2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001,
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough 2002.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* This is the implementation of the lsa server code. */
31 #define DBGC_CLASS DBGC_RPC_SRV
33 extern fstring global_myworkgroup
;
34 extern pstring global_myname
;
42 struct generic_mapping lsa_generic_mapping
= {
49 /*******************************************************************
50 Function to free the per handle data.
51 ********************************************************************/
53 static void free_lsa_info(void *ptr
)
55 struct lsa_info
*lsa
= (struct lsa_info
*)ptr
;
60 /***************************************************************************
62 ***************************************************************************/
64 static void init_dom_query(DOM_QUERY
*d_q
, char *dom_name
, DOM_SID
*dom_sid
)
66 int domlen
= (dom_name
!= NULL
) ? strlen(dom_name
) : 0;
69 * I'm not sure why this really odd combination of length
70 * values works, but it does appear to. I need to look at
71 * this *much* more closely - but at the moment leave alone
72 * until it's understood. This allows a W2k client to join
73 * a domain with both odd and even length names... JRA.
76 d_q
->uni_dom_str_len
= domlen
? ((domlen
+ 1) * 2) : 0;
77 d_q
->uni_dom_max_len
= domlen
* 2;
78 d_q
->buffer_dom_name
= domlen
!= 0 ? 1 : 0; /* domain buffer pointer */
79 d_q
->buffer_dom_sid
= dom_sid
!= NULL
? 1 : 0; /* domain sid pointer */
81 /* this string is supposed to be character short */
82 init_unistr2(&d_q
->uni_domain_name
, dom_name
, domlen
);
83 d_q
->uni_domain_name
.uni_max_len
++;
86 init_dom_sid2(&d_q
->dom_sid
, dom_sid
);
89 /***************************************************************************
90 init_dom_ref - adds a domain if it's not already in, returns the index.
91 ***************************************************************************/
93 static int init_dom_ref(DOM_R_REF
*ref
, char *dom_name
, DOM_SID
*dom_sid
)
98 if (dom_name
!= NULL
) {
99 for (num
= 0; num
< ref
->num_ref_doms_1
; num
++) {
101 rpcstr_pull(domname
, &ref
->ref_dom
[num
].uni_dom_name
, sizeof(domname
), -1, 0);
102 if (strequal(domname
, dom_name
))
106 num
= ref
->num_ref_doms_1
;
109 if (num
>= MAX_REF_DOMAINS
) {
110 /* index not found, already at maximum domain limit */
114 ref
->num_ref_doms_1
= num
+1;
115 ref
->ptr_ref_dom
= 1;
116 ref
->max_entries
= MAX_REF_DOMAINS
;
117 ref
->num_ref_doms_2
= num
+1;
119 len
= (dom_name
!= NULL
) ? strlen(dom_name
) : 0;
120 if(dom_name
!= NULL
&& len
== 0)
123 init_uni_hdr(&ref
->hdr_ref_dom
[num
].hdr_dom_name
, len
);
124 ref
->hdr_ref_dom
[num
].ptr_dom_sid
= dom_sid
!= NULL
? 1 : 0;
126 init_unistr2(&ref
->ref_dom
[num
].uni_dom_name
, dom_name
, len
);
127 init_dom_sid2(&ref
->ref_dom
[num
].ref_dom
, dom_sid
);
132 /***************************************************************************
134 ***************************************************************************/
136 static void init_lsa_rid2s(DOM_R_REF
*ref
, DOM_RID2
*rid2
,
137 int num_entries
, UNISTR2
*name
,
138 uint32
*mapped_count
, BOOL endian
)
144 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
146 become_root(); /* lookup_name can require root privs */
148 for (i
= 0; i
< num_entries
; i
++) {
151 uint32 rid
= 0xffffffff;
154 fstring dom_name
, user
;
155 enum SID_NAME_USE name_type
= SID_NAME_UNKNOWN
;
157 /* Split name into domain and user component */
159 unistr2_to_ascii(full_name
, &name
[i
], sizeof(full_name
));
160 split_domain_name(full_name
, dom_name
, user
);
164 DEBUG(5, ("init_lsa_rid2s: looking up name %s\n", full_name
));
166 status
= lookup_name(dom_name
, user
, &sid
, &name_type
);
168 DEBUG(5, ("init_lsa_rid2s: %s\n", status
? "found" :
171 if (status
&& name_type
!= SID_NAME_UNKNOWN
) {
172 sid_split_rid(&sid
, &rid
);
173 dom_idx
= init_dom_ref(ref
, dom_name
, &sid
);
178 name_type
= SID_NAME_UNKNOWN
;
181 init_dom_rid2(&rid2
[total
], rid
, name_type
, dom_idx
);
188 /***************************************************************************
189 init_reply_lookup_names
190 ***************************************************************************/
192 static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES
*r_l
,
193 DOM_R_REF
*ref
, uint32 num_entries
,
194 DOM_RID2
*rid2
, uint32 mapped_count
)
196 r_l
->ptr_dom_ref
= 1;
199 r_l
->num_entries
= num_entries
;
200 r_l
->ptr_entries
= 1;
201 r_l
->num_entries2
= num_entries
;
204 r_l
->mapped_count
= mapped_count
;
206 if (mapped_count
== 0)
207 r_l
->status
= NT_STATUS_NONE_MAPPED
;
209 r_l
->status
= NT_STATUS_OK
;
212 /***************************************************************************
213 Init lsa_trans_names.
214 ***************************************************************************/
216 static void init_lsa_trans_names(TALLOC_CTX
*ctx
, DOM_R_REF
*ref
, LSA_TRANS_NAME_ENUM
*trn
,
217 int num_entries
, DOM_SID2
*sid
,
218 uint32
*mapped_count
)
224 /* Allocate memory for list of names */
226 if (num_entries
> 0) {
227 if (!(trn
->name
= (LSA_TRANS_NAME
*)talloc(ctx
, sizeof(LSA_TRANS_NAME
) *
229 DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
233 if (!(trn
->uni_name
= (UNISTR2
*)talloc(ctx
, sizeof(UNISTR2
) *
235 DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
240 become_root(); /* Need root to get to passdb to for local sids */
242 for (i
= 0; i
< num_entries
; i
++) {
244 DOM_SID find_sid
= sid
[i
].sid
;
245 uint32 rid
= 0xffffffff;
247 fstring name
, dom_name
;
248 enum SID_NAME_USE sid_name_use
= (enum SID_NAME_USE
)0;
250 sid_to_string(name
, &find_sid
);
251 DEBUG(5, ("init_lsa_trans_names: looking up sid %s\n", name
));
253 /* Lookup sid from winbindd */
255 memset(dom_name
, '\0', sizeof(dom_name
));
256 memset(name
, '\0', sizeof(name
));
258 status
= lookup_sid(&find_sid
, dom_name
, name
, &sid_name_use
);
260 DEBUG(5, ("init_lsa_trans_names: %s\n", status
? "found" :
264 sid_name_use
= SID_NAME_UNKNOWN
;
269 /* Store domain sid in ref array */
271 if (find_sid
.num_auths
== 5) {
272 sid_split_rid(&find_sid
, &rid
);
275 dom_idx
= init_dom_ref(ref
, dom_name
, &find_sid
);
277 DEBUG(10,("init_lsa_trans_names: added user '%s\\%s' to "
278 "referenced list.\n", dom_name
, name
));
280 init_lsa_trans_name(&trn
->name
[total
], &trn
->uni_name
[total
],
281 sid_name_use
, name
, dom_idx
);
287 trn
->num_entries
= total
;
288 trn
->ptr_trans_names
= 1;
289 trn
->num_entries2
= total
;
292 /***************************************************************************
293 Init_reply_lookup_sids.
294 ***************************************************************************/
296 static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS
*r_l
,
297 DOM_R_REF
*ref
, LSA_TRANS_NAME_ENUM
*names
,
300 r_l
->ptr_dom_ref
= 1;
303 r_l
->mapped_count
= mapped_count
;
305 if (mapped_count
== 0)
306 r_l
->status
= NT_STATUS_NONE_MAPPED
;
308 r_l
->status
= NT_STATUS_OK
;
311 static NTSTATUS
lsa_get_generic_sd(TALLOC_CTX
*mem_ctx
, SEC_DESC
**sd
, size_t *sd_size
)
313 extern DOM_SID global_sid_World
;
314 extern DOM_SID global_sid_Builtin
;
315 DOM_SID local_adm_sid
;
323 init_sec_access(&mask
, POLICY_EXECUTE
);
324 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
326 sid_copy(&adm_sid
, get_global_sam_sid());
327 sid_append_rid(&adm_sid
, DOMAIN_GROUP_RID_ADMINS
);
328 init_sec_access(&mask
, POLICY_ALL_ACCESS
);
329 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
331 sid_copy(&local_adm_sid
, &global_sid_Builtin
);
332 sid_append_rid(&local_adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
333 init_sec_access(&mask
, POLICY_ALL_ACCESS
);
334 init_sec_ace(&ace
[2], &local_adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
336 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
337 return NT_STATUS_NO_MEMORY
;
339 if((*sd
= make_sec_desc(mem_ctx
, SEC_DESC_REVISION
, &adm_sid
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
340 return NT_STATUS_NO_MEMORY
;
345 /***************************************************************************
347 ***************************************************************************/
348 static void init_dns_dom_info(LSA_DNS_DOM_INFO
*r_l
, char *nb_name
,
349 char *dns_name
, char *forest_name
,
350 GUID
*dom_guid
, DOM_SID
*dom_sid
)
352 if (nb_name
&& *nb_name
) {
353 init_uni_hdr(&r_l
->hdr_nb_dom_name
, strlen(nb_name
));
354 init_unistr2(&r_l
->uni_nb_dom_name
, nb_name
,
356 r_l
->hdr_nb_dom_name
.uni_max_len
+= 2;
357 r_l
->uni_nb_dom_name
.uni_max_len
+= 1;
360 if (dns_name
&& *dns_name
) {
361 init_uni_hdr(&r_l
->hdr_dns_dom_name
, strlen(dns_name
));
362 init_unistr2(&r_l
->uni_dns_dom_name
, dns_name
,
364 r_l
->hdr_dns_dom_name
.uni_max_len
+= 2;
365 r_l
->uni_dns_dom_name
.uni_max_len
+= 1;
368 if (forest_name
&& *forest_name
) {
369 init_uni_hdr(&r_l
->hdr_forest_name
, strlen(forest_name
));
370 init_unistr2(&r_l
->uni_forest_name
, forest_name
,
371 strlen(forest_name
));
372 r_l
->hdr_forest_name
.uni_max_len
+= 2;
373 r_l
->uni_forest_name
.uni_max_len
+= 1;
376 /* how do we init the guid ? probably should write an init fn */
378 memcpy(&r_l
->dom_guid
, dom_guid
, sizeof(GUID
));
382 r_l
->ptr_dom_sid
= 1;
383 init_dom_sid2(&r_l
->dom_sid
, dom_sid
);
387 /***************************************************************************
389 ***************************************************************************/
391 NTSTATUS
_lsa_open_policy2(pipes_struct
*p
, LSA_Q_OPEN_POL2
*q_u
, LSA_R_OPEN_POL2
*r_u
)
393 struct lsa_info
*info
;
394 SEC_DESC
*psd
= NULL
;
396 uint32 des_access
=q_u
->des_access
;
401 /* map the generic bits to the lsa policy ones */
402 se_map_generic(&des_access
, &lsa_generic_mapping
);
404 /* get the generic lsa policy SD until we store it */
405 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
407 if(!se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
, &status
))
410 /* associate the domain SID with the (unique) handle. */
411 if ((info
= (struct lsa_info
*)malloc(sizeof(struct lsa_info
))) == NULL
)
412 return NT_STATUS_NO_MEMORY
;
415 sid_copy(&info
->sid
,get_global_sam_sid());
416 info
->access
= acc_granted
;
418 /* set up the LSA QUERY INFO response */
419 if (!create_policy_hnd(p
, &r_u
->pol
, free_lsa_info
, (void *)info
))
420 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
425 /***************************************************************************
427 ***************************************************************************/
429 NTSTATUS
_lsa_open_policy(pipes_struct
*p
, LSA_Q_OPEN_POL
*q_u
, LSA_R_OPEN_POL
*r_u
)
431 struct lsa_info
*info
;
432 SEC_DESC
*psd
= NULL
;
434 uint32 des_access
=q_u
->des_access
;
439 /* map the generic bits to the lsa policy ones */
440 se_map_generic(&des_access
, &lsa_generic_mapping
);
442 /* get the generic lsa policy SD until we store it */
443 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
445 if(!se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
, &status
))
448 /* associate the domain SID with the (unique) handle. */
449 if ((info
= (struct lsa_info
*)malloc(sizeof(struct lsa_info
))) == NULL
)
450 return NT_STATUS_NO_MEMORY
;
453 sid_copy(&info
->sid
,get_global_sam_sid());
454 info
->access
= acc_granted
;
456 /* set up the LSA QUERY INFO response */
457 if (!create_policy_hnd(p
, &r_u
->pol
, free_lsa_info
, (void *)info
))
458 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
463 /***************************************************************************
464 _lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA.
466 ***************************************************************************/
468 NTSTATUS
_lsa_enum_trust_dom(pipes_struct
*p
, LSA_Q_ENUM_TRUST_DOM
*q_u
, LSA_R_ENUM_TRUST_DOM
*r_u
)
470 struct lsa_info
*info
;
471 uint32 enum_context
= q_u
->enum_context
;
474 * preferred length is set to 5 as a "our" preferred length
475 * nt sets this parameter to 2
477 uint32 max_num_domains
= q_u
->preferred_len
< 5 ? q_u
->preferred_len
: 10;
478 TRUSTDOM
**trust_doms
;
482 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
483 return NT_STATUS_INVALID_HANDLE
;
485 /* check if the user have enough rights */
486 if (!(info
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
487 return NT_STATUS_ACCESS_DENIED
;
489 nt_status
= secrets_get_trusted_domains(p
->mem_ctx
, &enum_context
, max_num_domains
, &num_domains
, &trust_doms
);
491 if (!NT_STATUS_IS_OK(nt_status
) &&
492 !NT_STATUS_EQUAL(nt_status
, STATUS_MORE_ENTRIES
) &&
493 !NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_MORE_ENTRIES
)) {
496 r_u
->status
= nt_status
;
499 /* set up the lsa_enum_trust_dom response */
500 init_r_enum_trust_dom(p
->mem_ctx
, r_u
, enum_context
, max_num_domains
, num_domains
, trust_doms
);
505 /***************************************************************************
506 _lsa_query_info. See the POLICY_INFOMATION_CLASS docs at msdn.
507 ***************************************************************************/
509 NTSTATUS
_lsa_query_info(pipes_struct
*p
, LSA_Q_QUERY_INFO
*q_u
, LSA_R_QUERY_INFO
*r_u
)
511 struct lsa_info
*handle
;
512 LSA_INFO_UNION
*info
= &r_u
->dom
;
517 r_u
->status
= NT_STATUS_OK
;
519 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
520 return NT_STATUS_INVALID_HANDLE
;
522 switch (q_u
->info_class
) {
526 /* check if the user have enough rights */
527 if (!(handle
->access
& POLICY_VIEW_AUDIT_INFORMATION
))
528 return NT_STATUS_ACCESS_DENIED
;
530 /* fake info: We audit everything. ;) */
531 info
->id2
.auditing_enabled
= 1;
532 info
->id2
.count1
= 7;
533 info
->id2
.count2
= 7;
534 if ((info
->id2
.auditsettings
= (uint32
*)talloc(p
->mem_ctx
,7*sizeof(uint32
))) == NULL
)
535 return NT_STATUS_NO_MEMORY
;
536 for (i
= 0; i
< 7; i
++)
537 info
->id2
.auditsettings
[i
] = 3;
541 /* check if the user have enough rights */
542 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
543 return NT_STATUS_ACCESS_DENIED
;
545 /* Request PolicyPrimaryDomainInformation. */
546 switch (lp_server_role()) {
547 case ROLE_DOMAIN_PDC
:
548 case ROLE_DOMAIN_BDC
:
549 name
= global_myworkgroup
;
550 sid
= get_global_sam_sid();
552 case ROLE_DOMAIN_MEMBER
:
553 name
= global_myworkgroup
;
554 /* We need to return the Domain SID here. */
555 if (secrets_fetch_domain_sid(global_myworkgroup
,
559 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
561 case ROLE_STANDALONE
:
562 name
= global_myworkgroup
;
566 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
568 init_dom_query(&r_u
->dom
.id3
, name
, sid
);
571 /* check if the user have enough rights */
572 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
573 return NT_STATUS_ACCESS_DENIED
;
575 /* Request PolicyAccountDomainInformation. */
576 switch (lp_server_role()) {
577 case ROLE_DOMAIN_PDC
:
578 case ROLE_DOMAIN_BDC
:
579 name
= global_myworkgroup
;
580 sid
= get_global_sam_sid();
582 case ROLE_DOMAIN_MEMBER
:
583 name
= global_myname
;
584 sid
= get_global_sam_sid();
586 case ROLE_STANDALONE
:
587 name
= global_myname
;
588 sid
= get_global_sam_sid();
591 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
593 init_dom_query(&r_u
->dom
.id5
, name
, sid
);
596 /* check if the user have enough rights */
597 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
598 return NT_STATUS_ACCESS_DENIED
;
600 switch (lp_server_role()) {
601 case ROLE_DOMAIN_BDC
:
603 * only a BDC is a backup controller
604 * of the domain, it controls.
606 info
->id6
.server_role
= 2;
610 * any other role is a primary
611 * of the domain, it controls.
613 info
->id6
.server_role
= 3;
618 DEBUG(0,("_lsa_query_info: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
619 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
623 if (NT_STATUS_IS_OK(r_u
->status
)) {
624 r_u
->undoc_buffer
= 0x22000000; /* bizarre */
625 r_u
->info_class
= q_u
->info_class
;
631 /***************************************************************************
633 ***************************************************************************/
635 NTSTATUS
_lsa_lookup_sids(pipes_struct
*p
, LSA_Q_LOOKUP_SIDS
*q_u
, LSA_R_LOOKUP_SIDS
*r_u
)
637 struct lsa_info
*handle
;
638 DOM_SID2
*sid
= q_u
->sids
.sid
;
639 int num_entries
= q_u
->sids
.num_entries
;
640 DOM_R_REF
*ref
= NULL
;
641 LSA_TRANS_NAME_ENUM
*names
= NULL
;
642 uint32 mapped_count
= 0;
644 ref
= (DOM_R_REF
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_R_REF
));
645 names
= (LSA_TRANS_NAME_ENUM
*)talloc_zero(p
->mem_ctx
, sizeof(LSA_TRANS_NAME_ENUM
));
647 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
)) {
648 r_u
->status
= NT_STATUS_INVALID_HANDLE
;
652 /* check if the user have enough rights */
653 if (!(handle
->access
& POLICY_LOOKUP_NAMES
)) {
654 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
658 return NT_STATUS_NO_MEMORY
;
662 /* set up the LSA Lookup SIDs response */
663 init_lsa_trans_names(p
->mem_ctx
, ref
, names
, num_entries
, sid
, &mapped_count
);
664 init_reply_lookup_sids(r_u
, ref
, names
, mapped_count
);
669 /***************************************************************************
670 lsa_reply_lookup_names
671 ***************************************************************************/
673 NTSTATUS
_lsa_lookup_names(pipes_struct
*p
,LSA_Q_LOOKUP_NAMES
*q_u
, LSA_R_LOOKUP_NAMES
*r_u
)
675 struct lsa_info
*handle
;
676 UNISTR2
*names
= q_u
->uni_name
;
677 int num_entries
= q_u
->num_entries
;
680 uint32 mapped_count
= 0;
682 if (num_entries
> MAX_LOOKUP_SIDS
) {
683 num_entries
= MAX_LOOKUP_SIDS
;
684 DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries
));
687 ref
= (DOM_R_REF
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_R_REF
));
688 rids
= (DOM_RID2
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_RID2
)*num_entries
);
690 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
)) {
691 r_u
->status
= NT_STATUS_INVALID_HANDLE
;
695 /* check if the user have enough rights */
696 if (!(handle
->access
& POLICY_LOOKUP_NAMES
)) {
697 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
702 return NT_STATUS_NO_MEMORY
;
706 /* set up the LSA Lookup RIDs response */
707 init_lsa_rid2s(ref
, rids
, num_entries
, names
, &mapped_count
, p
->endian
);
708 init_reply_lookup_names(r_u
, ref
, num_entries
, rids
, mapped_count
);
713 /***************************************************************************
714 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
715 ***************************************************************************/
717 NTSTATUS
_lsa_close(pipes_struct
*p
, LSA_Q_CLOSE
*q_u
, LSA_R_CLOSE
*r_u
)
719 if (!find_policy_by_hnd(p
, &q_u
->pol
, NULL
))
720 return NT_STATUS_INVALID_HANDLE
;
722 close_policy_hnd(p
, &q_u
->pol
);
726 /***************************************************************************
727 "No more secrets Marty...." :-).
728 ***************************************************************************/
730 NTSTATUS
_lsa_open_secret(pipes_struct
*p
, LSA_Q_OPEN_SECRET
*q_u
, LSA_R_OPEN_SECRET
*r_u
)
732 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
735 /***************************************************************************
737 ***************************************************************************/
739 NTSTATUS
_lsa_enum_privs(pipes_struct
*p
, LSA_Q_ENUM_PRIVS
*q_u
, LSA_R_ENUM_PRIVS
*r_u
)
741 struct lsa_info
*handle
;
744 uint32 enum_context
=q_u
->enum_context
;
745 LSA_PRIV_ENTRY
*entry
;
746 LSA_PRIV_ENTRY
*entries
=NULL
;
748 if (enum_context
>= PRIV_ALL_INDEX
)
749 return NT_STATUS_NO_MORE_ENTRIES
;
751 entries
= (LSA_PRIV_ENTRY
*)talloc_zero(p
->mem_ctx
, sizeof(LSA_PRIV_ENTRY
) * (PRIV_ALL_INDEX
));
753 return NT_STATUS_NO_MEMORY
;
755 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
756 return NT_STATUS_INVALID_HANDLE
;
758 /* check if the user have enough rights */
761 * I don't know if it's the right one. not documented.
763 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
764 return NT_STATUS_ACCESS_DENIED
;
768 DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n", enum_context
, PRIV_ALL_INDEX
));
770 for (i
= 0; i
< PRIV_ALL_INDEX
; i
++, entry
++) {
771 if( i
<enum_context
) {
772 init_uni_hdr(&entry
->hdr_name
, 0);
773 init_unistr2(&entry
->name
, NULL
, 0 );
775 entry
->luid_high
= 0;
777 init_uni_hdr(&entry
->hdr_name
, strlen(privs
[i
+1].priv
));
778 init_unistr2(&entry
->name
, privs
[i
+1].priv
, strlen(privs
[i
+1].priv
) );
779 entry
->luid_low
= privs
[i
+1].se_priv
;
780 entry
->luid_high
= 0;
784 enum_context
= PRIV_ALL_INDEX
;
785 init_lsa_r_enum_privs(r_u
, enum_context
, PRIV_ALL_INDEX
, entries
);
790 /***************************************************************************
791 _lsa_priv_get_dispname.
792 ***************************************************************************/
794 NTSTATUS
_lsa_priv_get_dispname(pipes_struct
*p
, LSA_Q_PRIV_GET_DISPNAME
*q_u
, LSA_R_PRIV_GET_DISPNAME
*r_u
)
796 struct lsa_info
*handle
;
800 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
801 return NT_STATUS_INVALID_HANDLE
;
803 /* check if the user have enough rights */
806 * I don't know if it's the right one. not documented.
808 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
809 return NT_STATUS_ACCESS_DENIED
;
811 unistr2_to_ascii(name_asc
, &q_u
->name
, sizeof(name_asc
));
813 DEBUG(10,("_lsa_priv_get_dispname: %s", name_asc
));
815 while (privs
[i
].se_priv
!=SE_PRIV_ALL
&& strcmp(name_asc
, privs
[i
].priv
))
818 if (privs
[i
].se_priv
!=SE_PRIV_ALL
) {
819 DEBUG(10,(": %s\n", privs
[i
].description
));
820 init_uni_hdr(&r_u
->hdr_desc
, strlen(privs
[i
].description
));
821 init_unistr2(&r_u
->desc
, privs
[i
].description
, strlen(privs
[i
].description
) );
823 r_u
->ptr_info
=0xdeadbeef;
824 r_u
->lang_id
=q_u
->lang_id
;
827 DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
829 return NT_STATUS_NO_SUCH_PRIVILEGE
;
833 /***************************************************************************
835 ***************************************************************************/
837 NTSTATUS
_lsa_enum_accounts(pipes_struct
*p
, LSA_Q_ENUM_ACCOUNTS
*q_u
, LSA_R_ENUM_ACCOUNTS
*r_u
)
839 struct lsa_info
*handle
;
842 LSA_SID_ENUM
*sids
=&r_u
->sids
;
845 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
846 return NT_STATUS_INVALID_HANDLE
;
848 /* check if the user have enough rights */
851 * I don't know if it's the right one. not documented.
853 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
854 return NT_STATUS_ACCESS_DENIED
;
856 /* get the list of mapped groups (domain, local, builtin) */
857 if(!enum_group_mapping(SID_NAME_UNKNOWN
, &map
, &num_entries
, ENUM_ONLY_MAPPED
, MAPPING_WITHOUT_PRIV
))
860 if (q_u
->enum_context
>= num_entries
)
861 return NT_STATUS_NO_MORE_ENTRIES
;
863 sids
->ptr_sid
= (uint32
*)talloc_zero(p
->mem_ctx
, (num_entries
-q_u
->enum_context
)*sizeof(uint32
));
864 sids
->sid
= (DOM_SID2
*)talloc_zero(p
->mem_ctx
, (num_entries
-q_u
->enum_context
)*sizeof(DOM_SID2
));
866 if (sids
->ptr_sid
==NULL
|| sids
->sid
==NULL
) {
868 return NT_STATUS_NO_MEMORY
;
871 for (i
=q_u
->enum_context
, j
=0; i
<num_entries
; i
++) {
872 init_dom_sid2( &(*sids
).sid
[j
], &map
[i
].sid
);
873 (*sids
).ptr_sid
[j
]=1;
879 init_lsa_r_enum_accounts(r_u
, j
);
885 NTSTATUS
_lsa_unk_get_connuser(pipes_struct
*p
, LSA_Q_UNK_GET_CONNUSER
*q_u
, LSA_R_UNK_GET_CONNUSER
*r_u
)
887 fstring username
, domname
;
889 user_struct
*vuser
= get_valid_user_struct(p
->vuid
);
892 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
894 fstrcpy(username
, vuser
->user
.smb_name
);
895 fstrcpy(domname
, vuser
->user
.domain
);
897 ulen
= strlen(username
) + 1;
898 dlen
= strlen(domname
) + 1;
900 init_uni_hdr(&r_u
->hdr_user_name
, ulen
);
901 r_u
->ptr_user_name
= 1;
902 init_unistr2(&r_u
->uni2_user_name
, username
, ulen
);
906 init_uni_hdr(&r_u
->hdr_dom_name
, dlen
);
907 r_u
->ptr_dom_name
= 1;
908 init_unistr2(&r_u
->uni2_dom_name
, domname
, dlen
);
910 r_u
->status
= NT_STATUS_OK
;
915 /***************************************************************************
917 ***************************************************************************/
919 NTSTATUS
_lsa_open_account(pipes_struct
*p
, LSA_Q_OPENACCOUNT
*q_u
, LSA_R_OPENACCOUNT
*r_u
)
921 struct lsa_info
*handle
;
922 struct lsa_info
*info
;
924 r_u
->status
= NT_STATUS_OK
;
926 /* find the connection policy handle. */
927 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
928 return NT_STATUS_INVALID_HANDLE
;
930 /* check if the user have enough rights */
933 * I don't know if it's the right one. not documented.
934 * but guessed with rpcclient.
936 if (!(handle
->access
& POLICY_GET_PRIVATE_INFORMATION
))
937 return NT_STATUS_ACCESS_DENIED
;
939 /* associate the user/group SID with the (unique) handle. */
940 if ((info
= (struct lsa_info
*)malloc(sizeof(struct lsa_info
))) == NULL
)
941 return NT_STATUS_NO_MEMORY
;
944 info
->sid
= q_u
->sid
.sid
;
945 info
->access
= q_u
->access
;
947 /* get a (unique) handle. open a policy on it. */
948 if (!create_policy_hnd(p
, &r_u
->pol
, free_lsa_info
, (void *)info
))
949 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
954 /***************************************************************************
955 For a given SID, enumerate all the privilege this account has.
956 ***************************************************************************/
958 NTSTATUS
_lsa_enum_privsaccount(pipes_struct
*p
, LSA_Q_ENUMPRIVSACCOUNT
*q_u
, LSA_R_ENUMPRIVSACCOUNT
*r_u
)
960 struct lsa_info
*info
=NULL
;
966 r_u
->status
= NT_STATUS_OK
;
968 /* find the connection policy handle. */
969 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
970 return NT_STATUS_INVALID_HANDLE
;
972 if (!get_group_map_from_sid(info
->sid
, &map
, MAPPING_WITH_PRIV
))
973 return NT_STATUS_NO_SUCH_GROUP
;
975 DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map
.priv_set
.count
));
976 if (map
.priv_set
.count
!=0) {
978 set
=(LUID_ATTR
*)talloc(p
->mem_ctx
, map
.priv_set
.count
*sizeof(LUID_ATTR
));
980 free_privilege(&map
.priv_set
);
981 return NT_STATUS_NO_MEMORY
;
984 for (i
=0; i
<map
.priv_set
.count
; i
++) {
985 set
[i
].luid
.low
=map
.priv_set
.set
[i
].luid
.low
;
986 set
[i
].luid
.high
=map
.priv_set
.set
[i
].luid
.high
;
987 set
[i
].attr
=map
.priv_set
.set
[i
].attr
;
988 DEBUG(10,("_lsa_enum_privsaccount: priv %d: %d:%d:%d\n", i
,
989 set
[i
].luid
.high
, set
[i
].luid
.low
, set
[i
].attr
));
993 init_lsa_r_enum_privsaccount(r_u
, set
, map
.priv_set
.count
, 0);
994 free_privilege(&map
.priv_set
);
999 /***************************************************************************
1001 ***************************************************************************/
1003 NTSTATUS
_lsa_getsystemaccount(pipes_struct
*p
, LSA_Q_GETSYSTEMACCOUNT
*q_u
, LSA_R_GETSYSTEMACCOUNT
*r_u
)
1005 struct lsa_info
*info
=NULL
;
1007 r_u
->status
= NT_STATUS_OK
;
1009 /* find the connection policy handle. */
1010 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1011 return NT_STATUS_INVALID_HANDLE
;
1013 if (!get_group_map_from_sid(info
->sid
, &map
, MAPPING_WITHOUT_PRIV
))
1014 return NT_STATUS_NO_SUCH_GROUP
;
1017 0x01 -> Log on locally
1018 0x02 -> Access this computer from network
1019 0x04 -> Log on as a batch job
1020 0x10 -> Log on as a service
1022 they can be ORed together
1025 r_u
->access
=map
.systemaccount
;
1030 /***************************************************************************
1031 update the systemaccount information
1032 ***************************************************************************/
1034 NTSTATUS
_lsa_setsystemaccount(pipes_struct
*p
, LSA_Q_SETSYSTEMACCOUNT
*q_u
, LSA_R_SETSYSTEMACCOUNT
*r_u
)
1036 struct lsa_info
*info
=NULL
;
1038 r_u
->status
= NT_STATUS_OK
;
1040 /* find the connection policy handle. */
1041 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1042 return NT_STATUS_INVALID_HANDLE
;
1044 if (!get_group_map_from_sid(info
->sid
, &map
, MAPPING_WITH_PRIV
))
1045 return NT_STATUS_NO_SUCH_GROUP
;
1047 map
.systemaccount
=q_u
->access
;
1049 if(!add_mapping_entry(&map
, TDB_REPLACE
))
1050 return NT_STATUS_NO_SUCH_GROUP
;
1052 free_privilege(&map
.priv_set
);
1057 /***************************************************************************
1058 For a given SID, add some privileges.
1059 ***************************************************************************/
1061 NTSTATUS
_lsa_addprivs(pipes_struct
*p
, LSA_Q_ADDPRIVS
*q_u
, LSA_R_ADDPRIVS
*r_u
)
1063 struct lsa_info
*info
=NULL
;
1067 LUID_ATTR
*luid_attr
=NULL
;
1068 PRIVILEGE_SET
*set
=NULL
;
1070 r_u
->status
= NT_STATUS_OK
;
1072 /* find the connection policy handle. */
1073 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1074 return NT_STATUS_INVALID_HANDLE
;
1076 if (!get_group_map_from_sid(info
->sid
, &map
, MAPPING_WITH_PRIV
))
1077 return NT_STATUS_NO_SUCH_GROUP
;
1081 for (i
=0; i
<set
->count
; i
++) {
1082 luid_attr
=&set
->set
[i
];
1084 /* check if the privilege is already there */
1085 if (check_priv_in_privilege(&map
.priv_set
, *luid_attr
)){
1086 free_privilege(&map
.priv_set
);
1087 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1090 add_privilege(&map
.priv_set
, *luid_attr
);
1093 if(!add_mapping_entry(&map
, TDB_REPLACE
))
1094 return NT_STATUS_NO_SUCH_GROUP
;
1096 free_privilege(&map
.priv_set
);
1101 /***************************************************************************
1102 For a given SID, remove some privileges.
1103 ***************************************************************************/
1105 NTSTATUS
_lsa_removeprivs(pipes_struct
*p
, LSA_Q_REMOVEPRIVS
*q_u
, LSA_R_REMOVEPRIVS
*r_u
)
1107 struct lsa_info
*info
=NULL
;
1111 LUID_ATTR
*luid_attr
=NULL
;
1112 PRIVILEGE_SET
*set
=NULL
;
1114 r_u
->status
= NT_STATUS_OK
;
1116 /* find the connection policy handle. */
1117 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1118 return NT_STATUS_INVALID_HANDLE
;
1120 if (!get_group_map_from_sid(info
->sid
, &map
, MAPPING_WITH_PRIV
))
1121 return NT_STATUS_NO_SUCH_GROUP
;
1123 if (q_u
->allrights
!=0) {
1124 /* log it and return, until I see one myself don't do anything */
1125 DEBUG(5,("_lsa_removeprivs: trying to remove all privileges ?\n"));
1126 return NT_STATUS_OK
;
1130 /* log it and return, until I see one myself don't do anything */
1131 DEBUG(5,("_lsa_removeprivs: no privileges to remove ?\n"));
1132 return NT_STATUS_OK
;
1137 for (i
=0; i
<set
->count
; i
++) {
1138 luid_attr
=&set
->set
[i
];
1140 /* if we don't have the privilege, we're trying to remove, give up */
1141 /* what else can we do ??? JFM. */
1142 if (!check_priv_in_privilege(&map
.priv_set
, *luid_attr
)){
1143 free_privilege(&map
.priv_set
);
1144 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1147 remove_privilege(&map
.priv_set
, *luid_attr
);
1150 if(!add_mapping_entry(&map
, TDB_REPLACE
))
1151 return NT_STATUS_NO_SUCH_GROUP
;
1153 free_privilege(&map
.priv_set
);
1158 /***************************************************************************
1159 For a given SID, remove some privileges.
1160 ***************************************************************************/
1162 NTSTATUS
_lsa_query_secobj(pipes_struct
*p
, LSA_Q_QUERY_SEC_OBJ
*q_u
, LSA_R_QUERY_SEC_OBJ
*r_u
)
1164 struct lsa_info
*handle
=NULL
;
1165 SEC_DESC
*psd
= NULL
;
1169 r_u
->status
= NT_STATUS_OK
;
1171 /* find the connection policy handle. */
1172 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
1173 return NT_STATUS_INVALID_HANDLE
;
1175 /* check if the user have enough rights */
1176 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
1177 return NT_STATUS_ACCESS_DENIED
;
1180 switch (q_u
->sec_info
) {
1182 /* SD contains only the owner */
1184 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1185 if(!NT_STATUS_IS_OK(status
))
1186 return NT_STATUS_NO_MEMORY
;
1189 if((r_u
->buf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1190 return NT_STATUS_NO_MEMORY
;
1193 /* SD contains only the ACL */
1195 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1196 if(!NT_STATUS_IS_OK(status
))
1197 return NT_STATUS_NO_MEMORY
;
1199 if((r_u
->buf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1200 return NT_STATUS_NO_MEMORY
;
1203 return NT_STATUS_INVALID_LEVEL
;
1212 NTSTATUS
_lsa_query_info2(pipes_struct
*p
, LSA_Q_QUERY_INFO2
*q_u
, LSA_R_QUERY_INFO2
*r_u
)
1214 struct lsa_info
*handle
;
1215 char *nb_name
= NULL
;
1216 char *dns_name
= NULL
;
1217 char *forest_name
= NULL
;
1218 DOM_SID
*sid
= NULL
;
1222 r_u
->status
= NT_STATUS_OK
;
1224 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
1225 return NT_STATUS_INVALID_HANDLE
;
1227 switch (q_u
->info_class
) {
1229 /* check if the user have enough rights */
1230 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
1231 return NT_STATUS_ACCESS_DENIED
;
1233 /* Request PolicyPrimaryDomainInformation. */
1234 switch (lp_server_role()) {
1235 case ROLE_DOMAIN_PDC
:
1236 case ROLE_DOMAIN_BDC
:
1237 nb_name
= global_myworkgroup
;
1238 /* ugly temp hack for these next two */
1239 dns_name
= lp_realm();
1240 forest_name
= lp_realm();
1241 sid
= get_global_sam_sid();
1242 secrets_fetch_domain_guid(global_myworkgroup
,
1246 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1248 init_dns_dom_info(&r_u
->info
.dns_dom_info
, nb_name
, dns_name
,
1249 forest_name
,&guid
,sid
);
1252 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
1253 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
1257 if (NT_STATUS_IS_OK(r_u
->status
)) {
1259 r_u
->info_class
= q_u
->info_class
;