| blob | 462a646329334a78be4369de91ff1dd2c6c4bb84 |
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 */
28 /*
29 * This is the implementation of the SAMR code.
30 */
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
45 BOOL user_dbloaded;
46 uint32 num_user_account;
48 BOOL group_dbloaded;
49 uint32 num_group_account;
54 /* for use by the \PIPE\samr policy */
55 DOM_SID sid;
57 uint32 acc_granted;
58 uint16 acb_mask;
59 BOOL only_machines;
60 DISP_INFO disp_info;
63 };
65 struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
66 struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
67 struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
68 struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
69 struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
73 /*******************************************************************
74 Checks if access to an object should be granted, and returns that
75 level of access for further checks.
76 ********************************************************************/
78 static NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
80 {
90 }
94 }
95 }
97 }
99 /*******************************************************************
100 Checks if access to a function can be granted
101 ********************************************************************/
103 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
104 {
113 }
117 }
119 }
122 /*******************************************************************
123 Create a samr_info struct.
124 ********************************************************************/
127 {
129 fstring sid_str;
136 }
149 }
152 }
154 /*******************************************************************
155 Function to free the per handle data.
156 ********************************************************************/
159 {
165 /* Not really a free, actually a 'clear' */
167 }
168 }
171 }
173 /*******************************************************************
174 Function to free the per handle data.
175 ********************************************************************/
178 {
179 /* Groups are talloced */
185 }
188 {
193 }
195 /*******************************************************************
196 Ensure password info is never given out. Paranioa... JRA.
197 ********************************************************************/
200 {
205 /* These now zero out the old password */
209 }
212 static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL only_machines)
213 {
222 /* if the snapshoot is already loaded, return */
228 }
235 }
240 }
248 DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask));
251 }
257 }
258 }
260 /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */
271 }
273 /* Copy the SAM_ACCOUNT into the array */
279 }
283 /* the snapshoot is in memory, we're ready to enumerate fast */
292 }
295 {
299 uint32 i;
301 BOOL ret;
305 /* if the snapshoot is already loaded, return */
309 }
312 /* No domain groups for now in the BUILTIN domain */
317 }
326 }
336 }
345 }
349 /* the snapshoot is in memory, we're ready to enumerate fast */
356 }
359 /*******************************************************************
360 _samr_close_hnd
361 ********************************************************************/
364 {
367 /* close the policy handle */
374 }
376 /*******************************************************************
377 samr_reply_open_domain
378 ********************************************************************/
381 {
384 uint32 acc_granted;
387 NTSTATUS status;
391 /* find the connection policy handle. */
395 if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) {
397 }
399 /*check if access can be granted as requested by client. */
407 }
409 /* associate the domain SID with the (unique) handle. */
414 /* get a (unique) handle. open a policy on it. */
421 }
423 /*******************************************************************
424 _samr_get_usrdom_pwinfo
425 ********************************************************************/
427 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
428 {
433 /* find the policy handle. open a policy on it. */
444 /*
445 * NT sometimes return NT_STATUS_ACCESS_DENIED
446 * I don't know yet why.
447 */
450 }
452 /*******************************************************************
453 samr_make_dom_obj_sd
454 ********************************************************************/
457 {
461 SEC_ACCESS mask;
472 /*basic access for every one*/
476 /*full access for builtin aliases Administrators and Account Operators*/
483 /* add domain admins if we are a DC */
489 }
494 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
498 }
500 /*******************************************************************
501 samr_make_usr_obj_sd
502 ********************************************************************/
504 static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid)
505 {
511 SEC_ACCESS mask;
521 /*basic access for every one*/
526 /*full access for builtin aliases Administrators and Account Operators*/
532 /* add domain admins if we are a DC */
538 }
540 /*extended access for the user*/
542 init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM);
548 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
552 }
554 /*******************************************************************
555 samr_make_grp_obj_sd
556 ********************************************************************/
559 {
561 DOM_SID adm_sid;
562 DOM_SID act_sid;
565 SEC_ACCESS mask;
575 /*basic access for every one*/
579 /*full access for builtin aliases Administrators and Account Operators*/
587 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
591 }
593 /*******************************************************************
594 samr_make_ali_obj_sd
595 ********************************************************************/
598 {
600 DOM_SID adm_sid;
601 DOM_SID act_sid;
604 SEC_ACCESS mask;
614 /*basic access for every one*/
618 /*full access for builtin aliases Administrators and Account Operators*/
626 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
630 }
632 static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted)
633 {
636 /* find the policy handle. open a policy on it. */
646 }
648 /*******************************************************************
649 _samr_set_sec_obj
650 ********************************************************************/
653 {
656 }
659 /*******************************************************************
660 _samr_query_sec_obj
661 ********************************************************************/
663 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
664 {
665 DOM_SID pol_sid;
666 fstring str_sid;
669 uint32 acc_granted;
673 /* Get the SID. */
679 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
681 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
683 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
685 {
688 }
691 {
692 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
694 }
696 {
697 /* TODO: Builtin probably needs a different SD with restricted write access*/
698 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
700 }
703 {
704 /* TODO: different SDs have to be generated for aliases groups and users.
705 Currently all three get a default user SD */
706 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
708 }
718 }
720 /*******************************************************************
721 makes a SAM_ENTRY / UNISTR2* structure from a user list.
722 ********************************************************************/
724 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
727 {
728 uint32 i;
732 UNISTR2 uni_temp_name;
735 uint32 user_rid;
736 fstring user_sid_string;
737 fstring domain_sid_string;
752 }
758 /*
759 * usrmgr expects a non-NULL terminated string with
760 * trust relationships
761 */
766 }
773 temp_name,
777 }
781 }
786 }
788 /*******************************************************************
789 samr_reply_enum_dom_users
790 ********************************************************************/
794 {
800 uint32 temp_size;
804 DOM_SID domain_sid;
808 /* find the policy handle. open a policy on it. */
815 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
818 }
834 }
836 /* verify we won't overflow */
840 }
842 /* calculate the size and limit on the number of entries we will return */
848 }
850 /*
851 * Note from JRA. total_entries is not being used here. Currently if there is a
852 * large user base then it looks like NT will enumerate until get_sampwd_entries
853 * returns False due to num_entries being zero. This will cause an access denied
854 * return. I don't think this is right and needs further investigation. Note that
855 * this is also the same in the TNG code (I don't think that has been tested with
856 * a very large user list as MAX_SAM_ENTRIES is set to 600).
857 *
858 * I also think that one of the 'num_entries' return parameters is probably
859 * the "max entries" parameter - but in the TNG code they're all currently set to the same
860 * value (again I think this is wrong).
861 */
881 }
883 /*******************************************************************
884 makes a SAM_ENTRY / UNISTR2* structure from a group list.
885 ********************************************************************/
887 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
889 {
890 uint32 i;
906 }
909 /*
910 * JRA. I think this should include the null. TNG does not.
911 */
914 }
918 }
920 /*******************************************************************
921 Get the group entries - similar to get_sampwd_entries().
922 ******************************************************************/
927 {
935 /* access checks for the users were performed higher up. become/unbecome_root()
936 needed for some passdb backends to enumerate groups */
940 ENUM_ONLY_MAPPED);
945 /* limit the number of entries */
949 }
955 }
962 }
972 }
974 /*******************************************************************
975 Wrapper for enumerating local groups
976 ******************************************************************/
981 {
984 BOOL res;
1002 }
1009 }
1013 }
1015 /*******************************************************************
1016 samr_reply_enum_dom_groups
1017 ********************************************************************/
1019 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
1020 {
1022 uint32 num_entries;
1023 DOM_SID sid;
1024 uint32 acc_granted;
1031 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
1033 }
1037 /* the domain group array is being allocated in the function below */
1038 if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) {
1040 }
1049 }
1052 /*******************************************************************
1053 samr_reply_enum_dom_aliases
1054 ********************************************************************/
1056 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
1057 {
1060 fstring sid_str;
1061 DOM_SID sid;
1062 NTSTATUS status;
1063 uint32 acc_granted;
1070 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
1072 }
1083 /*safe_free(grp);*/
1090 }
1092 /*******************************************************************
1093 samr_reply_query_dispinfo
1094 ********************************************************************/
1098 {
1108 NTSTATUS disp_ret;
1112 DOM_SID domain_sid;
1117 /* find the policy handle. open a policy on it. */
1123 /*
1124 * calculate how many entries we will return.
1125 * based on
1126 * - the number of entries the client asked
1127 * - our limit on that
1128 * - the starting point (enumeration context)
1129 * - the buffer size the client will accept
1130 */
1132 /*
1133 * We are a lot more like W2K. Instead of reading the SAM
1134 * each time to find the records we need to send back,
1135 * we read it once and link that copy to the sam handle.
1136 * For large user list (over the MAX_SAM_ENTRIES)
1137 * it's a definitive win.
1138 * second point to notice: between enumerations
1139 * our sam is now the same as it's a snapshoot.
1140 * third point: got rid of the static SAM_USER_21 struct
1141 * no more intermediate.
1142 * con: it uses much more memory, as a full copy is stored
1143 * in memory.
1144 *
1145 * If you want to change it, think twice and think
1146 * of the second point , that's really important.
1147 *
1148 * JFM, 12/20/2001
1149 */
1151 /* Get what we need from the password database */
1154 /* When playing with usrmgr, this is necessary
1155 if you want immediate refresh after editing
1156 a user. I would like to do this after the
1157 setuserinfo2, but we do not have access to
1158 the domain handle in that call, only to the
1159 user handle. Where else does this hurt?
1160 -- Volker
1161 */
1162 #if 0
1163 /* We cannot do this here - it kills performace. JRA. */
1165 #endif
1169 /* Level 2 is for all machines, otherwise only 'normal' users */
1175 }
1186 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level ));
1188 }
1190 /* first limit the number of entries we will return */
1192 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries));
1194 }
1199 }
1201 /* verify we won't overflow */
1205 }
1207 /* calculate the size and limit on the number of entries we will return */
1213 }
1220 /* Now create reply structure */
1226 }
1236 }
1246 }
1247 disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);
1255 }
1256 disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);
1264 }
1265 disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);
1273 }
1275 /* calculate the total size */
1283 init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status);
1287 }
1289 /*******************************************************************
1290 samr_reply_query_aliasinfo
1291 ********************************************************************/
1293 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1294 {
1295 DOM_SID sid;
1297 uint32 acc_granted;
1298 BOOL ret;
1304 /* find the policy handle. open a policy on it. */
1307 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1309 }
1332 }
1337 }
1339 #if 0
1340 /*******************************************************************
1341 samr_reply_lookup_ids
1342 ********************************************************************/
1345 {
1356 }
1358 #if 0
1363 {
1365 fstring user_name;
1371 /* find the user account */
1377 {
1380 }
1381 else
1382 {
1384 }
1385 }
1386 #endif
1396 }
1397 #endif
1399 /*******************************************************************
1400 _samr_lookup_names
1401 ********************************************************************/
1403 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1404 {
1406 uint32 local_rid;
1411 DOM_SID pol_sid;
1412 fstring sid_str;
1413 uint32 acc_granted;
1425 }
1427 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1429 }
1434 }
1439 fstring name;
1440 DOM_SID sid;
1448 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1450 /*
1451 * we are only looking for a name
1452 * the SID we get back can be outside
1453 * the scope of the pol_sid
1454 *
1455 * in clear: it prevents to reply to domain\group: yes
1456 * when only builtin\group exists.
1457 *
1458 * a cleaner code is to add the sid of the domain we're looking in
1459 * to the local_lookup_name function.
1460 */
1468 /* Windows does not return WKN_GRP here, even
1469 * on lookups in builtin */
1474 }
1475 }
1476 }
1483 }
1485 /*******************************************************************
1486 _samr_chgpasswd_user
1487 ********************************************************************/
1489 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1490 {
1491 fstring user_name;
1492 fstring wks;
1498 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1503 /*
1504 * Pass the user through the NT -> unix user mapping
1505 * function.
1506 */
1510 /*
1511 * UNIX username case mangling not required, pass_oem_change
1512 * is case insensitive.
1513 */
1523 }
1525 /*******************************************************************
1526 makes a SAMR_R_LOOKUP_RIDS structure.
1527 ********************************************************************/
1531 {
1532 uint32 i;
1547 }
1553 }
1559 }
1561 /*******************************************************************
1562 _samr_lookup_rids
1563 ********************************************************************/
1566 {
1571 DOM_SID pol_sid;
1574 uint32 acc_granted;
1580 /* find the policy handle. open a policy on it. */
1587 }
1592 }
1599 fstring tmpname;
1600 fstring domname;
1601 DOM_SID sid;
1616 }
1617 }
1618 }
1630 }
1632 /*******************************************************************
1633 _samr_open_user. Safe - gives out no passwd info.
1634 ********************************************************************/
1637 {
1639 DOM_SID sid;
1644 uint32 acc_granted;
1647 BOOL ret;
1648 NTSTATUS nt_status;
1652 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1656 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) {
1658 }
1663 }
1665 /* append the user's RID to it */
1669 /* check if access can be granted as requested by client. */
1676 }
1682 /* check that the SID exists in our domain. */
1685 }
1689 /* associate the user's SID and access bits with the new handle. */
1694 /* get a (unique) handle. open a policy on it. */
1699 }
1701 /*************************************************************************
1702 get_user_info_10. Safe. Only gives out acb bits.
1703 *************************************************************************/
1705 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid)
1706 {
1708 BOOL ret;
1709 NTSTATUS nt_status;
1715 }
1724 }
1734 }
1736 /*************************************************************************
1737 get_user_info_12. OK - this is the killer as it gives out password info.
1738 Ensure that this is only allowed on an encrypted connection with a root
1739 user. JRA.
1740 *************************************************************************/
1742 static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid)
1743 {
1745 BOOL ret;
1746 NTSTATUS nt_status;
1751 if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL))
1754 /*
1755 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1756 */
1762 }
1770 }
1777 }
1785 }
1787 /*************************************************************************
1788 get_user_info_20
1789 *************************************************************************/
1791 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1792 {
1794 BOOL ret;
1805 }
1817 }
1819 /*************************************************************************
1820 get_user_info_21
1821 *************************************************************************/
1825 {
1827 BOOL ret;
1828 NTSTATUS nt_status;
1833 }
1842 }
1854 }
1856 /*******************************************************************
1857 _samr_query_userinfo
1858 ********************************************************************/
1860 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1861 {
1864 DOM_SID domain_sid;
1865 uint32 rid;
1869 /* search for the handle */
1888 /* ok! user info levels (lots: see MSDEV help), off we go... */
1901 #if 0
1902 /* whoops - got this wrong. i think. or don't understand what's happening. */
1904 {
1905 NTTIME expire;
1920 }
1921 #endif
1928 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid)))
1951 }
1958 }
1960 /*******************************************************************
1961 samr_reply_query_usergroups
1962 ********************************************************************/
1964 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1965 {
1968 DOM_SID sid;
1974 uint32 acc_granted;
1975 BOOL ret;
1976 NTSTATUS result;
1978 /*
1979 * from the SID in the request:
1980 * we should send back the list of DOMAIN GROUPS
1981 * the user is a member of
1982 *
1983 * and only the DOMAIN GROUPS
1984 * no ALIASES !!! neither aliases of the domain
1985 * nor aliases of the builtin SID
1986 *
1987 * JFM, 12/2/2001
1988 */
1994 /* find the policy handle. open a policy on it. */
1998 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
2000 }
2014 }
2020 }
2043 uint32 rid;
2053 }
2056 /* construct the response. lkclXXXX: gids are not copied! */
2062 }
2064 /*******************************************************************
2065 _samr_query_dom_info
2066 ********************************************************************/
2068 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
2069 {
2078 uint32 lockout;
2081 NTTIME nt_logout;
2083 uint32 account_policy_temp;
2096 /* find the policy handle. open a policy on it. */
2131 }
2139 }
2148 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
2189 }
2196 }
2198 /*******************************************************************
2199 _samr_create_user
2200 Create an account, can be either a normal user or a machine.
2201 This funcion will need to be updated for bdc/domain trusts.
2202 ********************************************************************/
2205 {
2207 fstring account;
2208 DOM_SID sid;
2209 pstring add_script;
2215 BOOL ret;
2216 NTSTATUS nt_status;
2218 uint32 acc_granted;
2222 /* check this, when giving away 'add computer to domain' privs */
2224 BOOL can_add_account;
2225 SE_PRIV se_rights;
2227 /* Get the domain SID stored in the domain policy */
2231 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
2233 }
2235 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
2236 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2237 this parameter is not an account type */
2239 }
2241 /* find the account: tell the caller if it exists.
2242 lkclXXXX i have *no* idea if this is a problem or not
2243 or even if you are supposed to construct a different
2244 reply if the account already exists...
2245 */
2256 /* this account exists: say so */
2259 }
2263 /*********************************************************************
2264 * HEADS UP! If we have to create a new user account, we have to get
2265 * a new RID from somewhere. This used to be done by the passdb
2266 * backend. It has been moved into idmap now. Since idmap is now
2267 * wrapped up behind winbind, this means you have to run winbindd if you
2268 * want new accounts to get a new RID when "enable rid algorithm = no".
2269 * Tough. We now have a uniform way of allocating RIDs regardless
2270 * of what ever passdb backend people may use.
2271 * --jerry (2003-07-10)
2272 *********************************************************************/
2276 /*
2277 * we can't check both the ending $ and the acb_info.
2278 *
2279 * UserManager creates trust accounts (ending in $,
2280 * normal that hidden accounts) with the acb_info equals to ACB_NORMAL.
2281 * JFM, 11/29/2001
2282 */
2287 }
2291 }
2298 /********** BEGIN Admin BLOCK **********/
2310 }
2312 {
2315 account));
2316 }
2317 }
2319 }
2321 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2325 /* this code is order such that we have no unnecessary retuns
2326 out of the admin block of code */
2334 account));
2336 }
2337 }
2342 /********** END Admin BLOCK **********/
2344 /* now check for failure */
2349 /* Get the user's SID */
2361 }
2363 /* associate the user's SID with the new handle. */
2367 }
2373 /* get a (unique) handle. open a policy on it. */
2377 }
2386 }
2388 /*******************************************************************
2389 samr_reply_connect_anon
2390 ********************************************************************/
2392 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2393 {
2397 /* Access check */
2403 }
2405 /* set up the SAMR connect_anon response */
2409 /* associate the user's SID with the new handle. */
2413 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2414 was observed from a win98 client trying to enumerate users (when configured
2415 user level access control on shares) --jerry */
2422 /* get a (unique) handle. open a policy on it. */
2427 }
2429 /*******************************************************************
2430 samr_reply_connect
2431 ********************************************************************/
2434 {
2437 uint32 acc_granted;
2440 NTSTATUS nt_status;
2445 /* Access check */
2451 }
2459 }
2463 /* associate the user's SID and access granted with the new handle. */
2470 /* get a (unique) handle. open a policy on it. */
2477 }
2479 /*******************************************************************
2480 samr_connect4
2481 ********************************************************************/
2484 {
2487 uint32 acc_granted;
2490 NTSTATUS nt_status;
2495 /* Access check */
2501 }
2509 }
2513 /* associate the user's SID and access granted with the new handle. */
2520 /* get a (unique) handle. open a policy on it. */
2527 }
2529 /**********************************************************************
2530 api_samr_lookup_domain
2531 **********************************************************************/
2533 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2534 {
2536 fstring domain_name;
2537 DOM_SID sid;
2544 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
2545 Reverted that change so we will work with RAS servers again */
2549 {
2551 }
2553 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2559 }
2566 }
2568 /******************************************************************
2569 makes a SAMR_R_ENUM_DOMAINS structure.
2570 ********************************************************************/
2574 {
2575 uint32 i;
2596 }
2602 }
2604 /**********************************************************************
2605 api_samr_enum_domains
2606 **********************************************************************/
2608 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2609 {
2620 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2622 }
2636 }
2638 /*******************************************************************
2639 api_samr_open_alias
2640 ********************************************************************/
2643 {
2644 DOM_SID sid;
2650 uint32 acc_granted;
2653 NTSTATUS status;
2657 /* find the domain policy and get the SID / access bits stored in the domain policy */
2661 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) {
2663 }
2665 /* append the alias' RID to it */
2669 /*check if access can be granted as requested by client. */
2676 }
2678 /*
2679 * we should check if the rid really exist !!!
2680 * JFM.
2681 */
2683 /* associate the user's SID with the new handle. */
2689 /* get a (unique) handle. open a policy on it. */
2694 }
2696 /*******************************************************************
2697 set_user_info_10
2698 ********************************************************************/
2701 {
2703 BOOL ret;
2712 }
2718 }
2720 /* FIX ME: check if the value is really changed --metze */
2724 }
2729 }
2734 }
2736 /*******************************************************************
2737 set_user_info_12
2738 ********************************************************************/
2741 {
2749 }
2755 }
2760 }
2764 }
2768 }
2773 }
2777 }
2779 /*******************************************************************
2780 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2781 ********************************************************************/
2783 {
2785 gid_t gid;
2792 }
2801 }
2809 }
2812 }
2815 /*******************************************************************
2816 set_user_info_20
2817 ********************************************************************/
2820 {
2826 }
2833 }
2837 /* write the change out */
2841 }
2846 }
2847 /*******************************************************************
2848 set_user_info_21
2849 ********************************************************************/
2852 {
2858 }
2865 }
2869 /*
2870 * The funny part about the previous two calls is
2871 * that pwd still has the password hashes from the
2872 * passdb entry. These have not been updated from
2873 * id21. I don't know if they need to be set. --jerry
2874 */
2879 /* write the change out */
2883 }
2888 }
2890 /*******************************************************************
2891 set_user_info_23
2892 ********************************************************************/
2895 {
2897 pstring plaintext_buf;
2898 uint32 len;
2899 uint16 acct_ctrl;
2904 }
2911 }
2921 }
2926 }
2930 /* if it's a trust account, don't update /etc/passwd */
2936 /* update the UNIX password */
2941 }
2946 }
2947 }
2948 }
2958 }
2963 }
2965 /*******************************************************************
2966 set_user_info_pw
2967 ********************************************************************/
2970 {
2972 uint32 len;
2973 pstring plaintext_buf;
2974 uint16 acct_ctrl;
2981 }
2993 }
2998 }
3000 /* if it's a trust account, don't update /etc/passwd */
3006 /* update the UNIX password */
3011 }
3016 }
3017 }
3018 }
3024 /* update the SAMBA password */
3028 }
3033 }
3035 /*******************************************************************
3036 samr_reply_set_userinfo
3037 ********************************************************************/
3039 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
3040 {
3041 DOM_SID sid;
3045 uint32 acc_granted;
3046 uint32 acc_required;
3047 BOOL can_add_machines;
3054 /* find the policy handle. open a policy on it. */
3058 /* the access mask depends on what the caller wants to do */
3062 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
3065 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
3067 }
3069 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
3071 }
3078 }
3080 /* check to see if we are a domain admin */
3087 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
3092 /* ok! user info levels (lots: see MSDEV help), off we go... */
3103 }
3113 #if 0
3114 /*
3115 * Currently we don't really know how to unmarshall
3116 * the level 25 struct, and the password encryption
3117 * is different. This is a placeholder for when we
3118 * do understand it. In the meantime just return INVALID
3119 * info level and W2K SP2 drops down to level 23... JRA.
3120 */
3124 }
3132 #endif
3139 }
3150 }
3156 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
3159 }
3161 /*******************************************************************
3162 samr_reply_set_userinfo2
3163 ********************************************************************/
3165 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3166 {
3167 DOM_SID sid;
3171 uint32 acc_granted;
3172 uint32 acc_required;
3173 BOOL can_add_machines;
3180 /* find the policy handle. open a policy on it. */
3184 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
3185 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3187 }
3194 }
3198 /* check to see if we are a domain admin */
3205 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
3210 /* ok! user info levels (lots: see MSDEV help), off we go... */
3226 /* Used by AS/U JRA. */
3232 }
3237 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
3240 }
3242 /*********************************************************************
3243 _samr_query_aliasmem
3244 *********************************************************************/
3246 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3247 {
3253 NTSTATUS ntstatus1;
3254 NTSTATUS ntstatus2;
3259 BOOL res;
3265 /* find the policy handle. open a policy on it. */
3269 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3270 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3276 }
3277 }
3304 uint32 rid;
3316 }
3321 }
3323 /*********************************************************************
3324 _samr_query_aliasmem
3325 *********************************************************************/
3327 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3328 {
3335 DOM_SID alias_sid;
3337 uint32 acc_granted;
3339 /* find the policy handle. open a policy on it. */
3344 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3346 }
3357 }
3361 }
3368 }
3371 {
3377 }
3386 }
3390 {
3398 /* We only look at our own sam, so don't care about imported stuff */
3405 }
3407 /* Primary group members */
3415 }
3419 /* Secondary group members */
3427 }
3432 }
3434 /*********************************************************************
3435 _samr_query_groupmem
3436 *********************************************************************/
3438 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3439 {
3441 DOM_SID group_sid;
3442 fstring group_sid_str;
3445 gid_t gid;
3450 uint32 acc_granted;
3452 /* find the policy handle. open a policy on it. */
3456 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3458 }
3466 }
3485 DOM_SID sid;
3490 }
3496 }
3500 /* Hmm. In a trace I got the constant 7 here from NT. */
3504 }
3509 NT_STATUS_OK);
3512 }
3514 /*********************************************************************
3515 _samr_add_aliasmem
3516 *********************************************************************/
3518 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3519 {
3520 DOM_SID alias_sid;
3521 uint32 acc_granted;
3522 SE_PRIV se_rights;
3523 BOOL can_add_accounts;
3524 BOOL ret;
3527 /* Find the policy handle. Open a policy on it. */
3531 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3533 }
3540 /******** BEGIN SeAddUsers BLOCK *********/
3550 /******** END SeAddUsers BLOCK *********/
3553 }
3555 /*********************************************************************
3556 _samr_del_aliasmem
3557 *********************************************************************/
3559 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3560 {
3561 DOM_SID alias_sid;
3562 uint32 acc_granted;
3563 SE_PRIV se_rights;
3564 BOOL can_add_accounts;
3565 BOOL ret;
3567 /* Find the policy handle. Open a policy on it. */
3571 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3573 }
3581 /******** BEGIN SeAddUsers BLOCK *********/
3591 /******** END SeAddUsers BLOCK *********/
3594 }
3596 /*********************************************************************
3597 _samr_add_groupmem
3598 *********************************************************************/
3600 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3601 {
3602 DOM_SID group_sid;
3603 DOM_SID user_sid;
3604 fstring group_sid_str;
3605 uid_t uid;
3608 fstring grp_name;
3609 GROUP_MAP map;
3610 NTSTATUS ret;
3612 BOOL check;
3613 uint32 acc_granted;
3614 SE_PRIV se_rights;
3615 BOOL can_add_accounts;
3617 /* Find the policy handle. Open a policy on it. */
3621 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3623 }
3648 }
3650 /* check a real user exist before we run the script to add a user to a group */
3654 }
3660 }
3665 }
3667 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3670 /* if the user is already in the group */
3674 }
3679 /******** BEGIN SeAddUsers BLOCK *********/
3684 /*
3685 * ok, the group exist, the user exist, the user is not in the group,
3686 *
3687 * we can (finally) add it to the group !
3688 */
3695 /******** END SeAddUsers BLOCK *********/
3697 /* check if the user has been added then ... */
3701 }
3705 }
3707 /*********************************************************************
3708 _samr_del_groupmem
3709 *********************************************************************/
3711 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3712 {
3713 DOM_SID group_sid;
3714 DOM_SID user_sid;
3716 GROUP_MAP map;
3717 fstring grp_name;
3719 uint32 acc_granted;
3720 SE_PRIV se_rights;
3721 BOOL can_add_accounts;
3723 /*
3724 * delete the group member named q_u->rid
3725 * who is a member of the sid associated with the handle
3726 * the rid is a user's rid as the group is a domain group.
3727 */
3729 /* Find the policy handle. Open a policy on it. */
3733 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3735 }
3749 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3752 /* check if the user exists before trying to remove it from the group */
3758 }
3760 /* if the user is not in the group */
3764 }
3770 /******** BEGIN SeAddUsers BLOCK *********/
3780 /******** END SeAddUsers BLOCK *********/
3782 /* check if the user has been removed then ... */
3786 }
3791 }
3793 /****************************************************************************
3794 Delete a UNIX user on demand.
3795 ****************************************************************************/
3798 {
3799 pstring del_script;
3802 /* try winbindd first since it is impossible to determine where
3803 a user came from via NSS. Try the delete user script if this fails
3804 meaning the user did not exist in winbindd's list of accounts */
3809 }
3812 /* fall back to 'delete user script' */
3822 }
3824 /*********************************************************************
3825 _samr_delete_dom_user
3826 *********************************************************************/
3828 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3829 {
3830 DOM_SID user_sid;
3832 uint32 acc_granted;
3833 SE_PRIV se_rights;
3834 BOOL can_add_accounts;
3835 BOOL ret;
3839 /* Find the policy handle. Open a policy on it. */
3843 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3845 }
3850 /* check if the user exists before trying to delete */
3857 }
3862 /******** BEGIN SeAddUsers BLOCK *********/
3867 /* First delete the samba side....
3868 code is order to prevent unnecessary returns out of the admin
3869 block of code */
3872 /*
3873 * Now delete the unix side ....
3874 * note: we don't check if the delete really happened
3875 * as the script is not necessary present
3876 * and maybe the sysadmin doesn't want to delete the unix side
3877 */
3879 }
3884 /******** END SeAddUsers BLOCK *********/
3887 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3890 }
3899 }
3901 /*********************************************************************
3902 _samr_delete_dom_group
3903 *********************************************************************/
3905 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3906 {
3907 DOM_SID group_sid;
3908 DOM_SID dom_sid;
3909 uint32 group_rid;
3910 fstring group_sid_str;
3911 gid_t gid;
3913 GROUP_MAP map;
3914 uint32 acc_granted;
3915 SE_PRIV se_rights;
3916 BOOL can_add_accounts;
3917 BOOL ret;
3921 /* Find the policy handle. Open a policy on it. */
3925 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
3927 }
3935 /* we check if it's our SID before deleting */
3946 /* check if group really exists */
3953 /******** BEGIN SeAddUsers BLOCK *********/
3958 /* delete mapping first */
3962 }
3967 /******** END SeAddUsers BLOCK *********/
3971 group_sid_str));
3973 }
3975 /* don't check that the unix group has been deleted. Work like
3976 _samr_delet_dom_user() */
3982 }
3984 /*********************************************************************
3985 _samr_delete_dom_alias
3986 *********************************************************************/
3988 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
3989 {
3990 DOM_SID alias_sid;
3991 uint32 acc_granted;
3992 SE_PRIV se_rights;
3993 BOOL can_add_accounts;
3994 BOOL ret;
3998 /* Find the policy handle. Open a policy on it. */
4002 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
4004 }
4016 /******** BEGIN SeAddUsers BLOCK *********/
4021 /* Have passdb delete the alias */
4027 /******** END SeAddUsers BLOCK *********/
4036 }
4038 /*********************************************************************
4039 _samr_create_dom_group
4040 *********************************************************************/
4042 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
4043 {
4044 DOM_SID dom_sid;
4045 DOM_SID info_sid;
4046 fstring name;
4047 fstring sid_string;
4050 uint32 acc_granted;
4051 gid_t gid;
4052 SE_PRIV se_rights;
4053 BOOL can_add_accounts;
4054 NTSTATUS result;
4056 /* Find the policy handle. Open a policy on it. */
4060 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
4062 }
4069 /* check if group already exist */
4076 /******** BEGIN SeAddUsers BLOCK *********/
4081 /* check that we successfully create the UNIX group */
4086 /* so far, so good */
4092 /* add the group to the mapping table */
4098 /* reset the error code if we fail to add the mapping entry */
4102 }
4107 /******** END SeAddUsers BLOCK *********/
4109 /* check if we should bail out here */
4117 /* get a (unique) handle. open a policy on it. */
4122 }
4124 /*********************************************************************
4125 _samr_create_dom_alias
4126 *********************************************************************/
4128 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
4129 {
4130 DOM_SID dom_sid;
4131 DOM_SID info_sid;
4132 fstring name;
4135 uint32 acc_granted;
4136 gid_t gid;
4137 NTSTATUS result;
4138 SE_PRIV se_rights;
4139 BOOL can_add_accounts;
4141 /* Find the policy handle. Open a policy on it. */
4145 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
4147 }
4157 /******** BEGIN SeAddUsers BLOCK *********/
4162 /* Have passdb create the alias */
4168 /******** END SeAddUsers BLOCK *********/
4179 /* check if the group has been successfully created */
4186 /* get a (unique) handle. open a policy on it. */
4191 }
4193 /*********************************************************************
4194 _samr_query_groupinfo
4196 sends the name/comment pair of a domain group
4197 level 1 send also the number of users of that group
4198 *********************************************************************/
4200 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
4201 {
4202 DOM_SID group_sid;
4203 GROUP_MAP map;
4208 uint32 acc_granted;
4209 BOOL ret;
4214 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
4216 }
4247 }
4252 }
4254 /*********************************************************************
4255 _samr_set_groupinfo
4257 update a domain group's comment.
4258 *********************************************************************/
4260 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
4261 {
4262 DOM_SID group_sid;
4263 GROUP_MAP map;
4265 uint32 acc_granted;
4270 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
4272 }
4288 }
4292 }
4295 }
4297 /*********************************************************************
4298 _samr_set_aliasinfo
4300 update an alias's comment.
4301 *********************************************************************/
4303 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4304 {
4305 DOM_SID group_sid;
4308 uint32 acc_granted;
4313 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4315 }
4327 }
4331 }
4334 }
4336 /*********************************************************************
4337 _samr_get_dom_pwinfo
4338 *********************************************************************/
4340 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4341 {
4342 /* Perform access check. Since this rpc does not require a
4343 policy handle it will not be caught by the access checks on
4344 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4350 }
4352 /* Actually, returning zeros here works quite well :-). */
4355 }
4357 /*********************************************************************
4358 _samr_open_group
4359 *********************************************************************/
4362 {
4363 DOM_SID sid;
4364 DOM_SID info_sid;
4365 GROUP_MAP map;
4368 uint32 acc_granted;
4371 NTSTATUS status;
4372 fstring sid_string;
4373 BOOL ret;
4378 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) {
4380 }
4382 /*check if access can be granted as requested by client. */
4389 }
4392 /* this should not be hard-coded like this */
4407 /* check if that group really exists */
4414 /* get a (unique) handle. open a policy on it. */
4419 }
4421 /*********************************************************************
4422 _samr_remove_sid_foreign_domain
4423 *********************************************************************/
4428 {
4431 uint32 acc_granted;
4432 GROUP_MAP map;
4434 NTSTATUS result;
4442 /* Find the policy handle. Open a policy on it. */
4456 /* make sure we can handle this */
4466 }
4468 /* check if the user exists before trying to delete */
4475 /* maybe it is a group */
4481 }
4482 }
4484 /* we can only delete a user from a group since we don't have
4485 nested groups anyways. So in the latter case, just say OK */
4494 /* interate over the groups */
4502 }
4510 /* should we fail here ? */
4514 }
4518 }
4521 }
4522 }
4525 done:
4530 }
4532 /*******************************************************************
4533 _samr_unknown_2e
4534 ********************************************************************/
4537 {
4546 uint32 lockout;
4549 NTTIME nt_logout;
4553 uint32 account_policy_temp;
4564 /* find the policy handle. open a policy on it. */
4598 }
4606 }
4615 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4658 }
4665 }
4667 /*******************************************************************
4668 _samr_
4669 ********************************************************************/
4671 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4672 {
4681 /* find the policy handle. open a policy on it. */
4722 }
4729 }