search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids2()
[Samba.git] / source4 / rpc_server / lsa / lsa_lookup.c
blob65c664ebfb8d670d1fc4baad3258c8e92656f24e
1 /*
2 Unix SMB/CIFS implementation.
3
4 endpoint server for the lsarpc pipe
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2007
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "rpc_server/lsa/lsa.h"
24 #include "libds/common/flag_mapping.h"
25
26 static const struct {
27 const char *domain;
28 const char *name;
29 const char *sid;
30 enum lsa_SidType rtype;
31 } well_known[] = {
32 {
33 .name = "EVERYONE",
34 .sid = SID_WORLD,
35 .rtype = SID_NAME_WKN_GRP,
36 },
37 {
38 .name = "CREATOR OWNER",
39 .sid = SID_CREATOR_OWNER,
40 .rtype = SID_NAME_WKN_GRP,
41 },
42 {
43 .name = "CREATOR GROUP",
44 .sid = SID_CREATOR_GROUP,
45 .rtype = SID_NAME_WKN_GRP,
46 },
47 {
48 .name = "Owner Rights",
49 .sid = SID_OWNER_RIGHTS,
50 .rtype = SID_NAME_WKN_GRP,
51 },
52 {
53 .domain = "NT AUTHORITY",
54 .name = "Dialup",
55 .sid = SID_NT_DIALUP,
56 .rtype = SID_NAME_WKN_GRP,
57 },
58 {
59 .domain = "NT AUTHORITY",
60 .name = "Network",
61 .sid = SID_NT_NETWORK,
62 .rtype = SID_NAME_WKN_GRP,
63 },
64 {
65 .domain = "NT AUTHORITY",
66 .name = "Batch",
67 .sid = SID_NT_BATCH,
68 .rtype = SID_NAME_WKN_GRP,
69 },
70 {
71 .domain = "NT AUTHORITY",
72 .name = "Interactive",
73 .sid = SID_NT_INTERACTIVE,
74 .rtype = SID_NAME_WKN_GRP,
75 },
76 {
77 .domain = "NT AUTHORITY",
78 .name = "Service",
79 .sid = SID_NT_SERVICE,
80 .rtype = SID_NAME_WKN_GRP,
81 },
82 {
83 .domain = "NT AUTHORITY",
84 .name = "ANONYMOUS LOGON",
85 .sid = SID_NT_ANONYMOUS,
86 .rtype = SID_NAME_WKN_GRP,
87 },
88 {
89 .domain = "NT AUTHORITY",
90 .name = "Proxy",
91 .sid = SID_NT_PROXY,
92 .rtype = SID_NAME_WKN_GRP,
93 },
94 {
95 .domain = "NT AUTHORITY",
96 .name = "ServerLogon",
97 .sid = SID_NT_ENTERPRISE_DCS,
98 .rtype = SID_NAME_WKN_GRP,
99 },
100 {
101 .domain = "NT AUTHORITY",
102 .name = "Self",
103 .sid = SID_NT_SELF,
104 .rtype = SID_NAME_WKN_GRP,
105 },
106 {
107 .domain = "NT AUTHORITY",
108 .name = "Authenticated Users",
109 .sid = SID_NT_AUTHENTICATED_USERS,
110 .rtype = SID_NAME_WKN_GRP,
111 },
112 {
113 .domain = "NT AUTHORITY",
114 .name = "Restricted",
115 .sid = SID_NT_RESTRICTED,
116 .rtype = SID_NAME_WKN_GRP,
117 },
118 {
119 .domain = "NT AUTHORITY",
120 .name = "Terminal Server User",
121 .sid = SID_NT_TERMINAL_SERVER_USERS,
122 .rtype = SID_NAME_WKN_GRP,
123 },
124 {
125 .domain = "NT AUTHORITY",
126 .name = "Remote Interactive Logon",
127 .sid = SID_NT_REMOTE_INTERACTIVE,
128 .rtype = SID_NAME_WKN_GRP,
129 },
130 {
131 .domain = "NT AUTHORITY",
132 .name = "This Organization",
133 .sid = SID_NT_THIS_ORGANISATION,
134 .rtype = SID_NAME_WKN_GRP,
135 },
136 {
137 .domain = "NT AUTHORITY",
138 .name = "SYSTEM",
139 .sid = SID_NT_SYSTEM,
140 .rtype = SID_NAME_WKN_GRP,
141 },
142 {
143 .domain = "NT AUTHORITY",
144 .name = "Local Service",
145 .sid = SID_NT_LOCAL_SERVICE,
146 .rtype = SID_NAME_WKN_GRP,
147 },
148 {
149 .domain = "NT AUTHORITY",
150 .name = "Network Service",
151 .sid = SID_NT_NETWORK_SERVICE,
152 .rtype = SID_NAME_WKN_GRP,
153 },
154 {
155 .domain = "NT AUTHORITY",
156 .name = "Digest Authentication",
157 .sid = SID_NT_DIGEST_AUTHENTICATION,
158 .rtype = SID_NAME_WKN_GRP,
159 },
160 {
161 .domain = "NT AUTHORITY",
162 .name = "Enterprise Domain Controllers",
163 .sid = SID_NT_ENTERPRISE_DCS,
164 .rtype = SID_NAME_WKN_GRP,
165 },
166 {
167 .domain = "NT AUTHORITY",
168 .name = "NTLM Authentication",
169 .sid = SID_NT_NTLM_AUTHENTICATION,
170 .rtype = SID_NAME_WKN_GRP,
171 },
172 {
173 .domain = "NT AUTHORITY",
174 .name = "Other Organization",
175 .sid = SID_NT_OTHER_ORGANISATION,
176 .rtype = SID_NAME_WKN_GRP,
177 },
178 {
179 .domain = "NT AUTHORITY",
180 .name = "SChannel Authentication",
181 .sid = SID_NT_SCHANNEL_AUTHENTICATION,
182 .rtype = SID_NAME_WKN_GRP,
183 },
184 {
185 .domain = "NT AUTHORITY",
186 .name = "IUSR",
187 .sid = SID_NT_IUSR,
188 .rtype = SID_NAME_WKN_GRP,
189 },
190 {
191 .sid = NULL,
192 }
193 };
194
195 static NTSTATUS lookup_well_known_names(TALLOC_CTX *mem_ctx, const char *domain,
196 const char *name, const char **authority_name,
197 struct dom_sid **sid, enum lsa_SidType *rtype)
198 {
199 unsigned int i;
200 for (i=0; well_known[i].sid; i++) {
201 if (domain) {
202 if (strcasecmp_m(domain, well_known[i].domain) == 0
203 && strcasecmp_m(name, well_known[i].name) == 0) {
204 *authority_name = well_known[i].domain;
205 *sid = dom_sid_parse_talloc(mem_ctx, well_known[i].sid);
206 *rtype = well_known[i].rtype;
207 return NT_STATUS_OK;
208 }
209 } else {
210 if (strcasecmp_m(name, well_known[i].name) == 0) {
211 *authority_name = well_known[i].domain;
212 *sid = dom_sid_parse_talloc(mem_ctx, well_known[i].sid);
213 *rtype = well_known[i].rtype;
214 return NT_STATUS_OK;
215 }
216 }
217 }
218 return NT_STATUS_NOT_FOUND;
219 }
220
221 static NTSTATUS lookup_well_known_sids(TALLOC_CTX *mem_ctx,
222 const char *sid_str, const char **authority_name,
223 const char **name, enum lsa_SidType *rtype)
224 {
225 unsigned int i;
226 for (i=0; well_known[i].sid; i++) {
227 if (strcasecmp_m(sid_str, well_known[i].sid) == 0) {
228 *authority_name = well_known[i].domain;
229 *name = well_known[i].name;
230 *rtype = well_known[i].rtype;
231 return NT_STATUS_OK;
232 }
233 }
234 return NT_STATUS_NOT_FOUND;
235 }
236
237 /*
238 lookup a SID for 1 name
239 */
240 static NTSTATUS dcesrv_lsa_lookup_name(struct tevent_context *ev_ctx,
241 struct loadparm_context *lp_ctx,
242 struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
243 const char *name, const char **authority_name,
244 struct dom_sid **sid, enum lsa_SidType *rtype,
245 uint32_t *rid)
246 {
247 int ret, i;
248 uint32_t atype;
249 struct ldb_message **res;
250 const char * const attrs[] = { "objectSid", "sAMAccountType", NULL};
251 const char *p;
252 const char *domain;
253 const char *username;
254 struct ldb_dn *domain_dn;
255 struct dom_sid *domain_sid;
256 NTSTATUS status;
257
258 p = strchr_m(name, '\\');
259 if (p != NULL) {
260 domain = talloc_strndup(mem_ctx, name, p-name);
261 if (!domain) {
262 return NT_STATUS_NO_MEMORY;
263 }
264 username = p + 1;
265 } else if (strchr_m(name, '@')) {
266 status = crack_name_to_nt4_name(mem_ctx,
267 state->sam_ldb,
268 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
269 name, &domain, &username);
270 if (!NT_STATUS_IS_OK(status)) {
271 DEBUG(3, ("Failed to crack name %s into an NT4 name: %s\n", name, nt_errstr(status)));
272 return status;
273 }
274 } else {
275 domain = NULL;
276 username = name;
277 }
278
279 if (!domain) {
280 /* Look up table of well known names */
281 status = lookup_well_known_names(mem_ctx, NULL, username, authority_name, sid, rtype);
282 if (NT_STATUS_IS_OK(status)) {
283 dom_sid_split_rid(NULL, *sid, NULL, rid);
284 return NT_STATUS_OK;
285 }
286
287 if (username == NULL) {
288 *authority_name = NAME_BUILTIN;
289 *sid = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN);
290 if (*sid == NULL) {
291 return NT_STATUS_NO_MEMORY;
292 }
293 *rtype = SID_NAME_DOMAIN;
294 *rid = 0xFFFFFFFF;
295 return NT_STATUS_OK;
296 }
297
298 if (strcasecmp_m(username, NAME_NT_AUTHORITY) == 0) {
299 *authority_name = NAME_NT_AUTHORITY;
300 *sid = dom_sid_parse_talloc(mem_ctx, SID_NT_AUTHORITY);
301 if (*sid == NULL) {
302 return NT_STATUS_NO_MEMORY;
303 }
304 *rtype = SID_NAME_DOMAIN;
305 dom_sid_split_rid(NULL, *sid, NULL, rid);
306 return NT_STATUS_OK;
307 }
308 if (strcasecmp_m(username, NAME_BUILTIN) == 0) {
309 *authority_name = NAME_BUILTIN;
310 *sid = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN);
311 if (*sid == NULL) {
312 return NT_STATUS_NO_MEMORY;
313 }
314 *rtype = SID_NAME_DOMAIN;
315 *rid = 0xFFFFFFFF;
316 return NT_STATUS_OK;
317 }
318 if (strcasecmp_m(username, state->domain_dns) == 0) {
319 *authority_name = talloc_strdup(mem_ctx,
320 state->domain_name);
321 if (*authority_name == NULL) {
322 return NT_STATUS_NO_MEMORY;
323 }
324 *sid = dom_sid_dup(mem_ctx, state->domain_sid);
325 if (*sid == NULL) {
326 return NT_STATUS_NO_MEMORY;
327 }
328 *rtype = SID_NAME_DOMAIN;
329 *rid = 0xFFFFFFFF;
330 return NT_STATUS_OK;
331 }
332 if (strcasecmp_m(username, state->domain_name) == 0) {
333 *authority_name = talloc_strdup(mem_ctx,
334 state->domain_name);
335 if (*authority_name == NULL) {
336 return NT_STATUS_NO_MEMORY;
337 }
338 *sid = dom_sid_dup(mem_ctx, state->domain_sid);
339 if (*sid == NULL) {
340 return NT_STATUS_NO_MEMORY;
341 }
342 *rtype = SID_NAME_DOMAIN;
343 *rid = 0xFFFFFFFF;
344 return NT_STATUS_OK;
345 }
346
347 /* Perhaps this is a well known user? */
348 name = talloc_asprintf(mem_ctx, "%s\\%s", NAME_NT_AUTHORITY, username);
349 if (!name) {
350 return NT_STATUS_NO_MEMORY;
351 }
352 status = dcesrv_lsa_lookup_name(ev_ctx, lp_ctx, state, mem_ctx, name, authority_name, sid, rtype, rid);
353 if (NT_STATUS_IS_OK(status)) {
354 return status;
355 }
356
357 /* Perhaps this is a BUILTIN user? */
358 name = talloc_asprintf(mem_ctx, "%s\\%s", NAME_BUILTIN, username);
359 if (!name) {
360 return NT_STATUS_NO_MEMORY;
361 }
362 status = dcesrv_lsa_lookup_name(ev_ctx, lp_ctx, state, mem_ctx, name, authority_name, sid, rtype, rid);
363 if (NT_STATUS_IS_OK(status)) {
364 return status;
365 }
366
367 /* OK, I give up - perhaps we need to assume the user is in our domain? */
368 name = talloc_asprintf(mem_ctx, "%s\\%s", state->domain_name, username);
369 if (!name) {
370 return NT_STATUS_NO_MEMORY;
371 }
372 status = dcesrv_lsa_lookup_name(ev_ctx, lp_ctx, state, mem_ctx, name, authority_name, sid, rtype, rid);
373 if (NT_STATUS_IS_OK(status)) {
374 return status;
375 }
376
377 return STATUS_SOME_UNMAPPED;
378 } else if (strcasecmp_m(domain, NAME_NT_AUTHORITY) == 0) {
379 if (!*username) {
380 *authority_name = NAME_NT_AUTHORITY;
381 *sid = dom_sid_parse_talloc(mem_ctx, SID_NT_AUTHORITY);
382 if (*sid == NULL) {
383 return NT_STATUS_NO_MEMORY;
384 }
385 *rtype = SID_NAME_DOMAIN;
386 dom_sid_split_rid(NULL, *sid, NULL, rid);
387 return NT_STATUS_OK;
388 }
389
390 /* Look up table of well known names */
391 status = lookup_well_known_names(mem_ctx, domain, username, authority_name,
392 sid, rtype);
393 if (NT_STATUS_IS_OK(status)) {
394 dom_sid_split_rid(NULL, *sid, NULL, rid);
395 }
396 return status;
397 } else if (strcasecmp_m(domain, NAME_BUILTIN) == 0) {
398 *authority_name = NAME_BUILTIN;
399 domain_dn = state->builtin_dn;
400 } else if (strcasecmp_m(domain, state->domain_dns) == 0) {
401 *authority_name = talloc_strdup(mem_ctx,
402 state->domain_name);
403 if (*authority_name == NULL) {
404 return NT_STATUS_NO_MEMORY;
405 }
406 domain_dn = state->domain_dn;
407 } else if (strcasecmp_m(domain, state->domain_name) == 0) {
408 *authority_name = talloc_strdup(mem_ctx,
409 state->domain_name);
410 if (*authority_name == NULL) {
411 return NT_STATUS_NO_MEMORY;
412 }
413 domain_dn = state->domain_dn;
414 } else {
415 /* Not local, need to ask winbind in future */
416 return STATUS_SOME_UNMAPPED;
417 }
418
419 ret = gendb_search_dn(state->sam_ldb, mem_ctx, domain_dn, &res, attrs);
420 if (ret != 1) {
421 return NT_STATUS_INTERNAL_DB_CORRUPTION;
422 }
423 domain_sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
424 if (domain_sid == NULL) {
425 return NT_STATUS_INVALID_SID;
426 }
427
428 if (!*username) {
429 *sid = domain_sid;
430 *rtype = SID_NAME_DOMAIN;
431 *rid = 0xFFFFFFFF;
432 return NT_STATUS_OK;
433 }
434
435 ret = gendb_search(state->sam_ldb, mem_ctx, domain_dn, &res, attrs,
436 "(&(sAMAccountName=%s)(objectSid=*))",
437 ldb_binary_encode_string(mem_ctx, username));
438 if (ret < 0) {
439 return NT_STATUS_INTERNAL_DB_CORRUPTION;
440 }
441
442 for (i=0; i < ret; i++) {
443 *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
444 if (*sid == NULL) {
445 return NT_STATUS_INVALID_SID;
446 }
447
448 /* Check that this is in the domain */
449 if (!dom_sid_in_domain(domain_sid, *sid)) {
450 continue;
451 }
452
453 atype = ldb_msg_find_attr_as_uint(res[i], "sAMAccountType", 0);
454
455 *rtype = ds_atype_map(atype);
456 if (*rtype == SID_NAME_UNKNOWN) {
457 return STATUS_SOME_UNMAPPED;
458 }
459
460 dom_sid_split_rid(NULL, *sid, NULL, rid);
461 return NT_STATUS_OK;
462 }
463
464 /* need to check for an allocated sid */
465
466 return NT_STATUS_INVALID_SID;
467 }
468
469
470 /*
471 add to the lsa_RefDomainList for LookupSids and LookupNames
472 */
473 static NTSTATUS dcesrv_lsa_authority_list(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
474 enum lsa_SidType rtype,
475 const char *authority_name,
476 struct dom_sid *sid,
477 struct lsa_RefDomainList *domains,
478 uint32_t *sid_index)
479 {
480 struct dom_sid *authority_sid;
481 uint32_t i;
482
483 if (rtype != SID_NAME_DOMAIN) {
484 authority_sid = dom_sid_dup(mem_ctx, sid);
485 if (authority_sid == NULL) {
486 return NT_STATUS_NO_MEMORY;
487 }
488 authority_sid->num_auths--;
489 } else {
490 authority_sid = sid;
491 }
492
493 /* see if we've already done this authority name */
494 for (i=0;i<domains->count;i++) {
495 if (strcasecmp_m(authority_name, domains->domains[i].name.string) == 0) {
496 *sid_index = i;
497 return NT_STATUS_OK;
498 }
499 }
500
501 domains->domains = talloc_realloc(domains,
502 domains->domains,
503 struct lsa_DomainInfo,
504 domains->count+1);
505 if (domains->domains == NULL) {
506 return NT_STATUS_NO_MEMORY;
507 }
508 domains->domains[i].name.string = authority_name;
509 domains->domains[i].sid = authority_sid;
510 domains->count++;
511 domains->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER * domains->count;
512 *sid_index = i;
513
514 return NT_STATUS_OK;
515 }
516
517 /*
518 lookup a name for 1 SID
519 */
520 static NTSTATUS dcesrv_lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
521 struct dom_sid *sid, const char *sid_str,
522 const char **authority_name,
523 const char **name, enum lsa_SidType *rtype)
524 {
525 NTSTATUS status;
526 int ret;
527 uint32_t atype;
528 struct ldb_message **res;
529 struct ldb_dn *domain_dn;
530 const char * const attrs[] = { "sAMAccountName", "sAMAccountType", "cn", NULL};
531
532 status = lookup_well_known_sids(mem_ctx, sid_str, authority_name, name, rtype);
533 if (NT_STATUS_IS_OK(status)) {
534 return status;
535 }
536
537 if (dom_sid_equal(state->domain_sid, sid)) {
538 *authority_name = talloc_strdup(mem_ctx, state->domain_name);
539 if (*authority_name == NULL) {
540 return NT_STATUS_NO_MEMORY;
541 }
542 *name = NULL;
543 *rtype = SID_NAME_DOMAIN;
544 return NT_STATUS_OK;
545 }
546
547 if (dom_sid_in_domain(state->domain_sid, sid)) {
548 *authority_name = talloc_strdup(mem_ctx, state->domain_name);
549 if (*authority_name == NULL) {
550 return NT_STATUS_NO_MEMORY;
551 }
552 domain_dn = state->domain_dn;
553 } else if (dom_sid_in_domain(state->builtin_sid, sid)) {
554 *authority_name = NAME_BUILTIN;
555 domain_dn = state->builtin_dn;
556 } else {
557 /* Not well known, our domain or built in */
558
559 /* In future, we must look at SID histories, and at trusted domains via winbind */
560
561 return NT_STATUS_NOT_FOUND;
562 }
563
564 /* need to re-add a check for an allocated sid */
565
566 ret = gendb_search(state->sam_ldb, mem_ctx, domain_dn, &res, attrs,
567 "objectSid=%s", ldap_encode_ndr_dom_sid(mem_ctx, sid));
568 if ((ret < 0) || (ret > 1)) {
569 return NT_STATUS_INTERNAL_DB_CORRUPTION;
570 }
571 if (ret == 0) {
572 return NT_STATUS_NOT_FOUND;
573 }
574
575 *name = ldb_msg_find_attr_as_string(res[0], "sAMAccountName", NULL);
576 if (!*name) {
577 *name = ldb_msg_find_attr_as_string(res[0], "cn", NULL);
578 if (!*name) {
579 *name = talloc_strdup(mem_ctx, sid_str);
580 NT_STATUS_HAVE_NO_MEMORY(*name);
581 }
582 }
583
584 atype = ldb_msg_find_attr_as_uint(res[0], "sAMAccountType", 0);
585 *rtype = ds_atype_map(atype);
586
587 return NT_STATUS_OK;
588 }
589
590 static NTSTATUS dcesrv_lsa_LookupSids_common(struct dcesrv_call_state *dce_call,
591 TALLOC_CTX *mem_ctx,
592 struct lsa_policy_state *policy_state,
593 struct lsa_LookupSids2 *r)
594 {
595 struct lsa_RefDomainList *domains = NULL;
596 uint32_t i;
597
598 *r->out.domains = NULL;
599 r->out.names->count = 0;
600 r->out.names->names = NULL;
601 *r->out.count = 0;
602
603 if (r->in.level < LSA_LOOKUP_NAMES_ALL ||
604 r->in.level > LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC) {
605 return NT_STATUS_INVALID_PARAMETER;
606 }
607
608 /* NOTE: the WSPP test suite tries SIDs with invalid revision numbers,
609 and expects NT_STATUS_INVALID_PARAMETER back - we just treat it as
610 an unknown SID. We could add a SID validator here. (tridge)
611 MS-DTYP 2.4.2
612 */
613
614 domains = talloc_zero(r->out.domains, struct lsa_RefDomainList);
615 if (domains == NULL) {
616 return NT_STATUS_NO_MEMORY;
617 }
618 *r->out.domains = domains;
619
620 r->out.names->names = talloc_array(r->out.names, struct lsa_TranslatedName2,
621 r->in.sids->num_sids);
622 if (r->out.names->names == NULL) {
623 return NT_STATUS_NO_MEMORY;
624 }
625
626 for (i=0;i<r->in.sids->num_sids;i++) {
627 struct dom_sid *sid = r->in.sids->sids[i].sid;
628 char *sid_str = dom_sid_string(mem_ctx, sid);
629 const char *name, *authority_name;
630 enum lsa_SidType rtype;
631 uint32_t sid_index;
632 NTSTATUS status2;
633
634 r->out.names->count++;
635
636 r->out.names->names[i].sid_type = SID_NAME_UNKNOWN;
637 r->out.names->names[i].name.string = sid_str;
638 r->out.names->names[i].sid_index = 0xFFFFFFFF;
639 r->out.names->names[i].unknown = 0;
640
641 if (sid_str == NULL) {
642 r->out.names->names[i].name.string = "(SIDERROR)";
643 continue;
644 }
645
646 status2 = dcesrv_lsa_lookup_sid(policy_state, mem_ctx, sid, sid_str,
647 &authority_name, &name, &rtype);
648 if (!NT_STATUS_IS_OK(status2)) {
649 continue;
650 }
651
652 /* set up the authority table */
653 status2 = dcesrv_lsa_authority_list(policy_state, mem_ctx, rtype,
654 authority_name, sid,
655 domains, &sid_index);
656 if (!NT_STATUS_IS_OK(status2)) {
657 continue;
658 }
659
660 r->out.names->names[i].sid_type = rtype;
661 r->out.names->names[i].name.string = name;
662 r->out.names->names[i].sid_index = sid_index;
663 r->out.names->names[i].unknown = 0;
664
665 (*r->out.count)++;
666 }
667
668 if (*r->out.count == 0) {
669 return NT_STATUS_NONE_MAPPED;
670 }
671 if (*r->out.count != r->in.sids->num_sids) {
672 return STATUS_SOME_UNMAPPED;
673 }
674
675 return NT_STATUS_OK;
676 }
677
678 /*
679 lsa_LookupSids2
680 */
681 NTSTATUS dcesrv_lsa_LookupSids2(struct dcesrv_call_state *dce_call,
682 TALLOC_CTX *mem_ctx,
683 struct lsa_LookupSids2 *r)
684 {
685 enum dcerpc_transport_t transport =
686 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
687 struct lsa_policy_state *policy_state = NULL;
688 struct dcesrv_handle *policy_handle = NULL;
689
690 if (transport != NCACN_NP && transport != NCALRPC) {
691 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
692 }
693
694 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
695
696 policy_state = policy_handle->data;
697
698 return dcesrv_lsa_LookupSids_common(dce_call,
699 mem_ctx,
700 policy_state,
701 r);
702 }
703
704
705 /*
706 lsa_LookupSids3
707
708 Identical to LookupSids2, but doesn't take a policy handle
709
710 */
711 NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
712 TALLOC_CTX *mem_ctx,
713 struct lsa_LookupSids3 *r)
714 {
715 enum dcerpc_transport_t transport =
716 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
717 const struct dcesrv_auth *auth = &dce_call->conn->auth_state;
718 struct lsa_policy_state *policy_state;
719 struct lsa_LookupSids2 q;
720 NTSTATUS status;
721
722 if (transport != NCACN_IP_TCP) {
723 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
724 }
725
726 /*
727 * We don't have policy handles on this call. So this must be restricted
728 * to crypto connections only.
729 */
730 if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
731 auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
732 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
733 }
734
735 *r->out.domains = NULL;
736 r->out.names->count = 0;
737 r->out.names->names = NULL;
738 *r->out.count = 0;
739
740 status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
741 0, /* we skip access checks */
742 &policy_state);
743 if (!NT_STATUS_IS_OK(status)) {
744 return status;
745 }
746
747 ZERO_STRUCT(q);
748
749 q.in.handle = NULL;
750 q.in.sids = r->in.sids;
751 q.in.names = r->in.names;
752 q.in.level = r->in.level;
753 q.in.count = r->in.count;
754 q.in.lookup_options = r->in.lookup_options;
755 q.in.client_revision = r->in.client_revision;
756 q.out.count = r->out.count;
757 q.out.names = r->out.names;
758 q.out.domains = r->out.domains;
759
760 status = dcesrv_lsa_LookupSids_common(dce_call,
761 mem_ctx,
762 policy_state,
763 &q);
764
765 talloc_free(policy_state);
766
767 r->out.count = q.out.count;
768 r->out.names = q.out.names;
769 r->out.domains = q.out.domains;
770
771 return status;
772 }
773
774
775 /*
776 lsa_LookupSids
777 */
778 NTSTATUS dcesrv_lsa_LookupSids(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
779 struct lsa_LookupSids *r)
780 {
781 enum dcerpc_transport_t transport =
782 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
783 struct lsa_LookupSids2 r2;
784 NTSTATUS status;
785 uint32_t i;
786
787 if (transport != NCACN_NP && transport != NCALRPC) {
788 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
789 }
790
791 *r->out.domains = NULL;
792 r->out.names->count = 0;
793 r->out.names->names = NULL;
794 *r->out.count = 0;
795
796 r->out.names->names = talloc_zero_array(r->out.names,
797 struct lsa_TranslatedName,
798 r->in.sids->num_sids);
799 if (r->out.names->names == NULL) {
800 return NT_STATUS_NO_MEMORY;
801 }
802
803 ZERO_STRUCT(r2);
804
805 r2.in.handle = r->in.handle;
806 r2.in.sids = r->in.sids;
807 r2.in.names = talloc_zero(mem_ctx, struct lsa_TransNameArray2);
808 if (r2.in.names == NULL) {
809 return NT_STATUS_NO_MEMORY;
810 }
811 r2.in.level = r->in.level;
812 r2.in.count = r->in.count;
813 r2.in.lookup_options = LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES;
814 r2.in.client_revision = LSA_CLIENT_REVISION_1;
815 r2.out.count = r->out.count;
816 r2.out.names = talloc_zero(mem_ctx, struct lsa_TransNameArray2);
817 if (r2.out.names == NULL) {
818 return NT_STATUS_NO_MEMORY;
819 }
820 r2.out.domains = r->out.domains;
821
822 status = dcesrv_lsa_LookupSids2(dce_call, mem_ctx, &r2);
823 /* we deliberately don't check for error from the above,
824 as even on error we are supposed to return the names */
825
826 SMB_ASSERT(r2.out.names->count <= r->in.sids->num_sids);
827 for (i=0;i<r2.out.names->count;i++) {
828 r->out.names->names[i].sid_type = r2.out.names->names[i].sid_type;
829 r->out.names->names[i].name.string = r2.out.names->names[i].name.string;
830 r->out.names->names[i].sid_index = r2.out.names->names[i].sid_index;
831 }
832 r->out.names->count = r2.out.names->count;
833
834 return status;
835 }
836
837 static NTSTATUS dcesrv_lsa_LookupNames_common(struct dcesrv_call_state *dce_call,
838 TALLOC_CTX *mem_ctx,
839 struct lsa_policy_state *policy_state,
840 struct lsa_LookupNames3 *r)
841 {
842 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
843 struct lsa_RefDomainList *domains;
844 uint32_t i;
845
846 *r->out.domains = NULL;
847 r->out.sids->count = 0;
848 r->out.sids->sids = NULL;
849 *r->out.count = 0;
850
851 if (r->in.level < LSA_LOOKUP_NAMES_ALL ||
852 r->in.level > LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC) {
853 return NT_STATUS_INVALID_PARAMETER;
854 }
855
856 domains = talloc_zero(r->out.domains, struct lsa_RefDomainList);
857 if (domains == NULL) {
858 return NT_STATUS_NO_MEMORY;
859 }
860 *r->out.domains = domains;
861
862 r->out.sids->sids = talloc_array(r->out.sids, struct lsa_TranslatedSid3,
863 r->in.num_names);
864 if (r->out.sids->sids == NULL) {
865 return NT_STATUS_NO_MEMORY;
866 }
867
868 for (i=0;i<r->in.num_names;i++) {
869 const char *name = r->in.names[i].string;
870 const char *authority_name;
871 struct dom_sid *sid;
872 uint32_t sid_index, rid;
873 enum lsa_SidType rtype;
874 NTSTATUS status2;
875
876 r->out.sids->count++;
877
878 r->out.sids->sids[i].sid_type = SID_NAME_UNKNOWN;
879 r->out.sids->sids[i].sid = NULL;
880 r->out.sids->sids[i].sid_index = 0xFFFFFFFF;
881 r->out.sids->sids[i].flags = 0;
882
883 status2 = dcesrv_lsa_lookup_name(dce_call->event_ctx, lp_ctx, policy_state, mem_ctx, name,
884 &authority_name, &sid, &rtype, &rid);
885 if (!NT_STATUS_IS_OK(status2) || sid->num_auths == 0) {
886 continue;
887 }
888
889 status2 = dcesrv_lsa_authority_list(policy_state, mem_ctx, rtype, authority_name,
890 sid, domains, &sid_index);
891 if (!NT_STATUS_IS_OK(status2)) {
892 continue;
893 }
894
895 r->out.sids->sids[i].sid_type = rtype;
896 r->out.sids->sids[i].sid = sid;
897 r->out.sids->sids[i].sid_index = sid_index;
898 r->out.sids->sids[i].flags = 0;
899
900 (*r->out.count)++;
901 }
902
903 if (*r->out.count == 0) {
904 return NT_STATUS_NONE_MAPPED;
905 }
906 if (*r->out.count != r->in.num_names) {
907 return STATUS_SOME_UNMAPPED;
908 }
909
910 return NT_STATUS_OK;
911 }
912
913 /*
914 lsa_LookupNames3
915 */
916 NTSTATUS dcesrv_lsa_LookupNames3(struct dcesrv_call_state *dce_call,
917 TALLOC_CTX *mem_ctx,
918 struct lsa_LookupNames3 *r)
919 {
920 enum dcerpc_transport_t transport =
921 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
922 struct lsa_policy_state *policy_state;
923 struct dcesrv_handle *policy_handle;
924
925 if (transport != NCACN_NP && transport != NCALRPC) {
926 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
927 }
928
929 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
930
931 policy_state = policy_handle->data;
932
933 return dcesrv_lsa_LookupNames_common(dce_call,
934 mem_ctx,
935 policy_state,
936 r);
937 }
938
939 /*
940 lsa_LookupNames4
941
942 Identical to LookupNames3, but doesn't take a policy handle
943
944 */
945 NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
946 struct lsa_LookupNames4 *r)
947 {
948 enum dcerpc_transport_t transport =
949 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
950 const struct dcesrv_auth *auth = &dce_call->conn->auth_state;
951 struct lsa_policy_state *policy_state;
952 struct lsa_LookupNames3 q;
953 NTSTATUS status;
954
955 if (transport != NCACN_IP_TCP) {
956 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
957 }
958
959 /*
960 * We don't have policy handles on this call. So this must be restricted
961 * to crypto connections only.
962 */
963 if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
964 auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
965 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
966 }
967
968 *r->out.domains = NULL;
969 r->out.sids->count = 0;
970 r->out.sids->sids = NULL;
971 *r->out.count = 0;
972
973 status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
974 0, /* we skip access checks */
975 &policy_state);
976 if (!NT_STATUS_IS_OK(status)) {
977 return status;
978 }
979
980 ZERO_STRUCT(q);
981
982 q.in.handle = NULL;
983 q.in.num_names = r->in.num_names;
984 q.in.names = r->in.names;
985 q.in.level = r->in.level;
986 q.in.sids = r->in.sids;
987 q.in.count = r->in.count;
988 q.in.lookup_options = r->in.lookup_options;
989 q.in.client_revision = r->in.client_revision;
990
991 q.out.count = r->out.count;
992 q.out.sids = r->out.sids;
993 q.out.domains = r->out.domains;
994
995 status = dcesrv_lsa_LookupNames_common(dce_call,
996 mem_ctx,
997 policy_state,
998 &q);
999
1000 talloc_free(policy_state);
1001
1002 r->out.count = q.out.count;
1003 r->out.sids = q.out.sids;
1004 r->out.domains = q.out.domains;
1005
1006 return status;
1007 }
1008
1009 /*
1010 lsa_LookupNames2
1011 */
1012 NTSTATUS dcesrv_lsa_LookupNames2(struct dcesrv_call_state *dce_call,
1013 TALLOC_CTX *mem_ctx,
1014 struct lsa_LookupNames2 *r)
1015 {
1016 enum dcerpc_transport_t transport =
1017 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
1018 struct lsa_policy_state *state;
1019 struct dcesrv_handle *h;
1020 uint32_t i;
1021 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
1022 struct lsa_RefDomainList *domains;
1023
1024 if (transport != NCACN_NP && transport != NCALRPC) {
1025 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
1026 }
1027
1028 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
1029
1030 *r->out.domains = NULL;
1031 r->out.sids->count = 0;
1032 r->out.sids->sids = NULL;
1033 *r->out.count = 0;
1034
1035 if (r->in.level < LSA_LOOKUP_NAMES_ALL ||
1036 r->in.level > LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC) {
1037 return NT_STATUS_INVALID_PARAMETER;
1038 }
1039
1040 state = h->data;
1041
1042 domains = talloc_zero(r->out.domains, struct lsa_RefDomainList);
1043 if (domains == NULL) {
1044 return NT_STATUS_NO_MEMORY;
1045 }
1046 *r->out.domains = domains;
1047
1048 r->out.sids->sids = talloc_array(r->out.sids, struct lsa_TranslatedSid2,
1049 r->in.num_names);
1050 if (r->out.sids->sids == NULL) {
1051 return NT_STATUS_NO_MEMORY;
1052 }
1053
1054 for (i=0;i<r->in.num_names;i++) {
1055 const char *name = r->in.names[i].string;
1056 const char *authority_name;
1057 struct dom_sid *sid;
1058 uint32_t sid_index, rid=0;
1059 enum lsa_SidType rtype;
1060 NTSTATUS status2;
1061
1062 r->out.sids->count++;
1063
1064 r->out.sids->sids[i].sid_type = SID_NAME_UNKNOWN;
1065 /* MS-LSAT 3.1.4.7 - rid zero is considered equivalent
1066 to sid NULL - so we should return 0 rid for
1067 unmapped entries */
1068 r->out.sids->sids[i].rid = 0;
1069 r->out.sids->sids[i].sid_index = 0xFFFFFFFF;
1070 r->out.sids->sids[i].unknown = 0;
1071
1072 status2 = dcesrv_lsa_lookup_name(dce_call->event_ctx, lp_ctx, state, mem_ctx, name,
1073 &authority_name, &sid, &rtype, &rid);
1074 if (!NT_STATUS_IS_OK(status2)) {
1075 continue;
1076 }
1077
1078 status2 = dcesrv_lsa_authority_list(state, mem_ctx, rtype, authority_name,
1079 sid, domains, &sid_index);
1080 if (!NT_STATUS_IS_OK(status2)) {
1081 continue;
1082 }
1083
1084 r->out.sids->sids[i].sid_type = rtype;
1085 r->out.sids->sids[i].rid = rid;
1086 r->out.sids->sids[i].sid_index = sid_index;
1087 r->out.sids->sids[i].unknown = 0;
1088
1089 (*r->out.count)++;
1090 }
1091
1092 if (*r->out.count == 0) {
1093 return NT_STATUS_NONE_MAPPED;
1094 }
1095 if (*r->out.count != r->in.num_names) {
1096 return STATUS_SOME_UNMAPPED;
1097 }
1098
1099 return NT_STATUS_OK;
1100 }
1101
1102 /*
1103 lsa_LookupNames
1104 */
1105 NTSTATUS dcesrv_lsa_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1106 struct lsa_LookupNames *r)
1107 {
1108 enum dcerpc_transport_t transport =
1109 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
1110 struct lsa_LookupNames2 r2;
1111 NTSTATUS status;
1112 uint32_t i;
1113
1114 if (transport != NCACN_NP && transport != NCALRPC) {
1115 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
1116 }
1117
1118 *r->out.domains = NULL;
1119 r->out.sids->count = 0;
1120 r->out.sids->sids = NULL;
1121 *r->out.count = 0;
1122
1123 r->out.sids->sids = talloc_zero_array(r->out.sids,
1124 struct lsa_TranslatedSid,
1125 r->in.num_names);
1126 if (r->out.sids->sids == NULL) {
1127 return NT_STATUS_NO_MEMORY;
1128 }
1129
1130 ZERO_STRUCT(r2);
1131
1132 r2.in.handle = r->in.handle;
1133 r2.in.num_names = r->in.num_names;
1134 r2.in.names = r->in.names;
1135 r2.in.sids = talloc_zero(mem_ctx, struct lsa_TransSidArray2);
1136 if (r2.in.sids == NULL) {
1137 return NT_STATUS_NO_MEMORY;
1138 }
1139 r2.in.level = r->in.level;
1140 r2.in.count = r->in.count;
1141 r2.in.lookup_options = LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES;
1142 r2.in.client_revision = LSA_CLIENT_REVISION_1;
1143 r2.out.count = r->out.count;
1144 r2.out.sids = talloc_zero(mem_ctx, struct lsa_TransSidArray2);
1145 if (r2.out.sids == NULL) {
1146 return NT_STATUS_NO_MEMORY;
1147 }
1148 r2.out.domains = r->out.domains;
1149
1150 status = dcesrv_lsa_LookupNames2(dce_call, mem_ctx, &r2);
1151
1152 SMB_ASSERT(r2.out.sids->count <= r->in.num_names);
1153 for (i=0;i<r2.out.sids->count;i++) {
1154 r->out.sids->sids[i].sid_type = r2.out.sids->sids[i].sid_type;
1155 r->out.sids->sids[i].rid = r2.out.sids->sids[i].rid;
1156 r->out.sids->sids[i].sid_index = r2.out.sids->sids[i].sid_index;
1157 }
1158 r->out.sids->count = r2.out.sids->count;
1159
1160 return status;
1161 }
1162
Samba GIT mirror