search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r7581: fix bad merge
[Samba.git] / source3 / rpc_server / srv_samr_nt.c
blobe510f69cc8e8baf7a4ca368c475f753c872aaf59
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 */
28
29 /*
30 * This is the implementation of the SAMR code.
31 */
32
33 #include "includes.h"
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
37
38 #define SAMR_USR_RIGHTS_WRITE_PW \
39 ( READ_CONTROL_ACCESS | \
40 SA_RIGHT_USER_CHANGE_PASSWORD | \
41 SA_RIGHT_USER_SET_LOC_COM )
42
43 extern rid_name domain_group_rids[];
44 extern rid_name domain_alias_rids[];
45 extern rid_name builtin_alias_rids[];
46
47 typedef struct disp_info {
48 struct pdb_search *users;
49 struct pdb_search *machines;
50 struct pdb_search *groups;
51 struct pdb_search *aliases;
52 struct pdb_search *builtins;
53 } DISP_INFO;
54
55 struct samr_info {
56 /* for use by the \PIPE\samr policy */
57 DOM_SID sid;
58 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
59 uint32 acc_granted;
60 uint16 acb_mask;
61 BOOL only_machines;
62 DISP_INFO disp_info;
63
64 TALLOC_CTX *mem_ctx;
65 };
66
67 struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
68 struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
69 struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
70 struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
71 struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
72
73 /*******************************************************************
74 *******************************************************************/
75
76 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
77 struct generic_mapping *map,
78 DOM_SID *sid, uint32 sid_access )
79 {
80 DOM_SID domadmin_sid;
81 SEC_ACE ace[5]; /* at most 5 entries */
82 SEC_ACCESS mask;
83 size_t i = 0;
84
85 SEC_ACL *psa = NULL;
86
87 /* basic access for Everyone */
88
89 init_sec_access(&mask, map->generic_execute | map->generic_read );
90 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
91
92 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
93
94 init_sec_access(&mask, map->generic_all);
95
96 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
97 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
98
99 /* Add Full Access for Domain Admins if we are a DC */
100
101 if ( IS_DC ) {
102 sid_copy( &domadmin_sid, get_global_sam_sid() );
103 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
104 init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
105 }
106
107 /* if we have a sid, give it some special access */
108
109 if ( sid ) {
110 init_sec_access( &mask, sid_access );
111 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
112 }
113
114 /* create the security descriptor */
115
116 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
117 return NT_STATUS_NO_MEMORY;
118
119 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
120 return NT_STATUS_NO_MEMORY;
121
122 return NT_STATUS_OK;
123 }
124
125 /*******************************************************************
126 Checks if access to an object should be granted, and returns that
127 level of access for further checks.
128 ********************************************************************/
129
130 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
131 SE_PRIV *rights, uint32 rights_mask,
132 uint32 des_access, uint32 *acc_granted,
133 const char *debug )
134 {
135 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
136 uint32 saved_mask = 0;
137
138 /* check privileges; certain SAM access bits should be overridden
139 by privileges (mostly having to do with creating/modifying/deleting
140 users and groups) */
141
142 if ( rights && user_has_any_privilege( token, rights ) ) {
143
144 saved_mask = (des_access & rights_mask);
145 des_access &= ~saved_mask;
146
147 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
148 rights_mask));
149 }
150
151
152 /* check the security descriptor first */
153
154 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
155 goto done;
156
157 /* give root a free pass */
158
159 if ( geteuid() == sec_initial_uid() ) {
160
161 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
162 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
163
164 *acc_granted = des_access;
165
166 status = NT_STATUS_OK;
167 goto done;
168 }
169
170
171 done:
172 /* add in any bits saved during the privilege check (only
173 matters is status is ok) */
174
175 *acc_granted |= rights_mask;
176
177 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
178 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
179 des_access, *acc_granted));
180
181 return status;
182 }
183
184 /*******************************************************************
185 Checks if access to a function can be granted
186 ********************************************************************/
187
188 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
189 {
190 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
191 debug, acc_granted, acc_required));
192
193 /* check the security descriptor first */
194
195 if ( (acc_granted&acc_required) == acc_required )
196 return NT_STATUS_OK;
197
198 /* give root a free pass */
199
200 if (geteuid() == sec_initial_uid()) {
201
202 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
203 debug, acc_granted, acc_required));
204 DEBUGADD(4,("but overwritten by euid == 0\n"));
205
206 return NT_STATUS_OK;
207 }
208
209 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
210 debug, acc_granted, acc_required));
211
212 return NT_STATUS_ACCESS_DENIED;
213 }
214
215
216 /*******************************************************************
217 Create a samr_info struct.
218 ********************************************************************/
219
220 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
221 {
222 struct samr_info *info;
223 fstring sid_str;
224 TALLOC_CTX *mem_ctx;
225
226 if (psid) {
227 sid_to_string(sid_str, psid);
228 } else {
229 fstrcpy(sid_str,"(NULL)");
230 }
231
232 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
233
234 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
235 return NULL;
236
237 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
238 if (psid) {
239 sid_copy( &info->sid, psid);
240 } else {
241 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
242 }
243 info->mem_ctx = mem_ctx;
244 return info;
245 }
246
247 /*******************************************************************
248 Function to free the per handle data.
249 ********************************************************************/
250
251 /*******************************************************************
252 Function to free the per handle data.
253 ********************************************************************/
254
255 static void free_samr_db(struct samr_info *info)
256 {
257 pdb_search_destroy(info->disp_info.users);
258 info->disp_info.users = NULL;
259 pdb_search_destroy(info->disp_info.machines);
260 info->disp_info.machines = NULL;
261 pdb_search_destroy(info->disp_info.groups);
262 info->disp_info.groups = NULL;
263 pdb_search_destroy(info->disp_info.aliases);
264 info->disp_info.aliases = NULL;
265 pdb_search_destroy(info->disp_info.builtins);
266 info->disp_info.builtins = NULL;
267 }
268
269 static void free_samr_info(void *ptr)
270 {
271 struct samr_info *info=(struct samr_info *) ptr;
272
273 free_samr_db(info);
274 talloc_destroy(info->mem_ctx);
275 }
276
277 /*******************************************************************
278 Ensure password info is never given out. Paranioa... JRA.
279 ********************************************************************/
280
281 static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass)
282 {
283
284 if (!sam_pass)
285 return;
286
287 /* These now zero out the old password */
288
289 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
290 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
291 }
292
293 static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags)
294 {
295 struct samr_displayentry *entry;
296 if (info->users == NULL)
297 info->users = pdb_search_users(acct_flags);
298 if (info->users == NULL)
299 return 0;
300 /* Fetch the last possible entry, thus trigger an enumeration */
301 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
302 return info->users->num_entries;
303 }
304
305 static uint32 count_sam_groups(struct disp_info *info)
306 {
307 struct samr_displayentry *entry;
308 if (info->groups == NULL)
309 info->groups = pdb_search_groups();
310 if (info->groups == NULL)
311 return 0;
312 /* Fetch the last possible entry, thus trigger an enumeration */
313 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
314 return info->groups->num_entries;
315 }
316
317 /*******************************************************************
318 _samr_close_hnd
319 ********************************************************************/
320
321 NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u)
322 {
323 r_u->status = NT_STATUS_OK;
324
325 /* close the policy handle */
326 if (!close_policy_hnd(p, &q_u->pol))
327 return NT_STATUS_OBJECT_NAME_INVALID;
328
329 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__));
330
331 return r_u->status;
332 }
333
334 /*******************************************************************
335 samr_reply_open_domain
336 ********************************************************************/
337
338 NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u)
339 {
340 struct samr_info *info;
341 SEC_DESC *psd = NULL;
342 uint32 acc_granted;
343 uint32 des_access = q_u->flags;
344 NTSTATUS status;
345 size_t sd_size;
346 SE_PRIV se_rights;
347
348 r_u->status = NT_STATUS_OK;
349
350 /* find the connection policy handle. */
351
352 if ( !find_policy_by_hnd(p, &q_u->pol, (void**)&info) )
353 return NT_STATUS_INVALID_HANDLE;
354
355 status = access_check_samr_function( info->acc_granted,
356 SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_open_domain" );
357
358 if ( !NT_STATUS_IS_OK(status) )
359 return status;
360
361 /*check if access can be granted as requested by client. */
362
363 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
364 se_map_generic( &des_access, &dom_generic_mapping );
365
366 se_priv_copy( &se_rights, &se_machine_account );
367 se_priv_add( &se_rights, &se_add_users );
368
369 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
370 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
371 &acc_granted, "_samr_open_domain" );
372
373 if ( !NT_STATUS_IS_OK(status) )
374 return status;
375
376 /* associate the domain SID with the (unique) handle. */
377 if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
378 return NT_STATUS_NO_MEMORY;
379 info->acc_granted = acc_granted;
380
381 /* get a (unique) handle. open a policy on it. */
382 if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
383 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
384
385 DEBUG(5,("samr_open_domain: %d\n", __LINE__));
386
387 return r_u->status;
388 }
389
390 /*******************************************************************
391 _samr_get_usrdom_pwinfo
392 ********************************************************************/
393
394 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
395 {
396 struct samr_info *info = NULL;
397
398 r_u->status = NT_STATUS_OK;
399
400 /* find the policy handle. open a policy on it. */
401 if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info))
402 return NT_STATUS_INVALID_HANDLE;
403
404 if (!sid_check_is_in_our_domain(&info->sid))
405 return NT_STATUS_OBJECT_TYPE_MISMATCH;
406
407 init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK);
408
409 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__));
410
411 /*
412 * NT sometimes return NT_STATUS_ACCESS_DENIED
413 * I don't know yet why.
414 */
415
416 return r_u->status;
417 }
418
419
420 /*******************************************************************
421 _samr_set_sec_obj
422 ********************************************************************/
423
424 NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
425 {
426 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
427 return NT_STATUS_NOT_IMPLEMENTED;
428 }
429
430
431 /*******************************************************************
432 ********************************************************************/
433
434 static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
435 DOM_SID *sid, uint32 *acc_granted)
436 {
437 struct samr_info *info = NULL;
438
439 /* find the policy handle. open a policy on it. */
440 if (!find_policy_by_hnd(p, pol, (void **)&info))
441 return False;
442
443 if (!info)
444 return False;
445
446 *sid = info->sid;
447 *acc_granted = info->acc_granted;
448 return True;
449 }
450
451 /*******************************************************************
452 _samr_query_sec_obj
453 ********************************************************************/
454
455 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
456 {
457 DOM_SID pol_sid;
458 fstring str_sid;
459 SEC_DESC * psd = NULL;
460 uint32 acc_granted;
461 size_t sd_size;
462
463 r_u->status = NT_STATUS_OK;
464
465 /* Get the SID. */
466 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted))
467 return NT_STATUS_INVALID_HANDLE;
468
469
470
471 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
472
473 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
474
475 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
476 if (pol_sid.sid_rev_num == 0)
477 {
478 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
479 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
480 }
481 else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */
482
483 {
484 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
485 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
486 }
487 else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */
488 {
489 /* TODO: Builtin probably needs a different SD with restricted write access*/
490 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
491 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
492 }
493 else if (sid_check_is_in_our_domain(&pol_sid) ||
494 sid_check_is_in_builtin(&pol_sid))
495 {
496 /* TODO: different SDs have to be generated for aliases groups and users.
497 Currently all three get a default user SD */
498 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
499 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
500 }
501 else return NT_STATUS_OBJECT_TYPE_MISMATCH;
502
503 if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
504 return NT_STATUS_NO_MEMORY;
505
506 if (NT_STATUS_IS_OK(r_u->status))
507 r_u->ptr = 1;
508
509 return r_u->status;
510 }
511
512 /*******************************************************************
513 makes a SAM_ENTRY / UNISTR2* structure from a user list.
514 ********************************************************************/
515
516 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp,
517 UNISTR2 **uni_name_pp,
518 uint32 num_entries, uint32 start_idx,
519 struct samr_displayentry *entries)
520 {
521 uint32 i;
522 SAM_ENTRY *sam;
523 UNISTR2 *uni_name;
524
525 *sam_pp = NULL;
526 *uni_name_pp = NULL;
527
528 if (num_entries == 0)
529 return NT_STATUS_OK;
530
531 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_entries);
532
533 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries);
534
535 if (sam == NULL || uni_name == NULL) {
536 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
537 return NT_STATUS_NO_MEMORY;
538 }
539
540 for (i = 0; i < num_entries; i++) {
541 UNISTR2 uni_temp_name;
542 /*
543 * usrmgr expects a non-NULL terminated string with
544 * trust relationships
545 */
546 if (entries[i].acct_flags & ACB_DOMTRUST) {
547 init_unistr2(&uni_temp_name, entries[i].account_name,
548 UNI_FLAGS_NONE);
549 } else {
550 init_unistr2(&uni_temp_name, entries[i].account_name,
551 UNI_STR_TERMINATE);
552 }
553
554 init_sam_entry(&sam[i], &uni_temp_name, entries[i].rid);
555 copy_unistr2(&uni_name[i], &uni_temp_name);
556 }
557
558 *sam_pp = sam;
559 *uni_name_pp = uni_name;
560 return NT_STATUS_OK;
561 }
562
563 /*******************************************************************
564 samr_reply_enum_dom_users
565 ********************************************************************/
566
567 NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
568 SAMR_R_ENUM_DOM_USERS *r_u)
569 {
570 struct samr_info *info = NULL;
571 int num_account;
572 uint32 enum_context=q_u->start_idx;
573 enum remote_arch_types ra_type = get_remote_arch();
574 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
575 uint32 max_entries = max_sam_entries;
576 struct samr_displayentry *entries = NULL;
577
578 r_u->status = NT_STATUS_OK;
579
580 /* find the policy handle. open a policy on it. */
581 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
582 return NT_STATUS_INVALID_HANDLE;
583
584 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
585 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
586 "_samr_enum_dom_users"))) {
587 return r_u->status;
588 }
589
590 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
591
592 become_root();
593 if (info->disp_info.users == NULL)
594 info->disp_info.users = pdb_search_users(q_u->acb_mask);
595 if (info->disp_info.users == NULL)
596 return NT_STATUS_ACCESS_DENIED;
597 num_account = pdb_search_entries(info->disp_info.users,
598 enum_context, max_entries,
599 &entries);
600 unbecome_root();
601
602 if (num_account == 0) {
603 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over "
604 "total entries\n"));
605 return NT_STATUS_OK;
606 }
607
608 r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam,
609 &r_u->uni_acct_name,
610 num_account, enum_context,
611 entries);
612
613 if (!NT_STATUS_IS_OK(r_u->status))
614 return r_u->status;
615
616 if (max_entries <= num_account)
617 r_u->status = STATUS_MORE_ENTRIES;
618
619 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__));
620
621 init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account,
622 num_account);
623
624 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
625
626 return r_u->status;
627 }
628
629 /*******************************************************************
630 makes a SAM_ENTRY / UNISTR2* structure from a group list.
631 ********************************************************************/
632
633 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp,
634 UNISTR2 **uni_name_pp,
635 uint32 num_sam_entries,
636 struct samr_displayentry *entries)
637 {
638 uint32 i;
639 SAM_ENTRY *sam;
640 UNISTR2 *uni_name;
641
642 *sam_pp = NULL;
643 *uni_name_pp = NULL;
644
645 if (num_sam_entries == 0)
646 return;
647
648 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries);
649 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries);
650
651 if (sam == NULL || uni_name == NULL) {
652 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
653 return;
654 }
655
656 for (i = 0; i < num_sam_entries; i++) {
657 /*
658 * JRA. I think this should include the null. TNG does not.
659 */
660 init_unistr2(&uni_name[i], entries[i].account_name,
661 UNI_STR_TERMINATE);
662 init_sam_entry(&sam[i], &uni_name[i], entries[i].rid);
663 }
664
665 *sam_pp = sam;
666 *uni_name_pp = uni_name;
667 }
668
669 /*******************************************************************
670 samr_reply_enum_dom_groups
671 ********************************************************************/
672
673 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
674 {
675 struct samr_info *info = NULL;
676 struct samr_displayentry *groups;
677 uint32 num_groups;
678
679 r_u->status = NT_STATUS_OK;
680
681 /* find the policy handle. open a policy on it. */
682 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
683 return NT_STATUS_INVALID_HANDLE;
684
685 r_u->status = access_check_samr_function(info->acc_granted,
686 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
687 "_samr_enum_dom_groups");
688 if (!NT_STATUS_IS_OK(r_u->status))
689 return r_u->status;
690
691 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
692
693 /* the domain group array is being allocated in the function below */
694
695 become_root();
696 if (info->disp_info.groups == NULL)
697 info->disp_info.groups = pdb_search_groups();
698 unbecome_root();
699
700 if (info->disp_info.groups == NULL)
701 return NT_STATUS_ACCESS_DENIED;
702
703 become_root();
704 num_groups = pdb_search_entries(info->disp_info.groups, q_u->start_idx,
705 MAX_SAM_ENTRIES, &groups);
706 unbecome_root();
707
708 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name,
709 num_groups, groups);
710
711 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups);
712
713 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
714
715 return r_u->status;
716 }
717
718 /*******************************************************************
719 samr_reply_enum_dom_aliases
720 ********************************************************************/
721
722 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
723 {
724 struct samr_info *info;
725 struct samr_displayentry *aliases;
726 struct pdb_search **search = NULL;
727 uint32 num_aliases = 0;
728
729 /* find the policy handle. open a policy on it. */
730 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
731 return NT_STATUS_INVALID_HANDLE;
732
733 r_u->status = access_check_samr_function(info->acc_granted,
734 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
735 "_samr_enum_dom_aliases");
736 if (!NT_STATUS_IS_OK(r_u->status))
737 return r_u->status;
738
739 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n",
740 sid_string_static(&info->sid)));
741
742 if (sid_check_is_domain(&info->sid))
743 search = &info->disp_info.aliases;
744 if (sid_check_is_builtin(&info->sid))
745 search = &info->disp_info.builtins;
746
747 if (search == NULL)
748 return NT_STATUS_INVALID_HANDLE;
749
750 become_root();
751 if (*search == NULL)
752 *search = pdb_search_aliases(&info->sid);
753 unbecome_root();
754
755 if (*search == NULL)
756 return NT_STATUS_ACCESS_DENIED;
757
758 become_root();
759 num_aliases = pdb_search_entries(*search, q_u->start_idx,
760 MAX_SAM_ENTRIES, &aliases);
761 unbecome_root();
762
763 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name,
764 num_aliases, aliases);
765
766 init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases,
767 num_aliases);
768
769 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
770
771 return r_u->status;
772 }
773
774 /*******************************************************************
775 samr_reply_query_dispinfo
776 ********************************************************************/
777
778 NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u,
779 SAMR_R_QUERY_DISPINFO *r_u)
780 {
781 struct samr_info *info = NULL;
782 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
783
784 uint32 max_entries=q_u->max_entries;
785 uint32 enum_context=q_u->start_idx;
786 uint32 max_size=q_u->max_size;
787
788 SAM_DISPINFO_CTR *ctr;
789 uint32 temp_size=0, total_data_size=0;
790 NTSTATUS disp_ret;
791 uint32 num_account = 0;
792 enum remote_arch_types ra_type = get_remote_arch();
793 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
794 DOM_SID domain_sid;
795 struct samr_displayentry *entries = NULL;
796
797 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
798 r_u->status = NT_STATUS_OK;
799
800 /* find the policy handle. open a policy on it. */
801 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
802 return NT_STATUS_INVALID_HANDLE;
803
804 domain_sid = info->sid;
805
806 /*
807 * calculate how many entries we will return.
808 * based on
809 * - the number of entries the client asked
810 * - our limit on that
811 * - the starting point (enumeration context)
812 * - the buffer size the client will accept
813 */
814
815 /*
816 * We are a lot more like W2K. Instead of reading the SAM
817 * each time to find the records we need to send back,
818 * we read it once and link that copy to the sam handle.
819 * For large user list (over the MAX_SAM_ENTRIES)
820 * it's a definitive win.
821 * second point to notice: between enumerations
822 * our sam is now the same as it's a snapshoot.
823 * third point: got rid of the static SAM_USER_21 struct
824 * no more intermediate.
825 * con: it uses much more memory, as a full copy is stored
826 * in memory.
827 *
828 * If you want to change it, think twice and think
829 * of the second point , that's really important.
830 *
831 * JFM, 12/20/2001
832 */
833
834 if ((q_u->switch_level < 1) || (q_u->switch_level > 5)) {
835 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n",
836 (unsigned int)q_u->switch_level ));
837 return NT_STATUS_INVALID_INFO_CLASS;
838 }
839
840 /* first limit the number of entries we will return */
841 if(max_entries > max_sam_entries) {
842 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d "
843 "entries, limiting to %d\n", max_entries,
844 max_sam_entries));
845 max_entries = max_sam_entries;
846 }
847
848 /* calculate the size and limit on the number of entries we will
849 * return */
850
851 temp_size=max_entries*struct_size;
852
853 if (temp_size>max_size) {
854 max_entries=MIN((max_size/struct_size),max_entries);;
855 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to "
856 "only %d entries\n", max_entries));
857 }
858
859 if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR)))
860 return NT_STATUS_NO_MEMORY;
861
862 ZERO_STRUCTP(ctr);
863
864 become_root();
865
866 switch (q_u->switch_level) {
867 case 0x1:
868 case 0x4:
869 if (info->disp_info.users == NULL)
870 info->disp_info.users = pdb_search_users(ACB_NORMAL);
871 if (info->disp_info.users == NULL)
872 return NT_STATUS_ACCESS_DENIED;
873 num_account = pdb_search_entries(info->disp_info.users,
874 enum_context, max_entries,
875 &entries);
876 break;
877 case 0x2:
878 if (info->disp_info.machines == NULL)
879 info->disp_info.machines =
880 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
881 if (info->disp_info.machines == NULL)
882 return NT_STATUS_ACCESS_DENIED;
883 num_account = pdb_search_entries(info->disp_info.machines,
884 enum_context, max_entries,
885 &entries);
886 break;
887 case 0x3:
888 case 0x5:
889 if (info->disp_info.groups == NULL)
890 info->disp_info.groups = pdb_search_groups();
891 if (info->disp_info.groups == NULL)
892 return NT_STATUS_ACCESS_DENIED;
893 num_account = pdb_search_entries(info->disp_info.groups,
894 enum_context, max_entries,
895 &entries);
896 break;
897 default:
898 smb_panic("info class changed");
899 break;
900 }
901 unbecome_root();
902
903 /* Now create reply structure */
904 switch (q_u->switch_level) {
905 case 0x1:
906 disp_ret = init_sam_dispinfo_1(p->mem_ctx, &ctr->sam.info1,
907 num_account, enum_context,
908 entries);
909 break;
910 case 0x2:
911 disp_ret = init_sam_dispinfo_2(p->mem_ctx, &ctr->sam.info2,
912 num_account, enum_context,
913 entries);
914 break;
915 case 0x3:
916 disp_ret = init_sam_dispinfo_3(p->mem_ctx, &ctr->sam.info3,
917 num_account, enum_context,
918 entries);
919 break;
920 case 0x4:
921 disp_ret = init_sam_dispinfo_4(p->mem_ctx, &ctr->sam.info4,
922 num_account, enum_context,
923 entries);
924 break;
925 case 0x5:
926 disp_ret = init_sam_dispinfo_5(p->mem_ctx, &ctr->sam.info5,
927 num_account, enum_context,
928 entries);
929 break;
930 default:
931 smb_panic("info class changed");
932 break;
933 }
934
935 if (!NT_STATUS_IS_OK(disp_ret))
936 return disp_ret;
937
938 /* calculate the total size */
939 total_data_size=num_account*struct_size;
940
941 if (enum_context+max_entries < num_account)
942 r_u->status = STATUS_MORE_ENTRIES;
943
944 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__));
945
946 init_samr_r_query_dispinfo(r_u, num_account, total_data_size,
947 temp_size, q_u->switch_level, ctr,
948 r_u->status);
949
950 return r_u->status;
951
952 }
953
954 /*******************************************************************
955 samr_reply_query_aliasinfo
956 ********************************************************************/
957
958 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
959 {
960 DOM_SID sid;
961 struct acct_info info;
962 uint32 acc_granted;
963 BOOL ret;
964
965 r_u->status = NT_STATUS_OK;
966
967 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
968
969 /* find the policy handle. open a policy on it. */
970 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
971 return NT_STATUS_INVALID_HANDLE;
972 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
973 return r_u->status;
974 }
975
976 become_root();
977 ret = pdb_get_aliasinfo(&sid, &info);
978 unbecome_root();
979
980 if ( !ret )
981 return NT_STATUS_NO_SUCH_ALIAS;
982
983 if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) )
984 return NT_STATUS_NO_MEMORY;
985
986
987 switch (q_u->level ) {
988 case 1:
989 r_u->ctr->level = 1;
990 init_samr_alias_info1(&r_u->ctr->alias.info1, info.acct_name, 1, info.acct_desc);
991 break;
992 case 3:
993 r_u->ctr->level = 3;
994 init_samr_alias_info3(&r_u->ctr->alias.info3, info.acct_desc);
995 break;
996 default:
997 return NT_STATUS_INVALID_INFO_CLASS;
998 }
999
1000 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1001
1002 return r_u->status;
1003 }
1004
1005 #if 0
1006 /*******************************************************************
1007 samr_reply_lookup_ids
1008 ********************************************************************/
1009
1010 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1011 {
1012 uint32 rid[MAX_SAM_ENTRIES];
1013 int num_rids = q_u->num_sids1;
1014
1015 r_u->status = NT_STATUS_OK;
1016
1017 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1018
1019 if (num_rids > MAX_SAM_ENTRIES) {
1020 num_rids = MAX_SAM_ENTRIES;
1021 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1022 }
1023
1024 #if 0
1025 int i;
1026 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1027
1028 for (i = 0; i < num_rids && status == 0; i++)
1029 {
1030 struct sam_passwd *sam_pass;
1031 fstring user_name;
1032
1033
1034 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1035 q_u->uni_user_name[i].uni_str_len));
1036
1037 /* find the user account */
1038 become_root();
1039 sam_pass = get_smb21pwd_entry(user_name, 0);
1040 unbecome_root();
1041
1042 if (sam_pass == NULL)
1043 {
1044 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1045 rid[i] = 0;
1046 }
1047 else
1048 {
1049 rid[i] = sam_pass->user_rid;
1050 }
1051 }
1052 #endif
1053
1054 num_rids = 1;
1055 rid[0] = BUILTIN_ALIAS_RID_USERS;
1056
1057 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1058
1059 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1060
1061 return r_u->status;
1062 }
1063 #endif
1064
1065 /*******************************************************************
1066 _samr_lookup_names
1067 ********************************************************************/
1068
1069 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1070 {
1071 uint32 rid[MAX_SAM_ENTRIES];
1072 uint32 local_rid;
1073 enum SID_NAME_USE type[MAX_SAM_ENTRIES];
1074 enum SID_NAME_USE local_type;
1075 int i;
1076 int num_rids = q_u->num_names2;
1077 DOM_SID pol_sid;
1078 fstring sid_str;
1079 uint32 acc_granted;
1080
1081 r_u->status = NT_STATUS_OK;
1082
1083 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1084
1085 ZERO_ARRAY(rid);
1086 ZERO_ARRAY(type);
1087
1088 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) {
1089 init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
1090 return r_u->status;
1091 }
1092
1093 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1094 return r_u->status;
1095 }
1096
1097 if (num_rids > MAX_SAM_ENTRIES) {
1098 num_rids = MAX_SAM_ENTRIES;
1099 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
1100 }
1101
1102 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
1103
1104 for (i = 0; i < num_rids; i++) {
1105 fstring name;
1106 DOM_SID sid;
1107 int ret;
1108
1109 r_u->status = NT_STATUS_NONE_MAPPED;
1110
1111 rid [i] = 0xffffffff;
1112 type[i] = SID_NAME_UNKNOWN;
1113
1114 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1115
1116 /*
1117 * we are only looking for a name
1118 * the SID we get back can be outside
1119 * the scope of the pol_sid
1120 *
1121 * in clear: it prevents to reply to domain\group: yes
1122 * when only builtin\group exists.
1123 *
1124 * a cleaner code is to add the sid of the domain we're looking in
1125 * to the local_lookup_name function.
1126 */
1127
1128 if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) {
1129 sid_split_rid(&sid, &local_rid);
1130
1131 if (sid_equal(&sid, &pol_sid)) {
1132 rid[i]=local_rid;
1133
1134 /* Windows does not return WKN_GRP here, even
1135 * on lookups in builtin */
1136 type[i] = (local_type == SID_NAME_WKN_GRP) ?
1137 SID_NAME_ALIAS : local_type;
1138
1139 r_u->status = NT_STATUS_OK;
1140 }
1141 }
1142 }
1143
1144 init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status);
1145
1146 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1147
1148 return r_u->status;
1149 }
1150
1151 /*******************************************************************
1152 _samr_chgpasswd_user
1153 ********************************************************************/
1154
1155 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1156 {
1157 fstring user_name;
1158 fstring wks;
1159
1160 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1161
1162 r_u->status = NT_STATUS_OK;
1163
1164 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1165 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1166
1167 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
1168
1169 /*
1170 * Pass the user through the NT -> unix user mapping
1171 * function.
1172 */
1173
1174 (void)map_username(user_name);
1175
1176 /*
1177 * UNIX username case mangling not required, pass_oem_change
1178 * is case insensitive.
1179 */
1180
1181 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1182 q_u->nt_newpass.pass, q_u->nt_oldhash.hash);
1183
1184 init_samr_r_chgpasswd_user(r_u, r_u->status);
1185
1186 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1187
1188 return r_u->status;
1189 }
1190
1191 /*******************************************************************
1192 makes a SAMR_R_LOOKUP_RIDS structure.
1193 ********************************************************************/
1194
1195 static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
1196 const char **names, UNIHDR **pp_hdr_name,
1197 UNISTR2 **pp_uni_name)
1198 {
1199 uint32 i;
1200 UNIHDR *hdr_name=NULL;
1201 UNISTR2 *uni_name=NULL;
1202
1203 *pp_uni_name = NULL;
1204 *pp_hdr_name = NULL;
1205
1206 if (num_names != 0) {
1207 hdr_name = TALLOC_ZERO_ARRAY(ctx, UNIHDR, num_names);
1208 if (hdr_name == NULL)
1209 return False;
1210
1211 uni_name = TALLOC_ZERO_ARRAY(ctx,UNISTR2, num_names);
1212 if (uni_name == NULL)
1213 return False;
1214 }
1215
1216 for (i = 0; i < num_names; i++) {
1217 DEBUG(10, ("names[%d]:%s\n", i, *names[i] ? names[i] : ""));
1218 init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE);
1219 init_uni_hdr(&hdr_name[i], &uni_name[i]);
1220 }
1221
1222 *pp_uni_name = uni_name;
1223 *pp_hdr_name = hdr_name;
1224
1225 return True;
1226 }
1227
1228 /*******************************************************************
1229 _samr_lookup_rids
1230 ********************************************************************/
1231
1232 NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
1233 {
1234 const char **names;
1235 uint32 *attrs = NULL;
1236 UNIHDR *hdr_name = NULL;
1237 UNISTR2 *uni_name = NULL;
1238 DOM_SID pol_sid;
1239 int num_rids = q_u->num_rids1;
1240 uint32 acc_granted;
1241
1242 r_u->status = NT_STATUS_OK;
1243
1244 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1245
1246 /* find the policy handle. open a policy on it. */
1247 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted))
1248 return NT_STATUS_INVALID_HANDLE;
1249
1250 if (num_rids > 1000) {
1251 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
1252 "to samba4 idl this is not possible\n", num_rids));
1253 return NT_STATUS_UNSUCCESSFUL;
1254 }
1255
1256 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
1257 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
1258
1259 if ((num_rids != 0) && ((names == NULL) || (attrs == NULL)))
1260 return NT_STATUS_NO_MEMORY;
1261
1262 if (!sid_equal(&pol_sid, get_global_sam_sid())) {
1263 /* TODO: Sooner or later we need to look up BUILTIN rids as
1264 * well. -- vl */
1265 goto done;
1266 }
1267
1268 become_root(); /* lookup_sid can require root privs */
1269 r_u->status = pdb_lookup_rids(p->mem_ctx, &pol_sid, num_rids, q_u->rid,
1270 &names, &attrs);
1271 unbecome_root();
1272
1273 done:
1274
1275 if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
1276 &hdr_name, &uni_name))
1277 return NT_STATUS_NO_MEMORY;
1278
1279 init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, attrs);
1280
1281 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1282
1283 return r_u->status;
1284 }
1285
1286 /*******************************************************************
1287 _samr_open_user. Safe - gives out no passwd info.
1288 ********************************************************************/
1289
1290 NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
1291 {
1292 SAM_ACCOUNT *sampass=NULL;
1293 DOM_SID sid;
1294 POLICY_HND domain_pol = q_u->domain_pol;
1295 POLICY_HND *user_pol = &r_u->user_pol;
1296 struct samr_info *info = NULL;
1297 SEC_DESC *psd = NULL;
1298 uint32 acc_granted;
1299 uint32 des_access = q_u->access_mask;
1300 size_t sd_size;
1301 BOOL ret;
1302 NTSTATUS nt_status;
1303 SE_PRIV se_rights;
1304
1305 r_u->status = NT_STATUS_OK;
1306
1307 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1308
1309 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted) )
1310 return NT_STATUS_INVALID_HANDLE;
1311
1312 nt_status = access_check_samr_function( acc_granted,
1313 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user" );
1314
1315 if ( !NT_STATUS_IS_OK(nt_status) )
1316 return nt_status;
1317
1318 nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass);
1319
1320 if (!NT_STATUS_IS_OK(nt_status))
1321 return nt_status;
1322
1323 /* append the user's RID to it */
1324
1325 if (!sid_append_rid(&sid, q_u->user_rid))
1326 return NT_STATUS_NO_SUCH_USER;
1327
1328 /* check if access can be granted as requested by client. */
1329
1330 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
1331 se_map_generic(&des_access, &usr_generic_mapping);
1332
1333 se_priv_copy( &se_rights, &se_machine_account );
1334 se_priv_add( &se_rights, &se_add_users );
1335
1336 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
1337 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
1338 &acc_granted, "_samr_open_user");
1339
1340 if ( !NT_STATUS_IS_OK(nt_status) )
1341 return nt_status;
1342
1343 become_root();
1344 ret=pdb_getsampwsid(sampass, &sid);
1345 unbecome_root();
1346
1347 /* check that the SID exists in our domain. */
1348 if (ret == False) {
1349 return NT_STATUS_NO_SUCH_USER;
1350 }
1351
1352 pdb_free_sam(&sampass);
1353
1354 /* associate the user's SID and access bits with the new handle. */
1355 if ((info = get_samr_info_by_sid(&sid)) == NULL)
1356 return NT_STATUS_NO_MEMORY;
1357 info->acc_granted = acc_granted;
1358
1359 /* get a (unique) handle. open a policy on it. */
1360 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
1361 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1362
1363 return r_u->status;
1364 }
1365
1366 /*************************************************************************
1367 get_user_info_7. Safe. Only gives out account_name.
1368 *************************************************************************/
1369
1370 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid)
1371 {
1372 SAM_ACCOUNT *smbpass=NULL;
1373 BOOL ret;
1374 NTSTATUS nt_status;
1375
1376 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1377
1378 if (!NT_STATUS_IS_OK(nt_status)) {
1379 return nt_status;
1380 }
1381
1382 become_root();
1383 ret = pdb_getsampwsid(smbpass, user_sid);
1384 unbecome_root();
1385
1386 if (ret==False) {
1387 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1388 return NT_STATUS_NO_SUCH_USER;
1389 }
1390
1391 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1392
1393 ZERO_STRUCTP(id7);
1394 init_sam_user_info7(id7, pdb_get_username(smbpass) );
1395
1396 pdb_free_sam(&smbpass);
1397
1398 return NT_STATUS_OK;
1399 }
1400 /*************************************************************************
1401 get_user_info_10. Safe. Only gives out acb bits.
1402 *************************************************************************/
1403
1404 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid)
1405 {
1406 SAM_ACCOUNT *smbpass=NULL;
1407 BOOL ret;
1408 NTSTATUS nt_status;
1409
1410 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1411
1412 if (!NT_STATUS_IS_OK(nt_status)) {
1413 return nt_status;
1414 }
1415
1416 become_root();
1417 ret = pdb_getsampwsid(smbpass, user_sid);
1418 unbecome_root();
1419
1420 if (ret==False) {
1421 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1422 return NT_STATUS_NO_SUCH_USER;
1423 }
1424
1425 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1426
1427 ZERO_STRUCTP(id10);
1428 init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) );
1429
1430 pdb_free_sam(&smbpass);
1431
1432 return NT_STATUS_OK;
1433 }
1434
1435 /*************************************************************************
1436 get_user_info_12. OK - this is the killer as it gives out password info.
1437 Ensure that this is only allowed on an encrypted connection with a root
1438 user. JRA.
1439 *************************************************************************/
1440
1441 static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid)
1442 {
1443 SAM_ACCOUNT *smbpass=NULL;
1444 BOOL ret;
1445 NTSTATUS nt_status;
1446
1447 if (!p->ntlmssp_auth_validated)
1448 return NT_STATUS_ACCESS_DENIED;
1449
1450 if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL))
1451 return NT_STATUS_ACCESS_DENIED;
1452
1453 /*
1454 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1455 */
1456
1457 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1458
1459 if (!NT_STATUS_IS_OK(nt_status)) {
1460 return nt_status;
1461 }
1462
1463 ret = pdb_getsampwsid(smbpass, user_sid);
1464
1465 if (ret == False) {
1466 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
1467 pdb_free_sam(&smbpass);
1468 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
1469 }
1470
1471 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
1472
1473 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
1474 pdb_free_sam(&smbpass);
1475 return NT_STATUS_ACCOUNT_DISABLED;
1476 }
1477
1478 ZERO_STRUCTP(id12);
1479 init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass));
1480
1481 pdb_free_sam(&smbpass);
1482
1483 return NT_STATUS_OK;
1484 }
1485
1486 /*************************************************************************
1487 get_user_info_20
1488 *************************************************************************/
1489
1490 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1491 {
1492 SAM_ACCOUNT *sampass=NULL;
1493 BOOL ret;
1494
1495 pdb_init_sam_talloc(mem_ctx, &sampass);
1496
1497 become_root();
1498 ret = pdb_getsampwsid(sampass, user_sid);
1499 unbecome_root();
1500
1501 if (ret == False) {
1502 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1503 return NT_STATUS_NO_SUCH_USER;
1504 }
1505
1506 samr_clear_sam_passwd(sampass);
1507
1508 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1509
1510 ZERO_STRUCTP(id20);
1511 init_sam_user_info20A(id20, sampass);
1512
1513 pdb_free_sam(&sampass);
1514
1515 return NT_STATUS_OK;
1516 }
1517
1518 /*************************************************************************
1519 get_user_info_21
1520 *************************************************************************/
1521
1522 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21,
1523 DOM_SID *user_sid, DOM_SID *domain_sid)
1524 {
1525 SAM_ACCOUNT *sampass=NULL;
1526 BOOL ret;
1527 NTSTATUS nt_status;
1528
1529 nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);
1530 if (!NT_STATUS_IS_OK(nt_status)) {
1531 return nt_status;
1532 }
1533
1534 become_root();
1535 ret = pdb_getsampwsid(sampass, user_sid);
1536 unbecome_root();
1537
1538 if (ret == False) {
1539 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1540 return NT_STATUS_NO_SUCH_USER;
1541 }
1542
1543 samr_clear_sam_passwd(sampass);
1544
1545 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1546
1547 ZERO_STRUCTP(id21);
1548 nt_status = init_sam_user_info21A(id21, sampass, domain_sid);
1549
1550 pdb_free_sam(&sampass);
1551
1552 return NT_STATUS_OK;
1553 }
1554
1555 /*******************************************************************
1556 _samr_query_userinfo
1557 ********************************************************************/
1558
1559 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1560 {
1561 SAM_USERINFO_CTR *ctr;
1562 struct samr_info *info = NULL;
1563 DOM_SID domain_sid;
1564 uint32 rid;
1565
1566 r_u->status=NT_STATUS_OK;
1567
1568 /* search for the handle */
1569 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1570 return NT_STATUS_INVALID_HANDLE;
1571
1572 domain_sid = info->sid;
1573
1574 sid_split_rid(&domain_sid, &rid);
1575
1576 if (!sid_check_is_in_our_domain(&info->sid))
1577 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1578
1579 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
1580
1581 ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR);
1582 if (!ctr)
1583 return NT_STATUS_NO_MEMORY;
1584
1585 ZERO_STRUCTP(ctr);
1586
1587 /* ok! user info levels (lots: see MSDEV help), off we go... */
1588 ctr->switch_value = q_u->switch_value;
1589
1590 switch (q_u->switch_value) {
1591 case 0x07:
1592 ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7);
1593 if (ctr->info.id7 == NULL)
1594 return NT_STATUS_NO_MEMORY;
1595
1596 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid)))
1597 return r_u->status;
1598 break;
1599 case 0x10:
1600 ctr->info.id10 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_10);
1601 if (ctr->info.id10 == NULL)
1602 return NT_STATUS_NO_MEMORY;
1603
1604 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_10(p->mem_ctx, ctr->info.id10, &info->sid)))
1605 return r_u->status;
1606 break;
1607
1608 #if 0
1609 /* whoops - got this wrong. i think. or don't understand what's happening. */
1610 case 0x11:
1611 {
1612 NTTIME expire;
1613 info = (void *)&id11;
1614
1615 expire.low = 0xffffffff;
1616 expire.high = 0x7fffffff;
1617
1618 ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_11));
1619 ZERO_STRUCTP(ctr->info.id11);
1620 init_sam_user_info11(ctr->info.id11, &expire,
1621 "BROOKFIELDS$", /* name */
1622 0x03ef, /* user rid */
1623 0x201, /* group rid */
1624 0x0080); /* acb info */
1625
1626 break;
1627 }
1628 #endif
1629
1630 case 0x12:
1631 ctr->info.id12 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_12);
1632 if (ctr->info.id12 == NULL)
1633 return NT_STATUS_NO_MEMORY;
1634
1635 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid)))
1636 return r_u->status;
1637 break;
1638
1639 case 20:
1640 ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20);
1641 if (ctr->info.id20 == NULL)
1642 return NT_STATUS_NO_MEMORY;
1643 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid)))
1644 return r_u->status;
1645 break;
1646
1647 case 21:
1648 ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21);
1649 if (ctr->info.id21 == NULL)
1650 return NT_STATUS_NO_MEMORY;
1651 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21,
1652 &info->sid, &domain_sid)))
1653 return r_u->status;
1654 break;
1655
1656 default:
1657 return NT_STATUS_INVALID_INFO_CLASS;
1658 }
1659
1660 init_samr_r_query_userinfo(r_u, ctr, r_u->status);
1661
1662 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
1663
1664 return r_u->status;
1665 }
1666
1667 /*******************************************************************
1668 samr_reply_query_usergroups
1669 ********************************************************************/
1670
1671 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1672 {
1673 SAM_ACCOUNT *sam_pass=NULL;
1674 struct passwd *passwd;
1675 DOM_SID sid;
1676 DOM_SID *sids;
1677 DOM_GID *gids = NULL;
1678 int num_groups = 0;
1679 gid_t *unix_gids;
1680 int i, num_gids;
1681 uint32 acc_granted;
1682 BOOL ret;
1683 NTSTATUS result;
1684
1685 /*
1686 * from the SID in the request:
1687 * we should send back the list of DOMAIN GROUPS
1688 * the user is a member of
1689 *
1690 * and only the DOMAIN GROUPS
1691 * no ALIASES !!! neither aliases of the domain
1692 * nor aliases of the builtin SID
1693 *
1694 * JFM, 12/2/2001
1695 */
1696
1697 r_u->status = NT_STATUS_OK;
1698
1699 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1700
1701 /* find the policy handle. open a policy on it. */
1702 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1703 return NT_STATUS_INVALID_HANDLE;
1704
1705 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
1706 return r_u->status;
1707 }
1708
1709 if (!sid_check_is_in_our_domain(&sid))
1710 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1711
1712 pdb_init_sam(&sam_pass);
1713
1714 become_root();
1715 ret = pdb_getsampwsid(sam_pass, &sid);
1716 unbecome_root();
1717
1718 if (ret == False) {
1719 pdb_free_sam(&sam_pass);
1720 return NT_STATUS_NO_SUCH_USER;
1721 }
1722
1723 passwd = getpwnam_alloc(pdb_get_username(sam_pass));
1724 if (passwd == NULL) {
1725 pdb_free_sam(&sam_pass);
1726 return NT_STATUS_NO_SUCH_USER;
1727 }
1728
1729 sids = NULL;
1730
1731 become_root();
1732 result = pdb_enum_group_memberships(pdb_get_username(sam_pass),
1733 passwd->pw_gid,
1734 &sids, &unix_gids, &num_groups);
1735 unbecome_root();
1736
1737 pdb_free_sam(&sam_pass);
1738 passwd_free(&passwd);
1739
1740 if (!NT_STATUS_IS_OK(result))
1741 return result;
1742
1743 SAFE_FREE(unix_gids);
1744
1745 gids = NULL;
1746 num_gids = 0;
1747
1748 for (i=0; i<num_groups; i++) {
1749 uint32 rid;
1750
1751 if (!sid_peek_check_rid(get_global_sam_sid(),
1752 &(sids[i]), &rid))
1753 continue;
1754
1755 gids = TALLOC_REALLOC_ARRAY(p->mem_ctx, gids, DOM_GID, num_gids+1);
1756 gids[num_gids].attr=7;
1757 gids[num_gids].g_rid = rid;
1758 num_gids += 1;
1759 }
1760 SAFE_FREE(sids);
1761
1762 /* construct the response. lkclXXXX: gids are not copied! */
1763 init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
1764
1765 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1766
1767 return r_u->status;
1768 }
1769
1770 /*******************************************************************
1771 _samr_query_dom_info
1772 ********************************************************************/
1773
1774 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
1775 {
1776 struct samr_info *info = NULL;
1777 SAM_UNK_CTR *ctr;
1778 uint32 min_pass_len,pass_hist,flag;
1779 time_t u_expire, u_min_age;
1780 NTTIME nt_expire, nt_min_age;
1781
1782 time_t u_lock_duration, u_reset_time;
1783 NTTIME nt_lock_duration, nt_reset_time;
1784 uint32 lockout;
1785
1786 time_t u_logout;
1787 NTTIME nt_logout;
1788
1789 uint32 account_policy_temp;
1790 uint32 server_role;
1791
1792 uint32 num_users=0, num_groups=0, num_aliases=0;
1793
1794 if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL)
1795 return NT_STATUS_NO_MEMORY;
1796
1797 ZERO_STRUCTP(ctr);
1798
1799 r_u->status = NT_STATUS_OK;
1800
1801 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
1802
1803 /* find the policy handle. open a policy on it. */
1804 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
1805 return NT_STATUS_INVALID_HANDLE;
1806
1807 switch (q_u->switch_value) {
1808 case 0x01:
1809
1810 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
1811 min_pass_len = account_policy_temp;
1812
1813 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
1814 pass_hist = account_policy_temp;
1815
1816 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
1817 flag = account_policy_temp;
1818
1819 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1820 u_expire = account_policy_temp;
1821
1822 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1823 u_min_age = account_policy_temp;
1824
1825 unix_to_nt_time_abs(&nt_expire, u_expire);
1826 unix_to_nt_time_abs(&nt_min_age, u_min_age);
1827
1828 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
1829 flag, nt_expire, nt_min_age);
1830 break;
1831 case 0x02:
1832 become_root();
1833 num_users=count_sam_users(&info->disp_info,
1834 ACB_NORMAL);
1835 num_groups=count_sam_groups(&info->disp_info);
1836 unbecome_root();
1837
1838 account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
1839 u_logout = account_policy_temp;
1840
1841 unix_to_nt_time_abs(&nt_logout, u_logout);
1842
1843 server_role = ROLE_DOMAIN_PDC;
1844 if (lp_server_role() == ROLE_DOMAIN_BDC)
1845 server_role = ROLE_DOMAIN_BDC;
1846
1847 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
1848 init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), time(NULL),
1849 num_users, num_groups, num_aliases, nt_logout, server_role);
1850 break;
1851 case 0x03:
1852 account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
1853 unix_to_nt_time_abs(&nt_logout, u_logout);
1854
1855 init_unk_info3(&ctr->info.inf3, nt_logout);
1856 break;
1857 case 0x05:
1858 init_unk_info5(&ctr->info.inf5, global_myname());
1859 break;
1860 case 0x06:
1861 init_unk_info6(&ctr->info.inf6);
1862 break;
1863 case 0x07:
1864 server_role = ROLE_DOMAIN_PDC;
1865 if (lp_server_role() == ROLE_DOMAIN_BDC)
1866 server_role = ROLE_DOMAIN_BDC;
1867
1868 init_unk_info7(&ctr->info.inf7, server_role);
1869 break;
1870 case 0x08:
1871 init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
1872 break;
1873 case 0x0c:
1874 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
1875 u_lock_duration = account_policy_temp;
1876 if (u_lock_duration != -1)
1877 u_lock_duration *= 60;
1878
1879 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
1880 u_reset_time = account_policy_temp * 60;
1881
1882 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
1883 lockout = account_policy_temp;
1884
1885 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
1886 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
1887
1888 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
1889 break;
1890 default:
1891 return NT_STATUS_INVALID_INFO_CLASS;
1892 }
1893
1894 init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
1895
1896 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
1897
1898 return r_u->status;
1899 }
1900
1901 /*******************************************************************
1902 _samr_create_user
1903 Create an account, can be either a normal user or a machine.
1904 This funcion will need to be updated for bdc/domain trusts.
1905 ********************************************************************/
1906
1907 NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u)
1908 {
1909 SAM_ACCOUNT *sam_pass=NULL;
1910 fstring account;
1911 DOM_SID sid;
1912 pstring add_script;
1913 POLICY_HND dom_pol = q_u->domain_pol;
1914 UNISTR2 user_account = q_u->uni_name;
1915 uint16 acb_info = q_u->acb_info;
1916 POLICY_HND *user_pol = &r_u->user_pol;
1917 struct samr_info *info = NULL;
1918 BOOL ret;
1919 NTSTATUS nt_status;
1920 struct passwd *pw;
1921 uint32 acc_granted;
1922 SEC_DESC *psd;
1923 size_t sd_size;
1924 uint32 new_rid = 0;
1925 /* check this, when giving away 'add computer to domain' privs */
1926 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
1927 BOOL can_add_account = False;
1928 SE_PRIV se_rights;
1929
1930 /* Get the domain SID stored in the domain policy */
1931 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
1932 return NT_STATUS_INVALID_HANDLE;
1933
1934 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
1935 return nt_status;
1936 }
1937
1938 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
1939 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
1940 this parameter is not an account type */
1941 return NT_STATUS_INVALID_PARAMETER;
1942 }
1943
1944 rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0);
1945 strlower_m(account);
1946
1947 pdb_init_sam(&sam_pass);
1948
1949 become_root();
1950 ret = pdb_getsampwnam(sam_pass, account);
1951 unbecome_root();
1952 if (ret == True) {
1953 /* this account exists: say so */
1954 pdb_free_sam(&sam_pass);
1955 return NT_STATUS_USER_EXISTS;
1956 }
1957
1958 pdb_free_sam(&sam_pass);
1959
1960 /*********************************************************************
1961 * HEADS UP! If we have to create a new user account, we have to get
1962 * a new RID from somewhere. This used to be done by the passdb
1963 * backend. It has been moved into idmap now. Since idmap is now
1964 * wrapped up behind winbind, this means you have to run winbindd if you
1965 * want new accounts to get a new RID when "enable rid algorithm = no".
1966 * Tough. We now have a uniform way of allocating RIDs regardless
1967 * of what ever passdb backend people may use.
1968 * --jerry (2003-07-10)
1969 *********************************************************************/
1970
1971 pw = Get_Pwnam(account);
1972
1973 /* determine which user right we need to check based on the acb_info */
1974
1975 if ( acb_info & ACB_WSTRUST )
1976 {
1977 pstrcpy(add_script, lp_addmachine_script());
1978 se_priv_copy( &se_rights, &se_machine_account );
1979 can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
1980 }
1981 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
1982 account for domain trusts and changes the ACB flags later */
1983 else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') )
1984 {
1985 pstrcpy(add_script, lp_adduser_script());
1986 se_priv_copy( &se_rights, &se_add_users );
1987 can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
1988 }
1989 else /* implicit assumption of a BDC or domain trust account here (we already check the flags earlier) */
1990 {
1991 pstrcpy(add_script, lp_addmachine_script());
1992 if ( lp_enable_privileges() ) {
1993 /* only Domain Admins can add a BDC or domain trust */
1994 se_priv_copy( &se_rights, &se_priv_none );
1995 can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
1996 }
1997 }
1998
1999 DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
2000 p->pipe_user_name, can_add_account ? "True":"False" ));
2001
2002 /********** BEGIN Admin BLOCK **********/
2003
2004 if ( can_add_account )
2005 become_root();
2006
2007 if ( !pw ) {
2008 if (*add_script) {
2009 int add_ret;
2010
2011 all_string_sub(add_script, "%u", account, sizeof(add_script));
2012 add_ret = smbrun(add_script,NULL);
2013 DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
2014 }
2015 }
2016
2017 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2018
2019 flush_pwnam_cache();
2020 nt_status = pdb_init_sam_new(&sam_pass, account, new_rid);
2021
2022 /* this code is order such that we have no unnecessary retuns
2023 out of the admin block of code */
2024
2025 if ( NT_STATUS_IS_OK(nt_status) ) {
2026 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
2027
2028 if ( !(ret = pdb_add_sam_account(sam_pass)) ) {
2029 pdb_free_sam(&sam_pass);
2030 DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n",
2031 account));
2032 nt_status = NT_STATUS_ACCESS_DENIED;
2033 }
2034 }
2035
2036 if ( can_add_account )
2037 unbecome_root();
2038
2039 /********** END Admin BLOCK **********/
2040
2041 /* now check for failure */
2042
2043 if ( !NT_STATUS_IS_OK(nt_status) )
2044 return nt_status;
2045
2046 /* Get the user's SID */
2047
2048 sid_copy(&sid, pdb_get_user_sid(sam_pass));
2049
2050 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2051 se_map_generic(&des_access, &usr_generic_mapping);
2052
2053 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2054 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2055 &acc_granted, "_samr_create_user");
2056
2057 if ( !NT_STATUS_IS_OK(nt_status) ) {
2058 return nt_status;
2059 }
2060
2061 /* associate the user's SID with the new handle. */
2062 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
2063 pdb_free_sam(&sam_pass);
2064 return NT_STATUS_NO_MEMORY;
2065 }
2066
2067 ZERO_STRUCTP(info);
2068 info->sid = sid;
2069 info->acc_granted = acc_granted;
2070
2071 /* get a (unique) handle. open a policy on it. */
2072 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
2073 pdb_free_sam(&sam_pass);
2074 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2075 }
2076
2077 r_u->user_rid=pdb_get_user_rid(sam_pass);
2078
2079 r_u->access_granted = acc_granted;
2080
2081 pdb_free_sam(&sam_pass);
2082
2083 return NT_STATUS_OK;
2084 }
2085
2086 /*******************************************************************
2087 samr_reply_connect_anon
2088 ********************************************************************/
2089
2090 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2091 {
2092 struct samr_info *info = NULL;
2093 uint32 des_access = q_u->access_mask;
2094
2095 /* Access check */
2096
2097 if (!pipe_access_check(p)) {
2098 DEBUG(3, ("access denied to samr_connect_anon\n"));
2099 r_u->status = NT_STATUS_ACCESS_DENIED;
2100 return r_u->status;
2101 }
2102
2103 /* set up the SAMR connect_anon response */
2104
2105 r_u->status = NT_STATUS_OK;
2106
2107 /* associate the user's SID with the new handle. */
2108 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2109 return NT_STATUS_NO_MEMORY;
2110
2111 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2112 was observed from a win98 client trying to enumerate users (when configured
2113 user level access control on shares) --jerry */
2114
2115 se_map_generic( &des_access, &sam_generic_mapping );
2116 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
2117
2118 info->status = q_u->unknown_0;
2119
2120 /* get a (unique) handle. open a policy on it. */
2121 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2122 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2123
2124 return r_u->status;
2125 }
2126
2127 /*******************************************************************
2128 samr_reply_connect
2129 ********************************************************************/
2130
2131 NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
2132 {
2133 struct samr_info *info = NULL;
2134 SEC_DESC *psd = NULL;
2135 uint32 acc_granted;
2136 uint32 des_access = q_u->access_mask;
2137 NTSTATUS nt_status;
2138 size_t sd_size;
2139
2140
2141 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2142
2143 /* Access check */
2144
2145 if (!pipe_access_check(p)) {
2146 DEBUG(3, ("access denied to samr_connect\n"));
2147 r_u->status = NT_STATUS_ACCESS_DENIED;
2148 return r_u->status;
2149 }
2150
2151 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2152 se_map_generic(&des_access, &sam_generic_mapping);
2153
2154 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2155 NULL, 0, des_access, &acc_granted, "_samr_connect");
2156
2157 if ( !NT_STATUS_IS_OK(nt_status) )
2158 return nt_status;
2159
2160 r_u->status = NT_STATUS_OK;
2161
2162 /* associate the user's SID and access granted with the new handle. */
2163 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2164 return NT_STATUS_NO_MEMORY;
2165
2166 info->acc_granted = acc_granted;
2167 info->status = q_u->access_mask;
2168
2169 /* get a (unique) handle. open a policy on it. */
2170 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2171 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2172
2173 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2174
2175 return r_u->status;
2176 }
2177
2178 /*******************************************************************
2179 samr_connect4
2180 ********************************************************************/
2181
2182 NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u)
2183 {
2184 struct samr_info *info = NULL;
2185 SEC_DESC *psd = NULL;
2186 uint32 acc_granted;
2187 uint32 des_access = q_u->access_mask;
2188 NTSTATUS nt_status;
2189 size_t sd_size;
2190
2191
2192 DEBUG(5,("_samr_connect4: %d\n", __LINE__));
2193
2194 /* Access check */
2195
2196 if (!pipe_access_check(p)) {
2197 DEBUG(3, ("access denied to samr_connect4\n"));
2198 r_u->status = NT_STATUS_ACCESS_DENIED;
2199 return r_u->status;
2200 }
2201
2202 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2203 se_map_generic(&des_access, &sam_generic_mapping);
2204
2205 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2206 NULL, 0, des_access, &acc_granted, "_samr_connect4");
2207
2208 if ( !NT_STATUS_IS_OK(nt_status) )
2209 return nt_status;
2210
2211 r_u->status = NT_STATUS_OK;
2212
2213 /* associate the user's SID and access granted with the new handle. */
2214 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2215 return NT_STATUS_NO_MEMORY;
2216
2217 info->acc_granted = acc_granted;
2218 info->status = q_u->access_mask;
2219
2220 /* get a (unique) handle. open a policy on it. */
2221 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2222 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2223
2224 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2225
2226 return r_u->status;
2227 }
2228
2229 /**********************************************************************
2230 api_samr_lookup_domain
2231 **********************************************************************/
2232
2233 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2234 {
2235 struct samr_info *info;
2236 fstring domain_name;
2237 DOM_SID sid;
2238
2239 r_u->status = NT_STATUS_OK;
2240
2241 if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info))
2242 return NT_STATUS_INVALID_HANDLE;
2243
2244 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
2245 Reverted that change so we will work with RAS servers again */
2246
2247 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
2248 SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain")))
2249 {
2250 return r_u->status;
2251 }
2252
2253 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2254
2255 ZERO_STRUCT(sid);
2256
2257 if (!secrets_fetch_domain_sid(domain_name, &sid)) {
2258 r_u->status = NT_STATUS_NO_SUCH_DOMAIN;
2259 }
2260
2261 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
2262
2263 init_samr_r_lookup_domain(r_u, &sid, r_u->status);
2264
2265 return r_u->status;
2266 }
2267
2268 /******************************************************************
2269 makes a SAMR_R_ENUM_DOMAINS structure.
2270 ********************************************************************/
2271
2272 static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
2273 UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
2274 {
2275 uint32 i;
2276 SAM_ENTRY *sam;
2277 UNISTR2 *uni_name;
2278
2279 DEBUG(5, ("make_enum_domains\n"));
2280
2281 *pp_sam = NULL;
2282 *pp_uni_name = NULL;
2283
2284 if (num_sam_entries == 0)
2285 return True;
2286
2287 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries);
2288 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries);
2289
2290 if (sam == NULL || uni_name == NULL)
2291 return False;
2292
2293 for (i = 0; i < num_sam_entries; i++) {
2294 init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE);
2295 init_sam_entry(&sam[i], &uni_name[i], 0);
2296 }
2297
2298 *pp_sam = sam;
2299 *pp_uni_name = uni_name;
2300
2301 return True;
2302 }
2303
2304 /**********************************************************************
2305 api_samr_enum_domains
2306 **********************************************************************/
2307
2308 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2309 {
2310 struct samr_info *info;
2311 uint32 num_entries = 2;
2312 fstring dom[2];
2313 const char *name;
2314
2315 r_u->status = NT_STATUS_OK;
2316
2317 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
2318 return NT_STATUS_INVALID_HANDLE;
2319
2320 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2321 return r_u->status;
2322 }
2323
2324 name = get_global_sam_name();
2325
2326 fstrcpy(dom[0],name);
2327 strupper_m(dom[0]);
2328 fstrcpy(dom[1],"Builtin");
2329
2330 if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
2331 return NT_STATUS_NO_MEMORY;
2332
2333 init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
2334
2335 return r_u->status;
2336 }
2337
2338 /*******************************************************************
2339 api_samr_open_alias
2340 ********************************************************************/
2341
2342 NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
2343 {
2344 DOM_SID sid;
2345 POLICY_HND domain_pol = q_u->dom_pol;
2346 uint32 alias_rid = q_u->rid_alias;
2347 POLICY_HND *alias_pol = &r_u->pol;
2348 struct samr_info *info = NULL;
2349 SEC_DESC *psd = NULL;
2350 uint32 acc_granted;
2351 uint32 des_access = q_u->access_mask;
2352 size_t sd_size;
2353 NTSTATUS status;
2354 SE_PRIV se_rights;
2355
2356 r_u->status = NT_STATUS_OK;
2357
2358 /* find the domain policy and get the SID / access bits stored in the domain policy */
2359
2360 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted) )
2361 return NT_STATUS_INVALID_HANDLE;
2362
2363 status = access_check_samr_function(acc_granted,
2364 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias");
2365
2366 if ( !NT_STATUS_IS_OK(status) )
2367 return status;
2368
2369 /* append the alias' RID to it */
2370
2371 if (!sid_append_rid(&sid, alias_rid))
2372 return NT_STATUS_NO_SUCH_USER;
2373
2374 /*check if access can be granted as requested by client. */
2375
2376 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
2377 se_map_generic(&des_access,&ali_generic_mapping);
2378
2379 se_priv_copy( &se_rights, &se_add_users );
2380
2381
2382 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2383 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
2384 &acc_granted, "_samr_open_alias");
2385
2386 if ( !NT_STATUS_IS_OK(status) )
2387 return status;
2388
2389 /*
2390 * we should check if the rid really exist !!!
2391 * JFM.
2392 */
2393
2394 /* associate the user's SID with the new handle. */
2395 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2396 return NT_STATUS_NO_MEMORY;
2397
2398 info->acc_granted = acc_granted;
2399
2400 /* get a (unique) handle. open a policy on it. */
2401 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
2402 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2403
2404 return r_u->status;
2405 }
2406
2407 /*******************************************************************
2408 set_user_info_10
2409 ********************************************************************/
2410
2411 static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, SAM_ACCOUNT *pwd)
2412 {
2413 if (id10 == NULL) {
2414 DEBUG(5, ("set_user_info_10: NULL id10\n"));
2415 pdb_free_sam(&pwd);
2416 return False;
2417 }
2418
2419 /* FIX ME: check if the value is really changed --metze */
2420 if (!pdb_set_acct_ctrl(pwd, id10->acb_info, PDB_CHANGED)) {
2421 pdb_free_sam(&pwd);
2422 return False;
2423 }
2424
2425 if(!pdb_update_sam_account(pwd)) {
2426 pdb_free_sam(&pwd);
2427 return False;
2428 }
2429
2430 pdb_free_sam(&pwd);
2431
2432 return True;
2433 }
2434
2435 /*******************************************************************
2436 set_user_info_12
2437 ********************************************************************/
2438
2439 static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, SAM_ACCOUNT *pwd)
2440 {
2441
2442 if (id12 == NULL) {
2443 DEBUG(2, ("set_user_info_12: id12 is NULL\n"));
2444 pdb_free_sam(&pwd);
2445 return False;
2446 }
2447
2448 if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd, PDB_CHANGED)) {
2449 pdb_free_sam(&pwd);
2450 return False;
2451 }
2452 if (!pdb_set_nt_passwd (pwd, id12->nt_pwd, PDB_CHANGED)) {
2453 pdb_free_sam(&pwd);
2454 return False;
2455 }
2456 if (!pdb_set_pass_changed_now (pwd)) {
2457 pdb_free_sam(&pwd);
2458 return False;
2459 }
2460
2461 if(!pdb_update_sam_account(pwd)) {
2462 pdb_free_sam(&pwd);
2463 return False;
2464 }
2465
2466 pdb_free_sam(&pwd);
2467 return True;
2468 }
2469
2470 /*******************************************************************
2471 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2472 ********************************************************************/
2473 static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass)
2474 {
2475 struct group *grp;
2476 gid_t gid;
2477
2478 if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass),
2479 &gid))) {
2480 DEBUG(2,("Could not get gid for primary group of "
2481 "user %s\n", pdb_get_username(sampass)));
2482 return False;
2483 }
2484
2485 grp = getgrgid(gid);
2486
2487 if (grp == NULL) {
2488 DEBUG(2,("Could not find primary group %lu for "
2489 "user %s\n", (unsigned long)gid,
2490 pdb_get_username(sampass)));
2491 return False;
2492 }
2493
2494 if (smb_set_primary_group(grp->gr_name,
2495 pdb_get_username(sampass)) != 0) {
2496 DEBUG(2,("Could not set primary group for user %s to "
2497 "%s\n",
2498 pdb_get_username(sampass), grp->gr_name));
2499 return False;
2500 }
2501
2502 return True;
2503 }
2504
2505
2506 /*******************************************************************
2507 set_user_info_20
2508 ********************************************************************/
2509
2510 static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd)
2511 {
2512 if (id20 == NULL) {
2513 DEBUG(5, ("set_user_info_20: NULL id20\n"));
2514 return False;
2515 }
2516
2517 copy_id20_to_sam_passwd(pwd, id20);
2518
2519 /* write the change out */
2520 if(!pdb_update_sam_account(pwd)) {
2521 pdb_free_sam(&pwd);
2522 return False;
2523 }
2524
2525 pdb_free_sam(&pwd);
2526
2527 return True;
2528 }
2529 /*******************************************************************
2530 set_user_info_21
2531 ********************************************************************/
2532
2533 static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd)
2534 {
2535
2536 if (id21 == NULL) {
2537 DEBUG(5, ("set_user_info_21: NULL id21\n"));
2538 return False;
2539 }
2540
2541 copy_id21_to_sam_passwd(pwd, id21);
2542
2543 /*
2544 * The funny part about the previous two calls is
2545 * that pwd still has the password hashes from the
2546 * passdb entry. These have not been updated from
2547 * id21. I don't know if they need to be set. --jerry
2548 */
2549
2550 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2551 set_unix_primary_group(pwd);
2552
2553 /* write the change out */
2554 if(!pdb_update_sam_account(pwd)) {
2555 pdb_free_sam(&pwd);
2556 return False;
2557 }
2558
2559 pdb_free_sam(&pwd);
2560
2561 return True;
2562 }
2563
2564 /*******************************************************************
2565 set_user_info_23
2566 ********************************************************************/
2567
2568 static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd)
2569 {
2570 pstring plaintext_buf;
2571 uint32 len;
2572 uint16 acct_ctrl;
2573
2574 if (id23 == NULL) {
2575 DEBUG(5, ("set_user_info_23: NULL id23\n"));
2576 return False;
2577 }
2578
2579 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
2580 pdb_get_username(pwd)));
2581
2582 acct_ctrl = pdb_get_acct_ctrl(pwd);
2583
2584 if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) {
2585 pdb_free_sam(&pwd);
2586 return False;
2587 }
2588
2589 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2590 pdb_free_sam(&pwd);
2591 return False;
2592 }
2593
2594 copy_id23_to_sam_passwd(pwd, id23);
2595
2596 /* if it's a trust account, don't update /etc/passwd */
2597 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2598 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2599 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2600 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2601 } else {
2602 /* update the UNIX password */
2603 if (lp_unix_password_sync() ) {
2604 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
2605 if (!passwd) {
2606 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
2607 }
2608
2609 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
2610 pdb_free_sam(&pwd);
2611 return False;
2612 }
2613 }
2614 }
2615
2616 ZERO_STRUCT(plaintext_buf);
2617
2618 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2619 set_unix_primary_group(pwd);
2620
2621 if(!pdb_update_sam_account(pwd)) {
2622 pdb_free_sam(&pwd);
2623 return False;
2624 }
2625
2626 pdb_free_sam(&pwd);
2627
2628 return True;
2629 }
2630
2631 /*******************************************************************
2632 set_user_info_pw
2633 ********************************************************************/
2634
2635 static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd)
2636 {
2637 uint32 len;
2638 pstring plaintext_buf;
2639 uint16 acct_ctrl;
2640
2641 DEBUG(5, ("Attempting administrator password change for user %s\n",
2642 pdb_get_username(pwd)));
2643
2644 acct_ctrl = pdb_get_acct_ctrl(pwd);
2645
2646 ZERO_STRUCT(plaintext_buf);
2647
2648 if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) {
2649 pdb_free_sam(&pwd);
2650 return False;
2651 }
2652
2653 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2654 pdb_free_sam(&pwd);
2655 return False;
2656 }
2657
2658 /* if it's a trust account, don't update /etc/passwd */
2659 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2660 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2661 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2662 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2663 } else {
2664 /* update the UNIX password */
2665 if (lp_unix_password_sync()) {
2666 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
2667 if (!passwd) {
2668 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
2669 }
2670
2671 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
2672 pdb_free_sam(&pwd);
2673 return False;
2674 }
2675 }
2676 }
2677
2678 ZERO_STRUCT(plaintext_buf);
2679
2680 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
2681
2682 /* update the SAMBA password */
2683 if(!pdb_update_sam_account(pwd)) {
2684 pdb_free_sam(&pwd);
2685 return False;
2686 }
2687
2688 pdb_free_sam(&pwd);
2689
2690 return True;
2691 }
2692
2693 /*******************************************************************
2694 samr_reply_set_userinfo
2695 ********************************************************************/
2696
2697 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
2698 {
2699 SAM_ACCOUNT *pwd = NULL;
2700 DOM_SID sid;
2701 POLICY_HND *pol = &q_u->pol;
2702 uint16 switch_value = q_u->switch_value;
2703 SAM_USERINFO_CTR *ctr = q_u->ctr;
2704 uint32 acc_granted;
2705 uint32 acc_required;
2706 BOOL ret;
2707 BOOL has_enough_rights = False;
2708 uint32 acb_info;
2709
2710 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
2711
2712 r_u->status = NT_STATUS_OK;
2713
2714 /* find the policy handle. open a policy on it. */
2715 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
2716 return NT_STATUS_INVALID_HANDLE;
2717
2718 /* observed when joining an XP client to a Samba domain */
2719
2720 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
2721
2722 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
2723 return r_u->status;
2724 }
2725
2726 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
2727
2728 if (ctr == NULL) {
2729 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
2730 return NT_STATUS_INVALID_INFO_CLASS;
2731 }
2732
2733 pdb_init_sam(&pwd);
2734
2735 become_root();
2736 ret = pdb_getsampwsid(pwd, &sid);
2737 unbecome_root();
2738
2739 if ( !ret ) {
2740 pdb_free_sam(&pwd);
2741 return NT_STATUS_NO_SUCH_USER;
2742 }
2743
2744 /* deal with machine password changes differently from userinfo changes */
2745 /* check to see if we have the sufficient rights */
2746
2747 acb_info = pdb_get_acct_ctrl(pwd);
2748 if ( acb_info & ACB_WSTRUST )
2749 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
2750 else if ( acb_info & ACB_NORMAL )
2751 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
2752 else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
2753 if ( lp_enable_privileges() )
2754 has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
2755 }
2756
2757 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
2758 p->pipe_user_name, has_enough_rights ? "" : " not"));
2759
2760 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
2761
2762 if ( has_enough_rights )
2763 become_root();
2764
2765 /* ok! user info levels (lots: see MSDEV help), off we go... */
2766
2767 switch (switch_value) {
2768 case 18:
2769 if (!set_user_info_12(ctr->info.id12, pwd))
2770 r_u->status = NT_STATUS_ACCESS_DENIED;
2771 break;
2772
2773 case 24:
2774 if (!p->session_key.length) {
2775 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
2776 }
2777 SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key);
2778
2779 dump_data(100, (char *)ctr->info.id24->pass, 516);
2780
2781 if (!set_user_info_pw(ctr->info.id24->pass, pwd))
2782 r_u->status = NT_STATUS_ACCESS_DENIED;
2783 break;
2784
2785 case 25:
2786 #if 0
2787 /*
2788 * Currently we don't really know how to unmarshall
2789 * the level 25 struct, and the password encryption
2790 * is different. This is a placeholder for when we
2791 * do understand it. In the meantime just return INVALID
2792 * info level and W2K SP2 drops down to level 23... JRA.
2793 */
2794
2795 if (!p->session_key.length) {
2796 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
2797 }
2798 SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key);
2799
2800 dump_data(100, (char *)ctr->info.id25->pass, 532);
2801
2802 if (!set_user_info_pw(ctr->info.id25->pass, &sid))
2803 r_u->status = NT_STATUS_ACCESS_DENIED;
2804 break;
2805 #endif
2806 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
2807 break;
2808
2809 case 23:
2810 if (!p->session_key.length) {
2811 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
2812 }
2813 SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
2814
2815 dump_data(100, (char *)ctr->info.id23->pass, 516);
2816
2817 if (!set_user_info_23(ctr->info.id23, pwd))
2818 r_u->status = NT_STATUS_ACCESS_DENIED;
2819 break;
2820
2821 default:
2822 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
2823 }
2824
2825
2826 if ( has_enough_rights )
2827 unbecome_root();
2828
2829 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
2830
2831 return r_u->status;
2832 }
2833
2834 /*******************************************************************
2835 samr_reply_set_userinfo2
2836 ********************************************************************/
2837
2838 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
2839 {
2840 SAM_ACCOUNT *pwd = NULL;
2841 DOM_SID sid;
2842 SAM_USERINFO_CTR *ctr = q_u->ctr;
2843 POLICY_HND *pol = &q_u->pol;
2844 uint16 switch_value = q_u->switch_value;
2845 uint32 acc_granted;
2846 uint32 acc_required;
2847 BOOL ret;
2848 BOOL has_enough_rights = False;
2849 uint32 acb_info;
2850
2851 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
2852
2853 r_u->status = NT_STATUS_OK;
2854
2855 /* find the policy handle. open a policy on it. */
2856 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
2857 return NT_STATUS_INVALID_HANDLE;
2858
2859 /* observed when joining XP client to Samba domain */
2860
2861 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
2862
2863 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
2864 return r_u->status;
2865 }
2866
2867 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
2868
2869 if (ctr == NULL) {
2870 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
2871 return NT_STATUS_INVALID_INFO_CLASS;
2872 }
2873
2874 switch_value=ctr->switch_value;
2875
2876 pdb_init_sam(&pwd);
2877
2878 become_root();
2879 ret = pdb_getsampwsid(pwd, &sid);
2880 unbecome_root();
2881
2882 if ( !ret ) {
2883 pdb_free_sam(&pwd);
2884 return NT_STATUS_NO_SUCH_USER;
2885 }
2886
2887 acb_info = pdb_get_acct_ctrl(pwd);
2888 if ( acb_info & ACB_WSTRUST )
2889 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
2890 else if ( acb_info & ACB_NORMAL )
2891 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
2892 else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
2893 if ( lp_enable_privileges() )
2894 has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
2895 }
2896
2897 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
2898 p->pipe_user_name, has_enough_rights ? "" : " not"));
2899
2900 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
2901
2902 if ( has_enough_rights )
2903 become_root();
2904
2905 /* ok! user info levels (lots: see MSDEV help), off we go... */
2906
2907 switch (switch_value) {
2908 case 16:
2909 if (!set_user_info_10(ctr->info.id10, pwd))
2910 r_u->status = NT_STATUS_ACCESS_DENIED;
2911 break;
2912 case 18:
2913 /* Used by AS/U JRA. */
2914 if (!set_user_info_12(ctr->info.id12, pwd))
2915 r_u->status = NT_STATUS_ACCESS_DENIED;
2916 break;
2917 case 20:
2918 if (!set_user_info_20(ctr->info.id20, pwd))
2919 r_u->status = NT_STATUS_ACCESS_DENIED;
2920 break;
2921 case 21:
2922 if (!set_user_info_21(ctr->info.id21, pwd))
2923 return NT_STATUS_ACCESS_DENIED;
2924 break;
2925 default:
2926 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
2927 }
2928
2929 if ( has_enough_rights )
2930 unbecome_root();
2931
2932 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
2933
2934 return r_u->status;
2935 }
2936
2937 /*********************************************************************
2938 _samr_query_aliasmem
2939 *********************************************************************/
2940
2941 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
2942 {
2943 int num_alias_rids;
2944 uint32 *alias_rids;
2945 struct samr_info *info = NULL;
2946 int i;
2947
2948 NTSTATUS ntstatus1;
2949 NTSTATUS ntstatus2;
2950
2951 DOM_SID *members;
2952 BOOL res;
2953
2954 r_u->status = NT_STATUS_OK;
2955
2956 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
2957
2958 /* find the policy handle. open a policy on it. */
2959 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
2960 return NT_STATUS_INVALID_HANDLE;
2961
2962 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
2963 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
2964
2965 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
2966 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
2967 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
2968 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
2969 }
2970 }
2971
2972 if (!sid_check_is_domain(&info->sid) &&
2973 !sid_check_is_builtin(&info->sid))
2974 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2975
2976 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1);
2977
2978 if (members == NULL)
2979 return NT_STATUS_NO_MEMORY;
2980
2981 for (i=0; i<q_u->num_sids1; i++)
2982 sid_copy(&members[i], &q_u->sid[i].sid);
2983
2984 alias_rids = NULL;
2985 num_alias_rids = 0;
2986
2987 become_root();
2988 res = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
2989 q_u->num_sids1,
2990 &alias_rids, &num_alias_rids);
2991 unbecome_root();
2992
2993 if (!res)
2994 return NT_STATUS_UNSUCCESSFUL;
2995
2996 init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids,
2997 NT_STATUS_OK);
2998 return NT_STATUS_OK;
2999 }
3000
3001 /*********************************************************************
3002 _samr_query_aliasmem
3003 *********************************************************************/
3004
3005 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3006 {
3007 int i;
3008
3009 int num_sids = 0;
3010 DOM_SID2 *sid;
3011 DOM_SID *sids=NULL;
3012
3013 DOM_SID alias_sid;
3014
3015 uint32 acc_granted;
3016
3017 /* find the policy handle. open a policy on it. */
3018 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3019 return NT_STATUS_INVALID_HANDLE;
3020
3021 if (!NT_STATUS_IS_OK(r_u->status =
3022 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3023 return r_u->status;
3024 }
3025
3026 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3027
3028 if (!pdb_enum_aliasmem(&alias_sid, &sids, &num_sids))
3029 return NT_STATUS_NO_SUCH_ALIAS;
3030
3031 sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids);
3032 if (num_sids!=0 && sid == NULL) {
3033 SAFE_FREE(sids);
3034 return NT_STATUS_NO_MEMORY;
3035 }
3036
3037 for (i = 0; i < num_sids; i++) {
3038 init_dom_sid2(&sid[i], &sids[i]);
3039 }
3040
3041 init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK);
3042
3043 SAFE_FREE(sids);
3044
3045 return NT_STATUS_OK;
3046 }
3047
3048 static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num)
3049 {
3050 int i;
3051
3052 for (i=0; i<*num; i++) {
3053 if ((*uids)[i] == uid)
3054 return;
3055 }
3056
3057 *uids = SMB_REALLOC_ARRAY(*uids, uid_t, *num+1);
3058
3059 if (*uids == NULL)
3060 return;
3061
3062 (*uids)[*num] = uid;
3063 *num += 1;
3064 }
3065
3066
3067 static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num)
3068 {
3069 struct group *grp;
3070 char **gr;
3071 struct sys_pwent *userlist, *user;
3072
3073 *uids = NULL;
3074 *num = 0;
3075
3076 /* We only look at our own sam, so don't care about imported stuff */
3077
3078 winbind_off();
3079
3080 if ((grp = getgrgid(gid)) == NULL) {
3081 winbind_on();
3082 return False;
3083 }
3084
3085 /* Primary group members */
3086
3087 userlist = getpwent_list();
3088
3089 for (user = userlist; user != NULL; user = user->next) {
3090 if (user->pw_gid != gid)
3091 continue;
3092 add_uid_to_array_unique(user->pw_uid, uids, num);
3093 }
3094
3095 pwent_free(userlist);
3096
3097 /* Secondary group members */
3098
3099 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
3100 struct passwd *pw = getpwnam(*gr);
3101
3102 if (pw == NULL)
3103 continue;
3104 add_uid_to_array_unique(pw->pw_uid, uids, num);
3105 }
3106
3107 winbind_on();
3108
3109 return True;
3110 }
3111
3112 /*********************************************************************
3113 _samr_query_groupmem
3114 *********************************************************************/
3115
3116 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3117 {
3118 DOM_SID group_sid;
3119 fstring group_sid_str;
3120 int i, num_members;
3121
3122 uint32 *rid=NULL;
3123 uint32 *attr=NULL;
3124
3125 uint32 acc_granted;
3126
3127 NTSTATUS result;
3128
3129 /* find the policy handle. open a policy on it. */
3130 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3131 return NT_STATUS_INVALID_HANDLE;
3132
3133 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3134 return r_u->status;
3135 }
3136
3137 sid_to_string(group_sid_str, &group_sid);
3138 DEBUG(10, ("sid is %s\n", group_sid_str));
3139
3140 if (!sid_check_is_in_our_domain(&group_sid)) {
3141 DEBUG(3, ("sid %s is not in our domain\n", group_sid_str));
3142 return NT_STATUS_NO_SUCH_GROUP;
3143 }
3144
3145 DEBUG(10, ("lookup on Domain SID\n"));
3146
3147 become_root();
3148 result = pdb_enum_group_members(p->mem_ctx, &group_sid,
3149 &rid, &num_members);
3150 unbecome_root();
3151
3152 if (!NT_STATUS_IS_OK(result))
3153 return result;
3154
3155 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
3156
3157 if ((num_members!=0) && (rid==NULL))
3158 return NT_STATUS_NO_MEMORY;
3159
3160 for (i=0; i<num_members; i++)
3161 attr[i] = SID_NAME_USER;
3162
3163 init_samr_r_query_groupmem(r_u, num_members, rid, attr, NT_STATUS_OK);
3164
3165 return NT_STATUS_OK;
3166 }
3167
3168 /*********************************************************************
3169 _samr_add_aliasmem
3170 *********************************************************************/
3171
3172 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3173 {
3174 DOM_SID alias_sid;
3175 uint32 acc_granted;
3176 SE_PRIV se_rights;
3177 BOOL can_add_accounts;
3178 BOOL ret;
3179
3180
3181 /* Find the policy handle. Open a policy on it. */
3182 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3183 return NT_STATUS_INVALID_HANDLE;
3184
3185 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3186 return r_u->status;
3187 }
3188
3189 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3190
3191 se_priv_copy( &se_rights, &se_add_users );
3192 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3193
3194 /******** BEGIN SeAddUsers BLOCK *********/
3195
3196 if ( can_add_accounts )
3197 become_root();
3198
3199 ret = pdb_add_aliasmem(&alias_sid, &q_u->sid.sid);
3200
3201 if ( can_add_accounts )
3202 unbecome_root();
3203
3204 /******** END SeAddUsers BLOCK *********/
3205
3206 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3207 }
3208
3209 /*********************************************************************
3210 _samr_del_aliasmem
3211 *********************************************************************/
3212
3213 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3214 {
3215 DOM_SID alias_sid;
3216 uint32 acc_granted;
3217 SE_PRIV se_rights;
3218 BOOL can_add_accounts;
3219 BOOL ret;
3220
3221 /* Find the policy handle. Open a policy on it. */
3222 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3223 return NT_STATUS_INVALID_HANDLE;
3224
3225 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3226 return r_u->status;
3227 }
3228
3229 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
3230 sid_string_static(&alias_sid)));
3231
3232 se_priv_copy( &se_rights, &se_add_users );
3233 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3234
3235 /******** BEGIN SeAddUsers BLOCK *********/
3236
3237 if ( can_add_accounts )
3238 become_root();
3239
3240 ret = pdb_del_aliasmem(&alias_sid, &q_u->sid.sid);
3241
3242 if ( can_add_accounts )
3243 unbecome_root();
3244
3245 /******** END SeAddUsers BLOCK *********/
3246
3247 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3248 }
3249
3250 /*********************************************************************
3251 _samr_add_groupmem
3252 *********************************************************************/
3253
3254 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3255 {
3256 DOM_SID group_sid;
3257 DOM_SID user_sid;
3258 fstring group_sid_str;
3259 uid_t uid;
3260 struct passwd *pwd;
3261 struct group *grp;
3262 fstring grp_name;
3263 GROUP_MAP map;
3264 NTSTATUS ret;
3265 SAM_ACCOUNT *sam_user=NULL;
3266 BOOL check;
3267 uint32 acc_granted;
3268 SE_PRIV se_rights;
3269 BOOL can_add_accounts;
3270
3271 /* Find the policy handle. Open a policy on it. */
3272 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3273 return NT_STATUS_INVALID_HANDLE;
3274
3275 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3276 return r_u->status;
3277 }
3278
3279 sid_to_string(group_sid_str, &group_sid);
3280 DEBUG(10, ("sid is %s\n", group_sid_str));
3281
3282 if (sid_compare(&group_sid, get_global_sam_sid())<=0)
3283 return NT_STATUS_NO_SUCH_GROUP;
3284
3285 DEBUG(10, ("lookup on Domain SID\n"));
3286
3287 if(!get_domain_group_from_sid(group_sid, &map))
3288 return NT_STATUS_NO_SUCH_GROUP;
3289
3290 sid_copy(&user_sid, get_global_sam_sid());
3291 sid_append_rid(&user_sid, q_u->rid);
3292
3293 ret = pdb_init_sam(&sam_user);
3294 if (!NT_STATUS_IS_OK(ret))
3295 return ret;
3296
3297 check = pdb_getsampwsid(sam_user, &user_sid);
3298
3299 if (check != True) {
3300 pdb_free_sam(&sam_user);
3301 return NT_STATUS_NO_SUCH_USER;
3302 }
3303
3304 /* check a real user exist before we run the script to add a user to a group */
3305 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3306 pdb_free_sam(&sam_user);
3307 return NT_STATUS_NO_SUCH_USER;
3308 }
3309
3310 pdb_free_sam(&sam_user);
3311
3312 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3313 return NT_STATUS_NO_SUCH_USER;
3314 }
3315
3316 if ((grp=getgrgid(map.gid)) == NULL) {
3317 passwd_free(&pwd);
3318 return NT_STATUS_NO_SUCH_GROUP;
3319 }
3320
3321 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3322 fstrcpy(grp_name, grp->gr_name);
3323
3324 /* if the user is already in the group */
3325 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3326 passwd_free(&pwd);
3327 return NT_STATUS_MEMBER_IN_GROUP;
3328 }
3329
3330 se_priv_copy( &se_rights, &se_add_users );
3331 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3332
3333 /******** BEGIN SeAddUsers BLOCK *********/
3334
3335 if ( can_add_accounts )
3336 become_root();
3337
3338 /*
3339 * ok, the group exist, the user exist, the user is not in the group,
3340 *
3341 * we can (finally) add it to the group !
3342 */
3343
3344 smb_add_user_group(grp_name, pwd->pw_name);
3345
3346 if ( can_add_accounts )
3347 unbecome_root();
3348
3349 /******** END SeAddUsers BLOCK *********/
3350
3351 /* check if the user has been added then ... */
3352 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3353 passwd_free(&pwd);
3354 return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
3355 }
3356
3357 passwd_free(&pwd);
3358 return NT_STATUS_OK;
3359 }
3360
3361 /*********************************************************************
3362 _samr_del_groupmem
3363 *********************************************************************/
3364
3365 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3366 {
3367 DOM_SID group_sid;
3368 DOM_SID user_sid;
3369 SAM_ACCOUNT *sam_pass=NULL;
3370 GROUP_MAP map;
3371 fstring grp_name;
3372 struct group *grp;
3373 uint32 acc_granted;
3374 SE_PRIV se_rights;
3375 BOOL can_add_accounts;
3376
3377 /*
3378 * delete the group member named q_u->rid
3379 * who is a member of the sid associated with the handle
3380 * the rid is a user's rid as the group is a domain group.
3381 */
3382
3383 /* Find the policy handle. Open a policy on it. */
3384 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3385 return NT_STATUS_INVALID_HANDLE;
3386
3387 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3388 return r_u->status;
3389 }
3390
3391 if (!sid_check_is_in_our_domain(&group_sid))
3392 return NT_STATUS_NO_SUCH_GROUP;
3393
3394 sid_copy(&user_sid, get_global_sam_sid());
3395 sid_append_rid(&user_sid, q_u->rid);
3396
3397 if (!get_domain_group_from_sid(group_sid, &map))
3398 return NT_STATUS_NO_SUCH_GROUP;
3399
3400 if ((grp=getgrgid(map.gid)) == NULL)
3401 return NT_STATUS_NO_SUCH_GROUP;
3402
3403 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3404 fstrcpy(grp_name, grp->gr_name);
3405
3406 /* check if the user exists before trying to remove it from the group */
3407 pdb_init_sam(&sam_pass);
3408 if (!pdb_getsampwsid(sam_pass, &user_sid)) {
3409 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3410 pdb_free_sam(&sam_pass);
3411 return NT_STATUS_NO_SUCH_USER;
3412 }
3413
3414 /* if the user is not in the group */
3415 if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3416 pdb_free_sam(&sam_pass);
3417 return NT_STATUS_MEMBER_NOT_IN_GROUP;
3418 }
3419
3420
3421 se_priv_copy( &se_rights, &se_add_users );
3422 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3423
3424 /******** BEGIN SeAddUsers BLOCK *********/
3425
3426 if ( can_add_accounts )
3427 become_root();
3428
3429 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3430
3431 if ( can_add_accounts )
3432 unbecome_root();
3433
3434 /******** END SeAddUsers BLOCK *********/
3435
3436 /* check if the user has been removed then ... */
3437 if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3438 pdb_free_sam(&sam_pass);
3439 return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
3440 }
3441
3442 pdb_free_sam(&sam_pass);
3443 return NT_STATUS_OK;
3444
3445 }
3446
3447 /****************************************************************************
3448 Delete a UNIX user on demand.
3449 ****************************************************************************/
3450
3451 static int smb_delete_user(const char *unix_user)
3452 {
3453 pstring del_script;
3454 int ret;
3455
3456 pstrcpy(del_script, lp_deluser_script());
3457 if (! *del_script)
3458 return -1;
3459 all_string_sub(del_script, "%u", unix_user, sizeof(del_script));
3460 ret = smbrun(del_script,NULL);
3461 flush_pwnam_cache();
3462 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
3463
3464 return ret;
3465 }
3466
3467 /*********************************************************************
3468 _samr_delete_dom_user
3469 *********************************************************************/
3470
3471 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3472 {
3473 DOM_SID user_sid;
3474 SAM_ACCOUNT *sam_pass=NULL;
3475 uint32 acc_granted;
3476 BOOL can_add_accounts;
3477 BOOL ret;
3478
3479 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
3480
3481 /* Find the policy handle. Open a policy on it. */
3482 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted))
3483 return NT_STATUS_INVALID_HANDLE;
3484
3485 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3486 return r_u->status;
3487 }
3488
3489 if (!sid_check_is_in_our_domain(&user_sid))
3490 return NT_STATUS_CANNOT_DELETE;
3491
3492 /* check if the user exists before trying to delete */
3493 pdb_init_sam(&sam_pass);
3494 if(!pdb_getsampwsid(sam_pass, &user_sid)) {
3495 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
3496 sid_string_static(&user_sid)));
3497 pdb_free_sam(&sam_pass);
3498 return NT_STATUS_NO_SUCH_USER;
3499 }
3500
3501 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
3502
3503 /******** BEGIN SeAddUsers BLOCK *********/
3504
3505 if ( can_add_accounts )
3506 become_root();
3507
3508 /* First delete the samba side....
3509 code is order to prevent unnecessary returns out of the admin
3510 block of code */
3511
3512 if ( (ret = pdb_delete_sam_account(sam_pass)) == True ) {
3513 /*
3514 * Now delete the unix side ....
3515 * note: we don't check if the delete really happened
3516 * as the script is not necessary present
3517 * and maybe the sysadmin doesn't want to delete the unix side
3518 */
3519 smb_delete_user( pdb_get_username(sam_pass) );
3520 }
3521
3522 if ( can_add_accounts )
3523 unbecome_root();
3524
3525 /******** END SeAddUsers BLOCK *********/
3526
3527 if ( !ret ) {
3528 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3529 pdb_free_sam(&sam_pass);
3530 return NT_STATUS_CANNOT_DELETE;
3531 }
3532
3533
3534 pdb_free_sam(&sam_pass);
3535
3536 if (!close_policy_hnd(p, &q_u->user_pol))
3537 return NT_STATUS_OBJECT_NAME_INVALID;
3538
3539 return NT_STATUS_OK;
3540 }
3541
3542 /*********************************************************************
3543 _samr_delete_dom_group
3544 *********************************************************************/
3545
3546 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3547 {
3548 DOM_SID group_sid;
3549 DOM_SID dom_sid;
3550 uint32 group_rid;
3551 fstring group_sid_str;
3552 gid_t gid;
3553 struct group *grp;
3554 GROUP_MAP map;
3555 uint32 acc_granted;
3556 SE_PRIV se_rights;
3557 BOOL can_add_accounts;
3558 BOOL ret;
3559
3560 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
3561
3562 /* Find the policy handle. Open a policy on it. */
3563 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3564 return NT_STATUS_INVALID_HANDLE;
3565
3566 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
3567 return r_u->status;
3568 }
3569
3570 sid_copy(&dom_sid, &group_sid);
3571 sid_to_string(group_sid_str, &dom_sid);
3572 sid_split_rid(&dom_sid, &group_rid);
3573
3574 DEBUG(10, ("sid is %s\n", group_sid_str));
3575
3576 /* we check if it's our SID before deleting */
3577 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3578 return NT_STATUS_NO_SUCH_GROUP;
3579
3580 DEBUG(10, ("lookup on Domain SID\n"));
3581
3582 if(!get_domain_group_from_sid(group_sid, &map))
3583 return NT_STATUS_NO_SUCH_GROUP;
3584
3585 gid=map.gid;
3586
3587 /* check if group really exists */
3588 if ( (grp=getgrgid(gid)) == NULL)
3589 return NT_STATUS_NO_SUCH_GROUP;
3590
3591 se_priv_copy( &se_rights, &se_add_users );
3592 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3593
3594 /******** BEGIN SeAddUsers BLOCK *********/
3595
3596 if ( can_add_accounts )
3597 become_root();
3598
3599 /* delete mapping first */
3600
3601 if ( (ret = pdb_delete_group_mapping_entry(group_sid)) == True ) {
3602 smb_delete_group( grp->gr_name );
3603 }
3604
3605 if ( can_add_accounts )
3606 unbecome_root();
3607
3608 /******** END SeAddUsers BLOCK *********/
3609
3610 if ( !ret ) {
3611 DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping entry for group %s.\n",
3612 group_sid_str));
3613 return NT_STATUS_ACCESS_DENIED;
3614 }
3615
3616 /* don't check that the unix group has been deleted. Work like
3617 _samr_delet_dom_user() */
3618
3619 if (!close_policy_hnd(p, &q_u->group_pol))
3620 return NT_STATUS_OBJECT_NAME_INVALID;
3621
3622 return NT_STATUS_OK;
3623 }
3624
3625 /*********************************************************************
3626 _samr_delete_dom_alias
3627 *********************************************************************/
3628
3629 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
3630 {
3631 DOM_SID alias_sid;
3632 uint32 acc_granted;
3633 SE_PRIV se_rights;
3634 BOOL can_add_accounts;
3635 BOOL ret;
3636
3637 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
3638
3639 /* Find the policy handle. Open a policy on it. */
3640 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3641 return NT_STATUS_INVALID_HANDLE;
3642
3643 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
3644 return r_u->status;
3645 }
3646
3647 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3648
3649 if (!sid_check_is_in_our_domain(&alias_sid))
3650 return NT_STATUS_NO_SUCH_ALIAS;
3651
3652 DEBUG(10, ("lookup on Local SID\n"));
3653
3654 se_priv_copy( &se_rights, &se_add_users );
3655 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3656
3657 /******** BEGIN SeAddUsers BLOCK *********/
3658
3659 if ( can_add_accounts )
3660 become_root();
3661
3662 /* Have passdb delete the alias */
3663 ret = pdb_delete_alias(&alias_sid);
3664
3665 if ( can_add_accounts )
3666 unbecome_root();
3667
3668 /******** END SeAddUsers BLOCK *********/
3669
3670 if ( !ret )
3671 return NT_STATUS_ACCESS_DENIED;
3672
3673 if (!close_policy_hnd(p, &q_u->alias_pol))
3674 return NT_STATUS_OBJECT_NAME_INVALID;
3675
3676 return NT_STATUS_OK;
3677 }
3678
3679 /*********************************************************************
3680 _samr_create_dom_group
3681 *********************************************************************/
3682
3683 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
3684 {
3685 DOM_SID dom_sid;
3686 DOM_SID info_sid;
3687 fstring name;
3688 fstring sid_string;
3689 struct group *grp;
3690 struct samr_info *info;
3691 uint32 acc_granted;
3692 gid_t gid;
3693 SE_PRIV se_rights;
3694 BOOL can_add_accounts;
3695 NTSTATUS result;
3696
3697 /* Find the policy handle. Open a policy on it. */
3698 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted))
3699 return NT_STATUS_INVALID_HANDLE;
3700
3701 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
3702 return r_u->status;
3703 }
3704
3705 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3706 return NT_STATUS_ACCESS_DENIED;
3707
3708 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3709
3710 /* check if group already exist */
3711 if ((grp=getgrnam(name)) != NULL)
3712 return NT_STATUS_GROUP_EXISTS;
3713
3714 se_priv_copy( &se_rights, &se_add_users );
3715 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3716
3717 /******** BEGIN SeAddUsers BLOCK *********/
3718
3719 if ( can_add_accounts )
3720 become_root();
3721
3722 /* check that we successfully create the UNIX group */
3723
3724 result = NT_STATUS_ACCESS_DENIED;
3725 if ( (smb_create_group(name, &gid) == 0) && ((grp=getgrgid(gid)) != NULL) ) {
3726
3727 /* so far, so good */
3728
3729 result = NT_STATUS_OK;
3730
3731 r_u->rid = pdb_gid_to_group_rid( grp->gr_gid );
3732
3733 /* add the group to the mapping table */
3734
3735 sid_copy( &info_sid, get_global_sam_sid() );
3736 sid_append_rid( &info_sid, r_u->rid );
3737 sid_to_string( sid_string, &info_sid );
3738
3739 /* reset the error code if we fail to add the mapping entry */
3740
3741 if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) )
3742 result = NT_STATUS_ACCESS_DENIED;
3743 }
3744
3745 if ( can_add_accounts )
3746 unbecome_root();
3747
3748 /******** END SeAddUsers BLOCK *********/
3749
3750 /* check if we should bail out here */
3751
3752 if ( !NT_STATUS_IS_OK(result) )
3753 return result;
3754
3755 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
3756 return NT_STATUS_NO_MEMORY;
3757
3758
3759 /* they created it; let the user do what he wants with it */
3760
3761 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
3762
3763 /* get a (unique) handle. open a policy on it. */
3764 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
3765 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3766
3767 return NT_STATUS_OK;
3768 }
3769
3770 /*********************************************************************
3771 _samr_create_dom_alias
3772 *********************************************************************/
3773
3774 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
3775 {
3776 DOM_SID dom_sid;
3777 DOM_SID info_sid;
3778 fstring name;
3779 struct samr_info *info;
3780 uint32 acc_granted;
3781 gid_t gid;
3782 NTSTATUS result;
3783 SE_PRIV se_rights;
3784 BOOL can_add_accounts;
3785
3786 /* Find the policy handle. Open a policy on it. */
3787 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted))
3788 return NT_STATUS_INVALID_HANDLE;
3789
3790 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
3791 return r_u->status;
3792 }
3793
3794 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3795 return NT_STATUS_ACCESS_DENIED;
3796
3797 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3798
3799 se_priv_copy( &se_rights, &se_add_users );
3800 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3801
3802 /******** BEGIN SeAddUsers BLOCK *********/
3803
3804 if ( can_add_accounts )
3805 become_root();
3806
3807 /* Have passdb create the alias */
3808 result = pdb_create_alias(name, &r_u->rid);
3809
3810 if ( can_add_accounts )
3811 unbecome_root();
3812
3813 /******** END SeAddUsers BLOCK *********/
3814
3815 if (!NT_STATUS_IS_OK(result))
3816 return result;
3817
3818 sid_copy(&info_sid, get_global_sam_sid());
3819 sid_append_rid(&info_sid, r_u->rid);
3820
3821 if (!NT_STATUS_IS_OK(sid_to_gid(&info_sid, &gid)))
3822 return NT_STATUS_ACCESS_DENIED;
3823
3824 /* check if the group has been successfully created */
3825 if ( getgrgid(gid) == NULL )
3826 return NT_STATUS_ACCESS_DENIED;
3827
3828 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
3829 return NT_STATUS_NO_MEMORY;
3830
3831 /* they created it; let the user do what he wants with it */
3832
3833 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
3834
3835 /* get a (unique) handle. open a policy on it. */
3836 if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info))
3837 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3838
3839 return NT_STATUS_OK;
3840 }
3841
3842 /*********************************************************************
3843 _samr_query_groupinfo
3844
3845 sends the name/comment pair of a domain group
3846 level 1 send also the number of users of that group
3847 *********************************************************************/
3848
3849 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
3850 {
3851 DOM_SID group_sid;
3852 GROUP_MAP map;
3853 DOM_SID *sids=NULL;
3854 uid_t *uids;
3855 int num=0;
3856 GROUP_INFO_CTR *ctr;
3857 uint32 acc_granted;
3858 BOOL ret;
3859
3860 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3861 return NT_STATUS_INVALID_HANDLE;
3862
3863 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
3864 return r_u->status;
3865 }
3866
3867 become_root();
3868 ret = get_domain_group_from_sid(group_sid, &map);
3869 unbecome_root();
3870 if (!ret)
3871 return NT_STATUS_INVALID_HANDLE;
3872
3873 ctr=TALLOC_ZERO_P(p->mem_ctx, GROUP_INFO_CTR);
3874 if (ctr==NULL)
3875 return NT_STATUS_NO_MEMORY;
3876
3877 switch (q_u->switch_level) {
3878 case 1:
3879 ctr->switch_value1 = 1;
3880 if(!get_memberuids(map.gid, &uids, &num))
3881 return NT_STATUS_NO_SUCH_GROUP;
3882 SAFE_FREE(uids);
3883 init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num);
3884 SAFE_FREE(sids);
3885 break;
3886 case 3:
3887 ctr->switch_value1 = 3;
3888 init_samr_group_info3(&ctr->group.info3);
3889 break;
3890 case 4:
3891 ctr->switch_value1 = 4;
3892 init_samr_group_info4(&ctr->group.info4, map.comment);
3893 break;
3894 default:
3895 return NT_STATUS_INVALID_INFO_CLASS;
3896 }
3897
3898 init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK);
3899
3900 return NT_STATUS_OK;
3901 }
3902
3903 /*********************************************************************
3904 _samr_set_groupinfo
3905
3906 update a domain group's comment.
3907 *********************************************************************/
3908
3909 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
3910 {
3911 DOM_SID group_sid;
3912 GROUP_MAP map;
3913 GROUP_INFO_CTR *ctr;
3914 uint32 acc_granted;
3915
3916 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3917 return NT_STATUS_INVALID_HANDLE;
3918
3919 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
3920 return r_u->status;
3921 }
3922
3923 if (!get_domain_group_from_sid(group_sid, &map))
3924 return NT_STATUS_NO_SUCH_GROUP;
3925
3926 ctr=q_u->ctr;
3927
3928 switch (ctr->switch_value1) {
3929 case 1:
3930 unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
3931 break;
3932 case 4:
3933 unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
3934 break;
3935 default:
3936 return NT_STATUS_INVALID_INFO_CLASS;
3937 }
3938
3939 if(!pdb_update_group_mapping_entry(&map)) {
3940 return NT_STATUS_NO_SUCH_GROUP;
3941 }
3942
3943 return NT_STATUS_OK;
3944 }
3945
3946 /*********************************************************************
3947 _samr_set_aliasinfo
3948
3949 update an alias's comment.
3950 *********************************************************************/
3951
3952 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
3953 {
3954 DOM_SID group_sid;
3955 struct acct_info info;
3956 ALIAS_INFO_CTR *ctr;
3957 uint32 acc_granted;
3958
3959 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
3960 return NT_STATUS_INVALID_HANDLE;
3961
3962 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
3963 return r_u->status;
3964 }
3965
3966 ctr=&q_u->ctr;
3967
3968 switch (ctr->level) {
3969 case 3:
3970 if ( ctr->alias.info3.description.string ) {
3971 unistr2_to_ascii( info.acct_desc,
3972 ctr->alias.info3.description.string,
3973 sizeof(info.acct_desc)-1 );
3974 }
3975 break;
3976 default:
3977 return NT_STATUS_INVALID_INFO_CLASS;
3978 }
3979
3980 if(!pdb_set_aliasinfo(&group_sid, &info)) {
3981 return NT_STATUS_ACCESS_DENIED;
3982 }
3983
3984 return NT_STATUS_OK;
3985 }
3986
3987 /*********************************************************************
3988 _samr_get_dom_pwinfo
3989 *********************************************************************/
3990
3991 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
3992 {
3993 /* Perform access check. Since this rpc does not require a
3994 policy handle it will not be caught by the access checks on
3995 SAMR_CONNECT or SAMR_CONNECT_ANON. */
3996
3997 if (!pipe_access_check(p)) {
3998 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
3999 r_u->status = NT_STATUS_ACCESS_DENIED;
4000 return r_u->status;
4001 }
4002
4003 /* Actually, returning zeros here works quite well :-). */
4004
4005 return NT_STATUS_OK;
4006 }
4007
4008 /*********************************************************************
4009 _samr_open_group
4010 *********************************************************************/
4011
4012 NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u)
4013 {
4014 DOM_SID sid;
4015 DOM_SID info_sid;
4016 GROUP_MAP map;
4017 struct samr_info *info;
4018 SEC_DESC *psd = NULL;
4019 uint32 acc_granted;
4020 uint32 des_access = q_u->access_mask;
4021 size_t sd_size;
4022 NTSTATUS status;
4023 fstring sid_string;
4024 BOOL ret;
4025 SE_PRIV se_rights;
4026
4027 if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted))
4028 return NT_STATUS_INVALID_HANDLE;
4029
4030 status = access_check_samr_function(acc_granted,
4031 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group");
4032
4033 if ( !NT_STATUS_IS_OK(status) )
4034 return status;
4035
4036 /*check if access can be granted as requested by client. */
4037 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
4038 se_map_generic(&des_access,&grp_generic_mapping);
4039
4040 se_priv_copy( &se_rights, &se_add_users );
4041
4042 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
4043 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
4044 &acc_granted, "_samr_open_group");
4045
4046 if ( !NT_STATUS_IS_OK(status) )
4047 return status;
4048
4049 /* this should not be hard-coded like this */
4050
4051 if (!sid_equal(&sid, get_global_sam_sid()))
4052 return NT_STATUS_ACCESS_DENIED;
4053
4054 sid_copy(&info_sid, get_global_sam_sid());
4055 sid_append_rid(&info_sid, q_u->rid_group);
4056 sid_to_string(sid_string, &info_sid);
4057
4058 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4059 return NT_STATUS_NO_MEMORY;
4060
4061 info->acc_granted = acc_granted;
4062
4063 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
4064
4065 /* check if that group really exists */
4066 become_root();
4067 ret = get_domain_group_from_sid(info->sid, &map);
4068 unbecome_root();
4069 if (!ret)
4070 return NT_STATUS_NO_SUCH_GROUP;
4071
4072 /* get a (unique) handle. open a policy on it. */
4073 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4074 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4075
4076 return NT_STATUS_OK;
4077 }
4078
4079 /*********************************************************************
4080 _samr_remove_sid_foreign_domain
4081 *********************************************************************/
4082
4083 NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p,
4084 SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u,
4085 SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u)
4086 {
4087 DOM_SID delete_sid, domain_sid;
4088 uint32 acc_granted;
4089 NTSTATUS result;
4090
4091 sid_copy( &delete_sid, &q_u->sid.sid );
4092
4093 DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n",
4094 sid_string_static(&delete_sid)));
4095
4096 /* Find the policy handle. Open a policy on it. */
4097
4098 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid,
4099 &acc_granted))
4100 return NT_STATUS_INVALID_HANDLE;
4101
4102 result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS,
4103 "_samr_remove_sid_foreign_domain");
4104
4105 if (!NT_STATUS_IS_OK(result))
4106 return result;
4107
4108 DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
4109 sid_string_static(&domain_sid)));
4110
4111 /* we can only delete a user from a group since we don't have
4112 nested groups anyways. So in the latter case, just say OK */
4113
4114 /* TODO: The above comment nowadays is bogus. Since we have nested
4115 * groups now, and aliases members are never reported out of the unix
4116 * group membership, the "just say OK" makes this call a no-op. For
4117 * us. This needs fixing however. */
4118
4119 /* I've only ever seen this in the wild when deleting a user from
4120 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
4121 * is the user about to be deleted. I very much suspect this is the
4122 * only application of this call. To verify this, let people report
4123 * other cases. */
4124
4125 if (!sid_check_is_builtin(&domain_sid)) {
4126 DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, "
4127 "global_sam_sid() = %s\n",
4128 sid_string_static(&domain_sid),
4129 sid_string_static(get_global_sam_sid())));
4130 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
4131 return NT_STATUS_OK;
4132 }
4133
4134
4135 result = NT_STATUS_OK;
4136
4137 return result;
4138 }
4139
4140 /*******************************************************************
4141 _samr_unknown_2e
4142 ********************************************************************/
4143
4144 NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u)
4145 {
4146 struct samr_info *info = NULL;
4147 SAM_UNK_CTR *ctr;
4148 uint32 min_pass_len,pass_hist,flag;
4149 time_t u_expire, u_min_age;
4150 NTTIME nt_expire, nt_min_age;
4151
4152 time_t u_lock_duration, u_reset_time;
4153 NTTIME nt_lock_duration, nt_reset_time;
4154 uint32 lockout;
4155
4156 time_t u_logout;
4157 NTTIME nt_logout;
4158
4159 uint32 num_users=0, num_groups=0, num_aliases=0;
4160
4161 uint32 account_policy_temp;
4162 uint32 server_role;
4163
4164 if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL)
4165 return NT_STATUS_NO_MEMORY;
4166
4167 ZERO_STRUCTP(ctr);
4168
4169 r_u->status = NT_STATUS_OK;
4170
4171 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4172
4173 /* find the policy handle. open a policy on it. */
4174 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
4175 return NT_STATUS_INVALID_HANDLE;
4176
4177 switch (q_u->switch_value) {
4178 case 0x01:
4179 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
4180 min_pass_len = account_policy_temp;
4181
4182 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
4183 pass_hist = account_policy_temp;
4184
4185 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
4186 flag = account_policy_temp;
4187
4188 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
4189 u_expire = account_policy_temp;
4190
4191 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
4192 u_min_age = account_policy_temp;
4193
4194 unix_to_nt_time_abs(&nt_expire, u_expire);
4195 unix_to_nt_time_abs(&nt_min_age, u_min_age);
4196
4197 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
4198 flag, nt_expire, nt_min_age);
4199 break;
4200 case 0x02:
4201 become_root();
4202 num_users = count_sam_users(&info->disp_info,
4203 ACB_NORMAL);
4204 num_groups = count_sam_groups(&info->disp_info);
4205 unbecome_root();
4206
4207 free_samr_db(info);
4208
4209 account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
4210 u_logout = account_policy_temp;
4211
4212 unix_to_nt_time_abs(&nt_logout, u_logout);
4213
4214 server_role = ROLE_DOMAIN_PDC;
4215 if (lp_server_role() == ROLE_DOMAIN_BDC)
4216 server_role = ROLE_DOMAIN_BDC;
4217
4218 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4219 init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), time(NULL),
4220 num_users, num_groups, num_aliases, nt_logout, server_role);
4221 break;
4222 case 0x03:
4223 account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
4224 u_logout = account_policy_temp;
4225
4226 unix_to_nt_time_abs(&nt_logout, u_logout);
4227
4228 init_unk_info3(&ctr->info.inf3, nt_logout);
4229 break;
4230 case 0x05:
4231 init_unk_info5(&ctr->info.inf5, global_myname());
4232 break;
4233 case 0x06:
4234 init_unk_info6(&ctr->info.inf6);
4235 break;
4236 case 0x07:
4237 server_role = ROLE_DOMAIN_PDC;
4238 if (lp_server_role() == ROLE_DOMAIN_BDC)
4239 server_role = ROLE_DOMAIN_BDC;
4240 init_unk_info7(&ctr->info.inf7, server_role);
4241 break;
4242 case 0x08:
4243 init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
4244 break;
4245 case 0x0c:
4246 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
4247 u_lock_duration = account_policy_temp;
4248 if (u_lock_duration != -1)
4249 u_lock_duration *= 60;
4250
4251 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
4252 u_reset_time = account_policy_temp * 60;
4253
4254 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
4255 lockout = account_policy_temp;
4256
4257 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
4258 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
4259
4260 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
4261 break;
4262 default:
4263 return NT_STATUS_INVALID_INFO_CLASS;
4264 }
4265
4266 init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
4267
4268 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4269
4270 return r_u->status;
4271 }
4272
4273 /*******************************************************************
4274 _samr_
4275 ********************************************************************/
4276
4277 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4278 {
4279 time_t u_expire, u_min_age;
4280 time_t u_logout;
4281 time_t u_lock_duration, u_reset_time;
4282
4283 r_u->status = NT_STATUS_OK;
4284
4285 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
4286
4287 /* find the policy handle. open a policy on it. */
4288 if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL))
4289 return NT_STATUS_INVALID_HANDLE;
4290
4291 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value));
4292
4293 switch (q_u->switch_value) {
4294 case 0x01:
4295 u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
4296 u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
4297
4298 account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
4299 account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
4300 account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
4301 account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
4302 account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
4303 break;
4304 case 0x02:
4305 break;
4306 case 0x03:
4307 u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
4308 account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
4309 break;
4310 case 0x05:
4311 break;
4312 case 0x06:
4313 break;
4314 case 0x07:
4315 break;
4316 case 0x0c:
4317 u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
4318 if (u_lock_duration != -1)
4319 u_lock_duration /= 60;
4320
4321 u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
4322
4323 account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
4324 account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
4325 account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
4326 break;
4327 default:
4328 return NT_STATUS_INVALID_INFO_CLASS;
4329 }
4330
4331 init_samr_r_set_domain_info(r_u, NT_STATUS_OK);
4332
4333 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
4334
4335 return r_u->status;
4336 }
Samba GIT mirror