search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-samr: let set_user_info_16 and 20 follow the same pattern as all other levels.
[Samba.git] / source3 / rpc_server / srv_samr_nt.c
blob25a84c5c968b3e0f10499f6ca1dc5b05a7df5f34
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
42 SAMR_USER_ACCESS_SET_LOC_COM)
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
45
46 #define DISP_INFO_CACHE_TIMEOUT 10
47
48 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
49 #define MAX_SAM_ENTRIES_W95 50
50
51 typedef struct disp_info {
52 DOM_SID sid; /* identify which domain this is. */
53 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
54 struct pdb_search *users; /* querydispinfo 1 and 4 */
55 struct pdb_search *machines; /* querydispinfo 2 */
56 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
57 struct pdb_search *aliases; /* enumaliases */
58
59 uint16 enum_acb_mask;
60 struct pdb_search *enum_users; /* enumusers with a mask */
61
62 struct timed_event *cache_timeout_event; /* cache idle timeout
63 * handler. */
64 } DISP_INFO;
65
66 /* We keep a static list of these by SID as modern clients close down
67 all resources between each request in a complete enumeration. */
68
69 struct samr_info {
70 /* for use by the \PIPE\samr policy */
71 DOM_SID sid;
72 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
73 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
74 uint32 acc_granted;
75 DISP_INFO *disp_info;
76 };
77
78 static const struct generic_mapping sam_generic_mapping = {
79 GENERIC_RIGHTS_SAM_READ,
80 GENERIC_RIGHTS_SAM_WRITE,
81 GENERIC_RIGHTS_SAM_EXECUTE,
82 GENERIC_RIGHTS_SAM_ALL_ACCESS};
83 static const struct generic_mapping dom_generic_mapping = {
84 GENERIC_RIGHTS_DOMAIN_READ,
85 GENERIC_RIGHTS_DOMAIN_WRITE,
86 GENERIC_RIGHTS_DOMAIN_EXECUTE,
87 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
88 static const struct generic_mapping usr_generic_mapping = {
89 GENERIC_RIGHTS_USER_READ,
90 GENERIC_RIGHTS_USER_WRITE,
91 GENERIC_RIGHTS_USER_EXECUTE,
92 GENERIC_RIGHTS_USER_ALL_ACCESS};
93 static const struct generic_mapping usr_nopwchange_generic_mapping = {
94 GENERIC_RIGHTS_USER_READ,
95 GENERIC_RIGHTS_USER_WRITE,
96 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
97 GENERIC_RIGHTS_USER_ALL_ACCESS};
98 static const struct generic_mapping grp_generic_mapping = {
99 GENERIC_RIGHTS_GROUP_READ,
100 GENERIC_RIGHTS_GROUP_WRITE,
101 GENERIC_RIGHTS_GROUP_EXECUTE,
102 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
103 static const struct generic_mapping ali_generic_mapping = {
104 GENERIC_RIGHTS_ALIAS_READ,
105 GENERIC_RIGHTS_ALIAS_WRITE,
106 GENERIC_RIGHTS_ALIAS_EXECUTE,
107 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
108
109 /*******************************************************************
110 *******************************************************************/
111
112 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
113 const struct generic_mapping *map,
114 DOM_SID *sid, uint32 sid_access )
115 {
116 DOM_SID domadmin_sid;
117 SEC_ACE ace[5]; /* at most 5 entries */
118 size_t i = 0;
119
120 SEC_ACL *psa = NULL;
121
122 /* basic access for Everyone */
123
124 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
125 map->generic_execute | map->generic_read, 0);
126
127 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
128
129 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
130 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
131 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
132 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
133
134 /* Add Full Access for Domain Admins if we are a DC */
135
136 if ( IS_DC ) {
137 sid_copy( &domadmin_sid, get_global_sam_sid() );
138 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
139 init_sec_ace(&ace[i++], &domadmin_sid,
140 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
141 }
142
143 /* if we have a sid, give it some special access */
144
145 if ( sid ) {
146 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
147 }
148
149 /* create the security descriptor */
150
151 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
152 return NT_STATUS_NO_MEMORY;
153
154 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
155 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
156 psa, sd_size)) == NULL)
157 return NT_STATUS_NO_MEMORY;
158
159 return NT_STATUS_OK;
160 }
161
162 /*******************************************************************
163 Checks if access to an object should be granted, and returns that
164 level of access for further checks.
165 ********************************************************************/
166
167 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
168 SE_PRIV *rights, uint32 rights_mask,
169 uint32 des_access, uint32 *acc_granted,
170 const char *debug )
171 {
172 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
173 uint32 saved_mask = 0;
174
175 /* check privileges; certain SAM access bits should be overridden
176 by privileges (mostly having to do with creating/modifying/deleting
177 users and groups) */
178
179 if ( rights && user_has_any_privilege( token, rights ) ) {
180
181 saved_mask = (des_access & rights_mask);
182 des_access &= ~saved_mask;
183
184 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
185 rights_mask));
186 }
187
188
189 /* check the security descriptor first */
190
191 status = se_access_check(psd, token, des_access, acc_granted);
192 if (NT_STATUS_IS_OK(status)) {
193 goto done;
194 }
195
196 /* give root a free pass */
197
198 if ( geteuid() == sec_initial_uid() ) {
199
200 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
201 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
202
203 *acc_granted = des_access;
204
205 status = NT_STATUS_OK;
206 goto done;
207 }
208
209
210 done:
211 /* add in any bits saved during the privilege check (only
212 matters is status is ok) */
213
214 *acc_granted |= rights_mask;
215
216 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
217 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
218 des_access, *acc_granted));
219
220 return status;
221 }
222
223 /*******************************************************************
224 Checks if access to a function can be granted
225 ********************************************************************/
226
227 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
228 {
229 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
230 debug, acc_granted, acc_required));
231
232 /* check the security descriptor first */
233
234 if ( (acc_granted&acc_required) == acc_required )
235 return NT_STATUS_OK;
236
237 /* give root a free pass */
238
239 if (geteuid() == sec_initial_uid()) {
240
241 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
242 debug, acc_granted, acc_required));
243 DEBUGADD(4,("but overwritten by euid == 0\n"));
244
245 return NT_STATUS_OK;
246 }
247
248 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
249 debug, acc_granted, acc_required));
250
251 return NT_STATUS_ACCESS_DENIED;
252 }
253
254 /*******************************************************************
255 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
256 ********************************************************************/
257
258 static void map_max_allowed_access(const NT_USER_TOKEN *token,
259 uint32_t *pacc_requested)
260 {
261 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
262 return;
263 }
264 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
265
266 /* At least try for generic read. */
267 *pacc_requested = GENERIC_READ_ACCESS;
268
269 /* root gets anything. */
270 if (geteuid() == sec_initial_uid()) {
271 *pacc_requested |= GENERIC_ALL_ACCESS;
272 return;
273 }
274
275 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
276
277 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
278 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
279 *pacc_requested |= GENERIC_ALL_ACCESS;
280 return;
281 }
282
283 /* Full access for DOMAIN\Domain Admins. */
284 if ( IS_DC ) {
285 DOM_SID domadmin_sid;
286 sid_copy( &domadmin_sid, get_global_sam_sid() );
287 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
288 if (is_sid_in_token(token, &domadmin_sid)) {
289 *pacc_requested |= GENERIC_ALL_ACCESS;
290 return;
291 }
292 }
293 /* TODO ! Check privileges. */
294 }
295
296 /*******************************************************************
297 Fetch or create a dispinfo struct.
298 ********************************************************************/
299
300 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
301 {
302 /*
303 * We do a static cache for DISP_INFO's here. Explanation can be found
304 * in Jeremy's checkin message to r11793:
305 *
306 * Fix the SAMR cache so it works across completely insane
307 * client behaviour (ie.:
308 * open pipe/open SAMR handle/enumerate 0 - 1024
309 * close SAMR handle, close pipe.
310 * open pipe/open SAMR handle/enumerate 1024 - 2048...
311 * close SAMR handle, close pipe.
312 * And on ad-nausium. Amazing.... probably object-oriented
313 * client side programming in action yet again.
314 * This change should *massively* improve performance when
315 * enumerating users from an LDAP database.
316 * Jeremy.
317 *
318 * "Our" and the builtin domain are the only ones where we ever
319 * enumerate stuff, so just cache 2 entries.
320 */
321
322 static struct disp_info *builtin_dispinfo;
323 static struct disp_info *domain_dispinfo;
324
325 /* There are two cases to consider here:
326 1) The SID is a domain SID and we look for an equality match, or
327 2) This is an account SID and so we return the DISP_INFO* for our
328 domain */
329
330 if (psid == NULL) {
331 return NULL;
332 }
333
334 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
335 /*
336 * Necessary only once, but it does not really hurt.
337 */
338 if (builtin_dispinfo == NULL) {
339 builtin_dispinfo = talloc_zero(
340 talloc_autofree_context(), struct disp_info);
341 if (builtin_dispinfo == NULL) {
342 return NULL;
343 }
344 }
345 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
346 builtin_dispinfo->builtin_domain = true;
347
348 return builtin_dispinfo;
349 }
350
351 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
352 /*
353 * Necessary only once, but it does not really hurt.
354 */
355 if (domain_dispinfo == NULL) {
356 domain_dispinfo = talloc_zero(
357 talloc_autofree_context(), struct disp_info);
358 if (domain_dispinfo == NULL) {
359 return NULL;
360 }
361 }
362 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
363 domain_dispinfo->builtin_domain = false;
364
365 return domain_dispinfo;
366 }
367
368 return NULL;
369 }
370
371 /*******************************************************************
372 Create a samr_info struct.
373 ********************************************************************/
374
375 static int samr_info_destructor(struct samr_info *info);
376
377 static struct samr_info *get_samr_info_by_sid(TALLOC_CTX *mem_ctx,
378 DOM_SID *psid)
379 {
380 struct samr_info *info;
381 fstring sid_str;
382
383 if (psid) {
384 sid_to_fstring(sid_str, psid);
385 } else {
386 fstrcpy(sid_str,"(NULL)");
387 }
388
389 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL) {
390 return NULL;
391 }
392 talloc_set_destructor(info, samr_info_destructor);
393
394 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
395 if (psid) {
396 sid_copy( &info->sid, psid);
397 info->builtin_domain = sid_check_is_builtin(psid);
398 } else {
399 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
400 info->builtin_domain = False;
401 }
402
403 info->disp_info = get_samr_dispinfo_by_sid(psid);
404
405 return info;
406 }
407
408 /*******************************************************************
409 Function to free the per SID data.
410 ********************************************************************/
411
412 static void free_samr_cache(DISP_INFO *disp_info)
413 {
414 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
415 sid_string_dbg(&disp_info->sid)));
416
417 /* We need to become root here because the paged search might have to
418 * tell the LDAP server we're not interested in the rest anymore. */
419
420 become_root();
421
422 TALLOC_FREE(disp_info->users);
423 TALLOC_FREE(disp_info->machines);
424 TALLOC_FREE(disp_info->groups);
425 TALLOC_FREE(disp_info->aliases);
426 TALLOC_FREE(disp_info->enum_users);
427
428 unbecome_root();
429 }
430
431 static int samr_info_destructor(struct samr_info *info)
432 {
433 /* Only free the dispinfo cache if no one bothered to set up
434 a timeout. */
435
436 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
437 free_samr_cache(info->disp_info);
438 }
439 return 0;
440 }
441
442 /*******************************************************************
443 Idle event handler. Throw away the disp info cache.
444 ********************************************************************/
445
446 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
447 struct timed_event *te,
448 struct timeval now,
449 void *private_data)
450 {
451 DISP_INFO *disp_info = (DISP_INFO *)private_data;
452
453 TALLOC_FREE(disp_info->cache_timeout_event);
454
455 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
456 "out\n"));
457 free_samr_cache(disp_info);
458 }
459
460 /*******************************************************************
461 Setup cache removal idle event handler.
462 ********************************************************************/
463
464 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
465 {
466 /* Remove any pending timeout and update. */
467
468 TALLOC_FREE(disp_info->cache_timeout_event);
469
470 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
471 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
472 (unsigned int)secs_fromnow ));
473
474 disp_info->cache_timeout_event = event_add_timed(
475 smbd_event_context(), NULL,
476 timeval_current_ofs(secs_fromnow, 0),
477 disp_info_cache_idle_timeout_handler, (void *)disp_info);
478 }
479
480 /*******************************************************************
481 Force flush any cache. We do this on any samr_set_xxx call.
482 We must also remove the timeout handler.
483 ********************************************************************/
484
485 static void force_flush_samr_cache(DISP_INFO *disp_info)
486 {
487 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
488 return;
489 }
490
491 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
492 TALLOC_FREE(disp_info->cache_timeout_event);
493 free_samr_cache(disp_info);
494 }
495
496 /*******************************************************************
497 Ensure password info is never given out. Paranioa... JRA.
498 ********************************************************************/
499
500 static void samr_clear_sam_passwd(struct samu *sam_pass)
501 {
502
503 if (!sam_pass)
504 return;
505
506 /* These now zero out the old password */
507
508 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
509 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
510 }
511
512 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
513 {
514 struct samr_displayentry *entry;
515
516 if (info->builtin_domain) {
517 /* No users in builtin. */
518 return 0;
519 }
520
521 if (info->users == NULL) {
522 info->users = pdb_search_users(info, acct_flags);
523 if (info->users == NULL) {
524 return 0;
525 }
526 }
527 /* Fetch the last possible entry, thus trigger an enumeration */
528 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
529
530 /* Ensure we cache this enumeration. */
531 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
532
533 return info->users->num_entries;
534 }
535
536 static uint32 count_sam_groups(struct disp_info *info)
537 {
538 struct samr_displayentry *entry;
539
540 if (info->builtin_domain) {
541 /* No groups in builtin. */
542 return 0;
543 }
544
545 if (info->groups == NULL) {
546 info->groups = pdb_search_groups(info);
547 if (info->groups == NULL) {
548 return 0;
549 }
550 }
551 /* Fetch the last possible entry, thus trigger an enumeration */
552 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
553
554 /* Ensure we cache this enumeration. */
555 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
556
557 return info->groups->num_entries;
558 }
559
560 static uint32 count_sam_aliases(struct disp_info *info)
561 {
562 struct samr_displayentry *entry;
563
564 if (info->aliases == NULL) {
565 info->aliases = pdb_search_aliases(info, &info->sid);
566 if (info->aliases == NULL) {
567 return 0;
568 }
569 }
570 /* Fetch the last possible entry, thus trigger an enumeration */
571 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
572
573 /* Ensure we cache this enumeration. */
574 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
575
576 return info->aliases->num_entries;
577 }
578
579 /*******************************************************************
580 _samr_Close
581 ********************************************************************/
582
583 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
584 {
585 if (!close_policy_hnd(p, r->in.handle)) {
586 return NT_STATUS_INVALID_HANDLE;
587 }
588
589 ZERO_STRUCTP(r->out.handle);
590
591 return NT_STATUS_OK;
592 }
593
594 /*******************************************************************
595 _samr_OpenDomain
596 ********************************************************************/
597
598 NTSTATUS _samr_OpenDomain(pipes_struct *p,
599 struct samr_OpenDomain *r)
600 {
601 struct samr_info *info;
602 SEC_DESC *psd = NULL;
603 uint32 acc_granted;
604 uint32 des_access = r->in.access_mask;
605 NTSTATUS status;
606 size_t sd_size;
607 SE_PRIV se_rights;
608
609 /* find the connection policy handle. */
610
611 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
612 return NT_STATUS_INVALID_HANDLE;
613
614 /*check if access can be granted as requested by client. */
615 map_max_allowed_access(p->server_info->ptok, &des_access);
616
617 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
618 se_map_generic( &des_access, &dom_generic_mapping );
619
620 se_priv_copy( &se_rights, &se_machine_account );
621 se_priv_add( &se_rights, &se_add_users );
622
623 status = access_check_samr_object( psd, p->server_info->ptok,
624 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
625 &acc_granted, "_samr_OpenDomain" );
626
627 if ( !NT_STATUS_IS_OK(status) )
628 return status;
629
630 if (!sid_check_is_domain(r->in.sid) &&
631 !sid_check_is_builtin(r->in.sid)) {
632 return NT_STATUS_NO_SUCH_DOMAIN;
633 }
634
635 /* associate the domain SID with the (unique) handle. */
636 if ((info = get_samr_info_by_sid(p->mem_ctx, r->in.sid))==NULL)
637 return NT_STATUS_NO_MEMORY;
638 info->acc_granted = acc_granted;
639
640 /* get a (unique) handle. open a policy on it. */
641 if (!create_policy_hnd(p, r->out.domain_handle, info))
642 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
643
644 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
645
646 return NT_STATUS_OK;
647 }
648
649 /*******************************************************************
650 _samr_GetUserPwInfo
651 ********************************************************************/
652
653 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
654 struct samr_GetUserPwInfo *r)
655 {
656 struct samr_info *info = NULL;
657 enum lsa_SidType sid_type;
658 uint32_t min_password_length = 0;
659 uint32_t password_properties = 0;
660 bool ret = false;
661 NTSTATUS status;
662
663 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
664
665 /* find the policy handle. open a policy on it. */
666 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
667 return NT_STATUS_INVALID_HANDLE;
668 }
669
670 status = access_check_samr_function(info->acc_granted,
671 SAMR_USER_ACCESS_GET_ATTRIBUTES,
672 "_samr_GetUserPwInfo" );
673 if (!NT_STATUS_IS_OK(status)) {
674 return status;
675 }
676
677 if (!sid_check_is_in_our_domain(&info->sid)) {
678 return NT_STATUS_OBJECT_TYPE_MISMATCH;
679 }
680
681 become_root();
682 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
683 unbecome_root();
684 if (ret == false) {
685 return NT_STATUS_NO_SUCH_USER;
686 }
687
688 switch (sid_type) {
689 case SID_NAME_USER:
690 become_root();
691 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
692 &min_password_length);
693 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
694 &password_properties);
695 unbecome_root();
696
697 if (lp_check_password_script() && *lp_check_password_script()) {
698 password_properties |= DOMAIN_PASSWORD_COMPLEX;
699 }
700
701 break;
702 default:
703 break;
704 }
705
706 r->out.info->min_password_length = min_password_length;
707 r->out.info->password_properties = password_properties;
708
709 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
710
711 return NT_STATUS_OK;
712 }
713
714 /*******************************************************************
715 ********************************************************************/
716
717 static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol,
718 DOM_SID *sid, uint32 *acc_granted,
719 DISP_INFO **ppdisp_info)
720 {
721 struct samr_info *info = NULL;
722
723 /* find the policy handle. open a policy on it. */
724 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
725 return False;
726
727 if (!info)
728 return False;
729
730 *sid = info->sid;
731 *acc_granted = info->acc_granted;
732 if (ppdisp_info) {
733 *ppdisp_info = info->disp_info;
734 }
735
736 return True;
737 }
738
739 /*******************************************************************
740 _samr_SetSecurity
741 ********************************************************************/
742
743 NTSTATUS _samr_SetSecurity(pipes_struct *p,
744 struct samr_SetSecurity *r)
745 {
746 DOM_SID pol_sid;
747 uint32 acc_granted, i;
748 SEC_ACL *dacl;
749 bool ret;
750 struct samu *sampass=NULL;
751 NTSTATUS status;
752
753 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
754 return NT_STATUS_INVALID_HANDLE;
755
756 if (!(sampass = samu_new( p->mem_ctx))) {
757 DEBUG(0,("No memory!\n"));
758 return NT_STATUS_NO_MEMORY;
759 }
760
761 /* get the user record */
762 become_root();
763 ret = pdb_getsampwsid(sampass, &pol_sid);
764 unbecome_root();
765
766 if (!ret) {
767 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
768 TALLOC_FREE(sampass);
769 return NT_STATUS_INVALID_HANDLE;
770 }
771
772 dacl = r->in.sdbuf->sd->dacl;
773 for (i=0; i < dacl->num_aces; i++) {
774 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
775 ret = pdb_set_pass_can_change(sampass,
776 (dacl->aces[i].access_mask &
777 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
778 True: False);
779 break;
780 }
781 }
782
783 if (!ret) {
784 TALLOC_FREE(sampass);
785 return NT_STATUS_ACCESS_DENIED;
786 }
787
788 status = access_check_samr_function(acc_granted,
789 SAMR_USER_ACCESS_SET_ATTRIBUTES,
790 "_samr_SetSecurity");
791 if (NT_STATUS_IS_OK(status)) {
792 become_root();
793 status = pdb_update_sam_account(sampass);
794 unbecome_root();
795 }
796
797 TALLOC_FREE(sampass);
798
799 return status;
800 }
801
802 /*******************************************************************
803 build correct perms based on policies and password times for _samr_query_sec_obj
804 *******************************************************************/
805 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
806 {
807 struct samu *sampass=NULL;
808 bool ret;
809
810 if ( !(sampass = samu_new( mem_ctx )) ) {
811 DEBUG(0,("No memory!\n"));
812 return False;
813 }
814
815 become_root();
816 ret = pdb_getsampwsid(sampass, user_sid);
817 unbecome_root();
818
819 if (ret == False) {
820 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
821 TALLOC_FREE(sampass);
822 return False;
823 }
824
825 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
826
827 if (pdb_get_pass_can_change(sampass)) {
828 TALLOC_FREE(sampass);
829 return True;
830 }
831 TALLOC_FREE(sampass);
832 return False;
833 }
834
835
836 /*******************************************************************
837 _samr_QuerySecurity
838 ********************************************************************/
839
840 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
841 struct samr_QuerySecurity *r)
842 {
843 NTSTATUS status;
844 DOM_SID pol_sid;
845 SEC_DESC * psd = NULL;
846 uint32 acc_granted;
847 size_t sd_size;
848
849 /* Get the SID. */
850 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
851 return NT_STATUS_INVALID_HANDLE;
852
853 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
854 sid_string_dbg(&pol_sid)));
855
856 status = access_check_samr_function(acc_granted,
857 STD_RIGHT_READ_CONTROL_ACCESS,
858 "_samr_QuerySecurity");
859 if (!NT_STATUS_IS_OK(status)) {
860 return status;
861 }
862
863 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
864
865 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
866 if (pol_sid.sid_rev_num == 0) {
867 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
868 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
869 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
870 /* check if it is our domain SID */
871 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
872 "with SID: %s\n", sid_string_dbg(&pol_sid)));
873 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
874 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
875 /* check if it is the Builtin Domain */
876 /* TODO: Builtin probably needs a different SD with restricted write access*/
877 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
878 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
879 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
880 } else if (sid_check_is_in_our_domain(&pol_sid) ||
881 sid_check_is_in_builtin(&pol_sid)) {
882 /* TODO: different SDs have to be generated for aliases groups and users.
883 Currently all three get a default user SD */
884 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
885 "with SID: %s\n", sid_string_dbg(&pol_sid)));
886 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
887 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
888 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
889 } else {
890 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
891 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
892 }
893 } else {
894 return NT_STATUS_OBJECT_TYPE_MISMATCH;
895 }
896
897 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
898 return NT_STATUS_NO_MEMORY;
899
900 return status;
901 }
902
903 /*******************************************************************
904 makes a SAM_ENTRY / UNISTR2* structure from a user list.
905 ********************************************************************/
906
907 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
908 struct samr_SamEntry **sam_pp,
909 uint32_t num_entries,
910 uint32_t start_idx,
911 struct samr_displayentry *entries)
912 {
913 uint32_t i;
914 struct samr_SamEntry *sam;
915
916 *sam_pp = NULL;
917
918 if (num_entries == 0) {
919 return NT_STATUS_OK;
920 }
921
922 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
923 if (sam == NULL) {
924 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
925 return NT_STATUS_NO_MEMORY;
926 }
927
928 for (i = 0; i < num_entries; i++) {
929 #if 0
930 /*
931 * usrmgr expects a non-NULL terminated string with
932 * trust relationships
933 */
934 if (entries[i].acct_flags & ACB_DOMTRUST) {
935 init_unistr2(&uni_temp_name, entries[i].account_name,
936 UNI_FLAGS_NONE);
937 } else {
938 init_unistr2(&uni_temp_name, entries[i].account_name,
939 UNI_STR_TERMINATE);
940 }
941 #endif
942 init_lsa_String(&sam[i].name, entries[i].account_name);
943 sam[i].idx = entries[i].rid;
944 }
945
946 *sam_pp = sam;
947
948 return NT_STATUS_OK;
949 }
950
951 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
952
953 /*******************************************************************
954 _samr_EnumDomainUsers
955 ********************************************************************/
956
957 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
958 struct samr_EnumDomainUsers *r)
959 {
960 NTSTATUS status;
961 struct samr_info *info = NULL;
962 int num_account;
963 uint32 enum_context = *r->in.resume_handle;
964 enum remote_arch_types ra_type = get_remote_arch();
965 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
966 uint32 max_entries = max_sam_entries;
967 struct samr_displayentry *entries = NULL;
968 struct samr_SamArray *samr_array = NULL;
969 struct samr_SamEntry *samr_entries = NULL;
970
971 /* find the policy handle. open a policy on it. */
972 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
973 return NT_STATUS_INVALID_HANDLE;
974
975 status = access_check_samr_function(info->acc_granted,
976 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
977 "_samr_EnumDomainUsers");
978 if (!NT_STATUS_IS_OK(status)) {
979 return status;
980 }
981
982 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
983
984 if (info->builtin_domain) {
985 /* No users in builtin. */
986 *r->out.resume_handle = *r->in.resume_handle;
987 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
988 return status;
989 }
990
991 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
992 if (!samr_array) {
993 return NT_STATUS_NO_MEMORY;
994 }
995 *r->out.sam = samr_array;
996
997 become_root();
998
999 /* AS ROOT !!!! */
1000
1001 if ((info->disp_info->enum_users != NULL) &&
1002 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1003 TALLOC_FREE(info->disp_info->enum_users);
1004 }
1005
1006 if (info->disp_info->enum_users == NULL) {
1007 info->disp_info->enum_users = pdb_search_users(
1008 info->disp_info, r->in.acct_flags);
1009 info->disp_info->enum_acb_mask = r->in.acct_flags;
1010 }
1011
1012 if (info->disp_info->enum_users == NULL) {
1013 /* END AS ROOT !!!! */
1014 unbecome_root();
1015 return NT_STATUS_ACCESS_DENIED;
1016 }
1017
1018 num_account = pdb_search_entries(info->disp_info->enum_users,
1019 enum_context, max_entries,
1020 &entries);
1021
1022 /* END AS ROOT !!!! */
1023
1024 unbecome_root();
1025
1026 if (num_account == 0) {
1027 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1028 "total entries\n"));
1029 *r->out.resume_handle = *r->in.resume_handle;
1030 return NT_STATUS_OK;
1031 }
1032
1033 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1034 num_account, enum_context,
1035 entries);
1036 if (!NT_STATUS_IS_OK(status)) {
1037 return status;
1038 }
1039
1040 if (max_entries <= num_account) {
1041 status = STATUS_MORE_ENTRIES;
1042 } else {
1043 status = NT_STATUS_OK;
1044 }
1045
1046 /* Ensure we cache this enumeration. */
1047 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1048
1049 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1050
1051 samr_array->count = num_account;
1052 samr_array->entries = samr_entries;
1053
1054 *r->out.resume_handle = *r->in.resume_handle + num_account;
1055 *r->out.num_entries = num_account;
1056
1057 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1058
1059 return status;
1060 }
1061
1062 /*******************************************************************
1063 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1064 ********************************************************************/
1065
1066 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1067 struct samr_SamEntry **sam_pp,
1068 uint32_t num_sam_entries,
1069 struct samr_displayentry *entries)
1070 {
1071 struct samr_SamEntry *sam;
1072 uint32_t i;
1073
1074 *sam_pp = NULL;
1075
1076 if (num_sam_entries == 0) {
1077 return;
1078 }
1079
1080 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1081 if (sam == NULL) {
1082 return;
1083 }
1084
1085 for (i = 0; i < num_sam_entries; i++) {
1086 /*
1087 * JRA. I think this should include the null. TNG does not.
1088 */
1089 init_lsa_String(&sam[i].name, entries[i].account_name);
1090 sam[i].idx = entries[i].rid;
1091 }
1092
1093 *sam_pp = sam;
1094 }
1095
1096 /*******************************************************************
1097 _samr_EnumDomainGroups
1098 ********************************************************************/
1099
1100 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1101 struct samr_EnumDomainGroups *r)
1102 {
1103 NTSTATUS status;
1104 struct samr_info *info = NULL;
1105 struct samr_displayentry *groups;
1106 uint32 num_groups;
1107 struct samr_SamArray *samr_array = NULL;
1108 struct samr_SamEntry *samr_entries = NULL;
1109
1110 /* find the policy handle. open a policy on it. */
1111 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1112 return NT_STATUS_INVALID_HANDLE;
1113
1114 status = access_check_samr_function(info->acc_granted,
1115 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1116 "_samr_EnumDomainGroups");
1117 if (!NT_STATUS_IS_OK(status)) {
1118 return status;
1119 }
1120
1121 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1122
1123 if (info->builtin_domain) {
1124 /* No groups in builtin. */
1125 *r->out.resume_handle = *r->in.resume_handle;
1126 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1127 return status;
1128 }
1129
1130 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1131 if (!samr_array) {
1132 return NT_STATUS_NO_MEMORY;
1133 }
1134
1135 /* the domain group array is being allocated in the function below */
1136
1137 become_root();
1138
1139 if (info->disp_info->groups == NULL) {
1140 info->disp_info->groups = pdb_search_groups(info->disp_info);
1141
1142 if (info->disp_info->groups == NULL) {
1143 unbecome_root();
1144 return NT_STATUS_ACCESS_DENIED;
1145 }
1146 }
1147
1148 num_groups = pdb_search_entries(info->disp_info->groups,
1149 *r->in.resume_handle,
1150 MAX_SAM_ENTRIES, &groups);
1151 unbecome_root();
1152
1153 /* Ensure we cache this enumeration. */
1154 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1155
1156 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1157 num_groups, groups);
1158
1159 samr_array->count = num_groups;
1160 samr_array->entries = samr_entries;
1161
1162 *r->out.sam = samr_array;
1163 *r->out.num_entries = num_groups;
1164 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1165
1166 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1167
1168 return status;
1169 }
1170
1171 /*******************************************************************
1172 _samr_EnumDomainAliases
1173 ********************************************************************/
1174
1175 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1176 struct samr_EnumDomainAliases *r)
1177 {
1178 NTSTATUS status;
1179 struct samr_info *info;
1180 struct samr_displayentry *aliases;
1181 uint32 num_aliases = 0;
1182 struct samr_SamArray *samr_array = NULL;
1183 struct samr_SamEntry *samr_entries = NULL;
1184
1185 /* find the policy handle. open a policy on it. */
1186 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1187 return NT_STATUS_INVALID_HANDLE;
1188
1189 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1190 sid_string_dbg(&info->sid)));
1191
1192 status = access_check_samr_function(info->acc_granted,
1193 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1194 "_samr_EnumDomainAliases");
1195 if (!NT_STATUS_IS_OK(status)) {
1196 return status;
1197 }
1198
1199 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1200 if (!samr_array) {
1201 return NT_STATUS_NO_MEMORY;
1202 }
1203
1204 become_root();
1205
1206 if (info->disp_info->aliases == NULL) {
1207 info->disp_info->aliases = pdb_search_aliases(
1208 info->disp_info, &info->sid);
1209 if (info->disp_info->aliases == NULL) {
1210 unbecome_root();
1211 return NT_STATUS_ACCESS_DENIED;
1212 }
1213 }
1214
1215 num_aliases = pdb_search_entries(info->disp_info->aliases,
1216 *r->in.resume_handle,
1217 MAX_SAM_ENTRIES, &aliases);
1218 unbecome_root();
1219
1220 /* Ensure we cache this enumeration. */
1221 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1222
1223 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1224 num_aliases, aliases);
1225
1226 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1227
1228 samr_array->count = num_aliases;
1229 samr_array->entries = samr_entries;
1230
1231 *r->out.sam = samr_array;
1232 *r->out.num_entries = num_aliases;
1233 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1234
1235 return status;
1236 }
1237
1238 /*******************************************************************
1239 inits a samr_DispInfoGeneral structure.
1240 ********************************************************************/
1241
1242 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1243 struct samr_DispInfoGeneral *r,
1244 uint32_t num_entries,
1245 uint32_t start_idx,
1246 struct samr_displayentry *entries)
1247 {
1248 uint32 i;
1249
1250 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1251
1252 if (num_entries == 0) {
1253 return NT_STATUS_OK;
1254 }
1255
1256 r->count = num_entries;
1257
1258 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1259 if (!r->entries) {
1260 return NT_STATUS_NO_MEMORY;
1261 }
1262
1263 for (i = 0; i < num_entries ; i++) {
1264
1265 init_lsa_String(&r->entries[i].account_name,
1266 entries[i].account_name);
1267
1268 init_lsa_String(&r->entries[i].description,
1269 entries[i].description);
1270
1271 init_lsa_String(&r->entries[i].full_name,
1272 entries[i].fullname);
1273
1274 r->entries[i].rid = entries[i].rid;
1275 r->entries[i].acct_flags = entries[i].acct_flags;
1276 r->entries[i].idx = start_idx+i+1;
1277 }
1278
1279 return NT_STATUS_OK;
1280 }
1281
1282 /*******************************************************************
1283 inits a samr_DispInfoFull structure.
1284 ********************************************************************/
1285
1286 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1287 struct samr_DispInfoFull *r,
1288 uint32_t num_entries,
1289 uint32_t start_idx,
1290 struct samr_displayentry *entries)
1291 {
1292 uint32_t i;
1293
1294 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1295
1296 if (num_entries == 0) {
1297 return NT_STATUS_OK;
1298 }
1299
1300 r->count = num_entries;
1301
1302 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1303 if (!r->entries) {
1304 return NT_STATUS_NO_MEMORY;
1305 }
1306
1307 for (i = 0; i < num_entries ; i++) {
1308
1309 init_lsa_String(&r->entries[i].account_name,
1310 entries[i].account_name);
1311
1312 init_lsa_String(&r->entries[i].description,
1313 entries[i].description);
1314
1315 r->entries[i].rid = entries[i].rid;
1316 r->entries[i].acct_flags = entries[i].acct_flags;
1317 r->entries[i].idx = start_idx+i+1;
1318 }
1319
1320 return NT_STATUS_OK;
1321 }
1322
1323 /*******************************************************************
1324 inits a samr_DispInfoFullGroups structure.
1325 ********************************************************************/
1326
1327 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1328 struct samr_DispInfoFullGroups *r,
1329 uint32_t num_entries,
1330 uint32_t start_idx,
1331 struct samr_displayentry *entries)
1332 {
1333 uint32_t i;
1334
1335 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1336
1337 if (num_entries == 0) {
1338 return NT_STATUS_OK;
1339 }
1340
1341 r->count = num_entries;
1342
1343 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1344 if (!r->entries) {
1345 return NT_STATUS_NO_MEMORY;
1346 }
1347
1348 for (i = 0; i < num_entries ; i++) {
1349
1350 init_lsa_String(&r->entries[i].account_name,
1351 entries[i].account_name);
1352
1353 init_lsa_String(&r->entries[i].description,
1354 entries[i].description);
1355
1356 r->entries[i].rid = entries[i].rid;
1357 r->entries[i].acct_flags = entries[i].acct_flags;
1358 r->entries[i].idx = start_idx+i+1;
1359 }
1360
1361 return NT_STATUS_OK;
1362 }
1363
1364 /*******************************************************************
1365 inits a samr_DispInfoAscii structure.
1366 ********************************************************************/
1367
1368 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1369 struct samr_DispInfoAscii *r,
1370 uint32_t num_entries,
1371 uint32_t start_idx,
1372 struct samr_displayentry *entries)
1373 {
1374 uint32_t i;
1375
1376 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1377
1378 if (num_entries == 0) {
1379 return NT_STATUS_OK;
1380 }
1381
1382 r->count = num_entries;
1383
1384 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1385 if (!r->entries) {
1386 return NT_STATUS_NO_MEMORY;
1387 }
1388
1389 for (i = 0; i < num_entries ; i++) {
1390
1391 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1392 entries[i].account_name);
1393
1394 r->entries[i].idx = start_idx+i+1;
1395 }
1396
1397 return NT_STATUS_OK;
1398 }
1399
1400 /*******************************************************************
1401 inits a samr_DispInfoAscii structure.
1402 ********************************************************************/
1403
1404 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1405 struct samr_DispInfoAscii *r,
1406 uint32_t num_entries,
1407 uint32_t start_idx,
1408 struct samr_displayentry *entries)
1409 {
1410 uint32_t i;
1411
1412 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1413
1414 if (num_entries == 0) {
1415 return NT_STATUS_OK;
1416 }
1417
1418 r->count = num_entries;
1419
1420 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1421 if (!r->entries) {
1422 return NT_STATUS_NO_MEMORY;
1423 }
1424
1425 for (i = 0; i < num_entries ; i++) {
1426
1427 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1428 entries[i].account_name);
1429
1430 r->entries[i].idx = start_idx+i+1;
1431 }
1432
1433 return NT_STATUS_OK;
1434 }
1435
1436 /*******************************************************************
1437 _samr_QueryDisplayInfo
1438 ********************************************************************/
1439
1440 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1441 struct samr_QueryDisplayInfo *r)
1442 {
1443 NTSTATUS status;
1444 struct samr_info *info = NULL;
1445 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1446
1447 uint32 max_entries = r->in.max_entries;
1448 uint32 enum_context = r->in.start_idx;
1449 uint32 max_size = r->in.buf_size;
1450
1451 union samr_DispInfo *disp_info = r->out.info;
1452
1453 uint32 temp_size=0, total_data_size=0;
1454 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1455 uint32 num_account = 0;
1456 enum remote_arch_types ra_type = get_remote_arch();
1457 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1458 struct samr_displayentry *entries = NULL;
1459
1460 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1461
1462 /* find the policy handle. open a policy on it. */
1463 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1464 return NT_STATUS_INVALID_HANDLE;
1465
1466 if (info->builtin_domain) {
1467 DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
1468 return NT_STATUS_OK;
1469 }
1470
1471 status = access_check_samr_function(info->acc_granted,
1472 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1473 "_samr_QueryDisplayInfo");
1474 if (!NT_STATUS_IS_OK(status)) {
1475 return status;
1476 }
1477
1478 /*
1479 * calculate how many entries we will return.
1480 * based on
1481 * - the number of entries the client asked
1482 * - our limit on that
1483 * - the starting point (enumeration context)
1484 * - the buffer size the client will accept
1485 */
1486
1487 /*
1488 * We are a lot more like W2K. Instead of reading the SAM
1489 * each time to find the records we need to send back,
1490 * we read it once and link that copy to the sam handle.
1491 * For large user list (over the MAX_SAM_ENTRIES)
1492 * it's a definitive win.
1493 * second point to notice: between enumerations
1494 * our sam is now the same as it's a snapshoot.
1495 * third point: got rid of the static SAM_USER_21 struct
1496 * no more intermediate.
1497 * con: it uses much more memory, as a full copy is stored
1498 * in memory.
1499 *
1500 * If you want to change it, think twice and think
1501 * of the second point , that's really important.
1502 *
1503 * JFM, 12/20/2001
1504 */
1505
1506 if ((r->in.level < 1) || (r->in.level > 5)) {
1507 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1508 (unsigned int)r->in.level ));
1509 return NT_STATUS_INVALID_INFO_CLASS;
1510 }
1511
1512 /* first limit the number of entries we will return */
1513 if(max_entries > max_sam_entries) {
1514 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1515 "entries, limiting to %d\n", max_entries,
1516 max_sam_entries));
1517 max_entries = max_sam_entries;
1518 }
1519
1520 /* calculate the size and limit on the number of entries we will
1521 * return */
1522
1523 temp_size=max_entries*struct_size;
1524
1525 if (temp_size>max_size) {
1526 max_entries=MIN((max_size/struct_size),max_entries);;
1527 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1528 "only %d entries\n", max_entries));
1529 }
1530
1531 become_root();
1532
1533 /* THe following done as ROOT. Don't return without unbecome_root(). */
1534
1535 switch (r->in.level) {
1536 case 0x1:
1537 case 0x4:
1538 if (info->disp_info->users == NULL) {
1539 info->disp_info->users = pdb_search_users(
1540 info->disp_info, ACB_NORMAL);
1541 if (info->disp_info->users == NULL) {
1542 unbecome_root();
1543 return NT_STATUS_ACCESS_DENIED;
1544 }
1545 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1546 (unsigned int)enum_context ));
1547 } else {
1548 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1549 (unsigned int)enum_context ));
1550 }
1551
1552 num_account = pdb_search_entries(info->disp_info->users,
1553 enum_context, max_entries,
1554 &entries);
1555 break;
1556 case 0x2:
1557 if (info->disp_info->machines == NULL) {
1558 info->disp_info->machines = pdb_search_users(
1559 info->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1560 if (info->disp_info->machines == NULL) {
1561 unbecome_root();
1562 return NT_STATUS_ACCESS_DENIED;
1563 }
1564 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1565 (unsigned int)enum_context ));
1566 } else {
1567 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1568 (unsigned int)enum_context ));
1569 }
1570
1571 num_account = pdb_search_entries(info->disp_info->machines,
1572 enum_context, max_entries,
1573 &entries);
1574 break;
1575 case 0x3:
1576 case 0x5:
1577 if (info->disp_info->groups == NULL) {
1578 info->disp_info->groups = pdb_search_groups(
1579 info->disp_info);
1580 if (info->disp_info->groups == NULL) {
1581 unbecome_root();
1582 return NT_STATUS_ACCESS_DENIED;
1583 }
1584 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1585 (unsigned int)enum_context ));
1586 } else {
1587 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1588 (unsigned int)enum_context ));
1589 }
1590
1591 num_account = pdb_search_entries(info->disp_info->groups,
1592 enum_context, max_entries,
1593 &entries);
1594 break;
1595 default:
1596 unbecome_root();
1597 smb_panic("info class changed");
1598 break;
1599 }
1600 unbecome_root();
1601
1602
1603 /* Now create reply structure */
1604 switch (r->in.level) {
1605 case 0x1:
1606 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1607 num_account, enum_context,
1608 entries);
1609 break;
1610 case 0x2:
1611 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1612 num_account, enum_context,
1613 entries);
1614 break;
1615 case 0x3:
1616 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1617 num_account, enum_context,
1618 entries);
1619 break;
1620 case 0x4:
1621 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1622 num_account, enum_context,
1623 entries);
1624 break;
1625 case 0x5:
1626 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1627 num_account, enum_context,
1628 entries);
1629 break;
1630 default:
1631 smb_panic("info class changed");
1632 break;
1633 }
1634
1635 if (!NT_STATUS_IS_OK(disp_ret))
1636 return disp_ret;
1637
1638 /* calculate the total size */
1639 total_data_size=num_account*struct_size;
1640
1641 if (max_entries <= num_account) {
1642 status = STATUS_MORE_ENTRIES;
1643 } else {
1644 status = NT_STATUS_OK;
1645 }
1646
1647 /* Ensure we cache this enumeration. */
1648 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1649
1650 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1651
1652 *r->out.total_size = total_data_size;
1653 *r->out.returned_size = temp_size;
1654
1655 return status;
1656 }
1657
1658 /****************************************************************
1659 _samr_QueryDisplayInfo2
1660 ****************************************************************/
1661
1662 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1663 struct samr_QueryDisplayInfo2 *r)
1664 {
1665 struct samr_QueryDisplayInfo q;
1666
1667 q.in.domain_handle = r->in.domain_handle;
1668 q.in.level = r->in.level;
1669 q.in.start_idx = r->in.start_idx;
1670 q.in.max_entries = r->in.max_entries;
1671 q.in.buf_size = r->in.buf_size;
1672
1673 q.out.total_size = r->out.total_size;
1674 q.out.returned_size = r->out.returned_size;
1675 q.out.info = r->out.info;
1676
1677 return _samr_QueryDisplayInfo(p, &q);
1678 }
1679
1680 /****************************************************************
1681 _samr_QueryDisplayInfo3
1682 ****************************************************************/
1683
1684 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1685 struct samr_QueryDisplayInfo3 *r)
1686 {
1687 struct samr_QueryDisplayInfo q;
1688
1689 q.in.domain_handle = r->in.domain_handle;
1690 q.in.level = r->in.level;
1691 q.in.start_idx = r->in.start_idx;
1692 q.in.max_entries = r->in.max_entries;
1693 q.in.buf_size = r->in.buf_size;
1694
1695 q.out.total_size = r->out.total_size;
1696 q.out.returned_size = r->out.returned_size;
1697 q.out.info = r->out.info;
1698
1699 return _samr_QueryDisplayInfo(p, &q);
1700 }
1701
1702 /*******************************************************************
1703 _samr_QueryAliasInfo
1704 ********************************************************************/
1705
1706 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1707 struct samr_QueryAliasInfo *r)
1708 {
1709 DOM_SID sid;
1710 struct acct_info info;
1711 uint32 acc_granted;
1712 NTSTATUS status;
1713 union samr_AliasInfo *alias_info = NULL;
1714 const char *alias_name = NULL;
1715 const char *alias_description = NULL;
1716
1717 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1718
1719 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1720 if (!alias_info) {
1721 return NT_STATUS_NO_MEMORY;
1722 }
1723
1724 /* find the policy handle. open a policy on it. */
1725 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1726 return NT_STATUS_INVALID_HANDLE;
1727
1728 status = access_check_samr_function(acc_granted,
1729 SAMR_ALIAS_ACCESS_LOOKUP_INFO,
1730 "_samr_QueryAliasInfo");
1731 if (!NT_STATUS_IS_OK(status)) {
1732 return status;
1733 }
1734
1735 become_root();
1736 status = pdb_get_aliasinfo(&sid, &info);
1737 unbecome_root();
1738
1739 if ( !NT_STATUS_IS_OK(status))
1740 return status;
1741
1742 /* FIXME: info contains fstrings */
1743 alias_name = talloc_strdup(r, info.acct_name);
1744 alias_description = talloc_strdup(r, info.acct_desc);
1745
1746 switch (r->in.level) {
1747 case ALIASINFOALL:
1748 alias_info->all.name.string = alias_name;
1749 alias_info->all.num_members = 1; /* ??? */
1750 alias_info->all.description.string = alias_description;
1751 break;
1752 case ALIASINFODESCRIPTION:
1753 alias_info->description.string = alias_description;
1754 break;
1755 default:
1756 return NT_STATUS_INVALID_INFO_CLASS;
1757 }
1758
1759 *r->out.info = alias_info;
1760
1761 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1762
1763 return NT_STATUS_OK;
1764 }
1765
1766 /*******************************************************************
1767 _samr_LookupNames
1768 ********************************************************************/
1769
1770 NTSTATUS _samr_LookupNames(pipes_struct *p,
1771 struct samr_LookupNames *r)
1772 {
1773 NTSTATUS status;
1774 uint32 *rid;
1775 enum lsa_SidType *type;
1776 int i;
1777 int num_rids = r->in.num_names;
1778 DOM_SID pol_sid;
1779 uint32 acc_granted;
1780 struct samr_Ids rids, types;
1781 uint32_t num_mapped = 0;
1782
1783 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1784
1785 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1786 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1787 }
1788
1789 status = access_check_samr_function(acc_granted,
1790 0, /* Don't know the acc_bits yet */
1791 "_samr_LookupNames");
1792 if (!NT_STATUS_IS_OK(status)) {
1793 return status;
1794 }
1795
1796 if (num_rids > MAX_SAM_ENTRIES) {
1797 num_rids = MAX_SAM_ENTRIES;
1798 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1799 }
1800
1801 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1802 NT_STATUS_HAVE_NO_MEMORY(rid);
1803
1804 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1805 NT_STATUS_HAVE_NO_MEMORY(type);
1806
1807 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1808 sid_string_dbg(&pol_sid)));
1809
1810 for (i = 0; i < num_rids; i++) {
1811
1812 status = NT_STATUS_NONE_MAPPED;
1813 type[i] = SID_NAME_UNKNOWN;
1814
1815 rid[i] = 0xffffffff;
1816
1817 if (sid_check_is_builtin(&pol_sid)) {
1818 if (lookup_builtin_name(r->in.names[i].string,
1819 &rid[i]))
1820 {
1821 type[i] = SID_NAME_ALIAS;
1822 }
1823 } else {
1824 lookup_global_sam_name(r->in.names[i].string, 0,
1825 &rid[i], &type[i]);
1826 }
1827
1828 if (type[i] != SID_NAME_UNKNOWN) {
1829 num_mapped++;
1830 }
1831 }
1832
1833 if (num_mapped == num_rids) {
1834 status = NT_STATUS_OK;
1835 } else if (num_mapped == 0) {
1836 status = NT_STATUS_NONE_MAPPED;
1837 } else {
1838 status = STATUS_SOME_UNMAPPED;
1839 }
1840
1841 rids.count = num_rids;
1842 rids.ids = rid;
1843
1844 types.count = num_rids;
1845 types.ids = type;
1846
1847 *r->out.rids = rids;
1848 *r->out.types = types;
1849
1850 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1851
1852 return status;
1853 }
1854
1855 /*******************************************************************
1856 _samr_ChangePasswordUser2
1857 ********************************************************************/
1858
1859 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1860 struct samr_ChangePasswordUser2 *r)
1861 {
1862 NTSTATUS status;
1863 fstring user_name;
1864 fstring wks;
1865
1866 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1867
1868 fstrcpy(user_name, r->in.account->string);
1869 fstrcpy(wks, r->in.server->string);
1870
1871 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1872
1873 /*
1874 * Pass the user through the NT -> unix user mapping
1875 * function.
1876 */
1877
1878 (void)map_username(user_name);
1879
1880 /*
1881 * UNIX username case mangling not required, pass_oem_change
1882 * is case insensitive.
1883 */
1884
1885 status = pass_oem_change(user_name,
1886 r->in.lm_password->data,
1887 r->in.lm_verifier->hash,
1888 r->in.nt_password->data,
1889 r->in.nt_verifier->hash,
1890 NULL);
1891
1892 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1893
1894 return status;
1895 }
1896
1897 /*******************************************************************
1898 _samr_ChangePasswordUser3
1899 ********************************************************************/
1900
1901 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1902 struct samr_ChangePasswordUser3 *r)
1903 {
1904 NTSTATUS status;
1905 fstring user_name;
1906 const char *wks = NULL;
1907 uint32 reject_reason;
1908 struct samr_DomInfo1 *dominfo = NULL;
1909 struct samr_ChangeReject *reject = NULL;
1910 uint32_t tmp;
1911
1912 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1913
1914 fstrcpy(user_name, r->in.account->string);
1915 if (r->in.server && r->in.server->string) {
1916 wks = r->in.server->string;
1917 }
1918
1919 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1920
1921 /*
1922 * Pass the user through the NT -> unix user mapping
1923 * function.
1924 */
1925
1926 (void)map_username(user_name);
1927
1928 /*
1929 * UNIX username case mangling not required, pass_oem_change
1930 * is case insensitive.
1931 */
1932
1933 status = pass_oem_change(user_name,
1934 r->in.lm_password->data,
1935 r->in.lm_verifier->hash,
1936 r->in.nt_password->data,
1937 r->in.nt_verifier->hash,
1938 &reject_reason);
1939
1940 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1941 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1942
1943 time_t u_expire, u_min_age;
1944 uint32 account_policy_temp;
1945
1946 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1947 if (!dominfo) {
1948 return NT_STATUS_NO_MEMORY;
1949 }
1950
1951 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1952 if (!reject) {
1953 return NT_STATUS_NO_MEMORY;
1954 }
1955
1956 become_root();
1957
1958 /* AS ROOT !!! */
1959
1960 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
1961 dominfo->min_password_length = tmp;
1962
1963 pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
1964 dominfo->password_history_length = tmp;
1965
1966 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
1967 &dominfo->password_properties);
1968
1969 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1970 u_expire = account_policy_temp;
1971
1972 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1973 u_min_age = account_policy_temp;
1974
1975 /* !AS ROOT */
1976
1977 unbecome_root();
1978
1979 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
1980 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
1981
1982 if (lp_check_password_script() && *lp_check_password_script()) {
1983 dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
1984 }
1985
1986 reject->reason = reject_reason;
1987
1988 *r->out.dominfo = dominfo;
1989 *r->out.reject = reject;
1990 }
1991
1992 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1993
1994 return status;
1995 }
1996
1997 /*******************************************************************
1998 makes a SAMR_R_LOOKUP_RIDS structure.
1999 ********************************************************************/
2000
2001 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2002 const char **names,
2003 struct lsa_String **lsa_name_array_p)
2004 {
2005 struct lsa_String *lsa_name_array = NULL;
2006 uint32_t i;
2007
2008 *lsa_name_array_p = NULL;
2009
2010 if (num_names != 0) {
2011 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2012 if (!lsa_name_array) {
2013 return false;
2014 }
2015 }
2016
2017 for (i = 0; i < num_names; i++) {
2018 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2019 init_lsa_String(&lsa_name_array[i], names[i]);
2020 }
2021
2022 *lsa_name_array_p = lsa_name_array;
2023
2024 return true;
2025 }
2026
2027 /*******************************************************************
2028 _samr_LookupRids
2029 ********************************************************************/
2030
2031 NTSTATUS _samr_LookupRids(pipes_struct *p,
2032 struct samr_LookupRids *r)
2033 {
2034 NTSTATUS status;
2035 const char **names;
2036 enum lsa_SidType *attrs = NULL;
2037 uint32 *wire_attrs = NULL;
2038 DOM_SID pol_sid;
2039 int num_rids = (int)r->in.num_rids;
2040 uint32 acc_granted;
2041 int i;
2042 struct lsa_Strings names_array;
2043 struct samr_Ids types_array;
2044 struct lsa_String *lsa_names = NULL;
2045
2046 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2047
2048 /* find the policy handle. open a policy on it. */
2049 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2050 return NT_STATUS_INVALID_HANDLE;
2051
2052 status = access_check_samr_function(acc_granted,
2053 0, /* Don't know the acc_bits yet */
2054 "_samr_LookupRids");
2055 if (!NT_STATUS_IS_OK(status)) {
2056 return status;
2057 }
2058
2059 if (num_rids > 1000) {
2060 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2061 "to samba4 idl this is not possible\n", num_rids));
2062 return NT_STATUS_UNSUCCESSFUL;
2063 }
2064
2065 if (num_rids) {
2066 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2067 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2068 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2069
2070 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2071 return NT_STATUS_NO_MEMORY;
2072 } else {
2073 names = NULL;
2074 attrs = NULL;
2075 wire_attrs = NULL;
2076 }
2077
2078 become_root(); /* lookup_sid can require root privs */
2079 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2080 names, attrs);
2081 unbecome_root();
2082
2083 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2084 status = NT_STATUS_OK;
2085 }
2086
2087 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2088 &lsa_names)) {
2089 return NT_STATUS_NO_MEMORY;
2090 }
2091
2092 /* Convert from enum lsa_SidType to uint32 for wire format. */
2093 for (i = 0; i < num_rids; i++) {
2094 wire_attrs[i] = (uint32)attrs[i];
2095 }
2096
2097 names_array.count = num_rids;
2098 names_array.names = lsa_names;
2099
2100 types_array.count = num_rids;
2101 types_array.ids = wire_attrs;
2102
2103 *r->out.names = names_array;
2104 *r->out.types = types_array;
2105
2106 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2107
2108 return status;
2109 }
2110
2111 /*******************************************************************
2112 _samr_OpenUser
2113 ********************************************************************/
2114
2115 NTSTATUS _samr_OpenUser(pipes_struct *p,
2116 struct samr_OpenUser *r)
2117 {
2118 struct samu *sampass=NULL;
2119 DOM_SID sid;
2120 struct samr_info *info = NULL;
2121 SEC_DESC *psd = NULL;
2122 uint32 acc_granted;
2123 uint32 des_access = r->in.access_mask;
2124 size_t sd_size;
2125 bool ret;
2126 NTSTATUS nt_status;
2127 SE_PRIV se_rights;
2128
2129 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2130
2131 if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
2132 return NT_STATUS_INVALID_HANDLE;
2133
2134 nt_status = access_check_samr_function(acc_granted,
2135 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
2136 "_samr_OpenUser" );
2137
2138 if ( !NT_STATUS_IS_OK(nt_status) )
2139 return nt_status;
2140
2141 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2142 return NT_STATUS_NO_MEMORY;
2143 }
2144
2145 /* append the user's RID to it */
2146
2147 if (!sid_append_rid(&sid, r->in.rid))
2148 return NT_STATUS_NO_SUCH_USER;
2149
2150 /* check if access can be granted as requested by client. */
2151
2152 map_max_allowed_access(p->server_info->ptok, &des_access);
2153
2154 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2155 se_map_generic(&des_access, &usr_generic_mapping);
2156
2157 se_priv_copy( &se_rights, &se_machine_account );
2158 se_priv_add( &se_rights, &se_add_users );
2159
2160 nt_status = access_check_samr_object(psd, p->server_info->ptok,
2161 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2162 &acc_granted, "_samr_OpenUser");
2163
2164 if ( !NT_STATUS_IS_OK(nt_status) )
2165 return nt_status;
2166
2167 become_root();
2168 ret=pdb_getsampwsid(sampass, &sid);
2169 unbecome_root();
2170
2171 /* check that the SID exists in our domain. */
2172 if (ret == False) {
2173 return NT_STATUS_NO_SUCH_USER;
2174 }
2175
2176 TALLOC_FREE(sampass);
2177
2178 /* associate the user's SID and access bits with the new handle. */
2179 if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL)
2180 return NT_STATUS_NO_MEMORY;
2181 info->acc_granted = acc_granted;
2182
2183 /* get a (unique) handle. open a policy on it. */
2184 if (!create_policy_hnd(p, r->out.user_handle, info))
2185 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2186
2187 return NT_STATUS_OK;
2188 }
2189
2190 /*************************************************************************
2191 *************************************************************************/
2192
2193 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2194 DATA_BLOB *blob,
2195 struct lsa_BinaryString **_r)
2196 {
2197 struct lsa_BinaryString *r;
2198
2199 if (!blob || !_r) {
2200 return NT_STATUS_INVALID_PARAMETER;
2201 }
2202
2203 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2204 if (!r) {
2205 return NT_STATUS_NO_MEMORY;
2206 }
2207
2208 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2209 if (!r->array) {
2210 return NT_STATUS_NO_MEMORY;
2211 }
2212 memcpy(r->array, blob->data, blob->length);
2213 r->size = blob->length;
2214 r->length = blob->length;
2215
2216 if (!r->array) {
2217 return NT_STATUS_NO_MEMORY;
2218 }
2219
2220 *_r = r;
2221
2222 return NT_STATUS_OK;
2223 }
2224
2225 /*************************************************************************
2226 get_user_info_1.
2227 *************************************************************************/
2228
2229 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2230 struct samr_UserInfo1 *r,
2231 struct samu *pw,
2232 DOM_SID *domain_sid)
2233 {
2234 const DOM_SID *sid_group;
2235 uint32_t primary_gid;
2236
2237 become_root();
2238 sid_group = pdb_get_group_sid(pw);
2239 unbecome_root();
2240
2241 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2242 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2243 "which conflicts with the domain sid %s. Failing operation.\n",
2244 pdb_get_username(pw), sid_string_dbg(sid_group),
2245 sid_string_dbg(domain_sid)));
2246 return NT_STATUS_UNSUCCESSFUL;
2247 }
2248
2249 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2250 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2251 r->primary_gid = primary_gid;
2252 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2253 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2254
2255 return NT_STATUS_OK;
2256 }
2257
2258 /*************************************************************************
2259 get_user_info_2.
2260 *************************************************************************/
2261
2262 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2263 struct samr_UserInfo2 *r,
2264 struct samu *pw)
2265 {
2266 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2267 r->unknown.string = NULL;
2268 r->country_code = 0;
2269 r->code_page = 0;
2270
2271 return NT_STATUS_OK;
2272 }
2273
2274 /*************************************************************************
2275 get_user_info_3.
2276 *************************************************************************/
2277
2278 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2279 struct samr_UserInfo3 *r,
2280 struct samu *pw,
2281 DOM_SID *domain_sid)
2282 {
2283 const DOM_SID *sid_user, *sid_group;
2284 uint32_t rid, primary_gid;
2285
2286 sid_user = pdb_get_user_sid(pw);
2287
2288 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2289 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2290 "the domain sid %s. Failing operation.\n",
2291 pdb_get_username(pw), sid_string_dbg(sid_user),
2292 sid_string_dbg(domain_sid)));
2293 return NT_STATUS_UNSUCCESSFUL;
2294 }
2295
2296 become_root();
2297 sid_group = pdb_get_group_sid(pw);
2298 unbecome_root();
2299
2300 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2301 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2302 "which conflicts with the domain sid %s. Failing operation.\n",
2303 pdb_get_username(pw), sid_string_dbg(sid_group),
2304 sid_string_dbg(domain_sid)));
2305 return NT_STATUS_UNSUCCESSFUL;
2306 }
2307
2308 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2309 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2310 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2311 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2312 unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2313
2314 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2315 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2316 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2317 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2318 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2319 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2320 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2321
2322 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2323 r->rid = rid;
2324 r->primary_gid = primary_gid;
2325 r->acct_flags = pdb_get_acct_ctrl(pw);
2326 r->bad_password_count = pdb_get_bad_password_count(pw);
2327 r->logon_count = pdb_get_logon_count(pw);
2328
2329 return NT_STATUS_OK;
2330 }
2331
2332 /*************************************************************************
2333 get_user_info_4.
2334 *************************************************************************/
2335
2336 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2337 struct samr_UserInfo4 *r,
2338 struct samu *pw)
2339 {
2340 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2341
2342 return NT_STATUS_OK;
2343 }
2344
2345 /*************************************************************************
2346 get_user_info_5.
2347 *************************************************************************/
2348
2349 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2350 struct samr_UserInfo5 *r,
2351 struct samu *pw,
2352 DOM_SID *domain_sid)
2353 {
2354 const DOM_SID *sid_user, *sid_group;
2355 uint32_t rid, primary_gid;
2356
2357 sid_user = pdb_get_user_sid(pw);
2358
2359 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2360 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2361 "the domain sid %s. Failing operation.\n",
2362 pdb_get_username(pw), sid_string_dbg(sid_user),
2363 sid_string_dbg(domain_sid)));
2364 return NT_STATUS_UNSUCCESSFUL;
2365 }
2366
2367 become_root();
2368 sid_group = pdb_get_group_sid(pw);
2369 unbecome_root();
2370
2371 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2372 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2373 "which conflicts with the domain sid %s. Failing operation.\n",
2374 pdb_get_username(pw), sid_string_dbg(sid_group),
2375 sid_string_dbg(domain_sid)));
2376 return NT_STATUS_UNSUCCESSFUL;
2377 }
2378
2379 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2380 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2381 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2382 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2383
2384 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2385 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2386 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2387 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2388 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2389 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2390 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2391 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2392
2393 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2394 r->rid = rid;
2395 r->primary_gid = primary_gid;
2396 r->acct_flags = pdb_get_acct_ctrl(pw);
2397 r->bad_password_count = pdb_get_bad_password_count(pw);
2398 r->logon_count = pdb_get_logon_count(pw);
2399
2400 return NT_STATUS_OK;
2401 }
2402
2403 /*************************************************************************
2404 get_user_info_6.
2405 *************************************************************************/
2406
2407 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2408 struct samr_UserInfo6 *r,
2409 struct samu *pw)
2410 {
2411 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2412 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2413
2414 return NT_STATUS_OK;
2415 }
2416
2417 /*************************************************************************
2418 get_user_info_7. Safe. Only gives out account_name.
2419 *************************************************************************/
2420
2421 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2422 struct samr_UserInfo7 *r,
2423 struct samu *smbpass)
2424 {
2425 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2426 if (!r->account_name.string) {
2427 return NT_STATUS_NO_MEMORY;
2428 }
2429
2430 return NT_STATUS_OK;
2431 }
2432
2433 /*************************************************************************
2434 get_user_info_8.
2435 *************************************************************************/
2436
2437 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2438 struct samr_UserInfo8 *r,
2439 struct samu *pw)
2440 {
2441 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2442
2443 return NT_STATUS_OK;
2444 }
2445
2446 /*************************************************************************
2447 get_user_info_9. Only gives out primary group SID.
2448 *************************************************************************/
2449
2450 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2451 struct samr_UserInfo9 *r,
2452 struct samu *smbpass)
2453 {
2454 r->primary_gid = pdb_get_group_rid(smbpass);
2455
2456 return NT_STATUS_OK;
2457 }
2458
2459 /*************************************************************************
2460 get_user_info_10.
2461 *************************************************************************/
2462
2463 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2464 struct samr_UserInfo10 *r,
2465 struct samu *pw)
2466 {
2467 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2468 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2469
2470 return NT_STATUS_OK;
2471 }
2472
2473 /*************************************************************************
2474 get_user_info_11.
2475 *************************************************************************/
2476
2477 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2478 struct samr_UserInfo11 *r,
2479 struct samu *pw)
2480 {
2481 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2482
2483 return NT_STATUS_OK;
2484 }
2485
2486 /*************************************************************************
2487 get_user_info_12.
2488 *************************************************************************/
2489
2490 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2491 struct samr_UserInfo12 *r,
2492 struct samu *pw)
2493 {
2494 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2495
2496 return NT_STATUS_OK;
2497 }
2498
2499 /*************************************************************************
2500 get_user_info_13.
2501 *************************************************************************/
2502
2503 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2504 struct samr_UserInfo13 *r,
2505 struct samu *pw)
2506 {
2507 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2508
2509 return NT_STATUS_OK;
2510 }
2511
2512 /*************************************************************************
2513 get_user_info_14.
2514 *************************************************************************/
2515
2516 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2517 struct samr_UserInfo14 *r,
2518 struct samu *pw)
2519 {
2520 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2521
2522 return NT_STATUS_OK;
2523 }
2524
2525 /*************************************************************************
2526 get_user_info_16. Safe. Only gives out acb bits.
2527 *************************************************************************/
2528
2529 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2530 struct samr_UserInfo16 *r,
2531 struct samu *smbpass)
2532 {
2533 r->acct_flags = pdb_get_acct_ctrl(smbpass);
2534
2535 return NT_STATUS_OK;
2536 }
2537
2538 /*************************************************************************
2539 get_user_info_17.
2540 *************************************************************************/
2541
2542 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2543 struct samr_UserInfo17 *r,
2544 struct samu *pw)
2545 {
2546 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2547
2548 return NT_STATUS_OK;
2549 }
2550
2551 /*************************************************************************
2552 get_user_info_18. OK - this is the killer as it gives out password info.
2553 Ensure that this is only allowed on an encrypted connection with a root
2554 user. JRA.
2555 *************************************************************************/
2556
2557 static NTSTATUS get_user_info_18(pipes_struct *p,
2558 TALLOC_CTX *mem_ctx,
2559 struct samr_UserInfo18 *r,
2560 DOM_SID *user_sid)
2561 {
2562 struct samu *smbpass=NULL;
2563 bool ret;
2564
2565 ZERO_STRUCTP(r);
2566
2567 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2568 return NT_STATUS_ACCESS_DENIED;
2569 }
2570
2571 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2572 return NT_STATUS_ACCESS_DENIED;
2573 }
2574
2575 /*
2576 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2577 */
2578
2579 if ( !(smbpass = samu_new( mem_ctx )) ) {
2580 return NT_STATUS_NO_MEMORY;
2581 }
2582
2583 ret = pdb_getsampwsid(smbpass, user_sid);
2584
2585 if (ret == False) {
2586 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2587 TALLOC_FREE(smbpass);
2588 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2589 }
2590
2591 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2592
2593 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2594 TALLOC_FREE(smbpass);
2595 return NT_STATUS_ACCOUNT_DISABLED;
2596 }
2597
2598 r->lm_pwd_active = true;
2599 r->nt_pwd_active = true;
2600 memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2601 memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2602 r->password_expired = 0; /* FIXME */
2603
2604 TALLOC_FREE(smbpass);
2605
2606 return NT_STATUS_OK;
2607 }
2608
2609 /*************************************************************************
2610 get_user_info_20
2611 *************************************************************************/
2612
2613 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2614 struct samr_UserInfo20 *r,
2615 struct samu *sampass)
2616 {
2617 const char *munged_dial = NULL;
2618 DATA_BLOB blob;
2619 NTSTATUS status;
2620 struct lsa_BinaryString *parameters = NULL;
2621
2622 ZERO_STRUCTP(r);
2623
2624 munged_dial = pdb_get_munged_dial(sampass);
2625
2626 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2627 munged_dial, (int)strlen(munged_dial)));
2628
2629 if (munged_dial) {
2630 blob = base64_decode_data_blob(munged_dial);
2631 } else {
2632 blob = data_blob_string_const_null("");
2633 }
2634
2635 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2636 data_blob_free(&blob);
2637 if (!NT_STATUS_IS_OK(status)) {
2638 return status;
2639 }
2640
2641 r->parameters = *parameters;
2642
2643 return NT_STATUS_OK;
2644 }
2645
2646
2647 /*************************************************************************
2648 get_user_info_21
2649 *************************************************************************/
2650
2651 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2652 struct samr_UserInfo21 *r,
2653 struct samu *pw,
2654 DOM_SID *domain_sid)
2655 {
2656 NTSTATUS status;
2657 const DOM_SID *sid_user, *sid_group;
2658 uint32_t rid, primary_gid;
2659 NTTIME force_password_change;
2660 time_t must_change_time;
2661 struct lsa_BinaryString *parameters = NULL;
2662 const char *munged_dial = NULL;
2663 DATA_BLOB blob;
2664
2665 ZERO_STRUCTP(r);
2666
2667 sid_user = pdb_get_user_sid(pw);
2668
2669 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2670 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2671 "the domain sid %s. Failing operation.\n",
2672 pdb_get_username(pw), sid_string_dbg(sid_user),
2673 sid_string_dbg(domain_sid)));
2674 return NT_STATUS_UNSUCCESSFUL;
2675 }
2676
2677 become_root();
2678 sid_group = pdb_get_group_sid(pw);
2679 unbecome_root();
2680
2681 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2682 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2683 "which conflicts with the domain sid %s. Failing operation.\n",
2684 pdb_get_username(pw), sid_string_dbg(sid_group),
2685 sid_string_dbg(domain_sid)));
2686 return NT_STATUS_UNSUCCESSFUL;
2687 }
2688
2689 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2690 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2691 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2692 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2693 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2694
2695 must_change_time = pdb_get_pass_must_change_time(pw);
2696 if (must_change_time == get_time_t_max()) {
2697 unix_to_nt_time_abs(&force_password_change, must_change_time);
2698 } else {
2699 unix_to_nt_time(&force_password_change, must_change_time);
2700 }
2701
2702 munged_dial = pdb_get_munged_dial(pw);
2703 if (munged_dial) {
2704 blob = base64_decode_data_blob(munged_dial);
2705 } else {
2706 blob = data_blob_string_const_null("");
2707 }
2708
2709 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2710 data_blob_free(&blob);
2711 if (!NT_STATUS_IS_OK(status)) {
2712 return status;
2713 }
2714
2715 r->force_password_change = force_password_change;
2716
2717 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2718 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2719 r->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2720 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2721 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2722 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2723 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2724 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2725 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2726
2727 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2728 r->parameters = *parameters;
2729 r->rid = rid;
2730 r->primary_gid = primary_gid;
2731 r->acct_flags = pdb_get_acct_ctrl(pw);
2732 r->bad_password_count = pdb_get_bad_password_count(pw);
2733 r->logon_count = pdb_get_logon_count(pw);
2734 r->fields_present = pdb_build_fields_present(pw);
2735 r->password_expired = (pdb_get_pass_must_change_time(pw) == 0) ?
2736 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2737 r->country_code = 0;
2738 r->code_page = 0;
2739 r->lm_password_set = 0;
2740 r->nt_password_set = 0;
2741
2742 #if 0
2743
2744 /*
2745 Look at a user on a real NT4 PDC with usrmgr, press
2746 'ok'. Then you will see that fields_present is set to
2747 0x08f827fa. Look at the user immediately after that again,
2748 and you will see that 0x00fffff is returned. This solves
2749 the problem that you get access denied after having looked
2750 at the user.
2751 -- Volker
2752 */
2753
2754 #endif
2755
2756
2757 return NT_STATUS_OK;
2758 }
2759
2760 /*******************************************************************
2761 _samr_QueryUserInfo
2762 ********************************************************************/
2763
2764 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2765 struct samr_QueryUserInfo *r)
2766 {
2767 NTSTATUS status;
2768 union samr_UserInfo *user_info = NULL;
2769 struct samr_info *info = NULL;
2770 DOM_SID domain_sid;
2771 uint32 rid;
2772 bool ret = false;
2773 struct samu *pwd = NULL;
2774
2775 /* search for the handle */
2776 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2777 return NT_STATUS_INVALID_HANDLE;
2778
2779 status = access_check_samr_function(info->acc_granted,
2780 SAMR_USER_ACCESS_GET_ATTRIBUTES,
2781 "_samr_QueryUserInfo");
2782 if (!NT_STATUS_IS_OK(status)) {
2783 return status;
2784 }
2785
2786 domain_sid = info->sid;
2787
2788 sid_split_rid(&domain_sid, &rid);
2789
2790 if (!sid_check_is_in_our_domain(&info->sid))
2791 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2792
2793 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2794 sid_string_dbg(&info->sid)));
2795
2796 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2797 if (!user_info) {
2798 return NT_STATUS_NO_MEMORY;
2799 }
2800
2801 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2802
2803 if (!(pwd = samu_new(p->mem_ctx))) {
2804 return NT_STATUS_NO_MEMORY;
2805 }
2806
2807 become_root();
2808 ret = pdb_getsampwsid(pwd, &info->sid);
2809 unbecome_root();
2810
2811 if (ret == false) {
2812 DEBUG(4,("User %s not found\n", sid_string_dbg(&info->sid)));
2813 TALLOC_FREE(pwd);
2814 return NT_STATUS_NO_SUCH_USER;
2815 }
2816
2817 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2818
2819 samr_clear_sam_passwd(pwd);
2820
2821 switch (r->in.level) {
2822 case 1:
2823 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
2824 break;
2825 case 2:
2826 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
2827 break;
2828 case 3:
2829 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
2830 break;
2831 case 4:
2832 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
2833 break;
2834 case 5:
2835 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2836 break;
2837 case 6:
2838 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
2839 break;
2840 case 7:
2841 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2842 break;
2843 case 8:
2844 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
2845 break;
2846 case 9:
2847 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2848 break;
2849 case 10:
2850 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
2851 break;
2852 case 11:
2853 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
2854 break;
2855 case 12:
2856 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
2857 break;
2858 case 13:
2859 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
2860 break;
2861 case 14:
2862 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
2863 break;
2864 case 16:
2865 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2866 break;
2867 case 17:
2868 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
2869 break;
2870 case 18:
2871 /* level 18 is special */
2872 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2873 break;
2874 case 20:
2875 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2876 break;
2877 case 21:
2878 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2879 break;
2880 default:
2881 status = NT_STATUS_INVALID_INFO_CLASS;
2882 break;
2883 }
2884
2885 TALLOC_FREE(pwd);
2886
2887 *r->out.info = user_info;
2888
2889 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2890
2891 return status;
2892 }
2893
2894 /****************************************************************
2895 ****************************************************************/
2896
2897 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2898 struct samr_QueryUserInfo2 *r)
2899 {
2900 struct samr_QueryUserInfo u;
2901
2902 u.in.user_handle = r->in.user_handle;
2903 u.in.level = r->in.level;
2904 u.out.info = r->out.info;
2905
2906 return _samr_QueryUserInfo(p, &u);
2907 }
2908
2909 /*******************************************************************
2910 _samr_GetGroupsForUser
2911 ********************************************************************/
2912
2913 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2914 struct samr_GetGroupsForUser *r)
2915 {
2916 struct samu *sam_pass=NULL;
2917 DOM_SID sid;
2918 DOM_SID *sids;
2919 struct samr_RidWithAttribute dom_gid;
2920 struct samr_RidWithAttribute *gids = NULL;
2921 uint32 primary_group_rid;
2922 size_t num_groups = 0;
2923 gid_t *unix_gids;
2924 size_t i, num_gids;
2925 uint32 acc_granted;
2926 bool ret;
2927 NTSTATUS result;
2928 bool success = False;
2929
2930 struct samr_RidWithAttributeArray *rids = NULL;
2931
2932 /*
2933 * from the SID in the request:
2934 * we should send back the list of DOMAIN GROUPS
2935 * the user is a member of
2936 *
2937 * and only the DOMAIN GROUPS
2938 * no ALIASES !!! neither aliases of the domain
2939 * nor aliases of the builtin SID
2940 *
2941 * JFM, 12/2/2001
2942 */
2943
2944 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2945
2946 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2947 if (!rids) {
2948 return NT_STATUS_NO_MEMORY;
2949 }
2950
2951 /* find the policy handle. open a policy on it. */
2952 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2953 return NT_STATUS_INVALID_HANDLE;
2954
2955 result = access_check_samr_function(acc_granted,
2956 SAMR_USER_ACCESS_GET_GROUPS,
2957 "_samr_GetGroupsForUser");
2958 if (!NT_STATUS_IS_OK(result)) {
2959 return result;
2960 }
2961
2962 if (!sid_check_is_in_our_domain(&sid))
2963 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2964
2965 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2966 return NT_STATUS_NO_MEMORY;
2967 }
2968
2969 become_root();
2970 ret = pdb_getsampwsid(sam_pass, &sid);
2971 unbecome_root();
2972
2973 if (!ret) {
2974 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2975 sid_string_dbg(&sid)));
2976 return NT_STATUS_NO_SUCH_USER;
2977 }
2978
2979 sids = NULL;
2980
2981 /* make both calls inside the root block */
2982 become_root();
2983 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2984 &sids, &unix_gids, &num_groups);
2985 if ( NT_STATUS_IS_OK(result) ) {
2986 success = sid_peek_check_rid(get_global_sam_sid(),
2987 pdb_get_group_sid(sam_pass),
2988 &primary_group_rid);
2989 }
2990 unbecome_root();
2991
2992 if (!NT_STATUS_IS_OK(result)) {
2993 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2994 sid_string_dbg(&sid)));
2995 return result;
2996 }
2997
2998 if ( !success ) {
2999 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3000 sid_string_dbg(pdb_get_group_sid(sam_pass)),
3001 pdb_get_username(sam_pass)));
3002 TALLOC_FREE(sam_pass);
3003 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3004 }
3005
3006 gids = NULL;
3007 num_gids = 0;
3008
3009 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
3010 SE_GROUP_ENABLED);
3011 dom_gid.rid = primary_group_rid;
3012 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3013
3014 for (i=0; i<num_groups; i++) {
3015
3016 if (!sid_peek_check_rid(get_global_sam_sid(),
3017 &(sids[i]), &dom_gid.rid)) {
3018 DEBUG(10, ("Found sid %s not in our domain\n",
3019 sid_string_dbg(&sids[i])));
3020 continue;
3021 }
3022
3023 if (dom_gid.rid == primary_group_rid) {
3024 /* We added the primary group directly from the
3025 * sam_account. The other SIDs are unique from
3026 * enum_group_memberships */
3027 continue;
3028 }
3029
3030 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3031 }
3032
3033 rids->count = num_gids;
3034 rids->rids = gids;
3035
3036 *r->out.rids = rids;
3037
3038 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3039
3040 return result;
3041 }
3042
3043 /*******************************************************************
3044 _samr_QueryDomainInfo
3045 ********************************************************************/
3046
3047 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
3048 struct samr_QueryDomainInfo *r)
3049 {
3050 NTSTATUS status = NT_STATUS_OK;
3051 struct samr_info *info = NULL;
3052 union samr_DomainInfo *dom_info;
3053 time_t u_expire, u_min_age;
3054
3055 time_t u_lock_duration, u_reset_time;
3056 uint32_t u_logout;
3057
3058 uint32 account_policy_temp;
3059
3060 time_t seq_num;
3061 uint32 server_role;
3062
3063 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3064
3065 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
3066 if (!dom_info) {
3067 return NT_STATUS_NO_MEMORY;
3068 }
3069
3070 /* find the policy handle. open a policy on it. */
3071 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
3072 return NT_STATUS_INVALID_HANDLE;
3073 }
3074
3075 status = access_check_samr_function(info->acc_granted,
3076 SAMR_ACCESS_LOOKUP_DOMAIN,
3077 "_samr_QueryDomainInfo" );
3078
3079 if ( !NT_STATUS_IS_OK(status) )
3080 return status;
3081
3082 switch (r->in.level) {
3083 case 0x01:
3084
3085 become_root();
3086
3087 /* AS ROOT !!! */
3088
3089 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
3090 &account_policy_temp);
3091 dom_info->info1.min_password_length = account_policy_temp;
3092
3093 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
3094 dom_info->info1.password_history_length = account_policy_temp;
3095
3096 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
3097 &dom_info->info1.password_properties);
3098
3099 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
3100 u_expire = account_policy_temp;
3101
3102 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
3103 u_min_age = account_policy_temp;
3104
3105 /* !AS ROOT */
3106
3107 unbecome_root();
3108
3109 unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
3110 unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
3111
3112 if (lp_check_password_script() && *lp_check_password_script()) {
3113 dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
3114 }
3115
3116 break;
3117 case 0x02:
3118
3119 become_root();
3120
3121 /* AS ROOT !!! */
3122
3123 dom_info->general.num_users = count_sam_users(info->disp_info, ACB_NORMAL);
3124 dom_info->general.num_groups = count_sam_groups(info->disp_info);
3125 dom_info->general.num_aliases = count_sam_aliases(info->disp_info);
3126
3127 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3128
3129 unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
3130
3131 if (!pdb_get_seq_num(&seq_num))
3132 seq_num = time(NULL);
3133
3134 /* !AS ROOT */
3135
3136 unbecome_root();
3137
3138 server_role = ROLE_DOMAIN_PDC;
3139 if (lp_server_role() == ROLE_DOMAIN_BDC)
3140 server_role = ROLE_DOMAIN_BDC;
3141
3142 dom_info->general.oem_information.string = lp_serverstring();
3143 dom_info->general.domain_name.string = lp_workgroup();
3144 dom_info->general.primary.string = global_myname();
3145 dom_info->general.sequence_num = seq_num;
3146 dom_info->general.domain_server_state = DOMAIN_SERVER_ENABLED;
3147 dom_info->general.role = server_role;
3148 dom_info->general.unknown3 = 1;
3149
3150 break;
3151 case 0x03:
3152
3153 become_root();
3154
3155 /* AS ROOT !!! */
3156
3157 {
3158 uint32 ul;
3159 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3160 u_logout = (time_t)ul;
3161 }
3162
3163 /* !AS ROOT */
3164
3165 unbecome_root();
3166
3167 unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
3168
3169 break;
3170 case 0x04:
3171 dom_info->oem.oem_information.string = lp_serverstring();
3172 break;
3173 case 0x05:
3174 dom_info->info5.domain_name.string = get_global_sam_name();
3175 break;
3176 case 0x06:
3177 /* NT returns its own name when a PDC. win2k and later
3178 * only the name of the PDC if itself is a BDC (samba4
3179 * idl) */
3180 dom_info->info6.primary.string = global_myname();
3181 break;
3182 case 0x07:
3183 server_role = ROLE_DOMAIN_PDC;
3184 if (lp_server_role() == ROLE_DOMAIN_BDC)
3185 server_role = ROLE_DOMAIN_BDC;
3186
3187 dom_info->info7.role = server_role;
3188 break;
3189 case 0x08:
3190
3191 become_root();
3192
3193 /* AS ROOT !!! */
3194
3195 if (!pdb_get_seq_num(&seq_num)) {
3196 seq_num = time(NULL);
3197 }
3198
3199 /* !AS ROOT */
3200
3201 unbecome_root();
3202
3203 dom_info->info8.sequence_num = seq_num;
3204 dom_info->info8.domain_create_time = 0;
3205
3206 break;
3207 case 0x0c:
3208
3209 become_root();
3210
3211 /* AS ROOT !!! */
3212
3213 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3214 u_lock_duration = account_policy_temp;
3215 if (u_lock_duration != -1) {
3216 u_lock_duration *= 60;
3217 }
3218
3219 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3220 u_reset_time = account_policy_temp * 60;
3221
3222 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3223 &account_policy_temp);
3224 dom_info->info12.lockout_threshold = account_policy_temp;
3225
3226 /* !AS ROOT */
3227
3228 unbecome_root();
3229
3230 unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
3231 u_lock_duration);
3232 unix_to_nt_time_abs(&dom_info->info12.lockout_window,
3233 u_reset_time);
3234
3235 break;
3236 default:
3237 return NT_STATUS_INVALID_INFO_CLASS;
3238 }
3239
3240 *r->out.info = dom_info;
3241
3242 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3243
3244 return status;
3245 }
3246
3247 /* W2k3 seems to use the same check for all 3 objects that can be created via
3248 * SAMR, if you try to create for example "Dialup" as an alias it says
3249 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3250 * database. */
3251
3252 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3253 {
3254 enum lsa_SidType type;
3255 bool result;
3256
3257 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3258
3259 become_root();
3260 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3261 * whether the name already exists */
3262 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3263 NULL, NULL, NULL, &type);
3264 unbecome_root();
3265
3266 if (!result) {
3267 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3268 return NT_STATUS_OK;
3269 }
3270
3271 DEBUG(5, ("trying to create %s, exists as %s\n",
3272 new_name, sid_type_lookup(type)));
3273
3274 if (type == SID_NAME_DOM_GRP) {
3275 return NT_STATUS_GROUP_EXISTS;
3276 }
3277 if (type == SID_NAME_ALIAS) {
3278 return NT_STATUS_ALIAS_EXISTS;
3279 }
3280
3281 /* Yes, the default is NT_STATUS_USER_EXISTS */
3282 return NT_STATUS_USER_EXISTS;
3283 }
3284
3285 /*******************************************************************
3286 _samr_CreateUser2
3287 ********************************************************************/
3288
3289 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3290 struct samr_CreateUser2 *r)
3291 {
3292 const char *account = NULL;
3293 DOM_SID sid;
3294 uint32_t acb_info = r->in.acct_flags;
3295 struct samr_info *info = NULL;
3296 NTSTATUS nt_status;
3297 uint32 acc_granted;
3298 SEC_DESC *psd;
3299 size_t sd_size;
3300 /* check this, when giving away 'add computer to domain' privs */
3301 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3302 bool can_add_account = False;
3303 SE_PRIV se_rights;
3304 DISP_INFO *disp_info = NULL;
3305
3306 /* Get the domain SID stored in the domain policy */
3307 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted,
3308 &disp_info))
3309 return NT_STATUS_INVALID_HANDLE;
3310
3311 if (disp_info->builtin_domain) {
3312 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3313 return NT_STATUS_ACCESS_DENIED;
3314 }
3315
3316 nt_status = access_check_samr_function(acc_granted,
3317 SAMR_DOMAIN_ACCESS_CREATE_USER,
3318 "_samr_CreateUser2");
3319 if (!NT_STATUS_IS_OK(nt_status)) {
3320 return nt_status;
3321 }
3322
3323 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3324 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3325 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3326 this parameter is not an account type */
3327 return NT_STATUS_INVALID_PARAMETER;
3328 }
3329
3330 account = r->in.account_name->string;
3331 if (account == NULL) {
3332 return NT_STATUS_NO_MEMORY;
3333 }
3334
3335 nt_status = can_create(p->mem_ctx, account);
3336 if (!NT_STATUS_IS_OK(nt_status)) {
3337 return nt_status;
3338 }
3339
3340 /* determine which user right we need to check based on the acb_info */
3341
3342 if ( acb_info & ACB_WSTRUST )
3343 {
3344 se_priv_copy( &se_rights, &se_machine_account );
3345 can_add_account = user_has_privileges(
3346 p->server_info->ptok, &se_rights );
3347 }
3348 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3349 account for domain trusts and changes the ACB flags later */
3350 else if ( acb_info & ACB_NORMAL &&
3351 (account[strlen(account)-1] != '$') )
3352 {
3353 se_priv_copy( &se_rights, &se_add_users );
3354 can_add_account = user_has_privileges(
3355 p->server_info->ptok, &se_rights );
3356 }
3357 else /* implicit assumption of a BDC or domain trust account here
3358 * (we already check the flags earlier) */
3359 {
3360 if ( lp_enable_privileges() ) {
3361 /* only Domain Admins can add a BDC or domain trust */
3362 se_priv_copy( &se_rights, &se_priv_none );
3363 can_add_account = nt_token_check_domain_rid(
3364 p->server_info->ptok,
3365 DOMAIN_GROUP_RID_ADMINS );
3366 }
3367 }
3368
3369 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3370 uidtoname(p->server_info->utok.uid),
3371 can_add_account ? "True":"False" ));
3372
3373 /********** BEGIN Admin BLOCK **********/
3374
3375 if ( can_add_account )
3376 become_root();
3377
3378 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3379 r->out.rid);
3380
3381 if ( can_add_account )
3382 unbecome_root();
3383
3384 /********** END Admin BLOCK **********/
3385
3386 /* now check for failure */
3387
3388 if ( !NT_STATUS_IS_OK(nt_status) )
3389 return nt_status;
3390
3391 /* Get the user's SID */
3392
3393 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3394
3395 map_max_allowed_access(p->server_info->ptok, &des_access);
3396
3397 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3398 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3399 se_map_generic(&des_access, &usr_generic_mapping);
3400
3401 nt_status = access_check_samr_object(psd, p->server_info->ptok,
3402 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3403 &acc_granted, "_samr_CreateUser2");
3404
3405 if ( !NT_STATUS_IS_OK(nt_status) ) {
3406 return nt_status;
3407 }
3408
3409 /* associate the user's SID with the new handle. */
3410 if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL) {
3411 return NT_STATUS_NO_MEMORY;
3412 }
3413
3414 ZERO_STRUCTP(info);
3415 info->sid = sid;
3416 info->acc_granted = acc_granted;
3417
3418 /* get a (unique) handle. open a policy on it. */
3419 if (!create_policy_hnd(p, r->out.user_handle, info)) {
3420 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3421 }
3422
3423 /* After a "set" ensure we have no cached display info. */
3424 force_flush_samr_cache(info->disp_info);
3425
3426 *r->out.access_granted = acc_granted;
3427
3428 return NT_STATUS_OK;
3429 }
3430
3431 /****************************************************************
3432 ****************************************************************/
3433
3434 NTSTATUS _samr_CreateUser(pipes_struct *p,
3435 struct samr_CreateUser *r)
3436 {
3437 struct samr_CreateUser2 c;
3438 uint32_t access_granted;
3439
3440 c.in.domain_handle = r->in.domain_handle;
3441 c.in.account_name = r->in.account_name;
3442 c.in.acct_flags = ACB_NORMAL;
3443 c.in.access_mask = r->in.access_mask;
3444 c.out.user_handle = r->out.user_handle;
3445 c.out.access_granted = &access_granted;
3446 c.out.rid = r->out.rid;
3447
3448 return _samr_CreateUser2(p, &c);
3449 }
3450
3451 /*******************************************************************
3452 _samr_Connect
3453 ********************************************************************/
3454
3455 NTSTATUS _samr_Connect(pipes_struct *p,
3456 struct samr_Connect *r)
3457 {
3458 struct samr_info *info = NULL;
3459 uint32 des_access = r->in.access_mask;
3460
3461 /* Access check */
3462
3463 if (!pipe_access_check(p)) {
3464 DEBUG(3, ("access denied to _samr_Connect\n"));
3465 return NT_STATUS_ACCESS_DENIED;
3466 }
3467
3468 /* set up the SAMR connect_anon response */
3469
3470 /* associate the user's SID with the new handle. */
3471 if ((info = get_samr_info_by_sid(p->mem_ctx, NULL)) == NULL)
3472 return NT_STATUS_NO_MEMORY;
3473
3474 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3475 was observed from a win98 client trying to enumerate users (when configured
3476 user level access control on shares) --jerry */
3477
3478 map_max_allowed_access(p->server_info->ptok, &des_access);
3479
3480 se_map_generic( &des_access, &sam_generic_mapping );
3481 info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
3482
3483 /* get a (unique) handle. open a policy on it. */
3484 if (!create_policy_hnd(p, r->out.connect_handle, info))
3485 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3486
3487 return NT_STATUS_OK;
3488 }
3489
3490 /*******************************************************************
3491 _samr_Connect2
3492 ********************************************************************/
3493
3494 NTSTATUS _samr_Connect2(pipes_struct *p,
3495 struct samr_Connect2 *r)
3496 {
3497 struct samr_info *info = NULL;
3498 SEC_DESC *psd = NULL;
3499 uint32 acc_granted;
3500 uint32 des_access = r->in.access_mask;
3501 NTSTATUS nt_status;
3502 size_t sd_size;
3503 const char *fn = "_samr_Connect2";
3504
3505 switch (p->hdr_req.opnum) {
3506 case NDR_SAMR_CONNECT2:
3507 fn = "_samr_Connect2";
3508 break;
3509 case NDR_SAMR_CONNECT3:
3510 fn = "_samr_Connect3";
3511 break;
3512 case NDR_SAMR_CONNECT4:
3513 fn = "_samr_Connect4";
3514 break;
3515 case NDR_SAMR_CONNECT5:
3516 fn = "_samr_Connect5";
3517 break;
3518 }
3519
3520 DEBUG(5,("%s: %d\n", fn, __LINE__));
3521
3522 /* Access check */
3523
3524 if (!pipe_access_check(p)) {
3525 DEBUG(3, ("access denied to %s\n", fn));
3526 return NT_STATUS_ACCESS_DENIED;
3527 }
3528
3529 map_max_allowed_access(p->server_info->ptok, &des_access);
3530
3531 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3532 se_map_generic(&des_access, &sam_generic_mapping);
3533
3534 nt_status = access_check_samr_object(psd, p->server_info->ptok,
3535 NULL, 0, des_access, &acc_granted, fn);
3536
3537 if ( !NT_STATUS_IS_OK(nt_status) )
3538 return nt_status;
3539
3540 /* associate the user's SID and access granted with the new handle. */
3541 if ((info = get_samr_info_by_sid(p->mem_ctx, NULL)) == NULL)
3542 return NT_STATUS_NO_MEMORY;
3543
3544 info->acc_granted = acc_granted;
3545 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3546
3547 /* get a (unique) handle. open a policy on it. */
3548 if (!create_policy_hnd(p, r->out.connect_handle, info))
3549 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3550
3551 DEBUG(5,("%s: %d\n", fn, __LINE__));
3552
3553 return nt_status;
3554 }
3555
3556 /****************************************************************
3557 _samr_Connect3
3558 ****************************************************************/
3559
3560 NTSTATUS _samr_Connect3(pipes_struct *p,
3561 struct samr_Connect3 *r)
3562 {
3563 struct samr_Connect2 c;
3564
3565 c.in.system_name = r->in.system_name;
3566 c.in.access_mask = r->in.access_mask;
3567 c.out.connect_handle = r->out.connect_handle;
3568
3569 return _samr_Connect2(p, &c);
3570 }
3571
3572 /*******************************************************************
3573 _samr_Connect4
3574 ********************************************************************/
3575
3576 NTSTATUS _samr_Connect4(pipes_struct *p,
3577 struct samr_Connect4 *r)
3578 {
3579 struct samr_Connect2 c;
3580
3581 c.in.system_name = r->in.system_name;
3582 c.in.access_mask = r->in.access_mask;
3583 c.out.connect_handle = r->out.connect_handle;
3584
3585 return _samr_Connect2(p, &c);
3586 }
3587
3588 /*******************************************************************
3589 _samr_Connect5
3590 ********************************************************************/
3591
3592 NTSTATUS _samr_Connect5(pipes_struct *p,
3593 struct samr_Connect5 *r)
3594 {
3595 NTSTATUS status;
3596 struct samr_Connect2 c;
3597 struct samr_ConnectInfo1 info1;
3598
3599 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3600 info1.unknown2 = 0;
3601
3602 c.in.system_name = r->in.system_name;
3603 c.in.access_mask = r->in.access_mask;
3604 c.out.connect_handle = r->out.connect_handle;
3605
3606 *r->out.level_out = 1;
3607
3608 status = _samr_Connect2(p, &c);
3609 if (!NT_STATUS_IS_OK(status)) {
3610 return status;
3611 }
3612
3613 r->out.info_out->info1 = info1;
3614
3615 return NT_STATUS_OK;
3616 }
3617
3618 /**********************************************************************
3619 _samr_LookupDomain
3620 **********************************************************************/
3621
3622 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3623 struct samr_LookupDomain *r)
3624 {
3625 NTSTATUS status = NT_STATUS_OK;
3626 struct samr_info *info;
3627 const char *domain_name;
3628 DOM_SID *sid = NULL;
3629
3630 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3631 return NT_STATUS_INVALID_HANDLE;
3632
3633 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3634 Reverted that change so we will work with RAS servers again */
3635
3636 status = access_check_samr_function(info->acc_granted,
3637 SAMR_ACCESS_LOOKUP_DOMAIN,
3638 "_samr_LookupDomain");
3639 if (!NT_STATUS_IS_OK(status)) {
3640 return status;
3641 }
3642
3643 domain_name = r->in.domain_name->string;
3644 if (!domain_name) {
3645 return NT_STATUS_INVALID_PARAMETER;
3646 }
3647
3648 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3649 if (!sid) {
3650 return NT_STATUS_NO_MEMORY;
3651 }
3652
3653 if (strequal(domain_name, builtin_domain_name())) {
3654 sid_copy(sid, &global_sid_Builtin);
3655 } else {
3656 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3657 status = NT_STATUS_NO_SUCH_DOMAIN;
3658 }
3659 }
3660
3661 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3662 sid_string_dbg(sid)));
3663
3664 *r->out.sid = sid;
3665
3666 return status;
3667 }
3668
3669 /**********************************************************************
3670 _samr_EnumDomains
3671 **********************************************************************/
3672
3673 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3674 struct samr_EnumDomains *r)
3675 {
3676 NTSTATUS status;
3677 struct samr_info *info;
3678 uint32_t num_entries = 2;
3679 struct samr_SamEntry *entry_array = NULL;
3680 struct samr_SamArray *sam;
3681
3682 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3683 return NT_STATUS_INVALID_HANDLE;
3684
3685 status = access_check_samr_function(info->acc_granted,
3686 SAMR_ACCESS_ENUM_DOMAINS,
3687 "_samr_EnumDomains");
3688 if (!NT_STATUS_IS_OK(status)) {
3689 return status;
3690 }
3691
3692 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3693 if (!sam) {
3694 return NT_STATUS_NO_MEMORY;
3695 }
3696
3697 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3698 struct samr_SamEntry,
3699 num_entries);
3700 if (!entry_array) {
3701 return NT_STATUS_NO_MEMORY;
3702 }
3703
3704 entry_array[0].idx = 0;
3705 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3706
3707 entry_array[1].idx = 1;
3708 init_lsa_String(&entry_array[1].name, "Builtin");
3709
3710 sam->count = num_entries;
3711 sam->entries = entry_array;
3712
3713 *r->out.sam = sam;
3714 *r->out.num_entries = num_entries;
3715
3716 return status;
3717 }
3718
3719 /*******************************************************************
3720 _samr_OpenAlias
3721 ********************************************************************/
3722
3723 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3724 struct samr_OpenAlias *r)
3725 {
3726 DOM_SID sid;
3727 uint32 alias_rid = r->in.rid;
3728 struct samr_info *info = NULL;
3729 SEC_DESC *psd = NULL;
3730 uint32 acc_granted;
3731 uint32 des_access = r->in.access_mask;
3732 size_t sd_size;
3733 NTSTATUS status;
3734 SE_PRIV se_rights;
3735
3736 /* find the domain policy and get the SID / access bits stored in the domain policy */
3737
3738 if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
3739 return NT_STATUS_INVALID_HANDLE;
3740
3741 status = access_check_samr_function(acc_granted,
3742 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
3743 "_samr_OpenAlias");
3744
3745 if ( !NT_STATUS_IS_OK(status) )
3746 return status;
3747
3748 /* append the alias' RID to it */
3749
3750 if (!sid_append_rid(&sid, alias_rid))
3751 return NT_STATUS_NO_SUCH_ALIAS;
3752
3753 /*check if access can be granted as requested by client. */
3754
3755 map_max_allowed_access(p->server_info->ptok, &des_access);
3756
3757 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3758 se_map_generic(&des_access,&ali_generic_mapping);
3759
3760 se_priv_copy( &se_rights, &se_add_users );
3761
3762
3763 status = access_check_samr_object(psd, p->server_info->ptok,
3764 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3765 &acc_granted, "_samr_OpenAlias");
3766
3767 if ( !NT_STATUS_IS_OK(status) )
3768 return status;
3769
3770 {
3771 /* Check we actually have the requested alias */
3772 enum lsa_SidType type;
3773 bool result;
3774 gid_t gid;
3775
3776 become_root();
3777 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3778 unbecome_root();
3779
3780 if (!result || (type != SID_NAME_ALIAS)) {
3781 return NT_STATUS_NO_SUCH_ALIAS;
3782 }
3783
3784 /* make sure there is a mapping */
3785
3786 if ( !sid_to_gid( &sid, &gid ) ) {
3787 return NT_STATUS_NO_SUCH_ALIAS;
3788 }
3789
3790 }
3791
3792 /* associate the alias SID with the new handle. */
3793 if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL)
3794 return NT_STATUS_NO_MEMORY;
3795
3796 info->acc_granted = acc_granted;
3797
3798 /* get a (unique) handle. open a policy on it. */
3799 if (!create_policy_hnd(p, r->out.alias_handle, info))
3800 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3801
3802 return NT_STATUS_OK;
3803 }
3804
3805 /*******************************************************************
3806 set_user_info_2
3807 ********************************************************************/
3808
3809 static NTSTATUS set_user_info_2(TALLOC_CTX *mem_ctx,
3810 struct samr_UserInfo2 *id2,
3811 struct samu *pwd)
3812 {
3813 if (id2 == NULL) {
3814 DEBUG(5,("set_user_info_2: NULL id2\n"));
3815 return NT_STATUS_ACCESS_DENIED;
3816 }
3817
3818 copy_id2_to_sam_passwd(pwd, id2);
3819
3820 return pdb_update_sam_account(pwd);
3821 }
3822
3823 /*******************************************************************
3824 set_user_info_4
3825 ********************************************************************/
3826
3827 static NTSTATUS set_user_info_4(TALLOC_CTX *mem_ctx,
3828 struct samr_UserInfo4 *id4,
3829 struct samu *pwd)
3830 {
3831 if (id4 == NULL) {
3832 DEBUG(5,("set_user_info_2: NULL id4\n"));
3833 return NT_STATUS_ACCESS_DENIED;
3834 }
3835
3836 copy_id4_to_sam_passwd(pwd, id4);
3837
3838 return pdb_update_sam_account(pwd);
3839 }
3840
3841 /*******************************************************************
3842 set_user_info_6
3843 ********************************************************************/
3844
3845 static NTSTATUS set_user_info_6(TALLOC_CTX *mem_ctx,
3846 struct samr_UserInfo6 *id6,
3847 struct samu *pwd)
3848 {
3849 if (id6 == NULL) {
3850 DEBUG(5,("set_user_info_6: NULL id6\n"));
3851 return NT_STATUS_ACCESS_DENIED;
3852 }
3853
3854 copy_id6_to_sam_passwd(pwd, id6);
3855
3856 return pdb_update_sam_account(pwd);
3857 }
3858
3859 /*******************************************************************
3860 set_user_info_7
3861 ********************************************************************/
3862
3863 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3864 struct samr_UserInfo7 *id7,
3865 struct samu *pwd)
3866 {
3867 NTSTATUS rc;
3868
3869 if (id7 == NULL) {
3870 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3871 return NT_STATUS_ACCESS_DENIED;
3872 }
3873
3874 if (!id7->account_name.string) {
3875 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3876 return NT_STATUS_ACCESS_DENIED;
3877 }
3878
3879 /* check to see if the new username already exists. Note: we can't
3880 reliably lock all backends, so there is potentially the
3881 possibility that a user can be created in between this check and
3882 the rename. The rename should fail, but may not get the
3883 exact same failure status code. I think this is small enough
3884 of a window for this type of operation and the results are
3885 simply that the rename fails with a slightly different status
3886 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3887
3888 rc = can_create(mem_ctx, id7->account_name.string);
3889 if (!NT_STATUS_IS_OK(rc)) {
3890 return rc;
3891 }
3892
3893 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3894
3895 return rc;
3896 }
3897
3898 /*******************************************************************
3899 set_user_info_8
3900 ********************************************************************/
3901
3902 static NTSTATUS set_user_info_8(TALLOC_CTX *mem_ctx,
3903 struct samr_UserInfo8 *id8,
3904 struct samu *pwd)
3905 {
3906 if (id8 == NULL) {
3907 DEBUG(5,("set_user_info_8: NULL id8\n"));
3908 return NT_STATUS_ACCESS_DENIED;
3909 }
3910
3911 copy_id8_to_sam_passwd(pwd, id8);
3912
3913 return pdb_update_sam_account(pwd);
3914 }
3915
3916 /*******************************************************************
3917 set_user_info_10
3918 ********************************************************************/
3919
3920 static NTSTATUS set_user_info_10(TALLOC_CTX *mem_ctx,
3921 struct samr_UserInfo10 *id10,
3922 struct samu *pwd)
3923 {
3924 if (id10 == NULL) {
3925 DEBUG(5,("set_user_info_8: NULL id10\n"));
3926 return NT_STATUS_ACCESS_DENIED;
3927 }
3928
3929 copy_id10_to_sam_passwd(pwd, id10);
3930
3931 return pdb_update_sam_account(pwd);
3932 }
3933
3934 /*******************************************************************
3935 set_user_info_11
3936 ********************************************************************/
3937
3938 static NTSTATUS set_user_info_11(TALLOC_CTX *mem_ctx,
3939 struct samr_UserInfo11 *id11,
3940 struct samu *pwd)
3941 {
3942 if (id11 == NULL) {
3943 DEBUG(5,("set_user_info_11: NULL id11\n"));
3944 return NT_STATUS_ACCESS_DENIED;
3945 }
3946
3947 copy_id11_to_sam_passwd(pwd, id11);
3948
3949 return pdb_update_sam_account(pwd);
3950 }
3951
3952 /*******************************************************************
3953 set_user_info_12
3954 ********************************************************************/
3955
3956 static NTSTATUS set_user_info_12(TALLOC_CTX *mem_ctx,
3957 struct samr_UserInfo12 *id12,
3958 struct samu *pwd)
3959 {
3960 if (id12 == NULL) {
3961 DEBUG(5,("set_user_info_12: NULL id12\n"));
3962 return NT_STATUS_ACCESS_DENIED;
3963 }
3964
3965 copy_id12_to_sam_passwd(pwd, id12);
3966
3967 return pdb_update_sam_account(pwd);
3968 }
3969
3970 /*******************************************************************
3971 set_user_info_13
3972 ********************************************************************/
3973
3974 static NTSTATUS set_user_info_13(TALLOC_CTX *mem_ctx,
3975 struct samr_UserInfo13 *id13,
3976 struct samu *pwd)
3977 {
3978 if (id13 == NULL) {
3979 DEBUG(5,("set_user_info_13: NULL id13\n"));
3980 return NT_STATUS_ACCESS_DENIED;
3981 }
3982
3983 copy_id13_to_sam_passwd(pwd, id13);
3984
3985 return pdb_update_sam_account(pwd);
3986 }
3987
3988 /*******************************************************************
3989 set_user_info_14
3990 ********************************************************************/
3991
3992 static NTSTATUS set_user_info_14(TALLOC_CTX *mem_ctx,
3993 struct samr_UserInfo14 *id14,
3994 struct samu *pwd)
3995 {
3996 if (id14 == NULL) {
3997 DEBUG(5,("set_user_info_14: NULL id14\n"));
3998 return NT_STATUS_ACCESS_DENIED;
3999 }
4000
4001 copy_id14_to_sam_passwd(pwd, id14);
4002
4003 return pdb_update_sam_account(pwd);
4004 }
4005
4006 /*******************************************************************
4007 set_user_info_16
4008 ********************************************************************/
4009
4010 static NTSTATUS set_user_info_16(TALLOC_CTX *mem_ctx,
4011 struct samr_UserInfo16 *id16,
4012 struct samu *pwd)
4013 {
4014 if (id16 == NULL) {
4015 DEBUG(5,("set_user_info_16: NULL id16\n"));
4016 return NT_STATUS_ACCESS_DENIED;
4017 }
4018
4019 copy_id16_to_sam_passwd(pwd, id16);
4020
4021 return pdb_update_sam_account(pwd);
4022 }
4023
4024 /*******************************************************************
4025 set_user_info_17
4026 ********************************************************************/
4027
4028 static NTSTATUS set_user_info_17(TALLOC_CTX *mem_ctx,
4029 struct samr_UserInfo17 *id17,
4030 struct samu *pwd)
4031 {
4032 if (id17 == NULL) {
4033 DEBUG(5,("set_user_info_17: NULL id17\n"));
4034 return NT_STATUS_ACCESS_DENIED;
4035 }
4036
4037 copy_id17_to_sam_passwd(pwd, id17);
4038
4039 return pdb_update_sam_account(pwd);
4040 }
4041
4042 /*******************************************************************
4043 set_user_info_18
4044 ********************************************************************/
4045
4046 static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
4047 TALLOC_CTX *mem_ctx,
4048 DATA_BLOB *session_key,
4049 struct samu *pwd)
4050 {
4051 if (id18 == NULL) {
4052 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
4053 return NT_STATUS_INVALID_PARAMETER;
4054 }
4055
4056 if (id18->nt_pwd_active || id18->lm_pwd_active) {
4057 if (!session_key->length) {
4058 return NT_STATUS_NO_USER_SESSION_KEY;
4059 }
4060 }
4061
4062 if (id18->nt_pwd_active) {
4063
4064 DATA_BLOB in, out;
4065
4066 in = data_blob_const(id18->nt_pwd.hash, 16);
4067 out = data_blob_talloc_zero(mem_ctx, 16);
4068
4069 sess_crypt_blob(&out, &in, session_key, false);
4070
4071 if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
4072 return NT_STATUS_ACCESS_DENIED;
4073 }
4074
4075 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4076 }
4077
4078 if (id18->lm_pwd_active) {
4079
4080 DATA_BLOB in, out;
4081
4082 in = data_blob_const(id18->lm_pwd.hash, 16);
4083 out = data_blob_talloc_zero(mem_ctx, 16);
4084
4085 sess_crypt_blob(&out, &in, session_key, false);
4086
4087 if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
4088 return NT_STATUS_ACCESS_DENIED;
4089 }
4090
4091 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4092 }
4093
4094 copy_id18_to_sam_passwd(pwd, id18);
4095
4096 return pdb_update_sam_account(pwd);
4097 }
4098
4099 /*******************************************************************
4100 set_user_info_20
4101 ********************************************************************/
4102
4103 static NTSTATUS set_user_info_20(TALLOC_CTX *mem_ctx,
4104 struct samr_UserInfo20 *id20,
4105 struct samu *pwd)
4106 {
4107 if (id20 == NULL) {
4108 DEBUG(5,("set_user_info_20: NULL id20\n"));
4109 return NT_STATUS_ACCESS_DENIED;
4110 }
4111
4112 copy_id20_to_sam_passwd(pwd, id20);
4113
4114 return pdb_update_sam_account(pwd);
4115 }
4116
4117 /*******************************************************************
4118 set_user_info_21
4119 ********************************************************************/
4120
4121 static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
4122 TALLOC_CTX *mem_ctx,
4123 DATA_BLOB *session_key,
4124 struct samu *pwd)
4125 {
4126 NTSTATUS status;
4127
4128 if (id21 == NULL) {
4129 DEBUG(5, ("set_user_info_21: NULL id21\n"));
4130 return NT_STATUS_INVALID_PARAMETER;
4131 }
4132
4133 if (id21->fields_present == 0) {
4134 return NT_STATUS_INVALID_PARAMETER;
4135 }
4136
4137 if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4138 return NT_STATUS_ACCESS_DENIED;
4139 }
4140
4141 if (id21->fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
4142 if (id21->nt_password_set) {
4143 DATA_BLOB in, out;
4144
4145 if ((id21->nt_owf_password.length != 16) ||
4146 (id21->nt_owf_password.size != 16)) {
4147 return NT_STATUS_INVALID_PARAMETER;
4148 }
4149
4150 if (!session_key->length) {
4151 return NT_STATUS_NO_USER_SESSION_KEY;
4152 }
4153
4154 in = data_blob_const(id21->nt_owf_password.array, 16);
4155 out = data_blob_talloc_zero(mem_ctx, 16);
4156
4157 sess_crypt_blob(&out, &in, session_key, false);
4158
4159 pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
4160 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4161 }
4162 }
4163
4164 if (id21->fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
4165 if (id21->lm_password_set) {
4166 DATA_BLOB in, out;
4167
4168 if ((id21->lm_owf_password.length != 16) ||
4169 (id21->lm_owf_password.size != 16)) {
4170 return NT_STATUS_INVALID_PARAMETER;
4171 }
4172
4173 if (!session_key->length) {
4174 return NT_STATUS_NO_USER_SESSION_KEY;
4175 }
4176
4177 in = data_blob_const(id21->lm_owf_password.array, 16);
4178 out = data_blob_talloc_zero(mem_ctx, 16);
4179
4180 sess_crypt_blob(&out, &in, session_key, false);
4181
4182 pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
4183 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4184 }
4185 }
4186
4187 /* we need to separately check for an account rename first */
4188
4189 if (id21->account_name.string &&
4190 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
4191 {
4192
4193 /* check to see if the new username already exists. Note: we can't
4194 reliably lock all backends, so there is potentially the
4195 possibility that a user can be created in between this check and
4196 the rename. The rename should fail, but may not get the
4197 exact same failure status code. I think this is small enough
4198 of a window for this type of operation and the results are
4199 simply that the rename fails with a slightly different status
4200 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4201
4202 status = can_create(mem_ctx, id21->account_name.string);
4203 if (!NT_STATUS_IS_OK(status)) {
4204 return status;
4205 }
4206
4207 status = pdb_rename_sam_account(pwd, id21->account_name.string);
4208
4209 if (!NT_STATUS_IS_OK(status)) {
4210 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4211 nt_errstr(status)));
4212 return status;
4213 }
4214
4215 /* set the new username so that later
4216 functions can work on the new account */
4217 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
4218 }
4219
4220 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
4221
4222 /*
4223 * The funny part about the previous two calls is
4224 * that pwd still has the password hashes from the
4225 * passdb entry. These have not been updated from
4226 * id21. I don't know if they need to be set. --jerry
4227 */
4228
4229 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4230 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4231 if ( !NT_STATUS_IS_OK(status) ) {
4232 return status;
4233 }
4234 }
4235
4236 /* Don't worry about writing out the user account since the
4237 primary group SID is generated solely from the user's Unix
4238 primary group. */
4239
4240 /* write the change out */
4241 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4242 return status;
4243 }
4244
4245 return NT_STATUS_OK;
4246 }
4247
4248 /*******************************************************************
4249 set_user_info_23
4250 ********************************************************************/
4251
4252 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
4253 struct samr_UserInfo23 *id23,
4254 struct samu *pwd)
4255 {
4256 char *plaintext_buf = NULL;
4257 uint32 len = 0;
4258 uint32_t acct_ctrl;
4259 NTSTATUS status;
4260
4261 if (id23 == NULL) {
4262 DEBUG(5, ("set_user_info_23: NULL id23\n"));
4263 return NT_STATUS_INVALID_PARAMETER;
4264 }
4265
4266 if (id23->info.fields_present == 0) {
4267 return NT_STATUS_INVALID_PARAMETER;
4268 }
4269
4270 if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4271 return NT_STATUS_ACCESS_DENIED;
4272 }
4273
4274 if ((id23->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4275 (id23->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4276
4277 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4278 pdb_get_username(pwd)));
4279
4280 if (!decode_pw_buffer(mem_ctx,
4281 id23->password.data,
4282 &plaintext_buf,
4283 &len,
4284 STR_UNICODE)) {
4285 return NT_STATUS_WRONG_PASSWORD;
4286 }
4287
4288 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4289 return NT_STATUS_ACCESS_DENIED;
4290 }
4291 }
4292
4293 copy_id23_to_sam_passwd(pwd, id23);
4294
4295 acct_ctrl = pdb_get_acct_ctrl(pwd);
4296
4297 /* if it's a trust account, don't update /etc/passwd */
4298 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4299 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4300 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4301 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4302 } else if (plaintext_buf) {
4303 /* update the UNIX password */
4304 if (lp_unix_password_sync() ) {
4305 struct passwd *passwd;
4306 if (pdb_get_username(pwd) == NULL) {
4307 DEBUG(1, ("chgpasswd: User without name???\n"));
4308 return NT_STATUS_ACCESS_DENIED;
4309 }
4310
4311 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4312 if (passwd == NULL) {
4313 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4314 }
4315
4316 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4317 return NT_STATUS_ACCESS_DENIED;
4318 }
4319 TALLOC_FREE(passwd);
4320 }
4321 }
4322
4323 if (plaintext_buf) {
4324 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4325 }
4326
4327 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
4328 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
4329 pwd)))) {
4330 return status;
4331 }
4332
4333 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4334 return status;
4335 }
4336
4337 return NT_STATUS_OK;
4338 }
4339
4340 /*******************************************************************
4341 set_user_info_pw
4342 ********************************************************************/
4343
4344 static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
4345 {
4346 uint32 len = 0;
4347 char *plaintext_buf = NULL;
4348 uint32 acct_ctrl;
4349
4350 DEBUG(5, ("Attempting administrator password change for user %s\n",
4351 pdb_get_username(pwd)));
4352
4353 acct_ctrl = pdb_get_acct_ctrl(pwd);
4354
4355 if (!decode_pw_buffer(talloc_tos(),
4356 pass,
4357 &plaintext_buf,
4358 &len,
4359 STR_UNICODE)) {
4360 return False;
4361 }
4362
4363 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4364 return False;
4365 }
4366
4367 /* if it's a trust account, don't update /etc/passwd */
4368 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4369 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4370 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4371 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4372 } else {
4373 /* update the UNIX password */
4374 if (lp_unix_password_sync()) {
4375 struct passwd *passwd;
4376
4377 if (pdb_get_username(pwd) == NULL) {
4378 DEBUG(1, ("chgpasswd: User without name???\n"));
4379 return False;
4380 }
4381
4382 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4383 if (passwd == NULL) {
4384 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4385 }
4386
4387 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4388 return False;
4389 }
4390 TALLOC_FREE(passwd);
4391 }
4392 }
4393
4394 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4395
4396 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4397
4398 return True;
4399 }
4400
4401 /*******************************************************************
4402 set_user_info_24
4403 ********************************************************************/
4404
4405 static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
4406 struct samr_UserInfo24 *id24,
4407 struct samu *pwd)
4408 {
4409 NTSTATUS status;
4410
4411 if (id24 == NULL) {
4412 DEBUG(5, ("set_user_info_24: NULL id24\n"));
4413 return NT_STATUS_INVALID_PARAMETER;
4414 }
4415
4416 if (!set_user_info_pw(id24->password.data, pwd)) {
4417 return NT_STATUS_WRONG_PASSWORD;
4418 }
4419
4420 copy_id24_to_sam_passwd(pwd, id24);
4421
4422 status = pdb_update_sam_account(pwd);
4423 if (!NT_STATUS_IS_OK(status)) {
4424 return status;
4425 }
4426
4427 return NT_STATUS_OK;
4428 }
4429
4430 /*******************************************************************
4431 set_user_info_25
4432 ********************************************************************/
4433
4434 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4435 struct samr_UserInfo25 *id25,
4436 struct samu *pwd)
4437 {
4438 NTSTATUS status;
4439
4440 if (id25 == NULL) {
4441 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4442 return NT_STATUS_INVALID_PARAMETER;
4443 }
4444
4445 if (id25->info.fields_present == 0) {
4446 return NT_STATUS_INVALID_PARAMETER;
4447 }
4448
4449 if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4450 return NT_STATUS_ACCESS_DENIED;
4451 }
4452
4453 if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4454 (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4455
4456 if (!set_user_info_pw(id25->password.data, pwd)) {
4457 return NT_STATUS_WRONG_PASSWORD;
4458 }
4459 }
4460
4461 copy_id25_to_sam_passwd(pwd, id25);
4462
4463 /* write the change out */
4464 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4465 return status;
4466 }
4467
4468 /*
4469 * We need to "pdb_update_sam_account" before the unix primary group
4470 * is set, because the idealx scripts would also change the
4471 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4472 * the delete explicit / add explicit, which would then fail to find
4473 * the previous primaryGroupSid value.
4474 */
4475
4476 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4477 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4478 if ( !NT_STATUS_IS_OK(status) ) {
4479 return status;
4480 }
4481 }
4482
4483 return NT_STATUS_OK;
4484 }
4485
4486 /*******************************************************************
4487 set_user_info_26
4488 ********************************************************************/
4489
4490 static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4491 struct samr_UserInfo26 *id26,
4492 struct samu *pwd)
4493 {
4494 NTSTATUS status;
4495
4496 if (id26 == NULL) {
4497 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4498 return NT_STATUS_INVALID_PARAMETER;
4499 }
4500
4501 if (!set_user_info_pw(id26->password.data, pwd)) {
4502 return NT_STATUS_WRONG_PASSWORD;
4503 }
4504
4505 copy_id26_to_sam_passwd(pwd, id26);
4506
4507 status = pdb_update_sam_account(pwd);
4508 if (!NT_STATUS_IS_OK(status)) {
4509 return status;
4510 }
4511
4512 return NT_STATUS_OK;
4513 }
4514
4515
4516 /*******************************************************************
4517 samr_SetUserInfo
4518 ********************************************************************/
4519
4520 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4521 struct samr_SetUserInfo *r)
4522 {
4523 NTSTATUS status;
4524 struct samu *pwd = NULL;
4525 DOM_SID sid;
4526 union samr_UserInfo *info = r->in.info;
4527 uint16_t switch_value = r->in.level;
4528 uint32_t acc_granted;
4529 uint32_t acc_required;
4530 bool ret;
4531 bool has_enough_rights = False;
4532 uint32_t acb_info;
4533 DISP_INFO *disp_info = NULL;
4534
4535 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
4536
4537 /* find the policy handle. open a policy on it. */
4538 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, &disp_info)) {
4539 return NT_STATUS_INVALID_HANDLE;
4540 }
4541
4542 /* This is tricky. A WinXP domain join sets
4543 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4544 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4545 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4546 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4547 we'll use the set from the WinXP join as the basis. */
4548
4549 switch (switch_value) {
4550 case 18:
4551 case 24:
4552 case 25:
4553 case 26:
4554 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
4555 break;
4556 default:
4557 acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
4558 SAMR_USER_ACCESS_SET_ATTRIBUTES |
4559 SAMR_USER_ACCESS_GET_ATTRIBUTES;
4560 break;
4561 }
4562
4563 status = access_check_samr_function(acc_granted,
4564 acc_required,
4565 "_samr_SetUserInfo");
4566 if (!NT_STATUS_IS_OK(status)) {
4567 return status;
4568 }
4569
4570 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4571 sid_string_dbg(&sid), switch_value));
4572
4573 if (info == NULL) {
4574 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4575 return NT_STATUS_INVALID_INFO_CLASS;
4576 }
4577
4578 if (!(pwd = samu_new(NULL))) {
4579 return NT_STATUS_NO_MEMORY;
4580 }
4581
4582 become_root();
4583 ret = pdb_getsampwsid(pwd, &sid);
4584 unbecome_root();
4585
4586 if (!ret) {
4587 TALLOC_FREE(pwd);
4588 return NT_STATUS_NO_SUCH_USER;
4589 }
4590
4591 /* deal with machine password changes differently from userinfo changes */
4592 /* check to see if we have the sufficient rights */
4593
4594 acb_info = pdb_get_acct_ctrl(pwd);
4595 if (acb_info & ACB_WSTRUST)
4596 has_enough_rights = user_has_privileges(p->server_info->ptok,
4597 &se_machine_account);
4598 else if (acb_info & ACB_NORMAL)
4599 has_enough_rights = user_has_privileges(p->server_info->ptok,
4600 &se_add_users);
4601 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4602 if (lp_enable_privileges()) {
4603 has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
4604 DOMAIN_GROUP_RID_ADMINS);
4605 }
4606 }
4607
4608 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4609 uidtoname(p->server_info->utok.uid),
4610 has_enough_rights ? "" : " not"));
4611
4612 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4613
4614 if (has_enough_rights) {
4615 become_root();
4616 }
4617
4618 /* ok! user info levels (lots: see MSDEV help), off we go... */
4619
4620 switch (switch_value) {
4621
4622 case 2:
4623 status = set_user_info_2(p->mem_ctx,
4624 &info->info2, pwd);
4625 break;
4626
4627 case 4:
4628 status = set_user_info_4(p->mem_ctx,
4629 &info->info4, pwd);
4630 break;
4631
4632 case 6:
4633 status = set_user_info_6(p->mem_ctx,
4634 &info->info6, pwd);
4635 break;
4636
4637 case 7:
4638 status = set_user_info_7(p->mem_ctx,
4639 &info->info7, pwd);
4640 break;
4641
4642 case 8:
4643 status = set_user_info_8(p->mem_ctx,
4644 &info->info8, pwd);
4645 break;
4646
4647 case 10:
4648 status = set_user_info_10(p->mem_ctx,
4649 &info->info10, pwd);
4650 break;
4651
4652 case 11:
4653 status = set_user_info_11(p->mem_ctx,
4654 &info->info11, pwd);
4655 break;
4656
4657 case 12:
4658 status = set_user_info_12(p->mem_ctx,
4659 &info->info12, pwd);
4660 break;
4661
4662 case 13:
4663 status = set_user_info_13(p->mem_ctx,
4664 &info->info13, pwd);
4665 break;
4666
4667 case 14:
4668 status = set_user_info_14(p->mem_ctx,
4669 &info->info14, pwd);
4670 break;
4671
4672 case 16:
4673 status = set_user_info_16(p->mem_ctx,
4674 &info->info16, pwd);
4675 break;
4676
4677 case 17:
4678 status = set_user_info_17(p->mem_ctx,
4679 &info->info17, pwd);
4680 break;
4681
4682 case 18:
4683 /* Used by AS/U JRA. */
4684 status = set_user_info_18(&info->info18,
4685 p->mem_ctx,
4686 &p->server_info->user_session_key,
4687 pwd);
4688 break;
4689
4690 case 20:
4691 status = set_user_info_20(p->mem_ctx,
4692 &info->info20, pwd);
4693 break;
4694
4695 case 21:
4696 status = set_user_info_21(&info->info21,
4697 p->mem_ctx,
4698 &p->server_info->user_session_key,
4699 pwd);
4700 break;
4701
4702 case 23:
4703 if (!p->server_info->user_session_key.length) {
4704 status = NT_STATUS_NO_USER_SESSION_KEY;
4705 }
4706 SamOEMhashBlob(info->info23.password.data, 516,
4707 &p->server_info->user_session_key);
4708
4709 dump_data(100, info->info23.password.data, 516);
4710
4711 status = set_user_info_23(p->mem_ctx,
4712 &info->info23, pwd);
4713 break;
4714
4715 case 24:
4716 if (!p->server_info->user_session_key.length) {
4717 status = NT_STATUS_NO_USER_SESSION_KEY;
4718 }
4719 SamOEMhashBlob(info->info24.password.data,
4720 516,
4721 &p->server_info->user_session_key);
4722
4723 dump_data(100, info->info24.password.data, 516);
4724
4725 status = set_user_info_24(p->mem_ctx,
4726 &info->info24, pwd);
4727 break;
4728
4729 case 25:
4730 if (!p->server_info->user_session_key.length) {
4731 status = NT_STATUS_NO_USER_SESSION_KEY;
4732 }
4733 encode_or_decode_arc4_passwd_buffer(
4734 info->info25.password.data,
4735 &p->server_info->user_session_key);
4736
4737 dump_data(100, info->info25.password.data, 532);
4738
4739 status = set_user_info_25(p->mem_ctx,
4740 &info->info25, pwd);
4741 break;
4742
4743 case 26:
4744 if (!p->server_info->user_session_key.length) {
4745 status = NT_STATUS_NO_USER_SESSION_KEY;
4746 }
4747 encode_or_decode_arc4_passwd_buffer(
4748 info->info26.password.data,
4749 &p->server_info->user_session_key);
4750
4751 dump_data(100, info->info26.password.data, 516);
4752
4753 status = set_user_info_26(p->mem_ctx,
4754 &info->info26, pwd);
4755 break;
4756
4757 default:
4758 status = NT_STATUS_INVALID_INFO_CLASS;
4759 }
4760
4761 TALLOC_FREE(pwd);
4762
4763 if (has_enough_rights) {
4764 unbecome_root();
4765 }
4766
4767 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4768
4769 if (NT_STATUS_IS_OK(status)) {
4770 force_flush_samr_cache(disp_info);
4771 }
4772
4773 return status;
4774 }
4775
4776 /*******************************************************************
4777 _samr_SetUserInfo2
4778 ********************************************************************/
4779
4780 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4781 struct samr_SetUserInfo2 *r)
4782 {
4783 struct samr_SetUserInfo q;
4784
4785 q.in.user_handle = r->in.user_handle;
4786 q.in.level = r->in.level;
4787 q.in.info = r->in.info;
4788
4789 return _samr_SetUserInfo(p, &q);
4790 }
4791
4792 /*********************************************************************
4793 _samr_GetAliasMembership
4794 *********************************************************************/
4795
4796 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4797 struct samr_GetAliasMembership *r)
4798 {
4799 size_t num_alias_rids;
4800 uint32 *alias_rids;
4801 struct samr_info *info = NULL;
4802 size_t i;
4803
4804 NTSTATUS ntstatus1;
4805 NTSTATUS ntstatus2;
4806
4807 DOM_SID *members;
4808
4809 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4810
4811 /* find the policy handle. open a policy on it. */
4812 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4813 return NT_STATUS_INVALID_HANDLE;
4814
4815 ntstatus1 = access_check_samr_function(info->acc_granted,
4816 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
4817 "_samr_GetAliasMembership");
4818 ntstatus2 = access_check_samr_function(info->acc_granted,
4819 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
4820 "_samr_GetAliasMembership");
4821
4822 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4823 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4824 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4825 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4826 }
4827 }
4828
4829 if (!sid_check_is_domain(&info->sid) &&
4830 !sid_check_is_builtin(&info->sid))
4831 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4832
4833 if (r->in.sids->num_sids) {
4834 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4835
4836 if (members == NULL)
4837 return NT_STATUS_NO_MEMORY;
4838 } else {
4839 members = NULL;
4840 }
4841
4842 for (i=0; i<r->in.sids->num_sids; i++)
4843 sid_copy(&members[i], r->in.sids->sids[i].sid);
4844
4845 alias_rids = NULL;
4846 num_alias_rids = 0;
4847
4848 become_root();
4849 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4850 r->in.sids->num_sids,
4851 &alias_rids, &num_alias_rids);
4852 unbecome_root();
4853
4854 if (!NT_STATUS_IS_OK(ntstatus1)) {
4855 return ntstatus1;
4856 }
4857
4858 r->out.rids->count = num_alias_rids;
4859 r->out.rids->ids = alias_rids;
4860
4861 return NT_STATUS_OK;
4862 }
4863
4864 /*********************************************************************
4865 _samr_GetMembersInAlias
4866 *********************************************************************/
4867
4868 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4869 struct samr_GetMembersInAlias *r)
4870 {
4871 NTSTATUS status;
4872 size_t i;
4873 size_t num_sids = 0;
4874 struct lsa_SidPtr *sids = NULL;
4875 DOM_SID *pdb_sids = NULL;
4876
4877 DOM_SID alias_sid;
4878
4879 uint32 acc_granted;
4880
4881 /* find the policy handle. open a policy on it. */
4882 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4883 return NT_STATUS_INVALID_HANDLE;
4884
4885 status = access_check_samr_function(acc_granted,
4886 SAMR_ALIAS_ACCESS_GET_MEMBERS,
4887 "_samr_GetMembersInAlias");
4888 if (!NT_STATUS_IS_OK(status)) {
4889 return status;
4890 }
4891
4892 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4893
4894 become_root();
4895 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4896 unbecome_root();
4897
4898 if (!NT_STATUS_IS_OK(status)) {
4899 return status;
4900 }
4901
4902 if (num_sids) {
4903 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4904 if (sids == NULL) {
4905 TALLOC_FREE(pdb_sids);
4906 return NT_STATUS_NO_MEMORY;
4907 }
4908 }
4909
4910 for (i = 0; i < num_sids; i++) {
4911 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4912 if (!sids[i].sid) {
4913 TALLOC_FREE(pdb_sids);
4914 return NT_STATUS_NO_MEMORY;
4915 }
4916 }
4917
4918 r->out.sids->num_sids = num_sids;
4919 r->out.sids->sids = sids;
4920
4921 TALLOC_FREE(pdb_sids);
4922
4923 return NT_STATUS_OK;
4924 }
4925
4926 /*********************************************************************
4927 _samr_QueryGroupMember
4928 *********************************************************************/
4929
4930 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4931 struct samr_QueryGroupMember *r)
4932 {
4933 DOM_SID group_sid;
4934 size_t i, num_members;
4935
4936 uint32 *rid=NULL;
4937 uint32 *attr=NULL;
4938
4939 uint32 acc_granted;
4940
4941 NTSTATUS status;
4942 struct samr_RidTypeArray *rids = NULL;
4943
4944 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4945 if (!rids) {
4946 return NT_STATUS_NO_MEMORY;
4947 }
4948
4949 /* find the policy handle. open a policy on it. */
4950 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4951 return NT_STATUS_INVALID_HANDLE;
4952
4953 status = access_check_samr_function(acc_granted,
4954 SAMR_GROUP_ACCESS_GET_MEMBERS,
4955 "_samr_QueryGroupMember");
4956 if (!NT_STATUS_IS_OK(status)) {
4957 return status;
4958 }
4959
4960 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4961
4962 if (!sid_check_is_in_our_domain(&group_sid)) {
4963 DEBUG(3, ("sid %s is not in our domain\n",
4964 sid_string_dbg(&group_sid)));
4965 return NT_STATUS_NO_SUCH_GROUP;
4966 }
4967
4968 DEBUG(10, ("lookup on Domain SID\n"));
4969
4970 become_root();
4971 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4972 &rid, &num_members);
4973 unbecome_root();
4974
4975 if (!NT_STATUS_IS_OK(status))
4976 return status;
4977
4978 if (num_members) {
4979 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4980 if (attr == NULL) {
4981 return NT_STATUS_NO_MEMORY;
4982 }
4983 } else {
4984 attr = NULL;
4985 }
4986
4987 for (i=0; i<num_members; i++)
4988 attr[i] = SID_NAME_USER;
4989
4990 rids->count = num_members;
4991 rids->types = attr;
4992 rids->rids = rid;
4993
4994 *r->out.rids = rids;
4995
4996 return NT_STATUS_OK;
4997 }
4998
4999 /*********************************************************************
5000 _samr_AddAliasMember
5001 *********************************************************************/
5002
5003 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
5004 struct samr_AddAliasMember *r)
5005 {
5006 DOM_SID alias_sid;
5007 uint32 acc_granted;
5008 SE_PRIV se_rights;
5009 bool can_add_accounts;
5010 NTSTATUS status;
5011 DISP_INFO *disp_info = NULL;
5012
5013 /* Find the policy handle. Open a policy on it. */
5014 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
5015 return NT_STATUS_INVALID_HANDLE;
5016
5017 status = access_check_samr_function(acc_granted,
5018 SAMR_ALIAS_ACCESS_ADD_MEMBER,
5019 "_samr_AddAliasMember");
5020 if (!NT_STATUS_IS_OK(status)) {
5021 return status;
5022 }
5023
5024 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
5025
5026 se_priv_copy( &se_rights, &se_add_users );
5027 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5028
5029 /******** BEGIN SeAddUsers BLOCK *********/
5030
5031 if ( can_add_accounts )
5032 become_root();
5033
5034 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
5035
5036 if ( can_add_accounts )
5037 unbecome_root();
5038
5039 /******** END SeAddUsers BLOCK *********/
5040
5041 if (NT_STATUS_IS_OK(status)) {
5042 force_flush_samr_cache(disp_info);
5043 }
5044
5045 return status;
5046 }
5047
5048 /*********************************************************************
5049 _samr_DeleteAliasMember
5050 *********************************************************************/
5051
5052 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
5053 struct samr_DeleteAliasMember *r)
5054 {
5055 DOM_SID alias_sid;
5056 uint32 acc_granted;
5057 SE_PRIV se_rights;
5058 bool can_add_accounts;
5059 NTSTATUS status;
5060 DISP_INFO *disp_info = NULL;
5061
5062 /* Find the policy handle. Open a policy on it. */
5063 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
5064 return NT_STATUS_INVALID_HANDLE;
5065
5066 status = access_check_samr_function(acc_granted,
5067 SAMR_ALIAS_ACCESS_REMOVE_MEMBER,
5068 "_samr_DeleteAliasMember");
5069 if (!NT_STATUS_IS_OK(status)) {
5070 return status;
5071 }
5072
5073 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
5074 sid_string_dbg(&alias_sid)));
5075
5076 se_priv_copy( &se_rights, &se_add_users );
5077 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5078
5079 /******** BEGIN SeAddUsers BLOCK *********/
5080
5081 if ( can_add_accounts )
5082 become_root();
5083
5084 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
5085
5086 if ( can_add_accounts )
5087 unbecome_root();
5088
5089 /******** END SeAddUsers BLOCK *********/
5090
5091 if (NT_STATUS_IS_OK(status)) {
5092 force_flush_samr_cache(disp_info);
5093 }
5094
5095 return status;
5096 }
5097
5098 /*********************************************************************
5099 _samr_AddGroupMember
5100 *********************************************************************/
5101
5102 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
5103 struct samr_AddGroupMember *r)
5104 {
5105 NTSTATUS status;
5106 DOM_SID group_sid;
5107 uint32 group_rid;
5108 uint32 acc_granted;
5109 SE_PRIV se_rights;
5110 bool can_add_accounts;
5111 DISP_INFO *disp_info = NULL;
5112
5113 /* Find the policy handle. Open a policy on it. */
5114 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5115 return NT_STATUS_INVALID_HANDLE;
5116
5117 status = access_check_samr_function(acc_granted,
5118 SAMR_GROUP_ACCESS_ADD_MEMBER,
5119 "_samr_AddGroupMember");
5120 if (!NT_STATUS_IS_OK(status)) {
5121 return status;
5122 }
5123
5124 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
5125
5126 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
5127 &group_rid)) {
5128 return NT_STATUS_INVALID_HANDLE;
5129 }
5130
5131 se_priv_copy( &se_rights, &se_add_users );
5132 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5133
5134 /******** BEGIN SeAddUsers BLOCK *********/
5135
5136 if ( can_add_accounts )
5137 become_root();
5138
5139 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
5140
5141 if ( can_add_accounts )
5142 unbecome_root();
5143
5144 /******** END SeAddUsers BLOCK *********/
5145
5146 force_flush_samr_cache(disp_info);
5147
5148 return status;
5149 }
5150
5151 /*********************************************************************
5152 _samr_DeleteGroupMember
5153 *********************************************************************/
5154
5155 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
5156 struct samr_DeleteGroupMember *r)
5157
5158 {
5159 NTSTATUS status;
5160 DOM_SID group_sid;
5161 uint32 group_rid;
5162 uint32 acc_granted;
5163 SE_PRIV se_rights;
5164 bool can_add_accounts;
5165 DISP_INFO *disp_info = NULL;
5166
5167 /*
5168 * delete the group member named r->in.rid
5169 * who is a member of the sid associated with the handle
5170 * the rid is a user's rid as the group is a domain group.
5171 */
5172
5173 /* Find the policy handle. Open a policy on it. */
5174 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5175 return NT_STATUS_INVALID_HANDLE;
5176
5177 status = access_check_samr_function(acc_granted,
5178 SAMR_GROUP_ACCESS_REMOVE_MEMBER,
5179 "_samr_DeleteGroupMember");
5180 if (!NT_STATUS_IS_OK(status)) {
5181 return status;
5182 }
5183
5184 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
5185 &group_rid)) {
5186 return NT_STATUS_INVALID_HANDLE;
5187 }
5188
5189 se_priv_copy( &se_rights, &se_add_users );
5190 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5191
5192 /******** BEGIN SeAddUsers BLOCK *********/
5193
5194 if ( can_add_accounts )
5195 become_root();
5196
5197 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
5198
5199 if ( can_add_accounts )
5200 unbecome_root();
5201
5202 /******** END SeAddUsers BLOCK *********/
5203
5204 force_flush_samr_cache(disp_info);
5205
5206 return status;
5207 }
5208
5209 /*********************************************************************
5210 _samr_DeleteUser
5211 *********************************************************************/
5212
5213 NTSTATUS _samr_DeleteUser(pipes_struct *p,
5214 struct samr_DeleteUser *r)
5215 {
5216 NTSTATUS status;
5217 DOM_SID user_sid;
5218 struct samu *sam_pass=NULL;
5219 uint32 acc_granted;
5220 bool can_add_accounts;
5221 uint32 acb_info;
5222 DISP_INFO *disp_info = NULL;
5223 bool ret;
5224
5225 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
5226
5227 /* Find the policy handle. Open a policy on it. */
5228 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
5229 return NT_STATUS_INVALID_HANDLE;
5230
5231 status = access_check_samr_function(acc_granted,
5232 STD_RIGHT_DELETE_ACCESS,
5233 "_samr_DeleteUser");
5234 if (!NT_STATUS_IS_OK(status)) {
5235 return status;
5236 }
5237
5238 if (!sid_check_is_in_our_domain(&user_sid))
5239 return NT_STATUS_CANNOT_DELETE;
5240
5241 /* check if the user exists before trying to delete */
5242 if ( !(sam_pass = samu_new( NULL )) ) {
5243 return NT_STATUS_NO_MEMORY;
5244 }
5245
5246 become_root();
5247 ret = pdb_getsampwsid(sam_pass, &user_sid);
5248 unbecome_root();
5249
5250 if( !ret ) {
5251 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5252 sid_string_dbg(&user_sid)));
5253 TALLOC_FREE(sam_pass);
5254 return NT_STATUS_NO_SUCH_USER;
5255 }
5256
5257 acb_info = pdb_get_acct_ctrl(sam_pass);
5258
5259 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
5260 if ( acb_info & ACB_WSTRUST ) {
5261 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
5262 } else {
5263 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5264 }
5265
5266 /******** BEGIN SeAddUsers BLOCK *********/
5267
5268 if ( can_add_accounts )
5269 become_root();
5270
5271 status = pdb_delete_user(p->mem_ctx, sam_pass);
5272
5273 if ( can_add_accounts )
5274 unbecome_root();
5275
5276 /******** END SeAddUsers BLOCK *********/
5277
5278 if ( !NT_STATUS_IS_OK(status) ) {
5279 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5280 "user %s: %s.\n", pdb_get_username(sam_pass),
5281 nt_errstr(status)));
5282 TALLOC_FREE(sam_pass);
5283 return status;
5284 }
5285
5286
5287 TALLOC_FREE(sam_pass);
5288
5289 if (!close_policy_hnd(p, r->in.user_handle))
5290 return NT_STATUS_OBJECT_NAME_INVALID;
5291
5292 ZERO_STRUCTP(r->out.user_handle);
5293
5294 force_flush_samr_cache(disp_info);
5295
5296 return NT_STATUS_OK;
5297 }
5298
5299 /*********************************************************************
5300 _samr_DeleteDomainGroup
5301 *********************************************************************/
5302
5303 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
5304 struct samr_DeleteDomainGroup *r)
5305 {
5306 NTSTATUS status;
5307 DOM_SID group_sid;
5308 uint32 group_rid;
5309 uint32 acc_granted;
5310 SE_PRIV se_rights;
5311 bool can_add_accounts;
5312 DISP_INFO *disp_info = NULL;
5313
5314 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
5315
5316 /* Find the policy handle. Open a policy on it. */
5317 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5318 return NT_STATUS_INVALID_HANDLE;
5319
5320 status = access_check_samr_function(acc_granted,
5321 STD_RIGHT_DELETE_ACCESS,
5322 "_samr_DeleteDomainGroup");
5323 if (!NT_STATUS_IS_OK(status)) {
5324 return status;
5325 }
5326
5327 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
5328
5329 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
5330 &group_rid)) {
5331 return NT_STATUS_NO_SUCH_GROUP;
5332 }
5333
5334 se_priv_copy( &se_rights, &se_add_users );
5335 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5336
5337 /******** BEGIN SeAddUsers BLOCK *********/
5338
5339 if ( can_add_accounts )
5340 become_root();
5341
5342 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
5343
5344 if ( can_add_accounts )
5345 unbecome_root();
5346
5347 /******** END SeAddUsers BLOCK *********/
5348
5349 if ( !NT_STATUS_IS_OK(status) ) {
5350 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5351 "entry for group %s: %s\n",
5352 sid_string_dbg(&group_sid),
5353 nt_errstr(status)));
5354 return status;
5355 }
5356
5357 if (!close_policy_hnd(p, r->in.group_handle))
5358 return NT_STATUS_OBJECT_NAME_INVALID;
5359
5360 force_flush_samr_cache(disp_info);
5361
5362 return NT_STATUS_OK;
5363 }
5364
5365 /*********************************************************************
5366 _samr_DeleteDomAlias
5367 *********************************************************************/
5368
5369 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
5370 struct samr_DeleteDomAlias *r)
5371 {
5372 DOM_SID alias_sid;
5373 uint32 acc_granted;
5374 SE_PRIV se_rights;
5375 bool can_add_accounts;
5376 NTSTATUS status;
5377 DISP_INFO *disp_info = NULL;
5378
5379 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
5380
5381 /* Find the policy handle. Open a policy on it. */
5382 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
5383 return NT_STATUS_INVALID_HANDLE;
5384
5385 /* copy the handle to the outgoing reply */
5386
5387 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
5388
5389 status = access_check_samr_function(acc_granted,
5390 STD_RIGHT_DELETE_ACCESS,
5391 "_samr_DeleteDomAlias");
5392 if (!NT_STATUS_IS_OK(status)) {
5393 return status;
5394 }
5395
5396 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
5397
5398 /* Don't let Windows delete builtin groups */
5399
5400 if ( sid_check_is_in_builtin( &alias_sid ) ) {
5401 return NT_STATUS_SPECIAL_ACCOUNT;
5402 }
5403
5404 if (!sid_check_is_in_our_domain(&alias_sid))
5405 return NT_STATUS_NO_SUCH_ALIAS;
5406
5407 DEBUG(10, ("lookup on Local SID\n"));
5408
5409 se_priv_copy( &se_rights, &se_add_users );
5410 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5411
5412 /******** BEGIN SeAddUsers BLOCK *********/
5413
5414 if ( can_add_accounts )
5415 become_root();
5416
5417 /* Have passdb delete the alias */
5418 status = pdb_delete_alias(&alias_sid);
5419
5420 if ( can_add_accounts )
5421 unbecome_root();
5422
5423 /******** END SeAddUsers BLOCK *********/
5424
5425 if ( !NT_STATUS_IS_OK(status))
5426 return status;
5427
5428 if (!close_policy_hnd(p, r->in.alias_handle))
5429 return NT_STATUS_OBJECT_NAME_INVALID;
5430
5431 force_flush_samr_cache(disp_info);
5432
5433 return NT_STATUS_OK;
5434 }
5435
5436 /*********************************************************************
5437 _samr_CreateDomainGroup
5438 *********************************************************************/
5439
5440 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
5441 struct samr_CreateDomainGroup *r)
5442
5443 {
5444 NTSTATUS status;
5445 DOM_SID dom_sid;
5446 DOM_SID info_sid;
5447 const char *name;
5448 struct samr_info *info;
5449 uint32 acc_granted;
5450 SE_PRIV se_rights;
5451 bool can_add_accounts;
5452 DISP_INFO *disp_info = NULL;
5453
5454 /* Find the policy handle. Open a policy on it. */
5455 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5456 return NT_STATUS_INVALID_HANDLE;
5457
5458 status = access_check_samr_function(acc_granted,
5459 SAMR_DOMAIN_ACCESS_CREATE_GROUP,
5460 "_samr_CreateDomainGroup");
5461 if (!NT_STATUS_IS_OK(status)) {
5462 return status;
5463 }
5464
5465 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5466 return NT_STATUS_ACCESS_DENIED;
5467
5468 name = r->in.name->string;
5469 if (name == NULL) {
5470 return NT_STATUS_NO_MEMORY;
5471 }
5472
5473 status = can_create(p->mem_ctx, name);
5474 if (!NT_STATUS_IS_OK(status)) {
5475 return status;
5476 }
5477
5478 se_priv_copy( &se_rights, &se_add_users );
5479 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5480
5481 /******** BEGIN SeAddUsers BLOCK *********/
5482
5483 if ( can_add_accounts )
5484 become_root();
5485
5486 /* check that we successfully create the UNIX group */
5487
5488 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5489
5490 if ( can_add_accounts )
5491 unbecome_root();
5492
5493 /******** END SeAddUsers BLOCK *********/
5494
5495 /* check if we should bail out here */
5496
5497 if ( !NT_STATUS_IS_OK(status) )
5498 return status;
5499
5500 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5501
5502 if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5503 return NT_STATUS_NO_MEMORY;
5504
5505 /* they created it; let the user do what he wants with it */
5506
5507 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5508
5509 /* get a (unique) handle. open a policy on it. */
5510 if (!create_policy_hnd(p, r->out.group_handle, info))
5511 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5512
5513 force_flush_samr_cache(disp_info);
5514
5515 return NT_STATUS_OK;
5516 }
5517
5518 /*********************************************************************
5519 _samr_CreateDomAlias
5520 *********************************************************************/
5521
5522 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5523 struct samr_CreateDomAlias *r)
5524 {
5525 DOM_SID dom_sid;
5526 DOM_SID info_sid;
5527 const char *name = NULL;
5528 struct samr_info *info;
5529 uint32 acc_granted;
5530 gid_t gid;
5531 NTSTATUS result;
5532 SE_PRIV se_rights;
5533 bool can_add_accounts;
5534 DISP_INFO *disp_info = NULL;
5535
5536 /* Find the policy handle. Open a policy on it. */
5537 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5538 return NT_STATUS_INVALID_HANDLE;
5539
5540 result = access_check_samr_function(acc_granted,
5541 SAMR_DOMAIN_ACCESS_CREATE_ALIAS,
5542 "_samr_CreateDomAlias");
5543 if (!NT_STATUS_IS_OK(result)) {
5544 return result;
5545 }
5546
5547 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5548 return NT_STATUS_ACCESS_DENIED;
5549
5550 name = r->in.alias_name->string;
5551
5552 se_priv_copy( &se_rights, &se_add_users );
5553 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5554
5555 result = can_create(p->mem_ctx, name);
5556 if (!NT_STATUS_IS_OK(result)) {
5557 return result;
5558 }
5559
5560 /******** BEGIN SeAddUsers BLOCK *********/
5561
5562 if ( can_add_accounts )
5563 become_root();
5564
5565 /* Have passdb create the alias */
5566 result = pdb_create_alias(name, r->out.rid);
5567
5568 if ( can_add_accounts )
5569 unbecome_root();
5570
5571 /******** END SeAddUsers BLOCK *********/
5572
5573 if (!NT_STATUS_IS_OK(result)) {
5574 DEBUG(10, ("pdb_create_alias failed: %s\n",
5575 nt_errstr(result)));
5576 return result;
5577 }
5578
5579 sid_copy(&info_sid, get_global_sam_sid());
5580 sid_append_rid(&info_sid, *r->out.rid);
5581
5582 if (!sid_to_gid(&info_sid, &gid)) {
5583 DEBUG(10, ("Could not find alias just created\n"));
5584 return NT_STATUS_ACCESS_DENIED;
5585 }
5586
5587 /* check if the group has been successfully created */
5588 if ( getgrgid(gid) == NULL ) {
5589 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5590 gid));
5591 return NT_STATUS_ACCESS_DENIED;
5592 }
5593
5594 if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5595 return NT_STATUS_NO_MEMORY;
5596
5597 /* they created it; let the user do what he wants with it */
5598
5599 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5600
5601 /* get a (unique) handle. open a policy on it. */
5602 if (!create_policy_hnd(p, r->out.alias_handle, info))
5603 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5604
5605 force_flush_samr_cache(disp_info);
5606
5607 return NT_STATUS_OK;
5608 }
5609
5610 /*********************************************************************
5611 _samr_QueryGroupInfo
5612 *********************************************************************/
5613
5614 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5615 struct samr_QueryGroupInfo *r)
5616 {
5617 NTSTATUS status;
5618 DOM_SID group_sid;
5619 GROUP_MAP map;
5620 union samr_GroupInfo *info = NULL;
5621 uint32 acc_granted;
5622 bool ret;
5623 uint32_t attributes = SE_GROUP_MANDATORY |
5624 SE_GROUP_ENABLED_BY_DEFAULT |
5625 SE_GROUP_ENABLED;
5626 const char *group_name = NULL;
5627 const char *group_description = NULL;
5628
5629 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5630 return NT_STATUS_INVALID_HANDLE;
5631
5632 status = access_check_samr_function(acc_granted,
5633 SAMR_GROUP_ACCESS_LOOKUP_INFO,
5634 "_samr_QueryGroupInfo");
5635 if (!NT_STATUS_IS_OK(status)) {
5636 return status;
5637 }
5638
5639 become_root();
5640 ret = get_domain_group_from_sid(group_sid, &map);
5641 unbecome_root();
5642 if (!ret)
5643 return NT_STATUS_INVALID_HANDLE;
5644
5645 /* FIXME: map contains fstrings */
5646 group_name = talloc_strdup(r, map.nt_name);
5647 group_description = talloc_strdup(r, map.comment);
5648
5649 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5650 if (!info) {
5651 return NT_STATUS_NO_MEMORY;
5652 }
5653
5654 switch (r->in.level) {
5655 case 1: {
5656 uint32 *members;
5657 size_t num_members;
5658
5659 become_root();
5660 status = pdb_enum_group_members(
5661 p->mem_ctx, &group_sid, &members, &num_members);
5662 unbecome_root();
5663
5664 if (!NT_STATUS_IS_OK(status)) {
5665 return status;
5666 }
5667
5668 info->all.name.string = group_name;
5669 info->all.attributes = attributes;
5670 info->all.num_members = num_members;
5671 info->all.description.string = group_description;
5672 break;
5673 }
5674 case 2:
5675 info->name.string = group_name;
5676 break;
5677 case 3:
5678 info->attributes.attributes = attributes;
5679 break;
5680 case 4:
5681 info->description.string = group_description;
5682 break;
5683 case 5: {
5684 /*
5685 uint32 *members;
5686 size_t num_members;
5687 */
5688
5689 /*
5690 become_root();
5691 status = pdb_enum_group_members(
5692 p->mem_ctx, &group_sid, &members, &num_members);
5693 unbecome_root();
5694
5695 if (!NT_STATUS_IS_OK(status)) {
5696 return status;
5697 }
5698 */
5699 info->all2.name.string = group_name;
5700 info->all2.attributes = attributes;
5701 info->all2.num_members = 0; /* num_members - in w2k3 this is always 0 */
5702 info->all2.description.string = group_description;
5703
5704 break;
5705 }
5706 default:
5707 return NT_STATUS_INVALID_INFO_CLASS;
5708 }
5709
5710 *r->out.info = info;
5711
5712 return NT_STATUS_OK;
5713 }
5714
5715 /*********************************************************************
5716 _samr_SetGroupInfo
5717 *********************************************************************/
5718
5719 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5720 struct samr_SetGroupInfo *r)
5721 {
5722 DOM_SID group_sid;
5723 GROUP_MAP map;
5724 uint32 acc_granted;
5725 NTSTATUS status;
5726 bool ret;
5727 bool can_mod_accounts;
5728 DISP_INFO *disp_info = NULL;
5729
5730 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5731 return NT_STATUS_INVALID_HANDLE;
5732
5733 status = access_check_samr_function(acc_granted,
5734 SAMR_GROUP_ACCESS_SET_INFO,
5735 "_samr_SetGroupInfo");
5736 if (!NT_STATUS_IS_OK(status)) {
5737 return status;
5738 }
5739
5740 become_root();
5741 ret = get_domain_group_from_sid(group_sid, &map);
5742 unbecome_root();
5743 if (!ret)
5744 return NT_STATUS_NO_SUCH_GROUP;
5745
5746 switch (r->in.level) {
5747 case 1:
5748 fstrcpy(map.comment, r->in.info->all.description.string);
5749 break;
5750 case 2:
5751 /* group rename is not supported yet */
5752 return NT_STATUS_NOT_SUPPORTED;
5753 case 4:
5754 fstrcpy(map.comment, r->in.info->description.string);
5755 break;
5756 default:
5757 return NT_STATUS_INVALID_INFO_CLASS;
5758 }
5759
5760 can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5761
5762 /******** BEGIN SeAddUsers BLOCK *********/
5763
5764 if ( can_mod_accounts )
5765 become_root();
5766
5767 status = pdb_update_group_mapping_entry(&map);
5768
5769 if ( can_mod_accounts )
5770 unbecome_root();
5771
5772 /******** End SeAddUsers BLOCK *********/
5773
5774 if (NT_STATUS_IS_OK(status)) {
5775 force_flush_samr_cache(disp_info);
5776 }
5777
5778 return status;
5779 }
5780
5781 /*********************************************************************
5782 _samr_SetAliasInfo
5783 *********************************************************************/
5784
5785 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5786 struct samr_SetAliasInfo *r)
5787 {
5788 DOM_SID group_sid;
5789 struct acct_info info;
5790 uint32 acc_granted;
5791 bool can_mod_accounts;
5792 NTSTATUS status;
5793 DISP_INFO *disp_info = NULL;
5794
5795 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5796 return NT_STATUS_INVALID_HANDLE;
5797
5798 status = access_check_samr_function(acc_granted,
5799 SAMR_ALIAS_ACCESS_SET_INFO,
5800 "_samr_SetAliasInfo");
5801 if (!NT_STATUS_IS_OK(status)) {
5802 return status;
5803 }
5804
5805 /* get the current group information */
5806
5807 become_root();
5808 status = pdb_get_aliasinfo( &group_sid, &info );
5809 unbecome_root();
5810
5811 if ( !NT_STATUS_IS_OK(status))
5812 return status;
5813
5814 switch (r->in.level) {
5815 case ALIASINFONAME:
5816 {
5817 fstring group_name;
5818
5819 /* We currently do not support renaming groups in the
5820 the BUILTIN domain. Refer to util_builtin.c to understand
5821 why. The eventually needs to be fixed to be like Windows
5822 where you can rename builtin groups, just not delete them */
5823
5824 if ( sid_check_is_in_builtin( &group_sid ) ) {
5825 return NT_STATUS_SPECIAL_ACCOUNT;
5826 }
5827
5828 /* There has to be a valid name (and it has to be different) */
5829
5830 if ( !r->in.info->name.string )
5831 return NT_STATUS_INVALID_PARAMETER;
5832
5833 /* If the name is the same just reply "ok". Yes this
5834 doesn't allow you to change the case of a group name. */
5835
5836 if ( strequal( r->in.info->name.string, info.acct_name ) )
5837 return NT_STATUS_OK;
5838
5839 fstrcpy( info.acct_name, r->in.info->name.string);
5840
5841 /* make sure the name doesn't already exist as a user
5842 or local group */
5843
5844 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5845 status = can_create( p->mem_ctx, group_name );
5846 if ( !NT_STATUS_IS_OK( status ) )
5847 return status;
5848 break;
5849 }
5850 case ALIASINFODESCRIPTION:
5851 if (r->in.info->description.string) {
5852 fstrcpy(info.acct_desc,
5853 r->in.info->description.string);
5854 } else {
5855 fstrcpy( info.acct_desc, "" );
5856 }
5857 break;
5858 default:
5859 return NT_STATUS_INVALID_INFO_CLASS;
5860 }
5861
5862 can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5863
5864 /******** BEGIN SeAddUsers BLOCK *********/
5865
5866 if ( can_mod_accounts )
5867 become_root();
5868
5869 status = pdb_set_aliasinfo( &group_sid, &info );
5870
5871 if ( can_mod_accounts )
5872 unbecome_root();
5873
5874 /******** End SeAddUsers BLOCK *********/
5875
5876 if (NT_STATUS_IS_OK(status))
5877 force_flush_samr_cache(disp_info);
5878
5879 return status;
5880 }
5881
5882 /****************************************************************
5883 _samr_GetDomPwInfo
5884 ****************************************************************/
5885
5886 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5887 struct samr_GetDomPwInfo *r)
5888 {
5889 uint32_t min_password_length = 0;
5890 uint32_t password_properties = 0;
5891
5892 /* Perform access check. Since this rpc does not require a
5893 policy handle it will not be caught by the access checks on
5894 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5895
5896 if (!pipe_access_check(p)) {
5897 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5898 return NT_STATUS_ACCESS_DENIED;
5899 }
5900
5901 become_root();
5902 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5903 &min_password_length);
5904 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5905 &password_properties);
5906 unbecome_root();
5907
5908 if (lp_check_password_script() && *lp_check_password_script()) {
5909 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5910 }
5911
5912 r->out.info->min_password_length = min_password_length;
5913 r->out.info->password_properties = password_properties;
5914
5915 return NT_STATUS_OK;
5916 }
5917
5918 /*********************************************************************
5919 _samr_OpenGroup
5920 *********************************************************************/
5921
5922 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5923 struct samr_OpenGroup *r)
5924
5925 {
5926 DOM_SID sid;
5927 DOM_SID info_sid;
5928 GROUP_MAP map;
5929 struct samr_info *info;
5930 SEC_DESC *psd = NULL;
5931 uint32 acc_granted;
5932 uint32 des_access = r->in.access_mask;
5933 size_t sd_size;
5934 NTSTATUS status;
5935 fstring sid_string;
5936 bool ret;
5937 SE_PRIV se_rights;
5938
5939 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5940 return NT_STATUS_INVALID_HANDLE;
5941
5942 status = access_check_samr_function(acc_granted,
5943 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
5944 "_samr_OpenGroup");
5945
5946 if ( !NT_STATUS_IS_OK(status) )
5947 return status;
5948
5949 /*check if access can be granted as requested by client. */
5950 map_max_allowed_access(p->server_info->ptok, &des_access);
5951
5952 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5953 se_map_generic(&des_access,&grp_generic_mapping);
5954
5955 se_priv_copy( &se_rights, &se_add_users );
5956
5957 status = access_check_samr_object(psd, p->server_info->ptok,
5958 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5959 &acc_granted, "_samr_OpenGroup");
5960
5961 if ( !NT_STATUS_IS_OK(status) )
5962 return status;
5963
5964 /* this should not be hard-coded like this */
5965
5966 if (!sid_equal(&sid, get_global_sam_sid()))
5967 return NT_STATUS_ACCESS_DENIED;
5968
5969 sid_copy(&info_sid, get_global_sam_sid());
5970 sid_append_rid(&info_sid, r->in.rid);
5971 sid_to_fstring(sid_string, &info_sid);
5972
5973 if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5974 return NT_STATUS_NO_MEMORY;
5975
5976 info->acc_granted = acc_granted;
5977
5978 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5979
5980 /* check if that group really exists */
5981 become_root();
5982 ret = get_domain_group_from_sid(info->sid, &map);
5983 unbecome_root();
5984 if (!ret)
5985 return NT_STATUS_NO_SUCH_GROUP;
5986
5987 /* get a (unique) handle. open a policy on it. */
5988 if (!create_policy_hnd(p, r->out.group_handle, info))
5989 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5990
5991 return NT_STATUS_OK;
5992 }
5993
5994 /*********************************************************************
5995 _samr_RemoveMemberFromForeignDomain
5996 *********************************************************************/
5997
5998 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5999 struct samr_RemoveMemberFromForeignDomain *r)
6000 {
6001 DOM_SID delete_sid, domain_sid;
6002 uint32 acc_granted;
6003 NTSTATUS result;
6004 DISP_INFO *disp_info = NULL;
6005
6006 sid_copy( &delete_sid, r->in.sid );
6007
6008 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
6009 sid_string_dbg(&delete_sid)));
6010
6011 /* Find the policy handle. Open a policy on it. */
6012
6013 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
6014 &acc_granted, &disp_info))
6015 return NT_STATUS_INVALID_HANDLE;
6016
6017 result = access_check_samr_function(acc_granted,
6018 STD_RIGHT_DELETE_ACCESS,
6019 "_samr_RemoveMemberFromForeignDomain");
6020
6021 if (!NT_STATUS_IS_OK(result))
6022 return result;
6023
6024 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
6025 sid_string_dbg(&domain_sid)));
6026
6027 /* we can only delete a user from a group since we don't have
6028 nested groups anyways. So in the latter case, just say OK */
6029
6030 /* TODO: The above comment nowadays is bogus. Since we have nested
6031 * groups now, and aliases members are never reported out of the unix
6032 * group membership, the "just say OK" makes this call a no-op. For
6033 * us. This needs fixing however. */
6034
6035 /* I've only ever seen this in the wild when deleting a user from
6036 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
6037 * is the user about to be deleted. I very much suspect this is the
6038 * only application of this call. To verify this, let people report
6039 * other cases. */
6040
6041 if (!sid_check_is_builtin(&domain_sid)) {
6042 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
6043 "global_sam_sid() = %s\n",
6044 sid_string_dbg(&domain_sid),
6045 sid_string_dbg(get_global_sam_sid())));
6046 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
6047 return NT_STATUS_OK;
6048 }
6049
6050 force_flush_samr_cache(disp_info);
6051
6052 result = NT_STATUS_OK;
6053
6054 return result;
6055 }
6056
6057 /*******************************************************************
6058 _samr_QueryDomainInfo2
6059 ********************************************************************/
6060
6061 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
6062 struct samr_QueryDomainInfo2 *r)
6063 {
6064 struct samr_QueryDomainInfo q;
6065
6066 q.in.domain_handle = r->in.domain_handle;
6067 q.in.level = r->in.level;
6068
6069 q.out.info = r->out.info;
6070
6071 return _samr_QueryDomainInfo(p, &q);
6072 }
6073
6074 /*******************************************************************
6075 _samr_SetDomainInfo
6076 ********************************************************************/
6077
6078 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
6079 struct samr_SetDomainInfo *r)
6080 {
6081 struct samr_info *info = NULL;
6082 time_t u_expire, u_min_age;
6083 time_t u_logout;
6084 time_t u_lock_duration, u_reset_time;
6085 NTSTATUS result;
6086
6087 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
6088
6089 /* find the policy handle. open a policy on it. */
6090 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
6091 return NT_STATUS_INVALID_HANDLE;
6092
6093 /* We do have different access bits for info
6094 * levels here, but we're really just looking for
6095 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
6096 * this maps to different specific bits. So
6097 * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
6098 * set we are ok. */
6099
6100 result = access_check_samr_function(info->acc_granted,
6101 SAMR_DOMAIN_ACCESS_SET_INFO_1,
6102 "_samr_SetDomainInfo");
6103
6104 if (!NT_STATUS_IS_OK(result))
6105 return result;
6106
6107 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
6108
6109 switch (r->in.level) {
6110 case 0x01:
6111 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
6112 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
6113 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
6114 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
6115 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
6116 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
6117 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
6118 break;
6119 case 0x02:
6120 break;
6121 case 0x03:
6122 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
6123 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
6124 break;
6125 case 0x05:
6126 break;
6127 case 0x06:
6128 break;
6129 case 0x07:
6130 break;
6131 case 0x0c:
6132 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
6133 if (u_lock_duration != -1)
6134 u_lock_duration /= 60;
6135
6136 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
6137
6138 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
6139 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
6140 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
6141 break;
6142 default:
6143 return NT_STATUS_INVALID_INFO_CLASS;
6144 }
6145
6146 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
6147
6148 return NT_STATUS_OK;
6149 }
6150
6151 /****************************************************************
6152 _samr_GetDisplayEnumerationIndex
6153 ****************************************************************/
6154
6155 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
6156 struct samr_GetDisplayEnumerationIndex *r)
6157 {
6158 struct samr_info *info = NULL;
6159 uint32_t max_entries = (uint32_t) -1;
6160 uint32_t enum_context = 0;
6161 int i;
6162 uint32_t num_account = 0;
6163 struct samr_displayentry *entries = NULL;
6164 NTSTATUS status;
6165
6166 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
6167
6168 /* find the policy handle. open a policy on it. */
6169 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
6170 return NT_STATUS_INVALID_HANDLE;
6171 }
6172
6173 status = access_check_samr_function(info->acc_granted,
6174 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
6175 "_samr_GetDisplayEnumerationIndex");
6176 if (!NT_STATUS_IS_OK(status)) {
6177 return status;
6178 }
6179
6180 if ((r->in.level < 1) || (r->in.level > 3)) {
6181 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
6182 "Unknown info level (%u)\n",
6183 r->in.level));
6184 return NT_STATUS_INVALID_INFO_CLASS;
6185 }
6186
6187 become_root();
6188
6189 /* The following done as ROOT. Don't return without unbecome_root(). */
6190
6191 switch (r->in.level) {
6192 case 1:
6193 if (info->disp_info->users == NULL) {
6194 info->disp_info->users = pdb_search_users(
6195 info->disp_info, ACB_NORMAL);
6196 if (info->disp_info->users == NULL) {
6197 unbecome_root();
6198 return NT_STATUS_ACCESS_DENIED;
6199 }
6200 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6201 "starting user enumeration at index %u\n",
6202 (unsigned int)enum_context));
6203 } else {
6204 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6205 "using cached user enumeration at index %u\n",
6206 (unsigned int)enum_context));
6207 }
6208 num_account = pdb_search_entries(info->disp_info->users,
6209 enum_context, max_entries,
6210 &entries);
6211 break;
6212 case 2:
6213 if (info->disp_info->machines == NULL) {
6214 info->disp_info->machines = pdb_search_users(
6215 info->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
6216 if (info->disp_info->machines == NULL) {
6217 unbecome_root();
6218 return NT_STATUS_ACCESS_DENIED;
6219 }
6220 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6221 "starting machine enumeration at index %u\n",
6222 (unsigned int)enum_context));
6223 } else {
6224 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6225 "using cached machine enumeration at index %u\n",
6226 (unsigned int)enum_context));
6227 }
6228 num_account = pdb_search_entries(info->disp_info->machines,
6229 enum_context, max_entries,
6230 &entries);
6231 break;
6232 case 3:
6233 if (info->disp_info->groups == NULL) {
6234 info->disp_info->groups = pdb_search_groups(
6235 info->disp_info);
6236 if (info->disp_info->groups == NULL) {
6237 unbecome_root();
6238 return NT_STATUS_ACCESS_DENIED;
6239 }
6240 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6241 "starting group enumeration at index %u\n",
6242 (unsigned int)enum_context));
6243 } else {
6244 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6245 "using cached group enumeration at index %u\n",
6246 (unsigned int)enum_context));
6247 }
6248 num_account = pdb_search_entries(info->disp_info->groups,
6249 enum_context, max_entries,
6250 &entries);
6251 break;
6252 default:
6253 unbecome_root();
6254 smb_panic("info class changed");
6255 break;
6256 }
6257
6258 unbecome_root();
6259
6260 /* Ensure we cache this enumeration. */
6261 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
6262
6263 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
6264 r->in.name->string));
6265
6266 for (i=0; i<num_account; i++) {
6267 if (strequal(entries[i].account_name, r->in.name->string)) {
6268 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6269 "found %s at idx %d\n",
6270 r->in.name->string, i));
6271 *r->out.idx = i;
6272 return NT_STATUS_OK;
6273 }
6274 }
6275
6276 /* assuming account_name lives at the very end */
6277 *r->out.idx = num_account;
6278
6279 return NT_STATUS_NO_MORE_ENTRIES;
6280 }
6281
6282 /****************************************************************
6283 _samr_GetDisplayEnumerationIndex2
6284 ****************************************************************/
6285
6286 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
6287 struct samr_GetDisplayEnumerationIndex2 *r)
6288 {
6289 struct samr_GetDisplayEnumerationIndex q;
6290
6291 q.in.domain_handle = r->in.domain_handle;
6292 q.in.level = r->in.level;
6293 q.in.name = r->in.name;
6294
6295 q.out.idx = r->out.idx;
6296
6297 return _samr_GetDisplayEnumerationIndex(p, &q);
6298 }
6299
6300 /****************************************************************
6301 ****************************************************************/
6302
6303 NTSTATUS _samr_Shutdown(pipes_struct *p,
6304 struct samr_Shutdown *r)
6305 {
6306 p->rng_fault_state = true;
6307 return NT_STATUS_NOT_IMPLEMENTED;
6308 }
6309
6310 /****************************************************************
6311 ****************************************************************/
6312
6313 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
6314 struct samr_SetMemberAttributesOfGroup *r)
6315 {
6316 p->rng_fault_state = true;
6317 return NT_STATUS_NOT_IMPLEMENTED;
6318 }
6319
6320 /****************************************************************
6321 ****************************************************************/
6322
6323 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
6324 struct samr_ChangePasswordUser *r)
6325 {
6326 p->rng_fault_state = true;
6327 return NT_STATUS_NOT_IMPLEMENTED;
6328 }
6329
6330 /****************************************************************
6331 ****************************************************************/
6332
6333 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
6334 struct samr_TestPrivateFunctionsDomain *r)
6335 {
6336 p->rng_fault_state = true;
6337 return NT_STATUS_NOT_IMPLEMENTED;
6338 }
6339
6340 /****************************************************************
6341 ****************************************************************/
6342
6343 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
6344 struct samr_TestPrivateFunctionsUser *r)
6345 {
6346 p->rng_fault_state = true;
6347 return NT_STATUS_NOT_IMPLEMENTED;
6348 }
6349
6350 /****************************************************************
6351 ****************************************************************/
6352
6353 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
6354 struct samr_AddMultipleMembersToAlias *r)
6355 {
6356 p->rng_fault_state = true;
6357 return NT_STATUS_NOT_IMPLEMENTED;
6358 }
6359
6360 /****************************************************************
6361 ****************************************************************/
6362
6363 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
6364 struct samr_RemoveMultipleMembersFromAlias *r)
6365 {
6366 p->rng_fault_state = true;
6367 return NT_STATUS_NOT_IMPLEMENTED;
6368 }
6369
6370 /****************************************************************
6371 ****************************************************************/
6372
6373 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
6374 struct samr_OemChangePasswordUser2 *r)
6375 {
6376 p->rng_fault_state = true;
6377 return NT_STATUS_NOT_IMPLEMENTED;
6378 }
6379
6380 /****************************************************************
6381 ****************************************************************/
6382
6383 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
6384 struct samr_SetBootKeyInformation *r)
6385 {
6386 p->rng_fault_state = true;
6387 return NT_STATUS_NOT_IMPLEMENTED;
6388 }
6389
6390 /****************************************************************
6391 ****************************************************************/
6392
6393 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
6394 struct samr_GetBootKeyInformation *r)
6395 {
6396 p->rng_fault_state = true;
6397 return NT_STATUS_NOT_IMPLEMENTED;
6398 }
6399
6400 /****************************************************************
6401 ****************************************************************/
6402
6403 NTSTATUS _samr_RidToSid(pipes_struct *p,
6404 struct samr_RidToSid *r)
6405 {
6406 p->rng_fault_state = true;
6407 return NT_STATUS_NOT_IMPLEMENTED;
6408 }
6409
6410 /****************************************************************
6411 ****************************************************************/
6412
6413 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
6414 struct samr_SetDsrmPassword *r)
6415 {
6416 p->rng_fault_state = true;
6417 return NT_STATUS_NOT_IMPLEMENTED;
6418 }
6419
6420 /****************************************************************
6421 ****************************************************************/
6422
6423 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
6424 struct samr_ValidatePassword *r)
6425 {
6426 p->rng_fault_state = true;
6427 return NT_STATUS_NOT_IMPLEMENTED;
6428 }
Samba GIT mirror