search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes
[Samba.git] / source3 / rpc_server / samr / srv_samr_nt.c
bloba7700c6bd60e2563995a76c8c3c1b84b8ff0a872
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35 #include "system/passwd.h"
36 #include "../libcli/auth/libcli_auth.h"
37 #include "ntdomain.h"
38 #include "../librpc/gen_ndr/srv_samr.h"
39 #include "rpc_server/samr/srv_samr_util.h"
40 #include "../lib/crypto/arcfour.h"
41 #include "secrets.h"
42 #include "rpc_client/init_lsa.h"
43 #include "../libcli/security/security.h"
44 #include "passdb.h"
45 #include "auth.h"
46 #include "rpc_server/srv_access_check.h"
47 #include "../lib/tsocket/tsocket.h"
48
49 #undef DBGC_CLASS
50 #define DBGC_CLASS DBGC_RPC_SRV
51
52 #define SAMR_USR_RIGHTS_WRITE_PW \
53 ( READ_CONTROL_ACCESS | \
54 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
55 SAMR_USER_ACCESS_SET_LOC_COM)
56 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
57 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
58
59 #define DISP_INFO_CACHE_TIMEOUT 10
60
61 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
62 #define MAX_SAM_ENTRIES_W95 50
63
64 struct samr_connect_info {
65 uint8_t dummy;
66 };
67
68 struct samr_domain_info {
69 struct dom_sid sid;
70 struct disp_info *disp_info;
71 };
72
73 struct samr_user_info {
74 struct dom_sid sid;
75 };
76
77 struct samr_group_info {
78 struct dom_sid sid;
79 };
80
81 struct samr_alias_info {
82 struct dom_sid sid;
83 };
84
85 typedef struct disp_info {
86 struct dom_sid sid; /* identify which domain this is. */
87 struct pdb_search *users; /* querydispinfo 1 and 4 */
88 struct pdb_search *machines; /* querydispinfo 2 */
89 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
90 struct pdb_search *aliases; /* enumaliases */
91
92 uint32_t enum_acb_mask;
93 struct pdb_search *enum_users; /* enumusers with a mask */
94
95 struct tevent_timer *cache_timeout_event; /* cache idle timeout
96 * handler. */
97 } DISP_INFO;
98
99 static const struct generic_mapping sam_generic_mapping = {
100 GENERIC_RIGHTS_SAM_READ,
101 GENERIC_RIGHTS_SAM_WRITE,
102 GENERIC_RIGHTS_SAM_EXECUTE,
103 GENERIC_RIGHTS_SAM_ALL_ACCESS};
104 static const struct generic_mapping dom_generic_mapping = {
105 GENERIC_RIGHTS_DOMAIN_READ,
106 GENERIC_RIGHTS_DOMAIN_WRITE,
107 GENERIC_RIGHTS_DOMAIN_EXECUTE,
108 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
109 static const struct generic_mapping usr_generic_mapping = {
110 GENERIC_RIGHTS_USER_READ,
111 GENERIC_RIGHTS_USER_WRITE,
112 GENERIC_RIGHTS_USER_EXECUTE,
113 GENERIC_RIGHTS_USER_ALL_ACCESS};
114 static const struct generic_mapping usr_nopwchange_generic_mapping = {
115 GENERIC_RIGHTS_USER_READ,
116 GENERIC_RIGHTS_USER_WRITE,
117 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
118 GENERIC_RIGHTS_USER_ALL_ACCESS};
119 static const struct generic_mapping grp_generic_mapping = {
120 GENERIC_RIGHTS_GROUP_READ,
121 GENERIC_RIGHTS_GROUP_WRITE,
122 GENERIC_RIGHTS_GROUP_EXECUTE,
123 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
124 static const struct generic_mapping ali_generic_mapping = {
125 GENERIC_RIGHTS_ALIAS_READ,
126 GENERIC_RIGHTS_ALIAS_WRITE,
127 GENERIC_RIGHTS_ALIAS_EXECUTE,
128 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
129
130 /*******************************************************************
131 *******************************************************************/
132
133 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, struct security_descriptor **psd, size_t *sd_size,
134 const struct generic_mapping *map,
135 struct dom_sid *sid, uint32 sid_access )
136 {
137 struct dom_sid domadmin_sid;
138 struct security_ace ace[5]; /* at most 5 entries */
139 size_t i = 0;
140
141 struct security_acl *psa = NULL;
142
143 /* basic access for Everyone */
144
145 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
146 map->generic_execute | map->generic_read, 0);
147
148 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
149
150 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
151 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
152 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
153 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
154
155 /* Add Full Access for Domain Admins if we are a DC */
156
157 if ( IS_DC ) {
158 sid_compose(&domadmin_sid, get_global_sam_sid(),
159 DOMAIN_RID_ADMINS);
160 init_sec_ace(&ace[i++], &domadmin_sid,
161 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
162 }
163
164 /* if we have a sid, give it some special access */
165
166 if ( sid ) {
167 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
168 }
169
170 /* create the security descriptor */
171
172 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
173 return NT_STATUS_NO_MEMORY;
174
175 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
176 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
177 psa, sd_size)) == NULL)
178 return NT_STATUS_NO_MEMORY;
179
180 return NT_STATUS_OK;
181 }
182
183 /*******************************************************************
184 Fetch or create a dispinfo struct.
185 ********************************************************************/
186
187 static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid)
188 {
189 /*
190 * We do a static cache for DISP_INFO's here. Explanation can be found
191 * in Jeremy's checkin message to r11793:
192 *
193 * Fix the SAMR cache so it works across completely insane
194 * client behaviour (ie.:
195 * open pipe/open SAMR handle/enumerate 0 - 1024
196 * close SAMR handle, close pipe.
197 * open pipe/open SAMR handle/enumerate 1024 - 2048...
198 * close SAMR handle, close pipe.
199 * And on ad-nausium. Amazing.... probably object-oriented
200 * client side programming in action yet again.
201 * This change should *massively* improve performance when
202 * enumerating users from an LDAP database.
203 * Jeremy.
204 *
205 * "Our" and the builtin domain are the only ones where we ever
206 * enumerate stuff, so just cache 2 entries.
207 */
208
209 static struct disp_info *builtin_dispinfo;
210 static struct disp_info *domain_dispinfo;
211
212 /* There are two cases to consider here:
213 1) The SID is a domain SID and we look for an equality match, or
214 2) This is an account SID and so we return the DISP_INFO* for our
215 domain */
216
217 if (psid == NULL) {
218 return NULL;
219 }
220
221 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
222 /*
223 * Necessary only once, but it does not really hurt.
224 */
225 if (builtin_dispinfo == NULL) {
226 builtin_dispinfo = talloc_zero(NULL, struct disp_info);
227 if (builtin_dispinfo == NULL) {
228 return NULL;
229 }
230 }
231 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
232
233 return builtin_dispinfo;
234 }
235
236 if (sid_check_is_our_sam(psid) || sid_check_is_in_our_sam(psid)) {
237 /*
238 * Necessary only once, but it does not really hurt.
239 */
240 if (domain_dispinfo == NULL) {
241 domain_dispinfo = talloc_zero(NULL, struct disp_info);
242 if (domain_dispinfo == NULL) {
243 return NULL;
244 }
245 }
246 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
247
248 return domain_dispinfo;
249 }
250
251 return NULL;
252 }
253
254 /*******************************************************************
255 Function to free the per SID data.
256 ********************************************************************/
257
258 static void free_samr_cache(DISP_INFO *disp_info)
259 {
260 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
261 sid_string_dbg(&disp_info->sid)));
262
263 /* We need to become root here because the paged search might have to
264 * tell the LDAP server we're not interested in the rest anymore. */
265
266 become_root();
267
268 TALLOC_FREE(disp_info->users);
269 TALLOC_FREE(disp_info->machines);
270 TALLOC_FREE(disp_info->groups);
271 TALLOC_FREE(disp_info->aliases);
272 TALLOC_FREE(disp_info->enum_users);
273
274 unbecome_root();
275 }
276
277 /*******************************************************************
278 Idle event handler. Throw away the disp info cache.
279 ********************************************************************/
280
281 static void disp_info_cache_idle_timeout_handler(struct tevent_context *ev_ctx,
282 struct tevent_timer *te,
283 struct timeval now,
284 void *private_data)
285 {
286 DISP_INFO *disp_info = (DISP_INFO *)private_data;
287
288 TALLOC_FREE(disp_info->cache_timeout_event);
289
290 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
291 "out\n"));
292 free_samr_cache(disp_info);
293 }
294
295 /*******************************************************************
296 Setup cache removal idle event handler.
297 ********************************************************************/
298
299 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
300 {
301 /* Remove any pending timeout and update. */
302
303 TALLOC_FREE(disp_info->cache_timeout_event);
304
305 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
306 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
307 (unsigned int)secs_fromnow ));
308
309 disp_info->cache_timeout_event = tevent_add_timer(
310 server_event_context(), NULL,
311 timeval_current_ofs(secs_fromnow, 0),
312 disp_info_cache_idle_timeout_handler, (void *)disp_info);
313 }
314
315 /*******************************************************************
316 Force flush any cache. We do this on any samr_set_xxx call.
317 We must also remove the timeout handler.
318 ********************************************************************/
319
320 static void force_flush_samr_cache(const struct dom_sid *sid)
321 {
322 struct disp_info *disp_info = get_samr_dispinfo_by_sid(sid);
323
324 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
325 return;
326 }
327
328 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
329 TALLOC_FREE(disp_info->cache_timeout_event);
330 free_samr_cache(disp_info);
331 }
332
333 /*******************************************************************
334 Ensure password info is never given out. Paranioa... JRA.
335 ********************************************************************/
336
337 static void samr_clear_sam_passwd(struct samu *sam_pass)
338 {
339
340 if (!sam_pass)
341 return;
342
343 /* These now zero out the old password */
344
345 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
346 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
347 }
348
349 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
350 {
351 struct samr_displayentry *entry;
352
353 if (sid_check_is_builtin(&info->sid)) {
354 /* No users in builtin. */
355 return 0;
356 }
357
358 if (info->users == NULL) {
359 info->users = pdb_search_users(info, acct_flags);
360 if (info->users == NULL) {
361 return 0;
362 }
363 }
364 /* Fetch the last possible entry, thus trigger an enumeration */
365 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
366
367 /* Ensure we cache this enumeration. */
368 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
369
370 return info->users->num_entries;
371 }
372
373 static uint32 count_sam_groups(struct disp_info *info)
374 {
375 struct samr_displayentry *entry;
376
377 if (sid_check_is_builtin(&info->sid)) {
378 /* No groups in builtin. */
379 return 0;
380 }
381
382 if (info->groups == NULL) {
383 info->groups = pdb_search_groups(info);
384 if (info->groups == NULL) {
385 return 0;
386 }
387 }
388 /* Fetch the last possible entry, thus trigger an enumeration */
389 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
390
391 /* Ensure we cache this enumeration. */
392 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
393
394 return info->groups->num_entries;
395 }
396
397 static uint32 count_sam_aliases(struct disp_info *info)
398 {
399 struct samr_displayentry *entry;
400
401 if (info->aliases == NULL) {
402 info->aliases = pdb_search_aliases(info, &info->sid);
403 if (info->aliases == NULL) {
404 return 0;
405 }
406 }
407 /* Fetch the last possible entry, thus trigger an enumeration */
408 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
409
410 /* Ensure we cache this enumeration. */
411 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
412
413 return info->aliases->num_entries;
414 }
415
416 /*******************************************************************
417 _samr_Close
418 ********************************************************************/
419
420 NTSTATUS _samr_Close(struct pipes_struct *p, struct samr_Close *r)
421 {
422 if (!close_policy_hnd(p, r->in.handle)) {
423 return NT_STATUS_INVALID_HANDLE;
424 }
425
426 ZERO_STRUCTP(r->out.handle);
427
428 return NT_STATUS_OK;
429 }
430
431 /*******************************************************************
432 _samr_OpenDomain
433 ********************************************************************/
434
435 NTSTATUS _samr_OpenDomain(struct pipes_struct *p,
436 struct samr_OpenDomain *r)
437 {
438 struct samr_domain_info *dinfo;
439 struct security_descriptor *psd = NULL;
440 uint32 acc_granted;
441 uint32 des_access = r->in.access_mask;
442 NTSTATUS status;
443 size_t sd_size;
444 uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
445
446 /* find the connection policy handle. */
447
448 (void)policy_handle_find(p, r->in.connect_handle, 0, NULL,
449 struct samr_connect_info, &status);
450 if (!NT_STATUS_IS_OK(status)) {
451 return status;
452 }
453
454 /*check if access can be granted as requested by client. */
455 map_max_allowed_access(p->session_info->security_token,
456 p->session_info->unix_token,
457 &des_access);
458
459 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
460 se_map_generic( &des_access, &dom_generic_mapping );
461
462 /*
463 * Users with SeAddUser get the ability to manipulate groups
464 * and aliases.
465 */
466 if (security_token_has_privilege(p->session_info->security_token, SEC_PRIV_ADD_USERS)) {
467 extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
468 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
469 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
470 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
471 SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
472 }
473
474 /*
475 * Users with SeMachineAccount or SeAddUser get additional
476 * SAMR_DOMAIN_ACCESS_CREATE_USER access.
477 */
478
479 status = access_check_object( psd, p->session_info->security_token,
480 SEC_PRIV_MACHINE_ACCOUNT, SEC_PRIV_ADD_USERS,
481 extra_access, des_access,
482 &acc_granted, "_samr_OpenDomain" );
483
484 if ( !NT_STATUS_IS_OK(status) )
485 return status;
486
487 if (!sid_check_is_our_sam(r->in.sid) &&
488 !sid_check_is_builtin(r->in.sid)) {
489 return NT_STATUS_NO_SUCH_DOMAIN;
490 }
491
492 dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
493 struct samr_domain_info, &status);
494 if (!NT_STATUS_IS_OK(status)) {
495 return status;
496 }
497 dinfo->sid = *r->in.sid;
498 dinfo->disp_info = get_samr_dispinfo_by_sid(r->in.sid);
499
500 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
501
502 return NT_STATUS_OK;
503 }
504
505 /*******************************************************************
506 _samr_GetUserPwInfo
507 ********************************************************************/
508
509 NTSTATUS _samr_GetUserPwInfo(struct pipes_struct *p,
510 struct samr_GetUserPwInfo *r)
511 {
512 struct samr_user_info *uinfo;
513 enum lsa_SidType sid_type;
514 uint32_t min_password_length = 0;
515 uint32_t password_properties = 0;
516 bool ret = false;
517 NTSTATUS status;
518
519 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
520
521 uinfo = policy_handle_find(p, r->in.user_handle,
522 SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
523 struct samr_user_info, &status);
524 if (!NT_STATUS_IS_OK(status)) {
525 return status;
526 }
527
528 if (!sid_check_is_in_our_sam(&uinfo->sid)) {
529 return NT_STATUS_OBJECT_TYPE_MISMATCH;
530 }
531
532 become_root();
533 ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type);
534 unbecome_root();
535 if (ret == false) {
536 return NT_STATUS_NO_SUCH_USER;
537 }
538
539 switch (sid_type) {
540 case SID_NAME_USER:
541 become_root();
542 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
543 &min_password_length);
544 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
545 &password_properties);
546 unbecome_root();
547
548 if (lp_check_password_script(talloc_tos())
549 && *lp_check_password_script(talloc_tos())) {
550 password_properties |= DOMAIN_PASSWORD_COMPLEX;
551 }
552
553 break;
554 default:
555 break;
556 }
557
558 r->out.info->min_password_length = min_password_length;
559 r->out.info->password_properties = password_properties;
560
561 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
562
563 return NT_STATUS_OK;
564 }
565
566 /*******************************************************************
567 _samr_SetSecurity
568 ********************************************************************/
569
570 NTSTATUS _samr_SetSecurity(struct pipes_struct *p,
571 struct samr_SetSecurity *r)
572 {
573 struct samr_user_info *uinfo;
574 uint32 i;
575 struct security_acl *dacl;
576 bool ret;
577 struct samu *sampass=NULL;
578 NTSTATUS status;
579
580 uinfo = policy_handle_find(p, r->in.handle,
581 SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL,
582 struct samr_user_info, &status);
583 if (!NT_STATUS_IS_OK(status)) {
584 return status;
585 }
586
587 if (!(sampass = samu_new( p->mem_ctx))) {
588 DEBUG(0,("No memory!\n"));
589 return NT_STATUS_NO_MEMORY;
590 }
591
592 /* get the user record */
593 become_root();
594 ret = pdb_getsampwsid(sampass, &uinfo->sid);
595 unbecome_root();
596
597 if (!ret) {
598 DEBUG(4, ("User %s not found\n",
599 sid_string_dbg(&uinfo->sid)));
600 TALLOC_FREE(sampass);
601 return NT_STATUS_INVALID_HANDLE;
602 }
603
604 dacl = r->in.sdbuf->sd->dacl;
605 for (i=0; i < dacl->num_aces; i++) {
606 if (dom_sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) {
607 ret = pdb_set_pass_can_change(sampass,
608 (dacl->aces[i].access_mask &
609 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
610 True: False);
611 break;
612 }
613 }
614
615 if (!ret) {
616 TALLOC_FREE(sampass);
617 return NT_STATUS_ACCESS_DENIED;
618 }
619
620 become_root();
621 status = pdb_update_sam_account(sampass);
622 unbecome_root();
623
624 TALLOC_FREE(sampass);
625
626 return status;
627 }
628
629 /*******************************************************************
630 build correct perms based on policies and password times for _samr_query_sec_obj
631 *******************************************************************/
632 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, struct dom_sid *user_sid)
633 {
634 struct samu *sampass=NULL;
635 bool ret;
636
637 if ( !(sampass = samu_new( mem_ctx )) ) {
638 DEBUG(0,("No memory!\n"));
639 return False;
640 }
641
642 become_root();
643 ret = pdb_getsampwsid(sampass, user_sid);
644 unbecome_root();
645
646 if (ret == False) {
647 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
648 TALLOC_FREE(sampass);
649 return False;
650 }
651
652 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
653
654 if (pdb_get_pass_can_change(sampass)) {
655 TALLOC_FREE(sampass);
656 return True;
657 }
658 TALLOC_FREE(sampass);
659 return False;
660 }
661
662
663 /*******************************************************************
664 _samr_QuerySecurity
665 ********************************************************************/
666
667 NTSTATUS _samr_QuerySecurity(struct pipes_struct *p,
668 struct samr_QuerySecurity *r)
669 {
670 struct samr_domain_info *dinfo;
671 struct samr_user_info *uinfo;
672 struct samr_group_info *ginfo;
673 struct samr_alias_info *ainfo;
674 NTSTATUS status;
675 struct security_descriptor * psd = NULL;
676 size_t sd_size = 0;
677
678 (void)policy_handle_find(p, r->in.handle,
679 SEC_STD_READ_CONTROL, NULL,
680 struct samr_connect_info, &status);
681 if (NT_STATUS_IS_OK(status)) {
682 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
683 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
684 &sam_generic_mapping, NULL, 0);
685 goto done;
686 }
687
688 dinfo = policy_handle_find(p, r->in.handle,
689 SEC_STD_READ_CONTROL, NULL,
690 struct samr_domain_info, &status);
691 if (NT_STATUS_IS_OK(status)) {
692 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
693 "with SID: %s\n", sid_string_dbg(&dinfo->sid)));
694 /*
695 * TODO: Builtin probably needs a different SD with restricted
696 * write access
697 */
698 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
699 &dom_generic_mapping, NULL, 0);
700 goto done;
701 }
702
703 uinfo = policy_handle_find(p, r->in.handle,
704 SEC_STD_READ_CONTROL, NULL,
705 struct samr_user_info, &status);
706 if (NT_STATUS_IS_OK(status)) {
707 DEBUG(10,("_samr_QuerySecurity: querying security on user "
708 "Object with SID: %s\n",
709 sid_string_dbg(&uinfo->sid)));
710 if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) {
711 status = make_samr_object_sd(
712 p->mem_ctx, &psd, &sd_size,
713 &usr_generic_mapping,
714 &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW);
715 } else {
716 status = make_samr_object_sd(
717 p->mem_ctx, &psd, &sd_size,
718 &usr_nopwchange_generic_mapping,
719 &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
720 }
721 goto done;
722 }
723
724 ginfo = policy_handle_find(p, r->in.handle,
725 SEC_STD_READ_CONTROL, NULL,
726 struct samr_group_info, &status);
727 if (NT_STATUS_IS_OK(status)) {
728 /*
729 * TODO: different SDs have to be generated for aliases groups
730 * and users. Currently all three get a default user SD
731 */
732 DEBUG(10,("_samr_QuerySecurity: querying security on group "
733 "Object with SID: %s\n",
734 sid_string_dbg(&ginfo->sid)));
735 status = make_samr_object_sd(
736 p->mem_ctx, &psd, &sd_size,
737 &usr_nopwchange_generic_mapping,
738 &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
739 goto done;
740 }
741
742 ainfo = policy_handle_find(p, r->in.handle,
743 SEC_STD_READ_CONTROL, NULL,
744 struct samr_alias_info, &status);
745 if (NT_STATUS_IS_OK(status)) {
746 /*
747 * TODO: different SDs have to be generated for aliases groups
748 * and users. Currently all three get a default user SD
749 */
750 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
751 "Object with SID: %s\n",
752 sid_string_dbg(&ainfo->sid)));
753 status = make_samr_object_sd(
754 p->mem_ctx, &psd, &sd_size,
755 &usr_nopwchange_generic_mapping,
756 &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
757 goto done;
758 }
759
760 return NT_STATUS_OBJECT_TYPE_MISMATCH;
761 done:
762 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
763 return NT_STATUS_NO_MEMORY;
764
765 return status;
766 }
767
768 /*******************************************************************
769 makes a SAM_ENTRY / UNISTR2* structure from a user list.
770 ********************************************************************/
771
772 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
773 struct samr_SamEntry **sam_pp,
774 uint32_t num_entries,
775 uint32_t start_idx,
776 struct samr_displayentry *entries)
777 {
778 uint32_t i;
779 struct samr_SamEntry *sam;
780
781 *sam_pp = NULL;
782
783 if (num_entries == 0) {
784 return NT_STATUS_OK;
785 }
786
787 sam = talloc_zero_array(ctx, struct samr_SamEntry, num_entries);
788 if (sam == NULL) {
789 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
790 return NT_STATUS_NO_MEMORY;
791 }
792
793 for (i = 0; i < num_entries; i++) {
794 #if 0
795 /*
796 * usrmgr expects a non-NULL terminated string with
797 * trust relationships
798 */
799 if (entries[i].acct_flags & ACB_DOMTRUST) {
800 init_unistr2(&uni_temp_name, entries[i].account_name,
801 UNI_FLAGS_NONE);
802 } else {
803 init_unistr2(&uni_temp_name, entries[i].account_name,
804 UNI_STR_TERMINATE);
805 }
806 #endif
807 init_lsa_String(&sam[i].name, entries[i].account_name);
808 sam[i].idx = entries[i].rid;
809 }
810
811 *sam_pp = sam;
812
813 return NT_STATUS_OK;
814 }
815
816 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
817
818 /*******************************************************************
819 _samr_EnumDomainUsers
820 ********************************************************************/
821
822 NTSTATUS _samr_EnumDomainUsers(struct pipes_struct *p,
823 struct samr_EnumDomainUsers *r)
824 {
825 NTSTATUS status;
826 struct samr_domain_info *dinfo;
827 int num_account;
828 uint32 enum_context = *r->in.resume_handle;
829 enum remote_arch_types ra_type = get_remote_arch();
830 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
831 uint32 max_entries = max_sam_entries;
832 struct samr_displayentry *entries = NULL;
833 struct samr_SamArray *samr_array = NULL;
834 struct samr_SamEntry *samr_entries = NULL;
835
836 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
837
838 dinfo = policy_handle_find(p, r->in.domain_handle,
839 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
840 struct samr_domain_info, &status);
841 if (!NT_STATUS_IS_OK(status)) {
842 return status;
843 }
844
845 samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
846 if (!samr_array) {
847 return NT_STATUS_NO_MEMORY;
848 }
849 *r->out.sam = samr_array;
850
851 if (sid_check_is_builtin(&dinfo->sid)) {
852 /* No users in builtin. */
853 *r->out.resume_handle = *r->in.resume_handle;
854 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
855 return status;
856 }
857
858 become_root();
859
860 /* AS ROOT !!!! */
861
862 if ((dinfo->disp_info->enum_users != NULL) &&
863 (dinfo->disp_info->enum_acb_mask != r->in.acct_flags)) {
864 TALLOC_FREE(dinfo->disp_info->enum_users);
865 }
866
867 if (dinfo->disp_info->enum_users == NULL) {
868 dinfo->disp_info->enum_users = pdb_search_users(
869 dinfo->disp_info, r->in.acct_flags);
870 dinfo->disp_info->enum_acb_mask = r->in.acct_flags;
871 }
872
873 if (dinfo->disp_info->enum_users == NULL) {
874 /* END AS ROOT !!!! */
875 unbecome_root();
876 return NT_STATUS_ACCESS_DENIED;
877 }
878
879 num_account = pdb_search_entries(dinfo->disp_info->enum_users,
880 enum_context, max_entries,
881 &entries);
882
883 /* END AS ROOT !!!! */
884
885 unbecome_root();
886
887 if (num_account == 0) {
888 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
889 "total entries\n"));
890 *r->out.resume_handle = *r->in.resume_handle;
891 return NT_STATUS_OK;
892 }
893
894 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
895 num_account, enum_context,
896 entries);
897 if (!NT_STATUS_IS_OK(status)) {
898 return status;
899 }
900
901 if (max_entries <= num_account) {
902 status = STATUS_MORE_ENTRIES;
903 } else {
904 status = NT_STATUS_OK;
905 }
906
907 /* Ensure we cache this enumeration. */
908 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
909
910 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
911
912 samr_array->count = num_account;
913 samr_array->entries = samr_entries;
914
915 *r->out.resume_handle = *r->in.resume_handle + num_account;
916 *r->out.num_entries = num_account;
917
918 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
919
920 return status;
921 }
922
923 /*******************************************************************
924 makes a SAM_ENTRY / UNISTR2* structure from a group list.
925 ********************************************************************/
926
927 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
928 struct samr_SamEntry **sam_pp,
929 uint32_t num_sam_entries,
930 struct samr_displayentry *entries)
931 {
932 struct samr_SamEntry *sam;
933 uint32_t i;
934
935 *sam_pp = NULL;
936
937 if (num_sam_entries == 0) {
938 return;
939 }
940
941 sam = talloc_zero_array(ctx, struct samr_SamEntry, num_sam_entries);
942 if (sam == NULL) {
943 return;
944 }
945
946 for (i = 0; i < num_sam_entries; i++) {
947 /*
948 * JRA. I think this should include the null. TNG does not.
949 */
950 init_lsa_String(&sam[i].name, entries[i].account_name);
951 sam[i].idx = entries[i].rid;
952 }
953
954 *sam_pp = sam;
955 }
956
957 /*******************************************************************
958 _samr_EnumDomainGroups
959 ********************************************************************/
960
961 NTSTATUS _samr_EnumDomainGroups(struct pipes_struct *p,
962 struct samr_EnumDomainGroups *r)
963 {
964 NTSTATUS status;
965 struct samr_domain_info *dinfo;
966 struct samr_displayentry *groups;
967 uint32 num_groups;
968 struct samr_SamArray *samr_array = NULL;
969 struct samr_SamEntry *samr_entries = NULL;
970
971 dinfo = policy_handle_find(p, r->in.domain_handle,
972 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
973 struct samr_domain_info, &status);
974 if (!NT_STATUS_IS_OK(status)) {
975 return status;
976 }
977
978 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
979
980 samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
981 if (!samr_array) {
982 return NT_STATUS_NO_MEMORY;
983 }
984 *r->out.sam = samr_array;
985
986 if (sid_check_is_builtin(&dinfo->sid)) {
987 /* No groups in builtin. */
988 *r->out.resume_handle = *r->in.resume_handle;
989 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
990 return status;
991 }
992
993 /* the domain group array is being allocated in the function below */
994
995 become_root();
996
997 if (dinfo->disp_info->groups == NULL) {
998 dinfo->disp_info->groups = pdb_search_groups(dinfo->disp_info);
999
1000 if (dinfo->disp_info->groups == NULL) {
1001 unbecome_root();
1002 return NT_STATUS_ACCESS_DENIED;
1003 }
1004 }
1005
1006 num_groups = pdb_search_entries(dinfo->disp_info->groups,
1007 *r->in.resume_handle,
1008 MAX_SAM_ENTRIES, &groups);
1009 unbecome_root();
1010
1011 /* Ensure we cache this enumeration. */
1012 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1013
1014 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1015 num_groups, groups);
1016
1017 if (MAX_SAM_ENTRIES <= num_groups) {
1018 status = STATUS_MORE_ENTRIES;
1019 } else {
1020 status = NT_STATUS_OK;
1021 }
1022
1023 samr_array->count = num_groups;
1024 samr_array->entries = samr_entries;
1025
1026 *r->out.num_entries = num_groups;
1027 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1028
1029 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1030
1031 return status;
1032 }
1033
1034 /*******************************************************************
1035 _samr_EnumDomainAliases
1036 ********************************************************************/
1037
1038 NTSTATUS _samr_EnumDomainAliases(struct pipes_struct *p,
1039 struct samr_EnumDomainAliases *r)
1040 {
1041 NTSTATUS status;
1042 struct samr_domain_info *dinfo;
1043 struct samr_displayentry *aliases;
1044 uint32 num_aliases = 0;
1045 struct samr_SamArray *samr_array = NULL;
1046 struct samr_SamEntry *samr_entries = NULL;
1047
1048 dinfo = policy_handle_find(p, r->in.domain_handle,
1049 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1050 struct samr_domain_info, &status);
1051 if (!NT_STATUS_IS_OK(status)) {
1052 return status;
1053 }
1054
1055 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1056 sid_string_dbg(&dinfo->sid)));
1057
1058 samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
1059 if (!samr_array) {
1060 return NT_STATUS_NO_MEMORY;
1061 }
1062
1063 become_root();
1064
1065 if (dinfo->disp_info->aliases == NULL) {
1066 dinfo->disp_info->aliases = pdb_search_aliases(
1067 dinfo->disp_info, &dinfo->sid);
1068 if (dinfo->disp_info->aliases == NULL) {
1069 unbecome_root();
1070 return NT_STATUS_ACCESS_DENIED;
1071 }
1072 }
1073
1074 num_aliases = pdb_search_entries(dinfo->disp_info->aliases,
1075 *r->in.resume_handle,
1076 MAX_SAM_ENTRIES, &aliases);
1077 unbecome_root();
1078
1079 /* Ensure we cache this enumeration. */
1080 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1081
1082 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1083 num_aliases, aliases);
1084
1085 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1086
1087 if (MAX_SAM_ENTRIES <= num_aliases) {
1088 status = STATUS_MORE_ENTRIES;
1089 } else {
1090 status = NT_STATUS_OK;
1091 }
1092
1093 samr_array->count = num_aliases;
1094 samr_array->entries = samr_entries;
1095
1096 *r->out.sam = samr_array;
1097 *r->out.num_entries = num_aliases;
1098 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1099
1100 return status;
1101 }
1102
1103 /*******************************************************************
1104 inits a samr_DispInfoGeneral structure.
1105 ********************************************************************/
1106
1107 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1108 struct samr_DispInfoGeneral *r,
1109 uint32_t num_entries,
1110 uint32_t start_idx,
1111 struct samr_displayentry *entries)
1112 {
1113 uint32 i;
1114
1115 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1116
1117 if (num_entries == 0) {
1118 return NT_STATUS_OK;
1119 }
1120
1121 r->count = num_entries;
1122
1123 r->entries = talloc_zero_array(ctx, struct samr_DispEntryGeneral, num_entries);
1124 if (!r->entries) {
1125 return NT_STATUS_NO_MEMORY;
1126 }
1127
1128 for (i = 0; i < num_entries ; i++) {
1129
1130 init_lsa_String(&r->entries[i].account_name,
1131 entries[i].account_name);
1132
1133 init_lsa_String(&r->entries[i].description,
1134 entries[i].description);
1135
1136 init_lsa_String(&r->entries[i].full_name,
1137 entries[i].fullname);
1138
1139 r->entries[i].rid = entries[i].rid;
1140 r->entries[i].acct_flags = entries[i].acct_flags;
1141 r->entries[i].idx = start_idx+i+1;
1142 }
1143
1144 return NT_STATUS_OK;
1145 }
1146
1147 /*******************************************************************
1148 inits a samr_DispInfoFull structure.
1149 ********************************************************************/
1150
1151 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1152 struct samr_DispInfoFull *r,
1153 uint32_t num_entries,
1154 uint32_t start_idx,
1155 struct samr_displayentry *entries)
1156 {
1157 uint32_t i;
1158
1159 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1160
1161 if (num_entries == 0) {
1162 return NT_STATUS_OK;
1163 }
1164
1165 r->count = num_entries;
1166
1167 r->entries = talloc_zero_array(ctx, struct samr_DispEntryFull, num_entries);
1168 if (!r->entries) {
1169 return NT_STATUS_NO_MEMORY;
1170 }
1171
1172 for (i = 0; i < num_entries ; i++) {
1173
1174 init_lsa_String(&r->entries[i].account_name,
1175 entries[i].account_name);
1176
1177 init_lsa_String(&r->entries[i].description,
1178 entries[i].description);
1179
1180 r->entries[i].rid = entries[i].rid;
1181 r->entries[i].acct_flags = entries[i].acct_flags;
1182 r->entries[i].idx = start_idx+i+1;
1183 }
1184
1185 return NT_STATUS_OK;
1186 }
1187
1188 /*******************************************************************
1189 inits a samr_DispInfoFullGroups structure.
1190 ********************************************************************/
1191
1192 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1193 struct samr_DispInfoFullGroups *r,
1194 uint32_t num_entries,
1195 uint32_t start_idx,
1196 struct samr_displayentry *entries)
1197 {
1198 uint32_t i;
1199
1200 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1201
1202 if (num_entries == 0) {
1203 return NT_STATUS_OK;
1204 }
1205
1206 r->count = num_entries;
1207
1208 r->entries = talloc_zero_array(ctx, struct samr_DispEntryFullGroup, num_entries);
1209 if (!r->entries) {
1210 return NT_STATUS_NO_MEMORY;
1211 }
1212
1213 for (i = 0; i < num_entries ; i++) {
1214
1215 init_lsa_String(&r->entries[i].account_name,
1216 entries[i].account_name);
1217
1218 init_lsa_String(&r->entries[i].description,
1219 entries[i].description);
1220
1221 r->entries[i].rid = entries[i].rid;
1222 r->entries[i].acct_flags = entries[i].acct_flags;
1223 r->entries[i].idx = start_idx+i+1;
1224 }
1225
1226 return NT_STATUS_OK;
1227 }
1228
1229 /*******************************************************************
1230 inits a samr_DispInfoAscii structure.
1231 ********************************************************************/
1232
1233 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1234 struct samr_DispInfoAscii *r,
1235 uint32_t num_entries,
1236 uint32_t start_idx,
1237 struct samr_displayentry *entries)
1238 {
1239 uint32_t i;
1240
1241 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1242
1243 if (num_entries == 0) {
1244 return NT_STATUS_OK;
1245 }
1246
1247 r->count = num_entries;
1248
1249 r->entries = talloc_zero_array(ctx, struct samr_DispEntryAscii, num_entries);
1250 if (!r->entries) {
1251 return NT_STATUS_NO_MEMORY;
1252 }
1253
1254 for (i = 0; i < num_entries ; i++) {
1255
1256 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1257 entries[i].account_name);
1258
1259 r->entries[i].idx = start_idx+i+1;
1260 }
1261
1262 return NT_STATUS_OK;
1263 }
1264
1265 /*******************************************************************
1266 inits a samr_DispInfoAscii structure.
1267 ********************************************************************/
1268
1269 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1270 struct samr_DispInfoAscii *r,
1271 uint32_t num_entries,
1272 uint32_t start_idx,
1273 struct samr_displayentry *entries)
1274 {
1275 uint32_t i;
1276
1277 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1278
1279 if (num_entries == 0) {
1280 return NT_STATUS_OK;
1281 }
1282
1283 r->count = num_entries;
1284
1285 r->entries = talloc_zero_array(ctx, struct samr_DispEntryAscii, num_entries);
1286 if (!r->entries) {
1287 return NT_STATUS_NO_MEMORY;
1288 }
1289
1290 for (i = 0; i < num_entries ; i++) {
1291
1292 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1293 entries[i].account_name);
1294
1295 r->entries[i].idx = start_idx+i+1;
1296 }
1297
1298 return NT_STATUS_OK;
1299 }
1300
1301 /*******************************************************************
1302 _samr_QueryDisplayInfo
1303 ********************************************************************/
1304
1305 NTSTATUS _samr_QueryDisplayInfo(struct pipes_struct *p,
1306 struct samr_QueryDisplayInfo *r)
1307 {
1308 NTSTATUS status;
1309 struct samr_domain_info *dinfo;
1310 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1311
1312 uint32 max_entries = r->in.max_entries;
1313
1314 union samr_DispInfo *disp_info = r->out.info;
1315
1316 uint32 temp_size=0;
1317 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1318 uint32 num_account = 0;
1319 enum remote_arch_types ra_type = get_remote_arch();
1320 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1321 struct samr_displayentry *entries = NULL;
1322
1323 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1324
1325 dinfo = policy_handle_find(p, r->in.domain_handle,
1326 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1327 struct samr_domain_info, &status);
1328 if (!NT_STATUS_IS_OK(status)) {
1329 return status;
1330 }
1331
1332 if (sid_check_is_builtin(&dinfo->sid)) {
1333 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1334 return NT_STATUS_OK;
1335 }
1336
1337 /*
1338 * calculate how many entries we will return.
1339 * based on
1340 * - the number of entries the client asked
1341 * - our limit on that
1342 * - the starting point (enumeration context)
1343 * - the buffer size the client will accept
1344 */
1345
1346 /*
1347 * We are a lot more like W2K. Instead of reading the SAM
1348 * each time to find the records we need to send back,
1349 * we read it once and link that copy to the sam handle.
1350 * For large user list (over the MAX_SAM_ENTRIES)
1351 * it's a definitive win.
1352 * second point to notice: between enumerations
1353 * our sam is now the same as it's a snapshoot.
1354 * third point: got rid of the static SAM_USER_21 struct
1355 * no more intermediate.
1356 * con: it uses much more memory, as a full copy is stored
1357 * in memory.
1358 *
1359 * If you want to change it, think twice and think
1360 * of the second point , that's really important.
1361 *
1362 * JFM, 12/20/2001
1363 */
1364
1365 if ((r->in.level < 1) || (r->in.level > 5)) {
1366 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1367 (unsigned int)r->in.level ));
1368 return NT_STATUS_INVALID_INFO_CLASS;
1369 }
1370
1371 /* first limit the number of entries we will return */
1372 if (r->in.max_entries > max_sam_entries) {
1373 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1374 "entries, limiting to %d\n", r->in.max_entries,
1375 max_sam_entries));
1376 max_entries = max_sam_entries;
1377 }
1378
1379 /* calculate the size and limit on the number of entries we will
1380 * return */
1381
1382 temp_size=max_entries*struct_size;
1383
1384 if (temp_size > r->in.buf_size) {
1385 max_entries = MIN((r->in.buf_size / struct_size),max_entries);
1386 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1387 "only %d entries\n", max_entries));
1388 }
1389
1390 become_root();
1391
1392 /* THe following done as ROOT. Don't return without unbecome_root(). */
1393
1394 switch (r->in.level) {
1395 case 1:
1396 case 4:
1397 if (dinfo->disp_info->users == NULL) {
1398 dinfo->disp_info->users = pdb_search_users(
1399 dinfo->disp_info, ACB_NORMAL);
1400 if (dinfo->disp_info->users == NULL) {
1401 unbecome_root();
1402 return NT_STATUS_ACCESS_DENIED;
1403 }
1404 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1405 (unsigned int)r->in.start_idx));
1406 } else {
1407 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1408 (unsigned int)r->in.start_idx));
1409 }
1410
1411 num_account = pdb_search_entries(dinfo->disp_info->users,
1412 r->in.start_idx, max_entries,
1413 &entries);
1414 break;
1415 case 2:
1416 if (dinfo->disp_info->machines == NULL) {
1417 dinfo->disp_info->machines = pdb_search_users(
1418 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1419 if (dinfo->disp_info->machines == NULL) {
1420 unbecome_root();
1421 return NT_STATUS_ACCESS_DENIED;
1422 }
1423 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1424 (unsigned int)r->in.start_idx));
1425 } else {
1426 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1427 (unsigned int)r->in.start_idx));
1428 }
1429
1430 num_account = pdb_search_entries(dinfo->disp_info->machines,
1431 r->in.start_idx, max_entries,
1432 &entries);
1433 break;
1434 case 3:
1435 case 5:
1436 if (dinfo->disp_info->groups == NULL) {
1437 dinfo->disp_info->groups = pdb_search_groups(
1438 dinfo->disp_info);
1439 if (dinfo->disp_info->groups == NULL) {
1440 unbecome_root();
1441 return NT_STATUS_ACCESS_DENIED;
1442 }
1443 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1444 (unsigned int)r->in.start_idx));
1445 } else {
1446 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1447 (unsigned int)r->in.start_idx));
1448 }
1449
1450 num_account = pdb_search_entries(dinfo->disp_info->groups,
1451 r->in.start_idx, max_entries,
1452 &entries);
1453 break;
1454 default:
1455 unbecome_root();
1456 smb_panic("info class changed");
1457 break;
1458 }
1459 unbecome_root();
1460
1461
1462 /* Now create reply structure */
1463 switch (r->in.level) {
1464 case 1:
1465 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1466 num_account, r->in.start_idx,
1467 entries);
1468 break;
1469 case 2:
1470 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1471 num_account, r->in.start_idx,
1472 entries);
1473 break;
1474 case 3:
1475 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1476 num_account, r->in.start_idx,
1477 entries);
1478 break;
1479 case 4:
1480 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1481 num_account, r->in.start_idx,
1482 entries);
1483 break;
1484 case 5:
1485 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1486 num_account, r->in.start_idx,
1487 entries);
1488 break;
1489 default:
1490 smb_panic("info class changed");
1491 break;
1492 }
1493
1494 if (!NT_STATUS_IS_OK(disp_ret))
1495 return disp_ret;
1496
1497 if (max_entries <= num_account) {
1498 status = STATUS_MORE_ENTRIES;
1499 } else {
1500 status = NT_STATUS_OK;
1501 }
1502
1503 /* Ensure we cache this enumeration. */
1504 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1505
1506 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1507
1508 *r->out.total_size = num_account * struct_size;
1509 *r->out.returned_size = num_account ? temp_size : 0;
1510
1511 return status;
1512 }
1513
1514 /****************************************************************
1515 _samr_QueryDisplayInfo2
1516 ****************************************************************/
1517
1518 NTSTATUS _samr_QueryDisplayInfo2(struct pipes_struct *p,
1519 struct samr_QueryDisplayInfo2 *r)
1520 {
1521 struct samr_QueryDisplayInfo q;
1522
1523 q.in.domain_handle = r->in.domain_handle;
1524 q.in.level = r->in.level;
1525 q.in.start_idx = r->in.start_idx;
1526 q.in.max_entries = r->in.max_entries;
1527 q.in.buf_size = r->in.buf_size;
1528
1529 q.out.total_size = r->out.total_size;
1530 q.out.returned_size = r->out.returned_size;
1531 q.out.info = r->out.info;
1532
1533 return _samr_QueryDisplayInfo(p, &q);
1534 }
1535
1536 /****************************************************************
1537 _samr_QueryDisplayInfo3
1538 ****************************************************************/
1539
1540 NTSTATUS _samr_QueryDisplayInfo3(struct pipes_struct *p,
1541 struct samr_QueryDisplayInfo3 *r)
1542 {
1543 struct samr_QueryDisplayInfo q;
1544
1545 q.in.domain_handle = r->in.domain_handle;
1546 q.in.level = r->in.level;
1547 q.in.start_idx = r->in.start_idx;
1548 q.in.max_entries = r->in.max_entries;
1549 q.in.buf_size = r->in.buf_size;
1550
1551 q.out.total_size = r->out.total_size;
1552 q.out.returned_size = r->out.returned_size;
1553 q.out.info = r->out.info;
1554
1555 return _samr_QueryDisplayInfo(p, &q);
1556 }
1557
1558 /*******************************************************************
1559 _samr_QueryAliasInfo
1560 ********************************************************************/
1561
1562 NTSTATUS _samr_QueryAliasInfo(struct pipes_struct *p,
1563 struct samr_QueryAliasInfo *r)
1564 {
1565 struct samr_alias_info *ainfo;
1566 struct acct_info *info;
1567 NTSTATUS status;
1568 union samr_AliasInfo *alias_info = NULL;
1569 const char *alias_name = NULL;
1570 const char *alias_description = NULL;
1571
1572 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1573
1574 ainfo = policy_handle_find(p, r->in.alias_handle,
1575 SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL,
1576 struct samr_alias_info, &status);
1577 if (!NT_STATUS_IS_OK(status)) {
1578 return status;
1579 }
1580
1581 alias_info = talloc_zero(p->mem_ctx, union samr_AliasInfo);
1582 if (!alias_info) {
1583 return NT_STATUS_NO_MEMORY;
1584 }
1585
1586 info = talloc_zero(p->mem_ctx, struct acct_info);
1587 if (!info) {
1588 return NT_STATUS_NO_MEMORY;
1589 }
1590
1591 become_root();
1592 status = pdb_get_aliasinfo(&ainfo->sid, info);
1593 unbecome_root();
1594
1595 if (!NT_STATUS_IS_OK(status)) {
1596 TALLOC_FREE(info);
1597 return status;
1598 }
1599
1600 alias_name = talloc_steal(r, info->acct_name);
1601 alias_description = talloc_steal(r, info->acct_desc);
1602 TALLOC_FREE(info);
1603
1604 switch (r->in.level) {
1605 case ALIASINFOALL:
1606 alias_info->all.name.string = alias_name;
1607 alias_info->all.num_members = 1; /* ??? */
1608 alias_info->all.description.string = alias_description;
1609 break;
1610 case ALIASINFONAME:
1611 alias_info->name.string = alias_name;
1612 break;
1613 case ALIASINFODESCRIPTION:
1614 alias_info->description.string = alias_description;
1615 break;
1616 default:
1617 return NT_STATUS_INVALID_INFO_CLASS;
1618 }
1619
1620 *r->out.info = alias_info;
1621
1622 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1623
1624 return NT_STATUS_OK;
1625 }
1626
1627 /*******************************************************************
1628 _samr_LookupNames
1629 ********************************************************************/
1630
1631 NTSTATUS _samr_LookupNames(struct pipes_struct *p,
1632 struct samr_LookupNames *r)
1633 {
1634 struct samr_domain_info *dinfo;
1635 NTSTATUS status;
1636 uint32 *rid;
1637 enum lsa_SidType *type;
1638 int i;
1639 int num_rids = r->in.num_names;
1640 struct samr_Ids rids, types;
1641 uint32_t num_mapped = 0;
1642
1643 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1644
1645 dinfo = policy_handle_find(p, r->in.domain_handle,
1646 0 /* Don't know the acc_bits yet */, NULL,
1647 struct samr_domain_info, &status);
1648 if (!NT_STATUS_IS_OK(status)) {
1649 return status;
1650 }
1651
1652 if (num_rids > MAX_SAM_ENTRIES) {
1653 num_rids = MAX_SAM_ENTRIES;
1654 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1655 }
1656
1657 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1658 NT_STATUS_HAVE_NO_MEMORY(rid);
1659
1660 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1661 NT_STATUS_HAVE_NO_MEMORY(type);
1662
1663 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1664 sid_string_dbg(&dinfo->sid)));
1665
1666 for (i = 0; i < num_rids; i++) {
1667
1668 status = NT_STATUS_NONE_MAPPED;
1669 type[i] = SID_NAME_UNKNOWN;
1670
1671 rid[i] = 0xffffffff;
1672
1673 if (sid_check_is_builtin(&dinfo->sid)) {
1674 if (lookup_builtin_name(r->in.names[i].string,
1675 &rid[i]))
1676 {
1677 type[i] = SID_NAME_ALIAS;
1678 }
1679 } else {
1680 lookup_global_sam_name(r->in.names[i].string, 0,
1681 &rid[i], &type[i]);
1682 }
1683
1684 if (type[i] != SID_NAME_UNKNOWN) {
1685 num_mapped++;
1686 }
1687 }
1688
1689 if (num_mapped == num_rids) {
1690 status = NT_STATUS_OK;
1691 } else if (num_mapped == 0) {
1692 status = NT_STATUS_NONE_MAPPED;
1693 } else {
1694 status = STATUS_SOME_UNMAPPED;
1695 }
1696
1697 rids.count = num_rids;
1698 rids.ids = rid;
1699
1700 types.count = num_rids;
1701 types.ids = talloc_array(p->mem_ctx, uint32_t, num_rids);
1702 NT_STATUS_HAVE_NO_MEMORY(type);
1703 for (i = 0; i < num_rids; i++) {
1704 types.ids[i] = (type[i] & 0xffffffff);
1705 }
1706
1707 *r->out.rids = rids;
1708 *r->out.types = types;
1709
1710 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1711
1712 return status;
1713 }
1714
1715 /****************************************************************
1716 _samr_ChangePasswordUser
1717 ****************************************************************/
1718
1719 NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
1720 struct samr_ChangePasswordUser *r)
1721 {
1722 NTSTATUS status;
1723 bool ret = false;
1724 struct samr_user_info *uinfo;
1725 struct samu *pwd = NULL;
1726 struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
1727 struct samr_Password lm_pwd, nt_pwd;
1728 bool updated_badpw = false;
1729 NTSTATUS update_login_attempts_status;
1730
1731 uinfo = policy_handle_find(p, r->in.user_handle,
1732 SAMR_USER_ACCESS_SET_PASSWORD, NULL,
1733 struct samr_user_info, &status);
1734 if (!NT_STATUS_IS_OK(status)) {
1735 return status;
1736 }
1737
1738 DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1739 sid_string_dbg(&uinfo->sid)));
1740
1741 /* basic sanity checking on parameters. Do this before any database ops */
1742 if (!r->in.lm_present || !r->in.nt_present ||
1743 !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
1744 !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
1745 /* we should really handle a change with lm not
1746 present */
1747 return NT_STATUS_INVALID_PARAMETER_MIX;
1748 }
1749
1750 if (!(pwd = samu_new(NULL))) {
1751 return NT_STATUS_NO_MEMORY;
1752 }
1753
1754 become_root();
1755 ret = pdb_getsampwsid(pwd, &uinfo->sid);
1756 unbecome_root();
1757
1758 if (!ret) {
1759 TALLOC_FREE(pwd);
1760 return NT_STATUS_WRONG_PASSWORD;
1761 }
1762
1763 /* Quit if the account was locked out. */
1764 if (pdb_get_acct_ctrl(pwd) & ACB_AUTOLOCK) {
1765 DEBUG(3, ("Account for user %s was locked out.\n",
1766 pdb_get_username(pwd)));
1767 status = NT_STATUS_ACCOUNT_LOCKED_OUT;
1768 goto out;
1769 }
1770
1771 {
1772 const uint8_t *lm_pass, *nt_pass;
1773
1774 lm_pass = pdb_get_lanman_passwd(pwd);
1775 nt_pass = pdb_get_nt_passwd(pwd);
1776
1777 if (!lm_pass || !nt_pass) {
1778 status = NT_STATUS_WRONG_PASSWORD;
1779 goto update_login;
1780 }
1781
1782 memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
1783 memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
1784 }
1785
1786 /* decrypt and check the new lm hash */
1787 D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
1788 D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
1789 if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
1790 status = NT_STATUS_WRONG_PASSWORD;
1791 goto update_login;
1792 }
1793
1794 /* decrypt and check the new nt hash */
1795 D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
1796 D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
1797 if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
1798 status = NT_STATUS_WRONG_PASSWORD;
1799 goto update_login;
1800 }
1801
1802 /* The NT Cross is not required by Win2k3 R2, but if present
1803 check the nt cross hash */
1804 if (r->in.cross1_present && r->in.nt_cross) {
1805 D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
1806 if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
1807 status = NT_STATUS_WRONG_PASSWORD;
1808 goto update_login;
1809 }
1810 }
1811
1812 /* The LM Cross is not required by Win2k3 R2, but if present
1813 check the lm cross hash */
1814 if (r->in.cross2_present && r->in.lm_cross) {
1815 D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
1816 if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
1817 status = NT_STATUS_WRONG_PASSWORD;
1818 goto update_login;
1819 }
1820 }
1821
1822 if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
1823 !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
1824 status = NT_STATUS_ACCESS_DENIED;
1825 goto out;
1826 }
1827
1828 status = pdb_update_sam_account(pwd);
1829
1830 update_login:
1831
1832 /*
1833 * Notify passdb backend of login success/failure. If not
1834 * NT_STATUS_OK the backend doesn't like the login
1835 */
1836 update_login_attempts_status = pdb_update_login_attempts(pwd,
1837 NT_STATUS_IS_OK(status));
1838
1839 if (!NT_STATUS_IS_OK(status)) {
1840 bool increment_bad_pw_count = false;
1841
1842 if (NT_STATUS_EQUAL(status,NT_STATUS_WRONG_PASSWORD) &&
1843 (pdb_get_acct_ctrl(pwd) & ACB_NORMAL) &&
1844 NT_STATUS_IS_OK(update_login_attempts_status))
1845 {
1846 increment_bad_pw_count = true;
1847 }
1848
1849 if (increment_bad_pw_count) {
1850 pdb_increment_bad_password_count(pwd);
1851 updated_badpw = true;
1852 } else {
1853 pdb_update_bad_password_count(pwd,
1854 &updated_badpw);
1855 }
1856 } else {
1857
1858 if ((pdb_get_acct_ctrl(pwd) & ACB_NORMAL) &&
1859 (pdb_get_bad_password_count(pwd) > 0)){
1860 pdb_set_bad_password_count(pwd, 0, PDB_CHANGED);
1861 pdb_set_bad_password_time(pwd, 0, PDB_CHANGED);
1862 updated_badpw = true;
1863 }
1864 }
1865
1866 if (updated_badpw) {
1867 NTSTATUS update_status;
1868 become_root();
1869 update_status = pdb_update_sam_account(pwd);
1870 unbecome_root();
1871
1872 if (!NT_STATUS_IS_OK(update_status)) {
1873 DEBUG(1, ("Failed to modify entry: %s\n",
1874 nt_errstr(update_status)));
1875 }
1876 }
1877
1878 out:
1879 TALLOC_FREE(pwd);
1880
1881 return status;
1882 }
1883
1884 /*******************************************************************
1885 _samr_ChangePasswordUser2
1886 ********************************************************************/
1887
1888 NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
1889 struct samr_ChangePasswordUser2 *r)
1890 {
1891 NTSTATUS status;
1892 char *user_name = NULL;
1893 char *rhost;
1894 const char *wks = NULL;
1895
1896 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1897
1898 if (!r->in.account->string) {
1899 return NT_STATUS_INVALID_PARAMETER;
1900 }
1901 if (r->in.server && r->in.server->string) {
1902 wks = r->in.server->string;
1903 }
1904
1905 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1906
1907 /*
1908 * Pass the user through the NT -> unix user mapping
1909 * function.
1910 */
1911
1912 (void)map_username(talloc_tos(), r->in.account->string, &user_name);
1913 if (!user_name) {
1914 return NT_STATUS_NO_MEMORY;
1915 }
1916
1917 rhost = tsocket_address_inet_addr_string(p->remote_address,
1918 talloc_tos());
1919 if (rhost == NULL) {
1920 return NT_STATUS_NO_MEMORY;
1921 }
1922
1923 /*
1924 * UNIX username case mangling not required, pass_oem_change
1925 * is case insensitive.
1926 */
1927
1928 status = pass_oem_change(user_name,
1929 rhost,
1930 r->in.lm_password->data,
1931 r->in.lm_verifier->hash,
1932 r->in.nt_password->data,
1933 r->in.nt_verifier->hash,
1934 NULL);
1935
1936 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1937
1938 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1939 return NT_STATUS_WRONG_PASSWORD;
1940 }
1941
1942 return status;
1943 }
1944
1945 /****************************************************************
1946 _samr_OemChangePasswordUser2
1947 ****************************************************************/
1948
1949 NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
1950 struct samr_OemChangePasswordUser2 *r)
1951 {
1952 NTSTATUS status;
1953 char *user_name = NULL;
1954 const char *wks = NULL;
1955 char *rhost;
1956
1957 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1958
1959 if (!r->in.account->string) {
1960 return NT_STATUS_INVALID_PARAMETER;
1961 }
1962 if (r->in.server && r->in.server->string) {
1963 wks = r->in.server->string;
1964 }
1965
1966 DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1967
1968 /*
1969 * Pass the user through the NT -> unix user mapping
1970 * function.
1971 */
1972
1973 (void)map_username(talloc_tos(), r->in.account->string, &user_name);
1974 if (!user_name) {
1975 return NT_STATUS_NO_MEMORY;
1976 }
1977
1978 /*
1979 * UNIX username case mangling not required, pass_oem_change
1980 * is case insensitive.
1981 */
1982
1983 if (!r->in.hash || !r->in.password) {
1984 return NT_STATUS_INVALID_PARAMETER;
1985 }
1986
1987 rhost = tsocket_address_inet_addr_string(p->remote_address,
1988 talloc_tos());
1989 if (rhost == NULL) {
1990 return NT_STATUS_NO_MEMORY;
1991 }
1992
1993 status = pass_oem_change(user_name,
1994 rhost,
1995 r->in.password->data,
1996 r->in.hash->hash,
1997 0,
1998 0,
1999 NULL);
2000
2001 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2002 return NT_STATUS_WRONG_PASSWORD;
2003 }
2004
2005 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
2006
2007 return status;
2008 }
2009
2010 /*******************************************************************
2011 _samr_ChangePasswordUser3
2012 ********************************************************************/
2013
2014 NTSTATUS _samr_ChangePasswordUser3(struct pipes_struct *p,
2015 struct samr_ChangePasswordUser3 *r)
2016 {
2017 NTSTATUS status;
2018 char *user_name = NULL;
2019 const char *wks = NULL;
2020 enum samPwdChangeReason reject_reason;
2021 struct samr_DomInfo1 *dominfo = NULL;
2022 struct userPwdChangeFailureInformation *reject = NULL;
2023 uint32_t tmp;
2024 char *rhost;
2025
2026 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2027
2028 if (!r->in.account->string) {
2029 return NT_STATUS_INVALID_PARAMETER;
2030 }
2031 if (r->in.server && r->in.server->string) {
2032 wks = r->in.server->string;
2033 }
2034
2035 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
2036
2037 /*
2038 * Pass the user through the NT -> unix user mapping
2039 * function.
2040 */
2041
2042 (void)map_username(talloc_tos(), r->in.account->string, &user_name);
2043 if (!user_name) {
2044 return NT_STATUS_NO_MEMORY;
2045 }
2046
2047 rhost = tsocket_address_inet_addr_string(p->remote_address,
2048 talloc_tos());
2049 if (rhost == NULL) {
2050 return NT_STATUS_NO_MEMORY;
2051 }
2052
2053 /*
2054 * UNIX username case mangling not required, pass_oem_change
2055 * is case insensitive.
2056 */
2057
2058 status = pass_oem_change(user_name,
2059 rhost,
2060 r->in.lm_password->data,
2061 r->in.lm_verifier->hash,
2062 r->in.nt_password->data,
2063 r->in.nt_verifier->hash,
2064 &reject_reason);
2065 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2066 return NT_STATUS_WRONG_PASSWORD;
2067 }
2068
2069 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
2070 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
2071
2072 time_t u_expire, u_min_age;
2073 uint32 account_policy_temp;
2074
2075 dominfo = talloc_zero(p->mem_ctx, struct samr_DomInfo1);
2076 if (!dominfo) {
2077 return NT_STATUS_NO_MEMORY;
2078 }
2079
2080 reject = talloc_zero(p->mem_ctx,
2081 struct userPwdChangeFailureInformation);
2082 if (!reject) {
2083 return NT_STATUS_NO_MEMORY;
2084 }
2085
2086 become_root();
2087
2088 /* AS ROOT !!! */
2089
2090 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &tmp);
2091 dominfo->min_password_length = tmp;
2092
2093 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &tmp);
2094 dominfo->password_history_length = tmp;
2095
2096 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
2097 &dominfo->password_properties);
2098
2099 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
2100 u_expire = account_policy_temp;
2101
2102 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
2103 u_min_age = account_policy_temp;
2104
2105 /* !AS ROOT */
2106
2107 unbecome_root();
2108
2109 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
2110 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
2111
2112 if (lp_check_password_script(talloc_tos())
2113 && *lp_check_password_script(talloc_tos())) {
2114 dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
2115 }
2116
2117 reject->extendedFailureReason = reject_reason;
2118
2119 *r->out.dominfo = dominfo;
2120 *r->out.reject = reject;
2121 }
2122
2123 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2124
2125 return status;
2126 }
2127
2128 /*******************************************************************
2129 makes a SAMR_R_LOOKUP_RIDS structure.
2130 ********************************************************************/
2131
2132 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2133 const char **names,
2134 struct lsa_String **lsa_name_array_p)
2135 {
2136 struct lsa_String *lsa_name_array = NULL;
2137 uint32_t i;
2138
2139 *lsa_name_array_p = NULL;
2140
2141 if (num_names != 0) {
2142 lsa_name_array = talloc_zero_array(ctx, struct lsa_String, num_names);
2143 if (!lsa_name_array) {
2144 return false;
2145 }
2146 }
2147
2148 for (i = 0; i < num_names; i++) {
2149 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2150 init_lsa_String(&lsa_name_array[i], names[i]);
2151 }
2152
2153 *lsa_name_array_p = lsa_name_array;
2154
2155 return true;
2156 }
2157
2158 /*******************************************************************
2159 _samr_LookupRids
2160 ********************************************************************/
2161
2162 NTSTATUS _samr_LookupRids(struct pipes_struct *p,
2163 struct samr_LookupRids *r)
2164 {
2165 struct samr_domain_info *dinfo;
2166 NTSTATUS status;
2167 const char **names;
2168 enum lsa_SidType *attrs = NULL;
2169 uint32 *wire_attrs = NULL;
2170 int num_rids = (int)r->in.num_rids;
2171 int i;
2172 struct lsa_Strings names_array;
2173 struct samr_Ids types_array;
2174 struct lsa_String *lsa_names = NULL;
2175
2176 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2177
2178 dinfo = policy_handle_find(p, r->in.domain_handle,
2179 0 /* Don't know the acc_bits yet */, NULL,
2180 struct samr_domain_info, &status);
2181 if (!NT_STATUS_IS_OK(status)) {
2182 return status;
2183 }
2184
2185 if (num_rids > 1000) {
2186 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2187 "to samba4 idl this is not possible\n", num_rids));
2188 return NT_STATUS_UNSUCCESSFUL;
2189 }
2190
2191 if (num_rids) {
2192 names = talloc_zero_array(p->mem_ctx, const char *, num_rids);
2193 attrs = talloc_zero_array(p->mem_ctx, enum lsa_SidType, num_rids);
2194 wire_attrs = talloc_zero_array(p->mem_ctx, uint32, num_rids);
2195
2196 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2197 return NT_STATUS_NO_MEMORY;
2198 } else {
2199 names = NULL;
2200 attrs = NULL;
2201 wire_attrs = NULL;
2202 }
2203
2204 become_root(); /* lookup_sid can require root privs */
2205 status = pdb_lookup_rids(&dinfo->sid, num_rids, r->in.rids,
2206 names, attrs);
2207 unbecome_root();
2208
2209 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2210 status = NT_STATUS_OK;
2211 }
2212
2213 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2214 &lsa_names)) {
2215 return NT_STATUS_NO_MEMORY;
2216 }
2217
2218 /* Convert from enum lsa_SidType to uint32 for wire format. */
2219 for (i = 0; i < num_rids; i++) {
2220 wire_attrs[i] = (uint32)attrs[i];
2221 }
2222
2223 names_array.count = num_rids;
2224 names_array.names = lsa_names;
2225
2226 types_array.count = num_rids;
2227 types_array.ids = wire_attrs;
2228
2229 *r->out.names = names_array;
2230 *r->out.types = types_array;
2231
2232 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2233
2234 return status;
2235 }
2236
2237 /*******************************************************************
2238 _samr_OpenUser
2239 ********************************************************************/
2240
2241 NTSTATUS _samr_OpenUser(struct pipes_struct *p,
2242 struct samr_OpenUser *r)
2243 {
2244 struct samu *sampass=NULL;
2245 struct dom_sid sid;
2246 struct samr_domain_info *dinfo;
2247 struct samr_user_info *uinfo;
2248 struct security_descriptor *psd = NULL;
2249 uint32 acc_granted;
2250 uint32 des_access = r->in.access_mask;
2251 uint32_t extra_access = 0;
2252 size_t sd_size;
2253 bool ret;
2254 NTSTATUS nt_status;
2255
2256 /* These two privileges, if != SEC_PRIV_INVALID, indicate
2257 * privileges that the user must have to complete this
2258 * operation in defience of the fixed ACL */
2259 enum sec_privilege needed_priv_1, needed_priv_2;
2260 NTSTATUS status;
2261
2262 dinfo = policy_handle_find(p, r->in.domain_handle,
2263 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
2264 struct samr_domain_info, &status);
2265 if (!NT_STATUS_IS_OK(status)) {
2266 return status;
2267 }
2268
2269 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2270 return NT_STATUS_NO_MEMORY;
2271 }
2272
2273 /* append the user's RID to it */
2274
2275 if (!sid_compose(&sid, &dinfo->sid, r->in.rid))
2276 return NT_STATUS_NO_SUCH_USER;
2277
2278 /* check if access can be granted as requested by client. */
2279 map_max_allowed_access(p->session_info->security_token,
2280 p->session_info->unix_token,
2281 &des_access);
2282
2283 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2284 se_map_generic(&des_access, &usr_generic_mapping);
2285
2286 /*
2287 * Get the sampass first as we need to check privileges
2288 * based on what kind of user object this is.
2289 * But don't reveal info too early if it didn't exist.
2290 */
2291
2292 become_root();
2293 ret=pdb_getsampwsid(sampass, &sid);
2294 unbecome_root();
2295
2296 needed_priv_1 = SEC_PRIV_INVALID;
2297 needed_priv_2 = SEC_PRIV_INVALID;
2298 /*
2299 * We do the override access checks on *open*, not at
2300 * SetUserInfo time.
2301 */
2302 if (ret) {
2303 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
2304
2305 if (acb_info & ACB_WSTRUST) {
2306 /*
2307 * SeMachineAccount is needed to add
2308 * GENERIC_RIGHTS_USER_WRITE to a machine
2309 * account.
2310 */
2311 needed_priv_1 = SEC_PRIV_MACHINE_ACCOUNT;
2312 }
2313 if (acb_info & ACB_NORMAL) {
2314 /*
2315 * SeAddUsers is needed to add
2316 * GENERIC_RIGHTS_USER_WRITE to a normal
2317 * account.
2318 */
2319 needed_priv_1 = SEC_PRIV_ADD_USERS;
2320 }
2321 /*
2322 * Cheat - we have not set a specific privilege for
2323 * server (BDC) or domain trust account, so allow
2324 * GENERIC_RIGHTS_USER_WRITE if pipe user is in
2325 * DOMAIN_RID_ADMINS.
2326 */
2327 if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
2328 if (lp_enable_privileges() && nt_token_check_domain_rid(p->session_info->security_token,
2329 DOMAIN_RID_ADMINS)) {
2330 des_access &= ~GENERIC_RIGHTS_USER_WRITE;
2331 extra_access = GENERIC_RIGHTS_USER_WRITE;
2332 DEBUG(4,("_samr_OpenUser: Allowing "
2333 "GENERIC_RIGHTS_USER_WRITE for "
2334 "rid admins\n"));
2335 }
2336 }
2337 }
2338
2339 TALLOC_FREE(sampass);
2340
2341 nt_status = access_check_object(psd, p->session_info->security_token,
2342 needed_priv_1, needed_priv_2,
2343 GENERIC_RIGHTS_USER_WRITE, des_access,
2344 &acc_granted, "_samr_OpenUser");
2345
2346 if ( !NT_STATUS_IS_OK(nt_status) )
2347 return nt_status;
2348
2349 /* check that the SID exists in our domain. */
2350 if (ret == False) {
2351 return NT_STATUS_NO_SUCH_USER;
2352 }
2353
2354 /* If we did the rid admins hack above, allow access. */
2355 acc_granted |= extra_access;
2356
2357 uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
2358 struct samr_user_info, &nt_status);
2359 if (!NT_STATUS_IS_OK(nt_status)) {
2360 return nt_status;
2361 }
2362 uinfo->sid = sid;
2363
2364 return NT_STATUS_OK;
2365 }
2366
2367 /*************************************************************************
2368 *************************************************************************/
2369
2370 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2371 DATA_BLOB *blob,
2372 struct lsa_BinaryString **_r)
2373 {
2374 struct lsa_BinaryString *r;
2375
2376 if (!blob || !_r) {
2377 return NT_STATUS_INVALID_PARAMETER;
2378 }
2379
2380 r = talloc_zero(mem_ctx, struct lsa_BinaryString);
2381 if (!r) {
2382 return NT_STATUS_NO_MEMORY;
2383 }
2384
2385 r->array = talloc_zero_array(mem_ctx, uint16_t, blob->length/2);
2386 if (!r->array) {
2387 return NT_STATUS_NO_MEMORY;
2388 }
2389 memcpy(r->array, blob->data, blob->length);
2390 r->size = blob->length;
2391 r->length = blob->length;
2392
2393 if (!r->array) {
2394 return NT_STATUS_NO_MEMORY;
2395 }
2396
2397 *_r = r;
2398
2399 return NT_STATUS_OK;
2400 }
2401
2402 /*************************************************************************
2403 *************************************************************************/
2404
2405 static struct samr_LogonHours get_logon_hours_from_pdb(TALLOC_CTX *mem_ctx,
2406 struct samu *pw)
2407 {
2408 struct samr_LogonHours hours;
2409 const int units_per_week = 168;
2410
2411 ZERO_STRUCT(hours);
2412 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
2413 if (!hours.bits) {
2414 return hours;
2415 }
2416
2417 hours.units_per_week = units_per_week;
2418 memset(hours.bits, 0xFF, units_per_week);
2419
2420 if (pdb_get_hours(pw)) {
2421 memcpy(hours.bits, pdb_get_hours(pw),
2422 MIN(pdb_get_hours_len(pw), units_per_week));
2423 }
2424
2425 return hours;
2426 }
2427
2428 /*************************************************************************
2429 get_user_info_1.
2430 *************************************************************************/
2431
2432 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2433 struct samr_UserInfo1 *r,
2434 struct samu *pw,
2435 struct dom_sid *domain_sid)
2436 {
2437 const struct dom_sid *sid_group;
2438 uint32_t primary_gid;
2439
2440 become_root();
2441 sid_group = pdb_get_group_sid(pw);
2442 unbecome_root();
2443
2444 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2445 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2446 "which conflicts with the domain sid %s. Failing operation.\n",
2447 pdb_get_username(pw), sid_string_dbg(sid_group),
2448 sid_string_dbg(domain_sid)));
2449 return NT_STATUS_UNSUCCESSFUL;
2450 }
2451
2452 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2453 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2454 r->primary_gid = primary_gid;
2455 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2456 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2457
2458 return NT_STATUS_OK;
2459 }
2460
2461 /*************************************************************************
2462 get_user_info_2.
2463 *************************************************************************/
2464
2465 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2466 struct samr_UserInfo2 *r,
2467 struct samu *pw)
2468 {
2469 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2470 r->reserved.string = NULL;
2471 r->country_code = pdb_get_country_code(pw);
2472 r->code_page = pdb_get_code_page(pw);
2473
2474 return NT_STATUS_OK;
2475 }
2476
2477 /*************************************************************************
2478 get_user_info_3.
2479 *************************************************************************/
2480
2481 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2482 struct samr_UserInfo3 *r,
2483 struct samu *pw,
2484 struct dom_sid *domain_sid)
2485 {
2486 const struct dom_sid *sid_user, *sid_group;
2487 uint32_t rid, primary_gid;
2488
2489 sid_user = pdb_get_user_sid(pw);
2490
2491 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2492 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2493 "the domain sid %s. Failing operation.\n",
2494 pdb_get_username(pw), sid_string_dbg(sid_user),
2495 sid_string_dbg(domain_sid)));
2496 return NT_STATUS_UNSUCCESSFUL;
2497 }
2498
2499 become_root();
2500 sid_group = pdb_get_group_sid(pw);
2501 unbecome_root();
2502
2503 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2504 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2505 "which conflicts with the domain sid %s. Failing operation.\n",
2506 pdb_get_username(pw), sid_string_dbg(sid_group),
2507 sid_string_dbg(domain_sid)));
2508 return NT_STATUS_UNSUCCESSFUL;
2509 }
2510
2511 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2512 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2513 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2514 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2515 unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2516
2517 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2518 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2519 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2520 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2521 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2522 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2523 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2524
2525 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2526 r->rid = rid;
2527 r->primary_gid = primary_gid;
2528 r->acct_flags = pdb_get_acct_ctrl(pw);
2529 r->bad_password_count = pdb_get_bad_password_count(pw);
2530 r->logon_count = pdb_get_logon_count(pw);
2531
2532 return NT_STATUS_OK;
2533 }
2534
2535 /*************************************************************************
2536 get_user_info_4.
2537 *************************************************************************/
2538
2539 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2540 struct samr_UserInfo4 *r,
2541 struct samu *pw)
2542 {
2543 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2544
2545 return NT_STATUS_OK;
2546 }
2547
2548 /*************************************************************************
2549 get_user_info_5.
2550 *************************************************************************/
2551
2552 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2553 struct samr_UserInfo5 *r,
2554 struct samu *pw,
2555 struct dom_sid *domain_sid)
2556 {
2557 const struct dom_sid *sid_user, *sid_group;
2558 uint32_t rid, primary_gid;
2559
2560 sid_user = pdb_get_user_sid(pw);
2561
2562 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2563 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2564 "the domain sid %s. Failing operation.\n",
2565 pdb_get_username(pw), sid_string_dbg(sid_user),
2566 sid_string_dbg(domain_sid)));
2567 return NT_STATUS_UNSUCCESSFUL;
2568 }
2569
2570 become_root();
2571 sid_group = pdb_get_group_sid(pw);
2572 unbecome_root();
2573
2574 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2575 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2576 "which conflicts with the domain sid %s. Failing operation.\n",
2577 pdb_get_username(pw), sid_string_dbg(sid_group),
2578 sid_string_dbg(domain_sid)));
2579 return NT_STATUS_UNSUCCESSFUL;
2580 }
2581
2582 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2583 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2584 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2585 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2586
2587 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2588 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2589 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2590 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2591 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2592 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2593 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2594 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2595
2596 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2597 r->rid = rid;
2598 r->primary_gid = primary_gid;
2599 r->acct_flags = pdb_get_acct_ctrl(pw);
2600 r->bad_password_count = pdb_get_bad_password_count(pw);
2601 r->logon_count = pdb_get_logon_count(pw);
2602
2603 return NT_STATUS_OK;
2604 }
2605
2606 /*************************************************************************
2607 get_user_info_6.
2608 *************************************************************************/
2609
2610 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2611 struct samr_UserInfo6 *r,
2612 struct samu *pw)
2613 {
2614 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2615 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2616
2617 return NT_STATUS_OK;
2618 }
2619
2620 /*************************************************************************
2621 get_user_info_7. Safe. Only gives out account_name.
2622 *************************************************************************/
2623
2624 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2625 struct samr_UserInfo7 *r,
2626 struct samu *smbpass)
2627 {
2628 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2629 if (!r->account_name.string) {
2630 return NT_STATUS_NO_MEMORY;
2631 }
2632
2633 return NT_STATUS_OK;
2634 }
2635
2636 /*************************************************************************
2637 get_user_info_8.
2638 *************************************************************************/
2639
2640 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2641 struct samr_UserInfo8 *r,
2642 struct samu *pw)
2643 {
2644 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2645
2646 return NT_STATUS_OK;
2647 }
2648
2649 /*************************************************************************
2650 get_user_info_9. Only gives out primary group SID.
2651 *************************************************************************/
2652
2653 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2654 struct samr_UserInfo9 *r,
2655 struct samu *smbpass)
2656 {
2657 r->primary_gid = pdb_get_group_rid(smbpass);
2658
2659 return NT_STATUS_OK;
2660 }
2661
2662 /*************************************************************************
2663 get_user_info_10.
2664 *************************************************************************/
2665
2666 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2667 struct samr_UserInfo10 *r,
2668 struct samu *pw)
2669 {
2670 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2671 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2672
2673 return NT_STATUS_OK;
2674 }
2675
2676 /*************************************************************************
2677 get_user_info_11.
2678 *************************************************************************/
2679
2680 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2681 struct samr_UserInfo11 *r,
2682 struct samu *pw)
2683 {
2684 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2685
2686 return NT_STATUS_OK;
2687 }
2688
2689 /*************************************************************************
2690 get_user_info_12.
2691 *************************************************************************/
2692
2693 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2694 struct samr_UserInfo12 *r,
2695 struct samu *pw)
2696 {
2697 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2698
2699 return NT_STATUS_OK;
2700 }
2701
2702 /*************************************************************************
2703 get_user_info_13.
2704 *************************************************************************/
2705
2706 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2707 struct samr_UserInfo13 *r,
2708 struct samu *pw)
2709 {
2710 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2711
2712 return NT_STATUS_OK;
2713 }
2714
2715 /*************************************************************************
2716 get_user_info_14.
2717 *************************************************************************/
2718
2719 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2720 struct samr_UserInfo14 *r,
2721 struct samu *pw)
2722 {
2723 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2724
2725 return NT_STATUS_OK;
2726 }
2727
2728 /*************************************************************************
2729 get_user_info_16. Safe. Only gives out acb bits.
2730 *************************************************************************/
2731
2732 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2733 struct samr_UserInfo16 *r,
2734 struct samu *smbpass)
2735 {
2736 r->acct_flags = pdb_get_acct_ctrl(smbpass);
2737
2738 return NT_STATUS_OK;
2739 }
2740
2741 /*************************************************************************
2742 get_user_info_17.
2743 *************************************************************************/
2744
2745 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2746 struct samr_UserInfo17 *r,
2747 struct samu *pw)
2748 {
2749 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2750
2751 return NT_STATUS_OK;
2752 }
2753
2754 /*************************************************************************
2755 get_user_info_18. OK - this is the killer as it gives out password info.
2756 Ensure that this is only allowed on an encrypted connection with a root
2757 user. JRA.
2758 *************************************************************************/
2759
2760 static NTSTATUS get_user_info_18(struct pipes_struct *p,
2761 TALLOC_CTX *mem_ctx,
2762 struct samr_UserInfo18 *r,
2763 struct dom_sid *user_sid)
2764 {
2765 struct samu *smbpass=NULL;
2766 bool ret;
2767 const uint8_t *nt_pass = NULL;
2768 const uint8_t *lm_pass = NULL;
2769
2770 ZERO_STRUCTP(r);
2771
2772 if (security_token_is_system(p->session_info->security_token)) {
2773 goto query;
2774 }
2775
2776 if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
2777 (p->auth.auth_type != DCERPC_AUTH_TYPE_KRB5) ||
2778 (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO)) {
2779 return NT_STATUS_ACCESS_DENIED;
2780 }
2781
2782 if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
2783 return NT_STATUS_ACCESS_DENIED;
2784 }
2785
2786 query:
2787 /*
2788 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2789 */
2790
2791 if ( !(smbpass = samu_new( mem_ctx )) ) {
2792 return NT_STATUS_NO_MEMORY;
2793 }
2794
2795 ret = pdb_getsampwsid(smbpass, user_sid);
2796
2797 if (ret == False) {
2798 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2799 TALLOC_FREE(smbpass);
2800 return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2801 }
2802
2803 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2804
2805 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2806 TALLOC_FREE(smbpass);
2807 return NT_STATUS_ACCOUNT_DISABLED;
2808 }
2809
2810 lm_pass = pdb_get_lanman_passwd(smbpass);
2811 if (lm_pass != NULL) {
2812 memcpy(r->lm_pwd.hash, lm_pass, 16);
2813 r->lm_pwd_active = true;
2814 }
2815
2816 nt_pass = pdb_get_nt_passwd(smbpass);
2817 if (nt_pass != NULL) {
2818 memcpy(r->nt_pwd.hash, nt_pass, 16);
2819 r->nt_pwd_active = true;
2820 }
2821 r->password_expired = 0; /* FIXME */
2822
2823 TALLOC_FREE(smbpass);
2824
2825 return NT_STATUS_OK;
2826 }
2827
2828 /*************************************************************************
2829 get_user_info_20
2830 *************************************************************************/
2831
2832 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2833 struct samr_UserInfo20 *r,
2834 struct samu *sampass)
2835 {
2836 const char *munged_dial = NULL;
2837 DATA_BLOB blob;
2838 NTSTATUS status;
2839 struct lsa_BinaryString *parameters = NULL;
2840
2841 ZERO_STRUCTP(r);
2842
2843 munged_dial = pdb_get_munged_dial(sampass);
2844
2845 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2846 munged_dial, (int)strlen(munged_dial)));
2847
2848 if (munged_dial) {
2849 blob = base64_decode_data_blob(munged_dial);
2850 } else {
2851 blob = data_blob_string_const_null("");
2852 }
2853
2854 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2855 data_blob_free(&blob);
2856 if (!NT_STATUS_IS_OK(status)) {
2857 return status;
2858 }
2859
2860 r->parameters = *parameters;
2861
2862 return NT_STATUS_OK;
2863 }
2864
2865
2866 /*************************************************************************
2867 get_user_info_21
2868 *************************************************************************/
2869
2870 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2871 struct samr_UserInfo21 *r,
2872 struct samu *pw,
2873 struct dom_sid *domain_sid,
2874 uint32_t acc_granted)
2875 {
2876 NTSTATUS status;
2877 const struct dom_sid *sid_user, *sid_group;
2878 uint32_t rid, primary_gid;
2879 NTTIME force_password_change;
2880 time_t must_change_time;
2881 struct lsa_BinaryString *parameters = NULL;
2882 const char *munged_dial = NULL;
2883 DATA_BLOB blob;
2884
2885 ZERO_STRUCTP(r);
2886
2887 sid_user = pdb_get_user_sid(pw);
2888
2889 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2890 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2891 "the domain sid %s. Failing operation.\n",
2892 pdb_get_username(pw), sid_string_dbg(sid_user),
2893 sid_string_dbg(domain_sid)));
2894 return NT_STATUS_UNSUCCESSFUL;
2895 }
2896
2897 become_root();
2898 sid_group = pdb_get_group_sid(pw);
2899 unbecome_root();
2900
2901 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2902 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2903 "which conflicts with the domain sid %s. Failing operation.\n",
2904 pdb_get_username(pw), sid_string_dbg(sid_group),
2905 sid_string_dbg(domain_sid)));
2906 return NT_STATUS_UNSUCCESSFUL;
2907 }
2908
2909 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2910 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2911 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2912 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2913 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2914
2915 must_change_time = pdb_get_pass_must_change_time(pw);
2916 if (pdb_is_password_change_time_max(must_change_time)) {
2917 unix_to_nt_time_abs(&force_password_change, must_change_time);
2918 } else {
2919 unix_to_nt_time(&force_password_change, must_change_time);
2920 }
2921
2922 munged_dial = pdb_get_munged_dial(pw);
2923 if (munged_dial) {
2924 blob = base64_decode_data_blob(munged_dial);
2925 } else {
2926 blob = data_blob_string_const_null("");
2927 }
2928
2929 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2930 data_blob_free(&blob);
2931 if (!NT_STATUS_IS_OK(status)) {
2932 return status;
2933 }
2934
2935 r->force_password_change = force_password_change;
2936
2937 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2938 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2939 r->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2940 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2941 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2942 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2943 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2944 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2945 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2946
2947 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2948 r->parameters = *parameters;
2949 r->rid = rid;
2950 r->primary_gid = primary_gid;
2951 r->acct_flags = pdb_get_acct_ctrl(pw);
2952 r->bad_password_count = pdb_get_bad_password_count(pw);
2953 r->logon_count = pdb_get_logon_count(pw);
2954 r->fields_present = pdb_build_fields_present(pw);
2955 r->password_expired = (pdb_get_pass_must_change_time(pw) == 0) ?
2956 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2957 r->country_code = pdb_get_country_code(pw);
2958 r->code_page = pdb_get_code_page(pw);
2959 r->lm_password_set = 0;
2960 r->nt_password_set = 0;
2961
2962 #if 0
2963
2964 /*
2965 Look at a user on a real NT4 PDC with usrmgr, press
2966 'ok'. Then you will see that fields_present is set to
2967 0x08f827fa. Look at the user immediately after that again,
2968 and you will see that 0x00fffff is returned. This solves
2969 the problem that you get access denied after having looked
2970 at the user.
2971 -- Volker
2972 */
2973
2974 #endif
2975
2976
2977 return NT_STATUS_OK;
2978 }
2979
2980 /*******************************************************************
2981 _samr_QueryUserInfo
2982 ********************************************************************/
2983
2984 NTSTATUS _samr_QueryUserInfo(struct pipes_struct *p,
2985 struct samr_QueryUserInfo *r)
2986 {
2987 NTSTATUS status;
2988 union samr_UserInfo *user_info = NULL;
2989 struct samr_user_info *uinfo;
2990 struct dom_sid domain_sid;
2991 uint32 rid;
2992 bool ret = false;
2993 struct samu *pwd = NULL;
2994 uint32_t acc_required, acc_granted;
2995
2996 switch (r->in.level) {
2997 case 1: /* UserGeneralInformation */
2998 /* USER_READ_GENERAL */
2999 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
3000 break;
3001 case 2: /* UserPreferencesInformation */
3002 /* USER_READ_PREFERENCES | USER_READ_GENERAL */
3003 acc_required = SAMR_USER_ACCESS_GET_LOCALE |
3004 SAMR_USER_ACCESS_GET_NAME_ETC;
3005 break;
3006 case 3: /* UserLogonInformation */
3007 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
3008 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
3009 SAMR_USER_ACCESS_GET_LOCALE |
3010 SAMR_USER_ACCESS_GET_LOGONINFO |
3011 SAMR_USER_ACCESS_GET_ATTRIBUTES;
3012 break;
3013 case 4: /* UserLogonHoursInformation */
3014 /* USER_READ_LOGON */
3015 acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
3016 break;
3017 case 5: /* UserAccountInformation */
3018 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
3019 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
3020 SAMR_USER_ACCESS_GET_LOCALE |
3021 SAMR_USER_ACCESS_GET_LOGONINFO |
3022 SAMR_USER_ACCESS_GET_ATTRIBUTES;
3023 break;
3024 case 6: /* UserNameInformation */
3025 case 7: /* UserAccountNameInformation */
3026 case 8: /* UserFullNameInformation */
3027 case 9: /* UserPrimaryGroupInformation */
3028 case 13: /* UserAdminCommentInformation */
3029 /* USER_READ_GENERAL */
3030 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
3031 break;
3032 case 10: /* UserHomeInformation */
3033 case 11: /* UserScriptInformation */
3034 case 12: /* UserProfileInformation */
3035 case 14: /* UserWorkStationsInformation */
3036 /* USER_READ_LOGON */
3037 acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
3038 break;
3039 case 16: /* UserControlInformation */
3040 case 17: /* UserExpiresInformation */
3041 case 20: /* UserParametersInformation */
3042 /* USER_READ_ACCOUNT */
3043 acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
3044 break;
3045 case 21: /* UserAllInformation */
3046 /* FIXME! - gd */
3047 acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
3048 break;
3049 case 18: /* UserInternal1Information */
3050 /* FIXME! - gd */
3051 acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
3052 break;
3053 case 23: /* UserInternal4Information */
3054 case 24: /* UserInternal4InformationNew */
3055 case 25: /* UserInternal4InformationNew */
3056 case 26: /* UserInternal5InformationNew */
3057 default:
3058 return NT_STATUS_INVALID_INFO_CLASS;
3059 break;
3060 }
3061
3062 uinfo = policy_handle_find(p, r->in.user_handle,
3063 acc_required, &acc_granted,
3064 struct samr_user_info, &status);
3065 if (!NT_STATUS_IS_OK(status)) {
3066 return status;
3067 }
3068
3069 domain_sid = uinfo->sid;
3070
3071 sid_split_rid(&domain_sid, &rid);
3072
3073 if (!sid_check_is_in_our_sam(&uinfo->sid))
3074 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3075
3076 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
3077 sid_string_dbg(&uinfo->sid)));
3078
3079 user_info = talloc_zero(p->mem_ctx, union samr_UserInfo);
3080 if (!user_info) {
3081 return NT_STATUS_NO_MEMORY;
3082 }
3083
3084 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
3085
3086 if (!(pwd = samu_new(p->mem_ctx))) {
3087 return NT_STATUS_NO_MEMORY;
3088 }
3089
3090 become_root();
3091 ret = pdb_getsampwsid(pwd, &uinfo->sid);
3092 unbecome_root();
3093
3094 if (ret == false) {
3095 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid)));
3096 TALLOC_FREE(pwd);
3097 return NT_STATUS_NO_SUCH_USER;
3098 }
3099
3100 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
3101
3102 samr_clear_sam_passwd(pwd);
3103
3104 switch (r->in.level) {
3105 case 1:
3106 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
3107 break;
3108 case 2:
3109 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
3110 break;
3111 case 3:
3112 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
3113 break;
3114 case 4:
3115 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
3116 break;
3117 case 5:
3118 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
3119 break;
3120 case 6:
3121 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
3122 break;
3123 case 7:
3124 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
3125 break;
3126 case 8:
3127 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
3128 break;
3129 case 9:
3130 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
3131 break;
3132 case 10:
3133 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
3134 break;
3135 case 11:
3136 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
3137 break;
3138 case 12:
3139 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
3140 break;
3141 case 13:
3142 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
3143 break;
3144 case 14:
3145 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
3146 break;
3147 case 16:
3148 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
3149 break;
3150 case 17:
3151 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
3152 break;
3153 case 18:
3154 /* level 18 is special */
3155 status = get_user_info_18(p, p->mem_ctx, &user_info->info18,
3156 &uinfo->sid);
3157 break;
3158 case 20:
3159 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
3160 break;
3161 case 21:
3162 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid, acc_granted);
3163 break;
3164 default:
3165 status = NT_STATUS_INVALID_INFO_CLASS;
3166 break;
3167 }
3168
3169 if (!NT_STATUS_IS_OK(status)) {
3170 goto done;
3171 }
3172
3173 *r->out.info = user_info;
3174
3175 done:
3176 TALLOC_FREE(pwd);
3177
3178 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
3179
3180 return status;
3181 }
3182
3183 /****************************************************************
3184 ****************************************************************/
3185
3186 NTSTATUS _samr_QueryUserInfo2(struct pipes_struct *p,
3187 struct samr_QueryUserInfo2 *r)
3188 {
3189 struct samr_QueryUserInfo u;
3190
3191 u.in.user_handle = r->in.user_handle;
3192 u.in.level = r->in.level;
3193 u.out.info = r->out.info;
3194
3195 return _samr_QueryUserInfo(p, &u);
3196 }
3197
3198 /*******************************************************************
3199 _samr_GetGroupsForUser
3200 ********************************************************************/
3201
3202 NTSTATUS _samr_GetGroupsForUser(struct pipes_struct *p,
3203 struct samr_GetGroupsForUser *r)
3204 {
3205 struct samr_user_info *uinfo;
3206 struct samu *sam_pass=NULL;
3207 struct dom_sid *sids;
3208 struct samr_RidWithAttribute dom_gid;
3209 struct samr_RidWithAttribute *gids = NULL;
3210 uint32 primary_group_rid;
3211 uint32_t num_groups = 0;
3212 gid_t *unix_gids;
3213 uint32_t i, num_gids;
3214 bool ret;
3215 NTSTATUS result;
3216 bool success = False;
3217
3218 struct samr_RidWithAttributeArray *rids = NULL;
3219
3220 /*
3221 * from the SID in the request:
3222 * we should send back the list of DOMAIN GROUPS
3223 * the user is a member of
3224 *
3225 * and only the DOMAIN GROUPS
3226 * no ALIASES !!! neither aliases of the domain
3227 * nor aliases of the builtin SID
3228 *
3229 * JFM, 12/2/2001
3230 */
3231
3232 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3233
3234 uinfo = policy_handle_find(p, r->in.user_handle,
3235 SAMR_USER_ACCESS_GET_GROUPS, NULL,
3236 struct samr_user_info, &result);
3237 if (!NT_STATUS_IS_OK(result)) {
3238 return result;
3239 }
3240
3241 rids = talloc_zero(p->mem_ctx, struct samr_RidWithAttributeArray);
3242 if (!rids) {
3243 return NT_STATUS_NO_MEMORY;
3244 }
3245
3246 if (!sid_check_is_in_our_sam(&uinfo->sid))
3247 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3248
3249 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
3250 return NT_STATUS_NO_MEMORY;
3251 }
3252
3253 become_root();
3254 ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
3255 unbecome_root();
3256
3257 if (!ret) {
3258 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3259 sid_string_dbg(&uinfo->sid)));
3260 return NT_STATUS_NO_SUCH_USER;
3261 }
3262
3263 sids = NULL;
3264
3265 /* make both calls inside the root block */
3266 become_root();
3267 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
3268 &sids, &unix_gids, &num_groups);
3269 if ( NT_STATUS_IS_OK(result) ) {
3270 success = sid_peek_check_rid(get_global_sam_sid(),
3271 pdb_get_group_sid(sam_pass),
3272 &primary_group_rid);
3273 }
3274 unbecome_root();
3275
3276 if (!NT_STATUS_IS_OK(result)) {
3277 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3278 sid_string_dbg(&uinfo->sid)));
3279 return result;
3280 }
3281
3282 if ( !success ) {
3283 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3284 sid_string_dbg(pdb_get_group_sid(sam_pass)),
3285 pdb_get_username(sam_pass)));
3286 TALLOC_FREE(sam_pass);
3287 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3288 }
3289
3290 gids = NULL;
3291 num_gids = 0;
3292
3293 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
3294 SE_GROUP_ENABLED);
3295 dom_gid.rid = primary_group_rid;
3296 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3297
3298 for (i=0; i<num_groups; i++) {
3299
3300 if (!sid_peek_check_rid(get_global_sam_sid(),
3301 &(sids[i]), &dom_gid.rid)) {
3302 DEBUG(10, ("Found sid %s not in our domain\n",
3303 sid_string_dbg(&sids[i])));
3304 continue;
3305 }
3306
3307 if (dom_gid.rid == primary_group_rid) {
3308 /* We added the primary group directly from the
3309 * sam_account. The other SIDs are unique from
3310 * enum_group_memberships */
3311 continue;
3312 }
3313
3314 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3315 }
3316
3317 rids->count = num_gids;
3318 rids->rids = gids;
3319
3320 *r->out.rids = rids;
3321
3322 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3323
3324 return result;
3325 }
3326
3327 /*******************************************************************
3328 ********************************************************************/
3329
3330 static uint32_t samr_get_server_role(void)
3331 {
3332 uint32_t role = ROLE_DOMAIN_PDC;
3333
3334 if (lp_server_role() == ROLE_DOMAIN_BDC) {
3335 role = ROLE_DOMAIN_BDC;
3336 }
3337
3338 return role;
3339 }
3340
3341 /*******************************************************************
3342 ********************************************************************/
3343
3344 static NTSTATUS query_dom_info_1(TALLOC_CTX *mem_ctx,
3345 struct samr_DomInfo1 *r)
3346 {
3347 uint32_t account_policy_temp;
3348 time_t u_expire, u_min_age;
3349
3350 become_root();
3351
3352 /* AS ROOT !!! */
3353
3354 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &account_policy_temp);
3355 r->min_password_length = account_policy_temp;
3356
3357 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &account_policy_temp);
3358 r->password_history_length = account_policy_temp;
3359
3360 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
3361 &r->password_properties);
3362
3363 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
3364 u_expire = account_policy_temp;
3365
3366 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
3367 u_min_age = account_policy_temp;
3368
3369 /* !AS ROOT */
3370
3371 unbecome_root();
3372
3373 unix_to_nt_time_abs((NTTIME *)&r->max_password_age, u_expire);
3374 unix_to_nt_time_abs((NTTIME *)&r->min_password_age, u_min_age);
3375
3376 if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
3377 r->password_properties |= DOMAIN_PASSWORD_COMPLEX;
3378 }
3379
3380 return NT_STATUS_OK;
3381 }
3382
3383 /*******************************************************************
3384 ********************************************************************/
3385
3386 static NTSTATUS query_dom_info_2(TALLOC_CTX *mem_ctx,
3387 struct samr_DomGeneralInformation *r,
3388 struct samr_domain_info *dinfo)
3389 {
3390 uint32_t u_logout;
3391 time_t seq_num;
3392
3393 become_root();
3394
3395 /* AS ROOT !!! */
3396
3397 r->num_users = count_sam_users(dinfo->disp_info, ACB_NORMAL);
3398 r->num_groups = count_sam_groups(dinfo->disp_info);
3399 r->num_aliases = count_sam_aliases(dinfo->disp_info);
3400
3401 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &u_logout);
3402
3403 unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
3404
3405 if (!pdb_get_seq_num(&seq_num)) {
3406 seq_num = time(NULL);
3407 }
3408
3409 /* !AS ROOT */
3410
3411 unbecome_root();
3412
3413 r->oem_information.string = lp_server_string(r);
3414 r->domain_name.string = lp_workgroup();
3415 r->primary.string = lp_netbios_name();
3416 r->sequence_num = seq_num;
3417 r->domain_server_state = DOMAIN_SERVER_ENABLED;
3418 r->role = (enum samr_Role) samr_get_server_role();
3419 r->unknown3 = 1;
3420
3421 return NT_STATUS_OK;
3422 }
3423
3424 /*******************************************************************
3425 ********************************************************************/
3426
3427 static NTSTATUS query_dom_info_3(TALLOC_CTX *mem_ctx,
3428 struct samr_DomInfo3 *r)
3429 {
3430 uint32_t u_logout;
3431
3432 become_root();
3433
3434 /* AS ROOT !!! */
3435
3436 {
3437 uint32_t ul;
3438 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &ul);
3439 u_logout = (time_t)ul;
3440 }
3441
3442 /* !AS ROOT */
3443
3444 unbecome_root();
3445
3446 unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
3447
3448 return NT_STATUS_OK;
3449 }
3450
3451 /*******************************************************************
3452 ********************************************************************/
3453
3454 static NTSTATUS query_dom_info_4(TALLOC_CTX *mem_ctx,
3455 struct samr_DomOEMInformation *r)
3456 {
3457 r->oem_information.string = lp_server_string(r);
3458
3459 return NT_STATUS_OK;
3460 }
3461
3462 /*******************************************************************
3463 ********************************************************************/
3464
3465 static NTSTATUS query_dom_info_5(TALLOC_CTX *mem_ctx,
3466 struct samr_DomInfo5 *r)
3467 {
3468 r->domain_name.string = get_global_sam_name();
3469
3470 return NT_STATUS_OK;
3471 }
3472
3473 /*******************************************************************
3474 ********************************************************************/
3475
3476 static NTSTATUS query_dom_info_6(TALLOC_CTX *mem_ctx,
3477 struct samr_DomInfo6 *r)
3478 {
3479 /* NT returns its own name when a PDC. win2k and later
3480 * only the name of the PDC if itself is a BDC (samba4
3481 * idl) */
3482 r->primary.string = lp_netbios_name();
3483
3484 return NT_STATUS_OK;
3485 }
3486
3487 /*******************************************************************
3488 ********************************************************************/
3489
3490 static NTSTATUS query_dom_info_7(TALLOC_CTX *mem_ctx,
3491 struct samr_DomInfo7 *r)
3492 {
3493 r->role = (enum samr_Role) samr_get_server_role();
3494
3495 return NT_STATUS_OK;
3496 }
3497
3498 /*******************************************************************
3499 ********************************************************************/
3500
3501 static NTSTATUS query_dom_info_8(TALLOC_CTX *mem_ctx,
3502 struct samr_DomInfo8 *r)
3503 {
3504 time_t seq_num;
3505
3506 become_root();
3507
3508 /* AS ROOT !!! */
3509
3510 if (!pdb_get_seq_num(&seq_num)) {
3511 seq_num = time(NULL);
3512 }
3513
3514 /* !AS ROOT */
3515
3516 unbecome_root();
3517
3518 r->sequence_num = seq_num;
3519 r->domain_create_time = 0;
3520
3521 return NT_STATUS_OK;
3522 }
3523
3524 /*******************************************************************
3525 ********************************************************************/
3526
3527 static NTSTATUS query_dom_info_9(TALLOC_CTX *mem_ctx,
3528 struct samr_DomInfo9 *r)
3529 {
3530 r->domain_server_state = DOMAIN_SERVER_ENABLED;
3531
3532 return NT_STATUS_OK;
3533 }
3534
3535 /*******************************************************************
3536 ********************************************************************/
3537
3538 static NTSTATUS query_dom_info_11(TALLOC_CTX *mem_ctx,
3539 struct samr_DomGeneralInformation2 *r,
3540 struct samr_domain_info *dinfo)
3541 {
3542 NTSTATUS status;
3543 uint32_t account_policy_temp;
3544 time_t u_lock_duration, u_reset_time;
3545
3546 status = query_dom_info_2(mem_ctx, &r->general, dinfo);
3547 if (!NT_STATUS_IS_OK(status)) {
3548 return status;
3549 }
3550
3551 /* AS ROOT !!! */
3552
3553 become_root();
3554
3555 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3556 u_lock_duration = account_policy_temp;
3557 if (u_lock_duration != -1) {
3558 u_lock_duration *= 60;
3559 }
3560
3561 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
3562 u_reset_time = account_policy_temp * 60;
3563
3564 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3565 r->lockout_threshold = account_policy_temp;
3566
3567 /* !AS ROOT */
3568
3569 unbecome_root();
3570
3571 unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
3572 unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
3573
3574 return NT_STATUS_OK;
3575 }
3576
3577 /*******************************************************************
3578 ********************************************************************/
3579
3580 static NTSTATUS query_dom_info_12(TALLOC_CTX *mem_ctx,
3581 struct samr_DomInfo12 *r)
3582 {
3583 uint32_t account_policy_temp;
3584 time_t u_lock_duration, u_reset_time;
3585
3586 become_root();
3587
3588 /* AS ROOT !!! */
3589
3590 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3591 u_lock_duration = account_policy_temp;
3592 if (u_lock_duration != -1) {
3593 u_lock_duration *= 60;
3594 }
3595
3596 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
3597 u_reset_time = account_policy_temp * 60;
3598
3599 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3600 r->lockout_threshold = account_policy_temp;
3601
3602 /* !AS ROOT */
3603
3604 unbecome_root();
3605
3606 unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
3607 unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
3608
3609 return NT_STATUS_OK;
3610 }
3611
3612 /*******************************************************************
3613 ********************************************************************/
3614
3615 static NTSTATUS query_dom_info_13(TALLOC_CTX *mem_ctx,
3616 struct samr_DomInfo13 *r)
3617 {
3618 time_t seq_num;
3619
3620 become_root();
3621
3622 /* AS ROOT !!! */
3623
3624 if (!pdb_get_seq_num(&seq_num)) {
3625 seq_num = time(NULL);
3626 }
3627
3628 /* !AS ROOT */
3629
3630 unbecome_root();
3631
3632 r->sequence_num = seq_num;
3633 r->domain_create_time = 0;
3634 r->modified_count_at_last_promotion = 0;
3635
3636 return NT_STATUS_OK;
3637 }
3638
3639 /*******************************************************************
3640 _samr_QueryDomainInfo
3641 ********************************************************************/
3642
3643 NTSTATUS _samr_QueryDomainInfo(struct pipes_struct *p,
3644 struct samr_QueryDomainInfo *r)
3645 {
3646 NTSTATUS status = NT_STATUS_OK;
3647 struct samr_domain_info *dinfo;
3648 union samr_DomainInfo *dom_info;
3649
3650 uint32_t acc_required;
3651
3652 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3653
3654 switch (r->in.level) {
3655 case 1: /* DomainPasswordInformation */
3656 case 12: /* DomainLockoutInformation */
3657 /* DOMAIN_READ_PASSWORD_PARAMETERS */
3658 acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
3659 break;
3660 case 11: /* DomainGeneralInformation2 */
3661 /* DOMAIN_READ_PASSWORD_PARAMETERS |
3662 * DOMAIN_READ_OTHER_PARAMETERS */
3663 acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
3664 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
3665 break;
3666 case 2: /* DomainGeneralInformation */
3667 case 3: /* DomainLogoffInformation */
3668 case 4: /* DomainOemInformation */
3669 case 5: /* DomainReplicationInformation */
3670 case 6: /* DomainReplicationInformation */
3671 case 7: /* DomainServerRoleInformation */
3672 case 8: /* DomainModifiedInformation */
3673 case 9: /* DomainStateInformation */
3674 case 10: /* DomainUasInformation */
3675 case 13: /* DomainModifiedInformation2 */
3676 /* DOMAIN_READ_OTHER_PARAMETERS */
3677 acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
3678 break;
3679 default:
3680 return NT_STATUS_INVALID_INFO_CLASS;
3681 }
3682
3683 dinfo = policy_handle_find(p, r->in.domain_handle,
3684 acc_required, NULL,
3685 struct samr_domain_info, &status);
3686 if (!NT_STATUS_IS_OK(status)) {
3687 return status;
3688 }
3689
3690 dom_info = talloc_zero(p->mem_ctx, union samr_DomainInfo);
3691 if (!dom_info) {
3692 return NT_STATUS_NO_MEMORY;
3693 }
3694
3695 switch (r->in.level) {
3696 case 1:
3697 status = query_dom_info_1(p->mem_ctx, &dom_info->info1);
3698 break;
3699 case 2:
3700 status = query_dom_info_2(p->mem_ctx, &dom_info->general, dinfo);
3701 break;
3702 case 3:
3703 status = query_dom_info_3(p->mem_ctx, &dom_info->info3);
3704 break;
3705 case 4:
3706 status = query_dom_info_4(p->mem_ctx, &dom_info->oem);
3707 break;
3708 case 5:
3709 status = query_dom_info_5(p->mem_ctx, &dom_info->info5);
3710 break;
3711 case 6:
3712 status = query_dom_info_6(p->mem_ctx, &dom_info->info6);
3713 break;
3714 case 7:
3715 status = query_dom_info_7(p->mem_ctx, &dom_info->info7);
3716 break;
3717 case 8:
3718 status = query_dom_info_8(p->mem_ctx, &dom_info->info8);
3719 break;
3720 case 9:
3721 status = query_dom_info_9(p->mem_ctx, &dom_info->info9);
3722 break;
3723 case 11:
3724 status = query_dom_info_11(p->mem_ctx, &dom_info->general2, dinfo);
3725 break;
3726 case 12:
3727 status = query_dom_info_12(p->mem_ctx, &dom_info->info12);
3728 break;
3729 case 13:
3730 status = query_dom_info_13(p->mem_ctx, &dom_info->info13);
3731 break;
3732 default:
3733 return NT_STATUS_INVALID_INFO_CLASS;
3734 }
3735
3736 if (!NT_STATUS_IS_OK(status)) {
3737 return status;
3738 }
3739
3740 *r->out.info = dom_info;
3741
3742 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3743
3744 return status;
3745 }
3746
3747 /* W2k3 seems to use the same check for all 3 objects that can be created via
3748 * SAMR, if you try to create for example "Dialup" as an alias it says
3749 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3750 * database. */
3751
3752 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3753 {
3754 enum lsa_SidType type;
3755 bool result;
3756
3757 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3758
3759 become_root();
3760 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3761 * whether the name already exists */
3762 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3763 NULL, NULL, NULL, &type);
3764 unbecome_root();
3765
3766 if (!result) {
3767 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3768 return NT_STATUS_OK;
3769 }
3770
3771 DEBUG(5, ("trying to create %s, exists as %s\n",
3772 new_name, sid_type_lookup(type)));
3773
3774 if (type == SID_NAME_DOM_GRP) {
3775 return NT_STATUS_GROUP_EXISTS;
3776 }
3777 if (type == SID_NAME_ALIAS) {
3778 return NT_STATUS_ALIAS_EXISTS;
3779 }
3780
3781 /* Yes, the default is NT_STATUS_USER_EXISTS */
3782 return NT_STATUS_USER_EXISTS;
3783 }
3784
3785 /*******************************************************************
3786 _samr_CreateUser2
3787 ********************************************************************/
3788
3789 NTSTATUS _samr_CreateUser2(struct pipes_struct *p,
3790 struct samr_CreateUser2 *r)
3791 {
3792 const char *account = NULL;
3793 struct dom_sid sid;
3794 uint32_t acb_info = r->in.acct_flags;
3795 struct samr_domain_info *dinfo;
3796 struct samr_user_info *uinfo;
3797 NTSTATUS nt_status;
3798 uint32 acc_granted;
3799 struct security_descriptor *psd;
3800 size_t sd_size;
3801 /* check this, when giving away 'add computer to domain' privs */
3802 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3803 bool can_add_account = False;
3804
3805 /* Which privilege is needed to override the ACL? */
3806 enum sec_privilege needed_priv = SEC_PRIV_INVALID;
3807
3808 dinfo = policy_handle_find(p, r->in.domain_handle,
3809 SAMR_DOMAIN_ACCESS_CREATE_USER, NULL,
3810 struct samr_domain_info, &nt_status);
3811 if (!NT_STATUS_IS_OK(nt_status)) {
3812 return nt_status;
3813 }
3814
3815 if (sid_check_is_builtin(&dinfo->sid)) {
3816 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3817 return NT_STATUS_ACCESS_DENIED;
3818 }
3819
3820 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3821 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3822 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3823 this parameter is not an account type */
3824 return NT_STATUS_INVALID_PARAMETER;
3825 }
3826
3827 account = r->in.account_name->string;
3828 if (account == NULL) {
3829 return NT_STATUS_NO_MEMORY;
3830 }
3831
3832 nt_status = can_create(p->mem_ctx, account);
3833 if (!NT_STATUS_IS_OK(nt_status)) {
3834 return nt_status;
3835 }
3836
3837 /* determine which user right we need to check based on the acb_info */
3838
3839 if (geteuid() == sec_initial_uid()) {
3840 can_add_account = true;
3841 } else if (acb_info & ACB_WSTRUST) {
3842 needed_priv = SEC_PRIV_MACHINE_ACCOUNT;
3843 can_add_account = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_MACHINE_ACCOUNT);
3844 } else if (acb_info & ACB_NORMAL &&
3845 (account[strlen(account)-1] != '$')) {
3846 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3847 account for domain trusts and changes the ACB flags later */
3848 needed_priv = SEC_PRIV_ADD_USERS;
3849 can_add_account = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_ADD_USERS);
3850 } else if (lp_enable_privileges()) {
3851 /* implicit assumption of a BDC or domain trust account here
3852 * (we already check the flags earlier) */
3853 /* only Domain Admins can add a BDC or domain trust */
3854 can_add_account = nt_token_check_domain_rid(
3855 p->session_info->security_token,
3856 DOMAIN_RID_ADMINS );
3857 }
3858
3859 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3860 uidtoname(p->session_info->unix_token->uid),
3861 can_add_account ? "True":"False" ));
3862
3863 if (!can_add_account) {
3864 return NT_STATUS_ACCESS_DENIED;
3865 }
3866
3867 /********** BEGIN Admin BLOCK **********/
3868
3869 become_root();
3870 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3871 r->out.rid);
3872 unbecome_root();
3873
3874 /********** END Admin BLOCK **********/
3875
3876 /* now check for failure */
3877
3878 if ( !NT_STATUS_IS_OK(nt_status) )
3879 return nt_status;
3880
3881 /* Get the user's SID */
3882
3883 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3884
3885 map_max_allowed_access(p->session_info->security_token,
3886 p->session_info->unix_token,
3887 &des_access);
3888
3889 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3890 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3891 se_map_generic(&des_access, &usr_generic_mapping);
3892
3893 /*
3894 * JRA - TESTME. We just created this user so we
3895 * had rights to create them. Do we need to check
3896 * any further access on this object ? Can't we
3897 * just assume we have all the rights we need ?
3898 */
3899
3900 nt_status = access_check_object(psd, p->session_info->security_token,
3901 needed_priv, SEC_PRIV_INVALID,
3902 GENERIC_RIGHTS_USER_WRITE, des_access,
3903 &acc_granted, "_samr_CreateUser2");
3904
3905 if ( !NT_STATUS_IS_OK(nt_status) ) {
3906 return nt_status;
3907 }
3908
3909 uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
3910 struct samr_user_info, &nt_status);
3911 if (!NT_STATUS_IS_OK(nt_status)) {
3912 return nt_status;
3913 }
3914 uinfo->sid = sid;
3915
3916 /* After a "set" ensure we have no cached display info. */
3917 force_flush_samr_cache(&sid);
3918
3919 *r->out.access_granted = acc_granted;
3920
3921 return NT_STATUS_OK;
3922 }
3923
3924 /****************************************************************
3925 ****************************************************************/
3926
3927 NTSTATUS _samr_CreateUser(struct pipes_struct *p,
3928 struct samr_CreateUser *r)
3929 {
3930 struct samr_CreateUser2 c;
3931 uint32_t access_granted;
3932
3933 c.in.domain_handle = r->in.domain_handle;
3934 c.in.account_name = r->in.account_name;
3935 c.in.acct_flags = ACB_NORMAL;
3936 c.in.access_mask = r->in.access_mask;
3937 c.out.user_handle = r->out.user_handle;
3938 c.out.access_granted = &access_granted;
3939 c.out.rid = r->out.rid;
3940
3941 return _samr_CreateUser2(p, &c);
3942 }
3943
3944 /*******************************************************************
3945 _samr_Connect
3946 ********************************************************************/
3947
3948 NTSTATUS _samr_Connect(struct pipes_struct *p,
3949 struct samr_Connect *r)
3950 {
3951 uint32_t acc_granted;
3952 struct policy_handle hnd;
3953 uint32 des_access = r->in.access_mask;
3954 NTSTATUS status;
3955
3956 /* Access check */
3957
3958 if (!pipe_access_check(p)) {
3959 DEBUG(3, ("access denied to _samr_Connect\n"));
3960 return NT_STATUS_ACCESS_DENIED;
3961 }
3962
3963 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3964 was observed from a win98 client trying to enumerate users (when configured
3965 user level access control on shares) --jerry */
3966
3967 map_max_allowed_access(p->session_info->security_token,
3968 p->session_info->unix_token,
3969 &des_access);
3970
3971 se_map_generic( &des_access, &sam_generic_mapping );
3972
3973 acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS
3974 |SAMR_ACCESS_LOOKUP_DOMAIN);
3975
3976 /* set up the SAMR connect_anon response */
3977
3978 (void)policy_handle_create(p, &hnd, acc_granted,
3979 struct samr_connect_info,
3980 &status);
3981 if (!NT_STATUS_IS_OK(status)) {
3982 return status;
3983 }
3984
3985 *r->out.connect_handle = hnd;
3986 return NT_STATUS_OK;
3987 }
3988
3989 /*******************************************************************
3990 _samr_Connect2
3991 ********************************************************************/
3992
3993 NTSTATUS _samr_Connect2(struct pipes_struct *p,
3994 struct samr_Connect2 *r)
3995 {
3996 struct policy_handle hnd;
3997 struct security_descriptor *psd = NULL;
3998 uint32 acc_granted;
3999 uint32 des_access = r->in.access_mask;
4000 NTSTATUS nt_status;
4001 size_t sd_size;
4002 const char *fn = "_samr_Connect2";
4003
4004 switch (p->opnum) {
4005 case NDR_SAMR_CONNECT2:
4006 fn = "_samr_Connect2";
4007 break;
4008 case NDR_SAMR_CONNECT3:
4009 fn = "_samr_Connect3";
4010 break;
4011 case NDR_SAMR_CONNECT4:
4012 fn = "_samr_Connect4";
4013 break;
4014 case NDR_SAMR_CONNECT5:
4015 fn = "_samr_Connect5";
4016 break;
4017 }
4018
4019 DEBUG(5,("%s: %d\n", fn, __LINE__));
4020
4021 /* Access check */
4022
4023 if (!pipe_access_check(p)) {
4024 DEBUG(3, ("access denied to %s\n", fn));
4025 return NT_STATUS_ACCESS_DENIED;
4026 }
4027
4028 map_max_allowed_access(p->session_info->security_token,
4029 p->session_info->unix_token,
4030 &des_access);
4031
4032 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
4033 se_map_generic(&des_access, &sam_generic_mapping);
4034
4035 nt_status = access_check_object(psd, p->session_info->security_token,
4036 SEC_PRIV_INVALID, SEC_PRIV_INVALID,
4037 0, des_access, &acc_granted, fn);
4038
4039 if ( !NT_STATUS_IS_OK(nt_status) )
4040 return nt_status;
4041
4042 (void)policy_handle_create(p, &hnd, acc_granted,
4043 struct samr_connect_info, &nt_status);
4044 if (!NT_STATUS_IS_OK(nt_status)) {
4045 return nt_status;
4046 }
4047
4048 DEBUG(5,("%s: %d\n", fn, __LINE__));
4049
4050 *r->out.connect_handle = hnd;
4051 return NT_STATUS_OK;
4052 }
4053
4054 /****************************************************************
4055 _samr_Connect3
4056 ****************************************************************/
4057
4058 NTSTATUS _samr_Connect3(struct pipes_struct *p,
4059 struct samr_Connect3 *r)
4060 {
4061 struct samr_Connect2 c;
4062
4063 c.in.system_name = r->in.system_name;
4064 c.in.access_mask = r->in.access_mask;
4065 c.out.connect_handle = r->out.connect_handle;
4066
4067 return _samr_Connect2(p, &c);
4068 }
4069
4070 /*******************************************************************
4071 _samr_Connect4
4072 ********************************************************************/
4073
4074 NTSTATUS _samr_Connect4(struct pipes_struct *p,
4075 struct samr_Connect4 *r)
4076 {
4077 struct samr_Connect2 c;
4078
4079 c.in.system_name = r->in.system_name;
4080 c.in.access_mask = r->in.access_mask;
4081 c.out.connect_handle = r->out.connect_handle;
4082
4083 return _samr_Connect2(p, &c);
4084 }
4085
4086 /*******************************************************************
4087 _samr_Connect5
4088 ********************************************************************/
4089
4090 NTSTATUS _samr_Connect5(struct pipes_struct *p,
4091 struct samr_Connect5 *r)
4092 {
4093 NTSTATUS status;
4094 struct samr_Connect2 c;
4095 struct samr_ConnectInfo1 info1;
4096
4097 info1.client_version = SAMR_CONNECT_AFTER_W2K;
4098 info1.unknown2 = 0;
4099
4100 c.in.system_name = r->in.system_name;
4101 c.in.access_mask = r->in.access_mask;
4102 c.out.connect_handle = r->out.connect_handle;
4103
4104 *r->out.level_out = 1;
4105
4106 status = _samr_Connect2(p, &c);
4107 if (!NT_STATUS_IS_OK(status)) {
4108 return status;
4109 }
4110
4111 r->out.info_out->info1 = info1;
4112
4113 return NT_STATUS_OK;
4114 }
4115
4116 /**********************************************************************
4117 _samr_LookupDomain
4118 **********************************************************************/
4119
4120 NTSTATUS _samr_LookupDomain(struct pipes_struct *p,
4121 struct samr_LookupDomain *r)
4122 {
4123 NTSTATUS status;
4124 const char *domain_name;
4125 struct dom_sid *sid = NULL;
4126
4127 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
4128 Reverted that change so we will work with RAS servers again */
4129
4130 (void)policy_handle_find(p, r->in.connect_handle,
4131 SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
4132 struct samr_connect_info,
4133 &status);
4134 if (!NT_STATUS_IS_OK(status)) {
4135 return status;
4136 }
4137
4138 domain_name = r->in.domain_name->string;
4139 if (!domain_name) {
4140 return NT_STATUS_INVALID_PARAMETER;
4141 }
4142
4143 sid = talloc_zero(p->mem_ctx, struct dom_sid2);
4144 if (!sid) {
4145 return NT_STATUS_NO_MEMORY;
4146 }
4147
4148 if (strequal(domain_name, builtin_domain_name())) {
4149 sid_copy(sid, &global_sid_Builtin);
4150 } else {
4151 if (!secrets_fetch_domain_sid(domain_name, sid)) {
4152 status = NT_STATUS_NO_SUCH_DOMAIN;
4153 }
4154 }
4155
4156 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
4157 sid_string_dbg(sid)));
4158
4159 *r->out.sid = sid;
4160
4161 return status;
4162 }
4163
4164 /**********************************************************************
4165 _samr_EnumDomains
4166 **********************************************************************/
4167
4168 NTSTATUS _samr_EnumDomains(struct pipes_struct *p,
4169 struct samr_EnumDomains *r)
4170 {
4171 NTSTATUS status;
4172 uint32_t num_entries = 2;
4173 struct samr_SamEntry *entry_array = NULL;
4174 struct samr_SamArray *sam;
4175
4176 (void)policy_handle_find(p, r->in.connect_handle,
4177 SAMR_ACCESS_ENUM_DOMAINS, NULL,
4178 struct samr_connect_info, &status);
4179 if (!NT_STATUS_IS_OK(status)) {
4180 return status;
4181 }
4182
4183 sam = talloc_zero(p->mem_ctx, struct samr_SamArray);
4184 if (!sam) {
4185 return NT_STATUS_NO_MEMORY;
4186 }
4187
4188 entry_array = talloc_zero_array(p->mem_ctx,
4189 struct samr_SamEntry,
4190 num_entries);
4191 if (!entry_array) {
4192 return NT_STATUS_NO_MEMORY;
4193 }
4194
4195 entry_array[0].idx = 0;
4196 init_lsa_String(&entry_array[0].name, get_global_sam_name());
4197
4198 entry_array[1].idx = 1;
4199 init_lsa_String(&entry_array[1].name, "Builtin");
4200
4201 sam->count = num_entries;
4202 sam->entries = entry_array;
4203
4204 *r->out.sam = sam;
4205 *r->out.num_entries = num_entries;
4206
4207 return status;
4208 }
4209
4210 /*******************************************************************
4211 _samr_OpenAlias
4212 ********************************************************************/
4213
4214 NTSTATUS _samr_OpenAlias(struct pipes_struct *p,
4215 struct samr_OpenAlias *r)
4216 {
4217 struct dom_sid sid;
4218 uint32 alias_rid = r->in.rid;
4219 struct samr_alias_info *ainfo;
4220 struct samr_domain_info *dinfo;
4221 struct security_descriptor *psd = NULL;
4222 uint32 acc_granted;
4223 uint32 des_access = r->in.access_mask;
4224 size_t sd_size;
4225 NTSTATUS status;
4226
4227 dinfo = policy_handle_find(p, r->in.domain_handle,
4228 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
4229 struct samr_domain_info, &status);
4230 if (!NT_STATUS_IS_OK(status)) {
4231 return status;
4232 }
4233
4234 /* append the alias' RID to it */
4235
4236 if (!sid_compose(&sid, &dinfo->sid, alias_rid))
4237 return NT_STATUS_NO_SUCH_ALIAS;
4238
4239 /*check if access can be granted as requested by client. */
4240
4241 map_max_allowed_access(p->session_info->security_token,
4242 p->session_info->unix_token,
4243 &des_access);
4244
4245 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
4246 se_map_generic(&des_access,&ali_generic_mapping);
4247
4248 status = access_check_object(psd, p->session_info->security_token,
4249 SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID,
4250 GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
4251 des_access, &acc_granted, "_samr_OpenAlias");
4252
4253 if ( !NT_STATUS_IS_OK(status) )
4254 return status;
4255
4256 {
4257 /* Check we actually have the requested alias */
4258 enum lsa_SidType type;
4259 bool result;
4260 gid_t gid;
4261
4262 become_root();
4263 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
4264 unbecome_root();
4265
4266 if (!result || (type != SID_NAME_ALIAS)) {
4267 return NT_STATUS_NO_SUCH_ALIAS;
4268 }
4269
4270 /* make sure there is a mapping */
4271
4272 if ( !sid_to_gid( &sid, &gid ) ) {
4273 return NT_STATUS_NO_SUCH_ALIAS;
4274 }
4275
4276 }
4277
4278 ainfo = policy_handle_create(p, r->out.alias_handle, acc_granted,
4279 struct samr_alias_info, &status);
4280 if (!NT_STATUS_IS_OK(status)) {
4281 return status;
4282 }
4283 ainfo->sid = sid;
4284
4285 return NT_STATUS_OK;
4286 }
4287
4288 /*******************************************************************
4289 set_user_info_2
4290 ********************************************************************/
4291
4292 static NTSTATUS set_user_info_2(TALLOC_CTX *mem_ctx,
4293 struct samr_UserInfo2 *id2,
4294 struct samu *pwd)
4295 {
4296 if (id2 == NULL) {
4297 DEBUG(5,("set_user_info_2: NULL id2\n"));
4298 return NT_STATUS_ACCESS_DENIED;
4299 }
4300
4301 copy_id2_to_sam_passwd(pwd, id2);
4302
4303 return pdb_update_sam_account(pwd);
4304 }
4305
4306 /*******************************************************************
4307 set_user_info_4
4308 ********************************************************************/
4309
4310 static NTSTATUS set_user_info_4(TALLOC_CTX *mem_ctx,
4311 struct samr_UserInfo4 *id4,
4312 struct samu *pwd)
4313 {
4314 if (id4 == NULL) {
4315 DEBUG(5,("set_user_info_2: NULL id4\n"));
4316 return NT_STATUS_ACCESS_DENIED;
4317 }
4318
4319 copy_id4_to_sam_passwd(pwd, id4);
4320
4321 return pdb_update_sam_account(pwd);
4322 }
4323
4324 /*******************************************************************
4325 set_user_info_6
4326 ********************************************************************/
4327
4328 static NTSTATUS set_user_info_6(TALLOC_CTX *mem_ctx,
4329 struct samr_UserInfo6 *id6,
4330 struct samu *pwd)
4331 {
4332 if (id6 == NULL) {
4333 DEBUG(5,("set_user_info_6: NULL id6\n"));
4334 return NT_STATUS_ACCESS_DENIED;
4335 }
4336
4337 copy_id6_to_sam_passwd(pwd, id6);
4338
4339 return pdb_update_sam_account(pwd);
4340 }
4341
4342 /*******************************************************************
4343 set_user_info_7
4344 ********************************************************************/
4345
4346 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
4347 struct samr_UserInfo7 *id7,
4348 struct samu *pwd)
4349 {
4350 NTSTATUS rc;
4351
4352 if (id7 == NULL) {
4353 DEBUG(5, ("set_user_info_7: NULL id7\n"));
4354 return NT_STATUS_ACCESS_DENIED;
4355 }
4356
4357 if (!id7->account_name.string) {
4358 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
4359 return NT_STATUS_ACCESS_DENIED;
4360 }
4361
4362 /* check to see if the new username already exists. Note: we can't
4363 reliably lock all backends, so there is potentially the
4364 possibility that a user can be created in between this check and
4365 the rename. The rename should fail, but may not get the
4366 exact same failure status code. I think this is small enough
4367 of a window for this type of operation and the results are
4368 simply that the rename fails with a slightly different status
4369 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4370
4371 rc = can_create(mem_ctx, id7->account_name.string);
4372
4373 /* when there is nothing to change, we're done here */
4374 if (NT_STATUS_EQUAL(rc, NT_STATUS_USER_EXISTS) &&
4375 strequal(id7->account_name.string, pdb_get_username(pwd))) {
4376 return NT_STATUS_OK;
4377 }
4378 if (!NT_STATUS_IS_OK(rc)) {
4379 return rc;
4380 }
4381
4382 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
4383
4384 return rc;
4385 }
4386
4387 /*******************************************************************
4388 set_user_info_8
4389 ********************************************************************/
4390
4391 static NTSTATUS set_user_info_8(TALLOC_CTX *mem_ctx,
4392 struct samr_UserInfo8 *id8,
4393 struct samu *pwd)
4394 {
4395 if (id8 == NULL) {
4396 DEBUG(5,("set_user_info_8: NULL id8\n"));
4397 return NT_STATUS_ACCESS_DENIED;
4398 }
4399
4400 copy_id8_to_sam_passwd(pwd, id8);
4401
4402 return pdb_update_sam_account(pwd);
4403 }
4404
4405 /*******************************************************************
4406 set_user_info_10
4407 ********************************************************************/
4408
4409 static NTSTATUS set_user_info_10(TALLOC_CTX *mem_ctx,
4410 struct samr_UserInfo10 *id10,
4411 struct samu *pwd)
4412 {
4413 if (id10 == NULL) {
4414 DEBUG(5,("set_user_info_8: NULL id10\n"));
4415 return NT_STATUS_ACCESS_DENIED;
4416 }
4417
4418 copy_id10_to_sam_passwd(pwd, id10);
4419
4420 return pdb_update_sam_account(pwd);
4421 }
4422
4423 /*******************************************************************
4424 set_user_info_11
4425 ********************************************************************/
4426
4427 static NTSTATUS set_user_info_11(TALLOC_CTX *mem_ctx,
4428 struct samr_UserInfo11 *id11,
4429 struct samu *pwd)
4430 {
4431 if (id11 == NULL) {
4432 DEBUG(5,("set_user_info_11: NULL id11\n"));
4433 return NT_STATUS_ACCESS_DENIED;
4434 }
4435
4436 copy_id11_to_sam_passwd(pwd, id11);
4437
4438 return pdb_update_sam_account(pwd);
4439 }
4440
4441 /*******************************************************************
4442 set_user_info_12
4443 ********************************************************************/
4444
4445 static NTSTATUS set_user_info_12(TALLOC_CTX *mem_ctx,
4446 struct samr_UserInfo12 *id12,
4447 struct samu *pwd)
4448 {
4449 if (id12 == NULL) {
4450 DEBUG(5,("set_user_info_12: NULL id12\n"));
4451 return NT_STATUS_ACCESS_DENIED;
4452 }
4453
4454 copy_id12_to_sam_passwd(pwd, id12);
4455
4456 return pdb_update_sam_account(pwd);
4457 }
4458
4459 /*******************************************************************
4460 set_user_info_13
4461 ********************************************************************/
4462
4463 static NTSTATUS set_user_info_13(TALLOC_CTX *mem_ctx,
4464 struct samr_UserInfo13 *id13,
4465 struct samu *pwd)
4466 {
4467 if (id13 == NULL) {
4468 DEBUG(5,("set_user_info_13: NULL id13\n"));
4469 return NT_STATUS_ACCESS_DENIED;
4470 }
4471
4472 copy_id13_to_sam_passwd(pwd, id13);
4473
4474 return pdb_update_sam_account(pwd);
4475 }
4476
4477 /*******************************************************************
4478 set_user_info_14
4479 ********************************************************************/
4480
4481 static NTSTATUS set_user_info_14(TALLOC_CTX *mem_ctx,
4482 struct samr_UserInfo14 *id14,
4483 struct samu *pwd)
4484 {
4485 if (id14 == NULL) {
4486 DEBUG(5,("set_user_info_14: NULL id14\n"));
4487 return NT_STATUS_ACCESS_DENIED;
4488 }
4489
4490 copy_id14_to_sam_passwd(pwd, id14);
4491
4492 return pdb_update_sam_account(pwd);
4493 }
4494
4495 /*******************************************************************
4496 set_user_info_16
4497 ********************************************************************/
4498
4499 static NTSTATUS set_user_info_16(TALLOC_CTX *mem_ctx,
4500 struct samr_UserInfo16 *id16,
4501 struct samu *pwd)
4502 {
4503 if (id16 == NULL) {
4504 DEBUG(5,("set_user_info_16: NULL id16\n"));
4505 return NT_STATUS_ACCESS_DENIED;
4506 }
4507
4508 copy_id16_to_sam_passwd(pwd, id16);
4509
4510 return pdb_update_sam_account(pwd);
4511 }
4512
4513 /*******************************************************************
4514 set_user_info_17
4515 ********************************************************************/
4516
4517 static NTSTATUS set_user_info_17(TALLOC_CTX *mem_ctx,
4518 struct samr_UserInfo17 *id17,
4519 struct samu *pwd)
4520 {
4521 if (id17 == NULL) {
4522 DEBUG(5,("set_user_info_17: NULL id17\n"));
4523 return NT_STATUS_ACCESS_DENIED;
4524 }
4525
4526 copy_id17_to_sam_passwd(pwd, id17);
4527
4528 return pdb_update_sam_account(pwd);
4529 }
4530
4531 /*******************************************************************
4532 set_user_info_18
4533 ********************************************************************/
4534
4535 static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
4536 TALLOC_CTX *mem_ctx,
4537 DATA_BLOB *session_key,
4538 struct samu *pwd)
4539 {
4540 if (id18 == NULL) {
4541 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
4542 return NT_STATUS_INVALID_PARAMETER;
4543 }
4544
4545 if (id18->nt_pwd_active || id18->lm_pwd_active) {
4546 if (!session_key->length) {
4547 return NT_STATUS_NO_USER_SESSION_KEY;
4548 }
4549 }
4550
4551 if (id18->nt_pwd_active) {
4552
4553 DATA_BLOB in, out;
4554
4555 in = data_blob_const(id18->nt_pwd.hash, 16);
4556 out = data_blob_talloc_zero(mem_ctx, 16);
4557
4558 sess_crypt_blob(&out, &in, session_key, false);
4559
4560 if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
4561 return NT_STATUS_ACCESS_DENIED;
4562 }
4563
4564 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4565 }
4566
4567 if (id18->lm_pwd_active) {
4568
4569 DATA_BLOB in, out;
4570
4571 in = data_blob_const(id18->lm_pwd.hash, 16);
4572 out = data_blob_talloc_zero(mem_ctx, 16);
4573
4574 sess_crypt_blob(&out, &in, session_key, false);
4575
4576 if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
4577 return NT_STATUS_ACCESS_DENIED;
4578 }
4579
4580 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4581 }
4582
4583 copy_id18_to_sam_passwd(pwd, id18);
4584
4585 return pdb_update_sam_account(pwd);
4586 }
4587
4588 /*******************************************************************
4589 set_user_info_20
4590 ********************************************************************/
4591
4592 static NTSTATUS set_user_info_20(TALLOC_CTX *mem_ctx,
4593 struct samr_UserInfo20 *id20,
4594 struct samu *pwd)
4595 {
4596 if (id20 == NULL) {
4597 DEBUG(5,("set_user_info_20: NULL id20\n"));
4598 return NT_STATUS_ACCESS_DENIED;
4599 }
4600
4601 copy_id20_to_sam_passwd(pwd, id20);
4602
4603 return pdb_update_sam_account(pwd);
4604 }
4605
4606 /*******************************************************************
4607 set_user_info_21
4608 ********************************************************************/
4609
4610 static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
4611 TALLOC_CTX *mem_ctx,
4612 DATA_BLOB *session_key,
4613 struct samu *pwd)
4614 {
4615 NTSTATUS status;
4616
4617 if (id21 == NULL) {
4618 DEBUG(5, ("set_user_info_21: NULL id21\n"));
4619 return NT_STATUS_INVALID_PARAMETER;
4620 }
4621
4622 if (id21->fields_present == 0) {
4623 return NT_STATUS_INVALID_PARAMETER;
4624 }
4625
4626 if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4627 return NT_STATUS_ACCESS_DENIED;
4628 }
4629
4630 if (id21->fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
4631 if (id21->nt_password_set) {
4632 DATA_BLOB in, out;
4633
4634 if ((id21->nt_owf_password.length != 16) ||
4635 (id21->nt_owf_password.size != 16)) {
4636 return NT_STATUS_INVALID_PARAMETER;
4637 }
4638
4639 if (!session_key->length) {
4640 return NT_STATUS_NO_USER_SESSION_KEY;
4641 }
4642
4643 in = data_blob_const(id21->nt_owf_password.array, 16);
4644 out = data_blob_talloc_zero(mem_ctx, 16);
4645
4646 sess_crypt_blob(&out, &in, session_key, false);
4647
4648 pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
4649 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4650 }
4651 }
4652
4653 if (id21->fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
4654 if (id21->lm_password_set) {
4655 DATA_BLOB in, out;
4656
4657 if ((id21->lm_owf_password.length != 16) ||
4658 (id21->lm_owf_password.size != 16)) {
4659 return NT_STATUS_INVALID_PARAMETER;
4660 }
4661
4662 if (!session_key->length) {
4663 return NT_STATUS_NO_USER_SESSION_KEY;
4664 }
4665
4666 in = data_blob_const(id21->lm_owf_password.array, 16);
4667 out = data_blob_talloc_zero(mem_ctx, 16);
4668
4669 sess_crypt_blob(&out, &in, session_key, false);
4670
4671 pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
4672 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4673 }
4674 }
4675
4676 /* we need to separately check for an account rename first */
4677
4678 if (id21->account_name.string &&
4679 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
4680 {
4681
4682 /* check to see if the new username already exists. Note: we can't
4683 reliably lock all backends, so there is potentially the
4684 possibility that a user can be created in between this check and
4685 the rename. The rename should fail, but may not get the
4686 exact same failure status code. I think this is small enough
4687 of a window for this type of operation and the results are
4688 simply that the rename fails with a slightly different status
4689 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4690
4691 status = can_create(mem_ctx, id21->account_name.string);
4692 if (!NT_STATUS_IS_OK(status)) {
4693 return status;
4694 }
4695
4696 status = pdb_rename_sam_account(pwd, id21->account_name.string);
4697
4698 if (!NT_STATUS_IS_OK(status)) {
4699 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4700 nt_errstr(status)));
4701 return status;
4702 }
4703
4704 /* set the new username so that later
4705 functions can work on the new account */
4706 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
4707 }
4708
4709 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
4710
4711 /*
4712 * The funny part about the previous two calls is
4713 * that pwd still has the password hashes from the
4714 * passdb entry. These have not been updated from
4715 * id21. I don't know if they need to be set. --jerry
4716 */
4717
4718 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4719 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4720 if ( !NT_STATUS_IS_OK(status) ) {
4721 return status;
4722 }
4723 }
4724
4725 /* Don't worry about writing out the user account since the
4726 primary group SID is generated solely from the user's Unix
4727 primary group. */
4728
4729 /* write the change out */
4730 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4731 return status;
4732 }
4733
4734 return NT_STATUS_OK;
4735 }
4736
4737 /*******************************************************************
4738 set_user_info_23
4739 ********************************************************************/
4740
4741 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
4742 struct samr_UserInfo23 *id23,
4743 const char *rhost,
4744 struct samu *pwd)
4745 {
4746 char *plaintext_buf = NULL;
4747 size_t len = 0;
4748 uint32_t acct_ctrl;
4749 NTSTATUS status;
4750
4751 if (id23 == NULL) {
4752 DEBUG(5, ("set_user_info_23: NULL id23\n"));
4753 return NT_STATUS_INVALID_PARAMETER;
4754 }
4755
4756 if (id23->info.fields_present == 0) {
4757 return NT_STATUS_INVALID_PARAMETER;
4758 }
4759
4760 if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4761 return NT_STATUS_ACCESS_DENIED;
4762 }
4763
4764 if ((id23->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4765 (id23->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4766
4767 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4768 pdb_get_username(pwd)));
4769
4770 if (!decode_pw_buffer(mem_ctx,
4771 id23->password.data,
4772 &plaintext_buf,
4773 &len,
4774 CH_UTF16)) {
4775 return NT_STATUS_WRONG_PASSWORD;
4776 }
4777
4778 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4779 return NT_STATUS_ACCESS_DENIED;
4780 }
4781 }
4782
4783 copy_id23_to_sam_passwd(pwd, id23);
4784
4785 acct_ctrl = pdb_get_acct_ctrl(pwd);
4786
4787 /* if it's a trust account, don't update /etc/passwd */
4788 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4789 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4790 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4791 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4792 } else if (plaintext_buf) {
4793 /* update the UNIX password */
4794 if (lp_unix_password_sync() ) {
4795 struct passwd *passwd;
4796 if (pdb_get_username(pwd) == NULL) {
4797 DEBUG(1, ("chgpasswd: User without name???\n"));
4798 return NT_STATUS_ACCESS_DENIED;
4799 }
4800
4801 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4802 if (passwd == NULL) {
4803 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4804 }
4805
4806 if(!chgpasswd(pdb_get_username(pwd), rhost,
4807 passwd, "", plaintext_buf, True)) {
4808 return NT_STATUS_ACCESS_DENIED;
4809 }
4810 TALLOC_FREE(passwd);
4811 }
4812 }
4813
4814 if (plaintext_buf) {
4815 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4816 }
4817
4818 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
4819 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
4820 pwd)))) {
4821 return status;
4822 }
4823
4824 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4825 return status;
4826 }
4827
4828 return NT_STATUS_OK;
4829 }
4830
4831 /*******************************************************************
4832 set_user_info_pw
4833 ********************************************************************/
4834
4835 static bool set_user_info_pw(uint8 *pass, const char *rhost, struct samu *pwd)
4836 {
4837 size_t len = 0;
4838 char *plaintext_buf = NULL;
4839 uint32 acct_ctrl;
4840
4841 DEBUG(5, ("Attempting administrator password change for user %s\n",
4842 pdb_get_username(pwd)));
4843
4844 acct_ctrl = pdb_get_acct_ctrl(pwd);
4845
4846 if (!decode_pw_buffer(talloc_tos(),
4847 pass,
4848 &plaintext_buf,
4849 &len,
4850 CH_UTF16)) {
4851 return False;
4852 }
4853
4854 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4855 return False;
4856 }
4857
4858 /* if it's a trust account, don't update /etc/passwd */
4859 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4860 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4861 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4862 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4863 } else {
4864 /* update the UNIX password */
4865 if (lp_unix_password_sync()) {
4866 struct passwd *passwd;
4867
4868 if (pdb_get_username(pwd) == NULL) {
4869 DEBUG(1, ("chgpasswd: User without name???\n"));
4870 return False;
4871 }
4872
4873 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4874 if (passwd == NULL) {
4875 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4876 }
4877
4878 if(!chgpasswd(pdb_get_username(pwd), rhost, passwd,
4879 "", plaintext_buf, True)) {
4880 return False;
4881 }
4882 TALLOC_FREE(passwd);
4883 }
4884 }
4885
4886 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4887
4888 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4889
4890 return True;
4891 }
4892
4893 /*******************************************************************
4894 set_user_info_24
4895 ********************************************************************/
4896
4897 static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
4898 const char *rhost,
4899 struct samr_UserInfo24 *id24,
4900 struct samu *pwd)
4901 {
4902 NTSTATUS status;
4903
4904 if (id24 == NULL) {
4905 DEBUG(5, ("set_user_info_24: NULL id24\n"));
4906 return NT_STATUS_INVALID_PARAMETER;
4907 }
4908
4909 if (!set_user_info_pw(id24->password.data, rhost, pwd)) {
4910 return NT_STATUS_WRONG_PASSWORD;
4911 }
4912
4913 copy_id24_to_sam_passwd(pwd, id24);
4914
4915 status = pdb_update_sam_account(pwd);
4916 if (!NT_STATUS_IS_OK(status)) {
4917 return status;
4918 }
4919
4920 return NT_STATUS_OK;
4921 }
4922
4923 /*******************************************************************
4924 set_user_info_25
4925 ********************************************************************/
4926
4927 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4928 const char *rhost,
4929 struct samr_UserInfo25 *id25,
4930 struct samu *pwd)
4931 {
4932 NTSTATUS status;
4933
4934 if (id25 == NULL) {
4935 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4936 return NT_STATUS_INVALID_PARAMETER;
4937 }
4938
4939 if (id25->info.fields_present == 0) {
4940 return NT_STATUS_INVALID_PARAMETER;
4941 }
4942
4943 if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4944 return NT_STATUS_ACCESS_DENIED;
4945 }
4946
4947 if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4948 (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4949
4950 if (!set_user_info_pw(id25->password.data, rhost, pwd)) {
4951 return NT_STATUS_WRONG_PASSWORD;
4952 }
4953 }
4954
4955 copy_id25_to_sam_passwd(pwd, id25);
4956
4957 /* write the change out */
4958 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4959 return status;
4960 }
4961
4962 /*
4963 * We need to "pdb_update_sam_account" before the unix primary group
4964 * is set, because the idealx scripts would also change the
4965 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4966 * the delete explicit / add explicit, which would then fail to find
4967 * the previous primaryGroupSid value.
4968 */
4969
4970 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4971 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4972 if ( !NT_STATUS_IS_OK(status) ) {
4973 return status;
4974 }
4975 }
4976
4977 return NT_STATUS_OK;
4978 }
4979
4980 /*******************************************************************
4981 set_user_info_26
4982 ********************************************************************/
4983
4984 static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4985 const char *rhost,
4986 struct samr_UserInfo26 *id26,
4987 struct samu *pwd)
4988 {
4989 NTSTATUS status;
4990
4991 if (id26 == NULL) {
4992 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4993 return NT_STATUS_INVALID_PARAMETER;
4994 }
4995
4996 if (!set_user_info_pw(id26->password.data, rhost, pwd)) {
4997 return NT_STATUS_WRONG_PASSWORD;
4998 }
4999
5000 copy_id26_to_sam_passwd(pwd, id26);
5001
5002 status = pdb_update_sam_account(pwd);
5003 if (!NT_STATUS_IS_OK(status)) {
5004 return status;
5005 }
5006
5007 return NT_STATUS_OK;
5008 }
5009
5010 /*************************************************************
5011 **************************************************************/
5012
5013 static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
5014 {
5015 uint32_t acc_required = 0;
5016
5017 /* USER_ALL_USERNAME */
5018 if (fields & SAMR_FIELD_ACCOUNT_NAME)
5019 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5020 /* USER_ALL_FULLNAME */
5021 if (fields & SAMR_FIELD_FULL_NAME)
5022 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5023 /* USER_ALL_PRIMARYGROUPID */
5024 if (fields & SAMR_FIELD_PRIMARY_GID)
5025 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5026 /* USER_ALL_HOMEDIRECTORY */
5027 if (fields & SAMR_FIELD_HOME_DIRECTORY)
5028 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5029 /* USER_ALL_HOMEDIRECTORYDRIVE */
5030 if (fields & SAMR_FIELD_HOME_DRIVE)
5031 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5032 /* USER_ALL_SCRIPTPATH */
5033 if (fields & SAMR_FIELD_LOGON_SCRIPT)
5034 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5035 /* USER_ALL_PROFILEPATH */
5036 if (fields & SAMR_FIELD_PROFILE_PATH)
5037 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5038 /* USER_ALL_ADMINCOMMENT */
5039 if (fields & SAMR_FIELD_COMMENT)
5040 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5041 /* USER_ALL_WORKSTATIONS */
5042 if (fields & SAMR_FIELD_WORKSTATIONS)
5043 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5044 /* USER_ALL_LOGONHOURS */
5045 if (fields & SAMR_FIELD_LOGON_HOURS)
5046 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5047 /* USER_ALL_ACCOUNTEXPIRES */
5048 if (fields & SAMR_FIELD_ACCT_EXPIRY)
5049 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5050 /* USER_ALL_USERACCOUNTCONTROL */
5051 if (fields & SAMR_FIELD_ACCT_FLAGS)
5052 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5053 /* USER_ALL_PARAMETERS */
5054 if (fields & SAMR_FIELD_PARAMETERS)
5055 acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5056 /* USER_ALL_USERCOMMENT */
5057 if (fields & SAMR_FIELD_COMMENT)
5058 acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
5059 /* USER_ALL_COUNTRYCODE */
5060 if (fields & SAMR_FIELD_COUNTRY_CODE)
5061 acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
5062 /* USER_ALL_CODEPAGE */
5063 if (fields & SAMR_FIELD_CODE_PAGE)
5064 acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
5065 /* USER_ALL_NTPASSWORDPRESENT */
5066 if (fields & SAMR_FIELD_NT_PASSWORD_PRESENT)
5067 acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
5068 /* USER_ALL_LMPASSWORDPRESENT */
5069 if (fields & SAMR_FIELD_LM_PASSWORD_PRESENT)
5070 acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
5071 /* USER_ALL_PASSWORDEXPIRED */
5072 if (fields & SAMR_FIELD_EXPIRED_FLAG)
5073 acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
5074
5075 return acc_required;
5076 }
5077
5078 /*******************************************************************
5079 samr_SetUserInfo
5080 ********************************************************************/
5081
5082 NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
5083 struct samr_SetUserInfo *r)
5084 {
5085 struct samr_user_info *uinfo;
5086 NTSTATUS status;
5087 struct samu *pwd = NULL;
5088 union samr_UserInfo *info = r->in.info;
5089 uint32_t acc_required = 0;
5090 uint32_t fields = 0;
5091 bool ret;
5092 char *rhost;
5093 DATA_BLOB session_key;
5094
5095 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
5096
5097 /* This is tricky. A WinXP domain join sets
5098 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
5099 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
5100 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
5101 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
5102 we'll use the set from the WinXP join as the basis. */
5103
5104 switch (r->in.level) {
5105 case 2: /* UserPreferencesInformation */
5106 /* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
5107 acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES | SAMR_USER_ACCESS_SET_LOC_COM;
5108 break;
5109 case 4: /* UserLogonHoursInformation */
5110 case 6: /* UserNameInformation */
5111 case 7: /* UserAccountNameInformation */
5112 case 8: /* UserFullNameInformation */
5113 case 9: /* UserPrimaryGroupInformation */
5114 case 10: /* UserHomeInformation */
5115 case 11: /* UserScriptInformation */
5116 case 12: /* UserProfileInformation */
5117 case 13: /* UserAdminCommentInformation */
5118 case 14: /* UserWorkStationsInformation */
5119 case 16: /* UserControlInformation */
5120 case 17: /* UserExpiresInformation */
5121 case 20: /* UserParametersInformation */
5122 /* USER_WRITE_ACCOUNT */
5123 acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES;
5124 break;
5125 case 18: /* UserInternal1Information */
5126 /* FIXME: gd, this is a guess */
5127 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
5128 break;
5129 case 21: /* UserAllInformation */
5130 fields = info->info21.fields_present;
5131 acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
5132 break;
5133 case 23: /* UserInternal4Information */
5134 fields = info->info23.info.fields_present;
5135 acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
5136 break;
5137 case 25: /* UserInternal4InformationNew */
5138 fields = info->info25.info.fields_present;
5139 acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
5140 break;
5141 case 24: /* UserInternal5Information */
5142 case 26: /* UserInternal5InformationNew */
5143 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
5144 break;
5145 default:
5146 return NT_STATUS_INVALID_INFO_CLASS;
5147 }
5148
5149 uinfo = policy_handle_find(p, r->in.user_handle, acc_required, NULL,
5150 struct samr_user_info, &status);
5151 if (!NT_STATUS_IS_OK(status)) {
5152 return status;
5153 }
5154
5155 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
5156 sid_string_dbg(&uinfo->sid), r->in.level));
5157
5158 if (info == NULL) {
5159 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
5160 return NT_STATUS_INVALID_INFO_CLASS;
5161 }
5162
5163 if (!(pwd = samu_new(NULL))) {
5164 return NT_STATUS_NO_MEMORY;
5165 }
5166
5167 become_root();
5168 ret = pdb_getsampwsid(pwd, &uinfo->sid);
5169 unbecome_root();
5170
5171 if (!ret) {
5172 TALLOC_FREE(pwd);
5173 return NT_STATUS_NO_SUCH_USER;
5174 }
5175
5176 rhost = tsocket_address_inet_addr_string(p->remote_address,
5177 talloc_tos());
5178 if (rhost == NULL) {
5179 return NT_STATUS_NO_MEMORY;
5180 }
5181
5182 /* ================ BEGIN Privilege BLOCK ================ */
5183
5184 become_root();
5185
5186 /* ok! user info levels (lots: see MSDEV help), off we go... */
5187
5188 switch (r->in.level) {
5189
5190 case 2:
5191 status = set_user_info_2(p->mem_ctx,
5192 &info->info2, pwd);
5193 break;
5194
5195 case 4:
5196 status = set_user_info_4(p->mem_ctx,
5197 &info->info4, pwd);
5198 break;
5199
5200 case 6:
5201 status = set_user_info_6(p->mem_ctx,
5202 &info->info6, pwd);
5203 break;
5204
5205 case 7:
5206 status = set_user_info_7(p->mem_ctx,
5207 &info->info7, pwd);
5208 break;
5209
5210 case 8:
5211 status = set_user_info_8(p->mem_ctx,
5212 &info->info8, pwd);
5213 break;
5214
5215 case 10:
5216 status = set_user_info_10(p->mem_ctx,
5217 &info->info10, pwd);
5218 break;
5219
5220 case 11:
5221 status = set_user_info_11(p->mem_ctx,
5222 &info->info11, pwd);
5223 break;
5224
5225 case 12:
5226 status = set_user_info_12(p->mem_ctx,
5227 &info->info12, pwd);
5228 break;
5229
5230 case 13:
5231 status = set_user_info_13(p->mem_ctx,
5232 &info->info13, pwd);
5233 break;
5234
5235 case 14:
5236 status = set_user_info_14(p->mem_ctx,
5237 &info->info14, pwd);
5238 break;
5239
5240 case 16:
5241 status = set_user_info_16(p->mem_ctx,
5242 &info->info16, pwd);
5243 break;
5244
5245 case 17:
5246 status = set_user_info_17(p->mem_ctx,
5247 &info->info17, pwd);
5248 break;
5249
5250 case 18:
5251 status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
5252 if(!NT_STATUS_IS_OK(status)) {
5253 return status;
5254 }
5255 /* Used by AS/U JRA. */
5256 status = set_user_info_18(&info->info18,
5257 p->mem_ctx,
5258 &session_key,
5259 pwd);
5260 break;
5261
5262 case 20:
5263 status = set_user_info_20(p->mem_ctx,
5264 &info->info20, pwd);
5265 break;
5266
5267 case 21:
5268 status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
5269 if(!NT_STATUS_IS_OK(status)) {
5270 return status;
5271 }
5272 status = set_user_info_21(&info->info21,
5273 p->mem_ctx,
5274 &session_key,
5275 pwd);
5276 break;
5277
5278 case 23:
5279 status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
5280 arcfour_crypt_blob(info->info23.password.data, 516,
5281 &session_key);
5282
5283 dump_data(100, info->info23.password.data, 516);
5284
5285 status = set_user_info_23(p->mem_ctx,
5286 &info->info23,
5287 rhost,
5288 pwd);
5289 break;
5290
5291 case 24:
5292 status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
5293 arcfour_crypt_blob(info->info24.password.data,
5294 516,
5295 &session_key);
5296
5297 dump_data(100, info->info24.password.data, 516);
5298
5299 status = set_user_info_24(p->mem_ctx,
5300 rhost,
5301 &info->info24, pwd);
5302 break;
5303
5304 case 25:
5305 status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
5306 encode_or_decode_arc4_passwd_buffer(
5307 info->info25.password.data,
5308 &session_key);
5309
5310 dump_data(100, info->info25.password.data, 532);
5311
5312 status = set_user_info_25(p->mem_ctx,
5313 rhost,
5314 &info->info25, pwd);
5315 break;
5316
5317 case 26:
5318 status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
5319 encode_or_decode_arc4_passwd_buffer(
5320 info->info26.password.data,
5321 &session_key);
5322
5323 dump_data(100, info->info26.password.data, 516);
5324
5325 status = set_user_info_26(p->mem_ctx,
5326 rhost,
5327 &info->info26, pwd);
5328 break;
5329
5330 default:
5331 status = NT_STATUS_INVALID_INFO_CLASS;
5332 }
5333
5334 TALLOC_FREE(pwd);
5335
5336 unbecome_root();
5337
5338 /* ================ END Privilege BLOCK ================ */
5339
5340 if (NT_STATUS_IS_OK(status)) {
5341 force_flush_samr_cache(&uinfo->sid);
5342 }
5343
5344 return status;
5345 }
5346
5347 /*******************************************************************
5348 _samr_SetUserInfo2
5349 ********************************************************************/
5350
5351 NTSTATUS _samr_SetUserInfo2(struct pipes_struct *p,
5352 struct samr_SetUserInfo2 *r)
5353 {
5354 struct samr_SetUserInfo q;
5355
5356 q.in.user_handle = r->in.user_handle;
5357 q.in.level = r->in.level;
5358 q.in.info = r->in.info;
5359
5360 return _samr_SetUserInfo(p, &q);
5361 }
5362
5363 /*********************************************************************
5364 _samr_GetAliasMembership
5365 *********************************************************************/
5366
5367 NTSTATUS _samr_GetAliasMembership(struct pipes_struct *p,
5368 struct samr_GetAliasMembership *r)
5369 {
5370 size_t num_alias_rids;
5371 uint32 *alias_rids;
5372 struct samr_domain_info *dinfo;
5373 size_t i;
5374
5375 NTSTATUS status;
5376
5377 struct dom_sid *members;
5378
5379 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
5380
5381 dinfo = policy_handle_find(p, r->in.domain_handle,
5382 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
5383 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
5384 struct samr_domain_info, &status);
5385 if (!NT_STATUS_IS_OK(status)) {
5386 return status;
5387 }
5388
5389 if (!sid_check_is_our_sam(&dinfo->sid) &&
5390 !sid_check_is_builtin(&dinfo->sid))
5391 return NT_STATUS_OBJECT_TYPE_MISMATCH;
5392
5393 if (r->in.sids->num_sids) {
5394 members = talloc_array(p->mem_ctx, struct dom_sid, r->in.sids->num_sids);
5395
5396 if (members == NULL)
5397 return NT_STATUS_NO_MEMORY;
5398 } else {
5399 members = NULL;
5400 }
5401
5402 for (i=0; i<r->in.sids->num_sids; i++)
5403 sid_copy(&members[i], r->in.sids->sids[i].sid);
5404
5405 alias_rids = NULL;
5406 num_alias_rids = 0;
5407
5408 become_root();
5409 status = pdb_enum_alias_memberships(p->mem_ctx, &dinfo->sid, members,
5410 r->in.sids->num_sids,
5411 &alias_rids, &num_alias_rids);
5412 unbecome_root();
5413
5414 if (!NT_STATUS_IS_OK(status)) {
5415 return status;
5416 }
5417
5418 r->out.rids->count = num_alias_rids;
5419 r->out.rids->ids = alias_rids;
5420
5421 if (r->out.rids->ids == NULL) {
5422 /* Windows domain clients don't accept a NULL ptr here */
5423 r->out.rids->ids = talloc_zero(p->mem_ctx, uint32_t);
5424 }
5425 if (r->out.rids->ids == NULL) {
5426 return NT_STATUS_NO_MEMORY;
5427 }
5428
5429 return NT_STATUS_OK;
5430 }
5431
5432 /*********************************************************************
5433 _samr_GetMembersInAlias
5434 *********************************************************************/
5435
5436 NTSTATUS _samr_GetMembersInAlias(struct pipes_struct *p,
5437 struct samr_GetMembersInAlias *r)
5438 {
5439 struct samr_alias_info *ainfo;
5440 NTSTATUS status;
5441 size_t i;
5442 size_t num_sids = 0;
5443 struct lsa_SidPtr *sids = NULL;
5444 struct dom_sid *pdb_sids = NULL;
5445
5446 ainfo = policy_handle_find(p, r->in.alias_handle,
5447 SAMR_ALIAS_ACCESS_GET_MEMBERS, NULL,
5448 struct samr_alias_info, &status);
5449 if (!NT_STATUS_IS_OK(status)) {
5450 return status;
5451 }
5452
5453 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
5454
5455 become_root();
5456 status = pdb_enum_aliasmem(&ainfo->sid, talloc_tos(), &pdb_sids,
5457 &num_sids);
5458 unbecome_root();
5459
5460 if (!NT_STATUS_IS_OK(status)) {
5461 return status;
5462 }
5463
5464 if (num_sids) {
5465 sids = talloc_zero_array(p->mem_ctx, struct lsa_SidPtr, num_sids);
5466 if (sids == NULL) {
5467 TALLOC_FREE(pdb_sids);
5468 return NT_STATUS_NO_MEMORY;
5469 }
5470 }
5471
5472 for (i = 0; i < num_sids; i++) {
5473 sids[i].sid = dom_sid_dup(p->mem_ctx, &pdb_sids[i]);
5474 if (!sids[i].sid) {
5475 TALLOC_FREE(pdb_sids);
5476 return NT_STATUS_NO_MEMORY;
5477 }
5478 }
5479
5480 r->out.sids->num_sids = num_sids;
5481 r->out.sids->sids = sids;
5482
5483 TALLOC_FREE(pdb_sids);
5484
5485 return NT_STATUS_OK;
5486 }
5487
5488 /*********************************************************************
5489 _samr_QueryGroupMember
5490 *********************************************************************/
5491
5492 NTSTATUS _samr_QueryGroupMember(struct pipes_struct *p,
5493 struct samr_QueryGroupMember *r)
5494 {
5495 struct samr_group_info *ginfo;
5496 size_t i, num_members;
5497
5498 uint32 *rid=NULL;
5499 uint32 *attr=NULL;
5500
5501 NTSTATUS status;
5502 struct samr_RidAttrArray *rids = NULL;
5503
5504 ginfo = policy_handle_find(p, r->in.group_handle,
5505 SAMR_GROUP_ACCESS_GET_MEMBERS, NULL,
5506 struct samr_group_info, &status);
5507 if (!NT_STATUS_IS_OK(status)) {
5508 return status;
5509 }
5510
5511 rids = talloc_zero(p->mem_ctx, struct samr_RidAttrArray);
5512 if (!rids) {
5513 return NT_STATUS_NO_MEMORY;
5514 }
5515
5516 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid)));
5517
5518 if (!sid_check_is_in_our_sam(&ginfo->sid)) {
5519 DEBUG(3, ("sid %s is not in our domain\n",
5520 sid_string_dbg(&ginfo->sid)));
5521 return NT_STATUS_NO_SUCH_GROUP;
5522 }
5523
5524 DEBUG(10, ("lookup on Domain SID\n"));
5525
5526 become_root();
5527 status = pdb_enum_group_members(p->mem_ctx, &ginfo->sid,
5528 &rid, &num_members);
5529 unbecome_root();
5530
5531 if (!NT_STATUS_IS_OK(status))
5532 return status;
5533
5534 if (num_members) {
5535 attr=talloc_zero_array(p->mem_ctx, uint32, num_members);
5536 if (attr == NULL) {
5537 return NT_STATUS_NO_MEMORY;
5538 }
5539 } else {
5540 attr = NULL;
5541 }
5542
5543 for (i=0; i<num_members; i++) {
5544 attr[i] = SE_GROUP_MANDATORY |
5545 SE_GROUP_ENABLED_BY_DEFAULT |
5546 SE_GROUP_ENABLED;
5547 }
5548
5549 rids->count = num_members;
5550 rids->attributes = attr;
5551 rids->rids = rid;
5552
5553 *r->out.rids = rids;
5554
5555 return NT_STATUS_OK;
5556 }
5557
5558 /*********************************************************************
5559 _samr_AddAliasMember
5560 *********************************************************************/
5561
5562 NTSTATUS _samr_AddAliasMember(struct pipes_struct *p,
5563 struct samr_AddAliasMember *r)
5564 {
5565 struct samr_alias_info *ainfo;
5566 NTSTATUS status;
5567
5568 ainfo = policy_handle_find(p, r->in.alias_handle,
5569 SAMR_ALIAS_ACCESS_ADD_MEMBER, NULL,
5570 struct samr_alias_info, &status);
5571 if (!NT_STATUS_IS_OK(status)) {
5572 return status;
5573 }
5574
5575 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
5576
5577 /******** BEGIN SeAddUsers BLOCK *********/
5578
5579 become_root();
5580 status = pdb_add_aliasmem(&ainfo->sid, r->in.sid);
5581 unbecome_root();
5582
5583 /******** END SeAddUsers BLOCK *********/
5584
5585 if (NT_STATUS_IS_OK(status)) {
5586 force_flush_samr_cache(&ainfo->sid);
5587 }
5588
5589 return status;
5590 }
5591
5592 /*********************************************************************
5593 _samr_DeleteAliasMember
5594 *********************************************************************/
5595
5596 NTSTATUS _samr_DeleteAliasMember(struct pipes_struct *p,
5597 struct samr_DeleteAliasMember *r)
5598 {
5599 struct samr_alias_info *ainfo;
5600 NTSTATUS status;
5601
5602 ainfo = policy_handle_find(p, r->in.alias_handle,
5603 SAMR_ALIAS_ACCESS_REMOVE_MEMBER, NULL,
5604 struct samr_alias_info, &status);
5605 if (!NT_STATUS_IS_OK(status)) {
5606 return status;
5607 }
5608
5609 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
5610 sid_string_dbg(&ainfo->sid)));
5611
5612 /******** BEGIN SeAddUsers BLOCK *********/
5613
5614 become_root();
5615 status = pdb_del_aliasmem(&ainfo->sid, r->in.sid);
5616 unbecome_root();
5617
5618 /******** END SeAddUsers BLOCK *********/
5619
5620 if (NT_STATUS_IS_OK(status)) {
5621 force_flush_samr_cache(&ainfo->sid);
5622 }
5623
5624 return status;
5625 }
5626
5627 /*********************************************************************
5628 _samr_AddGroupMember
5629 *********************************************************************/
5630
5631 NTSTATUS _samr_AddGroupMember(struct pipes_struct *p,
5632 struct samr_AddGroupMember *r)
5633 {
5634 struct samr_group_info *ginfo;
5635 NTSTATUS status;
5636 uint32 group_rid;
5637
5638 ginfo = policy_handle_find(p, r->in.group_handle,
5639 SAMR_GROUP_ACCESS_ADD_MEMBER, NULL,
5640 struct samr_group_info, &status);
5641 if (!NT_STATUS_IS_OK(status)) {
5642 return status;
5643 }
5644
5645 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid)));
5646
5647 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid,
5648 &group_rid)) {
5649 return NT_STATUS_INVALID_HANDLE;
5650 }
5651
5652 /******** BEGIN SeAddUsers BLOCK *********/
5653
5654 become_root();
5655 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
5656 unbecome_root();
5657
5658 /******** END SeAddUsers BLOCK *********/
5659
5660 force_flush_samr_cache(&ginfo->sid);
5661
5662 return status;
5663 }
5664
5665 /*********************************************************************
5666 _samr_DeleteGroupMember
5667 *********************************************************************/
5668
5669 NTSTATUS _samr_DeleteGroupMember(struct pipes_struct *p,
5670 struct samr_DeleteGroupMember *r)
5671
5672 {
5673 struct samr_group_info *ginfo;
5674 NTSTATUS status;
5675 uint32 group_rid;
5676
5677 /*
5678 * delete the group member named r->in.rid
5679 * who is a member of the sid associated with the handle
5680 * the rid is a user's rid as the group is a domain group.
5681 */
5682
5683 ginfo = policy_handle_find(p, r->in.group_handle,
5684 SAMR_GROUP_ACCESS_REMOVE_MEMBER, NULL,
5685 struct samr_group_info, &status);
5686 if (!NT_STATUS_IS_OK(status)) {
5687 return status;
5688 }
5689
5690 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid,
5691 &group_rid)) {
5692 return NT_STATUS_INVALID_HANDLE;
5693 }
5694
5695 /******** BEGIN SeAddUsers BLOCK *********/
5696
5697 become_root();
5698 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
5699 unbecome_root();
5700
5701 /******** END SeAddUsers BLOCK *********/
5702
5703 force_flush_samr_cache(&ginfo->sid);
5704
5705 return status;
5706 }
5707
5708 /*********************************************************************
5709 _samr_DeleteUser
5710 *********************************************************************/
5711
5712 NTSTATUS _samr_DeleteUser(struct pipes_struct *p,
5713 struct samr_DeleteUser *r)
5714 {
5715 struct samr_user_info *uinfo;
5716 NTSTATUS status;
5717 struct samu *sam_pass=NULL;
5718 bool ret;
5719
5720 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
5721
5722 uinfo = policy_handle_find(p, r->in.user_handle,
5723 SEC_STD_DELETE, NULL,
5724 struct samr_user_info, &status);
5725 if (!NT_STATUS_IS_OK(status)) {
5726 return status;
5727 }
5728
5729 if (!sid_check_is_in_our_sam(&uinfo->sid))
5730 return NT_STATUS_CANNOT_DELETE;
5731
5732 /* check if the user exists before trying to delete */
5733 if ( !(sam_pass = samu_new( NULL )) ) {
5734 return NT_STATUS_NO_MEMORY;
5735 }
5736
5737 become_root();
5738 ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
5739 unbecome_root();
5740
5741 if(!ret) {
5742 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5743 sid_string_dbg(&uinfo->sid)));
5744 TALLOC_FREE(sam_pass);
5745 return NT_STATUS_NO_SUCH_USER;
5746 }
5747
5748 /******** BEGIN SeAddUsers BLOCK *********/
5749
5750 become_root();
5751 status = pdb_delete_user(p->mem_ctx, sam_pass);
5752 unbecome_root();
5753
5754 /******** END SeAddUsers BLOCK *********/
5755
5756 if ( !NT_STATUS_IS_OK(status) ) {
5757 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5758 "user %s: %s.\n", pdb_get_username(sam_pass),
5759 nt_errstr(status)));
5760 TALLOC_FREE(sam_pass);
5761 return status;
5762 }
5763
5764
5765 TALLOC_FREE(sam_pass);
5766
5767 force_flush_samr_cache(&uinfo->sid);
5768
5769 if (!close_policy_hnd(p, r->in.user_handle))
5770 return NT_STATUS_OBJECT_NAME_INVALID;
5771
5772 ZERO_STRUCTP(r->out.user_handle);
5773
5774 return NT_STATUS_OK;
5775 }
5776
5777 /*********************************************************************
5778 _samr_DeleteDomainGroup
5779 *********************************************************************/
5780
5781 NTSTATUS _samr_DeleteDomainGroup(struct pipes_struct *p,
5782 struct samr_DeleteDomainGroup *r)
5783 {
5784 struct samr_group_info *ginfo;
5785 NTSTATUS status;
5786 uint32 group_rid;
5787
5788 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
5789
5790 ginfo = policy_handle_find(p, r->in.group_handle,
5791 SEC_STD_DELETE, NULL,
5792 struct samr_group_info, &status);
5793 if (!NT_STATUS_IS_OK(status)) {
5794 return status;
5795 }
5796
5797 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid)));
5798
5799 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid,
5800 &group_rid)) {
5801 return NT_STATUS_NO_SUCH_GROUP;
5802 }
5803
5804 /******** BEGIN SeAddUsers BLOCK *********/
5805
5806 become_root();
5807 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
5808 unbecome_root();
5809
5810 /******** END SeAddUsers BLOCK *********/
5811
5812 if ( !NT_STATUS_IS_OK(status) ) {
5813 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5814 "entry for group %s: %s\n",
5815 sid_string_dbg(&ginfo->sid),
5816 nt_errstr(status)));
5817 return status;
5818 }
5819
5820 force_flush_samr_cache(&ginfo->sid);
5821
5822 if (!close_policy_hnd(p, r->in.group_handle))
5823 return NT_STATUS_OBJECT_NAME_INVALID;
5824
5825 return NT_STATUS_OK;
5826 }
5827
5828 /*********************************************************************
5829 _samr_DeleteDomAlias
5830 *********************************************************************/
5831
5832 NTSTATUS _samr_DeleteDomAlias(struct pipes_struct *p,
5833 struct samr_DeleteDomAlias *r)
5834 {
5835 struct samr_alias_info *ainfo;
5836 NTSTATUS status;
5837
5838 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
5839
5840 ainfo = policy_handle_find(p, r->in.alias_handle,
5841 SEC_STD_DELETE, NULL,
5842 struct samr_alias_info, &status);
5843 if (!NT_STATUS_IS_OK(status)) {
5844 return status;
5845 }
5846
5847 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
5848
5849 /* Don't let Windows delete builtin groups */
5850
5851 if ( sid_check_is_in_builtin( &ainfo->sid ) ) {
5852 return NT_STATUS_SPECIAL_ACCOUNT;
5853 }
5854
5855 if (!sid_check_is_in_our_sam(&ainfo->sid))
5856 return NT_STATUS_NO_SUCH_ALIAS;
5857
5858 DEBUG(10, ("lookup on Local SID\n"));
5859
5860 /******** BEGIN SeAddUsers BLOCK *********/
5861
5862 become_root();
5863 /* Have passdb delete the alias */
5864 status = pdb_delete_alias(&ainfo->sid);
5865 unbecome_root();
5866
5867 /******** END SeAddUsers BLOCK *********/
5868
5869 if ( !NT_STATUS_IS_OK(status))
5870 return status;
5871
5872 force_flush_samr_cache(&ainfo->sid);
5873
5874 if (!close_policy_hnd(p, r->in.alias_handle))
5875 return NT_STATUS_OBJECT_NAME_INVALID;
5876
5877 return NT_STATUS_OK;
5878 }
5879
5880 /*********************************************************************
5881 _samr_CreateDomainGroup
5882 *********************************************************************/
5883
5884 NTSTATUS _samr_CreateDomainGroup(struct pipes_struct *p,
5885 struct samr_CreateDomainGroup *r)
5886
5887 {
5888 NTSTATUS status;
5889 const char *name;
5890 struct samr_domain_info *dinfo;
5891 struct samr_group_info *ginfo;
5892
5893 dinfo = policy_handle_find(p, r->in.domain_handle,
5894 SAMR_DOMAIN_ACCESS_CREATE_GROUP, NULL,
5895 struct samr_domain_info, &status);
5896 if (!NT_STATUS_IS_OK(status)) {
5897 return status;
5898 }
5899
5900 if (!sid_check_is_our_sam(&dinfo->sid)) {
5901 return NT_STATUS_ACCESS_DENIED;
5902 }
5903
5904 name = r->in.name->string;
5905 if (name == NULL) {
5906 return NT_STATUS_NO_MEMORY;
5907 }
5908
5909 status = can_create(p->mem_ctx, name);
5910 if (!NT_STATUS_IS_OK(status)) {
5911 return status;
5912 }
5913
5914 /******** BEGIN SeAddUsers BLOCK *********/
5915
5916 become_root();
5917 /* check that we successfully create the UNIX group */
5918 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5919 unbecome_root();
5920
5921 /******** END SeAddUsers BLOCK *********/
5922
5923 /* check if we should bail out here */
5924
5925 if ( !NT_STATUS_IS_OK(status) )
5926 return status;
5927
5928 ginfo = policy_handle_create(p, r->out.group_handle,
5929 GENERIC_RIGHTS_GROUP_ALL_ACCESS,
5930 struct samr_group_info, &status);
5931 if (!NT_STATUS_IS_OK(status)) {
5932 return status;
5933 }
5934 sid_compose(&ginfo->sid, &dinfo->sid, *r->out.rid);
5935
5936 force_flush_samr_cache(&dinfo->sid);
5937
5938 return NT_STATUS_OK;
5939 }
5940
5941 /*********************************************************************
5942 _samr_CreateDomAlias
5943 *********************************************************************/
5944
5945 NTSTATUS _samr_CreateDomAlias(struct pipes_struct *p,
5946 struct samr_CreateDomAlias *r)
5947 {
5948 struct dom_sid info_sid;
5949 const char *name = NULL;
5950 struct samr_domain_info *dinfo;
5951 struct samr_alias_info *ainfo;
5952 gid_t gid;
5953 NTSTATUS result;
5954
5955 dinfo = policy_handle_find(p, r->in.domain_handle,
5956 SAMR_DOMAIN_ACCESS_CREATE_ALIAS, NULL,
5957 struct samr_domain_info, &result);
5958 if (!NT_STATUS_IS_OK(result)) {
5959 return result;
5960 }
5961
5962 if (!sid_check_is_our_sam(&dinfo->sid)) {
5963 return NT_STATUS_ACCESS_DENIED;
5964 }
5965
5966 name = r->in.alias_name->string;
5967
5968 result = can_create(p->mem_ctx, name);
5969 if (!NT_STATUS_IS_OK(result)) {
5970 return result;
5971 }
5972
5973 /******** BEGIN SeAddUsers BLOCK *********/
5974
5975 become_root();
5976 /* Have passdb create the alias */
5977 result = pdb_create_alias(name, r->out.rid);
5978 unbecome_root();
5979
5980 /******** END SeAddUsers BLOCK *********/
5981
5982 if (!NT_STATUS_IS_OK(result)) {
5983 DEBUG(10, ("pdb_create_alias failed: %s\n",
5984 nt_errstr(result)));
5985 return result;
5986 }
5987
5988 sid_compose(&info_sid, &dinfo->sid, *r->out.rid);
5989
5990 if (!sid_to_gid(&info_sid, &gid)) {
5991 DEBUG(10, ("Could not find alias just created\n"));
5992 return NT_STATUS_ACCESS_DENIED;
5993 }
5994
5995 /* check if the group has been successfully created */
5996 if ( getgrgid(gid) == NULL ) {
5997 DEBUG(1, ("getgrgid(%u) of just created alias failed\n",
5998 (unsigned int)gid));
5999 return NT_STATUS_ACCESS_DENIED;
6000 }
6001
6002 ainfo = policy_handle_create(p, r->out.alias_handle,
6003 GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
6004 struct samr_alias_info, &result);
6005 if (!NT_STATUS_IS_OK(result)) {
6006 return result;
6007 }
6008 ainfo->sid = info_sid;
6009
6010 force_flush_samr_cache(&info_sid);
6011
6012 return NT_STATUS_OK;
6013 }
6014
6015 /*********************************************************************
6016 _samr_QueryGroupInfo
6017 *********************************************************************/
6018
6019 NTSTATUS _samr_QueryGroupInfo(struct pipes_struct *p,
6020 struct samr_QueryGroupInfo *r)
6021 {
6022 struct samr_group_info *ginfo;
6023 NTSTATUS status;
6024 GROUP_MAP *map;
6025 union samr_GroupInfo *info = NULL;
6026 bool ret;
6027 uint32_t attributes = SE_GROUP_MANDATORY |
6028 SE_GROUP_ENABLED_BY_DEFAULT |
6029 SE_GROUP_ENABLED;
6030 const char *group_name = NULL;
6031 const char *group_description = NULL;
6032
6033 ginfo = policy_handle_find(p, r->in.group_handle,
6034 SAMR_GROUP_ACCESS_LOOKUP_INFO, NULL,
6035 struct samr_group_info, &status);
6036 if (!NT_STATUS_IS_OK(status)) {
6037 return status;
6038 }
6039
6040 map = talloc_zero(p->mem_ctx, GROUP_MAP);
6041 if (!map) {
6042 return NT_STATUS_NO_MEMORY;
6043 }
6044
6045 become_root();
6046 ret = get_domain_group_from_sid(ginfo->sid, map);
6047 unbecome_root();
6048 if (!ret)
6049 return NT_STATUS_INVALID_HANDLE;
6050
6051 group_name = talloc_move(r, &map->nt_name);
6052 group_description = talloc_move(r, &map->comment);
6053
6054 TALLOC_FREE(map);
6055
6056 info = talloc_zero(p->mem_ctx, union samr_GroupInfo);
6057 if (!info) {
6058 return NT_STATUS_NO_MEMORY;
6059 }
6060
6061 switch (r->in.level) {
6062 case 1: {
6063 uint32 *members;
6064 size_t num_members;
6065
6066 become_root();
6067 status = pdb_enum_group_members(
6068 p->mem_ctx, &ginfo->sid, &members,
6069 &num_members);
6070 unbecome_root();
6071
6072 if (!NT_STATUS_IS_OK(status)) {
6073 return status;
6074 }
6075
6076 info->all.name.string = group_name;
6077 info->all.attributes = attributes;
6078 info->all.num_members = num_members;
6079 info->all.description.string = group_description;
6080 break;
6081 }
6082 case 2:
6083 info->name.string = group_name;
6084 break;
6085 case 3:
6086 info->attributes.attributes = attributes;
6087 break;
6088 case 4:
6089 info->description.string = group_description;
6090 break;
6091 case 5: {
6092 /*
6093 uint32 *members;
6094 size_t num_members;
6095 */
6096
6097 /*
6098 become_root();
6099 status = pdb_enum_group_members(
6100 p->mem_ctx, &ginfo->sid, &members,
6101 &num_members);
6102 unbecome_root();
6103
6104 if (!NT_STATUS_IS_OK(status)) {
6105 return status;
6106 }
6107 */
6108 info->all2.name.string = group_name;
6109 info->all2.attributes = attributes;
6110 info->all2.num_members = 0; /* num_members - in w2k3 this is always 0 */
6111 info->all2.description.string = group_description;
6112
6113 break;
6114 }
6115 default:
6116 return NT_STATUS_INVALID_INFO_CLASS;
6117 }
6118
6119 *r->out.info = info;
6120
6121 return NT_STATUS_OK;
6122 }
6123
6124 /*********************************************************************
6125 _samr_SetGroupInfo
6126 *********************************************************************/
6127
6128 NTSTATUS _samr_SetGroupInfo(struct pipes_struct *p,
6129 struct samr_SetGroupInfo *r)
6130 {
6131 struct samr_group_info *ginfo;
6132 GROUP_MAP *map;
6133 NTSTATUS status;
6134 bool ret;
6135
6136 ginfo = policy_handle_find(p, r->in.group_handle,
6137 SAMR_GROUP_ACCESS_SET_INFO, NULL,
6138 struct samr_group_info, &status);
6139 if (!NT_STATUS_IS_OK(status)) {
6140 return status;
6141 }
6142
6143 map = talloc_zero(p->mem_ctx, GROUP_MAP);
6144 if (!map) {
6145 return NT_STATUS_NO_MEMORY;
6146 }
6147
6148 become_root();
6149 ret = get_domain_group_from_sid(ginfo->sid, map);
6150 unbecome_root();
6151 if (!ret)
6152 return NT_STATUS_NO_SUCH_GROUP;
6153
6154 switch (r->in.level) {
6155 case 2:
6156 map->nt_name = talloc_strdup(map,
6157 r->in.info->name.string);
6158 if (!map->nt_name) {
6159 return NT_STATUS_NO_MEMORY;
6160 }
6161 break;
6162 case 3:
6163 break;
6164 case 4:
6165 map->comment = talloc_strdup(map,
6166 r->in.info->description.string);
6167 if (!map->comment) {
6168 return NT_STATUS_NO_MEMORY;
6169 }
6170 break;
6171 default:
6172 return NT_STATUS_INVALID_INFO_CLASS;
6173 }
6174
6175 /******** BEGIN SeAddUsers BLOCK *********/
6176
6177 become_root();
6178 status = pdb_update_group_mapping_entry(map);
6179 unbecome_root();
6180
6181 /******** End SeAddUsers BLOCK *********/
6182
6183 TALLOC_FREE(map);
6184
6185 if (NT_STATUS_IS_OK(status)) {
6186 force_flush_samr_cache(&ginfo->sid);
6187 }
6188
6189 return status;
6190 }
6191
6192 /*********************************************************************
6193 _samr_SetAliasInfo
6194 *********************************************************************/
6195
6196 NTSTATUS _samr_SetAliasInfo(struct pipes_struct *p,
6197 struct samr_SetAliasInfo *r)
6198 {
6199 struct samr_alias_info *ainfo;
6200 struct acct_info *info;
6201 NTSTATUS status;
6202
6203 ainfo = policy_handle_find(p, r->in.alias_handle,
6204 SAMR_ALIAS_ACCESS_SET_INFO, NULL,
6205 struct samr_alias_info, &status);
6206 if (!NT_STATUS_IS_OK(status)) {
6207 return status;
6208 }
6209
6210 info = talloc_zero(p->mem_ctx, struct acct_info);
6211 if (!info) {
6212 return NT_STATUS_NO_MEMORY;
6213 }
6214
6215 /* get the current group information */
6216
6217 become_root();
6218 status = pdb_get_aliasinfo(&ainfo->sid, info);
6219 unbecome_root();
6220
6221 if ( !NT_STATUS_IS_OK(status))
6222 return status;
6223
6224 switch (r->in.level) {
6225 case ALIASINFONAME:
6226 {
6227 char *group_name;
6228
6229 /* We currently do not support renaming groups in the
6230 the BUILTIN domain. Refer to util_builtin.c to understand
6231 why. The eventually needs to be fixed to be like Windows
6232 where you can rename builtin groups, just not delete them */
6233
6234 if ( sid_check_is_in_builtin( &ainfo->sid ) ) {
6235 return NT_STATUS_SPECIAL_ACCOUNT;
6236 }
6237
6238 /* There has to be a valid name (and it has to be different) */
6239
6240 if ( !r->in.info->name.string )
6241 return NT_STATUS_INVALID_PARAMETER;
6242
6243 /* If the name is the same just reply "ok". Yes this
6244 doesn't allow you to change the case of a group name. */
6245
6246 if (strequal(r->in.info->name.string, info->acct_name)) {
6247 return NT_STATUS_OK;
6248 }
6249
6250 talloc_free(info->acct_name);
6251 info->acct_name = talloc_strdup(info, r->in.info->name.string);
6252 if (!info->acct_name) {
6253 return NT_STATUS_NO_MEMORY;
6254 }
6255
6256 /* make sure the name doesn't already exist as a user
6257 or local group */
6258
6259 group_name = talloc_asprintf(p->mem_ctx,
6260 "%s\\%s",
6261 lp_netbios_name(),
6262 info->acct_name);
6263 if (group_name == NULL) {
6264 return NT_STATUS_NO_MEMORY;
6265 }
6266
6267 status = can_create( p->mem_ctx, group_name );
6268 talloc_free(group_name);
6269 if ( !NT_STATUS_IS_OK( status ) )
6270 return status;
6271 break;
6272 }
6273 case ALIASINFODESCRIPTION:
6274 TALLOC_FREE(info->acct_desc);
6275 if (r->in.info->description.string) {
6276 info->acct_desc = talloc_strdup(info,
6277 r->in.info->description.string);
6278 } else {
6279 info->acct_desc = talloc_strdup(info, "");
6280 }
6281 if (!info->acct_desc) {
6282 return NT_STATUS_NO_MEMORY;
6283 }
6284 break;
6285 default:
6286 return NT_STATUS_INVALID_INFO_CLASS;
6287 }
6288
6289 /******** BEGIN SeAddUsers BLOCK *********/
6290
6291 become_root();
6292 status = pdb_set_aliasinfo(&ainfo->sid, info);
6293 unbecome_root();
6294
6295 /******** End SeAddUsers BLOCK *********/
6296
6297 if (NT_STATUS_IS_OK(status))
6298 force_flush_samr_cache(&ainfo->sid);
6299
6300 return status;
6301 }
6302
6303 /****************************************************************
6304 _samr_GetDomPwInfo
6305 ****************************************************************/
6306
6307 NTSTATUS _samr_GetDomPwInfo(struct pipes_struct *p,
6308 struct samr_GetDomPwInfo *r)
6309 {
6310 uint32_t min_password_length = 0;
6311 uint32_t password_properties = 0;
6312
6313 /* Perform access check. Since this rpc does not require a
6314 policy handle it will not be caught by the access checks on
6315 SAMR_CONNECT or SAMR_CONNECT_ANON. */
6316
6317 if (!pipe_access_check(p)) {
6318 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
6319 return NT_STATUS_ACCESS_DENIED;
6320 }
6321
6322 become_root();
6323 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
6324 &min_password_length);
6325 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
6326 &password_properties);
6327 unbecome_root();
6328
6329 if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
6330 password_properties |= DOMAIN_PASSWORD_COMPLEX;
6331 }
6332
6333 r->out.info->min_password_length = min_password_length;
6334 r->out.info->password_properties = password_properties;
6335
6336 return NT_STATUS_OK;
6337 }
6338
6339 /*********************************************************************
6340 _samr_OpenGroup
6341 *********************************************************************/
6342
6343 NTSTATUS _samr_OpenGroup(struct pipes_struct *p,
6344 struct samr_OpenGroup *r)
6345
6346 {
6347 struct dom_sid info_sid;
6348 GROUP_MAP *map;
6349 struct samr_domain_info *dinfo;
6350 struct samr_group_info *ginfo;
6351 struct security_descriptor *psd = NULL;
6352 uint32 acc_granted;
6353 uint32 des_access = r->in.access_mask;
6354 size_t sd_size;
6355 NTSTATUS status;
6356 bool ret;
6357
6358 dinfo = policy_handle_find(p, r->in.domain_handle,
6359 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
6360 struct samr_domain_info, &status);
6361 if (!NT_STATUS_IS_OK(status)) {
6362 return status;
6363 }
6364
6365 /*check if access can be granted as requested by client. */
6366 map_max_allowed_access(p->session_info->security_token,
6367 p->session_info->unix_token,
6368 &des_access);
6369
6370 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
6371 se_map_generic(&des_access,&grp_generic_mapping);
6372
6373 status = access_check_object(psd, p->session_info->security_token,
6374 SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
6375 des_access, &acc_granted, "_samr_OpenGroup");
6376
6377 if ( !NT_STATUS_IS_OK(status) )
6378 return status;
6379
6380 /* this should not be hard-coded like this */
6381
6382 if (!sid_check_is_our_sam(&dinfo->sid)) {
6383 return NT_STATUS_ACCESS_DENIED;
6384 }
6385
6386 sid_compose(&info_sid, &dinfo->sid, r->in.rid);
6387
6388 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n",
6389 sid_string_dbg(&info_sid)));
6390
6391 map = talloc_zero(p->mem_ctx, GROUP_MAP);
6392 if (!map) {
6393 return NT_STATUS_NO_MEMORY;
6394 }
6395
6396 /* check if that group really exists */
6397 become_root();
6398 ret = get_domain_group_from_sid(info_sid, map);
6399 unbecome_root();
6400 if (!ret)
6401 return NT_STATUS_NO_SUCH_GROUP;
6402
6403 TALLOC_FREE(map);
6404
6405 ginfo = policy_handle_create(p, r->out.group_handle,
6406 acc_granted,
6407 struct samr_group_info, &status);
6408 if (!NT_STATUS_IS_OK(status)) {
6409 return status;
6410 }
6411 ginfo->sid = info_sid;
6412
6413 return NT_STATUS_OK;
6414 }
6415
6416 /*********************************************************************
6417 _samr_RemoveMemberFromForeignDomain
6418 *********************************************************************/
6419
6420 NTSTATUS _samr_RemoveMemberFromForeignDomain(struct pipes_struct *p,
6421 struct samr_RemoveMemberFromForeignDomain *r)
6422 {
6423 struct samr_domain_info *dinfo;
6424 NTSTATUS result;
6425
6426 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
6427 sid_string_dbg(r->in.sid)));
6428
6429 /* Find the policy handle. Open a policy on it. */
6430
6431 dinfo = policy_handle_find(p, r->in.domain_handle,
6432 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
6433 struct samr_domain_info, &result);
6434 if (!NT_STATUS_IS_OK(result)) {
6435 return result;
6436 }
6437
6438 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
6439 sid_string_dbg(&dinfo->sid)));
6440
6441 /* we can only delete a user from a group since we don't have
6442 nested groups anyways. So in the latter case, just say OK */
6443
6444 /* TODO: The above comment nowadays is bogus. Since we have nested
6445 * groups now, and aliases members are never reported out of the unix
6446 * group membership, the "just say OK" makes this call a no-op. For
6447 * us. This needs fixing however. */
6448
6449 /* I've only ever seen this in the wild when deleting a user from
6450 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
6451 * is the user about to be deleted. I very much suspect this is the
6452 * only application of this call. To verify this, let people report
6453 * other cases. */
6454
6455 if (!sid_check_is_builtin(&dinfo->sid)) {
6456 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
6457 "global_sam_sid() = %s\n",
6458 sid_string_dbg(&dinfo->sid),
6459 sid_string_dbg(get_global_sam_sid())));
6460 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
6461 return NT_STATUS_OK;
6462 }
6463
6464 force_flush_samr_cache(&dinfo->sid);
6465
6466 result = NT_STATUS_OK;
6467
6468 return result;
6469 }
6470
6471 /*******************************************************************
6472 _samr_QueryDomainInfo2
6473 ********************************************************************/
6474
6475 NTSTATUS _samr_QueryDomainInfo2(struct pipes_struct *p,
6476 struct samr_QueryDomainInfo2 *r)
6477 {
6478 struct samr_QueryDomainInfo q;
6479
6480 q.in.domain_handle = r->in.domain_handle;
6481 q.in.level = r->in.level;
6482
6483 q.out.info = r->out.info;
6484
6485 return _samr_QueryDomainInfo(p, &q);
6486 }
6487
6488 /*******************************************************************
6489 ********************************************************************/
6490
6491 static NTSTATUS set_dom_info_1(TALLOC_CTX *mem_ctx,
6492 struct samr_DomInfo1 *r)
6493 {
6494 time_t u_expire, u_min_age;
6495
6496 u_expire = nt_time_to_unix_abs((NTTIME *)&r->max_password_age);
6497 u_min_age = nt_time_to_unix_abs((NTTIME *)&r->min_password_age);
6498
6499 pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
6500 (uint32_t)r->min_password_length);
6501 pdb_set_account_policy(PDB_POLICY_PASSWORD_HISTORY,
6502 (uint32_t)r->password_history_length);
6503 pdb_set_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
6504 (uint32_t)r->password_properties);
6505 pdb_set_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, (int)u_expire);
6506 pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, (int)u_min_age);
6507
6508 return NT_STATUS_OK;
6509 }
6510
6511 /*******************************************************************
6512 ********************************************************************/
6513
6514 static NTSTATUS set_dom_info_3(TALLOC_CTX *mem_ctx,
6515 struct samr_DomInfo3 *r)
6516 {
6517 time_t u_logout;
6518
6519 u_logout = nt_time_to_unix_abs((NTTIME *)&r->force_logoff_time);
6520
6521 pdb_set_account_policy(PDB_POLICY_TIME_TO_LOGOUT, (int)u_logout);
6522
6523 return NT_STATUS_OK;
6524 }
6525
6526 /*******************************************************************
6527 ********************************************************************/
6528
6529 static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx,
6530 struct samr_DomInfo12 *r)
6531 {
6532 time_t u_lock_duration, u_reset_time;
6533
6534 u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration);
6535 if (u_lock_duration != -1) {
6536 u_lock_duration /= 60;
6537 }
6538
6539 u_reset_time = nt_time_to_unix_abs((NTTIME *)&r->lockout_window)/60;
6540
6541 pdb_set_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
6542 pdb_set_account_policy(PDB_POLICY_RESET_COUNT_TIME, (int)u_reset_time);
6543 pdb_set_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT,
6544 (uint32_t)r->lockout_threshold);
6545
6546 return NT_STATUS_OK;
6547 }
6548
6549 /*******************************************************************
6550 _samr_SetDomainInfo
6551 ********************************************************************/
6552
6553 NTSTATUS _samr_SetDomainInfo(struct pipes_struct *p,
6554 struct samr_SetDomainInfo *r)
6555 {
6556 NTSTATUS status;
6557 uint32_t acc_required = 0;
6558
6559 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
6560
6561 switch (r->in.level) {
6562 case 1: /* DomainPasswordInformation */
6563 case 12: /* DomainLockoutInformation */
6564 /* DOMAIN_WRITE_PASSWORD_PARAMETERS */
6565 acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_1;
6566 break;
6567 case 3: /* DomainLogoffInformation */
6568 case 4: /* DomainOemInformation */
6569 /* DOMAIN_WRITE_OTHER_PARAMETERS */
6570 acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_2;
6571 break;
6572 case 6: /* DomainReplicationInformation */
6573 case 9: /* DomainStateInformation */
6574 case 7: /* DomainServerRoleInformation */
6575 /* DOMAIN_ADMINISTER_SERVER */
6576 acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_3;
6577 break;
6578 default:
6579 return NT_STATUS_INVALID_INFO_CLASS;
6580 }
6581
6582 (void)policy_handle_find(p, r->in.domain_handle,
6583 acc_required, NULL,
6584 struct samr_domain_info, &status);
6585 if (!NT_STATUS_IS_OK(status)) {
6586 return status;
6587 }
6588
6589 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
6590
6591 switch (r->in.level) {
6592 case 1:
6593 status = set_dom_info_1(p->mem_ctx, &r->in.info->info1);
6594 break;
6595 case 3:
6596 status = set_dom_info_3(p->mem_ctx, &r->in.info->info3);
6597 break;
6598 case 4:
6599 break;
6600 case 6:
6601 break;
6602 case 7:
6603 break;
6604 case 9:
6605 break;
6606 case 12:
6607 status = set_dom_info_12(p->mem_ctx, &r->in.info->info12);
6608 break;
6609 default:
6610 return NT_STATUS_INVALID_INFO_CLASS;
6611 }
6612
6613 if (!NT_STATUS_IS_OK(status)) {
6614 return status;
6615 }
6616
6617 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
6618
6619 return NT_STATUS_OK;
6620 }
6621
6622 /****************************************************************
6623 _samr_GetDisplayEnumerationIndex
6624 ****************************************************************/
6625
6626 NTSTATUS _samr_GetDisplayEnumerationIndex(struct pipes_struct *p,
6627 struct samr_GetDisplayEnumerationIndex *r)
6628 {
6629 struct samr_domain_info *dinfo;
6630 uint32_t max_entries = (uint32_t) -1;
6631 uint32_t enum_context = 0;
6632 int i;
6633 uint32_t num_account = 0;
6634 struct samr_displayentry *entries = NULL;
6635 NTSTATUS status;
6636
6637 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
6638
6639 dinfo = policy_handle_find(p, r->in.domain_handle,
6640 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
6641 struct samr_domain_info, &status);
6642 if (!NT_STATUS_IS_OK(status)) {
6643 return status;
6644 }
6645
6646 if ((r->in.level < 1) || (r->in.level > 3)) {
6647 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
6648 "Unknown info level (%u)\n",
6649 r->in.level));
6650 return NT_STATUS_INVALID_INFO_CLASS;
6651 }
6652
6653 become_root();
6654
6655 /* The following done as ROOT. Don't return without unbecome_root(). */
6656
6657 switch (r->in.level) {
6658 case 1:
6659 if (dinfo->disp_info->users == NULL) {
6660 dinfo->disp_info->users = pdb_search_users(
6661 dinfo->disp_info, ACB_NORMAL);
6662 if (dinfo->disp_info->users == NULL) {
6663 unbecome_root();
6664 return NT_STATUS_ACCESS_DENIED;
6665 }
6666 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6667 "starting user enumeration at index %u\n",
6668 (unsigned int)enum_context));
6669 } else {
6670 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6671 "using cached user enumeration at index %u\n",
6672 (unsigned int)enum_context));
6673 }
6674 num_account = pdb_search_entries(dinfo->disp_info->users,
6675 enum_context, max_entries,
6676 &entries);
6677 break;
6678 case 2:
6679 if (dinfo->disp_info->machines == NULL) {
6680 dinfo->disp_info->machines = pdb_search_users(
6681 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
6682 if (dinfo->disp_info->machines == NULL) {
6683 unbecome_root();
6684 return NT_STATUS_ACCESS_DENIED;
6685 }
6686 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6687 "starting machine enumeration at index %u\n",
6688 (unsigned int)enum_context));
6689 } else {
6690 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6691 "using cached machine enumeration at index %u\n",
6692 (unsigned int)enum_context));
6693 }
6694 num_account = pdb_search_entries(dinfo->disp_info->machines,
6695 enum_context, max_entries,
6696 &entries);
6697 break;
6698 case 3:
6699 if (dinfo->disp_info->groups == NULL) {
6700 dinfo->disp_info->groups = pdb_search_groups(
6701 dinfo->disp_info);
6702 if (dinfo->disp_info->groups == NULL) {
6703 unbecome_root();
6704 return NT_STATUS_ACCESS_DENIED;
6705 }
6706 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6707 "starting group enumeration at index %u\n",
6708 (unsigned int)enum_context));
6709 } else {
6710 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6711 "using cached group enumeration at index %u\n",
6712 (unsigned int)enum_context));
6713 }
6714 num_account = pdb_search_entries(dinfo->disp_info->groups,
6715 enum_context, max_entries,
6716 &entries);
6717 break;
6718 default:
6719 unbecome_root();
6720 smb_panic("info class changed");
6721 break;
6722 }
6723
6724 unbecome_root();
6725
6726 /* Ensure we cache this enumeration. */
6727 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
6728
6729 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
6730 r->in.name->string));
6731
6732 for (i=0; i<num_account; i++) {
6733 if (strequal(entries[i].account_name, r->in.name->string)) {
6734 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6735 "found %s at idx %d\n",
6736 r->in.name->string, i));
6737 *r->out.idx = i;
6738 return NT_STATUS_OK;
6739 }
6740 }
6741
6742 /* assuming account_name lives at the very end */
6743 *r->out.idx = num_account;
6744
6745 return NT_STATUS_NO_MORE_ENTRIES;
6746 }
6747
6748 /****************************************************************
6749 _samr_GetDisplayEnumerationIndex2
6750 ****************************************************************/
6751
6752 NTSTATUS _samr_GetDisplayEnumerationIndex2(struct pipes_struct *p,
6753 struct samr_GetDisplayEnumerationIndex2 *r)
6754 {
6755 struct samr_GetDisplayEnumerationIndex q;
6756
6757 q.in.domain_handle = r->in.domain_handle;
6758 q.in.level = r->in.level;
6759 q.in.name = r->in.name;
6760
6761 q.out.idx = r->out.idx;
6762
6763 return _samr_GetDisplayEnumerationIndex(p, &q);
6764 }
6765
6766 /****************************************************************
6767 _samr_RidToSid
6768 ****************************************************************/
6769
6770 NTSTATUS _samr_RidToSid(struct pipes_struct *p,
6771 struct samr_RidToSid *r)
6772 {
6773 struct samr_domain_info *dinfo;
6774 NTSTATUS status;
6775 struct dom_sid sid;
6776
6777 dinfo = policy_handle_find(p, r->in.domain_handle,
6778 0, NULL,
6779 struct samr_domain_info, &status);
6780 if (!NT_STATUS_IS_OK(status)) {
6781 return status;
6782 }
6783
6784 if (!sid_compose(&sid, &dinfo->sid, r->in.rid)) {
6785 return NT_STATUS_NO_MEMORY;
6786 }
6787
6788 *r->out.sid = dom_sid_dup(p->mem_ctx, &sid);
6789 if (!*r->out.sid) {
6790 return NT_STATUS_NO_MEMORY;
6791 }
6792
6793 return NT_STATUS_OK;
6794 }
6795
6796 /****************************************************************
6797 ****************************************************************/
6798
6799 static enum samr_ValidationStatus samr_ValidatePassword_Change(TALLOC_CTX *mem_ctx,
6800 const struct samr_PwInfo *dom_pw_info,
6801 const struct samr_ValidatePasswordReq2 *req,
6802 struct samr_ValidatePasswordRepCtr *rep)
6803 {
6804 NTSTATUS status;
6805
6806 if (req->password.string == NULL) {
6807 return SAMR_VALIDATION_STATUS_SUCCESS;
6808 }
6809 if (strlen(req->password.string) < dom_pw_info->min_password_length) {
6810 ZERO_STRUCT(rep->info);
6811 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
6812 }
6813 if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
6814 status = check_password_complexity(req->account.string,
6815 req->password.string,
6816 NULL);
6817 if (!NT_STATUS_IS_OK(status)) {
6818 ZERO_STRUCT(rep->info);
6819 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
6820 }
6821 }
6822
6823 return SAMR_VALIDATION_STATUS_SUCCESS;
6824 }
6825
6826 /****************************************************************
6827 ****************************************************************/
6828
6829 static enum samr_ValidationStatus samr_ValidatePassword_Reset(TALLOC_CTX *mem_ctx,
6830 const struct samr_PwInfo *dom_pw_info,
6831 const struct samr_ValidatePasswordReq3 *req,
6832 struct samr_ValidatePasswordRepCtr *rep)
6833 {
6834 NTSTATUS status;
6835
6836 if (req->password.string == NULL) {
6837 return SAMR_VALIDATION_STATUS_SUCCESS;
6838 }
6839 if (strlen(req->password.string) < dom_pw_info->min_password_length) {
6840 ZERO_STRUCT(rep->info);
6841 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
6842 }
6843 if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
6844 status = check_password_complexity(req->account.string,
6845 req->password.string,
6846 NULL);
6847 if (!NT_STATUS_IS_OK(status)) {
6848 ZERO_STRUCT(rep->info);
6849 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
6850 }
6851 }
6852
6853 return SAMR_VALIDATION_STATUS_SUCCESS;
6854 }
6855
6856 /****************************************************************
6857 _samr_ValidatePassword
6858 ****************************************************************/
6859
6860 NTSTATUS _samr_ValidatePassword(struct pipes_struct *p,
6861 struct samr_ValidatePassword *r)
6862 {
6863 union samr_ValidatePasswordRep *rep;
6864 NTSTATUS status;
6865 struct samr_GetDomPwInfo pw;
6866 struct samr_PwInfo dom_pw_info;
6867
6868 if (p->transport != NCACN_IP_TCP && p->transport != NCALRPC) {
6869 p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
6870 return NT_STATUS_ACCESS_DENIED;
6871 }
6872
6873 if (r->in.level < 1 || r->in.level > 3) {
6874 return NT_STATUS_INVALID_INFO_CLASS;
6875 }
6876
6877 pw.in.domain_name = NULL;
6878 pw.out.info = &dom_pw_info;
6879
6880 status = _samr_GetDomPwInfo(p, &pw);
6881 if (!NT_STATUS_IS_OK(status)) {
6882 return status;
6883 }
6884
6885 rep = talloc_zero(p->mem_ctx, union samr_ValidatePasswordRep);
6886 if (!rep) {
6887 return NT_STATUS_NO_MEMORY;
6888 }
6889
6890 switch (r->in.level) {
6891 case 1:
6892 status = NT_STATUS_NOT_SUPPORTED;
6893 break;
6894 case 2:
6895 rep->ctr2.status = samr_ValidatePassword_Change(p->mem_ctx,
6896 &dom_pw_info,
6897 &r->in.req->req2,
6898 &rep->ctr2);
6899 break;
6900 case 3:
6901 rep->ctr3.status = samr_ValidatePassword_Reset(p->mem_ctx,
6902 &dom_pw_info,
6903 &r->in.req->req3,
6904 &rep->ctr3);
6905 break;
6906 default:
6907 status = NT_STATUS_INVALID_INFO_CLASS;
6908 break;
6909 }
6910
6911 if (!NT_STATUS_IS_OK(status)) {
6912 talloc_free(rep);
6913 return status;
6914 }
6915
6916 *r->out.rep = rep;
6917
6918 return NT_STATUS_OK;
6919 }
6920
6921 /****************************************************************
6922 ****************************************************************/
6923
6924 NTSTATUS _samr_Shutdown(struct pipes_struct *p,
6925 struct samr_Shutdown *r)
6926 {
6927 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6928 return NT_STATUS_NOT_IMPLEMENTED;
6929 }
6930
6931 /****************************************************************
6932 ****************************************************************/
6933
6934 NTSTATUS _samr_SetMemberAttributesOfGroup(struct pipes_struct *p,
6935 struct samr_SetMemberAttributesOfGroup *r)
6936 {
6937 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6938 return NT_STATUS_NOT_IMPLEMENTED;
6939 }
6940
6941 /****************************************************************
6942 ****************************************************************/
6943
6944 NTSTATUS _samr_TestPrivateFunctionsDomain(struct pipes_struct *p,
6945 struct samr_TestPrivateFunctionsDomain *r)
6946 {
6947 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6948 return NT_STATUS_NOT_IMPLEMENTED;
6949 }
6950
6951 /****************************************************************
6952 ****************************************************************/
6953
6954 NTSTATUS _samr_TestPrivateFunctionsUser(struct pipes_struct *p,
6955 struct samr_TestPrivateFunctionsUser *r)
6956 {
6957 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6958 return NT_STATUS_NOT_IMPLEMENTED;
6959 }
6960
6961 /****************************************************************
6962 ****************************************************************/
6963
6964 NTSTATUS _samr_AddMultipleMembersToAlias(struct pipes_struct *p,
6965 struct samr_AddMultipleMembersToAlias *r)
6966 {
6967 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6968 return NT_STATUS_NOT_IMPLEMENTED;
6969 }
6970
6971 /****************************************************************
6972 ****************************************************************/
6973
6974 NTSTATUS _samr_RemoveMultipleMembersFromAlias(struct pipes_struct *p,
6975 struct samr_RemoveMultipleMembersFromAlias *r)
6976 {
6977 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6978 return NT_STATUS_NOT_IMPLEMENTED;
6979 }
6980
6981 /****************************************************************
6982 ****************************************************************/
6983
6984 NTSTATUS _samr_SetBootKeyInformation(struct pipes_struct *p,
6985 struct samr_SetBootKeyInformation *r)
6986 {
6987 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6988 return NT_STATUS_NOT_IMPLEMENTED;
6989 }
6990
6991 /****************************************************************
6992 ****************************************************************/
6993
6994 NTSTATUS _samr_GetBootKeyInformation(struct pipes_struct *p,
6995 struct samr_GetBootKeyInformation *r)
6996 {
6997 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
6998 return NT_STATUS_NOT_IMPLEMENTED;
6999 }
7000
7001 /****************************************************************
7002 ****************************************************************/
7003
7004 NTSTATUS _samr_SetDsrmPassword(struct pipes_struct *p,
7005 struct samr_SetDsrmPassword *r)
7006 {
7007 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
7008 return NT_STATUS_NOT_IMPLEMENTED;
7009 }
Samba GIT mirror