search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added ability to revert to old modules for make revert.
[Samba.git] / source3 / rpc_server / srv_samr_nt.c
blob165fb1729cf9ea9db07fd5ef8ff99cc41ccf49c1
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
42 SAMR_USER_ACCESS_SET_LOC_COM)
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
45
46 #define DISP_INFO_CACHE_TIMEOUT 10
47
48 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
49 #define MAX_SAM_ENTRIES_W95 50
50
51 typedef struct disp_info {
52 DOM_SID sid; /* identify which domain this is. */
53 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
54 struct pdb_search *users; /* querydispinfo 1 and 4 */
55 struct pdb_search *machines; /* querydispinfo 2 */
56 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
57 struct pdb_search *aliases; /* enumaliases */
58
59 uint16 enum_acb_mask;
60 struct pdb_search *enum_users; /* enumusers with a mask */
61
62 struct timed_event *cache_timeout_event; /* cache idle timeout
63 * handler. */
64 } DISP_INFO;
65
66 /* We keep a static list of these by SID as modern clients close down
67 all resources between each request in a complete enumeration. */
68
69 struct samr_info {
70 /* for use by the \PIPE\samr policy */
71 DOM_SID sid;
72 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
73 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
74 uint32 acc_granted;
75 DISP_INFO *disp_info;
76 };
77
78 static const struct generic_mapping sam_generic_mapping = {
79 GENERIC_RIGHTS_SAM_READ,
80 GENERIC_RIGHTS_SAM_WRITE,
81 GENERIC_RIGHTS_SAM_EXECUTE,
82 GENERIC_RIGHTS_SAM_ALL_ACCESS};
83 static const struct generic_mapping dom_generic_mapping = {
84 GENERIC_RIGHTS_DOMAIN_READ,
85 GENERIC_RIGHTS_DOMAIN_WRITE,
86 GENERIC_RIGHTS_DOMAIN_EXECUTE,
87 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
88 static const struct generic_mapping usr_generic_mapping = {
89 GENERIC_RIGHTS_USER_READ,
90 GENERIC_RIGHTS_USER_WRITE,
91 GENERIC_RIGHTS_USER_EXECUTE,
92 GENERIC_RIGHTS_USER_ALL_ACCESS};
93 static const struct generic_mapping usr_nopwchange_generic_mapping = {
94 GENERIC_RIGHTS_USER_READ,
95 GENERIC_RIGHTS_USER_WRITE,
96 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
97 GENERIC_RIGHTS_USER_ALL_ACCESS};
98 static const struct generic_mapping grp_generic_mapping = {
99 GENERIC_RIGHTS_GROUP_READ,
100 GENERIC_RIGHTS_GROUP_WRITE,
101 GENERIC_RIGHTS_GROUP_EXECUTE,
102 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
103 static const struct generic_mapping ali_generic_mapping = {
104 GENERIC_RIGHTS_ALIAS_READ,
105 GENERIC_RIGHTS_ALIAS_WRITE,
106 GENERIC_RIGHTS_ALIAS_EXECUTE,
107 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
108
109 /*******************************************************************
110 *******************************************************************/
111
112 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
113 const struct generic_mapping *map,
114 DOM_SID *sid, uint32 sid_access )
115 {
116 DOM_SID domadmin_sid;
117 SEC_ACE ace[5]; /* at most 5 entries */
118 size_t i = 0;
119
120 SEC_ACL *psa = NULL;
121
122 /* basic access for Everyone */
123
124 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
125 map->generic_execute | map->generic_read, 0);
126
127 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
128
129 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
130 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
131 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
132 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
133
134 /* Add Full Access for Domain Admins if we are a DC */
135
136 if ( IS_DC ) {
137 sid_copy( &domadmin_sid, get_global_sam_sid() );
138 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
139 init_sec_ace(&ace[i++], &domadmin_sid,
140 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
141 }
142
143 /* if we have a sid, give it some special access */
144
145 if ( sid ) {
146 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
147 }
148
149 /* create the security descriptor */
150
151 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
152 return NT_STATUS_NO_MEMORY;
153
154 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
155 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
156 psa, sd_size)) == NULL)
157 return NT_STATUS_NO_MEMORY;
158
159 return NT_STATUS_OK;
160 }
161
162 /*******************************************************************
163 Checks if access to an object should be granted, and returns that
164 level of access for further checks.
165 ********************************************************************/
166
167 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
168 SE_PRIV *rights, uint32 rights_mask,
169 uint32 des_access, uint32 *acc_granted,
170 const char *debug )
171 {
172 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
173 uint32 saved_mask = 0;
174
175 /* check privileges; certain SAM access bits should be overridden
176 by privileges (mostly having to do with creating/modifying/deleting
177 users and groups) */
178
179 if ( rights && user_has_any_privilege( token, rights ) ) {
180
181 saved_mask = (des_access & rights_mask);
182 des_access &= ~saved_mask;
183
184 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
185 rights_mask));
186 }
187
188
189 /* check the security descriptor first */
190
191 status = se_access_check(psd, token, des_access, acc_granted);
192 if (NT_STATUS_IS_OK(status)) {
193 goto done;
194 }
195
196 /* give root a free pass */
197
198 if ( geteuid() == sec_initial_uid() ) {
199
200 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
201 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
202
203 *acc_granted = des_access;
204
205 status = NT_STATUS_OK;
206 goto done;
207 }
208
209
210 done:
211 /* add in any bits saved during the privilege check (only
212 matters is status is ok) */
213
214 *acc_granted |= rights_mask;
215
216 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
217 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
218 des_access, *acc_granted));
219
220 return status;
221 }
222
223 /*******************************************************************
224 Checks if access to a function can be granted
225 ********************************************************************/
226
227 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
228 {
229 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
230 debug, acc_granted, acc_required));
231
232 /* check the security descriptor first */
233
234 if ( (acc_granted&acc_required) == acc_required )
235 return NT_STATUS_OK;
236
237 /* give root a free pass */
238
239 if (geteuid() == sec_initial_uid()) {
240
241 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
242 debug, acc_granted, acc_required));
243 DEBUGADD(4,("but overwritten by euid == 0\n"));
244
245 return NT_STATUS_OK;
246 }
247
248 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
249 debug, acc_granted, acc_required));
250
251 return NT_STATUS_ACCESS_DENIED;
252 }
253
254 /*******************************************************************
255 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
256 ********************************************************************/
257
258 static void map_max_allowed_access(const NT_USER_TOKEN *token,
259 uint32_t *pacc_requested)
260 {
261 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
262 return;
263 }
264 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
265
266 /* At least try for generic read. */
267 *pacc_requested = GENERIC_READ_ACCESS;
268
269 /* root gets anything. */
270 if (geteuid() == sec_initial_uid()) {
271 *pacc_requested |= GENERIC_ALL_ACCESS;
272 return;
273 }
274
275 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
276
277 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
278 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
279 *pacc_requested |= GENERIC_ALL_ACCESS;
280 return;
281 }
282
283 /* Full access for DOMAIN\Domain Admins. */
284 if ( IS_DC ) {
285 DOM_SID domadmin_sid;
286 sid_copy( &domadmin_sid, get_global_sam_sid() );
287 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
288 if (is_sid_in_token(token, &domadmin_sid)) {
289 *pacc_requested |= GENERIC_ALL_ACCESS;
290 return;
291 }
292 }
293 /* TODO ! Check privileges. */
294 }
295
296 /*******************************************************************
297 Fetch or create a dispinfo struct.
298 ********************************************************************/
299
300 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
301 {
302 /*
303 * We do a static cache for DISP_INFO's here. Explanation can be found
304 * in Jeremy's checkin message to r11793:
305 *
306 * Fix the SAMR cache so it works across completely insane
307 * client behaviour (ie.:
308 * open pipe/open SAMR handle/enumerate 0 - 1024
309 * close SAMR handle, close pipe.
310 * open pipe/open SAMR handle/enumerate 1024 - 2048...
311 * close SAMR handle, close pipe.
312 * And on ad-nausium. Amazing.... probably object-oriented
313 * client side programming in action yet again.
314 * This change should *massively* improve performance when
315 * enumerating users from an LDAP database.
316 * Jeremy.
317 *
318 * "Our" and the builtin domain are the only ones where we ever
319 * enumerate stuff, so just cache 2 entries.
320 */
321
322 static struct disp_info *builtin_dispinfo;
323 static struct disp_info *domain_dispinfo;
324
325 /* There are two cases to consider here:
326 1) The SID is a domain SID and we look for an equality match, or
327 2) This is an account SID and so we return the DISP_INFO* for our
328 domain */
329
330 if (psid == NULL) {
331 return NULL;
332 }
333
334 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
335 /*
336 * Necessary only once, but it does not really hurt.
337 */
338 if (builtin_dispinfo == NULL) {
339 builtin_dispinfo = talloc_zero(
340 talloc_autofree_context(), struct disp_info);
341 if (builtin_dispinfo == NULL) {
342 return NULL;
343 }
344 }
345 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
346 builtin_dispinfo->builtin_domain = true;
347
348 return builtin_dispinfo;
349 }
350
351 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
352 /*
353 * Necessary only once, but it does not really hurt.
354 */
355 if (domain_dispinfo == NULL) {
356 domain_dispinfo = talloc_zero(
357 talloc_autofree_context(), struct disp_info);
358 if (domain_dispinfo == NULL) {
359 return NULL;
360 }
361 }
362 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
363 domain_dispinfo->builtin_domain = false;
364
365 return domain_dispinfo;
366 }
367
368 return NULL;
369 }
370
371 /*******************************************************************
372 Create a samr_info struct.
373 ********************************************************************/
374
375 static int samr_info_destructor(struct samr_info *info);
376
377 static struct samr_info *get_samr_info_by_sid(TALLOC_CTX *mem_ctx,
378 DOM_SID *psid)
379 {
380 struct samr_info *info;
381 fstring sid_str;
382
383 if (psid) {
384 sid_to_fstring(sid_str, psid);
385 } else {
386 fstrcpy(sid_str,"(NULL)");
387 }
388
389 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL) {
390 return NULL;
391 }
392 talloc_set_destructor(info, samr_info_destructor);
393
394 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
395 if (psid) {
396 sid_copy( &info->sid, psid);
397 info->builtin_domain = sid_check_is_builtin(psid);
398 } else {
399 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
400 info->builtin_domain = False;
401 }
402
403 info->disp_info = get_samr_dispinfo_by_sid(psid);
404
405 return info;
406 }
407
408 /*******************************************************************
409 Function to free the per SID data.
410 ********************************************************************/
411
412 static void free_samr_cache(DISP_INFO *disp_info)
413 {
414 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
415 sid_string_dbg(&disp_info->sid)));
416
417 /* We need to become root here because the paged search might have to
418 * tell the LDAP server we're not interested in the rest anymore. */
419
420 become_root();
421
422 TALLOC_FREE(disp_info->users);
423 TALLOC_FREE(disp_info->machines);
424 TALLOC_FREE(disp_info->groups);
425 TALLOC_FREE(disp_info->aliases);
426 TALLOC_FREE(disp_info->enum_users);
427
428 unbecome_root();
429 }
430
431 static int samr_info_destructor(struct samr_info *info)
432 {
433 /* Only free the dispinfo cache if no one bothered to set up
434 a timeout. */
435
436 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
437 free_samr_cache(info->disp_info);
438 }
439 return 0;
440 }
441
442 /*******************************************************************
443 Idle event handler. Throw away the disp info cache.
444 ********************************************************************/
445
446 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
447 struct timed_event *te,
448 struct timeval now,
449 void *private_data)
450 {
451 DISP_INFO *disp_info = (DISP_INFO *)private_data;
452
453 TALLOC_FREE(disp_info->cache_timeout_event);
454
455 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
456 "out\n"));
457 free_samr_cache(disp_info);
458 }
459
460 /*******************************************************************
461 Setup cache removal idle event handler.
462 ********************************************************************/
463
464 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
465 {
466 /* Remove any pending timeout and update. */
467
468 TALLOC_FREE(disp_info->cache_timeout_event);
469
470 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
471 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
472 (unsigned int)secs_fromnow ));
473
474 disp_info->cache_timeout_event = event_add_timed(
475 smbd_event_context(), NULL,
476 timeval_current_ofs(secs_fromnow, 0),
477 disp_info_cache_idle_timeout_handler, (void *)disp_info);
478 }
479
480 /*******************************************************************
481 Force flush any cache. We do this on any samr_set_xxx call.
482 We must also remove the timeout handler.
483 ********************************************************************/
484
485 static void force_flush_samr_cache(DISP_INFO *disp_info)
486 {
487 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
488 return;
489 }
490
491 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
492 TALLOC_FREE(disp_info->cache_timeout_event);
493 free_samr_cache(disp_info);
494 }
495
496 /*******************************************************************
497 Ensure password info is never given out. Paranioa... JRA.
498 ********************************************************************/
499
500 static void samr_clear_sam_passwd(struct samu *sam_pass)
501 {
502
503 if (!sam_pass)
504 return;
505
506 /* These now zero out the old password */
507
508 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
509 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
510 }
511
512 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
513 {
514 struct samr_displayentry *entry;
515
516 if (info->builtin_domain) {
517 /* No users in builtin. */
518 return 0;
519 }
520
521 if (info->users == NULL) {
522 info->users = pdb_search_users(info, acct_flags);
523 if (info->users == NULL) {
524 return 0;
525 }
526 }
527 /* Fetch the last possible entry, thus trigger an enumeration */
528 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
529
530 /* Ensure we cache this enumeration. */
531 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
532
533 return info->users->num_entries;
534 }
535
536 static uint32 count_sam_groups(struct disp_info *info)
537 {
538 struct samr_displayentry *entry;
539
540 if (info->builtin_domain) {
541 /* No groups in builtin. */
542 return 0;
543 }
544
545 if (info->groups == NULL) {
546 info->groups = pdb_search_groups(info);
547 if (info->groups == NULL) {
548 return 0;
549 }
550 }
551 /* Fetch the last possible entry, thus trigger an enumeration */
552 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
553
554 /* Ensure we cache this enumeration. */
555 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
556
557 return info->groups->num_entries;
558 }
559
560 static uint32 count_sam_aliases(struct disp_info *info)
561 {
562 struct samr_displayentry *entry;
563
564 if (info->aliases == NULL) {
565 info->aliases = pdb_search_aliases(info, &info->sid);
566 if (info->aliases == NULL) {
567 return 0;
568 }
569 }
570 /* Fetch the last possible entry, thus trigger an enumeration */
571 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
572
573 /* Ensure we cache this enumeration. */
574 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
575
576 return info->aliases->num_entries;
577 }
578
579 /*******************************************************************
580 _samr_Close
581 ********************************************************************/
582
583 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
584 {
585 if (!close_policy_hnd(p, r->in.handle)) {
586 return NT_STATUS_INVALID_HANDLE;
587 }
588
589 ZERO_STRUCTP(r->out.handle);
590
591 return NT_STATUS_OK;
592 }
593
594 /*******************************************************************
595 _samr_OpenDomain
596 ********************************************************************/
597
598 NTSTATUS _samr_OpenDomain(pipes_struct *p,
599 struct samr_OpenDomain *r)
600 {
601 struct samr_info *info;
602 SEC_DESC *psd = NULL;
603 uint32 acc_granted;
604 uint32 des_access = r->in.access_mask;
605 NTSTATUS status;
606 size_t sd_size;
607 SE_PRIV se_rights;
608
609 /* find the connection policy handle. */
610
611 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
612 return NT_STATUS_INVALID_HANDLE;
613
614 /*check if access can be granted as requested by client. */
615 map_max_allowed_access(p->server_info->ptok, &des_access);
616
617 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
618 se_map_generic( &des_access, &dom_generic_mapping );
619
620 se_priv_copy( &se_rights, &se_machine_account );
621 se_priv_add( &se_rights, &se_add_users );
622
623 status = access_check_samr_object( psd, p->server_info->ptok,
624 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
625 &acc_granted, "_samr_OpenDomain" );
626
627 if ( !NT_STATUS_IS_OK(status) )
628 return status;
629
630 if (!sid_check_is_domain(r->in.sid) &&
631 !sid_check_is_builtin(r->in.sid)) {
632 return NT_STATUS_NO_SUCH_DOMAIN;
633 }
634
635 /* associate the domain SID with the (unique) handle. */
636 if ((info = get_samr_info_by_sid(p->mem_ctx, r->in.sid))==NULL)
637 return NT_STATUS_NO_MEMORY;
638 info->acc_granted = acc_granted;
639
640 /* get a (unique) handle. open a policy on it. */
641 if (!create_policy_hnd(p, r->out.domain_handle, info))
642 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
643
644 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
645
646 return NT_STATUS_OK;
647 }
648
649 /*******************************************************************
650 _samr_GetUserPwInfo
651 ********************************************************************/
652
653 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
654 struct samr_GetUserPwInfo *r)
655 {
656 struct samr_info *info = NULL;
657 enum lsa_SidType sid_type;
658 uint32_t min_password_length = 0;
659 uint32_t password_properties = 0;
660 bool ret = false;
661 NTSTATUS status;
662
663 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
664
665 /* find the policy handle. open a policy on it. */
666 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
667 return NT_STATUS_INVALID_HANDLE;
668 }
669
670 status = access_check_samr_function(info->acc_granted,
671 SAMR_USER_ACCESS_GET_ATTRIBUTES,
672 "_samr_GetUserPwInfo" );
673 if (!NT_STATUS_IS_OK(status)) {
674 return status;
675 }
676
677 if (!sid_check_is_in_our_domain(&info->sid)) {
678 return NT_STATUS_OBJECT_TYPE_MISMATCH;
679 }
680
681 become_root();
682 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
683 unbecome_root();
684 if (ret == false) {
685 return NT_STATUS_NO_SUCH_USER;
686 }
687
688 switch (sid_type) {
689 case SID_NAME_USER:
690 become_root();
691 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
692 &min_password_length);
693 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
694 &password_properties);
695 unbecome_root();
696
697 if (lp_check_password_script() && *lp_check_password_script()) {
698 password_properties |= DOMAIN_PASSWORD_COMPLEX;
699 }
700
701 break;
702 default:
703 break;
704 }
705
706 r->out.info->min_password_length = min_password_length;
707 r->out.info->password_properties = password_properties;
708
709 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
710
711 return NT_STATUS_OK;
712 }
713
714 /*******************************************************************
715 ********************************************************************/
716
717 static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol,
718 DOM_SID *sid, uint32 *acc_granted,
719 DISP_INFO **ppdisp_info)
720 {
721 struct samr_info *info = NULL;
722
723 /* find the policy handle. open a policy on it. */
724 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
725 return False;
726
727 if (!info)
728 return False;
729
730 *sid = info->sid;
731 *acc_granted = info->acc_granted;
732 if (ppdisp_info) {
733 *ppdisp_info = info->disp_info;
734 }
735
736 return True;
737 }
738
739 /*******************************************************************
740 _samr_SetSecurity
741 ********************************************************************/
742
743 NTSTATUS _samr_SetSecurity(pipes_struct *p,
744 struct samr_SetSecurity *r)
745 {
746 DOM_SID pol_sid;
747 uint32 acc_granted, i;
748 SEC_ACL *dacl;
749 bool ret;
750 struct samu *sampass=NULL;
751 NTSTATUS status;
752
753 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
754 return NT_STATUS_INVALID_HANDLE;
755
756 if (!(sampass = samu_new( p->mem_ctx))) {
757 DEBUG(0,("No memory!\n"));
758 return NT_STATUS_NO_MEMORY;
759 }
760
761 /* get the user record */
762 become_root();
763 ret = pdb_getsampwsid(sampass, &pol_sid);
764 unbecome_root();
765
766 if (!ret) {
767 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
768 TALLOC_FREE(sampass);
769 return NT_STATUS_INVALID_HANDLE;
770 }
771
772 dacl = r->in.sdbuf->sd->dacl;
773 for (i=0; i < dacl->num_aces; i++) {
774 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
775 ret = pdb_set_pass_can_change(sampass,
776 (dacl->aces[i].access_mask &
777 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
778 True: False);
779 break;
780 }
781 }
782
783 if (!ret) {
784 TALLOC_FREE(sampass);
785 return NT_STATUS_ACCESS_DENIED;
786 }
787
788 status = access_check_samr_function(acc_granted,
789 SAMR_USER_ACCESS_SET_ATTRIBUTES,
790 "_samr_SetSecurity");
791 if (NT_STATUS_IS_OK(status)) {
792 become_root();
793 status = pdb_update_sam_account(sampass);
794 unbecome_root();
795 }
796
797 TALLOC_FREE(sampass);
798
799 return status;
800 }
801
802 /*******************************************************************
803 build correct perms based on policies and password times for _samr_query_sec_obj
804 *******************************************************************/
805 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
806 {
807 struct samu *sampass=NULL;
808 bool ret;
809
810 if ( !(sampass = samu_new( mem_ctx )) ) {
811 DEBUG(0,("No memory!\n"));
812 return False;
813 }
814
815 become_root();
816 ret = pdb_getsampwsid(sampass, user_sid);
817 unbecome_root();
818
819 if (ret == False) {
820 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
821 TALLOC_FREE(sampass);
822 return False;
823 }
824
825 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
826
827 if (pdb_get_pass_can_change(sampass)) {
828 TALLOC_FREE(sampass);
829 return True;
830 }
831 TALLOC_FREE(sampass);
832 return False;
833 }
834
835
836 /*******************************************************************
837 _samr_QuerySecurity
838 ********************************************************************/
839
840 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
841 struct samr_QuerySecurity *r)
842 {
843 NTSTATUS status;
844 DOM_SID pol_sid;
845 SEC_DESC * psd = NULL;
846 uint32 acc_granted;
847 size_t sd_size;
848
849 /* Get the SID. */
850 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
851 return NT_STATUS_INVALID_HANDLE;
852
853 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
854 sid_string_dbg(&pol_sid)));
855
856 status = access_check_samr_function(acc_granted,
857 STD_RIGHT_READ_CONTROL_ACCESS,
858 "_samr_QuerySecurity");
859 if (!NT_STATUS_IS_OK(status)) {
860 return status;
861 }
862
863 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
864
865 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
866 if (pol_sid.sid_rev_num == 0) {
867 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
868 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
869 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
870 /* check if it is our domain SID */
871 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
872 "with SID: %s\n", sid_string_dbg(&pol_sid)));
873 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
874 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
875 /* check if it is the Builtin Domain */
876 /* TODO: Builtin probably needs a different SD with restricted write access*/
877 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
878 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
879 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
880 } else if (sid_check_is_in_our_domain(&pol_sid) ||
881 sid_check_is_in_builtin(&pol_sid)) {
882 /* TODO: different SDs have to be generated for aliases groups and users.
883 Currently all three get a default user SD */
884 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
885 "with SID: %s\n", sid_string_dbg(&pol_sid)));
886 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
887 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
888 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
889 } else {
890 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
891 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
892 }
893 } else {
894 return NT_STATUS_OBJECT_TYPE_MISMATCH;
895 }
896
897 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
898 return NT_STATUS_NO_MEMORY;
899
900 return status;
901 }
902
903 /*******************************************************************
904 makes a SAM_ENTRY / UNISTR2* structure from a user list.
905 ********************************************************************/
906
907 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
908 struct samr_SamEntry **sam_pp,
909 uint32_t num_entries,
910 uint32_t start_idx,
911 struct samr_displayentry *entries)
912 {
913 uint32_t i;
914 struct samr_SamEntry *sam;
915
916 *sam_pp = NULL;
917
918 if (num_entries == 0) {
919 return NT_STATUS_OK;
920 }
921
922 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
923 if (sam == NULL) {
924 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
925 return NT_STATUS_NO_MEMORY;
926 }
927
928 for (i = 0; i < num_entries; i++) {
929 #if 0
930 /*
931 * usrmgr expects a non-NULL terminated string with
932 * trust relationships
933 */
934 if (entries[i].acct_flags & ACB_DOMTRUST) {
935 init_unistr2(&uni_temp_name, entries[i].account_name,
936 UNI_FLAGS_NONE);
937 } else {
938 init_unistr2(&uni_temp_name, entries[i].account_name,
939 UNI_STR_TERMINATE);
940 }
941 #endif
942 init_lsa_String(&sam[i].name, entries[i].account_name);
943 sam[i].idx = entries[i].rid;
944 }
945
946 *sam_pp = sam;
947
948 return NT_STATUS_OK;
949 }
950
951 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
952
953 /*******************************************************************
954 _samr_EnumDomainUsers
955 ********************************************************************/
956
957 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
958 struct samr_EnumDomainUsers *r)
959 {
960 NTSTATUS status;
961 struct samr_info *info = NULL;
962 int num_account;
963 uint32 enum_context = *r->in.resume_handle;
964 enum remote_arch_types ra_type = get_remote_arch();
965 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
966 uint32 max_entries = max_sam_entries;
967 struct samr_displayentry *entries = NULL;
968 struct samr_SamArray *samr_array = NULL;
969 struct samr_SamEntry *samr_entries = NULL;
970
971 /* find the policy handle. open a policy on it. */
972 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
973 return NT_STATUS_INVALID_HANDLE;
974
975 status = access_check_samr_function(info->acc_granted,
976 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
977 "_samr_EnumDomainUsers");
978 if (!NT_STATUS_IS_OK(status)) {
979 return status;
980 }
981
982 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
983
984 if (info->builtin_domain) {
985 /* No users in builtin. */
986 *r->out.resume_handle = *r->in.resume_handle;
987 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
988 return status;
989 }
990
991 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
992 if (!samr_array) {
993 return NT_STATUS_NO_MEMORY;
994 }
995 *r->out.sam = samr_array;
996
997 become_root();
998
999 /* AS ROOT !!!! */
1000
1001 if ((info->disp_info->enum_users != NULL) &&
1002 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1003 TALLOC_FREE(info->disp_info->enum_users);
1004 }
1005
1006 if (info->disp_info->enum_users == NULL) {
1007 info->disp_info->enum_users = pdb_search_users(
1008 info->disp_info, r->in.acct_flags);
1009 info->disp_info->enum_acb_mask = r->in.acct_flags;
1010 }
1011
1012 if (info->disp_info->enum_users == NULL) {
1013 /* END AS ROOT !!!! */
1014 unbecome_root();
1015 return NT_STATUS_ACCESS_DENIED;
1016 }
1017
1018 num_account = pdb_search_entries(info->disp_info->enum_users,
1019 enum_context, max_entries,
1020 &entries);
1021
1022 /* END AS ROOT !!!! */
1023
1024 unbecome_root();
1025
1026 if (num_account == 0) {
1027 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1028 "total entries\n"));
1029 *r->out.resume_handle = *r->in.resume_handle;
1030 return NT_STATUS_OK;
1031 }
1032
1033 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1034 num_account, enum_context,
1035 entries);
1036 if (!NT_STATUS_IS_OK(status)) {
1037 return status;
1038 }
1039
1040 if (max_entries <= num_account) {
1041 status = STATUS_MORE_ENTRIES;
1042 } else {
1043 status = NT_STATUS_OK;
1044 }
1045
1046 /* Ensure we cache this enumeration. */
1047 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1048
1049 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1050
1051 samr_array->count = num_account;
1052 samr_array->entries = samr_entries;
1053
1054 *r->out.resume_handle = *r->in.resume_handle + num_account;
1055 *r->out.num_entries = num_account;
1056
1057 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1058
1059 return status;
1060 }
1061
1062 /*******************************************************************
1063 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1064 ********************************************************************/
1065
1066 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1067 struct samr_SamEntry **sam_pp,
1068 uint32_t num_sam_entries,
1069 struct samr_displayentry *entries)
1070 {
1071 struct samr_SamEntry *sam;
1072 uint32_t i;
1073
1074 *sam_pp = NULL;
1075
1076 if (num_sam_entries == 0) {
1077 return;
1078 }
1079
1080 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1081 if (sam == NULL) {
1082 return;
1083 }
1084
1085 for (i = 0; i < num_sam_entries; i++) {
1086 /*
1087 * JRA. I think this should include the null. TNG does not.
1088 */
1089 init_lsa_String(&sam[i].name, entries[i].account_name);
1090 sam[i].idx = entries[i].rid;
1091 }
1092
1093 *sam_pp = sam;
1094 }
1095
1096 /*******************************************************************
1097 _samr_EnumDomainGroups
1098 ********************************************************************/
1099
1100 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1101 struct samr_EnumDomainGroups *r)
1102 {
1103 NTSTATUS status;
1104 struct samr_info *info = NULL;
1105 struct samr_displayentry *groups;
1106 uint32 num_groups;
1107 struct samr_SamArray *samr_array = NULL;
1108 struct samr_SamEntry *samr_entries = NULL;
1109
1110 /* find the policy handle. open a policy on it. */
1111 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1112 return NT_STATUS_INVALID_HANDLE;
1113
1114 status = access_check_samr_function(info->acc_granted,
1115 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1116 "_samr_EnumDomainGroups");
1117 if (!NT_STATUS_IS_OK(status)) {
1118 return status;
1119 }
1120
1121 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1122
1123 if (info->builtin_domain) {
1124 /* No groups in builtin. */
1125 *r->out.resume_handle = *r->in.resume_handle;
1126 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1127 return status;
1128 }
1129
1130 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1131 if (!samr_array) {
1132 return NT_STATUS_NO_MEMORY;
1133 }
1134
1135 /* the domain group array is being allocated in the function below */
1136
1137 become_root();
1138
1139 if (info->disp_info->groups == NULL) {
1140 info->disp_info->groups = pdb_search_groups(info->disp_info);
1141
1142 if (info->disp_info->groups == NULL) {
1143 unbecome_root();
1144 return NT_STATUS_ACCESS_DENIED;
1145 }
1146 }
1147
1148 num_groups = pdb_search_entries(info->disp_info->groups,
1149 *r->in.resume_handle,
1150 MAX_SAM_ENTRIES, &groups);
1151 unbecome_root();
1152
1153 /* Ensure we cache this enumeration. */
1154 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1155
1156 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1157 num_groups, groups);
1158
1159 samr_array->count = num_groups;
1160 samr_array->entries = samr_entries;
1161
1162 *r->out.sam = samr_array;
1163 *r->out.num_entries = num_groups;
1164 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1165
1166 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1167
1168 return status;
1169 }
1170
1171 /*******************************************************************
1172 _samr_EnumDomainAliases
1173 ********************************************************************/
1174
1175 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1176 struct samr_EnumDomainAliases *r)
1177 {
1178 NTSTATUS status;
1179 struct samr_info *info;
1180 struct samr_displayentry *aliases;
1181 uint32 num_aliases = 0;
1182 struct samr_SamArray *samr_array = NULL;
1183 struct samr_SamEntry *samr_entries = NULL;
1184
1185 /* find the policy handle. open a policy on it. */
1186 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1187 return NT_STATUS_INVALID_HANDLE;
1188
1189 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1190 sid_string_dbg(&info->sid)));
1191
1192 status = access_check_samr_function(info->acc_granted,
1193 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1194 "_samr_EnumDomainAliases");
1195 if (!NT_STATUS_IS_OK(status)) {
1196 return status;
1197 }
1198
1199 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1200 if (!samr_array) {
1201 return NT_STATUS_NO_MEMORY;
1202 }
1203
1204 become_root();
1205
1206 if (info->disp_info->aliases == NULL) {
1207 info->disp_info->aliases = pdb_search_aliases(
1208 info->disp_info, &info->sid);
1209 if (info->disp_info->aliases == NULL) {
1210 unbecome_root();
1211 return NT_STATUS_ACCESS_DENIED;
1212 }
1213 }
1214
1215 num_aliases = pdb_search_entries(info->disp_info->aliases,
1216 *r->in.resume_handle,
1217 MAX_SAM_ENTRIES, &aliases);
1218 unbecome_root();
1219
1220 /* Ensure we cache this enumeration. */
1221 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1222
1223 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1224 num_aliases, aliases);
1225
1226 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1227
1228 samr_array->count = num_aliases;
1229 samr_array->entries = samr_entries;
1230
1231 *r->out.sam = samr_array;
1232 *r->out.num_entries = num_aliases;
1233 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1234
1235 return status;
1236 }
1237
1238 /*******************************************************************
1239 inits a samr_DispInfoGeneral structure.
1240 ********************************************************************/
1241
1242 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1243 struct samr_DispInfoGeneral *r,
1244 uint32_t num_entries,
1245 uint32_t start_idx,
1246 struct samr_displayentry *entries)
1247 {
1248 uint32 i;
1249
1250 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1251
1252 if (num_entries == 0) {
1253 return NT_STATUS_OK;
1254 }
1255
1256 r->count = num_entries;
1257
1258 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1259 if (!r->entries) {
1260 return NT_STATUS_NO_MEMORY;
1261 }
1262
1263 for (i = 0; i < num_entries ; i++) {
1264
1265 init_lsa_String(&r->entries[i].account_name,
1266 entries[i].account_name);
1267
1268 init_lsa_String(&r->entries[i].description,
1269 entries[i].description);
1270
1271 init_lsa_String(&r->entries[i].full_name,
1272 entries[i].fullname);
1273
1274 r->entries[i].rid = entries[i].rid;
1275 r->entries[i].acct_flags = entries[i].acct_flags;
1276 r->entries[i].idx = start_idx+i+1;
1277 }
1278
1279 return NT_STATUS_OK;
1280 }
1281
1282 /*******************************************************************
1283 inits a samr_DispInfoFull structure.
1284 ********************************************************************/
1285
1286 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1287 struct samr_DispInfoFull *r,
1288 uint32_t num_entries,
1289 uint32_t start_idx,
1290 struct samr_displayentry *entries)
1291 {
1292 uint32_t i;
1293
1294 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1295
1296 if (num_entries == 0) {
1297 return NT_STATUS_OK;
1298 }
1299
1300 r->count = num_entries;
1301
1302 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1303 if (!r->entries) {
1304 return NT_STATUS_NO_MEMORY;
1305 }
1306
1307 for (i = 0; i < num_entries ; i++) {
1308
1309 init_lsa_String(&r->entries[i].account_name,
1310 entries[i].account_name);
1311
1312 init_lsa_String(&r->entries[i].description,
1313 entries[i].description);
1314
1315 r->entries[i].rid = entries[i].rid;
1316 r->entries[i].acct_flags = entries[i].acct_flags;
1317 r->entries[i].idx = start_idx+i+1;
1318 }
1319
1320 return NT_STATUS_OK;
1321 }
1322
1323 /*******************************************************************
1324 inits a samr_DispInfoFullGroups structure.
1325 ********************************************************************/
1326
1327 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1328 struct samr_DispInfoFullGroups *r,
1329 uint32_t num_entries,
1330 uint32_t start_idx,
1331 struct samr_displayentry *entries)
1332 {
1333 uint32_t i;
1334
1335 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1336
1337 if (num_entries == 0) {
1338 return NT_STATUS_OK;
1339 }
1340
1341 r->count = num_entries;
1342
1343 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1344 if (!r->entries) {
1345 return NT_STATUS_NO_MEMORY;
1346 }
1347
1348 for (i = 0; i < num_entries ; i++) {
1349
1350 init_lsa_String(&r->entries[i].account_name,
1351 entries[i].account_name);
1352
1353 init_lsa_String(&r->entries[i].description,
1354 entries[i].description);
1355
1356 r->entries[i].rid = entries[i].rid;
1357 r->entries[i].acct_flags = entries[i].acct_flags;
1358 r->entries[i].idx = start_idx+i+1;
1359 }
1360
1361 return NT_STATUS_OK;
1362 }
1363
1364 /*******************************************************************
1365 inits a samr_DispInfoAscii structure.
1366 ********************************************************************/
1367
1368 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1369 struct samr_DispInfoAscii *r,
1370 uint32_t num_entries,
1371 uint32_t start_idx,
1372 struct samr_displayentry *entries)
1373 {
1374 uint32_t i;
1375
1376 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1377
1378 if (num_entries == 0) {
1379 return NT_STATUS_OK;
1380 }
1381
1382 r->count = num_entries;
1383
1384 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1385 if (!r->entries) {
1386 return NT_STATUS_NO_MEMORY;
1387 }
1388
1389 for (i = 0; i < num_entries ; i++) {
1390
1391 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1392 entries[i].account_name);
1393
1394 r->entries[i].idx = start_idx+i+1;
1395 }
1396
1397 return NT_STATUS_OK;
1398 }
1399
1400 /*******************************************************************
1401 inits a samr_DispInfoAscii structure.
1402 ********************************************************************/
1403
1404 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1405 struct samr_DispInfoAscii *r,
1406 uint32_t num_entries,
1407 uint32_t start_idx,
1408 struct samr_displayentry *entries)
1409 {
1410 uint32_t i;
1411
1412 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1413
1414 if (num_entries == 0) {
1415 return NT_STATUS_OK;
1416 }
1417
1418 r->count = num_entries;
1419
1420 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1421 if (!r->entries) {
1422 return NT_STATUS_NO_MEMORY;
1423 }
1424
1425 for (i = 0; i < num_entries ; i++) {
1426
1427 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1428 entries[i].account_name);
1429
1430 r->entries[i].idx = start_idx+i+1;
1431 }
1432
1433 return NT_STATUS_OK;
1434 }
1435
1436 /*******************************************************************
1437 _samr_QueryDisplayInfo
1438 ********************************************************************/
1439
1440 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1441 struct samr_QueryDisplayInfo *r)
1442 {
1443 NTSTATUS status;
1444 struct samr_info *info = NULL;
1445 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1446
1447 uint32 max_entries = r->in.max_entries;
1448 uint32 enum_context = r->in.start_idx;
1449 uint32 max_size = r->in.buf_size;
1450
1451 union samr_DispInfo *disp_info = r->out.info;
1452
1453 uint32 temp_size=0, total_data_size=0;
1454 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1455 uint32 num_account = 0;
1456 enum remote_arch_types ra_type = get_remote_arch();
1457 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1458 struct samr_displayentry *entries = NULL;
1459
1460 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1461
1462 /* find the policy handle. open a policy on it. */
1463 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1464 return NT_STATUS_INVALID_HANDLE;
1465
1466 if (info->builtin_domain) {
1467 DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
1468 return NT_STATUS_OK;
1469 }
1470
1471 status = access_check_samr_function(info->acc_granted,
1472 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1473 "_samr_QueryDisplayInfo");
1474 if (!NT_STATUS_IS_OK(status)) {
1475 return status;
1476 }
1477
1478 /*
1479 * calculate how many entries we will return.
1480 * based on
1481 * - the number of entries the client asked
1482 * - our limit on that
1483 * - the starting point (enumeration context)
1484 * - the buffer size the client will accept
1485 */
1486
1487 /*
1488 * We are a lot more like W2K. Instead of reading the SAM
1489 * each time to find the records we need to send back,
1490 * we read it once and link that copy to the sam handle.
1491 * For large user list (over the MAX_SAM_ENTRIES)
1492 * it's a definitive win.
1493 * second point to notice: between enumerations
1494 * our sam is now the same as it's a snapshoot.
1495 * third point: got rid of the static SAM_USER_21 struct
1496 * no more intermediate.
1497 * con: it uses much more memory, as a full copy is stored
1498 * in memory.
1499 *
1500 * If you want to change it, think twice and think
1501 * of the second point , that's really important.
1502 *
1503 * JFM, 12/20/2001
1504 */
1505
1506 if ((r->in.level < 1) || (r->in.level > 5)) {
1507 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1508 (unsigned int)r->in.level ));
1509 return NT_STATUS_INVALID_INFO_CLASS;
1510 }
1511
1512 /* first limit the number of entries we will return */
1513 if(max_entries > max_sam_entries) {
1514 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1515 "entries, limiting to %d\n", max_entries,
1516 max_sam_entries));
1517 max_entries = max_sam_entries;
1518 }
1519
1520 /* calculate the size and limit on the number of entries we will
1521 * return */
1522
1523 temp_size=max_entries*struct_size;
1524
1525 if (temp_size>max_size) {
1526 max_entries=MIN((max_size/struct_size),max_entries);;
1527 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1528 "only %d entries\n", max_entries));
1529 }
1530
1531 become_root();
1532
1533 /* THe following done as ROOT. Don't return without unbecome_root(). */
1534
1535 switch (r->in.level) {
1536 case 0x1:
1537 case 0x4:
1538 if (info->disp_info->users == NULL) {
1539 info->disp_info->users = pdb_search_users(
1540 info->disp_info, ACB_NORMAL);
1541 if (info->disp_info->users == NULL) {
1542 unbecome_root();
1543 return NT_STATUS_ACCESS_DENIED;
1544 }
1545 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1546 (unsigned int)enum_context ));
1547 } else {
1548 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1549 (unsigned int)enum_context ));
1550 }
1551
1552 num_account = pdb_search_entries(info->disp_info->users,
1553 enum_context, max_entries,
1554 &entries);
1555 break;
1556 case 0x2:
1557 if (info->disp_info->machines == NULL) {
1558 info->disp_info->machines = pdb_search_users(
1559 info->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1560 if (info->disp_info->machines == NULL) {
1561 unbecome_root();
1562 return NT_STATUS_ACCESS_DENIED;
1563 }
1564 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1565 (unsigned int)enum_context ));
1566 } else {
1567 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1568 (unsigned int)enum_context ));
1569 }
1570
1571 num_account = pdb_search_entries(info->disp_info->machines,
1572 enum_context, max_entries,
1573 &entries);
1574 break;
1575 case 0x3:
1576 case 0x5:
1577 if (info->disp_info->groups == NULL) {
1578 info->disp_info->groups = pdb_search_groups(
1579 info->disp_info);
1580 if (info->disp_info->groups == NULL) {
1581 unbecome_root();
1582 return NT_STATUS_ACCESS_DENIED;
1583 }
1584 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1585 (unsigned int)enum_context ));
1586 } else {
1587 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1588 (unsigned int)enum_context ));
1589 }
1590
1591 num_account = pdb_search_entries(info->disp_info->groups,
1592 enum_context, max_entries,
1593 &entries);
1594 break;
1595 default:
1596 unbecome_root();
1597 smb_panic("info class changed");
1598 break;
1599 }
1600 unbecome_root();
1601
1602
1603 /* Now create reply structure */
1604 switch (r->in.level) {
1605 case 0x1:
1606 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1607 num_account, enum_context,
1608 entries);
1609 break;
1610 case 0x2:
1611 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1612 num_account, enum_context,
1613 entries);
1614 break;
1615 case 0x3:
1616 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1617 num_account, enum_context,
1618 entries);
1619 break;
1620 case 0x4:
1621 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1622 num_account, enum_context,
1623 entries);
1624 break;
1625 case 0x5:
1626 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1627 num_account, enum_context,
1628 entries);
1629 break;
1630 default:
1631 smb_panic("info class changed");
1632 break;
1633 }
1634
1635 if (!NT_STATUS_IS_OK(disp_ret))
1636 return disp_ret;
1637
1638 /* calculate the total size */
1639 total_data_size=num_account*struct_size;
1640
1641 if (max_entries <= num_account) {
1642 status = STATUS_MORE_ENTRIES;
1643 } else {
1644 status = NT_STATUS_OK;
1645 }
1646
1647 /* Ensure we cache this enumeration. */
1648 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1649
1650 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1651
1652 *r->out.total_size = total_data_size;
1653 *r->out.returned_size = temp_size;
1654
1655 return status;
1656 }
1657
1658 /****************************************************************
1659 _samr_QueryDisplayInfo2
1660 ****************************************************************/
1661
1662 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1663 struct samr_QueryDisplayInfo2 *r)
1664 {
1665 struct samr_QueryDisplayInfo q;
1666
1667 q.in.domain_handle = r->in.domain_handle;
1668 q.in.level = r->in.level;
1669 q.in.start_idx = r->in.start_idx;
1670 q.in.max_entries = r->in.max_entries;
1671 q.in.buf_size = r->in.buf_size;
1672
1673 q.out.total_size = r->out.total_size;
1674 q.out.returned_size = r->out.returned_size;
1675 q.out.info = r->out.info;
1676
1677 return _samr_QueryDisplayInfo(p, &q);
1678 }
1679
1680 /****************************************************************
1681 _samr_QueryDisplayInfo3
1682 ****************************************************************/
1683
1684 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1685 struct samr_QueryDisplayInfo3 *r)
1686 {
1687 struct samr_QueryDisplayInfo q;
1688
1689 q.in.domain_handle = r->in.domain_handle;
1690 q.in.level = r->in.level;
1691 q.in.start_idx = r->in.start_idx;
1692 q.in.max_entries = r->in.max_entries;
1693 q.in.buf_size = r->in.buf_size;
1694
1695 q.out.total_size = r->out.total_size;
1696 q.out.returned_size = r->out.returned_size;
1697 q.out.info = r->out.info;
1698
1699 return _samr_QueryDisplayInfo(p, &q);
1700 }
1701
1702 /*******************************************************************
1703 _samr_QueryAliasInfo
1704 ********************************************************************/
1705
1706 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1707 struct samr_QueryAliasInfo *r)
1708 {
1709 DOM_SID sid;
1710 struct acct_info info;
1711 uint32 acc_granted;
1712 NTSTATUS status;
1713 union samr_AliasInfo *alias_info = NULL;
1714 const char *alias_name = NULL;
1715 const char *alias_description = NULL;
1716
1717 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1718
1719 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1720 if (!alias_info) {
1721 return NT_STATUS_NO_MEMORY;
1722 }
1723
1724 /* find the policy handle. open a policy on it. */
1725 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1726 return NT_STATUS_INVALID_HANDLE;
1727
1728 status = access_check_samr_function(acc_granted,
1729 SAMR_ALIAS_ACCESS_LOOKUP_INFO,
1730 "_samr_QueryAliasInfo");
1731 if (!NT_STATUS_IS_OK(status)) {
1732 return status;
1733 }
1734
1735 become_root();
1736 status = pdb_get_aliasinfo(&sid, &info);
1737 unbecome_root();
1738
1739 if ( !NT_STATUS_IS_OK(status))
1740 return status;
1741
1742 /* FIXME: info contains fstrings */
1743 alias_name = talloc_strdup(r, info.acct_name);
1744 alias_description = talloc_strdup(r, info.acct_desc);
1745
1746 switch (r->in.level) {
1747 case ALIASINFOALL:
1748 alias_info->all.name.string = alias_name;
1749 alias_info->all.num_members = 1; /* ??? */
1750 alias_info->all.description.string = alias_description;
1751 break;
1752 case ALIASINFODESCRIPTION:
1753 alias_info->description.string = alias_description;
1754 break;
1755 default:
1756 return NT_STATUS_INVALID_INFO_CLASS;
1757 }
1758
1759 *r->out.info = alias_info;
1760
1761 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1762
1763 return NT_STATUS_OK;
1764 }
1765
1766 /*******************************************************************
1767 _samr_LookupNames
1768 ********************************************************************/
1769
1770 NTSTATUS _samr_LookupNames(pipes_struct *p,
1771 struct samr_LookupNames *r)
1772 {
1773 NTSTATUS status;
1774 uint32 *rid;
1775 enum lsa_SidType *type;
1776 int i;
1777 int num_rids = r->in.num_names;
1778 DOM_SID pol_sid;
1779 uint32 acc_granted;
1780 struct samr_Ids rids, types;
1781 uint32_t num_mapped = 0;
1782
1783 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1784
1785 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1786 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1787 }
1788
1789 status = access_check_samr_function(acc_granted,
1790 0, /* Don't know the acc_bits yet */
1791 "_samr_LookupNames");
1792 if (!NT_STATUS_IS_OK(status)) {
1793 return status;
1794 }
1795
1796 if (num_rids > MAX_SAM_ENTRIES) {
1797 num_rids = MAX_SAM_ENTRIES;
1798 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1799 }
1800
1801 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1802 NT_STATUS_HAVE_NO_MEMORY(rid);
1803
1804 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1805 NT_STATUS_HAVE_NO_MEMORY(type);
1806
1807 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1808 sid_string_dbg(&pol_sid)));
1809
1810 for (i = 0; i < num_rids; i++) {
1811
1812 status = NT_STATUS_NONE_MAPPED;
1813 type[i] = SID_NAME_UNKNOWN;
1814
1815 rid[i] = 0xffffffff;
1816
1817 if (sid_check_is_builtin(&pol_sid)) {
1818 if (lookup_builtin_name(r->in.names[i].string,
1819 &rid[i]))
1820 {
1821 type[i] = SID_NAME_ALIAS;
1822 }
1823 } else {
1824 lookup_global_sam_name(r->in.names[i].string, 0,
1825 &rid[i], &type[i]);
1826 }
1827
1828 if (type[i] != SID_NAME_UNKNOWN) {
1829 num_mapped++;
1830 }
1831 }
1832
1833 if (num_mapped == num_rids) {
1834 status = NT_STATUS_OK;
1835 } else if (num_mapped == 0) {
1836 status = NT_STATUS_NONE_MAPPED;
1837 } else {
1838 status = STATUS_SOME_UNMAPPED;
1839 }
1840
1841 rids.count = num_rids;
1842 rids.ids = rid;
1843
1844 types.count = num_rids;
1845 types.ids = type;
1846
1847 *r->out.rids = rids;
1848 *r->out.types = types;
1849
1850 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1851
1852 return status;
1853 }
1854
1855 /*******************************************************************
1856 _samr_ChangePasswordUser2
1857 ********************************************************************/
1858
1859 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1860 struct samr_ChangePasswordUser2 *r)
1861 {
1862 NTSTATUS status;
1863 fstring user_name;
1864 fstring wks;
1865
1866 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1867
1868 fstrcpy(user_name, r->in.account->string);
1869 fstrcpy(wks, r->in.server->string);
1870
1871 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1872
1873 /*
1874 * Pass the user through the NT -> unix user mapping
1875 * function.
1876 */
1877
1878 (void)map_username(user_name);
1879
1880 /*
1881 * UNIX username case mangling not required, pass_oem_change
1882 * is case insensitive.
1883 */
1884
1885 status = pass_oem_change(user_name,
1886 r->in.lm_password->data,
1887 r->in.lm_verifier->hash,
1888 r->in.nt_password->data,
1889 r->in.nt_verifier->hash,
1890 NULL);
1891
1892 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1893
1894 return status;
1895 }
1896
1897 /*******************************************************************
1898 _samr_ChangePasswordUser3
1899 ********************************************************************/
1900
1901 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1902 struct samr_ChangePasswordUser3 *r)
1903 {
1904 NTSTATUS status;
1905 fstring user_name;
1906 const char *wks = NULL;
1907 uint32 reject_reason;
1908 struct samr_DomInfo1 *dominfo = NULL;
1909 struct samr_ChangeReject *reject = NULL;
1910 uint32_t tmp;
1911
1912 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1913
1914 fstrcpy(user_name, r->in.account->string);
1915 if (r->in.server && r->in.server->string) {
1916 wks = r->in.server->string;
1917 }
1918
1919 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1920
1921 /*
1922 * Pass the user through the NT -> unix user mapping
1923 * function.
1924 */
1925
1926 (void)map_username(user_name);
1927
1928 /*
1929 * UNIX username case mangling not required, pass_oem_change
1930 * is case insensitive.
1931 */
1932
1933 status = pass_oem_change(user_name,
1934 r->in.lm_password->data,
1935 r->in.lm_verifier->hash,
1936 r->in.nt_password->data,
1937 r->in.nt_verifier->hash,
1938 &reject_reason);
1939
1940 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1941 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1942
1943 time_t u_expire, u_min_age;
1944 uint32 account_policy_temp;
1945
1946 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1947 if (!dominfo) {
1948 return NT_STATUS_NO_MEMORY;
1949 }
1950
1951 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1952 if (!reject) {
1953 return NT_STATUS_NO_MEMORY;
1954 }
1955
1956 become_root();
1957
1958 /* AS ROOT !!! */
1959
1960 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
1961 dominfo->min_password_length = tmp;
1962
1963 pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
1964 dominfo->password_history_length = tmp;
1965
1966 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
1967 &dominfo->password_properties);
1968
1969 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1970 u_expire = account_policy_temp;
1971
1972 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1973 u_min_age = account_policy_temp;
1974
1975 /* !AS ROOT */
1976
1977 unbecome_root();
1978
1979 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
1980 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
1981
1982 if (lp_check_password_script() && *lp_check_password_script()) {
1983 dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
1984 }
1985
1986 reject->reason = reject_reason;
1987
1988 *r->out.dominfo = dominfo;
1989 *r->out.reject = reject;
1990 }
1991
1992 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1993
1994 return status;
1995 }
1996
1997 /*******************************************************************
1998 makes a SAMR_R_LOOKUP_RIDS structure.
1999 ********************************************************************/
2000
2001 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2002 const char **names,
2003 struct lsa_String **lsa_name_array_p)
2004 {
2005 struct lsa_String *lsa_name_array = NULL;
2006 uint32_t i;
2007
2008 *lsa_name_array_p = NULL;
2009
2010 if (num_names != 0) {
2011 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2012 if (!lsa_name_array) {
2013 return false;
2014 }
2015 }
2016
2017 for (i = 0; i < num_names; i++) {
2018 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2019 init_lsa_String(&lsa_name_array[i], names[i]);
2020 }
2021
2022 *lsa_name_array_p = lsa_name_array;
2023
2024 return true;
2025 }
2026
2027 /*******************************************************************
2028 _samr_LookupRids
2029 ********************************************************************/
2030
2031 NTSTATUS _samr_LookupRids(pipes_struct *p,
2032 struct samr_LookupRids *r)
2033 {
2034 NTSTATUS status;
2035 const char **names;
2036 enum lsa_SidType *attrs = NULL;
2037 uint32 *wire_attrs = NULL;
2038 DOM_SID pol_sid;
2039 int num_rids = (int)r->in.num_rids;
2040 uint32 acc_granted;
2041 int i;
2042 struct lsa_Strings names_array;
2043 struct samr_Ids types_array;
2044 struct lsa_String *lsa_names = NULL;
2045
2046 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2047
2048 /* find the policy handle. open a policy on it. */
2049 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2050 return NT_STATUS_INVALID_HANDLE;
2051
2052 status = access_check_samr_function(acc_granted,
2053 0, /* Don't know the acc_bits yet */
2054 "_samr_LookupRids");
2055 if (!NT_STATUS_IS_OK(status)) {
2056 return status;
2057 }
2058
2059 if (num_rids > 1000) {
2060 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2061 "to samba4 idl this is not possible\n", num_rids));
2062 return NT_STATUS_UNSUCCESSFUL;
2063 }
2064
2065 if (num_rids) {
2066 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2067 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2068 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2069
2070 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2071 return NT_STATUS_NO_MEMORY;
2072 } else {
2073 names = NULL;
2074 attrs = NULL;
2075 wire_attrs = NULL;
2076 }
2077
2078 become_root(); /* lookup_sid can require root privs */
2079 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2080 names, attrs);
2081 unbecome_root();
2082
2083 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2084 status = NT_STATUS_OK;
2085 }
2086
2087 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2088 &lsa_names)) {
2089 return NT_STATUS_NO_MEMORY;
2090 }
2091
2092 /* Convert from enum lsa_SidType to uint32 for wire format. */
2093 for (i = 0; i < num_rids; i++) {
2094 wire_attrs[i] = (uint32)attrs[i];
2095 }
2096
2097 names_array.count = num_rids;
2098 names_array.names = lsa_names;
2099
2100 types_array.count = num_rids;
2101 types_array.ids = wire_attrs;
2102
2103 *r->out.names = names_array;
2104 *r->out.types = types_array;
2105
2106 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2107
2108 return status;
2109 }
2110
2111 /*******************************************************************
2112 _samr_OpenUser
2113 ********************************************************************/
2114
2115 NTSTATUS _samr_OpenUser(pipes_struct *p,
2116 struct samr_OpenUser *r)
2117 {
2118 struct samu *sampass=NULL;
2119 DOM_SID sid;
2120 struct samr_info *info = NULL;
2121 SEC_DESC *psd = NULL;
2122 uint32 acc_granted;
2123 uint32 des_access = r->in.access_mask;
2124 size_t sd_size;
2125 bool ret;
2126 NTSTATUS nt_status;
2127 SE_PRIV se_rights;
2128
2129 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2130
2131 if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
2132 return NT_STATUS_INVALID_HANDLE;
2133
2134 nt_status = access_check_samr_function(acc_granted,
2135 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
2136 "_samr_OpenUser" );
2137
2138 if ( !NT_STATUS_IS_OK(nt_status) )
2139 return nt_status;
2140
2141 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2142 return NT_STATUS_NO_MEMORY;
2143 }
2144
2145 /* append the user's RID to it */
2146
2147 if (!sid_append_rid(&sid, r->in.rid))
2148 return NT_STATUS_NO_SUCH_USER;
2149
2150 /* check if access can be granted as requested by client. */
2151
2152 map_max_allowed_access(p->server_info->ptok, &des_access);
2153
2154 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2155 se_map_generic(&des_access, &usr_generic_mapping);
2156
2157 se_priv_copy( &se_rights, &se_machine_account );
2158 se_priv_add( &se_rights, &se_add_users );
2159
2160 nt_status = access_check_samr_object(psd, p->server_info->ptok,
2161 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2162 &acc_granted, "_samr_OpenUser");
2163
2164 if ( !NT_STATUS_IS_OK(nt_status) )
2165 return nt_status;
2166
2167 become_root();
2168 ret=pdb_getsampwsid(sampass, &sid);
2169 unbecome_root();
2170
2171 /* check that the SID exists in our domain. */
2172 if (ret == False) {
2173 return NT_STATUS_NO_SUCH_USER;
2174 }
2175
2176 TALLOC_FREE(sampass);
2177
2178 /* associate the user's SID and access bits with the new handle. */
2179 if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL)
2180 return NT_STATUS_NO_MEMORY;
2181 info->acc_granted = acc_granted;
2182
2183 /* get a (unique) handle. open a policy on it. */
2184 if (!create_policy_hnd(p, r->out.user_handle, info))
2185 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2186
2187 return NT_STATUS_OK;
2188 }
2189
2190 /*************************************************************************
2191 *************************************************************************/
2192
2193 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2194 DATA_BLOB *blob,
2195 struct lsa_BinaryString **_r)
2196 {
2197 struct lsa_BinaryString *r;
2198
2199 if (!blob || !_r) {
2200 return NT_STATUS_INVALID_PARAMETER;
2201 }
2202
2203 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2204 if (!r) {
2205 return NT_STATUS_NO_MEMORY;
2206 }
2207
2208 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2209 if (!r->array) {
2210 return NT_STATUS_NO_MEMORY;
2211 }
2212 memcpy(r->array, blob->data, blob->length);
2213 r->size = blob->length;
2214 r->length = blob->length;
2215
2216 if (!r->array) {
2217 return NT_STATUS_NO_MEMORY;
2218 }
2219
2220 *_r = r;
2221
2222 return NT_STATUS_OK;
2223 }
2224
2225 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2226 struct samr_UserInfo5 *r,
2227 struct samu *pw,
2228 DOM_SID *domain_sid)
2229 {
2230 const DOM_SID *sid_user, *sid_group;
2231 uint32_t rid, primary_gid;
2232
2233 sid_user = pdb_get_user_sid(pw);
2234
2235 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2236 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2237 "the domain sid %s. Failing operation.\n",
2238 pdb_get_username(pw), sid_string_dbg(sid_user),
2239 sid_string_dbg(domain_sid)));
2240 return NT_STATUS_UNSUCCESSFUL;
2241 }
2242
2243 become_root();
2244 sid_group = pdb_get_group_sid(pw);
2245 unbecome_root();
2246
2247 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2248 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2249 "which conflicts with the domain sid %s. Failing operation.\n",
2250 pdb_get_username(pw), sid_string_dbg(sid_group),
2251 sid_string_dbg(domain_sid)));
2252 return NT_STATUS_UNSUCCESSFUL;
2253 }
2254
2255 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2256 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2257 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2258 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2259
2260 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2261 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2262 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2263 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2264 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2265 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2266 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2267 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2268
2269 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2270 r->rid = rid;
2271 r->primary_gid = primary_gid;
2272 r->acct_flags = pdb_get_acct_ctrl(pw);
2273 r->bad_password_count = pdb_get_bad_password_count(pw);
2274 r->logon_count = pdb_get_logon_count(pw);
2275
2276 return NT_STATUS_OK;
2277 }
2278
2279 /*************************************************************************
2280 get_user_info_7. Safe. Only gives out account_name.
2281 *************************************************************************/
2282
2283 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2284 struct samr_UserInfo7 *r,
2285 struct samu *smbpass)
2286 {
2287 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2288 if (!r->account_name.string) {
2289 return NT_STATUS_NO_MEMORY;
2290 }
2291
2292 return NT_STATUS_OK;
2293 }
2294
2295 /*************************************************************************
2296 get_user_info_9. Only gives out primary group SID.
2297 *************************************************************************/
2298
2299 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2300 struct samr_UserInfo9 *r,
2301 struct samu *smbpass)
2302 {
2303 r->primary_gid = pdb_get_group_rid(smbpass);
2304
2305 return NT_STATUS_OK;
2306 }
2307
2308 /*************************************************************************
2309 get_user_info_16. Safe. Only gives out acb bits.
2310 *************************************************************************/
2311
2312 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2313 struct samr_UserInfo16 *r,
2314 struct samu *smbpass)
2315 {
2316 r->acct_flags = pdb_get_acct_ctrl(smbpass);
2317
2318 return NT_STATUS_OK;
2319 }
2320
2321 /*************************************************************************
2322 get_user_info_18. OK - this is the killer as it gives out password info.
2323 Ensure that this is only allowed on an encrypted connection with a root
2324 user. JRA.
2325 *************************************************************************/
2326
2327 static NTSTATUS get_user_info_18(pipes_struct *p,
2328 TALLOC_CTX *mem_ctx,
2329 struct samr_UserInfo18 *r,
2330 DOM_SID *user_sid)
2331 {
2332 struct samu *smbpass=NULL;
2333 bool ret;
2334
2335 ZERO_STRUCTP(r);
2336
2337 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2338 return NT_STATUS_ACCESS_DENIED;
2339 }
2340
2341 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2342 return NT_STATUS_ACCESS_DENIED;
2343 }
2344
2345 /*
2346 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2347 */
2348
2349 if ( !(smbpass = samu_new( mem_ctx )) ) {
2350 return NT_STATUS_NO_MEMORY;
2351 }
2352
2353 ret = pdb_getsampwsid(smbpass, user_sid);
2354
2355 if (ret == False) {
2356 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2357 TALLOC_FREE(smbpass);
2358 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2359 }
2360
2361 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2362
2363 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2364 TALLOC_FREE(smbpass);
2365 return NT_STATUS_ACCOUNT_DISABLED;
2366 }
2367
2368 r->lm_pwd_active = true;
2369 r->nt_pwd_active = true;
2370 memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2371 memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2372 r->password_expired = 0; /* FIXME */
2373
2374 TALLOC_FREE(smbpass);
2375
2376 return NT_STATUS_OK;
2377 }
2378
2379 /*************************************************************************
2380 get_user_info_20
2381 *************************************************************************/
2382
2383 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2384 struct samr_UserInfo20 *r,
2385 struct samu *sampass)
2386 {
2387 const char *munged_dial = NULL;
2388 DATA_BLOB blob;
2389 NTSTATUS status;
2390 struct lsa_BinaryString *parameters = NULL;
2391
2392 ZERO_STRUCTP(r);
2393
2394 munged_dial = pdb_get_munged_dial(sampass);
2395
2396 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2397 munged_dial, (int)strlen(munged_dial)));
2398
2399 if (munged_dial) {
2400 blob = base64_decode_data_blob(munged_dial);
2401 } else {
2402 blob = data_blob_string_const_null("");
2403 }
2404
2405 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2406 data_blob_free(&blob);
2407 if (!NT_STATUS_IS_OK(status)) {
2408 return status;
2409 }
2410
2411 r->parameters = *parameters;
2412
2413 return NT_STATUS_OK;
2414 }
2415
2416
2417 /*************************************************************************
2418 get_user_info_21
2419 *************************************************************************/
2420
2421 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2422 struct samr_UserInfo21 *r,
2423 struct samu *pw,
2424 DOM_SID *domain_sid)
2425 {
2426 NTSTATUS status;
2427 const DOM_SID *sid_user, *sid_group;
2428 uint32_t rid, primary_gid;
2429 NTTIME force_password_change;
2430 time_t must_change_time;
2431 struct lsa_BinaryString *parameters = NULL;
2432 const char *munged_dial = NULL;
2433 DATA_BLOB blob;
2434
2435 ZERO_STRUCTP(r);
2436
2437 sid_user = pdb_get_user_sid(pw);
2438
2439 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2440 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2441 "the domain sid %s. Failing operation.\n",
2442 pdb_get_username(pw), sid_string_dbg(sid_user),
2443 sid_string_dbg(domain_sid)));
2444 return NT_STATUS_UNSUCCESSFUL;
2445 }
2446
2447 become_root();
2448 sid_group = pdb_get_group_sid(pw);
2449 unbecome_root();
2450
2451 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2452 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2453 "which conflicts with the domain sid %s. Failing operation.\n",
2454 pdb_get_username(pw), sid_string_dbg(sid_group),
2455 sid_string_dbg(domain_sid)));
2456 return NT_STATUS_UNSUCCESSFUL;
2457 }
2458
2459 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2460 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2461 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2462 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2463 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2464
2465 must_change_time = pdb_get_pass_must_change_time(pw);
2466 if (must_change_time == get_time_t_max()) {
2467 unix_to_nt_time_abs(&force_password_change, must_change_time);
2468 } else {
2469 unix_to_nt_time(&force_password_change, must_change_time);
2470 }
2471
2472 munged_dial = pdb_get_munged_dial(pw);
2473 if (munged_dial) {
2474 blob = base64_decode_data_blob(munged_dial);
2475 } else {
2476 blob = data_blob_string_const_null("");
2477 }
2478
2479 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2480 data_blob_free(&blob);
2481 if (!NT_STATUS_IS_OK(status)) {
2482 return status;
2483 }
2484
2485 r->force_password_change = force_password_change;
2486
2487 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2488 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2489 r->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2490 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2491 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2492 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2493 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2494 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2495 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2496
2497 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2498 r->parameters = *parameters;
2499 r->rid = rid;
2500 r->primary_gid = primary_gid;
2501 r->acct_flags = pdb_get_acct_ctrl(pw);
2502 r->bad_password_count = pdb_get_bad_password_count(pw);
2503 r->logon_count = pdb_get_logon_count(pw);
2504 r->fields_present = pdb_build_fields_present(pw);
2505 r->password_expired = (pdb_get_pass_must_change_time(pw) == 0) ?
2506 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2507 r->country_code = 0;
2508 r->code_page = 0;
2509 r->lm_password_set = 0;
2510 r->nt_password_set = 0;
2511
2512 #if 0
2513
2514 /*
2515 Look at a user on a real NT4 PDC with usrmgr, press
2516 'ok'. Then you will see that fields_present is set to
2517 0x08f827fa. Look at the user immediately after that again,
2518 and you will see that 0x00fffff is returned. This solves
2519 the problem that you get access denied after having looked
2520 at the user.
2521 -- Volker
2522 */
2523
2524 #endif
2525
2526
2527 return NT_STATUS_OK;
2528 }
2529
2530 /*******************************************************************
2531 _samr_QueryUserInfo
2532 ********************************************************************/
2533
2534 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2535 struct samr_QueryUserInfo *r)
2536 {
2537 NTSTATUS status;
2538 union samr_UserInfo *user_info = NULL;
2539 struct samr_info *info = NULL;
2540 DOM_SID domain_sid;
2541 uint32 rid;
2542 bool ret = false;
2543 struct samu *pwd = NULL;
2544
2545 /* search for the handle */
2546 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2547 return NT_STATUS_INVALID_HANDLE;
2548
2549 status = access_check_samr_function(info->acc_granted,
2550 SAMR_USER_ACCESS_GET_ATTRIBUTES,
2551 "_samr_QueryUserInfo");
2552 if (!NT_STATUS_IS_OK(status)) {
2553 return status;
2554 }
2555
2556 domain_sid = info->sid;
2557
2558 sid_split_rid(&domain_sid, &rid);
2559
2560 if (!sid_check_is_in_our_domain(&info->sid))
2561 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2562
2563 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2564 sid_string_dbg(&info->sid)));
2565
2566 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2567 if (!user_info) {
2568 return NT_STATUS_NO_MEMORY;
2569 }
2570
2571 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2572
2573 if (!(pwd = samu_new(p->mem_ctx))) {
2574 return NT_STATUS_NO_MEMORY;
2575 }
2576
2577 become_root();
2578 ret = pdb_getsampwsid(pwd, &info->sid);
2579 unbecome_root();
2580
2581 if (ret == false) {
2582 DEBUG(4,("User %s not found\n", sid_string_dbg(&info->sid)));
2583 TALLOC_FREE(pwd);
2584 return NT_STATUS_NO_SUCH_USER;
2585 }
2586
2587 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2588
2589 samr_clear_sam_passwd(pwd);
2590
2591 switch (r->in.level) {
2592 case 5:
2593 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2594 break;
2595 case 7:
2596 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2597 break;
2598 case 9:
2599 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2600 break;
2601 case 16:
2602 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2603 break;
2604 case 18:
2605 /* level 18 is special */
2606 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2607 break;
2608 case 20:
2609 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2610 break;
2611 case 21:
2612 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2613 break;
2614 default:
2615 status = NT_STATUS_INVALID_INFO_CLASS;
2616 break;
2617 }
2618
2619 TALLOC_FREE(pwd);
2620
2621 *r->out.info = user_info;
2622
2623 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2624
2625 return status;
2626 }
2627
2628 /****************************************************************
2629 ****************************************************************/
2630
2631 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2632 struct samr_QueryUserInfo2 *r)
2633 {
2634 struct samr_QueryUserInfo u;
2635
2636 u.in.user_handle = r->in.user_handle;
2637 u.in.level = r->in.level;
2638 u.out.info = r->out.info;
2639
2640 return _samr_QueryUserInfo(p, &u);
2641 }
2642
2643 /*******************************************************************
2644 _samr_GetGroupsForUser
2645 ********************************************************************/
2646
2647 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2648 struct samr_GetGroupsForUser *r)
2649 {
2650 struct samu *sam_pass=NULL;
2651 DOM_SID sid;
2652 DOM_SID *sids;
2653 struct samr_RidWithAttribute dom_gid;
2654 struct samr_RidWithAttribute *gids = NULL;
2655 uint32 primary_group_rid;
2656 size_t num_groups = 0;
2657 gid_t *unix_gids;
2658 size_t i, num_gids;
2659 uint32 acc_granted;
2660 bool ret;
2661 NTSTATUS result;
2662 bool success = False;
2663
2664 struct samr_RidWithAttributeArray *rids = NULL;
2665
2666 /*
2667 * from the SID in the request:
2668 * we should send back the list of DOMAIN GROUPS
2669 * the user is a member of
2670 *
2671 * and only the DOMAIN GROUPS
2672 * no ALIASES !!! neither aliases of the domain
2673 * nor aliases of the builtin SID
2674 *
2675 * JFM, 12/2/2001
2676 */
2677
2678 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2679
2680 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2681 if (!rids) {
2682 return NT_STATUS_NO_MEMORY;
2683 }
2684
2685 /* find the policy handle. open a policy on it. */
2686 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2687 return NT_STATUS_INVALID_HANDLE;
2688
2689 result = access_check_samr_function(acc_granted,
2690 SAMR_USER_ACCESS_GET_GROUPS,
2691 "_samr_GetGroupsForUser");
2692 if (!NT_STATUS_IS_OK(result)) {
2693 return result;
2694 }
2695
2696 if (!sid_check_is_in_our_domain(&sid))
2697 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2698
2699 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2700 return NT_STATUS_NO_MEMORY;
2701 }
2702
2703 become_root();
2704 ret = pdb_getsampwsid(sam_pass, &sid);
2705 unbecome_root();
2706
2707 if (!ret) {
2708 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2709 sid_string_dbg(&sid)));
2710 return NT_STATUS_NO_SUCH_USER;
2711 }
2712
2713 sids = NULL;
2714
2715 /* make both calls inside the root block */
2716 become_root();
2717 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2718 &sids, &unix_gids, &num_groups);
2719 if ( NT_STATUS_IS_OK(result) ) {
2720 success = sid_peek_check_rid(get_global_sam_sid(),
2721 pdb_get_group_sid(sam_pass),
2722 &primary_group_rid);
2723 }
2724 unbecome_root();
2725
2726 if (!NT_STATUS_IS_OK(result)) {
2727 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2728 sid_string_dbg(&sid)));
2729 return result;
2730 }
2731
2732 if ( !success ) {
2733 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2734 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2735 pdb_get_username(sam_pass)));
2736 TALLOC_FREE(sam_pass);
2737 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2738 }
2739
2740 gids = NULL;
2741 num_gids = 0;
2742
2743 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2744 SE_GROUP_ENABLED);
2745 dom_gid.rid = primary_group_rid;
2746 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2747
2748 for (i=0; i<num_groups; i++) {
2749
2750 if (!sid_peek_check_rid(get_global_sam_sid(),
2751 &(sids[i]), &dom_gid.rid)) {
2752 DEBUG(10, ("Found sid %s not in our domain\n",
2753 sid_string_dbg(&sids[i])));
2754 continue;
2755 }
2756
2757 if (dom_gid.rid == primary_group_rid) {
2758 /* We added the primary group directly from the
2759 * sam_account. The other SIDs are unique from
2760 * enum_group_memberships */
2761 continue;
2762 }
2763
2764 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2765 }
2766
2767 rids->count = num_gids;
2768 rids->rids = gids;
2769
2770 *r->out.rids = rids;
2771
2772 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2773
2774 return result;
2775 }
2776
2777 /*******************************************************************
2778 _samr_QueryDomainInfo
2779 ********************************************************************/
2780
2781 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2782 struct samr_QueryDomainInfo *r)
2783 {
2784 NTSTATUS status = NT_STATUS_OK;
2785 struct samr_info *info = NULL;
2786 union samr_DomainInfo *dom_info;
2787 time_t u_expire, u_min_age;
2788
2789 time_t u_lock_duration, u_reset_time;
2790 uint32_t u_logout;
2791
2792 uint32 account_policy_temp;
2793
2794 time_t seq_num;
2795 uint32 server_role;
2796
2797 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2798
2799 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2800 if (!dom_info) {
2801 return NT_STATUS_NO_MEMORY;
2802 }
2803
2804 /* find the policy handle. open a policy on it. */
2805 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
2806 return NT_STATUS_INVALID_HANDLE;
2807 }
2808
2809 status = access_check_samr_function(info->acc_granted,
2810 SAMR_ACCESS_LOOKUP_DOMAIN,
2811 "_samr_QueryDomainInfo" );
2812
2813 if ( !NT_STATUS_IS_OK(status) )
2814 return status;
2815
2816 switch (r->in.level) {
2817 case 0x01:
2818
2819 become_root();
2820
2821 /* AS ROOT !!! */
2822
2823 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
2824 &account_policy_temp);
2825 dom_info->info1.min_password_length = account_policy_temp;
2826
2827 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2828 dom_info->info1.password_history_length = account_policy_temp;
2829
2830 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
2831 &dom_info->info1.password_properties);
2832
2833 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2834 u_expire = account_policy_temp;
2835
2836 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2837 u_min_age = account_policy_temp;
2838
2839 /* !AS ROOT */
2840
2841 unbecome_root();
2842
2843 unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
2844 unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
2845
2846 if (lp_check_password_script() && *lp_check_password_script()) {
2847 dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
2848 }
2849
2850 break;
2851 case 0x02:
2852
2853 become_root();
2854
2855 /* AS ROOT !!! */
2856
2857 dom_info->general.num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2858 dom_info->general.num_groups = count_sam_groups(info->disp_info);
2859 dom_info->general.num_aliases = count_sam_aliases(info->disp_info);
2860
2861 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
2862
2863 unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
2864
2865 if (!pdb_get_seq_num(&seq_num))
2866 seq_num = time(NULL);
2867
2868 /* !AS ROOT */
2869
2870 unbecome_root();
2871
2872 server_role = ROLE_DOMAIN_PDC;
2873 if (lp_server_role() == ROLE_DOMAIN_BDC)
2874 server_role = ROLE_DOMAIN_BDC;
2875
2876 dom_info->general.oem_information.string = lp_serverstring();
2877 dom_info->general.domain_name.string = lp_workgroup();
2878 dom_info->general.primary.string = global_myname();
2879 dom_info->general.sequence_num = seq_num;
2880 dom_info->general.domain_server_state = DOMAIN_SERVER_ENABLED;
2881 dom_info->general.role = server_role;
2882 dom_info->general.unknown3 = 1;
2883
2884 break;
2885 case 0x03:
2886
2887 become_root();
2888
2889 /* AS ROOT !!! */
2890
2891 {
2892 uint32 ul;
2893 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
2894 u_logout = (time_t)ul;
2895 }
2896
2897 /* !AS ROOT */
2898
2899 unbecome_root();
2900
2901 unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
2902
2903 break;
2904 case 0x04:
2905 dom_info->oem.oem_information.string = lp_serverstring();
2906 break;
2907 case 0x05:
2908 dom_info->info5.domain_name.string = get_global_sam_name();
2909 break;
2910 case 0x06:
2911 /* NT returns its own name when a PDC. win2k and later
2912 * only the name of the PDC if itself is a BDC (samba4
2913 * idl) */
2914 dom_info->info6.primary.string = global_myname();
2915 break;
2916 case 0x07:
2917 server_role = ROLE_DOMAIN_PDC;
2918 if (lp_server_role() == ROLE_DOMAIN_BDC)
2919 server_role = ROLE_DOMAIN_BDC;
2920
2921 dom_info->info7.role = server_role;
2922 break;
2923 case 0x08:
2924
2925 become_root();
2926
2927 /* AS ROOT !!! */
2928
2929 if (!pdb_get_seq_num(&seq_num)) {
2930 seq_num = time(NULL);
2931 }
2932
2933 /* !AS ROOT */
2934
2935 unbecome_root();
2936
2937 dom_info->info8.sequence_num = seq_num;
2938 dom_info->info8.domain_create_time = 0;
2939
2940 break;
2941 case 0x0c:
2942
2943 become_root();
2944
2945 /* AS ROOT !!! */
2946
2947 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
2948 u_lock_duration = account_policy_temp;
2949 if (u_lock_duration != -1) {
2950 u_lock_duration *= 60;
2951 }
2952
2953 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
2954 u_reset_time = account_policy_temp * 60;
2955
2956 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
2957 &account_policy_temp);
2958 dom_info->info12.lockout_threshold = account_policy_temp;
2959
2960 /* !AS ROOT */
2961
2962 unbecome_root();
2963
2964 unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
2965 u_lock_duration);
2966 unix_to_nt_time_abs(&dom_info->info12.lockout_window,
2967 u_reset_time);
2968
2969 break;
2970 default:
2971 return NT_STATUS_INVALID_INFO_CLASS;
2972 }
2973
2974 *r->out.info = dom_info;
2975
2976 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2977
2978 return status;
2979 }
2980
2981 /* W2k3 seems to use the same check for all 3 objects that can be created via
2982 * SAMR, if you try to create for example "Dialup" as an alias it says
2983 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
2984 * database. */
2985
2986 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
2987 {
2988 enum lsa_SidType type;
2989 bool result;
2990
2991 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
2992
2993 become_root();
2994 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
2995 * whether the name already exists */
2996 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
2997 NULL, NULL, NULL, &type);
2998 unbecome_root();
2999
3000 if (!result) {
3001 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3002 return NT_STATUS_OK;
3003 }
3004
3005 DEBUG(5, ("trying to create %s, exists as %s\n",
3006 new_name, sid_type_lookup(type)));
3007
3008 if (type == SID_NAME_DOM_GRP) {
3009 return NT_STATUS_GROUP_EXISTS;
3010 }
3011 if (type == SID_NAME_ALIAS) {
3012 return NT_STATUS_ALIAS_EXISTS;
3013 }
3014
3015 /* Yes, the default is NT_STATUS_USER_EXISTS */
3016 return NT_STATUS_USER_EXISTS;
3017 }
3018
3019 /*******************************************************************
3020 _samr_CreateUser2
3021 ********************************************************************/
3022
3023 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3024 struct samr_CreateUser2 *r)
3025 {
3026 const char *account = NULL;
3027 DOM_SID sid;
3028 uint32_t acb_info = r->in.acct_flags;
3029 struct samr_info *info = NULL;
3030 NTSTATUS nt_status;
3031 uint32 acc_granted;
3032 SEC_DESC *psd;
3033 size_t sd_size;
3034 /* check this, when giving away 'add computer to domain' privs */
3035 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3036 bool can_add_account = False;
3037 SE_PRIV se_rights;
3038 DISP_INFO *disp_info = NULL;
3039
3040 /* Get the domain SID stored in the domain policy */
3041 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted,
3042 &disp_info))
3043 return NT_STATUS_INVALID_HANDLE;
3044
3045 if (disp_info->builtin_domain) {
3046 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3047 return NT_STATUS_ACCESS_DENIED;
3048 }
3049
3050 nt_status = access_check_samr_function(acc_granted,
3051 SAMR_DOMAIN_ACCESS_CREATE_USER,
3052 "_samr_CreateUser2");
3053 if (!NT_STATUS_IS_OK(nt_status)) {
3054 return nt_status;
3055 }
3056
3057 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3058 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3059 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3060 this parameter is not an account type */
3061 return NT_STATUS_INVALID_PARAMETER;
3062 }
3063
3064 account = r->in.account_name->string;
3065 if (account == NULL) {
3066 return NT_STATUS_NO_MEMORY;
3067 }
3068
3069 nt_status = can_create(p->mem_ctx, account);
3070 if (!NT_STATUS_IS_OK(nt_status)) {
3071 return nt_status;
3072 }
3073
3074 /* determine which user right we need to check based on the acb_info */
3075
3076 if ( acb_info & ACB_WSTRUST )
3077 {
3078 se_priv_copy( &se_rights, &se_machine_account );
3079 can_add_account = user_has_privileges(
3080 p->server_info->ptok, &se_rights );
3081 }
3082 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3083 account for domain trusts and changes the ACB flags later */
3084 else if ( acb_info & ACB_NORMAL &&
3085 (account[strlen(account)-1] != '$') )
3086 {
3087 se_priv_copy( &se_rights, &se_add_users );
3088 can_add_account = user_has_privileges(
3089 p->server_info->ptok, &se_rights );
3090 }
3091 else /* implicit assumption of a BDC or domain trust account here
3092 * (we already check the flags earlier) */
3093 {
3094 if ( lp_enable_privileges() ) {
3095 /* only Domain Admins can add a BDC or domain trust */
3096 se_priv_copy( &se_rights, &se_priv_none );
3097 can_add_account = nt_token_check_domain_rid(
3098 p->server_info->ptok,
3099 DOMAIN_GROUP_RID_ADMINS );
3100 }
3101 }
3102
3103 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3104 uidtoname(p->server_info->utok.uid),
3105 can_add_account ? "True":"False" ));
3106
3107 /********** BEGIN Admin BLOCK **********/
3108
3109 if ( can_add_account )
3110 become_root();
3111
3112 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3113 r->out.rid);
3114
3115 if ( can_add_account )
3116 unbecome_root();
3117
3118 /********** END Admin BLOCK **********/
3119
3120 /* now check for failure */
3121
3122 if ( !NT_STATUS_IS_OK(nt_status) )
3123 return nt_status;
3124
3125 /* Get the user's SID */
3126
3127 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3128
3129 map_max_allowed_access(p->server_info->ptok, &des_access);
3130
3131 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3132 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3133 se_map_generic(&des_access, &usr_generic_mapping);
3134
3135 nt_status = access_check_samr_object(psd, p->server_info->ptok,
3136 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3137 &acc_granted, "_samr_CreateUser2");
3138
3139 if ( !NT_STATUS_IS_OK(nt_status) ) {
3140 return nt_status;
3141 }
3142
3143 /* associate the user's SID with the new handle. */
3144 if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL) {
3145 return NT_STATUS_NO_MEMORY;
3146 }
3147
3148 ZERO_STRUCTP(info);
3149 info->sid = sid;
3150 info->acc_granted = acc_granted;
3151
3152 /* get a (unique) handle. open a policy on it. */
3153 if (!create_policy_hnd(p, r->out.user_handle, info)) {
3154 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3155 }
3156
3157 /* After a "set" ensure we have no cached display info. */
3158 force_flush_samr_cache(info->disp_info);
3159
3160 *r->out.access_granted = acc_granted;
3161
3162 return NT_STATUS_OK;
3163 }
3164
3165 /****************************************************************
3166 ****************************************************************/
3167
3168 NTSTATUS _samr_CreateUser(pipes_struct *p,
3169 struct samr_CreateUser *r)
3170 {
3171 struct samr_CreateUser2 c;
3172 uint32_t access_granted;
3173
3174 c.in.domain_handle = r->in.domain_handle;
3175 c.in.account_name = r->in.account_name;
3176 c.in.acct_flags = ACB_NORMAL;
3177 c.in.access_mask = r->in.access_mask;
3178 c.out.user_handle = r->out.user_handle;
3179 c.out.access_granted = &access_granted;
3180 c.out.rid = r->out.rid;
3181
3182 return _samr_CreateUser2(p, &c);
3183 }
3184
3185 /*******************************************************************
3186 _samr_Connect
3187 ********************************************************************/
3188
3189 NTSTATUS _samr_Connect(pipes_struct *p,
3190 struct samr_Connect *r)
3191 {
3192 struct samr_info *info = NULL;
3193 uint32 des_access = r->in.access_mask;
3194
3195 /* Access check */
3196
3197 if (!pipe_access_check(p)) {
3198 DEBUG(3, ("access denied to _samr_Connect\n"));
3199 return NT_STATUS_ACCESS_DENIED;
3200 }
3201
3202 /* set up the SAMR connect_anon response */
3203
3204 /* associate the user's SID with the new handle. */
3205 if ((info = get_samr_info_by_sid(p->mem_ctx, NULL)) == NULL)
3206 return NT_STATUS_NO_MEMORY;
3207
3208 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3209 was observed from a win98 client trying to enumerate users (when configured
3210 user level access control on shares) --jerry */
3211
3212 map_max_allowed_access(p->server_info->ptok, &des_access);
3213
3214 se_map_generic( &des_access, &sam_generic_mapping );
3215 info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
3216
3217 /* get a (unique) handle. open a policy on it. */
3218 if (!create_policy_hnd(p, r->out.connect_handle, info))
3219 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3220
3221 return NT_STATUS_OK;
3222 }
3223
3224 /*******************************************************************
3225 _samr_Connect2
3226 ********************************************************************/
3227
3228 NTSTATUS _samr_Connect2(pipes_struct *p,
3229 struct samr_Connect2 *r)
3230 {
3231 struct samr_info *info = NULL;
3232 SEC_DESC *psd = NULL;
3233 uint32 acc_granted;
3234 uint32 des_access = r->in.access_mask;
3235 NTSTATUS nt_status;
3236 size_t sd_size;
3237 const char *fn = "_samr_Connect2";
3238
3239 switch (p->hdr_req.opnum) {
3240 case NDR_SAMR_CONNECT2:
3241 fn = "_samr_Connect2";
3242 break;
3243 case NDR_SAMR_CONNECT3:
3244 fn = "_samr_Connect3";
3245 break;
3246 case NDR_SAMR_CONNECT4:
3247 fn = "_samr_Connect4";
3248 break;
3249 case NDR_SAMR_CONNECT5:
3250 fn = "_samr_Connect5";
3251 break;
3252 }
3253
3254 DEBUG(5,("%s: %d\n", fn, __LINE__));
3255
3256 /* Access check */
3257
3258 if (!pipe_access_check(p)) {
3259 DEBUG(3, ("access denied to %s\n", fn));
3260 return NT_STATUS_ACCESS_DENIED;
3261 }
3262
3263 map_max_allowed_access(p->server_info->ptok, &des_access);
3264
3265 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3266 se_map_generic(&des_access, &sam_generic_mapping);
3267
3268 nt_status = access_check_samr_object(psd, p->server_info->ptok,
3269 NULL, 0, des_access, &acc_granted, fn);
3270
3271 if ( !NT_STATUS_IS_OK(nt_status) )
3272 return nt_status;
3273
3274 /* associate the user's SID and access granted with the new handle. */
3275 if ((info = get_samr_info_by_sid(p->mem_ctx, NULL)) == NULL)
3276 return NT_STATUS_NO_MEMORY;
3277
3278 info->acc_granted = acc_granted;
3279 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3280
3281 /* get a (unique) handle. open a policy on it. */
3282 if (!create_policy_hnd(p, r->out.connect_handle, info))
3283 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3284
3285 DEBUG(5,("%s: %d\n", fn, __LINE__));
3286
3287 return nt_status;
3288 }
3289
3290 /****************************************************************
3291 _samr_Connect3
3292 ****************************************************************/
3293
3294 NTSTATUS _samr_Connect3(pipes_struct *p,
3295 struct samr_Connect3 *r)
3296 {
3297 struct samr_Connect2 c;
3298
3299 c.in.system_name = r->in.system_name;
3300 c.in.access_mask = r->in.access_mask;
3301 c.out.connect_handle = r->out.connect_handle;
3302
3303 return _samr_Connect2(p, &c);
3304 }
3305
3306 /*******************************************************************
3307 _samr_Connect4
3308 ********************************************************************/
3309
3310 NTSTATUS _samr_Connect4(pipes_struct *p,
3311 struct samr_Connect4 *r)
3312 {
3313 struct samr_Connect2 c;
3314
3315 c.in.system_name = r->in.system_name;
3316 c.in.access_mask = r->in.access_mask;
3317 c.out.connect_handle = r->out.connect_handle;
3318
3319 return _samr_Connect2(p, &c);
3320 }
3321
3322 /*******************************************************************
3323 _samr_Connect5
3324 ********************************************************************/
3325
3326 NTSTATUS _samr_Connect5(pipes_struct *p,
3327 struct samr_Connect5 *r)
3328 {
3329 NTSTATUS status;
3330 struct samr_Connect2 c;
3331 struct samr_ConnectInfo1 info1;
3332
3333 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3334 info1.unknown2 = 0;
3335
3336 c.in.system_name = r->in.system_name;
3337 c.in.access_mask = r->in.access_mask;
3338 c.out.connect_handle = r->out.connect_handle;
3339
3340 status = _samr_Connect2(p, &c);
3341 if (!NT_STATUS_IS_OK(status)) {
3342 return status;
3343 }
3344
3345 *r->out.level_out = 1;
3346 r->out.info_out->info1 = info1;
3347
3348 return NT_STATUS_OK;
3349 }
3350
3351 /**********************************************************************
3352 _samr_LookupDomain
3353 **********************************************************************/
3354
3355 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3356 struct samr_LookupDomain *r)
3357 {
3358 NTSTATUS status = NT_STATUS_OK;
3359 struct samr_info *info;
3360 const char *domain_name;
3361 DOM_SID *sid = NULL;
3362
3363 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3364 return NT_STATUS_INVALID_HANDLE;
3365
3366 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3367 Reverted that change so we will work with RAS servers again */
3368
3369 status = access_check_samr_function(info->acc_granted,
3370 SAMR_ACCESS_LOOKUP_DOMAIN,
3371 "_samr_LookupDomain");
3372 if (!NT_STATUS_IS_OK(status)) {
3373 return status;
3374 }
3375
3376 domain_name = r->in.domain_name->string;
3377 if (!domain_name) {
3378 return NT_STATUS_INVALID_PARAMETER;
3379 }
3380
3381 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3382 if (!sid) {
3383 return NT_STATUS_NO_MEMORY;
3384 }
3385
3386 if (strequal(domain_name, builtin_domain_name())) {
3387 sid_copy(sid, &global_sid_Builtin);
3388 } else {
3389 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3390 status = NT_STATUS_NO_SUCH_DOMAIN;
3391 }
3392 }
3393
3394 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3395 sid_string_dbg(sid)));
3396
3397 *r->out.sid = sid;
3398
3399 return status;
3400 }
3401
3402 /**********************************************************************
3403 _samr_EnumDomains
3404 **********************************************************************/
3405
3406 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3407 struct samr_EnumDomains *r)
3408 {
3409 NTSTATUS status;
3410 struct samr_info *info;
3411 uint32_t num_entries = 2;
3412 struct samr_SamEntry *entry_array = NULL;
3413 struct samr_SamArray *sam;
3414
3415 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3416 return NT_STATUS_INVALID_HANDLE;
3417
3418 status = access_check_samr_function(info->acc_granted,
3419 SAMR_ACCESS_ENUM_DOMAINS,
3420 "_samr_EnumDomains");
3421 if (!NT_STATUS_IS_OK(status)) {
3422 return status;
3423 }
3424
3425 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3426 if (!sam) {
3427 return NT_STATUS_NO_MEMORY;
3428 }
3429
3430 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3431 struct samr_SamEntry,
3432 num_entries);
3433 if (!entry_array) {
3434 return NT_STATUS_NO_MEMORY;
3435 }
3436
3437 entry_array[0].idx = 0;
3438 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3439
3440 entry_array[1].idx = 1;
3441 init_lsa_String(&entry_array[1].name, "Builtin");
3442
3443 sam->count = num_entries;
3444 sam->entries = entry_array;
3445
3446 *r->out.sam = sam;
3447 *r->out.num_entries = num_entries;
3448
3449 return status;
3450 }
3451
3452 /*******************************************************************
3453 _samr_OpenAlias
3454 ********************************************************************/
3455
3456 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3457 struct samr_OpenAlias *r)
3458 {
3459 DOM_SID sid;
3460 uint32 alias_rid = r->in.rid;
3461 struct samr_info *info = NULL;
3462 SEC_DESC *psd = NULL;
3463 uint32 acc_granted;
3464 uint32 des_access = r->in.access_mask;
3465 size_t sd_size;
3466 NTSTATUS status;
3467 SE_PRIV se_rights;
3468
3469 /* find the domain policy and get the SID / access bits stored in the domain policy */
3470
3471 if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
3472 return NT_STATUS_INVALID_HANDLE;
3473
3474 status = access_check_samr_function(acc_granted,
3475 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
3476 "_samr_OpenAlias");
3477
3478 if ( !NT_STATUS_IS_OK(status) )
3479 return status;
3480
3481 /* append the alias' RID to it */
3482
3483 if (!sid_append_rid(&sid, alias_rid))
3484 return NT_STATUS_NO_SUCH_ALIAS;
3485
3486 /*check if access can be granted as requested by client. */
3487
3488 map_max_allowed_access(p->server_info->ptok, &des_access);
3489
3490 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3491 se_map_generic(&des_access,&ali_generic_mapping);
3492
3493 se_priv_copy( &se_rights, &se_add_users );
3494
3495
3496 status = access_check_samr_object(psd, p->server_info->ptok,
3497 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3498 &acc_granted, "_samr_OpenAlias");
3499
3500 if ( !NT_STATUS_IS_OK(status) )
3501 return status;
3502
3503 {
3504 /* Check we actually have the requested alias */
3505 enum lsa_SidType type;
3506 bool result;
3507 gid_t gid;
3508
3509 become_root();
3510 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3511 unbecome_root();
3512
3513 if (!result || (type != SID_NAME_ALIAS)) {
3514 return NT_STATUS_NO_SUCH_ALIAS;
3515 }
3516
3517 /* make sure there is a mapping */
3518
3519 if ( !sid_to_gid( &sid, &gid ) ) {
3520 return NT_STATUS_NO_SUCH_ALIAS;
3521 }
3522
3523 }
3524
3525 /* associate the alias SID with the new handle. */
3526 if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL)
3527 return NT_STATUS_NO_MEMORY;
3528
3529 info->acc_granted = acc_granted;
3530
3531 /* get a (unique) handle. open a policy on it. */
3532 if (!create_policy_hnd(p, r->out.alias_handle, info))
3533 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3534
3535 return NT_STATUS_OK;
3536 }
3537
3538 /*******************************************************************
3539 set_user_info_7
3540 ********************************************************************/
3541
3542 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3543 struct samr_UserInfo7 *id7,
3544 struct samu *pwd)
3545 {
3546 NTSTATUS rc;
3547
3548 if (id7 == NULL) {
3549 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3550 return NT_STATUS_ACCESS_DENIED;
3551 }
3552
3553 if (!id7->account_name.string) {
3554 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3555 return NT_STATUS_ACCESS_DENIED;
3556 }
3557
3558 /* check to see if the new username already exists. Note: we can't
3559 reliably lock all backends, so there is potentially the
3560 possibility that a user can be created in between this check and
3561 the rename. The rename should fail, but may not get the
3562 exact same failure status code. I think this is small enough
3563 of a window for this type of operation and the results are
3564 simply that the rename fails with a slightly different status
3565 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3566
3567 rc = can_create(mem_ctx, id7->account_name.string);
3568 if (!NT_STATUS_IS_OK(rc)) {
3569 return rc;
3570 }
3571
3572 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3573
3574 return rc;
3575 }
3576
3577 /*******************************************************************
3578 set_user_info_16
3579 ********************************************************************/
3580
3581 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3582 struct samu *pwd)
3583 {
3584 if (id16 == NULL) {
3585 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3586 return False;
3587 }
3588
3589 /* FIX ME: check if the value is really changed --metze */
3590 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3591 return False;
3592 }
3593
3594 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3595 return False;
3596 }
3597
3598 return True;
3599 }
3600
3601 /*******************************************************************
3602 set_user_info_18
3603 ********************************************************************/
3604
3605 static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
3606 TALLOC_CTX *mem_ctx,
3607 DATA_BLOB *session_key,
3608 struct samu *pwd)
3609 {
3610 if (id18 == NULL) {
3611 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3612 return NT_STATUS_INVALID_PARAMETER;
3613 }
3614
3615 if (id18->nt_pwd_active || id18->lm_pwd_active) {
3616 if (!session_key->length) {
3617 return NT_STATUS_NO_USER_SESSION_KEY;
3618 }
3619 }
3620
3621 if (id18->nt_pwd_active) {
3622
3623 DATA_BLOB in, out;
3624
3625 in = data_blob_const(id18->nt_pwd.hash, 16);
3626 out = data_blob_talloc_zero(mem_ctx, 16);
3627
3628 sess_crypt_blob(&out, &in, session_key, false);
3629
3630 if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
3631 return NT_STATUS_ACCESS_DENIED;
3632 }
3633
3634 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3635 }
3636
3637 if (id18->lm_pwd_active) {
3638
3639 DATA_BLOB in, out;
3640
3641 in = data_blob_const(id18->lm_pwd.hash, 16);
3642 out = data_blob_talloc_zero(mem_ctx, 16);
3643
3644 sess_crypt_blob(&out, &in, session_key, false);
3645
3646 if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
3647 return NT_STATUS_ACCESS_DENIED;
3648 }
3649
3650 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3651 }
3652
3653 copy_id18_to_sam_passwd(pwd, id18);
3654
3655 return pdb_update_sam_account(pwd);
3656 }
3657
3658 /*******************************************************************
3659 set_user_info_20
3660 ********************************************************************/
3661
3662 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3663 struct samu *pwd)
3664 {
3665 if (id20 == NULL) {
3666 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3667 return False;
3668 }
3669
3670 copy_id20_to_sam_passwd(pwd, id20);
3671
3672 /* write the change out */
3673 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3674 return False;
3675 }
3676
3677 return True;
3678 }
3679
3680 /*******************************************************************
3681 set_user_info_21
3682 ********************************************************************/
3683
3684 static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
3685 TALLOC_CTX *mem_ctx,
3686 DATA_BLOB *session_key,
3687 struct samu *pwd)
3688 {
3689 NTSTATUS status;
3690
3691 if (id21 == NULL) {
3692 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3693 return NT_STATUS_INVALID_PARAMETER;
3694 }
3695
3696 if (id21->fields_present == 0) {
3697 return NT_STATUS_INVALID_PARAMETER;
3698 }
3699
3700 if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
3701 return NT_STATUS_ACCESS_DENIED;
3702 }
3703
3704 if (id21->fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
3705 if (id21->nt_password_set) {
3706 DATA_BLOB in, out;
3707
3708 if ((id21->nt_owf_password.length != 16) ||
3709 (id21->nt_owf_password.size != 16)) {
3710 return NT_STATUS_INVALID_PARAMETER;
3711 }
3712
3713 if (!session_key->length) {
3714 return NT_STATUS_NO_USER_SESSION_KEY;
3715 }
3716
3717 in = data_blob_const(id21->nt_owf_password.array, 16);
3718 out = data_blob_talloc_zero(mem_ctx, 16);
3719
3720 sess_crypt_blob(&out, &in, session_key, false);
3721
3722 pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
3723 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3724 }
3725 }
3726
3727 if (id21->fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
3728 if (id21->lm_password_set) {
3729 DATA_BLOB in, out;
3730
3731 if ((id21->lm_owf_password.length != 16) ||
3732 (id21->lm_owf_password.size != 16)) {
3733 return NT_STATUS_INVALID_PARAMETER;
3734 }
3735
3736 if (!session_key->length) {
3737 return NT_STATUS_NO_USER_SESSION_KEY;
3738 }
3739
3740 in = data_blob_const(id21->lm_owf_password.array, 16);
3741 out = data_blob_talloc_zero(mem_ctx, 16);
3742
3743 sess_crypt_blob(&out, &in, session_key, false);
3744
3745 pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
3746 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3747 }
3748 }
3749
3750 /* we need to separately check for an account rename first */
3751
3752 if (id21->account_name.string &&
3753 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3754 {
3755
3756 /* check to see if the new username already exists. Note: we can't
3757 reliably lock all backends, so there is potentially the
3758 possibility that a user can be created in between this check and
3759 the rename. The rename should fail, but may not get the
3760 exact same failure status code. I think this is small enough
3761 of a window for this type of operation and the results are
3762 simply that the rename fails with a slightly different status
3763 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3764
3765 status = can_create(mem_ctx, id21->account_name.string);
3766 if (!NT_STATUS_IS_OK(status)) {
3767 return status;
3768 }
3769
3770 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3771
3772 if (!NT_STATUS_IS_OK(status)) {
3773 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3774 nt_errstr(status)));
3775 return status;
3776 }
3777
3778 /* set the new username so that later
3779 functions can work on the new account */
3780 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3781 }
3782
3783 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3784
3785 /*
3786 * The funny part about the previous two calls is
3787 * that pwd still has the password hashes from the
3788 * passdb entry. These have not been updated from
3789 * id21. I don't know if they need to be set. --jerry
3790 */
3791
3792 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3793 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3794 if ( !NT_STATUS_IS_OK(status) ) {
3795 return status;
3796 }
3797 }
3798
3799 /* Don't worry about writing out the user account since the
3800 primary group SID is generated solely from the user's Unix
3801 primary group. */
3802
3803 /* write the change out */
3804 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3805 return status;
3806 }
3807
3808 return NT_STATUS_OK;
3809 }
3810
3811 /*******************************************************************
3812 set_user_info_23
3813 ********************************************************************/
3814
3815 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3816 struct samr_UserInfo23 *id23,
3817 struct samu *pwd)
3818 {
3819 char *plaintext_buf = NULL;
3820 uint32 len = 0;
3821 uint32_t acct_ctrl;
3822 NTSTATUS status;
3823
3824 if (id23 == NULL) {
3825 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3826 return NT_STATUS_INVALID_PARAMETER;
3827 }
3828
3829 if (id23->info.fields_present == 0) {
3830 return NT_STATUS_INVALID_PARAMETER;
3831 }
3832
3833 if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
3834 return NT_STATUS_ACCESS_DENIED;
3835 }
3836
3837 if ((id23->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
3838 (id23->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
3839
3840 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3841 pdb_get_username(pwd)));
3842
3843 if (!decode_pw_buffer(mem_ctx,
3844 id23->password.data,
3845 &plaintext_buf,
3846 &len,
3847 STR_UNICODE)) {
3848 return NT_STATUS_WRONG_PASSWORD;
3849 }
3850
3851 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3852 return NT_STATUS_ACCESS_DENIED;
3853 }
3854 }
3855
3856 copy_id23_to_sam_passwd(pwd, id23);
3857
3858 acct_ctrl = pdb_get_acct_ctrl(pwd);
3859
3860 /* if it's a trust account, don't update /etc/passwd */
3861 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3862 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3863 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3864 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3865 } else if (plaintext_buf) {
3866 /* update the UNIX password */
3867 if (lp_unix_password_sync() ) {
3868 struct passwd *passwd;
3869 if (pdb_get_username(pwd) == NULL) {
3870 DEBUG(1, ("chgpasswd: User without name???\n"));
3871 return NT_STATUS_ACCESS_DENIED;
3872 }
3873
3874 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3875 if (passwd == NULL) {
3876 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3877 }
3878
3879 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3880 return NT_STATUS_ACCESS_DENIED;
3881 }
3882 TALLOC_FREE(passwd);
3883 }
3884 }
3885
3886 if (plaintext_buf) {
3887 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3888 }
3889
3890 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3891 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3892 pwd)))) {
3893 return status;
3894 }
3895
3896 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3897 return status;
3898 }
3899
3900 return NT_STATUS_OK;
3901 }
3902
3903 /*******************************************************************
3904 set_user_info_pw
3905 ********************************************************************/
3906
3907 static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
3908 {
3909 uint32 len = 0;
3910 char *plaintext_buf = NULL;
3911 uint32 acct_ctrl;
3912
3913 DEBUG(5, ("Attempting administrator password change for user %s\n",
3914 pdb_get_username(pwd)));
3915
3916 acct_ctrl = pdb_get_acct_ctrl(pwd);
3917
3918 if (!decode_pw_buffer(talloc_tos(),
3919 pass,
3920 &plaintext_buf,
3921 &len,
3922 STR_UNICODE)) {
3923 return False;
3924 }
3925
3926 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3927 return False;
3928 }
3929
3930 /* if it's a trust account, don't update /etc/passwd */
3931 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3932 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3933 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3934 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3935 } else {
3936 /* update the UNIX password */
3937 if (lp_unix_password_sync()) {
3938 struct passwd *passwd;
3939
3940 if (pdb_get_username(pwd) == NULL) {
3941 DEBUG(1, ("chgpasswd: User without name???\n"));
3942 return False;
3943 }
3944
3945 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3946 if (passwd == NULL) {
3947 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3948 }
3949
3950 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3951 return False;
3952 }
3953 TALLOC_FREE(passwd);
3954 }
3955 }
3956
3957 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3958
3959 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
3960
3961 return True;
3962 }
3963
3964 /*******************************************************************
3965 set_user_info_24
3966 ********************************************************************/
3967
3968 static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
3969 struct samr_UserInfo24 *id24,
3970 struct samu *pwd)
3971 {
3972 NTSTATUS status;
3973
3974 if (id24 == NULL) {
3975 DEBUG(5, ("set_user_info_24: NULL id24\n"));
3976 return NT_STATUS_INVALID_PARAMETER;
3977 }
3978
3979 if (!set_user_info_pw(id24->password.data, pwd)) {
3980 return NT_STATUS_WRONG_PASSWORD;
3981 }
3982
3983 copy_id24_to_sam_passwd(pwd, id24);
3984
3985 status = pdb_update_sam_account(pwd);
3986 if (!NT_STATUS_IS_OK(status)) {
3987 return status;
3988 }
3989
3990 return NT_STATUS_OK;
3991 }
3992
3993 /*******************************************************************
3994 set_user_info_25
3995 ********************************************************************/
3996
3997 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
3998 struct samr_UserInfo25 *id25,
3999 struct samu *pwd)
4000 {
4001 NTSTATUS status;
4002
4003 if (id25 == NULL) {
4004 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4005 return NT_STATUS_INVALID_PARAMETER;
4006 }
4007
4008 if (id25->info.fields_present == 0) {
4009 return NT_STATUS_INVALID_PARAMETER;
4010 }
4011
4012 if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4013 return NT_STATUS_ACCESS_DENIED;
4014 }
4015
4016 if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4017 (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4018
4019 if (!set_user_info_pw(id25->password.data, pwd)) {
4020 return NT_STATUS_WRONG_PASSWORD;
4021 }
4022 }
4023
4024 copy_id25_to_sam_passwd(pwd, id25);
4025
4026 /* write the change out */
4027 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4028 return status;
4029 }
4030
4031 /*
4032 * We need to "pdb_update_sam_account" before the unix primary group
4033 * is set, because the idealx scripts would also change the
4034 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4035 * the delete explicit / add explicit, which would then fail to find
4036 * the previous primaryGroupSid value.
4037 */
4038
4039 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4040 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4041 if ( !NT_STATUS_IS_OK(status) ) {
4042 return status;
4043 }
4044 }
4045
4046 return NT_STATUS_OK;
4047 }
4048
4049 /*******************************************************************
4050 set_user_info_26
4051 ********************************************************************/
4052
4053 static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4054 struct samr_UserInfo26 *id26,
4055 struct samu *pwd)
4056 {
4057 NTSTATUS status;
4058
4059 if (id26 == NULL) {
4060 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4061 return NT_STATUS_INVALID_PARAMETER;
4062 }
4063
4064 if (!set_user_info_pw(id26->password.data, pwd)) {
4065 return NT_STATUS_WRONG_PASSWORD;
4066 }
4067
4068 copy_id26_to_sam_passwd(pwd, id26);
4069
4070 status = pdb_update_sam_account(pwd);
4071 if (!NT_STATUS_IS_OK(status)) {
4072 return status;
4073 }
4074
4075 return NT_STATUS_OK;
4076 }
4077
4078
4079 /*******************************************************************
4080 samr_SetUserInfo
4081 ********************************************************************/
4082
4083 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4084 struct samr_SetUserInfo *r)
4085 {
4086 NTSTATUS status;
4087 struct samu *pwd = NULL;
4088 DOM_SID sid;
4089 union samr_UserInfo *info = r->in.info;
4090 uint16_t switch_value = r->in.level;
4091 uint32_t acc_granted;
4092 uint32_t acc_required;
4093 bool ret;
4094 bool has_enough_rights = False;
4095 uint32_t acb_info;
4096 DISP_INFO *disp_info = NULL;
4097
4098 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
4099
4100 /* find the policy handle. open a policy on it. */
4101 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, &disp_info)) {
4102 return NT_STATUS_INVALID_HANDLE;
4103 }
4104
4105 /* This is tricky. A WinXP domain join sets
4106 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4107 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4108 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4109 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4110 we'll use the set from the WinXP join as the basis. */
4111
4112 switch (switch_value) {
4113 case 18:
4114 case 24:
4115 case 25:
4116 case 26:
4117 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
4118 break;
4119 default:
4120 acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
4121 SAMR_USER_ACCESS_SET_ATTRIBUTES |
4122 SAMR_USER_ACCESS_GET_ATTRIBUTES;
4123 break;
4124 }
4125
4126 status = access_check_samr_function(acc_granted,
4127 acc_required,
4128 "_samr_SetUserInfo");
4129 if (!NT_STATUS_IS_OK(status)) {
4130 return status;
4131 }
4132
4133 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4134 sid_string_dbg(&sid), switch_value));
4135
4136 if (info == NULL) {
4137 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4138 return NT_STATUS_INVALID_INFO_CLASS;
4139 }
4140
4141 if (!(pwd = samu_new(NULL))) {
4142 return NT_STATUS_NO_MEMORY;
4143 }
4144
4145 become_root();
4146 ret = pdb_getsampwsid(pwd, &sid);
4147 unbecome_root();
4148
4149 if (!ret) {
4150 TALLOC_FREE(pwd);
4151 return NT_STATUS_NO_SUCH_USER;
4152 }
4153
4154 /* deal with machine password changes differently from userinfo changes */
4155 /* check to see if we have the sufficient rights */
4156
4157 acb_info = pdb_get_acct_ctrl(pwd);
4158 if (acb_info & ACB_WSTRUST)
4159 has_enough_rights = user_has_privileges(p->server_info->ptok,
4160 &se_machine_account);
4161 else if (acb_info & ACB_NORMAL)
4162 has_enough_rights = user_has_privileges(p->server_info->ptok,
4163 &se_add_users);
4164 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4165 if (lp_enable_privileges()) {
4166 has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
4167 DOMAIN_GROUP_RID_ADMINS);
4168 }
4169 }
4170
4171 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4172 uidtoname(p->server_info->utok.uid),
4173 has_enough_rights ? "" : " not"));
4174
4175 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4176
4177 if (has_enough_rights) {
4178 become_root();
4179 }
4180
4181 /* ok! user info levels (lots: see MSDEV help), off we go... */
4182
4183 switch (switch_value) {
4184
4185 case 7:
4186 status = set_user_info_7(p->mem_ctx,
4187 &info->info7, pwd);
4188 break;
4189
4190 case 16:
4191 if (!set_user_info_16(&info->info16, pwd)) {
4192 status = NT_STATUS_ACCESS_DENIED;
4193 }
4194 break;
4195
4196 case 18:
4197 /* Used by AS/U JRA. */
4198 status = set_user_info_18(&info->info18,
4199 p->mem_ctx,
4200 &p->server_info->user_session_key,
4201 pwd);
4202 break;
4203
4204 case 20:
4205 if (!set_user_info_20(&info->info20, pwd)) {
4206 status = NT_STATUS_ACCESS_DENIED;
4207 }
4208 break;
4209
4210 case 21:
4211 status = set_user_info_21(&info->info21,
4212 p->mem_ctx,
4213 &p->server_info->user_session_key,
4214 pwd);
4215 break;
4216
4217 case 23:
4218 if (!p->server_info->user_session_key.length) {
4219 status = NT_STATUS_NO_USER_SESSION_KEY;
4220 }
4221 SamOEMhashBlob(info->info23.password.data, 516,
4222 &p->server_info->user_session_key);
4223
4224 dump_data(100, info->info23.password.data, 516);
4225
4226 status = set_user_info_23(p->mem_ctx,
4227 &info->info23, pwd);
4228 break;
4229
4230 case 24:
4231 if (!p->server_info->user_session_key.length) {
4232 status = NT_STATUS_NO_USER_SESSION_KEY;
4233 }
4234 SamOEMhashBlob(info->info24.password.data,
4235 516,
4236 &p->server_info->user_session_key);
4237
4238 dump_data(100, info->info24.password.data, 516);
4239
4240 status = set_user_info_24(p->mem_ctx,
4241 &info->info24, pwd);
4242 break;
4243
4244 case 25:
4245 if (!p->server_info->user_session_key.length) {
4246 status = NT_STATUS_NO_USER_SESSION_KEY;
4247 }
4248 encode_or_decode_arc4_passwd_buffer(
4249 info->info25.password.data,
4250 &p->server_info->user_session_key);
4251
4252 dump_data(100, info->info25.password.data, 532);
4253
4254 status = set_user_info_25(p->mem_ctx,
4255 &info->info25, pwd);
4256 break;
4257
4258 case 26:
4259 if (!p->server_info->user_session_key.length) {
4260 status = NT_STATUS_NO_USER_SESSION_KEY;
4261 }
4262 encode_or_decode_arc4_passwd_buffer(
4263 info->info26.password.data,
4264 &p->server_info->user_session_key);
4265
4266 dump_data(100, info->info26.password.data, 516);
4267
4268 status = set_user_info_26(p->mem_ctx,
4269 &info->info26, pwd);
4270 break;
4271
4272 default:
4273 status = NT_STATUS_INVALID_INFO_CLASS;
4274 }
4275
4276 TALLOC_FREE(pwd);
4277
4278 if (has_enough_rights) {
4279 unbecome_root();
4280 }
4281
4282 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4283
4284 if (NT_STATUS_IS_OK(status)) {
4285 force_flush_samr_cache(disp_info);
4286 }
4287
4288 return status;
4289 }
4290
4291 /*******************************************************************
4292 _samr_SetUserInfo2
4293 ********************************************************************/
4294
4295 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4296 struct samr_SetUserInfo2 *r)
4297 {
4298 struct samr_SetUserInfo q;
4299
4300 q.in.user_handle = r->in.user_handle;
4301 q.in.level = r->in.level;
4302 q.in.info = r->in.info;
4303
4304 return _samr_SetUserInfo(p, &q);
4305 }
4306
4307 /*********************************************************************
4308 _samr_GetAliasMembership
4309 *********************************************************************/
4310
4311 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4312 struct samr_GetAliasMembership *r)
4313 {
4314 size_t num_alias_rids;
4315 uint32 *alias_rids;
4316 struct samr_info *info = NULL;
4317 size_t i;
4318
4319 NTSTATUS ntstatus1;
4320 NTSTATUS ntstatus2;
4321
4322 DOM_SID *members;
4323
4324 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4325
4326 /* find the policy handle. open a policy on it. */
4327 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4328 return NT_STATUS_INVALID_HANDLE;
4329
4330 ntstatus1 = access_check_samr_function(info->acc_granted,
4331 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
4332 "_samr_GetAliasMembership");
4333 ntstatus2 = access_check_samr_function(info->acc_granted,
4334 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
4335 "_samr_GetAliasMembership");
4336
4337 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4338 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4339 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4340 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4341 }
4342 }
4343
4344 if (!sid_check_is_domain(&info->sid) &&
4345 !sid_check_is_builtin(&info->sid))
4346 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4347
4348 if (r->in.sids->num_sids) {
4349 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4350
4351 if (members == NULL)
4352 return NT_STATUS_NO_MEMORY;
4353 } else {
4354 members = NULL;
4355 }
4356
4357 for (i=0; i<r->in.sids->num_sids; i++)
4358 sid_copy(&members[i], r->in.sids->sids[i].sid);
4359
4360 alias_rids = NULL;
4361 num_alias_rids = 0;
4362
4363 become_root();
4364 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4365 r->in.sids->num_sids,
4366 &alias_rids, &num_alias_rids);
4367 unbecome_root();
4368
4369 if (!NT_STATUS_IS_OK(ntstatus1)) {
4370 return ntstatus1;
4371 }
4372
4373 r->out.rids->count = num_alias_rids;
4374 r->out.rids->ids = alias_rids;
4375
4376 return NT_STATUS_OK;
4377 }
4378
4379 /*********************************************************************
4380 _samr_GetMembersInAlias
4381 *********************************************************************/
4382
4383 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4384 struct samr_GetMembersInAlias *r)
4385 {
4386 NTSTATUS status;
4387 size_t i;
4388 size_t num_sids = 0;
4389 struct lsa_SidPtr *sids = NULL;
4390 DOM_SID *pdb_sids = NULL;
4391
4392 DOM_SID alias_sid;
4393
4394 uint32 acc_granted;
4395
4396 /* find the policy handle. open a policy on it. */
4397 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4398 return NT_STATUS_INVALID_HANDLE;
4399
4400 status = access_check_samr_function(acc_granted,
4401 SAMR_ALIAS_ACCESS_GET_MEMBERS,
4402 "_samr_GetMembersInAlias");
4403 if (!NT_STATUS_IS_OK(status)) {
4404 return status;
4405 }
4406
4407 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4408
4409 become_root();
4410 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4411 unbecome_root();
4412
4413 if (!NT_STATUS_IS_OK(status)) {
4414 return status;
4415 }
4416
4417 if (num_sids) {
4418 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4419 if (sids == NULL) {
4420 TALLOC_FREE(pdb_sids);
4421 return NT_STATUS_NO_MEMORY;
4422 }
4423 }
4424
4425 for (i = 0; i < num_sids; i++) {
4426 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4427 if (!sids[i].sid) {
4428 TALLOC_FREE(pdb_sids);
4429 return NT_STATUS_NO_MEMORY;
4430 }
4431 }
4432
4433 r->out.sids->num_sids = num_sids;
4434 r->out.sids->sids = sids;
4435
4436 TALLOC_FREE(pdb_sids);
4437
4438 return NT_STATUS_OK;
4439 }
4440
4441 /*********************************************************************
4442 _samr_QueryGroupMember
4443 *********************************************************************/
4444
4445 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4446 struct samr_QueryGroupMember *r)
4447 {
4448 DOM_SID group_sid;
4449 size_t i, num_members;
4450
4451 uint32 *rid=NULL;
4452 uint32 *attr=NULL;
4453
4454 uint32 acc_granted;
4455
4456 NTSTATUS status;
4457 struct samr_RidTypeArray *rids = NULL;
4458
4459 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4460 if (!rids) {
4461 return NT_STATUS_NO_MEMORY;
4462 }
4463
4464 /* find the policy handle. open a policy on it. */
4465 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4466 return NT_STATUS_INVALID_HANDLE;
4467
4468 status = access_check_samr_function(acc_granted,
4469 SAMR_GROUP_ACCESS_GET_MEMBERS,
4470 "_samr_QueryGroupMember");
4471 if (!NT_STATUS_IS_OK(status)) {
4472 return status;
4473 }
4474
4475 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4476
4477 if (!sid_check_is_in_our_domain(&group_sid)) {
4478 DEBUG(3, ("sid %s is not in our domain\n",
4479 sid_string_dbg(&group_sid)));
4480 return NT_STATUS_NO_SUCH_GROUP;
4481 }
4482
4483 DEBUG(10, ("lookup on Domain SID\n"));
4484
4485 become_root();
4486 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4487 &rid, &num_members);
4488 unbecome_root();
4489
4490 if (!NT_STATUS_IS_OK(status))
4491 return status;
4492
4493 if (num_members) {
4494 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4495 if (attr == NULL) {
4496 return NT_STATUS_NO_MEMORY;
4497 }
4498 } else {
4499 attr = NULL;
4500 }
4501
4502 for (i=0; i<num_members; i++)
4503 attr[i] = SID_NAME_USER;
4504
4505 rids->count = num_members;
4506 rids->types = attr;
4507 rids->rids = rid;
4508
4509 *r->out.rids = rids;
4510
4511 return NT_STATUS_OK;
4512 }
4513
4514 /*********************************************************************
4515 _samr_AddAliasMember
4516 *********************************************************************/
4517
4518 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4519 struct samr_AddAliasMember *r)
4520 {
4521 DOM_SID alias_sid;
4522 uint32 acc_granted;
4523 SE_PRIV se_rights;
4524 bool can_add_accounts;
4525 NTSTATUS status;
4526 DISP_INFO *disp_info = NULL;
4527
4528 /* Find the policy handle. Open a policy on it. */
4529 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4530 return NT_STATUS_INVALID_HANDLE;
4531
4532 status = access_check_samr_function(acc_granted,
4533 SAMR_ALIAS_ACCESS_ADD_MEMBER,
4534 "_samr_AddAliasMember");
4535 if (!NT_STATUS_IS_OK(status)) {
4536 return status;
4537 }
4538
4539 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4540
4541 se_priv_copy( &se_rights, &se_add_users );
4542 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4543
4544 /******** BEGIN SeAddUsers BLOCK *********/
4545
4546 if ( can_add_accounts )
4547 become_root();
4548
4549 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4550
4551 if ( can_add_accounts )
4552 unbecome_root();
4553
4554 /******** END SeAddUsers BLOCK *********/
4555
4556 if (NT_STATUS_IS_OK(status)) {
4557 force_flush_samr_cache(disp_info);
4558 }
4559
4560 return status;
4561 }
4562
4563 /*********************************************************************
4564 _samr_DeleteAliasMember
4565 *********************************************************************/
4566
4567 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4568 struct samr_DeleteAliasMember *r)
4569 {
4570 DOM_SID alias_sid;
4571 uint32 acc_granted;
4572 SE_PRIV se_rights;
4573 bool can_add_accounts;
4574 NTSTATUS status;
4575 DISP_INFO *disp_info = NULL;
4576
4577 /* Find the policy handle. Open a policy on it. */
4578 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4579 return NT_STATUS_INVALID_HANDLE;
4580
4581 status = access_check_samr_function(acc_granted,
4582 SAMR_ALIAS_ACCESS_REMOVE_MEMBER,
4583 "_samr_DeleteAliasMember");
4584 if (!NT_STATUS_IS_OK(status)) {
4585 return status;
4586 }
4587
4588 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4589 sid_string_dbg(&alias_sid)));
4590
4591 se_priv_copy( &se_rights, &se_add_users );
4592 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4593
4594 /******** BEGIN SeAddUsers BLOCK *********/
4595
4596 if ( can_add_accounts )
4597 become_root();
4598
4599 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4600
4601 if ( can_add_accounts )
4602 unbecome_root();
4603
4604 /******** END SeAddUsers BLOCK *********/
4605
4606 if (NT_STATUS_IS_OK(status)) {
4607 force_flush_samr_cache(disp_info);
4608 }
4609
4610 return status;
4611 }
4612
4613 /*********************************************************************
4614 _samr_AddGroupMember
4615 *********************************************************************/
4616
4617 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4618 struct samr_AddGroupMember *r)
4619 {
4620 NTSTATUS status;
4621 DOM_SID group_sid;
4622 uint32 group_rid;
4623 uint32 acc_granted;
4624 SE_PRIV se_rights;
4625 bool can_add_accounts;
4626 DISP_INFO *disp_info = NULL;
4627
4628 /* Find the policy handle. Open a policy on it. */
4629 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4630 return NT_STATUS_INVALID_HANDLE;
4631
4632 status = access_check_samr_function(acc_granted,
4633 SAMR_GROUP_ACCESS_ADD_MEMBER,
4634 "_samr_AddGroupMember");
4635 if (!NT_STATUS_IS_OK(status)) {
4636 return status;
4637 }
4638
4639 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4640
4641 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4642 &group_rid)) {
4643 return NT_STATUS_INVALID_HANDLE;
4644 }
4645
4646 se_priv_copy( &se_rights, &se_add_users );
4647 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4648
4649 /******** BEGIN SeAddUsers BLOCK *********/
4650
4651 if ( can_add_accounts )
4652 become_root();
4653
4654 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4655
4656 if ( can_add_accounts )
4657 unbecome_root();
4658
4659 /******** END SeAddUsers BLOCK *********/
4660
4661 force_flush_samr_cache(disp_info);
4662
4663 return status;
4664 }
4665
4666 /*********************************************************************
4667 _samr_DeleteGroupMember
4668 *********************************************************************/
4669
4670 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4671 struct samr_DeleteGroupMember *r)
4672
4673 {
4674 NTSTATUS status;
4675 DOM_SID group_sid;
4676 uint32 group_rid;
4677 uint32 acc_granted;
4678 SE_PRIV se_rights;
4679 bool can_add_accounts;
4680 DISP_INFO *disp_info = NULL;
4681
4682 /*
4683 * delete the group member named r->in.rid
4684 * who is a member of the sid associated with the handle
4685 * the rid is a user's rid as the group is a domain group.
4686 */
4687
4688 /* Find the policy handle. Open a policy on it. */
4689 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4690 return NT_STATUS_INVALID_HANDLE;
4691
4692 status = access_check_samr_function(acc_granted,
4693 SAMR_GROUP_ACCESS_REMOVE_MEMBER,
4694 "_samr_DeleteGroupMember");
4695 if (!NT_STATUS_IS_OK(status)) {
4696 return status;
4697 }
4698
4699 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4700 &group_rid)) {
4701 return NT_STATUS_INVALID_HANDLE;
4702 }
4703
4704 se_priv_copy( &se_rights, &se_add_users );
4705 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4706
4707 /******** BEGIN SeAddUsers BLOCK *********/
4708
4709 if ( can_add_accounts )
4710 become_root();
4711
4712 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4713
4714 if ( can_add_accounts )
4715 unbecome_root();
4716
4717 /******** END SeAddUsers BLOCK *********/
4718
4719 force_flush_samr_cache(disp_info);
4720
4721 return status;
4722 }
4723
4724 /*********************************************************************
4725 _samr_DeleteUser
4726 *********************************************************************/
4727
4728 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4729 struct samr_DeleteUser *r)
4730 {
4731 NTSTATUS status;
4732 DOM_SID user_sid;
4733 struct samu *sam_pass=NULL;
4734 uint32 acc_granted;
4735 bool can_add_accounts;
4736 uint32 acb_info;
4737 DISP_INFO *disp_info = NULL;
4738 bool ret;
4739
4740 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4741
4742 /* Find the policy handle. Open a policy on it. */
4743 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4744 return NT_STATUS_INVALID_HANDLE;
4745
4746 status = access_check_samr_function(acc_granted,
4747 STD_RIGHT_DELETE_ACCESS,
4748 "_samr_DeleteUser");
4749 if (!NT_STATUS_IS_OK(status)) {
4750 return status;
4751 }
4752
4753 if (!sid_check_is_in_our_domain(&user_sid))
4754 return NT_STATUS_CANNOT_DELETE;
4755
4756 /* check if the user exists before trying to delete */
4757 if ( !(sam_pass = samu_new( NULL )) ) {
4758 return NT_STATUS_NO_MEMORY;
4759 }
4760
4761 become_root();
4762 ret = pdb_getsampwsid(sam_pass, &user_sid);
4763 unbecome_root();
4764
4765 if( !ret ) {
4766 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4767 sid_string_dbg(&user_sid)));
4768 TALLOC_FREE(sam_pass);
4769 return NT_STATUS_NO_SUCH_USER;
4770 }
4771
4772 acb_info = pdb_get_acct_ctrl(sam_pass);
4773
4774 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4775 if ( acb_info & ACB_WSTRUST ) {
4776 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
4777 } else {
4778 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
4779 }
4780
4781 /******** BEGIN SeAddUsers BLOCK *********/
4782
4783 if ( can_add_accounts )
4784 become_root();
4785
4786 status = pdb_delete_user(p->mem_ctx, sam_pass);
4787
4788 if ( can_add_accounts )
4789 unbecome_root();
4790
4791 /******** END SeAddUsers BLOCK *********/
4792
4793 if ( !NT_STATUS_IS_OK(status) ) {
4794 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4795 "user %s: %s.\n", pdb_get_username(sam_pass),
4796 nt_errstr(status)));
4797 TALLOC_FREE(sam_pass);
4798 return status;
4799 }
4800
4801
4802 TALLOC_FREE(sam_pass);
4803
4804 if (!close_policy_hnd(p, r->in.user_handle))
4805 return NT_STATUS_OBJECT_NAME_INVALID;
4806
4807 ZERO_STRUCTP(r->out.user_handle);
4808
4809 force_flush_samr_cache(disp_info);
4810
4811 return NT_STATUS_OK;
4812 }
4813
4814 /*********************************************************************
4815 _samr_DeleteDomainGroup
4816 *********************************************************************/
4817
4818 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4819 struct samr_DeleteDomainGroup *r)
4820 {
4821 NTSTATUS status;
4822 DOM_SID group_sid;
4823 uint32 group_rid;
4824 uint32 acc_granted;
4825 SE_PRIV se_rights;
4826 bool can_add_accounts;
4827 DISP_INFO *disp_info = NULL;
4828
4829 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4830
4831 /* Find the policy handle. Open a policy on it. */
4832 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4833 return NT_STATUS_INVALID_HANDLE;
4834
4835 status = access_check_samr_function(acc_granted,
4836 STD_RIGHT_DELETE_ACCESS,
4837 "_samr_DeleteDomainGroup");
4838 if (!NT_STATUS_IS_OK(status)) {
4839 return status;
4840 }
4841
4842 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4843
4844 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4845 &group_rid)) {
4846 return NT_STATUS_NO_SUCH_GROUP;
4847 }
4848
4849 se_priv_copy( &se_rights, &se_add_users );
4850 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4851
4852 /******** BEGIN SeAddUsers BLOCK *********/
4853
4854 if ( can_add_accounts )
4855 become_root();
4856
4857 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4858
4859 if ( can_add_accounts )
4860 unbecome_root();
4861
4862 /******** END SeAddUsers BLOCK *********/
4863
4864 if ( !NT_STATUS_IS_OK(status) ) {
4865 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4866 "entry for group %s: %s\n",
4867 sid_string_dbg(&group_sid),
4868 nt_errstr(status)));
4869 return status;
4870 }
4871
4872 if (!close_policy_hnd(p, r->in.group_handle))
4873 return NT_STATUS_OBJECT_NAME_INVALID;
4874
4875 force_flush_samr_cache(disp_info);
4876
4877 return NT_STATUS_OK;
4878 }
4879
4880 /*********************************************************************
4881 _samr_DeleteDomAlias
4882 *********************************************************************/
4883
4884 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4885 struct samr_DeleteDomAlias *r)
4886 {
4887 DOM_SID alias_sid;
4888 uint32 acc_granted;
4889 SE_PRIV se_rights;
4890 bool can_add_accounts;
4891 NTSTATUS status;
4892 DISP_INFO *disp_info = NULL;
4893
4894 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4895
4896 /* Find the policy handle. Open a policy on it. */
4897 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4898 return NT_STATUS_INVALID_HANDLE;
4899
4900 /* copy the handle to the outgoing reply */
4901
4902 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4903
4904 status = access_check_samr_function(acc_granted,
4905 STD_RIGHT_DELETE_ACCESS,
4906 "_samr_DeleteDomAlias");
4907 if (!NT_STATUS_IS_OK(status)) {
4908 return status;
4909 }
4910
4911 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4912
4913 /* Don't let Windows delete builtin groups */
4914
4915 if ( sid_check_is_in_builtin( &alias_sid ) ) {
4916 return NT_STATUS_SPECIAL_ACCOUNT;
4917 }
4918
4919 if (!sid_check_is_in_our_domain(&alias_sid))
4920 return NT_STATUS_NO_SUCH_ALIAS;
4921
4922 DEBUG(10, ("lookup on Local SID\n"));
4923
4924 se_priv_copy( &se_rights, &se_add_users );
4925 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4926
4927 /******** BEGIN SeAddUsers BLOCK *********/
4928
4929 if ( can_add_accounts )
4930 become_root();
4931
4932 /* Have passdb delete the alias */
4933 status = pdb_delete_alias(&alias_sid);
4934
4935 if ( can_add_accounts )
4936 unbecome_root();
4937
4938 /******** END SeAddUsers BLOCK *********/
4939
4940 if ( !NT_STATUS_IS_OK(status))
4941 return status;
4942
4943 if (!close_policy_hnd(p, r->in.alias_handle))
4944 return NT_STATUS_OBJECT_NAME_INVALID;
4945
4946 force_flush_samr_cache(disp_info);
4947
4948 return NT_STATUS_OK;
4949 }
4950
4951 /*********************************************************************
4952 _samr_CreateDomainGroup
4953 *********************************************************************/
4954
4955 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
4956 struct samr_CreateDomainGroup *r)
4957
4958 {
4959 NTSTATUS status;
4960 DOM_SID dom_sid;
4961 DOM_SID info_sid;
4962 const char *name;
4963 struct samr_info *info;
4964 uint32 acc_granted;
4965 SE_PRIV se_rights;
4966 bool can_add_accounts;
4967 DISP_INFO *disp_info = NULL;
4968
4969 /* Find the policy handle. Open a policy on it. */
4970 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
4971 return NT_STATUS_INVALID_HANDLE;
4972
4973 status = access_check_samr_function(acc_granted,
4974 SAMR_DOMAIN_ACCESS_CREATE_GROUP,
4975 "_samr_CreateDomainGroup");
4976 if (!NT_STATUS_IS_OK(status)) {
4977 return status;
4978 }
4979
4980 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4981 return NT_STATUS_ACCESS_DENIED;
4982
4983 name = r->in.name->string;
4984 if (name == NULL) {
4985 return NT_STATUS_NO_MEMORY;
4986 }
4987
4988 status = can_create(p->mem_ctx, name);
4989 if (!NT_STATUS_IS_OK(status)) {
4990 return status;
4991 }
4992
4993 se_priv_copy( &se_rights, &se_add_users );
4994 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4995
4996 /******** BEGIN SeAddUsers BLOCK *********/
4997
4998 if ( can_add_accounts )
4999 become_root();
5000
5001 /* check that we successfully create the UNIX group */
5002
5003 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5004
5005 if ( can_add_accounts )
5006 unbecome_root();
5007
5008 /******** END SeAddUsers BLOCK *********/
5009
5010 /* check if we should bail out here */
5011
5012 if ( !NT_STATUS_IS_OK(status) )
5013 return status;
5014
5015 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5016
5017 if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5018 return NT_STATUS_NO_MEMORY;
5019
5020 /* they created it; let the user do what he wants with it */
5021
5022 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5023
5024 /* get a (unique) handle. open a policy on it. */
5025 if (!create_policy_hnd(p, r->out.group_handle, info))
5026 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5027
5028 force_flush_samr_cache(disp_info);
5029
5030 return NT_STATUS_OK;
5031 }
5032
5033 /*********************************************************************
5034 _samr_CreateDomAlias
5035 *********************************************************************/
5036
5037 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5038 struct samr_CreateDomAlias *r)
5039 {
5040 DOM_SID dom_sid;
5041 DOM_SID info_sid;
5042 const char *name = NULL;
5043 struct samr_info *info;
5044 uint32 acc_granted;
5045 gid_t gid;
5046 NTSTATUS result;
5047 SE_PRIV se_rights;
5048 bool can_add_accounts;
5049 DISP_INFO *disp_info = NULL;
5050
5051 /* Find the policy handle. Open a policy on it. */
5052 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5053 return NT_STATUS_INVALID_HANDLE;
5054
5055 result = access_check_samr_function(acc_granted,
5056 SAMR_DOMAIN_ACCESS_CREATE_ALIAS,
5057 "_samr_CreateDomAlias");
5058 if (!NT_STATUS_IS_OK(result)) {
5059 return result;
5060 }
5061
5062 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5063 return NT_STATUS_ACCESS_DENIED;
5064
5065 name = r->in.alias_name->string;
5066
5067 se_priv_copy( &se_rights, &se_add_users );
5068 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5069
5070 result = can_create(p->mem_ctx, name);
5071 if (!NT_STATUS_IS_OK(result)) {
5072 return result;
5073 }
5074
5075 /******** BEGIN SeAddUsers BLOCK *********/
5076
5077 if ( can_add_accounts )
5078 become_root();
5079
5080 /* Have passdb create the alias */
5081 result = pdb_create_alias(name, r->out.rid);
5082
5083 if ( can_add_accounts )
5084 unbecome_root();
5085
5086 /******** END SeAddUsers BLOCK *********/
5087
5088 if (!NT_STATUS_IS_OK(result)) {
5089 DEBUG(10, ("pdb_create_alias failed: %s\n",
5090 nt_errstr(result)));
5091 return result;
5092 }
5093
5094 sid_copy(&info_sid, get_global_sam_sid());
5095 sid_append_rid(&info_sid, *r->out.rid);
5096
5097 if (!sid_to_gid(&info_sid, &gid)) {
5098 DEBUG(10, ("Could not find alias just created\n"));
5099 return NT_STATUS_ACCESS_DENIED;
5100 }
5101
5102 /* check if the group has been successfully created */
5103 if ( getgrgid(gid) == NULL ) {
5104 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5105 gid));
5106 return NT_STATUS_ACCESS_DENIED;
5107 }
5108
5109 if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5110 return NT_STATUS_NO_MEMORY;
5111
5112 /* they created it; let the user do what he wants with it */
5113
5114 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5115
5116 /* get a (unique) handle. open a policy on it. */
5117 if (!create_policy_hnd(p, r->out.alias_handle, info))
5118 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5119
5120 force_flush_samr_cache(disp_info);
5121
5122 return NT_STATUS_OK;
5123 }
5124
5125 /*********************************************************************
5126 _samr_QueryGroupInfo
5127 *********************************************************************/
5128
5129 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5130 struct samr_QueryGroupInfo *r)
5131 {
5132 NTSTATUS status;
5133 DOM_SID group_sid;
5134 GROUP_MAP map;
5135 union samr_GroupInfo *info = NULL;
5136 uint32 acc_granted;
5137 bool ret;
5138 uint32_t attributes = SE_GROUP_MANDATORY |
5139 SE_GROUP_ENABLED_BY_DEFAULT |
5140 SE_GROUP_ENABLED;
5141 const char *group_name = NULL;
5142 const char *group_description = NULL;
5143
5144 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5145 return NT_STATUS_INVALID_HANDLE;
5146
5147 status = access_check_samr_function(acc_granted,
5148 SAMR_GROUP_ACCESS_LOOKUP_INFO,
5149 "_samr_QueryGroupInfo");
5150 if (!NT_STATUS_IS_OK(status)) {
5151 return status;
5152 }
5153
5154 become_root();
5155 ret = get_domain_group_from_sid(group_sid, &map);
5156 unbecome_root();
5157 if (!ret)
5158 return NT_STATUS_INVALID_HANDLE;
5159
5160 /* FIXME: map contains fstrings */
5161 group_name = talloc_strdup(r, map.nt_name);
5162 group_description = talloc_strdup(r, map.comment);
5163
5164 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5165 if (!info) {
5166 return NT_STATUS_NO_MEMORY;
5167 }
5168
5169 switch (r->in.level) {
5170 case 1: {
5171 uint32 *members;
5172 size_t num_members;
5173
5174 become_root();
5175 status = pdb_enum_group_members(
5176 p->mem_ctx, &group_sid, &members, &num_members);
5177 unbecome_root();
5178
5179 if (!NT_STATUS_IS_OK(status)) {
5180 return status;
5181 }
5182
5183 info->all.name.string = group_name;
5184 info->all.attributes = attributes;
5185 info->all.num_members = num_members;
5186 info->all.description.string = group_description;
5187 break;
5188 }
5189 case 2:
5190 info->name.string = group_name;
5191 break;
5192 case 3:
5193 info->attributes.attributes = attributes;
5194 break;
5195 case 4:
5196 info->description.string = group_description;
5197 break;
5198 case 5: {
5199 /*
5200 uint32 *members;
5201 size_t num_members;
5202 */
5203
5204 /*
5205 become_root();
5206 status = pdb_enum_group_members(
5207 p->mem_ctx, &group_sid, &members, &num_members);
5208 unbecome_root();
5209
5210 if (!NT_STATUS_IS_OK(status)) {
5211 return status;
5212 }
5213 */
5214 info->all2.name.string = group_name;
5215 info->all2.attributes = attributes;
5216 info->all2.num_members = 0; /* num_members - in w2k3 this is always 0 */
5217 info->all2.description.string = group_description;
5218
5219 break;
5220 }
5221 default:
5222 return NT_STATUS_INVALID_INFO_CLASS;
5223 }
5224
5225 *r->out.info = info;
5226
5227 return NT_STATUS_OK;
5228 }
5229
5230 /*********************************************************************
5231 _samr_SetGroupInfo
5232 *********************************************************************/
5233
5234 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5235 struct samr_SetGroupInfo *r)
5236 {
5237 DOM_SID group_sid;
5238 GROUP_MAP map;
5239 uint32 acc_granted;
5240 NTSTATUS status;
5241 bool ret;
5242 bool can_mod_accounts;
5243 DISP_INFO *disp_info = NULL;
5244
5245 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5246 return NT_STATUS_INVALID_HANDLE;
5247
5248 status = access_check_samr_function(acc_granted,
5249 SAMR_GROUP_ACCESS_SET_INFO,
5250 "_samr_SetGroupInfo");
5251 if (!NT_STATUS_IS_OK(status)) {
5252 return status;
5253 }
5254
5255 become_root();
5256 ret = get_domain_group_from_sid(group_sid, &map);
5257 unbecome_root();
5258 if (!ret)
5259 return NT_STATUS_NO_SUCH_GROUP;
5260
5261 switch (r->in.level) {
5262 case 1:
5263 fstrcpy(map.comment, r->in.info->all.description.string);
5264 break;
5265 case 2:
5266 /* group rename is not supported yet */
5267 return NT_STATUS_NOT_SUPPORTED;
5268 case 4:
5269 fstrcpy(map.comment, r->in.info->description.string);
5270 break;
5271 default:
5272 return NT_STATUS_INVALID_INFO_CLASS;
5273 }
5274
5275 can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5276
5277 /******** BEGIN SeAddUsers BLOCK *********/
5278
5279 if ( can_mod_accounts )
5280 become_root();
5281
5282 status = pdb_update_group_mapping_entry(&map);
5283
5284 if ( can_mod_accounts )
5285 unbecome_root();
5286
5287 /******** End SeAddUsers BLOCK *********/
5288
5289 if (NT_STATUS_IS_OK(status)) {
5290 force_flush_samr_cache(disp_info);
5291 }
5292
5293 return status;
5294 }
5295
5296 /*********************************************************************
5297 _samr_SetAliasInfo
5298 *********************************************************************/
5299
5300 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5301 struct samr_SetAliasInfo *r)
5302 {
5303 DOM_SID group_sid;
5304 struct acct_info info;
5305 uint32 acc_granted;
5306 bool can_mod_accounts;
5307 NTSTATUS status;
5308 DISP_INFO *disp_info = NULL;
5309
5310 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5311 return NT_STATUS_INVALID_HANDLE;
5312
5313 status = access_check_samr_function(acc_granted,
5314 SAMR_ALIAS_ACCESS_SET_INFO,
5315 "_samr_SetAliasInfo");
5316 if (!NT_STATUS_IS_OK(status)) {
5317 return status;
5318 }
5319
5320 /* get the current group information */
5321
5322 become_root();
5323 status = pdb_get_aliasinfo( &group_sid, &info );
5324 unbecome_root();
5325
5326 if ( !NT_STATUS_IS_OK(status))
5327 return status;
5328
5329 switch (r->in.level) {
5330 case ALIASINFONAME:
5331 {
5332 fstring group_name;
5333
5334 /* We currently do not support renaming groups in the
5335 the BUILTIN domain. Refer to util_builtin.c to understand
5336 why. The eventually needs to be fixed to be like Windows
5337 where you can rename builtin groups, just not delete them */
5338
5339 if ( sid_check_is_in_builtin( &group_sid ) ) {
5340 return NT_STATUS_SPECIAL_ACCOUNT;
5341 }
5342
5343 /* There has to be a valid name (and it has to be different) */
5344
5345 if ( !r->in.info->name.string )
5346 return NT_STATUS_INVALID_PARAMETER;
5347
5348 /* If the name is the same just reply "ok". Yes this
5349 doesn't allow you to change the case of a group name. */
5350
5351 if ( strequal( r->in.info->name.string, info.acct_name ) )
5352 return NT_STATUS_OK;
5353
5354 fstrcpy( info.acct_name, r->in.info->name.string);
5355
5356 /* make sure the name doesn't already exist as a user
5357 or local group */
5358
5359 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5360 status = can_create( p->mem_ctx, group_name );
5361 if ( !NT_STATUS_IS_OK( status ) )
5362 return status;
5363 break;
5364 }
5365 case ALIASINFODESCRIPTION:
5366 if (r->in.info->description.string) {
5367 fstrcpy(info.acct_desc,
5368 r->in.info->description.string);
5369 } else {
5370 fstrcpy( info.acct_desc, "" );
5371 }
5372 break;
5373 default:
5374 return NT_STATUS_INVALID_INFO_CLASS;
5375 }
5376
5377 can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5378
5379 /******** BEGIN SeAddUsers BLOCK *********/
5380
5381 if ( can_mod_accounts )
5382 become_root();
5383
5384 status = pdb_set_aliasinfo( &group_sid, &info );
5385
5386 if ( can_mod_accounts )
5387 unbecome_root();
5388
5389 /******** End SeAddUsers BLOCK *********/
5390
5391 if (NT_STATUS_IS_OK(status))
5392 force_flush_samr_cache(disp_info);
5393
5394 return status;
5395 }
5396
5397 /****************************************************************
5398 _samr_GetDomPwInfo
5399 ****************************************************************/
5400
5401 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5402 struct samr_GetDomPwInfo *r)
5403 {
5404 uint32_t min_password_length = 0;
5405 uint32_t password_properties = 0;
5406
5407 /* Perform access check. Since this rpc does not require a
5408 policy handle it will not be caught by the access checks on
5409 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5410
5411 if (!pipe_access_check(p)) {
5412 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5413 return NT_STATUS_ACCESS_DENIED;
5414 }
5415
5416 become_root();
5417 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5418 &min_password_length);
5419 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5420 &password_properties);
5421 unbecome_root();
5422
5423 if (lp_check_password_script() && *lp_check_password_script()) {
5424 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5425 }
5426
5427 r->out.info->min_password_length = min_password_length;
5428 r->out.info->password_properties = password_properties;
5429
5430 return NT_STATUS_OK;
5431 }
5432
5433 /*********************************************************************
5434 _samr_OpenGroup
5435 *********************************************************************/
5436
5437 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5438 struct samr_OpenGroup *r)
5439
5440 {
5441 DOM_SID sid;
5442 DOM_SID info_sid;
5443 GROUP_MAP map;
5444 struct samr_info *info;
5445 SEC_DESC *psd = NULL;
5446 uint32 acc_granted;
5447 uint32 des_access = r->in.access_mask;
5448 size_t sd_size;
5449 NTSTATUS status;
5450 fstring sid_string;
5451 bool ret;
5452 SE_PRIV se_rights;
5453
5454 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5455 return NT_STATUS_INVALID_HANDLE;
5456
5457 status = access_check_samr_function(acc_granted,
5458 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
5459 "_samr_OpenGroup");
5460
5461 if ( !NT_STATUS_IS_OK(status) )
5462 return status;
5463
5464 /*check if access can be granted as requested by client. */
5465 map_max_allowed_access(p->server_info->ptok, &des_access);
5466
5467 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5468 se_map_generic(&des_access,&grp_generic_mapping);
5469
5470 se_priv_copy( &se_rights, &se_add_users );
5471
5472 status = access_check_samr_object(psd, p->server_info->ptok,
5473 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5474 &acc_granted, "_samr_OpenGroup");
5475
5476 if ( !NT_STATUS_IS_OK(status) )
5477 return status;
5478
5479 /* this should not be hard-coded like this */
5480
5481 if (!sid_equal(&sid, get_global_sam_sid()))
5482 return NT_STATUS_ACCESS_DENIED;
5483
5484 sid_copy(&info_sid, get_global_sam_sid());
5485 sid_append_rid(&info_sid, r->in.rid);
5486 sid_to_fstring(sid_string, &info_sid);
5487
5488 if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5489 return NT_STATUS_NO_MEMORY;
5490
5491 info->acc_granted = acc_granted;
5492
5493 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5494
5495 /* check if that group really exists */
5496 become_root();
5497 ret = get_domain_group_from_sid(info->sid, &map);
5498 unbecome_root();
5499 if (!ret)
5500 return NT_STATUS_NO_SUCH_GROUP;
5501
5502 /* get a (unique) handle. open a policy on it. */
5503 if (!create_policy_hnd(p, r->out.group_handle, info))
5504 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5505
5506 return NT_STATUS_OK;
5507 }
5508
5509 /*********************************************************************
5510 _samr_RemoveMemberFromForeignDomain
5511 *********************************************************************/
5512
5513 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5514 struct samr_RemoveMemberFromForeignDomain *r)
5515 {
5516 DOM_SID delete_sid, domain_sid;
5517 uint32 acc_granted;
5518 NTSTATUS result;
5519 DISP_INFO *disp_info = NULL;
5520
5521 sid_copy( &delete_sid, r->in.sid );
5522
5523 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5524 sid_string_dbg(&delete_sid)));
5525
5526 /* Find the policy handle. Open a policy on it. */
5527
5528 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5529 &acc_granted, &disp_info))
5530 return NT_STATUS_INVALID_HANDLE;
5531
5532 result = access_check_samr_function(acc_granted,
5533 STD_RIGHT_DELETE_ACCESS,
5534 "_samr_RemoveMemberFromForeignDomain");
5535
5536 if (!NT_STATUS_IS_OK(result))
5537 return result;
5538
5539 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5540 sid_string_dbg(&domain_sid)));
5541
5542 /* we can only delete a user from a group since we don't have
5543 nested groups anyways. So in the latter case, just say OK */
5544
5545 /* TODO: The above comment nowadays is bogus. Since we have nested
5546 * groups now, and aliases members are never reported out of the unix
5547 * group membership, the "just say OK" makes this call a no-op. For
5548 * us. This needs fixing however. */
5549
5550 /* I've only ever seen this in the wild when deleting a user from
5551 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5552 * is the user about to be deleted. I very much suspect this is the
5553 * only application of this call. To verify this, let people report
5554 * other cases. */
5555
5556 if (!sid_check_is_builtin(&domain_sid)) {
5557 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5558 "global_sam_sid() = %s\n",
5559 sid_string_dbg(&domain_sid),
5560 sid_string_dbg(get_global_sam_sid())));
5561 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5562 return NT_STATUS_OK;
5563 }
5564
5565 force_flush_samr_cache(disp_info);
5566
5567 result = NT_STATUS_OK;
5568
5569 return result;
5570 }
5571
5572 /*******************************************************************
5573 _samr_QueryDomainInfo2
5574 ********************************************************************/
5575
5576 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5577 struct samr_QueryDomainInfo2 *r)
5578 {
5579 struct samr_QueryDomainInfo q;
5580
5581 q.in.domain_handle = r->in.domain_handle;
5582 q.in.level = r->in.level;
5583
5584 q.out.info = r->out.info;
5585
5586 return _samr_QueryDomainInfo(p, &q);
5587 }
5588
5589 /*******************************************************************
5590 _samr_SetDomainInfo
5591 ********************************************************************/
5592
5593 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5594 struct samr_SetDomainInfo *r)
5595 {
5596 struct samr_info *info = NULL;
5597 time_t u_expire, u_min_age;
5598 time_t u_logout;
5599 time_t u_lock_duration, u_reset_time;
5600 NTSTATUS result;
5601
5602 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5603
5604 /* find the policy handle. open a policy on it. */
5605 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5606 return NT_STATUS_INVALID_HANDLE;
5607
5608 /* We do have different access bits for info
5609 * levels here, but we're really just looking for
5610 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5611 * this maps to different specific bits. So
5612 * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
5613 * set we are ok. */
5614
5615 result = access_check_samr_function(info->acc_granted,
5616 SAMR_DOMAIN_ACCESS_SET_INFO_1,
5617 "_samr_SetDomainInfo");
5618
5619 if (!NT_STATUS_IS_OK(result))
5620 return result;
5621
5622 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5623
5624 switch (r->in.level) {
5625 case 0x01:
5626 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5627 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5628 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5629 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5630 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5631 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5632 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5633 break;
5634 case 0x02:
5635 break;
5636 case 0x03:
5637 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5638 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5639 break;
5640 case 0x05:
5641 break;
5642 case 0x06:
5643 break;
5644 case 0x07:
5645 break;
5646 case 0x0c:
5647 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5648 if (u_lock_duration != -1)
5649 u_lock_duration /= 60;
5650
5651 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5652
5653 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5654 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5655 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5656 break;
5657 default:
5658 return NT_STATUS_INVALID_INFO_CLASS;
5659 }
5660
5661 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5662
5663 return NT_STATUS_OK;
5664 }
5665
5666 /****************************************************************
5667 _samr_GetDisplayEnumerationIndex
5668 ****************************************************************/
5669
5670 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5671 struct samr_GetDisplayEnumerationIndex *r)
5672 {
5673 struct samr_info *info = NULL;
5674 uint32_t max_entries = (uint32_t) -1;
5675 uint32_t enum_context = 0;
5676 int i;
5677 uint32_t num_account = 0;
5678 struct samr_displayentry *entries = NULL;
5679 NTSTATUS status;
5680
5681 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5682
5683 /* find the policy handle. open a policy on it. */
5684 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5685 return NT_STATUS_INVALID_HANDLE;
5686 }
5687
5688 status = access_check_samr_function(info->acc_granted,
5689 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
5690 "_samr_GetDisplayEnumerationIndex");
5691 if (!NT_STATUS_IS_OK(status)) {
5692 return status;
5693 }
5694
5695 if ((r->in.level < 1) || (r->in.level > 3)) {
5696 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5697 "Unknown info level (%u)\n",
5698 r->in.level));
5699 return NT_STATUS_INVALID_INFO_CLASS;
5700 }
5701
5702 become_root();
5703
5704 /* The following done as ROOT. Don't return without unbecome_root(). */
5705
5706 switch (r->in.level) {
5707 case 1:
5708 if (info->disp_info->users == NULL) {
5709 info->disp_info->users = pdb_search_users(
5710 info->disp_info, ACB_NORMAL);
5711 if (info->disp_info->users == NULL) {
5712 unbecome_root();
5713 return NT_STATUS_ACCESS_DENIED;
5714 }
5715 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5716 "starting user enumeration at index %u\n",
5717 (unsigned int)enum_context));
5718 } else {
5719 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5720 "using cached user enumeration at index %u\n",
5721 (unsigned int)enum_context));
5722 }
5723 num_account = pdb_search_entries(info->disp_info->users,
5724 enum_context, max_entries,
5725 &entries);
5726 break;
5727 case 2:
5728 if (info->disp_info->machines == NULL) {
5729 info->disp_info->machines = pdb_search_users(
5730 info->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
5731 if (info->disp_info->machines == NULL) {
5732 unbecome_root();
5733 return NT_STATUS_ACCESS_DENIED;
5734 }
5735 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5736 "starting machine enumeration at index %u\n",
5737 (unsigned int)enum_context));
5738 } else {
5739 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5740 "using cached machine enumeration at index %u\n",
5741 (unsigned int)enum_context));
5742 }
5743 num_account = pdb_search_entries(info->disp_info->machines,
5744 enum_context, max_entries,
5745 &entries);
5746 break;
5747 case 3:
5748 if (info->disp_info->groups == NULL) {
5749 info->disp_info->groups = pdb_search_groups(
5750 info->disp_info);
5751 if (info->disp_info->groups == NULL) {
5752 unbecome_root();
5753 return NT_STATUS_ACCESS_DENIED;
5754 }
5755 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5756 "starting group enumeration at index %u\n",
5757 (unsigned int)enum_context));
5758 } else {
5759 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5760 "using cached group enumeration at index %u\n",
5761 (unsigned int)enum_context));
5762 }
5763 num_account = pdb_search_entries(info->disp_info->groups,
5764 enum_context, max_entries,
5765 &entries);
5766 break;
5767 default:
5768 unbecome_root();
5769 smb_panic("info class changed");
5770 break;
5771 }
5772
5773 unbecome_root();
5774
5775 /* Ensure we cache this enumeration. */
5776 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5777
5778 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5779 r->in.name->string));
5780
5781 for (i=0; i<num_account; i++) {
5782 if (strequal(entries[i].account_name, r->in.name->string)) {
5783 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5784 "found %s at idx %d\n",
5785 r->in.name->string, i));
5786 *r->out.idx = i;
5787 return NT_STATUS_OK;
5788 }
5789 }
5790
5791 /* assuming account_name lives at the very end */
5792 *r->out.idx = num_account;
5793
5794 return NT_STATUS_NO_MORE_ENTRIES;
5795 }
5796
5797 /****************************************************************
5798 _samr_GetDisplayEnumerationIndex2
5799 ****************************************************************/
5800
5801 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5802 struct samr_GetDisplayEnumerationIndex2 *r)
5803 {
5804 struct samr_GetDisplayEnumerationIndex q;
5805
5806 q.in.domain_handle = r->in.domain_handle;
5807 q.in.level = r->in.level;
5808 q.in.name = r->in.name;
5809
5810 q.out.idx = r->out.idx;
5811
5812 return _samr_GetDisplayEnumerationIndex(p, &q);
5813 }
5814
5815 /****************************************************************
5816 ****************************************************************/
5817
5818 NTSTATUS _samr_Shutdown(pipes_struct *p,
5819 struct samr_Shutdown *r)
5820 {
5821 p->rng_fault_state = true;
5822 return NT_STATUS_NOT_IMPLEMENTED;
5823 }
5824
5825 /****************************************************************
5826 ****************************************************************/
5827
5828 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5829 struct samr_SetMemberAttributesOfGroup *r)
5830 {
5831 p->rng_fault_state = true;
5832 return NT_STATUS_NOT_IMPLEMENTED;
5833 }
5834
5835 /****************************************************************
5836 ****************************************************************/
5837
5838 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5839 struct samr_ChangePasswordUser *r)
5840 {
5841 p->rng_fault_state = true;
5842 return NT_STATUS_NOT_IMPLEMENTED;
5843 }
5844
5845 /****************************************************************
5846 ****************************************************************/
5847
5848 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5849 struct samr_TestPrivateFunctionsDomain *r)
5850 {
5851 p->rng_fault_state = true;
5852 return NT_STATUS_NOT_IMPLEMENTED;
5853 }
5854
5855 /****************************************************************
5856 ****************************************************************/
5857
5858 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5859 struct samr_TestPrivateFunctionsUser *r)
5860 {
5861 p->rng_fault_state = true;
5862 return NT_STATUS_NOT_IMPLEMENTED;
5863 }
5864
5865 /****************************************************************
5866 ****************************************************************/
5867
5868 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5869 struct samr_AddMultipleMembersToAlias *r)
5870 {
5871 p->rng_fault_state = true;
5872 return NT_STATUS_NOT_IMPLEMENTED;
5873 }
5874
5875 /****************************************************************
5876 ****************************************************************/
5877
5878 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5879 struct samr_RemoveMultipleMembersFromAlias *r)
5880 {
5881 p->rng_fault_state = true;
5882 return NT_STATUS_NOT_IMPLEMENTED;
5883 }
5884
5885 /****************************************************************
5886 ****************************************************************/
5887
5888 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5889 struct samr_OemChangePasswordUser2 *r)
5890 {
5891 p->rng_fault_state = true;
5892 return NT_STATUS_NOT_IMPLEMENTED;
5893 }
5894
5895 /****************************************************************
5896 ****************************************************************/
5897
5898 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
5899 struct samr_SetBootKeyInformation *r)
5900 {
5901 p->rng_fault_state = true;
5902 return NT_STATUS_NOT_IMPLEMENTED;
5903 }
5904
5905 /****************************************************************
5906 ****************************************************************/
5907
5908 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
5909 struct samr_GetBootKeyInformation *r)
5910 {
5911 p->rng_fault_state = true;
5912 return NT_STATUS_NOT_IMPLEMENTED;
5913 }
5914
5915 /****************************************************************
5916 ****************************************************************/
5917
5918 NTSTATUS _samr_RidToSid(pipes_struct *p,
5919 struct samr_RidToSid *r)
5920 {
5921 p->rng_fault_state = true;
5922 return NT_STATUS_NOT_IMPLEMENTED;
5923 }
5924
5925 /****************************************************************
5926 ****************************************************************/
5927
5928 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
5929 struct samr_SetDsrmPassword *r)
5930 {
5931 p->rng_fault_state = true;
5932 return NT_STATUS_NOT_IMPLEMENTED;
5933 }
5934
5935 /****************************************************************
5936 ****************************************************************/
5937
5938 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
5939 struct samr_ValidatePassword *r)
5940 {
5941 p->rng_fault_state = true;
5942 return NT_STATUS_NOT_IMPLEMENTED;
5943 }
Samba GIT mirror