
5501 sid_copy(&info_sid, get_global_sam_sid());
5502 sid_append_rid(&info_sid, r->in.rid);
5503 sid_to_fstring(sid_string, &info_sid);
5504
5505 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5506 return NT_STATUS_NO_MEMORY;
5507
5508 info->acc_granted = acc_granted;
5509
5510 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5511
5512 /* check if that group really exists */
5513 become_root();
5514 ret = get_domain_group_from_sid(info->sid, &map);
5515 unbecome_root();
5516 if (!ret)
5517 return NT_STATUS_NO_SUCH_GROUP;
5518
5519 /* get a (unique) handle. open a policy on it. */
5520 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5521 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5522
5523 return NT_STATUS_OK;
5524 }
5525
5526 /*********************************************************************
5527 _samr_RemoveMemberFromForeignDomain
5528 *********************************************************************/
5529
5530 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5531 struct samr_RemoveMemberFromForeignDomain *r)
5532 {
5533 DOM_SID delete_sid, domain_sid;
5534 uint32 acc_granted;
5535 NTSTATUS result;
5536 DISP_INFO *disp_info = NULL;
5537
5538 sid_copy( &delete_sid, r->in.sid );
5539
5540 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5541 sid_string_dbg(&delete_sid)));
5542
5543 /* Find the policy handle. Open a policy on it. */
5544
5545 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5546 &acc_granted, &disp_info))
5547 return NT_STATUS_INVALID_HANDLE;
5548
5549 result = access_check_samr_function(acc_granted,
5550 STD_RIGHT_DELETE_ACCESS,
5551 "_samr_RemoveMemberFromForeignDomain");
5552
5553 if (!NT_STATUS_IS_OK(result))
5554 return result;
5555
5556 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5557 sid_string_dbg(&domain_sid)));
5558
5559 /* we can only delete a user from a group since we don't have
5560 nested groups anyways. So in the latter case, just say OK */
5561
5562 /* TODO: The above comment nowadays is bogus. Since we have nested
5563 * groups now, and aliases members are never reported out of the unix
5564 * group membership, the "just say OK" makes this call a no-op. For
5565 * us. This needs fixing however. */
5566
5567 /* I've only ever seen this in the wild when deleting a user from
5568 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5569 * is the user about to be deleted. I very much suspect this is the
5570 * only application of this call. To verify this, let people report
5571 * other cases. */
5572
5573 if (!sid_check_is_builtin(&domain_sid)) {
5574 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5575 "global_sam_sid() = %s\n",
5576 sid_string_dbg(&domain_sid),
5577 sid_string_dbg(get_global_sam_sid())));
5578 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5579 return NT_STATUS_OK;
5580 }
5581
5582 force_flush_samr_cache(disp_info);
5583
5584 result = NT_STATUS_OK;
5585
5586 return result;
5587 }
5588
5589 /*******************************************************************
5590 _samr_QueryDomainInfo2
5591 ********************************************************************/
5592
5593 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5594 struct samr_QueryDomainInfo2 *r)
5595 {
5596 struct samr_QueryDomainInfo q;
5597
5598 q.in.domain_handle = r->in.domain_handle;
5599 q.in.level = r->in.level;
5600
5601 q.out.info = r->out.info;
5602
5603 return _samr_QueryDomainInfo(p, &q);
5604 }
5605
5606 /*******************************************************************
5607 _samr_SetDomainInfo
5608 ********************************************************************/
5609
5610 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5611 struct samr_SetDomainInfo *r)
5612 {
5613 struct samr_info *info = NULL;
5614 time_t u_expire, u_min_age;
5615 time_t u_logout;
5616 time_t u_lock_duration, u_reset_time;
5617
5618 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5619
5620 /* find the policy handle. open a policy on it. */
5621 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5622 return NT_STATUS_INVALID_HANDLE;
5623
5624 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5625
5626 switch (r->in.level) {
5627 case 0x01:
5628 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5629 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5630 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5631 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5632 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5633 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5634 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5635 break;
5636 case 0x02:
5637 break;
5638 case 0x03:
5639 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5640 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5641 break;
5642 case 0x05:
5643 break;
5644 case 0x06:
5645 break;
5646 case 0x07:
5647 break;
5648 case 0x0c:
5649 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5650 if (u_lock_duration != -1)
5651 u_lock_duration /= 60;
5652
5653 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5654
5655 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5656 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5657 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5658 break;
5659 default:
5660 return NT_STATUS_INVALID_INFO_CLASS;
5661 }
5662
5663 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5664
5665 return NT_STATUS_OK;
5666 }
5667
5668 /****************************************************************
5669 _samr_GetDisplayEnumerationIndex
5670 ****************************************************************/
5671
5672 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5673 struct samr_GetDisplayEnumerationIndex *r)
5674 {
5675 struct samr_info *info = NULL;
5676 uint32_t max_entries = (uint32_t) -1;
5677 uint32_t enum_context = 0;
5678 int i;
5679 uint32_t num_account = 0;
5680 struct samr_displayentry *entries = NULL;
5681
5682 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5683
5684 /* find the policy handle. open a policy on it. */
5685 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5686 return NT_STATUS_INVALID_HANDLE;
5687 }
5688
5689 if ((r->in.level < 1) || (r->in.level > 3)) {
5690 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5691 "Unknown info level (%u)\n",
5692 r->in.level));
5693 return NT_STATUS_INVALID_INFO_CLASS;
5694 }
5695
5696 become_root();
5697
5698 /* The following done as ROOT. Don't return without unbecome_root(). */
5699
5700 switch (r->in.level) {
5701 case 1:
5702 if (info->disp_info->users == NULL) {
5703 info->disp_info->users = pdb_search_users(ACB_NORMAL);
5704 if (info->disp_info->users == NULL) {
5705 unbecome_root();
5706 return NT_STATUS_ACCESS_DENIED;
5707 }
5708 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5709 "starting user enumeration at index %u\n",
5710 (unsigned int)enum_context));
5711 } else {
5712 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5713 "using cached user enumeration at index %u\n",
5714 (unsigned int)enum_context));
5715 }
5716 num_account = pdb_search_entries(info->disp_info->users,
5717 enum_context, max_entries,
5718 &entries);
5719 break;
5720 case 2:
5721 if (info->disp_info->machines == NULL) {
5722 info->disp_info->machines =
5723 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
5724 if (info->disp_info->machines == NULL) {
5725 unbecome_root();
5726 return NT_STATUS_ACCESS_DENIED;
5727 }
5728 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5729 "starting machine enumeration at index %u\n",
5730 (unsigned int)enum_context));
5731 } else {
5732 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5733 "using cached machine enumeration at index %u\n",
5734 (unsigned int)enum_context));
5735 }
5736 num_account = pdb_search_entries(info->disp_info->machines,
5737 enum_context, max_entries,
5738 &entries);
5739 break;
5740 case 3:
5741 if (info->disp_info->groups == NULL) {
5742 info->disp_info->groups = pdb_search_groups();
5743 if (info->disp_info->groups == NULL) {
5744 unbecome_root();
5745 return NT_STATUS_ACCESS_DENIED;
5746 }
5747 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5748 "starting group enumeration at index %u\n",
5749 (unsigned int)enum_context));
5750 } else {
5751 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5752 "using cached group enumeration at index %u\n",
5753 (unsigned int)enum_context));
5754 }
5755 num_account = pdb_search_entries(info->disp_info->groups,
5756 enum_context, max_entries,
5757 &entries);
5758 break;
5759 default:
5760 unbecome_root();
5761 smb_panic("info class changed");
5762 break;
5763 }
5764
5765 unbecome_root();
5766
5767 /* Ensure we cache this enumeration. */
5768 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5769
5770 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5771 r->in.name->string));
5772
5773 for (i=0; i<num_account; i++) {
5774 if (strequal(entries[i].account_name, r->in.name->string)) {
5775 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5776 "found %s at idx %d\n",
5777 r->in.name->string, i));
5778 *r->out.idx = i;
5779 return NT_STATUS_OK;
5780 }
5781 }
5782
5783 /* assuming account_name lives at the very end */
5784 *r->out.idx = num_account;
5785
5786 return NT_STATUS_NO_MORE_ENTRIES;
5787 }
5788
5789 /****************************************************************
5790 _samr_GetDisplayEnumerationIndex2
5791 ****************************************************************/
5792
5793 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5794 struct samr_GetDisplayEnumerationIndex2 *r)
5795 {
5796 struct samr_GetDisplayEnumerationIndex q;
5797
5798 q.in.domain_handle = r->in.domain_handle;
5799 q.in.level = r->in.level;
5800 q.in.name = r->in.name;
5801
5802 q.out.idx = r->out.idx;
5803
5804 return _samr_GetDisplayEnumerationIndex(p, &q);
5805 }
5806
5807 /****************************************************************
5808 ****************************************************************/
5809
5810 NTSTATUS _samr_Shutdown(pipes_struct *p,
5811 struct samr_Shutdown *r)
5812 {
5813 p->rng_fault_state = true;
5814 return NT_STATUS_NOT_IMPLEMENTED;
5815 }
5816
5817 /****************************************************************
5818 ****************************************************************/
5819
5820 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5821 struct samr_SetMemberAttributesOfGroup *r)
5822 {
5823 p->rng_fault_state = true;
5824 return NT_STATUS_NOT_IMPLEMENTED;
5825 }
5826
5827 /****************************************************************
5828 ****************************************************************/
5829
5830 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5831 struct samr_ChangePasswordUser *r)
5832 {
5833 p->rng_fault_state = true;
5834 return NT_STATUS_NOT_IMPLEMENTED;
5835 }
5836
5837 /****************************************************************
5838 ****************************************************************/
5839
5840 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5841 struct samr_TestPrivateFunctionsDomain *r)
5842 {
5843 p->rng_fault_state = true;
5844 return NT_STATUS_NOT_IMPLEMENTED;
5845 }
5846
5847 /****************************************************************
5848 ****************************************************************/
5849
5850 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5851 struct samr_TestPrivateFunctionsUser *r)
5852 {
5853 p->rng_fault_state = true;
5854 return NT_STATUS_NOT_IMPLEMENTED;
5855 }
5856
5857 /****************************************************************
5858 ****************************************************************/
5859
5860 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5861 struct samr_AddMultipleMembersToAlias *r)
5862 {
5863 p->rng_fault_state = true;
5864 return NT_STATUS_NOT_IMPLEMENTED;
5865 }
5866
5867 /****************************************************************
5868 ****************************************************************/
5869
5870 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5871 struct samr_RemoveMultipleMembersFromAlias *r)
5872 {
5873 p->rng_fault_state = true;
5874 return NT_STATUS_NOT_IMPLEMENTED;
5875 }
5876
5877 /****************************************************************
5878 ****************************************************************/
5879
5880 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5881 struct samr_OemChangePasswordUser2 *r)
5882 {
5883 p->rng_fault_state = true;
5884 return NT_STATUS_NOT_IMPLEMENTED;
5885 }
5886
5887 /****************************************************************
5888 ****************************************************************/
5889
5890 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
5891 struct samr_SetBootKeyInformation *r)
5892 {
5893 p->rng_fault_state = true;
5894 return NT_STATUS_NOT_IMPLEMENTED;
5895 }
5896
5897 /****************************************************************
5898 ****************************************************************/
5899
5900 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
5901 struct samr_GetBootKeyInformation *r)
5902 {
5903 p->rng_fault_state = true;
5904 return NT_STATUS_NOT_IMPLEMENTED;
5905 }
5906
5907 /****************************************************************
5908 ****************************************************************/
5909
5910 NTSTATUS _samr_Connect3(pipes_struct *p,
5911 struct samr_Connect3 *r)
5912 {
5913 p->rng_fault_state = true;
5914 return NT_STATUS_NOT_IMPLEMENTED;
5915 }
5916
5917 /****************************************************************
5918 ****************************************************************/
5919
5920 NTSTATUS _samr_RidToSid(pipes_struct *p,
5921 struct samr_RidToSid *r)
5922 {
5923 p->rng_fault_state = true;
5924 return NT_STATUS_NOT_IMPLEMENTED;
5925 }
5926
5927 /****************************************************************
5928 ****************************************************************/
5929
5930 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
5931 struct samr_SetDsrmPassword *r)
5932 {
5933 p->rng_fault_state = true;
5934 return NT_STATUS_NOT_IMPLEMENTED;
5935 }
5936
5937 /****************************************************************
5938 ****************************************************************/
5939
5940 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
5941 struct samr_ValidatePassword *r)
5942 {
5943 p->rng_fault_state = true;
5944 return NT_STATUS_NOT_IMPLEMENTED;
5945 }
Samba GIT mirror