search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-samr-server: _samr_DeleteUser needs to wipe out the user_handle on success.
[Samba.git] / source / rpc_server / srv_samr_nt.c
bloba32d35f4081a68f31bf94d19f02d14ca475d54eb
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SA_RIGHT_USER_CHANGE_PASSWORD | \
42 SA_RIGHT_USER_SET_LOC_COM )
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
45
46 #define DISP_INFO_CACHE_TIMEOUT 10
47
48 typedef struct disp_info {
49 DOM_SID sid; /* identify which domain this is. */
50 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
51 struct pdb_search *users; /* querydispinfo 1 and 4 */
52 struct pdb_search *machines; /* querydispinfo 2 */
53 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
54 struct pdb_search *aliases; /* enumaliases */
55
56 uint16 enum_acb_mask;
57 struct pdb_search *enum_users; /* enumusers with a mask */
58
59 struct timed_event *cache_timeout_event; /* cache idle timeout
60 * handler. */
61 } DISP_INFO;
62
63 /* We keep a static list of these by SID as modern clients close down
64 all resources between each request in a complete enumeration. */
65
66 struct samr_info {
67 /* for use by the \PIPE\samr policy */
68 DOM_SID sid;
69 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
70 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
71 uint32 acc_granted;
72 DISP_INFO *disp_info;
73 TALLOC_CTX *mem_ctx;
74 };
75
76 static const struct generic_mapping sam_generic_mapping = {
77 GENERIC_RIGHTS_SAM_READ,
78 GENERIC_RIGHTS_SAM_WRITE,
79 GENERIC_RIGHTS_SAM_EXECUTE,
80 GENERIC_RIGHTS_SAM_ALL_ACCESS};
81 static const struct generic_mapping dom_generic_mapping = {
82 GENERIC_RIGHTS_DOMAIN_READ,
83 GENERIC_RIGHTS_DOMAIN_WRITE,
84 GENERIC_RIGHTS_DOMAIN_EXECUTE,
85 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
86 static const struct generic_mapping usr_generic_mapping = {
87 GENERIC_RIGHTS_USER_READ,
88 GENERIC_RIGHTS_USER_WRITE,
89 GENERIC_RIGHTS_USER_EXECUTE,
90 GENERIC_RIGHTS_USER_ALL_ACCESS};
91 static const struct generic_mapping usr_nopwchange_generic_mapping = {
92 GENERIC_RIGHTS_USER_READ,
93 GENERIC_RIGHTS_USER_WRITE,
94 GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
95 GENERIC_RIGHTS_USER_ALL_ACCESS};
96 static const struct generic_mapping grp_generic_mapping = {
97 GENERIC_RIGHTS_GROUP_READ,
98 GENERIC_RIGHTS_GROUP_WRITE,
99 GENERIC_RIGHTS_GROUP_EXECUTE,
100 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
101 static const struct generic_mapping ali_generic_mapping = {
102 GENERIC_RIGHTS_ALIAS_READ,
103 GENERIC_RIGHTS_ALIAS_WRITE,
104 GENERIC_RIGHTS_ALIAS_EXECUTE,
105 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
106
107 /*******************************************************************
108 *******************************************************************/
109
110 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
111 const struct generic_mapping *map,
112 DOM_SID *sid, uint32 sid_access )
113 {
114 DOM_SID domadmin_sid;
115 SEC_ACE ace[5]; /* at most 5 entries */
116 SEC_ACCESS mask;
117 size_t i = 0;
118
119 SEC_ACL *psa = NULL;
120
121 /* basic access for Everyone */
122
123 init_sec_access(&mask, map->generic_execute | map->generic_read );
124 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
125
126 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
127
128 init_sec_access(&mask, map->generic_all);
129
130 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
131 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
132
133 /* Add Full Access for Domain Admins if we are a DC */
134
135 if ( IS_DC ) {
136 sid_copy( &domadmin_sid, get_global_sam_sid() );
137 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
138 init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
139 }
140
141 /* if we have a sid, give it some special access */
142
143 if ( sid ) {
144 init_sec_access( &mask, sid_access );
145 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
146 }
147
148 /* create the security descriptor */
149
150 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
151 return NT_STATUS_NO_MEMORY;
152
153 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
154 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
155 psa, sd_size)) == NULL)
156 return NT_STATUS_NO_MEMORY;
157
158 return NT_STATUS_OK;
159 }
160
161 /*******************************************************************
162 Checks if access to an object should be granted, and returns that
163 level of access for further checks.
164 ********************************************************************/
165
166 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
167 SE_PRIV *rights, uint32 rights_mask,
168 uint32 des_access, uint32 *acc_granted,
169 const char *debug )
170 {
171 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
172 uint32 saved_mask = 0;
173
174 /* check privileges; certain SAM access bits should be overridden
175 by privileges (mostly having to do with creating/modifying/deleting
176 users and groups) */
177
178 if ( rights && user_has_any_privilege( token, rights ) ) {
179
180 saved_mask = (des_access & rights_mask);
181 des_access &= ~saved_mask;
182
183 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
184 rights_mask));
185 }
186
187
188 /* check the security descriptor first */
189
190 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
191 goto done;
192
193 /* give root a free pass */
194
195 if ( geteuid() == sec_initial_uid() ) {
196
197 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
198 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
199
200 *acc_granted = des_access;
201
202 status = NT_STATUS_OK;
203 goto done;
204 }
205
206
207 done:
208 /* add in any bits saved during the privilege check (only
209 matters is status is ok) */
210
211 *acc_granted |= rights_mask;
212
213 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
214 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
215 des_access, *acc_granted));
216
217 return status;
218 }
219
220 /*******************************************************************
221 Checks if access to a function can be granted
222 ********************************************************************/
223
224 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
225 {
226 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
227 debug, acc_granted, acc_required));
228
229 /* check the security descriptor first */
230
231 if ( (acc_granted&acc_required) == acc_required )
232 return NT_STATUS_OK;
233
234 /* give root a free pass */
235
236 if (geteuid() == sec_initial_uid()) {
237
238 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
239 debug, acc_granted, acc_required));
240 DEBUGADD(4,("but overwritten by euid == 0\n"));
241
242 return NT_STATUS_OK;
243 }
244
245 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
246 debug, acc_granted, acc_required));
247
248 return NT_STATUS_ACCESS_DENIED;
249 }
250
251 /*******************************************************************
252 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
253 ********************************************************************/
254
255 static void map_max_allowed_access(const NT_USER_TOKEN *token,
256 uint32_t *pacc_requested)
257 {
258 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
259 return;
260 }
261 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
262
263 /* At least try for generic read. */
264 *pacc_requested = GENERIC_READ_ACCESS;
265
266 /* root gets anything. */
267 if (geteuid() == sec_initial_uid()) {
268 *pacc_requested |= GENERIC_ALL_ACCESS;
269 return;
270 }
271
272 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
273
274 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
275 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
276 *pacc_requested |= GENERIC_ALL_ACCESS;
277 return;
278 }
279
280 /* Full access for DOMAIN\Domain Admins. */
281 if ( IS_DC ) {
282 DOM_SID domadmin_sid;
283 sid_copy( &domadmin_sid, get_global_sam_sid() );
284 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
285 if (is_sid_in_token(token, &domadmin_sid)) {
286 *pacc_requested |= GENERIC_ALL_ACCESS;
287 return;
288 }
289 }
290 /* TODO ! Check privileges. */
291 }
292
293 /*******************************************************************
294 Fetch or create a dispinfo struct.
295 ********************************************************************/
296
297 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
298 {
299 /*
300 * We do a static cache for DISP_INFO's here. Explanation can be found
301 * in Jeremy's checkin message to r11793:
302 *
303 * Fix the SAMR cache so it works across completely insane
304 * client behaviour (ie.:
305 * open pipe/open SAMR handle/enumerate 0 - 1024
306 * close SAMR handle, close pipe.
307 * open pipe/open SAMR handle/enumerate 1024 - 2048...
308 * close SAMR handle, close pipe.
309 * And on ad-nausium. Amazing.... probably object-oriented
310 * client side programming in action yet again.
311 * This change should *massively* improve performance when
312 * enumerating users from an LDAP database.
313 * Jeremy.
314 *
315 * "Our" and the builtin domain are the only ones where we ever
316 * enumerate stuff, so just cache 2 entries.
317 */
318
319 static struct disp_info builtin_dispinfo;
320 static struct disp_info domain_dispinfo;
321
322 /* There are two cases to consider here:
323 1) The SID is a domain SID and we look for an equality match, or
324 2) This is an account SID and so we return the DISP_INFO* for our
325 domain */
326
327 if (psid == NULL) {
328 return NULL;
329 }
330
331 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
332 /*
333 * Necessary only once, but it does not really hurt.
334 */
335 sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
336
337 return &builtin_dispinfo;
338 }
339
340 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
341 /*
342 * Necessary only once, but it does not really hurt.
343 */
344 sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
345
346 return &domain_dispinfo;
347 }
348
349 return NULL;
350 }
351
352 /*******************************************************************
353 Create a samr_info struct.
354 ********************************************************************/
355
356 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
357 {
358 struct samr_info *info;
359 fstring sid_str;
360 TALLOC_CTX *mem_ctx;
361
362 if (psid) {
363 sid_to_fstring(sid_str, psid);
364 } else {
365 fstrcpy(sid_str,"(NULL)");
366 }
367
368 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
369
370 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
371 return NULL;
372
373 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
374 if (psid) {
375 sid_copy( &info->sid, psid);
376 info->builtin_domain = sid_check_is_builtin(psid);
377 } else {
378 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
379 info->builtin_domain = False;
380 }
381 info->mem_ctx = mem_ctx;
382
383 info->disp_info = get_samr_dispinfo_by_sid(psid);
384
385 return info;
386 }
387
388 /*******************************************************************
389 Function to free the per SID data.
390 ********************************************************************/
391
392 static void free_samr_cache(DISP_INFO *disp_info)
393 {
394 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
395 sid_string_dbg(&disp_info->sid)));
396
397 /* We need to become root here because the paged search might have to
398 * tell the LDAP server we're not interested in the rest anymore. */
399
400 become_root();
401
402 if (disp_info->users) {
403 DEBUG(10,("free_samr_cache: deleting users cache\n"));
404 pdb_search_destroy(disp_info->users);
405 disp_info->users = NULL;
406 }
407 if (disp_info->machines) {
408 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
409 pdb_search_destroy(disp_info->machines);
410 disp_info->machines = NULL;
411 }
412 if (disp_info->groups) {
413 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
414 pdb_search_destroy(disp_info->groups);
415 disp_info->groups = NULL;
416 }
417 if (disp_info->aliases) {
418 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
419 pdb_search_destroy(disp_info->aliases);
420 disp_info->aliases = NULL;
421 }
422 if (disp_info->enum_users) {
423 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
424 pdb_search_destroy(disp_info->enum_users);
425 disp_info->enum_users = NULL;
426 }
427 disp_info->enum_acb_mask = 0;
428
429 unbecome_root();
430 }
431
432 /*******************************************************************
433 Function to free the per handle data.
434 ********************************************************************/
435
436 static void free_samr_info(void *ptr)
437 {
438 struct samr_info *info=(struct samr_info *) ptr;
439
440 /* Only free the dispinfo cache if no one bothered to set up
441 a timeout. */
442
443 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
444 free_samr_cache(info->disp_info);
445 }
446
447 talloc_destroy(info->mem_ctx);
448 }
449
450 /*******************************************************************
451 Idle event handler. Throw away the disp info cache.
452 ********************************************************************/
453
454 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
455 struct timed_event *te,
456 const struct timeval *now,
457 void *private_data)
458 {
459 DISP_INFO *disp_info = (DISP_INFO *)private_data;
460
461 TALLOC_FREE(disp_info->cache_timeout_event);
462
463 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
464 "out\n"));
465 free_samr_cache(disp_info);
466 }
467
468 /*******************************************************************
469 Setup cache removal idle event handler.
470 ********************************************************************/
471
472 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
473 {
474 /* Remove any pending timeout and update. */
475
476 TALLOC_FREE(disp_info->cache_timeout_event);
477
478 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
479 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
480 (unsigned int)secs_fromnow ));
481
482 disp_info->cache_timeout_event = event_add_timed(
483 smbd_event_context(), NULL,
484 timeval_current_ofs(secs_fromnow, 0),
485 "disp_info_cache_idle_timeout_handler",
486 disp_info_cache_idle_timeout_handler, (void *)disp_info);
487 }
488
489 /*******************************************************************
490 Force flush any cache. We do this on any samr_set_xxx call.
491 We must also remove the timeout handler.
492 ********************************************************************/
493
494 static void force_flush_samr_cache(DISP_INFO *disp_info)
495 {
496 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
497 return;
498 }
499
500 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
501 TALLOC_FREE(disp_info->cache_timeout_event);
502 free_samr_cache(disp_info);
503 }
504
505 /*******************************************************************
506 Ensure password info is never given out. Paranioa... JRA.
507 ********************************************************************/
508
509 static void samr_clear_sam_passwd(struct samu *sam_pass)
510 {
511
512 if (!sam_pass)
513 return;
514
515 /* These now zero out the old password */
516
517 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
518 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
519 }
520
521 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
522 {
523 struct samr_displayentry *entry;
524
525 if (info->builtin_domain) {
526 /* No users in builtin. */
527 return 0;
528 }
529
530 if (info->users == NULL) {
531 info->users = pdb_search_users(acct_flags);
532 if (info->users == NULL) {
533 return 0;
534 }
535 }
536 /* Fetch the last possible entry, thus trigger an enumeration */
537 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
538
539 /* Ensure we cache this enumeration. */
540 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
541
542 return info->users->num_entries;
543 }
544
545 static uint32 count_sam_groups(struct disp_info *info)
546 {
547 struct samr_displayentry *entry;
548
549 if (info->builtin_domain) {
550 /* No groups in builtin. */
551 return 0;
552 }
553
554 if (info->groups == NULL) {
555 info->groups = pdb_search_groups();
556 if (info->groups == NULL) {
557 return 0;
558 }
559 }
560 /* Fetch the last possible entry, thus trigger an enumeration */
561 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
562
563 /* Ensure we cache this enumeration. */
564 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
565
566 return info->groups->num_entries;
567 }
568
569 static uint32 count_sam_aliases(struct disp_info *info)
570 {
571 struct samr_displayentry *entry;
572
573 if (info->aliases == NULL) {
574 info->aliases = pdb_search_aliases(&info->sid);
575 if (info->aliases == NULL) {
576 return 0;
577 }
578 }
579 /* Fetch the last possible entry, thus trigger an enumeration */
580 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
581
582 /* Ensure we cache this enumeration. */
583 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
584
585 return info->aliases->num_entries;
586 }
587
588 /*******************************************************************
589 _samr_Close
590 ********************************************************************/
591
592 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
593 {
594 if (!close_policy_hnd(p, r->in.handle)) {
595 return NT_STATUS_INVALID_HANDLE;
596 }
597
598 ZERO_STRUCTP(r->out.handle);
599
600 return NT_STATUS_OK;
601 }
602
603 /*******************************************************************
604 _samr_OpenDomain
605 ********************************************************************/
606
607 NTSTATUS _samr_OpenDomain(pipes_struct *p,
608 struct samr_OpenDomain *r)
609 {
610 struct samr_info *info;
611 SEC_DESC *psd = NULL;
612 uint32 acc_granted;
613 uint32 des_access = r->in.access_mask;
614 NTSTATUS status;
615 size_t sd_size;
616 SE_PRIV se_rights;
617
618 /* find the connection policy handle. */
619
620 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
621 return NT_STATUS_INVALID_HANDLE;
622
623 status = access_check_samr_function(info->acc_granted,
624 SA_RIGHT_SAM_OPEN_DOMAIN,
625 "_samr_OpenDomain" );
626
627 if ( !NT_STATUS_IS_OK(status) )
628 return status;
629
630 /*check if access can be granted as requested by client. */
631 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
632
633 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
634 se_map_generic( &des_access, &dom_generic_mapping );
635
636 se_priv_copy( &se_rights, &se_machine_account );
637 se_priv_add( &se_rights, &se_add_users );
638
639 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
640 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
641 &acc_granted, "_samr_OpenDomain" );
642
643 if ( !NT_STATUS_IS_OK(status) )
644 return status;
645
646 if (!sid_check_is_domain(r->in.sid) &&
647 !sid_check_is_builtin(r->in.sid)) {
648 return NT_STATUS_NO_SUCH_DOMAIN;
649 }
650
651 /* associate the domain SID with the (unique) handle. */
652 if ((info = get_samr_info_by_sid(r->in.sid))==NULL)
653 return NT_STATUS_NO_MEMORY;
654 info->acc_granted = acc_granted;
655
656 /* get a (unique) handle. open a policy on it. */
657 if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info))
658 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
659
660 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
661
662 return NT_STATUS_OK;
663 }
664
665 /*******************************************************************
666 _samr_GetUserPwInfo
667 ********************************************************************/
668
669 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
670 struct samr_GetUserPwInfo *r)
671 {
672 struct samr_info *info = NULL;
673 enum lsa_SidType sid_type;
674 uint32_t min_password_length = 0;
675 uint32_t password_properties = 0;
676 bool ret = false;
677 NTSTATUS status;
678
679 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
680
681 /* find the policy handle. open a policy on it. */
682 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
683 return NT_STATUS_INVALID_HANDLE;
684 }
685
686 status = access_check_samr_function(info->acc_granted,
687 SAMR_USER_ACCESS_GET_ATTRIBUTES,
688 "_samr_GetUserPwInfo" );
689 if (!NT_STATUS_IS_OK(status)) {
690 return status;
691 }
692
693 if (!sid_check_is_in_our_domain(&info->sid)) {
694 return NT_STATUS_OBJECT_TYPE_MISMATCH;
695 }
696
697 become_root();
698 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
699 unbecome_root();
700 if (ret == false) {
701 return NT_STATUS_NO_SUCH_USER;
702 }
703
704 switch (sid_type) {
705 case SID_NAME_USER:
706 become_root();
707 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
708 &min_password_length);
709 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
710 &password_properties);
711 unbecome_root();
712
713 if (lp_check_password_script() && *lp_check_password_script()) {
714 password_properties |= DOMAIN_PASSWORD_COMPLEX;
715 }
716
717 break;
718 default:
719 break;
720 }
721
722 r->out.info->min_password_length = min_password_length;
723 r->out.info->password_properties = password_properties;
724
725 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
726
727 return NT_STATUS_OK;
728 }
729
730 /*******************************************************************
731 ********************************************************************/
732
733 static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
734 DOM_SID *sid, uint32 *acc_granted,
735 DISP_INFO **ppdisp_info)
736 {
737 struct samr_info *info = NULL;
738
739 /* find the policy handle. open a policy on it. */
740 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
741 return False;
742
743 if (!info)
744 return False;
745
746 *sid = info->sid;
747 *acc_granted = info->acc_granted;
748 if (ppdisp_info) {
749 *ppdisp_info = info->disp_info;
750 }
751
752 return True;
753 }
754
755 /*******************************************************************
756 _samr_SetSecurity
757 ********************************************************************/
758
759 NTSTATUS _samr_SetSecurity(pipes_struct *p,
760 struct samr_SetSecurity *r)
761 {
762 DOM_SID pol_sid;
763 uint32 acc_granted, i;
764 SEC_ACL *dacl;
765 bool ret;
766 struct samu *sampass=NULL;
767 NTSTATUS status;
768
769 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
770 return NT_STATUS_INVALID_HANDLE;
771
772 if (!(sampass = samu_new( p->mem_ctx))) {
773 DEBUG(0,("No memory!\n"));
774 return NT_STATUS_NO_MEMORY;
775 }
776
777 /* get the user record */
778 become_root();
779 ret = pdb_getsampwsid(sampass, &pol_sid);
780 unbecome_root();
781
782 if (!ret) {
783 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
784 TALLOC_FREE(sampass);
785 return NT_STATUS_INVALID_HANDLE;
786 }
787
788 dacl = r->in.sdbuf->sd->dacl;
789 for (i=0; i < dacl->num_aces; i++) {
790 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
791 ret = pdb_set_pass_can_change(sampass,
792 (dacl->aces[i].access_mask &
793 SA_RIGHT_USER_CHANGE_PASSWORD) ?
794 True: False);
795 break;
796 }
797 }
798
799 if (!ret) {
800 TALLOC_FREE(sampass);
801 return NT_STATUS_ACCESS_DENIED;
802 }
803
804 status = access_check_samr_function(acc_granted,
805 SA_RIGHT_USER_SET_ATTRIBUTES,
806 "_samr_SetSecurity");
807 if (NT_STATUS_IS_OK(status)) {
808 become_root();
809 status = pdb_update_sam_account(sampass);
810 unbecome_root();
811 }
812
813 TALLOC_FREE(sampass);
814
815 return status;
816 }
817
818 /*******************************************************************
819 build correct perms based on policies and password times for _samr_query_sec_obj
820 *******************************************************************/
821 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
822 {
823 struct samu *sampass=NULL;
824 bool ret;
825
826 if ( !(sampass = samu_new( mem_ctx )) ) {
827 DEBUG(0,("No memory!\n"));
828 return False;
829 }
830
831 become_root();
832 ret = pdb_getsampwsid(sampass, user_sid);
833 unbecome_root();
834
835 if (ret == False) {
836 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
837 TALLOC_FREE(sampass);
838 return False;
839 }
840
841 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
842
843 if (pdb_get_pass_can_change(sampass)) {
844 TALLOC_FREE(sampass);
845 return True;
846 }
847 TALLOC_FREE(sampass);
848 return False;
849 }
850
851
852 /*******************************************************************
853 _samr_QuerySecurity
854 ********************************************************************/
855
856 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
857 struct samr_QuerySecurity *r)
858 {
859 NTSTATUS status;
860 DOM_SID pol_sid;
861 SEC_DESC * psd = NULL;
862 uint32 acc_granted;
863 size_t sd_size;
864
865 /* Get the SID. */
866 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
867 return NT_STATUS_INVALID_HANDLE;
868
869 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
870 sid_string_dbg(&pol_sid)));
871
872 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
873
874 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
875 if (pol_sid.sid_rev_num == 0) {
876 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
877 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
878 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
879 /* check if it is our domain SID */
880 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
881 "with SID: %s\n", sid_string_dbg(&pol_sid)));
882 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
883 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
884 /* check if it is the Builtin Domain */
885 /* TODO: Builtin probably needs a different SD with restricted write access*/
886 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
887 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
888 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
889 } else if (sid_check_is_in_our_domain(&pol_sid) ||
890 sid_check_is_in_builtin(&pol_sid)) {
891 /* TODO: different SDs have to be generated for aliases groups and users.
892 Currently all three get a default user SD */
893 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
894 "with SID: %s\n", sid_string_dbg(&pol_sid)));
895 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
896 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
897 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
898 } else {
899 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
900 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
901 }
902 } else {
903 return NT_STATUS_OBJECT_TYPE_MISMATCH;
904 }
905
906 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
907 return NT_STATUS_NO_MEMORY;
908
909 return status;
910 }
911
912 /*******************************************************************
913 makes a SAM_ENTRY / UNISTR2* structure from a user list.
914 ********************************************************************/
915
916 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
917 struct samr_SamEntry **sam_pp,
918 uint32_t num_entries,
919 uint32_t start_idx,
920 struct samr_displayentry *entries)
921 {
922 uint32_t i;
923 struct samr_SamEntry *sam;
924
925 *sam_pp = NULL;
926
927 if (num_entries == 0) {
928 return NT_STATUS_OK;
929 }
930
931 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
932 if (sam == NULL) {
933 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
934 return NT_STATUS_NO_MEMORY;
935 }
936
937 for (i = 0; i < num_entries; i++) {
938 #if 0
939 /*
940 * usrmgr expects a non-NULL terminated string with
941 * trust relationships
942 */
943 if (entries[i].acct_flags & ACB_DOMTRUST) {
944 init_unistr2(&uni_temp_name, entries[i].account_name,
945 UNI_FLAGS_NONE);
946 } else {
947 init_unistr2(&uni_temp_name, entries[i].account_name,
948 UNI_STR_TERMINATE);
949 }
950 #endif
951 init_lsa_String(&sam[i].name, entries[i].account_name);
952 sam[i].idx = entries[i].rid;
953 }
954
955 *sam_pp = sam;
956
957 return NT_STATUS_OK;
958 }
959
960 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
961
962 /*******************************************************************
963 _samr_EnumDomainUsers
964 ********************************************************************/
965
966 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
967 struct samr_EnumDomainUsers *r)
968 {
969 NTSTATUS status;
970 struct samr_info *info = NULL;
971 int num_account;
972 uint32 enum_context = *r->in.resume_handle;
973 enum remote_arch_types ra_type = get_remote_arch();
974 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
975 uint32 max_entries = max_sam_entries;
976 struct samr_displayentry *entries = NULL;
977 struct samr_SamArray *samr_array = NULL;
978 struct samr_SamEntry *samr_entries = NULL;
979
980 /* find the policy handle. open a policy on it. */
981 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
982 return NT_STATUS_INVALID_HANDLE;
983
984 status = access_check_samr_function(info->acc_granted,
985 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
986 "_samr_EnumDomainUsers");
987 if (!NT_STATUS_IS_OK(status)) {
988 return status;
989 }
990
991 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
992
993 if (info->builtin_domain) {
994 /* No users in builtin. */
995 *r->out.resume_handle = *r->in.resume_handle;
996 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
997 return status;
998 }
999
1000 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1001 if (!samr_array) {
1002 return NT_STATUS_NO_MEMORY;
1003 }
1004
1005 become_root();
1006
1007 /* AS ROOT !!!! */
1008
1009 if ((info->disp_info->enum_users != NULL) &&
1010 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1011 pdb_search_destroy(info->disp_info->enum_users);
1012 info->disp_info->enum_users = NULL;
1013 }
1014
1015 if (info->disp_info->enum_users == NULL) {
1016 info->disp_info->enum_users = pdb_search_users(r->in.acct_flags);
1017 info->disp_info->enum_acb_mask = r->in.acct_flags;
1018 }
1019
1020 if (info->disp_info->enum_users == NULL) {
1021 /* END AS ROOT !!!! */
1022 unbecome_root();
1023 return NT_STATUS_ACCESS_DENIED;
1024 }
1025
1026 num_account = pdb_search_entries(info->disp_info->enum_users,
1027 enum_context, max_entries,
1028 &entries);
1029
1030 /* END AS ROOT !!!! */
1031
1032 unbecome_root();
1033
1034 if (num_account == 0) {
1035 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1036 "total entries\n"));
1037 *r->out.resume_handle = *r->in.resume_handle;
1038 return NT_STATUS_OK;
1039 }
1040
1041 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1042 num_account, enum_context,
1043 entries);
1044 if (!NT_STATUS_IS_OK(status)) {
1045 return status;
1046 }
1047
1048 if (max_entries <= num_account) {
1049 status = STATUS_MORE_ENTRIES;
1050 } else {
1051 status = NT_STATUS_OK;
1052 }
1053
1054 /* Ensure we cache this enumeration. */
1055 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1056
1057 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1058
1059 samr_array->count = num_account;
1060 samr_array->entries = samr_entries;
1061
1062 *r->out.resume_handle = *r->in.resume_handle + num_account;
1063 *r->out.sam = samr_array;
1064 *r->out.num_entries = num_account;
1065
1066 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1067
1068 return status;
1069 }
1070
1071 /*******************************************************************
1072 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1073 ********************************************************************/
1074
1075 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1076 struct samr_SamEntry **sam_pp,
1077 uint32_t num_sam_entries,
1078 struct samr_displayentry *entries)
1079 {
1080 struct samr_SamEntry *sam;
1081 uint32_t i;
1082
1083 *sam_pp = NULL;
1084
1085 if (num_sam_entries == 0) {
1086 return;
1087 }
1088
1089 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1090 if (sam == NULL) {
1091 return;
1092 }
1093
1094 for (i = 0; i < num_sam_entries; i++) {
1095 /*
1096 * JRA. I think this should include the null. TNG does not.
1097 */
1098 init_lsa_String(&sam[i].name, entries[i].account_name);
1099 sam[i].idx = entries[i].rid;
1100 }
1101
1102 *sam_pp = sam;
1103 }
1104
1105 /*******************************************************************
1106 _samr_EnumDomainGroups
1107 ********************************************************************/
1108
1109 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1110 struct samr_EnumDomainGroups *r)
1111 {
1112 NTSTATUS status;
1113 struct samr_info *info = NULL;
1114 struct samr_displayentry *groups;
1115 uint32 num_groups;
1116 struct samr_SamArray *samr_array = NULL;
1117 struct samr_SamEntry *samr_entries = NULL;
1118
1119 /* find the policy handle. open a policy on it. */
1120 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1121 return NT_STATUS_INVALID_HANDLE;
1122
1123 status = access_check_samr_function(info->acc_granted,
1124 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1125 "_samr_EnumDomainGroups");
1126 if (!NT_STATUS_IS_OK(status)) {
1127 return status;
1128 }
1129
1130 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1131
1132 if (info->builtin_domain) {
1133 /* No groups in builtin. */
1134 *r->out.resume_handle = *r->in.resume_handle;
1135 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1136 return status;
1137 }
1138
1139 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1140 if (!samr_array) {
1141 return NT_STATUS_NO_MEMORY;
1142 }
1143
1144 /* the domain group array is being allocated in the function below */
1145
1146 become_root();
1147
1148 if (info->disp_info->groups == NULL) {
1149 info->disp_info->groups = pdb_search_groups();
1150
1151 if (info->disp_info->groups == NULL) {
1152 unbecome_root();
1153 return NT_STATUS_ACCESS_DENIED;
1154 }
1155 }
1156
1157 num_groups = pdb_search_entries(info->disp_info->groups,
1158 *r->in.resume_handle,
1159 MAX_SAM_ENTRIES, &groups);
1160 unbecome_root();
1161
1162 /* Ensure we cache this enumeration. */
1163 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1164
1165 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1166 num_groups, groups);
1167
1168 samr_array->count = num_groups;
1169 samr_array->entries = samr_entries;
1170
1171 *r->out.sam = samr_array;
1172 *r->out.num_entries = num_groups;
1173 /* this was missing, IMHO:
1174 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1175 */
1176
1177 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1178
1179 return status;
1180 }
1181
1182 /*******************************************************************
1183 _samr_EnumDomainAliases
1184 ********************************************************************/
1185
1186 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1187 struct samr_EnumDomainAliases *r)
1188 {
1189 NTSTATUS status;
1190 struct samr_info *info;
1191 struct samr_displayentry *aliases;
1192 uint32 num_aliases = 0;
1193 struct samr_SamArray *samr_array = NULL;
1194 struct samr_SamEntry *samr_entries = NULL;
1195
1196 /* find the policy handle. open a policy on it. */
1197 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1198 return NT_STATUS_INVALID_HANDLE;
1199
1200 status = access_check_samr_function(info->acc_granted,
1201 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1202 "_samr_EnumDomainAliases");
1203 if (!NT_STATUS_IS_OK(status)) {
1204 return status;
1205 }
1206
1207 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1208 sid_string_dbg(&info->sid)));
1209
1210 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1211 if (!samr_array) {
1212 return NT_STATUS_NO_MEMORY;
1213 }
1214
1215 become_root();
1216
1217 if (info->disp_info->aliases == NULL) {
1218 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1219 if (info->disp_info->aliases == NULL) {
1220 unbecome_root();
1221 return NT_STATUS_ACCESS_DENIED;
1222 }
1223 }
1224
1225 num_aliases = pdb_search_entries(info->disp_info->aliases,
1226 *r->in.resume_handle,
1227 MAX_SAM_ENTRIES, &aliases);
1228 unbecome_root();
1229
1230 /* Ensure we cache this enumeration. */
1231 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1232
1233 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1234 num_aliases, aliases);
1235
1236 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1237
1238 samr_array->count = num_aliases;
1239 samr_array->entries = samr_entries;
1240
1241 *r->out.sam = samr_array;
1242 *r->out.num_entries = num_aliases;
1243 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1244
1245 return status;
1246 }
1247
1248 /*******************************************************************
1249 inits a samr_DispInfoGeneral structure.
1250 ********************************************************************/
1251
1252 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1253 struct samr_DispInfoGeneral *r,
1254 uint32_t num_entries,
1255 uint32_t start_idx,
1256 struct samr_displayentry *entries)
1257 {
1258 uint32 i;
1259
1260 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1261
1262 if (num_entries == 0) {
1263 return NT_STATUS_OK;
1264 }
1265
1266 r->count = num_entries;
1267
1268 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1269 if (!r->entries) {
1270 return NT_STATUS_NO_MEMORY;
1271 }
1272
1273 for (i = 0; i < num_entries ; i++) {
1274
1275 init_lsa_String(&r->entries[i].account_name,
1276 entries[i].account_name);
1277
1278 init_lsa_String(&r->entries[i].description,
1279 entries[i].description);
1280
1281 init_lsa_String(&r->entries[i].full_name,
1282 entries[i].fullname);
1283
1284 r->entries[i].rid = entries[i].rid;
1285 r->entries[i].acct_flags = entries[i].acct_flags;
1286 r->entries[i].idx = start_idx+i+1;
1287 }
1288
1289 return NT_STATUS_OK;
1290 }
1291
1292 /*******************************************************************
1293 inits a samr_DispInfoFull structure.
1294 ********************************************************************/
1295
1296 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1297 struct samr_DispInfoFull *r,
1298 uint32_t num_entries,
1299 uint32_t start_idx,
1300 struct samr_displayentry *entries)
1301 {
1302 uint32_t i;
1303
1304 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1305
1306 if (num_entries == 0) {
1307 return NT_STATUS_OK;
1308 }
1309
1310 r->count = num_entries;
1311
1312 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1313 if (!r->entries) {
1314 return NT_STATUS_NO_MEMORY;
1315 }
1316
1317 for (i = 0; i < num_entries ; i++) {
1318
1319 init_lsa_String(&r->entries[i].account_name,
1320 entries[i].account_name);
1321
1322 init_lsa_String(&r->entries[i].description,
1323 entries[i].description);
1324
1325 r->entries[i].rid = entries[i].rid;
1326 r->entries[i].acct_flags = entries[i].acct_flags;
1327 r->entries[i].idx = start_idx+i+1;
1328 }
1329
1330 return NT_STATUS_OK;
1331 }
1332
1333 /*******************************************************************
1334 inits a samr_DispInfoFullGroups structure.
1335 ********************************************************************/
1336
1337 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1338 struct samr_DispInfoFullGroups *r,
1339 uint32_t num_entries,
1340 uint32_t start_idx,
1341 struct samr_displayentry *entries)
1342 {
1343 uint32_t i;
1344
1345 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1346
1347 if (num_entries == 0) {
1348 return NT_STATUS_OK;
1349 }
1350
1351 r->count = num_entries;
1352
1353 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1354 if (!r->entries) {
1355 return NT_STATUS_NO_MEMORY;
1356 }
1357
1358 for (i = 0; i < num_entries ; i++) {
1359
1360 init_lsa_String(&r->entries[i].account_name,
1361 entries[i].account_name);
1362
1363 init_lsa_String(&r->entries[i].description,
1364 entries[i].description);
1365
1366 r->entries[i].rid = entries[i].rid;
1367 r->entries[i].acct_flags = entries[i].acct_flags;
1368 r->entries[i].idx = start_idx+i+1;
1369 }
1370
1371 return NT_STATUS_OK;
1372 }
1373
1374 /*******************************************************************
1375 inits a samr_DispInfoAscii structure.
1376 ********************************************************************/
1377
1378 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1379 struct samr_DispInfoAscii *r,
1380 uint32_t num_entries,
1381 uint32_t start_idx,
1382 struct samr_displayentry *entries)
1383 {
1384 uint32_t i;
1385
1386 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1387
1388 if (num_entries == 0) {
1389 return NT_STATUS_OK;
1390 }
1391
1392 r->count = num_entries;
1393
1394 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1395 if (!r->entries) {
1396 return NT_STATUS_NO_MEMORY;
1397 }
1398
1399 for (i = 0; i < num_entries ; i++) {
1400
1401 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1402 entries[i].account_name);
1403
1404 r->entries[i].idx = start_idx+i+1;
1405 }
1406
1407 return NT_STATUS_OK;
1408 }
1409
1410 /*******************************************************************
1411 inits a samr_DispInfoAscii structure.
1412 ********************************************************************/
1413
1414 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1415 struct samr_DispInfoAscii *r,
1416 uint32_t num_entries,
1417 uint32_t start_idx,
1418 struct samr_displayentry *entries)
1419 {
1420 uint32_t i;
1421
1422 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1423
1424 if (num_entries == 0) {
1425 return NT_STATUS_OK;
1426 }
1427
1428 r->count = num_entries;
1429
1430 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1431 if (!r->entries) {
1432 return NT_STATUS_NO_MEMORY;
1433 }
1434
1435 for (i = 0; i < num_entries ; i++) {
1436
1437 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1438 entries[i].account_name);
1439
1440 r->entries[i].idx = start_idx+i+1;
1441 }
1442
1443 return NT_STATUS_OK;
1444 }
1445
1446 /*******************************************************************
1447 _samr_QueryDisplayInfo
1448 ********************************************************************/
1449
1450 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1451 struct samr_QueryDisplayInfo *r)
1452 {
1453 NTSTATUS status;
1454 struct samr_info *info = NULL;
1455 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1456
1457 uint32 max_entries = r->in.max_entries;
1458 uint32 enum_context = r->in.start_idx;
1459 uint32 max_size = r->in.buf_size;
1460
1461 union samr_DispInfo *disp_info = r->out.info;
1462
1463 uint32 temp_size=0, total_data_size=0;
1464 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1465 uint32 num_account = 0;
1466 enum remote_arch_types ra_type = get_remote_arch();
1467 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1468 struct samr_displayentry *entries = NULL;
1469
1470 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1471
1472 /* find the policy handle. open a policy on it. */
1473 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1474 return NT_STATUS_INVALID_HANDLE;
1475
1476 /*
1477 * calculate how many entries we will return.
1478 * based on
1479 * - the number of entries the client asked
1480 * - our limit on that
1481 * - the starting point (enumeration context)
1482 * - the buffer size the client will accept
1483 */
1484
1485 /*
1486 * We are a lot more like W2K. Instead of reading the SAM
1487 * each time to find the records we need to send back,
1488 * we read it once and link that copy to the sam handle.
1489 * For large user list (over the MAX_SAM_ENTRIES)
1490 * it's a definitive win.
1491 * second point to notice: between enumerations
1492 * our sam is now the same as it's a snapshoot.
1493 * third point: got rid of the static SAM_USER_21 struct
1494 * no more intermediate.
1495 * con: it uses much more memory, as a full copy is stored
1496 * in memory.
1497 *
1498 * If you want to change it, think twice and think
1499 * of the second point , that's really important.
1500 *
1501 * JFM, 12/20/2001
1502 */
1503
1504 if ((r->in.level < 1) || (r->in.level > 5)) {
1505 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1506 (unsigned int)r->in.level ));
1507 return NT_STATUS_INVALID_INFO_CLASS;
1508 }
1509
1510 /* first limit the number of entries we will return */
1511 if(max_entries > max_sam_entries) {
1512 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1513 "entries, limiting to %d\n", max_entries,
1514 max_sam_entries));
1515 max_entries = max_sam_entries;
1516 }
1517
1518 /* calculate the size and limit on the number of entries we will
1519 * return */
1520
1521 temp_size=max_entries*struct_size;
1522
1523 if (temp_size>max_size) {
1524 max_entries=MIN((max_size/struct_size),max_entries);;
1525 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1526 "only %d entries\n", max_entries));
1527 }
1528
1529 become_root();
1530
1531 /* THe following done as ROOT. Don't return without unbecome_root(). */
1532
1533 switch (r->in.level) {
1534 case 0x1:
1535 case 0x4:
1536 if (info->disp_info->users == NULL) {
1537 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1538 if (info->disp_info->users == NULL) {
1539 unbecome_root();
1540 return NT_STATUS_ACCESS_DENIED;
1541 }
1542 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1543 (unsigned int)enum_context ));
1544 } else {
1545 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1546 (unsigned int)enum_context ));
1547 }
1548
1549 num_account = pdb_search_entries(info->disp_info->users,
1550 enum_context, max_entries,
1551 &entries);
1552 break;
1553 case 0x2:
1554 if (info->disp_info->machines == NULL) {
1555 info->disp_info->machines =
1556 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1557 if (info->disp_info->machines == NULL) {
1558 unbecome_root();
1559 return NT_STATUS_ACCESS_DENIED;
1560 }
1561 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1562 (unsigned int)enum_context ));
1563 } else {
1564 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1565 (unsigned int)enum_context ));
1566 }
1567
1568 num_account = pdb_search_entries(info->disp_info->machines,
1569 enum_context, max_entries,
1570 &entries);
1571 break;
1572 case 0x3:
1573 case 0x5:
1574 if (info->disp_info->groups == NULL) {
1575 info->disp_info->groups = pdb_search_groups();
1576 if (info->disp_info->groups == NULL) {
1577 unbecome_root();
1578 return NT_STATUS_ACCESS_DENIED;
1579 }
1580 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1581 (unsigned int)enum_context ));
1582 } else {
1583 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1584 (unsigned int)enum_context ));
1585 }
1586
1587 num_account = pdb_search_entries(info->disp_info->groups,
1588 enum_context, max_entries,
1589 &entries);
1590 break;
1591 default:
1592 unbecome_root();
1593 smb_panic("info class changed");
1594 break;
1595 }
1596 unbecome_root();
1597
1598
1599 /* Now create reply structure */
1600 switch (r->in.level) {
1601 case 0x1:
1602 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1603 num_account, enum_context,
1604 entries);
1605 break;
1606 case 0x2:
1607 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1608 num_account, enum_context,
1609 entries);
1610 break;
1611 case 0x3:
1612 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1613 num_account, enum_context,
1614 entries);
1615 break;
1616 case 0x4:
1617 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1618 num_account, enum_context,
1619 entries);
1620 break;
1621 case 0x5:
1622 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1623 num_account, enum_context,
1624 entries);
1625 break;
1626 default:
1627 smb_panic("info class changed");
1628 break;
1629 }
1630
1631 if (!NT_STATUS_IS_OK(disp_ret))
1632 return disp_ret;
1633
1634 /* calculate the total size */
1635 total_data_size=num_account*struct_size;
1636
1637 if (num_account) {
1638 status = STATUS_MORE_ENTRIES;
1639 } else {
1640 status = NT_STATUS_OK;
1641 }
1642
1643 /* Ensure we cache this enumeration. */
1644 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1645
1646 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1647
1648 *r->out.total_size = total_data_size;
1649 *r->out.returned_size = temp_size;
1650
1651 return status;
1652 }
1653
1654 /****************************************************************
1655 _samr_QueryDisplayInfo2
1656 ****************************************************************/
1657
1658 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1659 struct samr_QueryDisplayInfo2 *r)
1660 {
1661 struct samr_QueryDisplayInfo q;
1662
1663 q.in.domain_handle = r->in.domain_handle;
1664 q.in.level = r->in.level;
1665 q.in.start_idx = r->in.start_idx;
1666 q.in.max_entries = r->in.max_entries;
1667 q.in.buf_size = r->in.buf_size;
1668
1669 q.out.total_size = r->out.total_size;
1670 q.out.returned_size = r->out.returned_size;
1671 q.out.info = r->out.info;
1672
1673 return _samr_QueryDisplayInfo(p, &q);
1674 }
1675
1676 /****************************************************************
1677 _samr_QueryDisplayInfo3
1678 ****************************************************************/
1679
1680 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1681 struct samr_QueryDisplayInfo3 *r)
1682 {
1683 struct samr_QueryDisplayInfo q;
1684
1685 q.in.domain_handle = r->in.domain_handle;
1686 q.in.level = r->in.level;
1687 q.in.start_idx = r->in.start_idx;
1688 q.in.max_entries = r->in.max_entries;
1689 q.in.buf_size = r->in.buf_size;
1690
1691 q.out.total_size = r->out.total_size;
1692 q.out.returned_size = r->out.returned_size;
1693 q.out.info = r->out.info;
1694
1695 return _samr_QueryDisplayInfo(p, &q);
1696 }
1697
1698 /*******************************************************************
1699 _samr_QueryAliasInfo
1700 ********************************************************************/
1701
1702 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1703 struct samr_QueryAliasInfo *r)
1704 {
1705 DOM_SID sid;
1706 struct acct_info info;
1707 uint32 acc_granted;
1708 NTSTATUS status;
1709 union samr_AliasInfo *alias_info = NULL;
1710 const char *alias_name = NULL;
1711 const char *alias_description = NULL;
1712
1713 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1714
1715 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1716 if (!alias_info) {
1717 return NT_STATUS_NO_MEMORY;
1718 }
1719
1720 /* find the policy handle. open a policy on it. */
1721 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1722 return NT_STATUS_INVALID_HANDLE;
1723
1724 status = access_check_samr_function(acc_granted,
1725 SA_RIGHT_ALIAS_LOOKUP_INFO,
1726 "_samr_QueryAliasInfo");
1727 if (!NT_STATUS_IS_OK(status)) {
1728 return status;
1729 }
1730
1731 become_root();
1732 status = pdb_get_aliasinfo(&sid, &info);
1733 unbecome_root();
1734
1735 if ( !NT_STATUS_IS_OK(status))
1736 return status;
1737
1738 /* FIXME: info contains fstrings */
1739 alias_name = talloc_strdup(r, info.acct_name);
1740 alias_description = talloc_strdup(r, info.acct_desc);
1741
1742 switch (r->in.level) {
1743 case ALIASINFOALL:
1744 init_samr_alias_info1(&alias_info->all,
1745 alias_name,
1746 1,
1747 alias_description);
1748 break;
1749 case ALIASINFODESCRIPTION:
1750 init_samr_alias_info3(&alias_info->description,
1751 alias_description);
1752 break;
1753 default:
1754 return NT_STATUS_INVALID_INFO_CLASS;
1755 }
1756
1757 *r->out.info = alias_info;
1758
1759 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1760
1761 return NT_STATUS_OK;
1762 }
1763
1764 #if 0
1765 /*******************************************************************
1766 samr_reply_lookup_ids
1767 ********************************************************************/
1768
1769 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1770 {
1771 uint32 rid[MAX_SAM_ENTRIES];
1772 int num_rids = q_u->num_sids1;
1773
1774 r_u->status = NT_STATUS_OK;
1775
1776 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1777
1778 if (num_rids > MAX_SAM_ENTRIES) {
1779 num_rids = MAX_SAM_ENTRIES;
1780 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1781 }
1782
1783 #if 0
1784 int i;
1785 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1786
1787 for (i = 0; i < num_rids && status == 0; i++)
1788 {
1789 struct sam_passwd *sam_pass;
1790 fstring user_name;
1791
1792
1793 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1794 q_u->uni_user_name[i].uni_str_len));
1795
1796 /* find the user account */
1797 become_root();
1798 sam_pass = get_smb21pwd_entry(user_name, 0);
1799 unbecome_root();
1800
1801 if (sam_pass == NULL)
1802 {
1803 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1804 rid[i] = 0;
1805 }
1806 else
1807 {
1808 rid[i] = sam_pass->user_rid;
1809 }
1810 }
1811 #endif
1812
1813 num_rids = 1;
1814 rid[0] = BUILTIN_ALIAS_RID_USERS;
1815
1816 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1817
1818 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1819
1820 return r_u->status;
1821 }
1822 #endif
1823
1824 /*******************************************************************
1825 _samr_LookupNames
1826 ********************************************************************/
1827
1828 NTSTATUS _samr_LookupNames(pipes_struct *p,
1829 struct samr_LookupNames *r)
1830 {
1831 NTSTATUS status;
1832 uint32 *rid;
1833 enum lsa_SidType *type;
1834 int i;
1835 int num_rids = r->in.num_names;
1836 DOM_SID pol_sid;
1837 uint32 acc_granted;
1838 struct samr_Ids rids, types;
1839
1840 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1841
1842 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1843 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1844 }
1845
1846 status = access_check_samr_function(acc_granted,
1847 0, /* Don't know the acc_bits yet */
1848 "_samr_LookupNames");
1849 if (!NT_STATUS_IS_OK(status)) {
1850 return status;
1851 }
1852
1853 if (num_rids > MAX_SAM_ENTRIES) {
1854 num_rids = MAX_SAM_ENTRIES;
1855 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1856 }
1857
1858 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1859 NT_STATUS_HAVE_NO_MEMORY(rid);
1860
1861 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1862 NT_STATUS_HAVE_NO_MEMORY(type);
1863
1864 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1865 sid_string_dbg(&pol_sid)));
1866
1867 for (i = 0; i < num_rids; i++) {
1868
1869 status = NT_STATUS_NONE_MAPPED;
1870 type[i] = SID_NAME_UNKNOWN;
1871
1872 rid[i] = 0xffffffff;
1873
1874 if (sid_check_is_builtin(&pol_sid)) {
1875 if (lookup_builtin_name(r->in.names[i].string,
1876 &rid[i]))
1877 {
1878 type[i] = SID_NAME_ALIAS;
1879 }
1880 } else {
1881 lookup_global_sam_name(r->in.names[i].string, 0,
1882 &rid[i], &type[i]);
1883 }
1884
1885 if (type[i] != SID_NAME_UNKNOWN) {
1886 status = NT_STATUS_OK;
1887 }
1888 }
1889
1890 rids.count = num_rids;
1891 rids.ids = rid;
1892
1893 types.count = num_rids;
1894 types.ids = type;
1895
1896 *r->out.rids = rids;
1897 *r->out.types = types;
1898
1899 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1900
1901 return status;
1902 }
1903
1904 /*******************************************************************
1905 _samr_ChangePasswordUser2
1906 ********************************************************************/
1907
1908 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1909 struct samr_ChangePasswordUser2 *r)
1910 {
1911 NTSTATUS status;
1912 fstring user_name;
1913 fstring wks;
1914
1915 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1916
1917 fstrcpy(user_name, r->in.account->string);
1918 fstrcpy(wks, r->in.server->string);
1919
1920 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1921
1922 /*
1923 * Pass the user through the NT -> unix user mapping
1924 * function.
1925 */
1926
1927 (void)map_username(user_name);
1928
1929 /*
1930 * UNIX username case mangling not required, pass_oem_change
1931 * is case insensitive.
1932 */
1933
1934 status = pass_oem_change(user_name,
1935 r->in.lm_password->data,
1936 r->in.lm_verifier->hash,
1937 r->in.nt_password->data,
1938 r->in.nt_verifier->hash,
1939 NULL);
1940
1941 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1942
1943 return status;
1944 }
1945
1946 /*******************************************************************
1947 _samr_ChangePasswordUser3
1948 ********************************************************************/
1949
1950 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1951 struct samr_ChangePasswordUser3 *r)
1952 {
1953 NTSTATUS status;
1954 fstring user_name;
1955 const char *wks = NULL;
1956 uint32 reject_reason;
1957 struct samr_DomInfo1 *dominfo = NULL;
1958 struct samr_ChangeReject *reject = NULL;
1959
1960 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1961
1962 fstrcpy(user_name, r->in.account->string);
1963 if (r->in.server && r->in.server->string) {
1964 wks = r->in.server->string;
1965 }
1966
1967 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1968
1969 /*
1970 * Pass the user through the NT -> unix user mapping
1971 * function.
1972 */
1973
1974 (void)map_username(user_name);
1975
1976 /*
1977 * UNIX username case mangling not required, pass_oem_change
1978 * is case insensitive.
1979 */
1980
1981 status = pass_oem_change(user_name,
1982 r->in.lm_password->data,
1983 r->in.lm_verifier->hash,
1984 r->in.nt_password->data,
1985 r->in.nt_verifier->hash,
1986 &reject_reason);
1987
1988 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1989 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1990
1991 uint32 min_pass_len,pass_hist,password_properties;
1992 time_t u_expire, u_min_age;
1993 NTTIME nt_expire, nt_min_age;
1994 uint32 account_policy_temp;
1995
1996 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1997 if (!dominfo) {
1998 return NT_STATUS_NO_MEMORY;
1999 }
2000
2001 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
2002 if (!reject) {
2003 return NT_STATUS_NO_MEMORY;
2004 }
2005
2006 become_root();
2007
2008 /* AS ROOT !!! */
2009
2010 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2011 min_pass_len = account_policy_temp;
2012
2013 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2014 pass_hist = account_policy_temp;
2015
2016 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2017 password_properties = account_policy_temp;
2018
2019 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2020 u_expire = account_policy_temp;
2021
2022 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2023 u_min_age = account_policy_temp;
2024
2025 /* !AS ROOT */
2026
2027 unbecome_root();
2028
2029 unix_to_nt_time_abs(&nt_expire, u_expire);
2030 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2031
2032 if (lp_check_password_script() && *lp_check_password_script()) {
2033 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2034 }
2035
2036 init_samr_DomInfo1(dominfo,
2037 min_pass_len,
2038 pass_hist,
2039 password_properties,
2040 u_expire,
2041 u_min_age);
2042
2043 reject->reason = reject_reason;
2044
2045 *r->out.dominfo = dominfo;
2046 *r->out.reject = reject;
2047 }
2048
2049 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2050
2051 return status;
2052 }
2053
2054 /*******************************************************************
2055 makes a SAMR_R_LOOKUP_RIDS structure.
2056 ********************************************************************/
2057
2058 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2059 const char **names,
2060 struct lsa_String **lsa_name_array_p)
2061 {
2062 struct lsa_String *lsa_name_array = NULL;
2063 uint32_t i;
2064
2065 *lsa_name_array_p = NULL;
2066
2067 if (num_names != 0) {
2068 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2069 if (!lsa_name_array) {
2070 return false;
2071 }
2072 }
2073
2074 for (i = 0; i < num_names; i++) {
2075 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2076 init_lsa_String(&lsa_name_array[i], names[i]);
2077 }
2078
2079 *lsa_name_array_p = lsa_name_array;
2080
2081 return true;
2082 }
2083
2084 /*******************************************************************
2085 _samr_LookupRids
2086 ********************************************************************/
2087
2088 NTSTATUS _samr_LookupRids(pipes_struct *p,
2089 struct samr_LookupRids *r)
2090 {
2091 NTSTATUS status;
2092 const char **names;
2093 enum lsa_SidType *attrs = NULL;
2094 uint32 *wire_attrs = NULL;
2095 DOM_SID pol_sid;
2096 int num_rids = (int)r->in.num_rids;
2097 uint32 acc_granted;
2098 int i;
2099 struct lsa_Strings names_array;
2100 struct samr_Ids types_array;
2101 struct lsa_String *lsa_names = NULL;
2102
2103 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2104
2105 /* find the policy handle. open a policy on it. */
2106 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2107 return NT_STATUS_INVALID_HANDLE;
2108
2109 if (num_rids > 1000) {
2110 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2111 "to samba4 idl this is not possible\n", num_rids));
2112 return NT_STATUS_UNSUCCESSFUL;
2113 }
2114
2115 if (num_rids) {
2116 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2117 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2118 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2119
2120 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2121 return NT_STATUS_NO_MEMORY;
2122 } else {
2123 names = NULL;
2124 attrs = NULL;
2125 wire_attrs = NULL;
2126 }
2127
2128 become_root(); /* lookup_sid can require root privs */
2129 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2130 names, attrs);
2131 unbecome_root();
2132
2133 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2134 status = NT_STATUS_OK;
2135 }
2136
2137 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2138 &lsa_names)) {
2139 return NT_STATUS_NO_MEMORY;
2140 }
2141
2142 /* Convert from enum lsa_SidType to uint32 for wire format. */
2143 for (i = 0; i < num_rids; i++) {
2144 wire_attrs[i] = (uint32)attrs[i];
2145 }
2146
2147 names_array.count = num_rids;
2148 names_array.names = lsa_names;
2149
2150 types_array.count = num_rids;
2151 types_array.ids = wire_attrs;
2152
2153 *r->out.names = names_array;
2154 *r->out.types = types_array;
2155
2156 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2157
2158 return status;
2159 }
2160
2161 /*******************************************************************
2162 _samr_OpenUser
2163 ********************************************************************/
2164
2165 NTSTATUS _samr_OpenUser(pipes_struct *p,
2166 struct samr_OpenUser *r)
2167 {
2168 struct samu *sampass=NULL;
2169 DOM_SID sid;
2170 POLICY_HND domain_pol = *r->in.domain_handle;
2171 POLICY_HND *user_pol = r->out.user_handle;
2172 struct samr_info *info = NULL;
2173 SEC_DESC *psd = NULL;
2174 uint32 acc_granted;
2175 uint32 des_access = r->in.access_mask;
2176 size_t sd_size;
2177 bool ret;
2178 NTSTATUS nt_status;
2179 SE_PRIV se_rights;
2180
2181 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2182
2183 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2184 return NT_STATUS_INVALID_HANDLE;
2185
2186 nt_status = access_check_samr_function(acc_granted,
2187 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2188 "_samr_OpenUser" );
2189
2190 if ( !NT_STATUS_IS_OK(nt_status) )
2191 return nt_status;
2192
2193 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2194 return NT_STATUS_NO_MEMORY;
2195 }
2196
2197 /* append the user's RID to it */
2198
2199 if (!sid_append_rid(&sid, r->in.rid))
2200 return NT_STATUS_NO_SUCH_USER;
2201
2202 /* check if access can be granted as requested by client. */
2203
2204 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
2205
2206 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2207 se_map_generic(&des_access, &usr_generic_mapping);
2208
2209 se_priv_copy( &se_rights, &se_machine_account );
2210 se_priv_add( &se_rights, &se_add_users );
2211
2212 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2213 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2214 &acc_granted, "_samr_OpenUser");
2215
2216 if ( !NT_STATUS_IS_OK(nt_status) )
2217 return nt_status;
2218
2219 become_root();
2220 ret=pdb_getsampwsid(sampass, &sid);
2221 unbecome_root();
2222
2223 /* check that the SID exists in our domain. */
2224 if (ret == False) {
2225 return NT_STATUS_NO_SUCH_USER;
2226 }
2227
2228 TALLOC_FREE(sampass);
2229
2230 /* associate the user's SID and access bits with the new handle. */
2231 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2232 return NT_STATUS_NO_MEMORY;
2233 info->acc_granted = acc_granted;
2234
2235 /* get a (unique) handle. open a policy on it. */
2236 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
2237 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2238
2239 return NT_STATUS_OK;
2240 }
2241
2242 /*************************************************************************
2243 *************************************************************************/
2244
2245 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2246 DATA_BLOB *blob,
2247 struct lsa_BinaryString **_r)
2248 {
2249 struct lsa_BinaryString *r;
2250
2251 if (!blob || !_r) {
2252 return NT_STATUS_INVALID_PARAMETER;
2253 }
2254
2255 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2256 if (!r) {
2257 return NT_STATUS_NO_MEMORY;
2258 }
2259
2260 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2261 if (!r->array) {
2262 return NT_STATUS_NO_MEMORY;
2263 }
2264 memcpy(r->array, blob->data, blob->length);
2265 r->size = blob->length;
2266 r->length = blob->length;
2267
2268 if (!r->array) {
2269 return NT_STATUS_NO_MEMORY;
2270 }
2271
2272 *_r = r;
2273
2274 return NT_STATUS_OK;
2275 }
2276
2277 /*************************************************************************
2278 get_user_info_7. Safe. Only gives out account_name.
2279 *************************************************************************/
2280
2281 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2282 struct samr_UserInfo7 *r,
2283 DOM_SID *user_sid)
2284 {
2285 struct samu *smbpass=NULL;
2286 bool ret;
2287 const char *account_name = NULL;
2288
2289 ZERO_STRUCTP(r);
2290
2291 if ( !(smbpass = samu_new( mem_ctx )) ) {
2292 return NT_STATUS_NO_MEMORY;
2293 }
2294
2295 become_root();
2296 ret = pdb_getsampwsid(smbpass, user_sid);
2297 unbecome_root();
2298
2299 if ( !ret ) {
2300 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2301 return NT_STATUS_NO_SUCH_USER;
2302 }
2303
2304 account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2305 if (!account_name) {
2306 TALLOC_FREE(smbpass);
2307 return NT_STATUS_NO_MEMORY;
2308 }
2309 TALLOC_FREE(smbpass);
2310
2311 DEBUG(3,("User:[%s]\n", account_name));
2312
2313 init_samr_user_info7(r, account_name);
2314
2315 return NT_STATUS_OK;
2316 }
2317
2318 /*************************************************************************
2319 get_user_info_9. Only gives out primary group SID.
2320 *************************************************************************/
2321
2322 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2323 struct samr_UserInfo9 *r,
2324 DOM_SID *user_sid)
2325 {
2326 struct samu *smbpass=NULL;
2327 bool ret;
2328
2329 ZERO_STRUCTP(r);
2330
2331 if ( !(smbpass = samu_new( mem_ctx )) ) {
2332 return NT_STATUS_NO_MEMORY;
2333 }
2334
2335 become_root();
2336 ret = pdb_getsampwsid(smbpass, user_sid);
2337 unbecome_root();
2338
2339 if (ret==False) {
2340 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2341 TALLOC_FREE(smbpass);
2342 return NT_STATUS_NO_SUCH_USER;
2343 }
2344
2345 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2346
2347 init_samr_user_info9(r, pdb_get_group_rid(smbpass));
2348
2349 TALLOC_FREE(smbpass);
2350
2351 return NT_STATUS_OK;
2352 }
2353
2354 /*************************************************************************
2355 get_user_info_16. Safe. Only gives out acb bits.
2356 *************************************************************************/
2357
2358 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2359 struct samr_UserInfo16 *r,
2360 DOM_SID *user_sid)
2361 {
2362 struct samu *smbpass=NULL;
2363 bool ret;
2364
2365 ZERO_STRUCTP(r);
2366
2367 if ( !(smbpass = samu_new( mem_ctx )) ) {
2368 return NT_STATUS_NO_MEMORY;
2369 }
2370
2371 become_root();
2372 ret = pdb_getsampwsid(smbpass, user_sid);
2373 unbecome_root();
2374
2375 if (ret==False) {
2376 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2377 TALLOC_FREE(smbpass);
2378 return NT_STATUS_NO_SUCH_USER;
2379 }
2380
2381 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2382
2383 init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass));
2384
2385 TALLOC_FREE(smbpass);
2386
2387 return NT_STATUS_OK;
2388 }
2389
2390 /*************************************************************************
2391 get_user_info_18. OK - this is the killer as it gives out password info.
2392 Ensure that this is only allowed on an encrypted connection with a root
2393 user. JRA.
2394 *************************************************************************/
2395
2396 static NTSTATUS get_user_info_18(pipes_struct *p,
2397 TALLOC_CTX *mem_ctx,
2398 struct samr_UserInfo18 *r,
2399 DOM_SID *user_sid)
2400 {
2401 struct samu *smbpass=NULL;
2402 bool ret;
2403
2404 ZERO_STRUCTP(r);
2405
2406 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2407 return NT_STATUS_ACCESS_DENIED;
2408 }
2409
2410 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2411 return NT_STATUS_ACCESS_DENIED;
2412 }
2413
2414 /*
2415 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2416 */
2417
2418 if ( !(smbpass = samu_new( mem_ctx )) ) {
2419 return NT_STATUS_NO_MEMORY;
2420 }
2421
2422 ret = pdb_getsampwsid(smbpass, user_sid);
2423
2424 if (ret == False) {
2425 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2426 TALLOC_FREE(smbpass);
2427 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2428 }
2429
2430 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2431
2432 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2433 TALLOC_FREE(smbpass);
2434 return NT_STATUS_ACCOUNT_DISABLED;
2435 }
2436
2437 init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass),
2438 pdb_get_nt_passwd(smbpass));
2439
2440 TALLOC_FREE(smbpass);
2441
2442 return NT_STATUS_OK;
2443 }
2444
2445 /*************************************************************************
2446 get_user_info_20
2447 *************************************************************************/
2448
2449 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2450 struct samr_UserInfo20 *r,
2451 DOM_SID *user_sid)
2452 {
2453 struct samu *sampass=NULL;
2454 bool ret;
2455 const char *munged_dial = NULL;
2456 DATA_BLOB blob;
2457 NTSTATUS status;
2458 struct lsa_BinaryString *parameters = NULL;
2459
2460 ZERO_STRUCTP(r);
2461
2462 if ( !(sampass = samu_new( mem_ctx )) ) {
2463 return NT_STATUS_NO_MEMORY;
2464 }
2465
2466 become_root();
2467 ret = pdb_getsampwsid(sampass, user_sid);
2468 unbecome_root();
2469
2470 if (ret == False) {
2471 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2472 TALLOC_FREE(sampass);
2473 return NT_STATUS_NO_SUCH_USER;
2474 }
2475
2476 munged_dial = pdb_get_munged_dial(sampass);
2477
2478 samr_clear_sam_passwd(sampass);
2479
2480 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2481 munged_dial, (int)strlen(munged_dial)));
2482
2483 if (munged_dial) {
2484 blob = base64_decode_data_blob(munged_dial);
2485 } else {
2486 blob = data_blob_string_const("");
2487 }
2488
2489 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2490 data_blob_free(&blob);
2491 TALLOC_FREE(sampass);
2492 if (!NT_STATUS_IS_OK(status)) {
2493 return status;
2494 }
2495
2496 init_samr_user_info20(r, parameters);
2497
2498 return NT_STATUS_OK;
2499 }
2500
2501
2502 /*************************************************************************
2503 get_user_info_21
2504 *************************************************************************/
2505
2506 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2507 struct samr_UserInfo21 *r,
2508 DOM_SID *user_sid,
2509 DOM_SID *domain_sid)
2510 {
2511 NTSTATUS status;
2512 struct samu *pw = NULL;
2513 bool ret;
2514 const DOM_SID *sid_user, *sid_group;
2515 uint32_t rid, primary_gid;
2516 NTTIME last_logon, last_logoff, last_password_change,
2517 acct_expiry, allow_password_change, force_password_change;
2518 time_t must_change_time;
2519 uint8_t password_expired;
2520 const char *account_name, *full_name, *home_directory, *home_drive,
2521 *logon_script, *profile_path, *description,
2522 *workstations, *comment;
2523 struct samr_LogonHours logon_hours;
2524 struct lsa_BinaryString *parameters = NULL;
2525 const char *munged_dial = NULL;
2526 DATA_BLOB blob;
2527
2528 ZERO_STRUCTP(r);
2529
2530 if (!(pw = samu_new(mem_ctx))) {
2531 return NT_STATUS_NO_MEMORY;
2532 }
2533
2534 become_root();
2535 ret = pdb_getsampwsid(pw, user_sid);
2536 unbecome_root();
2537
2538 if (ret == False) {
2539 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2540 TALLOC_FREE(pw);
2541 return NT_STATUS_NO_SUCH_USER;
2542 }
2543
2544 samr_clear_sam_passwd(pw);
2545
2546 DEBUG(3,("User:[%s]\n", pdb_get_username(pw)));
2547
2548 sid_user = pdb_get_user_sid(pw);
2549
2550 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2551 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2552 "the domain sid %s. Failing operation.\n",
2553 pdb_get_username(pw), sid_string_dbg(sid_user),
2554 sid_string_dbg(domain_sid)));
2555 TALLOC_FREE(pw);
2556 return NT_STATUS_UNSUCCESSFUL;
2557 }
2558
2559 become_root();
2560 sid_group = pdb_get_group_sid(pw);
2561 unbecome_root();
2562
2563 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2564 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2565 "which conflicts with the domain sid %s. Failing operation.\n",
2566 pdb_get_username(pw), sid_string_dbg(sid_group),
2567 sid_string_dbg(domain_sid)));
2568 TALLOC_FREE(pw);
2569 return NT_STATUS_UNSUCCESSFUL;
2570 }
2571
2572 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2573 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2574 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2575 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2576 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw));
2577
2578 must_change_time = pdb_get_pass_must_change_time(pw);
2579 if (must_change_time == get_time_t_max()) {
2580 unix_to_nt_time_abs(&force_password_change, must_change_time);
2581 } else {
2582 unix_to_nt_time(&force_password_change, must_change_time);
2583 }
2584
2585 if (pdb_get_pass_must_change_time(pw) == 0) {
2586 password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
2587 } else {
2588 password_expired = 0;
2589 }
2590
2591 munged_dial = pdb_get_munged_dial(pw);
2592 if (munged_dial) {
2593 blob = base64_decode_data_blob(munged_dial);
2594 } else {
2595 blob = data_blob_string_const("");
2596 }
2597
2598 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2599 data_blob_free(&blob);
2600 if (!NT_STATUS_IS_OK(status)) {
2601 TALLOC_FREE(pw);
2602 return status;
2603 }
2604
2605 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2606 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2607 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2608 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2609 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2610 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2611 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2612 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2613 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2614
2615 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2616 #if 0
2617
2618 /*
2619 Look at a user on a real NT4 PDC with usrmgr, press
2620 'ok'. Then you will see that fields_present is set to
2621 0x08f827fa. Look at the user immediately after that again,
2622 and you will see that 0x00fffff is returned. This solves
2623 the problem that you get access denied after having looked
2624 at the user.
2625 -- Volker
2626 */
2627
2628 #endif
2629
2630 init_samr_user_info21(r,
2631 last_logon,
2632 last_logoff,
2633 last_password_change,
2634 acct_expiry,
2635 allow_password_change,
2636 force_password_change,
2637 account_name,
2638 full_name,
2639 home_directory,
2640 home_drive,
2641 logon_script,
2642 profile_path,
2643 description,
2644 workstations,
2645 comment,
2646 parameters,
2647 rid,
2648 primary_gid,
2649 pdb_get_acct_ctrl(pw),
2650 pdb_build_fields_present(pw),
2651 logon_hours,
2652 pdb_get_bad_password_count(pw),
2653 pdb_get_logon_count(pw),
2654 0, /* country_code */
2655 0, /* code_page */
2656 0, /* nt_password_set */
2657 0, /* lm_password_set */
2658 password_expired);
2659 TALLOC_FREE(pw);
2660
2661 return NT_STATUS_OK;
2662 }
2663
2664 /*******************************************************************
2665 _samr_QueryUserInfo
2666 ********************************************************************/
2667
2668 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2669 struct samr_QueryUserInfo *r)
2670 {
2671 NTSTATUS status;
2672 union samr_UserInfo *user_info = NULL;
2673 struct samr_info *info = NULL;
2674 DOM_SID domain_sid;
2675 uint32 rid;
2676
2677 /* search for the handle */
2678 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2679 return NT_STATUS_INVALID_HANDLE;
2680
2681 domain_sid = info->sid;
2682
2683 sid_split_rid(&domain_sid, &rid);
2684
2685 if (!sid_check_is_in_our_domain(&info->sid))
2686 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2687
2688 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2689 sid_string_dbg(&info->sid)));
2690
2691 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2692 if (!user_info) {
2693 return NT_STATUS_NO_MEMORY;
2694 }
2695
2696 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2697
2698 switch (r->in.level) {
2699 case 7:
2700 status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid);
2701 if (!NT_STATUS_IS_OK(status)) {
2702 return status;
2703 }
2704 break;
2705 case 9:
2706 status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid);
2707 if (!NT_STATUS_IS_OK(status)) {
2708 return status;
2709 }
2710 break;
2711 case 16:
2712 status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid);
2713 if (!NT_STATUS_IS_OK(status)) {
2714 return status;
2715 }
2716 break;
2717
2718 case 18:
2719 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2720 if (!NT_STATUS_IS_OK(status)) {
2721 return status;
2722 }
2723 break;
2724
2725 case 20:
2726 status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid);
2727 if (!NT_STATUS_IS_OK(status)) {
2728 return status;
2729 }
2730 break;
2731
2732 case 21:
2733 status = get_user_info_21(p->mem_ctx, &user_info->info21,
2734 &info->sid, &domain_sid);
2735 if (!NT_STATUS_IS_OK(status)) {
2736 return status;
2737 }
2738 break;
2739
2740 default:
2741 return NT_STATUS_INVALID_INFO_CLASS;
2742 }
2743
2744 *r->out.info = user_info;
2745
2746 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2747
2748 return status;
2749 }
2750
2751 /*******************************************************************
2752 _samr_GetGroupsForUser
2753 ********************************************************************/
2754
2755 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2756 struct samr_GetGroupsForUser *r)
2757 {
2758 struct samu *sam_pass=NULL;
2759 DOM_SID sid;
2760 DOM_SID *sids;
2761 struct samr_RidWithAttribute dom_gid;
2762 struct samr_RidWithAttribute *gids = NULL;
2763 uint32 primary_group_rid;
2764 size_t num_groups = 0;
2765 gid_t *unix_gids;
2766 size_t i, num_gids;
2767 uint32 acc_granted;
2768 bool ret;
2769 NTSTATUS result;
2770 bool success = False;
2771
2772 struct samr_RidWithAttributeArray *rids = NULL;
2773
2774 /*
2775 * from the SID in the request:
2776 * we should send back the list of DOMAIN GROUPS
2777 * the user is a member of
2778 *
2779 * and only the DOMAIN GROUPS
2780 * no ALIASES !!! neither aliases of the domain
2781 * nor aliases of the builtin SID
2782 *
2783 * JFM, 12/2/2001
2784 */
2785
2786 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2787
2788 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2789 if (!rids) {
2790 return NT_STATUS_NO_MEMORY;
2791 }
2792
2793 /* find the policy handle. open a policy on it. */
2794 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2795 return NT_STATUS_INVALID_HANDLE;
2796
2797 result = access_check_samr_function(acc_granted,
2798 SA_RIGHT_USER_GET_GROUPS,
2799 "_samr_GetGroupsForUser");
2800 if (!NT_STATUS_IS_OK(result)) {
2801 return result;
2802 }
2803
2804 if (!sid_check_is_in_our_domain(&sid))
2805 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2806
2807 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2808 return NT_STATUS_NO_MEMORY;
2809 }
2810
2811 become_root();
2812 ret = pdb_getsampwsid(sam_pass, &sid);
2813 unbecome_root();
2814
2815 if (!ret) {
2816 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2817 sid_string_dbg(&sid)));
2818 return NT_STATUS_NO_SUCH_USER;
2819 }
2820
2821 sids = NULL;
2822
2823 /* make both calls inside the root block */
2824 become_root();
2825 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2826 &sids, &unix_gids, &num_groups);
2827 if ( NT_STATUS_IS_OK(result) ) {
2828 success = sid_peek_check_rid(get_global_sam_sid(),
2829 pdb_get_group_sid(sam_pass),
2830 &primary_group_rid);
2831 }
2832 unbecome_root();
2833
2834 if (!NT_STATUS_IS_OK(result)) {
2835 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2836 sid_string_dbg(&sid)));
2837 return result;
2838 }
2839
2840 if ( !success ) {
2841 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2842 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2843 pdb_get_username(sam_pass)));
2844 TALLOC_FREE(sam_pass);
2845 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2846 }
2847
2848 gids = NULL;
2849 num_gids = 0;
2850
2851 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2852 SE_GROUP_ENABLED);
2853 dom_gid.rid = primary_group_rid;
2854 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2855
2856 for (i=0; i<num_groups; i++) {
2857
2858 if (!sid_peek_check_rid(get_global_sam_sid(),
2859 &(sids[i]), &dom_gid.rid)) {
2860 DEBUG(10, ("Found sid %s not in our domain\n",
2861 sid_string_dbg(&sids[i])));
2862 continue;
2863 }
2864
2865 if (dom_gid.rid == primary_group_rid) {
2866 /* We added the primary group directly from the
2867 * sam_account. The other SIDs are unique from
2868 * enum_group_memberships */
2869 continue;
2870 }
2871
2872 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2873 }
2874
2875 rids->count = num_gids;
2876 rids->rids = gids;
2877
2878 *r->out.rids = rids;
2879
2880 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2881
2882 return result;
2883 }
2884
2885 /*******************************************************************
2886 samr_QueryDomainInfo_internal
2887 ********************************************************************/
2888
2889 static NTSTATUS samr_QueryDomainInfo_internal(const char *fn_name,
2890 pipes_struct *p,
2891 struct policy_handle *handle,
2892 uint32_t level,
2893 union samr_DomainInfo **dom_info_ptr)
2894 {
2895 NTSTATUS status = NT_STATUS_OK;
2896 struct samr_info *info = NULL;
2897 union samr_DomainInfo *dom_info;
2898 uint32 min_pass_len,pass_hist,password_properties;
2899 time_t u_expire, u_min_age;
2900 NTTIME nt_expire, nt_min_age;
2901
2902 time_t u_lock_duration, u_reset_time;
2903 NTTIME nt_lock_duration, nt_reset_time;
2904 uint32 lockout;
2905 time_t u_logout;
2906 NTTIME nt_logout;
2907
2908 uint32 account_policy_temp;
2909
2910 time_t seq_num;
2911 uint32 server_role;
2912
2913 uint32 num_users=0, num_groups=0, num_aliases=0;
2914
2915 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
2916
2917 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2918 if (!dom_info) {
2919 return NT_STATUS_NO_MEMORY;
2920 }
2921
2922 *dom_info_ptr = dom_info;
2923
2924 /* find the policy handle. open a policy on it. */
2925 if (!find_policy_by_hnd(p, handle, (void **)(void *)&info)) {
2926 return NT_STATUS_INVALID_HANDLE;
2927 }
2928
2929 switch (level) {
2930 case 0x01:
2931
2932 become_root();
2933
2934 /* AS ROOT !!! */
2935
2936 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2937 min_pass_len = account_policy_temp;
2938
2939 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2940 pass_hist = account_policy_temp;
2941
2942 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2943 password_properties = account_policy_temp;
2944
2945 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2946 u_expire = account_policy_temp;
2947
2948 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2949 u_min_age = account_policy_temp;
2950
2951 /* !AS ROOT */
2952
2953 unbecome_root();
2954
2955 unix_to_nt_time_abs(&nt_expire, u_expire);
2956 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2957
2958 if (lp_check_password_script() && *lp_check_password_script()) {
2959 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2960 }
2961
2962 init_samr_DomInfo1(&dom_info->info1,
2963 (uint16)min_pass_len,
2964 (uint16)pass_hist,
2965 password_properties,
2966 nt_expire,
2967 nt_min_age);
2968 break;
2969 case 0x02:
2970
2971 become_root();
2972
2973 /* AS ROOT !!! */
2974
2975 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2976 num_groups = count_sam_groups(info->disp_info);
2977 num_aliases = count_sam_aliases(info->disp_info);
2978
2979 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2980 u_logout = account_policy_temp;
2981
2982 unix_to_nt_time_abs(&nt_logout, u_logout);
2983
2984 if (!pdb_get_seq_num(&seq_num))
2985 seq_num = time(NULL);
2986
2987 /* !AS ROOT */
2988
2989 unbecome_root();
2990
2991 server_role = ROLE_DOMAIN_PDC;
2992 if (lp_server_role() == ROLE_DOMAIN_BDC)
2993 server_role = ROLE_DOMAIN_BDC;
2994
2995 init_samr_DomInfo2(&dom_info->info2,
2996 nt_logout,
2997 lp_serverstring(),
2998 lp_workgroup(),
2999 global_myname(),
3000 seq_num,
3001 1,
3002 server_role,
3003 1,
3004 num_users,
3005 num_groups,
3006 num_aliases);
3007 break;
3008 case 0x03:
3009
3010 become_root();
3011
3012 /* AS ROOT !!! */
3013
3014 {
3015 uint32 ul;
3016 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3017 u_logout = (time_t)ul;
3018 }
3019
3020 /* !AS ROOT */
3021
3022 unbecome_root();
3023
3024 unix_to_nt_time_abs(&nt_logout, u_logout);
3025
3026 init_samr_DomInfo3(&dom_info->info3,
3027 nt_logout);
3028
3029 break;
3030 case 0x04:
3031 init_samr_DomInfo4(&dom_info->info4,
3032 lp_serverstring());
3033 break;
3034 case 0x05:
3035 init_samr_DomInfo5(&dom_info->info5,
3036 get_global_sam_name());
3037 break;
3038 case 0x06:
3039 /* NT returns its own name when a PDC. win2k and later
3040 * only the name of the PDC if itself is a BDC (samba4
3041 * idl) */
3042 init_samr_DomInfo6(&dom_info->info6,
3043 global_myname());
3044 break;
3045 case 0x07:
3046 server_role = ROLE_DOMAIN_PDC;
3047 if (lp_server_role() == ROLE_DOMAIN_BDC)
3048 server_role = ROLE_DOMAIN_BDC;
3049
3050 init_samr_DomInfo7(&dom_info->info7,
3051 server_role);
3052 break;
3053 case 0x08:
3054
3055 become_root();
3056
3057 /* AS ROOT !!! */
3058
3059 if (!pdb_get_seq_num(&seq_num)) {
3060 seq_num = time(NULL);
3061 }
3062
3063 /* !AS ROOT */
3064
3065 unbecome_root();
3066
3067 init_samr_DomInfo8(&dom_info->info8,
3068 seq_num,
3069 0);
3070 break;
3071 case 0x0c:
3072
3073 become_root();
3074
3075 /* AS ROOT !!! */
3076
3077 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3078 u_lock_duration = account_policy_temp;
3079 if (u_lock_duration != -1) {
3080 u_lock_duration *= 60;
3081 }
3082
3083 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3084 u_reset_time = account_policy_temp * 60;
3085
3086 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3087 lockout = account_policy_temp;
3088
3089 /* !AS ROOT */
3090
3091 unbecome_root();
3092
3093 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
3094 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
3095
3096 init_samr_DomInfo12(&dom_info->info12,
3097 nt_lock_duration,
3098 nt_reset_time,
3099 (uint16)lockout);
3100 break;
3101 default:
3102 return NT_STATUS_INVALID_INFO_CLASS;
3103 }
3104
3105 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
3106
3107 return status;
3108 }
3109
3110 /*******************************************************************
3111 _samr_QueryDomainInfo
3112 ********************************************************************/
3113
3114 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
3115 struct samr_QueryDomainInfo *r)
3116 {
3117 return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo",
3118 p,
3119 r->in.domain_handle,
3120 r->in.level,
3121 r->out.info);
3122 }
3123
3124 /* W2k3 seems to use the same check for all 3 objects that can be created via
3125 * SAMR, if you try to create for example "Dialup" as an alias it says
3126 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3127 * database. */
3128
3129 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3130 {
3131 enum lsa_SidType type;
3132 bool result;
3133
3134 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3135
3136 become_root();
3137 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3138 * whether the name already exists */
3139 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3140 NULL, NULL, NULL, &type);
3141 unbecome_root();
3142
3143 if (!result) {
3144 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3145 return NT_STATUS_OK;
3146 }
3147
3148 DEBUG(5, ("trying to create %s, exists as %s\n",
3149 new_name, sid_type_lookup(type)));
3150
3151 if (type == SID_NAME_DOM_GRP) {
3152 return NT_STATUS_GROUP_EXISTS;
3153 }
3154 if (type == SID_NAME_ALIAS) {
3155 return NT_STATUS_ALIAS_EXISTS;
3156 }
3157
3158 /* Yes, the default is NT_STATUS_USER_EXISTS */
3159 return NT_STATUS_USER_EXISTS;
3160 }
3161
3162 /*******************************************************************
3163 _samr_CreateUser2
3164 ********************************************************************/
3165
3166 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3167 struct samr_CreateUser2 *r)
3168 {
3169 const char *account = NULL;
3170 DOM_SID sid;
3171 POLICY_HND dom_pol = *r->in.domain_handle;
3172 uint32_t acb_info = r->in.acct_flags;
3173 POLICY_HND *user_pol = r->out.user_handle;
3174 struct samr_info *info = NULL;
3175 NTSTATUS nt_status;
3176 uint32 acc_granted;
3177 SEC_DESC *psd;
3178 size_t sd_size;
3179 /* check this, when giving away 'add computer to domain' privs */
3180 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3181 bool can_add_account = False;
3182 SE_PRIV se_rights;
3183 DISP_INFO *disp_info = NULL;
3184
3185 /* Get the domain SID stored in the domain policy */
3186 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
3187 &disp_info))
3188 return NT_STATUS_INVALID_HANDLE;
3189
3190 nt_status = access_check_samr_function(acc_granted,
3191 SA_RIGHT_DOMAIN_CREATE_USER,
3192 "_samr_CreateUser2");
3193 if (!NT_STATUS_IS_OK(nt_status)) {
3194 return nt_status;
3195 }
3196
3197 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3198 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3199 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3200 this parameter is not an account type */
3201 return NT_STATUS_INVALID_PARAMETER;
3202 }
3203
3204 account = r->in.account_name->string;
3205 if (account == NULL) {
3206 return NT_STATUS_NO_MEMORY;
3207 }
3208
3209 nt_status = can_create(p->mem_ctx, account);
3210 if (!NT_STATUS_IS_OK(nt_status)) {
3211 return nt_status;
3212 }
3213
3214 /* determine which user right we need to check based on the acb_info */
3215
3216 if ( acb_info & ACB_WSTRUST )
3217 {
3218 se_priv_copy( &se_rights, &se_machine_account );
3219 can_add_account = user_has_privileges(
3220 p->pipe_user.nt_user_token, &se_rights );
3221 }
3222 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3223 account for domain trusts and changes the ACB flags later */
3224 else if ( acb_info & ACB_NORMAL &&
3225 (account[strlen(account)-1] != '$') )
3226 {
3227 se_priv_copy( &se_rights, &se_add_users );
3228 can_add_account = user_has_privileges(
3229 p->pipe_user.nt_user_token, &se_rights );
3230 }
3231 else /* implicit assumption of a BDC or domain trust account here
3232 * (we already check the flags earlier) */
3233 {
3234 if ( lp_enable_privileges() ) {
3235 /* only Domain Admins can add a BDC or domain trust */
3236 se_priv_copy( &se_rights, &se_priv_none );
3237 can_add_account = nt_token_check_domain_rid(
3238 p->pipe_user.nt_user_token,
3239 DOMAIN_GROUP_RID_ADMINS );
3240 }
3241 }
3242
3243 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3244 uidtoname(p->pipe_user.ut.uid),
3245 can_add_account ? "True":"False" ));
3246
3247 /********** BEGIN Admin BLOCK **********/
3248
3249 if ( can_add_account )
3250 become_root();
3251
3252 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3253 r->out.rid);
3254
3255 if ( can_add_account )
3256 unbecome_root();
3257
3258 /********** END Admin BLOCK **********/
3259
3260 /* now check for failure */
3261
3262 if ( !NT_STATUS_IS_OK(nt_status) )
3263 return nt_status;
3264
3265 /* Get the user's SID */
3266
3267 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3268
3269 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3270
3271 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3272 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3273 se_map_generic(&des_access, &usr_generic_mapping);
3274
3275 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3276 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3277 &acc_granted, "_samr_CreateUser2");
3278
3279 if ( !NT_STATUS_IS_OK(nt_status) ) {
3280 return nt_status;
3281 }
3282
3283 /* associate the user's SID with the new handle. */
3284 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
3285 return NT_STATUS_NO_MEMORY;
3286 }
3287
3288 ZERO_STRUCTP(info);
3289 info->sid = sid;
3290 info->acc_granted = acc_granted;
3291
3292 /* get a (unique) handle. open a policy on it. */
3293 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
3294 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3295 }
3296
3297 /* After a "set" ensure we have no cached display info. */
3298 force_flush_samr_cache(info->disp_info);
3299
3300 *r->out.access_granted = acc_granted;
3301
3302 return NT_STATUS_OK;
3303 }
3304
3305 /*******************************************************************
3306 _samr_Connect
3307 ********************************************************************/
3308
3309 NTSTATUS _samr_Connect(pipes_struct *p,
3310 struct samr_Connect *r)
3311 {
3312 struct samr_info *info = NULL;
3313 uint32 des_access = r->in.access_mask;
3314
3315 /* Access check */
3316
3317 if (!pipe_access_check(p)) {
3318 DEBUG(3, ("access denied to _samr_Connect\n"));
3319 return NT_STATUS_ACCESS_DENIED;
3320 }
3321
3322 /* set up the SAMR connect_anon response */
3323
3324 /* associate the user's SID with the new handle. */
3325 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3326 return NT_STATUS_NO_MEMORY;
3327
3328 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
3329 was observed from a win98 client trying to enumerate users (when configured
3330 user level access control on shares) --jerry */
3331
3332 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3333
3334 se_map_generic( &des_access, &sam_generic_mapping );
3335 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
3336
3337 /* get a (unique) handle. open a policy on it. */
3338 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3339 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3340
3341 return NT_STATUS_OK;
3342 }
3343
3344 /*******************************************************************
3345 _samr_Connect2
3346 ********************************************************************/
3347
3348 NTSTATUS _samr_Connect2(pipes_struct *p,
3349 struct samr_Connect2 *r)
3350 {
3351 struct samr_info *info = NULL;
3352 SEC_DESC *psd = NULL;
3353 uint32 acc_granted;
3354 uint32 des_access = r->in.access_mask;
3355 NTSTATUS nt_status;
3356 size_t sd_size;
3357
3358
3359 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3360
3361 /* Access check */
3362
3363 if (!pipe_access_check(p)) {
3364 DEBUG(3, ("access denied to _samr_Connect2\n"));
3365 return NT_STATUS_ACCESS_DENIED;
3366 }
3367
3368 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3369
3370 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3371 se_map_generic(&des_access, &sam_generic_mapping);
3372
3373 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3374 NULL, 0, des_access, &acc_granted, "_samr_Connect2");
3375
3376 if ( !NT_STATUS_IS_OK(nt_status) )
3377 return nt_status;
3378
3379 /* associate the user's SID and access granted with the new handle. */
3380 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3381 return NT_STATUS_NO_MEMORY;
3382
3383 info->acc_granted = acc_granted;
3384 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3385
3386 /* get a (unique) handle. open a policy on it. */
3387 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3388 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3389
3390 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3391
3392 return nt_status;
3393 }
3394
3395 /*******************************************************************
3396 _samr_Connect4
3397 ********************************************************************/
3398
3399 NTSTATUS _samr_Connect4(pipes_struct *p,
3400 struct samr_Connect4 *r)
3401 {
3402 struct samr_info *info = NULL;
3403 SEC_DESC *psd = NULL;
3404 uint32 acc_granted;
3405 uint32 des_access = r->in.access_mask;
3406 NTSTATUS nt_status;
3407 size_t sd_size;
3408
3409
3410 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3411
3412 /* Access check */
3413
3414 if (!pipe_access_check(p)) {
3415 DEBUG(3, ("access denied to samr_Connect4\n"));
3416 return NT_STATUS_ACCESS_DENIED;
3417 }
3418
3419 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3420
3421 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3422 se_map_generic(&des_access, &sam_generic_mapping);
3423
3424 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3425 NULL, 0, des_access, &acc_granted, "_samr_Connect4");
3426
3427 if ( !NT_STATUS_IS_OK(nt_status) )
3428 return nt_status;
3429
3430 /* associate the user's SID and access granted with the new handle. */
3431 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3432 return NT_STATUS_NO_MEMORY;
3433
3434 info->acc_granted = acc_granted;
3435 info->status = r->in.access_mask; /* ??? */
3436
3437 /* get a (unique) handle. open a policy on it. */
3438 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3439 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3440
3441 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3442
3443 return NT_STATUS_OK;
3444 }
3445
3446 /*******************************************************************
3447 _samr_Connect5
3448 ********************************************************************/
3449
3450 NTSTATUS _samr_Connect5(pipes_struct *p,
3451 struct samr_Connect5 *r)
3452 {
3453 struct samr_info *info = NULL;
3454 SEC_DESC *psd = NULL;
3455 uint32 acc_granted;
3456 uint32 des_access = r->in.access_mask;
3457 NTSTATUS nt_status;
3458 size_t sd_size;
3459 struct samr_ConnectInfo1 info1;
3460
3461 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3462
3463 /* Access check */
3464
3465 if (!pipe_access_check(p)) {
3466 DEBUG(3, ("access denied to samr_Connect5\n"));
3467 return NT_STATUS_ACCESS_DENIED;
3468 }
3469
3470 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3471
3472 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3473 se_map_generic(&des_access, &sam_generic_mapping);
3474
3475 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3476 NULL, 0, des_access, &acc_granted, "_samr_Connect5");
3477
3478 if ( !NT_STATUS_IS_OK(nt_status) )
3479 return nt_status;
3480
3481 /* associate the user's SID and access granted with the new handle. */
3482 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3483 return NT_STATUS_NO_MEMORY;
3484
3485 info->acc_granted = acc_granted;
3486 info->status = r->in.access_mask; /* ??? */
3487
3488 /* get a (unique) handle. open a policy on it. */
3489 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3490 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3491
3492 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3493
3494 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3495 info1.unknown2 = 0;
3496
3497 *r->out.level_out = 1;
3498 r->out.info_out->info1 = info1;
3499
3500 return NT_STATUS_OK;
3501 }
3502
3503 /**********************************************************************
3504 _samr_LookupDomain
3505 **********************************************************************/
3506
3507 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3508 struct samr_LookupDomain *r)
3509 {
3510 NTSTATUS status = NT_STATUS_OK;
3511 struct samr_info *info;
3512 const char *domain_name;
3513 DOM_SID *sid = NULL;
3514
3515 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3516 return NT_STATUS_INVALID_HANDLE;
3517
3518 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
3519 Reverted that change so we will work with RAS servers again */
3520
3521 status = access_check_samr_function(info->acc_granted,
3522 SA_RIGHT_SAM_OPEN_DOMAIN,
3523 "_samr_LookupDomain");
3524 if (!NT_STATUS_IS_OK(status)) {
3525 return status;
3526 }
3527
3528 domain_name = r->in.domain_name->string;
3529
3530 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3531 if (!sid) {
3532 return NT_STATUS_NO_MEMORY;
3533 }
3534
3535 if (strequal(domain_name, builtin_domain_name())) {
3536 sid_copy(sid, &global_sid_Builtin);
3537 } else {
3538 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3539 status = NT_STATUS_NO_SUCH_DOMAIN;
3540 }
3541 }
3542
3543 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3544 sid_string_dbg(sid)));
3545
3546 *r->out.sid = sid;
3547
3548 return status;
3549 }
3550
3551 /**********************************************************************
3552 _samr_EnumDomains
3553 **********************************************************************/
3554
3555 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3556 struct samr_EnumDomains *r)
3557 {
3558 NTSTATUS status;
3559 struct samr_info *info;
3560 uint32_t num_entries = 2;
3561 struct samr_SamEntry *entry_array = NULL;
3562 struct samr_SamArray *sam;
3563
3564 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3565 return NT_STATUS_INVALID_HANDLE;
3566
3567 status = access_check_samr_function(info->acc_granted,
3568 SA_RIGHT_SAM_ENUM_DOMAINS,
3569 "_samr_EnumDomains");
3570 if (!NT_STATUS_IS_OK(status)) {
3571 return status;
3572 }
3573
3574 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3575 if (!sam) {
3576 return NT_STATUS_NO_MEMORY;
3577 }
3578
3579 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3580 struct samr_SamEntry,
3581 num_entries);
3582 if (!entry_array) {
3583 return NT_STATUS_NO_MEMORY;
3584 }
3585
3586 entry_array[0].idx = 0;
3587 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3588
3589 entry_array[1].idx = 1;
3590 init_lsa_String(&entry_array[1].name, "Builtin");
3591
3592 sam->count = num_entries;
3593 sam->entries = entry_array;
3594
3595 *r->out.sam = sam;
3596 *r->out.num_entries = num_entries;
3597
3598 return status;
3599 }
3600
3601 /*******************************************************************
3602 _samr_OpenAlias
3603 ********************************************************************/
3604
3605 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3606 struct samr_OpenAlias *r)
3607 {
3608 DOM_SID sid;
3609 POLICY_HND domain_pol = *r->in.domain_handle;
3610 uint32 alias_rid = r->in.rid;
3611 POLICY_HND *alias_pol = r->out.alias_handle;
3612 struct samr_info *info = NULL;
3613 SEC_DESC *psd = NULL;
3614 uint32 acc_granted;
3615 uint32 des_access = r->in.access_mask;
3616 size_t sd_size;
3617 NTSTATUS status;
3618 SE_PRIV se_rights;
3619
3620 /* find the domain policy and get the SID / access bits stored in the domain policy */
3621
3622 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
3623 return NT_STATUS_INVALID_HANDLE;
3624
3625 status = access_check_samr_function(acc_granted,
3626 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
3627 "_samr_OpenAlias");
3628
3629 if ( !NT_STATUS_IS_OK(status) )
3630 return status;
3631
3632 /* append the alias' RID to it */
3633
3634 if (!sid_append_rid(&sid, alias_rid))
3635 return NT_STATUS_NO_SUCH_ALIAS;
3636
3637 /*check if access can be granted as requested by client. */
3638
3639 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3640
3641 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3642 se_map_generic(&des_access,&ali_generic_mapping);
3643
3644 se_priv_copy( &se_rights, &se_add_users );
3645
3646
3647 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3648 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3649 &acc_granted, "_samr_OpenAlias");
3650
3651 if ( !NT_STATUS_IS_OK(status) )
3652 return status;
3653
3654 {
3655 /* Check we actually have the requested alias */
3656 enum lsa_SidType type;
3657 bool result;
3658 gid_t gid;
3659
3660 become_root();
3661 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3662 unbecome_root();
3663
3664 if (!result || (type != SID_NAME_ALIAS)) {
3665 return NT_STATUS_NO_SUCH_ALIAS;
3666 }
3667
3668 /* make sure there is a mapping */
3669
3670 if ( !sid_to_gid( &sid, &gid ) ) {
3671 return NT_STATUS_NO_SUCH_ALIAS;
3672 }
3673
3674 }
3675
3676 /* associate the alias SID with the new handle. */
3677 if ((info = get_samr_info_by_sid(&sid)) == NULL)
3678 return NT_STATUS_NO_MEMORY;
3679
3680 info->acc_granted = acc_granted;
3681
3682 /* get a (unique) handle. open a policy on it. */
3683 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
3684 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3685
3686 return NT_STATUS_OK;
3687 }
3688
3689 /*******************************************************************
3690 set_user_info_7
3691 ********************************************************************/
3692
3693 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3694 struct samr_UserInfo7 *id7,
3695 struct samu *pwd)
3696 {
3697 NTSTATUS rc;
3698
3699 if (id7 == NULL) {
3700 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3701 TALLOC_FREE(pwd);
3702 return NT_STATUS_ACCESS_DENIED;
3703 }
3704
3705 if (!id7->account_name.string) {
3706 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3707 TALLOC_FREE(pwd);
3708 return NT_STATUS_ACCESS_DENIED;
3709 }
3710
3711 /* check to see if the new username already exists. Note: we can't
3712 reliably lock all backends, so there is potentially the
3713 possibility that a user can be created in between this check and
3714 the rename. The rename should fail, but may not get the
3715 exact same failure status code. I think this is small enough
3716 of a window for this type of operation and the results are
3717 simply that the rename fails with a slightly different status
3718 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3719
3720 rc = can_create(mem_ctx, id7->account_name.string);
3721 if (!NT_STATUS_IS_OK(rc)) {
3722 return rc;
3723 }
3724
3725 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3726
3727 TALLOC_FREE(pwd);
3728 return rc;
3729 }
3730
3731 /*******************************************************************
3732 set_user_info_16
3733 ********************************************************************/
3734
3735 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3736 struct samu *pwd)
3737 {
3738 if (id16 == NULL) {
3739 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3740 TALLOC_FREE(pwd);
3741 return False;
3742 }
3743
3744 /* FIX ME: check if the value is really changed --metze */
3745 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3746 TALLOC_FREE(pwd);
3747 return False;
3748 }
3749
3750 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3751 TALLOC_FREE(pwd);
3752 return False;
3753 }
3754
3755 TALLOC_FREE(pwd);
3756
3757 return True;
3758 }
3759
3760 /*******************************************************************
3761 set_user_info_18
3762 ********************************************************************/
3763
3764 static bool set_user_info_18(struct samr_UserInfo18 *id18,
3765 struct samu *pwd)
3766 {
3767 if (id18 == NULL) {
3768 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3769 TALLOC_FREE(pwd);
3770 return False;
3771 }
3772
3773 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) {
3774 TALLOC_FREE(pwd);
3775 return False;
3776 }
3777 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) {
3778 TALLOC_FREE(pwd);
3779 return False;
3780 }
3781 if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) {
3782 TALLOC_FREE(pwd);
3783 return False;
3784 }
3785
3786 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3787 TALLOC_FREE(pwd);
3788 return False;
3789 }
3790
3791 TALLOC_FREE(pwd);
3792 return True;
3793 }
3794
3795 /*******************************************************************
3796 set_user_info_20
3797 ********************************************************************/
3798
3799 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3800 struct samu *pwd)
3801 {
3802 if (id20 == NULL) {
3803 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3804 return False;
3805 }
3806
3807 copy_id20_to_sam_passwd(pwd, id20);
3808
3809 /* write the change out */
3810 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3811 TALLOC_FREE(pwd);
3812 return False;
3813 }
3814
3815 TALLOC_FREE(pwd);
3816
3817 return True;
3818 }
3819
3820 /*******************************************************************
3821 set_user_info_21
3822 ********************************************************************/
3823
3824 static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
3825 struct samr_UserInfo21 *id21,
3826 struct samu *pwd)
3827 {
3828 NTSTATUS status;
3829
3830 if (id21 == NULL) {
3831 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3832 return NT_STATUS_INVALID_PARAMETER;
3833 }
3834
3835 /* we need to separately check for an account rename first */
3836
3837 if (id21->account_name.string &&
3838 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3839 {
3840
3841 /* check to see if the new username already exists. Note: we can't
3842 reliably lock all backends, so there is potentially the
3843 possibility that a user can be created in between this check and
3844 the rename. The rename should fail, but may not get the
3845 exact same failure status code. I think this is small enough
3846 of a window for this type of operation and the results are
3847 simply that the rename fails with a slightly different status
3848 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3849
3850 status = can_create(mem_ctx, id21->account_name.string);
3851 if (!NT_STATUS_IS_OK(status)) {
3852 return status;
3853 }
3854
3855 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3856
3857 if (!NT_STATUS_IS_OK(status)) {
3858 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3859 nt_errstr(status)));
3860 TALLOC_FREE(pwd);
3861 return status;
3862 }
3863
3864 /* set the new username so that later
3865 functions can work on the new account */
3866 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3867 }
3868
3869 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3870
3871 /*
3872 * The funny part about the previous two calls is
3873 * that pwd still has the password hashes from the
3874 * passdb entry. These have not been updated from
3875 * id21. I don't know if they need to be set. --jerry
3876 */
3877
3878 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3879 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3880 if ( !NT_STATUS_IS_OK(status) ) {
3881 return status;
3882 }
3883 }
3884
3885 /* Don't worry about writing out the user account since the
3886 primary group SID is generated solely from the user's Unix
3887 primary group. */
3888
3889 /* write the change out */
3890 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3891 TALLOC_FREE(pwd);
3892 return status;
3893 }
3894
3895 TALLOC_FREE(pwd);
3896
3897 return NT_STATUS_OK;
3898 }
3899
3900 /*******************************************************************
3901 set_user_info_23
3902 ********************************************************************/
3903
3904 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3905 struct samr_UserInfo23 *id23,
3906 struct samu *pwd)
3907 {
3908 char *plaintext_buf = NULL;
3909 uint32 len = 0;
3910 uint16 acct_ctrl;
3911 NTSTATUS status;
3912
3913 if (id23 == NULL) {
3914 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3915 return NT_STATUS_INVALID_PARAMETER;
3916 }
3917
3918 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3919 pdb_get_username(pwd)));
3920
3921 acct_ctrl = pdb_get_acct_ctrl(pwd);
3922
3923 if (!decode_pw_buffer(mem_ctx,
3924 id23->password.data,
3925 &plaintext_buf,
3926 &len,
3927 STR_UNICODE)) {
3928 TALLOC_FREE(pwd);
3929 return NT_STATUS_INVALID_PARAMETER;
3930 }
3931
3932 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3933 TALLOC_FREE(pwd);
3934 return NT_STATUS_ACCESS_DENIED;
3935 }
3936
3937 copy_id23_to_sam_passwd(pwd, id23);
3938
3939 /* if it's a trust account, don't update /etc/passwd */
3940 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3941 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3942 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3943 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3944 } else {
3945 /* update the UNIX password */
3946 if (lp_unix_password_sync() ) {
3947 struct passwd *passwd;
3948 if (pdb_get_username(pwd) == NULL) {
3949 DEBUG(1, ("chgpasswd: User without name???\n"));
3950 TALLOC_FREE(pwd);
3951 return NT_STATUS_ACCESS_DENIED;
3952 }
3953
3954 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3955 if (passwd == NULL) {
3956 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3957 }
3958
3959 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3960 TALLOC_FREE(pwd);
3961 return NT_STATUS_ACCESS_DENIED;
3962 }
3963 TALLOC_FREE(passwd);
3964 }
3965 }
3966
3967 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3968
3969 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3970 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3971 pwd)))) {
3972 TALLOC_FREE(pwd);
3973 return status;
3974 }
3975
3976 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3977 TALLOC_FREE(pwd);
3978 return status;
3979 }
3980
3981 TALLOC_FREE(pwd);
3982
3983 return NT_STATUS_OK;
3984 }
3985
3986 /*******************************************************************
3987 set_user_info_pw
3988 ********************************************************************/
3989
3990 static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
3991 int level)
3992 {
3993 uint32 len = 0;
3994 char *plaintext_buf = NULL;
3995 uint32 acct_ctrl;
3996 time_t last_set_time;
3997 enum pdb_value_state last_set_state;
3998
3999 DEBUG(5, ("Attempting administrator password change for user %s\n",
4000 pdb_get_username(pwd)));
4001
4002 acct_ctrl = pdb_get_acct_ctrl(pwd);
4003 /* we need to know if it's expired, because this is an admin change, not a
4004 user change, so it's still expired when we're done */
4005 last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
4006 last_set_time = pdb_get_pass_last_set_time(pwd);
4007
4008 if (!decode_pw_buffer(talloc_tos(),
4009 pass,
4010 &plaintext_buf,
4011 &len,
4012 STR_UNICODE)) {
4013 TALLOC_FREE(pwd);
4014 return False;
4015 }
4016
4017 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4018 TALLOC_FREE(pwd);
4019 return False;
4020 }
4021
4022 /* if it's a trust account, don't update /etc/passwd */
4023 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4024 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4025 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4026 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4027 } else {
4028 /* update the UNIX password */
4029 if (lp_unix_password_sync()) {
4030 struct passwd *passwd;
4031
4032 if (pdb_get_username(pwd) == NULL) {
4033 DEBUG(1, ("chgpasswd: User without name???\n"));
4034 TALLOC_FREE(pwd);
4035 return False;
4036 }
4037
4038 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4039 if (passwd == NULL) {
4040 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4041 }
4042
4043 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4044 TALLOC_FREE(pwd);
4045 return False;
4046 }
4047 TALLOC_FREE(passwd);
4048 }
4049 }
4050
4051 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4052
4053 /*
4054 * A level 25 change does reset the pwdlastset field, a level 24
4055 * change does not. I know this is probably not the full story, but
4056 * it is needed to make XP join LDAP correctly, without it the later
4057 * auth2 check can fail with PWD_MUST_CHANGE.
4058 */
4059 if (level != 25) {
4060 /*
4061 * restore last set time as this is an admin change, not a
4062 * user pw change
4063 */
4064 pdb_set_pass_last_set_time (pwd, last_set_time,
4065 last_set_state);
4066 }
4067
4068 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4069
4070 /* update the SAMBA password */
4071 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
4072 TALLOC_FREE(pwd);
4073 return False;
4074 }
4075
4076 TALLOC_FREE(pwd);
4077
4078 return True;
4079 }
4080
4081 /*******************************************************************
4082 set_user_info_25
4083 ********************************************************************/
4084
4085 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4086 struct samr_UserInfo25 *id25,
4087 struct samu *pwd)
4088 {
4089 NTSTATUS status;
4090
4091 if (id25 == NULL) {
4092 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4093 return NT_STATUS_INVALID_PARAMETER;
4094 }
4095
4096 copy_id25_to_sam_passwd(pwd, id25);
4097
4098 /* write the change out */
4099 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4100 TALLOC_FREE(pwd);
4101 return status;
4102 }
4103
4104 /*
4105 * We need to "pdb_update_sam_account" before the unix primary group
4106 * is set, because the idealx scripts would also change the
4107 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4108 * the delete explicit / add explicit, which would then fail to find
4109 * the previous primaryGroupSid value.
4110 */
4111
4112 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4113 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4114 if ( !NT_STATUS_IS_OK(status) ) {
4115 return status;
4116 }
4117 }
4118
4119 /* WARNING: No TALLOC_FREE(pwd), we are about to set the password
4120 * hereafter! */
4121
4122 return NT_STATUS_OK;
4123 }
4124
4125 /*******************************************************************
4126 samr_SetUserInfo_internal
4127 ********************************************************************/
4128
4129 static NTSTATUS samr_SetUserInfo_internal(const char *fn_name,
4130 pipes_struct *p,
4131 struct policy_handle *user_handle,
4132 uint16_t level,
4133 union samr_UserInfo *info)
4134 {
4135 NTSTATUS status;
4136 struct samu *pwd = NULL;
4137 DOM_SID sid;
4138 POLICY_HND *pol = user_handle;
4139 uint16_t switch_value = level;
4140 uint32_t acc_granted;
4141 uint32_t acc_required;
4142 bool ret;
4143 bool has_enough_rights = False;
4144 uint32_t acb_info;
4145 DISP_INFO *disp_info = NULL;
4146
4147 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
4148
4149 /* find the policy handle. open a policy on it. */
4150 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
4151 return NT_STATUS_INVALID_HANDLE;
4152 }
4153
4154 /* This is tricky. A WinXP domain join sets
4155 (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
4156 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4157 standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
4158 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4159 we'll use the set from the WinXP join as the basis. */
4160
4161 switch (switch_value) {
4162 case 18:
4163 case 24:
4164 case 25:
4165 case 26:
4166 acc_required = SA_RIGHT_USER_SET_PASSWORD;
4167 break;
4168 default:
4169 acc_required = SA_RIGHT_USER_SET_PASSWORD |
4170 SA_RIGHT_USER_SET_ATTRIBUTES |
4171 SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
4172 break;
4173 }
4174
4175 status = access_check_samr_function(acc_granted,
4176 acc_required,
4177 fn_name);
4178 if (!NT_STATUS_IS_OK(status)) {
4179 return status;
4180 }
4181
4182 DEBUG(5, ("%s: sid:%s, level:%d\n",
4183 fn_name, sid_string_dbg(&sid), switch_value));
4184
4185 if (info == NULL) {
4186 DEBUG(5, ("%s: NULL info level\n", fn_name));
4187 return NT_STATUS_INVALID_INFO_CLASS;
4188 }
4189
4190 if (!(pwd = samu_new(NULL))) {
4191 return NT_STATUS_NO_MEMORY;
4192 }
4193
4194 become_root();
4195 ret = pdb_getsampwsid(pwd, &sid);
4196 unbecome_root();
4197
4198 if (!ret) {
4199 TALLOC_FREE(pwd);
4200 return NT_STATUS_NO_SUCH_USER;
4201 }
4202
4203 /* deal with machine password changes differently from userinfo changes */
4204 /* check to see if we have the sufficient rights */
4205
4206 acb_info = pdb_get_acct_ctrl(pwd);
4207 if (acb_info & ACB_WSTRUST)
4208 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4209 &se_machine_account);
4210 else if (acb_info & ACB_NORMAL)
4211 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4212 &se_add_users);
4213 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4214 if (lp_enable_privileges()) {
4215 has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
4216 DOMAIN_GROUP_RID_ADMINS);
4217 }
4218 }
4219
4220 DEBUG(5, ("%s: %s does%s possess sufficient rights\n",
4221 fn_name,
4222 uidtoname(p->pipe_user.ut.uid),
4223 has_enough_rights ? "" : " not"));
4224
4225 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4226
4227 if (has_enough_rights) {
4228 become_root();
4229 }
4230
4231 /* ok! user info levels (lots: see MSDEV help), off we go... */
4232
4233 switch (switch_value) {
4234
4235 case 7:
4236 status = set_user_info_7(p->mem_ctx,
4237 &info->info7, pwd);
4238 break;
4239
4240 case 16:
4241 if (!set_user_info_16(&info->info16, pwd)) {
4242 status = NT_STATUS_ACCESS_DENIED;
4243 }
4244 break;
4245
4246 case 18:
4247 /* Used by AS/U JRA. */
4248 if (!set_user_info_18(&info->info18, pwd)) {
4249 status = NT_STATUS_ACCESS_DENIED;
4250 }
4251 break;
4252
4253 case 20:
4254 if (!set_user_info_20(&info->info20, pwd)) {
4255 status = NT_STATUS_ACCESS_DENIED;
4256 }
4257 break;
4258
4259 case 21:
4260 status = set_user_info_21(p->mem_ctx,
4261 &info->info21, pwd);
4262 break;
4263
4264 case 23:
4265 if (!p->session_key.length) {
4266 status = NT_STATUS_NO_USER_SESSION_KEY;
4267 }
4268 SamOEMhashBlob(info->info23.password.data, 516,
4269 &p->session_key);
4270
4271 dump_data(100, info->info23.password.data, 516);
4272
4273 status = set_user_info_23(p->mem_ctx,
4274 &info->info23, pwd);
4275 break;
4276
4277 case 24:
4278 if (!p->session_key.length) {
4279 status = NT_STATUS_NO_USER_SESSION_KEY;
4280 }
4281 SamOEMhashBlob(info->info24.password.data,
4282 516,
4283 &p->session_key);
4284
4285 dump_data(100, info->info24.password.data, 516);
4286
4287 if (!set_user_info_pw(info->info24.password.data, pwd,
4288 switch_value)) {
4289 status = NT_STATUS_ACCESS_DENIED;
4290 }
4291 break;
4292
4293 case 25:
4294 if (!p->session_key.length) {
4295 status = NT_STATUS_NO_USER_SESSION_KEY;
4296 }
4297 encode_or_decode_arc4_passwd_buffer(info->info25.password.data,
4298 &p->session_key);
4299
4300 dump_data(100, info->info25.password.data, 532);
4301
4302 status = set_user_info_25(p->mem_ctx,
4303 &info->info25, pwd);
4304 if (!NT_STATUS_IS_OK(status)) {
4305 goto done;
4306 }
4307 if (!set_user_info_pw(info->info25.password.data, pwd,
4308 switch_value)) {
4309 status = NT_STATUS_ACCESS_DENIED;
4310 }
4311 break;
4312
4313 case 26:
4314 if (!p->session_key.length) {
4315 status = NT_STATUS_NO_USER_SESSION_KEY;
4316 }
4317 encode_or_decode_arc4_passwd_buffer(info->info26.password.data,
4318 &p->session_key);
4319
4320 dump_data(100, info->info26.password.data, 516);
4321
4322 if (!set_user_info_pw(info->info26.password.data, pwd,
4323 switch_value)) {
4324 status = NT_STATUS_ACCESS_DENIED;
4325 }
4326 break;
4327
4328 default:
4329 status = NT_STATUS_INVALID_INFO_CLASS;
4330 }
4331
4332 done:
4333
4334 if (has_enough_rights) {
4335 unbecome_root();
4336 }
4337
4338 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4339
4340 if (NT_STATUS_IS_OK(status)) {
4341 force_flush_samr_cache(disp_info);
4342 }
4343
4344 return status;
4345 }
4346
4347 /*******************************************************************
4348 _samr_SetUserInfo
4349 ********************************************************************/
4350
4351 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4352 struct samr_SetUserInfo *r)
4353 {
4354 return samr_SetUserInfo_internal("_samr_SetUserInfo",
4355 p,
4356 r->in.user_handle,
4357 r->in.level,
4358 r->in.info);
4359 }
4360
4361 /*******************************************************************
4362 _samr_SetUserInfo2
4363 ********************************************************************/
4364
4365 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4366 struct samr_SetUserInfo2 *r)
4367 {
4368 return samr_SetUserInfo_internal("_samr_SetUserInfo2",
4369 p,
4370 r->in.user_handle,
4371 r->in.level,
4372 r->in.info);
4373 }
4374
4375 /*********************************************************************
4376 _samr_GetAliasMembership
4377 *********************************************************************/
4378
4379 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4380 struct samr_GetAliasMembership *r)
4381 {
4382 size_t num_alias_rids;
4383 uint32 *alias_rids;
4384 struct samr_info *info = NULL;
4385 size_t i;
4386
4387 NTSTATUS ntstatus1;
4388 NTSTATUS ntstatus2;
4389
4390 DOM_SID *members;
4391
4392 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4393
4394 /* find the policy handle. open a policy on it. */
4395 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4396 return NT_STATUS_INVALID_HANDLE;
4397
4398 ntstatus1 = access_check_samr_function(info->acc_granted,
4399 SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM,
4400 "_samr_GetAliasMembership");
4401 ntstatus2 = access_check_samr_function(info->acc_granted,
4402 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
4403 "_samr_GetAliasMembership");
4404
4405 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4406 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4407 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4408 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4409 }
4410 }
4411
4412 if (!sid_check_is_domain(&info->sid) &&
4413 !sid_check_is_builtin(&info->sid))
4414 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4415
4416 if (r->in.sids->num_sids) {
4417 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4418
4419 if (members == NULL)
4420 return NT_STATUS_NO_MEMORY;
4421 } else {
4422 members = NULL;
4423 }
4424
4425 for (i=0; i<r->in.sids->num_sids; i++)
4426 sid_copy(&members[i], r->in.sids->sids[i].sid);
4427
4428 alias_rids = NULL;
4429 num_alias_rids = 0;
4430
4431 become_root();
4432 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4433 r->in.sids->num_sids,
4434 &alias_rids, &num_alias_rids);
4435 unbecome_root();
4436
4437 if (!NT_STATUS_IS_OK(ntstatus1)) {
4438 return ntstatus1;
4439 }
4440
4441 r->out.rids->count = num_alias_rids;
4442 r->out.rids->ids = alias_rids;
4443
4444 return NT_STATUS_OK;
4445 }
4446
4447 /*********************************************************************
4448 _samr_GetMembersInAlias
4449 *********************************************************************/
4450
4451 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4452 struct samr_GetMembersInAlias *r)
4453 {
4454 NTSTATUS status;
4455 size_t i;
4456 size_t num_sids = 0;
4457 struct lsa_SidPtr *sids = NULL;
4458 DOM_SID *pdb_sids = NULL;
4459
4460 DOM_SID alias_sid;
4461
4462 uint32 acc_granted;
4463
4464 /* find the policy handle. open a policy on it. */
4465 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4466 return NT_STATUS_INVALID_HANDLE;
4467
4468 status = access_check_samr_function(acc_granted,
4469 SA_RIGHT_ALIAS_GET_MEMBERS,
4470 "_samr_GetMembersInAlias");
4471 if (!NT_STATUS_IS_OK(status)) {
4472 return status;
4473 }
4474
4475 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4476
4477 become_root();
4478 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4479 unbecome_root();
4480
4481 if (!NT_STATUS_IS_OK(status)) {
4482 return status;
4483 }
4484
4485 if (num_sids) {
4486 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4487 if (sids == NULL) {
4488 TALLOC_FREE(pdb_sids);
4489 return NT_STATUS_NO_MEMORY;
4490 }
4491 }
4492
4493 for (i = 0; i < num_sids; i++) {
4494 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4495 if (!sids[i].sid) {
4496 TALLOC_FREE(pdb_sids);
4497 return NT_STATUS_NO_MEMORY;
4498 }
4499 }
4500
4501 r->out.sids->num_sids = num_sids;
4502 r->out.sids->sids = sids;
4503
4504 TALLOC_FREE(pdb_sids);
4505
4506 return NT_STATUS_OK;
4507 }
4508
4509 /*********************************************************************
4510 _samr_QueryGroupMember
4511 *********************************************************************/
4512
4513 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4514 struct samr_QueryGroupMember *r)
4515 {
4516 DOM_SID group_sid;
4517 size_t i, num_members;
4518
4519 uint32 *rid=NULL;
4520 uint32 *attr=NULL;
4521
4522 uint32 acc_granted;
4523
4524 NTSTATUS status;
4525 struct samr_RidTypeArray *rids = NULL;
4526
4527 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4528 if (!rids) {
4529 return NT_STATUS_NO_MEMORY;
4530 }
4531
4532 /* find the policy handle. open a policy on it. */
4533 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4534 return NT_STATUS_INVALID_HANDLE;
4535
4536 status = access_check_samr_function(acc_granted,
4537 SA_RIGHT_GROUP_GET_MEMBERS,
4538 "_samr_QueryGroupMember");
4539 if (!NT_STATUS_IS_OK(status)) {
4540 return status;
4541 }
4542
4543 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4544
4545 if (!sid_check_is_in_our_domain(&group_sid)) {
4546 DEBUG(3, ("sid %s is not in our domain\n",
4547 sid_string_dbg(&group_sid)));
4548 return NT_STATUS_NO_SUCH_GROUP;
4549 }
4550
4551 DEBUG(10, ("lookup on Domain SID\n"));
4552
4553 become_root();
4554 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4555 &rid, &num_members);
4556 unbecome_root();
4557
4558 if (!NT_STATUS_IS_OK(status))
4559 return status;
4560
4561 if (num_members) {
4562 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4563 if (attr == NULL) {
4564 return NT_STATUS_NO_MEMORY;
4565 }
4566 } else {
4567 attr = NULL;
4568 }
4569
4570 for (i=0; i<num_members; i++)
4571 attr[i] = SID_NAME_USER;
4572
4573 rids->count = num_members;
4574 rids->types = attr;
4575 rids->rids = rid;
4576
4577 *r->out.rids = rids;
4578
4579 return NT_STATUS_OK;
4580 }
4581
4582 /*********************************************************************
4583 _samr_AddAliasMember
4584 *********************************************************************/
4585
4586 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4587 struct samr_AddAliasMember *r)
4588 {
4589 DOM_SID alias_sid;
4590 uint32 acc_granted;
4591 SE_PRIV se_rights;
4592 bool can_add_accounts;
4593 NTSTATUS status;
4594 DISP_INFO *disp_info = NULL;
4595
4596 /* Find the policy handle. Open a policy on it. */
4597 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4598 return NT_STATUS_INVALID_HANDLE;
4599
4600 status = access_check_samr_function(acc_granted,
4601 SA_RIGHT_ALIAS_ADD_MEMBER,
4602 "_samr_AddAliasMember");
4603 if (!NT_STATUS_IS_OK(status)) {
4604 return status;
4605 }
4606
4607 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4608
4609 se_priv_copy( &se_rights, &se_add_users );
4610 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4611
4612 /******** BEGIN SeAddUsers BLOCK *********/
4613
4614 if ( can_add_accounts )
4615 become_root();
4616
4617 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4618
4619 if ( can_add_accounts )
4620 unbecome_root();
4621
4622 /******** END SeAddUsers BLOCK *********/
4623
4624 if (NT_STATUS_IS_OK(status)) {
4625 force_flush_samr_cache(disp_info);
4626 }
4627
4628 return status;
4629 }
4630
4631 /*********************************************************************
4632 _samr_DeleteAliasMember
4633 *********************************************************************/
4634
4635 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4636 struct samr_DeleteAliasMember *r)
4637 {
4638 DOM_SID alias_sid;
4639 uint32 acc_granted;
4640 SE_PRIV se_rights;
4641 bool can_add_accounts;
4642 NTSTATUS status;
4643 DISP_INFO *disp_info = NULL;
4644
4645 /* Find the policy handle. Open a policy on it. */
4646 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4647 return NT_STATUS_INVALID_HANDLE;
4648
4649 status = access_check_samr_function(acc_granted,
4650 SA_RIGHT_ALIAS_REMOVE_MEMBER,
4651 "_samr_DeleteAliasMember");
4652 if (!NT_STATUS_IS_OK(status)) {
4653 return status;
4654 }
4655
4656 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4657 sid_string_dbg(&alias_sid)));
4658
4659 se_priv_copy( &se_rights, &se_add_users );
4660 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4661
4662 /******** BEGIN SeAddUsers BLOCK *********/
4663
4664 if ( can_add_accounts )
4665 become_root();
4666
4667 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4668
4669 if ( can_add_accounts )
4670 unbecome_root();
4671
4672 /******** END SeAddUsers BLOCK *********/
4673
4674 if (NT_STATUS_IS_OK(status)) {
4675 force_flush_samr_cache(disp_info);
4676 }
4677
4678 return status;
4679 }
4680
4681 /*********************************************************************
4682 _samr_AddGroupMember
4683 *********************************************************************/
4684
4685 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4686 struct samr_AddGroupMember *r)
4687 {
4688 NTSTATUS status;
4689 DOM_SID group_sid;
4690 uint32 group_rid;
4691 uint32 acc_granted;
4692 SE_PRIV se_rights;
4693 bool can_add_accounts;
4694 DISP_INFO *disp_info = NULL;
4695
4696 /* Find the policy handle. Open a policy on it. */
4697 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4698 return NT_STATUS_INVALID_HANDLE;
4699
4700 status = access_check_samr_function(acc_granted,
4701 SA_RIGHT_GROUP_ADD_MEMBER,
4702 "_samr_AddGroupMember");
4703 if (!NT_STATUS_IS_OK(status)) {
4704 return status;
4705 }
4706
4707 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4708
4709 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4710 &group_rid)) {
4711 return NT_STATUS_INVALID_HANDLE;
4712 }
4713
4714 se_priv_copy( &se_rights, &se_add_users );
4715 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4716
4717 /******** BEGIN SeAddUsers BLOCK *********/
4718
4719 if ( can_add_accounts )
4720 become_root();
4721
4722 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4723
4724 if ( can_add_accounts )
4725 unbecome_root();
4726
4727 /******** END SeAddUsers BLOCK *********/
4728
4729 force_flush_samr_cache(disp_info);
4730
4731 return status;
4732 }
4733
4734 /*********************************************************************
4735 _samr_DeleteGroupMember
4736 *********************************************************************/
4737
4738 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4739 struct samr_DeleteGroupMember *r)
4740
4741 {
4742 NTSTATUS status;
4743 DOM_SID group_sid;
4744 uint32 group_rid;
4745 uint32 acc_granted;
4746 SE_PRIV se_rights;
4747 bool can_add_accounts;
4748 DISP_INFO *disp_info = NULL;
4749
4750 /*
4751 * delete the group member named r->in.rid
4752 * who is a member of the sid associated with the handle
4753 * the rid is a user's rid as the group is a domain group.
4754 */
4755
4756 /* Find the policy handle. Open a policy on it. */
4757 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4758 return NT_STATUS_INVALID_HANDLE;
4759
4760 status = access_check_samr_function(acc_granted,
4761 SA_RIGHT_GROUP_REMOVE_MEMBER,
4762 "_samr_DeleteGroupMember");
4763 if (!NT_STATUS_IS_OK(status)) {
4764 return status;
4765 }
4766
4767 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4768 &group_rid)) {
4769 return NT_STATUS_INVALID_HANDLE;
4770 }
4771
4772 se_priv_copy( &se_rights, &se_add_users );
4773 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4774
4775 /******** BEGIN SeAddUsers BLOCK *********/
4776
4777 if ( can_add_accounts )
4778 become_root();
4779
4780 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4781
4782 if ( can_add_accounts )
4783 unbecome_root();
4784
4785 /******** END SeAddUsers BLOCK *********/
4786
4787 force_flush_samr_cache(disp_info);
4788
4789 return status;
4790 }
4791
4792 /*********************************************************************
4793 _samr_DeleteUser
4794 *********************************************************************/
4795
4796 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4797 struct samr_DeleteUser *r)
4798 {
4799 NTSTATUS status;
4800 DOM_SID user_sid;
4801 struct samu *sam_pass=NULL;
4802 uint32 acc_granted;
4803 bool can_add_accounts;
4804 uint32 acb_info;
4805 DISP_INFO *disp_info = NULL;
4806 bool ret;
4807
4808 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4809
4810 /* Find the policy handle. Open a policy on it. */
4811 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4812 return NT_STATUS_INVALID_HANDLE;
4813
4814 status = access_check_samr_function(acc_granted,
4815 STD_RIGHT_DELETE_ACCESS,
4816 "_samr_DeleteUser");
4817 if (!NT_STATUS_IS_OK(status)) {
4818 return status;
4819 }
4820
4821 if (!sid_check_is_in_our_domain(&user_sid))
4822 return NT_STATUS_CANNOT_DELETE;
4823
4824 /* check if the user exists before trying to delete */
4825 if ( !(sam_pass = samu_new( NULL )) ) {
4826 return NT_STATUS_NO_MEMORY;
4827 }
4828
4829 become_root();
4830 ret = pdb_getsampwsid(sam_pass, &user_sid);
4831 unbecome_root();
4832
4833 if( !ret ) {
4834 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4835 sid_string_dbg(&user_sid)));
4836 TALLOC_FREE(sam_pass);
4837 return NT_STATUS_NO_SUCH_USER;
4838 }
4839
4840 acb_info = pdb_get_acct_ctrl(sam_pass);
4841
4842 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4843 if ( acb_info & ACB_WSTRUST ) {
4844 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
4845 } else {
4846 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4847 }
4848
4849 /******** BEGIN SeAddUsers BLOCK *********/
4850
4851 if ( can_add_accounts )
4852 become_root();
4853
4854 status = pdb_delete_user(p->mem_ctx, sam_pass);
4855
4856 if ( can_add_accounts )
4857 unbecome_root();
4858
4859 /******** END SeAddUsers BLOCK *********/
4860
4861 if ( !NT_STATUS_IS_OK(status) ) {
4862 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4863 "user %s: %s.\n", pdb_get_username(sam_pass),
4864 nt_errstr(status)));
4865 TALLOC_FREE(sam_pass);
4866 return status;
4867 }
4868
4869
4870 TALLOC_FREE(sam_pass);
4871
4872 if (!close_policy_hnd(p, r->in.user_handle))
4873 return NT_STATUS_OBJECT_NAME_INVALID;
4874
4875 ZERO_STRUCTP(r->out.user_handle);
4876
4877 force_flush_samr_cache(disp_info);
4878
4879 return NT_STATUS_OK;
4880 }
4881
4882 /*********************************************************************
4883 _samr_DeleteDomainGroup
4884 *********************************************************************/
4885
4886 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4887 struct samr_DeleteDomainGroup *r)
4888 {
4889 NTSTATUS status;
4890 DOM_SID group_sid;
4891 uint32 group_rid;
4892 uint32 acc_granted;
4893 SE_PRIV se_rights;
4894 bool can_add_accounts;
4895 DISP_INFO *disp_info = NULL;
4896
4897 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4898
4899 /* Find the policy handle. Open a policy on it. */
4900 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4901 return NT_STATUS_INVALID_HANDLE;
4902
4903 status = access_check_samr_function(acc_granted,
4904 STD_RIGHT_DELETE_ACCESS,
4905 "_samr_DeleteDomainGroup");
4906 if (!NT_STATUS_IS_OK(status)) {
4907 return status;
4908 }
4909
4910 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4911
4912 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4913 &group_rid)) {
4914 return NT_STATUS_NO_SUCH_GROUP;
4915 }
4916
4917 se_priv_copy( &se_rights, &se_add_users );
4918 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4919
4920 /******** BEGIN SeAddUsers BLOCK *********/
4921
4922 if ( can_add_accounts )
4923 become_root();
4924
4925 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4926
4927 if ( can_add_accounts )
4928 unbecome_root();
4929
4930 /******** END SeAddUsers BLOCK *********/
4931
4932 if ( !NT_STATUS_IS_OK(status) ) {
4933 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4934 "entry for group %s: %s\n",
4935 sid_string_dbg(&group_sid),
4936 nt_errstr(status)));
4937 return status;
4938 }
4939
4940 if (!close_policy_hnd(p, r->in.group_handle))
4941 return NT_STATUS_OBJECT_NAME_INVALID;
4942
4943 force_flush_samr_cache(disp_info);
4944
4945 return NT_STATUS_OK;
4946 }
4947
4948 /*********************************************************************
4949 _samr_DeleteDomAlias
4950 *********************************************************************/
4951
4952 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4953 struct samr_DeleteDomAlias *r)
4954 {
4955 DOM_SID alias_sid;
4956 uint32 acc_granted;
4957 SE_PRIV se_rights;
4958 bool can_add_accounts;
4959 NTSTATUS status;
4960 DISP_INFO *disp_info = NULL;
4961
4962 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4963
4964 /* Find the policy handle. Open a policy on it. */
4965 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4966 return NT_STATUS_INVALID_HANDLE;
4967
4968 /* copy the handle to the outgoing reply */
4969
4970 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4971
4972 status = access_check_samr_function(acc_granted,
4973 STD_RIGHT_DELETE_ACCESS,
4974 "_samr_DeleteDomAlias");
4975 if (!NT_STATUS_IS_OK(status)) {
4976 return status;
4977 }
4978
4979 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4980
4981 /* Don't let Windows delete builtin groups */
4982
4983 if ( sid_check_is_in_builtin( &alias_sid ) ) {
4984 return NT_STATUS_SPECIAL_ACCOUNT;
4985 }
4986
4987 if (!sid_check_is_in_our_domain(&alias_sid))
4988 return NT_STATUS_NO_SUCH_ALIAS;
4989
4990 DEBUG(10, ("lookup on Local SID\n"));
4991
4992 se_priv_copy( &se_rights, &se_add_users );
4993 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4994
4995 /******** BEGIN SeAddUsers BLOCK *********/
4996
4997 if ( can_add_accounts )
4998 become_root();
4999
5000 /* Have passdb delete the alias */
5001 status = pdb_delete_alias(&alias_sid);
5002
5003 if ( can_add_accounts )
5004 unbecome_root();
5005
5006 /******** END SeAddUsers BLOCK *********/
5007
5008 if ( !NT_STATUS_IS_OK(status))
5009 return status;
5010
5011 if (!close_policy_hnd(p, r->in.alias_handle))
5012 return NT_STATUS_OBJECT_NAME_INVALID;
5013
5014 force_flush_samr_cache(disp_info);
5015
5016 return NT_STATUS_OK;
5017 }
5018
5019 /*********************************************************************
5020 _samr_CreateDomainGroup
5021 *********************************************************************/
5022
5023 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
5024 struct samr_CreateDomainGroup *r)
5025
5026 {
5027 NTSTATUS status;
5028 DOM_SID dom_sid;
5029 DOM_SID info_sid;
5030 const char *name;
5031 struct samr_info *info;
5032 uint32 acc_granted;
5033 SE_PRIV se_rights;
5034 bool can_add_accounts;
5035 DISP_INFO *disp_info = NULL;
5036
5037 /* Find the policy handle. Open a policy on it. */
5038 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5039 return NT_STATUS_INVALID_HANDLE;
5040
5041 status = access_check_samr_function(acc_granted,
5042 SA_RIGHT_DOMAIN_CREATE_GROUP,
5043 "_samr_CreateDomainGroup");
5044 if (!NT_STATUS_IS_OK(status)) {
5045 return status;
5046 }
5047
5048 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5049 return NT_STATUS_ACCESS_DENIED;
5050
5051 name = r->in.name->string;
5052 if (name == NULL) {
5053 return NT_STATUS_NO_MEMORY;
5054 }
5055
5056 status = can_create(p->mem_ctx, name);
5057 if (!NT_STATUS_IS_OK(status)) {
5058 return status;
5059 }
5060
5061 se_priv_copy( &se_rights, &se_add_users );
5062 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5063
5064 /******** BEGIN SeAddUsers BLOCK *********/
5065
5066 if ( can_add_accounts )
5067 become_root();
5068
5069 /* check that we successfully create the UNIX group */
5070
5071 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5072
5073 if ( can_add_accounts )
5074 unbecome_root();
5075
5076 /******** END SeAddUsers BLOCK *********/
5077
5078 /* check if we should bail out here */
5079
5080 if ( !NT_STATUS_IS_OK(status) )
5081 return status;
5082
5083 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5084
5085 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5086 return NT_STATUS_NO_MEMORY;
5087
5088 /* they created it; let the user do what he wants with it */
5089
5090 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5091
5092 /* get a (unique) handle. open a policy on it. */
5093 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5094 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5095
5096 force_flush_samr_cache(disp_info);
5097
5098 return NT_STATUS_OK;
5099 }
5100
5101 /*********************************************************************
5102 _samr_CreateDomAlias
5103 *********************************************************************/
5104
5105 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5106 struct samr_CreateDomAlias *r)
5107 {
5108 DOM_SID dom_sid;
5109 DOM_SID info_sid;
5110 const char *name = NULL;
5111 struct samr_info *info;
5112 uint32 acc_granted;
5113 gid_t gid;
5114 NTSTATUS result;
5115 SE_PRIV se_rights;
5116 bool can_add_accounts;
5117 DISP_INFO *disp_info = NULL;
5118
5119 /* Find the policy handle. Open a policy on it. */
5120 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5121 return NT_STATUS_INVALID_HANDLE;
5122
5123 result = access_check_samr_function(acc_granted,
5124 SA_RIGHT_DOMAIN_CREATE_ALIAS,
5125 "_samr_CreateDomAlias");
5126 if (!NT_STATUS_IS_OK(result)) {
5127 return result;
5128 }
5129
5130 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5131 return NT_STATUS_ACCESS_DENIED;
5132
5133 name = r->in.alias_name->string;
5134
5135 se_priv_copy( &se_rights, &se_add_users );
5136 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5137
5138 result = can_create(p->mem_ctx, name);
5139 if (!NT_STATUS_IS_OK(result)) {
5140 return result;
5141 }
5142
5143 /******** BEGIN SeAddUsers BLOCK *********/
5144
5145 if ( can_add_accounts )
5146 become_root();
5147
5148 /* Have passdb create the alias */
5149 result = pdb_create_alias(name, r->out.rid);
5150
5151 if ( can_add_accounts )
5152 unbecome_root();
5153
5154 /******** END SeAddUsers BLOCK *********/
5155
5156 if (!NT_STATUS_IS_OK(result)) {
5157 DEBUG(10, ("pdb_create_alias failed: %s\n",
5158 nt_errstr(result)));
5159 return result;
5160 }
5161
5162 sid_copy(&info_sid, get_global_sam_sid());
5163 sid_append_rid(&info_sid, *r->out.rid);
5164
5165 if (!sid_to_gid(&info_sid, &gid)) {
5166 DEBUG(10, ("Could not find alias just created\n"));
5167 return NT_STATUS_ACCESS_DENIED;
5168 }
5169
5170 /* check if the group has been successfully created */
5171 if ( getgrgid(gid) == NULL ) {
5172 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5173 gid));
5174 return NT_STATUS_ACCESS_DENIED;
5175 }
5176
5177 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5178 return NT_STATUS_NO_MEMORY;
5179
5180 /* they created it; let the user do what he wants with it */
5181
5182 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5183
5184 /* get a (unique) handle. open a policy on it. */
5185 if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info))
5186 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5187
5188 force_flush_samr_cache(disp_info);
5189
5190 return NT_STATUS_OK;
5191 }
5192
5193 /*********************************************************************
5194 _samr_QueryGroupInfo
5195 *********************************************************************/
5196
5197 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5198 struct samr_QueryGroupInfo *r)
5199 {
5200 NTSTATUS status;
5201 DOM_SID group_sid;
5202 GROUP_MAP map;
5203 union samr_GroupInfo *info = NULL;
5204 uint32 acc_granted;
5205 bool ret;
5206 uint32_t attributes = SE_GROUP_MANDATORY |
5207 SE_GROUP_ENABLED_BY_DEFAULT |
5208 SE_GROUP_ENABLED;
5209 const char *group_name = NULL;
5210 const char *group_description = NULL;
5211
5212 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5213 return NT_STATUS_INVALID_HANDLE;
5214
5215 status = access_check_samr_function(acc_granted,
5216 SA_RIGHT_GROUP_LOOKUP_INFO,
5217 "_samr_QueryGroupInfo");
5218 if (!NT_STATUS_IS_OK(status)) {
5219 return status;
5220 }
5221
5222 become_root();
5223 ret = get_domain_group_from_sid(group_sid, &map);
5224 unbecome_root();
5225 if (!ret)
5226 return NT_STATUS_INVALID_HANDLE;
5227
5228 /* FIXME: map contains fstrings */
5229 group_name = talloc_strdup(r, map.nt_name);
5230 group_description = talloc_strdup(r, map.comment);
5231
5232 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5233 if (!info) {
5234 return NT_STATUS_NO_MEMORY;
5235 }
5236
5237 switch (r->in.level) {
5238 case 1: {
5239 uint32 *members;
5240 size_t num_members;
5241
5242 become_root();
5243 status = pdb_enum_group_members(
5244 p->mem_ctx, &group_sid, &members, &num_members);
5245 unbecome_root();
5246
5247 if (!NT_STATUS_IS_OK(status)) {
5248 return status;
5249 }
5250
5251 init_samr_group_info1(&info->all,
5252 group_name,
5253 attributes,
5254 num_members,
5255 group_description);
5256 break;
5257 }
5258 case 2:
5259 init_samr_group_info2(&info->name,
5260 group_name);
5261 break;
5262 case 3:
5263 init_samr_group_info3(&info->attributes,
5264 attributes);
5265 break;
5266 case 4:
5267 init_samr_group_info4(&info->description,
5268 group_description);
5269 break;
5270 case 5: {
5271 /*
5272 uint32 *members;
5273 size_t num_members;
5274 */
5275
5276 /*
5277 become_root();
5278 status = pdb_enum_group_members(
5279 p->mem_ctx, &group_sid, &members, &num_members);
5280 unbecome_root();
5281
5282 if (!NT_STATUS_IS_OK(status)) {
5283 return status;
5284 }
5285 */
5286 init_samr_group_info5(&info->all2,
5287 group_name,
5288 attributes,
5289 0, /* num_members - in w2k3 this is always 0 */
5290 group_description);
5291
5292 break;
5293 }
5294 default:
5295 return NT_STATUS_INVALID_INFO_CLASS;
5296 }
5297
5298 *r->out.info = info;
5299
5300 return NT_STATUS_OK;
5301 }
5302
5303 /*********************************************************************
5304 _samr_SetGroupInfo
5305 *********************************************************************/
5306
5307 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5308 struct samr_SetGroupInfo *r)
5309 {
5310 DOM_SID group_sid;
5311 GROUP_MAP map;
5312 uint32 acc_granted;
5313 NTSTATUS status;
5314 bool ret;
5315 bool can_mod_accounts;
5316 DISP_INFO *disp_info = NULL;
5317
5318 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5319 return NT_STATUS_INVALID_HANDLE;
5320
5321 status = access_check_samr_function(acc_granted,
5322 SA_RIGHT_GROUP_SET_INFO,
5323 "_samr_SetGroupInfo");
5324 if (!NT_STATUS_IS_OK(status)) {
5325 return status;
5326 }
5327
5328 become_root();
5329 ret = get_domain_group_from_sid(group_sid, &map);
5330 unbecome_root();
5331 if (!ret)
5332 return NT_STATUS_NO_SUCH_GROUP;
5333
5334 switch (r->in.level) {
5335 case 1:
5336 fstrcpy(map.comment, r->in.info->all.description.string);
5337 break;
5338 case 4:
5339 fstrcpy(map.comment, r->in.info->description.string);
5340 break;
5341 default:
5342 return NT_STATUS_INVALID_INFO_CLASS;
5343 }
5344
5345 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5346
5347 /******** BEGIN SeAddUsers BLOCK *********/
5348
5349 if ( can_mod_accounts )
5350 become_root();
5351
5352 status = pdb_update_group_mapping_entry(&map);
5353
5354 if ( can_mod_accounts )
5355 unbecome_root();
5356
5357 /******** End SeAddUsers BLOCK *********/
5358
5359 if (NT_STATUS_IS_OK(status)) {
5360 force_flush_samr_cache(disp_info);
5361 }
5362
5363 return status;
5364 }
5365
5366 /*********************************************************************
5367 _samr_SetAliasInfo
5368 *********************************************************************/
5369
5370 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5371 struct samr_SetAliasInfo *r)
5372 {
5373 DOM_SID group_sid;
5374 struct acct_info info;
5375 uint32 acc_granted;
5376 bool can_mod_accounts;
5377 NTSTATUS status;
5378 DISP_INFO *disp_info = NULL;
5379
5380 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5381 return NT_STATUS_INVALID_HANDLE;
5382
5383 status = access_check_samr_function(acc_granted,
5384 SA_RIGHT_ALIAS_SET_INFO,
5385 "_samr_SetAliasInfo");
5386 if (!NT_STATUS_IS_OK(status)) {
5387 return status;
5388 }
5389
5390 /* get the current group information */
5391
5392 become_root();
5393 status = pdb_get_aliasinfo( &group_sid, &info );
5394 unbecome_root();
5395
5396 if ( !NT_STATUS_IS_OK(status))
5397 return status;
5398
5399 switch (r->in.level) {
5400 case ALIASINFONAME:
5401 {
5402 fstring group_name;
5403
5404 /* We currently do not support renaming groups in the
5405 the BUILTIN domain. Refer to util_builtin.c to understand
5406 why. The eventually needs to be fixed to be like Windows
5407 where you can rename builtin groups, just not delete them */
5408
5409 if ( sid_check_is_in_builtin( &group_sid ) ) {
5410 return NT_STATUS_SPECIAL_ACCOUNT;
5411 }
5412
5413 /* There has to be a valid name (and it has to be different) */
5414
5415 if ( !r->in.info->name.string )
5416 return NT_STATUS_INVALID_PARAMETER;
5417
5418 /* If the name is the same just reply "ok". Yes this
5419 doesn't allow you to change the case of a group name. */
5420
5421 if ( strequal( r->in.info->name.string, info.acct_name ) )
5422 return NT_STATUS_OK;
5423
5424 fstrcpy( info.acct_name, r->in.info->name.string);
5425
5426 /* make sure the name doesn't already exist as a user
5427 or local group */
5428
5429 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5430 status = can_create( p->mem_ctx, group_name );
5431 if ( !NT_STATUS_IS_OK( status ) )
5432 return status;
5433 break;
5434 }
5435 case ALIASINFODESCRIPTION:
5436 if (r->in.info->description.string) {
5437 fstrcpy(info.acct_desc,
5438 r->in.info->description.string);
5439 } else {
5440 fstrcpy( info.acct_desc, "" );
5441 }
5442 break;
5443 default:
5444 return NT_STATUS_INVALID_INFO_CLASS;
5445 }
5446
5447 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5448
5449 /******** BEGIN SeAddUsers BLOCK *********/
5450
5451 if ( can_mod_accounts )
5452 become_root();
5453
5454 status = pdb_set_aliasinfo( &group_sid, &info );
5455
5456 if ( can_mod_accounts )
5457 unbecome_root();
5458
5459 /******** End SeAddUsers BLOCK *********/
5460
5461 if (NT_STATUS_IS_OK(status))
5462 force_flush_samr_cache(disp_info);
5463
5464 return status;
5465 }
5466
5467 /****************************************************************
5468 _samr_GetDomPwInfo
5469 ****************************************************************/
5470
5471 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5472 struct samr_GetDomPwInfo *r)
5473 {
5474 uint32_t min_password_length = 0;
5475 uint32_t password_properties = 0;
5476
5477 /* Perform access check. Since this rpc does not require a
5478 policy handle it will not be caught by the access checks on
5479 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5480
5481 if (!pipe_access_check(p)) {
5482 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5483 return NT_STATUS_ACCESS_DENIED;
5484 }
5485
5486 become_root();
5487 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5488 &min_password_length);
5489 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5490 &password_properties);
5491 unbecome_root();
5492
5493 if (lp_check_password_script() && *lp_check_password_script()) {
5494 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5495 }
5496
5497 r->out.info->min_password_length = min_password_length;
5498 r->out.info->password_properties = password_properties;
5499
5500 return NT_STATUS_OK;
5501 }
5502
5503 /*********************************************************************
5504 _samr_OpenGroup
5505 *********************************************************************/
5506
5507 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5508 struct samr_OpenGroup *r)
5509
5510 {
5511 DOM_SID sid;
5512 DOM_SID info_sid;
5513 GROUP_MAP map;
5514 struct samr_info *info;
5515 SEC_DESC *psd = NULL;
5516 uint32 acc_granted;
5517 uint32 des_access = r->in.access_mask;
5518 size_t sd_size;
5519 NTSTATUS status;
5520 fstring sid_string;
5521 bool ret;
5522 SE_PRIV se_rights;
5523
5524 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5525 return NT_STATUS_INVALID_HANDLE;
5526
5527 status = access_check_samr_function(acc_granted,
5528 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
5529 "_samr_OpenGroup");
5530
5531 if ( !NT_STATUS_IS_OK(status) )
5532 return status;
5533
5534 /*check if access can be granted as requested by client. */
5535 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
5536
5537 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5538 se_map_generic(&des_access,&grp_generic_mapping);
5539
5540 se_priv_copy( &se_rights, &se_add_users );
5541
5542 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
5543 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5544 &acc_granted, "_samr_OpenGroup");
5545
5546 if ( !NT_STATUS_IS_OK(status) )
5547 return status;
5548
5549 /* this should not be hard-coded like this */
5550
5551 if (!sid_equal(&sid, get_global_sam_sid()))
5552 return NT_STATUS_ACCESS_DENIED;
5553
5554 sid_copy(&info_sid, get_global_sam_sid());
5555 sid_append_rid(&info_sid, r->in.rid);
5556 sid_to_fstring(sid_string, &info_sid);
5557
5558 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5559 return NT_STATUS_NO_MEMORY;
5560
5561 info->acc_granted = acc_granted;
5562
5563 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5564
5565 /* check if that group really exists */
5566 become_root();
5567 ret = get_domain_group_from_sid(info->sid, &map);
5568 unbecome_root();
5569 if (!ret)
5570 return NT_STATUS_NO_SUCH_GROUP;
5571
5572 /* get a (unique) handle. open a policy on it. */
5573 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5574 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5575
5576 return NT_STATUS_OK;
5577 }
5578
5579 /*********************************************************************
5580 _samr_RemoveMemberFromForeignDomain
5581 *********************************************************************/
5582
5583 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5584 struct samr_RemoveMemberFromForeignDomain *r)
5585 {
5586 DOM_SID delete_sid, domain_sid;
5587 uint32 acc_granted;
5588 NTSTATUS result;
5589 DISP_INFO *disp_info = NULL;
5590
5591 sid_copy( &delete_sid, r->in.sid );
5592
5593 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5594 sid_string_dbg(&delete_sid)));
5595
5596 /* Find the policy handle. Open a policy on it. */
5597
5598 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5599 &acc_granted, &disp_info))
5600 return NT_STATUS_INVALID_HANDLE;
5601
5602 result = access_check_samr_function(acc_granted,
5603 STD_RIGHT_DELETE_ACCESS,
5604 "_samr_RemoveMemberFromForeignDomain");
5605
5606 if (!NT_STATUS_IS_OK(result))
5607 return result;
5608
5609 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5610 sid_string_dbg(&domain_sid)));
5611
5612 /* we can only delete a user from a group since we don't have
5613 nested groups anyways. So in the latter case, just say OK */
5614
5615 /* TODO: The above comment nowadays is bogus. Since we have nested
5616 * groups now, and aliases members are never reported out of the unix
5617 * group membership, the "just say OK" makes this call a no-op. For
5618 * us. This needs fixing however. */
5619
5620 /* I've only ever seen this in the wild when deleting a user from
5621 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5622 * is the user about to be deleted. I very much suspect this is the
5623 * only application of this call. To verify this, let people report
5624 * other cases. */
5625
5626 if (!sid_check_is_builtin(&domain_sid)) {
5627 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5628 "global_sam_sid() = %s\n",
5629 sid_string_dbg(&domain_sid),
5630 sid_string_dbg(get_global_sam_sid())));
5631 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5632 return NT_STATUS_OK;
5633 }
5634
5635 force_flush_samr_cache(disp_info);
5636
5637 result = NT_STATUS_OK;
5638
5639 return result;
5640 }
5641
5642 /*******************************************************************
5643 _samr_QueryDomainInfo2
5644 ********************************************************************/
5645
5646 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5647 struct samr_QueryDomainInfo2 *r)
5648 {
5649 return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo2",
5650 p,
5651 r->in.domain_handle,
5652 r->in.level,
5653 r->out.info);
5654 }
5655
5656 /*******************************************************************
5657 _samr_SetDomainInfo
5658 ********************************************************************/
5659
5660 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5661 struct samr_SetDomainInfo *r)
5662 {
5663 time_t u_expire, u_min_age;
5664 time_t u_logout;
5665 time_t u_lock_duration, u_reset_time;
5666
5667 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5668
5669 /* find the policy handle. open a policy on it. */
5670 if (!find_policy_by_hnd(p, r->in.domain_handle, NULL))
5671 return NT_STATUS_INVALID_HANDLE;
5672
5673 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5674
5675 switch (r->in.level) {
5676 case 0x01:
5677 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5678 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5679 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5680 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5681 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5682 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5683 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5684 break;
5685 case 0x02:
5686 break;
5687 case 0x03:
5688 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5689 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5690 break;
5691 case 0x05:
5692 break;
5693 case 0x06:
5694 break;
5695 case 0x07:
5696 break;
5697 case 0x0c:
5698 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5699 if (u_lock_duration != -1)
5700 u_lock_duration /= 60;
5701
5702 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5703
5704 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5705 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5706 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5707 break;
5708 default:
5709 return NT_STATUS_INVALID_INFO_CLASS;
5710 }
5711
5712 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5713
5714 return NT_STATUS_OK;
5715 }
5716
5717 /****************************************************************
5718 _samr_GetDisplayEnumerationIndex
5719 ****************************************************************/
5720
5721 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5722 struct samr_GetDisplayEnumerationIndex *r)
5723 {
5724 struct samr_info *info = NULL;
5725 uint32_t max_entries = (uint32_t) -1;
5726 uint32_t enum_context = 0;
5727 int i;
5728 uint32_t num_account = 0;
5729 struct samr_displayentry *entries = NULL;
5730
5731 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5732
5733 /* find the policy handle. open a policy on it. */
5734 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5735 return NT_STATUS_INVALID_HANDLE;
5736 }
5737
5738 if ((r->in.level < 1) || (r->in.level > 3)) {
5739 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5740 "Unknown info level (%u)\n",
5741 r->in.level));
5742 return NT_STATUS_INVALID_INFO_CLASS;
5743 }
5744
5745 become_root();
5746
5747 /* The following done as ROOT. Don't return without unbecome_root(). */
5748
5749 switch (r->in.level) {
5750 case 1:
5751 if (info->disp_info->users == NULL) {
5752 info->disp_info->users = pdb_search_users(ACB_NORMAL);
5753 if (info->disp_info->users == NULL) {
5754 unbecome_root();
5755 return NT_STATUS_ACCESS_DENIED;
5756 }
5757 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5758 "starting user enumeration at index %u\n",
5759 (unsigned int)enum_context));
5760 } else {
5761 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5762 "using cached user enumeration at index %u\n",
5763 (unsigned int)enum_context));
5764 }
5765 num_account = pdb_search_entries(info->disp_info->users,
5766 enum_context, max_entries,
5767 &entries);
5768 break;
5769 case 2:
5770 if (info->disp_info->machines == NULL) {
5771 info->disp_info->machines =
5772 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
5773 if (info->disp_info->machines == NULL) {
5774 unbecome_root();
5775 return NT_STATUS_ACCESS_DENIED;
5776 }
5777 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5778 "starting machine enumeration at index %u\n",
5779 (unsigned int)enum_context));
5780 } else {
5781 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5782 "using cached machine enumeration at index %u\n",
5783 (unsigned int)enum_context));
5784 }
5785 num_account = pdb_search_entries(info->disp_info->machines,
5786 enum_context, max_entries,
5787 &entries);
5788 break;
5789 case 3:
5790 if (info->disp_info->groups == NULL) {
5791 info->disp_info->groups = pdb_search_groups();
5792 if (info->disp_info->groups == NULL) {
5793 unbecome_root();
5794 return NT_STATUS_ACCESS_DENIED;
5795 }
5796 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5797 "starting group enumeration at index %u\n",
5798 (unsigned int)enum_context));
5799 } else {
5800 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5801 "using cached group enumeration at index %u\n",
5802 (unsigned int)enum_context));
5803 }
5804 num_account = pdb_search_entries(info->disp_info->groups,
5805 enum_context, max_entries,
5806 &entries);
5807 break;
5808 default:
5809 unbecome_root();
5810 smb_panic("info class changed");
5811 break;
5812 }
5813
5814 unbecome_root();
5815
5816 /* Ensure we cache this enumeration. */
5817 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5818
5819 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5820 r->in.name->string));
5821
5822 for (i=0; i<num_account; i++) {
5823 if (strequal(entries[i].account_name, r->in.name->string)) {
5824 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5825 "found %s at idx %d\n",
5826 r->in.name->string, i));
5827 *r->out.idx = i;
5828 return NT_STATUS_OK;
5829 }
5830 }
5831
5832 /* assuming account_name lives at the very end */
5833 *r->out.idx = num_account;
5834
5835 return NT_STATUS_NO_MORE_ENTRIES;
5836 }
5837
5838 /****************************************************************
5839 _samr_GetDisplayEnumerationIndex2
5840 ****************************************************************/
5841
5842 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5843 struct samr_GetDisplayEnumerationIndex2 *r)
5844 {
5845 struct samr_GetDisplayEnumerationIndex q;
5846
5847 q.in.domain_handle = r->in.domain_handle;
5848 q.in.level = r->in.level;
5849 q.in.name = r->in.name;
5850
5851 q.out.idx = r->out.idx;
5852
5853 return _samr_GetDisplayEnumerationIndex(p, &q);
5854 }
5855
5856 /****************************************************************
5857 ****************************************************************/
5858
5859 NTSTATUS _samr_Shutdown(pipes_struct *p,
5860 struct samr_Shutdown *r)
5861 {
5862 p->rng_fault_state = true;
5863 return NT_STATUS_NOT_IMPLEMENTED;
5864 }
5865
5866 /****************************************************************
5867 ****************************************************************/
5868
5869 NTSTATUS _samr_CreateUser(pipes_struct *p,
5870 struct samr_CreateUser *r)
5871 {
5872 p->rng_fault_state = true;
5873 return NT_STATUS_NOT_IMPLEMENTED;
5874 }
5875
5876 /****************************************************************
5877 ****************************************************************/
5878
5879 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5880 struct samr_SetMemberAttributesOfGroup *r)
5881 {
5882 p->rng_fault_state = true;
5883 return NT_STATUS_NOT_IMPLEMENTED;
5884 }
5885
5886 /****************************************************************
5887 ****************************************************************/
5888
5889 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5890 struct samr_ChangePasswordUser *r)
5891 {
5892 p->rng_fault_state = true;
5893 return NT_STATUS_NOT_IMPLEMENTED;
5894 }
5895
5896 /****************************************************************
5897 ****************************************************************/
5898
5899 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5900 struct samr_TestPrivateFunctionsDomain *r)
5901 {
5902 p->rng_fault_state = true;
5903 return NT_STATUS_NOT_IMPLEMENTED;
5904 }
5905
5906 /****************************************************************
5907 ****************************************************************/
5908
5909 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5910 struct samr_TestPrivateFunctionsUser *r)
5911 {
5912 p->rng_fault_state = true;
5913 return NT_STATUS_NOT_IMPLEMENTED;
5914 }
5915
5916 /****************************************************************
5917 ****************************************************************/
5918
5919 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
5920 struct samr_QueryUserInfo2 *r)
5921 {
5922 p->rng_fault_state = true;
5923 return NT_STATUS_NOT_IMPLEMENTED;
5924 }
5925
5926 /****************************************************************
5927 ****************************************************************/
5928
5929 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5930 struct samr_AddMultipleMembersToAlias *r)
5931 {
5932 p->rng_fault_state = true;
5933 return NT_STATUS_NOT_IMPLEMENTED;
5934 }
5935
5936 /****************************************************************
5937 ****************************************************************/
5938
5939 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5940 struct samr_RemoveMultipleMembersFromAlias *r)
5941 {
5942 p->rng_fault_state = true;
5943 return NT_STATUS_NOT_IMPLEMENTED;
5944 }
5945
5946 /****************************************************************
5947 ****************************************************************/
5948
5949 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5950 struct samr_OemChangePasswordUser2 *r)
5951 {
5952 p->rng_fault_state = true;
5953 return NT_STATUS_NOT_IMPLEMENTED;
5954 }
5955
5956 /****************************************************************
5957 ****************************************************************/
5958
5959 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
5960 struct samr_SetBootKeyInformation *r)
5961 {
5962 p->rng_fault_state = true;
5963 return NT_STATUS_NOT_IMPLEMENTED;
5964 }
5965
5966 /****************************************************************
5967 ****************************************************************/
5968
5969 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
5970 struct samr_GetBootKeyInformation *r)
5971 {
5972 p->rng_fault_state = true;
5973 return NT_STATUS_NOT_IMPLEMENTED;
5974 }
5975
5976 /****************************************************************
5977 ****************************************************************/
5978
5979 NTSTATUS _samr_Connect3(pipes_struct *p,
5980 struct samr_Connect3 *r)
5981 {
5982 p->rng_fault_state = true;
5983 return NT_STATUS_NOT_IMPLEMENTED;
5984 }
5985
5986 /****************************************************************
5987 ****************************************************************/
5988
5989 NTSTATUS _samr_RidToSid(pipes_struct *p,
5990 struct samr_RidToSid *r)
5991 {
5992 p->rng_fault_state = true;
5993 return NT_STATUS_NOT_IMPLEMENTED;
5994 }
5995
5996 /****************************************************************
5997 ****************************************************************/
5998
5999 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
6000 struct samr_SetDsrmPassword *r)
6001 {
6002 p->rng_fault_state = true;
6003 return NT_STATUS_NOT_IMPLEMENTED;
6004 }
6005
6006 /****************************************************************
6007 ****************************************************************/
6008
6009 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
6010 struct samr_ValidatePassword *r)
6011 {
6012 p->rng_fault_state = true;
6013 return NT_STATUS_NOT_IMPLEMENTED;
6014 }
Samba GIT mirror