2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
35 #include "smbd/globals.h"
36 #include "../libcli/auth/libcli_auth.h"
39 #define DBGC_CLASS DBGC_RPC_SRV
41 #define SAMR_USR_RIGHTS_WRITE_PW \
42 ( READ_CONTROL_ACCESS | \
43 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
44 SAMR_USER_ACCESS_SET_LOC_COM)
45 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
46 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
48 #define DISP_INFO_CACHE_TIMEOUT 10
50 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
51 #define MAX_SAM_ENTRIES_W95 50
53 struct samr_connect_info
{
57 struct samr_domain_info
{
59 struct disp_info
*disp_info
;
62 struct samr_user_info
{
66 struct samr_group_info
{
70 struct samr_alias_info
{
74 typedef struct disp_info
{
75 DOM_SID sid
; /* identify which domain this is. */
76 struct pdb_search
*users
; /* querydispinfo 1 and 4 */
77 struct pdb_search
*machines
; /* querydispinfo 2 */
78 struct pdb_search
*groups
; /* querydispinfo 3 and 5, enumgroups */
79 struct pdb_search
*aliases
; /* enumaliases */
82 struct pdb_search
*enum_users
; /* enumusers with a mask */
84 struct timed_event
*cache_timeout_event
; /* cache idle timeout
88 static const struct generic_mapping sam_generic_mapping
= {
89 GENERIC_RIGHTS_SAM_READ
,
90 GENERIC_RIGHTS_SAM_WRITE
,
91 GENERIC_RIGHTS_SAM_EXECUTE
,
92 GENERIC_RIGHTS_SAM_ALL_ACCESS
};
93 static const struct generic_mapping dom_generic_mapping
= {
94 GENERIC_RIGHTS_DOMAIN_READ
,
95 GENERIC_RIGHTS_DOMAIN_WRITE
,
96 GENERIC_RIGHTS_DOMAIN_EXECUTE
,
97 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS
};
98 static const struct generic_mapping usr_generic_mapping
= {
99 GENERIC_RIGHTS_USER_READ
,
100 GENERIC_RIGHTS_USER_WRITE
,
101 GENERIC_RIGHTS_USER_EXECUTE
,
102 GENERIC_RIGHTS_USER_ALL_ACCESS
};
103 static const struct generic_mapping usr_nopwchange_generic_mapping
= {
104 GENERIC_RIGHTS_USER_READ
,
105 GENERIC_RIGHTS_USER_WRITE
,
106 GENERIC_RIGHTS_USER_EXECUTE
& ~SAMR_USER_ACCESS_CHANGE_PASSWORD
,
107 GENERIC_RIGHTS_USER_ALL_ACCESS
};
108 static const struct generic_mapping grp_generic_mapping
= {
109 GENERIC_RIGHTS_GROUP_READ
,
110 GENERIC_RIGHTS_GROUP_WRITE
,
111 GENERIC_RIGHTS_GROUP_EXECUTE
,
112 GENERIC_RIGHTS_GROUP_ALL_ACCESS
};
113 static const struct generic_mapping ali_generic_mapping
= {
114 GENERIC_RIGHTS_ALIAS_READ
,
115 GENERIC_RIGHTS_ALIAS_WRITE
,
116 GENERIC_RIGHTS_ALIAS_EXECUTE
,
117 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
};
119 /*******************************************************************
120 *******************************************************************/
122 static NTSTATUS
make_samr_object_sd( TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
,
123 const struct generic_mapping
*map
,
124 DOM_SID
*sid
, uint32 sid_access
)
126 DOM_SID domadmin_sid
;
127 SEC_ACE ace
[5]; /* at most 5 entries */
132 /* basic access for Everyone */
134 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
135 map
->generic_execute
| map
->generic_read
, 0);
137 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
139 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
140 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
141 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
142 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
144 /* Add Full Access for Domain Admins if we are a DC */
147 sid_copy( &domadmin_sid
, get_global_sam_sid() );
148 sid_append_rid( &domadmin_sid
, DOMAIN_GROUP_RID_ADMINS
);
149 init_sec_ace(&ace
[i
++], &domadmin_sid
,
150 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
153 /* if we have a sid, give it some special access */
156 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, sid_access
, 0);
159 /* create the security descriptor */
161 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
162 return NT_STATUS_NO_MEMORY
;
164 if ((*psd
= make_sec_desc(ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
165 SEC_DESC_SELF_RELATIVE
, NULL
, NULL
, NULL
,
166 psa
, sd_size
)) == NULL
)
167 return NT_STATUS_NO_MEMORY
;
172 /*******************************************************************
173 Checks if access to an object should be granted, and returns that
174 level of access for further checks.
175 ********************************************************************/
177 NTSTATUS
access_check_object( SEC_DESC
*psd
, NT_USER_TOKEN
*token
,
178 SE_PRIV
*rights
, uint32 rights_mask
,
179 uint32 des_access
, uint32
*acc_granted
,
182 NTSTATUS status
= NT_STATUS_ACCESS_DENIED
;
183 uint32 saved_mask
= 0;
185 /* check privileges; certain SAM access bits should be overridden
186 by privileges (mostly having to do with creating/modifying/deleting
189 if (rights
&& !se_priv_equal(rights
, &se_priv_none
) &&
190 user_has_any_privilege(token
, rights
)) {
192 saved_mask
= (des_access
& rights_mask
);
193 des_access
&= ~saved_mask
;
195 DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
200 /* check the security descriptor first */
202 status
= se_access_check(psd
, token
, des_access
, acc_granted
);
203 if (NT_STATUS_IS_OK(status
)) {
207 /* give root a free pass */
209 if ( geteuid() == sec_initial_uid() ) {
211 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug
, des_access
));
212 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
214 *acc_granted
= des_access
;
216 status
= NT_STATUS_OK
;
222 /* add in any bits saved during the privilege check (only
223 matters is status is ok) */
225 *acc_granted
|= rights_mask
;
227 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
228 debug
, NT_STATUS_IS_OK(status
) ? "GRANTED" : "DENIED",
229 des_access
, *acc_granted
));
235 /*******************************************************************
236 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
237 ********************************************************************/
239 void map_max_allowed_access(const NT_USER_TOKEN
*token
,
240 uint32_t *pacc_requested
)
242 if (!((*pacc_requested
) & MAXIMUM_ALLOWED_ACCESS
)) {
245 *pacc_requested
&= ~MAXIMUM_ALLOWED_ACCESS
;
247 /* At least try for generic read|execute - Everyone gets that. */
248 *pacc_requested
= GENERIC_READ_ACCESS
|GENERIC_EXECUTE_ACCESS
;
250 /* root gets anything. */
251 if (geteuid() == sec_initial_uid()) {
252 *pacc_requested
|= GENERIC_ALL_ACCESS
;
256 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
258 if (is_sid_in_token(token
, &global_sid_Builtin_Administrators
) ||
259 is_sid_in_token(token
, &global_sid_Builtin_Account_Operators
)) {
260 *pacc_requested
|= GENERIC_ALL_ACCESS
;
264 /* Full access for DOMAIN\Domain Admins. */
266 DOM_SID domadmin_sid
;
267 sid_copy( &domadmin_sid
, get_global_sam_sid() );
268 sid_append_rid( &domadmin_sid
, DOMAIN_GROUP_RID_ADMINS
);
269 if (is_sid_in_token(token
, &domadmin_sid
)) {
270 *pacc_requested
|= GENERIC_ALL_ACCESS
;
274 /* TODO ! Check privileges. */
277 /*******************************************************************
278 Fetch or create a dispinfo struct.
279 ********************************************************************/
281 static DISP_INFO
*get_samr_dispinfo_by_sid(const struct dom_sid
*psid
)
284 * We do a static cache for DISP_INFO's here. Explanation can be found
285 * in Jeremy's checkin message to r11793:
287 * Fix the SAMR cache so it works across completely insane
288 * client behaviour (ie.:
289 * open pipe/open SAMR handle/enumerate 0 - 1024
290 * close SAMR handle, close pipe.
291 * open pipe/open SAMR handle/enumerate 1024 - 2048...
292 * close SAMR handle, close pipe.
293 * And on ad-nausium. Amazing.... probably object-oriented
294 * client side programming in action yet again.
295 * This change should *massively* improve performance when
296 * enumerating users from an LDAP database.
299 * "Our" and the builtin domain are the only ones where we ever
300 * enumerate stuff, so just cache 2 entries.
303 static struct disp_info
*builtin_dispinfo
;
304 static struct disp_info
*domain_dispinfo
;
306 /* There are two cases to consider here:
307 1) The SID is a domain SID and we look for an equality match, or
308 2) This is an account SID and so we return the DISP_INFO* for our
315 if (sid_check_is_builtin(psid
) || sid_check_is_in_builtin(psid
)) {
317 * Necessary only once, but it does not really hurt.
319 if (builtin_dispinfo
== NULL
) {
320 builtin_dispinfo
= talloc_zero(
321 talloc_autofree_context(), struct disp_info
);
322 if (builtin_dispinfo
== NULL
) {
326 sid_copy(&builtin_dispinfo
->sid
, &global_sid_Builtin
);
328 return builtin_dispinfo
;
331 if (sid_check_is_domain(psid
) || sid_check_is_in_our_domain(psid
)) {
333 * Necessary only once, but it does not really hurt.
335 if (domain_dispinfo
== NULL
) {
336 domain_dispinfo
= talloc_zero(
337 talloc_autofree_context(), struct disp_info
);
338 if (domain_dispinfo
== NULL
) {
342 sid_copy(&domain_dispinfo
->sid
, get_global_sam_sid());
344 return domain_dispinfo
;
350 /*******************************************************************
351 Function to free the per SID data.
352 ********************************************************************/
354 static void free_samr_cache(DISP_INFO
*disp_info
)
356 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
357 sid_string_dbg(&disp_info
->sid
)));
359 /* We need to become root here because the paged search might have to
360 * tell the LDAP server we're not interested in the rest anymore. */
364 TALLOC_FREE(disp_info
->users
);
365 TALLOC_FREE(disp_info
->machines
);
366 TALLOC_FREE(disp_info
->groups
);
367 TALLOC_FREE(disp_info
->aliases
);
368 TALLOC_FREE(disp_info
->enum_users
);
373 /*******************************************************************
374 Idle event handler. Throw away the disp info cache.
375 ********************************************************************/
377 static void disp_info_cache_idle_timeout_handler(struct event_context
*ev_ctx
,
378 struct timed_event
*te
,
382 DISP_INFO
*disp_info
= (DISP_INFO
*)private_data
;
384 TALLOC_FREE(disp_info
->cache_timeout_event
);
386 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
388 free_samr_cache(disp_info
);
391 /*******************************************************************
392 Setup cache removal idle event handler.
393 ********************************************************************/
395 static void set_disp_info_cache_timeout(DISP_INFO
*disp_info
, time_t secs_fromnow
)
397 /* Remove any pending timeout and update. */
399 TALLOC_FREE(disp_info
->cache_timeout_event
);
401 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
402 "SID %s for %u seconds\n", sid_string_dbg(&disp_info
->sid
),
403 (unsigned int)secs_fromnow
));
405 disp_info
->cache_timeout_event
= event_add_timed(
406 smbd_event_context(), NULL
,
407 timeval_current_ofs(secs_fromnow
, 0),
408 disp_info_cache_idle_timeout_handler
, (void *)disp_info
);
411 /*******************************************************************
412 Force flush any cache. We do this on any samr_set_xxx call.
413 We must also remove the timeout handler.
414 ********************************************************************/
416 static void force_flush_samr_cache(const struct dom_sid
*sid
)
418 struct disp_info
*disp_info
= get_samr_dispinfo_by_sid(sid
);
420 if ((disp_info
== NULL
) || (disp_info
->cache_timeout_event
== NULL
)) {
424 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
425 TALLOC_FREE(disp_info
->cache_timeout_event
);
426 free_samr_cache(disp_info
);
429 /*******************************************************************
430 Ensure password info is never given out. Paranioa... JRA.
431 ********************************************************************/
433 static void samr_clear_sam_passwd(struct samu
*sam_pass
)
439 /* These now zero out the old password */
441 pdb_set_lanman_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
442 pdb_set_nt_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
445 static uint32
count_sam_users(struct disp_info
*info
, uint32 acct_flags
)
447 struct samr_displayentry
*entry
;
449 if (sid_check_is_builtin(&info
->sid
)) {
450 /* No users in builtin. */
454 if (info
->users
== NULL
) {
455 info
->users
= pdb_search_users(info
, acct_flags
);
456 if (info
->users
== NULL
) {
460 /* Fetch the last possible entry, thus trigger an enumeration */
461 pdb_search_entries(info
->users
, 0xffffffff, 1, &entry
);
463 /* Ensure we cache this enumeration. */
464 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
466 return info
->users
->num_entries
;
469 static uint32
count_sam_groups(struct disp_info
*info
)
471 struct samr_displayentry
*entry
;
473 if (sid_check_is_builtin(&info
->sid
)) {
474 /* No groups in builtin. */
478 if (info
->groups
== NULL
) {
479 info
->groups
= pdb_search_groups(info
);
480 if (info
->groups
== NULL
) {
484 /* Fetch the last possible entry, thus trigger an enumeration */
485 pdb_search_entries(info
->groups
, 0xffffffff, 1, &entry
);
487 /* Ensure we cache this enumeration. */
488 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
490 return info
->groups
->num_entries
;
493 static uint32
count_sam_aliases(struct disp_info
*info
)
495 struct samr_displayentry
*entry
;
497 if (info
->aliases
== NULL
) {
498 info
->aliases
= pdb_search_aliases(info
, &info
->sid
);
499 if (info
->aliases
== NULL
) {
503 /* Fetch the last possible entry, thus trigger an enumeration */
504 pdb_search_entries(info
->aliases
, 0xffffffff, 1, &entry
);
506 /* Ensure we cache this enumeration. */
507 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
509 return info
->aliases
->num_entries
;
512 /*******************************************************************
514 ********************************************************************/
516 NTSTATUS
_samr_Close(pipes_struct
*p
, struct samr_Close
*r
)
518 if (!close_policy_hnd(p
, r
->in
.handle
)) {
519 return NT_STATUS_INVALID_HANDLE
;
522 ZERO_STRUCTP(r
->out
.handle
);
527 /*******************************************************************
529 ********************************************************************/
531 NTSTATUS
_samr_OpenDomain(pipes_struct
*p
,
532 struct samr_OpenDomain
*r
)
534 struct samr_connect_info
*cinfo
;
535 struct samr_domain_info
*dinfo
;
536 SEC_DESC
*psd
= NULL
;
538 uint32 des_access
= r
->in
.access_mask
;
541 uint32_t extra_access
= SAMR_DOMAIN_ACCESS_CREATE_USER
;
544 /* find the connection policy handle. */
546 cinfo
= policy_handle_find(p
, r
->in
.connect_handle
, 0, NULL
,
547 struct samr_connect_info
, &status
);
548 if (!NT_STATUS_IS_OK(status
)) {
552 /*check if access can be granted as requested by client. */
553 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
555 make_samr_object_sd( p
->mem_ctx
, &psd
, &sd_size
, &dom_generic_mapping
, NULL
, 0 );
556 se_map_generic( &des_access
, &dom_generic_mapping
);
559 * Users with SeMachineAccount or SeAddUser get additional
560 * SAMR_DOMAIN_ACCESS_CREATE_USER access.
562 se_priv_copy( &se_rights
, &se_machine_account
);
563 se_priv_add( &se_rights
, &se_add_users
);
566 * Users with SeAddUser get the ability to manipulate groups
569 if (user_has_any_privilege(p
->server_info
->ptok
, &se_add_users
)) {
570 extra_access
|= (SAMR_DOMAIN_ACCESS_CREATE_GROUP
|
571 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
|
572 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
|
573 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
|
574 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
);
577 status
= access_check_object( psd
, p
->server_info
->ptok
,
578 &se_rights
, extra_access
, des_access
,
579 &acc_granted
, "_samr_OpenDomain" );
581 if ( !NT_STATUS_IS_OK(status
) )
584 if (!sid_check_is_domain(r
->in
.sid
) &&
585 !sid_check_is_builtin(r
->in
.sid
)) {
586 return NT_STATUS_NO_SUCH_DOMAIN
;
589 dinfo
= policy_handle_create(p
, r
->out
.domain_handle
, acc_granted
,
590 struct samr_domain_info
, &status
);
591 if (!NT_STATUS_IS_OK(status
)) {
594 dinfo
->sid
= *r
->in
.sid
;
595 dinfo
->disp_info
= get_samr_dispinfo_by_sid(r
->in
.sid
);
597 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__
));
602 /*******************************************************************
604 ********************************************************************/
606 NTSTATUS
_samr_GetUserPwInfo(pipes_struct
*p
,
607 struct samr_GetUserPwInfo
*r
)
609 struct samr_user_info
*uinfo
;
610 enum lsa_SidType sid_type
;
611 uint32_t min_password_length
= 0;
612 uint32_t password_properties
= 0;
616 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
618 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
619 SAMR_USER_ACCESS_GET_ATTRIBUTES
, NULL
,
620 struct samr_user_info
, &status
);
621 if (!NT_STATUS_IS_OK(status
)) {
625 if (!sid_check_is_in_our_domain(&uinfo
->sid
)) {
626 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
630 ret
= lookup_sid(p
->mem_ctx
, &uinfo
->sid
, NULL
, NULL
, &sid_type
);
633 return NT_STATUS_NO_SUCH_USER
;
639 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
,
640 &min_password_length
);
641 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
642 &password_properties
);
645 if (lp_check_password_script() && *lp_check_password_script()) {
646 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
654 r
->out
.info
->min_password_length
= min_password_length
;
655 r
->out
.info
->password_properties
= password_properties
;
657 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
662 /*******************************************************************
664 ********************************************************************/
666 NTSTATUS
_samr_SetSecurity(pipes_struct
*p
,
667 struct samr_SetSecurity
*r
)
669 struct samr_user_info
*uinfo
;
673 struct samu
*sampass
=NULL
;
676 uinfo
= policy_handle_find(p
, r
->in
.handle
,
677 SAMR_USER_ACCESS_SET_ATTRIBUTES
, NULL
,
678 struct samr_user_info
, &status
);
679 if (!NT_STATUS_IS_OK(status
)) {
683 if (!(sampass
= samu_new( p
->mem_ctx
))) {
684 DEBUG(0,("No memory!\n"));
685 return NT_STATUS_NO_MEMORY
;
688 /* get the user record */
690 ret
= pdb_getsampwsid(sampass
, &uinfo
->sid
);
694 DEBUG(4, ("User %s not found\n",
695 sid_string_dbg(&uinfo
->sid
)));
696 TALLOC_FREE(sampass
);
697 return NT_STATUS_INVALID_HANDLE
;
700 dacl
= r
->in
.sdbuf
->sd
->dacl
;
701 for (i
=0; i
< dacl
->num_aces
; i
++) {
702 if (sid_equal(&uinfo
->sid
, &dacl
->aces
[i
].trustee
)) {
703 ret
= pdb_set_pass_can_change(sampass
,
704 (dacl
->aces
[i
].access_mask
&
705 SAMR_USER_ACCESS_CHANGE_PASSWORD
) ?
712 TALLOC_FREE(sampass
);
713 return NT_STATUS_ACCESS_DENIED
;
717 status
= pdb_update_sam_account(sampass
);
720 TALLOC_FREE(sampass
);
725 /*******************************************************************
726 build correct perms based on policies and password times for _samr_query_sec_obj
727 *******************************************************************/
728 static bool check_change_pw_access(TALLOC_CTX
*mem_ctx
, DOM_SID
*user_sid
)
730 struct samu
*sampass
=NULL
;
733 if ( !(sampass
= samu_new( mem_ctx
)) ) {
734 DEBUG(0,("No memory!\n"));
739 ret
= pdb_getsampwsid(sampass
, user_sid
);
743 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid
)));
744 TALLOC_FREE(sampass
);
748 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass
) ));
750 if (pdb_get_pass_can_change(sampass
)) {
751 TALLOC_FREE(sampass
);
754 TALLOC_FREE(sampass
);
759 /*******************************************************************
761 ********************************************************************/
763 NTSTATUS
_samr_QuerySecurity(pipes_struct
*p
,
764 struct samr_QuerySecurity
*r
)
766 struct samr_connect_info
*cinfo
;
767 struct samr_domain_info
*dinfo
;
768 struct samr_user_info
*uinfo
;
769 struct samr_group_info
*ginfo
;
770 struct samr_alias_info
*ainfo
;
772 SEC_DESC
* psd
= NULL
;
775 cinfo
= policy_handle_find(p
, r
->in
.handle
,
776 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
777 struct samr_connect_info
, &status
);
778 if (NT_STATUS_IS_OK(status
)) {
779 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
780 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
781 &sam_generic_mapping
, NULL
, 0);
785 dinfo
= policy_handle_find(p
, r
->in
.handle
,
786 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
787 struct samr_domain_info
, &status
);
788 if (NT_STATUS_IS_OK(status
)) {
789 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
790 "with SID: %s\n", sid_string_dbg(&dinfo
->sid
)));
792 * TODO: Builtin probably needs a different SD with restricted
795 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
796 &dom_generic_mapping
, NULL
, 0);
800 uinfo
= policy_handle_find(p
, r
->in
.handle
,
801 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
802 struct samr_user_info
, &status
);
803 if (NT_STATUS_IS_OK(status
)) {
804 DEBUG(10,("_samr_QuerySecurity: querying security on user "
805 "Object with SID: %s\n",
806 sid_string_dbg(&uinfo
->sid
)));
807 if (check_change_pw_access(p
->mem_ctx
, &uinfo
->sid
)) {
808 status
= make_samr_object_sd(
809 p
->mem_ctx
, &psd
, &sd_size
,
810 &usr_generic_mapping
,
811 &uinfo
->sid
, SAMR_USR_RIGHTS_WRITE_PW
);
813 status
= make_samr_object_sd(
814 p
->mem_ctx
, &psd
, &sd_size
,
815 &usr_nopwchange_generic_mapping
,
816 &uinfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
821 ginfo
= policy_handle_find(p
, r
->in
.handle
,
822 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
823 struct samr_group_info
, &status
);
824 if (NT_STATUS_IS_OK(status
)) {
826 * TODO: different SDs have to be generated for aliases groups
827 * and users. Currently all three get a default user SD
829 DEBUG(10,("_samr_QuerySecurity: querying security on group "
830 "Object with SID: %s\n",
831 sid_string_dbg(&ginfo
->sid
)));
832 status
= make_samr_object_sd(
833 p
->mem_ctx
, &psd
, &sd_size
,
834 &usr_nopwchange_generic_mapping
,
835 &ginfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
839 ainfo
= policy_handle_find(p
, r
->in
.handle
,
840 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
841 struct samr_alias_info
, &status
);
842 if (NT_STATUS_IS_OK(status
)) {
844 * TODO: different SDs have to be generated for aliases groups
845 * and users. Currently all three get a default user SD
847 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
848 "Object with SID: %s\n",
849 sid_string_dbg(&ainfo
->sid
)));
850 status
= make_samr_object_sd(
851 p
->mem_ctx
, &psd
, &sd_size
,
852 &usr_nopwchange_generic_mapping
,
853 &ainfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
857 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
859 if ((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
860 return NT_STATUS_NO_MEMORY
;
865 /*******************************************************************
866 makes a SAM_ENTRY / UNISTR2* structure from a user list.
867 ********************************************************************/
869 static NTSTATUS
make_user_sam_entry_list(TALLOC_CTX
*ctx
,
870 struct samr_SamEntry
**sam_pp
,
871 uint32_t num_entries
,
873 struct samr_displayentry
*entries
)
876 struct samr_SamEntry
*sam
;
880 if (num_entries
== 0) {
884 sam
= TALLOC_ZERO_ARRAY(ctx
, struct samr_SamEntry
, num_entries
);
886 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
887 return NT_STATUS_NO_MEMORY
;
890 for (i
= 0; i
< num_entries
; i
++) {
893 * usrmgr expects a non-NULL terminated string with
894 * trust relationships
896 if (entries
[i
].acct_flags
& ACB_DOMTRUST
) {
897 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
900 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
904 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
905 sam
[i
].idx
= entries
[i
].rid
;
913 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
915 /*******************************************************************
916 _samr_EnumDomainUsers
917 ********************************************************************/
919 NTSTATUS
_samr_EnumDomainUsers(pipes_struct
*p
,
920 struct samr_EnumDomainUsers
*r
)
923 struct samr_domain_info
*dinfo
;
925 uint32 enum_context
= *r
->in
.resume_handle
;
926 enum remote_arch_types ra_type
= get_remote_arch();
927 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
928 uint32 max_entries
= max_sam_entries
;
929 struct samr_displayentry
*entries
= NULL
;
930 struct samr_SamArray
*samr_array
= NULL
;
931 struct samr_SamEntry
*samr_entries
= NULL
;
933 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
935 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
936 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
937 struct samr_domain_info
, &status
);
938 if (!NT_STATUS_IS_OK(status
)) {
942 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
944 return NT_STATUS_NO_MEMORY
;
946 *r
->out
.sam
= samr_array
;
948 if (sid_check_is_builtin(&dinfo
->sid
)) {
949 /* No users in builtin. */
950 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
951 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
959 if ((dinfo
->disp_info
->enum_users
!= NULL
) &&
960 (dinfo
->disp_info
->enum_acb_mask
!= r
->in
.acct_flags
)) {
961 TALLOC_FREE(dinfo
->disp_info
->enum_users
);
964 if (dinfo
->disp_info
->enum_users
== NULL
) {
965 dinfo
->disp_info
->enum_users
= pdb_search_users(
966 dinfo
->disp_info
, r
->in
.acct_flags
);
967 dinfo
->disp_info
->enum_acb_mask
= r
->in
.acct_flags
;
970 if (dinfo
->disp_info
->enum_users
== NULL
) {
971 /* END AS ROOT !!!! */
973 return NT_STATUS_ACCESS_DENIED
;
976 num_account
= pdb_search_entries(dinfo
->disp_info
->enum_users
,
977 enum_context
, max_entries
,
980 /* END AS ROOT !!!! */
984 if (num_account
== 0) {
985 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
987 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
991 status
= make_user_sam_entry_list(p
->mem_ctx
, &samr_entries
,
992 num_account
, enum_context
,
994 if (!NT_STATUS_IS_OK(status
)) {
998 if (max_entries
<= num_account
) {
999 status
= STATUS_MORE_ENTRIES
;
1001 status
= NT_STATUS_OK
;
1004 /* Ensure we cache this enumeration. */
1005 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1007 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__
));
1009 samr_array
->count
= num_account
;
1010 samr_array
->entries
= samr_entries
;
1012 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ num_account
;
1013 *r
->out
.num_entries
= num_account
;
1015 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
1020 /*******************************************************************
1021 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1022 ********************************************************************/
1024 static void make_group_sam_entry_list(TALLOC_CTX
*ctx
,
1025 struct samr_SamEntry
**sam_pp
,
1026 uint32_t num_sam_entries
,
1027 struct samr_displayentry
*entries
)
1029 struct samr_SamEntry
*sam
;
1034 if (num_sam_entries
== 0) {
1038 sam
= TALLOC_ZERO_ARRAY(ctx
, struct samr_SamEntry
, num_sam_entries
);
1043 for (i
= 0; i
< num_sam_entries
; i
++) {
1045 * JRA. I think this should include the null. TNG does not.
1047 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
1048 sam
[i
].idx
= entries
[i
].rid
;
1054 /*******************************************************************
1055 _samr_EnumDomainGroups
1056 ********************************************************************/
1058 NTSTATUS
_samr_EnumDomainGroups(pipes_struct
*p
,
1059 struct samr_EnumDomainGroups
*r
)
1062 struct samr_domain_info
*dinfo
;
1063 struct samr_displayentry
*groups
;
1065 struct samr_SamArray
*samr_array
= NULL
;
1066 struct samr_SamEntry
*samr_entries
= NULL
;
1068 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1069 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1070 struct samr_domain_info
, &status
);
1071 if (!NT_STATUS_IS_OK(status
)) {
1075 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1077 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
1079 return NT_STATUS_NO_MEMORY
;
1081 *r
->out
.sam
= samr_array
;
1083 if (sid_check_is_builtin(&dinfo
->sid
)) {
1084 /* No groups in builtin. */
1085 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
1086 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1090 /* the domain group array is being allocated in the function below */
1094 if (dinfo
->disp_info
->groups
== NULL
) {
1095 dinfo
->disp_info
->groups
= pdb_search_groups(dinfo
->disp_info
);
1097 if (dinfo
->disp_info
->groups
== NULL
) {
1099 return NT_STATUS_ACCESS_DENIED
;
1103 num_groups
= pdb_search_entries(dinfo
->disp_info
->groups
,
1104 *r
->in
.resume_handle
,
1105 MAX_SAM_ENTRIES
, &groups
);
1108 /* Ensure we cache this enumeration. */
1109 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1111 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1112 num_groups
, groups
);
1114 if (MAX_SAM_ENTRIES
<= num_groups
) {
1115 status
= STATUS_MORE_ENTRIES
;
1117 status
= NT_STATUS_OK
;
1120 samr_array
->count
= num_groups
;
1121 samr_array
->entries
= samr_entries
;
1123 *r
->out
.num_entries
= num_groups
;
1124 *r
->out
.resume_handle
= num_groups
+ *r
->in
.resume_handle
;
1126 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1131 /*******************************************************************
1132 _samr_EnumDomainAliases
1133 ********************************************************************/
1135 NTSTATUS
_samr_EnumDomainAliases(pipes_struct
*p
,
1136 struct samr_EnumDomainAliases
*r
)
1139 struct samr_domain_info
*dinfo
;
1140 struct samr_displayentry
*aliases
;
1141 uint32 num_aliases
= 0;
1142 struct samr_SamArray
*samr_array
= NULL
;
1143 struct samr_SamEntry
*samr_entries
= NULL
;
1145 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1146 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1147 struct samr_domain_info
, &status
);
1148 if (!NT_STATUS_IS_OK(status
)) {
1152 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1153 sid_string_dbg(&dinfo
->sid
)));
1155 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
1157 return NT_STATUS_NO_MEMORY
;
1162 if (dinfo
->disp_info
->aliases
== NULL
) {
1163 dinfo
->disp_info
->aliases
= pdb_search_aliases(
1164 dinfo
->disp_info
, &dinfo
->sid
);
1165 if (dinfo
->disp_info
->aliases
== NULL
) {
1167 return NT_STATUS_ACCESS_DENIED
;
1171 num_aliases
= pdb_search_entries(dinfo
->disp_info
->aliases
,
1172 *r
->in
.resume_handle
,
1173 MAX_SAM_ENTRIES
, &aliases
);
1176 /* Ensure we cache this enumeration. */
1177 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1179 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1180 num_aliases
, aliases
);
1182 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__
));
1184 if (MAX_SAM_ENTRIES
<= num_aliases
) {
1185 status
= STATUS_MORE_ENTRIES
;
1187 status
= NT_STATUS_OK
;
1190 samr_array
->count
= num_aliases
;
1191 samr_array
->entries
= samr_entries
;
1193 *r
->out
.sam
= samr_array
;
1194 *r
->out
.num_entries
= num_aliases
;
1195 *r
->out
.resume_handle
= num_aliases
+ *r
->in
.resume_handle
;
1200 /*******************************************************************
1201 inits a samr_DispInfoGeneral structure.
1202 ********************************************************************/
1204 static NTSTATUS
init_samr_dispinfo_1(TALLOC_CTX
*ctx
,
1205 struct samr_DispInfoGeneral
*r
,
1206 uint32_t num_entries
,
1208 struct samr_displayentry
*entries
)
1212 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries
));
1214 if (num_entries
== 0) {
1215 return NT_STATUS_OK
;
1218 r
->count
= num_entries
;
1220 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryGeneral
, num_entries
);
1222 return NT_STATUS_NO_MEMORY
;
1225 for (i
= 0; i
< num_entries
; i
++) {
1227 init_lsa_String(&r
->entries
[i
].account_name
,
1228 entries
[i
].account_name
);
1230 init_lsa_String(&r
->entries
[i
].description
,
1231 entries
[i
].description
);
1233 init_lsa_String(&r
->entries
[i
].full_name
,
1234 entries
[i
].fullname
);
1236 r
->entries
[i
].rid
= entries
[i
].rid
;
1237 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1238 r
->entries
[i
].idx
= start_idx
+i
+1;
1241 return NT_STATUS_OK
;
1244 /*******************************************************************
1245 inits a samr_DispInfoFull structure.
1246 ********************************************************************/
1248 static NTSTATUS
init_samr_dispinfo_2(TALLOC_CTX
*ctx
,
1249 struct samr_DispInfoFull
*r
,
1250 uint32_t num_entries
,
1252 struct samr_displayentry
*entries
)
1256 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries
));
1258 if (num_entries
== 0) {
1259 return NT_STATUS_OK
;
1262 r
->count
= num_entries
;
1264 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryFull
, num_entries
);
1266 return NT_STATUS_NO_MEMORY
;
1269 for (i
= 0; i
< num_entries
; i
++) {
1271 init_lsa_String(&r
->entries
[i
].account_name
,
1272 entries
[i
].account_name
);
1274 init_lsa_String(&r
->entries
[i
].description
,
1275 entries
[i
].description
);
1277 r
->entries
[i
].rid
= entries
[i
].rid
;
1278 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1279 r
->entries
[i
].idx
= start_idx
+i
+1;
1282 return NT_STATUS_OK
;
1285 /*******************************************************************
1286 inits a samr_DispInfoFullGroups structure.
1287 ********************************************************************/
1289 static NTSTATUS
init_samr_dispinfo_3(TALLOC_CTX
*ctx
,
1290 struct samr_DispInfoFullGroups
*r
,
1291 uint32_t num_entries
,
1293 struct samr_displayentry
*entries
)
1297 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries
));
1299 if (num_entries
== 0) {
1300 return NT_STATUS_OK
;
1303 r
->count
= num_entries
;
1305 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryFullGroup
, num_entries
);
1307 return NT_STATUS_NO_MEMORY
;
1310 for (i
= 0; i
< num_entries
; i
++) {
1312 init_lsa_String(&r
->entries
[i
].account_name
,
1313 entries
[i
].account_name
);
1315 init_lsa_String(&r
->entries
[i
].description
,
1316 entries
[i
].description
);
1318 r
->entries
[i
].rid
= entries
[i
].rid
;
1319 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1320 r
->entries
[i
].idx
= start_idx
+i
+1;
1323 return NT_STATUS_OK
;
1326 /*******************************************************************
1327 inits a samr_DispInfoAscii structure.
1328 ********************************************************************/
1330 static NTSTATUS
init_samr_dispinfo_4(TALLOC_CTX
*ctx
,
1331 struct samr_DispInfoAscii
*r
,
1332 uint32_t num_entries
,
1334 struct samr_displayentry
*entries
)
1338 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries
));
1340 if (num_entries
== 0) {
1341 return NT_STATUS_OK
;
1344 r
->count
= num_entries
;
1346 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryAscii
, num_entries
);
1348 return NT_STATUS_NO_MEMORY
;
1351 for (i
= 0; i
< num_entries
; i
++) {
1353 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1354 entries
[i
].account_name
);
1356 r
->entries
[i
].idx
= start_idx
+i
+1;
1359 return NT_STATUS_OK
;
1362 /*******************************************************************
1363 inits a samr_DispInfoAscii structure.
1364 ********************************************************************/
1366 static NTSTATUS
init_samr_dispinfo_5(TALLOC_CTX
*ctx
,
1367 struct samr_DispInfoAscii
*r
,
1368 uint32_t num_entries
,
1370 struct samr_displayentry
*entries
)
1374 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries
));
1376 if (num_entries
== 0) {
1377 return NT_STATUS_OK
;
1380 r
->count
= num_entries
;
1382 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryAscii
, num_entries
);
1384 return NT_STATUS_NO_MEMORY
;
1387 for (i
= 0; i
< num_entries
; i
++) {
1389 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1390 entries
[i
].account_name
);
1392 r
->entries
[i
].idx
= start_idx
+i
+1;
1395 return NT_STATUS_OK
;
1398 /*******************************************************************
1399 _samr_QueryDisplayInfo
1400 ********************************************************************/
1402 NTSTATUS
_samr_QueryDisplayInfo(pipes_struct
*p
,
1403 struct samr_QueryDisplayInfo
*r
)
1406 struct samr_domain_info
*dinfo
;
1407 uint32 struct_size
=0x20; /* W2K always reply that, client doesn't care */
1409 uint32 max_entries
= r
->in
.max_entries
;
1411 union samr_DispInfo
*disp_info
= r
->out
.info
;
1414 NTSTATUS disp_ret
= NT_STATUS_UNSUCCESSFUL
;
1415 uint32 num_account
= 0;
1416 enum remote_arch_types ra_type
= get_remote_arch();
1417 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
1418 struct samr_displayentry
*entries
= NULL
;
1420 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1422 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1423 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1424 struct samr_domain_info
, &status
);
1425 if (!NT_STATUS_IS_OK(status
)) {
1429 if (sid_check_is_builtin(&dinfo
->sid
)) {
1430 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1431 return NT_STATUS_OK
;
1435 * calculate how many entries we will return.
1437 * - the number of entries the client asked
1438 * - our limit on that
1439 * - the starting point (enumeration context)
1440 * - the buffer size the client will accept
1444 * We are a lot more like W2K. Instead of reading the SAM
1445 * each time to find the records we need to send back,
1446 * we read it once and link that copy to the sam handle.
1447 * For large user list (over the MAX_SAM_ENTRIES)
1448 * it's a definitive win.
1449 * second point to notice: between enumerations
1450 * our sam is now the same as it's a snapshoot.
1451 * third point: got rid of the static SAM_USER_21 struct
1452 * no more intermediate.
1453 * con: it uses much more memory, as a full copy is stored
1456 * If you want to change it, think twice and think
1457 * of the second point , that's really important.
1462 if ((r
->in
.level
< 1) || (r
->in
.level
> 5)) {
1463 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1464 (unsigned int)r
->in
.level
));
1465 return NT_STATUS_INVALID_INFO_CLASS
;
1468 /* first limit the number of entries we will return */
1469 if (r
->in
.max_entries
> max_sam_entries
) {
1470 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1471 "entries, limiting to %d\n", r
->in
.max_entries
,
1473 max_entries
= max_sam_entries
;
1476 /* calculate the size and limit on the number of entries we will
1479 temp_size
=max_entries
*struct_size
;
1481 if (temp_size
> r
->in
.buf_size
) {
1482 max_entries
= MIN((r
->in
.buf_size
/ struct_size
),max_entries
);;
1483 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1484 "only %d entries\n", max_entries
));
1489 /* THe following done as ROOT. Don't return without unbecome_root(). */
1491 switch (r
->in
.level
) {
1494 if (dinfo
->disp_info
->users
== NULL
) {
1495 dinfo
->disp_info
->users
= pdb_search_users(
1496 dinfo
->disp_info
, ACB_NORMAL
);
1497 if (dinfo
->disp_info
->users
== NULL
) {
1499 return NT_STATUS_ACCESS_DENIED
;
1501 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1502 (unsigned int)r
->in
.start_idx
));
1504 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1505 (unsigned int)r
->in
.start_idx
));
1508 num_account
= pdb_search_entries(dinfo
->disp_info
->users
,
1509 r
->in
.start_idx
, max_entries
,
1513 if (dinfo
->disp_info
->machines
== NULL
) {
1514 dinfo
->disp_info
->machines
= pdb_search_users(
1515 dinfo
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
1516 if (dinfo
->disp_info
->machines
== NULL
) {
1518 return NT_STATUS_ACCESS_DENIED
;
1520 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1521 (unsigned int)r
->in
.start_idx
));
1523 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1524 (unsigned int)r
->in
.start_idx
));
1527 num_account
= pdb_search_entries(dinfo
->disp_info
->machines
,
1528 r
->in
.start_idx
, max_entries
,
1533 if (dinfo
->disp_info
->groups
== NULL
) {
1534 dinfo
->disp_info
->groups
= pdb_search_groups(
1536 if (dinfo
->disp_info
->groups
== NULL
) {
1538 return NT_STATUS_ACCESS_DENIED
;
1540 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1541 (unsigned int)r
->in
.start_idx
));
1543 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1544 (unsigned int)r
->in
.start_idx
));
1547 num_account
= pdb_search_entries(dinfo
->disp_info
->groups
,
1548 r
->in
.start_idx
, max_entries
,
1553 smb_panic("info class changed");
1559 /* Now create reply structure */
1560 switch (r
->in
.level
) {
1562 disp_ret
= init_samr_dispinfo_1(p
->mem_ctx
, &disp_info
->info1
,
1563 num_account
, r
->in
.start_idx
,
1567 disp_ret
= init_samr_dispinfo_2(p
->mem_ctx
, &disp_info
->info2
,
1568 num_account
, r
->in
.start_idx
,
1572 disp_ret
= init_samr_dispinfo_3(p
->mem_ctx
, &disp_info
->info3
,
1573 num_account
, r
->in
.start_idx
,
1577 disp_ret
= init_samr_dispinfo_4(p
->mem_ctx
, &disp_info
->info4
,
1578 num_account
, r
->in
.start_idx
,
1582 disp_ret
= init_samr_dispinfo_5(p
->mem_ctx
, &disp_info
->info5
,
1583 num_account
, r
->in
.start_idx
,
1587 smb_panic("info class changed");
1591 if (!NT_STATUS_IS_OK(disp_ret
))
1594 if (max_entries
<= num_account
) {
1595 status
= STATUS_MORE_ENTRIES
;
1597 status
= NT_STATUS_OK
;
1600 /* Ensure we cache this enumeration. */
1601 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1603 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1605 *r
->out
.total_size
= num_account
* struct_size
;
1606 *r
->out
.returned_size
= temp_size
;
1611 /****************************************************************
1612 _samr_QueryDisplayInfo2
1613 ****************************************************************/
1615 NTSTATUS
_samr_QueryDisplayInfo2(pipes_struct
*p
,
1616 struct samr_QueryDisplayInfo2
*r
)
1618 struct samr_QueryDisplayInfo q
;
1620 q
.in
.domain_handle
= r
->in
.domain_handle
;
1621 q
.in
.level
= r
->in
.level
;
1622 q
.in
.start_idx
= r
->in
.start_idx
;
1623 q
.in
.max_entries
= r
->in
.max_entries
;
1624 q
.in
.buf_size
= r
->in
.buf_size
;
1626 q
.out
.total_size
= r
->out
.total_size
;
1627 q
.out
.returned_size
= r
->out
.returned_size
;
1628 q
.out
.info
= r
->out
.info
;
1630 return _samr_QueryDisplayInfo(p
, &q
);
1633 /****************************************************************
1634 _samr_QueryDisplayInfo3
1635 ****************************************************************/
1637 NTSTATUS
_samr_QueryDisplayInfo3(pipes_struct
*p
,
1638 struct samr_QueryDisplayInfo3
*r
)
1640 struct samr_QueryDisplayInfo q
;
1642 q
.in
.domain_handle
= r
->in
.domain_handle
;
1643 q
.in
.level
= r
->in
.level
;
1644 q
.in
.start_idx
= r
->in
.start_idx
;
1645 q
.in
.max_entries
= r
->in
.max_entries
;
1646 q
.in
.buf_size
= r
->in
.buf_size
;
1648 q
.out
.total_size
= r
->out
.total_size
;
1649 q
.out
.returned_size
= r
->out
.returned_size
;
1650 q
.out
.info
= r
->out
.info
;
1652 return _samr_QueryDisplayInfo(p
, &q
);
1655 /*******************************************************************
1656 _samr_QueryAliasInfo
1657 ********************************************************************/
1659 NTSTATUS
_samr_QueryAliasInfo(pipes_struct
*p
,
1660 struct samr_QueryAliasInfo
*r
)
1662 struct samr_alias_info
*ainfo
;
1663 struct acct_info info
;
1665 union samr_AliasInfo
*alias_info
= NULL
;
1666 const char *alias_name
= NULL
;
1667 const char *alias_description
= NULL
;
1669 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1671 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
1672 SAMR_ALIAS_ACCESS_LOOKUP_INFO
, NULL
,
1673 struct samr_alias_info
, &status
);
1674 if (!NT_STATUS_IS_OK(status
)) {
1678 alias_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_AliasInfo
);
1680 return NT_STATUS_NO_MEMORY
;
1684 status
= pdb_get_aliasinfo(&ainfo
->sid
, &info
);
1687 if ( !NT_STATUS_IS_OK(status
))
1690 /* FIXME: info contains fstrings */
1691 alias_name
= talloc_strdup(r
, info
.acct_name
);
1692 alias_description
= talloc_strdup(r
, info
.acct_desc
);
1694 switch (r
->in
.level
) {
1696 alias_info
->all
.name
.string
= alias_name
;
1697 alias_info
->all
.num_members
= 1; /* ??? */
1698 alias_info
->all
.description
.string
= alias_description
;
1701 alias_info
->name
.string
= alias_name
;
1703 case ALIASINFODESCRIPTION
:
1704 alias_info
->description
.string
= alias_description
;
1707 return NT_STATUS_INVALID_INFO_CLASS
;
1710 *r
->out
.info
= alias_info
;
1712 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1714 return NT_STATUS_OK
;
1717 /*******************************************************************
1719 ********************************************************************/
1721 NTSTATUS
_samr_LookupNames(pipes_struct
*p
,
1722 struct samr_LookupNames
*r
)
1724 struct samr_domain_info
*dinfo
;
1727 enum lsa_SidType
*type
;
1729 int num_rids
= r
->in
.num_names
;
1730 struct samr_Ids rids
, types
;
1731 uint32_t num_mapped
= 0;
1733 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1735 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1736 0 /* Don't know the acc_bits yet */, NULL
,
1737 struct samr_domain_info
, &status
);
1738 if (!NT_STATUS_IS_OK(status
)) {
1742 if (num_rids
> MAX_SAM_ENTRIES
) {
1743 num_rids
= MAX_SAM_ENTRIES
;
1744 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids
));
1747 rid
= talloc_array(p
->mem_ctx
, uint32
, num_rids
);
1748 NT_STATUS_HAVE_NO_MEMORY(rid
);
1750 type
= talloc_array(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
1751 NT_STATUS_HAVE_NO_MEMORY(type
);
1753 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1754 sid_string_dbg(&dinfo
->sid
)));
1756 for (i
= 0; i
< num_rids
; i
++) {
1758 status
= NT_STATUS_NONE_MAPPED
;
1759 type
[i
] = SID_NAME_UNKNOWN
;
1761 rid
[i
] = 0xffffffff;
1763 if (sid_check_is_builtin(&dinfo
->sid
)) {
1764 if (lookup_builtin_name(r
->in
.names
[i
].string
,
1767 type
[i
] = SID_NAME_ALIAS
;
1770 lookup_global_sam_name(r
->in
.names
[i
].string
, 0,
1774 if (type
[i
] != SID_NAME_UNKNOWN
) {
1779 if (num_mapped
== num_rids
) {
1780 status
= NT_STATUS_OK
;
1781 } else if (num_mapped
== 0) {
1782 status
= NT_STATUS_NONE_MAPPED
;
1784 status
= STATUS_SOME_UNMAPPED
;
1787 rids
.count
= num_rids
;
1790 types
.count
= num_rids
;
1793 *r
->out
.rids
= rids
;
1794 *r
->out
.types
= types
;
1796 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1801 /****************************************************************
1802 _samr_ChangePasswordUser
1803 ****************************************************************/
1805 NTSTATUS
_samr_ChangePasswordUser(pipes_struct
*p
,
1806 struct samr_ChangePasswordUser
*r
)
1810 struct samr_user_info
*uinfo
;
1812 struct samr_Password new_lmPwdHash
, new_ntPwdHash
, checkHash
;
1813 struct samr_Password lm_pwd
, nt_pwd
;
1815 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
1816 SAMR_USER_ACCESS_SET_PASSWORD
, NULL
,
1817 struct samr_user_info
, &status
);
1818 if (!NT_STATUS_IS_OK(status
)) {
1822 DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1823 sid_string_dbg(&uinfo
->sid
)));
1825 if (!(pwd
= samu_new(NULL
))) {
1826 return NT_STATUS_NO_MEMORY
;
1830 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
1835 return NT_STATUS_WRONG_PASSWORD
;
1839 const uint8_t *lm_pass
, *nt_pass
;
1841 lm_pass
= pdb_get_lanman_passwd(pwd
);
1842 nt_pass
= pdb_get_nt_passwd(pwd
);
1844 if (!lm_pass
|| !nt_pass
) {
1845 status
= NT_STATUS_WRONG_PASSWORD
;
1849 memcpy(&lm_pwd
.hash
, lm_pass
, sizeof(lm_pwd
.hash
));
1850 memcpy(&nt_pwd
.hash
, nt_pass
, sizeof(nt_pwd
.hash
));
1853 /* basic sanity checking on parameters. Do this before any database ops */
1854 if (!r
->in
.lm_present
|| !r
->in
.nt_present
||
1855 !r
->in
.old_lm_crypted
|| !r
->in
.new_lm_crypted
||
1856 !r
->in
.old_nt_crypted
|| !r
->in
.new_nt_crypted
) {
1857 /* we should really handle a change with lm not
1859 status
= NT_STATUS_INVALID_PARAMETER_MIX
;
1863 /* decrypt and check the new lm hash */
1864 D_P16(lm_pwd
.hash
, r
->in
.new_lm_crypted
->hash
, new_lmPwdHash
.hash
);
1865 D_P16(new_lmPwdHash
.hash
, r
->in
.old_lm_crypted
->hash
, checkHash
.hash
);
1866 if (memcmp(checkHash
.hash
, lm_pwd
.hash
, 16) != 0) {
1867 status
= NT_STATUS_WRONG_PASSWORD
;
1871 /* decrypt and check the new nt hash */
1872 D_P16(nt_pwd
.hash
, r
->in
.new_nt_crypted
->hash
, new_ntPwdHash
.hash
);
1873 D_P16(new_ntPwdHash
.hash
, r
->in
.old_nt_crypted
->hash
, checkHash
.hash
);
1874 if (memcmp(checkHash
.hash
, nt_pwd
.hash
, 16) != 0) {
1875 status
= NT_STATUS_WRONG_PASSWORD
;
1879 /* The NT Cross is not required by Win2k3 R2, but if present
1880 check the nt cross hash */
1881 if (r
->in
.cross1_present
&& r
->in
.nt_cross
) {
1882 D_P16(lm_pwd
.hash
, r
->in
.nt_cross
->hash
, checkHash
.hash
);
1883 if (memcmp(checkHash
.hash
, new_ntPwdHash
.hash
, 16) != 0) {
1884 status
= NT_STATUS_WRONG_PASSWORD
;
1889 /* The LM Cross is not required by Win2k3 R2, but if present
1890 check the lm cross hash */
1891 if (r
->in
.cross2_present
&& r
->in
.lm_cross
) {
1892 D_P16(nt_pwd
.hash
, r
->in
.lm_cross
->hash
, checkHash
.hash
);
1893 if (memcmp(checkHash
.hash
, new_lmPwdHash
.hash
, 16) != 0) {
1894 status
= NT_STATUS_WRONG_PASSWORD
;
1899 if (!pdb_set_nt_passwd(pwd
, new_ntPwdHash
.hash
, PDB_CHANGED
) ||
1900 !pdb_set_lanman_passwd(pwd
, new_lmPwdHash
.hash
, PDB_CHANGED
)) {
1901 status
= NT_STATUS_ACCESS_DENIED
;
1905 status
= pdb_update_sam_account(pwd
);
1912 /*******************************************************************
1913 _samr_ChangePasswordUser2
1914 ********************************************************************/
1916 NTSTATUS
_samr_ChangePasswordUser2(pipes_struct
*p
,
1917 struct samr_ChangePasswordUser2
*r
)
1919 struct smbd_server_connection
*sconn
= smbd_server_conn
;
1924 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1926 fstrcpy(user_name
, r
->in
.account
->string
);
1927 fstrcpy(wks
, r
->in
.server
->string
);
1929 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1932 * Pass the user through the NT -> unix user mapping
1936 (void)map_username(sconn
, user_name
);
1939 * UNIX username case mangling not required, pass_oem_change
1940 * is case insensitive.
1943 status
= pass_oem_change(user_name
,
1944 r
->in
.lm_password
->data
,
1945 r
->in
.lm_verifier
->hash
,
1946 r
->in
.nt_password
->data
,
1947 r
->in
.nt_verifier
->hash
,
1950 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1952 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1953 return NT_STATUS_WRONG_PASSWORD
;
1959 /****************************************************************
1960 _samr_OemChangePasswordUser2
1961 ****************************************************************/
1963 NTSTATUS
_samr_OemChangePasswordUser2(pipes_struct
*p
,
1964 struct samr_OemChangePasswordUser2
*r
)
1966 struct smbd_server_connection
*sconn
= smbd_server_conn
;
1969 const char *wks
= NULL
;
1971 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__
));
1973 fstrcpy(user_name
, r
->in
.account
->string
);
1974 if (r
->in
.server
&& r
->in
.server
->string
) {
1975 wks
= r
->in
.server
->string
;
1978 DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1981 * Pass the user through the NT -> unix user mapping
1985 (void)map_username(sconn
, user_name
);
1988 * UNIX username case mangling not required, pass_oem_change
1989 * is case insensitive.
1992 if (!r
->in
.hash
|| !r
->in
.password
) {
1993 return NT_STATUS_INVALID_PARAMETER
;
1996 status
= pass_oem_change(user_name
,
1997 r
->in
.password
->data
,
2003 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
2004 return NT_STATUS_WRONG_PASSWORD
;
2007 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__
));
2012 /*******************************************************************
2013 _samr_ChangePasswordUser3
2014 ********************************************************************/
2016 NTSTATUS
_samr_ChangePasswordUser3(pipes_struct
*p
,
2017 struct samr_ChangePasswordUser3
*r
)
2019 struct smbd_server_connection
*sconn
= smbd_server_conn
;
2022 const char *wks
= NULL
;
2023 uint32 reject_reason
;
2024 struct samr_DomInfo1
*dominfo
= NULL
;
2025 struct samr_ChangeReject
*reject
= NULL
;
2028 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
2030 fstrcpy(user_name
, r
->in
.account
->string
);
2031 if (r
->in
.server
&& r
->in
.server
->string
) {
2032 wks
= r
->in
.server
->string
;
2035 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name
, wks
));
2038 * Pass the user through the NT -> unix user mapping
2042 (void)map_username(sconn
, user_name
);
2045 * UNIX username case mangling not required, pass_oem_change
2046 * is case insensitive.
2049 status
= pass_oem_change(user_name
,
2050 r
->in
.lm_password
->data
,
2051 r
->in
.lm_verifier
->hash
,
2052 r
->in
.nt_password
->data
,
2053 r
->in
.nt_verifier
->hash
,
2055 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
2056 return NT_STATUS_WRONG_PASSWORD
;
2059 if (NT_STATUS_EQUAL(status
, NT_STATUS_PASSWORD_RESTRICTION
) ||
2060 NT_STATUS_EQUAL(status
, NT_STATUS_ACCOUNT_RESTRICTION
)) {
2062 time_t u_expire
, u_min_age
;
2063 uint32 account_policy_temp
;
2065 dominfo
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_DomInfo1
);
2067 return NT_STATUS_NO_MEMORY
;
2070 reject
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_ChangeReject
);
2072 return NT_STATUS_NO_MEMORY
;
2079 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
, &tmp
);
2080 dominfo
->min_password_length
= tmp
;
2082 pdb_get_account_policy(AP_PASSWORD_HISTORY
, &tmp
);
2083 dominfo
->password_history_length
= tmp
;
2085 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
2086 &dominfo
->password_properties
);
2088 pdb_get_account_policy(AP_MAX_PASSWORD_AGE
, &account_policy_temp
);
2089 u_expire
= account_policy_temp
;
2091 pdb_get_account_policy(AP_MIN_PASSWORD_AGE
, &account_policy_temp
);
2092 u_min_age
= account_policy_temp
;
2098 unix_to_nt_time_abs((NTTIME
*)&dominfo
->max_password_age
, u_expire
);
2099 unix_to_nt_time_abs((NTTIME
*)&dominfo
->min_password_age
, u_min_age
);
2101 if (lp_check_password_script() && *lp_check_password_script()) {
2102 dominfo
->password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
2105 reject
->reason
= reject_reason
;
2107 *r
->out
.dominfo
= dominfo
;
2108 *r
->out
.reject
= reject
;
2111 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
2116 /*******************************************************************
2117 makes a SAMR_R_LOOKUP_RIDS structure.
2118 ********************************************************************/
2120 static bool make_samr_lookup_rids(TALLOC_CTX
*ctx
, uint32 num_names
,
2122 struct lsa_String
**lsa_name_array_p
)
2124 struct lsa_String
*lsa_name_array
= NULL
;
2127 *lsa_name_array_p
= NULL
;
2129 if (num_names
!= 0) {
2130 lsa_name_array
= TALLOC_ZERO_ARRAY(ctx
, struct lsa_String
, num_names
);
2131 if (!lsa_name_array
) {
2136 for (i
= 0; i
< num_names
; i
++) {
2137 DEBUG(10, ("names[%d]:%s\n", i
, names
[i
] && *names
[i
] ? names
[i
] : ""));
2138 init_lsa_String(&lsa_name_array
[i
], names
[i
]);
2141 *lsa_name_array_p
= lsa_name_array
;
2146 /*******************************************************************
2148 ********************************************************************/
2150 NTSTATUS
_samr_LookupRids(pipes_struct
*p
,
2151 struct samr_LookupRids
*r
)
2153 struct samr_domain_info
*dinfo
;
2156 enum lsa_SidType
*attrs
= NULL
;
2157 uint32
*wire_attrs
= NULL
;
2158 int num_rids
= (int)r
->in
.num_rids
;
2160 struct lsa_Strings names_array
;
2161 struct samr_Ids types_array
;
2162 struct lsa_String
*lsa_names
= NULL
;
2164 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2166 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
2167 0 /* Don't know the acc_bits yet */, NULL
,
2168 struct samr_domain_info
, &status
);
2169 if (!NT_STATUS_IS_OK(status
)) {
2173 if (num_rids
> 1000) {
2174 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2175 "to samba4 idl this is not possible\n", num_rids
));
2176 return NT_STATUS_UNSUCCESSFUL
;
2180 names
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, const char *, num_rids
);
2181 attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
2182 wire_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, uint32
, num_rids
);
2184 if ((names
== NULL
) || (attrs
== NULL
) || (wire_attrs
==NULL
))
2185 return NT_STATUS_NO_MEMORY
;
2192 become_root(); /* lookup_sid can require root privs */
2193 status
= pdb_lookup_rids(&dinfo
->sid
, num_rids
, r
->in
.rids
,
2197 if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
) && (num_rids
== 0)) {
2198 status
= NT_STATUS_OK
;
2201 if (!make_samr_lookup_rids(p
->mem_ctx
, num_rids
, names
,
2203 return NT_STATUS_NO_MEMORY
;
2206 /* Convert from enum lsa_SidType to uint32 for wire format. */
2207 for (i
= 0; i
< num_rids
; i
++) {
2208 wire_attrs
[i
] = (uint32
)attrs
[i
];
2211 names_array
.count
= num_rids
;
2212 names_array
.names
= lsa_names
;
2214 types_array
.count
= num_rids
;
2215 types_array
.ids
= wire_attrs
;
2217 *r
->out
.names
= names_array
;
2218 *r
->out
.types
= types_array
;
2220 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2225 /*******************************************************************
2227 ********************************************************************/
2229 NTSTATUS
_samr_OpenUser(pipes_struct
*p
,
2230 struct samr_OpenUser
*r
)
2232 struct samu
*sampass
=NULL
;
2234 struct samr_domain_info
*dinfo
;
2235 struct samr_user_info
*uinfo
;
2236 SEC_DESC
*psd
= NULL
;
2238 uint32 des_access
= r
->in
.access_mask
;
2239 uint32_t extra_access
= 0;
2246 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
2247 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
2248 struct samr_domain_info
, &status
);
2249 if (!NT_STATUS_IS_OK(status
)) {
2253 if ( !(sampass
= samu_new( p
->mem_ctx
)) ) {
2254 return NT_STATUS_NO_MEMORY
;
2257 /* append the user's RID to it */
2259 if (!sid_compose(&sid
, &dinfo
->sid
, r
->in
.rid
))
2260 return NT_STATUS_NO_SUCH_USER
;
2262 /* check if access can be granted as requested by client. */
2264 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
2266 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
, &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
2267 se_map_generic(&des_access
, &usr_generic_mapping
);
2270 * Get the sampass first as we need to check privilages
2271 * based on what kind of user object this is.
2272 * But don't reveal info too early if it didn't exist.
2276 ret
=pdb_getsampwsid(sampass
, &sid
);
2279 se_priv_copy(&se_rights
, &se_priv_none
);
2282 * We do the override access checks on *open*, not at
2286 uint32_t acb_info
= pdb_get_acct_ctrl(sampass
);
2288 if ((acb_info
& ACB_WSTRUST
) &&
2289 user_has_any_privilege(p
->server_info
->ptok
,
2290 &se_machine_account
)) {
2292 * SeMachineAccount is needed to add
2293 * GENERIC_RIGHTS_USER_WRITE to a machine
2296 se_priv_add(&se_rights
, &se_machine_account
);
2297 DEBUG(10,("_samr_OpenUser: adding machine account "
2298 "rights to handle for user %s\n",
2299 pdb_get_username(sampass
) ));
2301 if ((acb_info
& ACB_NORMAL
) &&
2302 user_has_any_privilege(p
->server_info
->ptok
,
2305 * SeAddUsers is needed to add
2306 * GENERIC_RIGHTS_USER_WRITE to a normal
2309 se_priv_add(&se_rights
, &se_add_users
);
2310 DEBUG(10,("_samr_OpenUser: adding add user "
2311 "rights to handle for user %s\n",
2312 pdb_get_username(sampass
) ));
2315 * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
2316 * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
2317 * what Windows does but is a hack for people who haven't
2318 * set up privilages on groups in Samba.
2320 if (acb_info
& (ACB_SVRTRUST
|ACB_DOMTRUST
)) {
2321 if (lp_enable_privileges() && nt_token_check_domain_rid(p
->server_info
->ptok
,
2322 DOMAIN_GROUP_RID_ADMINS
)) {
2323 des_access
&= ~GENERIC_RIGHTS_USER_WRITE
;
2324 extra_access
= GENERIC_RIGHTS_USER_WRITE
;
2325 DEBUG(4,("_samr_OpenUser: Allowing "
2326 "GENERIC_RIGHTS_USER_WRITE for "
2332 TALLOC_FREE(sampass
);
2334 nt_status
= access_check_object(psd
, p
->server_info
->ptok
,
2335 &se_rights
, GENERIC_RIGHTS_USER_WRITE
, des_access
,
2336 &acc_granted
, "_samr_OpenUser");
2338 if ( !NT_STATUS_IS_OK(nt_status
) )
2341 /* check that the SID exists in our domain. */
2343 return NT_STATUS_NO_SUCH_USER
;
2346 /* If we did the rid admins hack above, allow access. */
2347 acc_granted
|= extra_access
;
2349 uinfo
= policy_handle_create(p
, r
->out
.user_handle
, acc_granted
,
2350 struct samr_user_info
, &nt_status
);
2351 if (!NT_STATUS_IS_OK(nt_status
)) {
2356 return NT_STATUS_OK
;
2359 /*************************************************************************
2360 *************************************************************************/
2362 static NTSTATUS
init_samr_parameters_string(TALLOC_CTX
*mem_ctx
,
2364 struct lsa_BinaryString
**_r
)
2366 struct lsa_BinaryString
*r
;
2369 return NT_STATUS_INVALID_PARAMETER
;
2372 r
= TALLOC_ZERO_P(mem_ctx
, struct lsa_BinaryString
);
2374 return NT_STATUS_NO_MEMORY
;
2377 r
->array
= TALLOC_ZERO_ARRAY(mem_ctx
, uint16_t, blob
->length
/2);
2379 return NT_STATUS_NO_MEMORY
;
2381 memcpy(r
->array
, blob
->data
, blob
->length
);
2382 r
->size
= blob
->length
;
2383 r
->length
= blob
->length
;
2386 return NT_STATUS_NO_MEMORY
;
2391 return NT_STATUS_OK
;
2394 /*************************************************************************
2396 *************************************************************************/
2398 static NTSTATUS
get_user_info_1(TALLOC_CTX
*mem_ctx
,
2399 struct samr_UserInfo1
*r
,
2401 DOM_SID
*domain_sid
)
2403 const DOM_SID
*sid_group
;
2404 uint32_t primary_gid
;
2407 sid_group
= pdb_get_group_sid(pw
);
2410 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2411 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2412 "which conflicts with the domain sid %s. Failing operation.\n",
2413 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2414 sid_string_dbg(domain_sid
)));
2415 return NT_STATUS_UNSUCCESSFUL
;
2418 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2419 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2420 r
->primary_gid
= primary_gid
;
2421 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2422 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2424 return NT_STATUS_OK
;
2427 /*************************************************************************
2429 *************************************************************************/
2431 static NTSTATUS
get_user_info_2(TALLOC_CTX
*mem_ctx
,
2432 struct samr_UserInfo2
*r
,
2435 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2436 r
->unknown
.string
= NULL
;
2437 r
->country_code
= 0;
2440 return NT_STATUS_OK
;
2443 /*************************************************************************
2445 *************************************************************************/
2447 static NTSTATUS
get_user_info_3(TALLOC_CTX
*mem_ctx
,
2448 struct samr_UserInfo3
*r
,
2450 DOM_SID
*domain_sid
)
2452 const DOM_SID
*sid_user
, *sid_group
;
2453 uint32_t rid
, primary_gid
;
2455 sid_user
= pdb_get_user_sid(pw
);
2457 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2458 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2459 "the domain sid %s. Failing operation.\n",
2460 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2461 sid_string_dbg(domain_sid
)));
2462 return NT_STATUS_UNSUCCESSFUL
;
2466 sid_group
= pdb_get_group_sid(pw
);
2469 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2470 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2471 "which conflicts with the domain sid %s. Failing operation.\n",
2472 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2473 sid_string_dbg(domain_sid
)));
2474 return NT_STATUS_UNSUCCESSFUL
;
2477 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2478 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2479 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2480 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2481 unix_to_nt_time(&r
->force_password_change
, pdb_get_pass_must_change_time(pw
));
2483 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2484 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2485 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2486 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2487 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2488 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2489 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2491 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2493 r
->primary_gid
= primary_gid
;
2494 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2495 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2496 r
->logon_count
= pdb_get_logon_count(pw
);
2498 return NT_STATUS_OK
;
2501 /*************************************************************************
2503 *************************************************************************/
2505 static NTSTATUS
get_user_info_4(TALLOC_CTX
*mem_ctx
,
2506 struct samr_UserInfo4
*r
,
2509 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2511 return NT_STATUS_OK
;
2514 /*************************************************************************
2516 *************************************************************************/
2518 static NTSTATUS
get_user_info_5(TALLOC_CTX
*mem_ctx
,
2519 struct samr_UserInfo5
*r
,
2521 DOM_SID
*domain_sid
)
2523 const DOM_SID
*sid_user
, *sid_group
;
2524 uint32_t rid
, primary_gid
;
2526 sid_user
= pdb_get_user_sid(pw
);
2528 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2529 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2530 "the domain sid %s. Failing operation.\n",
2531 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2532 sid_string_dbg(domain_sid
)));
2533 return NT_STATUS_UNSUCCESSFUL
;
2537 sid_group
= pdb_get_group_sid(pw
);
2540 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2541 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2542 "which conflicts with the domain sid %s. Failing operation.\n",
2543 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2544 sid_string_dbg(domain_sid
)));
2545 return NT_STATUS_UNSUCCESSFUL
;
2548 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2549 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2550 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2551 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2553 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2554 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2555 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2556 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2557 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2558 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2559 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2560 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2562 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2564 r
->primary_gid
= primary_gid
;
2565 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2566 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2567 r
->logon_count
= pdb_get_logon_count(pw
);
2569 return NT_STATUS_OK
;
2572 /*************************************************************************
2574 *************************************************************************/
2576 static NTSTATUS
get_user_info_6(TALLOC_CTX
*mem_ctx
,
2577 struct samr_UserInfo6
*r
,
2580 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2581 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2583 return NT_STATUS_OK
;
2586 /*************************************************************************
2587 get_user_info_7. Safe. Only gives out account_name.
2588 *************************************************************************/
2590 static NTSTATUS
get_user_info_7(TALLOC_CTX
*mem_ctx
,
2591 struct samr_UserInfo7
*r
,
2592 struct samu
*smbpass
)
2594 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(smbpass
));
2595 if (!r
->account_name
.string
) {
2596 return NT_STATUS_NO_MEMORY
;
2599 return NT_STATUS_OK
;
2602 /*************************************************************************
2604 *************************************************************************/
2606 static NTSTATUS
get_user_info_8(TALLOC_CTX
*mem_ctx
,
2607 struct samr_UserInfo8
*r
,
2610 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2612 return NT_STATUS_OK
;
2615 /*************************************************************************
2616 get_user_info_9. Only gives out primary group SID.
2617 *************************************************************************/
2619 static NTSTATUS
get_user_info_9(TALLOC_CTX
*mem_ctx
,
2620 struct samr_UserInfo9
*r
,
2621 struct samu
*smbpass
)
2623 r
->primary_gid
= pdb_get_group_rid(smbpass
);
2625 return NT_STATUS_OK
;
2628 /*************************************************************************
2630 *************************************************************************/
2632 static NTSTATUS
get_user_info_10(TALLOC_CTX
*mem_ctx
,
2633 struct samr_UserInfo10
*r
,
2636 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2637 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2639 return NT_STATUS_OK
;
2642 /*************************************************************************
2644 *************************************************************************/
2646 static NTSTATUS
get_user_info_11(TALLOC_CTX
*mem_ctx
,
2647 struct samr_UserInfo11
*r
,
2650 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2652 return NT_STATUS_OK
;
2655 /*************************************************************************
2657 *************************************************************************/
2659 static NTSTATUS
get_user_info_12(TALLOC_CTX
*mem_ctx
,
2660 struct samr_UserInfo12
*r
,
2663 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2665 return NT_STATUS_OK
;
2668 /*************************************************************************
2670 *************************************************************************/
2672 static NTSTATUS
get_user_info_13(TALLOC_CTX
*mem_ctx
,
2673 struct samr_UserInfo13
*r
,
2676 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2678 return NT_STATUS_OK
;
2681 /*************************************************************************
2683 *************************************************************************/
2685 static NTSTATUS
get_user_info_14(TALLOC_CTX
*mem_ctx
,
2686 struct samr_UserInfo14
*r
,
2689 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2691 return NT_STATUS_OK
;
2694 /*************************************************************************
2695 get_user_info_16. Safe. Only gives out acb bits.
2696 *************************************************************************/
2698 static NTSTATUS
get_user_info_16(TALLOC_CTX
*mem_ctx
,
2699 struct samr_UserInfo16
*r
,
2700 struct samu
*smbpass
)
2702 r
->acct_flags
= pdb_get_acct_ctrl(smbpass
);
2704 return NT_STATUS_OK
;
2707 /*************************************************************************
2709 *************************************************************************/
2711 static NTSTATUS
get_user_info_17(TALLOC_CTX
*mem_ctx
,
2712 struct samr_UserInfo17
*r
,
2715 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2717 return NT_STATUS_OK
;
2720 /*************************************************************************
2721 get_user_info_18. OK - this is the killer as it gives out password info.
2722 Ensure that this is only allowed on an encrypted connection with a root
2724 *************************************************************************/
2726 static NTSTATUS
get_user_info_18(pipes_struct
*p
,
2727 TALLOC_CTX
*mem_ctx
,
2728 struct samr_UserInfo18
*r
,
2731 struct samu
*smbpass
=NULL
;
2736 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_NTLMSSP
|| p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
) {
2737 return NT_STATUS_ACCESS_DENIED
;
2740 if (p
->auth
.auth_level
!= PIPE_AUTH_LEVEL_PRIVACY
) {
2741 return NT_STATUS_ACCESS_DENIED
;
2745 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2748 if ( !(smbpass
= samu_new( mem_ctx
)) ) {
2749 return NT_STATUS_NO_MEMORY
;
2752 ret
= pdb_getsampwsid(smbpass
, user_sid
);
2755 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid
)));
2756 TALLOC_FREE(smbpass
);
2757 return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER
: NT_STATUS_ACCESS_DENIED
;
2760 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass
), pdb_get_acct_ctrl(smbpass
) ));
2762 if ( pdb_get_acct_ctrl(smbpass
) & ACB_DISABLED
) {
2763 TALLOC_FREE(smbpass
);
2764 return NT_STATUS_ACCOUNT_DISABLED
;
2767 r
->lm_pwd_active
= true;
2768 r
->nt_pwd_active
= true;
2769 memcpy(r
->lm_pwd
.hash
, pdb_get_lanman_passwd(smbpass
), 16);
2770 memcpy(r
->nt_pwd
.hash
, pdb_get_nt_passwd(smbpass
), 16);
2771 r
->password_expired
= 0; /* FIXME */
2773 TALLOC_FREE(smbpass
);
2775 return NT_STATUS_OK
;
2778 /*************************************************************************
2780 *************************************************************************/
2782 static NTSTATUS
get_user_info_20(TALLOC_CTX
*mem_ctx
,
2783 struct samr_UserInfo20
*r
,
2784 struct samu
*sampass
)
2786 const char *munged_dial
= NULL
;
2789 struct lsa_BinaryString
*parameters
= NULL
;
2793 munged_dial
= pdb_get_munged_dial(sampass
);
2795 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass
),
2796 munged_dial
, (int)strlen(munged_dial
)));
2799 blob
= base64_decode_data_blob(munged_dial
);
2801 blob
= data_blob_string_const_null("");
2804 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2805 data_blob_free(&blob
);
2806 if (!NT_STATUS_IS_OK(status
)) {
2810 r
->parameters
= *parameters
;
2812 return NT_STATUS_OK
;
2816 /*************************************************************************
2818 *************************************************************************/
2820 static NTSTATUS
get_user_info_21(TALLOC_CTX
*mem_ctx
,
2821 struct samr_UserInfo21
*r
,
2823 DOM_SID
*domain_sid
,
2824 uint32_t acc_granted
)
2827 const DOM_SID
*sid_user
, *sid_group
;
2828 uint32_t rid
, primary_gid
;
2829 NTTIME force_password_change
;
2830 time_t must_change_time
;
2831 struct lsa_BinaryString
*parameters
= NULL
;
2832 const char *munged_dial
= NULL
;
2837 sid_user
= pdb_get_user_sid(pw
);
2839 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2840 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2841 "the domain sid %s. Failing operation.\n",
2842 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2843 sid_string_dbg(domain_sid
)));
2844 return NT_STATUS_UNSUCCESSFUL
;
2848 sid_group
= pdb_get_group_sid(pw
);
2851 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2852 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2853 "which conflicts with the domain sid %s. Failing operation.\n",
2854 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2855 sid_string_dbg(domain_sid
)));
2856 return NT_STATUS_UNSUCCESSFUL
;
2859 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2860 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2861 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2862 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2863 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2865 must_change_time
= pdb_get_pass_must_change_time(pw
);
2866 if (must_change_time
== get_time_t_max()) {
2867 unix_to_nt_time_abs(&force_password_change
, must_change_time
);
2869 unix_to_nt_time(&force_password_change
, must_change_time
);
2872 munged_dial
= pdb_get_munged_dial(pw
);
2874 blob
= base64_decode_data_blob(munged_dial
);
2876 blob
= data_blob_string_const_null("");
2879 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2880 data_blob_free(&blob
);
2881 if (!NT_STATUS_IS_OK(status
)) {
2885 r
->force_password_change
= force_password_change
;
2887 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2888 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2889 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2890 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2891 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2892 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2893 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2894 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2895 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2897 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2898 r
->parameters
= *parameters
;
2900 r
->primary_gid
= primary_gid
;
2901 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2902 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2903 r
->logon_count
= pdb_get_logon_count(pw
);
2904 r
->fields_present
= pdb_build_fields_present(pw
);
2905 r
->password_expired
= (pdb_get_pass_must_change_time(pw
) == 0) ?
2906 PASS_MUST_CHANGE_AT_NEXT_LOGON
: 0;
2907 r
->country_code
= 0;
2909 r
->lm_password_set
= 0;
2910 r
->nt_password_set
= 0;
2915 Look at a user on a real NT4 PDC with usrmgr, press
2916 'ok'. Then you will see that fields_present is set to
2917 0x08f827fa. Look at the user immediately after that again,
2918 and you will see that 0x00fffff is returned. This solves
2919 the problem that you get access denied after having looked
2927 return NT_STATUS_OK
;
2930 /*******************************************************************
2932 ********************************************************************/
2934 NTSTATUS
_samr_QueryUserInfo(pipes_struct
*p
,
2935 struct samr_QueryUserInfo
*r
)
2938 union samr_UserInfo
*user_info
= NULL
;
2939 struct samr_user_info
*uinfo
;
2943 struct samu
*pwd
= NULL
;
2944 uint32_t acc_required
, acc_granted
;
2946 switch (r
->in
.level
) {
2947 case 1: /* UserGeneralInformation */
2948 /* USER_READ_GENERAL */
2949 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
;
2951 case 2: /* UserPreferencesInformation */
2952 /* USER_READ_PREFERENCES | USER_READ_GENERAL */
2953 acc_required
= SAMR_USER_ACCESS_GET_LOCALE
|
2954 SAMR_USER_ACCESS_GET_NAME_ETC
;
2956 case 3: /* UserLogonInformation */
2957 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
2958 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
|
2959 SAMR_USER_ACCESS_GET_LOCALE
|
2960 SAMR_USER_ACCESS_GET_LOGONINFO
|
2961 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
2963 case 4: /* UserLogonHoursInformation */
2964 /* USER_READ_LOGON */
2965 acc_required
= SAMR_USER_ACCESS_GET_LOGONINFO
;
2967 case 5: /* UserAccountInformation */
2968 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
2969 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
|
2970 SAMR_USER_ACCESS_GET_LOCALE
|
2971 SAMR_USER_ACCESS_GET_LOGONINFO
|
2972 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
2974 case 6: /* UserNameInformation */
2975 case 7: /* UserAccountNameInformation */
2976 case 8: /* UserFullNameInformation */
2977 case 9: /* UserPrimaryGroupInformation */
2978 case 13: /* UserAdminCommentInformation */
2979 /* USER_READ_GENERAL */
2980 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
;
2982 case 10: /* UserHomeInformation */
2983 case 11: /* UserScriptInformation */
2984 case 12: /* UserProfileInformation */
2985 case 14: /* UserWorkStationsInformation */
2986 /* USER_READ_LOGON */
2987 acc_required
= SAMR_USER_ACCESS_GET_LOGONINFO
;
2989 case 16: /* UserControlInformation */
2990 case 17: /* UserExpiresInformation */
2991 case 20: /* UserParametersInformation */
2992 /* USER_READ_ACCOUNT */
2993 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
2995 case 21: /* UserAllInformation */
2997 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
2999 case 18: /* UserInternal1Information */
3001 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3003 case 23: /* UserInternal4Information */
3004 case 24: /* UserInternal4InformationNew */
3005 case 25: /* UserInternal4InformationNew */
3006 case 26: /* UserInternal5InformationNew */
3008 return NT_STATUS_INVALID_INFO_CLASS
;
3012 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
3013 acc_required
, &acc_granted
,
3014 struct samr_user_info
, &status
);
3015 if (!NT_STATUS_IS_OK(status
)) {
3019 domain_sid
= uinfo
->sid
;
3021 sid_split_rid(&domain_sid
, &rid
);
3023 if (!sid_check_is_in_our_domain(&uinfo
->sid
))
3024 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3026 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
3027 sid_string_dbg(&uinfo
->sid
)));
3029 user_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_UserInfo
);
3031 return NT_STATUS_NO_MEMORY
;
3034 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r
->in
.level
));
3036 if (!(pwd
= samu_new(p
->mem_ctx
))) {
3037 return NT_STATUS_NO_MEMORY
;
3041 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
3045 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo
->sid
)));
3047 return NT_STATUS_NO_SUCH_USER
;
3050 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd
)));
3052 samr_clear_sam_passwd(pwd
);
3054 switch (r
->in
.level
) {
3056 status
= get_user_info_1(p
->mem_ctx
, &user_info
->info1
, pwd
, &domain_sid
);
3059 status
= get_user_info_2(p
->mem_ctx
, &user_info
->info2
, pwd
);
3062 status
= get_user_info_3(p
->mem_ctx
, &user_info
->info3
, pwd
, &domain_sid
);
3065 status
= get_user_info_4(p
->mem_ctx
, &user_info
->info4
, pwd
);
3068 status
= get_user_info_5(p
->mem_ctx
, &user_info
->info5
, pwd
, &domain_sid
);
3071 status
= get_user_info_6(p
->mem_ctx
, &user_info
->info6
, pwd
);
3074 status
= get_user_info_7(p
->mem_ctx
, &user_info
->info7
, pwd
);
3077 status
= get_user_info_8(p
->mem_ctx
, &user_info
->info8
, pwd
);
3080 status
= get_user_info_9(p
->mem_ctx
, &user_info
->info9
, pwd
);
3083 status
= get_user_info_10(p
->mem_ctx
, &user_info
->info10
, pwd
);
3086 status
= get_user_info_11(p
->mem_ctx
, &user_info
->info11
, pwd
);
3089 status
= get_user_info_12(p
->mem_ctx
, &user_info
->info12
, pwd
);
3092 status
= get_user_info_13(p
->mem_ctx
, &user_info
->info13
, pwd
);
3095 status
= get_user_info_14(p
->mem_ctx
, &user_info
->info14
, pwd
);
3098 status
= get_user_info_16(p
->mem_ctx
, &user_info
->info16
, pwd
);
3101 status
= get_user_info_17(p
->mem_ctx
, &user_info
->info17
, pwd
);
3104 /* level 18 is special */
3105 status
= get_user_info_18(p
, p
->mem_ctx
, &user_info
->info18
,
3109 status
= get_user_info_20(p
->mem_ctx
, &user_info
->info20
, pwd
);
3112 status
= get_user_info_21(p
->mem_ctx
, &user_info
->info21
, pwd
, &domain_sid
, acc_granted
);
3115 status
= NT_STATUS_INVALID_INFO_CLASS
;
3119 if (!NT_STATUS_IS_OK(status
)) {
3123 *r
->out
.info
= user_info
;
3128 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__
));
3133 /****************************************************************
3134 ****************************************************************/
3136 NTSTATUS
_samr_QueryUserInfo2(pipes_struct
*p
,
3137 struct samr_QueryUserInfo2
*r
)
3139 struct samr_QueryUserInfo u
;
3141 u
.in
.user_handle
= r
->in
.user_handle
;
3142 u
.in
.level
= r
->in
.level
;
3143 u
.out
.info
= r
->out
.info
;
3145 return _samr_QueryUserInfo(p
, &u
);
3148 /*******************************************************************
3149 _samr_GetGroupsForUser
3150 ********************************************************************/
3152 NTSTATUS
_samr_GetGroupsForUser(pipes_struct
*p
,
3153 struct samr_GetGroupsForUser
*r
)
3155 struct samr_user_info
*uinfo
;
3156 struct samu
*sam_pass
=NULL
;
3158 struct samr_RidWithAttribute dom_gid
;
3159 struct samr_RidWithAttribute
*gids
= NULL
;
3160 uint32 primary_group_rid
;
3161 size_t num_groups
= 0;
3166 bool success
= False
;
3168 struct samr_RidWithAttributeArray
*rids
= NULL
;
3171 * from the SID in the request:
3172 * we should send back the list of DOMAIN GROUPS
3173 * the user is a member of
3175 * and only the DOMAIN GROUPS
3176 * no ALIASES !!! neither aliases of the domain
3177 * nor aliases of the builtin SID
3182 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
3184 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
3185 SAMR_USER_ACCESS_GET_GROUPS
, NULL
,
3186 struct samr_user_info
, &result
);
3187 if (!NT_STATUS_IS_OK(result
)) {
3191 rids
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_RidWithAttributeArray
);
3193 return NT_STATUS_NO_MEMORY
;
3196 if (!sid_check_is_in_our_domain(&uinfo
->sid
))
3197 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3199 if ( !(sam_pass
= samu_new( p
->mem_ctx
)) ) {
3200 return NT_STATUS_NO_MEMORY
;
3204 ret
= pdb_getsampwsid(sam_pass
, &uinfo
->sid
);
3208 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3209 sid_string_dbg(&uinfo
->sid
)));
3210 return NT_STATUS_NO_SUCH_USER
;
3215 /* make both calls inside the root block */
3217 result
= pdb_enum_group_memberships(p
->mem_ctx
, sam_pass
,
3218 &sids
, &unix_gids
, &num_groups
);
3219 if ( NT_STATUS_IS_OK(result
) ) {
3220 success
= sid_peek_check_rid(get_global_sam_sid(),
3221 pdb_get_group_sid(sam_pass
),
3222 &primary_group_rid
);
3226 if (!NT_STATUS_IS_OK(result
)) {
3227 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3228 sid_string_dbg(&uinfo
->sid
)));
3233 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3234 sid_string_dbg(pdb_get_group_sid(sam_pass
)),
3235 pdb_get_username(sam_pass
)));
3236 TALLOC_FREE(sam_pass
);
3237 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
3243 dom_gid
.attributes
= (SE_GROUP_MANDATORY
|SE_GROUP_ENABLED_BY_DEFAULT
|
3245 dom_gid
.rid
= primary_group_rid
;
3246 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
3248 for (i
=0; i
<num_groups
; i
++) {
3250 if (!sid_peek_check_rid(get_global_sam_sid(),
3251 &(sids
[i
]), &dom_gid
.rid
)) {
3252 DEBUG(10, ("Found sid %s not in our domain\n",
3253 sid_string_dbg(&sids
[i
])));
3257 if (dom_gid
.rid
== primary_group_rid
) {
3258 /* We added the primary group directly from the
3259 * sam_account. The other SIDs are unique from
3260 * enum_group_memberships */
3264 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
3267 rids
->count
= num_gids
;
3270 *r
->out
.rids
= rids
;
3272 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
3277 /*******************************************************************
3278 _samr_QueryDomainInfo
3279 ********************************************************************/
3281 NTSTATUS
_samr_QueryDomainInfo(pipes_struct
*p
,
3282 struct samr_QueryDomainInfo
*r
)
3284 NTSTATUS status
= NT_STATUS_OK
;
3285 struct samr_domain_info
*dinfo
;
3286 union samr_DomainInfo
*dom_info
;
3287 time_t u_expire
, u_min_age
;
3289 time_t u_lock_duration
, u_reset_time
;
3292 uint32 account_policy_temp
;
3296 uint32_t acc_required
;
3298 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
3300 switch (r
->in
.level
) {
3301 case 1: /* DomainPasswordInformation */
3302 case 12: /* DomainLockoutInformation */
3303 /* DOMAIN_READ_PASSWORD_PARAMETERS */
3304 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
;
3306 case 11: /* DomainGeneralInformation2 */
3307 /* DOMAIN_READ_PASSWORD_PARAMETERS |
3308 * DOMAIN_READ_OTHER_PARAMETERS */
3309 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
|
3310 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
;
3312 case 2: /* DomainGeneralInformation */
3313 case 3: /* DomainLogoffInformation */
3314 case 4: /* DomainOemInformation */
3315 case 5: /* DomainReplicationInformation */
3316 case 6: /* DomainReplicationInformation */
3317 case 7: /* DomainServerRoleInformation */
3318 case 8: /* DomainModifiedInformation */
3319 case 9: /* DomainStateInformation */
3320 case 10: /* DomainUasInformation */
3321 case 13: /* DomainModifiedInformation2 */
3322 /* DOMAIN_READ_OTHER_PARAMETERS */
3323 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
;
3326 return NT_STATUS_INVALID_INFO_CLASS
;
3329 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
3331 struct samr_domain_info
, &status
);
3332 if (!NT_STATUS_IS_OK(status
)) {
3336 dom_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_DomainInfo
);
3338 return NT_STATUS_NO_MEMORY
;
3341 switch (r
->in
.level
) {
3348 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
,
3349 &account_policy_temp
);
3350 dom_info
->info1
.min_password_length
= account_policy_temp
;
3352 pdb_get_account_policy(AP_PASSWORD_HISTORY
, &account_policy_temp
);
3353 dom_info
->info1
.password_history_length
= account_policy_temp
;
3355 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
3356 &dom_info
->info1
.password_properties
);
3358 pdb_get_account_policy(AP_MAX_PASSWORD_AGE
, &account_policy_temp
);
3359 u_expire
= account_policy_temp
;
3361 pdb_get_account_policy(AP_MIN_PASSWORD_AGE
, &account_policy_temp
);
3362 u_min_age
= account_policy_temp
;
3368 unix_to_nt_time_abs((NTTIME
*)&dom_info
->info1
.max_password_age
, u_expire
);
3369 unix_to_nt_time_abs((NTTIME
*)&dom_info
->info1
.min_password_age
, u_min_age
);
3371 if (lp_check_password_script() && *lp_check_password_script()) {
3372 dom_info
->info1
.password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
3382 dom_info
->general
.num_users
= count_sam_users(
3383 dinfo
->disp_info
, ACB_NORMAL
);
3384 dom_info
->general
.num_groups
= count_sam_groups(
3386 dom_info
->general
.num_aliases
= count_sam_aliases(
3389 pdb_get_account_policy(AP_TIME_TO_LOGOUT
, &u_logout
);
3391 unix_to_nt_time_abs(&dom_info
->general
.force_logoff_time
, u_logout
);
3393 if (!pdb_get_seq_num(&seq_num
))
3394 seq_num
= time(NULL
);
3400 server_role
= ROLE_DOMAIN_PDC
;
3401 if (lp_server_role() == ROLE_DOMAIN_BDC
)
3402 server_role
= ROLE_DOMAIN_BDC
;
3404 dom_info
->general
.oem_information
.string
= lp_serverstring();
3405 dom_info
->general
.domain_name
.string
= lp_workgroup();
3406 dom_info
->general
.primary
.string
= global_myname();
3407 dom_info
->general
.sequence_num
= seq_num
;
3408 dom_info
->general
.domain_server_state
= DOMAIN_SERVER_ENABLED
;
3409 dom_info
->general
.role
= server_role
;
3410 dom_info
->general
.unknown3
= 1;
3421 pdb_get_account_policy(AP_TIME_TO_LOGOUT
, &ul
);
3422 u_logout
= (time_t)ul
;
3429 unix_to_nt_time_abs(&dom_info
->info3
.force_logoff_time
, u_logout
);
3433 dom_info
->oem
.oem_information
.string
= lp_serverstring();
3436 dom_info
->info5
.domain_name
.string
= get_global_sam_name();
3439 /* NT returns its own name when a PDC. win2k and later
3440 * only the name of the PDC if itself is a BDC (samba4
3442 dom_info
->info6
.primary
.string
= global_myname();
3445 server_role
= ROLE_DOMAIN_PDC
;
3446 if (lp_server_role() == ROLE_DOMAIN_BDC
)
3447 server_role
= ROLE_DOMAIN_BDC
;
3449 dom_info
->info7
.role
= server_role
;
3457 if (!pdb_get_seq_num(&seq_num
)) {
3458 seq_num
= time(NULL
);
3465 dom_info
->info8
.sequence_num
= seq_num
;
3466 dom_info
->info8
.domain_create_time
= 0;
3471 dom_info
->info9
.domain_server_state
= DOMAIN_SERVER_ENABLED
;
3480 dom_info
->general2
.general
.num_users
= count_sam_users(
3481 dinfo
->disp_info
, ACB_NORMAL
);
3482 dom_info
->general2
.general
.num_groups
= count_sam_groups(
3484 dom_info
->general2
.general
.num_aliases
= count_sam_aliases(
3487 pdb_get_account_policy(AP_TIME_TO_LOGOUT
, &u_logout
);
3489 unix_to_nt_time_abs(&dom_info
->general2
.general
.force_logoff_time
, u_logout
);
3491 if (!pdb_get_seq_num(&seq_num
))
3492 seq_num
= time(NULL
);
3494 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
3495 u_lock_duration
= account_policy_temp
;
3496 if (u_lock_duration
!= -1) {
3497 u_lock_duration
*= 60;
3500 pdb_get_account_policy(AP_RESET_COUNT_TIME
, &account_policy_temp
);
3501 u_reset_time
= account_policy_temp
* 60;
3503 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT
,
3504 &account_policy_temp
);
3505 dom_info
->general2
.lockout_threshold
= account_policy_temp
;
3511 server_role
= ROLE_DOMAIN_PDC
;
3512 if (lp_server_role() == ROLE_DOMAIN_BDC
)
3513 server_role
= ROLE_DOMAIN_BDC
;
3515 dom_info
->general2
.general
.oem_information
.string
= lp_serverstring();
3516 dom_info
->general2
.general
.domain_name
.string
= lp_workgroup();
3517 dom_info
->general2
.general
.primary
.string
= global_myname();
3518 dom_info
->general2
.general
.sequence_num
= seq_num
;
3519 dom_info
->general2
.general
.domain_server_state
= DOMAIN_SERVER_ENABLED
;
3520 dom_info
->general2
.general
.role
= server_role
;
3521 dom_info
->general2
.general
.unknown3
= 1;
3523 unix_to_nt_time_abs(&dom_info
->general2
.lockout_duration
,
3525 unix_to_nt_time_abs(&dom_info
->general2
.lockout_window
,
3535 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
3536 u_lock_duration
= account_policy_temp
;
3537 if (u_lock_duration
!= -1) {
3538 u_lock_duration
*= 60;
3541 pdb_get_account_policy(AP_RESET_COUNT_TIME
, &account_policy_temp
);
3542 u_reset_time
= account_policy_temp
* 60;
3544 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT
,
3545 &account_policy_temp
);
3546 dom_info
->info12
.lockout_threshold
= account_policy_temp
;
3552 unix_to_nt_time_abs(&dom_info
->info12
.lockout_duration
,
3554 unix_to_nt_time_abs(&dom_info
->info12
.lockout_window
,
3564 if (!pdb_get_seq_num(&seq_num
)) {
3565 seq_num
= time(NULL
);
3572 dom_info
->info13
.sequence_num
= seq_num
;
3573 dom_info
->info13
.domain_create_time
= 0;
3574 dom_info
->info13
.modified_count_at_last_promotion
= 0;
3578 return NT_STATUS_INVALID_INFO_CLASS
;
3581 *r
->out
.info
= dom_info
;
3583 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
3588 /* W2k3 seems to use the same check for all 3 objects that can be created via
3589 * SAMR, if you try to create for example "Dialup" as an alias it says
3590 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3593 static NTSTATUS
can_create(TALLOC_CTX
*mem_ctx
, const char *new_name
)
3595 enum lsa_SidType type
;
3598 DEBUG(10, ("Checking whether [%s] can be created\n", new_name
));
3601 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3602 * whether the name already exists */
3603 result
= lookup_name(mem_ctx
, new_name
, LOOKUP_NAME_LOCAL
,
3604 NULL
, NULL
, NULL
, &type
);
3608 DEBUG(10, ("%s does not exist, can create it\n", new_name
));
3609 return NT_STATUS_OK
;
3612 DEBUG(5, ("trying to create %s, exists as %s\n",
3613 new_name
, sid_type_lookup(type
)));
3615 if (type
== SID_NAME_DOM_GRP
) {
3616 return NT_STATUS_GROUP_EXISTS
;
3618 if (type
== SID_NAME_ALIAS
) {
3619 return NT_STATUS_ALIAS_EXISTS
;
3622 /* Yes, the default is NT_STATUS_USER_EXISTS */
3623 return NT_STATUS_USER_EXISTS
;
3626 /*******************************************************************
3628 ********************************************************************/
3630 NTSTATUS
_samr_CreateUser2(pipes_struct
*p
,
3631 struct samr_CreateUser2
*r
)
3633 const char *account
= NULL
;
3635 uint32_t acb_info
= r
->in
.acct_flags
;
3636 struct samr_domain_info
*dinfo
;
3637 struct samr_user_info
*uinfo
;
3642 /* check this, when giving away 'add computer to domain' privs */
3643 uint32 des_access
= GENERIC_RIGHTS_USER_ALL_ACCESS
;
3644 bool can_add_account
= False
;
3647 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
3648 SAMR_DOMAIN_ACCESS_CREATE_USER
, NULL
,
3649 struct samr_domain_info
, &nt_status
);
3650 if (!NT_STATUS_IS_OK(nt_status
)) {
3654 if (sid_check_is_builtin(&dinfo
->sid
)) {
3655 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3656 return NT_STATUS_ACCESS_DENIED
;
3659 if (!(acb_info
== ACB_NORMAL
|| acb_info
== ACB_DOMTRUST
||
3660 acb_info
== ACB_WSTRUST
|| acb_info
== ACB_SVRTRUST
)) {
3661 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3662 this parameter is not an account type */
3663 return NT_STATUS_INVALID_PARAMETER
;
3666 account
= r
->in
.account_name
->string
;
3667 if (account
== NULL
) {
3668 return NT_STATUS_NO_MEMORY
;
3671 nt_status
= can_create(p
->mem_ctx
, account
);
3672 if (!NT_STATUS_IS_OK(nt_status
)) {
3676 /* determine which user right we need to check based on the acb_info */
3678 if (geteuid() == sec_initial_uid()) {
3679 se_priv_copy(&se_rights
, &se_priv_none
);
3680 can_add_account
= true;
3681 } else if (acb_info
& ACB_WSTRUST
) {
3682 se_priv_copy(&se_rights
, &se_machine_account
);
3683 can_add_account
= user_has_privileges(
3684 p
->server_info
->ptok
, &se_rights
);
3685 } else if (acb_info
& ACB_NORMAL
&&
3686 (account
[strlen(account
)-1] != '$')) {
3687 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3688 account for domain trusts and changes the ACB flags later */
3689 se_priv_copy(&se_rights
, &se_add_users
);
3690 can_add_account
= user_has_privileges(
3691 p
->server_info
->ptok
, &se_rights
);
3692 } else if (lp_enable_privileges()) {
3693 /* implicit assumption of a BDC or domain trust account here
3694 * (we already check the flags earlier) */
3695 /* only Domain Admins can add a BDC or domain trust */
3696 se_priv_copy(&se_rights
, &se_priv_none
);
3697 can_add_account
= nt_token_check_domain_rid(
3698 p
->server_info
->ptok
,
3699 DOMAIN_GROUP_RID_ADMINS
);
3702 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3703 uidtoname(p
->server_info
->utok
.uid
),
3704 can_add_account
? "True":"False" ));
3706 if (!can_add_account
) {
3707 return NT_STATUS_ACCESS_DENIED
;
3710 /********** BEGIN Admin BLOCK **********/
3713 nt_status
= pdb_create_user(p
->mem_ctx
, account
, acb_info
,
3717 /********** END Admin BLOCK **********/
3719 /* now check for failure */
3721 if ( !NT_STATUS_IS_OK(nt_status
) )
3724 /* Get the user's SID */
3726 sid_compose(&sid
, get_global_sam_sid(), *r
->out
.rid
);
3728 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3730 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
,
3731 &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
3732 se_map_generic(&des_access
, &usr_generic_mapping
);
3735 * JRA - TESTME. We just created this user so we
3736 * had rights to create them. Do we need to check
3737 * any further access on this object ? Can't we
3738 * just assume we have all the rights we need ?
3741 nt_status
= access_check_object(psd
, p
->server_info
->ptok
,
3742 &se_rights
, GENERIC_RIGHTS_USER_WRITE
, des_access
,
3743 &acc_granted
, "_samr_CreateUser2");
3745 if ( !NT_STATUS_IS_OK(nt_status
) ) {
3749 uinfo
= policy_handle_create(p
, r
->out
.user_handle
, acc_granted
,
3750 struct samr_user_info
, &nt_status
);
3751 if (!NT_STATUS_IS_OK(nt_status
)) {
3756 /* After a "set" ensure we have no cached display info. */
3757 force_flush_samr_cache(&sid
);
3759 *r
->out
.access_granted
= acc_granted
;
3761 return NT_STATUS_OK
;
3764 /****************************************************************
3765 ****************************************************************/
3767 NTSTATUS
_samr_CreateUser(pipes_struct
*p
,
3768 struct samr_CreateUser
*r
)
3770 struct samr_CreateUser2 c
;
3771 uint32_t access_granted
;
3773 c
.in
.domain_handle
= r
->in
.domain_handle
;
3774 c
.in
.account_name
= r
->in
.account_name
;
3775 c
.in
.acct_flags
= ACB_NORMAL
;
3776 c
.in
.access_mask
= r
->in
.access_mask
;
3777 c
.out
.user_handle
= r
->out
.user_handle
;
3778 c
.out
.access_granted
= &access_granted
;
3779 c
.out
.rid
= r
->out
.rid
;
3781 return _samr_CreateUser2(p
, &c
);
3784 /*******************************************************************
3786 ********************************************************************/
3788 NTSTATUS
_samr_Connect(pipes_struct
*p
,
3789 struct samr_Connect
*r
)
3791 struct samr_connect_info
*info
;
3792 uint32_t acc_granted
;
3793 struct policy_handle hnd
;
3794 uint32 des_access
= r
->in
.access_mask
;
3799 if (!pipe_access_check(p
)) {
3800 DEBUG(3, ("access denied to _samr_Connect\n"));
3801 return NT_STATUS_ACCESS_DENIED
;
3804 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3805 was observed from a win98 client trying to enumerate users (when configured
3806 user level access control on shares) --jerry */
3808 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3810 se_map_generic( &des_access
, &sam_generic_mapping
);
3812 acc_granted
= des_access
& (SAMR_ACCESS_ENUM_DOMAINS
3813 |SAMR_ACCESS_LOOKUP_DOMAIN
);
3815 /* set up the SAMR connect_anon response */
3817 info
= policy_handle_create(p
, &hnd
, acc_granted
,
3818 struct samr_connect_info
,
3820 if (!NT_STATUS_IS_OK(status
)) {
3824 *r
->out
.connect_handle
= hnd
;
3825 return NT_STATUS_OK
;
3828 /*******************************************************************
3830 ********************************************************************/
3832 NTSTATUS
_samr_Connect2(pipes_struct
*p
,
3833 struct samr_Connect2
*r
)
3835 struct samr_connect_info
*info
= NULL
;
3836 struct policy_handle hnd
;
3837 SEC_DESC
*psd
= NULL
;
3839 uint32 des_access
= r
->in
.access_mask
;
3842 const char *fn
= "_samr_Connect2";
3844 switch (p
->hdr_req
.opnum
) {
3845 case NDR_SAMR_CONNECT2
:
3846 fn
= "_samr_Connect2";
3848 case NDR_SAMR_CONNECT3
:
3849 fn
= "_samr_Connect3";
3851 case NDR_SAMR_CONNECT4
:
3852 fn
= "_samr_Connect4";
3854 case NDR_SAMR_CONNECT5
:
3855 fn
= "_samr_Connect5";
3859 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
3863 if (!pipe_access_check(p
)) {
3864 DEBUG(3, ("access denied to %s\n", fn
));
3865 return NT_STATUS_ACCESS_DENIED
;
3868 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
3870 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &sam_generic_mapping
, NULL
, 0);
3871 se_map_generic(&des_access
, &sam_generic_mapping
);
3873 nt_status
= access_check_object(psd
, p
->server_info
->ptok
,
3874 NULL
, 0, des_access
, &acc_granted
, fn
);
3876 if ( !NT_STATUS_IS_OK(nt_status
) )
3879 info
= policy_handle_create(p
, &hnd
, acc_granted
,
3880 struct samr_connect_info
, &nt_status
);
3881 if (!NT_STATUS_IS_OK(nt_status
)) {
3885 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
3887 *r
->out
.connect_handle
= hnd
;
3888 return NT_STATUS_OK
;
3891 /****************************************************************
3893 ****************************************************************/
3895 NTSTATUS
_samr_Connect3(pipes_struct
*p
,
3896 struct samr_Connect3
*r
)
3898 struct samr_Connect2 c
;
3900 c
.in
.system_name
= r
->in
.system_name
;
3901 c
.in
.access_mask
= r
->in
.access_mask
;
3902 c
.out
.connect_handle
= r
->out
.connect_handle
;
3904 return _samr_Connect2(p
, &c
);
3907 /*******************************************************************
3909 ********************************************************************/
3911 NTSTATUS
_samr_Connect4(pipes_struct
*p
,
3912 struct samr_Connect4
*r
)
3914 struct samr_Connect2 c
;
3916 c
.in
.system_name
= r
->in
.system_name
;
3917 c
.in
.access_mask
= r
->in
.access_mask
;
3918 c
.out
.connect_handle
= r
->out
.connect_handle
;
3920 return _samr_Connect2(p
, &c
);
3923 /*******************************************************************
3925 ********************************************************************/
3927 NTSTATUS
_samr_Connect5(pipes_struct
*p
,
3928 struct samr_Connect5
*r
)
3931 struct samr_Connect2 c
;
3932 struct samr_ConnectInfo1 info1
;
3934 info1
.client_version
= SAMR_CONNECT_AFTER_W2K
;
3937 c
.in
.system_name
= r
->in
.system_name
;
3938 c
.in
.access_mask
= r
->in
.access_mask
;
3939 c
.out
.connect_handle
= r
->out
.connect_handle
;
3941 *r
->out
.level_out
= 1;
3943 status
= _samr_Connect2(p
, &c
);
3944 if (!NT_STATUS_IS_OK(status
)) {
3948 r
->out
.info_out
->info1
= info1
;
3950 return NT_STATUS_OK
;
3953 /**********************************************************************
3955 **********************************************************************/
3957 NTSTATUS
_samr_LookupDomain(pipes_struct
*p
,
3958 struct samr_LookupDomain
*r
)
3961 struct samr_connect_info
*info
;
3962 const char *domain_name
;
3963 DOM_SID
*sid
= NULL
;
3965 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3966 Reverted that change so we will work with RAS servers again */
3968 info
= policy_handle_find(p
, r
->in
.connect_handle
,
3969 SAMR_ACCESS_LOOKUP_DOMAIN
, NULL
,
3970 struct samr_connect_info
,
3972 if (!NT_STATUS_IS_OK(status
)) {
3976 domain_name
= r
->in
.domain_name
->string
;
3978 return NT_STATUS_INVALID_PARAMETER
;
3981 sid
= TALLOC_ZERO_P(p
->mem_ctx
, struct dom_sid2
);
3983 return NT_STATUS_NO_MEMORY
;
3986 if (strequal(domain_name
, builtin_domain_name())) {
3987 sid_copy(sid
, &global_sid_Builtin
);
3989 if (!secrets_fetch_domain_sid(domain_name
, sid
)) {
3990 status
= NT_STATUS_NO_SUCH_DOMAIN
;
3994 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name
,
3995 sid_string_dbg(sid
)));
4002 /**********************************************************************
4004 **********************************************************************/
4006 NTSTATUS
_samr_EnumDomains(pipes_struct
*p
,
4007 struct samr_EnumDomains
*r
)
4010 struct samr_connect_info
*info
;
4011 uint32_t num_entries
= 2;
4012 struct samr_SamEntry
*entry_array
= NULL
;
4013 struct samr_SamArray
*sam
;
4015 info
= policy_handle_find(p
, r
->in
.connect_handle
,
4016 SAMR_ACCESS_ENUM_DOMAINS
, NULL
,
4017 struct samr_connect_info
, &status
);
4018 if (!NT_STATUS_IS_OK(status
)) {
4022 sam
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
4024 return NT_STATUS_NO_MEMORY
;
4027 entry_array
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
4028 struct samr_SamEntry
,
4031 return NT_STATUS_NO_MEMORY
;
4034 entry_array
[0].idx
= 0;
4035 init_lsa_String(&entry_array
[0].name
, get_global_sam_name());
4037 entry_array
[1].idx
= 1;
4038 init_lsa_String(&entry_array
[1].name
, "Builtin");
4040 sam
->count
= num_entries
;
4041 sam
->entries
= entry_array
;
4044 *r
->out
.num_entries
= num_entries
;
4049 /*******************************************************************
4051 ********************************************************************/
4053 NTSTATUS
_samr_OpenAlias(pipes_struct
*p
,
4054 struct samr_OpenAlias
*r
)
4057 uint32 alias_rid
= r
->in
.rid
;
4058 struct samr_alias_info
*ainfo
;
4059 struct samr_domain_info
*dinfo
;
4060 SEC_DESC
*psd
= NULL
;
4062 uint32 des_access
= r
->in
.access_mask
;
4067 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
4068 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
4069 struct samr_domain_info
, &status
);
4070 if (!NT_STATUS_IS_OK(status
)) {
4074 /* append the alias' RID to it */
4076 if (!sid_compose(&sid
, &dinfo
->sid
, alias_rid
))
4077 return NT_STATUS_NO_SUCH_ALIAS
;
4079 /*check if access can be granted as requested by client. */
4081 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
4083 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &ali_generic_mapping
, NULL
, 0);
4084 se_map_generic(&des_access
,&ali_generic_mapping
);
4086 se_priv_copy( &se_rights
, &se_add_users
);
4088 status
= access_check_object(psd
, p
->server_info
->ptok
,
4089 &se_rights
, GENERIC_RIGHTS_ALIAS_ALL_ACCESS
,
4090 des_access
, &acc_granted
, "_samr_OpenAlias");
4092 if ( !NT_STATUS_IS_OK(status
) )
4096 /* Check we actually have the requested alias */
4097 enum lsa_SidType type
;
4102 result
= lookup_sid(NULL
, &sid
, NULL
, NULL
, &type
);
4105 if (!result
|| (type
!= SID_NAME_ALIAS
)) {
4106 return NT_STATUS_NO_SUCH_ALIAS
;
4109 /* make sure there is a mapping */
4111 if ( !sid_to_gid( &sid
, &gid
) ) {
4112 return NT_STATUS_NO_SUCH_ALIAS
;
4117 ainfo
= policy_handle_create(p
, r
->out
.alias_handle
, acc_granted
,
4118 struct samr_alias_info
, &status
);
4119 if (!NT_STATUS_IS_OK(status
)) {
4124 return NT_STATUS_OK
;
4127 /*******************************************************************
4129 ********************************************************************/
4131 static NTSTATUS
set_user_info_2(TALLOC_CTX
*mem_ctx
,
4132 struct samr_UserInfo2
*id2
,
4136 DEBUG(5,("set_user_info_2: NULL id2\n"));
4137 return NT_STATUS_ACCESS_DENIED
;
4140 copy_id2_to_sam_passwd(pwd
, id2
);
4142 return pdb_update_sam_account(pwd
);
4145 /*******************************************************************
4147 ********************************************************************/
4149 static NTSTATUS
set_user_info_4(TALLOC_CTX
*mem_ctx
,
4150 struct samr_UserInfo4
*id4
,
4154 DEBUG(5,("set_user_info_2: NULL id4\n"));
4155 return NT_STATUS_ACCESS_DENIED
;
4158 copy_id4_to_sam_passwd(pwd
, id4
);
4160 return pdb_update_sam_account(pwd
);
4163 /*******************************************************************
4165 ********************************************************************/
4167 static NTSTATUS
set_user_info_6(TALLOC_CTX
*mem_ctx
,
4168 struct samr_UserInfo6
*id6
,
4172 DEBUG(5,("set_user_info_6: NULL id6\n"));
4173 return NT_STATUS_ACCESS_DENIED
;
4176 copy_id6_to_sam_passwd(pwd
, id6
);
4178 return pdb_update_sam_account(pwd
);
4181 /*******************************************************************
4183 ********************************************************************/
4185 static NTSTATUS
set_user_info_7(TALLOC_CTX
*mem_ctx
,
4186 struct samr_UserInfo7
*id7
,
4192 DEBUG(5, ("set_user_info_7: NULL id7\n"));
4193 return NT_STATUS_ACCESS_DENIED
;
4196 if (!id7
->account_name
.string
) {
4197 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
4198 return NT_STATUS_ACCESS_DENIED
;
4201 /* check to see if the new username already exists. Note: we can't
4202 reliably lock all backends, so there is potentially the
4203 possibility that a user can be created in between this check and
4204 the rename. The rename should fail, but may not get the
4205 exact same failure status code. I think this is small enough
4206 of a window for this type of operation and the results are
4207 simply that the rename fails with a slightly different status
4208 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4210 rc
= can_create(mem_ctx
, id7
->account_name
.string
);
4212 /* when there is nothing to change, we're done here */
4213 if (NT_STATUS_EQUAL(rc
, NT_STATUS_USER_EXISTS
) &&
4214 strequal(id7
->account_name
.string
, pdb_get_username(pwd
))) {
4215 return NT_STATUS_OK
;
4217 if (!NT_STATUS_IS_OK(rc
)) {
4221 rc
= pdb_rename_sam_account(pwd
, id7
->account_name
.string
);
4226 /*******************************************************************
4228 ********************************************************************/
4230 static NTSTATUS
set_user_info_8(TALLOC_CTX
*mem_ctx
,
4231 struct samr_UserInfo8
*id8
,
4235 DEBUG(5,("set_user_info_8: NULL id8\n"));
4236 return NT_STATUS_ACCESS_DENIED
;
4239 copy_id8_to_sam_passwd(pwd
, id8
);
4241 return pdb_update_sam_account(pwd
);
4244 /*******************************************************************
4246 ********************************************************************/
4248 static NTSTATUS
set_user_info_10(TALLOC_CTX
*mem_ctx
,
4249 struct samr_UserInfo10
*id10
,
4253 DEBUG(5,("set_user_info_8: NULL id10\n"));
4254 return NT_STATUS_ACCESS_DENIED
;
4257 copy_id10_to_sam_passwd(pwd
, id10
);
4259 return pdb_update_sam_account(pwd
);
4262 /*******************************************************************
4264 ********************************************************************/
4266 static NTSTATUS
set_user_info_11(TALLOC_CTX
*mem_ctx
,
4267 struct samr_UserInfo11
*id11
,
4271 DEBUG(5,("set_user_info_11: NULL id11\n"));
4272 return NT_STATUS_ACCESS_DENIED
;
4275 copy_id11_to_sam_passwd(pwd
, id11
);
4277 return pdb_update_sam_account(pwd
);
4280 /*******************************************************************
4282 ********************************************************************/
4284 static NTSTATUS
set_user_info_12(TALLOC_CTX
*mem_ctx
,
4285 struct samr_UserInfo12
*id12
,
4289 DEBUG(5,("set_user_info_12: NULL id12\n"));
4290 return NT_STATUS_ACCESS_DENIED
;
4293 copy_id12_to_sam_passwd(pwd
, id12
);
4295 return pdb_update_sam_account(pwd
);
4298 /*******************************************************************
4300 ********************************************************************/
4302 static NTSTATUS
set_user_info_13(TALLOC_CTX
*mem_ctx
,
4303 struct samr_UserInfo13
*id13
,
4307 DEBUG(5,("set_user_info_13: NULL id13\n"));
4308 return NT_STATUS_ACCESS_DENIED
;
4311 copy_id13_to_sam_passwd(pwd
, id13
);
4313 return pdb_update_sam_account(pwd
);
4316 /*******************************************************************
4318 ********************************************************************/
4320 static NTSTATUS
set_user_info_14(TALLOC_CTX
*mem_ctx
,
4321 struct samr_UserInfo14
*id14
,
4325 DEBUG(5,("set_user_info_14: NULL id14\n"));
4326 return NT_STATUS_ACCESS_DENIED
;
4329 copy_id14_to_sam_passwd(pwd
, id14
);
4331 return pdb_update_sam_account(pwd
);
4334 /*******************************************************************
4336 ********************************************************************/
4338 static NTSTATUS
set_user_info_16(TALLOC_CTX
*mem_ctx
,
4339 struct samr_UserInfo16
*id16
,
4343 DEBUG(5,("set_user_info_16: NULL id16\n"));
4344 return NT_STATUS_ACCESS_DENIED
;
4347 copy_id16_to_sam_passwd(pwd
, id16
);
4349 return pdb_update_sam_account(pwd
);
4352 /*******************************************************************
4354 ********************************************************************/
4356 static NTSTATUS
set_user_info_17(TALLOC_CTX
*mem_ctx
,
4357 struct samr_UserInfo17
*id17
,
4361 DEBUG(5,("set_user_info_17: NULL id17\n"));
4362 return NT_STATUS_ACCESS_DENIED
;
4365 copy_id17_to_sam_passwd(pwd
, id17
);
4367 return pdb_update_sam_account(pwd
);
4370 /*******************************************************************
4372 ********************************************************************/
4374 static NTSTATUS
set_user_info_18(struct samr_UserInfo18
*id18
,
4375 TALLOC_CTX
*mem_ctx
,
4376 DATA_BLOB
*session_key
,
4380 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
4381 return NT_STATUS_INVALID_PARAMETER
;
4384 if (id18
->nt_pwd_active
|| id18
->lm_pwd_active
) {
4385 if (!session_key
->length
) {
4386 return NT_STATUS_NO_USER_SESSION_KEY
;
4390 if (id18
->nt_pwd_active
) {
4394 in
= data_blob_const(id18
->nt_pwd
.hash
, 16);
4395 out
= data_blob_talloc_zero(mem_ctx
, 16);
4397 sess_crypt_blob(&out
, &in
, session_key
, false);
4399 if (!pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
4400 return NT_STATUS_ACCESS_DENIED
;
4403 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4406 if (id18
->lm_pwd_active
) {
4410 in
= data_blob_const(id18
->lm_pwd
.hash
, 16);
4411 out
= data_blob_talloc_zero(mem_ctx
, 16);
4413 sess_crypt_blob(&out
, &in
, session_key
, false);
4415 if (!pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
4416 return NT_STATUS_ACCESS_DENIED
;
4419 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4422 copy_id18_to_sam_passwd(pwd
, id18
);
4424 return pdb_update_sam_account(pwd
);
4427 /*******************************************************************
4429 ********************************************************************/
4431 static NTSTATUS
set_user_info_20(TALLOC_CTX
*mem_ctx
,
4432 struct samr_UserInfo20
*id20
,
4436 DEBUG(5,("set_user_info_20: NULL id20\n"));
4437 return NT_STATUS_ACCESS_DENIED
;
4440 copy_id20_to_sam_passwd(pwd
, id20
);
4442 return pdb_update_sam_account(pwd
);
4445 /*******************************************************************
4447 ********************************************************************/
4449 static NTSTATUS
set_user_info_21(struct samr_UserInfo21
*id21
,
4450 TALLOC_CTX
*mem_ctx
,
4451 DATA_BLOB
*session_key
,
4457 DEBUG(5, ("set_user_info_21: NULL id21\n"));
4458 return NT_STATUS_INVALID_PARAMETER
;
4461 if (id21
->fields_present
== 0) {
4462 return NT_STATUS_INVALID_PARAMETER
;
4465 if (id21
->fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4466 return NT_STATUS_ACCESS_DENIED
;
4469 if (id21
->fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) {
4470 if (id21
->nt_password_set
) {
4473 if ((id21
->nt_owf_password
.length
!= 16) ||
4474 (id21
->nt_owf_password
.size
!= 16)) {
4475 return NT_STATUS_INVALID_PARAMETER
;
4478 if (!session_key
->length
) {
4479 return NT_STATUS_NO_USER_SESSION_KEY
;
4482 in
= data_blob_const(id21
->nt_owf_password
.array
, 16);
4483 out
= data_blob_talloc_zero(mem_ctx
, 16);
4485 sess_crypt_blob(&out
, &in
, session_key
, false);
4487 pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
);
4488 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4492 if (id21
->fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
) {
4493 if (id21
->lm_password_set
) {
4496 if ((id21
->lm_owf_password
.length
!= 16) ||
4497 (id21
->lm_owf_password
.size
!= 16)) {
4498 return NT_STATUS_INVALID_PARAMETER
;
4501 if (!session_key
->length
) {
4502 return NT_STATUS_NO_USER_SESSION_KEY
;
4505 in
= data_blob_const(id21
->lm_owf_password
.array
, 16);
4506 out
= data_blob_talloc_zero(mem_ctx
, 16);
4508 sess_crypt_blob(&out
, &in
, session_key
, false);
4510 pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
);
4511 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4515 /* we need to separately check for an account rename first */
4517 if (id21
->account_name
.string
&&
4518 (!strequal(id21
->account_name
.string
, pdb_get_username(pwd
))))
4521 /* check to see if the new username already exists. Note: we can't
4522 reliably lock all backends, so there is potentially the
4523 possibility that a user can be created in between this check and
4524 the rename. The rename should fail, but may not get the
4525 exact same failure status code. I think this is small enough
4526 of a window for this type of operation and the results are
4527 simply that the rename fails with a slightly different status
4528 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4530 status
= can_create(mem_ctx
, id21
->account_name
.string
);
4531 if (!NT_STATUS_IS_OK(status
)) {
4535 status
= pdb_rename_sam_account(pwd
, id21
->account_name
.string
);
4537 if (!NT_STATUS_IS_OK(status
)) {
4538 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4539 nt_errstr(status
)));
4543 /* set the new username so that later
4544 functions can work on the new account */
4545 pdb_set_username(pwd
, id21
->account_name
.string
, PDB_SET
);
4548 copy_id21_to_sam_passwd("INFO_21", pwd
, id21
);
4551 * The funny part about the previous two calls is
4552 * that pwd still has the password hashes from the
4553 * passdb entry. These have not been updated from
4554 * id21. I don't know if they need to be set. --jerry
4557 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4558 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4559 if ( !NT_STATUS_IS_OK(status
) ) {
4564 /* Don't worry about writing out the user account since the
4565 primary group SID is generated solely from the user's Unix
4568 /* write the change out */
4569 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4573 return NT_STATUS_OK
;
4576 /*******************************************************************
4578 ********************************************************************/
4580 static NTSTATUS
set_user_info_23(TALLOC_CTX
*mem_ctx
,
4581 struct samr_UserInfo23
*id23
,
4584 char *plaintext_buf
= NULL
;
4590 DEBUG(5, ("set_user_info_23: NULL id23\n"));
4591 return NT_STATUS_INVALID_PARAMETER
;
4594 if (id23
->info
.fields_present
== 0) {
4595 return NT_STATUS_INVALID_PARAMETER
;
4598 if (id23
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4599 return NT_STATUS_ACCESS_DENIED
;
4602 if ((id23
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4603 (id23
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4605 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4606 pdb_get_username(pwd
)));
4608 if (!decode_pw_buffer(mem_ctx
,
4609 id23
->password
.data
,
4613 return NT_STATUS_WRONG_PASSWORD
;
4616 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
4617 return NT_STATUS_ACCESS_DENIED
;
4621 copy_id23_to_sam_passwd(pwd
, id23
);
4623 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
4625 /* if it's a trust account, don't update /etc/passwd */
4626 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
4627 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
4628 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
4629 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4630 } else if (plaintext_buf
) {
4631 /* update the UNIX password */
4632 if (lp_unix_password_sync() ) {
4633 struct passwd
*passwd
;
4634 if (pdb_get_username(pwd
) == NULL
) {
4635 DEBUG(1, ("chgpasswd: User without name???\n"));
4636 return NT_STATUS_ACCESS_DENIED
;
4639 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
4640 if (passwd
== NULL
) {
4641 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4644 if(!chgpasswd(pdb_get_username(pwd
), passwd
, "", plaintext_buf
, True
)) {
4645 return NT_STATUS_ACCESS_DENIED
;
4647 TALLOC_FREE(passwd
);
4651 if (plaintext_buf
) {
4652 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
4655 if (IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) &&
4656 (!NT_STATUS_IS_OK(status
= pdb_set_unix_primary_group(mem_ctx
,
4661 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4665 return NT_STATUS_OK
;
4668 /*******************************************************************
4670 ********************************************************************/
4672 static bool set_user_info_pw(uint8
*pass
, struct samu
*pwd
)
4675 char *plaintext_buf
= NULL
;
4678 DEBUG(5, ("Attempting administrator password change for user %s\n",
4679 pdb_get_username(pwd
)));
4681 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
4683 if (!decode_pw_buffer(talloc_tos(),
4691 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
4695 /* if it's a trust account, don't update /etc/passwd */
4696 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
4697 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
4698 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
4699 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4701 /* update the UNIX password */
4702 if (lp_unix_password_sync()) {
4703 struct passwd
*passwd
;
4705 if (pdb_get_username(pwd
) == NULL
) {
4706 DEBUG(1, ("chgpasswd: User without name???\n"));
4710 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
4711 if (passwd
== NULL
) {
4712 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4715 if(!chgpasswd(pdb_get_username(pwd
), passwd
, "", plaintext_buf
, True
)) {
4718 TALLOC_FREE(passwd
);
4722 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
4724 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4729 /*******************************************************************
4731 ********************************************************************/
4733 static NTSTATUS
set_user_info_24(TALLOC_CTX
*mem_ctx
,
4734 struct samr_UserInfo24
*id24
,
4740 DEBUG(5, ("set_user_info_24: NULL id24\n"));
4741 return NT_STATUS_INVALID_PARAMETER
;
4744 if (!set_user_info_pw(id24
->password
.data
, pwd
)) {
4745 return NT_STATUS_WRONG_PASSWORD
;
4748 copy_id24_to_sam_passwd(pwd
, id24
);
4750 status
= pdb_update_sam_account(pwd
);
4751 if (!NT_STATUS_IS_OK(status
)) {
4755 return NT_STATUS_OK
;
4758 /*******************************************************************
4760 ********************************************************************/
4762 static NTSTATUS
set_user_info_25(TALLOC_CTX
*mem_ctx
,
4763 struct samr_UserInfo25
*id25
,
4769 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4770 return NT_STATUS_INVALID_PARAMETER
;
4773 if (id25
->info
.fields_present
== 0) {
4774 return NT_STATUS_INVALID_PARAMETER
;
4777 if (id25
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4778 return NT_STATUS_ACCESS_DENIED
;
4781 if ((id25
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4782 (id25
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4784 if (!set_user_info_pw(id25
->password
.data
, pwd
)) {
4785 return NT_STATUS_WRONG_PASSWORD
;
4789 copy_id25_to_sam_passwd(pwd
, id25
);
4791 /* write the change out */
4792 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4797 * We need to "pdb_update_sam_account" before the unix primary group
4798 * is set, because the idealx scripts would also change the
4799 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4800 * the delete explicit / add explicit, which would then fail to find
4801 * the previous primaryGroupSid value.
4804 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4805 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4806 if ( !NT_STATUS_IS_OK(status
) ) {
4811 return NT_STATUS_OK
;
4814 /*******************************************************************
4816 ********************************************************************/
4818 static NTSTATUS
set_user_info_26(TALLOC_CTX
*mem_ctx
,
4819 struct samr_UserInfo26
*id26
,
4825 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4826 return NT_STATUS_INVALID_PARAMETER
;
4829 if (!set_user_info_pw(id26
->password
.data
, pwd
)) {
4830 return NT_STATUS_WRONG_PASSWORD
;
4833 copy_id26_to_sam_passwd(pwd
, id26
);
4835 status
= pdb_update_sam_account(pwd
);
4836 if (!NT_STATUS_IS_OK(status
)) {
4840 return NT_STATUS_OK
;
4843 /*************************************************************
4844 **************************************************************/
4846 static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields
)
4848 uint32_t acc_required
= 0;
4850 /* USER_ALL_USERNAME */
4851 if (fields
& SAMR_FIELD_ACCOUNT_NAME
)
4852 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4853 /* USER_ALL_FULLNAME */
4854 if (fields
& SAMR_FIELD_FULL_NAME
)
4855 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4856 /* USER_ALL_PRIMARYGROUPID */
4857 if (fields
& SAMR_FIELD_PRIMARY_GID
)
4858 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4859 /* USER_ALL_HOMEDIRECTORY */
4860 if (fields
& SAMR_FIELD_HOME_DIRECTORY
)
4861 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4862 /* USER_ALL_HOMEDIRECTORYDRIVE */
4863 if (fields
& SAMR_FIELD_HOME_DRIVE
)
4864 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4865 /* USER_ALL_SCRIPTPATH */
4866 if (fields
& SAMR_FIELD_LOGON_SCRIPT
)
4867 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4868 /* USER_ALL_PROFILEPATH */
4869 if (fields
& SAMR_FIELD_PROFILE_PATH
)
4870 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4871 /* USER_ALL_ADMINCOMMENT */
4872 if (fields
& SAMR_FIELD_COMMENT
)
4873 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4874 /* USER_ALL_WORKSTATIONS */
4875 if (fields
& SAMR_FIELD_WORKSTATIONS
)
4876 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4877 /* USER_ALL_LOGONHOURS */
4878 if (fields
& SAMR_FIELD_LOGON_HOURS
)
4879 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4880 /* USER_ALL_ACCOUNTEXPIRES */
4881 if (fields
& SAMR_FIELD_ACCT_EXPIRY
)
4882 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4883 /* USER_ALL_USERACCOUNTCONTROL */
4884 if (fields
& SAMR_FIELD_ACCT_FLAGS
)
4885 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4886 /* USER_ALL_PARAMETERS */
4887 if (fields
& SAMR_FIELD_PARAMETERS
)
4888 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4889 /* USER_ALL_USERCOMMENT */
4890 if (fields
& SAMR_FIELD_COMMENT
)
4891 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
4892 /* USER_ALL_COUNTRYCODE */
4893 if (fields
& SAMR_FIELD_COUNTRY_CODE
)
4894 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
4895 /* USER_ALL_CODEPAGE */
4896 if (fields
& SAMR_FIELD_CODE_PAGE
)
4897 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
4898 /* USER_ALL_NTPASSWORDPRESENT */
4899 if (fields
& SAMR_FIELD_NT_PASSWORD_PRESENT
)
4900 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
4901 /* USER_ALL_LMPASSWORDPRESENT */
4902 if (fields
& SAMR_FIELD_LM_PASSWORD_PRESENT
)
4903 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
4904 /* USER_ALL_PASSWORDEXPIRED */
4905 if (fields
& SAMR_FIELD_EXPIRED_FLAG
)
4906 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
4908 return acc_required
;
4911 /*******************************************************************
4913 ********************************************************************/
4915 NTSTATUS
_samr_SetUserInfo(pipes_struct
*p
,
4916 struct samr_SetUserInfo
*r
)
4918 struct samr_user_info
*uinfo
;
4920 struct samu
*pwd
= NULL
;
4921 union samr_UserInfo
*info
= r
->in
.info
;
4922 uint32_t acc_required
= 0;
4923 uint32_t fields
= 0;
4926 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__
));
4928 /* This is tricky. A WinXP domain join sets
4929 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4930 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4931 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4932 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4933 we'll use the set from the WinXP join as the basis. */
4935 switch (r
->in
.level
) {
4936 case 2: /* UserPreferencesInformation */
4937 /* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
4938 acc_required
= SAMR_USER_ACCESS_SET_ATTRIBUTES
| SAMR_USER_ACCESS_SET_LOC_COM
;
4940 case 4: /* UserLogonHoursInformation */
4941 case 6: /* UserNameInformation */
4942 case 7: /* UserAccountNameInformation */
4943 case 8: /* UserFullNameInformation */
4944 case 9: /* UserPrimaryGroupInformation */
4945 case 10: /* UserHomeInformation */
4946 case 11: /* UserScriptInformation */
4947 case 12: /* UserProfileInformation */
4948 case 13: /* UserAdminCommentInformation */
4949 case 14: /* UserWorkStationsInformation */
4950 case 16: /* UserControlInformation */
4951 case 17: /* UserExpiresInformation */
4952 case 20: /* UserParametersInformation */
4953 /* USER_WRITE_ACCOUNT */
4954 acc_required
= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4956 case 18: /* UserInternal1Information */
4957 /* FIXME: gd, this is a guess */
4958 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
4960 case 21: /* UserAllInformation */
4961 fields
= info
->info21
.fields_present
;
4962 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
4964 case 23: /* UserInternal4Information */
4965 fields
= info
->info23
.info
.fields_present
;
4966 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
4968 case 25: /* UserInternal4InformationNew */
4969 fields
= info
->info25
.info
.fields_present
;
4970 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
4972 case 24: /* UserInternal5Information */
4973 case 26: /* UserInternal5InformationNew */
4974 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
4977 return NT_STATUS_INVALID_INFO_CLASS
;
4980 uinfo
= policy_handle_find(p
, r
->in
.user_handle
, acc_required
, NULL
,
4981 struct samr_user_info
, &status
);
4982 if (!NT_STATUS_IS_OK(status
)) {
4986 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4987 sid_string_dbg(&uinfo
->sid
), r
->in
.level
));
4990 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4991 return NT_STATUS_INVALID_INFO_CLASS
;
4994 if (!(pwd
= samu_new(NULL
))) {
4995 return NT_STATUS_NO_MEMORY
;
4999 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
5004 return NT_STATUS_NO_SUCH_USER
;
5007 /* ================ BEGIN Privilege BLOCK ================ */
5011 /* ok! user info levels (lots: see MSDEV help), off we go... */
5013 switch (r
->in
.level
) {
5016 status
= set_user_info_2(p
->mem_ctx
,
5021 status
= set_user_info_4(p
->mem_ctx
,
5026 status
= set_user_info_6(p
->mem_ctx
,
5031 status
= set_user_info_7(p
->mem_ctx
,
5036 status
= set_user_info_8(p
->mem_ctx
,
5041 status
= set_user_info_10(p
->mem_ctx
,
5042 &info
->info10
, pwd
);
5046 status
= set_user_info_11(p
->mem_ctx
,
5047 &info
->info11
, pwd
);
5051 status
= set_user_info_12(p
->mem_ctx
,
5052 &info
->info12
, pwd
);
5056 status
= set_user_info_13(p
->mem_ctx
,
5057 &info
->info13
, pwd
);
5061 status
= set_user_info_14(p
->mem_ctx
,
5062 &info
->info14
, pwd
);
5066 status
= set_user_info_16(p
->mem_ctx
,
5067 &info
->info16
, pwd
);
5071 status
= set_user_info_17(p
->mem_ctx
,
5072 &info
->info17
, pwd
);
5076 /* Used by AS/U JRA. */
5077 status
= set_user_info_18(&info
->info18
,
5079 &p
->server_info
->user_session_key
,
5084 status
= set_user_info_20(p
->mem_ctx
,
5085 &info
->info20
, pwd
);
5089 status
= set_user_info_21(&info
->info21
,
5091 &p
->server_info
->user_session_key
,
5096 if (!p
->server_info
->user_session_key
.length
) {
5097 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5099 arcfour_crypt_blob(info
->info23
.password
.data
, 516,
5100 &p
->server_info
->user_session_key
);
5102 dump_data(100, info
->info23
.password
.data
, 516);
5104 status
= set_user_info_23(p
->mem_ctx
,
5105 &info
->info23
, pwd
);
5109 if (!p
->server_info
->user_session_key
.length
) {
5110 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5112 arcfour_crypt_blob(info
->info24
.password
.data
,
5114 &p
->server_info
->user_session_key
);
5116 dump_data(100, info
->info24
.password
.data
, 516);
5118 status
= set_user_info_24(p
->mem_ctx
,
5119 &info
->info24
, pwd
);
5123 if (!p
->server_info
->user_session_key
.length
) {
5124 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5126 encode_or_decode_arc4_passwd_buffer(
5127 info
->info25
.password
.data
,
5128 &p
->server_info
->user_session_key
);
5130 dump_data(100, info
->info25
.password
.data
, 532);
5132 status
= set_user_info_25(p
->mem_ctx
,
5133 &info
->info25
, pwd
);
5137 if (!p
->server_info
->user_session_key
.length
) {
5138 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5140 encode_or_decode_arc4_passwd_buffer(
5141 info
->info26
.password
.data
,
5142 &p
->server_info
->user_session_key
);
5144 dump_data(100, info
->info26
.password
.data
, 516);
5146 status
= set_user_info_26(p
->mem_ctx
,
5147 &info
->info26
, pwd
);
5151 status
= NT_STATUS_INVALID_INFO_CLASS
;
5158 /* ================ END Privilege BLOCK ================ */
5160 if (NT_STATUS_IS_OK(status
)) {
5161 force_flush_samr_cache(&uinfo
->sid
);
5167 /*******************************************************************
5169 ********************************************************************/
5171 NTSTATUS
_samr_SetUserInfo2(pipes_struct
*p
,
5172 struct samr_SetUserInfo2
*r
)
5174 struct samr_SetUserInfo q
;
5176 q
.in
.user_handle
= r
->in
.user_handle
;
5177 q
.in
.level
= r
->in
.level
;
5178 q
.in
.info
= r
->in
.info
;
5180 return _samr_SetUserInfo(p
, &q
);
5183 /*********************************************************************
5184 _samr_GetAliasMembership
5185 *********************************************************************/
5187 NTSTATUS
_samr_GetAliasMembership(pipes_struct
*p
,
5188 struct samr_GetAliasMembership
*r
)
5190 size_t num_alias_rids
;
5192 struct samr_domain_info
*dinfo
;
5199 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__
));
5201 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5202 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
5203 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
5204 struct samr_domain_info
, &status
);
5205 if (!NT_STATUS_IS_OK(status
)) {
5209 if (!sid_check_is_domain(&dinfo
->sid
) &&
5210 !sid_check_is_builtin(&dinfo
->sid
))
5211 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
5213 if (r
->in
.sids
->num_sids
) {
5214 members
= TALLOC_ARRAY(p
->mem_ctx
, DOM_SID
, r
->in
.sids
->num_sids
);
5216 if (members
== NULL
)
5217 return NT_STATUS_NO_MEMORY
;
5222 for (i
=0; i
<r
->in
.sids
->num_sids
; i
++)
5223 sid_copy(&members
[i
], r
->in
.sids
->sids
[i
].sid
);
5229 status
= pdb_enum_alias_memberships(p
->mem_ctx
, &dinfo
->sid
, members
,
5230 r
->in
.sids
->num_sids
,
5231 &alias_rids
, &num_alias_rids
);
5234 if (!NT_STATUS_IS_OK(status
)) {
5238 r
->out
.rids
->count
= num_alias_rids
;
5239 r
->out
.rids
->ids
= alias_rids
;
5241 return NT_STATUS_OK
;
5244 /*********************************************************************
5245 _samr_GetMembersInAlias
5246 *********************************************************************/
5248 NTSTATUS
_samr_GetMembersInAlias(pipes_struct
*p
,
5249 struct samr_GetMembersInAlias
*r
)
5251 struct samr_alias_info
*ainfo
;
5254 size_t num_sids
= 0;
5255 struct lsa_SidPtr
*sids
= NULL
;
5256 DOM_SID
*pdb_sids
= NULL
;
5258 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5259 SAMR_ALIAS_ACCESS_GET_MEMBERS
, NULL
,
5260 struct samr_alias_info
, &status
);
5261 if (!NT_STATUS_IS_OK(status
)) {
5265 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5268 status
= pdb_enum_aliasmem(&ainfo
->sid
, &pdb_sids
, &num_sids
);
5271 if (!NT_STATUS_IS_OK(status
)) {
5276 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
, num_sids
);
5278 TALLOC_FREE(pdb_sids
);
5279 return NT_STATUS_NO_MEMORY
;
5283 for (i
= 0; i
< num_sids
; i
++) {
5284 sids
[i
].sid
= sid_dup_talloc(p
->mem_ctx
, &pdb_sids
[i
]);
5286 TALLOC_FREE(pdb_sids
);
5287 return NT_STATUS_NO_MEMORY
;
5291 r
->out
.sids
->num_sids
= num_sids
;
5292 r
->out
.sids
->sids
= sids
;
5294 TALLOC_FREE(pdb_sids
);
5296 return NT_STATUS_OK
;
5299 /*********************************************************************
5300 _samr_QueryGroupMember
5301 *********************************************************************/
5303 NTSTATUS
_samr_QueryGroupMember(pipes_struct
*p
,
5304 struct samr_QueryGroupMember
*r
)
5306 struct samr_group_info
*ginfo
;
5307 size_t i
, num_members
;
5313 struct samr_RidTypeArray
*rids
= NULL
;
5315 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5316 SAMR_GROUP_ACCESS_GET_MEMBERS
, NULL
,
5317 struct samr_group_info
, &status
);
5318 if (!NT_STATUS_IS_OK(status
)) {
5322 rids
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_RidTypeArray
);
5324 return NT_STATUS_NO_MEMORY
;
5327 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5329 if (!sid_check_is_in_our_domain(&ginfo
->sid
)) {
5330 DEBUG(3, ("sid %s is not in our domain\n",
5331 sid_string_dbg(&ginfo
->sid
)));
5332 return NT_STATUS_NO_SUCH_GROUP
;
5335 DEBUG(10, ("lookup on Domain SID\n"));
5338 status
= pdb_enum_group_members(p
->mem_ctx
, &ginfo
->sid
,
5339 &rid
, &num_members
);
5342 if (!NT_STATUS_IS_OK(status
))
5346 attr
=TALLOC_ZERO_ARRAY(p
->mem_ctx
, uint32
, num_members
);
5348 return NT_STATUS_NO_MEMORY
;
5354 for (i
=0; i
<num_members
; i
++)
5355 attr
[i
] = SID_NAME_USER
;
5357 rids
->count
= num_members
;
5361 *r
->out
.rids
= rids
;
5363 return NT_STATUS_OK
;
5366 /*********************************************************************
5367 _samr_AddAliasMember
5368 *********************************************************************/
5370 NTSTATUS
_samr_AddAliasMember(pipes_struct
*p
,
5371 struct samr_AddAliasMember
*r
)
5373 struct samr_alias_info
*ainfo
;
5376 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5377 SAMR_ALIAS_ACCESS_ADD_MEMBER
, NULL
,
5378 struct samr_alias_info
, &status
);
5379 if (!NT_STATUS_IS_OK(status
)) {
5383 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5385 /******** BEGIN SeAddUsers BLOCK *********/
5388 status
= pdb_add_aliasmem(&ainfo
->sid
, r
->in
.sid
);
5391 /******** END SeAddUsers BLOCK *********/
5393 if (NT_STATUS_IS_OK(status
)) {
5394 force_flush_samr_cache(&ainfo
->sid
);
5400 /*********************************************************************
5401 _samr_DeleteAliasMember
5402 *********************************************************************/
5404 NTSTATUS
_samr_DeleteAliasMember(pipes_struct
*p
,
5405 struct samr_DeleteAliasMember
*r
)
5407 struct samr_alias_info
*ainfo
;
5410 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5411 SAMR_ALIAS_ACCESS_REMOVE_MEMBER
, NULL
,
5412 struct samr_alias_info
, &status
);
5413 if (!NT_STATUS_IS_OK(status
)) {
5417 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
5418 sid_string_dbg(&ainfo
->sid
)));
5420 /******** BEGIN SeAddUsers BLOCK *********/
5423 status
= pdb_del_aliasmem(&ainfo
->sid
, r
->in
.sid
);
5426 /******** END SeAddUsers BLOCK *********/
5428 if (NT_STATUS_IS_OK(status
)) {
5429 force_flush_samr_cache(&ainfo
->sid
);
5435 /*********************************************************************
5436 _samr_AddGroupMember
5437 *********************************************************************/
5439 NTSTATUS
_samr_AddGroupMember(pipes_struct
*p
,
5440 struct samr_AddGroupMember
*r
)
5442 struct samr_group_info
*ginfo
;
5446 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5447 SAMR_GROUP_ACCESS_ADD_MEMBER
, NULL
,
5448 struct samr_group_info
, &status
);
5449 if (!NT_STATUS_IS_OK(status
)) {
5453 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5455 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5457 return NT_STATUS_INVALID_HANDLE
;
5460 /******** BEGIN SeAddUsers BLOCK *********/
5463 status
= pdb_add_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
5466 /******** END SeAddUsers BLOCK *********/
5468 force_flush_samr_cache(&ginfo
->sid
);
5473 /*********************************************************************
5474 _samr_DeleteGroupMember
5475 *********************************************************************/
5477 NTSTATUS
_samr_DeleteGroupMember(pipes_struct
*p
,
5478 struct samr_DeleteGroupMember
*r
)
5481 struct samr_group_info
*ginfo
;
5486 * delete the group member named r->in.rid
5487 * who is a member of the sid associated with the handle
5488 * the rid is a user's rid as the group is a domain group.
5491 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5492 SAMR_GROUP_ACCESS_REMOVE_MEMBER
, NULL
,
5493 struct samr_group_info
, &status
);
5494 if (!NT_STATUS_IS_OK(status
)) {
5498 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5500 return NT_STATUS_INVALID_HANDLE
;
5503 /******** BEGIN SeAddUsers BLOCK *********/
5506 status
= pdb_del_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
5509 /******** END SeAddUsers BLOCK *********/
5511 force_flush_samr_cache(&ginfo
->sid
);
5516 /*********************************************************************
5518 *********************************************************************/
5520 NTSTATUS
_samr_DeleteUser(pipes_struct
*p
,
5521 struct samr_DeleteUser
*r
)
5523 struct samr_user_info
*uinfo
;
5525 struct samu
*sam_pass
=NULL
;
5528 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__
));
5530 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
5531 STD_RIGHT_DELETE_ACCESS
, NULL
,
5532 struct samr_user_info
, &status
);
5533 if (!NT_STATUS_IS_OK(status
)) {
5537 if (!sid_check_is_in_our_domain(&uinfo
->sid
))
5538 return NT_STATUS_CANNOT_DELETE
;
5540 /* check if the user exists before trying to delete */
5541 if ( !(sam_pass
= samu_new( NULL
)) ) {
5542 return NT_STATUS_NO_MEMORY
;
5546 ret
= pdb_getsampwsid(sam_pass
, &uinfo
->sid
);
5550 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5551 sid_string_dbg(&uinfo
->sid
)));
5552 TALLOC_FREE(sam_pass
);
5553 return NT_STATUS_NO_SUCH_USER
;
5556 /******** BEGIN SeAddUsers BLOCK *********/
5559 status
= pdb_delete_user(p
->mem_ctx
, sam_pass
);
5562 /******** END SeAddUsers BLOCK *********/
5564 if ( !NT_STATUS_IS_OK(status
) ) {
5565 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5566 "user %s: %s.\n", pdb_get_username(sam_pass
),
5567 nt_errstr(status
)));
5568 TALLOC_FREE(sam_pass
);
5573 TALLOC_FREE(sam_pass
);
5575 if (!close_policy_hnd(p
, r
->in
.user_handle
))
5576 return NT_STATUS_OBJECT_NAME_INVALID
;
5578 ZERO_STRUCTP(r
->out
.user_handle
);
5580 force_flush_samr_cache(&uinfo
->sid
);
5582 return NT_STATUS_OK
;
5585 /*********************************************************************
5586 _samr_DeleteDomainGroup
5587 *********************************************************************/
5589 NTSTATUS
_samr_DeleteDomainGroup(pipes_struct
*p
,
5590 struct samr_DeleteDomainGroup
*r
)
5592 struct samr_group_info
*ginfo
;
5596 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__
));
5598 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5599 STD_RIGHT_DELETE_ACCESS
, NULL
,
5600 struct samr_group_info
, &status
);
5601 if (!NT_STATUS_IS_OK(status
)) {
5605 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5607 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5609 return NT_STATUS_NO_SUCH_GROUP
;
5612 /******** BEGIN SeAddUsers BLOCK *********/
5615 status
= pdb_delete_dom_group(p
->mem_ctx
, group_rid
);
5618 /******** END SeAddUsers BLOCK *********/
5620 if ( !NT_STATUS_IS_OK(status
) ) {
5621 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5622 "entry for group %s: %s\n",
5623 sid_string_dbg(&ginfo
->sid
),
5624 nt_errstr(status
)));
5628 if (!close_policy_hnd(p
, r
->in
.group_handle
))
5629 return NT_STATUS_OBJECT_NAME_INVALID
;
5631 force_flush_samr_cache(&ginfo
->sid
);
5633 return NT_STATUS_OK
;
5636 /*********************************************************************
5637 _samr_DeleteDomAlias
5638 *********************************************************************/
5640 NTSTATUS
_samr_DeleteDomAlias(pipes_struct
*p
,
5641 struct samr_DeleteDomAlias
*r
)
5643 struct samr_alias_info
*ainfo
;
5646 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__
));
5648 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5649 STD_RIGHT_DELETE_ACCESS
, NULL
,
5650 struct samr_alias_info
, &status
);
5651 if (!NT_STATUS_IS_OK(status
)) {
5655 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5657 /* Don't let Windows delete builtin groups */
5659 if ( sid_check_is_in_builtin( &ainfo
->sid
) ) {
5660 return NT_STATUS_SPECIAL_ACCOUNT
;
5663 if (!sid_check_is_in_our_domain(&ainfo
->sid
))
5664 return NT_STATUS_NO_SUCH_ALIAS
;
5666 DEBUG(10, ("lookup on Local SID\n"));
5668 /******** BEGIN SeAddUsers BLOCK *********/
5671 /* Have passdb delete the alias */
5672 status
= pdb_delete_alias(&ainfo
->sid
);
5675 /******** END SeAddUsers BLOCK *********/
5677 if ( !NT_STATUS_IS_OK(status
))
5680 if (!close_policy_hnd(p
, r
->in
.alias_handle
))
5681 return NT_STATUS_OBJECT_NAME_INVALID
;
5683 force_flush_samr_cache(&ainfo
->sid
);
5685 return NT_STATUS_OK
;
5688 /*********************************************************************
5689 _samr_CreateDomainGroup
5690 *********************************************************************/
5692 NTSTATUS
_samr_CreateDomainGroup(pipes_struct
*p
,
5693 struct samr_CreateDomainGroup
*r
)
5698 struct samr_domain_info
*dinfo
;
5699 struct samr_group_info
*ginfo
;
5701 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5702 SAMR_DOMAIN_ACCESS_CREATE_GROUP
, NULL
,
5703 struct samr_domain_info
, &status
);
5704 if (!NT_STATUS_IS_OK(status
)) {
5708 if (!sid_equal(&dinfo
->sid
, get_global_sam_sid()))
5709 return NT_STATUS_ACCESS_DENIED
;
5711 name
= r
->in
.name
->string
;
5713 return NT_STATUS_NO_MEMORY
;
5716 status
= can_create(p
->mem_ctx
, name
);
5717 if (!NT_STATUS_IS_OK(status
)) {
5721 /******** BEGIN SeAddUsers BLOCK *********/
5724 /* check that we successfully create the UNIX group */
5725 status
= pdb_create_dom_group(p
->mem_ctx
, name
, r
->out
.rid
);
5728 /******** END SeAddUsers BLOCK *********/
5730 /* check if we should bail out here */
5732 if ( !NT_STATUS_IS_OK(status
) )
5735 ginfo
= policy_handle_create(p
, r
->out
.group_handle
,
5736 GENERIC_RIGHTS_GROUP_ALL_ACCESS
,
5737 struct samr_group_info
, &status
);
5738 if (!NT_STATUS_IS_OK(status
)) {
5741 sid_compose(&ginfo
->sid
, &dinfo
->sid
, *r
->out
.rid
);
5743 force_flush_samr_cache(&dinfo
->sid
);
5745 return NT_STATUS_OK
;
5748 /*********************************************************************
5749 _samr_CreateDomAlias
5750 *********************************************************************/
5752 NTSTATUS
_samr_CreateDomAlias(pipes_struct
*p
,
5753 struct samr_CreateDomAlias
*r
)
5756 const char *name
= NULL
;
5757 struct samr_domain_info
*dinfo
;
5758 struct samr_alias_info
*ainfo
;
5762 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5763 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
, NULL
,
5764 struct samr_domain_info
, &result
);
5765 if (!NT_STATUS_IS_OK(result
)) {
5769 if (!sid_equal(&dinfo
->sid
, get_global_sam_sid()))
5770 return NT_STATUS_ACCESS_DENIED
;
5772 name
= r
->in
.alias_name
->string
;
5774 result
= can_create(p
->mem_ctx
, name
);
5775 if (!NT_STATUS_IS_OK(result
)) {
5779 /******** BEGIN SeAddUsers BLOCK *********/
5782 /* Have passdb create the alias */
5783 result
= pdb_create_alias(name
, r
->out
.rid
);
5786 /******** END SeAddUsers BLOCK *********/
5788 if (!NT_STATUS_IS_OK(result
)) {
5789 DEBUG(10, ("pdb_create_alias failed: %s\n",
5790 nt_errstr(result
)));
5794 sid_compose(&info_sid
, &dinfo
->sid
, *r
->out
.rid
);
5796 if (!sid_to_gid(&info_sid
, &gid
)) {
5797 DEBUG(10, ("Could not find alias just created\n"));
5798 return NT_STATUS_ACCESS_DENIED
;
5801 /* check if the group has been successfully created */
5802 if ( getgrgid(gid
) == NULL
) {
5803 DEBUG(10, ("getgrgid(%u) of just created alias failed\n",
5804 (unsigned int)gid
));
5805 return NT_STATUS_ACCESS_DENIED
;
5808 ainfo
= policy_handle_create(p
, r
->out
.alias_handle
,
5809 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
,
5810 struct samr_alias_info
, &result
);
5811 if (!NT_STATUS_IS_OK(result
)) {
5814 ainfo
->sid
= info_sid
;
5816 force_flush_samr_cache(&info_sid
);
5818 return NT_STATUS_OK
;
5821 /*********************************************************************
5822 _samr_QueryGroupInfo
5823 *********************************************************************/
5825 NTSTATUS
_samr_QueryGroupInfo(pipes_struct
*p
,
5826 struct samr_QueryGroupInfo
*r
)
5828 struct samr_group_info
*ginfo
;
5831 union samr_GroupInfo
*info
= NULL
;
5833 uint32_t attributes
= SE_GROUP_MANDATORY
|
5834 SE_GROUP_ENABLED_BY_DEFAULT
|
5836 const char *group_name
= NULL
;
5837 const char *group_description
= NULL
;
5839 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5840 SAMR_GROUP_ACCESS_LOOKUP_INFO
, NULL
,
5841 struct samr_group_info
, &status
);
5842 if (!NT_STATUS_IS_OK(status
)) {
5847 ret
= get_domain_group_from_sid(ginfo
->sid
, &map
);
5850 return NT_STATUS_INVALID_HANDLE
;
5852 /* FIXME: map contains fstrings */
5853 group_name
= talloc_strdup(r
, map
.nt_name
);
5854 group_description
= talloc_strdup(r
, map
.comment
);
5856 info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_GroupInfo
);
5858 return NT_STATUS_NO_MEMORY
;
5861 switch (r
->in
.level
) {
5867 status
= pdb_enum_group_members(
5868 p
->mem_ctx
, &ginfo
->sid
, &members
,
5872 if (!NT_STATUS_IS_OK(status
)) {
5876 info
->all
.name
.string
= group_name
;
5877 info
->all
.attributes
= attributes
;
5878 info
->all
.num_members
= num_members
;
5879 info
->all
.description
.string
= group_description
;
5883 info
->name
.string
= group_name
;
5886 info
->attributes
.attributes
= attributes
;
5889 info
->description
.string
= group_description
;
5899 status = pdb_enum_group_members(
5900 p->mem_ctx, &ginfo->sid, &members,
5904 if (!NT_STATUS_IS_OK(status)) {
5908 info
->all2
.name
.string
= group_name
;
5909 info
->all2
.attributes
= attributes
;
5910 info
->all2
.num_members
= 0; /* num_members - in w2k3 this is always 0 */
5911 info
->all2
.description
.string
= group_description
;
5916 return NT_STATUS_INVALID_INFO_CLASS
;
5919 *r
->out
.info
= info
;
5921 return NT_STATUS_OK
;
5924 /*********************************************************************
5926 *********************************************************************/
5928 NTSTATUS
_samr_SetGroupInfo(pipes_struct
*p
,
5929 struct samr_SetGroupInfo
*r
)
5931 struct samr_group_info
*ginfo
;
5936 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5937 SAMR_GROUP_ACCESS_SET_INFO
, NULL
,
5938 struct samr_group_info
, &status
);
5939 if (!NT_STATUS_IS_OK(status
)) {
5944 ret
= get_domain_group_from_sid(ginfo
->sid
, &map
);
5947 return NT_STATUS_NO_SUCH_GROUP
;
5949 switch (r
->in
.level
) {
5951 fstrcpy(map
.comment
, r
->in
.info
->all
.description
.string
);
5954 /* group rename is not supported yet */
5955 return NT_STATUS_NOT_SUPPORTED
;
5959 fstrcpy(map
.comment
, r
->in
.info
->description
.string
);
5962 return NT_STATUS_INVALID_INFO_CLASS
;
5965 /******** BEGIN SeAddUsers BLOCK *********/
5968 status
= pdb_update_group_mapping_entry(&map
);
5971 /******** End SeAddUsers BLOCK *********/
5973 if (NT_STATUS_IS_OK(status
)) {
5974 force_flush_samr_cache(&ginfo
->sid
);
5980 /*********************************************************************
5982 *********************************************************************/
5984 NTSTATUS
_samr_SetAliasInfo(pipes_struct
*p
,
5985 struct samr_SetAliasInfo
*r
)
5987 struct samr_alias_info
*ainfo
;
5988 struct acct_info info
;
5991 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5992 SAMR_ALIAS_ACCESS_SET_INFO
, NULL
,
5993 struct samr_alias_info
, &status
);
5994 if (!NT_STATUS_IS_OK(status
)) {
5998 /* get the current group information */
6001 status
= pdb_get_aliasinfo( &ainfo
->sid
, &info
);
6004 if ( !NT_STATUS_IS_OK(status
))
6007 switch (r
->in
.level
) {
6012 /* We currently do not support renaming groups in the
6013 the BUILTIN domain. Refer to util_builtin.c to understand
6014 why. The eventually needs to be fixed to be like Windows
6015 where you can rename builtin groups, just not delete them */
6017 if ( sid_check_is_in_builtin( &ainfo
->sid
) ) {
6018 return NT_STATUS_SPECIAL_ACCOUNT
;
6021 /* There has to be a valid name (and it has to be different) */
6023 if ( !r
->in
.info
->name
.string
)
6024 return NT_STATUS_INVALID_PARAMETER
;
6026 /* If the name is the same just reply "ok". Yes this
6027 doesn't allow you to change the case of a group name. */
6029 if ( strequal( r
->in
.info
->name
.string
, info
.acct_name
) )
6030 return NT_STATUS_OK
;
6032 fstrcpy( info
.acct_name
, r
->in
.info
->name
.string
);
6034 /* make sure the name doesn't already exist as a user
6037 fstr_sprintf( group_name
, "%s\\%s", global_myname(), info
.acct_name
);
6038 status
= can_create( p
->mem_ctx
, group_name
);
6039 if ( !NT_STATUS_IS_OK( status
) )
6043 case ALIASINFODESCRIPTION
:
6044 if (r
->in
.info
->description
.string
) {
6045 fstrcpy(info
.acct_desc
,
6046 r
->in
.info
->description
.string
);
6048 fstrcpy( info
.acct_desc
, "" );
6052 return NT_STATUS_INVALID_INFO_CLASS
;
6055 /******** BEGIN SeAddUsers BLOCK *********/
6058 status
= pdb_set_aliasinfo( &ainfo
->sid
, &info
);
6061 /******** End SeAddUsers BLOCK *********/
6063 if (NT_STATUS_IS_OK(status
))
6064 force_flush_samr_cache(&ainfo
->sid
);
6069 /****************************************************************
6071 ****************************************************************/
6073 NTSTATUS
_samr_GetDomPwInfo(pipes_struct
*p
,
6074 struct samr_GetDomPwInfo
*r
)
6076 uint32_t min_password_length
= 0;
6077 uint32_t password_properties
= 0;
6079 /* Perform access check. Since this rpc does not require a
6080 policy handle it will not be caught by the access checks on
6081 SAMR_CONNECT or SAMR_CONNECT_ANON. */
6083 if (!pipe_access_check(p
)) {
6084 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
6085 return NT_STATUS_ACCESS_DENIED
;
6089 pdb_get_account_policy(AP_MIN_PASSWORD_LEN
,
6090 &min_password_length
);
6091 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
,
6092 &password_properties
);
6095 if (lp_check_password_script() && *lp_check_password_script()) {
6096 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
6099 r
->out
.info
->min_password_length
= min_password_length
;
6100 r
->out
.info
->password_properties
= password_properties
;
6102 return NT_STATUS_OK
;
6105 /*********************************************************************
6107 *********************************************************************/
6109 NTSTATUS
_samr_OpenGroup(pipes_struct
*p
,
6110 struct samr_OpenGroup
*r
)
6115 struct samr_domain_info
*dinfo
;
6116 struct samr_group_info
*ginfo
;
6117 SEC_DESC
*psd
= NULL
;
6119 uint32 des_access
= r
->in
.access_mask
;
6125 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6126 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
6127 struct samr_domain_info
, &status
);
6128 if (!NT_STATUS_IS_OK(status
)) {
6132 /*check if access can be granted as requested by client. */
6133 map_max_allowed_access(p
->server_info
->ptok
, &des_access
);
6135 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &grp_generic_mapping
, NULL
, 0);
6136 se_map_generic(&des_access
,&grp_generic_mapping
);
6138 se_priv_copy( &se_rights
, &se_add_users
);
6140 status
= access_check_object(psd
, p
->server_info
->ptok
,
6141 &se_rights
, GENERIC_RIGHTS_GROUP_ALL_ACCESS
,
6142 des_access
, &acc_granted
, "_samr_OpenGroup");
6144 if ( !NT_STATUS_IS_OK(status
) )
6147 /* this should not be hard-coded like this */
6149 if (!sid_equal(&dinfo
->sid
, get_global_sam_sid()))
6150 return NT_STATUS_ACCESS_DENIED
;
6152 sid_compose(&info_sid
, &dinfo
->sid
, r
->in
.rid
);
6154 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n",
6155 sid_string_dbg(&info_sid
)));
6157 /* check if that group really exists */
6159 ret
= get_domain_group_from_sid(info_sid
, &map
);
6162 return NT_STATUS_NO_SUCH_GROUP
;
6164 ginfo
= policy_handle_create(p
, r
->out
.group_handle
,
6166 struct samr_group_info
, &status
);
6167 if (!NT_STATUS_IS_OK(status
)) {
6170 ginfo
->sid
= info_sid
;
6172 return NT_STATUS_OK
;
6175 /*********************************************************************
6176 _samr_RemoveMemberFromForeignDomain
6177 *********************************************************************/
6179 NTSTATUS
_samr_RemoveMemberFromForeignDomain(pipes_struct
*p
,
6180 struct samr_RemoveMemberFromForeignDomain
*r
)
6182 struct samr_domain_info
*dinfo
;
6185 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
6186 sid_string_dbg(r
->in
.sid
)));
6188 /* Find the policy handle. Open a policy on it. */
6190 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6191 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
6192 struct samr_domain_info
, &result
);
6193 if (!NT_STATUS_IS_OK(result
)) {
6197 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
6198 sid_string_dbg(&dinfo
->sid
)));
6200 /* we can only delete a user from a group since we don't have
6201 nested groups anyways. So in the latter case, just say OK */
6203 /* TODO: The above comment nowadays is bogus. Since we have nested
6204 * groups now, and aliases members are never reported out of the unix
6205 * group membership, the "just say OK" makes this call a no-op. For
6206 * us. This needs fixing however. */
6208 /* I've only ever seen this in the wild when deleting a user from
6209 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
6210 * is the user about to be deleted. I very much suspect this is the
6211 * only application of this call. To verify this, let people report
6214 if (!sid_check_is_builtin(&dinfo
->sid
)) {
6215 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
6216 "global_sam_sid() = %s\n",
6217 sid_string_dbg(&dinfo
->sid
),
6218 sid_string_dbg(get_global_sam_sid())));
6219 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
6220 return NT_STATUS_OK
;
6223 force_flush_samr_cache(&dinfo
->sid
);
6225 result
= NT_STATUS_OK
;
6230 /*******************************************************************
6231 _samr_QueryDomainInfo2
6232 ********************************************************************/
6234 NTSTATUS
_samr_QueryDomainInfo2(pipes_struct
*p
,
6235 struct samr_QueryDomainInfo2
*r
)
6237 struct samr_QueryDomainInfo q
;
6239 q
.in
.domain_handle
= r
->in
.domain_handle
;
6240 q
.in
.level
= r
->in
.level
;
6242 q
.out
.info
= r
->out
.info
;
6244 return _samr_QueryDomainInfo(p
, &q
);
6247 /*******************************************************************
6249 ********************************************************************/
6251 NTSTATUS
_samr_SetDomainInfo(pipes_struct
*p
,
6252 struct samr_SetDomainInfo
*r
)
6254 struct samr_domain_info
*dinfo
;
6255 time_t u_expire
, u_min_age
;
6257 time_t u_lock_duration
, u_reset_time
;
6259 uint32_t acc_required
= 0;
6261 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
6263 switch (r
->in
.level
) {
6264 case 1: /* DomainPasswordInformation */
6265 case 12: /* DomainLockoutInformation */
6266 /* DOMAIN_WRITE_PASSWORD_PARAMETERS */
6267 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_1
;
6269 case 3: /* DomainLogoffInformation */
6270 case 4: /* DomainOemInformation */
6271 /* DOMAIN_WRITE_OTHER_PARAMETERS */
6272 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_2
;
6274 case 6: /* DomainReplicationInformation */
6275 case 9: /* DomainStateInformation */
6276 case 7: /* DomainServerRoleInformation */
6277 /* DOMAIN_ADMINISTER_SERVER */
6278 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_3
;
6281 return NT_STATUS_INVALID_INFO_CLASS
;
6284 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6286 struct samr_domain_info
, &result
);
6287 if (!NT_STATUS_IS_OK(result
)) {
6291 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r
->in
.level
));
6293 switch (r
->in
.level
) {
6295 u_expire
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info1
.max_password_age
);
6296 u_min_age
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info1
.min_password_age
);
6297 pdb_set_account_policy(AP_MIN_PASSWORD_LEN
, (uint32
)r
->in
.info
->info1
.min_password_length
);
6298 pdb_set_account_policy(AP_PASSWORD_HISTORY
, (uint32
)r
->in
.info
->info1
.password_history_length
);
6299 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS
, (uint32
)r
->in
.info
->info1
.password_properties
);
6300 pdb_set_account_policy(AP_MAX_PASSWORD_AGE
, (int)u_expire
);
6301 pdb_set_account_policy(AP_MIN_PASSWORD_AGE
, (int)u_min_age
);
6304 u_logout
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info3
.force_logoff_time
);
6305 pdb_set_account_policy(AP_TIME_TO_LOGOUT
, (int)u_logout
);
6316 u_lock_duration
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info12
.lockout_duration
);
6317 if (u_lock_duration
!= -1)
6318 u_lock_duration
/= 60;
6320 u_reset_time
=nt_time_to_unix_abs((NTTIME
*)&r
->in
.info
->info12
.lockout_window
)/60;
6322 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION
, (int)u_lock_duration
);
6323 pdb_set_account_policy(AP_RESET_COUNT_TIME
, (int)u_reset_time
);
6324 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT
, (uint32
)r
->in
.info
->info12
.lockout_threshold
);
6327 return NT_STATUS_INVALID_INFO_CLASS
;
6330 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
6332 return NT_STATUS_OK
;
6335 /****************************************************************
6336 _samr_GetDisplayEnumerationIndex
6337 ****************************************************************/
6339 NTSTATUS
_samr_GetDisplayEnumerationIndex(pipes_struct
*p
,
6340 struct samr_GetDisplayEnumerationIndex
*r
)
6342 struct samr_domain_info
*dinfo
;
6343 uint32_t max_entries
= (uint32_t) -1;
6344 uint32_t enum_context
= 0;
6346 uint32_t num_account
= 0;
6347 struct samr_displayentry
*entries
= NULL
;
6350 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__
));
6352 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6353 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
6354 struct samr_domain_info
, &status
);
6355 if (!NT_STATUS_IS_OK(status
)) {
6359 if ((r
->in
.level
< 1) || (r
->in
.level
> 3)) {
6360 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
6361 "Unknown info level (%u)\n",
6363 return NT_STATUS_INVALID_INFO_CLASS
;
6368 /* The following done as ROOT. Don't return without unbecome_root(). */
6370 switch (r
->in
.level
) {
6372 if (dinfo
->disp_info
->users
== NULL
) {
6373 dinfo
->disp_info
->users
= pdb_search_users(
6374 dinfo
->disp_info
, ACB_NORMAL
);
6375 if (dinfo
->disp_info
->users
== NULL
) {
6377 return NT_STATUS_ACCESS_DENIED
;
6379 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6380 "starting user enumeration at index %u\n",
6381 (unsigned int)enum_context
));
6383 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6384 "using cached user enumeration at index %u\n",
6385 (unsigned int)enum_context
));
6387 num_account
= pdb_search_entries(dinfo
->disp_info
->users
,
6388 enum_context
, max_entries
,
6392 if (dinfo
->disp_info
->machines
== NULL
) {
6393 dinfo
->disp_info
->machines
= pdb_search_users(
6394 dinfo
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
6395 if (dinfo
->disp_info
->machines
== NULL
) {
6397 return NT_STATUS_ACCESS_DENIED
;
6399 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6400 "starting machine enumeration at index %u\n",
6401 (unsigned int)enum_context
));
6403 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6404 "using cached machine enumeration at index %u\n",
6405 (unsigned int)enum_context
));
6407 num_account
= pdb_search_entries(dinfo
->disp_info
->machines
,
6408 enum_context
, max_entries
,
6412 if (dinfo
->disp_info
->groups
== NULL
) {
6413 dinfo
->disp_info
->groups
= pdb_search_groups(
6415 if (dinfo
->disp_info
->groups
== NULL
) {
6417 return NT_STATUS_ACCESS_DENIED
;
6419 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6420 "starting group enumeration at index %u\n",
6421 (unsigned int)enum_context
));
6423 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6424 "using cached group enumeration at index %u\n",
6425 (unsigned int)enum_context
));
6427 num_account
= pdb_search_entries(dinfo
->disp_info
->groups
,
6428 enum_context
, max_entries
,
6433 smb_panic("info class changed");
6439 /* Ensure we cache this enumeration. */
6440 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
6442 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
6443 r
->in
.name
->string
));
6445 for (i
=0; i
<num_account
; i
++) {
6446 if (strequal(entries
[i
].account_name
, r
->in
.name
->string
)) {
6447 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6448 "found %s at idx %d\n",
6449 r
->in
.name
->string
, i
));
6451 return NT_STATUS_OK
;
6455 /* assuming account_name lives at the very end */
6456 *r
->out
.idx
= num_account
;
6458 return NT_STATUS_NO_MORE_ENTRIES
;
6461 /****************************************************************
6462 _samr_GetDisplayEnumerationIndex2
6463 ****************************************************************/
6465 NTSTATUS
_samr_GetDisplayEnumerationIndex2(pipes_struct
*p
,
6466 struct samr_GetDisplayEnumerationIndex2
*r
)
6468 struct samr_GetDisplayEnumerationIndex q
;
6470 q
.in
.domain_handle
= r
->in
.domain_handle
;
6471 q
.in
.level
= r
->in
.level
;
6472 q
.in
.name
= r
->in
.name
;
6474 q
.out
.idx
= r
->out
.idx
;
6476 return _samr_GetDisplayEnumerationIndex(p
, &q
);
6479 /****************************************************************
6481 ****************************************************************/
6483 NTSTATUS
_samr_RidToSid(pipes_struct
*p
,
6484 struct samr_RidToSid
*r
)
6486 struct samr_domain_info
*dinfo
;
6490 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6492 struct samr_domain_info
, &status
);
6493 if (!NT_STATUS_IS_OK(status
)) {
6497 if (!sid_compose(&sid
, &dinfo
->sid
, r
->in
.rid
)) {
6498 return NT_STATUS_NO_MEMORY
;
6501 *r
->out
.sid
= sid_dup_talloc(p
->mem_ctx
, &sid
);
6503 return NT_STATUS_NO_MEMORY
;
6506 return NT_STATUS_OK
;
6509 /****************************************************************
6510 ****************************************************************/
6512 NTSTATUS
_samr_Shutdown(pipes_struct
*p
,
6513 struct samr_Shutdown
*r
)
6515 p
->rng_fault_state
= true;
6516 return NT_STATUS_NOT_IMPLEMENTED
;
6519 /****************************************************************
6520 ****************************************************************/
6522 NTSTATUS
_samr_SetMemberAttributesOfGroup(pipes_struct
*p
,
6523 struct samr_SetMemberAttributesOfGroup
*r
)
6525 p
->rng_fault_state
= true;
6526 return NT_STATUS_NOT_IMPLEMENTED
;
6529 /****************************************************************
6530 ****************************************************************/
6532 NTSTATUS
_samr_TestPrivateFunctionsDomain(pipes_struct
*p
,
6533 struct samr_TestPrivateFunctionsDomain
*r
)
6535 return NT_STATUS_NOT_IMPLEMENTED
;
6538 /****************************************************************
6539 ****************************************************************/
6541 NTSTATUS
_samr_TestPrivateFunctionsUser(pipes_struct
*p
,
6542 struct samr_TestPrivateFunctionsUser
*r
)
6544 return NT_STATUS_NOT_IMPLEMENTED
;
6547 /****************************************************************
6548 ****************************************************************/
6550 NTSTATUS
_samr_AddMultipleMembersToAlias(pipes_struct
*p
,
6551 struct samr_AddMultipleMembersToAlias
*r
)
6553 p
->rng_fault_state
= true;
6554 return NT_STATUS_NOT_IMPLEMENTED
;
6557 /****************************************************************
6558 ****************************************************************/
6560 NTSTATUS
_samr_RemoveMultipleMembersFromAlias(pipes_struct
*p
,
6561 struct samr_RemoveMultipleMembersFromAlias
*r
)
6563 p
->rng_fault_state
= true;
6564 return NT_STATUS_NOT_IMPLEMENTED
;
6567 /****************************************************************
6568 ****************************************************************/
6570 NTSTATUS
_samr_SetBootKeyInformation(pipes_struct
*p
,
6571 struct samr_SetBootKeyInformation
*r
)
6573 p
->rng_fault_state
= true;
6574 return NT_STATUS_NOT_IMPLEMENTED
;
6577 /****************************************************************
6578 ****************************************************************/
6580 NTSTATUS
_samr_GetBootKeyInformation(pipes_struct
*p
,
6581 struct samr_GetBootKeyInformation
*r
)
6583 p
->rng_fault_state
= true;
6584 return NT_STATUS_NOT_IMPLEMENTED
;
6587 /****************************************************************
6588 ****************************************************************/
6590 NTSTATUS
_samr_SetDsrmPassword(pipes_struct
*p
,
6591 struct samr_SetDsrmPassword
*r
)
6593 p
->rng_fault_state
= true;
6594 return NT_STATUS_NOT_IMPLEMENTED
;
6597 /****************************************************************
6598 ****************************************************************/
6600 NTSTATUS
_samr_ValidatePassword(pipes_struct
*p
,
6601 struct samr_ValidatePassword
*r
)
6603 p
->rng_fault_state
= true;
6604 return NT_STATUS_NOT_IMPLEMENTED
;