source/samrd/srv_samr_als_nt5ldap.c

   1 /*
   2  *  Unix SMB/Netbios implementation.
   3  *  Version 1.9.
   4  *  RPC Pipe client / server routines
   5  *  Copyright (C) Andrew Tridgell              1992-2000,
   6  *  Copyright (C) Luke Kenneth Casson Leighton 1996-2000,
   7  *  Copyright (C) Sander Striker               2000
   8  *
   9  *  This program is free software; you can redistribute it and/or modify
  10  *  it under the terms of the GNU General Public License as published by
  11  *  the Free Software Foundation; either version 2 of the License, or
  12  *  (at your option) any later version.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License
  20  *  along with this program; if not, write to the Free Software
  21  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22  */
  23
  24
  25 #include "includes.h"
  26 #include "nterr.h"
  27 #include "sids.h"
  28
  29 extern int DEBUGLEVEL;
  30
  31 /*******************************************************************
  32  opens a samr group by rid, returns a policy handle.
  33  ********************************************************************/
  34 static uint32 samr_open_by_nt5ldapsid(LDAPDB *hds,
  35                                 const POLICY_HND *parent_pol,
  36                                 const DOM_SID *dom_sid,
  37                                 POLICY_HND *pol,
  38                                 uint32 access_mask,
  39                                 uint32 rid)
  40 {
  41         DOM_SID sid;
  42
  43         /* get a (unique) handle.  open a policy on it. */
  44         if (!open_policy_hnd_link(get_global_hnd_cache(),
  45                 parent_pol, pol, access_mask))
  46         {
  47                 return NT_STATUS_ACCESS_DENIED;
  48         }
  49
  50         DEBUG(0,("TODO: verify that the rid exists\n"));
  51
  52         /* associate a SID with the (unique) handle. */
  53         sid_copy(&sid, dom_sid);
  54         sid_append_rid(&sid, rid);
  55
  56         /* associate an group SID with the (unique) handle. */
  57         if (!set_nt5ldapsid(get_global_hnd_cache(), pol, hds, &sid))
  58         {
  59                 /* close the policy in case we can't associate a group SID */
  60                 close_policy_hnd(get_global_hnd_cache(), pol);
  61                 return NT_STATUS_ACCESS_DENIED;
  62         }
  63
  64         return NT_STATUS_NOPROBLEMO;
  65 }
  66
  67 /*******************************************************************
  68  samr_reply_add_aliasmem
  69  ********************************************************************/
  70 uint32 _samr_add_aliasmem(const POLICY_HND *alias_pol, const DOM_SID *sid)
  71 {
  72         DOM_SID alias_sid;
  73         uint32 alias_rid;
  74         fstring alias_sid_str;
  75         LDAPDB *hds = NULL;
  76
  77         /* find the policy handle.  open a policy on it. */
  78         if (!get_nt5ldapsid(get_global_hnd_cache(), alias_pol, &hds, &alias_sid))
  79         {
  80                 return NT_STATUS_INVALID_HANDLE;
  81         }
  82         sid_to_string(alias_sid_str, &alias_sid);
  83         sid_split_rid(&alias_sid, &alias_rid);
  84
  85         DEBUG(10,("sid is %s\n", alias_sid_str));
  86
  87         if (sid_equal(&alias_sid, &global_sam_sid))
  88         {
  89                 DEBUG(10,("add member on Domain SID\n"));
  90
  91 #if 0
  92                 if (!add_alias_member(alias_rid, sid))
  93 #endif
  94                 {
  95                         return NT_STATUS_ACCESS_DENIED;
  96                 }
  97         }
  98         else if (sid_equal(&alias_sid, &global_sid_S_1_5_20))
  99         {
 100                 DEBUG(10,("add member on BUILTIN SID\n"));
 101
 102 #if 0
 103                 if (!add_builtin_member(alias_rid, sid))
 104 #endif
 105                 {
 106                         return NT_STATUS_ACCESS_DENIED;
 107                 }
 108         }
 109         else
 110         {
 111                 return NT_STATUS_NO_SUCH_ALIAS;
 112         }
 113
 114         return NT_STATUS_NOPROBLEMO;
 115 }
 116
 117 /*******************************************************************
 118  samr_reply_del_aliasmem
 119  ********************************************************************/
 120 uint32 _samr_del_aliasmem(const POLICY_HND *alias_pol, const DOM_SID *sid)
 121 {
 122         DOM_SID alias_sid;
 123         uint32 alias_rid;
 124         fstring alias_sid_str;
 125         LDAPDB *hds = NULL;
 126
 127         /* find the policy handle.  open a policy on it. */
 128         if (!get_nt5ldapsid(get_global_hnd_cache(), alias_pol, &hds, &alias_sid))
 129         {
 130                 return NT_STATUS_INVALID_HANDLE;
 131         }
 132         sid_to_string(alias_sid_str, &alias_sid);
 133         sid_split_rid(&alias_sid, &alias_rid);
 134
 135         DEBUG(10,("sid is %s\n", alias_sid_str));
 136
 137         if (sid_equal(&alias_sid, &global_sam_sid))
 138         {
 139                 DEBUG(10,("del member on Domain SID\n"));
 140
 141 #if 0
 142                 if (!del_alias_member(alias_rid, sid))
 143 #endif
 144                 {
 145                         return NT_STATUS_ACCESS_DENIED;
 146                 }
 147         }
 148         else if (sid_equal(&alias_sid, &global_sid_S_1_5_20))
 149         {
 150                 DEBUG(10,("del member on BUILTIN SID\n"));
 151
 152 #if 0
 153                 if (!del_builtin_member(alias_rid, sid))
 154 #endif
 155                 {
 156                         return NT_STATUS_ACCESS_DENIED;
 157                 }
 158         }
 159         else
 160         {
 161                 return NT_STATUS_NO_SUCH_ALIAS;
 162         }
 163
 164         return NT_STATUS_NOPROBLEMO;
 165 }
 166
 167 /*******************************************************************
 168  samr_reply_query_aliasinfo
 169  ********************************************************************/
 170 uint32 _samr_query_aliasinfo(const POLICY_HND *alias_pol,
 171                                 uint16 switch_level,
 172                                 ALIAS_INFO_CTR *ctr)
 173 {
 174         /* find the policy handle.  open a policy on it. */
 175         if ((find_policy_by_hnd(get_global_hnd_cache(), alias_pol) == -1))
 176         {
 177                 return NT_STATUS_INVALID_HANDLE;
 178         }
 179
 180         switch (switch_level)
 181         {
 182                 case 3:
 183                 {
 184                         ctr->switch_value1 = 3;
 185                         make_samr_alias_info3(&ctr->alias.info3,
 186                                    "<fake account description>");
 187                         break;
 188                 }
 189                 default:
 190                 {
 191                         return NT_STATUS_INVALID_INFO_CLASS;
 192                 }
 193         }
 194
 195         return NT_STATUS_NOPROBLEMO;
 196 }
 197
 198
 199 /*******************************************************************
 200  samr_reply_delete_dom_alias
 201  ********************************************************************/
 202 uint32 _samr_delete_dom_alias(POLICY_HND *alias_pol)
 203 {
 204         LDAPDB *hds = NULL;
 205         DOM_SID alias_sid;
 206         uint32 alias_rid;
 207         fstring alias_sid_str;
 208
 209         DEBUG(5,("samr_delete_dom_alias: %d\n", __LINE__));
 210
 211         /* find the policy handle.  open a policy on it. */
 212         if (!get_nt5ldapsid(get_global_hnd_cache(), alias_pol, &hds, &alias_sid))
 213         {
 214                 return NT_STATUS_INVALID_HANDLE;
 215         }
 216
 217         sid_to_string(alias_sid_str, &alias_sid     );
 218         sid_split_rid(&alias_sid, &alias_rid);
 219
 220         DEBUG(10,("sid is %s\n", alias_sid_str));
 221
 222         if (!sid_equal(&alias_sid, &global_sam_sid))
 223         {
 224                 return NT_STATUS_NO_SUCH_ALIAS;
 225         }
 226
 227         DEBUG(10,("lookup on Domain SID\n"));
 228
 229 #if 0
 230         if (!del_alias_entry(alias_rid))
 231 #endif
 232         {
 233                 return NT_STATUS_NO_SUCH_ALIAS;
 234         }
 235
 236         return _samr_close(alias_pol);
 237 }
 238
 239
 240 /*******************************************************************
 241  samr_reply_query_aliasmem
 242  ********************************************************************/
 243 uint32 _samr_query_aliasmem(const POLICY_HND *alias_pol,
 244                                 uint32 *num_mem, DOM_SID2 **sid)
 245 {
 246         LDAPDB *hds = NULL;
 247         LOCAL_GRP_MEMBER *mem_grp = NULL;
 248         LOCAL_GRP *grp = NULL;
 249         int num_sids = 0;
 250         DOM_SID alias_sid;
 251         uint32 alias_rid;
 252         fstring alias_sid_str;
 253
 254         DEBUG(5,("samr_query_aliasmem: %d\n", __LINE__));
 255
 256         (*sid) = NULL;
 257         (*num_mem) = 0;
 258
 259         /* find the policy handle.  open a policy on it. */
 260         if (!get_nt5ldapsid(get_global_hnd_cache(), alias_pol, &hds, &alias_sid))
 261         {
 262                 return NT_STATUS_INVALID_HANDLE;
 263         }
 264         sid_to_string(alias_sid_str, &alias_sid     );
 265         sid_split_rid(&alias_sid, &alias_rid);
 266
 267         DEBUG(10,("sid is %s\n", alias_sid_str));
 268
 269         if (sid_equal(&alias_sid, &global_sid_S_1_5_20))
 270         {
 271                 DEBUG(10,("lookup on S-1-5-20\n"));
 272
 273                 become_root(True);
 274 #if 0
 275                 grp = getbuiltinrid(alias_rid, &mem_grp, &num_sids);
 276 #endif
 277                 unbecome_root(True);
 278         }
 279         else if (sid_equal(&alias_sid, &global_sam_sid))
 280         {
 281                 DEBUG(10,("lookup on Domain SID\n"));
 282
 283                 become_root(True);
 284 #if 0
 285                 grp = getaliasrid(alias_rid, &mem_grp, &num_sids);
 286 #endif
 287                 unbecome_root(True);
 288         }
 289         else
 290         {
 291                 return NT_STATUS_NO_SUCH_ALIAS;
 292         }
 293
 294         if (grp == NULL)
 295         {
 296                 return NT_STATUS_NO_SUCH_ALIAS;
 297         }
 298
 299         if (num_sids > 0)
 300         {
 301                 (*sid) = malloc(num_sids * sizeof(DOM_SID2));
 302                 if (mem_grp != NULL && sid != NULL)
 303                 {
 304                         int i;
 305                         for (i = 0; i < num_sids; i++)
 306                         {
 307                                 make_dom_sid2(&(*sid)[i], &mem_grp[i].sid);
 308                         }
 309                 }
 310         }
 311
 312         (*num_mem) = num_sids;
 313
 314         if (mem_grp != NULL)
 315         {
 316                 free(mem_grp);
 317         }
 318
 319         return NT_STATUS_NOPROBLEMO;
 320 }
 321
 322 /*******************************************************************
 323  _samr_create_dom_alias
 324  ********************************************************************/
 325 uint32 _samr_create_dom_alias(const POLICY_HND *domain_pol,
 326                                 const UNISTR2 *uni_acct_name,
 327                                 uint32 access_mask,
 328                                 POLICY_HND *alias_pol, uint32 *rid)
 329 {
 330         uint32 status;
 331         DOM_SID dom_sid;
 332         LOCAL_GRP grp;
 333         LDAPDB *hds = NULL;
 334
 335         ZERO_STRUCTP(alias_pol);
 336
 337         /* find the policy handle.  open a policy on it. */
 338         if (find_policy_by_hnd(get_global_hnd_cache(), domain_pol) == -1)
 339         {
 340                 return NT_STATUS_INVALID_HANDLE;
 341         }
 342
 343         /* find the domain sid */
 344         if (!get_nt5ldapsid(get_global_hnd_cache(), domain_pol, &hds))
 345         {
 346                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
 347         }
 348
 349         if (!sid_equal(&dom_sid, &global_sam_sid))
 350         {
 351                 return NT_STATUS_ACCESS_DENIED;
 352         }
 353
 354         unistr2_to_ascii(grp.name, uni_acct_name, sizeof(grp.name)-1);
 355         fstrcpy(grp.comment, "");
 356         *rid = grp.rid = 0xffffffff;
 357
 358         *rid = grp.rid;
 359         status = samr_open_by_nt5ldapsid(hds, domain_pol,
 360                             &dom_sid, alias_pol, access_mask, grp.rid);
 361
 362         if (status != NT_STATUS_NOPROBLEMO)
 363         {
 364                 return status;
 365         }
 366
 367 #if 0
 368         if (!add_alias_entry(&grp))
 369 #endif
 370         {
 371                 return NT_STATUS_ACCESS_DENIED;
 372         }
 373
 374         return NT_STATUS_NOPROBLEMO;
 375 }
 376
 377 /*******************************************************************
 378  _samr_open_alias
 379  ********************************************************************/
 380 uint32 _samr_open_alias(const POLICY_HND *domain_pol,
 381                                         uint32 access_mask, uint32 alias_rid,
 382                                         POLICY_HND *alias_pol)
 383 {
 384         DOM_SID sid;
 385         LDAPDB *hds = NULL;
 386
 387         /* find the domain sid associated with the policy handle */
 388         if (!get_nt5ldapsid(get_global_hnd_cache(), domain_pol, &hds, &sid))
 389         {
 390                 return NT_STATUS_INVALID_HANDLE;
 391         }
 392
 393         /* this should not be hard-coded like this */
 394         if (!sid_equal(&sid, &global_sam_sid) &&
 395             !sid_equal(&sid, &global_sid_S_1_5_20))
 396         {
 397                 return NT_STATUS_ACCESS_DENIED;
 398         }
 399
 400         return samr_open_by_nt5ldapsid(hds, domain_pol,
 401                             &sid, alias_pol, access_mask, alias_rid);
 402 }
 403