2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
37 #define DBGC_CLASS DBGC_RPC_SRV
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
42 SAMR_USER_ACCESS_SET_LOC_COM)
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46 #define DISP_INFO_CACHE_TIMEOUT 10
48 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
49 #define MAX_SAM_ENTRIES_W95 50
51 typedef struct disp_info
{
52 DOM_SID sid
; /* identify which domain this is. */
53 bool builtin_domain
; /* Quick flag to check if this is the builtin domain. */
54 struct pdb_search
*users
; /* querydispinfo 1 and 4 */
55 struct pdb_search
*machines
; /* querydispinfo 2 */
56 struct pdb_search
*groups
; /* querydispinfo 3 and 5, enumgroups */
57 struct pdb_search
*aliases
; /* enumaliases */
60 struct pdb_search
*enum_users
; /* enumusers with a mask */
62 struct timed_event
*cache_timeout_event
; /* cache idle timeout
66 /* We keep a static list of these by SID as modern clients close down
67 all resources between each request in a complete enumeration. */
70 /* for use by the \PIPE\samr policy */
72 bool builtin_domain
; /* Quick flag to check if this is the builtin domain. */
73 uint32 status
; /* some sort of flag. best to record it. comes from opnum 0x39 */
78 static const struct generic_mapping sam_generic_mapping
= {
79 GENERIC_RIGHTS_SAM_READ
,
80 GENERIC_RIGHTS_SAM_WRITE
,
81 GENERIC_RIGHTS_SAM_EXECUTE
,
82 GENERIC_RIGHTS_SAM_ALL_ACCESS
};
83 static const struct generic_mapping dom_generic_mapping
= {
84 GENERIC_RIGHTS_DOMAIN_READ
,
85 GENERIC_RIGHTS_DOMAIN_WRITE
,
86 GENERIC_RIGHTS_DOMAIN_EXECUTE
,
87 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS
};
88 static const struct generic_mapping usr_generic_mapping
= {
89 GENERIC_RIGHTS_USER_READ
,
90 GENERIC_RIGHTS_USER_WRITE
,
91 GENERIC_RIGHTS_USER_EXECUTE
,
92 GENERIC_RIGHTS_USER_ALL_ACCESS
};
93 static const struct generic_mapping usr_nopwchange_generic_mapping
= {
94 GENERIC_RIGHTS_USER_READ
,
95 GENERIC_RIGHTS_USER_WRITE
,
96 GENERIC_RIGHTS_USER_EXECUTE
& ~SAMR_USER_ACCESS_CHANGE_PASSWORD
,
97 GENERIC_RIGHTS_USER_ALL_ACCESS
};
98 static const struct generic_mapping grp_generic_mapping
= {
99 GENERIC_RIGHTS_GROUP_READ
,
100 GENERIC_RIGHTS_GROUP_WRITE
,
101 GENERIC_RIGHTS_GROUP_EXECUTE
,
102 GENERIC_RIGHTS_GROUP_ALL_ACCESS
};
103 static const struct generic_mapping ali_generic_mapping
= {
104 GENERIC_RIGHTS_ALIAS_READ
,
105 GENERIC_RIGHTS_ALIAS_WRITE
,
106 GENERIC_RIGHTS_ALIAS_EXECUTE
,
107 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
};
109 /*******************************************************************
110 *******************************************************************/
112 static NTSTATUS
make_samr_object_sd( TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
,
113 const struct generic_mapping
*map
,
114 DOM_SID
*sid
, uint32 sid_access
)
116 DOM_SID domadmin_sid
;
117 SEC_ACE ace
[5]; /* at most 5 entries */
122 /* basic access for Everyone */
124 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
125 map
->generic_execute
| map
->generic_read
, 0);
127 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
129 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
130 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
131 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
132 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
134 /* Add Full Access for Domain Admins if we are a DC */
137 sid_copy( &domadmin_sid
, get_global_sam_sid() );
138 sid_append_rid( &domadmin_sid
, DOMAIN_GROUP_RID_ADMINS
);
139 init_sec_ace(&ace
[i
++], &domadmin_sid
,
140 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
143 /* if we have a sid, give it some special access */
146 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, sid_access
, 0);
149 /* create the security descriptor */
151 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
152 return NT_STATUS_NO_MEMORY
;
154 if ((*psd
= make_sec_desc(ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
155 SEC_DESC_SELF_RELATIVE
, NULL
, NULL
, NULL
,
156 psa
, sd_size
)) == NULL
)
157 return NT_STATUS_NO_MEMORY
;
162 /*******************************************************************
163 Checks if access to an object should be granted, and returns that
164 level of access for further checks.
165 ********************************************************************/
167 static NTSTATUS
access_check_samr_object( SEC_DESC
*psd
, NT_USER_TOKEN
*token
,
168 SE_PRIV
*rights
, uint32 rights_mask
,
169 uint32 des_access
, uint32
*acc_granted
,
172 NTSTATUS status
= NT_STATUS_ACCESS_DENIED
;
173 uint32 saved_mask
= 0;
175 /* check privileges; certain SAM access bits should be overridden
176 by privileges (mostly having to do with creating/modifying/deleting
179 if ( rights
&& user_has_any_privilege( token
, rights
) ) {
181 saved_mask
= (des_access
& rights_mask
);
182 des_access
&= ~saved_mask
;
184 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
189 /* check the security descriptor first */
191 status
= se_access_check(psd
, token
, des_access
, acc_granted
);
192 if (NT_STATUS_IS_OK(status
)) {
196 /* give root a free pass */
198 if ( geteuid() == sec_initial_uid() ) {
200 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug
, des_access
));
201 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
203 *acc_granted
= des_access
;
205 status
= NT_STATUS_OK
;
211 /* add in any bits saved during the privilege check (only
212 matters is status is ok) */
214 *acc_granted
|= rights_mask
;
216 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
217 debug
, NT_STATUS_IS_OK(status
) ? "GRANTED" : "DENIED",
218 des_access
, *acc_granted
));
223 /*******************************************************************
224 Checks if access to a function can be granted
225 ********************************************************************/
227 static NTSTATUS
access_check_samr_function(uint32 acc_granted
, uint32 acc_required
, const char *debug
)
229 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
230 debug
, acc_granted
, acc_required
));
232 /* check the security descriptor first */
234 if ( (acc_granted
&acc_required
) == acc_required
)
237 /* give root a free pass */
239 if (geteuid() == sec_initial_uid()) {
241 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
242 debug
, acc_granted
, acc_required
));
243 DEBUGADD(4,("but overwritten by euid == 0\n"));
248 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
249 debug
, acc_granted
, acc_required
));
251 return NT_STATUS_ACCESS_DENIED
;
254 /*******************************************************************
255 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
256 ********************************************************************/
258 static void map_max_allowed_access(const NT_USER_TOKEN
*token
,
259 uint32_t *pacc_requested
)
261 if (!((*pacc_requested
) & MAXIMUM_ALLOWED_ACCESS
)) {
264 *pacc_requested
&= ~MAXIMUM_ALLOWED_ACCESS
;
266 /* At least try for generic read. */
267 *pacc_requested
= GENERIC_READ_ACCESS
;
269 /* root gets anything. */
270 if (geteuid() == sec_initial_uid()) {
271 *pacc_requested
|= GENERIC_ALL_ACCESS
;
275 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
277 if (is_sid_in_token(token
, &global_sid_Builtin_Administrators
) ||
278 is_sid_in_token(token
, &global_sid_Builtin_Account_Operators
)) {
279 *pacc_requested
|= GENERIC_ALL_ACCESS
;
283 /* Full access for DOMAIN\Domain Admins. */
285 DOM_SID domadmin_sid
;
286 sid_copy( &domadmin_sid
, get_global_sam_sid() );
287 sid_append_rid( &domadmin_sid
, DOMAIN_GROUP_RID_ADMINS
);
288 if (is_sid_in_token(token
, &domadmin_sid
)) {
289 *pacc_requested
|= GENERIC_ALL_ACCESS
;
293 /* TODO ! Check privileges. */
296 /*******************************************************************
297 Fetch or create a dispinfo struct.
298 ********************************************************************/
300 static DISP_INFO
*get_samr_dispinfo_by_sid(DOM_SID
*psid
)
303 * We do a static cache for DISP_INFO's here. Explanation can be found
304 * in Jeremy's checkin message to r11793:
306 * Fix the SAMR cache so it works across completely insane
307 * client behaviour (ie.:
308 * open pipe/open SAMR handle/enumerate 0 - 1024
309 * close SAMR handle, close pipe.
310 * open pipe/open SAMR handle/enumerate 1024 - 2048...
311 * close SAMR handle, close pipe.
312 * And on ad-nausium. Amazing.... probably object-oriented
313 * client side programming in action yet again.
314 * This change should *massively* improve performance when
315 * enumerating users from an LDAP database.
318 * "Our" and the builtin domain are the only ones where we ever
319 * enumerate stuff, so just cache 2 entries.
322 static struct disp_info
*builtin_dispinfo
;
323 static struct disp_info
*domain_dispinfo
;
325 /* There are two cases to consider here:
326 1) The SID is a domain SID and we look for an equality match, or
327 2) This is an account SID and so we return the DISP_INFO* for our
334 if (sid_check_is_builtin(psid
) || sid_check_is_in_builtin(psid
)) {
336 * Necessary only once, but it does not really hurt.
338 if (builtin_dispinfo
== NULL
) {
339 builtin_dispinfo
= talloc_zero(
340 talloc_autofree_context(), struct disp_info
);
341 if (builtin_dispinfo
== NULL
) {
345 sid_copy(&builtin_dispinfo
->sid
, &global_sid_Builtin
);
346 builtin_dispinfo
->builtin_domain
= true;
348 return builtin_dispinfo
;
351 if (sid_check_is_domain(psid
) || sid_check_is_in_our_domain(psid
)) {
353 * Necessary only once, but it does not really hurt.
355 if (domain_dispinfo
== NULL
) {
356 domain_dispinfo
= talloc_zero(
357 talloc_autofree_context(), struct disp_info
);
358 if (domain_dispinfo
== NULL
) {
362 sid_copy(&domain_dispinfo
->sid
, get_global_sam_sid());
363 domain_dispinfo
->builtin_domain
= false;
365 return domain_dispinfo
;
371 /*******************************************************************
372 Create a samr_info struct.
373 ********************************************************************/
375 static int samr_info_destructor(struct samr_info
*info
);
377 static struct samr_info
*get_samr_info_by_sid(TALLOC_CTX
*mem_ctx
,
380 struct samr_info
*info
;
384 sid_to_fstring(sid_str
, psid
);
386 fstrcpy(sid_str
,"(NULL)");
389 if ((info
= TALLOC_ZERO_P(mem_ctx
, struct samr_info
)) == NULL
) {
392 talloc_set_destructor(info
, samr_info_destructor
);
394 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str
));
396 sid_copy( &info
->sid
, psid
);
397 info
->builtin_domain
= sid_check_is_builtin(psid
);
399 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
400 info
->builtin_domain
= False
;
403 info
->disp_info
= get_samr_dispinfo_by_sid(psid
);
408 /*******************************************************************
409 Function to free the per SID data.
410 ********************************************************************/
412 static void free_samr_cache(DISP_INFO
*disp_info
)
414 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
415 sid_string_dbg(&disp_info
->sid
)));
417 /* We need to become root here because the paged search might have to
418 * tell the LDAP server we're not interested in the rest anymore. */
422 TALLOC_FREE(disp_info
->users
);
423 TALLOC_FREE(disp_info
->machines
);
424 TALLOC_FREE(disp_info
->groups
);
425 TALLOC_FREE(disp_info
->aliases
);
426 TALLOC_FREE(disp_info
->enum_users
);
431 static int samr_info_destructor(struct samr_info
*info
)
433 /* Only free the dispinfo cache if no one bothered to set up
436 if (info
->disp_info
&& info
->disp_info
->cache_timeout_event
== NULL
) {
437 free_samr_cache(info
->disp_info
);
442 /*******************************************************************
443 Idle event handler. Throw away the disp info cache.
444 ********************************************************************/
446 static void disp_info_cache_idle_timeout_handler(struct event_context
*ev_ctx
,
447 struct timed_event
*te
,
451 DISP_INFO
*disp_info
= (DISP_INFO
*)private_data
;
453 TALLOC_FREE(disp_info
->cache_timeout_event
);
455 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
457 free_samr_cache(disp_info
);
460 /*******************************************************************
461 Setup cache removal idle event handler.
462 ********************************************************************/
464 static void set_disp_info_cache_timeout(DISP_INFO
*disp_info
, time_t secs_fromnow
)
466 /* Remove any pending timeout and update. */
468 TALLOC_FREE(disp_info
->cache_timeout_event
);
470 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
471 "SID %s for %u seconds\n", sid_string_dbg(&disp_info
->sid
),
472 (unsigned int)secs_fromnow
));
474 disp_info
->cache_timeout_event
= event_add_timed(
475 smbd_event_context(), NULL
,
476 timeval_current_ofs(secs_fromnow
, 0),
477 disp_info_cache_idle_timeout_handler
, (void *)disp_info
);
480 /*******************************************************************
481 Force flush any cache. We do this on any samr_set_xxx call.
482 We must also remove the timeout handler.
483 ********************************************************************/
485 static void force_flush_samr_cache(DISP_INFO
*disp_info
)
487 if ((disp_info
== NULL
) || (disp_info
->cache_timeout_event
== NULL
)) {
491 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
492 TALLOC_FREE(disp_info
->cache_timeout_event
);
493 free_samr_cache(disp_info
);
496 /*******************************************************************
497 Ensure password info is never given out. Paranioa... JRA.
498 ********************************************************************/
500 static void samr_clear_sam_passwd(struct samu
*sam_pass
)
506 /* These now zero out the old password */
508 pdb_set_lanman_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
509 pdb_set_nt_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
512 static uint32
count_sam_users(struct disp_info
*info
, uint32 acct_flags
)
514 struct samr_displayentry
*entry
;
516 if (info
->builtin_domain
) {
517 /* No users in builtin. */
521 if (info
->users
== NULL
) {
522 info
->users
= pdb_search_users(info
, acct_flags
);
523 if (info
->users
== NULL
) {
527 /* Fetch the last possible entry, thus trigger an enumeration */
528 pdb_search_entries(info
->users
, 0xffffffff, 1, &entry
);
530 /* Ensure we cache this enumeration. */
531 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
533 return info
->users
->num_entries
;
536 static uint32
count_sam_groups(struct disp_info
*info
)
538 struct samr_displayentry
*entry
;
540 if (info
->builtin_domain
) {
541 /* No groups in builtin. */
545 if (info
->groups
== NULL
) {
546 info
->groups
= pdb_search_groups(info
);
547 if (info
->groups
== NULL
) {
551 /* Fetch the last possible entry, thus trigger an enumeration */
552 pdb_search_entries(info
->groups
, 0xffffffff, 1, &entry
);
554 /* Ensure we cache this enumeration. */
555 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
557 return info
->groups
->num_entries
;
560 static uint32
count_sam_aliases(struct disp_info
*info
)
562 struct samr_displayentry
*entry
;
564 if (info
->aliases
== NULL
) {
565 info
->aliases
= pdb_search_aliases(info
, &info
->sid
);
566 if (info
->aliases
== NULL
) {
570 /* Fetch the last possible entry, thus trigger an enumeration */
571 pdb_search_entries(info
->aliases
, 0xffffffff, 1, &entry
);
573 /* Ensure we cache this enumeration. */
574 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
576 return info
->aliases
->num_entries
;
579 /*******************************************************************
581 ********************************************************************/
583 NTSTATUS
_samr_Close(pipes_struct
*p
, struct samr_Close
*r
)
585 if (!close_policy_hnd(p
, r
->in
.handle
)) {
586 return NT_STATUS_INVALID_HANDLE
;
589 ZERO_STRUCTP(r
->out
.handle
);
594 /*******************************************************************
596 ********************************************************************/
598 NTSTATUS
_samr_OpenDomain(pipes_struct
*p
,
599 struct samr_OpenDomain
*r
)
601 struct samr_info
*info
;
602 SEC_DESC
*psd
= NULL
;
604 uint32 des_access
= r
->in
.access_mask
;
609 /* find the connection policy handle. */
611 if ( !find_policy_by_hnd(p
, r
->in
.connect_handle
, (void**)(void *)&info
) )
612 return NT_STATUS_INVALID_HANDLE
;
614 /*check if access can be granted as requested by client. */
615 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
617 make_samr_object_sd( p
->mem_ctx
, &psd
, &sd_size
, &dom_generic_mapping
, NULL
, 0 );
618 se_map_generic( &des_access
, &dom_generic_mapping
);
620 se_priv_copy( &se_rights
, &se_machine_account
);
621 se_priv_add( &se_rights
, &se_add_users
);
623 status
= access_check_samr_object( psd
, p
->server_info
->ptok
,
624 &se_rights
, GENERIC_RIGHTS_DOMAIN_WRITE
, des_access
,
625 &acc_granted
, "_samr_OpenDomain" );
627 if ( !NT_STATUS_IS_OK(status
) )
630 if (!sid_check_is_domain(r
->in
.sid
) &&
631 !sid_check_is_builtin(r
->in
.sid
)) {
632 return NT_STATUS_NO_SUCH_DOMAIN
;
635 /* associate the domain SID with the (unique) handle. */
636 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, r
->in
.sid
))==NULL
)
637 return NT_STATUS_NO_MEMORY
;
638 info
->acc_granted
= acc_granted
;
640 /* get a (unique) handle. open a policy on it. */
641 if (!create_policy_hnd(p
, r
->out
.domain_handle
, info
))
642 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
644 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__
));
649 /*******************************************************************
651 ********************************************************************/
653 NTSTATUS
_samr_GetUserPwInfo(pipes_struct
*p
,
654 struct samr_GetUserPwInfo
*r
)
656 struct samr_info
*info
= NULL
;
657 enum lsa_SidType sid_type
;
658 uint32_t min_password_length
= 0;
659 uint32_t password_properties
= 0;
663 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
665 /* find the policy handle. open a policy on it. */
666 if (!find_policy_by_hnd(p
, r
->in
.user_handle
, (void **)(void *)&info
)) {
667 return NT_STATUS_INVALID_HANDLE
;
670 status
= access_check_samr_function(info
->acc_granted
,
671 SAMR_USER_ACCESS_GET_ATTRIBUTES
,
672 "_samr_GetUserPwInfo" );
673 if (!NT_STATUS_IS_OK(status
)) {
677 if (!sid_check_is_in_our_domain(&info
->sid
)) {
678 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
682 ret
= lookup_sid(p
->mem_ctx
, &info
->sid
, NULL
, NULL
, &sid_type
);
685 return NT_STATUS_NO_SUCH_USER
;
691 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
,
692 &min_password_length
);
693 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
694 &password_properties
);
697 if (lp_check_password_script() && *lp_check_password_script()) {
698 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
706 r
->out
.info
->min_password_length
= min_password_length
;
707 r
->out
.info
->password_properties
= password_properties
;
709 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
714 /*******************************************************************
715 ********************************************************************/
717 static bool get_lsa_policy_samr_sid( pipes_struct
*p
, struct policy_handle
*pol
,
718 DOM_SID
*sid
, uint32
*acc_granted
,
719 DISP_INFO
**ppdisp_info
)
721 struct samr_info
*info
= NULL
;
723 /* find the policy handle. open a policy on it. */
724 if (!find_policy_by_hnd(p
, pol
, (void **)(void *)&info
))
731 *acc_granted
= info
->acc_granted
;
733 *ppdisp_info
= info
->disp_info
;
739 /*******************************************************************
741 ********************************************************************/
743 NTSTATUS
_samr_SetSecurity(pipes_struct
*p
,
744 struct samr_SetSecurity
*r
)
747 uint32 acc_granted
, i
;
750 struct samu
*sampass
=NULL
;
753 if (!get_lsa_policy_samr_sid(p
, r
->in
.handle
, &pol_sid
, &acc_granted
, NULL
))
754 return NT_STATUS_INVALID_HANDLE
;
756 if (!(sampass
= samu_new( p
->mem_ctx
))) {
757 DEBUG(0,("No memory!\n"));
758 return NT_STATUS_NO_MEMORY
;
761 /* get the user record */
763 ret
= pdb_getsampwsid(sampass
, &pol_sid
);
767 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid
)));
768 TALLOC_FREE(sampass
);
769 return NT_STATUS_INVALID_HANDLE
;
772 dacl
= r
->in
.sdbuf
->sd
->dacl
;
773 for (i
=0; i
< dacl
->num_aces
; i
++) {
774 if (sid_equal(&pol_sid
, &dacl
->aces
[i
].trustee
)) {
775 ret
= pdb_set_pass_can_change(sampass
,
776 (dacl
->aces
[i
].access_mask
&
777 SAMR_USER_ACCESS_CHANGE_PASSWORD
) ?
784 TALLOC_FREE(sampass
);
785 return NT_STATUS_ACCESS_DENIED
;
788 status
= access_check_samr_function(acc_granted
,
789 SAMR_USER_ACCESS_SET_ATTRIBUTES
,
790 "_samr_SetSecurity");
791 if (NT_STATUS_IS_OK(status
)) {
793 status
= pdb_update_sam_account(sampass
);
797 TALLOC_FREE(sampass
);
802 /*******************************************************************
803 build correct perms based on policies and password times for _samr_query_sec_obj
804 *******************************************************************/
805 static bool check_change_pw_access(TALLOC_CTX
*mem_ctx
, DOM_SID
*user_sid
)
807 struct samu
*sampass
=NULL
;
810 if ( !(sampass
= samu_new( mem_ctx
)) ) {
811 DEBUG(0,("No memory!\n"));
816 ret
= pdb_getsampwsid(sampass
, user_sid
);
820 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid
)));
821 TALLOC_FREE(sampass
);
825 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass
) ));
827 if (pdb_get_pass_can_change(sampass
)) {
828 TALLOC_FREE(sampass
);
831 TALLOC_FREE(sampass
);
836 /*******************************************************************
838 ********************************************************************/
840 NTSTATUS
_samr_QuerySecurity(pipes_struct
*p
,
841 struct samr_QuerySecurity
*r
)
845 SEC_DESC
* psd
= NULL
;
850 if (!get_lsa_policy_samr_sid(p
, r
->in
.handle
, &pol_sid
, &acc_granted
, NULL
))
851 return NT_STATUS_INVALID_HANDLE
;
853 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
854 sid_string_dbg(&pol_sid
)));
856 status
= access_check_samr_function(acc_granted
,
857 STD_RIGHT_READ_CONTROL_ACCESS
,
858 "_samr_QuerySecurity");
859 if (!NT_STATUS_IS_OK(status
)) {
863 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
865 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
866 if (pol_sid
.sid_rev_num
== 0) {
867 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
868 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &sam_generic_mapping
, NULL
, 0);
869 } else if (sid_equal(&pol_sid
,get_global_sam_sid())) {
870 /* check if it is our domain SID */
871 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
872 "with SID: %s\n", sid_string_dbg(&pol_sid
)));
873 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &dom_generic_mapping
, NULL
, 0);
874 } else if (sid_equal(&pol_sid
,&global_sid_Builtin
)) {
875 /* check if it is the Builtin Domain */
876 /* TODO: Builtin probably needs a different SD with restricted write access*/
877 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
878 "Domain with SID: %s\n", sid_string_dbg(&pol_sid
)));
879 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &dom_generic_mapping
, NULL
, 0);
880 } else if (sid_check_is_in_our_domain(&pol_sid
) ||
881 sid_check_is_in_builtin(&pol_sid
)) {
882 /* TODO: different SDs have to be generated for aliases groups and users.
883 Currently all three get a default user SD */
884 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
885 "with SID: %s\n", sid_string_dbg(&pol_sid
)));
886 if (check_change_pw_access(p
->mem_ctx
, &pol_sid
)) {
887 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
,
888 &pol_sid
, SAMR_USR_RIGHTS_WRITE_PW
);
890 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_nopwchange_generic_mapping
,
891 &pol_sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
894 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
897 if ((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
898 return NT_STATUS_NO_MEMORY
;
903 /*******************************************************************
904 makes a SAM_ENTRY / UNISTR2* structure from a user list.
905 ********************************************************************/
907 static NTSTATUS
make_user_sam_entry_list(TALLOC_CTX
*ctx
,
908 struct samr_SamEntry
**sam_pp
,
909 uint32_t num_entries
,
911 struct samr_displayentry
*entries
)
914 struct samr_SamEntry
*sam
;
918 if (num_entries
== 0) {
922 sam
= TALLOC_ZERO_ARRAY(ctx
, struct samr_SamEntry
, num_entries
);
924 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
925 return NT_STATUS_NO_MEMORY
;
928 for (i
= 0; i
< num_entries
; i
++) {
931 * usrmgr expects a non-NULL terminated string with
932 * trust relationships
934 if (entries
[i
].acct_flags
& ACB_DOMTRUST
) {
935 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
938 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
942 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
943 sam
[i
].idx
= entries
[i
].rid
;
951 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
953 /*******************************************************************
954 _samr_EnumDomainUsers
955 ********************************************************************/
957 NTSTATUS
_samr_EnumDomainUsers(pipes_struct
*p
,
958 struct samr_EnumDomainUsers
*r
)
961 struct samr_info
*info
= NULL
;
963 uint32 enum_context
= *r
->in
.resume_handle
;
964 enum remote_arch_types ra_type
= get_remote_arch();
965 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
966 uint32 max_entries
= max_sam_entries
;
967 struct samr_displayentry
*entries
= NULL
;
968 struct samr_SamArray
*samr_array
= NULL
;
969 struct samr_SamEntry
*samr_entries
= NULL
;
971 /* find the policy handle. open a policy on it. */
972 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
))
973 return NT_STATUS_INVALID_HANDLE
;
975 status
= access_check_samr_function(info
->acc_granted
,
976 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
,
977 "_samr_EnumDomainUsers");
978 if (!NT_STATUS_IS_OK(status
)) {
982 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
984 if (info
->builtin_domain
) {
985 /* No users in builtin. */
986 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
987 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
991 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
993 return NT_STATUS_NO_MEMORY
;
995 *r
->out
.sam
= samr_array
;
1001 if ((info
->disp_info
->enum_users
!= NULL
) &&
1002 (info
->disp_info
->enum_acb_mask
!= r
->in
.acct_flags
)) {
1003 TALLOC_FREE(info
->disp_info
->enum_users
);
1006 if (info
->disp_info
->enum_users
== NULL
) {
1007 info
->disp_info
->enum_users
= pdb_search_users(
1008 info
->disp_info
, r
->in
.acct_flags
);
1009 info
->disp_info
->enum_acb_mask
= r
->in
.acct_flags
;
1012 if (info
->disp_info
->enum_users
== NULL
) {
1013 /* END AS ROOT !!!! */
1015 return NT_STATUS_ACCESS_DENIED
;
1018 num_account
= pdb_search_entries(info
->disp_info
->enum_users
,
1019 enum_context
, max_entries
,
1022 /* END AS ROOT !!!! */
1026 if (num_account
== 0) {
1027 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1028 "total entries\n"));
1029 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
1030 return NT_STATUS_OK
;
1033 status
= make_user_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1034 num_account
, enum_context
,
1036 if (!NT_STATUS_IS_OK(status
)) {
1040 if (max_entries
<= num_account
) {
1041 status
= STATUS_MORE_ENTRIES
;
1043 status
= NT_STATUS_OK
;
1046 /* Ensure we cache this enumeration. */
1047 set_disp_info_cache_timeout(info
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1049 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__
));
1051 samr_array
->count
= num_account
;
1052 samr_array
->entries
= samr_entries
;
1054 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ num_account
;
1055 *r
->out
.num_entries
= num_account
;
1057 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
1062 /*******************************************************************
1063 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1064 ********************************************************************/
1066 static void make_group_sam_entry_list(TALLOC_CTX
*ctx
,
1067 struct samr_SamEntry
**sam_pp
,
1068 uint32_t num_sam_entries
,
1069 struct samr_displayentry
*entries
)
1071 struct samr_SamEntry
*sam
;
1076 if (num_sam_entries
== 0) {
1080 sam
= TALLOC_ZERO_ARRAY(ctx
, struct samr_SamEntry
, num_sam_entries
);
1085 for (i
= 0; i
< num_sam_entries
; i
++) {
1087 * JRA. I think this should include the null. TNG does not.
1089 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
1090 sam
[i
].idx
= entries
[i
].rid
;
1096 /*******************************************************************
1097 _samr_EnumDomainGroups
1098 ********************************************************************/
1100 NTSTATUS
_samr_EnumDomainGroups(pipes_struct
*p
,
1101 struct samr_EnumDomainGroups
*r
)
1104 struct samr_info
*info
= NULL
;
1105 struct samr_displayentry
*groups
;
1107 struct samr_SamArray
*samr_array
= NULL
;
1108 struct samr_SamEntry
*samr_entries
= NULL
;
1110 /* find the policy handle. open a policy on it. */
1111 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
))
1112 return NT_STATUS_INVALID_HANDLE
;
1114 status
= access_check_samr_function(info
->acc_granted
,
1115 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
,
1116 "_samr_EnumDomainGroups");
1117 if (!NT_STATUS_IS_OK(status
)) {
1121 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1123 if (info
->builtin_domain
) {
1124 /* No groups in builtin. */
1125 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
1126 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1130 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
1132 return NT_STATUS_NO_MEMORY
;
1135 /* the domain group array is being allocated in the function below */
1139 if (info
->disp_info
->groups
== NULL
) {
1140 info
->disp_info
->groups
= pdb_search_groups(info
->disp_info
);
1142 if (info
->disp_info
->groups
== NULL
) {
1144 return NT_STATUS_ACCESS_DENIED
;
1148 num_groups
= pdb_search_entries(info
->disp_info
->groups
,
1149 *r
->in
.resume_handle
,
1150 MAX_SAM_ENTRIES
, &groups
);
1153 /* Ensure we cache this enumeration. */
1154 set_disp_info_cache_timeout(info
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1156 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1157 num_groups
, groups
);
1159 samr_array
->count
= num_groups
;
1160 samr_array
->entries
= samr_entries
;
1162 *r
->out
.sam
= samr_array
;
1163 *r
->out
.num_entries
= num_groups
;
1164 *r
->out
.resume_handle
= num_groups
+ *r
->in
.resume_handle
;
1166 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1171 /*******************************************************************
1172 _samr_EnumDomainAliases
1173 ********************************************************************/
1175 NTSTATUS
_samr_EnumDomainAliases(pipes_struct
*p
,
1176 struct samr_EnumDomainAliases
*r
)
1179 struct samr_info
*info
;
1180 struct samr_displayentry
*aliases
;
1181 uint32 num_aliases
= 0;
1182 struct samr_SamArray
*samr_array
= NULL
;
1183 struct samr_SamEntry
*samr_entries
= NULL
;
1185 /* find the policy handle. open a policy on it. */
1186 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
))
1187 return NT_STATUS_INVALID_HANDLE
;
1189 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1190 sid_string_dbg(&info
->sid
)));
1192 status
= access_check_samr_function(info
->acc_granted
,
1193 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
,
1194 "_samr_EnumDomainAliases");
1195 if (!NT_STATUS_IS_OK(status
)) {
1199 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
1201 return NT_STATUS_NO_MEMORY
;
1206 if (info
->disp_info
->aliases
== NULL
) {
1207 info
->disp_info
->aliases
= pdb_search_aliases(
1208 info
->disp_info
, &info
->sid
);
1209 if (info
->disp_info
->aliases
== NULL
) {
1211 return NT_STATUS_ACCESS_DENIED
;
1215 num_aliases
= pdb_search_entries(info
->disp_info
->aliases
,
1216 *r
->in
.resume_handle
,
1217 MAX_SAM_ENTRIES
, &aliases
);
1220 /* Ensure we cache this enumeration. */
1221 set_disp_info_cache_timeout(info
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1223 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1224 num_aliases
, aliases
);
1226 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__
));
1228 samr_array
->count
= num_aliases
;
1229 samr_array
->entries
= samr_entries
;
1231 *r
->out
.sam
= samr_array
;
1232 *r
->out
.num_entries
= num_aliases
;
1233 *r
->out
.resume_handle
= num_aliases
+ *r
->in
.resume_handle
;
1238 /*******************************************************************
1239 inits a samr_DispInfoGeneral structure.
1240 ********************************************************************/
1242 static NTSTATUS
init_samr_dispinfo_1(TALLOC_CTX
*ctx
,
1243 struct samr_DispInfoGeneral
*r
,
1244 uint32_t num_entries
,
1246 struct samr_displayentry
*entries
)
1250 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries
));
1252 if (num_entries
== 0) {
1253 return NT_STATUS_OK
;
1256 r
->count
= num_entries
;
1258 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryGeneral
, num_entries
);
1260 return NT_STATUS_NO_MEMORY
;
1263 for (i
= 0; i
< num_entries
; i
++) {
1265 init_lsa_String(&r
->entries
[i
].account_name
,
1266 entries
[i
].account_name
);
1268 init_lsa_String(&r
->entries
[i
].description
,
1269 entries
[i
].description
);
1271 init_lsa_String(&r
->entries
[i
].full_name
,
1272 entries
[i
].fullname
);
1274 r
->entries
[i
].rid
= entries
[i
].rid
;
1275 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1276 r
->entries
[i
].idx
= start_idx
+i
+1;
1279 return NT_STATUS_OK
;
1282 /*******************************************************************
1283 inits a samr_DispInfoFull structure.
1284 ********************************************************************/
1286 static NTSTATUS
init_samr_dispinfo_2(TALLOC_CTX
*ctx
,
1287 struct samr_DispInfoFull
*r
,
1288 uint32_t num_entries
,
1290 struct samr_displayentry
*entries
)
1294 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries
));
1296 if (num_entries
== 0) {
1297 return NT_STATUS_OK
;
1300 r
->count
= num_entries
;
1302 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryFull
, num_entries
);
1304 return NT_STATUS_NO_MEMORY
;
1307 for (i
= 0; i
< num_entries
; i
++) {
1309 init_lsa_String(&r
->entries
[i
].account_name
,
1310 entries
[i
].account_name
);
1312 init_lsa_String(&r
->entries
[i
].description
,
1313 entries
[i
].description
);
1315 r
->entries
[i
].rid
= entries
[i
].rid
;
1316 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1317 r
->entries
[i
].idx
= start_idx
+i
+1;
1320 return NT_STATUS_OK
;
1323 /*******************************************************************
1324 inits a samr_DispInfoFullGroups structure.
1325 ********************************************************************/
1327 static NTSTATUS
init_samr_dispinfo_3(TALLOC_CTX
*ctx
,
1328 struct samr_DispInfoFullGroups
*r
,
1329 uint32_t num_entries
,
1331 struct samr_displayentry
*entries
)
1335 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries
));
1337 if (num_entries
== 0) {
1338 return NT_STATUS_OK
;
1341 r
->count
= num_entries
;
1343 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryFullGroup
, num_entries
);
1345 return NT_STATUS_NO_MEMORY
;
1348 for (i
= 0; i
< num_entries
; i
++) {
1350 init_lsa_String(&r
->entries
[i
].account_name
,
1351 entries
[i
].account_name
);
1353 init_lsa_String(&r
->entries
[i
].description
,
1354 entries
[i
].description
);
1356 r
->entries
[i
].rid
= entries
[i
].rid
;
1357 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1358 r
->entries
[i
].idx
= start_idx
+i
+1;
1361 return NT_STATUS_OK
;
1364 /*******************************************************************
1365 inits a samr_DispInfoAscii structure.
1366 ********************************************************************/
1368 static NTSTATUS
init_samr_dispinfo_4(TALLOC_CTX
*ctx
,
1369 struct samr_DispInfoAscii
*r
,
1370 uint32_t num_entries
,
1372 struct samr_displayentry
*entries
)
1376 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries
));
1378 if (num_entries
== 0) {
1379 return NT_STATUS_OK
;
1382 r
->count
= num_entries
;
1384 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryAscii
, num_entries
);
1386 return NT_STATUS_NO_MEMORY
;
1389 for (i
= 0; i
< num_entries
; i
++) {
1391 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1392 entries
[i
].account_name
);
1394 r
->entries
[i
].idx
= start_idx
+i
+1;
1397 return NT_STATUS_OK
;
1400 /*******************************************************************
1401 inits a samr_DispInfoAscii structure.
1402 ********************************************************************/
1404 static NTSTATUS
init_samr_dispinfo_5(TALLOC_CTX
*ctx
,
1405 struct samr_DispInfoAscii
*r
,
1406 uint32_t num_entries
,
1408 struct samr_displayentry
*entries
)
1412 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries
));
1414 if (num_entries
== 0) {
1415 return NT_STATUS_OK
;
1418 r
->count
= num_entries
;
1420 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryAscii
, num_entries
);
1422 return NT_STATUS_NO_MEMORY
;
1425 for (i
= 0; i
< num_entries
; i
++) {
1427 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1428 entries
[i
].account_name
);
1430 r
->entries
[i
].idx
= start_idx
+i
+1;
1433 return NT_STATUS_OK
;
1436 /*******************************************************************
1437 _samr_QueryDisplayInfo
1438 ********************************************************************/
1440 NTSTATUS
_samr_QueryDisplayInfo(pipes_struct
*p
,
1441 struct samr_QueryDisplayInfo
*r
)
1444 struct samr_info
*info
= NULL
;
1445 uint32 struct_size
=0x20; /* W2K always reply that, client doesn't care */
1447 uint32 max_entries
= r
->in
.max_entries
;
1448 uint32 enum_context
= r
->in
.start_idx
;
1449 uint32 max_size
= r
->in
.buf_size
;
1451 union samr_DispInfo
*disp_info
= r
->out
.info
;
1453 uint32 temp_size
=0, total_data_size
=0;
1454 NTSTATUS disp_ret
= NT_STATUS_UNSUCCESSFUL
;
1455 uint32 num_account
= 0;
1456 enum remote_arch_types ra_type
= get_remote_arch();
1457 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
1458 struct samr_displayentry
*entries
= NULL
;
1460 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1462 /* find the policy handle. open a policy on it. */
1463 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
))
1464 return NT_STATUS_INVALID_HANDLE
;
1466 if (info
->builtin_domain
) {
1467 DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
1468 return NT_STATUS_OK
;
1471 status
= access_check_samr_function(info
->acc_granted
,
1472 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
,
1473 "_samr_QueryDisplayInfo");
1474 if (!NT_STATUS_IS_OK(status
)) {
1479 * calculate how many entries we will return.
1481 * - the number of entries the client asked
1482 * - our limit on that
1483 * - the starting point (enumeration context)
1484 * - the buffer size the client will accept
1488 * We are a lot more like W2K. Instead of reading the SAM
1489 * each time to find the records we need to send back,
1490 * we read it once and link that copy to the sam handle.
1491 * For large user list (over the MAX_SAM_ENTRIES)
1492 * it's a definitive win.
1493 * second point to notice: between enumerations
1494 * our sam is now the same as it's a snapshoot.
1495 * third point: got rid of the static SAM_USER_21 struct
1496 * no more intermediate.
1497 * con: it uses much more memory, as a full copy is stored
1500 * If you want to change it, think twice and think
1501 * of the second point , that's really important.
1506 if ((r
->in
.level
< 1) || (r
->in
.level
> 5)) {
1507 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1508 (unsigned int)r
->in
.level
));
1509 return NT_STATUS_INVALID_INFO_CLASS
;
1512 /* first limit the number of entries we will return */
1513 if(max_entries
> max_sam_entries
) {
1514 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1515 "entries, limiting to %d\n", max_entries
,
1517 max_entries
= max_sam_entries
;
1520 /* calculate the size and limit on the number of entries we will
1523 temp_size
=max_entries
*struct_size
;
1525 if (temp_size
>max_size
) {
1526 max_entries
=MIN((max_size
/struct_size
),max_entries
);;
1527 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1528 "only %d entries\n", max_entries
));
1533 /* THe following done as ROOT. Don't return without unbecome_root(). */
1535 switch (r
->in
.level
) {
1538 if (info
->disp_info
->users
== NULL
) {
1539 info
->disp_info
->users
= pdb_search_users(
1540 info
->disp_info
, ACB_NORMAL
);
1541 if (info
->disp_info
->users
== NULL
) {
1543 return NT_STATUS_ACCESS_DENIED
;
1545 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1546 (unsigned int)enum_context
));
1548 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1549 (unsigned int)enum_context
));
1552 num_account
= pdb_search_entries(info
->disp_info
->users
,
1553 enum_context
, max_entries
,
1557 if (info
->disp_info
->machines
== NULL
) {
1558 info
->disp_info
->machines
= pdb_search_users(
1559 info
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
1560 if (info
->disp_info
->machines
== NULL
) {
1562 return NT_STATUS_ACCESS_DENIED
;
1564 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1565 (unsigned int)enum_context
));
1567 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1568 (unsigned int)enum_context
));
1571 num_account
= pdb_search_entries(info
->disp_info
->machines
,
1572 enum_context
, max_entries
,
1577 if (info
->disp_info
->groups
== NULL
) {
1578 info
->disp_info
->groups
= pdb_search_groups(
1580 if (info
->disp_info
->groups
== NULL
) {
1582 return NT_STATUS_ACCESS_DENIED
;
1584 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1585 (unsigned int)enum_context
));
1587 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1588 (unsigned int)enum_context
));
1591 num_account
= pdb_search_entries(info
->disp_info
->groups
,
1592 enum_context
, max_entries
,
1597 smb_panic("info class changed");
1603 /* Now create reply structure */
1604 switch (r
->in
.level
) {
1606 disp_ret
= init_samr_dispinfo_1(p
->mem_ctx
, &disp_info
->info1
,
1607 num_account
, enum_context
,
1611 disp_ret
= init_samr_dispinfo_2(p
->mem_ctx
, &disp_info
->info2
,
1612 num_account
, enum_context
,
1616 disp_ret
= init_samr_dispinfo_3(p
->mem_ctx
, &disp_info
->info3
,
1617 num_account
, enum_context
,
1621 disp_ret
= init_samr_dispinfo_4(p
->mem_ctx
, &disp_info
->info4
,
1622 num_account
, enum_context
,
1626 disp_ret
= init_samr_dispinfo_5(p
->mem_ctx
, &disp_info
->info5
,
1627 num_account
, enum_context
,
1631 smb_panic("info class changed");
1635 if (!NT_STATUS_IS_OK(disp_ret
))
1638 /* calculate the total size */
1639 total_data_size
=num_account
*struct_size
;
1641 if (max_entries
<= num_account
) {
1642 status
= STATUS_MORE_ENTRIES
;
1644 status
= NT_STATUS_OK
;
1647 /* Ensure we cache this enumeration. */
1648 set_disp_info_cache_timeout(info
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1650 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1652 *r
->out
.total_size
= total_data_size
;
1653 *r
->out
.returned_size
= temp_size
;
1658 /****************************************************************
1659 _samr_QueryDisplayInfo2
1660 ****************************************************************/
1662 NTSTATUS
_samr_QueryDisplayInfo2(pipes_struct
*p
,
1663 struct samr_QueryDisplayInfo2
*r
)
1665 struct samr_QueryDisplayInfo q
;
1667 q
.in
.domain_handle
= r
->in
.domain_handle
;
1668 q
.in
.level
= r
->in
.level
;
1669 q
.in
.start_idx
= r
->in
.start_idx
;
1670 q
.in
.max_entries
= r
->in
.max_entries
;
1671 q
.in
.buf_size
= r
->in
.buf_size
;
1673 q
.out
.total_size
= r
->out
.total_size
;
1674 q
.out
.returned_size
= r
->out
.returned_size
;
1675 q
.out
.info
= r
->out
.info
;
1677 return _samr_QueryDisplayInfo(p
, &q
);
1680 /****************************************************************
1681 _samr_QueryDisplayInfo3
1682 ****************************************************************/
1684 NTSTATUS
_samr_QueryDisplayInfo3(pipes_struct
*p
,
1685 struct samr_QueryDisplayInfo3
*r
)
1687 struct samr_QueryDisplayInfo q
;
1689 q
.in
.domain_handle
= r
->in
.domain_handle
;
1690 q
.in
.level
= r
->in
.level
;
1691 q
.in
.start_idx
= r
->in
.start_idx
;
1692 q
.in
.max_entries
= r
->in
.max_entries
;
1693 q
.in
.buf_size
= r
->in
.buf_size
;
1695 q
.out
.total_size
= r
->out
.total_size
;
1696 q
.out
.returned_size
= r
->out
.returned_size
;
1697 q
.out
.info
= r
->out
.info
;
1699 return _samr_QueryDisplayInfo(p
, &q
);
1702 /*******************************************************************
1703 _samr_QueryAliasInfo
1704 ********************************************************************/
1706 NTSTATUS
_samr_QueryAliasInfo(pipes_struct
*p
,
1707 struct samr_QueryAliasInfo
*r
)
1710 struct acct_info info
;
1713 union samr_AliasInfo
*alias_info
= NULL
;
1714 const char *alias_name
= NULL
;
1715 const char *alias_description
= NULL
;
1717 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1719 alias_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_AliasInfo
);
1721 return NT_STATUS_NO_MEMORY
;
1724 /* find the policy handle. open a policy on it. */
1725 if (!get_lsa_policy_samr_sid(p
, r
->in
.alias_handle
, &sid
, &acc_granted
, NULL
))
1726 return NT_STATUS_INVALID_HANDLE
;
1728 status
= access_check_samr_function(acc_granted
,
1729 SAMR_ALIAS_ACCESS_LOOKUP_INFO
,
1730 "_samr_QueryAliasInfo");
1731 if (!NT_STATUS_IS_OK(status
)) {
1736 status
= pdb_get_aliasinfo(&sid
, &info
);
1739 if ( !NT_STATUS_IS_OK(status
))
1742 /* FIXME: info contains fstrings */
1743 alias_name
= talloc_strdup(r
, info
.acct_name
);
1744 alias_description
= talloc_strdup(r
, info
.acct_desc
);
1746 switch (r
->in
.level
) {
1748 alias_info
->all
.name
.string
= alias_name
;
1749 alias_info
->all
.num_members
= 1; /* ??? */
1750 alias_info
->all
.description
.string
= alias_description
;
1752 case ALIASINFODESCRIPTION
:
1753 alias_info
->description
.string
= alias_description
;
1756 return NT_STATUS_INVALID_INFO_CLASS
;
1759 *r
->out
.info
= alias_info
;
1761 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1763 return NT_STATUS_OK
;
1766 /*******************************************************************
1768 ********************************************************************/
1770 NTSTATUS
_samr_LookupNames(pipes_struct
*p
,
1771 struct samr_LookupNames
*r
)
1775 enum lsa_SidType
*type
;
1777 int num_rids
= r
->in
.num_names
;
1780 struct samr_Ids rids
, types
;
1781 uint32_t num_mapped
= 0;
1783 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1785 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &pol_sid
, &acc_granted
, NULL
)) {
1786 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
1789 status
= access_check_samr_function(acc_granted
,
1790 0, /* Don't know the acc_bits yet */
1791 "_samr_LookupNames");
1792 if (!NT_STATUS_IS_OK(status
)) {
1796 if (num_rids
> MAX_SAM_ENTRIES
) {
1797 num_rids
= MAX_SAM_ENTRIES
;
1798 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids
));
1801 rid
= talloc_array(p
->mem_ctx
, uint32
, num_rids
);
1802 NT_STATUS_HAVE_NO_MEMORY(rid
);
1804 type
= talloc_array(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
1805 NT_STATUS_HAVE_NO_MEMORY(type
);
1807 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1808 sid_string_dbg(&pol_sid
)));
1810 for (i
= 0; i
< num_rids
; i
++) {
1812 status
= NT_STATUS_NONE_MAPPED
;
1813 type
[i
] = SID_NAME_UNKNOWN
;
1815 rid
[i
] = 0xffffffff;
1817 if (sid_check_is_builtin(&pol_sid
)) {
1818 if (lookup_builtin_name(r
->in
.names
[i
].string
,
1821 type
[i
] = SID_NAME_ALIAS
;
1824 lookup_global_sam_name(r
->in
.names
[i
].string
, 0,
1828 if (type
[i
] != SID_NAME_UNKNOWN
) {
1833 if (num_mapped
== num_rids
) {
1834 status
= NT_STATUS_OK
;
1835 } else if (num_mapped
== 0) {
1836 status
= NT_STATUS_NONE_MAPPED
;
1838 status
= STATUS_SOME_UNMAPPED
;
1841 rids
.count
= num_rids
;
1844 types
.count
= num_rids
;
1847 *r
->out
.rids
= rids
;
1848 *r
->out
.types
= types
;
1850 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1855 /*******************************************************************
1856 _samr_ChangePasswordUser2
1857 ********************************************************************/
1859 NTSTATUS
_samr_ChangePasswordUser2(pipes_struct
*p
,
1860 struct samr_ChangePasswordUser2
*r
)
1866 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1868 fstrcpy(user_name
, r
->in
.account
->string
);
1869 fstrcpy(wks
, r
->in
.server
->string
);
1871 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1874 * Pass the user through the NT -> unix user mapping
1878 (void)map_username(user_name
);
1881 * UNIX username case mangling not required, pass_oem_change
1882 * is case insensitive.
1885 status
= pass_oem_change(user_name
,
1886 r
->in
.lm_password
->data
,
1887 r
->in
.lm_verifier
->hash
,
1888 r
->in
.nt_password
->data
,
1889 r
->in
.nt_verifier
->hash
,
1892 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1897 /*******************************************************************
1898 _samr_ChangePasswordUser3
1899 ********************************************************************/
1901 NTSTATUS
_samr_ChangePasswordUser3(pipes_struct
*p
,
1902 struct samr_ChangePasswordUser3
*r
)
1906 const char *wks
= NULL
;
1907 uint32 reject_reason
;
1908 struct samr_DomInfo1
*dominfo
= NULL
;
1909 struct samr_ChangeReject
*reject
= NULL
;
1912 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
1914 fstrcpy(user_name
, r
->in
.account
->string
);
1915 if (r
->in
.server
&& r
->in
.server
->string
) {
1916 wks
= r
->in
.server
->string
;
1919 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name
, wks
));
1922 * Pass the user through the NT -> unix user mapping
1926 (void)map_username(user_name
);
1929 * UNIX username case mangling not required, pass_oem_change
1930 * is case insensitive.
1933 status
= pass_oem_change(user_name
,
1934 r
->in
.lm_password
->data
,
1935 r
->in
.lm_verifier
->hash
,
1936 r
->in
.nt_password
->data
,
1937 r
->in
.nt_verifier
->hash
,
1940 if (NT_STATUS_EQUAL(status
, NT_STATUS_PASSWORD_RESTRICTION
) ||
1941 NT_STATUS_EQUAL(status
, NT_STATUS_ACCOUNT_RESTRICTION
)) {
1943 time_t u_expire
, u_min_age
;
1944 uint32 account_policy_temp
;
1946 dominfo
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_DomInfo1
);
1948 return NT_STATUS_NO_MEMORY
;
1951 reject
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_ChangeReject
);
1953 return NT_STATUS_NO_MEMORY
;
1960 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
, &tmp
);
1961 dominfo
->min_password_length
= tmp
;
1963 pdb_get_account_policy(AP_PASSWORD_HISTORY
, &tmp
);
1964 dominfo
->password_history_length
= tmp
;
1966 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
1967 &dominfo
->password_properties
);
1969 pdb_get_account_policy(AP_MAX_PASSWORD_AGE
, &account_policy_temp
);
1970 u_expire
= account_policy_temp
;
1972 pdb_get_account_policy(AP_MIN_PASSWORD_AGE
, &account_policy_temp
);
1973 u_min_age
= account_policy_temp
;
1979 unix_to_nt_time_abs((NTTIME
*)&dominfo
->max_password_age
, u_expire
);
1980 unix_to_nt_time_abs((NTTIME
*)&dominfo
->min_password_age
, u_min_age
);
1982 if (lp_check_password_script() && *lp_check_password_script()) {
1983 dominfo
->password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
1986 reject
->reason
= reject_reason
;
1988 *r
->out
.dominfo
= dominfo
;
1989 *r
->out
.reject
= reject
;
1992 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
1997 /*******************************************************************
1998 makes a SAMR_R_LOOKUP_RIDS structure.
1999 ********************************************************************/
2001 static bool make_samr_lookup_rids(TALLOC_CTX
*ctx
, uint32 num_names
,
2003 struct lsa_String
**lsa_name_array_p
)
2005 struct lsa_String
*lsa_name_array
= NULL
;
2008 *lsa_name_array_p
= NULL
;
2010 if (num_names
!= 0) {
2011 lsa_name_array
= TALLOC_ZERO_ARRAY(ctx
, struct lsa_String
, num_names
);
2012 if (!lsa_name_array
) {
2017 for (i
= 0; i
< num_names
; i
++) {
2018 DEBUG(10, ("names[%d]:%s\n", i
, names
[i
] && *names
[i
] ? names
[i
] : ""));
2019 init_lsa_String(&lsa_name_array
[i
], names
[i
]);
2022 *lsa_name_array_p
= lsa_name_array
;
2027 /*******************************************************************
2029 ********************************************************************/
2031 NTSTATUS
_samr_LookupRids(pipes_struct
*p
,
2032 struct samr_LookupRids
*r
)
2036 enum lsa_SidType
*attrs
= NULL
;
2037 uint32
*wire_attrs
= NULL
;
2039 int num_rids
= (int)r
->in
.num_rids
;
2042 struct lsa_Strings names_array
;
2043 struct samr_Ids types_array
;
2044 struct lsa_String
*lsa_names
= NULL
;
2046 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2048 /* find the policy handle. open a policy on it. */
2049 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &pol_sid
, &acc_granted
, NULL
))
2050 return NT_STATUS_INVALID_HANDLE
;
2052 status
= access_check_samr_function(acc_granted
,
2053 0, /* Don't know the acc_bits yet */
2054 "_samr_LookupRids");
2055 if (!NT_STATUS_IS_OK(status
)) {
2059 if (num_rids
> 1000) {
2060 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2061 "to samba4 idl this is not possible\n", num_rids
));
2062 return NT_STATUS_UNSUCCESSFUL
;
2066 names
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, const char *, num_rids
);
2067 attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
2068 wire_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, uint32
, num_rids
);
2070 if ((names
== NULL
) || (attrs
== NULL
) || (wire_attrs
==NULL
))
2071 return NT_STATUS_NO_MEMORY
;
2078 become_root(); /* lookup_sid can require root privs */
2079 status
= pdb_lookup_rids(&pol_sid
, num_rids
, r
->in
.rids
,
2083 if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
) && (num_rids
== 0)) {
2084 status
= NT_STATUS_OK
;
2087 if (!make_samr_lookup_rids(p
->mem_ctx
, num_rids
, names
,
2089 return NT_STATUS_NO_MEMORY
;
2092 /* Convert from enum lsa_SidType to uint32 for wire format. */
2093 for (i
= 0; i
< num_rids
; i
++) {
2094 wire_attrs
[i
] = (uint32
)attrs
[i
];
2097 names_array
.count
= num_rids
;
2098 names_array
.names
= lsa_names
;
2100 types_array
.count
= num_rids
;
2101 types_array
.ids
= wire_attrs
;
2103 *r
->out
.names
= names_array
;
2104 *r
->out
.types
= types_array
;
2106 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2111 /*******************************************************************
2113 ********************************************************************/
2115 NTSTATUS
_samr_OpenUser(pipes_struct
*p
,
2116 struct samr_OpenUser
*r
)
2118 struct samu
*sampass
=NULL
;
2120 struct samr_info
*info
= NULL
;
2121 SEC_DESC
*psd
= NULL
;
2123 uint32 des_access
= r
->in
.access_mask
;
2129 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2131 if ( !get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &sid
, &acc_granted
, NULL
) )
2132 return NT_STATUS_INVALID_HANDLE
;
2134 nt_status
= access_check_samr_function(acc_granted
,
2135 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
2138 if ( !NT_STATUS_IS_OK(nt_status
) )
2141 if ( !(sampass
= samu_new( p
->mem_ctx
)) ) {
2142 return NT_STATUS_NO_MEMORY
;
2145 /* append the user's RID to it */
2147 if (!sid_append_rid(&sid
, r
->in
.rid
))
2148 return NT_STATUS_NO_SUCH_USER
;
2150 /* check if access can be granted as requested by client. */
2152 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
2154 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
, &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
2155 se_map_generic(&des_access
, &usr_generic_mapping
);
2157 se_priv_copy( &se_rights
, &se_machine_account
);
2158 se_priv_add( &se_rights
, &se_add_users
);
2160 nt_status
= access_check_samr_object(psd
, p
->server_info
->ptok
,
2161 &se_rights
, GENERIC_RIGHTS_USER_WRITE
, des_access
,
2162 &acc_granted
, "_samr_OpenUser");
2164 if ( !NT_STATUS_IS_OK(nt_status
) )
2168 ret
=pdb_getsampwsid(sampass
, &sid
);
2171 /* check that the SID exists in our domain. */
2173 return NT_STATUS_NO_SUCH_USER
;
2176 TALLOC_FREE(sampass
);
2178 /* associate the user's SID and access bits with the new handle. */
2179 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, &sid
)) == NULL
)
2180 return NT_STATUS_NO_MEMORY
;
2181 info
->acc_granted
= acc_granted
;
2183 /* get a (unique) handle. open a policy on it. */
2184 if (!create_policy_hnd(p
, r
->out
.user_handle
, info
))
2185 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2187 return NT_STATUS_OK
;
2190 /*************************************************************************
2191 *************************************************************************/
2193 static NTSTATUS
init_samr_parameters_string(TALLOC_CTX
*mem_ctx
,
2195 struct lsa_BinaryString
**_r
)
2197 struct lsa_BinaryString
*r
;
2200 return NT_STATUS_INVALID_PARAMETER
;
2203 r
= TALLOC_ZERO_P(mem_ctx
, struct lsa_BinaryString
);
2205 return NT_STATUS_NO_MEMORY
;
2208 r
->array
= TALLOC_ZERO_ARRAY(mem_ctx
, uint16_t, blob
->length
/2);
2210 return NT_STATUS_NO_MEMORY
;
2212 memcpy(r
->array
, blob
->data
, blob
->length
);
2213 r
->size
= blob
->length
;
2214 r
->length
= blob
->length
;
2217 return NT_STATUS_NO_MEMORY
;
2222 return NT_STATUS_OK
;
2225 static NTSTATUS
get_user_info_5(TALLOC_CTX
*mem_ctx
,
2226 struct samr_UserInfo5
*r
,
2228 DOM_SID
*domain_sid
)
2230 const DOM_SID
*sid_user
, *sid_group
;
2231 uint32_t rid
, primary_gid
;
2233 sid_user
= pdb_get_user_sid(pw
);
2235 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2236 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2237 "the domain sid %s. Failing operation.\n",
2238 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2239 sid_string_dbg(domain_sid
)));
2240 return NT_STATUS_UNSUCCESSFUL
;
2244 sid_group
= pdb_get_group_sid(pw
);
2247 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2248 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2249 "which conflicts with the domain sid %s. Failing operation.\n",
2250 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2251 sid_string_dbg(domain_sid
)));
2252 return NT_STATUS_UNSUCCESSFUL
;
2255 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2256 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2257 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2258 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2260 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2261 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2262 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2263 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2264 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2265 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2266 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2267 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2269 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2271 r
->primary_gid
= primary_gid
;
2272 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2273 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2274 r
->logon_count
= pdb_get_logon_count(pw
);
2276 return NT_STATUS_OK
;
2279 /*************************************************************************
2280 get_user_info_7. Safe. Only gives out account_name.
2281 *************************************************************************/
2283 static NTSTATUS
get_user_info_7(TALLOC_CTX
*mem_ctx
,
2284 struct samr_UserInfo7
*r
,
2285 struct samu
*smbpass
)
2287 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(smbpass
));
2288 if (!r
->account_name
.string
) {
2289 return NT_STATUS_NO_MEMORY
;
2292 return NT_STATUS_OK
;
2295 /*************************************************************************
2296 get_user_info_9. Only gives out primary group SID.
2297 *************************************************************************/
2299 static NTSTATUS
get_user_info_9(TALLOC_CTX
*mem_ctx
,
2300 struct samr_UserInfo9
*r
,
2301 struct samu
*smbpass
)
2303 r
->primary_gid
= pdb_get_group_rid(smbpass
);
2305 return NT_STATUS_OK
;
2308 /*************************************************************************
2309 get_user_info_16. Safe. Only gives out acb bits.
2310 *************************************************************************/
2312 static NTSTATUS
get_user_info_16(TALLOC_CTX
*mem_ctx
,
2313 struct samr_UserInfo16
*r
,
2314 struct samu
*smbpass
)
2316 r
->acct_flags
= pdb_get_acct_ctrl(smbpass
);
2318 return NT_STATUS_OK
;
2321 /*************************************************************************
2322 get_user_info_18. OK - this is the killer as it gives out password info.
2323 Ensure that this is only allowed on an encrypted connection with a root
2325 *************************************************************************/
2327 static NTSTATUS
get_user_info_18(pipes_struct
*p
,
2328 TALLOC_CTX
*mem_ctx
,
2329 struct samr_UserInfo18
*r
,
2332 struct samu
*smbpass
=NULL
;
2337 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_NTLMSSP
|| p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
) {
2338 return NT_STATUS_ACCESS_DENIED
;
2341 if (p
->auth
.auth_level
!= PIPE_AUTH_LEVEL_PRIVACY
) {
2342 return NT_STATUS_ACCESS_DENIED
;
2346 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2349 if ( !(smbpass
= samu_new( mem_ctx
)) ) {
2350 return NT_STATUS_NO_MEMORY
;
2353 ret
= pdb_getsampwsid(smbpass
, user_sid
);
2356 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid
)));
2357 TALLOC_FREE(smbpass
);
2358 return (geteuid() == (uid_t
)0) ? NT_STATUS_NO_SUCH_USER
: NT_STATUS_ACCESS_DENIED
;
2361 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass
), pdb_get_acct_ctrl(smbpass
) ));
2363 if ( pdb_get_acct_ctrl(smbpass
) & ACB_DISABLED
) {
2364 TALLOC_FREE(smbpass
);
2365 return NT_STATUS_ACCOUNT_DISABLED
;
2368 r
->lm_pwd_active
= true;
2369 r
->nt_pwd_active
= true;
2370 memcpy(r
->lm_pwd
.hash
, pdb_get_lanman_passwd(smbpass
), 16);
2371 memcpy(r
->nt_pwd
.hash
, pdb_get_nt_passwd(smbpass
), 16);
2372 r
->password_expired
= 0; /* FIXME */
2374 TALLOC_FREE(smbpass
);
2376 return NT_STATUS_OK
;
2379 /*************************************************************************
2381 *************************************************************************/
2383 static NTSTATUS
get_user_info_20(TALLOC_CTX
*mem_ctx
,
2384 struct samr_UserInfo20
*r
,
2385 struct samu
*sampass
)
2387 const char *munged_dial
= NULL
;
2390 struct lsa_BinaryString
*parameters
= NULL
;
2394 munged_dial
= pdb_get_munged_dial(sampass
);
2396 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass
),
2397 munged_dial
, (int)strlen(munged_dial
)));
2400 blob
= base64_decode_data_blob(munged_dial
);
2402 blob
= data_blob_string_const_null("");
2405 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2406 data_blob_free(&blob
);
2407 if (!NT_STATUS_IS_OK(status
)) {
2411 r
->parameters
= *parameters
;
2413 return NT_STATUS_OK
;
2417 /*************************************************************************
2419 *************************************************************************/
2421 static NTSTATUS
get_user_info_21(TALLOC_CTX
*mem_ctx
,
2422 struct samr_UserInfo21
*r
,
2424 DOM_SID
*domain_sid
)
2427 const DOM_SID
*sid_user
, *sid_group
;
2428 uint32_t rid
, primary_gid
;
2429 NTTIME force_password_change
;
2430 time_t must_change_time
;
2431 struct lsa_BinaryString
*parameters
= NULL
;
2432 const char *munged_dial
= NULL
;
2437 sid_user
= pdb_get_user_sid(pw
);
2439 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2440 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2441 "the domain sid %s. Failing operation.\n",
2442 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2443 sid_string_dbg(domain_sid
)));
2444 return NT_STATUS_UNSUCCESSFUL
;
2448 sid_group
= pdb_get_group_sid(pw
);
2451 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2452 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2453 "which conflicts with the domain sid %s. Failing operation.\n",
2454 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2455 sid_string_dbg(domain_sid
)));
2456 return NT_STATUS_UNSUCCESSFUL
;
2459 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2460 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2461 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2462 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2463 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2465 must_change_time
= pdb_get_pass_must_change_time(pw
);
2466 if (must_change_time
== get_time_t_max()) {
2467 unix_to_nt_time_abs(&force_password_change
, must_change_time
);
2469 unix_to_nt_time(&force_password_change
, must_change_time
);
2472 munged_dial
= pdb_get_munged_dial(pw
);
2474 blob
= base64_decode_data_blob(munged_dial
);
2476 blob
= data_blob_string_const_null("");
2479 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2480 data_blob_free(&blob
);
2481 if (!NT_STATUS_IS_OK(status
)) {
2485 r
->force_password_change
= force_password_change
;
2487 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2488 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2489 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2490 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2491 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2492 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2493 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2494 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2495 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2497 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2498 r
->parameters
= *parameters
;
2500 r
->primary_gid
= primary_gid
;
2501 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2502 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2503 r
->logon_count
= pdb_get_logon_count(pw
);
2504 r
->fields_present
= pdb_build_fields_present(pw
);
2505 r
->password_expired
= (pdb_get_pass_must_change_time(pw
) == 0) ?
2506 PASS_MUST_CHANGE_AT_NEXT_LOGON
: 0;
2507 r
->country_code
= 0;
2509 r
->lm_password_set
= 0;
2510 r
->nt_password_set
= 0;
2515 Look at a user on a real NT4 PDC with usrmgr, press
2516 'ok'. Then you will see that fields_present is set to
2517 0x08f827fa. Look at the user immediately after that again,
2518 and you will see that 0x00fffff is returned. This solves
2519 the problem that you get access denied after having looked
2527 return NT_STATUS_OK
;
2530 /*******************************************************************
2532 ********************************************************************/
2534 NTSTATUS
_samr_QueryUserInfo(pipes_struct
*p
,
2535 struct samr_QueryUserInfo
*r
)
2538 union samr_UserInfo
*user_info
= NULL
;
2539 struct samr_info
*info
= NULL
;
2543 struct samu
*pwd
= NULL
;
2545 /* search for the handle */
2546 if (!find_policy_by_hnd(p
, r
->in
.user_handle
, (void **)(void *)&info
))
2547 return NT_STATUS_INVALID_HANDLE
;
2549 status
= access_check_samr_function(info
->acc_granted
,
2550 SAMR_USER_ACCESS_GET_ATTRIBUTES
,
2551 "_samr_QueryUserInfo");
2552 if (!NT_STATUS_IS_OK(status
)) {
2556 domain_sid
= info
->sid
;
2558 sid_split_rid(&domain_sid
, &rid
);
2560 if (!sid_check_is_in_our_domain(&info
->sid
))
2561 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
2563 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2564 sid_string_dbg(&info
->sid
)));
2566 user_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_UserInfo
);
2568 return NT_STATUS_NO_MEMORY
;
2571 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r
->in
.level
));
2573 if (!(pwd
= samu_new(p
->mem_ctx
))) {
2574 return NT_STATUS_NO_MEMORY
;
2578 ret
= pdb_getsampwsid(pwd
, &info
->sid
);
2582 DEBUG(4,("User %s not found\n", sid_string_dbg(&info
->sid
)));
2584 return NT_STATUS_NO_SUCH_USER
;
2587 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd
)));
2589 samr_clear_sam_passwd(pwd
);
2591 switch (r
->in
.level
) {
2593 status
= get_user_info_5(p
->mem_ctx
, &user_info
->info5
, pwd
, &domain_sid
);
2596 status
= get_user_info_7(p
->mem_ctx
, &user_info
->info7
, pwd
);
2599 status
= get_user_info_9(p
->mem_ctx
, &user_info
->info9
, pwd
);
2602 status
= get_user_info_16(p
->mem_ctx
, &user_info
->info16
, pwd
);
2605 /* level 18 is special */
2606 status
= get_user_info_18(p
, p
->mem_ctx
, &user_info
->info18
, &info
->sid
);
2609 status
= get_user_info_20(p
->mem_ctx
, &user_info
->info20
, pwd
);
2612 status
= get_user_info_21(p
->mem_ctx
, &user_info
->info21
, pwd
, &domain_sid
);
2615 status
= NT_STATUS_INVALID_INFO_CLASS
;
2621 *r
->out
.info
= user_info
;
2623 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__
));
2628 /****************************************************************
2629 ****************************************************************/
2631 NTSTATUS
_samr_QueryUserInfo2(pipes_struct
*p
,
2632 struct samr_QueryUserInfo2
*r
)
2634 struct samr_QueryUserInfo u
;
2636 u
.in
.user_handle
= r
->in
.user_handle
;
2637 u
.in
.level
= r
->in
.level
;
2638 u
.out
.info
= r
->out
.info
;
2640 return _samr_QueryUserInfo(p
, &u
);
2643 /*******************************************************************
2644 _samr_GetGroupsForUser
2645 ********************************************************************/
2647 NTSTATUS
_samr_GetGroupsForUser(pipes_struct
*p
,
2648 struct samr_GetGroupsForUser
*r
)
2650 struct samu
*sam_pass
=NULL
;
2653 struct samr_RidWithAttribute dom_gid
;
2654 struct samr_RidWithAttribute
*gids
= NULL
;
2655 uint32 primary_group_rid
;
2656 size_t num_groups
= 0;
2662 bool success
= False
;
2664 struct samr_RidWithAttributeArray
*rids
= NULL
;
2667 * from the SID in the request:
2668 * we should send back the list of DOMAIN GROUPS
2669 * the user is a member of
2671 * and only the DOMAIN GROUPS
2672 * no ALIASES !!! neither aliases of the domain
2673 * nor aliases of the builtin SID
2678 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
2680 rids
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_RidWithAttributeArray
);
2682 return NT_STATUS_NO_MEMORY
;
2685 /* find the policy handle. open a policy on it. */
2686 if (!get_lsa_policy_samr_sid(p
, r
->in
.user_handle
, &sid
, &acc_granted
, NULL
))
2687 return NT_STATUS_INVALID_HANDLE
;
2689 result
= access_check_samr_function(acc_granted
,
2690 SAMR_USER_ACCESS_GET_GROUPS
,
2691 "_samr_GetGroupsForUser");
2692 if (!NT_STATUS_IS_OK(result
)) {
2696 if (!sid_check_is_in_our_domain(&sid
))
2697 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
2699 if ( !(sam_pass
= samu_new( p
->mem_ctx
)) ) {
2700 return NT_STATUS_NO_MEMORY
;
2704 ret
= pdb_getsampwsid(sam_pass
, &sid
);
2708 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2709 sid_string_dbg(&sid
)));
2710 return NT_STATUS_NO_SUCH_USER
;
2715 /* make both calls inside the root block */
2717 result
= pdb_enum_group_memberships(p
->mem_ctx
, sam_pass
,
2718 &sids
, &unix_gids
, &num_groups
);
2719 if ( NT_STATUS_IS_OK(result
) ) {
2720 success
= sid_peek_check_rid(get_global_sam_sid(),
2721 pdb_get_group_sid(sam_pass
),
2722 &primary_group_rid
);
2726 if (!NT_STATUS_IS_OK(result
)) {
2727 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2728 sid_string_dbg(&sid
)));
2733 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2734 sid_string_dbg(pdb_get_group_sid(sam_pass
)),
2735 pdb_get_username(sam_pass
)));
2736 TALLOC_FREE(sam_pass
);
2737 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
2743 dom_gid
.attributes
= (SE_GROUP_MANDATORY
|SE_GROUP_ENABLED_BY_DEFAULT
|
2745 dom_gid
.rid
= primary_group_rid
;
2746 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
2748 for (i
=0; i
<num_groups
; i
++) {
2750 if (!sid_peek_check_rid(get_global_sam_sid(),
2751 &(sids
[i
]), &dom_gid
.rid
)) {
2752 DEBUG(10, ("Found sid %s not in our domain\n",
2753 sid_string_dbg(&sids
[i
])));
2757 if (dom_gid
.rid
== primary_group_rid
) {
2758 /* We added the primary group directly from the
2759 * sam_account. The other SIDs are unique from
2760 * enum_group_memberships */
2764 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
2767 rids
->count
= num_gids
;
2770 *r
->out
.rids
= rids
;
2772 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
2777 /*******************************************************************
2778 _samr_QueryDomainInfo
2779 ********************************************************************/
2781 NTSTATUS
_samr_QueryDomainInfo(pipes_struct
*p
,
2782 struct samr_QueryDomainInfo
*r
)
2784 NTSTATUS status
= NT_STATUS_OK
;
2785 struct samr_info
*info
= NULL
;
2786 union samr_DomainInfo
*dom_info
;
2787 time_t u_expire
, u_min_age
;
2789 time_t u_lock_duration
, u_reset_time
;
2792 uint32 account_policy_temp
;
2797 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
2799 dom_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_DomainInfo
);
2801 return NT_STATUS_NO_MEMORY
;
2804 /* find the policy handle. open a policy on it. */
2805 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
)) {
2806 return NT_STATUS_INVALID_HANDLE
;
2809 status
= access_check_samr_function(info
->acc_granted
,
2810 SAMR_ACCESS_LOOKUP_DOMAIN
,
2811 "_samr_QueryDomainInfo" );
2813 if ( !NT_STATUS_IS_OK(status
) )
2816 switch (r
->in
.level
) {
2823 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
,
2824 &account_policy_temp
);
2825 dom_info
->info1
.min_password_length
= account_policy_temp
;
2827 pdb_get_account_policy(AP_PASSWORD_HISTORY
, &account_policy_temp
);
2828 dom_info
->info1
.password_history_length
= account_policy_temp
;
2830 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
2831 &dom_info
->info1
.password_properties
);
2833 pdb_get_account_policy(AP_MAX_PASSWORD_AGE
, &account_policy_temp
);
2834 u_expire
= account_policy_temp
;
2836 pdb_get_account_policy(AP_MIN_PASSWORD_AGE
, &account_policy_temp
);
2837 u_min_age
= account_policy_temp
;
2843 unix_to_nt_time_abs((NTTIME
*)&dom_info
->info1
.max_password_age
, u_expire
);
2844 unix_to_nt_time_abs((NTTIME
*)&dom_info
->info1
.min_password_age
, u_min_age
);
2846 if (lp_check_password_script() && *lp_check_password_script()) {
2847 dom_info
->info1
.password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
2857 dom_info
->general
.num_users
= count_sam_users(info
->disp_info
, ACB_NORMAL
);
2858 dom_info
->general
.num_groups
= count_sam_groups(info
->disp_info
);
2859 dom_info
->general
.num_aliases
= count_sam_aliases(info
->disp_info
);
2861 pdb_get_account_policy(AP_TIME_TO_LOGOUT
, &u_logout
);
2863 unix_to_nt_time_abs(&dom_info
->general
.force_logoff_time
, u_logout
);
2865 if (!pdb_get_seq_num(&seq_num
))
2866 seq_num
= time(NULL
);
2872 server_role
= ROLE_DOMAIN_PDC
;
2873 if (lp_server_role() == ROLE_DOMAIN_BDC
)
2874 server_role
= ROLE_DOMAIN_BDC
;
2876 dom_info
->general
.oem_information
.string
= lp_serverstring();
2877 dom_info
->general
.domain_name
.string
= lp_workgroup();
2878 dom_info
->general
.primary
.string
= global_myname();
2879 dom_info
->general
.sequence_num
= seq_num
;
2880 dom_info
->general
.domain_server_state
= DOMAIN_SERVER_ENABLED
;
2881 dom_info
->general
.role
= server_role
;
2882 dom_info
->general
.unknown3
= 1;
2893 pdb_get_account_policy(AP_TIME_TO_LOGOUT
, &ul
);
2894 u_logout
= (time_t)ul
;
2901 unix_to_nt_time_abs(&dom_info
->info3
.force_logoff_time
, u_logout
);
2905 dom_info
->oem
.oem_information
.string
= lp_serverstring();
2908 dom_info
->info5
.domain_name
.string
= get_global_sam_name();
2911 /* NT returns its own name when a PDC. win2k and later
2912 * only the name of the PDC if itself is a BDC (samba4
2914 dom_info
->info6
.primary
.string
= global_myname();
2917 server_role
= ROLE_DOMAIN_PDC
;
2918 if (lp_server_role() == ROLE_DOMAIN_BDC
)
2919 server_role
= ROLE_DOMAIN_BDC
;
2921 dom_info
->info7
.role
= server_role
;
2929 if (!pdb_get_seq_num(&seq_num
)) {
2930 seq_num
= time(NULL
);
2937 dom_info
->info8
.sequence_num
= seq_num
;
2938 dom_info
->info8
.domain_create_time
= 0;
2947 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
2948 u_lock_duration
= account_policy_temp
;
2949 if (u_lock_duration
!= -1) {
2950 u_lock_duration
*= 60;
2953 pdb_get_account_policy(AP_RESET_COUNT_TIME
, &account_policy_temp
);
2954 u_reset_time
= account_policy_temp
* 60;
2956 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT
,
2957 &account_policy_temp
);
2958 dom_info
->info12
.lockout_threshold
= account_policy_temp
;
2964 unix_to_nt_time_abs(&dom_info
->info12
.lockout_duration
,
2966 unix_to_nt_time_abs(&dom_info
->info12
.lockout_window
,
2971 return NT_STATUS_INVALID_INFO_CLASS
;
2974 *r
->out
.info
= dom_info
;
2976 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
2981 /* W2k3 seems to use the same check for all 3 objects that can be created via
2982 * SAMR, if you try to create for example "Dialup" as an alias it says
2983 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
2986 static NTSTATUS
can_create(TALLOC_CTX
*mem_ctx
, const char *new_name
)
2988 enum lsa_SidType type
;
2991 DEBUG(10, ("Checking whether [%s] can be created\n", new_name
));
2994 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
2995 * whether the name already exists */
2996 result
= lookup_name(mem_ctx
, new_name
, LOOKUP_NAME_LOCAL
,
2997 NULL
, NULL
, NULL
, &type
);
3001 DEBUG(10, ("%s does not exist, can create it\n", new_name
));
3002 return NT_STATUS_OK
;
3005 DEBUG(5, ("trying to create %s, exists as %s\n",
3006 new_name
, sid_type_lookup(type
)));
3008 if (type
== SID_NAME_DOM_GRP
) {
3009 return NT_STATUS_GROUP_EXISTS
;
3011 if (type
== SID_NAME_ALIAS
) {
3012 return NT_STATUS_ALIAS_EXISTS
;
3015 /* Yes, the default is NT_STATUS_USER_EXISTS */
3016 return NT_STATUS_USER_EXISTS
;
3019 /*******************************************************************
3021 ********************************************************************/
3023 NTSTATUS
_samr_CreateUser2(pipes_struct
*p
,
3024 struct samr_CreateUser2
*r
)
3026 const char *account
= NULL
;
3028 uint32_t acb_info
= r
->in
.acct_flags
;
3029 struct samr_info
*info
= NULL
;
3034 /* check this, when giving away 'add computer to domain' privs */
3035 uint32 des_access
= GENERIC_RIGHTS_USER_ALL_ACCESS
;
3036 bool can_add_account
= False
;
3038 DISP_INFO
*disp_info
= NULL
;
3040 /* Get the domain SID stored in the domain policy */
3041 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &sid
, &acc_granted
,
3043 return NT_STATUS_INVALID_HANDLE
;
3045 if (disp_info
->builtin_domain
) {
3046 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3047 return NT_STATUS_ACCESS_DENIED
;
3050 nt_status
= access_check_samr_function(acc_granted
,
3051 SAMR_DOMAIN_ACCESS_CREATE_USER
,
3052 "_samr_CreateUser2");
3053 if (!NT_STATUS_IS_OK(nt_status
)) {
3057 if (!(acb_info
== ACB_NORMAL
|| acb_info
== ACB_DOMTRUST
||
3058 acb_info
== ACB_WSTRUST
|| acb_info
== ACB_SVRTRUST
)) {
3059 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3060 this parameter is not an account type */
3061 return NT_STATUS_INVALID_PARAMETER
;
3064 account
= r
->in
.account_name
->string
;
3065 if (account
== NULL
) {
3066 return NT_STATUS_NO_MEMORY
;
3069 nt_status
= can_create(p
->mem_ctx
, account
);
3070 if (!NT_STATUS_IS_OK(nt_status
)) {
3074 /* determine which user right we need to check based on the acb_info */
3076 if ( acb_info
& ACB_WSTRUST
)
3078 se_priv_copy( &se_rights
, &se_machine_account
);
3079 can_add_account
= user_has_privileges(
3080 p
->server_info
->ptok
, &se_rights
);
3082 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3083 account for domain trusts and changes the ACB flags later */
3084 else if ( acb_info
& ACB_NORMAL
&&
3085 (account
[strlen(account
)-1] != '$') )
3087 se_priv_copy( &se_rights
, &se_add_users
);
3088 can_add_account
= user_has_privileges(
3089 p
->server_info
->ptok
, &se_rights
);
3091 else /* implicit assumption of a BDC or domain trust account here
3092 * (we already check the flags earlier) */
3094 if ( lp_enable_privileges() ) {
3095 /* only Domain Admins can add a BDC or domain trust */
3096 se_priv_copy( &se_rights
, &se_priv_none
);
3097 can_add_account
= nt_token_check_domain_rid(
3098 p
->server_info
->ptok
,
3099 DOMAIN_GROUP_RID_ADMINS
);
3103 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3104 uidtoname(p
->server_info
->utok
.uid
),
3105 can_add_account
? "True":"False" ));
3107 /********** BEGIN Admin BLOCK **********/
3109 if ( can_add_account
)
3112 nt_status
= pdb_create_user(p
->mem_ctx
, account
, acb_info
,
3115 if ( can_add_account
)
3118 /********** END Admin BLOCK **********/
3120 /* now check for failure */
3122 if ( !NT_STATUS_IS_OK(nt_status
) )
3125 /* Get the user's SID */
3127 sid_compose(&sid
, get_global_sam_sid(), *r
->out
.rid
);
3129 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3131 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
,
3132 &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
3133 se_map_generic(&des_access
, &usr_generic_mapping
);
3135 nt_status
= access_check_samr_object(psd
, p
->server_info
->ptok
,
3136 &se_rights
, GENERIC_RIGHTS_USER_WRITE
, des_access
,
3137 &acc_granted
, "_samr_CreateUser2");
3139 if ( !NT_STATUS_IS_OK(nt_status
) ) {
3143 /* associate the user's SID with the new handle. */
3144 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, &sid
)) == NULL
) {
3145 return NT_STATUS_NO_MEMORY
;
3150 info
->acc_granted
= acc_granted
;
3152 /* get a (unique) handle. open a policy on it. */
3153 if (!create_policy_hnd(p
, r
->out
.user_handle
, info
)) {
3154 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3157 /* After a "set" ensure we have no cached display info. */
3158 force_flush_samr_cache(info
->disp_info
);
3160 *r
->out
.access_granted
= acc_granted
;
3162 return NT_STATUS_OK
;
3165 /****************************************************************
3166 ****************************************************************/
3168 NTSTATUS
_samr_CreateUser(pipes_struct
*p
,
3169 struct samr_CreateUser
*r
)
3171 struct samr_CreateUser2 c
;
3172 uint32_t access_granted
;
3174 c
.in
.domain_handle
= r
->in
.domain_handle
;
3175 c
.in
.account_name
= r
->in
.account_name
;
3176 c
.in
.acct_flags
= ACB_NORMAL
;
3177 c
.in
.access_mask
= r
->in
.access_mask
;
3178 c
.out
.user_handle
= r
->out
.user_handle
;
3179 c
.out
.access_granted
= &access_granted
;
3180 c
.out
.rid
= r
->out
.rid
;
3182 return _samr_CreateUser2(p
, &c
);
3185 /*******************************************************************
3187 ********************************************************************/
3189 NTSTATUS
_samr_Connect(pipes_struct
*p
,
3190 struct samr_Connect
*r
)
3192 struct samr_info
*info
= NULL
;
3193 uint32 des_access
= r
->in
.access_mask
;
3197 if (!pipe_access_check(p
)) {
3198 DEBUG(3, ("access denied to _samr_Connect\n"));
3199 return NT_STATUS_ACCESS_DENIED
;
3202 /* set up the SAMR connect_anon response */
3204 /* associate the user's SID with the new handle. */
3205 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, NULL
)) == NULL
)
3206 return NT_STATUS_NO_MEMORY
;
3208 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3209 was observed from a win98 client trying to enumerate users (when configured
3210 user level access control on shares) --jerry */
3212 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3214 se_map_generic( &des_access
, &sam_generic_mapping
);
3215 info
->acc_granted
= des_access
& (SAMR_ACCESS_ENUM_DOMAINS
|SAMR_ACCESS_LOOKUP_DOMAIN
);
3217 /* get a (unique) handle. open a policy on it. */
3218 if (!create_policy_hnd(p
, r
->out
.connect_handle
, info
))
3219 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3221 return NT_STATUS_OK
;
3224 /*******************************************************************
3226 ********************************************************************/
3228 NTSTATUS
_samr_Connect2(pipes_struct
*p
,
3229 struct samr_Connect2
*r
)
3231 struct samr_info
*info
= NULL
;
3232 SEC_DESC
*psd
= NULL
;
3234 uint32 des_access
= r
->in
.access_mask
;
3237 const char *fn
= "_samr_Connect2";
3239 switch (p
->hdr_req
.opnum
) {
3240 case NDR_SAMR_CONNECT2
:
3241 fn
= "_samr_Connect2";
3243 case NDR_SAMR_CONNECT3
:
3244 fn
= "_samr_Connect3";
3246 case NDR_SAMR_CONNECT4
:
3247 fn
= "_samr_Connect4";
3249 case NDR_SAMR_CONNECT5
:
3250 fn
= "_samr_Connect5";
3254 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
3258 if (!pipe_access_check(p
)) {
3259 DEBUG(3, ("access denied to %s\n", fn
));
3260 return NT_STATUS_ACCESS_DENIED
;
3263 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3265 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &sam_generic_mapping
, NULL
, 0);
3266 se_map_generic(&des_access
, &sam_generic_mapping
);
3268 nt_status
= access_check_samr_object(psd
, p
->server_info
->ptok
,
3269 NULL
, 0, des_access
, &acc_granted
, fn
);
3271 if ( !NT_STATUS_IS_OK(nt_status
) )
3274 /* associate the user's SID and access granted with the new handle. */
3275 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, NULL
)) == NULL
)
3276 return NT_STATUS_NO_MEMORY
;
3278 info
->acc_granted
= acc_granted
;
3279 info
->status
= r
->in
.access_mask
; /* this looks so wrong... - gd */
3281 /* get a (unique) handle. open a policy on it. */
3282 if (!create_policy_hnd(p
, r
->out
.connect_handle
, info
))
3283 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3285 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
3290 /****************************************************************
3292 ****************************************************************/
3294 NTSTATUS
_samr_Connect3(pipes_struct
*p
,
3295 struct samr_Connect3
*r
)
3297 struct samr_Connect2 c
;
3299 c
.in
.system_name
= r
->in
.system_name
;
3300 c
.in
.access_mask
= r
->in
.access_mask
;
3301 c
.out
.connect_handle
= r
->out
.connect_handle
;
3303 return _samr_Connect2(p
, &c
);
3306 /*******************************************************************
3308 ********************************************************************/
3310 NTSTATUS
_samr_Connect4(pipes_struct
*p
,
3311 struct samr_Connect4
*r
)
3313 struct samr_Connect2 c
;
3315 c
.in
.system_name
= r
->in
.system_name
;
3316 c
.in
.access_mask
= r
->in
.access_mask
;
3317 c
.out
.connect_handle
= r
->out
.connect_handle
;
3319 return _samr_Connect2(p
, &c
);
3322 /*******************************************************************
3324 ********************************************************************/
3326 NTSTATUS
_samr_Connect5(pipes_struct
*p
,
3327 struct samr_Connect5
*r
)
3330 struct samr_Connect2 c
;
3331 struct samr_ConnectInfo1 info1
;
3333 info1
.client_version
= SAMR_CONNECT_AFTER_W2K
;
3336 c
.in
.system_name
= r
->in
.system_name
;
3337 c
.in
.access_mask
= r
->in
.access_mask
;
3338 c
.out
.connect_handle
= r
->out
.connect_handle
;
3340 status
= _samr_Connect2(p
, &c
);
3341 if (!NT_STATUS_IS_OK(status
)) {
3345 *r
->out
.level_out
= 1;
3346 r
->out
.info_out
->info1
= info1
;
3348 return NT_STATUS_OK
;
3351 /**********************************************************************
3353 **********************************************************************/
3355 NTSTATUS
_samr_LookupDomain(pipes_struct
*p
,
3356 struct samr_LookupDomain
*r
)
3358 NTSTATUS status
= NT_STATUS_OK
;
3359 struct samr_info
*info
;
3360 const char *domain_name
;
3361 DOM_SID
*sid
= NULL
;
3363 if (!find_policy_by_hnd(p
, r
->in
.connect_handle
, (void**)(void *)&info
))
3364 return NT_STATUS_INVALID_HANDLE
;
3366 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3367 Reverted that change so we will work with RAS servers again */
3369 status
= access_check_samr_function(info
->acc_granted
,
3370 SAMR_ACCESS_LOOKUP_DOMAIN
,
3371 "_samr_LookupDomain");
3372 if (!NT_STATUS_IS_OK(status
)) {
3376 domain_name
= r
->in
.domain_name
->string
;
3378 return NT_STATUS_INVALID_PARAMETER
;
3381 sid
= TALLOC_ZERO_P(p
->mem_ctx
, struct dom_sid2
);
3383 return NT_STATUS_NO_MEMORY
;
3386 if (strequal(domain_name
, builtin_domain_name())) {
3387 sid_copy(sid
, &global_sid_Builtin
);
3389 if (!secrets_fetch_domain_sid(domain_name
, sid
)) {
3390 status
= NT_STATUS_NO_SUCH_DOMAIN
;
3394 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name
,
3395 sid_string_dbg(sid
)));
3402 /**********************************************************************
3404 **********************************************************************/
3406 NTSTATUS
_samr_EnumDomains(pipes_struct
*p
,
3407 struct samr_EnumDomains
*r
)
3410 struct samr_info
*info
;
3411 uint32_t num_entries
= 2;
3412 struct samr_SamEntry
*entry_array
= NULL
;
3413 struct samr_SamArray
*sam
;
3415 if (!find_policy_by_hnd(p
, r
->in
.connect_handle
, (void**)(void *)&info
))
3416 return NT_STATUS_INVALID_HANDLE
;
3418 status
= access_check_samr_function(info
->acc_granted
,
3419 SAMR_ACCESS_ENUM_DOMAINS
,
3420 "_samr_EnumDomains");
3421 if (!NT_STATUS_IS_OK(status
)) {
3425 sam
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
3427 return NT_STATUS_NO_MEMORY
;
3430 entry_array
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
3431 struct samr_SamEntry
,
3434 return NT_STATUS_NO_MEMORY
;
3437 entry_array
[0].idx
= 0;
3438 init_lsa_String(&entry_array
[0].name
, get_global_sam_name());
3440 entry_array
[1].idx
= 1;
3441 init_lsa_String(&entry_array
[1].name
, "Builtin");
3443 sam
->count
= num_entries
;
3444 sam
->entries
= entry_array
;
3447 *r
->out
.num_entries
= num_entries
;
3452 /*******************************************************************
3454 ********************************************************************/
3456 NTSTATUS
_samr_OpenAlias(pipes_struct
*p
,
3457 struct samr_OpenAlias
*r
)
3460 uint32 alias_rid
= r
->in
.rid
;
3461 struct samr_info
*info
= NULL
;
3462 SEC_DESC
*psd
= NULL
;
3464 uint32 des_access
= r
->in
.access_mask
;
3469 /* find the domain policy and get the SID / access bits stored in the domain policy */
3471 if ( !get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &sid
, &acc_granted
, NULL
) )
3472 return NT_STATUS_INVALID_HANDLE
;
3474 status
= access_check_samr_function(acc_granted
,
3475 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
3478 if ( !NT_STATUS_IS_OK(status
) )
3481 /* append the alias' RID to it */
3483 if (!sid_append_rid(&sid
, alias_rid
))
3484 return NT_STATUS_NO_SUCH_ALIAS
;
3486 /*check if access can be granted as requested by client. */
3488 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3490 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &ali_generic_mapping
, NULL
, 0);
3491 se_map_generic(&des_access
,&ali_generic_mapping
);
3493 se_priv_copy( &se_rights
, &se_add_users
);
3496 status
= access_check_samr_object(psd
, p
->server_info
->ptok
,
3497 &se_rights
, GENERIC_RIGHTS_ALIAS_WRITE
, des_access
,
3498 &acc_granted
, "_samr_OpenAlias");
3500 if ( !NT_STATUS_IS_OK(status
) )
3504 /* Check we actually have the requested alias */
3505 enum lsa_SidType type
;
3510 result
= lookup_sid(NULL
, &sid
, NULL
, NULL
, &type
);
3513 if (!result
|| (type
!= SID_NAME_ALIAS
)) {
3514 return NT_STATUS_NO_SUCH_ALIAS
;
3517 /* make sure there is a mapping */
3519 if ( !sid_to_gid( &sid
, &gid
) ) {
3520 return NT_STATUS_NO_SUCH_ALIAS
;
3525 /* associate the alias SID with the new handle. */
3526 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, &sid
)) == NULL
)
3527 return NT_STATUS_NO_MEMORY
;
3529 info
->acc_granted
= acc_granted
;
3531 /* get a (unique) handle. open a policy on it. */
3532 if (!create_policy_hnd(p
, r
->out
.alias_handle
, info
))
3533 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3535 return NT_STATUS_OK
;
3538 /*******************************************************************
3540 ********************************************************************/
3542 static NTSTATUS
set_user_info_7(TALLOC_CTX
*mem_ctx
,
3543 struct samr_UserInfo7
*id7
,
3549 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3550 return NT_STATUS_ACCESS_DENIED
;
3553 if (!id7
->account_name
.string
) {
3554 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3555 return NT_STATUS_ACCESS_DENIED
;
3558 /* check to see if the new username already exists. Note: we can't
3559 reliably lock all backends, so there is potentially the
3560 possibility that a user can be created in between this check and
3561 the rename. The rename should fail, but may not get the
3562 exact same failure status code. I think this is small enough
3563 of a window for this type of operation and the results are
3564 simply that the rename fails with a slightly different status
3565 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3567 rc
= can_create(mem_ctx
, id7
->account_name
.string
);
3568 if (!NT_STATUS_IS_OK(rc
)) {
3572 rc
= pdb_rename_sam_account(pwd
, id7
->account_name
.string
);
3577 /*******************************************************************
3579 ********************************************************************/
3581 static bool set_user_info_16(struct samr_UserInfo16
*id16
,
3585 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3589 /* FIX ME: check if the value is really changed --metze */
3590 if (!pdb_set_acct_ctrl(pwd
, id16
->acct_flags
, PDB_CHANGED
)) {
3594 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd
))) {
3601 /*******************************************************************
3603 ********************************************************************/
3605 static NTSTATUS
set_user_info_18(struct samr_UserInfo18
*id18
,
3606 TALLOC_CTX
*mem_ctx
,
3607 DATA_BLOB
*session_key
,
3611 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3612 return NT_STATUS_INVALID_PARAMETER
;
3615 if (id18
->nt_pwd_active
|| id18
->lm_pwd_active
) {
3616 if (!session_key
->length
) {
3617 return NT_STATUS_NO_USER_SESSION_KEY
;
3621 if (id18
->nt_pwd_active
) {
3625 in
= data_blob_const(id18
->nt_pwd
.hash
, 16);
3626 out
= data_blob_talloc_zero(mem_ctx
, 16);
3628 sess_crypt_blob(&out
, &in
, session_key
, false);
3630 if (!pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
3631 return NT_STATUS_ACCESS_DENIED
;
3634 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
3637 if (id18
->lm_pwd_active
) {
3641 in
= data_blob_const(id18
->lm_pwd
.hash
, 16);
3642 out
= data_blob_talloc_zero(mem_ctx
, 16);
3644 sess_crypt_blob(&out
, &in
, session_key
, false);
3646 if (!pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
3647 return NT_STATUS_ACCESS_DENIED
;
3650 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
3653 copy_id18_to_sam_passwd(pwd
, id18
);
3655 return pdb_update_sam_account(pwd
);
3658 /*******************************************************************
3660 ********************************************************************/
3662 static bool set_user_info_20(struct samr_UserInfo20
*id20
,
3666 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3670 copy_id20_to_sam_passwd(pwd
, id20
);
3672 /* write the change out */
3673 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd
))) {
3680 /*******************************************************************
3682 ********************************************************************/
3684 static NTSTATUS
set_user_info_21(struct samr_UserInfo21
*id21
,
3685 TALLOC_CTX
*mem_ctx
,
3686 DATA_BLOB
*session_key
,
3692 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3693 return NT_STATUS_INVALID_PARAMETER
;
3696 if (id21
->fields_present
== 0) {
3697 return NT_STATUS_INVALID_PARAMETER
;
3700 if (id21
->fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
3701 return NT_STATUS_ACCESS_DENIED
;
3704 if (id21
->fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) {
3705 if (id21
->nt_password_set
) {
3708 if ((id21
->nt_owf_password
.length
!= 16) ||
3709 (id21
->nt_owf_password
.size
!= 16)) {
3710 return NT_STATUS_INVALID_PARAMETER
;
3713 if (!session_key
->length
) {
3714 return NT_STATUS_NO_USER_SESSION_KEY
;
3717 in
= data_blob_const(id21
->nt_owf_password
.array
, 16);
3718 out
= data_blob_talloc_zero(mem_ctx
, 16);
3720 sess_crypt_blob(&out
, &in
, session_key
, false);
3722 pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
);
3723 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
3727 if (id21
->fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
) {
3728 if (id21
->lm_password_set
) {
3731 if ((id21
->lm_owf_password
.length
!= 16) ||
3732 (id21
->lm_owf_password
.size
!= 16)) {
3733 return NT_STATUS_INVALID_PARAMETER
;
3736 if (!session_key
->length
) {
3737 return NT_STATUS_NO_USER_SESSION_KEY
;
3740 in
= data_blob_const(id21
->lm_owf_password
.array
, 16);
3741 out
= data_blob_talloc_zero(mem_ctx
, 16);
3743 sess_crypt_blob(&out
, &in
, session_key
, false);
3745 pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
);
3746 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
3750 /* we need to separately check for an account rename first */
3752 if (id21
->account_name
.string
&&
3753 (!strequal(id21
->account_name
.string
, pdb_get_username(pwd
))))
3756 /* check to see if the new username already exists. Note: we can't
3757 reliably lock all backends, so there is potentially the
3758 possibility that a user can be created in between this check and
3759 the rename. The rename should fail, but may not get the
3760 exact same failure status code. I think this is small enough
3761 of a window for this type of operation and the results are
3762 simply that the rename fails with a slightly different status
3763 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3765 status
= can_create(mem_ctx
, id21
->account_name
.string
);
3766 if (!NT_STATUS_IS_OK(status
)) {
3770 status
= pdb_rename_sam_account(pwd
, id21
->account_name
.string
);
3772 if (!NT_STATUS_IS_OK(status
)) {
3773 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3774 nt_errstr(status
)));
3778 /* set the new username so that later
3779 functions can work on the new account */
3780 pdb_set_username(pwd
, id21
->account_name
.string
, PDB_SET
);
3783 copy_id21_to_sam_passwd("INFO_21", pwd
, id21
);
3786 * The funny part about the previous two calls is
3787 * that pwd still has the password hashes from the
3788 * passdb entry. These have not been updated from
3789 * id21. I don't know if they need to be set. --jerry
3792 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
3793 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
3794 if ( !NT_STATUS_IS_OK(status
) ) {
3799 /* Don't worry about writing out the user account since the
3800 primary group SID is generated solely from the user's Unix
3803 /* write the change out */
3804 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
3808 return NT_STATUS_OK
;
3811 /*******************************************************************
3813 ********************************************************************/
3815 static NTSTATUS
set_user_info_23(TALLOC_CTX
*mem_ctx
,
3816 struct samr_UserInfo23
*id23
,
3819 char *plaintext_buf
= NULL
;
3825 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3826 return NT_STATUS_INVALID_PARAMETER
;
3829 if (id23
->info
.fields_present
== 0) {
3830 return NT_STATUS_INVALID_PARAMETER
;
3833 if (id23
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
3834 return NT_STATUS_ACCESS_DENIED
;
3837 if ((id23
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
3838 (id23
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
3840 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3841 pdb_get_username(pwd
)));
3843 if (!decode_pw_buffer(mem_ctx
,
3844 id23
->password
.data
,
3848 return NT_STATUS_WRONG_PASSWORD
;
3851 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
3852 return NT_STATUS_ACCESS_DENIED
;
3856 copy_id23_to_sam_passwd(pwd
, id23
);
3858 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
3860 /* if it's a trust account, don't update /etc/passwd */
3861 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
3862 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
3863 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
3864 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3865 } else if (plaintext_buf
) {
3866 /* update the UNIX password */
3867 if (lp_unix_password_sync() ) {
3868 struct passwd
*passwd
;
3869 if (pdb_get_username(pwd
) == NULL
) {
3870 DEBUG(1, ("chgpasswd: User without name???\n"));
3871 return NT_STATUS_ACCESS_DENIED
;
3874 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
3875 if (passwd
== NULL
) {
3876 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3879 if(!chgpasswd(pdb_get_username(pwd
), passwd
, "", plaintext_buf
, True
)) {
3880 return NT_STATUS_ACCESS_DENIED
;
3882 TALLOC_FREE(passwd
);
3886 if (plaintext_buf
) {
3887 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
3890 if (IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) &&
3891 (!NT_STATUS_IS_OK(status
= pdb_set_unix_primary_group(mem_ctx
,
3896 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
3900 return NT_STATUS_OK
;
3903 /*******************************************************************
3905 ********************************************************************/
3907 static bool set_user_info_pw(uint8
*pass
, struct samu
*pwd
)
3910 char *plaintext_buf
= NULL
;
3913 DEBUG(5, ("Attempting administrator password change for user %s\n",
3914 pdb_get_username(pwd
)));
3916 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
3918 if (!decode_pw_buffer(talloc_tos(),
3926 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
3930 /* if it's a trust account, don't update /etc/passwd */
3931 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
3932 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
3933 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
3934 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3936 /* update the UNIX password */
3937 if (lp_unix_password_sync()) {
3938 struct passwd
*passwd
;
3940 if (pdb_get_username(pwd
) == NULL
) {
3941 DEBUG(1, ("chgpasswd: User without name???\n"));
3945 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
3946 if (passwd
== NULL
) {
3947 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3950 if(!chgpasswd(pdb_get_username(pwd
), passwd
, "", plaintext_buf
, True
)) {
3953 TALLOC_FREE(passwd
);
3957 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
3959 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
3964 /*******************************************************************
3966 ********************************************************************/
3968 static NTSTATUS
set_user_info_24(TALLOC_CTX
*mem_ctx
,
3969 struct samr_UserInfo24
*id24
,
3975 DEBUG(5, ("set_user_info_24: NULL id24\n"));
3976 return NT_STATUS_INVALID_PARAMETER
;
3979 if (!set_user_info_pw(id24
->password
.data
, pwd
)) {
3980 return NT_STATUS_WRONG_PASSWORD
;
3983 copy_id24_to_sam_passwd(pwd
, id24
);
3985 status
= pdb_update_sam_account(pwd
);
3986 if (!NT_STATUS_IS_OK(status
)) {
3990 return NT_STATUS_OK
;
3993 /*******************************************************************
3995 ********************************************************************/
3997 static NTSTATUS
set_user_info_25(TALLOC_CTX
*mem_ctx
,
3998 struct samr_UserInfo25
*id25
,
4004 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4005 return NT_STATUS_INVALID_PARAMETER
;
4008 if (id25
->info
.fields_present
== 0) {
4009 return NT_STATUS_INVALID_PARAMETER
;
4012 if (id25
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4013 return NT_STATUS_ACCESS_DENIED
;
4016 if ((id25
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4017 (id25
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4019 if (!set_user_info_pw(id25
->password
.data
, pwd
)) {
4020 return NT_STATUS_WRONG_PASSWORD
;
4024 copy_id25_to_sam_passwd(pwd
, id25
);
4026 /* write the change out */
4027 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4032 * We need to "pdb_update_sam_account" before the unix primary group
4033 * is set, because the idealx scripts would also change the
4034 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4035 * the delete explicit / add explicit, which would then fail to find
4036 * the previous primaryGroupSid value.
4039 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4040 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4041 if ( !NT_STATUS_IS_OK(status
) ) {
4046 return NT_STATUS_OK
;
4049 /*******************************************************************
4051 ********************************************************************/
4053 static NTSTATUS
set_user_info_26(TALLOC_CTX
*mem_ctx
,
4054 struct samr_UserInfo26
*id26
,
4060 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4061 return NT_STATUS_INVALID_PARAMETER
;
4064 if (!set_user_info_pw(id26
->password
.data
, pwd
)) {
4065 return NT_STATUS_WRONG_PASSWORD
;
4068 copy_id26_to_sam_passwd(pwd
, id26
);
4070 status
= pdb_update_sam_account(pwd
);
4071 if (!NT_STATUS_IS_OK(status
)) {
4075 return NT_STATUS_OK
;
4079 /*******************************************************************
4081 ********************************************************************/
4083 NTSTATUS
_samr_SetUserInfo(pipes_struct
*p
,
4084 struct samr_SetUserInfo
*r
)
4087 struct samu
*pwd
= NULL
;
4089 union samr_UserInfo
*info
= r
->in
.info
;
4090 uint16_t switch_value
= r
->in
.level
;
4091 uint32_t acc_granted
;
4092 uint32_t acc_required
;
4094 bool has_enough_rights
= False
;
4096 DISP_INFO
*disp_info
= NULL
;
4098 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__
));
4100 /* find the policy handle. open a policy on it. */
4101 if (!get_lsa_policy_samr_sid(p
, r
->in
.user_handle
, &sid
, &acc_granted
, &disp_info
)) {
4102 return NT_STATUS_INVALID_HANDLE
;
4105 /* This is tricky. A WinXP domain join sets
4106 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4107 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4108 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4109 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4110 we'll use the set from the WinXP join as the basis. */
4112 switch (switch_value
) {
4117 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
4120 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
|
4121 SAMR_USER_ACCESS_SET_ATTRIBUTES
|
4122 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
4126 status
= access_check_samr_function(acc_granted
,
4128 "_samr_SetUserInfo");
4129 if (!NT_STATUS_IS_OK(status
)) {
4133 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4134 sid_string_dbg(&sid
), switch_value
));
4137 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4138 return NT_STATUS_INVALID_INFO_CLASS
;
4141 if (!(pwd
= samu_new(NULL
))) {
4142 return NT_STATUS_NO_MEMORY
;
4146 ret
= pdb_getsampwsid(pwd
, &sid
);
4151 return NT_STATUS_NO_SUCH_USER
;
4154 /* deal with machine password changes differently from userinfo changes */
4155 /* check to see if we have the sufficient rights */
4157 acb_info
= pdb_get_acct_ctrl(pwd
);
4158 if (acb_info
& ACB_WSTRUST
)
4159 has_enough_rights
= user_has_privileges(p
->server_info
->ptok
,
4160 &se_machine_account
);
4161 else if (acb_info
& ACB_NORMAL
)
4162 has_enough_rights
= user_has_privileges(p
->server_info
->ptok
,
4164 else if (acb_info
& (ACB_SVRTRUST
|ACB_DOMTRUST
)) {
4165 if (lp_enable_privileges()) {
4166 has_enough_rights
= nt_token_check_domain_rid(p
->server_info
->ptok
,
4167 DOMAIN_GROUP_RID_ADMINS
);
4171 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4172 uidtoname(p
->server_info
->utok
.uid
),
4173 has_enough_rights
? "" : " not"));
4175 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4177 if (has_enough_rights
) {
4181 /* ok! user info levels (lots: see MSDEV help), off we go... */
4183 switch (switch_value
) {
4186 status
= set_user_info_7(p
->mem_ctx
,
4191 if (!set_user_info_16(&info
->info16
, pwd
)) {
4192 status
= NT_STATUS_ACCESS_DENIED
;
4197 /* Used by AS/U JRA. */
4198 status
= set_user_info_18(&info
->info18
,
4200 &p
->server_info
->user_session_key
,
4205 if (!set_user_info_20(&info
->info20
, pwd
)) {
4206 status
= NT_STATUS_ACCESS_DENIED
;
4211 status
= set_user_info_21(&info
->info21
,
4213 &p
->server_info
->user_session_key
,
4218 if (!p
->server_info
->user_session_key
.length
) {
4219 status
= NT_STATUS_NO_USER_SESSION_KEY
;
4221 SamOEMhashBlob(info
->info23
.password
.data
, 516,
4222 &p
->server_info
->user_session_key
);
4224 dump_data(100, info
->info23
.password
.data
, 516);
4226 status
= set_user_info_23(p
->mem_ctx
,
4227 &info
->info23
, pwd
);
4231 if (!p
->server_info
->user_session_key
.length
) {
4232 status
= NT_STATUS_NO_USER_SESSION_KEY
;
4234 SamOEMhashBlob(info
->info24
.password
.data
,
4236 &p
->server_info
->user_session_key
);
4238 dump_data(100, info
->info24
.password
.data
, 516);
4240 status
= set_user_info_24(p
->mem_ctx
,
4241 &info
->info24
, pwd
);
4245 if (!p
->server_info
->user_session_key
.length
) {
4246 status
= NT_STATUS_NO_USER_SESSION_KEY
;
4248 encode_or_decode_arc4_passwd_buffer(
4249 info
->info25
.password
.data
,
4250 &p
->server_info
->user_session_key
);
4252 dump_data(100, info
->info25
.password
.data
, 532);
4254 status
= set_user_info_25(p
->mem_ctx
,
4255 &info
->info25
, pwd
);
4259 if (!p
->server_info
->user_session_key
.length
) {
4260 status
= NT_STATUS_NO_USER_SESSION_KEY
;
4262 encode_or_decode_arc4_passwd_buffer(
4263 info
->info26
.password
.data
,
4264 &p
->server_info
->user_session_key
);
4266 dump_data(100, info
->info26
.password
.data
, 516);
4268 status
= set_user_info_26(p
->mem_ctx
,
4269 &info
->info26
, pwd
);
4273 status
= NT_STATUS_INVALID_INFO_CLASS
;
4278 if (has_enough_rights
) {
4282 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4284 if (NT_STATUS_IS_OK(status
)) {
4285 force_flush_samr_cache(disp_info
);
4291 /*******************************************************************
4293 ********************************************************************/
4295 NTSTATUS
_samr_SetUserInfo2(pipes_struct
*p
,
4296 struct samr_SetUserInfo2
*r
)
4298 struct samr_SetUserInfo q
;
4300 q
.in
.user_handle
= r
->in
.user_handle
;
4301 q
.in
.level
= r
->in
.level
;
4302 q
.in
.info
= r
->in
.info
;
4304 return _samr_SetUserInfo(p
, &q
);
4307 /*********************************************************************
4308 _samr_GetAliasMembership
4309 *********************************************************************/
4311 NTSTATUS
_samr_GetAliasMembership(pipes_struct
*p
,
4312 struct samr_GetAliasMembership
*r
)
4314 size_t num_alias_rids
;
4316 struct samr_info
*info
= NULL
;
4324 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__
));
4326 /* find the policy handle. open a policy on it. */
4327 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
))
4328 return NT_STATUS_INVALID_HANDLE
;
4330 ntstatus1
= access_check_samr_function(info
->acc_granted
,
4331 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
,
4332 "_samr_GetAliasMembership");
4333 ntstatus2
= access_check_samr_function(info
->acc_granted
,
4334 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
4335 "_samr_GetAliasMembership");
4337 if (!NT_STATUS_IS_OK(ntstatus1
) || !NT_STATUS_IS_OK(ntstatus2
)) {
4338 if (!(NT_STATUS_EQUAL(ntstatus1
,NT_STATUS_ACCESS_DENIED
) && NT_STATUS_IS_OK(ntstatus2
)) &&
4339 !(NT_STATUS_EQUAL(ntstatus1
,NT_STATUS_ACCESS_DENIED
) && NT_STATUS_IS_OK(ntstatus1
))) {
4340 return (NT_STATUS_IS_OK(ntstatus1
)) ? ntstatus2
: ntstatus1
;
4344 if (!sid_check_is_domain(&info
->sid
) &&
4345 !sid_check_is_builtin(&info
->sid
))
4346 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
4348 if (r
->in
.sids
->num_sids
) {
4349 members
= TALLOC_ARRAY(p
->mem_ctx
, DOM_SID
, r
->in
.sids
->num_sids
);
4351 if (members
== NULL
)
4352 return NT_STATUS_NO_MEMORY
;
4357 for (i
=0; i
<r
->in
.sids
->num_sids
; i
++)
4358 sid_copy(&members
[i
], r
->in
.sids
->sids
[i
].sid
);
4364 ntstatus1
= pdb_enum_alias_memberships(p
->mem_ctx
, &info
->sid
, members
,
4365 r
->in
.sids
->num_sids
,
4366 &alias_rids
, &num_alias_rids
);
4369 if (!NT_STATUS_IS_OK(ntstatus1
)) {
4373 r
->out
.rids
->count
= num_alias_rids
;
4374 r
->out
.rids
->ids
= alias_rids
;
4376 return NT_STATUS_OK
;
4379 /*********************************************************************
4380 _samr_GetMembersInAlias
4381 *********************************************************************/
4383 NTSTATUS
_samr_GetMembersInAlias(pipes_struct
*p
,
4384 struct samr_GetMembersInAlias
*r
)
4388 size_t num_sids
= 0;
4389 struct lsa_SidPtr
*sids
= NULL
;
4390 DOM_SID
*pdb_sids
= NULL
;
4396 /* find the policy handle. open a policy on it. */
4397 if (!get_lsa_policy_samr_sid(p
, r
->in
.alias_handle
, &alias_sid
, &acc_granted
, NULL
))
4398 return NT_STATUS_INVALID_HANDLE
;
4400 status
= access_check_samr_function(acc_granted
,
4401 SAMR_ALIAS_ACCESS_GET_MEMBERS
,
4402 "_samr_GetMembersInAlias");
4403 if (!NT_STATUS_IS_OK(status
)) {
4407 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid
)));
4410 status
= pdb_enum_aliasmem(&alias_sid
, &pdb_sids
, &num_sids
);
4413 if (!NT_STATUS_IS_OK(status
)) {
4418 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
, num_sids
);
4420 TALLOC_FREE(pdb_sids
);
4421 return NT_STATUS_NO_MEMORY
;
4425 for (i
= 0; i
< num_sids
; i
++) {
4426 sids
[i
].sid
= sid_dup_talloc(p
->mem_ctx
, &pdb_sids
[i
]);
4428 TALLOC_FREE(pdb_sids
);
4429 return NT_STATUS_NO_MEMORY
;
4433 r
->out
.sids
->num_sids
= num_sids
;
4434 r
->out
.sids
->sids
= sids
;
4436 TALLOC_FREE(pdb_sids
);
4438 return NT_STATUS_OK
;
4441 /*********************************************************************
4442 _samr_QueryGroupMember
4443 *********************************************************************/
4445 NTSTATUS
_samr_QueryGroupMember(pipes_struct
*p
,
4446 struct samr_QueryGroupMember
*r
)
4449 size_t i
, num_members
;
4457 struct samr_RidTypeArray
*rids
= NULL
;
4459 rids
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_RidTypeArray
);
4461 return NT_STATUS_NO_MEMORY
;
4464 /* find the policy handle. open a policy on it. */
4465 if (!get_lsa_policy_samr_sid(p
, r
->in
.group_handle
, &group_sid
, &acc_granted
, NULL
))
4466 return NT_STATUS_INVALID_HANDLE
;
4468 status
= access_check_samr_function(acc_granted
,
4469 SAMR_GROUP_ACCESS_GET_MEMBERS
,
4470 "_samr_QueryGroupMember");
4471 if (!NT_STATUS_IS_OK(status
)) {
4475 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid
)));
4477 if (!sid_check_is_in_our_domain(&group_sid
)) {
4478 DEBUG(3, ("sid %s is not in our domain\n",
4479 sid_string_dbg(&group_sid
)));
4480 return NT_STATUS_NO_SUCH_GROUP
;
4483 DEBUG(10, ("lookup on Domain SID\n"));
4486 status
= pdb_enum_group_members(p
->mem_ctx
, &group_sid
,
4487 &rid
, &num_members
);
4490 if (!NT_STATUS_IS_OK(status
))
4494 attr
=TALLOC_ZERO_ARRAY(p
->mem_ctx
, uint32
, num_members
);
4496 return NT_STATUS_NO_MEMORY
;
4502 for (i
=0; i
<num_members
; i
++)
4503 attr
[i
] = SID_NAME_USER
;
4505 rids
->count
= num_members
;
4509 *r
->out
.rids
= rids
;
4511 return NT_STATUS_OK
;
4514 /*********************************************************************
4515 _samr_AddAliasMember
4516 *********************************************************************/
4518 NTSTATUS
_samr_AddAliasMember(pipes_struct
*p
,
4519 struct samr_AddAliasMember
*r
)
4524 bool can_add_accounts
;
4526 DISP_INFO
*disp_info
= NULL
;
4528 /* Find the policy handle. Open a policy on it. */
4529 if (!get_lsa_policy_samr_sid(p
, r
->in
.alias_handle
, &alias_sid
, &acc_granted
, &disp_info
))
4530 return NT_STATUS_INVALID_HANDLE
;
4532 status
= access_check_samr_function(acc_granted
,
4533 SAMR_ALIAS_ACCESS_ADD_MEMBER
,
4534 "_samr_AddAliasMember");
4535 if (!NT_STATUS_IS_OK(status
)) {
4539 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid
)));
4541 se_priv_copy( &se_rights
, &se_add_users
);
4542 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4544 /******** BEGIN SeAddUsers BLOCK *********/
4546 if ( can_add_accounts
)
4549 status
= pdb_add_aliasmem(&alias_sid
, r
->in
.sid
);
4551 if ( can_add_accounts
)
4554 /******** END SeAddUsers BLOCK *********/
4556 if (NT_STATUS_IS_OK(status
)) {
4557 force_flush_samr_cache(disp_info
);
4563 /*********************************************************************
4564 _samr_DeleteAliasMember
4565 *********************************************************************/
4567 NTSTATUS
_samr_DeleteAliasMember(pipes_struct
*p
,
4568 struct samr_DeleteAliasMember
*r
)
4573 bool can_add_accounts
;
4575 DISP_INFO
*disp_info
= NULL
;
4577 /* Find the policy handle. Open a policy on it. */
4578 if (!get_lsa_policy_samr_sid(p
, r
->in
.alias_handle
, &alias_sid
, &acc_granted
, &disp_info
))
4579 return NT_STATUS_INVALID_HANDLE
;
4581 status
= access_check_samr_function(acc_granted
,
4582 SAMR_ALIAS_ACCESS_REMOVE_MEMBER
,
4583 "_samr_DeleteAliasMember");
4584 if (!NT_STATUS_IS_OK(status
)) {
4588 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4589 sid_string_dbg(&alias_sid
)));
4591 se_priv_copy( &se_rights
, &se_add_users
);
4592 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4594 /******** BEGIN SeAddUsers BLOCK *********/
4596 if ( can_add_accounts
)
4599 status
= pdb_del_aliasmem(&alias_sid
, r
->in
.sid
);
4601 if ( can_add_accounts
)
4604 /******** END SeAddUsers BLOCK *********/
4606 if (NT_STATUS_IS_OK(status
)) {
4607 force_flush_samr_cache(disp_info
);
4613 /*********************************************************************
4614 _samr_AddGroupMember
4615 *********************************************************************/
4617 NTSTATUS
_samr_AddGroupMember(pipes_struct
*p
,
4618 struct samr_AddGroupMember
*r
)
4625 bool can_add_accounts
;
4626 DISP_INFO
*disp_info
= NULL
;
4628 /* Find the policy handle. Open a policy on it. */
4629 if (!get_lsa_policy_samr_sid(p
, r
->in
.group_handle
, &group_sid
, &acc_granted
, &disp_info
))
4630 return NT_STATUS_INVALID_HANDLE
;
4632 status
= access_check_samr_function(acc_granted
,
4633 SAMR_GROUP_ACCESS_ADD_MEMBER
,
4634 "_samr_AddGroupMember");
4635 if (!NT_STATUS_IS_OK(status
)) {
4639 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid
)));
4641 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid
,
4643 return NT_STATUS_INVALID_HANDLE
;
4646 se_priv_copy( &se_rights
, &se_add_users
);
4647 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4649 /******** BEGIN SeAddUsers BLOCK *********/
4651 if ( can_add_accounts
)
4654 status
= pdb_add_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
4656 if ( can_add_accounts
)
4659 /******** END SeAddUsers BLOCK *********/
4661 force_flush_samr_cache(disp_info
);
4666 /*********************************************************************
4667 _samr_DeleteGroupMember
4668 *********************************************************************/
4670 NTSTATUS
_samr_DeleteGroupMember(pipes_struct
*p
,
4671 struct samr_DeleteGroupMember
*r
)
4679 bool can_add_accounts
;
4680 DISP_INFO
*disp_info
= NULL
;
4683 * delete the group member named r->in.rid
4684 * who is a member of the sid associated with the handle
4685 * the rid is a user's rid as the group is a domain group.
4688 /* Find the policy handle. Open a policy on it. */
4689 if (!get_lsa_policy_samr_sid(p
, r
->in
.group_handle
, &group_sid
, &acc_granted
, &disp_info
))
4690 return NT_STATUS_INVALID_HANDLE
;
4692 status
= access_check_samr_function(acc_granted
,
4693 SAMR_GROUP_ACCESS_REMOVE_MEMBER
,
4694 "_samr_DeleteGroupMember");
4695 if (!NT_STATUS_IS_OK(status
)) {
4699 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid
,
4701 return NT_STATUS_INVALID_HANDLE
;
4704 se_priv_copy( &se_rights
, &se_add_users
);
4705 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4707 /******** BEGIN SeAddUsers BLOCK *********/
4709 if ( can_add_accounts
)
4712 status
= pdb_del_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
4714 if ( can_add_accounts
)
4717 /******** END SeAddUsers BLOCK *********/
4719 force_flush_samr_cache(disp_info
);
4724 /*********************************************************************
4726 *********************************************************************/
4728 NTSTATUS
_samr_DeleteUser(pipes_struct
*p
,
4729 struct samr_DeleteUser
*r
)
4733 struct samu
*sam_pass
=NULL
;
4735 bool can_add_accounts
;
4737 DISP_INFO
*disp_info
= NULL
;
4740 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__
));
4742 /* Find the policy handle. Open a policy on it. */
4743 if (!get_lsa_policy_samr_sid(p
, r
->in
.user_handle
, &user_sid
, &acc_granted
, &disp_info
))
4744 return NT_STATUS_INVALID_HANDLE
;
4746 status
= access_check_samr_function(acc_granted
,
4747 STD_RIGHT_DELETE_ACCESS
,
4748 "_samr_DeleteUser");
4749 if (!NT_STATUS_IS_OK(status
)) {
4753 if (!sid_check_is_in_our_domain(&user_sid
))
4754 return NT_STATUS_CANNOT_DELETE
;
4756 /* check if the user exists before trying to delete */
4757 if ( !(sam_pass
= samu_new( NULL
)) ) {
4758 return NT_STATUS_NO_MEMORY
;
4762 ret
= pdb_getsampwsid(sam_pass
, &user_sid
);
4766 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4767 sid_string_dbg(&user_sid
)));
4768 TALLOC_FREE(sam_pass
);
4769 return NT_STATUS_NO_SUCH_USER
;
4772 acb_info
= pdb_get_acct_ctrl(sam_pass
);
4774 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4775 if ( acb_info
& ACB_WSTRUST
) {
4776 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_machine_account
);
4778 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_add_users
);
4781 /******** BEGIN SeAddUsers BLOCK *********/
4783 if ( can_add_accounts
)
4786 status
= pdb_delete_user(p
->mem_ctx
, sam_pass
);
4788 if ( can_add_accounts
)
4791 /******** END SeAddUsers BLOCK *********/
4793 if ( !NT_STATUS_IS_OK(status
) ) {
4794 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4795 "user %s: %s.\n", pdb_get_username(sam_pass
),
4796 nt_errstr(status
)));
4797 TALLOC_FREE(sam_pass
);
4802 TALLOC_FREE(sam_pass
);
4804 if (!close_policy_hnd(p
, r
->in
.user_handle
))
4805 return NT_STATUS_OBJECT_NAME_INVALID
;
4807 ZERO_STRUCTP(r
->out
.user_handle
);
4809 force_flush_samr_cache(disp_info
);
4811 return NT_STATUS_OK
;
4814 /*********************************************************************
4815 _samr_DeleteDomainGroup
4816 *********************************************************************/
4818 NTSTATUS
_samr_DeleteDomainGroup(pipes_struct
*p
,
4819 struct samr_DeleteDomainGroup
*r
)
4826 bool can_add_accounts
;
4827 DISP_INFO
*disp_info
= NULL
;
4829 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__
));
4831 /* Find the policy handle. Open a policy on it. */
4832 if (!get_lsa_policy_samr_sid(p
, r
->in
.group_handle
, &group_sid
, &acc_granted
, &disp_info
))
4833 return NT_STATUS_INVALID_HANDLE
;
4835 status
= access_check_samr_function(acc_granted
,
4836 STD_RIGHT_DELETE_ACCESS
,
4837 "_samr_DeleteDomainGroup");
4838 if (!NT_STATUS_IS_OK(status
)) {
4842 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid
)));
4844 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid
,
4846 return NT_STATUS_NO_SUCH_GROUP
;
4849 se_priv_copy( &se_rights
, &se_add_users
);
4850 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4852 /******** BEGIN SeAddUsers BLOCK *********/
4854 if ( can_add_accounts
)
4857 status
= pdb_delete_dom_group(p
->mem_ctx
, group_rid
);
4859 if ( can_add_accounts
)
4862 /******** END SeAddUsers BLOCK *********/
4864 if ( !NT_STATUS_IS_OK(status
) ) {
4865 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4866 "entry for group %s: %s\n",
4867 sid_string_dbg(&group_sid
),
4868 nt_errstr(status
)));
4872 if (!close_policy_hnd(p
, r
->in
.group_handle
))
4873 return NT_STATUS_OBJECT_NAME_INVALID
;
4875 force_flush_samr_cache(disp_info
);
4877 return NT_STATUS_OK
;
4880 /*********************************************************************
4881 _samr_DeleteDomAlias
4882 *********************************************************************/
4884 NTSTATUS
_samr_DeleteDomAlias(pipes_struct
*p
,
4885 struct samr_DeleteDomAlias
*r
)
4890 bool can_add_accounts
;
4892 DISP_INFO
*disp_info
= NULL
;
4894 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__
));
4896 /* Find the policy handle. Open a policy on it. */
4897 if (!get_lsa_policy_samr_sid(p
, r
->in
.alias_handle
, &alias_sid
, &acc_granted
, &disp_info
))
4898 return NT_STATUS_INVALID_HANDLE
;
4900 /* copy the handle to the outgoing reply */
4902 memcpy(r
->out
.alias_handle
, r
->in
.alias_handle
, sizeof(r
->out
.alias_handle
));
4904 status
= access_check_samr_function(acc_granted
,
4905 STD_RIGHT_DELETE_ACCESS
,
4906 "_samr_DeleteDomAlias");
4907 if (!NT_STATUS_IS_OK(status
)) {
4911 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid
)));
4913 /* Don't let Windows delete builtin groups */
4915 if ( sid_check_is_in_builtin( &alias_sid
) ) {
4916 return NT_STATUS_SPECIAL_ACCOUNT
;
4919 if (!sid_check_is_in_our_domain(&alias_sid
))
4920 return NT_STATUS_NO_SUCH_ALIAS
;
4922 DEBUG(10, ("lookup on Local SID\n"));
4924 se_priv_copy( &se_rights
, &se_add_users
);
4925 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4927 /******** BEGIN SeAddUsers BLOCK *********/
4929 if ( can_add_accounts
)
4932 /* Have passdb delete the alias */
4933 status
= pdb_delete_alias(&alias_sid
);
4935 if ( can_add_accounts
)
4938 /******** END SeAddUsers BLOCK *********/
4940 if ( !NT_STATUS_IS_OK(status
))
4943 if (!close_policy_hnd(p
, r
->in
.alias_handle
))
4944 return NT_STATUS_OBJECT_NAME_INVALID
;
4946 force_flush_samr_cache(disp_info
);
4948 return NT_STATUS_OK
;
4951 /*********************************************************************
4952 _samr_CreateDomainGroup
4953 *********************************************************************/
4955 NTSTATUS
_samr_CreateDomainGroup(pipes_struct
*p
,
4956 struct samr_CreateDomainGroup
*r
)
4963 struct samr_info
*info
;
4966 bool can_add_accounts
;
4967 DISP_INFO
*disp_info
= NULL
;
4969 /* Find the policy handle. Open a policy on it. */
4970 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &dom_sid
, &acc_granted
, &disp_info
))
4971 return NT_STATUS_INVALID_HANDLE
;
4973 status
= access_check_samr_function(acc_granted
,
4974 SAMR_DOMAIN_ACCESS_CREATE_GROUP
,
4975 "_samr_CreateDomainGroup");
4976 if (!NT_STATUS_IS_OK(status
)) {
4980 if (!sid_equal(&dom_sid
, get_global_sam_sid()))
4981 return NT_STATUS_ACCESS_DENIED
;
4983 name
= r
->in
.name
->string
;
4985 return NT_STATUS_NO_MEMORY
;
4988 status
= can_create(p
->mem_ctx
, name
);
4989 if (!NT_STATUS_IS_OK(status
)) {
4993 se_priv_copy( &se_rights
, &se_add_users
);
4994 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
4996 /******** BEGIN SeAddUsers BLOCK *********/
4998 if ( can_add_accounts
)
5001 /* check that we successfully create the UNIX group */
5003 status
= pdb_create_dom_group(p
->mem_ctx
, name
, r
->out
.rid
);
5005 if ( can_add_accounts
)
5008 /******** END SeAddUsers BLOCK *********/
5010 /* check if we should bail out here */
5012 if ( !NT_STATUS_IS_OK(status
) )
5015 sid_compose(&info_sid
, get_global_sam_sid(), *r
->out
.rid
);
5017 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, &info_sid
)) == NULL
)
5018 return NT_STATUS_NO_MEMORY
;
5020 /* they created it; let the user do what he wants with it */
5022 info
->acc_granted
= GENERIC_RIGHTS_GROUP_ALL_ACCESS
;
5024 /* get a (unique) handle. open a policy on it. */
5025 if (!create_policy_hnd(p
, r
->out
.group_handle
, info
))
5026 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
5028 force_flush_samr_cache(disp_info
);
5030 return NT_STATUS_OK
;
5033 /*********************************************************************
5034 _samr_CreateDomAlias
5035 *********************************************************************/
5037 NTSTATUS
_samr_CreateDomAlias(pipes_struct
*p
,
5038 struct samr_CreateDomAlias
*r
)
5042 const char *name
= NULL
;
5043 struct samr_info
*info
;
5048 bool can_add_accounts
;
5049 DISP_INFO
*disp_info
= NULL
;
5051 /* Find the policy handle. Open a policy on it. */
5052 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &dom_sid
, &acc_granted
, &disp_info
))
5053 return NT_STATUS_INVALID_HANDLE
;
5055 result
= access_check_samr_function(acc_granted
,
5056 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
,
5057 "_samr_CreateDomAlias");
5058 if (!NT_STATUS_IS_OK(result
)) {
5062 if (!sid_equal(&dom_sid
, get_global_sam_sid()))
5063 return NT_STATUS_ACCESS_DENIED
;
5065 name
= r
->in
.alias_name
->string
;
5067 se_priv_copy( &se_rights
, &se_add_users
);
5068 can_add_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_rights
);
5070 result
= can_create(p
->mem_ctx
, name
);
5071 if (!NT_STATUS_IS_OK(result
)) {
5075 /******** BEGIN SeAddUsers BLOCK *********/
5077 if ( can_add_accounts
)
5080 /* Have passdb create the alias */
5081 result
= pdb_create_alias(name
, r
->out
.rid
);
5083 if ( can_add_accounts
)
5086 /******** END SeAddUsers BLOCK *********/
5088 if (!NT_STATUS_IS_OK(result
)) {
5089 DEBUG(10, ("pdb_create_alias failed: %s\n",
5090 nt_errstr(result
)));
5094 sid_copy(&info_sid
, get_global_sam_sid());
5095 sid_append_rid(&info_sid
, *r
->out
.rid
);
5097 if (!sid_to_gid(&info_sid
, &gid
)) {
5098 DEBUG(10, ("Could not find alias just created\n"));
5099 return NT_STATUS_ACCESS_DENIED
;
5102 /* check if the group has been successfully created */
5103 if ( getgrgid(gid
) == NULL
) {
5104 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5106 return NT_STATUS_ACCESS_DENIED
;
5109 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, &info_sid
)) == NULL
)
5110 return NT_STATUS_NO_MEMORY
;
5112 /* they created it; let the user do what he wants with it */
5114 info
->acc_granted
= GENERIC_RIGHTS_ALIAS_ALL_ACCESS
;
5116 /* get a (unique) handle. open a policy on it. */
5117 if (!create_policy_hnd(p
, r
->out
.alias_handle
, info
))
5118 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
5120 force_flush_samr_cache(disp_info
);
5122 return NT_STATUS_OK
;
5125 /*********************************************************************
5126 _samr_QueryGroupInfo
5127 *********************************************************************/
5129 NTSTATUS
_samr_QueryGroupInfo(pipes_struct
*p
,
5130 struct samr_QueryGroupInfo
*r
)
5135 union samr_GroupInfo
*info
= NULL
;
5138 uint32_t attributes
= SE_GROUP_MANDATORY
|
5139 SE_GROUP_ENABLED_BY_DEFAULT
|
5141 const char *group_name
= NULL
;
5142 const char *group_description
= NULL
;
5144 if (!get_lsa_policy_samr_sid(p
, r
->in
.group_handle
, &group_sid
, &acc_granted
, NULL
))
5145 return NT_STATUS_INVALID_HANDLE
;
5147 status
= access_check_samr_function(acc_granted
,
5148 SAMR_GROUP_ACCESS_LOOKUP_INFO
,
5149 "_samr_QueryGroupInfo");
5150 if (!NT_STATUS_IS_OK(status
)) {
5155 ret
= get_domain_group_from_sid(group_sid
, &map
);
5158 return NT_STATUS_INVALID_HANDLE
;
5160 /* FIXME: map contains fstrings */
5161 group_name
= talloc_strdup(r
, map
.nt_name
);
5162 group_description
= talloc_strdup(r
, map
.comment
);
5164 info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_GroupInfo
);
5166 return NT_STATUS_NO_MEMORY
;
5169 switch (r
->in
.level
) {
5175 status
= pdb_enum_group_members(
5176 p
->mem_ctx
, &group_sid
, &members
, &num_members
);
5179 if (!NT_STATUS_IS_OK(status
)) {
5183 info
->all
.name
.string
= group_name
;
5184 info
->all
.attributes
= attributes
;
5185 info
->all
.num_members
= num_members
;
5186 info
->all
.description
.string
= group_description
;
5190 info
->name
.string
= group_name
;
5193 info
->attributes
.attributes
= attributes
;
5196 info
->description
.string
= group_description
;
5206 status = pdb_enum_group_members(
5207 p->mem_ctx, &group_sid, &members, &num_members);
5210 if (!NT_STATUS_IS_OK(status)) {
5214 info
->all2
.name
.string
= group_name
;
5215 info
->all2
.attributes
= attributes
;
5216 info
->all2
.num_members
= 0; /* num_members - in w2k3 this is always 0 */
5217 info
->all2
.description
.string
= group_description
;
5222 return NT_STATUS_INVALID_INFO_CLASS
;
5225 *r
->out
.info
= info
;
5227 return NT_STATUS_OK
;
5230 /*********************************************************************
5232 *********************************************************************/
5234 NTSTATUS
_samr_SetGroupInfo(pipes_struct
*p
,
5235 struct samr_SetGroupInfo
*r
)
5242 bool can_mod_accounts
;
5243 DISP_INFO
*disp_info
= NULL
;
5245 if (!get_lsa_policy_samr_sid(p
, r
->in
.group_handle
, &group_sid
, &acc_granted
, &disp_info
))
5246 return NT_STATUS_INVALID_HANDLE
;
5248 status
= access_check_samr_function(acc_granted
,
5249 SAMR_GROUP_ACCESS_SET_INFO
,
5250 "_samr_SetGroupInfo");
5251 if (!NT_STATUS_IS_OK(status
)) {
5256 ret
= get_domain_group_from_sid(group_sid
, &map
);
5259 return NT_STATUS_NO_SUCH_GROUP
;
5261 switch (r
->in
.level
) {
5263 fstrcpy(map
.comment
, r
->in
.info
->all
.description
.string
);
5266 /* group rename is not supported yet */
5267 return NT_STATUS_NOT_SUPPORTED
;
5269 fstrcpy(map
.comment
, r
->in
.info
->description
.string
);
5272 return NT_STATUS_INVALID_INFO_CLASS
;
5275 can_mod_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_add_users
);
5277 /******** BEGIN SeAddUsers BLOCK *********/
5279 if ( can_mod_accounts
)
5282 status
= pdb_update_group_mapping_entry(&map
);
5284 if ( can_mod_accounts
)
5287 /******** End SeAddUsers BLOCK *********/
5289 if (NT_STATUS_IS_OK(status
)) {
5290 force_flush_samr_cache(disp_info
);
5296 /*********************************************************************
5298 *********************************************************************/
5300 NTSTATUS
_samr_SetAliasInfo(pipes_struct
*p
,
5301 struct samr_SetAliasInfo
*r
)
5304 struct acct_info info
;
5306 bool can_mod_accounts
;
5308 DISP_INFO
*disp_info
= NULL
;
5310 if (!get_lsa_policy_samr_sid(p
, r
->in
.alias_handle
, &group_sid
, &acc_granted
, &disp_info
))
5311 return NT_STATUS_INVALID_HANDLE
;
5313 status
= access_check_samr_function(acc_granted
,
5314 SAMR_ALIAS_ACCESS_SET_INFO
,
5315 "_samr_SetAliasInfo");
5316 if (!NT_STATUS_IS_OK(status
)) {
5320 /* get the current group information */
5323 status
= pdb_get_aliasinfo( &group_sid
, &info
);
5326 if ( !NT_STATUS_IS_OK(status
))
5329 switch (r
->in
.level
) {
5334 /* We currently do not support renaming groups in the
5335 the BUILTIN domain. Refer to util_builtin.c to understand
5336 why. The eventually needs to be fixed to be like Windows
5337 where you can rename builtin groups, just not delete them */
5339 if ( sid_check_is_in_builtin( &group_sid
) ) {
5340 return NT_STATUS_SPECIAL_ACCOUNT
;
5343 /* There has to be a valid name (and it has to be different) */
5345 if ( !r
->in
.info
->name
.string
)
5346 return NT_STATUS_INVALID_PARAMETER
;
5348 /* If the name is the same just reply "ok". Yes this
5349 doesn't allow you to change the case of a group name. */
5351 if ( strequal( r
->in
.info
->name
.string
, info
.acct_name
) )
5352 return NT_STATUS_OK
;
5354 fstrcpy( info
.acct_name
, r
->in
.info
->name
.string
);
5356 /* make sure the name doesn't already exist as a user
5359 fstr_sprintf( group_name
, "%s\\%s", global_myname(), info
.acct_name
);
5360 status
= can_create( p
->mem_ctx
, group_name
);
5361 if ( !NT_STATUS_IS_OK( status
) )
5365 case ALIASINFODESCRIPTION
:
5366 if (r
->in
.info
->description
.string
) {
5367 fstrcpy(info
.acct_desc
,
5368 r
->in
.info
->description
.string
);
5370 fstrcpy( info
.acct_desc
, "" );
5374 return NT_STATUS_INVALID_INFO_CLASS
;
5377 can_mod_accounts
= user_has_privileges( p
->server_info
->ptok
, &se_add_users
);
5379 /******** BEGIN SeAddUsers BLOCK *********/
5381 if ( can_mod_accounts
)
5384 status
= pdb_set_aliasinfo( &group_sid
, &info
);
5386 if ( can_mod_accounts
)
5389 /******** End SeAddUsers BLOCK *********/
5391 if (NT_STATUS_IS_OK(status
))
5392 force_flush_samr_cache(disp_info
);
5397 /****************************************************************
5399 ****************************************************************/
5401 NTSTATUS
_samr_GetDomPwInfo(pipes_struct
*p
,
5402 struct samr_GetDomPwInfo
*r
)
5404 uint32_t min_password_length
= 0;
5405 uint32_t password_properties
= 0;
5407 /* Perform access check. Since this rpc does not require a
5408 policy handle it will not be caught by the access checks on
5409 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5411 if (!pipe_access_check(p
)) {
5412 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5413 return NT_STATUS_ACCESS_DENIED
;
5417 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
,
5418 &min_password_length
);
5419 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
5420 &password_properties
);
5423 if (lp_check_password_script() && *lp_check_password_script()) {
5424 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
5427 r
->out
.info
->min_password_length
= min_password_length
;
5428 r
->out
.info
->password_properties
= password_properties
;
5430 return NT_STATUS_OK
;
5433 /*********************************************************************
5435 *********************************************************************/
5437 NTSTATUS
_samr_OpenGroup(pipes_struct
*p
,
5438 struct samr_OpenGroup
*r
)
5444 struct samr_info
*info
;
5445 SEC_DESC
*psd
= NULL
;
5447 uint32 des_access
= r
->in
.access_mask
;
5454 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &sid
, &acc_granted
, NULL
))
5455 return NT_STATUS_INVALID_HANDLE
;
5457 status
= access_check_samr_function(acc_granted
,
5458 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
5461 if ( !NT_STATUS_IS_OK(status
) )
5464 /*check if access can be granted as requested by client. */
5465 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
5467 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &grp_generic_mapping
, NULL
, 0);
5468 se_map_generic(&des_access
,&grp_generic_mapping
);
5470 se_priv_copy( &se_rights
, &se_add_users
);
5472 status
= access_check_samr_object(psd
, p
->server_info
->ptok
,
5473 &se_rights
, GENERIC_RIGHTS_GROUP_WRITE
, des_access
,
5474 &acc_granted
, "_samr_OpenGroup");
5476 if ( !NT_STATUS_IS_OK(status
) )
5479 /* this should not be hard-coded like this */
5481 if (!sid_equal(&sid
, get_global_sam_sid()))
5482 return NT_STATUS_ACCESS_DENIED
;
5484 sid_copy(&info_sid
, get_global_sam_sid());
5485 sid_append_rid(&info_sid
, r
->in
.rid
);
5486 sid_to_fstring(sid_string
, &info_sid
);
5488 if ((info
= get_samr_info_by_sid(p
->mem_ctx
, &info_sid
)) == NULL
)
5489 return NT_STATUS_NO_MEMORY
;
5491 info
->acc_granted
= acc_granted
;
5493 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string
));
5495 /* check if that group really exists */
5497 ret
= get_domain_group_from_sid(info
->sid
, &map
);
5500 return NT_STATUS_NO_SUCH_GROUP
;
5502 /* get a (unique) handle. open a policy on it. */
5503 if (!create_policy_hnd(p
, r
->out
.group_handle
, info
))
5504 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
5506 return NT_STATUS_OK
;
5509 /*********************************************************************
5510 _samr_RemoveMemberFromForeignDomain
5511 *********************************************************************/
5513 NTSTATUS
_samr_RemoveMemberFromForeignDomain(pipes_struct
*p
,
5514 struct samr_RemoveMemberFromForeignDomain
*r
)
5516 DOM_SID delete_sid
, domain_sid
;
5519 DISP_INFO
*disp_info
= NULL
;
5521 sid_copy( &delete_sid
, r
->in
.sid
);
5523 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5524 sid_string_dbg(&delete_sid
)));
5526 /* Find the policy handle. Open a policy on it. */
5528 if (!get_lsa_policy_samr_sid(p
, r
->in
.domain_handle
, &domain_sid
,
5529 &acc_granted
, &disp_info
))
5530 return NT_STATUS_INVALID_HANDLE
;
5532 result
= access_check_samr_function(acc_granted
,
5533 STD_RIGHT_DELETE_ACCESS
,
5534 "_samr_RemoveMemberFromForeignDomain");
5536 if (!NT_STATUS_IS_OK(result
))
5539 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5540 sid_string_dbg(&domain_sid
)));
5542 /* we can only delete a user from a group since we don't have
5543 nested groups anyways. So in the latter case, just say OK */
5545 /* TODO: The above comment nowadays is bogus. Since we have nested
5546 * groups now, and aliases members are never reported out of the unix
5547 * group membership, the "just say OK" makes this call a no-op. For
5548 * us. This needs fixing however. */
5550 /* I've only ever seen this in the wild when deleting a user from
5551 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5552 * is the user about to be deleted. I very much suspect this is the
5553 * only application of this call. To verify this, let people report
5556 if (!sid_check_is_builtin(&domain_sid
)) {
5557 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5558 "global_sam_sid() = %s\n",
5559 sid_string_dbg(&domain_sid
),
5560 sid_string_dbg(get_global_sam_sid())));
5561 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5562 return NT_STATUS_OK
;
5565 force_flush_samr_cache(disp_info
);
5567 result
= NT_STATUS_OK
;
5572 /*******************************************************************
5573 _samr_QueryDomainInfo2
5574 ********************************************************************/
5576 NTSTATUS
_samr_QueryDomainInfo2(pipes_struct
*p
,
5577 struct samr_QueryDomainInfo2
*r
)
5579 struct samr_QueryDomainInfo q
;
5581 q
.in
.domain_handle
= r
->in
.domain_handle
;
5582 q
.in
.level
= r
->in
.level
;
5584 q
.out
.info
= r
->out
.info
;
5586 return _samr_QueryDomainInfo(p
, &q
);
5589 /*******************************************************************
5591 ********************************************************************/
5593 NTSTATUS
_samr_SetDomainInfo(pipes_struct
*p
,
5594 struct samr_SetDomainInfo
*r
)
5596 struct samr_info
*info
= NULL
;
5597 time_t u_expire
, u_min_age
;
5599 time_t u_lock_duration
, u_reset_time
;
5602 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
5604 /* find the policy handle. open a policy on it. */
5605 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
))
5606 return NT_STATUS_INVALID_HANDLE
;
5608 /* We do have different access bits for info
5609 * levels here, but we're really just looking for
5610 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5611 * this maps to different specific bits. So
5612 * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
5615 result
= access_check_samr_function(info
->acc_granted
,
5616 SAMR_DOMAIN_ACCESS_SET_INFO_1
,
5617 "_samr_SetDomainInfo");
5619 if (!NT_STATUS_IS_OK(result
))
5622 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r
->in
.level
));
5624 switch (r
->in
.level
) {
5626 u_expire
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info1
.max_password_age
);
5627 u_min_age
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info1
.min_password_age
);
5628 pdb_set_account_policy(AP_MIN_PASSWORD_LEN
, (uint32
)r
->in
.info
->info1
.min_password_length
);
5629 pdb_set_account_policy(AP_PASSWORD_HISTORY
, (uint32
)r
->in
.info
->info1
.password_history_length
);
5630 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
, (uint32
)r
->in
.info
->info1
.password_properties
);
5631 pdb_set_account_policy(AP_MAX_PASSWORD_AGE
, (int)u_expire
);
5632 pdb_set_account_policy(AP_MIN_PASSWORD_AGE
, (int)u_min_age
);
5637 u_logout
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info3
.force_logoff_time
);
5638 pdb_set_account_policy(AP_TIME_TO_LOGOUT
, (int)u_logout
);
5647 u_lock_duration
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info12
.lockout_duration
);
5648 if (u_lock_duration
!= -1)
5649 u_lock_duration
/= 60;
5651 u_reset_time
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info12
.lockout_window
)/60;
5653 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION
, (int)u_lock_duration
);
5654 pdb_set_account_policy(AP_RESET_COUNT_TIME
, (int)u_reset_time
);
5655 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT
, (uint32
)r
->in
.info
->info12
.lockout_threshold
);
5658 return NT_STATUS_INVALID_INFO_CLASS
;
5661 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
5663 return NT_STATUS_OK
;
5666 /****************************************************************
5667 _samr_GetDisplayEnumerationIndex
5668 ****************************************************************/
5670 NTSTATUS
_samr_GetDisplayEnumerationIndex(pipes_struct
*p
,
5671 struct samr_GetDisplayEnumerationIndex
*r
)
5673 struct samr_info
*info
= NULL
;
5674 uint32_t max_entries
= (uint32_t) -1;
5675 uint32_t enum_context
= 0;
5677 uint32_t num_account
= 0;
5678 struct samr_displayentry
*entries
= NULL
;
5681 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__
));
5683 /* find the policy handle. open a policy on it. */
5684 if (!find_policy_by_hnd(p
, r
->in
.domain_handle
, (void **)(void *)&info
)) {
5685 return NT_STATUS_INVALID_HANDLE
;
5688 status
= access_check_samr_function(info
->acc_granted
,
5689 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
,
5690 "_samr_GetDisplayEnumerationIndex");
5691 if (!NT_STATUS_IS_OK(status
)) {
5695 if ((r
->in
.level
< 1) || (r
->in
.level
> 3)) {
5696 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5697 "Unknown info level (%u)\n",
5699 return NT_STATUS_INVALID_INFO_CLASS
;
5704 /* The following done as ROOT. Don't return without unbecome_root(). */
5706 switch (r
->in
.level
) {
5708 if (info
->disp_info
->users
== NULL
) {
5709 info
->disp_info
->users
= pdb_search_users(
5710 info
->disp_info
, ACB_NORMAL
);
5711 if (info
->disp_info
->users
== NULL
) {
5713 return NT_STATUS_ACCESS_DENIED
;
5715 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5716 "starting user enumeration at index %u\n",
5717 (unsigned int)enum_context
));
5719 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5720 "using cached user enumeration at index %u\n",
5721 (unsigned int)enum_context
));
5723 num_account
= pdb_search_entries(info
->disp_info
->users
,
5724 enum_context
, max_entries
,
5728 if (info
->disp_info
->machines
== NULL
) {
5729 info
->disp_info
->machines
= pdb_search_users(
5730 info
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
5731 if (info
->disp_info
->machines
== NULL
) {
5733 return NT_STATUS_ACCESS_DENIED
;
5735 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5736 "starting machine enumeration at index %u\n",
5737 (unsigned int)enum_context
));
5739 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5740 "using cached machine enumeration at index %u\n",
5741 (unsigned int)enum_context
));
5743 num_account
= pdb_search_entries(info
->disp_info
->machines
,
5744 enum_context
, max_entries
,
5748 if (info
->disp_info
->groups
== NULL
) {
5749 info
->disp_info
->groups
= pdb_search_groups(
5751 if (info
->disp_info
->groups
== NULL
) {
5753 return NT_STATUS_ACCESS_DENIED
;
5755 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5756 "starting group enumeration at index %u\n",
5757 (unsigned int)enum_context
));
5759 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5760 "using cached group enumeration at index %u\n",
5761 (unsigned int)enum_context
));
5763 num_account
= pdb_search_entries(info
->disp_info
->groups
,
5764 enum_context
, max_entries
,
5769 smb_panic("info class changed");
5775 /* Ensure we cache this enumeration. */
5776 set_disp_info_cache_timeout(info
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
5778 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5779 r
->in
.name
->string
));
5781 for (i
=0; i
<num_account
; i
++) {
5782 if (strequal(entries
[i
].account_name
, r
->in
.name
->string
)) {
5783 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5784 "found %s at idx %d\n",
5785 r
->in
.name
->string
, i
));
5787 return NT_STATUS_OK
;
5791 /* assuming account_name lives at the very end */
5792 *r
->out
.idx
= num_account
;
5794 return NT_STATUS_NO_MORE_ENTRIES
;
5797 /****************************************************************
5798 _samr_GetDisplayEnumerationIndex2
5799 ****************************************************************/
5801 NTSTATUS
_samr_GetDisplayEnumerationIndex2(pipes_struct
*p
,
5802 struct samr_GetDisplayEnumerationIndex2
*r
)
5804 struct samr_GetDisplayEnumerationIndex q
;
5806 q
.in
.domain_handle
= r
->in
.domain_handle
;
5807 q
.in
.level
= r
->in
.level
;
5808 q
.in
.name
= r
->in
.name
;
5810 q
.out
.idx
= r
->out
.idx
;
5812 return _samr_GetDisplayEnumerationIndex(p
, &q
);
5815 /****************************************************************
5816 ****************************************************************/
5818 NTSTATUS
_samr_Shutdown(pipes_struct
*p
,
5819 struct samr_Shutdown
*r
)
5821 p
->rng_fault_state
= true;
5822 return NT_STATUS_NOT_IMPLEMENTED
;
5825 /****************************************************************
5826 ****************************************************************/
5828 NTSTATUS
_samr_SetMemberAttributesOfGroup(pipes_struct
*p
,
5829 struct samr_SetMemberAttributesOfGroup
*r
)
5831 p
->rng_fault_state
= true;
5832 return NT_STATUS_NOT_IMPLEMENTED
;
5835 /****************************************************************
5836 ****************************************************************/
5838 NTSTATUS
_samr_ChangePasswordUser(pipes_struct
*p
,
5839 struct samr_ChangePasswordUser
*r
)
5841 p
->rng_fault_state
= true;
5842 return NT_STATUS_NOT_IMPLEMENTED
;
5845 /****************************************************************
5846 ****************************************************************/
5848 NTSTATUS
_samr_TestPrivateFunctionsDomain(pipes_struct
*p
,
5849 struct samr_TestPrivateFunctionsDomain
*r
)
5851 p
->rng_fault_state
= true;
5852 return NT_STATUS_NOT_IMPLEMENTED
;
5855 /****************************************************************
5856 ****************************************************************/
5858 NTSTATUS
_samr_TestPrivateFunctionsUser(pipes_struct
*p
,
5859 struct samr_TestPrivateFunctionsUser
*r
)
5861 p
->rng_fault_state
= true;
5862 return NT_STATUS_NOT_IMPLEMENTED
;
5865 /****************************************************************
5866 ****************************************************************/
5868 NTSTATUS
_samr_AddMultipleMembersToAlias(pipes_struct
*p
,
5869 struct samr_AddMultipleMembersToAlias
*r
)
5871 p
->rng_fault_state
= true;
5872 return NT_STATUS_NOT_IMPLEMENTED
;
5875 /****************************************************************
5876 ****************************************************************/
5878 NTSTATUS
_samr_RemoveMultipleMembersFromAlias(pipes_struct
*p
,
5879 struct samr_RemoveMultipleMembersFromAlias
*r
)
5881 p
->rng_fault_state
= true;
5882 return NT_STATUS_NOT_IMPLEMENTED
;
5885 /****************************************************************
5886 ****************************************************************/
5888 NTSTATUS
_samr_OemChangePasswordUser2(pipes_struct
*p
,
5889 struct samr_OemChangePasswordUser2
*r
)
5891 p
->rng_fault_state
= true;
5892 return NT_STATUS_NOT_IMPLEMENTED
;
5895 /****************************************************************
5896 ****************************************************************/
5898 NTSTATUS
_samr_SetBootKeyInformation(pipes_struct
*p
,
5899 struct samr_SetBootKeyInformation
*r
)
5901 p
->rng_fault_state
= true;
5902 return NT_STATUS_NOT_IMPLEMENTED
;
5905 /****************************************************************
5906 ****************************************************************/
5908 NTSTATUS
_samr_GetBootKeyInformation(pipes_struct
*p
,
5909 struct samr_GetBootKeyInformation
*r
)
5911 p
->rng_fault_state
= true;
5912 return NT_STATUS_NOT_IMPLEMENTED
;
5915 /****************************************************************
5916 ****************************************************************/
5918 NTSTATUS
_samr_RidToSid(pipes_struct
*p
,
5919 struct samr_RidToSid
*r
)
5921 p
->rng_fault_state
= true;
5922 return NT_STATUS_NOT_IMPLEMENTED
;
5925 /****************************************************************
5926 ****************************************************************/
5928 NTSTATUS
_samr_SetDsrmPassword(pipes_struct
*p
,
5929 struct samr_SetDsrmPassword
*r
)
5931 p
->rng_fault_state
= true;
5932 return NT_STATUS_NOT_IMPLEMENTED
;
5935 /****************************************************************
5936 ****************************************************************/
5938 NTSTATUS
_samr_ValidatePassword(pipes_struct
*p
,
5939 struct samr_ValidatePassword
*r
)
5941 p
->rng_fault_state
= true;
5942 return NT_STATUS_NOT_IMPLEMENTED
;