2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
35 #include "system/passwd.h"
36 #include "../libcli/auth/libcli_auth.h"
38 #include "../librpc/gen_ndr/srv_samr.h"
39 #include "rpc_server/samr/srv_samr_util.h"
40 #include "../lib/crypto/arcfour.h"
42 #include "rpc_client/init_lsa.h"
43 #include "../libcli/security/security.h"
46 #include "rpc_server/srv_access_check.h"
47 #include "../lib/tsocket/tsocket.h"
50 #define DBGC_CLASS DBGC_RPC_SRV
52 #define SAMR_USR_RIGHTS_WRITE_PW \
53 ( READ_CONTROL_ACCESS | \
54 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
55 SAMR_USER_ACCESS_SET_LOC_COM)
56 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
57 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
59 #define DISP_INFO_CACHE_TIMEOUT 10
61 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
62 #define MAX_SAM_ENTRIES_W95 50
64 struct samr_connect_info
{
68 struct samr_domain_info
{
70 struct disp_info
*disp_info
;
73 struct samr_user_info
{
77 struct samr_group_info
{
81 struct samr_alias_info
{
85 typedef struct disp_info
{
86 struct dom_sid sid
; /* identify which domain this is. */
87 struct pdb_search
*users
; /* querydispinfo 1 and 4 */
88 struct pdb_search
*machines
; /* querydispinfo 2 */
89 struct pdb_search
*groups
; /* querydispinfo 3 and 5, enumgroups */
90 struct pdb_search
*aliases
; /* enumaliases */
92 uint32_t enum_acb_mask
;
93 struct pdb_search
*enum_users
; /* enumusers with a mask */
95 struct tevent_timer
*cache_timeout_event
; /* cache idle timeout
99 static const struct generic_mapping sam_generic_mapping
= {
100 GENERIC_RIGHTS_SAM_READ
,
101 GENERIC_RIGHTS_SAM_WRITE
,
102 GENERIC_RIGHTS_SAM_EXECUTE
,
103 GENERIC_RIGHTS_SAM_ALL_ACCESS
};
104 static const struct generic_mapping dom_generic_mapping
= {
105 GENERIC_RIGHTS_DOMAIN_READ
,
106 GENERIC_RIGHTS_DOMAIN_WRITE
,
107 GENERIC_RIGHTS_DOMAIN_EXECUTE
,
108 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS
};
109 static const struct generic_mapping usr_generic_mapping
= {
110 GENERIC_RIGHTS_USER_READ
,
111 GENERIC_RIGHTS_USER_WRITE
,
112 GENERIC_RIGHTS_USER_EXECUTE
,
113 GENERIC_RIGHTS_USER_ALL_ACCESS
};
114 static const struct generic_mapping usr_nopwchange_generic_mapping
= {
115 GENERIC_RIGHTS_USER_READ
,
116 GENERIC_RIGHTS_USER_WRITE
,
117 GENERIC_RIGHTS_USER_EXECUTE
& ~SAMR_USER_ACCESS_CHANGE_PASSWORD
,
118 GENERIC_RIGHTS_USER_ALL_ACCESS
};
119 static const struct generic_mapping grp_generic_mapping
= {
120 GENERIC_RIGHTS_GROUP_READ
,
121 GENERIC_RIGHTS_GROUP_WRITE
,
122 GENERIC_RIGHTS_GROUP_EXECUTE
,
123 GENERIC_RIGHTS_GROUP_ALL_ACCESS
};
124 static const struct generic_mapping ali_generic_mapping
= {
125 GENERIC_RIGHTS_ALIAS_READ
,
126 GENERIC_RIGHTS_ALIAS_WRITE
,
127 GENERIC_RIGHTS_ALIAS_EXECUTE
,
128 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
};
130 /*******************************************************************
131 *******************************************************************/
133 static NTSTATUS
make_samr_object_sd( TALLOC_CTX
*ctx
, struct security_descriptor
**psd
, size_t *sd_size
,
134 const struct generic_mapping
*map
,
135 struct dom_sid
*sid
, uint32 sid_access
)
137 struct dom_sid domadmin_sid
;
138 struct security_ace ace
[5]; /* at most 5 entries */
141 struct security_acl
*psa
= NULL
;
143 /* basic access for Everyone */
145 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
146 map
->generic_execute
| map
->generic_read
, 0);
148 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
150 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
151 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
152 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
153 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
155 /* Add Full Access for Domain Admins if we are a DC */
158 sid_compose(&domadmin_sid
, get_global_sam_sid(),
160 init_sec_ace(&ace
[i
++], &domadmin_sid
,
161 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
164 /* if we have a sid, give it some special access */
167 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, sid_access
, 0);
170 /* create the security descriptor */
172 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
173 return NT_STATUS_NO_MEMORY
;
175 if ((*psd
= make_sec_desc(ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
176 SEC_DESC_SELF_RELATIVE
, NULL
, NULL
, NULL
,
177 psa
, sd_size
)) == NULL
)
178 return NT_STATUS_NO_MEMORY
;
183 /*******************************************************************
184 Fetch or create a dispinfo struct.
185 ********************************************************************/
187 static DISP_INFO
*get_samr_dispinfo_by_sid(const struct dom_sid
*psid
)
190 * We do a static cache for DISP_INFO's here. Explanation can be found
191 * in Jeremy's checkin message to r11793:
193 * Fix the SAMR cache so it works across completely insane
194 * client behaviour (ie.:
195 * open pipe/open SAMR handle/enumerate 0 - 1024
196 * close SAMR handle, close pipe.
197 * open pipe/open SAMR handle/enumerate 1024 - 2048...
198 * close SAMR handle, close pipe.
199 * And on ad-nausium. Amazing.... probably object-oriented
200 * client side programming in action yet again.
201 * This change should *massively* improve performance when
202 * enumerating users from an LDAP database.
205 * "Our" and the builtin domain are the only ones where we ever
206 * enumerate stuff, so just cache 2 entries.
209 static struct disp_info
*builtin_dispinfo
;
210 static struct disp_info
*domain_dispinfo
;
212 /* There are two cases to consider here:
213 1) The SID is a domain SID and we look for an equality match, or
214 2) This is an account SID and so we return the DISP_INFO* for our
221 if (sid_check_is_builtin(psid
) || sid_check_is_in_builtin(psid
)) {
223 * Necessary only once, but it does not really hurt.
225 if (builtin_dispinfo
== NULL
) {
226 builtin_dispinfo
= talloc_zero(NULL
, struct disp_info
);
227 if (builtin_dispinfo
== NULL
) {
231 sid_copy(&builtin_dispinfo
->sid
, &global_sid_Builtin
);
233 return builtin_dispinfo
;
236 if (sid_check_is_our_sam(psid
) || sid_check_is_in_our_sam(psid
)) {
238 * Necessary only once, but it does not really hurt.
240 if (domain_dispinfo
== NULL
) {
241 domain_dispinfo
= talloc_zero(NULL
, struct disp_info
);
242 if (domain_dispinfo
== NULL
) {
246 sid_copy(&domain_dispinfo
->sid
, get_global_sam_sid());
248 return domain_dispinfo
;
254 /*******************************************************************
255 Function to free the per SID data.
256 ********************************************************************/
258 static void free_samr_cache(DISP_INFO
*disp_info
)
260 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
261 sid_string_dbg(&disp_info
->sid
)));
263 /* We need to become root here because the paged search might have to
264 * tell the LDAP server we're not interested in the rest anymore. */
268 TALLOC_FREE(disp_info
->users
);
269 TALLOC_FREE(disp_info
->machines
);
270 TALLOC_FREE(disp_info
->groups
);
271 TALLOC_FREE(disp_info
->aliases
);
272 TALLOC_FREE(disp_info
->enum_users
);
277 /*******************************************************************
278 Idle event handler. Throw away the disp info cache.
279 ********************************************************************/
281 static void disp_info_cache_idle_timeout_handler(struct tevent_context
*ev_ctx
,
282 struct tevent_timer
*te
,
286 DISP_INFO
*disp_info
= (DISP_INFO
*)private_data
;
288 TALLOC_FREE(disp_info
->cache_timeout_event
);
290 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
292 free_samr_cache(disp_info
);
295 /*******************************************************************
296 Setup cache removal idle event handler.
297 ********************************************************************/
299 static void set_disp_info_cache_timeout(DISP_INFO
*disp_info
, time_t secs_fromnow
)
301 /* Remove any pending timeout and update. */
303 TALLOC_FREE(disp_info
->cache_timeout_event
);
305 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
306 "SID %s for %u seconds\n", sid_string_dbg(&disp_info
->sid
),
307 (unsigned int)secs_fromnow
));
309 disp_info
->cache_timeout_event
= tevent_add_timer(
310 server_event_context(), NULL
,
311 timeval_current_ofs(secs_fromnow
, 0),
312 disp_info_cache_idle_timeout_handler
, (void *)disp_info
);
315 /*******************************************************************
316 Force flush any cache. We do this on any samr_set_xxx call.
317 We must also remove the timeout handler.
318 ********************************************************************/
320 static void force_flush_samr_cache(const struct dom_sid
*sid
)
322 struct disp_info
*disp_info
= get_samr_dispinfo_by_sid(sid
);
324 if ((disp_info
== NULL
) || (disp_info
->cache_timeout_event
== NULL
)) {
328 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
329 TALLOC_FREE(disp_info
->cache_timeout_event
);
330 free_samr_cache(disp_info
);
333 /*******************************************************************
334 Ensure password info is never given out. Paranioa... JRA.
335 ********************************************************************/
337 static void samr_clear_sam_passwd(struct samu
*sam_pass
)
343 /* These now zero out the old password */
345 pdb_set_lanman_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
346 pdb_set_nt_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
349 static uint32
count_sam_users(struct disp_info
*info
, uint32 acct_flags
)
351 struct samr_displayentry
*entry
;
353 if (sid_check_is_builtin(&info
->sid
)) {
354 /* No users in builtin. */
358 if (info
->users
== NULL
) {
359 info
->users
= pdb_search_users(info
, acct_flags
);
360 if (info
->users
== NULL
) {
364 /* Fetch the last possible entry, thus trigger an enumeration */
365 pdb_search_entries(info
->users
, 0xffffffff, 1, &entry
);
367 /* Ensure we cache this enumeration. */
368 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
370 return info
->users
->num_entries
;
373 static uint32
count_sam_groups(struct disp_info
*info
)
375 struct samr_displayentry
*entry
;
377 if (sid_check_is_builtin(&info
->sid
)) {
378 /* No groups in builtin. */
382 if (info
->groups
== NULL
) {
383 info
->groups
= pdb_search_groups(info
);
384 if (info
->groups
== NULL
) {
388 /* Fetch the last possible entry, thus trigger an enumeration */
389 pdb_search_entries(info
->groups
, 0xffffffff, 1, &entry
);
391 /* Ensure we cache this enumeration. */
392 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
394 return info
->groups
->num_entries
;
397 static uint32
count_sam_aliases(struct disp_info
*info
)
399 struct samr_displayentry
*entry
;
401 if (info
->aliases
== NULL
) {
402 info
->aliases
= pdb_search_aliases(info
, &info
->sid
);
403 if (info
->aliases
== NULL
) {
407 /* Fetch the last possible entry, thus trigger an enumeration */
408 pdb_search_entries(info
->aliases
, 0xffffffff, 1, &entry
);
410 /* Ensure we cache this enumeration. */
411 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
413 return info
->aliases
->num_entries
;
416 /*******************************************************************
418 ********************************************************************/
420 NTSTATUS
_samr_Close(struct pipes_struct
*p
, struct samr_Close
*r
)
422 if (!close_policy_hnd(p
, r
->in
.handle
)) {
423 return NT_STATUS_INVALID_HANDLE
;
426 ZERO_STRUCTP(r
->out
.handle
);
431 /*******************************************************************
433 ********************************************************************/
435 NTSTATUS
_samr_OpenDomain(struct pipes_struct
*p
,
436 struct samr_OpenDomain
*r
)
438 struct samr_domain_info
*dinfo
;
439 struct security_descriptor
*psd
= NULL
;
441 uint32 des_access
= r
->in
.access_mask
;
444 uint32_t extra_access
= SAMR_DOMAIN_ACCESS_CREATE_USER
;
446 /* find the connection policy handle. */
448 (void)policy_handle_find(p
, r
->in
.connect_handle
, 0, NULL
,
449 struct samr_connect_info
, &status
);
450 if (!NT_STATUS_IS_OK(status
)) {
454 /*check if access can be granted as requested by client. */
455 map_max_allowed_access(p
->session_info
->security_token
,
456 p
->session_info
->unix_token
,
459 make_samr_object_sd( p
->mem_ctx
, &psd
, &sd_size
, &dom_generic_mapping
, NULL
, 0 );
460 se_map_generic( &des_access
, &dom_generic_mapping
);
463 * Users with SeAddUser get the ability to manipulate groups
466 if (security_token_has_privilege(p
->session_info
->security_token
, SEC_PRIV_ADD_USERS
)) {
467 extra_access
|= (SAMR_DOMAIN_ACCESS_CREATE_GROUP
|
468 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
|
469 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
|
470 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
|
471 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
);
475 * Users with SeMachineAccount or SeAddUser get additional
476 * SAMR_DOMAIN_ACCESS_CREATE_USER access.
479 status
= access_check_object( psd
, p
->session_info
->security_token
,
480 SEC_PRIV_MACHINE_ACCOUNT
, SEC_PRIV_ADD_USERS
,
481 extra_access
, des_access
,
482 &acc_granted
, "_samr_OpenDomain" );
484 if ( !NT_STATUS_IS_OK(status
) )
487 if (!sid_check_is_our_sam(r
->in
.sid
) &&
488 !sid_check_is_builtin(r
->in
.sid
)) {
489 return NT_STATUS_NO_SUCH_DOMAIN
;
492 dinfo
= policy_handle_create(p
, r
->out
.domain_handle
, acc_granted
,
493 struct samr_domain_info
, &status
);
494 if (!NT_STATUS_IS_OK(status
)) {
497 dinfo
->sid
= *r
->in
.sid
;
498 dinfo
->disp_info
= get_samr_dispinfo_by_sid(r
->in
.sid
);
500 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__
));
505 /*******************************************************************
507 ********************************************************************/
509 NTSTATUS
_samr_GetUserPwInfo(struct pipes_struct
*p
,
510 struct samr_GetUserPwInfo
*r
)
512 struct samr_user_info
*uinfo
;
513 enum lsa_SidType sid_type
;
514 uint32_t min_password_length
= 0;
515 uint32_t password_properties
= 0;
519 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
521 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
522 SAMR_USER_ACCESS_GET_ATTRIBUTES
, NULL
,
523 struct samr_user_info
, &status
);
524 if (!NT_STATUS_IS_OK(status
)) {
528 if (!sid_check_is_in_our_sam(&uinfo
->sid
)) {
529 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
533 ret
= lookup_sid(p
->mem_ctx
, &uinfo
->sid
, NULL
, NULL
, &sid_type
);
536 return NT_STATUS_NO_SUCH_USER
;
542 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
,
543 &min_password_length
);
544 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
545 &password_properties
);
548 if (lp_check_password_script(talloc_tos())
549 && *lp_check_password_script(talloc_tos())) {
550 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
558 r
->out
.info
->min_password_length
= min_password_length
;
559 r
->out
.info
->password_properties
= password_properties
;
561 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
566 /*******************************************************************
568 ********************************************************************/
570 NTSTATUS
_samr_SetSecurity(struct pipes_struct
*p
,
571 struct samr_SetSecurity
*r
)
573 struct samr_user_info
*uinfo
;
575 struct security_acl
*dacl
;
577 struct samu
*sampass
=NULL
;
580 uinfo
= policy_handle_find(p
, r
->in
.handle
,
581 SAMR_USER_ACCESS_SET_ATTRIBUTES
, NULL
,
582 struct samr_user_info
, &status
);
583 if (!NT_STATUS_IS_OK(status
)) {
587 if (!(sampass
= samu_new( p
->mem_ctx
))) {
588 DEBUG(0,("No memory!\n"));
589 return NT_STATUS_NO_MEMORY
;
592 /* get the user record */
594 ret
= pdb_getsampwsid(sampass
, &uinfo
->sid
);
598 DEBUG(4, ("User %s not found\n",
599 sid_string_dbg(&uinfo
->sid
)));
600 TALLOC_FREE(sampass
);
601 return NT_STATUS_INVALID_HANDLE
;
604 dacl
= r
->in
.sdbuf
->sd
->dacl
;
605 for (i
=0; i
< dacl
->num_aces
; i
++) {
606 if (dom_sid_equal(&uinfo
->sid
, &dacl
->aces
[i
].trustee
)) {
607 ret
= pdb_set_pass_can_change(sampass
,
608 (dacl
->aces
[i
].access_mask
&
609 SAMR_USER_ACCESS_CHANGE_PASSWORD
) ?
616 TALLOC_FREE(sampass
);
617 return NT_STATUS_ACCESS_DENIED
;
621 status
= pdb_update_sam_account(sampass
);
624 TALLOC_FREE(sampass
);
629 /*******************************************************************
630 build correct perms based on policies and password times for _samr_query_sec_obj
631 *******************************************************************/
632 static bool check_change_pw_access(TALLOC_CTX
*mem_ctx
, struct dom_sid
*user_sid
)
634 struct samu
*sampass
=NULL
;
637 if ( !(sampass
= samu_new( mem_ctx
)) ) {
638 DEBUG(0,("No memory!\n"));
643 ret
= pdb_getsampwsid(sampass
, user_sid
);
647 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid
)));
648 TALLOC_FREE(sampass
);
652 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass
) ));
654 if (pdb_get_pass_can_change(sampass
)) {
655 TALLOC_FREE(sampass
);
658 TALLOC_FREE(sampass
);
663 /*******************************************************************
665 ********************************************************************/
667 NTSTATUS
_samr_QuerySecurity(struct pipes_struct
*p
,
668 struct samr_QuerySecurity
*r
)
670 struct samr_domain_info
*dinfo
;
671 struct samr_user_info
*uinfo
;
672 struct samr_group_info
*ginfo
;
673 struct samr_alias_info
*ainfo
;
675 struct security_descriptor
* psd
= NULL
;
678 (void)policy_handle_find(p
, r
->in
.handle
,
679 SEC_STD_READ_CONTROL
, NULL
,
680 struct samr_connect_info
, &status
);
681 if (NT_STATUS_IS_OK(status
)) {
682 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
683 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
684 &sam_generic_mapping
, NULL
, 0);
688 dinfo
= policy_handle_find(p
, r
->in
.handle
,
689 SEC_STD_READ_CONTROL
, NULL
,
690 struct samr_domain_info
, &status
);
691 if (NT_STATUS_IS_OK(status
)) {
692 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
693 "with SID: %s\n", sid_string_dbg(&dinfo
->sid
)));
695 * TODO: Builtin probably needs a different SD with restricted
698 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
699 &dom_generic_mapping
, NULL
, 0);
703 uinfo
= policy_handle_find(p
, r
->in
.handle
,
704 SEC_STD_READ_CONTROL
, NULL
,
705 struct samr_user_info
, &status
);
706 if (NT_STATUS_IS_OK(status
)) {
707 DEBUG(10,("_samr_QuerySecurity: querying security on user "
708 "Object with SID: %s\n",
709 sid_string_dbg(&uinfo
->sid
)));
710 if (check_change_pw_access(p
->mem_ctx
, &uinfo
->sid
)) {
711 status
= make_samr_object_sd(
712 p
->mem_ctx
, &psd
, &sd_size
,
713 &usr_generic_mapping
,
714 &uinfo
->sid
, SAMR_USR_RIGHTS_WRITE_PW
);
716 status
= make_samr_object_sd(
717 p
->mem_ctx
, &psd
, &sd_size
,
718 &usr_nopwchange_generic_mapping
,
719 &uinfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
724 ginfo
= policy_handle_find(p
, r
->in
.handle
,
725 SEC_STD_READ_CONTROL
, NULL
,
726 struct samr_group_info
, &status
);
727 if (NT_STATUS_IS_OK(status
)) {
729 * TODO: different SDs have to be generated for aliases groups
730 * and users. Currently all three get a default user SD
732 DEBUG(10,("_samr_QuerySecurity: querying security on group "
733 "Object with SID: %s\n",
734 sid_string_dbg(&ginfo
->sid
)));
735 status
= make_samr_object_sd(
736 p
->mem_ctx
, &psd
, &sd_size
,
737 &usr_nopwchange_generic_mapping
,
738 &ginfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
742 ainfo
= policy_handle_find(p
, r
->in
.handle
,
743 SEC_STD_READ_CONTROL
, NULL
,
744 struct samr_alias_info
, &status
);
745 if (NT_STATUS_IS_OK(status
)) {
747 * TODO: different SDs have to be generated for aliases groups
748 * and users. Currently all three get a default user SD
750 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
751 "Object with SID: %s\n",
752 sid_string_dbg(&ainfo
->sid
)));
753 status
= make_samr_object_sd(
754 p
->mem_ctx
, &psd
, &sd_size
,
755 &usr_nopwchange_generic_mapping
,
756 &ainfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
760 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
762 if ((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
763 return NT_STATUS_NO_MEMORY
;
768 /*******************************************************************
769 makes a SAM_ENTRY / UNISTR2* structure from a user list.
770 ********************************************************************/
772 static NTSTATUS
make_user_sam_entry_list(TALLOC_CTX
*ctx
,
773 struct samr_SamEntry
**sam_pp
,
774 uint32_t num_entries
,
776 struct samr_displayentry
*entries
)
779 struct samr_SamEntry
*sam
;
783 if (num_entries
== 0) {
787 sam
= talloc_zero_array(ctx
, struct samr_SamEntry
, num_entries
);
789 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
790 return NT_STATUS_NO_MEMORY
;
793 for (i
= 0; i
< num_entries
; i
++) {
796 * usrmgr expects a non-NULL terminated string with
797 * trust relationships
799 if (entries
[i
].acct_flags
& ACB_DOMTRUST
) {
800 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
803 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
807 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
808 sam
[i
].idx
= entries
[i
].rid
;
816 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
818 /*******************************************************************
819 _samr_EnumDomainUsers
820 ********************************************************************/
822 NTSTATUS
_samr_EnumDomainUsers(struct pipes_struct
*p
,
823 struct samr_EnumDomainUsers
*r
)
826 struct samr_domain_info
*dinfo
;
828 uint32 enum_context
= *r
->in
.resume_handle
;
829 enum remote_arch_types ra_type
= get_remote_arch();
830 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
831 uint32 max_entries
= max_sam_entries
;
832 struct samr_displayentry
*entries
= NULL
;
833 struct samr_SamArray
*samr_array
= NULL
;
834 struct samr_SamEntry
*samr_entries
= NULL
;
836 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
838 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
839 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
840 struct samr_domain_info
, &status
);
841 if (!NT_STATUS_IS_OK(status
)) {
845 samr_array
= talloc_zero(p
->mem_ctx
, struct samr_SamArray
);
847 return NT_STATUS_NO_MEMORY
;
849 *r
->out
.sam
= samr_array
;
851 if (sid_check_is_builtin(&dinfo
->sid
)) {
852 /* No users in builtin. */
853 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
854 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
862 if ((dinfo
->disp_info
->enum_users
!= NULL
) &&
863 (dinfo
->disp_info
->enum_acb_mask
!= r
->in
.acct_flags
)) {
864 TALLOC_FREE(dinfo
->disp_info
->enum_users
);
867 if (dinfo
->disp_info
->enum_users
== NULL
) {
868 dinfo
->disp_info
->enum_users
= pdb_search_users(
869 dinfo
->disp_info
, r
->in
.acct_flags
);
870 dinfo
->disp_info
->enum_acb_mask
= r
->in
.acct_flags
;
873 if (dinfo
->disp_info
->enum_users
== NULL
) {
874 /* END AS ROOT !!!! */
876 return NT_STATUS_ACCESS_DENIED
;
879 num_account
= pdb_search_entries(dinfo
->disp_info
->enum_users
,
880 enum_context
, max_entries
,
883 /* END AS ROOT !!!! */
887 if (num_account
== 0) {
888 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
890 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
894 status
= make_user_sam_entry_list(p
->mem_ctx
, &samr_entries
,
895 num_account
, enum_context
,
897 if (!NT_STATUS_IS_OK(status
)) {
901 if (max_entries
<= num_account
) {
902 status
= STATUS_MORE_ENTRIES
;
904 status
= NT_STATUS_OK
;
907 /* Ensure we cache this enumeration. */
908 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
910 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__
));
912 samr_array
->count
= num_account
;
913 samr_array
->entries
= samr_entries
;
915 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ num_account
;
916 *r
->out
.num_entries
= num_account
;
918 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
923 /*******************************************************************
924 makes a SAM_ENTRY / UNISTR2* structure from a group list.
925 ********************************************************************/
927 static void make_group_sam_entry_list(TALLOC_CTX
*ctx
,
928 struct samr_SamEntry
**sam_pp
,
929 uint32_t num_sam_entries
,
930 struct samr_displayentry
*entries
)
932 struct samr_SamEntry
*sam
;
937 if (num_sam_entries
== 0) {
941 sam
= talloc_zero_array(ctx
, struct samr_SamEntry
, num_sam_entries
);
946 for (i
= 0; i
< num_sam_entries
; i
++) {
948 * JRA. I think this should include the null. TNG does not.
950 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
951 sam
[i
].idx
= entries
[i
].rid
;
957 /*******************************************************************
958 _samr_EnumDomainGroups
959 ********************************************************************/
961 NTSTATUS
_samr_EnumDomainGroups(struct pipes_struct
*p
,
962 struct samr_EnumDomainGroups
*r
)
965 struct samr_domain_info
*dinfo
;
966 struct samr_displayentry
*groups
;
968 struct samr_SamArray
*samr_array
= NULL
;
969 struct samr_SamEntry
*samr_entries
= NULL
;
971 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
972 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
973 struct samr_domain_info
, &status
);
974 if (!NT_STATUS_IS_OK(status
)) {
978 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
980 samr_array
= talloc_zero(p
->mem_ctx
, struct samr_SamArray
);
982 return NT_STATUS_NO_MEMORY
;
984 *r
->out
.sam
= samr_array
;
986 if (sid_check_is_builtin(&dinfo
->sid
)) {
987 /* No groups in builtin. */
988 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
989 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
993 /* the domain group array is being allocated in the function below */
997 if (dinfo
->disp_info
->groups
== NULL
) {
998 dinfo
->disp_info
->groups
= pdb_search_groups(dinfo
->disp_info
);
1000 if (dinfo
->disp_info
->groups
== NULL
) {
1002 return NT_STATUS_ACCESS_DENIED
;
1006 num_groups
= pdb_search_entries(dinfo
->disp_info
->groups
,
1007 *r
->in
.resume_handle
,
1008 MAX_SAM_ENTRIES
, &groups
);
1011 /* Ensure we cache this enumeration. */
1012 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1014 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1015 num_groups
, groups
);
1017 if (MAX_SAM_ENTRIES
<= num_groups
) {
1018 status
= STATUS_MORE_ENTRIES
;
1020 status
= NT_STATUS_OK
;
1023 samr_array
->count
= num_groups
;
1024 samr_array
->entries
= samr_entries
;
1026 *r
->out
.num_entries
= num_groups
;
1027 *r
->out
.resume_handle
= num_groups
+ *r
->in
.resume_handle
;
1029 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1034 /*******************************************************************
1035 _samr_EnumDomainAliases
1036 ********************************************************************/
1038 NTSTATUS
_samr_EnumDomainAliases(struct pipes_struct
*p
,
1039 struct samr_EnumDomainAliases
*r
)
1042 struct samr_domain_info
*dinfo
;
1043 struct samr_displayentry
*aliases
;
1044 uint32 num_aliases
= 0;
1045 struct samr_SamArray
*samr_array
= NULL
;
1046 struct samr_SamEntry
*samr_entries
= NULL
;
1048 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1049 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1050 struct samr_domain_info
, &status
);
1051 if (!NT_STATUS_IS_OK(status
)) {
1055 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1056 sid_string_dbg(&dinfo
->sid
)));
1058 samr_array
= talloc_zero(p
->mem_ctx
, struct samr_SamArray
);
1060 return NT_STATUS_NO_MEMORY
;
1065 if (dinfo
->disp_info
->aliases
== NULL
) {
1066 dinfo
->disp_info
->aliases
= pdb_search_aliases(
1067 dinfo
->disp_info
, &dinfo
->sid
);
1068 if (dinfo
->disp_info
->aliases
== NULL
) {
1070 return NT_STATUS_ACCESS_DENIED
;
1074 num_aliases
= pdb_search_entries(dinfo
->disp_info
->aliases
,
1075 *r
->in
.resume_handle
,
1076 MAX_SAM_ENTRIES
, &aliases
);
1079 /* Ensure we cache this enumeration. */
1080 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1082 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1083 num_aliases
, aliases
);
1085 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__
));
1087 if (MAX_SAM_ENTRIES
<= num_aliases
) {
1088 status
= STATUS_MORE_ENTRIES
;
1090 status
= NT_STATUS_OK
;
1093 samr_array
->count
= num_aliases
;
1094 samr_array
->entries
= samr_entries
;
1096 *r
->out
.sam
= samr_array
;
1097 *r
->out
.num_entries
= num_aliases
;
1098 *r
->out
.resume_handle
= num_aliases
+ *r
->in
.resume_handle
;
1103 /*******************************************************************
1104 inits a samr_DispInfoGeneral structure.
1105 ********************************************************************/
1107 static NTSTATUS
init_samr_dispinfo_1(TALLOC_CTX
*ctx
,
1108 struct samr_DispInfoGeneral
*r
,
1109 uint32_t num_entries
,
1111 struct samr_displayentry
*entries
)
1115 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries
));
1117 if (num_entries
== 0) {
1118 return NT_STATUS_OK
;
1121 r
->count
= num_entries
;
1123 r
->entries
= talloc_zero_array(ctx
, struct samr_DispEntryGeneral
, num_entries
);
1125 return NT_STATUS_NO_MEMORY
;
1128 for (i
= 0; i
< num_entries
; i
++) {
1130 init_lsa_String(&r
->entries
[i
].account_name
,
1131 entries
[i
].account_name
);
1133 init_lsa_String(&r
->entries
[i
].description
,
1134 entries
[i
].description
);
1136 init_lsa_String(&r
->entries
[i
].full_name
,
1137 entries
[i
].fullname
);
1139 r
->entries
[i
].rid
= entries
[i
].rid
;
1140 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1141 r
->entries
[i
].idx
= start_idx
+i
+1;
1144 return NT_STATUS_OK
;
1147 /*******************************************************************
1148 inits a samr_DispInfoFull structure.
1149 ********************************************************************/
1151 static NTSTATUS
init_samr_dispinfo_2(TALLOC_CTX
*ctx
,
1152 struct samr_DispInfoFull
*r
,
1153 uint32_t num_entries
,
1155 struct samr_displayentry
*entries
)
1159 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries
));
1161 if (num_entries
== 0) {
1162 return NT_STATUS_OK
;
1165 r
->count
= num_entries
;
1167 r
->entries
= talloc_zero_array(ctx
, struct samr_DispEntryFull
, num_entries
);
1169 return NT_STATUS_NO_MEMORY
;
1172 for (i
= 0; i
< num_entries
; i
++) {
1174 init_lsa_String(&r
->entries
[i
].account_name
,
1175 entries
[i
].account_name
);
1177 init_lsa_String(&r
->entries
[i
].description
,
1178 entries
[i
].description
);
1180 r
->entries
[i
].rid
= entries
[i
].rid
;
1181 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1182 r
->entries
[i
].idx
= start_idx
+i
+1;
1185 return NT_STATUS_OK
;
1188 /*******************************************************************
1189 inits a samr_DispInfoFullGroups structure.
1190 ********************************************************************/
1192 static NTSTATUS
init_samr_dispinfo_3(TALLOC_CTX
*ctx
,
1193 struct samr_DispInfoFullGroups
*r
,
1194 uint32_t num_entries
,
1196 struct samr_displayentry
*entries
)
1200 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries
));
1202 if (num_entries
== 0) {
1203 return NT_STATUS_OK
;
1206 r
->count
= num_entries
;
1208 r
->entries
= talloc_zero_array(ctx
, struct samr_DispEntryFullGroup
, num_entries
);
1210 return NT_STATUS_NO_MEMORY
;
1213 for (i
= 0; i
< num_entries
; i
++) {
1215 init_lsa_String(&r
->entries
[i
].account_name
,
1216 entries
[i
].account_name
);
1218 init_lsa_String(&r
->entries
[i
].description
,
1219 entries
[i
].description
);
1221 r
->entries
[i
].rid
= entries
[i
].rid
;
1222 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1223 r
->entries
[i
].idx
= start_idx
+i
+1;
1226 return NT_STATUS_OK
;
1229 /*******************************************************************
1230 inits a samr_DispInfoAscii structure.
1231 ********************************************************************/
1233 static NTSTATUS
init_samr_dispinfo_4(TALLOC_CTX
*ctx
,
1234 struct samr_DispInfoAscii
*r
,
1235 uint32_t num_entries
,
1237 struct samr_displayentry
*entries
)
1241 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries
));
1243 if (num_entries
== 0) {
1244 return NT_STATUS_OK
;
1247 r
->count
= num_entries
;
1249 r
->entries
= talloc_zero_array(ctx
, struct samr_DispEntryAscii
, num_entries
);
1251 return NT_STATUS_NO_MEMORY
;
1254 for (i
= 0; i
< num_entries
; i
++) {
1256 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1257 entries
[i
].account_name
);
1259 r
->entries
[i
].idx
= start_idx
+i
+1;
1262 return NT_STATUS_OK
;
1265 /*******************************************************************
1266 inits a samr_DispInfoAscii structure.
1267 ********************************************************************/
1269 static NTSTATUS
init_samr_dispinfo_5(TALLOC_CTX
*ctx
,
1270 struct samr_DispInfoAscii
*r
,
1271 uint32_t num_entries
,
1273 struct samr_displayentry
*entries
)
1277 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries
));
1279 if (num_entries
== 0) {
1280 return NT_STATUS_OK
;
1283 r
->count
= num_entries
;
1285 r
->entries
= talloc_zero_array(ctx
, struct samr_DispEntryAscii
, num_entries
);
1287 return NT_STATUS_NO_MEMORY
;
1290 for (i
= 0; i
< num_entries
; i
++) {
1292 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1293 entries
[i
].account_name
);
1295 r
->entries
[i
].idx
= start_idx
+i
+1;
1298 return NT_STATUS_OK
;
1301 /*******************************************************************
1302 _samr_QueryDisplayInfo
1303 ********************************************************************/
1305 NTSTATUS
_samr_QueryDisplayInfo(struct pipes_struct
*p
,
1306 struct samr_QueryDisplayInfo
*r
)
1309 struct samr_domain_info
*dinfo
;
1310 uint32 struct_size
=0x20; /* W2K always reply that, client doesn't care */
1312 uint32 max_entries
= r
->in
.max_entries
;
1314 union samr_DispInfo
*disp_info
= r
->out
.info
;
1317 NTSTATUS disp_ret
= NT_STATUS_UNSUCCESSFUL
;
1318 uint32 num_account
= 0;
1319 enum remote_arch_types ra_type
= get_remote_arch();
1320 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
1321 struct samr_displayentry
*entries
= NULL
;
1323 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1325 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1326 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1327 struct samr_domain_info
, &status
);
1328 if (!NT_STATUS_IS_OK(status
)) {
1332 if (sid_check_is_builtin(&dinfo
->sid
)) {
1333 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1334 return NT_STATUS_OK
;
1338 * calculate how many entries we will return.
1340 * - the number of entries the client asked
1341 * - our limit on that
1342 * - the starting point (enumeration context)
1343 * - the buffer size the client will accept
1347 * We are a lot more like W2K. Instead of reading the SAM
1348 * each time to find the records we need to send back,
1349 * we read it once and link that copy to the sam handle.
1350 * For large user list (over the MAX_SAM_ENTRIES)
1351 * it's a definitive win.
1352 * second point to notice: between enumerations
1353 * our sam is now the same as it's a snapshoot.
1354 * third point: got rid of the static SAM_USER_21 struct
1355 * no more intermediate.
1356 * con: it uses much more memory, as a full copy is stored
1359 * If you want to change it, think twice and think
1360 * of the second point , that's really important.
1365 if ((r
->in
.level
< 1) || (r
->in
.level
> 5)) {
1366 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1367 (unsigned int)r
->in
.level
));
1368 return NT_STATUS_INVALID_INFO_CLASS
;
1371 /* first limit the number of entries we will return */
1372 if (r
->in
.max_entries
> max_sam_entries
) {
1373 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1374 "entries, limiting to %d\n", r
->in
.max_entries
,
1376 max_entries
= max_sam_entries
;
1379 /* calculate the size and limit on the number of entries we will
1382 temp_size
=max_entries
*struct_size
;
1384 if (temp_size
> r
->in
.buf_size
) {
1385 max_entries
= MIN((r
->in
.buf_size
/ struct_size
),max_entries
);
1386 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1387 "only %d entries\n", max_entries
));
1392 /* THe following done as ROOT. Don't return without unbecome_root(). */
1394 switch (r
->in
.level
) {
1397 if (dinfo
->disp_info
->users
== NULL
) {
1398 dinfo
->disp_info
->users
= pdb_search_users(
1399 dinfo
->disp_info
, ACB_NORMAL
);
1400 if (dinfo
->disp_info
->users
== NULL
) {
1402 return NT_STATUS_ACCESS_DENIED
;
1404 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1405 (unsigned int)r
->in
.start_idx
));
1407 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1408 (unsigned int)r
->in
.start_idx
));
1411 num_account
= pdb_search_entries(dinfo
->disp_info
->users
,
1412 r
->in
.start_idx
, max_entries
,
1416 if (dinfo
->disp_info
->machines
== NULL
) {
1417 dinfo
->disp_info
->machines
= pdb_search_users(
1418 dinfo
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
1419 if (dinfo
->disp_info
->machines
== NULL
) {
1421 return NT_STATUS_ACCESS_DENIED
;
1423 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1424 (unsigned int)r
->in
.start_idx
));
1426 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1427 (unsigned int)r
->in
.start_idx
));
1430 num_account
= pdb_search_entries(dinfo
->disp_info
->machines
,
1431 r
->in
.start_idx
, max_entries
,
1436 if (dinfo
->disp_info
->groups
== NULL
) {
1437 dinfo
->disp_info
->groups
= pdb_search_groups(
1439 if (dinfo
->disp_info
->groups
== NULL
) {
1441 return NT_STATUS_ACCESS_DENIED
;
1443 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1444 (unsigned int)r
->in
.start_idx
));
1446 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1447 (unsigned int)r
->in
.start_idx
));
1450 num_account
= pdb_search_entries(dinfo
->disp_info
->groups
,
1451 r
->in
.start_idx
, max_entries
,
1456 smb_panic("info class changed");
1462 /* Now create reply structure */
1463 switch (r
->in
.level
) {
1465 disp_ret
= init_samr_dispinfo_1(p
->mem_ctx
, &disp_info
->info1
,
1466 num_account
, r
->in
.start_idx
,
1470 disp_ret
= init_samr_dispinfo_2(p
->mem_ctx
, &disp_info
->info2
,
1471 num_account
, r
->in
.start_idx
,
1475 disp_ret
= init_samr_dispinfo_3(p
->mem_ctx
, &disp_info
->info3
,
1476 num_account
, r
->in
.start_idx
,
1480 disp_ret
= init_samr_dispinfo_4(p
->mem_ctx
, &disp_info
->info4
,
1481 num_account
, r
->in
.start_idx
,
1485 disp_ret
= init_samr_dispinfo_5(p
->mem_ctx
, &disp_info
->info5
,
1486 num_account
, r
->in
.start_idx
,
1490 smb_panic("info class changed");
1494 if (!NT_STATUS_IS_OK(disp_ret
))
1497 if (max_entries
<= num_account
) {
1498 status
= STATUS_MORE_ENTRIES
;
1500 status
= NT_STATUS_OK
;
1503 /* Ensure we cache this enumeration. */
1504 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1506 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1508 *r
->out
.total_size
= num_account
* struct_size
;
1509 *r
->out
.returned_size
= num_account
? temp_size
: 0;
1514 /****************************************************************
1515 _samr_QueryDisplayInfo2
1516 ****************************************************************/
1518 NTSTATUS
_samr_QueryDisplayInfo2(struct pipes_struct
*p
,
1519 struct samr_QueryDisplayInfo2
*r
)
1521 struct samr_QueryDisplayInfo q
;
1523 q
.in
.domain_handle
= r
->in
.domain_handle
;
1524 q
.in
.level
= r
->in
.level
;
1525 q
.in
.start_idx
= r
->in
.start_idx
;
1526 q
.in
.max_entries
= r
->in
.max_entries
;
1527 q
.in
.buf_size
= r
->in
.buf_size
;
1529 q
.out
.total_size
= r
->out
.total_size
;
1530 q
.out
.returned_size
= r
->out
.returned_size
;
1531 q
.out
.info
= r
->out
.info
;
1533 return _samr_QueryDisplayInfo(p
, &q
);
1536 /****************************************************************
1537 _samr_QueryDisplayInfo3
1538 ****************************************************************/
1540 NTSTATUS
_samr_QueryDisplayInfo3(struct pipes_struct
*p
,
1541 struct samr_QueryDisplayInfo3
*r
)
1543 struct samr_QueryDisplayInfo q
;
1545 q
.in
.domain_handle
= r
->in
.domain_handle
;
1546 q
.in
.level
= r
->in
.level
;
1547 q
.in
.start_idx
= r
->in
.start_idx
;
1548 q
.in
.max_entries
= r
->in
.max_entries
;
1549 q
.in
.buf_size
= r
->in
.buf_size
;
1551 q
.out
.total_size
= r
->out
.total_size
;
1552 q
.out
.returned_size
= r
->out
.returned_size
;
1553 q
.out
.info
= r
->out
.info
;
1555 return _samr_QueryDisplayInfo(p
, &q
);
1558 /*******************************************************************
1559 _samr_QueryAliasInfo
1560 ********************************************************************/
1562 NTSTATUS
_samr_QueryAliasInfo(struct pipes_struct
*p
,
1563 struct samr_QueryAliasInfo
*r
)
1565 struct samr_alias_info
*ainfo
;
1566 struct acct_info
*info
;
1568 union samr_AliasInfo
*alias_info
= NULL
;
1569 const char *alias_name
= NULL
;
1570 const char *alias_description
= NULL
;
1572 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1574 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
1575 SAMR_ALIAS_ACCESS_LOOKUP_INFO
, NULL
,
1576 struct samr_alias_info
, &status
);
1577 if (!NT_STATUS_IS_OK(status
)) {
1581 alias_info
= talloc_zero(p
->mem_ctx
, union samr_AliasInfo
);
1583 return NT_STATUS_NO_MEMORY
;
1586 info
= talloc_zero(p
->mem_ctx
, struct acct_info
);
1588 return NT_STATUS_NO_MEMORY
;
1592 status
= pdb_get_aliasinfo(&ainfo
->sid
, info
);
1595 if (!NT_STATUS_IS_OK(status
)) {
1600 alias_name
= talloc_steal(r
, info
->acct_name
);
1601 alias_description
= talloc_steal(r
, info
->acct_desc
);
1604 switch (r
->in
.level
) {
1606 alias_info
->all
.name
.string
= alias_name
;
1607 alias_info
->all
.num_members
= 1; /* ??? */
1608 alias_info
->all
.description
.string
= alias_description
;
1611 alias_info
->name
.string
= alias_name
;
1613 case ALIASINFODESCRIPTION
:
1614 alias_info
->description
.string
= alias_description
;
1617 return NT_STATUS_INVALID_INFO_CLASS
;
1620 *r
->out
.info
= alias_info
;
1622 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1624 return NT_STATUS_OK
;
1627 /*******************************************************************
1629 ********************************************************************/
1631 NTSTATUS
_samr_LookupNames(struct pipes_struct
*p
,
1632 struct samr_LookupNames
*r
)
1634 struct samr_domain_info
*dinfo
;
1637 enum lsa_SidType
*type
;
1639 int num_rids
= r
->in
.num_names
;
1640 struct samr_Ids rids
, types
;
1641 uint32_t num_mapped
= 0;
1643 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1645 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1646 0 /* Don't know the acc_bits yet */, NULL
,
1647 struct samr_domain_info
, &status
);
1648 if (!NT_STATUS_IS_OK(status
)) {
1652 if (num_rids
> MAX_SAM_ENTRIES
) {
1653 num_rids
= MAX_SAM_ENTRIES
;
1654 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids
));
1657 rid
= talloc_array(p
->mem_ctx
, uint32
, num_rids
);
1658 NT_STATUS_HAVE_NO_MEMORY(rid
);
1660 type
= talloc_array(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
1661 NT_STATUS_HAVE_NO_MEMORY(type
);
1663 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1664 sid_string_dbg(&dinfo
->sid
)));
1666 for (i
= 0; i
< num_rids
; i
++) {
1668 status
= NT_STATUS_NONE_MAPPED
;
1669 type
[i
] = SID_NAME_UNKNOWN
;
1671 rid
[i
] = 0xffffffff;
1673 if (sid_check_is_builtin(&dinfo
->sid
)) {
1674 if (lookup_builtin_name(r
->in
.names
[i
].string
,
1677 type
[i
] = SID_NAME_ALIAS
;
1680 lookup_global_sam_name(r
->in
.names
[i
].string
, 0,
1684 if (type
[i
] != SID_NAME_UNKNOWN
) {
1689 if (num_mapped
== num_rids
) {
1690 status
= NT_STATUS_OK
;
1691 } else if (num_mapped
== 0) {
1692 status
= NT_STATUS_NONE_MAPPED
;
1694 status
= STATUS_SOME_UNMAPPED
;
1697 rids
.count
= num_rids
;
1700 types
.count
= num_rids
;
1701 types
.ids
= talloc_array(p
->mem_ctx
, uint32_t, num_rids
);
1702 NT_STATUS_HAVE_NO_MEMORY(type
);
1703 for (i
= 0; i
< num_rids
; i
++) {
1704 types
.ids
[i
] = (type
[i
] & 0xffffffff);
1707 *r
->out
.rids
= rids
;
1708 *r
->out
.types
= types
;
1710 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1715 /****************************************************************
1716 _samr_ChangePasswordUser
1717 ****************************************************************/
1719 NTSTATUS
_samr_ChangePasswordUser(struct pipes_struct
*p
,
1720 struct samr_ChangePasswordUser
*r
)
1724 struct samr_user_info
*uinfo
;
1725 struct samu
*pwd
= NULL
;
1726 struct samr_Password new_lmPwdHash
, new_ntPwdHash
, checkHash
;
1727 struct samr_Password lm_pwd
, nt_pwd
;
1728 bool updated_badpw
= false;
1729 NTSTATUS update_login_attempts_status
;
1731 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
1732 SAMR_USER_ACCESS_SET_PASSWORD
, NULL
,
1733 struct samr_user_info
, &status
);
1734 if (!NT_STATUS_IS_OK(status
)) {
1738 DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1739 sid_string_dbg(&uinfo
->sid
)));
1741 /* basic sanity checking on parameters. Do this before any database ops */
1742 if (!r
->in
.lm_present
|| !r
->in
.nt_present
||
1743 !r
->in
.old_lm_crypted
|| !r
->in
.new_lm_crypted
||
1744 !r
->in
.old_nt_crypted
|| !r
->in
.new_nt_crypted
) {
1745 /* we should really handle a change with lm not
1747 return NT_STATUS_INVALID_PARAMETER_MIX
;
1750 if (!(pwd
= samu_new(NULL
))) {
1751 return NT_STATUS_NO_MEMORY
;
1755 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
1760 return NT_STATUS_WRONG_PASSWORD
;
1763 /* Quit if the account was locked out. */
1764 if (pdb_get_acct_ctrl(pwd
) & ACB_AUTOLOCK
) {
1765 DEBUG(3, ("Account for user %s was locked out.\n",
1766 pdb_get_username(pwd
)));
1767 status
= NT_STATUS_ACCOUNT_LOCKED_OUT
;
1772 const uint8_t *lm_pass
, *nt_pass
;
1774 lm_pass
= pdb_get_lanman_passwd(pwd
);
1775 nt_pass
= pdb_get_nt_passwd(pwd
);
1777 if (!lm_pass
|| !nt_pass
) {
1778 status
= NT_STATUS_WRONG_PASSWORD
;
1782 memcpy(&lm_pwd
.hash
, lm_pass
, sizeof(lm_pwd
.hash
));
1783 memcpy(&nt_pwd
.hash
, nt_pass
, sizeof(nt_pwd
.hash
));
1786 /* decrypt and check the new lm hash */
1787 D_P16(lm_pwd
.hash
, r
->in
.new_lm_crypted
->hash
, new_lmPwdHash
.hash
);
1788 D_P16(new_lmPwdHash
.hash
, r
->in
.old_lm_crypted
->hash
, checkHash
.hash
);
1789 if (memcmp(checkHash
.hash
, lm_pwd
.hash
, 16) != 0) {
1790 status
= NT_STATUS_WRONG_PASSWORD
;
1794 /* decrypt and check the new nt hash */
1795 D_P16(nt_pwd
.hash
, r
->in
.new_nt_crypted
->hash
, new_ntPwdHash
.hash
);
1796 D_P16(new_ntPwdHash
.hash
, r
->in
.old_nt_crypted
->hash
, checkHash
.hash
);
1797 if (memcmp(checkHash
.hash
, nt_pwd
.hash
, 16) != 0) {
1798 status
= NT_STATUS_WRONG_PASSWORD
;
1802 /* The NT Cross is not required by Win2k3 R2, but if present
1803 check the nt cross hash */
1804 if (r
->in
.cross1_present
&& r
->in
.nt_cross
) {
1805 D_P16(lm_pwd
.hash
, r
->in
.nt_cross
->hash
, checkHash
.hash
);
1806 if (memcmp(checkHash
.hash
, new_ntPwdHash
.hash
, 16) != 0) {
1807 status
= NT_STATUS_WRONG_PASSWORD
;
1812 /* The LM Cross is not required by Win2k3 R2, but if present
1813 check the lm cross hash */
1814 if (r
->in
.cross2_present
&& r
->in
.lm_cross
) {
1815 D_P16(nt_pwd
.hash
, r
->in
.lm_cross
->hash
, checkHash
.hash
);
1816 if (memcmp(checkHash
.hash
, new_lmPwdHash
.hash
, 16) != 0) {
1817 status
= NT_STATUS_WRONG_PASSWORD
;
1822 if (!pdb_set_nt_passwd(pwd
, new_ntPwdHash
.hash
, PDB_CHANGED
) ||
1823 !pdb_set_lanman_passwd(pwd
, new_lmPwdHash
.hash
, PDB_CHANGED
)) {
1824 status
= NT_STATUS_ACCESS_DENIED
;
1828 status
= pdb_update_sam_account(pwd
);
1833 * Notify passdb backend of login success/failure. If not
1834 * NT_STATUS_OK the backend doesn't like the login
1836 update_login_attempts_status
= pdb_update_login_attempts(pwd
,
1837 NT_STATUS_IS_OK(status
));
1839 if (!NT_STATUS_IS_OK(status
)) {
1840 bool increment_bad_pw_count
= false;
1842 if (NT_STATUS_EQUAL(status
,NT_STATUS_WRONG_PASSWORD
) &&
1843 (pdb_get_acct_ctrl(pwd
) & ACB_NORMAL
) &&
1844 NT_STATUS_IS_OK(update_login_attempts_status
))
1846 increment_bad_pw_count
= true;
1849 if (increment_bad_pw_count
) {
1850 pdb_increment_bad_password_count(pwd
);
1851 updated_badpw
= true;
1853 pdb_update_bad_password_count(pwd
,
1858 if ((pdb_get_acct_ctrl(pwd
) & ACB_NORMAL
) &&
1859 (pdb_get_bad_password_count(pwd
) > 0)){
1860 pdb_set_bad_password_count(pwd
, 0, PDB_CHANGED
);
1861 pdb_set_bad_password_time(pwd
, 0, PDB_CHANGED
);
1862 updated_badpw
= true;
1866 if (updated_badpw
) {
1867 NTSTATUS update_status
;
1869 update_status
= pdb_update_sam_account(pwd
);
1872 if (!NT_STATUS_IS_OK(update_status
)) {
1873 DEBUG(1, ("Failed to modify entry: %s\n",
1874 nt_errstr(update_status
)));
1884 /*******************************************************************
1885 _samr_ChangePasswordUser2
1886 ********************************************************************/
1888 NTSTATUS
_samr_ChangePasswordUser2(struct pipes_struct
*p
,
1889 struct samr_ChangePasswordUser2
*r
)
1892 char *user_name
= NULL
;
1894 const char *wks
= NULL
;
1896 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1898 if (!r
->in
.account
->string
) {
1899 return NT_STATUS_INVALID_PARAMETER
;
1901 if (r
->in
.server
&& r
->in
.server
->string
) {
1902 wks
= r
->in
.server
->string
;
1905 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1908 * Pass the user through the NT -> unix user mapping
1912 (void)map_username(talloc_tos(), r
->in
.account
->string
, &user_name
);
1914 return NT_STATUS_NO_MEMORY
;
1917 rhost
= tsocket_address_inet_addr_string(p
->remote_address
,
1919 if (rhost
== NULL
) {
1920 return NT_STATUS_NO_MEMORY
;
1924 * UNIX username case mangling not required, pass_oem_change
1925 * is case insensitive.
1928 status
= pass_oem_change(user_name
,
1930 r
->in
.lm_password
->data
,
1931 r
->in
.lm_verifier
->hash
,
1932 r
->in
.nt_password
->data
,
1933 r
->in
.nt_verifier
->hash
,
1936 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1938 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1939 return NT_STATUS_WRONG_PASSWORD
;
1945 /****************************************************************
1946 _samr_OemChangePasswordUser2
1947 ****************************************************************/
1949 NTSTATUS
_samr_OemChangePasswordUser2(struct pipes_struct
*p
,
1950 struct samr_OemChangePasswordUser2
*r
)
1953 char *user_name
= NULL
;
1954 const char *wks
= NULL
;
1957 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__
));
1959 if (!r
->in
.account
->string
) {
1960 return NT_STATUS_INVALID_PARAMETER
;
1962 if (r
->in
.server
&& r
->in
.server
->string
) {
1963 wks
= r
->in
.server
->string
;
1966 DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1969 * Pass the user through the NT -> unix user mapping
1973 (void)map_username(talloc_tos(), r
->in
.account
->string
, &user_name
);
1975 return NT_STATUS_NO_MEMORY
;
1979 * UNIX username case mangling not required, pass_oem_change
1980 * is case insensitive.
1983 if (!r
->in
.hash
|| !r
->in
.password
) {
1984 return NT_STATUS_INVALID_PARAMETER
;
1987 rhost
= tsocket_address_inet_addr_string(p
->remote_address
,
1989 if (rhost
== NULL
) {
1990 return NT_STATUS_NO_MEMORY
;
1993 status
= pass_oem_change(user_name
,
1995 r
->in
.password
->data
,
2001 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
2002 return NT_STATUS_WRONG_PASSWORD
;
2005 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__
));
2010 /*******************************************************************
2011 _samr_ChangePasswordUser3
2012 ********************************************************************/
2014 NTSTATUS
_samr_ChangePasswordUser3(struct pipes_struct
*p
,
2015 struct samr_ChangePasswordUser3
*r
)
2018 char *user_name
= NULL
;
2019 const char *wks
= NULL
;
2020 enum samPwdChangeReason reject_reason
;
2021 struct samr_DomInfo1
*dominfo
= NULL
;
2022 struct userPwdChangeFailureInformation
*reject
= NULL
;
2026 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
2028 if (!r
->in
.account
->string
) {
2029 return NT_STATUS_INVALID_PARAMETER
;
2031 if (r
->in
.server
&& r
->in
.server
->string
) {
2032 wks
= r
->in
.server
->string
;
2035 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name
, wks
));
2038 * Pass the user through the NT -> unix user mapping
2042 (void)map_username(talloc_tos(), r
->in
.account
->string
, &user_name
);
2044 return NT_STATUS_NO_MEMORY
;
2047 rhost
= tsocket_address_inet_addr_string(p
->remote_address
,
2049 if (rhost
== NULL
) {
2050 return NT_STATUS_NO_MEMORY
;
2054 * UNIX username case mangling not required, pass_oem_change
2055 * is case insensitive.
2058 status
= pass_oem_change(user_name
,
2060 r
->in
.lm_password
->data
,
2061 r
->in
.lm_verifier
->hash
,
2062 r
->in
.nt_password
->data
,
2063 r
->in
.nt_verifier
->hash
,
2065 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
2066 return NT_STATUS_WRONG_PASSWORD
;
2069 if (NT_STATUS_EQUAL(status
, NT_STATUS_PASSWORD_RESTRICTION
) ||
2070 NT_STATUS_EQUAL(status
, NT_STATUS_ACCOUNT_RESTRICTION
)) {
2072 time_t u_expire
, u_min_age
;
2073 uint32 account_policy_temp
;
2075 dominfo
= talloc_zero(p
->mem_ctx
, struct samr_DomInfo1
);
2077 return NT_STATUS_NO_MEMORY
;
2080 reject
= talloc_zero(p
->mem_ctx
,
2081 struct userPwdChangeFailureInformation
);
2083 return NT_STATUS_NO_MEMORY
;
2090 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
, &tmp
);
2091 dominfo
->min_password_length
= tmp
;
2093 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &tmp
);
2094 dominfo
->password_history_length
= tmp
;
2096 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
2097 &dominfo
->password_properties
);
2099 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE
, &account_policy_temp
);
2100 u_expire
= account_policy_temp
;
2102 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE
, &account_policy_temp
);
2103 u_min_age
= account_policy_temp
;
2109 unix_to_nt_time_abs((NTTIME
*)&dominfo
->max_password_age
, u_expire
);
2110 unix_to_nt_time_abs((NTTIME
*)&dominfo
->min_password_age
, u_min_age
);
2112 if (lp_check_password_script(talloc_tos())
2113 && *lp_check_password_script(talloc_tos())) {
2114 dominfo
->password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
2117 reject
->extendedFailureReason
= reject_reason
;
2119 *r
->out
.dominfo
= dominfo
;
2120 *r
->out
.reject
= reject
;
2123 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
2128 /*******************************************************************
2129 makes a SAMR_R_LOOKUP_RIDS structure.
2130 ********************************************************************/
2132 static bool make_samr_lookup_rids(TALLOC_CTX
*ctx
, uint32 num_names
,
2134 struct lsa_String
**lsa_name_array_p
)
2136 struct lsa_String
*lsa_name_array
= NULL
;
2139 *lsa_name_array_p
= NULL
;
2141 if (num_names
!= 0) {
2142 lsa_name_array
= talloc_zero_array(ctx
, struct lsa_String
, num_names
);
2143 if (!lsa_name_array
) {
2148 for (i
= 0; i
< num_names
; i
++) {
2149 DEBUG(10, ("names[%d]:%s\n", i
, names
[i
] && *names
[i
] ? names
[i
] : ""));
2150 init_lsa_String(&lsa_name_array
[i
], names
[i
]);
2153 *lsa_name_array_p
= lsa_name_array
;
2158 /*******************************************************************
2160 ********************************************************************/
2162 NTSTATUS
_samr_LookupRids(struct pipes_struct
*p
,
2163 struct samr_LookupRids
*r
)
2165 struct samr_domain_info
*dinfo
;
2168 enum lsa_SidType
*attrs
= NULL
;
2169 uint32
*wire_attrs
= NULL
;
2170 int num_rids
= (int)r
->in
.num_rids
;
2172 struct lsa_Strings names_array
;
2173 struct samr_Ids types_array
;
2174 struct lsa_String
*lsa_names
= NULL
;
2176 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2178 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
2179 0 /* Don't know the acc_bits yet */, NULL
,
2180 struct samr_domain_info
, &status
);
2181 if (!NT_STATUS_IS_OK(status
)) {
2185 if (num_rids
> 1000) {
2186 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2187 "to samba4 idl this is not possible\n", num_rids
));
2188 return NT_STATUS_UNSUCCESSFUL
;
2192 names
= talloc_zero_array(p
->mem_ctx
, const char *, num_rids
);
2193 attrs
= talloc_zero_array(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
2194 wire_attrs
= talloc_zero_array(p
->mem_ctx
, uint32
, num_rids
);
2196 if ((names
== NULL
) || (attrs
== NULL
) || (wire_attrs
==NULL
))
2197 return NT_STATUS_NO_MEMORY
;
2204 become_root(); /* lookup_sid can require root privs */
2205 status
= pdb_lookup_rids(&dinfo
->sid
, num_rids
, r
->in
.rids
,
2209 if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
) && (num_rids
== 0)) {
2210 status
= NT_STATUS_OK
;
2213 if (!make_samr_lookup_rids(p
->mem_ctx
, num_rids
, names
,
2215 return NT_STATUS_NO_MEMORY
;
2218 /* Convert from enum lsa_SidType to uint32 for wire format. */
2219 for (i
= 0; i
< num_rids
; i
++) {
2220 wire_attrs
[i
] = (uint32
)attrs
[i
];
2223 names_array
.count
= num_rids
;
2224 names_array
.names
= lsa_names
;
2226 types_array
.count
= num_rids
;
2227 types_array
.ids
= wire_attrs
;
2229 *r
->out
.names
= names_array
;
2230 *r
->out
.types
= types_array
;
2232 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2237 /*******************************************************************
2239 ********************************************************************/
2241 NTSTATUS
_samr_OpenUser(struct pipes_struct
*p
,
2242 struct samr_OpenUser
*r
)
2244 struct samu
*sampass
=NULL
;
2246 struct samr_domain_info
*dinfo
;
2247 struct samr_user_info
*uinfo
;
2248 struct security_descriptor
*psd
= NULL
;
2250 uint32 des_access
= r
->in
.access_mask
;
2251 uint32_t extra_access
= 0;
2256 /* These two privileges, if != SEC_PRIV_INVALID, indicate
2257 * privileges that the user must have to complete this
2258 * operation in defience of the fixed ACL */
2259 enum sec_privilege needed_priv_1
, needed_priv_2
;
2262 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
2263 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
2264 struct samr_domain_info
, &status
);
2265 if (!NT_STATUS_IS_OK(status
)) {
2269 if ( !(sampass
= samu_new( p
->mem_ctx
)) ) {
2270 return NT_STATUS_NO_MEMORY
;
2273 /* append the user's RID to it */
2275 if (!sid_compose(&sid
, &dinfo
->sid
, r
->in
.rid
))
2276 return NT_STATUS_NO_SUCH_USER
;
2278 /* check if access can be granted as requested by client. */
2279 map_max_allowed_access(p
->session_info
->security_token
,
2280 p
->session_info
->unix_token
,
2283 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
, &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
2284 se_map_generic(&des_access
, &usr_generic_mapping
);
2287 * Get the sampass first as we need to check privileges
2288 * based on what kind of user object this is.
2289 * But don't reveal info too early if it didn't exist.
2293 ret
=pdb_getsampwsid(sampass
, &sid
);
2296 needed_priv_1
= SEC_PRIV_INVALID
;
2297 needed_priv_2
= SEC_PRIV_INVALID
;
2299 * We do the override access checks on *open*, not at
2303 uint32_t acb_info
= pdb_get_acct_ctrl(sampass
);
2305 if (acb_info
& ACB_WSTRUST
) {
2307 * SeMachineAccount is needed to add
2308 * GENERIC_RIGHTS_USER_WRITE to a machine
2311 needed_priv_1
= SEC_PRIV_MACHINE_ACCOUNT
;
2313 if (acb_info
& ACB_NORMAL
) {
2315 * SeAddUsers is needed to add
2316 * GENERIC_RIGHTS_USER_WRITE to a normal
2319 needed_priv_1
= SEC_PRIV_ADD_USERS
;
2322 * Cheat - we have not set a specific privilege for
2323 * server (BDC) or domain trust account, so allow
2324 * GENERIC_RIGHTS_USER_WRITE if pipe user is in
2325 * DOMAIN_RID_ADMINS.
2327 if (acb_info
& (ACB_SVRTRUST
|ACB_DOMTRUST
)) {
2328 if (lp_enable_privileges() && nt_token_check_domain_rid(p
->session_info
->security_token
,
2329 DOMAIN_RID_ADMINS
)) {
2330 des_access
&= ~GENERIC_RIGHTS_USER_WRITE
;
2331 extra_access
= GENERIC_RIGHTS_USER_WRITE
;
2332 DEBUG(4,("_samr_OpenUser: Allowing "
2333 "GENERIC_RIGHTS_USER_WRITE for "
2339 TALLOC_FREE(sampass
);
2341 nt_status
= access_check_object(psd
, p
->session_info
->security_token
,
2342 needed_priv_1
, needed_priv_2
,
2343 GENERIC_RIGHTS_USER_WRITE
, des_access
,
2344 &acc_granted
, "_samr_OpenUser");
2346 if ( !NT_STATUS_IS_OK(nt_status
) )
2349 /* check that the SID exists in our domain. */
2351 return NT_STATUS_NO_SUCH_USER
;
2354 /* If we did the rid admins hack above, allow access. */
2355 acc_granted
|= extra_access
;
2357 uinfo
= policy_handle_create(p
, r
->out
.user_handle
, acc_granted
,
2358 struct samr_user_info
, &nt_status
);
2359 if (!NT_STATUS_IS_OK(nt_status
)) {
2364 return NT_STATUS_OK
;
2367 /*************************************************************************
2368 *************************************************************************/
2370 static NTSTATUS
init_samr_parameters_string(TALLOC_CTX
*mem_ctx
,
2372 struct lsa_BinaryString
**_r
)
2374 struct lsa_BinaryString
*r
;
2377 return NT_STATUS_INVALID_PARAMETER
;
2380 r
= talloc_zero(mem_ctx
, struct lsa_BinaryString
);
2382 return NT_STATUS_NO_MEMORY
;
2385 r
->array
= talloc_zero_array(mem_ctx
, uint16_t, blob
->length
/2);
2387 return NT_STATUS_NO_MEMORY
;
2389 memcpy(r
->array
, blob
->data
, blob
->length
);
2390 r
->size
= blob
->length
;
2391 r
->length
= blob
->length
;
2394 return NT_STATUS_NO_MEMORY
;
2399 return NT_STATUS_OK
;
2402 /*************************************************************************
2403 *************************************************************************/
2405 static struct samr_LogonHours
get_logon_hours_from_pdb(TALLOC_CTX
*mem_ctx
,
2408 struct samr_LogonHours hours
;
2409 const int units_per_week
= 168;
2412 hours
.bits
= talloc_array(mem_ctx
, uint8_t, units_per_week
);
2417 hours
.units_per_week
= units_per_week
;
2418 memset(hours
.bits
, 0xFF, units_per_week
);
2420 if (pdb_get_hours(pw
)) {
2421 memcpy(hours
.bits
, pdb_get_hours(pw
),
2422 MIN(pdb_get_hours_len(pw
), units_per_week
));
2428 /*************************************************************************
2430 *************************************************************************/
2432 static NTSTATUS
get_user_info_1(TALLOC_CTX
*mem_ctx
,
2433 struct samr_UserInfo1
*r
,
2435 struct dom_sid
*domain_sid
)
2437 const struct dom_sid
*sid_group
;
2438 uint32_t primary_gid
;
2441 sid_group
= pdb_get_group_sid(pw
);
2444 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2445 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2446 "which conflicts with the domain sid %s. Failing operation.\n",
2447 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2448 sid_string_dbg(domain_sid
)));
2449 return NT_STATUS_UNSUCCESSFUL
;
2452 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2453 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2454 r
->primary_gid
= primary_gid
;
2455 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2456 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2458 return NT_STATUS_OK
;
2461 /*************************************************************************
2463 *************************************************************************/
2465 static NTSTATUS
get_user_info_2(TALLOC_CTX
*mem_ctx
,
2466 struct samr_UserInfo2
*r
,
2469 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2470 r
->reserved
.string
= NULL
;
2471 r
->country_code
= pdb_get_country_code(pw
);
2472 r
->code_page
= pdb_get_code_page(pw
);
2474 return NT_STATUS_OK
;
2477 /*************************************************************************
2479 *************************************************************************/
2481 static NTSTATUS
get_user_info_3(TALLOC_CTX
*mem_ctx
,
2482 struct samr_UserInfo3
*r
,
2484 struct dom_sid
*domain_sid
)
2486 const struct dom_sid
*sid_user
, *sid_group
;
2487 uint32_t rid
, primary_gid
;
2489 sid_user
= pdb_get_user_sid(pw
);
2491 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2492 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2493 "the domain sid %s. Failing operation.\n",
2494 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2495 sid_string_dbg(domain_sid
)));
2496 return NT_STATUS_UNSUCCESSFUL
;
2500 sid_group
= pdb_get_group_sid(pw
);
2503 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2504 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2505 "which conflicts with the domain sid %s. Failing operation.\n",
2506 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2507 sid_string_dbg(domain_sid
)));
2508 return NT_STATUS_UNSUCCESSFUL
;
2511 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2512 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2513 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2514 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2515 unix_to_nt_time(&r
->force_password_change
, pdb_get_pass_must_change_time(pw
));
2517 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2518 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2519 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2520 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2521 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2522 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2523 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2525 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2527 r
->primary_gid
= primary_gid
;
2528 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2529 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2530 r
->logon_count
= pdb_get_logon_count(pw
);
2532 return NT_STATUS_OK
;
2535 /*************************************************************************
2537 *************************************************************************/
2539 static NTSTATUS
get_user_info_4(TALLOC_CTX
*mem_ctx
,
2540 struct samr_UserInfo4
*r
,
2543 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2545 return NT_STATUS_OK
;
2548 /*************************************************************************
2550 *************************************************************************/
2552 static NTSTATUS
get_user_info_5(TALLOC_CTX
*mem_ctx
,
2553 struct samr_UserInfo5
*r
,
2555 struct dom_sid
*domain_sid
)
2557 const struct dom_sid
*sid_user
, *sid_group
;
2558 uint32_t rid
, primary_gid
;
2560 sid_user
= pdb_get_user_sid(pw
);
2562 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2563 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2564 "the domain sid %s. Failing operation.\n",
2565 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2566 sid_string_dbg(domain_sid
)));
2567 return NT_STATUS_UNSUCCESSFUL
;
2571 sid_group
= pdb_get_group_sid(pw
);
2574 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2575 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2576 "which conflicts with the domain sid %s. Failing operation.\n",
2577 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2578 sid_string_dbg(domain_sid
)));
2579 return NT_STATUS_UNSUCCESSFUL
;
2582 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2583 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2584 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2585 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2587 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2588 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2589 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2590 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2591 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2592 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2593 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2594 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2596 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2598 r
->primary_gid
= primary_gid
;
2599 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2600 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2601 r
->logon_count
= pdb_get_logon_count(pw
);
2603 return NT_STATUS_OK
;
2606 /*************************************************************************
2608 *************************************************************************/
2610 static NTSTATUS
get_user_info_6(TALLOC_CTX
*mem_ctx
,
2611 struct samr_UserInfo6
*r
,
2614 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2615 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2617 return NT_STATUS_OK
;
2620 /*************************************************************************
2621 get_user_info_7. Safe. Only gives out account_name.
2622 *************************************************************************/
2624 static NTSTATUS
get_user_info_7(TALLOC_CTX
*mem_ctx
,
2625 struct samr_UserInfo7
*r
,
2626 struct samu
*smbpass
)
2628 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(smbpass
));
2629 if (!r
->account_name
.string
) {
2630 return NT_STATUS_NO_MEMORY
;
2633 return NT_STATUS_OK
;
2636 /*************************************************************************
2638 *************************************************************************/
2640 static NTSTATUS
get_user_info_8(TALLOC_CTX
*mem_ctx
,
2641 struct samr_UserInfo8
*r
,
2644 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2646 return NT_STATUS_OK
;
2649 /*************************************************************************
2650 get_user_info_9. Only gives out primary group SID.
2651 *************************************************************************/
2653 static NTSTATUS
get_user_info_9(TALLOC_CTX
*mem_ctx
,
2654 struct samr_UserInfo9
*r
,
2655 struct samu
*smbpass
)
2657 r
->primary_gid
= pdb_get_group_rid(smbpass
);
2659 return NT_STATUS_OK
;
2662 /*************************************************************************
2664 *************************************************************************/
2666 static NTSTATUS
get_user_info_10(TALLOC_CTX
*mem_ctx
,
2667 struct samr_UserInfo10
*r
,
2670 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2671 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2673 return NT_STATUS_OK
;
2676 /*************************************************************************
2678 *************************************************************************/
2680 static NTSTATUS
get_user_info_11(TALLOC_CTX
*mem_ctx
,
2681 struct samr_UserInfo11
*r
,
2684 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2686 return NT_STATUS_OK
;
2689 /*************************************************************************
2691 *************************************************************************/
2693 static NTSTATUS
get_user_info_12(TALLOC_CTX
*mem_ctx
,
2694 struct samr_UserInfo12
*r
,
2697 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2699 return NT_STATUS_OK
;
2702 /*************************************************************************
2704 *************************************************************************/
2706 static NTSTATUS
get_user_info_13(TALLOC_CTX
*mem_ctx
,
2707 struct samr_UserInfo13
*r
,
2710 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2712 return NT_STATUS_OK
;
2715 /*************************************************************************
2717 *************************************************************************/
2719 static NTSTATUS
get_user_info_14(TALLOC_CTX
*mem_ctx
,
2720 struct samr_UserInfo14
*r
,
2723 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2725 return NT_STATUS_OK
;
2728 /*************************************************************************
2729 get_user_info_16. Safe. Only gives out acb bits.
2730 *************************************************************************/
2732 static NTSTATUS
get_user_info_16(TALLOC_CTX
*mem_ctx
,
2733 struct samr_UserInfo16
*r
,
2734 struct samu
*smbpass
)
2736 r
->acct_flags
= pdb_get_acct_ctrl(smbpass
);
2738 return NT_STATUS_OK
;
2741 /*************************************************************************
2743 *************************************************************************/
2745 static NTSTATUS
get_user_info_17(TALLOC_CTX
*mem_ctx
,
2746 struct samr_UserInfo17
*r
,
2749 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2751 return NT_STATUS_OK
;
2754 /*************************************************************************
2755 get_user_info_18. OK - this is the killer as it gives out password info.
2756 Ensure that this is only allowed on an encrypted connection with a root
2758 *************************************************************************/
2760 static NTSTATUS
get_user_info_18(struct pipes_struct
*p
,
2761 TALLOC_CTX
*mem_ctx
,
2762 struct samr_UserInfo18
*r
,
2763 struct dom_sid
*user_sid
)
2765 struct samu
*smbpass
=NULL
;
2767 const uint8_t *nt_pass
= NULL
;
2768 const uint8_t *lm_pass
= NULL
;
2772 if (security_token_is_system(p
->session_info
->security_token
)) {
2776 if ((p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_NTLMSSP
) ||
2777 (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_KRB5
) ||
2778 (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SPNEGO
)) {
2779 return NT_STATUS_ACCESS_DENIED
;
2782 if (p
->auth
.auth_level
!= DCERPC_AUTH_LEVEL_PRIVACY
) {
2783 return NT_STATUS_ACCESS_DENIED
;
2788 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2791 if ( !(smbpass
= samu_new( mem_ctx
)) ) {
2792 return NT_STATUS_NO_MEMORY
;
2795 ret
= pdb_getsampwsid(smbpass
, user_sid
);
2798 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid
)));
2799 TALLOC_FREE(smbpass
);
2800 return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER
: NT_STATUS_ACCESS_DENIED
;
2803 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass
), pdb_get_acct_ctrl(smbpass
) ));
2805 if ( pdb_get_acct_ctrl(smbpass
) & ACB_DISABLED
) {
2806 TALLOC_FREE(smbpass
);
2807 return NT_STATUS_ACCOUNT_DISABLED
;
2810 lm_pass
= pdb_get_lanman_passwd(smbpass
);
2811 if (lm_pass
!= NULL
) {
2812 memcpy(r
->lm_pwd
.hash
, lm_pass
, 16);
2813 r
->lm_pwd_active
= true;
2816 nt_pass
= pdb_get_nt_passwd(smbpass
);
2817 if (nt_pass
!= NULL
) {
2818 memcpy(r
->nt_pwd
.hash
, nt_pass
, 16);
2819 r
->nt_pwd_active
= true;
2821 r
->password_expired
= 0; /* FIXME */
2823 TALLOC_FREE(smbpass
);
2825 return NT_STATUS_OK
;
2828 /*************************************************************************
2830 *************************************************************************/
2832 static NTSTATUS
get_user_info_20(TALLOC_CTX
*mem_ctx
,
2833 struct samr_UserInfo20
*r
,
2834 struct samu
*sampass
)
2836 const char *munged_dial
= NULL
;
2839 struct lsa_BinaryString
*parameters
= NULL
;
2843 munged_dial
= pdb_get_munged_dial(sampass
);
2845 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass
),
2846 munged_dial
, (int)strlen(munged_dial
)));
2849 blob
= base64_decode_data_blob(munged_dial
);
2851 blob
= data_blob_string_const_null("");
2854 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2855 data_blob_free(&blob
);
2856 if (!NT_STATUS_IS_OK(status
)) {
2860 r
->parameters
= *parameters
;
2862 return NT_STATUS_OK
;
2866 /*************************************************************************
2868 *************************************************************************/
2870 static NTSTATUS
get_user_info_21(TALLOC_CTX
*mem_ctx
,
2871 struct samr_UserInfo21
*r
,
2873 struct dom_sid
*domain_sid
,
2874 uint32_t acc_granted
)
2877 const struct dom_sid
*sid_user
, *sid_group
;
2878 uint32_t rid
, primary_gid
;
2879 NTTIME force_password_change
;
2880 time_t must_change_time
;
2881 struct lsa_BinaryString
*parameters
= NULL
;
2882 const char *munged_dial
= NULL
;
2887 sid_user
= pdb_get_user_sid(pw
);
2889 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2890 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2891 "the domain sid %s. Failing operation.\n",
2892 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2893 sid_string_dbg(domain_sid
)));
2894 return NT_STATUS_UNSUCCESSFUL
;
2898 sid_group
= pdb_get_group_sid(pw
);
2901 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2902 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2903 "which conflicts with the domain sid %s. Failing operation.\n",
2904 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2905 sid_string_dbg(domain_sid
)));
2906 return NT_STATUS_UNSUCCESSFUL
;
2909 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2910 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2911 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2912 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2913 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2915 must_change_time
= pdb_get_pass_must_change_time(pw
);
2916 if (pdb_is_password_change_time_max(must_change_time
)) {
2917 unix_to_nt_time_abs(&force_password_change
, must_change_time
);
2919 unix_to_nt_time(&force_password_change
, must_change_time
);
2922 munged_dial
= pdb_get_munged_dial(pw
);
2924 blob
= base64_decode_data_blob(munged_dial
);
2926 blob
= data_blob_string_const_null("");
2929 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2930 data_blob_free(&blob
);
2931 if (!NT_STATUS_IS_OK(status
)) {
2935 r
->force_password_change
= force_password_change
;
2937 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2938 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2939 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2940 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2941 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2942 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2943 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2944 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2945 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2947 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2948 r
->parameters
= *parameters
;
2950 r
->primary_gid
= primary_gid
;
2951 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2952 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2953 r
->logon_count
= pdb_get_logon_count(pw
);
2954 r
->fields_present
= pdb_build_fields_present(pw
);
2955 r
->password_expired
= (pdb_get_pass_must_change_time(pw
) == 0) ?
2956 PASS_MUST_CHANGE_AT_NEXT_LOGON
: 0;
2957 r
->country_code
= pdb_get_country_code(pw
);
2958 r
->code_page
= pdb_get_code_page(pw
);
2959 r
->lm_password_set
= 0;
2960 r
->nt_password_set
= 0;
2965 Look at a user on a real NT4 PDC with usrmgr, press
2966 'ok'. Then you will see that fields_present is set to
2967 0x08f827fa. Look at the user immediately after that again,
2968 and you will see that 0x00fffff is returned. This solves
2969 the problem that you get access denied after having looked
2977 return NT_STATUS_OK
;
2980 /*******************************************************************
2982 ********************************************************************/
2984 NTSTATUS
_samr_QueryUserInfo(struct pipes_struct
*p
,
2985 struct samr_QueryUserInfo
*r
)
2988 union samr_UserInfo
*user_info
= NULL
;
2989 struct samr_user_info
*uinfo
;
2990 struct dom_sid domain_sid
;
2993 struct samu
*pwd
= NULL
;
2994 uint32_t acc_required
, acc_granted
;
2996 switch (r
->in
.level
) {
2997 case 1: /* UserGeneralInformation */
2998 /* USER_READ_GENERAL */
2999 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
;
3001 case 2: /* UserPreferencesInformation */
3002 /* USER_READ_PREFERENCES | USER_READ_GENERAL */
3003 acc_required
= SAMR_USER_ACCESS_GET_LOCALE
|
3004 SAMR_USER_ACCESS_GET_NAME_ETC
;
3006 case 3: /* UserLogonInformation */
3007 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
3008 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
|
3009 SAMR_USER_ACCESS_GET_LOCALE
|
3010 SAMR_USER_ACCESS_GET_LOGONINFO
|
3011 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3013 case 4: /* UserLogonHoursInformation */
3014 /* USER_READ_LOGON */
3015 acc_required
= SAMR_USER_ACCESS_GET_LOGONINFO
;
3017 case 5: /* UserAccountInformation */
3018 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
3019 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
|
3020 SAMR_USER_ACCESS_GET_LOCALE
|
3021 SAMR_USER_ACCESS_GET_LOGONINFO
|
3022 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3024 case 6: /* UserNameInformation */
3025 case 7: /* UserAccountNameInformation */
3026 case 8: /* UserFullNameInformation */
3027 case 9: /* UserPrimaryGroupInformation */
3028 case 13: /* UserAdminCommentInformation */
3029 /* USER_READ_GENERAL */
3030 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
;
3032 case 10: /* UserHomeInformation */
3033 case 11: /* UserScriptInformation */
3034 case 12: /* UserProfileInformation */
3035 case 14: /* UserWorkStationsInformation */
3036 /* USER_READ_LOGON */
3037 acc_required
= SAMR_USER_ACCESS_GET_LOGONINFO
;
3039 case 16: /* UserControlInformation */
3040 case 17: /* UserExpiresInformation */
3041 case 20: /* UserParametersInformation */
3042 /* USER_READ_ACCOUNT */
3043 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3045 case 21: /* UserAllInformation */
3047 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3049 case 18: /* UserInternal1Information */
3051 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3053 case 23: /* UserInternal4Information */
3054 case 24: /* UserInternal4InformationNew */
3055 case 25: /* UserInternal4InformationNew */
3056 case 26: /* UserInternal5InformationNew */
3058 return NT_STATUS_INVALID_INFO_CLASS
;
3062 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
3063 acc_required
, &acc_granted
,
3064 struct samr_user_info
, &status
);
3065 if (!NT_STATUS_IS_OK(status
)) {
3069 domain_sid
= uinfo
->sid
;
3071 sid_split_rid(&domain_sid
, &rid
);
3073 if (!sid_check_is_in_our_sam(&uinfo
->sid
))
3074 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3076 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
3077 sid_string_dbg(&uinfo
->sid
)));
3079 user_info
= talloc_zero(p
->mem_ctx
, union samr_UserInfo
);
3081 return NT_STATUS_NO_MEMORY
;
3084 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r
->in
.level
));
3086 if (!(pwd
= samu_new(p
->mem_ctx
))) {
3087 return NT_STATUS_NO_MEMORY
;
3091 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
3095 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo
->sid
)));
3097 return NT_STATUS_NO_SUCH_USER
;
3100 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd
)));
3102 samr_clear_sam_passwd(pwd
);
3104 switch (r
->in
.level
) {
3106 status
= get_user_info_1(p
->mem_ctx
, &user_info
->info1
, pwd
, &domain_sid
);
3109 status
= get_user_info_2(p
->mem_ctx
, &user_info
->info2
, pwd
);
3112 status
= get_user_info_3(p
->mem_ctx
, &user_info
->info3
, pwd
, &domain_sid
);
3115 status
= get_user_info_4(p
->mem_ctx
, &user_info
->info4
, pwd
);
3118 status
= get_user_info_5(p
->mem_ctx
, &user_info
->info5
, pwd
, &domain_sid
);
3121 status
= get_user_info_6(p
->mem_ctx
, &user_info
->info6
, pwd
);
3124 status
= get_user_info_7(p
->mem_ctx
, &user_info
->info7
, pwd
);
3127 status
= get_user_info_8(p
->mem_ctx
, &user_info
->info8
, pwd
);
3130 status
= get_user_info_9(p
->mem_ctx
, &user_info
->info9
, pwd
);
3133 status
= get_user_info_10(p
->mem_ctx
, &user_info
->info10
, pwd
);
3136 status
= get_user_info_11(p
->mem_ctx
, &user_info
->info11
, pwd
);
3139 status
= get_user_info_12(p
->mem_ctx
, &user_info
->info12
, pwd
);
3142 status
= get_user_info_13(p
->mem_ctx
, &user_info
->info13
, pwd
);
3145 status
= get_user_info_14(p
->mem_ctx
, &user_info
->info14
, pwd
);
3148 status
= get_user_info_16(p
->mem_ctx
, &user_info
->info16
, pwd
);
3151 status
= get_user_info_17(p
->mem_ctx
, &user_info
->info17
, pwd
);
3154 /* level 18 is special */
3155 status
= get_user_info_18(p
, p
->mem_ctx
, &user_info
->info18
,
3159 status
= get_user_info_20(p
->mem_ctx
, &user_info
->info20
, pwd
);
3162 status
= get_user_info_21(p
->mem_ctx
, &user_info
->info21
, pwd
, &domain_sid
, acc_granted
);
3165 status
= NT_STATUS_INVALID_INFO_CLASS
;
3169 if (!NT_STATUS_IS_OK(status
)) {
3173 *r
->out
.info
= user_info
;
3178 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__
));
3183 /****************************************************************
3184 ****************************************************************/
3186 NTSTATUS
_samr_QueryUserInfo2(struct pipes_struct
*p
,
3187 struct samr_QueryUserInfo2
*r
)
3189 struct samr_QueryUserInfo u
;
3191 u
.in
.user_handle
= r
->in
.user_handle
;
3192 u
.in
.level
= r
->in
.level
;
3193 u
.out
.info
= r
->out
.info
;
3195 return _samr_QueryUserInfo(p
, &u
);
3198 /*******************************************************************
3199 _samr_GetGroupsForUser
3200 ********************************************************************/
3202 NTSTATUS
_samr_GetGroupsForUser(struct pipes_struct
*p
,
3203 struct samr_GetGroupsForUser
*r
)
3205 struct samr_user_info
*uinfo
;
3206 struct samu
*sam_pass
=NULL
;
3207 struct dom_sid
*sids
;
3208 struct samr_RidWithAttribute dom_gid
;
3209 struct samr_RidWithAttribute
*gids
= NULL
;
3210 uint32 primary_group_rid
;
3211 uint32_t num_groups
= 0;
3213 uint32_t i
, num_gids
;
3216 bool success
= False
;
3218 struct samr_RidWithAttributeArray
*rids
= NULL
;
3221 * from the SID in the request:
3222 * we should send back the list of DOMAIN GROUPS
3223 * the user is a member of
3225 * and only the DOMAIN GROUPS
3226 * no ALIASES !!! neither aliases of the domain
3227 * nor aliases of the builtin SID
3232 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
3234 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
3235 SAMR_USER_ACCESS_GET_GROUPS
, NULL
,
3236 struct samr_user_info
, &result
);
3237 if (!NT_STATUS_IS_OK(result
)) {
3241 rids
= talloc_zero(p
->mem_ctx
, struct samr_RidWithAttributeArray
);
3243 return NT_STATUS_NO_MEMORY
;
3246 if (!sid_check_is_in_our_sam(&uinfo
->sid
))
3247 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3249 if ( !(sam_pass
= samu_new( p
->mem_ctx
)) ) {
3250 return NT_STATUS_NO_MEMORY
;
3254 ret
= pdb_getsampwsid(sam_pass
, &uinfo
->sid
);
3258 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3259 sid_string_dbg(&uinfo
->sid
)));
3260 return NT_STATUS_NO_SUCH_USER
;
3265 /* make both calls inside the root block */
3267 result
= pdb_enum_group_memberships(p
->mem_ctx
, sam_pass
,
3268 &sids
, &unix_gids
, &num_groups
);
3269 if ( NT_STATUS_IS_OK(result
) ) {
3270 success
= sid_peek_check_rid(get_global_sam_sid(),
3271 pdb_get_group_sid(sam_pass
),
3272 &primary_group_rid
);
3276 if (!NT_STATUS_IS_OK(result
)) {
3277 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3278 sid_string_dbg(&uinfo
->sid
)));
3283 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3284 sid_string_dbg(pdb_get_group_sid(sam_pass
)),
3285 pdb_get_username(sam_pass
)));
3286 TALLOC_FREE(sam_pass
);
3287 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
3293 dom_gid
.attributes
= (SE_GROUP_MANDATORY
|SE_GROUP_ENABLED_BY_DEFAULT
|
3295 dom_gid
.rid
= primary_group_rid
;
3296 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
3298 for (i
=0; i
<num_groups
; i
++) {
3300 if (!sid_peek_check_rid(get_global_sam_sid(),
3301 &(sids
[i
]), &dom_gid
.rid
)) {
3302 DEBUG(10, ("Found sid %s not in our domain\n",
3303 sid_string_dbg(&sids
[i
])));
3307 if (dom_gid
.rid
== primary_group_rid
) {
3308 /* We added the primary group directly from the
3309 * sam_account. The other SIDs are unique from
3310 * enum_group_memberships */
3314 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
3317 rids
->count
= num_gids
;
3320 *r
->out
.rids
= rids
;
3322 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
3327 /*******************************************************************
3328 ********************************************************************/
3330 static uint32_t samr_get_server_role(void)
3332 uint32_t role
= ROLE_DOMAIN_PDC
;
3334 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
3335 role
= ROLE_DOMAIN_BDC
;
3341 /*******************************************************************
3342 ********************************************************************/
3344 static NTSTATUS
query_dom_info_1(TALLOC_CTX
*mem_ctx
,
3345 struct samr_DomInfo1
*r
)
3347 uint32_t account_policy_temp
;
3348 time_t u_expire
, u_min_age
;
3354 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
, &account_policy_temp
);
3355 r
->min_password_length
= account_policy_temp
;
3357 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &account_policy_temp
);
3358 r
->password_history_length
= account_policy_temp
;
3360 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
3361 &r
->password_properties
);
3363 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE
, &account_policy_temp
);
3364 u_expire
= account_policy_temp
;
3366 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE
, &account_policy_temp
);
3367 u_min_age
= account_policy_temp
;
3373 unix_to_nt_time_abs((NTTIME
*)&r
->max_password_age
, u_expire
);
3374 unix_to_nt_time_abs((NTTIME
*)&r
->min_password_age
, u_min_age
);
3376 if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
3377 r
->password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
3380 return NT_STATUS_OK
;
3383 /*******************************************************************
3384 ********************************************************************/
3386 static NTSTATUS
query_dom_info_2(TALLOC_CTX
*mem_ctx
,
3387 struct samr_DomGeneralInformation
*r
,
3388 struct samr_domain_info
*dinfo
)
3397 r
->num_users
= count_sam_users(dinfo
->disp_info
, ACB_NORMAL
);
3398 r
->num_groups
= count_sam_groups(dinfo
->disp_info
);
3399 r
->num_aliases
= count_sam_aliases(dinfo
->disp_info
);
3401 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT
, &u_logout
);
3403 unix_to_nt_time_abs(&r
->force_logoff_time
, u_logout
);
3405 if (!pdb_get_seq_num(&seq_num
)) {
3406 seq_num
= time(NULL
);
3413 r
->oem_information
.string
= lp_server_string(r
);
3414 r
->domain_name
.string
= lp_workgroup();
3415 r
->primary
.string
= lp_netbios_name();
3416 r
->sequence_num
= seq_num
;
3417 r
->domain_server_state
= DOMAIN_SERVER_ENABLED
;
3418 r
->role
= (enum samr_Role
) samr_get_server_role();
3421 return NT_STATUS_OK
;
3424 /*******************************************************************
3425 ********************************************************************/
3427 static NTSTATUS
query_dom_info_3(TALLOC_CTX
*mem_ctx
,
3428 struct samr_DomInfo3
*r
)
3438 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT
, &ul
);
3439 u_logout
= (time_t)ul
;
3446 unix_to_nt_time_abs(&r
->force_logoff_time
, u_logout
);
3448 return NT_STATUS_OK
;
3451 /*******************************************************************
3452 ********************************************************************/
3454 static NTSTATUS
query_dom_info_4(TALLOC_CTX
*mem_ctx
,
3455 struct samr_DomOEMInformation
*r
)
3457 r
->oem_information
.string
= lp_server_string(r
);
3459 return NT_STATUS_OK
;
3462 /*******************************************************************
3463 ********************************************************************/
3465 static NTSTATUS
query_dom_info_5(TALLOC_CTX
*mem_ctx
,
3466 struct samr_DomInfo5
*r
)
3468 r
->domain_name
.string
= get_global_sam_name();
3470 return NT_STATUS_OK
;
3473 /*******************************************************************
3474 ********************************************************************/
3476 static NTSTATUS
query_dom_info_6(TALLOC_CTX
*mem_ctx
,
3477 struct samr_DomInfo6
*r
)
3479 /* NT returns its own name when a PDC. win2k and later
3480 * only the name of the PDC if itself is a BDC (samba4
3482 r
->primary
.string
= lp_netbios_name();
3484 return NT_STATUS_OK
;
3487 /*******************************************************************
3488 ********************************************************************/
3490 static NTSTATUS
query_dom_info_7(TALLOC_CTX
*mem_ctx
,
3491 struct samr_DomInfo7
*r
)
3493 r
->role
= (enum samr_Role
) samr_get_server_role();
3495 return NT_STATUS_OK
;
3498 /*******************************************************************
3499 ********************************************************************/
3501 static NTSTATUS
query_dom_info_8(TALLOC_CTX
*mem_ctx
,
3502 struct samr_DomInfo8
*r
)
3510 if (!pdb_get_seq_num(&seq_num
)) {
3511 seq_num
= time(NULL
);
3518 r
->sequence_num
= seq_num
;
3519 r
->domain_create_time
= 0;
3521 return NT_STATUS_OK
;
3524 /*******************************************************************
3525 ********************************************************************/
3527 static NTSTATUS
query_dom_info_9(TALLOC_CTX
*mem_ctx
,
3528 struct samr_DomInfo9
*r
)
3530 r
->domain_server_state
= DOMAIN_SERVER_ENABLED
;
3532 return NT_STATUS_OK
;
3535 /*******************************************************************
3536 ********************************************************************/
3538 static NTSTATUS
query_dom_info_11(TALLOC_CTX
*mem_ctx
,
3539 struct samr_DomGeneralInformation2
*r
,
3540 struct samr_domain_info
*dinfo
)
3543 uint32_t account_policy_temp
;
3544 time_t u_lock_duration
, u_reset_time
;
3546 status
= query_dom_info_2(mem_ctx
, &r
->general
, dinfo
);
3547 if (!NT_STATUS_IS_OK(status
)) {
3555 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
3556 u_lock_duration
= account_policy_temp
;
3557 if (u_lock_duration
!= -1) {
3558 u_lock_duration
*= 60;
3561 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME
, &account_policy_temp
);
3562 u_reset_time
= account_policy_temp
* 60;
3564 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
, &account_policy_temp
);
3565 r
->lockout_threshold
= account_policy_temp
;
3571 unix_to_nt_time_abs(&r
->lockout_duration
, u_lock_duration
);
3572 unix_to_nt_time_abs(&r
->lockout_window
, u_reset_time
);
3574 return NT_STATUS_OK
;
3577 /*******************************************************************
3578 ********************************************************************/
3580 static NTSTATUS
query_dom_info_12(TALLOC_CTX
*mem_ctx
,
3581 struct samr_DomInfo12
*r
)
3583 uint32_t account_policy_temp
;
3584 time_t u_lock_duration
, u_reset_time
;
3590 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
3591 u_lock_duration
= account_policy_temp
;
3592 if (u_lock_duration
!= -1) {
3593 u_lock_duration
*= 60;
3596 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME
, &account_policy_temp
);
3597 u_reset_time
= account_policy_temp
* 60;
3599 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
, &account_policy_temp
);
3600 r
->lockout_threshold
= account_policy_temp
;
3606 unix_to_nt_time_abs(&r
->lockout_duration
, u_lock_duration
);
3607 unix_to_nt_time_abs(&r
->lockout_window
, u_reset_time
);
3609 return NT_STATUS_OK
;
3612 /*******************************************************************
3613 ********************************************************************/
3615 static NTSTATUS
query_dom_info_13(TALLOC_CTX
*mem_ctx
,
3616 struct samr_DomInfo13
*r
)
3624 if (!pdb_get_seq_num(&seq_num
)) {
3625 seq_num
= time(NULL
);
3632 r
->sequence_num
= seq_num
;
3633 r
->domain_create_time
= 0;
3634 r
->modified_count_at_last_promotion
= 0;
3636 return NT_STATUS_OK
;
3639 /*******************************************************************
3640 _samr_QueryDomainInfo
3641 ********************************************************************/
3643 NTSTATUS
_samr_QueryDomainInfo(struct pipes_struct
*p
,
3644 struct samr_QueryDomainInfo
*r
)
3646 NTSTATUS status
= NT_STATUS_OK
;
3647 struct samr_domain_info
*dinfo
;
3648 union samr_DomainInfo
*dom_info
;
3650 uint32_t acc_required
;
3652 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
3654 switch (r
->in
.level
) {
3655 case 1: /* DomainPasswordInformation */
3656 case 12: /* DomainLockoutInformation */
3657 /* DOMAIN_READ_PASSWORD_PARAMETERS */
3658 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
;
3660 case 11: /* DomainGeneralInformation2 */
3661 /* DOMAIN_READ_PASSWORD_PARAMETERS |
3662 * DOMAIN_READ_OTHER_PARAMETERS */
3663 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
|
3664 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
;
3666 case 2: /* DomainGeneralInformation */
3667 case 3: /* DomainLogoffInformation */
3668 case 4: /* DomainOemInformation */
3669 case 5: /* DomainReplicationInformation */
3670 case 6: /* DomainReplicationInformation */
3671 case 7: /* DomainServerRoleInformation */
3672 case 8: /* DomainModifiedInformation */
3673 case 9: /* DomainStateInformation */
3674 case 10: /* DomainUasInformation */
3675 case 13: /* DomainModifiedInformation2 */
3676 /* DOMAIN_READ_OTHER_PARAMETERS */
3677 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
;
3680 return NT_STATUS_INVALID_INFO_CLASS
;
3683 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
3685 struct samr_domain_info
, &status
);
3686 if (!NT_STATUS_IS_OK(status
)) {
3690 dom_info
= talloc_zero(p
->mem_ctx
, union samr_DomainInfo
);
3692 return NT_STATUS_NO_MEMORY
;
3695 switch (r
->in
.level
) {
3697 status
= query_dom_info_1(p
->mem_ctx
, &dom_info
->info1
);
3700 status
= query_dom_info_2(p
->mem_ctx
, &dom_info
->general
, dinfo
);
3703 status
= query_dom_info_3(p
->mem_ctx
, &dom_info
->info3
);
3706 status
= query_dom_info_4(p
->mem_ctx
, &dom_info
->oem
);
3709 status
= query_dom_info_5(p
->mem_ctx
, &dom_info
->info5
);
3712 status
= query_dom_info_6(p
->mem_ctx
, &dom_info
->info6
);
3715 status
= query_dom_info_7(p
->mem_ctx
, &dom_info
->info7
);
3718 status
= query_dom_info_8(p
->mem_ctx
, &dom_info
->info8
);
3721 status
= query_dom_info_9(p
->mem_ctx
, &dom_info
->info9
);
3724 status
= query_dom_info_11(p
->mem_ctx
, &dom_info
->general2
, dinfo
);
3727 status
= query_dom_info_12(p
->mem_ctx
, &dom_info
->info12
);
3730 status
= query_dom_info_13(p
->mem_ctx
, &dom_info
->info13
);
3733 return NT_STATUS_INVALID_INFO_CLASS
;
3736 if (!NT_STATUS_IS_OK(status
)) {
3740 *r
->out
.info
= dom_info
;
3742 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
3747 /* W2k3 seems to use the same check for all 3 objects that can be created via
3748 * SAMR, if you try to create for example "Dialup" as an alias it says
3749 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3752 static NTSTATUS
can_create(TALLOC_CTX
*mem_ctx
, const char *new_name
)
3754 enum lsa_SidType type
;
3757 DEBUG(10, ("Checking whether [%s] can be created\n", new_name
));
3760 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3761 * whether the name already exists */
3762 result
= lookup_name(mem_ctx
, new_name
, LOOKUP_NAME_LOCAL
,
3763 NULL
, NULL
, NULL
, &type
);
3767 DEBUG(10, ("%s does not exist, can create it\n", new_name
));
3768 return NT_STATUS_OK
;
3771 DEBUG(5, ("trying to create %s, exists as %s\n",
3772 new_name
, sid_type_lookup(type
)));
3774 if (type
== SID_NAME_DOM_GRP
) {
3775 return NT_STATUS_GROUP_EXISTS
;
3777 if (type
== SID_NAME_ALIAS
) {
3778 return NT_STATUS_ALIAS_EXISTS
;
3781 /* Yes, the default is NT_STATUS_USER_EXISTS */
3782 return NT_STATUS_USER_EXISTS
;
3785 /*******************************************************************
3787 ********************************************************************/
3789 NTSTATUS
_samr_CreateUser2(struct pipes_struct
*p
,
3790 struct samr_CreateUser2
*r
)
3792 const char *account
= NULL
;
3794 uint32_t acb_info
= r
->in
.acct_flags
;
3795 struct samr_domain_info
*dinfo
;
3796 struct samr_user_info
*uinfo
;
3799 struct security_descriptor
*psd
;
3801 /* check this, when giving away 'add computer to domain' privs */
3802 uint32 des_access
= GENERIC_RIGHTS_USER_ALL_ACCESS
;
3803 bool can_add_account
= False
;
3805 /* Which privilege is needed to override the ACL? */
3806 enum sec_privilege needed_priv
= SEC_PRIV_INVALID
;
3808 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
3809 SAMR_DOMAIN_ACCESS_CREATE_USER
, NULL
,
3810 struct samr_domain_info
, &nt_status
);
3811 if (!NT_STATUS_IS_OK(nt_status
)) {
3815 if (sid_check_is_builtin(&dinfo
->sid
)) {
3816 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3817 return NT_STATUS_ACCESS_DENIED
;
3820 if (!(acb_info
== ACB_NORMAL
|| acb_info
== ACB_DOMTRUST
||
3821 acb_info
== ACB_WSTRUST
|| acb_info
== ACB_SVRTRUST
)) {
3822 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3823 this parameter is not an account type */
3824 return NT_STATUS_INVALID_PARAMETER
;
3827 account
= r
->in
.account_name
->string
;
3828 if (account
== NULL
) {
3829 return NT_STATUS_NO_MEMORY
;
3832 nt_status
= can_create(p
->mem_ctx
, account
);
3833 if (!NT_STATUS_IS_OK(nt_status
)) {
3837 /* determine which user right we need to check based on the acb_info */
3839 if (geteuid() == sec_initial_uid()) {
3840 can_add_account
= true;
3841 } else if (acb_info
& ACB_WSTRUST
) {
3842 needed_priv
= SEC_PRIV_MACHINE_ACCOUNT
;
3843 can_add_account
= security_token_has_privilege(p
->session_info
->security_token
, SEC_PRIV_MACHINE_ACCOUNT
);
3844 } else if (acb_info
& ACB_NORMAL
&&
3845 (account
[strlen(account
)-1] != '$')) {
3846 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3847 account for domain trusts and changes the ACB flags later */
3848 needed_priv
= SEC_PRIV_ADD_USERS
;
3849 can_add_account
= security_token_has_privilege(p
->session_info
->security_token
, SEC_PRIV_ADD_USERS
);
3850 } else if (lp_enable_privileges()) {
3851 /* implicit assumption of a BDC or domain trust account here
3852 * (we already check the flags earlier) */
3853 /* only Domain Admins can add a BDC or domain trust */
3854 can_add_account
= nt_token_check_domain_rid(
3855 p
->session_info
->security_token
,
3856 DOMAIN_RID_ADMINS
);
3859 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3860 uidtoname(p
->session_info
->unix_token
->uid
),
3861 can_add_account
? "True":"False" ));
3863 if (!can_add_account
) {
3864 return NT_STATUS_ACCESS_DENIED
;
3867 /********** BEGIN Admin BLOCK **********/
3870 nt_status
= pdb_create_user(p
->mem_ctx
, account
, acb_info
,
3874 /********** END Admin BLOCK **********/
3876 /* now check for failure */
3878 if ( !NT_STATUS_IS_OK(nt_status
) )
3881 /* Get the user's SID */
3883 sid_compose(&sid
, get_global_sam_sid(), *r
->out
.rid
);
3885 map_max_allowed_access(p
->session_info
->security_token
,
3886 p
->session_info
->unix_token
,
3889 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
,
3890 &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
3891 se_map_generic(&des_access
, &usr_generic_mapping
);
3894 * JRA - TESTME. We just created this user so we
3895 * had rights to create them. Do we need to check
3896 * any further access on this object ? Can't we
3897 * just assume we have all the rights we need ?
3900 nt_status
= access_check_object(psd
, p
->session_info
->security_token
,
3901 needed_priv
, SEC_PRIV_INVALID
,
3902 GENERIC_RIGHTS_USER_WRITE
, des_access
,
3903 &acc_granted
, "_samr_CreateUser2");
3905 if ( !NT_STATUS_IS_OK(nt_status
) ) {
3909 uinfo
= policy_handle_create(p
, r
->out
.user_handle
, acc_granted
,
3910 struct samr_user_info
, &nt_status
);
3911 if (!NT_STATUS_IS_OK(nt_status
)) {
3916 /* After a "set" ensure we have no cached display info. */
3917 force_flush_samr_cache(&sid
);
3919 *r
->out
.access_granted
= acc_granted
;
3921 return NT_STATUS_OK
;
3924 /****************************************************************
3925 ****************************************************************/
3927 NTSTATUS
_samr_CreateUser(struct pipes_struct
*p
,
3928 struct samr_CreateUser
*r
)
3930 struct samr_CreateUser2 c
;
3931 uint32_t access_granted
;
3933 c
.in
.domain_handle
= r
->in
.domain_handle
;
3934 c
.in
.account_name
= r
->in
.account_name
;
3935 c
.in
.acct_flags
= ACB_NORMAL
;
3936 c
.in
.access_mask
= r
->in
.access_mask
;
3937 c
.out
.user_handle
= r
->out
.user_handle
;
3938 c
.out
.access_granted
= &access_granted
;
3939 c
.out
.rid
= r
->out
.rid
;
3941 return _samr_CreateUser2(p
, &c
);
3944 /*******************************************************************
3946 ********************************************************************/
3948 NTSTATUS
_samr_Connect(struct pipes_struct
*p
,
3949 struct samr_Connect
*r
)
3951 uint32_t acc_granted
;
3952 struct policy_handle hnd
;
3953 uint32 des_access
= r
->in
.access_mask
;
3958 if (!pipe_access_check(p
)) {
3959 DEBUG(3, ("access denied to _samr_Connect\n"));
3960 return NT_STATUS_ACCESS_DENIED
;
3963 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3964 was observed from a win98 client trying to enumerate users (when configured
3965 user level access control on shares) --jerry */
3967 map_max_allowed_access(p
->session_info
->security_token
,
3968 p
->session_info
->unix_token
,
3971 se_map_generic( &des_access
, &sam_generic_mapping
);
3973 acc_granted
= des_access
& (SAMR_ACCESS_ENUM_DOMAINS
3974 |SAMR_ACCESS_LOOKUP_DOMAIN
);
3976 /* set up the SAMR connect_anon response */
3978 (void)policy_handle_create(p
, &hnd
, acc_granted
,
3979 struct samr_connect_info
,
3981 if (!NT_STATUS_IS_OK(status
)) {
3985 *r
->out
.connect_handle
= hnd
;
3986 return NT_STATUS_OK
;
3989 /*******************************************************************
3991 ********************************************************************/
3993 NTSTATUS
_samr_Connect2(struct pipes_struct
*p
,
3994 struct samr_Connect2
*r
)
3996 struct policy_handle hnd
;
3997 struct security_descriptor
*psd
= NULL
;
3999 uint32 des_access
= r
->in
.access_mask
;
4002 const char *fn
= "_samr_Connect2";
4005 case NDR_SAMR_CONNECT2
:
4006 fn
= "_samr_Connect2";
4008 case NDR_SAMR_CONNECT3
:
4009 fn
= "_samr_Connect3";
4011 case NDR_SAMR_CONNECT4
:
4012 fn
= "_samr_Connect4";
4014 case NDR_SAMR_CONNECT5
:
4015 fn
= "_samr_Connect5";
4019 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
4023 if (!pipe_access_check(p
)) {
4024 DEBUG(3, ("access denied to %s\n", fn
));
4025 return NT_STATUS_ACCESS_DENIED
;
4028 map_max_allowed_access(p
->session_info
->security_token
,
4029 p
->session_info
->unix_token
,
4032 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &sam_generic_mapping
, NULL
, 0);
4033 se_map_generic(&des_access
, &sam_generic_mapping
);
4035 nt_status
= access_check_object(psd
, p
->session_info
->security_token
,
4036 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
,
4037 0, des_access
, &acc_granted
, fn
);
4039 if ( !NT_STATUS_IS_OK(nt_status
) )
4042 (void)policy_handle_create(p
, &hnd
, acc_granted
,
4043 struct samr_connect_info
, &nt_status
);
4044 if (!NT_STATUS_IS_OK(nt_status
)) {
4048 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
4050 *r
->out
.connect_handle
= hnd
;
4051 return NT_STATUS_OK
;
4054 /****************************************************************
4056 ****************************************************************/
4058 NTSTATUS
_samr_Connect3(struct pipes_struct
*p
,
4059 struct samr_Connect3
*r
)
4061 struct samr_Connect2 c
;
4063 c
.in
.system_name
= r
->in
.system_name
;
4064 c
.in
.access_mask
= r
->in
.access_mask
;
4065 c
.out
.connect_handle
= r
->out
.connect_handle
;
4067 return _samr_Connect2(p
, &c
);
4070 /*******************************************************************
4072 ********************************************************************/
4074 NTSTATUS
_samr_Connect4(struct pipes_struct
*p
,
4075 struct samr_Connect4
*r
)
4077 struct samr_Connect2 c
;
4079 c
.in
.system_name
= r
->in
.system_name
;
4080 c
.in
.access_mask
= r
->in
.access_mask
;
4081 c
.out
.connect_handle
= r
->out
.connect_handle
;
4083 return _samr_Connect2(p
, &c
);
4086 /*******************************************************************
4088 ********************************************************************/
4090 NTSTATUS
_samr_Connect5(struct pipes_struct
*p
,
4091 struct samr_Connect5
*r
)
4094 struct samr_Connect2 c
;
4095 struct samr_ConnectInfo1 info1
;
4097 info1
.client_version
= SAMR_CONNECT_AFTER_W2K
;
4100 c
.in
.system_name
= r
->in
.system_name
;
4101 c
.in
.access_mask
= r
->in
.access_mask
;
4102 c
.out
.connect_handle
= r
->out
.connect_handle
;
4104 *r
->out
.level_out
= 1;
4106 status
= _samr_Connect2(p
, &c
);
4107 if (!NT_STATUS_IS_OK(status
)) {
4111 r
->out
.info_out
->info1
= info1
;
4113 return NT_STATUS_OK
;
4116 /**********************************************************************
4118 **********************************************************************/
4120 NTSTATUS
_samr_LookupDomain(struct pipes_struct
*p
,
4121 struct samr_LookupDomain
*r
)
4124 const char *domain_name
;
4125 struct dom_sid
*sid
= NULL
;
4127 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
4128 Reverted that change so we will work with RAS servers again */
4130 (void)policy_handle_find(p
, r
->in
.connect_handle
,
4131 SAMR_ACCESS_LOOKUP_DOMAIN
, NULL
,
4132 struct samr_connect_info
,
4134 if (!NT_STATUS_IS_OK(status
)) {
4138 domain_name
= r
->in
.domain_name
->string
;
4140 return NT_STATUS_INVALID_PARAMETER
;
4143 sid
= talloc_zero(p
->mem_ctx
, struct dom_sid2
);
4145 return NT_STATUS_NO_MEMORY
;
4148 if (strequal(domain_name
, builtin_domain_name())) {
4149 sid_copy(sid
, &global_sid_Builtin
);
4151 if (!secrets_fetch_domain_sid(domain_name
, sid
)) {
4152 status
= NT_STATUS_NO_SUCH_DOMAIN
;
4156 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name
,
4157 sid_string_dbg(sid
)));
4164 /**********************************************************************
4166 **********************************************************************/
4168 NTSTATUS
_samr_EnumDomains(struct pipes_struct
*p
,
4169 struct samr_EnumDomains
*r
)
4172 uint32_t num_entries
= 2;
4173 struct samr_SamEntry
*entry_array
= NULL
;
4174 struct samr_SamArray
*sam
;
4176 (void)policy_handle_find(p
, r
->in
.connect_handle
,
4177 SAMR_ACCESS_ENUM_DOMAINS
, NULL
,
4178 struct samr_connect_info
, &status
);
4179 if (!NT_STATUS_IS_OK(status
)) {
4183 sam
= talloc_zero(p
->mem_ctx
, struct samr_SamArray
);
4185 return NT_STATUS_NO_MEMORY
;
4188 entry_array
= talloc_zero_array(p
->mem_ctx
,
4189 struct samr_SamEntry
,
4192 return NT_STATUS_NO_MEMORY
;
4195 entry_array
[0].idx
= 0;
4196 init_lsa_String(&entry_array
[0].name
, get_global_sam_name());
4198 entry_array
[1].idx
= 1;
4199 init_lsa_String(&entry_array
[1].name
, "Builtin");
4201 sam
->count
= num_entries
;
4202 sam
->entries
= entry_array
;
4205 *r
->out
.num_entries
= num_entries
;
4210 /*******************************************************************
4212 ********************************************************************/
4214 NTSTATUS
_samr_OpenAlias(struct pipes_struct
*p
,
4215 struct samr_OpenAlias
*r
)
4218 uint32 alias_rid
= r
->in
.rid
;
4219 struct samr_alias_info
*ainfo
;
4220 struct samr_domain_info
*dinfo
;
4221 struct security_descriptor
*psd
= NULL
;
4223 uint32 des_access
= r
->in
.access_mask
;
4227 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
4228 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
4229 struct samr_domain_info
, &status
);
4230 if (!NT_STATUS_IS_OK(status
)) {
4234 /* append the alias' RID to it */
4236 if (!sid_compose(&sid
, &dinfo
->sid
, alias_rid
))
4237 return NT_STATUS_NO_SUCH_ALIAS
;
4239 /*check if access can be granted as requested by client. */
4241 map_max_allowed_access(p
->session_info
->security_token
,
4242 p
->session_info
->unix_token
,
4245 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &ali_generic_mapping
, NULL
, 0);
4246 se_map_generic(&des_access
,&ali_generic_mapping
);
4248 status
= access_check_object(psd
, p
->session_info
->security_token
,
4249 SEC_PRIV_ADD_USERS
, SEC_PRIV_INVALID
,
4250 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
,
4251 des_access
, &acc_granted
, "_samr_OpenAlias");
4253 if ( !NT_STATUS_IS_OK(status
) )
4257 /* Check we actually have the requested alias */
4258 enum lsa_SidType type
;
4263 result
= lookup_sid(NULL
, &sid
, NULL
, NULL
, &type
);
4266 if (!result
|| (type
!= SID_NAME_ALIAS
)) {
4267 return NT_STATUS_NO_SUCH_ALIAS
;
4270 /* make sure there is a mapping */
4272 if ( !sid_to_gid( &sid
, &gid
) ) {
4273 return NT_STATUS_NO_SUCH_ALIAS
;
4278 ainfo
= policy_handle_create(p
, r
->out
.alias_handle
, acc_granted
,
4279 struct samr_alias_info
, &status
);
4280 if (!NT_STATUS_IS_OK(status
)) {
4285 return NT_STATUS_OK
;
4288 /*******************************************************************
4290 ********************************************************************/
4292 static NTSTATUS
set_user_info_2(TALLOC_CTX
*mem_ctx
,
4293 struct samr_UserInfo2
*id2
,
4297 DEBUG(5,("set_user_info_2: NULL id2\n"));
4298 return NT_STATUS_ACCESS_DENIED
;
4301 copy_id2_to_sam_passwd(pwd
, id2
);
4303 return pdb_update_sam_account(pwd
);
4306 /*******************************************************************
4308 ********************************************************************/
4310 static NTSTATUS
set_user_info_4(TALLOC_CTX
*mem_ctx
,
4311 struct samr_UserInfo4
*id4
,
4315 DEBUG(5,("set_user_info_2: NULL id4\n"));
4316 return NT_STATUS_ACCESS_DENIED
;
4319 copy_id4_to_sam_passwd(pwd
, id4
);
4321 return pdb_update_sam_account(pwd
);
4324 /*******************************************************************
4326 ********************************************************************/
4328 static NTSTATUS
set_user_info_6(TALLOC_CTX
*mem_ctx
,
4329 struct samr_UserInfo6
*id6
,
4333 DEBUG(5,("set_user_info_6: NULL id6\n"));
4334 return NT_STATUS_ACCESS_DENIED
;
4337 copy_id6_to_sam_passwd(pwd
, id6
);
4339 return pdb_update_sam_account(pwd
);
4342 /*******************************************************************
4344 ********************************************************************/
4346 static NTSTATUS
set_user_info_7(TALLOC_CTX
*mem_ctx
,
4347 struct samr_UserInfo7
*id7
,
4353 DEBUG(5, ("set_user_info_7: NULL id7\n"));
4354 return NT_STATUS_ACCESS_DENIED
;
4357 if (!id7
->account_name
.string
) {
4358 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
4359 return NT_STATUS_ACCESS_DENIED
;
4362 /* check to see if the new username already exists. Note: we can't
4363 reliably lock all backends, so there is potentially the
4364 possibility that a user can be created in between this check and
4365 the rename. The rename should fail, but may not get the
4366 exact same failure status code. I think this is small enough
4367 of a window for this type of operation and the results are
4368 simply that the rename fails with a slightly different status
4369 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4371 rc
= can_create(mem_ctx
, id7
->account_name
.string
);
4373 /* when there is nothing to change, we're done here */
4374 if (NT_STATUS_EQUAL(rc
, NT_STATUS_USER_EXISTS
) &&
4375 strequal(id7
->account_name
.string
, pdb_get_username(pwd
))) {
4376 return NT_STATUS_OK
;
4378 if (!NT_STATUS_IS_OK(rc
)) {
4382 rc
= pdb_rename_sam_account(pwd
, id7
->account_name
.string
);
4387 /*******************************************************************
4389 ********************************************************************/
4391 static NTSTATUS
set_user_info_8(TALLOC_CTX
*mem_ctx
,
4392 struct samr_UserInfo8
*id8
,
4396 DEBUG(5,("set_user_info_8: NULL id8\n"));
4397 return NT_STATUS_ACCESS_DENIED
;
4400 copy_id8_to_sam_passwd(pwd
, id8
);
4402 return pdb_update_sam_account(pwd
);
4405 /*******************************************************************
4407 ********************************************************************/
4409 static NTSTATUS
set_user_info_10(TALLOC_CTX
*mem_ctx
,
4410 struct samr_UserInfo10
*id10
,
4414 DEBUG(5,("set_user_info_8: NULL id10\n"));
4415 return NT_STATUS_ACCESS_DENIED
;
4418 copy_id10_to_sam_passwd(pwd
, id10
);
4420 return pdb_update_sam_account(pwd
);
4423 /*******************************************************************
4425 ********************************************************************/
4427 static NTSTATUS
set_user_info_11(TALLOC_CTX
*mem_ctx
,
4428 struct samr_UserInfo11
*id11
,
4432 DEBUG(5,("set_user_info_11: NULL id11\n"));
4433 return NT_STATUS_ACCESS_DENIED
;
4436 copy_id11_to_sam_passwd(pwd
, id11
);
4438 return pdb_update_sam_account(pwd
);
4441 /*******************************************************************
4443 ********************************************************************/
4445 static NTSTATUS
set_user_info_12(TALLOC_CTX
*mem_ctx
,
4446 struct samr_UserInfo12
*id12
,
4450 DEBUG(5,("set_user_info_12: NULL id12\n"));
4451 return NT_STATUS_ACCESS_DENIED
;
4454 copy_id12_to_sam_passwd(pwd
, id12
);
4456 return pdb_update_sam_account(pwd
);
4459 /*******************************************************************
4461 ********************************************************************/
4463 static NTSTATUS
set_user_info_13(TALLOC_CTX
*mem_ctx
,
4464 struct samr_UserInfo13
*id13
,
4468 DEBUG(5,("set_user_info_13: NULL id13\n"));
4469 return NT_STATUS_ACCESS_DENIED
;
4472 copy_id13_to_sam_passwd(pwd
, id13
);
4474 return pdb_update_sam_account(pwd
);
4477 /*******************************************************************
4479 ********************************************************************/
4481 static NTSTATUS
set_user_info_14(TALLOC_CTX
*mem_ctx
,
4482 struct samr_UserInfo14
*id14
,
4486 DEBUG(5,("set_user_info_14: NULL id14\n"));
4487 return NT_STATUS_ACCESS_DENIED
;
4490 copy_id14_to_sam_passwd(pwd
, id14
);
4492 return pdb_update_sam_account(pwd
);
4495 /*******************************************************************
4497 ********************************************************************/
4499 static NTSTATUS
set_user_info_16(TALLOC_CTX
*mem_ctx
,
4500 struct samr_UserInfo16
*id16
,
4504 DEBUG(5,("set_user_info_16: NULL id16\n"));
4505 return NT_STATUS_ACCESS_DENIED
;
4508 copy_id16_to_sam_passwd(pwd
, id16
);
4510 return pdb_update_sam_account(pwd
);
4513 /*******************************************************************
4515 ********************************************************************/
4517 static NTSTATUS
set_user_info_17(TALLOC_CTX
*mem_ctx
,
4518 struct samr_UserInfo17
*id17
,
4522 DEBUG(5,("set_user_info_17: NULL id17\n"));
4523 return NT_STATUS_ACCESS_DENIED
;
4526 copy_id17_to_sam_passwd(pwd
, id17
);
4528 return pdb_update_sam_account(pwd
);
4531 /*******************************************************************
4533 ********************************************************************/
4535 static NTSTATUS
set_user_info_18(struct samr_UserInfo18
*id18
,
4536 TALLOC_CTX
*mem_ctx
,
4537 DATA_BLOB
*session_key
,
4541 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
4542 return NT_STATUS_INVALID_PARAMETER
;
4545 if (id18
->nt_pwd_active
|| id18
->lm_pwd_active
) {
4546 if (!session_key
->length
) {
4547 return NT_STATUS_NO_USER_SESSION_KEY
;
4551 if (id18
->nt_pwd_active
) {
4555 in
= data_blob_const(id18
->nt_pwd
.hash
, 16);
4556 out
= data_blob_talloc_zero(mem_ctx
, 16);
4558 sess_crypt_blob(&out
, &in
, session_key
, false);
4560 if (!pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
4561 return NT_STATUS_ACCESS_DENIED
;
4564 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4567 if (id18
->lm_pwd_active
) {
4571 in
= data_blob_const(id18
->lm_pwd
.hash
, 16);
4572 out
= data_blob_talloc_zero(mem_ctx
, 16);
4574 sess_crypt_blob(&out
, &in
, session_key
, false);
4576 if (!pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
4577 return NT_STATUS_ACCESS_DENIED
;
4580 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4583 copy_id18_to_sam_passwd(pwd
, id18
);
4585 return pdb_update_sam_account(pwd
);
4588 /*******************************************************************
4590 ********************************************************************/
4592 static NTSTATUS
set_user_info_20(TALLOC_CTX
*mem_ctx
,
4593 struct samr_UserInfo20
*id20
,
4597 DEBUG(5,("set_user_info_20: NULL id20\n"));
4598 return NT_STATUS_ACCESS_DENIED
;
4601 copy_id20_to_sam_passwd(pwd
, id20
);
4603 return pdb_update_sam_account(pwd
);
4606 /*******************************************************************
4608 ********************************************************************/
4610 static NTSTATUS
set_user_info_21(struct samr_UserInfo21
*id21
,
4611 TALLOC_CTX
*mem_ctx
,
4612 DATA_BLOB
*session_key
,
4618 DEBUG(5, ("set_user_info_21: NULL id21\n"));
4619 return NT_STATUS_INVALID_PARAMETER
;
4622 if (id21
->fields_present
== 0) {
4623 return NT_STATUS_INVALID_PARAMETER
;
4626 if (id21
->fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4627 return NT_STATUS_ACCESS_DENIED
;
4630 if (id21
->fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) {
4631 if (id21
->nt_password_set
) {
4634 if ((id21
->nt_owf_password
.length
!= 16) ||
4635 (id21
->nt_owf_password
.size
!= 16)) {
4636 return NT_STATUS_INVALID_PARAMETER
;
4639 if (!session_key
->length
) {
4640 return NT_STATUS_NO_USER_SESSION_KEY
;
4643 in
= data_blob_const(id21
->nt_owf_password
.array
, 16);
4644 out
= data_blob_talloc_zero(mem_ctx
, 16);
4646 sess_crypt_blob(&out
, &in
, session_key
, false);
4648 pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
);
4649 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4653 if (id21
->fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
) {
4654 if (id21
->lm_password_set
) {
4657 if ((id21
->lm_owf_password
.length
!= 16) ||
4658 (id21
->lm_owf_password
.size
!= 16)) {
4659 return NT_STATUS_INVALID_PARAMETER
;
4662 if (!session_key
->length
) {
4663 return NT_STATUS_NO_USER_SESSION_KEY
;
4666 in
= data_blob_const(id21
->lm_owf_password
.array
, 16);
4667 out
= data_blob_talloc_zero(mem_ctx
, 16);
4669 sess_crypt_blob(&out
, &in
, session_key
, false);
4671 pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
);
4672 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4676 /* we need to separately check for an account rename first */
4678 if (id21
->account_name
.string
&&
4679 (!strequal(id21
->account_name
.string
, pdb_get_username(pwd
))))
4682 /* check to see if the new username already exists. Note: we can't
4683 reliably lock all backends, so there is potentially the
4684 possibility that a user can be created in between this check and
4685 the rename. The rename should fail, but may not get the
4686 exact same failure status code. I think this is small enough
4687 of a window for this type of operation and the results are
4688 simply that the rename fails with a slightly different status
4689 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4691 status
= can_create(mem_ctx
, id21
->account_name
.string
);
4692 if (!NT_STATUS_IS_OK(status
)) {
4696 status
= pdb_rename_sam_account(pwd
, id21
->account_name
.string
);
4698 if (!NT_STATUS_IS_OK(status
)) {
4699 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4700 nt_errstr(status
)));
4704 /* set the new username so that later
4705 functions can work on the new account */
4706 pdb_set_username(pwd
, id21
->account_name
.string
, PDB_SET
);
4709 copy_id21_to_sam_passwd("INFO_21", pwd
, id21
);
4712 * The funny part about the previous two calls is
4713 * that pwd still has the password hashes from the
4714 * passdb entry. These have not been updated from
4715 * id21. I don't know if they need to be set. --jerry
4718 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4719 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4720 if ( !NT_STATUS_IS_OK(status
) ) {
4725 /* Don't worry about writing out the user account since the
4726 primary group SID is generated solely from the user's Unix
4729 /* write the change out */
4730 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4734 return NT_STATUS_OK
;
4737 /*******************************************************************
4739 ********************************************************************/
4741 static NTSTATUS
set_user_info_23(TALLOC_CTX
*mem_ctx
,
4742 struct samr_UserInfo23
*id23
,
4746 char *plaintext_buf
= NULL
;
4752 DEBUG(5, ("set_user_info_23: NULL id23\n"));
4753 return NT_STATUS_INVALID_PARAMETER
;
4756 if (id23
->info
.fields_present
== 0) {
4757 return NT_STATUS_INVALID_PARAMETER
;
4760 if (id23
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4761 return NT_STATUS_ACCESS_DENIED
;
4764 if ((id23
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4765 (id23
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4767 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4768 pdb_get_username(pwd
)));
4770 if (!decode_pw_buffer(mem_ctx
,
4771 id23
->password
.data
,
4775 return NT_STATUS_WRONG_PASSWORD
;
4778 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
4779 return NT_STATUS_ACCESS_DENIED
;
4783 copy_id23_to_sam_passwd(pwd
, id23
);
4785 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
4787 /* if it's a trust account, don't update /etc/passwd */
4788 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
4789 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
4790 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
4791 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4792 } else if (plaintext_buf
) {
4793 /* update the UNIX password */
4794 if (lp_unix_password_sync() ) {
4795 struct passwd
*passwd
;
4796 if (pdb_get_username(pwd
) == NULL
) {
4797 DEBUG(1, ("chgpasswd: User without name???\n"));
4798 return NT_STATUS_ACCESS_DENIED
;
4801 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
4802 if (passwd
== NULL
) {
4803 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4806 if(!chgpasswd(pdb_get_username(pwd
), rhost
,
4807 passwd
, "", plaintext_buf
, True
)) {
4808 return NT_STATUS_ACCESS_DENIED
;
4810 TALLOC_FREE(passwd
);
4814 if (plaintext_buf
) {
4815 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
4818 if (IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) &&
4819 (!NT_STATUS_IS_OK(status
= pdb_set_unix_primary_group(mem_ctx
,
4824 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4828 return NT_STATUS_OK
;
4831 /*******************************************************************
4833 ********************************************************************/
4835 static bool set_user_info_pw(uint8
*pass
, const char *rhost
, struct samu
*pwd
)
4838 char *plaintext_buf
= NULL
;
4841 DEBUG(5, ("Attempting administrator password change for user %s\n",
4842 pdb_get_username(pwd
)));
4844 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
4846 if (!decode_pw_buffer(talloc_tos(),
4854 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
4858 /* if it's a trust account, don't update /etc/passwd */
4859 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
4860 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
4861 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
4862 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4864 /* update the UNIX password */
4865 if (lp_unix_password_sync()) {
4866 struct passwd
*passwd
;
4868 if (pdb_get_username(pwd
) == NULL
) {
4869 DEBUG(1, ("chgpasswd: User without name???\n"));
4873 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
4874 if (passwd
== NULL
) {
4875 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4878 if(!chgpasswd(pdb_get_username(pwd
), rhost
, passwd
,
4879 "", plaintext_buf
, True
)) {
4882 TALLOC_FREE(passwd
);
4886 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
4888 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4893 /*******************************************************************
4895 ********************************************************************/
4897 static NTSTATUS
set_user_info_24(TALLOC_CTX
*mem_ctx
,
4899 struct samr_UserInfo24
*id24
,
4905 DEBUG(5, ("set_user_info_24: NULL id24\n"));
4906 return NT_STATUS_INVALID_PARAMETER
;
4909 if (!set_user_info_pw(id24
->password
.data
, rhost
, pwd
)) {
4910 return NT_STATUS_WRONG_PASSWORD
;
4913 copy_id24_to_sam_passwd(pwd
, id24
);
4915 status
= pdb_update_sam_account(pwd
);
4916 if (!NT_STATUS_IS_OK(status
)) {
4920 return NT_STATUS_OK
;
4923 /*******************************************************************
4925 ********************************************************************/
4927 static NTSTATUS
set_user_info_25(TALLOC_CTX
*mem_ctx
,
4929 struct samr_UserInfo25
*id25
,
4935 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4936 return NT_STATUS_INVALID_PARAMETER
;
4939 if (id25
->info
.fields_present
== 0) {
4940 return NT_STATUS_INVALID_PARAMETER
;
4943 if (id25
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4944 return NT_STATUS_ACCESS_DENIED
;
4947 if ((id25
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4948 (id25
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4950 if (!set_user_info_pw(id25
->password
.data
, rhost
, pwd
)) {
4951 return NT_STATUS_WRONG_PASSWORD
;
4955 copy_id25_to_sam_passwd(pwd
, id25
);
4957 /* write the change out */
4958 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4963 * We need to "pdb_update_sam_account" before the unix primary group
4964 * is set, because the idealx scripts would also change the
4965 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4966 * the delete explicit / add explicit, which would then fail to find
4967 * the previous primaryGroupSid value.
4970 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4971 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4972 if ( !NT_STATUS_IS_OK(status
) ) {
4977 return NT_STATUS_OK
;
4980 /*******************************************************************
4982 ********************************************************************/
4984 static NTSTATUS
set_user_info_26(TALLOC_CTX
*mem_ctx
,
4986 struct samr_UserInfo26
*id26
,
4992 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4993 return NT_STATUS_INVALID_PARAMETER
;
4996 if (!set_user_info_pw(id26
->password
.data
, rhost
, pwd
)) {
4997 return NT_STATUS_WRONG_PASSWORD
;
5000 copy_id26_to_sam_passwd(pwd
, id26
);
5002 status
= pdb_update_sam_account(pwd
);
5003 if (!NT_STATUS_IS_OK(status
)) {
5007 return NT_STATUS_OK
;
5010 /*************************************************************
5011 **************************************************************/
5013 static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields
)
5015 uint32_t acc_required
= 0;
5017 /* USER_ALL_USERNAME */
5018 if (fields
& SAMR_FIELD_ACCOUNT_NAME
)
5019 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5020 /* USER_ALL_FULLNAME */
5021 if (fields
& SAMR_FIELD_FULL_NAME
)
5022 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5023 /* USER_ALL_PRIMARYGROUPID */
5024 if (fields
& SAMR_FIELD_PRIMARY_GID
)
5025 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5026 /* USER_ALL_HOMEDIRECTORY */
5027 if (fields
& SAMR_FIELD_HOME_DIRECTORY
)
5028 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5029 /* USER_ALL_HOMEDIRECTORYDRIVE */
5030 if (fields
& SAMR_FIELD_HOME_DRIVE
)
5031 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5032 /* USER_ALL_SCRIPTPATH */
5033 if (fields
& SAMR_FIELD_LOGON_SCRIPT
)
5034 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5035 /* USER_ALL_PROFILEPATH */
5036 if (fields
& SAMR_FIELD_PROFILE_PATH
)
5037 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5038 /* USER_ALL_ADMINCOMMENT */
5039 if (fields
& SAMR_FIELD_COMMENT
)
5040 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5041 /* USER_ALL_WORKSTATIONS */
5042 if (fields
& SAMR_FIELD_WORKSTATIONS
)
5043 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5044 /* USER_ALL_LOGONHOURS */
5045 if (fields
& SAMR_FIELD_LOGON_HOURS
)
5046 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5047 /* USER_ALL_ACCOUNTEXPIRES */
5048 if (fields
& SAMR_FIELD_ACCT_EXPIRY
)
5049 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5050 /* USER_ALL_USERACCOUNTCONTROL */
5051 if (fields
& SAMR_FIELD_ACCT_FLAGS
)
5052 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5053 /* USER_ALL_PARAMETERS */
5054 if (fields
& SAMR_FIELD_PARAMETERS
)
5055 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5056 /* USER_ALL_USERCOMMENT */
5057 if (fields
& SAMR_FIELD_COMMENT
)
5058 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
5059 /* USER_ALL_COUNTRYCODE */
5060 if (fields
& SAMR_FIELD_COUNTRY_CODE
)
5061 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
5062 /* USER_ALL_CODEPAGE */
5063 if (fields
& SAMR_FIELD_CODE_PAGE
)
5064 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
5065 /* USER_ALL_NTPASSWORDPRESENT */
5066 if (fields
& SAMR_FIELD_NT_PASSWORD_PRESENT
)
5067 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
5068 /* USER_ALL_LMPASSWORDPRESENT */
5069 if (fields
& SAMR_FIELD_LM_PASSWORD_PRESENT
)
5070 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
5071 /* USER_ALL_PASSWORDEXPIRED */
5072 if (fields
& SAMR_FIELD_EXPIRED_FLAG
)
5073 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
5075 return acc_required
;
5078 /*******************************************************************
5080 ********************************************************************/
5082 NTSTATUS
_samr_SetUserInfo(struct pipes_struct
*p
,
5083 struct samr_SetUserInfo
*r
)
5085 struct samr_user_info
*uinfo
;
5087 struct samu
*pwd
= NULL
;
5088 union samr_UserInfo
*info
= r
->in
.info
;
5089 uint32_t acc_required
= 0;
5090 uint32_t fields
= 0;
5093 DATA_BLOB session_key
;
5095 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__
));
5097 /* This is tricky. A WinXP domain join sets
5098 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
5099 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
5100 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
5101 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
5102 we'll use the set from the WinXP join as the basis. */
5104 switch (r
->in
.level
) {
5105 case 2: /* UserPreferencesInformation */
5106 /* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
5107 acc_required
= SAMR_USER_ACCESS_SET_ATTRIBUTES
| SAMR_USER_ACCESS_SET_LOC_COM
;
5109 case 4: /* UserLogonHoursInformation */
5110 case 6: /* UserNameInformation */
5111 case 7: /* UserAccountNameInformation */
5112 case 8: /* UserFullNameInformation */
5113 case 9: /* UserPrimaryGroupInformation */
5114 case 10: /* UserHomeInformation */
5115 case 11: /* UserScriptInformation */
5116 case 12: /* UserProfileInformation */
5117 case 13: /* UserAdminCommentInformation */
5118 case 14: /* UserWorkStationsInformation */
5119 case 16: /* UserControlInformation */
5120 case 17: /* UserExpiresInformation */
5121 case 20: /* UserParametersInformation */
5122 /* USER_WRITE_ACCOUNT */
5123 acc_required
= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5125 case 18: /* UserInternal1Information */
5126 /* FIXME: gd, this is a guess */
5127 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
5129 case 21: /* UserAllInformation */
5130 fields
= info
->info21
.fields_present
;
5131 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
5133 case 23: /* UserInternal4Information */
5134 fields
= info
->info23
.info
.fields_present
;
5135 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
5137 case 25: /* UserInternal4InformationNew */
5138 fields
= info
->info25
.info
.fields_present
;
5139 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
5141 case 24: /* UserInternal5Information */
5142 case 26: /* UserInternal5InformationNew */
5143 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
5146 return NT_STATUS_INVALID_INFO_CLASS
;
5149 uinfo
= policy_handle_find(p
, r
->in
.user_handle
, acc_required
, NULL
,
5150 struct samr_user_info
, &status
);
5151 if (!NT_STATUS_IS_OK(status
)) {
5155 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
5156 sid_string_dbg(&uinfo
->sid
), r
->in
.level
));
5159 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
5160 return NT_STATUS_INVALID_INFO_CLASS
;
5163 if (!(pwd
= samu_new(NULL
))) {
5164 return NT_STATUS_NO_MEMORY
;
5168 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
5173 return NT_STATUS_NO_SUCH_USER
;
5176 rhost
= tsocket_address_inet_addr_string(p
->remote_address
,
5178 if (rhost
== NULL
) {
5179 return NT_STATUS_NO_MEMORY
;
5182 /* ================ BEGIN Privilege BLOCK ================ */
5186 /* ok! user info levels (lots: see MSDEV help), off we go... */
5188 switch (r
->in
.level
) {
5191 status
= set_user_info_2(p
->mem_ctx
,
5196 status
= set_user_info_4(p
->mem_ctx
,
5201 status
= set_user_info_6(p
->mem_ctx
,
5206 status
= set_user_info_7(p
->mem_ctx
,
5211 status
= set_user_info_8(p
->mem_ctx
,
5216 status
= set_user_info_10(p
->mem_ctx
,
5217 &info
->info10
, pwd
);
5221 status
= set_user_info_11(p
->mem_ctx
,
5222 &info
->info11
, pwd
);
5226 status
= set_user_info_12(p
->mem_ctx
,
5227 &info
->info12
, pwd
);
5231 status
= set_user_info_13(p
->mem_ctx
,
5232 &info
->info13
, pwd
);
5236 status
= set_user_info_14(p
->mem_ctx
,
5237 &info
->info14
, pwd
);
5241 status
= set_user_info_16(p
->mem_ctx
,
5242 &info
->info16
, pwd
);
5246 status
= set_user_info_17(p
->mem_ctx
,
5247 &info
->info17
, pwd
);
5251 status
= session_extract_session_key(p
->session_info
, &session_key
, KEY_USE_16BYTES
);
5252 if(!NT_STATUS_IS_OK(status
)) {
5255 /* Used by AS/U JRA. */
5256 status
= set_user_info_18(&info
->info18
,
5263 status
= set_user_info_20(p
->mem_ctx
,
5264 &info
->info20
, pwd
);
5268 status
= session_extract_session_key(p
->session_info
, &session_key
, KEY_USE_16BYTES
);
5269 if(!NT_STATUS_IS_OK(status
)) {
5272 status
= set_user_info_21(&info
->info21
,
5279 status
= session_extract_session_key(p
->session_info
, &session_key
, KEY_USE_16BYTES
);
5280 arcfour_crypt_blob(info
->info23
.password
.data
, 516,
5283 dump_data(100, info
->info23
.password
.data
, 516);
5285 status
= set_user_info_23(p
->mem_ctx
,
5292 status
= session_extract_session_key(p
->session_info
, &session_key
, KEY_USE_16BYTES
);
5293 arcfour_crypt_blob(info
->info24
.password
.data
,
5297 dump_data(100, info
->info24
.password
.data
, 516);
5299 status
= set_user_info_24(p
->mem_ctx
,
5301 &info
->info24
, pwd
);
5305 status
= session_extract_session_key(p
->session_info
, &session_key
, KEY_USE_16BYTES
);
5306 encode_or_decode_arc4_passwd_buffer(
5307 info
->info25
.password
.data
,
5310 dump_data(100, info
->info25
.password
.data
, 532);
5312 status
= set_user_info_25(p
->mem_ctx
,
5314 &info
->info25
, pwd
);
5318 status
= session_extract_session_key(p
->session_info
, &session_key
, KEY_USE_16BYTES
);
5319 encode_or_decode_arc4_passwd_buffer(
5320 info
->info26
.password
.data
,
5323 dump_data(100, info
->info26
.password
.data
, 516);
5325 status
= set_user_info_26(p
->mem_ctx
,
5327 &info
->info26
, pwd
);
5331 status
= NT_STATUS_INVALID_INFO_CLASS
;
5338 /* ================ END Privilege BLOCK ================ */
5340 if (NT_STATUS_IS_OK(status
)) {
5341 force_flush_samr_cache(&uinfo
->sid
);
5347 /*******************************************************************
5349 ********************************************************************/
5351 NTSTATUS
_samr_SetUserInfo2(struct pipes_struct
*p
,
5352 struct samr_SetUserInfo2
*r
)
5354 struct samr_SetUserInfo q
;
5356 q
.in
.user_handle
= r
->in
.user_handle
;
5357 q
.in
.level
= r
->in
.level
;
5358 q
.in
.info
= r
->in
.info
;
5360 return _samr_SetUserInfo(p
, &q
);
5363 /*********************************************************************
5364 _samr_GetAliasMembership
5365 *********************************************************************/
5367 NTSTATUS
_samr_GetAliasMembership(struct pipes_struct
*p
,
5368 struct samr_GetAliasMembership
*r
)
5370 size_t num_alias_rids
;
5372 struct samr_domain_info
*dinfo
;
5377 struct dom_sid
*members
;
5379 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__
));
5381 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5382 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
5383 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
5384 struct samr_domain_info
, &status
);
5385 if (!NT_STATUS_IS_OK(status
)) {
5389 if (!sid_check_is_our_sam(&dinfo
->sid
) &&
5390 !sid_check_is_builtin(&dinfo
->sid
))
5391 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
5393 if (r
->in
.sids
->num_sids
) {
5394 members
= talloc_array(p
->mem_ctx
, struct dom_sid
, r
->in
.sids
->num_sids
);
5396 if (members
== NULL
)
5397 return NT_STATUS_NO_MEMORY
;
5402 for (i
=0; i
<r
->in
.sids
->num_sids
; i
++)
5403 sid_copy(&members
[i
], r
->in
.sids
->sids
[i
].sid
);
5409 status
= pdb_enum_alias_memberships(p
->mem_ctx
, &dinfo
->sid
, members
,
5410 r
->in
.sids
->num_sids
,
5411 &alias_rids
, &num_alias_rids
);
5414 if (!NT_STATUS_IS_OK(status
)) {
5418 r
->out
.rids
->count
= num_alias_rids
;
5419 r
->out
.rids
->ids
= alias_rids
;
5421 if (r
->out
.rids
->ids
== NULL
) {
5422 /* Windows domain clients don't accept a NULL ptr here */
5423 r
->out
.rids
->ids
= talloc_zero(p
->mem_ctx
, uint32_t);
5425 if (r
->out
.rids
->ids
== NULL
) {
5426 return NT_STATUS_NO_MEMORY
;
5429 return NT_STATUS_OK
;
5432 /*********************************************************************
5433 _samr_GetMembersInAlias
5434 *********************************************************************/
5436 NTSTATUS
_samr_GetMembersInAlias(struct pipes_struct
*p
,
5437 struct samr_GetMembersInAlias
*r
)
5439 struct samr_alias_info
*ainfo
;
5442 size_t num_sids
= 0;
5443 struct lsa_SidPtr
*sids
= NULL
;
5444 struct dom_sid
*pdb_sids
= NULL
;
5446 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5447 SAMR_ALIAS_ACCESS_GET_MEMBERS
, NULL
,
5448 struct samr_alias_info
, &status
);
5449 if (!NT_STATUS_IS_OK(status
)) {
5453 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5456 status
= pdb_enum_aliasmem(&ainfo
->sid
, talloc_tos(), &pdb_sids
,
5460 if (!NT_STATUS_IS_OK(status
)) {
5465 sids
= talloc_zero_array(p
->mem_ctx
, struct lsa_SidPtr
, num_sids
);
5467 TALLOC_FREE(pdb_sids
);
5468 return NT_STATUS_NO_MEMORY
;
5472 for (i
= 0; i
< num_sids
; i
++) {
5473 sids
[i
].sid
= dom_sid_dup(p
->mem_ctx
, &pdb_sids
[i
]);
5475 TALLOC_FREE(pdb_sids
);
5476 return NT_STATUS_NO_MEMORY
;
5480 r
->out
.sids
->num_sids
= num_sids
;
5481 r
->out
.sids
->sids
= sids
;
5483 TALLOC_FREE(pdb_sids
);
5485 return NT_STATUS_OK
;
5488 /*********************************************************************
5489 _samr_QueryGroupMember
5490 *********************************************************************/
5492 NTSTATUS
_samr_QueryGroupMember(struct pipes_struct
*p
,
5493 struct samr_QueryGroupMember
*r
)
5495 struct samr_group_info
*ginfo
;
5496 size_t i
, num_members
;
5502 struct samr_RidAttrArray
*rids
= NULL
;
5504 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5505 SAMR_GROUP_ACCESS_GET_MEMBERS
, NULL
,
5506 struct samr_group_info
, &status
);
5507 if (!NT_STATUS_IS_OK(status
)) {
5511 rids
= talloc_zero(p
->mem_ctx
, struct samr_RidAttrArray
);
5513 return NT_STATUS_NO_MEMORY
;
5516 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5518 if (!sid_check_is_in_our_sam(&ginfo
->sid
)) {
5519 DEBUG(3, ("sid %s is not in our domain\n",
5520 sid_string_dbg(&ginfo
->sid
)));
5521 return NT_STATUS_NO_SUCH_GROUP
;
5524 DEBUG(10, ("lookup on Domain SID\n"));
5527 status
= pdb_enum_group_members(p
->mem_ctx
, &ginfo
->sid
,
5528 &rid
, &num_members
);
5531 if (!NT_STATUS_IS_OK(status
))
5535 attr
=talloc_zero_array(p
->mem_ctx
, uint32
, num_members
);
5537 return NT_STATUS_NO_MEMORY
;
5543 for (i
=0; i
<num_members
; i
++) {
5544 attr
[i
] = SE_GROUP_MANDATORY
|
5545 SE_GROUP_ENABLED_BY_DEFAULT
|
5549 rids
->count
= num_members
;
5550 rids
->attributes
= attr
;
5553 *r
->out
.rids
= rids
;
5555 return NT_STATUS_OK
;
5558 /*********************************************************************
5559 _samr_AddAliasMember
5560 *********************************************************************/
5562 NTSTATUS
_samr_AddAliasMember(struct pipes_struct
*p
,
5563 struct samr_AddAliasMember
*r
)
5565 struct samr_alias_info
*ainfo
;
5568 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5569 SAMR_ALIAS_ACCESS_ADD_MEMBER
, NULL
,
5570 struct samr_alias_info
, &status
);
5571 if (!NT_STATUS_IS_OK(status
)) {
5575 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5577 /******** BEGIN SeAddUsers BLOCK *********/
5580 status
= pdb_add_aliasmem(&ainfo
->sid
, r
->in
.sid
);
5583 /******** END SeAddUsers BLOCK *********/
5585 if (NT_STATUS_IS_OK(status
)) {
5586 force_flush_samr_cache(&ainfo
->sid
);
5592 /*********************************************************************
5593 _samr_DeleteAliasMember
5594 *********************************************************************/
5596 NTSTATUS
_samr_DeleteAliasMember(struct pipes_struct
*p
,
5597 struct samr_DeleteAliasMember
*r
)
5599 struct samr_alias_info
*ainfo
;
5602 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5603 SAMR_ALIAS_ACCESS_REMOVE_MEMBER
, NULL
,
5604 struct samr_alias_info
, &status
);
5605 if (!NT_STATUS_IS_OK(status
)) {
5609 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
5610 sid_string_dbg(&ainfo
->sid
)));
5612 /******** BEGIN SeAddUsers BLOCK *********/
5615 status
= pdb_del_aliasmem(&ainfo
->sid
, r
->in
.sid
);
5618 /******** END SeAddUsers BLOCK *********/
5620 if (NT_STATUS_IS_OK(status
)) {
5621 force_flush_samr_cache(&ainfo
->sid
);
5627 /*********************************************************************
5628 _samr_AddGroupMember
5629 *********************************************************************/
5631 NTSTATUS
_samr_AddGroupMember(struct pipes_struct
*p
,
5632 struct samr_AddGroupMember
*r
)
5634 struct samr_group_info
*ginfo
;
5638 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5639 SAMR_GROUP_ACCESS_ADD_MEMBER
, NULL
,
5640 struct samr_group_info
, &status
);
5641 if (!NT_STATUS_IS_OK(status
)) {
5645 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5647 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5649 return NT_STATUS_INVALID_HANDLE
;
5652 /******** BEGIN SeAddUsers BLOCK *********/
5655 status
= pdb_add_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
5658 /******** END SeAddUsers BLOCK *********/
5660 force_flush_samr_cache(&ginfo
->sid
);
5665 /*********************************************************************
5666 _samr_DeleteGroupMember
5667 *********************************************************************/
5669 NTSTATUS
_samr_DeleteGroupMember(struct pipes_struct
*p
,
5670 struct samr_DeleteGroupMember
*r
)
5673 struct samr_group_info
*ginfo
;
5678 * delete the group member named r->in.rid
5679 * who is a member of the sid associated with the handle
5680 * the rid is a user's rid as the group is a domain group.
5683 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5684 SAMR_GROUP_ACCESS_REMOVE_MEMBER
, NULL
,
5685 struct samr_group_info
, &status
);
5686 if (!NT_STATUS_IS_OK(status
)) {
5690 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5692 return NT_STATUS_INVALID_HANDLE
;
5695 /******** BEGIN SeAddUsers BLOCK *********/
5698 status
= pdb_del_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
5701 /******** END SeAddUsers BLOCK *********/
5703 force_flush_samr_cache(&ginfo
->sid
);
5708 /*********************************************************************
5710 *********************************************************************/
5712 NTSTATUS
_samr_DeleteUser(struct pipes_struct
*p
,
5713 struct samr_DeleteUser
*r
)
5715 struct samr_user_info
*uinfo
;
5717 struct samu
*sam_pass
=NULL
;
5720 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__
));
5722 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
5723 SEC_STD_DELETE
, NULL
,
5724 struct samr_user_info
, &status
);
5725 if (!NT_STATUS_IS_OK(status
)) {
5729 if (!sid_check_is_in_our_sam(&uinfo
->sid
))
5730 return NT_STATUS_CANNOT_DELETE
;
5732 /* check if the user exists before trying to delete */
5733 if ( !(sam_pass
= samu_new( NULL
)) ) {
5734 return NT_STATUS_NO_MEMORY
;
5738 ret
= pdb_getsampwsid(sam_pass
, &uinfo
->sid
);
5742 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5743 sid_string_dbg(&uinfo
->sid
)));
5744 TALLOC_FREE(sam_pass
);
5745 return NT_STATUS_NO_SUCH_USER
;
5748 /******** BEGIN SeAddUsers BLOCK *********/
5751 status
= pdb_delete_user(p
->mem_ctx
, sam_pass
);
5754 /******** END SeAddUsers BLOCK *********/
5756 if ( !NT_STATUS_IS_OK(status
) ) {
5757 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5758 "user %s: %s.\n", pdb_get_username(sam_pass
),
5759 nt_errstr(status
)));
5760 TALLOC_FREE(sam_pass
);
5765 TALLOC_FREE(sam_pass
);
5767 force_flush_samr_cache(&uinfo
->sid
);
5769 if (!close_policy_hnd(p
, r
->in
.user_handle
))
5770 return NT_STATUS_OBJECT_NAME_INVALID
;
5772 ZERO_STRUCTP(r
->out
.user_handle
);
5774 return NT_STATUS_OK
;
5777 /*********************************************************************
5778 _samr_DeleteDomainGroup
5779 *********************************************************************/
5781 NTSTATUS
_samr_DeleteDomainGroup(struct pipes_struct
*p
,
5782 struct samr_DeleteDomainGroup
*r
)
5784 struct samr_group_info
*ginfo
;
5788 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__
));
5790 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5791 SEC_STD_DELETE
, NULL
,
5792 struct samr_group_info
, &status
);
5793 if (!NT_STATUS_IS_OK(status
)) {
5797 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5799 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5801 return NT_STATUS_NO_SUCH_GROUP
;
5804 /******** BEGIN SeAddUsers BLOCK *********/
5807 status
= pdb_delete_dom_group(p
->mem_ctx
, group_rid
);
5810 /******** END SeAddUsers BLOCK *********/
5812 if ( !NT_STATUS_IS_OK(status
) ) {
5813 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5814 "entry for group %s: %s\n",
5815 sid_string_dbg(&ginfo
->sid
),
5816 nt_errstr(status
)));
5820 force_flush_samr_cache(&ginfo
->sid
);
5822 if (!close_policy_hnd(p
, r
->in
.group_handle
))
5823 return NT_STATUS_OBJECT_NAME_INVALID
;
5825 return NT_STATUS_OK
;
5828 /*********************************************************************
5829 _samr_DeleteDomAlias
5830 *********************************************************************/
5832 NTSTATUS
_samr_DeleteDomAlias(struct pipes_struct
*p
,
5833 struct samr_DeleteDomAlias
*r
)
5835 struct samr_alias_info
*ainfo
;
5838 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__
));
5840 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5841 SEC_STD_DELETE
, NULL
,
5842 struct samr_alias_info
, &status
);
5843 if (!NT_STATUS_IS_OK(status
)) {
5847 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5849 /* Don't let Windows delete builtin groups */
5851 if ( sid_check_is_in_builtin( &ainfo
->sid
) ) {
5852 return NT_STATUS_SPECIAL_ACCOUNT
;
5855 if (!sid_check_is_in_our_sam(&ainfo
->sid
))
5856 return NT_STATUS_NO_SUCH_ALIAS
;
5858 DEBUG(10, ("lookup on Local SID\n"));
5860 /******** BEGIN SeAddUsers BLOCK *********/
5863 /* Have passdb delete the alias */
5864 status
= pdb_delete_alias(&ainfo
->sid
);
5867 /******** END SeAddUsers BLOCK *********/
5869 if ( !NT_STATUS_IS_OK(status
))
5872 force_flush_samr_cache(&ainfo
->sid
);
5874 if (!close_policy_hnd(p
, r
->in
.alias_handle
))
5875 return NT_STATUS_OBJECT_NAME_INVALID
;
5877 return NT_STATUS_OK
;
5880 /*********************************************************************
5881 _samr_CreateDomainGroup
5882 *********************************************************************/
5884 NTSTATUS
_samr_CreateDomainGroup(struct pipes_struct
*p
,
5885 struct samr_CreateDomainGroup
*r
)
5890 struct samr_domain_info
*dinfo
;
5891 struct samr_group_info
*ginfo
;
5893 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5894 SAMR_DOMAIN_ACCESS_CREATE_GROUP
, NULL
,
5895 struct samr_domain_info
, &status
);
5896 if (!NT_STATUS_IS_OK(status
)) {
5900 if (!sid_check_is_our_sam(&dinfo
->sid
)) {
5901 return NT_STATUS_ACCESS_DENIED
;
5904 name
= r
->in
.name
->string
;
5906 return NT_STATUS_NO_MEMORY
;
5909 status
= can_create(p
->mem_ctx
, name
);
5910 if (!NT_STATUS_IS_OK(status
)) {
5914 /******** BEGIN SeAddUsers BLOCK *********/
5917 /* check that we successfully create the UNIX group */
5918 status
= pdb_create_dom_group(p
->mem_ctx
, name
, r
->out
.rid
);
5921 /******** END SeAddUsers BLOCK *********/
5923 /* check if we should bail out here */
5925 if ( !NT_STATUS_IS_OK(status
) )
5928 ginfo
= policy_handle_create(p
, r
->out
.group_handle
,
5929 GENERIC_RIGHTS_GROUP_ALL_ACCESS
,
5930 struct samr_group_info
, &status
);
5931 if (!NT_STATUS_IS_OK(status
)) {
5934 sid_compose(&ginfo
->sid
, &dinfo
->sid
, *r
->out
.rid
);
5936 force_flush_samr_cache(&dinfo
->sid
);
5938 return NT_STATUS_OK
;
5941 /*********************************************************************
5942 _samr_CreateDomAlias
5943 *********************************************************************/
5945 NTSTATUS
_samr_CreateDomAlias(struct pipes_struct
*p
,
5946 struct samr_CreateDomAlias
*r
)
5948 struct dom_sid info_sid
;
5949 const char *name
= NULL
;
5950 struct samr_domain_info
*dinfo
;
5951 struct samr_alias_info
*ainfo
;
5955 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5956 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
, NULL
,
5957 struct samr_domain_info
, &result
);
5958 if (!NT_STATUS_IS_OK(result
)) {
5962 if (!sid_check_is_our_sam(&dinfo
->sid
)) {
5963 return NT_STATUS_ACCESS_DENIED
;
5966 name
= r
->in
.alias_name
->string
;
5968 result
= can_create(p
->mem_ctx
, name
);
5969 if (!NT_STATUS_IS_OK(result
)) {
5973 /******** BEGIN SeAddUsers BLOCK *********/
5976 /* Have passdb create the alias */
5977 result
= pdb_create_alias(name
, r
->out
.rid
);
5980 /******** END SeAddUsers BLOCK *********/
5982 if (!NT_STATUS_IS_OK(result
)) {
5983 DEBUG(10, ("pdb_create_alias failed: %s\n",
5984 nt_errstr(result
)));
5988 sid_compose(&info_sid
, &dinfo
->sid
, *r
->out
.rid
);
5990 if (!sid_to_gid(&info_sid
, &gid
)) {
5991 DEBUG(10, ("Could not find alias just created\n"));
5992 return NT_STATUS_ACCESS_DENIED
;
5995 /* check if the group has been successfully created */
5996 if ( getgrgid(gid
) == NULL
) {
5997 DEBUG(1, ("getgrgid(%u) of just created alias failed\n",
5998 (unsigned int)gid
));
5999 return NT_STATUS_ACCESS_DENIED
;
6002 ainfo
= policy_handle_create(p
, r
->out
.alias_handle
,
6003 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
,
6004 struct samr_alias_info
, &result
);
6005 if (!NT_STATUS_IS_OK(result
)) {
6008 ainfo
->sid
= info_sid
;
6010 force_flush_samr_cache(&info_sid
);
6012 return NT_STATUS_OK
;
6015 /*********************************************************************
6016 _samr_QueryGroupInfo
6017 *********************************************************************/
6019 NTSTATUS
_samr_QueryGroupInfo(struct pipes_struct
*p
,
6020 struct samr_QueryGroupInfo
*r
)
6022 struct samr_group_info
*ginfo
;
6025 union samr_GroupInfo
*info
= NULL
;
6027 uint32_t attributes
= SE_GROUP_MANDATORY
|
6028 SE_GROUP_ENABLED_BY_DEFAULT
|
6030 const char *group_name
= NULL
;
6031 const char *group_description
= NULL
;
6033 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
6034 SAMR_GROUP_ACCESS_LOOKUP_INFO
, NULL
,
6035 struct samr_group_info
, &status
);
6036 if (!NT_STATUS_IS_OK(status
)) {
6040 map
= talloc_zero(p
->mem_ctx
, GROUP_MAP
);
6042 return NT_STATUS_NO_MEMORY
;
6046 ret
= get_domain_group_from_sid(ginfo
->sid
, map
);
6049 return NT_STATUS_INVALID_HANDLE
;
6051 group_name
= talloc_move(r
, &map
->nt_name
);
6052 group_description
= talloc_move(r
, &map
->comment
);
6056 info
= talloc_zero(p
->mem_ctx
, union samr_GroupInfo
);
6058 return NT_STATUS_NO_MEMORY
;
6061 switch (r
->in
.level
) {
6067 status
= pdb_enum_group_members(
6068 p
->mem_ctx
, &ginfo
->sid
, &members
,
6072 if (!NT_STATUS_IS_OK(status
)) {
6076 info
->all
.name
.string
= group_name
;
6077 info
->all
.attributes
= attributes
;
6078 info
->all
.num_members
= num_members
;
6079 info
->all
.description
.string
= group_description
;
6083 info
->name
.string
= group_name
;
6086 info
->attributes
.attributes
= attributes
;
6089 info
->description
.string
= group_description
;
6099 status = pdb_enum_group_members(
6100 p->mem_ctx, &ginfo->sid, &members,
6104 if (!NT_STATUS_IS_OK(status)) {
6108 info
->all2
.name
.string
= group_name
;
6109 info
->all2
.attributes
= attributes
;
6110 info
->all2
.num_members
= 0; /* num_members - in w2k3 this is always 0 */
6111 info
->all2
.description
.string
= group_description
;
6116 return NT_STATUS_INVALID_INFO_CLASS
;
6119 *r
->out
.info
= info
;
6121 return NT_STATUS_OK
;
6124 /*********************************************************************
6126 *********************************************************************/
6128 NTSTATUS
_samr_SetGroupInfo(struct pipes_struct
*p
,
6129 struct samr_SetGroupInfo
*r
)
6131 struct samr_group_info
*ginfo
;
6136 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
6137 SAMR_GROUP_ACCESS_SET_INFO
, NULL
,
6138 struct samr_group_info
, &status
);
6139 if (!NT_STATUS_IS_OK(status
)) {
6143 map
= talloc_zero(p
->mem_ctx
, GROUP_MAP
);
6145 return NT_STATUS_NO_MEMORY
;
6149 ret
= get_domain_group_from_sid(ginfo
->sid
, map
);
6152 return NT_STATUS_NO_SUCH_GROUP
;
6154 switch (r
->in
.level
) {
6156 map
->nt_name
= talloc_strdup(map
,
6157 r
->in
.info
->name
.string
);
6158 if (!map
->nt_name
) {
6159 return NT_STATUS_NO_MEMORY
;
6165 map
->comment
= talloc_strdup(map
,
6166 r
->in
.info
->description
.string
);
6167 if (!map
->comment
) {
6168 return NT_STATUS_NO_MEMORY
;
6172 return NT_STATUS_INVALID_INFO_CLASS
;
6175 /******** BEGIN SeAddUsers BLOCK *********/
6178 status
= pdb_update_group_mapping_entry(map
);
6181 /******** End SeAddUsers BLOCK *********/
6185 if (NT_STATUS_IS_OK(status
)) {
6186 force_flush_samr_cache(&ginfo
->sid
);
6192 /*********************************************************************
6194 *********************************************************************/
6196 NTSTATUS
_samr_SetAliasInfo(struct pipes_struct
*p
,
6197 struct samr_SetAliasInfo
*r
)
6199 struct samr_alias_info
*ainfo
;
6200 struct acct_info
*info
;
6203 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
6204 SAMR_ALIAS_ACCESS_SET_INFO
, NULL
,
6205 struct samr_alias_info
, &status
);
6206 if (!NT_STATUS_IS_OK(status
)) {
6210 info
= talloc_zero(p
->mem_ctx
, struct acct_info
);
6212 return NT_STATUS_NO_MEMORY
;
6215 /* get the current group information */
6218 status
= pdb_get_aliasinfo(&ainfo
->sid
, info
);
6221 if ( !NT_STATUS_IS_OK(status
))
6224 switch (r
->in
.level
) {
6229 /* We currently do not support renaming groups in the
6230 the BUILTIN domain. Refer to util_builtin.c to understand
6231 why. The eventually needs to be fixed to be like Windows
6232 where you can rename builtin groups, just not delete them */
6234 if ( sid_check_is_in_builtin( &ainfo
->sid
) ) {
6235 return NT_STATUS_SPECIAL_ACCOUNT
;
6238 /* There has to be a valid name (and it has to be different) */
6240 if ( !r
->in
.info
->name
.string
)
6241 return NT_STATUS_INVALID_PARAMETER
;
6243 /* If the name is the same just reply "ok". Yes this
6244 doesn't allow you to change the case of a group name. */
6246 if (strequal(r
->in
.info
->name
.string
, info
->acct_name
)) {
6247 return NT_STATUS_OK
;
6250 talloc_free(info
->acct_name
);
6251 info
->acct_name
= talloc_strdup(info
, r
->in
.info
->name
.string
);
6252 if (!info
->acct_name
) {
6253 return NT_STATUS_NO_MEMORY
;
6256 /* make sure the name doesn't already exist as a user
6259 group_name
= talloc_asprintf(p
->mem_ctx
,
6263 if (group_name
== NULL
) {
6264 return NT_STATUS_NO_MEMORY
;
6267 status
= can_create( p
->mem_ctx
, group_name
);
6268 talloc_free(group_name
);
6269 if ( !NT_STATUS_IS_OK( status
) )
6273 case ALIASINFODESCRIPTION
:
6274 TALLOC_FREE(info
->acct_desc
);
6275 if (r
->in
.info
->description
.string
) {
6276 info
->acct_desc
= talloc_strdup(info
,
6277 r
->in
.info
->description
.string
);
6279 info
->acct_desc
= talloc_strdup(info
, "");
6281 if (!info
->acct_desc
) {
6282 return NT_STATUS_NO_MEMORY
;
6286 return NT_STATUS_INVALID_INFO_CLASS
;
6289 /******** BEGIN SeAddUsers BLOCK *********/
6292 status
= pdb_set_aliasinfo(&ainfo
->sid
, info
);
6295 /******** End SeAddUsers BLOCK *********/
6297 if (NT_STATUS_IS_OK(status
))
6298 force_flush_samr_cache(&ainfo
->sid
);
6303 /****************************************************************
6305 ****************************************************************/
6307 NTSTATUS
_samr_GetDomPwInfo(struct pipes_struct
*p
,
6308 struct samr_GetDomPwInfo
*r
)
6310 uint32_t min_password_length
= 0;
6311 uint32_t password_properties
= 0;
6313 /* Perform access check. Since this rpc does not require a
6314 policy handle it will not be caught by the access checks on
6315 SAMR_CONNECT or SAMR_CONNECT_ANON. */
6317 if (!pipe_access_check(p
)) {
6318 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
6319 return NT_STATUS_ACCESS_DENIED
;
6323 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
,
6324 &min_password_length
);
6325 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
6326 &password_properties
);
6329 if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
6330 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
6333 r
->out
.info
->min_password_length
= min_password_length
;
6334 r
->out
.info
->password_properties
= password_properties
;
6336 return NT_STATUS_OK
;
6339 /*********************************************************************
6341 *********************************************************************/
6343 NTSTATUS
_samr_OpenGroup(struct pipes_struct
*p
,
6344 struct samr_OpenGroup
*r
)
6347 struct dom_sid info_sid
;
6349 struct samr_domain_info
*dinfo
;
6350 struct samr_group_info
*ginfo
;
6351 struct security_descriptor
*psd
= NULL
;
6353 uint32 des_access
= r
->in
.access_mask
;
6358 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6359 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
6360 struct samr_domain_info
, &status
);
6361 if (!NT_STATUS_IS_OK(status
)) {
6365 /*check if access can be granted as requested by client. */
6366 map_max_allowed_access(p
->session_info
->security_token
,
6367 p
->session_info
->unix_token
,
6370 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &grp_generic_mapping
, NULL
, 0);
6371 se_map_generic(&des_access
,&grp_generic_mapping
);
6373 status
= access_check_object(psd
, p
->session_info
->security_token
,
6374 SEC_PRIV_ADD_USERS
, SEC_PRIV_INVALID
, GENERIC_RIGHTS_GROUP_ALL_ACCESS
,
6375 des_access
, &acc_granted
, "_samr_OpenGroup");
6377 if ( !NT_STATUS_IS_OK(status
) )
6380 /* this should not be hard-coded like this */
6382 if (!sid_check_is_our_sam(&dinfo
->sid
)) {
6383 return NT_STATUS_ACCESS_DENIED
;
6386 sid_compose(&info_sid
, &dinfo
->sid
, r
->in
.rid
);
6388 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n",
6389 sid_string_dbg(&info_sid
)));
6391 map
= talloc_zero(p
->mem_ctx
, GROUP_MAP
);
6393 return NT_STATUS_NO_MEMORY
;
6396 /* check if that group really exists */
6398 ret
= get_domain_group_from_sid(info_sid
, map
);
6401 return NT_STATUS_NO_SUCH_GROUP
;
6405 ginfo
= policy_handle_create(p
, r
->out
.group_handle
,
6407 struct samr_group_info
, &status
);
6408 if (!NT_STATUS_IS_OK(status
)) {
6411 ginfo
->sid
= info_sid
;
6413 return NT_STATUS_OK
;
6416 /*********************************************************************
6417 _samr_RemoveMemberFromForeignDomain
6418 *********************************************************************/
6420 NTSTATUS
_samr_RemoveMemberFromForeignDomain(struct pipes_struct
*p
,
6421 struct samr_RemoveMemberFromForeignDomain
*r
)
6423 struct samr_domain_info
*dinfo
;
6426 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
6427 sid_string_dbg(r
->in
.sid
)));
6429 /* Find the policy handle. Open a policy on it. */
6431 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6432 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
6433 struct samr_domain_info
, &result
);
6434 if (!NT_STATUS_IS_OK(result
)) {
6438 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
6439 sid_string_dbg(&dinfo
->sid
)));
6441 /* we can only delete a user from a group since we don't have
6442 nested groups anyways. So in the latter case, just say OK */
6444 /* TODO: The above comment nowadays is bogus. Since we have nested
6445 * groups now, and aliases members are never reported out of the unix
6446 * group membership, the "just say OK" makes this call a no-op. For
6447 * us. This needs fixing however. */
6449 /* I've only ever seen this in the wild when deleting a user from
6450 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
6451 * is the user about to be deleted. I very much suspect this is the
6452 * only application of this call. To verify this, let people report
6455 if (!sid_check_is_builtin(&dinfo
->sid
)) {
6456 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
6457 "global_sam_sid() = %s\n",
6458 sid_string_dbg(&dinfo
->sid
),
6459 sid_string_dbg(get_global_sam_sid())));
6460 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
6461 return NT_STATUS_OK
;
6464 force_flush_samr_cache(&dinfo
->sid
);
6466 result
= NT_STATUS_OK
;
6471 /*******************************************************************
6472 _samr_QueryDomainInfo2
6473 ********************************************************************/
6475 NTSTATUS
_samr_QueryDomainInfo2(struct pipes_struct
*p
,
6476 struct samr_QueryDomainInfo2
*r
)
6478 struct samr_QueryDomainInfo q
;
6480 q
.in
.domain_handle
= r
->in
.domain_handle
;
6481 q
.in
.level
= r
->in
.level
;
6483 q
.out
.info
= r
->out
.info
;
6485 return _samr_QueryDomainInfo(p
, &q
);
6488 /*******************************************************************
6489 ********************************************************************/
6491 static NTSTATUS
set_dom_info_1(TALLOC_CTX
*mem_ctx
,
6492 struct samr_DomInfo1
*r
)
6494 time_t u_expire
, u_min_age
;
6496 u_expire
= nt_time_to_unix_abs((NTTIME
*)&r
->max_password_age
);
6497 u_min_age
= nt_time_to_unix_abs((NTTIME
*)&r
->min_password_age
);
6499 pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
,
6500 (uint32_t)r
->min_password_length
);
6501 pdb_set_account_policy(PDB_POLICY_PASSWORD_HISTORY
,
6502 (uint32_t)r
->password_history_length
);
6503 pdb_set_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
6504 (uint32_t)r
->password_properties
);
6505 pdb_set_account_policy(PDB_POLICY_MAX_PASSWORD_AGE
, (int)u_expire
);
6506 pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_AGE
, (int)u_min_age
);
6508 return NT_STATUS_OK
;
6511 /*******************************************************************
6512 ********************************************************************/
6514 static NTSTATUS
set_dom_info_3(TALLOC_CTX
*mem_ctx
,
6515 struct samr_DomInfo3
*r
)
6519 u_logout
= nt_time_to_unix_abs((NTTIME
*)&r
->force_logoff_time
);
6521 pdb_set_account_policy(PDB_POLICY_TIME_TO_LOGOUT
, (int)u_logout
);
6523 return NT_STATUS_OK
;
6526 /*******************************************************************
6527 ********************************************************************/
6529 static NTSTATUS
set_dom_info_12(TALLOC_CTX
*mem_ctx
,
6530 struct samr_DomInfo12
*r
)
6532 time_t u_lock_duration
, u_reset_time
;
6534 u_lock_duration
= nt_time_to_unix_abs((NTTIME
*)&r
->lockout_duration
);
6535 if (u_lock_duration
!= -1) {
6536 u_lock_duration
/= 60;
6539 u_reset_time
= nt_time_to_unix_abs((NTTIME
*)&r
->lockout_window
)/60;
6541 pdb_set_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, (int)u_lock_duration
);
6542 pdb_set_account_policy(PDB_POLICY_RESET_COUNT_TIME
, (int)u_reset_time
);
6543 pdb_set_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
,
6544 (uint32_t)r
->lockout_threshold
);
6546 return NT_STATUS_OK
;
6549 /*******************************************************************
6551 ********************************************************************/
6553 NTSTATUS
_samr_SetDomainInfo(struct pipes_struct
*p
,
6554 struct samr_SetDomainInfo
*r
)
6557 uint32_t acc_required
= 0;
6559 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
6561 switch (r
->in
.level
) {
6562 case 1: /* DomainPasswordInformation */
6563 case 12: /* DomainLockoutInformation */
6564 /* DOMAIN_WRITE_PASSWORD_PARAMETERS */
6565 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_1
;
6567 case 3: /* DomainLogoffInformation */
6568 case 4: /* DomainOemInformation */
6569 /* DOMAIN_WRITE_OTHER_PARAMETERS */
6570 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_2
;
6572 case 6: /* DomainReplicationInformation */
6573 case 9: /* DomainStateInformation */
6574 case 7: /* DomainServerRoleInformation */
6575 /* DOMAIN_ADMINISTER_SERVER */
6576 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_3
;
6579 return NT_STATUS_INVALID_INFO_CLASS
;
6582 (void)policy_handle_find(p
, r
->in
.domain_handle
,
6584 struct samr_domain_info
, &status
);
6585 if (!NT_STATUS_IS_OK(status
)) {
6589 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r
->in
.level
));
6591 switch (r
->in
.level
) {
6593 status
= set_dom_info_1(p
->mem_ctx
, &r
->in
.info
->info1
);
6596 status
= set_dom_info_3(p
->mem_ctx
, &r
->in
.info
->info3
);
6607 status
= set_dom_info_12(p
->mem_ctx
, &r
->in
.info
->info12
);
6610 return NT_STATUS_INVALID_INFO_CLASS
;
6613 if (!NT_STATUS_IS_OK(status
)) {
6617 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
6619 return NT_STATUS_OK
;
6622 /****************************************************************
6623 _samr_GetDisplayEnumerationIndex
6624 ****************************************************************/
6626 NTSTATUS
_samr_GetDisplayEnumerationIndex(struct pipes_struct
*p
,
6627 struct samr_GetDisplayEnumerationIndex
*r
)
6629 struct samr_domain_info
*dinfo
;
6630 uint32_t max_entries
= (uint32_t) -1;
6631 uint32_t enum_context
= 0;
6633 uint32_t num_account
= 0;
6634 struct samr_displayentry
*entries
= NULL
;
6637 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__
));
6639 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6640 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
6641 struct samr_domain_info
, &status
);
6642 if (!NT_STATUS_IS_OK(status
)) {
6646 if ((r
->in
.level
< 1) || (r
->in
.level
> 3)) {
6647 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
6648 "Unknown info level (%u)\n",
6650 return NT_STATUS_INVALID_INFO_CLASS
;
6655 /* The following done as ROOT. Don't return without unbecome_root(). */
6657 switch (r
->in
.level
) {
6659 if (dinfo
->disp_info
->users
== NULL
) {
6660 dinfo
->disp_info
->users
= pdb_search_users(
6661 dinfo
->disp_info
, ACB_NORMAL
);
6662 if (dinfo
->disp_info
->users
== NULL
) {
6664 return NT_STATUS_ACCESS_DENIED
;
6666 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6667 "starting user enumeration at index %u\n",
6668 (unsigned int)enum_context
));
6670 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6671 "using cached user enumeration at index %u\n",
6672 (unsigned int)enum_context
));
6674 num_account
= pdb_search_entries(dinfo
->disp_info
->users
,
6675 enum_context
, max_entries
,
6679 if (dinfo
->disp_info
->machines
== NULL
) {
6680 dinfo
->disp_info
->machines
= pdb_search_users(
6681 dinfo
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
6682 if (dinfo
->disp_info
->machines
== NULL
) {
6684 return NT_STATUS_ACCESS_DENIED
;
6686 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6687 "starting machine enumeration at index %u\n",
6688 (unsigned int)enum_context
));
6690 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6691 "using cached machine enumeration at index %u\n",
6692 (unsigned int)enum_context
));
6694 num_account
= pdb_search_entries(dinfo
->disp_info
->machines
,
6695 enum_context
, max_entries
,
6699 if (dinfo
->disp_info
->groups
== NULL
) {
6700 dinfo
->disp_info
->groups
= pdb_search_groups(
6702 if (dinfo
->disp_info
->groups
== NULL
) {
6704 return NT_STATUS_ACCESS_DENIED
;
6706 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6707 "starting group enumeration at index %u\n",
6708 (unsigned int)enum_context
));
6710 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6711 "using cached group enumeration at index %u\n",
6712 (unsigned int)enum_context
));
6714 num_account
= pdb_search_entries(dinfo
->disp_info
->groups
,
6715 enum_context
, max_entries
,
6720 smb_panic("info class changed");
6726 /* Ensure we cache this enumeration. */
6727 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
6729 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
6730 r
->in
.name
->string
));
6732 for (i
=0; i
<num_account
; i
++) {
6733 if (strequal(entries
[i
].account_name
, r
->in
.name
->string
)) {
6734 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6735 "found %s at idx %d\n",
6736 r
->in
.name
->string
, i
));
6738 return NT_STATUS_OK
;
6742 /* assuming account_name lives at the very end */
6743 *r
->out
.idx
= num_account
;
6745 return NT_STATUS_NO_MORE_ENTRIES
;
6748 /****************************************************************
6749 _samr_GetDisplayEnumerationIndex2
6750 ****************************************************************/
6752 NTSTATUS
_samr_GetDisplayEnumerationIndex2(struct pipes_struct
*p
,
6753 struct samr_GetDisplayEnumerationIndex2
*r
)
6755 struct samr_GetDisplayEnumerationIndex q
;
6757 q
.in
.domain_handle
= r
->in
.domain_handle
;
6758 q
.in
.level
= r
->in
.level
;
6759 q
.in
.name
= r
->in
.name
;
6761 q
.out
.idx
= r
->out
.idx
;
6763 return _samr_GetDisplayEnumerationIndex(p
, &q
);
6766 /****************************************************************
6768 ****************************************************************/
6770 NTSTATUS
_samr_RidToSid(struct pipes_struct
*p
,
6771 struct samr_RidToSid
*r
)
6773 struct samr_domain_info
*dinfo
;
6777 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6779 struct samr_domain_info
, &status
);
6780 if (!NT_STATUS_IS_OK(status
)) {
6784 if (!sid_compose(&sid
, &dinfo
->sid
, r
->in
.rid
)) {
6785 return NT_STATUS_NO_MEMORY
;
6788 *r
->out
.sid
= dom_sid_dup(p
->mem_ctx
, &sid
);
6790 return NT_STATUS_NO_MEMORY
;
6793 return NT_STATUS_OK
;
6796 /****************************************************************
6797 ****************************************************************/
6799 static enum samr_ValidationStatus
samr_ValidatePassword_Change(TALLOC_CTX
*mem_ctx
,
6800 const struct samr_PwInfo
*dom_pw_info
,
6801 const struct samr_ValidatePasswordReq2
*req
,
6802 struct samr_ValidatePasswordRepCtr
*rep
)
6806 if (req
->password
.string
== NULL
) {
6807 return SAMR_VALIDATION_STATUS_SUCCESS
;
6809 if (strlen(req
->password
.string
) < dom_pw_info
->min_password_length
) {
6810 ZERO_STRUCT(rep
->info
);
6811 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT
;
6813 if (dom_pw_info
->password_properties
& DOMAIN_PASSWORD_COMPLEX
) {
6814 status
= check_password_complexity(req
->account
.string
,
6815 req
->password
.string
,
6817 if (!NT_STATUS_IS_OK(status
)) {
6818 ZERO_STRUCT(rep
->info
);
6819 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH
;
6823 return SAMR_VALIDATION_STATUS_SUCCESS
;
6826 /****************************************************************
6827 ****************************************************************/
6829 static enum samr_ValidationStatus
samr_ValidatePassword_Reset(TALLOC_CTX
*mem_ctx
,
6830 const struct samr_PwInfo
*dom_pw_info
,
6831 const struct samr_ValidatePasswordReq3
*req
,
6832 struct samr_ValidatePasswordRepCtr
*rep
)
6836 if (req
->password
.string
== NULL
) {
6837 return SAMR_VALIDATION_STATUS_SUCCESS
;
6839 if (strlen(req
->password
.string
) < dom_pw_info
->min_password_length
) {
6840 ZERO_STRUCT(rep
->info
);
6841 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT
;
6843 if (dom_pw_info
->password_properties
& DOMAIN_PASSWORD_COMPLEX
) {
6844 status
= check_password_complexity(req
->account
.string
,
6845 req
->password
.string
,
6847 if (!NT_STATUS_IS_OK(status
)) {
6848 ZERO_STRUCT(rep
->info
);
6849 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH
;
6853 return SAMR_VALIDATION_STATUS_SUCCESS
;
6856 /****************************************************************
6857 _samr_ValidatePassword
6858 ****************************************************************/
6860 NTSTATUS
_samr_ValidatePassword(struct pipes_struct
*p
,
6861 struct samr_ValidatePassword
*r
)
6863 union samr_ValidatePasswordRep
*rep
;
6865 struct samr_GetDomPwInfo pw
;
6866 struct samr_PwInfo dom_pw_info
;
6868 if (p
->transport
!= NCACN_IP_TCP
&& p
->transport
!= NCALRPC
) {
6869 p
->fault_state
= DCERPC_FAULT_ACCESS_DENIED
;
6870 return NT_STATUS_ACCESS_DENIED
;
6873 if (r
->in
.level
< 1 || r
->in
.level
> 3) {
6874 return NT_STATUS_INVALID_INFO_CLASS
;
6877 pw
.in
.domain_name
= NULL
;
6878 pw
.out
.info
= &dom_pw_info
;
6880 status
= _samr_GetDomPwInfo(p
, &pw
);
6881 if (!NT_STATUS_IS_OK(status
)) {
6885 rep
= talloc_zero(p
->mem_ctx
, union samr_ValidatePasswordRep
);
6887 return NT_STATUS_NO_MEMORY
;
6890 switch (r
->in
.level
) {
6892 status
= NT_STATUS_NOT_SUPPORTED
;
6895 rep
->ctr2
.status
= samr_ValidatePassword_Change(p
->mem_ctx
,
6901 rep
->ctr3
.status
= samr_ValidatePassword_Reset(p
->mem_ctx
,
6907 status
= NT_STATUS_INVALID_INFO_CLASS
;
6911 if (!NT_STATUS_IS_OK(status
)) {
6918 return NT_STATUS_OK
;
6921 /****************************************************************
6922 ****************************************************************/
6924 NTSTATUS
_samr_Shutdown(struct pipes_struct
*p
,
6925 struct samr_Shutdown
*r
)
6927 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6928 return NT_STATUS_NOT_IMPLEMENTED
;
6931 /****************************************************************
6932 ****************************************************************/
6934 NTSTATUS
_samr_SetMemberAttributesOfGroup(struct pipes_struct
*p
,
6935 struct samr_SetMemberAttributesOfGroup
*r
)
6937 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6938 return NT_STATUS_NOT_IMPLEMENTED
;
6941 /****************************************************************
6942 ****************************************************************/
6944 NTSTATUS
_samr_TestPrivateFunctionsDomain(struct pipes_struct
*p
,
6945 struct samr_TestPrivateFunctionsDomain
*r
)
6947 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6948 return NT_STATUS_NOT_IMPLEMENTED
;
6951 /****************************************************************
6952 ****************************************************************/
6954 NTSTATUS
_samr_TestPrivateFunctionsUser(struct pipes_struct
*p
,
6955 struct samr_TestPrivateFunctionsUser
*r
)
6957 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6958 return NT_STATUS_NOT_IMPLEMENTED
;
6961 /****************************************************************
6962 ****************************************************************/
6964 NTSTATUS
_samr_AddMultipleMembersToAlias(struct pipes_struct
*p
,
6965 struct samr_AddMultipleMembersToAlias
*r
)
6967 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6968 return NT_STATUS_NOT_IMPLEMENTED
;
6971 /****************************************************************
6972 ****************************************************************/
6974 NTSTATUS
_samr_RemoveMultipleMembersFromAlias(struct pipes_struct
*p
,
6975 struct samr_RemoveMultipleMembersFromAlias
*r
)
6977 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6978 return NT_STATUS_NOT_IMPLEMENTED
;
6981 /****************************************************************
6982 ****************************************************************/
6984 NTSTATUS
_samr_SetBootKeyInformation(struct pipes_struct
*p
,
6985 struct samr_SetBootKeyInformation
*r
)
6987 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6988 return NT_STATUS_NOT_IMPLEMENTED
;
6991 /****************************************************************
6992 ****************************************************************/
6994 NTSTATUS
_samr_GetBootKeyInformation(struct pipes_struct
*p
,
6995 struct samr_GetBootKeyInformation
*r
)
6997 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
6998 return NT_STATUS_NOT_IMPLEMENTED
;
7001 /****************************************************************
7002 ****************************************************************/
7004 NTSTATUS
_samr_SetDsrmPassword(struct pipes_struct
*p
,
7005 struct samr_SetDsrmPassword
*r
)
7007 p
->fault_state
= DCERPC_FAULT_OP_RNG_ERROR
;
7008 return NT_STATUS_NOT_IMPLEMENTED
;