search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13444: Add REJECT_REASON_OTHER for samr_chgpasswd_user3
[Samba/bb.git] / source3 / rpc_server / srv_samr_nt.c
blobb3be0cccc1565fbcc4c4fbadab1c3f7361bb45bb
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2005,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SA_RIGHT_USER_CHANGE_PASSWORD | \
42 SA_RIGHT_USER_SET_LOC_COM )
43
44 #define DISP_INFO_CACHE_TIMEOUT 10
45
46 typedef struct disp_info {
47 struct disp_info *next, *prev;
48 TALLOC_CTX *mem_ctx;
49 DOM_SID sid; /* identify which domain this is. */
50 BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */
51 struct pdb_search *users; /* querydispinfo 1 and 4 */
52 struct pdb_search *machines; /* querydispinfo 2 */
53 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
54 struct pdb_search *aliases; /* enumaliases */
55
56 uint16 enum_acb_mask;
57 struct pdb_search *enum_users; /* enumusers with a mask */
58
59
60 smb_event_id_t di_cache_timeout_event; /* cache idle timeout handler. */
61 } DISP_INFO;
62
63 /* We keep a static list of these by SID as modern clients close down
64 all resources between each request in a complete enumeration. */
65
66 static DISP_INFO *disp_info_list;
67
68 struct samr_info {
69 /* for use by the \PIPE\samr policy */
70 DOM_SID sid;
71 BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */
72 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
73 uint32 acc_granted;
74 DISP_INFO *disp_info;
75 TALLOC_CTX *mem_ctx;
76 };
77
78 static struct generic_mapping sam_generic_mapping = {
79 GENERIC_RIGHTS_SAM_READ,
80 GENERIC_RIGHTS_SAM_WRITE,
81 GENERIC_RIGHTS_SAM_EXECUTE,
82 GENERIC_RIGHTS_SAM_ALL_ACCESS};
83 static struct generic_mapping dom_generic_mapping = {
84 GENERIC_RIGHTS_DOMAIN_READ,
85 GENERIC_RIGHTS_DOMAIN_WRITE,
86 GENERIC_RIGHTS_DOMAIN_EXECUTE,
87 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
88 static struct generic_mapping usr_generic_mapping = {
89 GENERIC_RIGHTS_USER_READ,
90 GENERIC_RIGHTS_USER_WRITE,
91 GENERIC_RIGHTS_USER_EXECUTE,
92 GENERIC_RIGHTS_USER_ALL_ACCESS};
93 static struct generic_mapping grp_generic_mapping = {
94 GENERIC_RIGHTS_GROUP_READ,
95 GENERIC_RIGHTS_GROUP_WRITE,
96 GENERIC_RIGHTS_GROUP_EXECUTE,
97 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
98 static struct generic_mapping ali_generic_mapping = {
99 GENERIC_RIGHTS_ALIAS_READ,
100 GENERIC_RIGHTS_ALIAS_WRITE,
101 GENERIC_RIGHTS_ALIAS_EXECUTE,
102 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
103
104 /*******************************************************************
105 *******************************************************************/
106
107 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
108 struct generic_mapping *map,
109 DOM_SID *sid, uint32 sid_access )
110 {
111 DOM_SID domadmin_sid;
112 SEC_ACE ace[5]; /* at most 5 entries */
113 SEC_ACCESS mask;
114 size_t i = 0;
115
116 SEC_ACL *psa = NULL;
117
118 /* basic access for Everyone */
119
120 init_sec_access(&mask, map->generic_execute | map->generic_read );
121 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
122
123 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
124
125 init_sec_access(&mask, map->generic_all);
126
127 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
128 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
129
130 /* Add Full Access for Domain Admins if we are a DC */
131
132 if ( IS_DC ) {
133 sid_copy( &domadmin_sid, get_global_sam_sid() );
134 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
135 init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
136 }
137
138 /* if we have a sid, give it some special access */
139
140 if ( sid ) {
141 init_sec_access( &mask, sid_access );
142 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
143 }
144
145 /* create the security descriptor */
146
147 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
148 return NT_STATUS_NO_MEMORY;
149
150 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
151 return NT_STATUS_NO_MEMORY;
152
153 return NT_STATUS_OK;
154 }
155
156 /*******************************************************************
157 Checks if access to an object should be granted, and returns that
158 level of access for further checks.
159 ********************************************************************/
160
161 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
162 SE_PRIV *rights, uint32 rights_mask,
163 uint32 des_access, uint32 *acc_granted,
164 const char *debug )
165 {
166 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
167 uint32 saved_mask = 0;
168
169 /* check privileges; certain SAM access bits should be overridden
170 by privileges (mostly having to do with creating/modifying/deleting
171 users and groups) */
172
173 if ( rights && user_has_any_privilege( token, rights ) ) {
174
175 saved_mask = (des_access & rights_mask);
176 des_access &= ~saved_mask;
177
178 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
179 rights_mask));
180 }
181
182
183 /* check the security descriptor first */
184
185 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
186 goto done;
187
188 /* give root a free pass */
189
190 if ( geteuid() == sec_initial_uid() ) {
191
192 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
193 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
194
195 *acc_granted = des_access;
196
197 status = NT_STATUS_OK;
198 goto done;
199 }
200
201
202 done:
203 /* add in any bits saved during the privilege check (only
204 matters is status is ok) */
205
206 *acc_granted |= rights_mask;
207
208 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
209 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
210 des_access, *acc_granted));
211
212 return status;
213 }
214
215 /*******************************************************************
216 Checks if access to a function can be granted
217 ********************************************************************/
218
219 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
220 {
221 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
222 debug, acc_granted, acc_required));
223
224 /* check the security descriptor first */
225
226 if ( (acc_granted&acc_required) == acc_required )
227 return NT_STATUS_OK;
228
229 /* give root a free pass */
230
231 if (geteuid() == sec_initial_uid()) {
232
233 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
234 debug, acc_granted, acc_required));
235 DEBUGADD(4,("but overwritten by euid == 0\n"));
236
237 return NT_STATUS_OK;
238 }
239
240 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
241 debug, acc_granted, acc_required));
242
243 return NT_STATUS_ACCESS_DENIED;
244 }
245
246 /*******************************************************************
247 Fetch or create a dispinfo struct.
248 ********************************************************************/
249
250 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str)
251 {
252 TALLOC_CTX *mem_ctx;
253 DISP_INFO *dpi;
254
255 for (dpi = disp_info_list; dpi; dpi = dpi->next) {
256 if (sid_equal(psid, &dpi->sid)) {
257 return dpi;
258 }
259 }
260
261 /* This struct is never free'd - I'm using talloc so we
262 can get a list out of smbd using smbcontrol. There will
263 be one of these per SID we're authorative for. JRA. */
264
265 mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str);
266
267 if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL)
268 return NULL;
269
270 dpi->mem_ctx = mem_ctx;
271
272 if (psid) {
273 sid_copy( &dpi->sid, psid);
274 dpi->builtin_domain = sid_check_is_builtin(psid);
275 } else {
276 dpi->builtin_domain = False;
277 }
278
279 DLIST_ADD(disp_info_list, dpi);
280
281 return dpi;
282 }
283
284 /*******************************************************************
285 Create a samr_info struct.
286 ********************************************************************/
287
288 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
289 {
290 struct samr_info *info;
291 fstring sid_str;
292 TALLOC_CTX *mem_ctx;
293
294 if (psid) {
295 sid_to_string(sid_str, psid);
296 } else {
297 fstrcpy(sid_str,"(NULL)");
298 }
299
300 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
301
302 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
303 return NULL;
304
305 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
306 if (psid) {
307 sid_copy( &info->sid, psid);
308 info->builtin_domain = sid_check_is_builtin(psid);
309 } else {
310 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
311 info->builtin_domain = False;
312 }
313 info->mem_ctx = mem_ctx;
314
315 info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str);
316
317 if (!info->disp_info) {
318 talloc_destroy(mem_ctx);
319 return NULL;
320 }
321
322 return info;
323 }
324
325 /*******************************************************************
326 Function to free the per SID data.
327 ********************************************************************/
328
329 static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str)
330 {
331 DEBUG(10,("free_samr_cache: deleting cache for SID %s\n", sid_str));
332
333 /* We need to become root here because the paged search might have to
334 * tell the LDAP server we're not interested in the rest anymore. */
335
336 become_root();
337
338 if (disp_info->users) {
339 DEBUG(10,("free_samr_cache: deleting users cache\n"));
340 pdb_search_destroy(disp_info->users);
341 disp_info->users = NULL;
342 }
343 if (disp_info->machines) {
344 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
345 pdb_search_destroy(disp_info->machines);
346 disp_info->machines = NULL;
347 }
348 if (disp_info->groups) {
349 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
350 pdb_search_destroy(disp_info->groups);
351 disp_info->groups = NULL;
352 }
353 if (disp_info->aliases) {
354 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
355 pdb_search_destroy(disp_info->aliases);
356 disp_info->aliases = NULL;
357 }
358 if (disp_info->enum_users) {
359 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
360 pdb_search_destroy(disp_info->enum_users);
361 disp_info->enum_users = NULL;
362 }
363 disp_info->enum_acb_mask = 0;
364
365 unbecome_root();
366 }
367
368 /*******************************************************************
369 Function to free the per handle data.
370 ********************************************************************/
371
372 static void free_samr_info(void *ptr)
373 {
374 struct samr_info *info=(struct samr_info *) ptr;
375
376 /* Only free the dispinfo cache if no one bothered to set up
377 a timeout. */
378
379 if (info->disp_info && info->disp_info->di_cache_timeout_event == (smb_event_id_t)0) {
380 fstring sid_str;
381 sid_to_string(sid_str, &info->disp_info->sid);
382 free_samr_cache(info->disp_info, sid_str);
383 }
384
385 talloc_destroy(info->mem_ctx);
386 }
387
388 /*******************************************************************
389 Idle event handler. Throw away the disp info cache.
390 ********************************************************************/
391
392 static void disp_info_cache_idle_timeout_handler(void **private_data,
393 time_t *ev_interval,
394 time_t ev_now)
395 {
396 fstring sid_str;
397 DISP_INFO *disp_info = (DISP_INFO *)(*private_data);
398
399 sid_to_string(sid_str, &disp_info->sid);
400
401 free_samr_cache(disp_info, sid_str);
402
403 /* Remove the event. */
404 smb_unregister_idle_event(disp_info->di_cache_timeout_event);
405 disp_info->di_cache_timeout_event = (smb_event_id_t)0;
406
407 DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out for SID %s at %u\n",
408 sid_str, (unsigned int)ev_now));
409 }
410
411 /*******************************************************************
412 Setup cache removal idle event handler.
413 ********************************************************************/
414
415 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
416 {
417 fstring sid_str;
418
419 sid_to_string(sid_str, &disp_info->sid);
420
421 /* Remove any pending timeout and update. */
422
423 if (disp_info->di_cache_timeout_event) {
424 smb_unregister_idle_event(disp_info->di_cache_timeout_event);
425 disp_info->di_cache_timeout_event = (smb_event_id_t)0;
426 }
427
428 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for SID %s for %u seconds\n",
429 sid_str, (unsigned int)secs_fromnow ));
430
431 disp_info->di_cache_timeout_event =
432 smb_register_idle_event(disp_info_cache_idle_timeout_handler,
433 disp_info,
434 secs_fromnow);
435 }
436
437 /*******************************************************************
438 Force flush any cache. We do this on any samr_set_xxx call.
439 We must also remove the timeout handler.
440 ********************************************************************/
441
442 static void force_flush_samr_cache(DISP_INFO *disp_info)
443 {
444 if (disp_info) {
445 fstring sid_str;
446
447 sid_to_string(sid_str, &disp_info->sid);
448 if (disp_info->di_cache_timeout_event) {
449 smb_unregister_idle_event(disp_info->di_cache_timeout_event);
450 disp_info->di_cache_timeout_event = (smb_event_id_t)0;
451 DEBUG(10,("force_flush_samr_cache: clearing idle event for SID %s\n",
452 sid_str));
453 }
454 free_samr_cache(disp_info, sid_str);
455 }
456 }
457
458 /*******************************************************************
459 Ensure password info is never given out. Paranioa... JRA.
460 ********************************************************************/
461
462 static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass)
463 {
464
465 if (!sam_pass)
466 return;
467
468 /* These now zero out the old password */
469
470 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
471 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
472 }
473
474 static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags)
475 {
476 struct samr_displayentry *entry;
477
478 if (info->builtin_domain) {
479 /* No users in builtin. */
480 return 0;
481 }
482
483 if (info->users == NULL) {
484 info->users = pdb_search_users(acct_flags);
485 if (info->users == NULL) {
486 return 0;
487 }
488 }
489 /* Fetch the last possible entry, thus trigger an enumeration */
490 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
491
492 /* Ensure we cache this enumeration. */
493 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
494
495 return info->users->num_entries;
496 }
497
498 static uint32 count_sam_groups(struct disp_info *info)
499 {
500 struct samr_displayentry *entry;
501
502 if (info->builtin_domain) {
503 /* No groups in builtin. */
504 return 0;
505 }
506
507 if (info->groups == NULL) {
508 info->groups = pdb_search_groups();
509 if (info->groups == NULL) {
510 return 0;
511 }
512 }
513 /* Fetch the last possible entry, thus trigger an enumeration */
514 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
515
516 /* Ensure we cache this enumeration. */
517 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
518
519 return info->groups->num_entries;
520 }
521
522 static uint32 count_sam_aliases(struct disp_info *info)
523 {
524 struct samr_displayentry *entry;
525
526 if (info->aliases == NULL) {
527 info->aliases = pdb_search_aliases(&info->sid);
528 if (info->aliases == NULL) {
529 return 0;
530 }
531 }
532 /* Fetch the last possible entry, thus trigger an enumeration */
533 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
534
535 /* Ensure we cache this enumeration. */
536 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
537
538 return info->aliases->num_entries;
539 }
540
541 /*******************************************************************
542 _samr_close_hnd
543 ********************************************************************/
544
545 NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u)
546 {
547 r_u->status = NT_STATUS_OK;
548
549 /* close the policy handle */
550 if (!close_policy_hnd(p, &q_u->pol))
551 return NT_STATUS_OBJECT_NAME_INVALID;
552
553 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__));
554
555 return r_u->status;
556 }
557
558 /*******************************************************************
559 samr_reply_open_domain
560 ********************************************************************/
561
562 NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u)
563 {
564 struct samr_info *info;
565 SEC_DESC *psd = NULL;
566 uint32 acc_granted;
567 uint32 des_access = q_u->flags;
568 NTSTATUS status;
569 size_t sd_size;
570 SE_PRIV se_rights;
571
572 r_u->status = NT_STATUS_OK;
573
574 /* find the connection policy handle. */
575
576 if ( !find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info) )
577 return NT_STATUS_INVALID_HANDLE;
578
579 status = access_check_samr_function( info->acc_granted,
580 SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_open_domain" );
581
582 if ( !NT_STATUS_IS_OK(status) )
583 return status;
584
585 /*check if access can be granted as requested by client. */
586
587 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
588 se_map_generic( &des_access, &dom_generic_mapping );
589
590 se_priv_copy( &se_rights, &se_machine_account );
591 se_priv_add( &se_rights, &se_add_users );
592
593 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
594 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
595 &acc_granted, "_samr_open_domain" );
596
597 if ( !NT_STATUS_IS_OK(status) )
598 return status;
599
600 if (!sid_check_is_domain(&q_u->dom_sid.sid) &&
601 !sid_check_is_builtin(&q_u->dom_sid.sid)) {
602 return NT_STATUS_NO_SUCH_DOMAIN;
603 }
604
605 /* associate the domain SID with the (unique) handle. */
606 if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
607 return NT_STATUS_NO_MEMORY;
608 info->acc_granted = acc_granted;
609
610 /* get a (unique) handle. open a policy on it. */
611 if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
612 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
613
614 DEBUG(5,("samr_open_domain: %d\n", __LINE__));
615
616 return r_u->status;
617 }
618
619 /*******************************************************************
620 _samr_get_usrdom_pwinfo
621 ********************************************************************/
622
623 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
624 {
625 struct samr_info *info = NULL;
626
627 r_u->status = NT_STATUS_OK;
628
629 /* find the policy handle. open a policy on it. */
630 if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)(void *)&info))
631 return NT_STATUS_INVALID_HANDLE;
632
633 if (!sid_check_is_in_our_domain(&info->sid))
634 return NT_STATUS_OBJECT_TYPE_MISMATCH;
635
636 init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK);
637
638 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__));
639
640 /*
641 * NT sometimes return NT_STATUS_ACCESS_DENIED
642 * I don't know yet why.
643 */
644
645 return r_u->status;
646 }
647
648 /*******************************************************************
649 _samr_set_sec_obj
650 ********************************************************************/
651
652 NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
653 {
654 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
655 return NT_STATUS_NOT_IMPLEMENTED;
656 }
657
658 /*******************************************************************
659 ********************************************************************/
660
661 static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
662 DOM_SID *sid, uint32 *acc_granted,
663 DISP_INFO **ppdisp_info)
664 {
665 struct samr_info *info = NULL;
666
667 /* find the policy handle. open a policy on it. */
668 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
669 return False;
670
671 if (!info)
672 return False;
673
674 *sid = info->sid;
675 *acc_granted = info->acc_granted;
676 if (ppdisp_info) {
677 *ppdisp_info = info->disp_info;
678 }
679
680 return True;
681 }
682
683 /*******************************************************************
684 _samr_query_sec_obj
685 ********************************************************************/
686
687 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
688 {
689 DOM_SID pol_sid;
690 fstring str_sid;
691 SEC_DESC * psd = NULL;
692 uint32 acc_granted;
693 size_t sd_size;
694
695 r_u->status = NT_STATUS_OK;
696
697 /* Get the SID. */
698 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL))
699 return NT_STATUS_INVALID_HANDLE;
700
701 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
702
703 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
704
705 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
706 if (pol_sid.sid_rev_num == 0) {
707 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
708 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
709 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
710 /* check if it is our domain SID */
711 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
712 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
713 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
714 /* check if it is the Builtin Domain */
715 /* TODO: Builtin probably needs a different SD with restricted write access*/
716 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
717 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
718 } else if (sid_check_is_in_our_domain(&pol_sid) ||
719 sid_check_is_in_builtin(&pol_sid)) {
720 /* TODO: different SDs have to be generated for aliases groups and users.
721 Currently all three get a default user SD */
722 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
723 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
724 } else {
725 return NT_STATUS_OBJECT_TYPE_MISMATCH;
726 }
727
728 if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
729 return NT_STATUS_NO_MEMORY;
730
731 if (NT_STATUS_IS_OK(r_u->status))
732 r_u->ptr = 1;
733
734 return r_u->status;
735 }
736
737 /*******************************************************************
738 makes a SAM_ENTRY / UNISTR2* structure from a user list.
739 ********************************************************************/
740
741 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp,
742 UNISTR2 **uni_name_pp,
743 uint32 num_entries, uint32 start_idx,
744 struct samr_displayentry *entries)
745 {
746 uint32 i;
747 SAM_ENTRY *sam;
748 UNISTR2 *uni_name;
749
750 *sam_pp = NULL;
751 *uni_name_pp = NULL;
752
753 if (num_entries == 0)
754 return NT_STATUS_OK;
755
756 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_entries);
757
758 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries);
759
760 if (sam == NULL || uni_name == NULL) {
761 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
762 return NT_STATUS_NO_MEMORY;
763 }
764
765 for (i = 0; i < num_entries; i++) {
766 UNISTR2 uni_temp_name;
767 /*
768 * usrmgr expects a non-NULL terminated string with
769 * trust relationships
770 */
771 if (entries[i].acct_flags & ACB_DOMTRUST) {
772 init_unistr2(&uni_temp_name, entries[i].account_name,
773 UNI_FLAGS_NONE);
774 } else {
775 init_unistr2(&uni_temp_name, entries[i].account_name,
776 UNI_STR_TERMINATE);
777 }
778
779 init_sam_entry(&sam[i], &uni_temp_name, entries[i].rid);
780 copy_unistr2(&uni_name[i], &uni_temp_name);
781 }
782
783 *sam_pp = sam;
784 *uni_name_pp = uni_name;
785 return NT_STATUS_OK;
786 }
787
788 /*******************************************************************
789 samr_reply_enum_dom_users
790 ********************************************************************/
791
792 NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
793 SAMR_R_ENUM_DOM_USERS *r_u)
794 {
795 struct samr_info *info = NULL;
796 int num_account;
797 uint32 enum_context=q_u->start_idx;
798 enum remote_arch_types ra_type = get_remote_arch();
799 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
800 uint32 max_entries = max_sam_entries;
801 struct samr_displayentry *entries = NULL;
802
803 r_u->status = NT_STATUS_OK;
804
805 /* find the policy handle. open a policy on it. */
806 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
807 return NT_STATUS_INVALID_HANDLE;
808
809 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
810 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
811 "_samr_enum_dom_users"))) {
812 return r_u->status;
813 }
814
815 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
816
817 if (info->builtin_domain) {
818 /* No users in builtin. */
819 init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0);
820 DEBUG(5,("_samr_enum_dom_users: No users in BUILTIN\n"));
821 return r_u->status;
822 }
823
824 become_root();
825
826 /* AS ROOT !!!! */
827
828 if ((info->disp_info->enum_users != NULL) &&
829 (info->disp_info->enum_acb_mask != q_u->acb_mask)) {
830 pdb_search_destroy(info->disp_info->enum_users);
831 info->disp_info->enum_users = NULL;
832 }
833
834 if (info->disp_info->enum_users == NULL) {
835 info->disp_info->enum_users = pdb_search_users(q_u->acb_mask);
836 info->disp_info->enum_acb_mask = q_u->acb_mask;
837 }
838
839 if (info->disp_info->enum_users == NULL) {
840 /* END AS ROOT !!!! */
841 unbecome_root();
842 return NT_STATUS_ACCESS_DENIED;
843 }
844
845 num_account = pdb_search_entries(info->disp_info->enum_users,
846 enum_context, max_entries,
847 &entries);
848
849 /* END AS ROOT !!!! */
850
851 unbecome_root();
852
853 if (num_account == 0) {
854 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over "
855 "total entries\n"));
856 return NT_STATUS_OK;
857 }
858
859 r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam,
860 &r_u->uni_acct_name,
861 num_account, enum_context,
862 entries);
863
864 if (!NT_STATUS_IS_OK(r_u->status))
865 return r_u->status;
866
867 if (max_entries <= num_account) {
868 r_u->status = STATUS_MORE_ENTRIES;
869 } else {
870 r_u->status = NT_STATUS_OK;
871 }
872
873 /* Ensure we cache this enumeration. */
874 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
875
876 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__));
877
878 init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account,
879 num_account);
880
881 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
882
883 return r_u->status;
884 }
885
886 /*******************************************************************
887 makes a SAM_ENTRY / UNISTR2* structure from a group list.
888 ********************************************************************/
889
890 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp,
891 UNISTR2 **uni_name_pp,
892 uint32 num_sam_entries,
893 struct samr_displayentry *entries)
894 {
895 uint32 i;
896 SAM_ENTRY *sam;
897 UNISTR2 *uni_name;
898
899 *sam_pp = NULL;
900 *uni_name_pp = NULL;
901
902 if (num_sam_entries == 0)
903 return;
904
905 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries);
906 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries);
907
908 if (sam == NULL || uni_name == NULL) {
909 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
910 return;
911 }
912
913 for (i = 0; i < num_sam_entries; i++) {
914 /*
915 * JRA. I think this should include the null. TNG does not.
916 */
917 init_unistr2(&uni_name[i], entries[i].account_name,
918 UNI_STR_TERMINATE);
919 init_sam_entry(&sam[i], &uni_name[i], entries[i].rid);
920 }
921
922 *sam_pp = sam;
923 *uni_name_pp = uni_name;
924 }
925
926 /*******************************************************************
927 samr_reply_enum_dom_groups
928 ********************************************************************/
929
930 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
931 {
932 struct samr_info *info = NULL;
933 struct samr_displayentry *groups;
934 uint32 num_groups;
935
936 r_u->status = NT_STATUS_OK;
937
938 /* find the policy handle. open a policy on it. */
939 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
940 return NT_STATUS_INVALID_HANDLE;
941
942 r_u->status = access_check_samr_function(info->acc_granted,
943 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
944 "_samr_enum_dom_groups");
945 if (!NT_STATUS_IS_OK(r_u->status))
946 return r_u->status;
947
948 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
949
950 if (info->builtin_domain) {
951 /* No groups in builtin. */
952 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, 0);
953 DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n"));
954 return r_u->status;
955 }
956
957 /* the domain group array is being allocated in the function below */
958
959 become_root();
960
961 if (info->disp_info->groups == NULL) {
962 info->disp_info->groups = pdb_search_groups();
963
964 if (info->disp_info->groups == NULL) {
965 unbecome_root();
966 return NT_STATUS_ACCESS_DENIED;
967 }
968 }
969
970 num_groups = pdb_search_entries(info->disp_info->groups, q_u->start_idx,
971 MAX_SAM_ENTRIES, &groups);
972 unbecome_root();
973
974 /* Ensure we cache this enumeration. */
975 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
976
977 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name,
978 num_groups, groups);
979
980 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups);
981
982 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
983
984 return r_u->status;
985 }
986
987 /*******************************************************************
988 samr_reply_enum_dom_aliases
989 ********************************************************************/
990
991 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
992 {
993 struct samr_info *info;
994 struct samr_displayentry *aliases;
995 uint32 num_aliases = 0;
996
997 /* find the policy handle. open a policy on it. */
998 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
999 return NT_STATUS_INVALID_HANDLE;
1000
1001 r_u->status = access_check_samr_function(info->acc_granted,
1002 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1003 "_samr_enum_dom_aliases");
1004 if (!NT_STATUS_IS_OK(r_u->status))
1005 return r_u->status;
1006
1007 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n",
1008 sid_string_static(&info->sid)));
1009
1010 become_root();
1011
1012 if (info->disp_info->aliases == NULL) {
1013 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1014 if (info->disp_info->aliases == NULL) {
1015 unbecome_root();
1016 return NT_STATUS_ACCESS_DENIED;
1017 }
1018 }
1019
1020 num_aliases = pdb_search_entries(info->disp_info->aliases, q_u->start_idx,
1021 MAX_SAM_ENTRIES, &aliases);
1022 unbecome_root();
1023
1024 /* Ensure we cache this enumeration. */
1025 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1026
1027 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name,
1028 num_aliases, aliases);
1029
1030 init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases,
1031 num_aliases);
1032
1033 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
1034
1035 return r_u->status;
1036 }
1037
1038 /*******************************************************************
1039 samr_reply_query_dispinfo
1040 ********************************************************************/
1041
1042 NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u,
1043 SAMR_R_QUERY_DISPINFO *r_u)
1044 {
1045 struct samr_info *info = NULL;
1046 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1047
1048 uint32 max_entries=q_u->max_entries;
1049 uint32 enum_context=q_u->start_idx;
1050 uint32 max_size=q_u->max_size;
1051
1052 SAM_DISPINFO_CTR *ctr;
1053 uint32 temp_size=0, total_data_size=0;
1054 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1055 uint32 num_account = 0;
1056 enum remote_arch_types ra_type = get_remote_arch();
1057 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1058 struct samr_displayentry *entries = NULL;
1059
1060 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
1061 r_u->status = NT_STATUS_UNSUCCESSFUL;
1062
1063 /* find the policy handle. open a policy on it. */
1064 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info))
1065 return NT_STATUS_INVALID_HANDLE;
1066
1067 /*
1068 * calculate how many entries we will return.
1069 * based on
1070 * - the number of entries the client asked
1071 * - our limit on that
1072 * - the starting point (enumeration context)
1073 * - the buffer size the client will accept
1074 */
1075
1076 /*
1077 * We are a lot more like W2K. Instead of reading the SAM
1078 * each time to find the records we need to send back,
1079 * we read it once and link that copy to the sam handle.
1080 * For large user list (over the MAX_SAM_ENTRIES)
1081 * it's a definitive win.
1082 * second point to notice: between enumerations
1083 * our sam is now the same as it's a snapshoot.
1084 * third point: got rid of the static SAM_USER_21 struct
1085 * no more intermediate.
1086 * con: it uses much more memory, as a full copy is stored
1087 * in memory.
1088 *
1089 * If you want to change it, think twice and think
1090 * of the second point , that's really important.
1091 *
1092 * JFM, 12/20/2001
1093 */
1094
1095 if ((q_u->switch_level < 1) || (q_u->switch_level > 5)) {
1096 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n",
1097 (unsigned int)q_u->switch_level ));
1098 return NT_STATUS_INVALID_INFO_CLASS;
1099 }
1100
1101 /* first limit the number of entries we will return */
1102 if(max_entries > max_sam_entries) {
1103 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d "
1104 "entries, limiting to %d\n", max_entries,
1105 max_sam_entries));
1106 max_entries = max_sam_entries;
1107 }
1108
1109 /* calculate the size and limit on the number of entries we will
1110 * return */
1111
1112 temp_size=max_entries*struct_size;
1113
1114 if (temp_size>max_size) {
1115 max_entries=MIN((max_size/struct_size),max_entries);;
1116 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to "
1117 "only %d entries\n", max_entries));
1118 }
1119
1120 if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR)))
1121 return NT_STATUS_NO_MEMORY;
1122
1123 ZERO_STRUCTP(ctr);
1124
1125 become_root();
1126
1127 /* THe following done as ROOT. Don't return without unbecome_root(). */
1128
1129 switch (q_u->switch_level) {
1130 case 0x1:
1131 case 0x4:
1132 if (info->disp_info->users == NULL) {
1133 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1134 if (info->disp_info->users == NULL) {
1135 unbecome_root();
1136 return NT_STATUS_ACCESS_DENIED;
1137 }
1138 DEBUG(10,("samr_reply_query_dispinfo: starting user enumeration at index %u\n",
1139 (unsigned int)enum_context ));
1140 } else {
1141 DEBUG(10,("samr_reply_query_dispinfo: using cached user enumeration at index %u\n",
1142 (unsigned int)enum_context ));
1143 }
1144
1145 num_account = pdb_search_entries(info->disp_info->users,
1146 enum_context, max_entries,
1147 &entries);
1148 break;
1149 case 0x2:
1150 if (info->disp_info->machines == NULL) {
1151 info->disp_info->machines =
1152 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1153 if (info->disp_info->machines == NULL) {
1154 unbecome_root();
1155 return NT_STATUS_ACCESS_DENIED;
1156 }
1157 DEBUG(10,("samr_reply_query_dispinfo: starting machine enumeration at index %u\n",
1158 (unsigned int)enum_context ));
1159 } else {
1160 DEBUG(10,("samr_reply_query_dispinfo: using cached machine enumeration at index %u\n",
1161 (unsigned int)enum_context ));
1162 }
1163
1164 num_account = pdb_search_entries(info->disp_info->machines,
1165 enum_context, max_entries,
1166 &entries);
1167 break;
1168 case 0x3:
1169 case 0x5:
1170 if (info->disp_info->groups == NULL) {
1171 info->disp_info->groups = pdb_search_groups();
1172 if (info->disp_info->groups == NULL) {
1173 unbecome_root();
1174 return NT_STATUS_ACCESS_DENIED;
1175 }
1176 DEBUG(10,("samr_reply_query_dispinfo: starting group enumeration at index %u\n",
1177 (unsigned int)enum_context ));
1178 } else {
1179 DEBUG(10,("samr_reply_query_dispinfo: using cached group enumeration at index %u\n",
1180 (unsigned int)enum_context ));
1181 }
1182
1183 num_account = pdb_search_entries(info->disp_info->groups,
1184 enum_context, max_entries,
1185 &entries);
1186 break;
1187 default:
1188 unbecome_root();
1189 smb_panic("info class changed");
1190 break;
1191 }
1192 unbecome_root();
1193
1194 /* Now create reply structure */
1195 switch (q_u->switch_level) {
1196 case 0x1:
1197 disp_ret = init_sam_dispinfo_1(p->mem_ctx, &ctr->sam.info1,
1198 num_account, enum_context,
1199 entries);
1200 break;
1201 case 0x2:
1202 disp_ret = init_sam_dispinfo_2(p->mem_ctx, &ctr->sam.info2,
1203 num_account, enum_context,
1204 entries);
1205 break;
1206 case 0x3:
1207 disp_ret = init_sam_dispinfo_3(p->mem_ctx, &ctr->sam.info3,
1208 num_account, enum_context,
1209 entries);
1210 break;
1211 case 0x4:
1212 disp_ret = init_sam_dispinfo_4(p->mem_ctx, &ctr->sam.info4,
1213 num_account, enum_context,
1214 entries);
1215 break;
1216 case 0x5:
1217 disp_ret = init_sam_dispinfo_5(p->mem_ctx, &ctr->sam.info5,
1218 num_account, enum_context,
1219 entries);
1220 break;
1221 default:
1222 smb_panic("info class changed");
1223 break;
1224 }
1225
1226 if (!NT_STATUS_IS_OK(disp_ret))
1227 return disp_ret;
1228
1229 /* calculate the total size */
1230 total_data_size=num_account*struct_size;
1231
1232 if (num_account) {
1233 r_u->status = STATUS_MORE_ENTRIES;
1234 } else {
1235 r_u->status = NT_STATUS_OK;
1236 }
1237
1238 /* Ensure we cache this enumeration. */
1239 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1240
1241 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__));
1242
1243 init_samr_r_query_dispinfo(r_u, num_account, total_data_size,
1244 temp_size, q_u->switch_level, ctr,
1245 r_u->status);
1246
1247 return r_u->status;
1248
1249 }
1250
1251 /*******************************************************************
1252 samr_reply_query_aliasinfo
1253 ********************************************************************/
1254
1255 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1256 {
1257 DOM_SID sid;
1258 struct acct_info info;
1259 uint32 acc_granted;
1260 BOOL ret;
1261
1262 r_u->status = NT_STATUS_OK;
1263
1264 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1265
1266 /* find the policy handle. open a policy on it. */
1267 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL))
1268 return NT_STATUS_INVALID_HANDLE;
1269 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1270 return r_u->status;
1271 }
1272
1273 become_root();
1274 ret = pdb_get_aliasinfo(&sid, &info);
1275 unbecome_root();
1276
1277 if ( !ret )
1278 return NT_STATUS_NO_SUCH_ALIAS;
1279
1280 if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) )
1281 return NT_STATUS_NO_MEMORY;
1282
1283
1284 switch (q_u->level ) {
1285 case 1:
1286 r_u->ctr->level = 1;
1287 init_samr_alias_info1(&r_u->ctr->alias.info1, info.acct_name, 1, info.acct_desc);
1288 break;
1289 case 3:
1290 r_u->ctr->level = 3;
1291 init_samr_alias_info3(&r_u->ctr->alias.info3, info.acct_desc);
1292 break;
1293 default:
1294 return NT_STATUS_INVALID_INFO_CLASS;
1295 }
1296
1297 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1298
1299 return r_u->status;
1300 }
1301
1302 #if 0
1303 /*******************************************************************
1304 samr_reply_lookup_ids
1305 ********************************************************************/
1306
1307 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1308 {
1309 uint32 rid[MAX_SAM_ENTRIES];
1310 int num_rids = q_u->num_sids1;
1311
1312 r_u->status = NT_STATUS_OK;
1313
1314 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1315
1316 if (num_rids > MAX_SAM_ENTRIES) {
1317 num_rids = MAX_SAM_ENTRIES;
1318 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1319 }
1320
1321 #if 0
1322 int i;
1323 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1324
1325 for (i = 0; i < num_rids && status == 0; i++)
1326 {
1327 struct sam_passwd *sam_pass;
1328 fstring user_name;
1329
1330
1331 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1332 q_u->uni_user_name[i].uni_str_len));
1333
1334 /* find the user account */
1335 become_root();
1336 sam_pass = get_smb21pwd_entry(user_name, 0);
1337 unbecome_root();
1338
1339 if (sam_pass == NULL)
1340 {
1341 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1342 rid[i] = 0;
1343 }
1344 else
1345 {
1346 rid[i] = sam_pass->user_rid;
1347 }
1348 }
1349 #endif
1350
1351 num_rids = 1;
1352 rid[0] = BUILTIN_ALIAS_RID_USERS;
1353
1354 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1355
1356 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1357
1358 return r_u->status;
1359 }
1360 #endif
1361
1362 /*******************************************************************
1363 _samr_lookup_names
1364 ********************************************************************/
1365
1366 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1367 {
1368 uint32 rid[MAX_SAM_ENTRIES];
1369 enum SID_NAME_USE type[MAX_SAM_ENTRIES];
1370 int i;
1371 int num_rids = q_u->num_names2;
1372 DOM_SID pol_sid;
1373 fstring sid_str;
1374 uint32 acc_granted;
1375
1376 r_u->status = NT_STATUS_OK;
1377
1378 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1379
1380 ZERO_ARRAY(rid);
1381 ZERO_ARRAY(type);
1382
1383 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) {
1384 init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
1385 return r_u->status;
1386 }
1387
1388 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1389 return r_u->status;
1390 }
1391
1392 if (num_rids > MAX_SAM_ENTRIES) {
1393 num_rids = MAX_SAM_ENTRIES;
1394 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
1395 }
1396
1397 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
1398
1399 for (i = 0; i < num_rids; i++) {
1400 fstring name;
1401 int ret;
1402
1403 r_u->status = NT_STATUS_NONE_MAPPED;
1404 type[i] = SID_NAME_UNKNOWN;
1405
1406 rid [i] = 0xffffffff;
1407
1408 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1409
1410 if (ret <= 0) {
1411 continue;
1412 }
1413
1414 if (sid_check_is_builtin(&pol_sid)) {
1415 if (lookup_builtin_name(name, &rid[i])) {
1416 type[i] = SID_NAME_ALIAS;
1417 }
1418 } else {
1419 lookup_global_sam_name(name, 0, &rid[i], &type[i]);
1420 }
1421
1422 if (type[i] != SID_NAME_UNKNOWN) {
1423 r_u->status = NT_STATUS_OK;
1424 }
1425 }
1426
1427 init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status);
1428
1429 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1430
1431 return r_u->status;
1432 }
1433
1434 /*******************************************************************
1435 _samr_chgpasswd_user
1436 ********************************************************************/
1437
1438 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1439 {
1440 fstring user_name;
1441 fstring wks;
1442
1443 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1444
1445 r_u->status = NT_STATUS_OK;
1446
1447 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1448 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1449
1450 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
1451
1452 /*
1453 * Pass the user through the NT -> unix user mapping
1454 * function.
1455 */
1456
1457 (void)map_username(user_name);
1458
1459 /*
1460 * UNIX username case mangling not required, pass_oem_change
1461 * is case insensitive.
1462 */
1463
1464 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1465 q_u->nt_newpass.pass, q_u->nt_oldhash.hash, NULL);
1466
1467 init_samr_r_chgpasswd_user(r_u, r_u->status);
1468
1469 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1470
1471 return r_u->status;
1472 }
1473
1474 /*******************************************************************
1475 _samr_chgpasswd_user3
1476 ********************************************************************/
1477
1478 NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAMR_R_CHGPASSWD_USER3 *r_u)
1479 {
1480 fstring user_name;
1481 fstring wks;
1482 uint32 reject_reason;
1483 SAM_UNK_INFO_1 *info = NULL;
1484 SAMR_CHANGE_REJECT *reject = NULL;
1485
1486 DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__));
1487
1488 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1489 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1490
1491 DEBUG(5,("_samr_chgpasswd_user3: user: %s wks: %s\n", user_name, wks));
1492
1493 /*
1494 * Pass the user through the NT -> unix user mapping
1495 * function.
1496 */
1497
1498 (void)map_username(user_name);
1499
1500 /*
1501 * UNIX username case mangling not required, pass_oem_change
1502 * is case insensitive.
1503 */
1504
1505 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1506 q_u->nt_newpass.pass, q_u->nt_oldhash.hash, &reject_reason);
1507
1508 if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION) ||
1509 NT_STATUS_EQUAL(r_u->status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1510
1511 uint32 min_pass_len,pass_hist,password_properties;
1512 time_t u_expire, u_min_age;
1513 NTTIME nt_expire, nt_min_age;
1514 uint32 account_policy_temp;
1515
1516 if ((info = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_INFO_1)) == NULL) {
1517 return NT_STATUS_NO_MEMORY;
1518 }
1519
1520 if ((reject = TALLOC_ZERO_P(p->mem_ctx, SAMR_CHANGE_REJECT)) == NULL) {
1521 return NT_STATUS_NO_MEMORY;
1522 }
1523
1524 ZERO_STRUCTP(info);
1525 ZERO_STRUCTP(reject);
1526
1527 become_root();
1528
1529 /* AS ROOT !!! */
1530
1531 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
1532 min_pass_len = account_policy_temp;
1533
1534 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
1535 pass_hist = account_policy_temp;
1536
1537 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
1538 password_properties = account_policy_temp;
1539
1540 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1541 u_expire = account_policy_temp;
1542
1543 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1544 u_min_age = account_policy_temp;
1545
1546 /* !AS ROOT */
1547
1548 unbecome_root();
1549
1550 unix_to_nt_time_abs(&nt_expire, u_expire);
1551 unix_to_nt_time_abs(&nt_min_age, u_min_age);
1552
1553 init_unk_info1(info, (uint16)min_pass_len, (uint16)pass_hist,
1554 password_properties, nt_expire, nt_min_age);
1555
1556 reject->reject_reason = reject_reason;
1557 }
1558
1559 init_samr_r_chgpasswd_user3(r_u, r_u->status, reject, info);
1560
1561 DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__));
1562
1563 return r_u->status;
1564 }
1565
1566 /*******************************************************************
1567 makes a SAMR_R_LOOKUP_RIDS structure.
1568 ********************************************************************/
1569
1570 static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
1571 const char **names, UNIHDR **pp_hdr_name,
1572 UNISTR2 **pp_uni_name)
1573 {
1574 uint32 i;
1575 UNIHDR *hdr_name=NULL;
1576 UNISTR2 *uni_name=NULL;
1577
1578 *pp_uni_name = NULL;
1579 *pp_hdr_name = NULL;
1580
1581 if (num_names != 0) {
1582 hdr_name = TALLOC_ZERO_ARRAY(ctx, UNIHDR, num_names);
1583 if (hdr_name == NULL)
1584 return False;
1585
1586 uni_name = TALLOC_ZERO_ARRAY(ctx,UNISTR2, num_names);
1587 if (uni_name == NULL)
1588 return False;
1589 }
1590
1591 for (i = 0; i < num_names; i++) {
1592 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
1593 init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE);
1594 init_uni_hdr(&hdr_name[i], &uni_name[i]);
1595 }
1596
1597 *pp_uni_name = uni_name;
1598 *pp_hdr_name = hdr_name;
1599
1600 return True;
1601 }
1602
1603 /*******************************************************************
1604 _samr_lookup_rids
1605 ********************************************************************/
1606
1607 NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
1608 {
1609 const char **names;
1610 uint32 *attrs = NULL;
1611 UNIHDR *hdr_name = NULL;
1612 UNISTR2 *uni_name = NULL;
1613 DOM_SID pol_sid;
1614 int num_rids = q_u->num_rids1;
1615 uint32 acc_granted;
1616
1617 r_u->status = NT_STATUS_OK;
1618
1619 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1620
1621 /* find the policy handle. open a policy on it. */
1622 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL))
1623 return NT_STATUS_INVALID_HANDLE;
1624
1625 if (num_rids > 1000) {
1626 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
1627 "to samba4 idl this is not possible\n", num_rids));
1628 return NT_STATUS_UNSUCCESSFUL;
1629 }
1630
1631 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
1632 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
1633
1634 if ((num_rids != 0) && ((names == NULL) || (attrs == NULL)))
1635 return NT_STATUS_NO_MEMORY;
1636
1637 become_root(); /* lookup_sid can require root privs */
1638 r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid,
1639 names, attrs);
1640 unbecome_root();
1641
1642 if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
1643 &hdr_name, &uni_name))
1644 return NT_STATUS_NO_MEMORY;
1645
1646 init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, attrs);
1647
1648 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1649
1650 return r_u->status;
1651 }
1652
1653 /*******************************************************************
1654 _samr_open_user. Safe - gives out no passwd info.
1655 ********************************************************************/
1656
1657 NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
1658 {
1659 SAM_ACCOUNT *sampass=NULL;
1660 DOM_SID sid;
1661 POLICY_HND domain_pol = q_u->domain_pol;
1662 POLICY_HND *user_pol = &r_u->user_pol;
1663 struct samr_info *info = NULL;
1664 SEC_DESC *psd = NULL;
1665 uint32 acc_granted;
1666 uint32 des_access = q_u->access_mask;
1667 size_t sd_size;
1668 BOOL ret;
1669 NTSTATUS nt_status;
1670 SE_PRIV se_rights;
1671
1672 r_u->status = NT_STATUS_OK;
1673
1674 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1675
1676 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
1677 return NT_STATUS_INVALID_HANDLE;
1678
1679 nt_status = access_check_samr_function( acc_granted,
1680 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user" );
1681
1682 if ( !NT_STATUS_IS_OK(nt_status) )
1683 return nt_status;
1684
1685 nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass);
1686
1687 if (!NT_STATUS_IS_OK(nt_status))
1688 return nt_status;
1689
1690 /* append the user's RID to it */
1691
1692 if (!sid_append_rid(&sid, q_u->user_rid))
1693 return NT_STATUS_NO_SUCH_USER;
1694
1695 /* check if access can be granted as requested by client. */
1696
1697 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
1698 se_map_generic(&des_access, &usr_generic_mapping);
1699
1700 se_priv_copy( &se_rights, &se_machine_account );
1701 se_priv_add( &se_rights, &se_add_users );
1702
1703 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
1704 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
1705 &acc_granted, "_samr_open_user");
1706
1707 if ( !NT_STATUS_IS_OK(nt_status) )
1708 return nt_status;
1709
1710 become_root();
1711 ret=pdb_getsampwsid(sampass, &sid);
1712 unbecome_root();
1713
1714 /* check that the SID exists in our domain. */
1715 if (ret == False) {
1716 return NT_STATUS_NO_SUCH_USER;
1717 }
1718
1719 pdb_free_sam(&sampass);
1720
1721 /* associate the user's SID and access bits with the new handle. */
1722 if ((info = get_samr_info_by_sid(&sid)) == NULL)
1723 return NT_STATUS_NO_MEMORY;
1724 info->acc_granted = acc_granted;
1725
1726 /* get a (unique) handle. open a policy on it. */
1727 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
1728 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1729
1730 return r_u->status;
1731 }
1732
1733 /*************************************************************************
1734 get_user_info_7. Safe. Only gives out account_name.
1735 *************************************************************************/
1736
1737 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid)
1738 {
1739 SAM_ACCOUNT *smbpass=NULL;
1740 BOOL ret;
1741 NTSTATUS nt_status;
1742
1743 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1744
1745 if (!NT_STATUS_IS_OK(nt_status)) {
1746 return nt_status;
1747 }
1748
1749 become_root();
1750 ret = pdb_getsampwsid(smbpass, user_sid);
1751 unbecome_root();
1752
1753 if (ret==False) {
1754 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1755 return NT_STATUS_NO_SUCH_USER;
1756 }
1757
1758 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1759
1760 ZERO_STRUCTP(id7);
1761 init_sam_user_info7(id7, pdb_get_username(smbpass) );
1762
1763 pdb_free_sam(&smbpass);
1764
1765 return NT_STATUS_OK;
1766 }
1767
1768 /*************************************************************************
1769 get_user_info_9. Only gives out primary group SID.
1770 *************************************************************************/
1771 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid)
1772 {
1773 SAM_ACCOUNT *smbpass=NULL;
1774 BOOL ret;
1775 NTSTATUS nt_status;
1776
1777 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1778
1779 if (!NT_STATUS_IS_OK(nt_status)) {
1780 return nt_status;
1781 }
1782
1783 become_root();
1784 ret = pdb_getsampwsid(smbpass, user_sid);
1785 unbecome_root();
1786
1787 if (ret==False) {
1788 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1789 return NT_STATUS_NO_SUCH_USER;
1790 }
1791
1792 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1793
1794 ZERO_STRUCTP(id9);
1795 init_sam_user_info9(id9, pdb_get_group_rid(smbpass) );
1796
1797 pdb_free_sam(&smbpass);
1798
1799 return NT_STATUS_OK;
1800 }
1801
1802 /*************************************************************************
1803 get_user_info_16. Safe. Only gives out acb bits.
1804 *************************************************************************/
1805
1806 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid)
1807 {
1808 SAM_ACCOUNT *smbpass=NULL;
1809 BOOL ret;
1810 NTSTATUS nt_status;
1811
1812 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1813
1814 if (!NT_STATUS_IS_OK(nt_status)) {
1815 return nt_status;
1816 }
1817
1818 become_root();
1819 ret = pdb_getsampwsid(smbpass, user_sid);
1820 unbecome_root();
1821
1822 if (ret==False) {
1823 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1824 return NT_STATUS_NO_SUCH_USER;
1825 }
1826
1827 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1828
1829 ZERO_STRUCTP(id16);
1830 init_sam_user_info16(id16, pdb_get_acct_ctrl(smbpass) );
1831
1832 pdb_free_sam(&smbpass);
1833
1834 return NT_STATUS_OK;
1835 }
1836
1837 /*************************************************************************
1838 get_user_info_18. OK - this is the killer as it gives out password info.
1839 Ensure that this is only allowed on an encrypted connection with a root
1840 user. JRA.
1841 *************************************************************************/
1842
1843 static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid)
1844 {
1845 SAM_ACCOUNT *smbpass=NULL;
1846 BOOL ret;
1847 NTSTATUS nt_status;
1848
1849 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
1850 return NT_STATUS_ACCESS_DENIED;
1851 }
1852
1853 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
1854 return NT_STATUS_ACCESS_DENIED;
1855 }
1856
1857 /*
1858 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1859 */
1860
1861 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1862
1863 if (!NT_STATUS_IS_OK(nt_status)) {
1864 return nt_status;
1865 }
1866
1867 ret = pdb_getsampwsid(smbpass, user_sid);
1868
1869 if (ret == False) {
1870 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
1871 pdb_free_sam(&smbpass);
1872 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
1873 }
1874
1875 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
1876
1877 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
1878 pdb_free_sam(&smbpass);
1879 return NT_STATUS_ACCOUNT_DISABLED;
1880 }
1881
1882 ZERO_STRUCTP(id18);
1883 init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass));
1884
1885 pdb_free_sam(&smbpass);
1886
1887 return NT_STATUS_OK;
1888 }
1889
1890 /*************************************************************************
1891 get_user_info_20
1892 *************************************************************************/
1893
1894 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1895 {
1896 SAM_ACCOUNT *sampass=NULL;
1897 BOOL ret;
1898
1899 pdb_init_sam_talloc(mem_ctx, &sampass);
1900
1901 become_root();
1902 ret = pdb_getsampwsid(sampass, user_sid);
1903 unbecome_root();
1904
1905 if (ret == False) {
1906 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1907 return NT_STATUS_NO_SUCH_USER;
1908 }
1909
1910 samr_clear_sam_passwd(sampass);
1911
1912 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1913
1914 ZERO_STRUCTP(id20);
1915 init_sam_user_info20A(id20, sampass);
1916
1917 pdb_free_sam(&sampass);
1918
1919 return NT_STATUS_OK;
1920 }
1921
1922 /*************************************************************************
1923 get_user_info_21
1924 *************************************************************************/
1925
1926 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21,
1927 DOM_SID *user_sid, DOM_SID *domain_sid)
1928 {
1929 SAM_ACCOUNT *sampass=NULL;
1930 BOOL ret;
1931 NTSTATUS nt_status;
1932
1933 nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);
1934 if (!NT_STATUS_IS_OK(nt_status)) {
1935 return nt_status;
1936 }
1937
1938 become_root();
1939 ret = pdb_getsampwsid(sampass, user_sid);
1940 unbecome_root();
1941
1942 if (ret == False) {
1943 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1944 return NT_STATUS_NO_SUCH_USER;
1945 }
1946
1947 samr_clear_sam_passwd(sampass);
1948
1949 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1950
1951 ZERO_STRUCTP(id21);
1952 nt_status = init_sam_user_info21A(id21, sampass, domain_sid);
1953
1954 pdb_free_sam(&sampass);
1955
1956 return NT_STATUS_OK;
1957 }
1958
1959 /*******************************************************************
1960 _samr_query_userinfo
1961 ********************************************************************/
1962
1963 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1964 {
1965 SAM_USERINFO_CTR *ctr;
1966 struct samr_info *info = NULL;
1967 DOM_SID domain_sid;
1968 uint32 rid;
1969
1970 r_u->status=NT_STATUS_OK;
1971
1972 /* search for the handle */
1973 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1974 return NT_STATUS_INVALID_HANDLE;
1975
1976 domain_sid = info->sid;
1977
1978 sid_split_rid(&domain_sid, &rid);
1979
1980 if (!sid_check_is_in_our_domain(&info->sid))
1981 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1982
1983 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
1984
1985 ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR);
1986 if (!ctr)
1987 return NT_STATUS_NO_MEMORY;
1988
1989 ZERO_STRUCTP(ctr);
1990
1991 /* ok! user info levels (lots: see MSDEV help), off we go... */
1992 ctr->switch_value = q_u->switch_value;
1993
1994 DEBUG(5,("_samr_query_userinfo: user info level: %d\n", q_u->switch_value));
1995
1996 switch (q_u->switch_value) {
1997 case 7:
1998 ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7);
1999 if (ctr->info.id7 == NULL)
2000 return NT_STATUS_NO_MEMORY;
2001
2002 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid)))
2003 return r_u->status;
2004 break;
2005 case 9:
2006 ctr->info.id9 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_9);
2007 if (ctr->info.id9 == NULL)
2008 return NT_STATUS_NO_MEMORY;
2009
2010 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_9(p->mem_ctx, ctr->info.id9, &info->sid)))
2011 return r_u->status;
2012 break;
2013 case 16:
2014 ctr->info.id16 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_16);
2015 if (ctr->info.id16 == NULL)
2016 return NT_STATUS_NO_MEMORY;
2017
2018 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_16(p->mem_ctx, ctr->info.id16, &info->sid)))
2019 return r_u->status;
2020 break;
2021
2022 case 18:
2023 ctr->info.id18 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_18);
2024 if (ctr->info.id18 == NULL)
2025 return NT_STATUS_NO_MEMORY;
2026
2027 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_18(p, p->mem_ctx, ctr->info.id18, &info->sid)))
2028 return r_u->status;
2029 break;
2030
2031 case 20:
2032 ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20);
2033 if (ctr->info.id20 == NULL)
2034 return NT_STATUS_NO_MEMORY;
2035 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid)))
2036 return r_u->status;
2037 break;
2038
2039 case 21:
2040 ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21);
2041 if (ctr->info.id21 == NULL)
2042 return NT_STATUS_NO_MEMORY;
2043 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21,
2044 &info->sid, &domain_sid)))
2045 return r_u->status;
2046 break;
2047
2048 default:
2049 return NT_STATUS_INVALID_INFO_CLASS;
2050 }
2051
2052 init_samr_r_query_userinfo(r_u, ctr, r_u->status);
2053
2054 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
2055
2056 return r_u->status;
2057 }
2058
2059 /*******************************************************************
2060 samr_reply_query_usergroups
2061 ********************************************************************/
2062
2063 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
2064 {
2065 SAM_ACCOUNT *sam_pass=NULL;
2066 DOM_SID sid;
2067 DOM_SID *sids;
2068 DOM_GID dom_gid;
2069 DOM_GID *gids = NULL;
2070 uint32 primary_group_rid;
2071 size_t num_groups = 0;
2072 gid_t *unix_gids;
2073 size_t i, num_gids;
2074 uint32 acc_granted;
2075 BOOL ret;
2076 NTSTATUS result;
2077
2078 /*
2079 * from the SID in the request:
2080 * we should send back the list of DOMAIN GROUPS
2081 * the user is a member of
2082 *
2083 * and only the DOMAIN GROUPS
2084 * no ALIASES !!! neither aliases of the domain
2085 * nor aliases of the builtin SID
2086 *
2087 * JFM, 12/2/2001
2088 */
2089
2090 r_u->status = NT_STATUS_OK;
2091
2092 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
2093
2094 /* find the policy handle. open a policy on it. */
2095 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL))
2096 return NT_STATUS_INVALID_HANDLE;
2097
2098 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
2099 return r_u->status;
2100 }
2101
2102 if (!sid_check_is_in_our_domain(&sid))
2103 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2104
2105 pdb_init_sam_talloc(p->mem_ctx, &sam_pass);
2106
2107 become_root();
2108 ret = pdb_getsampwsid(sam_pass, &sid);
2109 unbecome_root();
2110
2111 if (!ret) {
2112 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2113 sid_string_static(&sid)));
2114 return NT_STATUS_NO_SUCH_USER;
2115 }
2116
2117 sids = NULL;
2118
2119 become_root();
2120 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2121 &sids, &unix_gids, &num_groups);
2122 unbecome_root();
2123
2124 if (!NT_STATUS_IS_OK(result)) {
2125 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2126 sid_string_static(&sid)));
2127 return result;
2128 }
2129
2130 gids = NULL;
2131 num_gids = 0;
2132
2133 dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2134 SE_GROUP_ENABLED);
2135
2136 if (!sid_peek_check_rid(get_global_sam_sid(),
2137 pdb_get_group_sid(sam_pass),
2138 &primary_group_rid)) {
2139 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2140 sid_string_static(pdb_get_group_sid(sam_pass)),
2141 pdb_get_username(sam_pass)));
2142 pdb_free_sam(&sam_pass);
2143 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2144 }
2145
2146 dom_gid.g_rid = primary_group_rid;
2147
2148 ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids);
2149
2150 for (i=0; i<num_groups; i++) {
2151
2152 if (!sid_peek_check_rid(get_global_sam_sid(),
2153 &(sids[i]), &dom_gid.g_rid)) {
2154 DEBUG(10, ("Found sid %s not in our domain\n",
2155 sid_string_static(&sids[i])));
2156 continue;
2157 }
2158
2159 if (dom_gid.g_rid == primary_group_rid) {
2160 /* We added the primary group directly from the
2161 * sam_account. The other SIDs are unique from
2162 * enum_group_memberships */
2163 continue;
2164 }
2165
2166 ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids);
2167 }
2168
2169 /* construct the response. lkclXXXX: gids are not copied! */
2170 init_samr_r_query_usergroups(r_u, num_gids, gids, r_u->status);
2171
2172 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
2173
2174 return r_u->status;
2175 }
2176
2177 /*******************************************************************
2178 _samr_query_dom_info
2179 ********************************************************************/
2180
2181 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
2182 {
2183 struct samr_info *info = NULL;
2184 SAM_UNK_CTR *ctr;
2185 uint32 min_pass_len,pass_hist,password_properties;
2186 time_t u_expire, u_min_age;
2187 NTTIME nt_expire, nt_min_age;
2188
2189 time_t u_lock_duration, u_reset_time;
2190 NTTIME nt_lock_duration, nt_reset_time;
2191 uint32 lockout;
2192 time_t u_logout;
2193 NTTIME nt_logout;
2194
2195 uint32 account_policy_temp;
2196
2197 time_t seq_num;
2198 uint32 server_role;
2199
2200 uint32 num_users=0, num_groups=0, num_aliases=0;
2201
2202 if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) {
2203 return NT_STATUS_NO_MEMORY;
2204 }
2205
2206 ZERO_STRUCTP(ctr);
2207
2208 r_u->status = NT_STATUS_OK;
2209
2210 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2211
2212 /* find the policy handle. open a policy on it. */
2213 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) {
2214 return NT_STATUS_INVALID_HANDLE;
2215 }
2216
2217 switch (q_u->switch_value) {
2218 case 0x01:
2219
2220 become_root();
2221
2222 /* AS ROOT !!! */
2223
2224 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2225 min_pass_len = account_policy_temp;
2226
2227 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2228 pass_hist = account_policy_temp;
2229
2230 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2231 password_properties = account_policy_temp;
2232
2233 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2234 u_expire = account_policy_temp;
2235
2236 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2237 u_min_age = account_policy_temp;
2238
2239 /* !AS ROOT */
2240
2241 unbecome_root();
2242
2243 unix_to_nt_time_abs(&nt_expire, u_expire);
2244 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2245
2246 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
2247 password_properties, nt_expire, nt_min_age);
2248 break;
2249 case 0x02:
2250
2251 become_root();
2252
2253 /* AS ROOT !!! */
2254
2255 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2256 num_groups = count_sam_groups(info->disp_info);
2257 num_aliases = count_sam_aliases(info->disp_info);
2258
2259 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2260 u_logout = account_policy_temp;
2261
2262 unix_to_nt_time_abs(&nt_logout, u_logout);
2263
2264 if (!pdb_get_seq_num(&seq_num))
2265 seq_num = time(NULL);
2266
2267 /* !AS ROOT */
2268
2269 unbecome_root();
2270
2271 server_role = ROLE_DOMAIN_PDC;
2272 if (lp_server_role() == ROLE_DOMAIN_BDC)
2273 server_role = ROLE_DOMAIN_BDC;
2274
2275 init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num,
2276 num_users, num_groups, num_aliases, nt_logout, server_role);
2277 break;
2278 case 0x03:
2279
2280 become_root();
2281
2282 /* AS ROOT !!! */
2283
2284 {
2285 uint32 ul;
2286 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
2287 u_logout = (time_t)ul;
2288 }
2289
2290 /* !AS ROOT */
2291
2292 unbecome_root();
2293
2294 unix_to_nt_time_abs(&nt_logout, u_logout);
2295
2296 init_unk_info3(&ctr->info.inf3, nt_logout);
2297 break;
2298 case 0x05:
2299 init_unk_info5(&ctr->info.inf5, global_myname());
2300 break;
2301 case 0x06:
2302 init_unk_info6(&ctr->info.inf6);
2303 break;
2304 case 0x07:
2305 server_role = ROLE_DOMAIN_PDC;
2306 if (lp_server_role() == ROLE_DOMAIN_BDC)
2307 server_role = ROLE_DOMAIN_BDC;
2308
2309 init_unk_info7(&ctr->info.inf7, server_role);
2310 break;
2311 case 0x08:
2312
2313 become_root();
2314
2315 /* AS ROOT !!! */
2316
2317 if (!pdb_get_seq_num(&seq_num)) {
2318 seq_num = time(NULL);
2319 }
2320
2321 /* !AS ROOT */
2322
2323 unbecome_root();
2324
2325 init_unk_info8(&ctr->info.inf8, (uint32) seq_num);
2326 break;
2327 case 0x0c:
2328
2329 become_root();
2330
2331 /* AS ROOT !!! */
2332
2333 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
2334 u_lock_duration = account_policy_temp;
2335 if (u_lock_duration != -1) {
2336 u_lock_duration *= 60;
2337 }
2338
2339 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
2340 u_reset_time = account_policy_temp * 60;
2341
2342 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
2343 lockout = account_policy_temp;
2344
2345 /* !AS ROOT */
2346
2347 unbecome_root();
2348
2349 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
2350 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
2351
2352 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
2353 break;
2354 default:
2355 return NT_STATUS_INVALID_INFO_CLASS;
2356 }
2357
2358
2359 init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
2360
2361 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2362
2363 return r_u->status;
2364 }
2365
2366 /* W2k3 seems to use the same check for all 3 objects that can be created via
2367 * SAMR, if you try to create for example "Dialup" as an alias it says
2368 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
2369 * database. */
2370
2371 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
2372 {
2373 enum SID_NAME_USE type;
2374 BOOL result;
2375
2376 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
2377
2378 become_root();
2379 /* Lookup in our local databases (only LOOKUP_NAME_ISOLATED set)
2380 * whether the name already exists */
2381 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_ISOLATED,
2382 NULL, NULL, NULL, &type);
2383 unbecome_root();
2384
2385 if (!result) {
2386 DEBUG(10, ("%s does not exist, can create it\n", new_name));
2387 return NT_STATUS_OK;
2388 }
2389
2390 DEBUG(5, ("trying to create %s, exists as %s\n",
2391 new_name, sid_type_lookup(type)));
2392
2393 if (type == SID_NAME_DOM_GRP) {
2394 return NT_STATUS_GROUP_EXISTS;
2395 }
2396 if (type == SID_NAME_ALIAS) {
2397 return NT_STATUS_ALIAS_EXISTS;
2398 }
2399
2400 /* Yes, the default is NT_STATUS_USER_EXISTS */
2401 return NT_STATUS_USER_EXISTS;
2402 }
2403
2404 /*******************************************************************
2405 _samr_create_user
2406 Create an account, can be either a normal user or a machine.
2407 This funcion will need to be updated for bdc/domain trusts.
2408 ********************************************************************/
2409
2410 NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u,
2411 SAMR_R_CREATE_USER *r_u)
2412 {
2413 SAM_ACCOUNT *sam_pass=NULL;
2414 fstring account;
2415 DOM_SID sid;
2416 pstring add_script;
2417 POLICY_HND dom_pol = q_u->domain_pol;
2418 UNISTR2 user_account = q_u->uni_name;
2419 uint16 acb_info = q_u->acb_info;
2420 POLICY_HND *user_pol = &r_u->user_pol;
2421 struct samr_info *info = NULL;
2422 BOOL ret;
2423 NTSTATUS nt_status;
2424 struct passwd *pw;
2425 uint32 acc_granted;
2426 SEC_DESC *psd;
2427 size_t sd_size;
2428 /* check this, when giving away 'add computer to domain' privs */
2429 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
2430 BOOL can_add_account = False;
2431 SE_PRIV se_rights;
2432 DISP_INFO *disp_info = NULL;
2433
2434 /* Get the domain SID stored in the domain policy */
2435 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
2436 &disp_info))
2437 return NT_STATUS_INVALID_HANDLE;
2438
2439 nt_status = access_check_samr_function(acc_granted,
2440 SA_RIGHT_DOMAIN_CREATE_USER,
2441 "_samr_create_user");
2442 if (!NT_STATUS_IS_OK(nt_status)) {
2443 return nt_status;
2444 }
2445
2446 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
2447 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
2448 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2449 this parameter is not an account type */
2450 return NT_STATUS_INVALID_PARAMETER;
2451 }
2452
2453 rpcstr_pull(account, user_account.buffer, sizeof(account),
2454 user_account.uni_str_len*2, 0);
2455 strlower_m(account);
2456
2457 nt_status = can_create(p->mem_ctx, account);
2458 if (!NT_STATUS_IS_OK(nt_status)) {
2459 return nt_status;
2460 }
2461
2462 /*********************************************************************
2463 * HEADS UP! If we have to create a new user account, we have to get
2464 * a new RID from somewhere. This used to be done by the passdb
2465 * backend. It has been moved into idmap now. Since idmap is now
2466 * wrapped up behind winbind, this means you have to run winbindd if
2467 * you want new accounts to get a new RID when "enable rid algorithm =
2468 * no". Tough. We now have a uniform way of allocating RIDs
2469 * regardless of what ever passdb backend people may use. --jerry
2470 * (2003-07-10)
2471 *********************************************************************/
2472
2473 pw = Get_Pwnam(account);
2474
2475 /* determine which user right we need to check based on the acb_info */
2476
2477 if ( acb_info & ACB_WSTRUST )
2478 {
2479 pstrcpy(add_script, lp_addmachine_script());
2480 se_priv_copy( &se_rights, &se_machine_account );
2481 can_add_account = user_has_privileges(
2482 p->pipe_user.nt_user_token, &se_rights );
2483 }
2484 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
2485 account for domain trusts and changes the ACB flags later */
2486 else if ( acb_info & ACB_NORMAL &&
2487 (account[strlen(account)-1] != '$') )
2488 {
2489 pstrcpy(add_script, lp_adduser_script());
2490 se_priv_copy( &se_rights, &se_add_users );
2491 can_add_account = user_has_privileges(
2492 p->pipe_user.nt_user_token, &se_rights );
2493 }
2494 else /* implicit assumption of a BDC or domain trust account here
2495 * (we already check the flags earlier) */
2496 {
2497 pstrcpy(add_script, lp_addmachine_script());
2498 if ( lp_enable_privileges() ) {
2499 /* only Domain Admins can add a BDC or domain trust */
2500 se_priv_copy( &se_rights, &se_priv_none );
2501 can_add_account = nt_token_check_domain_rid(
2502 p->pipe_user.nt_user_token,
2503 DOMAIN_GROUP_RID_ADMINS );
2504 }
2505 }
2506
2507 DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
2508 p->pipe_user_name, can_add_account ? "True":"False" ));
2509
2510 /********** BEGIN Admin BLOCK **********/
2511
2512 if ( can_add_account )
2513 become_root();
2514
2515 if ( !pw ) {
2516 if (*add_script) {
2517 int add_ret;
2518
2519 all_string_sub(add_script, "%u", account,
2520 sizeof(add_script));
2521 add_ret = smbrun(add_script,NULL);
2522 DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running "
2523 "the command `%s' gave %d\n",
2524 add_script, add_ret));
2525 }
2526 }
2527
2528 /* implicit call to getpwnam() next. we have a valid SID coming out
2529 * of this call */
2530
2531 flush_pwnam_cache();
2532 nt_status = pdb_init_sam_new(&sam_pass, account);
2533
2534 /* this code is order such that we have no unnecessary retuns
2535 out of the admin block of code */
2536
2537 if ( NT_STATUS_IS_OK(nt_status) ) {
2538 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
2539
2540 if ( !(ret = pdb_add_sam_account(sam_pass)) ) {
2541 pdb_free_sam(&sam_pass);
2542 DEBUG(0, ("could not add user/computer %s to passdb. "
2543 "Check permissions?\n",
2544 account));
2545 nt_status = NT_STATUS_ACCESS_DENIED;
2546 }
2547 }
2548
2549 if ( can_add_account )
2550 unbecome_root();
2551
2552 /********** END Admin BLOCK **********/
2553
2554 /* now check for failure */
2555
2556 if ( !NT_STATUS_IS_OK(nt_status) )
2557 return nt_status;
2558
2559 /* Get the user's SID */
2560
2561 sid_copy(&sid, pdb_get_user_sid(sam_pass));
2562
2563 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
2564 &sid, SAMR_USR_RIGHTS_WRITE_PW);
2565 se_map_generic(&des_access, &usr_generic_mapping);
2566
2567 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2568 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2569 &acc_granted, "_samr_create_user");
2570
2571 if ( !NT_STATUS_IS_OK(nt_status) ) {
2572 return nt_status;
2573 }
2574
2575 /* associate the user's SID with the new handle. */
2576 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
2577 pdb_free_sam(&sam_pass);
2578 return NT_STATUS_NO_MEMORY;
2579 }
2580
2581 ZERO_STRUCTP(info);
2582 info->sid = sid;
2583 info->acc_granted = acc_granted;
2584
2585 /* get a (unique) handle. open a policy on it. */
2586 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
2587 pdb_free_sam(&sam_pass);
2588 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2589 }
2590
2591 /* After a "set" ensure we have no cached display info. */
2592 force_flush_samr_cache(info->disp_info);
2593
2594 r_u->user_rid=pdb_get_user_rid(sam_pass);
2595
2596 r_u->access_granted = acc_granted;
2597
2598 pdb_free_sam(&sam_pass);
2599
2600 return NT_STATUS_OK;
2601 }
2602
2603 /*******************************************************************
2604 samr_reply_connect_anon
2605 ********************************************************************/
2606
2607 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2608 {
2609 struct samr_info *info = NULL;
2610 uint32 des_access = q_u->access_mask;
2611
2612 /* Access check */
2613
2614 if (!pipe_access_check(p)) {
2615 DEBUG(3, ("access denied to samr_connect_anon\n"));
2616 r_u->status = NT_STATUS_ACCESS_DENIED;
2617 return r_u->status;
2618 }
2619
2620 /* set up the SAMR connect_anon response */
2621
2622 r_u->status = NT_STATUS_OK;
2623
2624 /* associate the user's SID with the new handle. */
2625 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2626 return NT_STATUS_NO_MEMORY;
2627
2628 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2629 was observed from a win98 client trying to enumerate users (when configured
2630 user level access control on shares) --jerry */
2631
2632 if (des_access == MAXIMUM_ALLOWED_ACCESS) {
2633 /* Map to max possible knowing we're filtered below. */
2634 des_access = GENERIC_ALL_ACCESS;
2635 }
2636
2637 se_map_generic( &des_access, &sam_generic_mapping );
2638 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
2639
2640 info->status = q_u->unknown_0;
2641
2642 /* get a (unique) handle. open a policy on it. */
2643 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2644 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2645
2646 return r_u->status;
2647 }
2648
2649 /*******************************************************************
2650 samr_reply_connect
2651 ********************************************************************/
2652
2653 NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
2654 {
2655 struct samr_info *info = NULL;
2656 SEC_DESC *psd = NULL;
2657 uint32 acc_granted;
2658 uint32 des_access = q_u->access_mask;
2659 NTSTATUS nt_status;
2660 size_t sd_size;
2661
2662
2663 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2664
2665 /* Access check */
2666
2667 if (!pipe_access_check(p)) {
2668 DEBUG(3, ("access denied to samr_connect\n"));
2669 r_u->status = NT_STATUS_ACCESS_DENIED;
2670 return r_u->status;
2671 }
2672
2673 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2674 se_map_generic(&des_access, &sam_generic_mapping);
2675
2676 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2677 NULL, 0, des_access, &acc_granted, "_samr_connect");
2678
2679 if ( !NT_STATUS_IS_OK(nt_status) )
2680 return nt_status;
2681
2682 r_u->status = NT_STATUS_OK;
2683
2684 /* associate the user's SID and access granted with the new handle. */
2685 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2686 return NT_STATUS_NO_MEMORY;
2687
2688 info->acc_granted = acc_granted;
2689 info->status = q_u->access_mask;
2690
2691 /* get a (unique) handle. open a policy on it. */
2692 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2693 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2694
2695 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2696
2697 return r_u->status;
2698 }
2699
2700 /*******************************************************************
2701 samr_connect4
2702 ********************************************************************/
2703
2704 NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u)
2705 {
2706 struct samr_info *info = NULL;
2707 SEC_DESC *psd = NULL;
2708 uint32 acc_granted;
2709 uint32 des_access = q_u->access_mask;
2710 NTSTATUS nt_status;
2711 size_t sd_size;
2712
2713
2714 DEBUG(5,("_samr_connect4: %d\n", __LINE__));
2715
2716 /* Access check */
2717
2718 if (!pipe_access_check(p)) {
2719 DEBUG(3, ("access denied to samr_connect4\n"));
2720 r_u->status = NT_STATUS_ACCESS_DENIED;
2721 return r_u->status;
2722 }
2723
2724 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2725 se_map_generic(&des_access, &sam_generic_mapping);
2726
2727 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2728 NULL, 0, des_access, &acc_granted, "_samr_connect4");
2729
2730 if ( !NT_STATUS_IS_OK(nt_status) )
2731 return nt_status;
2732
2733 r_u->status = NT_STATUS_OK;
2734
2735 /* associate the user's SID and access granted with the new handle. */
2736 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2737 return NT_STATUS_NO_MEMORY;
2738
2739 info->acc_granted = acc_granted;
2740 info->status = q_u->access_mask;
2741
2742 /* get a (unique) handle. open a policy on it. */
2743 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2744 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2745
2746 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2747
2748 return r_u->status;
2749 }
2750
2751 /*******************************************************************
2752 samr_connect5
2753 ********************************************************************/
2754
2755 NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 *r_u)
2756 {
2757 struct samr_info *info = NULL;
2758 SEC_DESC *psd = NULL;
2759 uint32 acc_granted;
2760 uint32 des_access = q_u->access_mask;
2761 NTSTATUS nt_status;
2762 POLICY_HND pol;
2763 size_t sd_size;
2764
2765
2766 DEBUG(5,("_samr_connect5: %d\n", __LINE__));
2767
2768 ZERO_STRUCTP(r_u);
2769
2770 /* Access check */
2771
2772 if (!pipe_access_check(p)) {
2773 DEBUG(3, ("access denied to samr_connect5\n"));
2774 r_u->status = NT_STATUS_ACCESS_DENIED;
2775 return r_u->status;
2776 }
2777
2778 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2779 se_map_generic(&des_access, &sam_generic_mapping);
2780
2781 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2782 NULL, 0, des_access, &acc_granted, "_samr_connect5");
2783
2784 if ( !NT_STATUS_IS_OK(nt_status) )
2785 return nt_status;
2786
2787 /* associate the user's SID and access granted with the new handle. */
2788 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2789 return NT_STATUS_NO_MEMORY;
2790
2791 info->acc_granted = acc_granted;
2792 info->status = q_u->access_mask;
2793
2794 /* get a (unique) handle. open a policy on it. */
2795 if (!create_policy_hnd(p, &pol, free_samr_info, (void *)info))
2796 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2797
2798 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2799
2800 init_samr_r_connect5(r_u, &pol, NT_STATUS_OK);
2801
2802 return r_u->status;
2803 }
2804
2805 /**********************************************************************
2806 api_samr_lookup_domain
2807 **********************************************************************/
2808
2809 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2810 {
2811 struct samr_info *info;
2812 fstring domain_name;
2813 DOM_SID sid;
2814
2815 r_u->status = NT_STATUS_OK;
2816
2817 if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)(void *)&info))
2818 return NT_STATUS_INVALID_HANDLE;
2819
2820 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
2821 Reverted that change so we will work with RAS servers again */
2822
2823 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
2824 SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain")))
2825 {
2826 return r_u->status;
2827 }
2828
2829 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2830
2831 ZERO_STRUCT(sid);
2832
2833 if (strequal(domain_name, builtin_domain_name())) {
2834 sid_copy(&sid, &global_sid_Builtin);
2835 } else {
2836 if (!secrets_fetch_domain_sid(domain_name, &sid)) {
2837 r_u->status = NT_STATUS_NO_SUCH_DOMAIN;
2838 }
2839 }
2840
2841 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
2842
2843 init_samr_r_lookup_domain(r_u, &sid, r_u->status);
2844
2845 return r_u->status;
2846 }
2847
2848 /******************************************************************
2849 makes a SAMR_R_ENUM_DOMAINS structure.
2850 ********************************************************************/
2851
2852 static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
2853 UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
2854 {
2855 uint32 i;
2856 SAM_ENTRY *sam;
2857 UNISTR2 *uni_name;
2858
2859 DEBUG(5, ("make_enum_domains\n"));
2860
2861 *pp_sam = NULL;
2862 *pp_uni_name = NULL;
2863
2864 if (num_sam_entries == 0)
2865 return True;
2866
2867 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries);
2868 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries);
2869
2870 if (sam == NULL || uni_name == NULL)
2871 return False;
2872
2873 for (i = 0; i < num_sam_entries; i++) {
2874 init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE);
2875 init_sam_entry(&sam[i], &uni_name[i], 0);
2876 }
2877
2878 *pp_sam = sam;
2879 *pp_uni_name = uni_name;
2880
2881 return True;
2882 }
2883
2884 /**********************************************************************
2885 api_samr_enum_domains
2886 **********************************************************************/
2887
2888 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2889 {
2890 struct samr_info *info;
2891 uint32 num_entries = 2;
2892 fstring dom[2];
2893 const char *name;
2894
2895 r_u->status = NT_STATUS_OK;
2896
2897 if (!find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info))
2898 return NT_STATUS_INVALID_HANDLE;
2899
2900 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2901 return r_u->status;
2902 }
2903
2904 name = get_global_sam_name();
2905
2906 fstrcpy(dom[0],name);
2907 strupper_m(dom[0]);
2908 fstrcpy(dom[1],"Builtin");
2909
2910 if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
2911 return NT_STATUS_NO_MEMORY;
2912
2913 init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
2914
2915 return r_u->status;
2916 }
2917
2918 /*******************************************************************
2919 api_samr_open_alias
2920 ********************************************************************/
2921
2922 NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
2923 {
2924 DOM_SID sid;
2925 POLICY_HND domain_pol = q_u->dom_pol;
2926 uint32 alias_rid = q_u->rid_alias;
2927 POLICY_HND *alias_pol = &r_u->pol;
2928 struct samr_info *info = NULL;
2929 SEC_DESC *psd = NULL;
2930 uint32 acc_granted;
2931 uint32 des_access = q_u->access_mask;
2932 size_t sd_size;
2933 NTSTATUS status;
2934 SE_PRIV se_rights;
2935
2936 r_u->status = NT_STATUS_OK;
2937
2938 /* find the domain policy and get the SID / access bits stored in the domain policy */
2939
2940 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2941 return NT_STATUS_INVALID_HANDLE;
2942
2943 status = access_check_samr_function(acc_granted,
2944 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias");
2945
2946 if ( !NT_STATUS_IS_OK(status) )
2947 return status;
2948
2949 /* append the alias' RID to it */
2950
2951 if (!sid_append_rid(&sid, alias_rid))
2952 return NT_STATUS_NO_SUCH_ALIAS;
2953
2954 /*check if access can be granted as requested by client. */
2955
2956 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
2957 se_map_generic(&des_access,&ali_generic_mapping);
2958
2959 se_priv_copy( &se_rights, &se_add_users );
2960
2961
2962 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2963 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
2964 &acc_granted, "_samr_open_alias");
2965
2966 if ( !NT_STATUS_IS_OK(status) )
2967 return status;
2968
2969 {
2970 /* Check we actually have the requested alias */
2971 enum SID_NAME_USE type;
2972 BOOL result;
2973
2974 become_root();
2975 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
2976 unbecome_root();
2977
2978 if (!result || (type != SID_NAME_ALIAS)) {
2979 return NT_STATUS_NO_SUCH_ALIAS;
2980 }
2981 }
2982
2983 /* associate the alias SID with the new handle. */
2984 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2985 return NT_STATUS_NO_MEMORY;
2986
2987 info->acc_granted = acc_granted;
2988
2989 /* get a (unique) handle. open a policy on it. */
2990 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
2991 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2992
2993 return r_u->status;
2994 }
2995
2996 /*******************************************************************
2997 set_user_info_7
2998 ********************************************************************/
2999 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3000 const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd)
3001 {
3002 fstring new_name;
3003 NTSTATUS rc;
3004
3005 if (id7 == NULL) {
3006 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3007 pdb_free_sam(&pwd);
3008 return NT_STATUS_ACCESS_DENIED;
3009 }
3010
3011 if(!rpcstr_pull(new_name, id7->uni_name.buffer, sizeof(new_name), id7->uni_name.uni_str_len*2, 0)) {
3012 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3013 pdb_free_sam(&pwd);
3014 return NT_STATUS_ACCESS_DENIED;
3015 }
3016
3017 /* check to see if the new username already exists. Note: we can't
3018 reliably lock all backends, so there is potentially the
3019 possibility that a user can be created in between this check and
3020 the rename. The rename should fail, but may not get the
3021 exact same failure status code. I think this is small enough
3022 of a window for this type of operation and the results are
3023 simply that the rename fails with a slightly different status
3024 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3025
3026 rc = can_create(mem_ctx, new_name);
3027 if (!NT_STATUS_IS_OK(rc)) {
3028 return rc;
3029 }
3030
3031 rc = pdb_rename_sam_account(pwd, new_name);
3032
3033 pdb_free_sam(&pwd);
3034 return rc;
3035 }
3036
3037 /*******************************************************************
3038 set_user_info_16
3039 ********************************************************************/
3040
3041 static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, SAM_ACCOUNT *pwd)
3042 {
3043 if (id16 == NULL) {
3044 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3045 pdb_free_sam(&pwd);
3046 return False;
3047 }
3048
3049 /* FIX ME: check if the value is really changed --metze */
3050 if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) {
3051 pdb_free_sam(&pwd);
3052 return False;
3053 }
3054
3055 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3056 pdb_free_sam(&pwd);
3057 return False;
3058 }
3059
3060 pdb_free_sam(&pwd);
3061
3062 return True;
3063 }
3064
3065 /*******************************************************************
3066 set_user_info_18
3067 ********************************************************************/
3068
3069 static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd)
3070 {
3071
3072 if (id18 == NULL) {
3073 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3074 pdb_free_sam(&pwd);
3075 return False;
3076 }
3077
3078 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) {
3079 pdb_free_sam(&pwd);
3080 return False;
3081 }
3082 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd, PDB_CHANGED)) {
3083 pdb_free_sam(&pwd);
3084 return False;
3085 }
3086 if (!pdb_set_pass_changed_now (pwd)) {
3087 pdb_free_sam(&pwd);
3088 return False;
3089 }
3090
3091 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3092 pdb_free_sam(&pwd);
3093 return False;
3094 }
3095
3096 pdb_free_sam(&pwd);
3097 return True;
3098 }
3099
3100 /*******************************************************************
3101 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
3102 ********************************************************************/
3103 static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass)
3104 {
3105 struct group *grp;
3106 gid_t gid;
3107
3108 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
3109 DEBUG(2,("Could not get gid for primary group of "
3110 "user %s\n", pdb_get_username(sampass)));
3111 return False;
3112 }
3113
3114 grp = getgrgid(gid);
3115
3116 if (grp == NULL) {
3117 DEBUG(2,("Could not find primary group %lu for "
3118 "user %s\n", (unsigned long)gid,
3119 pdb_get_username(sampass)));
3120 return False;
3121 }
3122
3123 if (smb_set_primary_group(grp->gr_name,
3124 pdb_get_username(sampass)) != 0) {
3125 DEBUG(2,("Could not set primary group for user %s to "
3126 "%s\n",
3127 pdb_get_username(sampass), grp->gr_name));
3128 return False;
3129 }
3130
3131 return True;
3132 }
3133
3134
3135 /*******************************************************************
3136 set_user_info_20
3137 ********************************************************************/
3138
3139 static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd)
3140 {
3141 if (id20 == NULL) {
3142 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3143 return False;
3144 }
3145
3146 copy_id20_to_sam_passwd(pwd, id20);
3147
3148 /* write the change out */
3149 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3150 pdb_free_sam(&pwd);
3151 return False;
3152 }
3153
3154 pdb_free_sam(&pwd);
3155
3156 return True;
3157 }
3158 /*******************************************************************
3159 set_user_info_21
3160 ********************************************************************/
3161
3162 static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd)
3163 {
3164
3165 if (id21 == NULL) {
3166 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3167 return False;
3168 }
3169
3170 copy_id21_to_sam_passwd(pwd, id21);
3171
3172 /*
3173 * The funny part about the previous two calls is
3174 * that pwd still has the password hashes from the
3175 * passdb entry. These have not been updated from
3176 * id21. I don't know if they need to be set. --jerry
3177 */
3178
3179 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
3180 set_unix_primary_group(pwd);
3181
3182 /* write the change out */
3183 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3184 pdb_free_sam(&pwd);
3185 return False;
3186 }
3187
3188 pdb_free_sam(&pwd);
3189
3190 return True;
3191 }
3192
3193 /*******************************************************************
3194 set_user_info_23
3195 ********************************************************************/
3196
3197 static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd)
3198 {
3199 pstring plaintext_buf;
3200 uint32 len;
3201 uint16 acct_ctrl;
3202
3203 if (id23 == NULL) {
3204 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3205 return False;
3206 }
3207
3208 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3209 pdb_get_username(pwd)));
3210
3211 acct_ctrl = pdb_get_acct_ctrl(pwd);
3212
3213 if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) {
3214 pdb_free_sam(&pwd);
3215 return False;
3216 }
3217
3218 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3219 pdb_free_sam(&pwd);
3220 return False;
3221 }
3222
3223 copy_id23_to_sam_passwd(pwd, id23);
3224
3225 /* if it's a trust account, don't update /etc/passwd */
3226 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3227 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3228 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3229 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3230 } else {
3231 /* update the UNIX password */
3232 if (lp_unix_password_sync() ) {
3233 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
3234 if (!passwd) {
3235 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3236 }
3237
3238 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3239 pdb_free_sam(&pwd);
3240 return False;
3241 }
3242 }
3243 }
3244
3245 ZERO_STRUCT(plaintext_buf);
3246
3247 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
3248 set_unix_primary_group(pwd);
3249
3250 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3251 pdb_free_sam(&pwd);
3252 return False;
3253 }
3254
3255 pdb_free_sam(&pwd);
3256
3257 return True;
3258 }
3259
3260 /*******************************************************************
3261 set_user_info_pw
3262 ********************************************************************/
3263
3264 static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd)
3265 {
3266 uint32 len;
3267 pstring plaintext_buf;
3268 uint16 acct_ctrl;
3269
3270 DEBUG(5, ("Attempting administrator password change for user %s\n",
3271 pdb_get_username(pwd)));
3272
3273 acct_ctrl = pdb_get_acct_ctrl(pwd);
3274
3275 ZERO_STRUCT(plaintext_buf);
3276
3277 if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) {
3278 pdb_free_sam(&pwd);
3279 return False;
3280 }
3281
3282 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3283 pdb_free_sam(&pwd);
3284 return False;
3285 }
3286
3287 /* if it's a trust account, don't update /etc/passwd */
3288 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3289 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3290 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3291 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3292 } else {
3293 /* update the UNIX password */
3294 if (lp_unix_password_sync()) {
3295 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
3296 if (!passwd) {
3297 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3298 }
3299
3300 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3301 pdb_free_sam(&pwd);
3302 return False;
3303 }
3304 }
3305 }
3306
3307 ZERO_STRUCT(plaintext_buf);
3308
3309 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
3310
3311 /* update the SAMBA password */
3312 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3313 pdb_free_sam(&pwd);
3314 return False;
3315 }
3316
3317 pdb_free_sam(&pwd);
3318
3319 return True;
3320 }
3321
3322 /*******************************************************************
3323 samr_reply_set_userinfo
3324 ********************************************************************/
3325
3326 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
3327 {
3328 SAM_ACCOUNT *pwd = NULL;
3329 DOM_SID sid;
3330 POLICY_HND *pol = &q_u->pol;
3331 uint16 switch_value = q_u->switch_value;
3332 SAM_USERINFO_CTR *ctr = q_u->ctr;
3333 uint32 acc_granted;
3334 uint32 acc_required;
3335 BOOL ret;
3336 BOOL has_enough_rights = False;
3337 uint32 acb_info;
3338 DISP_INFO *disp_info = NULL;
3339
3340 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
3341
3342 r_u->status = NT_STATUS_OK;
3343
3344 /* find the policy handle. open a policy on it. */
3345 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info))
3346 return NT_STATUS_INVALID_HANDLE;
3347
3348 /* observed when joining an XP client to a Samba domain */
3349
3350 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
3351
3352 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
3353 return r_u->status;
3354 }
3355
3356 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
3357
3358 if (ctr == NULL) {
3359 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
3360 return NT_STATUS_INVALID_INFO_CLASS;
3361 }
3362
3363 pdb_init_sam(&pwd);
3364
3365 become_root();
3366 ret = pdb_getsampwsid(pwd, &sid);
3367 unbecome_root();
3368
3369 if ( !ret ) {
3370 pdb_free_sam(&pwd);
3371 return NT_STATUS_NO_SUCH_USER;
3372 }
3373
3374 /* deal with machine password changes differently from userinfo changes */
3375 /* check to see if we have the sufficient rights */
3376
3377 acb_info = pdb_get_acct_ctrl(pwd);
3378 if ( acb_info & ACB_WSTRUST )
3379 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
3380 else if ( acb_info & ACB_NORMAL )
3381 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
3382 else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
3383 if ( lp_enable_privileges() )
3384 has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
3385 }
3386
3387 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
3388 p->pipe_user_name, has_enough_rights ? "" : " not"));
3389
3390 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
3391
3392 if ( has_enough_rights )
3393 become_root();
3394
3395 /* ok! user info levels (lots: see MSDEV help), off we go... */
3396
3397 switch (switch_value) {
3398 case 18:
3399 if (!set_user_info_18(ctr->info.id18, pwd))
3400 r_u->status = NT_STATUS_ACCESS_DENIED;
3401 break;
3402
3403 case 24:
3404 if (!p->session_key.length) {
3405 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3406 }
3407 SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key);
3408
3409 dump_data(100, (char *)ctr->info.id24->pass, 516);
3410
3411 if (!set_user_info_pw(ctr->info.id24->pass, pwd))
3412 r_u->status = NT_STATUS_ACCESS_DENIED;
3413 break;
3414
3415 case 25:
3416 if (!p->session_key.length) {
3417 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3418 }
3419 encode_or_decode_arc4_passwd_buffer(ctr->info.id25->pass, &p->session_key);
3420
3421 dump_data(100, (char *)ctr->info.id25->pass, 532);
3422
3423 if (!set_user_info_pw(ctr->info.id25->pass, pwd))
3424 r_u->status = NT_STATUS_ACCESS_DENIED;
3425 break;
3426
3427 case 26:
3428 if (!p->session_key.length) {
3429 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3430 }
3431 encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key);
3432
3433 dump_data(100, (char *)ctr->info.id26->pass, 516);
3434
3435 if (!set_user_info_pw(ctr->info.id26->pass, pwd))
3436 r_u->status = NT_STATUS_ACCESS_DENIED;
3437 break;
3438
3439 case 23:
3440 if (!p->session_key.length) {
3441 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3442 }
3443 SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
3444
3445 dump_data(100, (char *)ctr->info.id23->pass, 516);
3446
3447 if (!set_user_info_23(ctr->info.id23, pwd))
3448 r_u->status = NT_STATUS_ACCESS_DENIED;
3449 break;
3450
3451 default:
3452 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
3453 }
3454
3455
3456 if ( has_enough_rights )
3457 unbecome_root();
3458
3459 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
3460
3461 if (NT_STATUS_IS_OK(r_u->status)) {
3462 force_flush_samr_cache(disp_info);
3463 }
3464
3465 return r_u->status;
3466 }
3467
3468 /*******************************************************************
3469 samr_reply_set_userinfo2
3470 ********************************************************************/
3471
3472 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3473 {
3474 SAM_ACCOUNT *pwd = NULL;
3475 DOM_SID sid;
3476 SAM_USERINFO_CTR *ctr = q_u->ctr;
3477 POLICY_HND *pol = &q_u->pol;
3478 uint16 switch_value = q_u->switch_value;
3479 uint32 acc_granted;
3480 uint32 acc_required;
3481 BOOL ret;
3482 BOOL has_enough_rights = False;
3483 uint32 acb_info;
3484 DISP_INFO *disp_info = NULL;
3485
3486 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
3487
3488 r_u->status = NT_STATUS_OK;
3489
3490 /* find the policy handle. open a policy on it. */
3491 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info))
3492 return NT_STATUS_INVALID_HANDLE;
3493
3494 /* observed when joining XP client to Samba domain */
3495
3496 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
3497
3498 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3499 return r_u->status;
3500 }
3501
3502 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
3503
3504 if (ctr == NULL) {
3505 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
3506 return NT_STATUS_INVALID_INFO_CLASS;
3507 }
3508
3509 switch_value=ctr->switch_value;
3510
3511 pdb_init_sam(&pwd);
3512
3513 become_root();
3514 ret = pdb_getsampwsid(pwd, &sid);
3515 unbecome_root();
3516
3517 if ( !ret ) {
3518 pdb_free_sam(&pwd);
3519 return NT_STATUS_NO_SUCH_USER;
3520 }
3521
3522 acb_info = pdb_get_acct_ctrl(pwd);
3523 if ( acb_info & ACB_WSTRUST )
3524 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
3525 else if ( acb_info & ACB_NORMAL )
3526 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
3527 else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
3528 if ( lp_enable_privileges() )
3529 has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
3530 }
3531
3532 DEBUG(5, ("_samr_set_userinfo2: %s does%s possess sufficient rights\n",
3533 p->pipe_user_name, has_enough_rights ? "" : " not"));
3534
3535 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
3536
3537 if ( has_enough_rights )
3538 become_root();
3539
3540 /* ok! user info levels (lots: see MSDEV help), off we go... */
3541
3542 switch (switch_value) {
3543 case 7:
3544 r_u->status = set_user_info_7(p->mem_ctx,
3545 ctr->info.id7, pwd);
3546 break;
3547 case 16:
3548 if (!set_user_info_16(ctr->info.id16, pwd))
3549 r_u->status = NT_STATUS_ACCESS_DENIED;
3550 break;
3551 case 18:
3552 /* Used by AS/U JRA. */
3553 if (!set_user_info_18(ctr->info.id18, pwd))
3554 r_u->status = NT_STATUS_ACCESS_DENIED;
3555 break;
3556 case 20:
3557 if (!set_user_info_20(ctr->info.id20, pwd))
3558 r_u->status = NT_STATUS_ACCESS_DENIED;
3559 break;
3560 case 21:
3561 if (!set_user_info_21(ctr->info.id21, pwd))
3562 return NT_STATUS_ACCESS_DENIED;
3563 break;
3564 case 23:
3565 if (!p->session_key.length) {
3566 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3567 }
3568 SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
3569
3570 dump_data(100, (char *)ctr->info.id23->pass, 516);
3571
3572 if (!set_user_info_23(ctr->info.id23, pwd))
3573 r_u->status = NT_STATUS_ACCESS_DENIED;
3574 break;
3575 case 26:
3576 if (!p->session_key.length) {
3577 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3578 }
3579 encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key);
3580
3581 dump_data(100, (char *)ctr->info.id26->pass, 516);
3582
3583 if (!set_user_info_pw(ctr->info.id26->pass, pwd))
3584 r_u->status = NT_STATUS_ACCESS_DENIED;
3585 break;
3586 default:
3587 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
3588 }
3589
3590 if ( has_enough_rights )
3591 unbecome_root();
3592
3593 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
3594
3595 if (NT_STATUS_IS_OK(r_u->status)) {
3596 force_flush_samr_cache(disp_info);
3597 }
3598
3599 return r_u->status;
3600 }
3601
3602 /*********************************************************************
3603 _samr_query_aliasmem
3604 *********************************************************************/
3605
3606 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3607 {
3608 size_t num_alias_rids;
3609 uint32 *alias_rids;
3610 struct samr_info *info = NULL;
3611 size_t i;
3612
3613 NTSTATUS ntstatus1;
3614 NTSTATUS ntstatus2;
3615
3616 DOM_SID *members;
3617
3618 r_u->status = NT_STATUS_OK;
3619
3620 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
3621
3622 /* find the policy handle. open a policy on it. */
3623 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
3624 return NT_STATUS_INVALID_HANDLE;
3625
3626 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3627 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3628
3629 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
3630 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
3631 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
3632 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
3633 }
3634 }
3635
3636 if (!sid_check_is_domain(&info->sid) &&
3637 !sid_check_is_builtin(&info->sid))
3638 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3639
3640 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1);
3641
3642 if (members == NULL)
3643 return NT_STATUS_NO_MEMORY;
3644
3645 for (i=0; i<q_u->num_sids1; i++)
3646 sid_copy(&members[i], &q_u->sid[i].sid);
3647
3648 alias_rids = NULL;
3649 num_alias_rids = 0;
3650
3651 become_root();
3652 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
3653 q_u->num_sids1,
3654 &alias_rids, &num_alias_rids);
3655 unbecome_root();
3656
3657 if (!NT_STATUS_IS_OK(ntstatus1)) {
3658 return ntstatus1;
3659 }
3660
3661 init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids,
3662 NT_STATUS_OK);
3663 return NT_STATUS_OK;
3664 }
3665
3666 /*********************************************************************
3667 _samr_query_aliasmem
3668 *********************************************************************/
3669
3670 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3671 {
3672 NTSTATUS status;
3673 size_t i;
3674 size_t num_sids = 0;
3675 DOM_SID2 *sid;
3676 DOM_SID *sids=NULL;
3677
3678 DOM_SID alias_sid;
3679
3680 uint32 acc_granted;
3681
3682 /* find the policy handle. open a policy on it. */
3683 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, NULL))
3684 return NT_STATUS_INVALID_HANDLE;
3685
3686 if (!NT_STATUS_IS_OK(r_u->status =
3687 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3688 return r_u->status;
3689 }
3690
3691 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3692
3693 status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids);
3694
3695 if (!NT_STATUS_IS_OK(status)) {
3696 return status;
3697 }
3698
3699 sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids);
3700 if (num_sids!=0 && sid == NULL) {
3701 SAFE_FREE(sids);
3702 return NT_STATUS_NO_MEMORY;
3703 }
3704
3705 for (i = 0; i < num_sids; i++) {
3706 init_dom_sid2(&sid[i], &sids[i]);
3707 }
3708
3709 init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK);
3710
3711 SAFE_FREE(sids);
3712
3713 return NT_STATUS_OK;
3714 }
3715
3716 static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num)
3717 {
3718 int i;
3719
3720 for (i=0; i<*num; i++) {
3721 if ((*uids)[i] == uid)
3722 return;
3723 }
3724
3725 *uids = SMB_REALLOC_ARRAY(*uids, uid_t, *num+1);
3726
3727 if (*uids == NULL)
3728 return;
3729
3730 (*uids)[*num] = uid;
3731 *num += 1;
3732 }
3733
3734
3735 static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num)
3736 {
3737 struct group *grp;
3738 char **gr;
3739 struct sys_pwent *userlist, *user;
3740
3741 *uids = NULL;
3742 *num = 0;
3743
3744 /* We only look at our own sam, so don't care about imported stuff */
3745
3746 winbind_off();
3747
3748 if ((grp = getgrgid(gid)) == NULL) {
3749 winbind_on();
3750 return False;
3751 }
3752
3753 /* Primary group members */
3754
3755 userlist = getpwent_list();
3756
3757 for (user = userlist; user != NULL; user = user->next) {
3758 if (user->pw_gid != gid)
3759 continue;
3760 add_uid_to_array_unique(user->pw_uid, uids, num);
3761 }
3762
3763 pwent_free(userlist);
3764
3765 /* Secondary group members */
3766
3767 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
3768 struct passwd *pw = getpwnam(*gr);
3769
3770 if (pw == NULL)
3771 continue;
3772 add_uid_to_array_unique(pw->pw_uid, uids, num);
3773 }
3774
3775 winbind_on();
3776
3777 return True;
3778 }
3779
3780 /*********************************************************************
3781 _samr_query_groupmem
3782 *********************************************************************/
3783
3784 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3785 {
3786 DOM_SID group_sid;
3787 fstring group_sid_str;
3788 size_t i, num_members;
3789
3790 uint32 *rid=NULL;
3791 uint32 *attr=NULL;
3792
3793 uint32 acc_granted;
3794
3795 NTSTATUS result;
3796
3797 /* find the policy handle. open a policy on it. */
3798 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, NULL))
3799 return NT_STATUS_INVALID_HANDLE;
3800
3801 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3802 return r_u->status;
3803 }
3804
3805 sid_to_string(group_sid_str, &group_sid);
3806 DEBUG(10, ("sid is %s\n", group_sid_str));
3807
3808 if (!sid_check_is_in_our_domain(&group_sid)) {
3809 DEBUG(3, ("sid %s is not in our domain\n", group_sid_str));
3810 return NT_STATUS_NO_SUCH_GROUP;
3811 }
3812
3813 DEBUG(10, ("lookup on Domain SID\n"));
3814
3815 become_root();
3816 result = pdb_enum_group_members(p->mem_ctx, &group_sid,
3817 &rid, &num_members);
3818 unbecome_root();
3819
3820 if (!NT_STATUS_IS_OK(result))
3821 return result;
3822
3823 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
3824
3825 if ((num_members!=0) && (rid==NULL))
3826 return NT_STATUS_NO_MEMORY;
3827
3828 for (i=0; i<num_members; i++)
3829 attr[i] = SID_NAME_USER;
3830
3831 init_samr_r_query_groupmem(r_u, num_members, rid, attr, NT_STATUS_OK);
3832
3833 return NT_STATUS_OK;
3834 }
3835
3836 /*********************************************************************
3837 _samr_add_aliasmem
3838 *********************************************************************/
3839
3840 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3841 {
3842 DOM_SID alias_sid;
3843 uint32 acc_granted;
3844 SE_PRIV se_rights;
3845 BOOL can_add_accounts;
3846 NTSTATUS ret;
3847 DISP_INFO *disp_info = NULL;
3848
3849 /* Find the policy handle. Open a policy on it. */
3850 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info))
3851 return NT_STATUS_INVALID_HANDLE;
3852
3853 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3854 return r_u->status;
3855 }
3856
3857 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3858
3859 se_priv_copy( &se_rights, &se_add_users );
3860 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3861
3862 /******** BEGIN SeAddUsers BLOCK *********/
3863
3864 if ( can_add_accounts )
3865 become_root();
3866
3867 ret = pdb_add_aliasmem(&alias_sid, &q_u->sid.sid);
3868
3869 if ( can_add_accounts )
3870 unbecome_root();
3871
3872 /******** END SeAddUsers BLOCK *********/
3873
3874 if (NT_STATUS_IS_OK(ret)) {
3875 force_flush_samr_cache(disp_info);
3876 }
3877
3878 return ret;
3879 }
3880
3881 /*********************************************************************
3882 _samr_del_aliasmem
3883 *********************************************************************/
3884
3885 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3886 {
3887 DOM_SID alias_sid;
3888 uint32 acc_granted;
3889 SE_PRIV se_rights;
3890 BOOL can_add_accounts;
3891 NTSTATUS ret;
3892 DISP_INFO *disp_info = NULL;
3893
3894 /* Find the policy handle. Open a policy on it. */
3895 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info))
3896 return NT_STATUS_INVALID_HANDLE;
3897
3898 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3899 return r_u->status;
3900 }
3901
3902 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
3903 sid_string_static(&alias_sid)));
3904
3905 se_priv_copy( &se_rights, &se_add_users );
3906 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3907
3908 /******** BEGIN SeAddUsers BLOCK *********/
3909
3910 if ( can_add_accounts )
3911 become_root();
3912
3913 ret = pdb_del_aliasmem(&alias_sid, &q_u->sid.sid);
3914
3915 if ( can_add_accounts )
3916 unbecome_root();
3917
3918 /******** END SeAddUsers BLOCK *********/
3919
3920 if (NT_STATUS_IS_OK(ret)) {
3921 force_flush_samr_cache(disp_info);
3922 }
3923
3924 return ret;
3925 }
3926
3927 /*********************************************************************
3928 _samr_add_groupmem
3929 *********************************************************************/
3930
3931 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3932 {
3933 DOM_SID group_sid;
3934 DOM_SID user_sid;
3935 fstring group_sid_str;
3936 uid_t uid;
3937 struct passwd *pwd;
3938 struct group *grp;
3939 fstring grp_name;
3940 GROUP_MAP map;
3941 NTSTATUS ret;
3942 SAM_ACCOUNT *sam_user=NULL;
3943 BOOL check;
3944 uint32 acc_granted;
3945 SE_PRIV se_rights;
3946 BOOL can_add_accounts;
3947 DISP_INFO *disp_info = NULL;
3948
3949 /* Find the policy handle. Open a policy on it. */
3950 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
3951 return NT_STATUS_INVALID_HANDLE;
3952
3953 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3954 return r_u->status;
3955 }
3956
3957 sid_to_string(group_sid_str, &group_sid);
3958 DEBUG(10, ("sid is %s\n", group_sid_str));
3959
3960 if (sid_compare(&group_sid, get_global_sam_sid())<=0)
3961 return NT_STATUS_NO_SUCH_GROUP;
3962
3963 DEBUG(10, ("lookup on Domain SID\n"));
3964
3965 if(!get_domain_group_from_sid(group_sid, &map))
3966 return NT_STATUS_NO_SUCH_GROUP;
3967
3968 sid_copy(&user_sid, get_global_sam_sid());
3969 sid_append_rid(&user_sid, q_u->rid);
3970
3971 ret = pdb_init_sam(&sam_user);
3972 if (!NT_STATUS_IS_OK(ret))
3973 return ret;
3974
3975 check = pdb_getsampwsid(sam_user, &user_sid);
3976
3977 if (check != True) {
3978 pdb_free_sam(&sam_user);
3979 return NT_STATUS_NO_SUCH_USER;
3980 }
3981
3982 /* check a real user exist before we run the script to add a user to a group */
3983 if (!sid_to_uid(pdb_get_user_sid(sam_user), &uid)) {
3984 pdb_free_sam(&sam_user);
3985 return NT_STATUS_NO_SUCH_USER;
3986 }
3987
3988 pdb_free_sam(&sam_user);
3989
3990 if ((pwd=getpwuid_alloc(p->mem_ctx, uid)) == NULL) {
3991 return NT_STATUS_NO_SUCH_USER;
3992 }
3993
3994 if ((grp=getgrgid(map.gid)) == NULL) {
3995 return NT_STATUS_NO_SUCH_GROUP;
3996 }
3997
3998 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3999 fstrcpy(grp_name, grp->gr_name);
4000
4001 /* if the user is already in the group */
4002 if(user_in_unix_group(pwd->pw_name, grp_name)) {
4003 return NT_STATUS_MEMBER_IN_GROUP;
4004 }
4005
4006 se_priv_copy( &se_rights, &se_add_users );
4007 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4008
4009 /******** BEGIN SeAddUsers BLOCK *********/
4010
4011 if ( can_add_accounts )
4012 become_root();
4013
4014 /*
4015 * ok, the group exist, the user exist, the user is not in the group,
4016 *
4017 * we can (finally) add it to the group !
4018 */
4019
4020 smb_add_user_group(grp_name, pwd->pw_name);
4021
4022 if ( can_add_accounts )
4023 unbecome_root();
4024
4025 /******** END SeAddUsers BLOCK *********/
4026
4027 /* check if the user has been added then ... */
4028 if(!user_in_unix_group(pwd->pw_name, grp_name)) {
4029 return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
4030 }
4031
4032 force_flush_samr_cache(disp_info);
4033
4034 return NT_STATUS_OK;
4035 }
4036
4037 /*********************************************************************
4038 _samr_del_groupmem
4039 *********************************************************************/
4040
4041 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
4042 {
4043 DOM_SID group_sid;
4044 DOM_SID user_sid;
4045 SAM_ACCOUNT *sam_pass=NULL;
4046 GROUP_MAP map;
4047 fstring grp_name;
4048 struct group *grp;
4049 uint32 acc_granted;
4050 SE_PRIV se_rights;
4051 BOOL can_add_accounts;
4052 DISP_INFO *disp_info = NULL;
4053
4054 /*
4055 * delete the group member named q_u->rid
4056 * who is a member of the sid associated with the handle
4057 * the rid is a user's rid as the group is a domain group.
4058 */
4059
4060 /* Find the policy handle. Open a policy on it. */
4061 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
4062 return NT_STATUS_INVALID_HANDLE;
4063
4064 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
4065 return r_u->status;
4066 }
4067
4068 if (!sid_check_is_in_our_domain(&group_sid))
4069 return NT_STATUS_NO_SUCH_GROUP;
4070
4071 sid_copy(&user_sid, get_global_sam_sid());
4072 sid_append_rid(&user_sid, q_u->rid);
4073
4074 if (!get_domain_group_from_sid(group_sid, &map))
4075 return NT_STATUS_NO_SUCH_GROUP;
4076
4077 if ((grp=getgrgid(map.gid)) == NULL)
4078 return NT_STATUS_NO_SUCH_GROUP;
4079
4080 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
4081 fstrcpy(grp_name, grp->gr_name);
4082
4083 /* check if the user exists before trying to remove it from the group */
4084 pdb_init_sam(&sam_pass);
4085 if (!pdb_getsampwsid(sam_pass, &user_sid)) {
4086 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass)));
4087 pdb_free_sam(&sam_pass);
4088 return NT_STATUS_NO_SUCH_USER;
4089 }
4090
4091 /* if the user is not in the group */
4092 if (!user_in_unix_group(pdb_get_username(sam_pass), grp_name)) {
4093 pdb_free_sam(&sam_pass);
4094 return NT_STATUS_MEMBER_NOT_IN_GROUP;
4095 }
4096
4097
4098 se_priv_copy( &se_rights, &se_add_users );
4099 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4100
4101 /******** BEGIN SeAddUsers BLOCK *********/
4102
4103 if ( can_add_accounts )
4104 become_root();
4105
4106 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
4107
4108 if ( can_add_accounts )
4109 unbecome_root();
4110
4111 /******** END SeAddUsers BLOCK *********/
4112
4113 /* check if the user has been removed then ... */
4114 if (user_in_unix_group(pdb_get_username(sam_pass), grp_name)) {
4115 pdb_free_sam(&sam_pass);
4116 return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
4117 }
4118
4119 pdb_free_sam(&sam_pass);
4120
4121 force_flush_samr_cache(disp_info);
4122
4123 return NT_STATUS_OK;
4124
4125 }
4126
4127 /****************************************************************************
4128 Delete a UNIX user on demand.
4129 ****************************************************************************/
4130
4131 static int smb_delete_user(const char *unix_user)
4132 {
4133 pstring del_script;
4134 int ret;
4135
4136 pstrcpy(del_script, lp_deluser_script());
4137 if (! *del_script)
4138 return -1;
4139 all_string_sub(del_script, "%u", unix_user, sizeof(del_script));
4140 ret = smbrun(del_script,NULL);
4141 flush_pwnam_cache();
4142 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
4143
4144 return ret;
4145 }
4146
4147 /*********************************************************************
4148 _samr_delete_dom_user
4149 *********************************************************************/
4150
4151 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
4152 {
4153 DOM_SID user_sid;
4154 SAM_ACCOUNT *sam_pass=NULL;
4155 uint32 acc_granted;
4156 BOOL can_add_accounts;
4157 BOOL ret;
4158 DISP_INFO *disp_info = NULL;
4159
4160 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
4161
4162 /* Find the policy handle. Open a policy on it. */
4163 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted, &disp_info))
4164 return NT_STATUS_INVALID_HANDLE;
4165
4166 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
4167 return r_u->status;
4168 }
4169
4170 if (!sid_check_is_in_our_domain(&user_sid))
4171 return NT_STATUS_CANNOT_DELETE;
4172
4173 /* check if the user exists before trying to delete */
4174 pdb_init_sam(&sam_pass);
4175 if(!pdb_getsampwsid(sam_pass, &user_sid)) {
4176 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
4177 sid_string_static(&user_sid)));
4178 pdb_free_sam(&sam_pass);
4179 return NT_STATUS_NO_SUCH_USER;
4180 }
4181
4182 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4183
4184 /******** BEGIN SeAddUsers BLOCK *********/
4185
4186 if ( can_add_accounts )
4187 become_root();
4188
4189 /* First delete the samba side....
4190 code is order to prevent unnecessary returns out of the admin
4191 block of code */
4192
4193 if ( (ret = pdb_delete_sam_account(sam_pass)) == True ) {
4194 /*
4195 * Now delete the unix side ....
4196 * note: we don't check if the delete really happened
4197 * as the script is not necessary present
4198 * and maybe the sysadmin doesn't want to delete the unix side
4199 */
4200 smb_delete_user( pdb_get_username(sam_pass) );
4201 }
4202
4203 if ( can_add_accounts )
4204 unbecome_root();
4205
4206 /******** END SeAddUsers BLOCK *********/
4207
4208 if ( !ret ) {
4209 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
4210 pdb_free_sam(&sam_pass);
4211 return NT_STATUS_CANNOT_DELETE;
4212 }
4213
4214
4215 pdb_free_sam(&sam_pass);
4216
4217 if (!close_policy_hnd(p, &q_u->user_pol))
4218 return NT_STATUS_OBJECT_NAME_INVALID;
4219
4220 force_flush_samr_cache(disp_info);
4221
4222 return NT_STATUS_OK;
4223 }
4224
4225 /*********************************************************************
4226 _samr_delete_dom_group
4227 *********************************************************************/
4228
4229 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
4230 {
4231 DOM_SID group_sid;
4232 DOM_SID dom_sid;
4233 uint32 group_rid;
4234 fstring group_sid_str;
4235 gid_t gid;
4236 struct group *grp;
4237 GROUP_MAP map;
4238 uint32 acc_granted;
4239 SE_PRIV se_rights;
4240 BOOL can_add_accounts;
4241 BOOL ret;
4242 DISP_INFO *disp_info = NULL;
4243
4244 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
4245
4246 /* Find the policy handle. Open a policy on it. */
4247 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, &disp_info))
4248 return NT_STATUS_INVALID_HANDLE;
4249
4250 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
4251 return r_u->status;
4252 }
4253
4254 sid_copy(&dom_sid, &group_sid);
4255 sid_to_string(group_sid_str, &dom_sid);
4256 sid_split_rid(&dom_sid, &group_rid);
4257
4258 DEBUG(10, ("sid is %s\n", group_sid_str));
4259
4260 /* we check if it's our SID before deleting */
4261 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4262 return NT_STATUS_NO_SUCH_GROUP;
4263
4264 DEBUG(10, ("lookup on Domain SID\n"));
4265
4266 if(!get_domain_group_from_sid(group_sid, &map))
4267 return NT_STATUS_NO_SUCH_GROUP;
4268
4269 gid=map.gid;
4270
4271 /* check if group really exists */
4272 if ( (grp=getgrgid(gid)) == NULL)
4273 return NT_STATUS_NO_SUCH_GROUP;
4274
4275 se_priv_copy( &se_rights, &se_add_users );
4276 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4277
4278 /******** BEGIN SeAddUsers BLOCK *********/
4279
4280 if ( can_add_accounts )
4281 become_root();
4282
4283 /* delete mapping first */
4284
4285 if ( (ret = pdb_delete_group_mapping_entry(group_sid)) == True ) {
4286 smb_delete_group( grp->gr_name );
4287 }
4288
4289 if ( can_add_accounts )
4290 unbecome_root();
4291
4292 /******** END SeAddUsers BLOCK *********/
4293
4294 if ( !ret ) {
4295 DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping entry for group %s.\n",
4296 group_sid_str));
4297 return NT_STATUS_ACCESS_DENIED;
4298 }
4299
4300 /* don't check that the unix group has been deleted. Work like
4301 _samr_delet_dom_user() */
4302
4303 if (!close_policy_hnd(p, &q_u->group_pol))
4304 return NT_STATUS_OBJECT_NAME_INVALID;
4305
4306 force_flush_samr_cache(disp_info);
4307
4308 return NT_STATUS_OK;
4309 }
4310
4311 /*********************************************************************
4312 _samr_delete_dom_alias
4313 *********************************************************************/
4314
4315 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
4316 {
4317 DOM_SID alias_sid;
4318 uint32 acc_granted;
4319 SE_PRIV se_rights;
4320 BOOL can_add_accounts;
4321 BOOL ret;
4322 DISP_INFO *disp_info = NULL;
4323
4324 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
4325
4326 /* Find the policy handle. Open a policy on it. */
4327 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info))
4328 return NT_STATUS_INVALID_HANDLE;
4329
4330 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
4331 return r_u->status;
4332 }
4333
4334 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
4335
4336 if (!sid_check_is_in_our_domain(&alias_sid))
4337 return NT_STATUS_NO_SUCH_ALIAS;
4338
4339 DEBUG(10, ("lookup on Local SID\n"));
4340
4341 se_priv_copy( &se_rights, &se_add_users );
4342 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4343
4344 /******** BEGIN SeAddUsers BLOCK *********/
4345
4346 if ( can_add_accounts )
4347 become_root();
4348
4349 /* Have passdb delete the alias */
4350 ret = pdb_delete_alias(&alias_sid);
4351
4352 if ( can_add_accounts )
4353 unbecome_root();
4354
4355 /******** END SeAddUsers BLOCK *********/
4356
4357 if ( !ret )
4358 return NT_STATUS_ACCESS_DENIED;
4359
4360 if (!close_policy_hnd(p, &q_u->alias_pol))
4361 return NT_STATUS_OBJECT_NAME_INVALID;
4362
4363 force_flush_samr_cache(disp_info);
4364
4365 return NT_STATUS_OK;
4366 }
4367
4368 /*********************************************************************
4369 _samr_create_dom_group
4370 *********************************************************************/
4371
4372 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
4373 {
4374 DOM_SID dom_sid;
4375 DOM_SID info_sid;
4376 fstring name;
4377 fstring sid_string;
4378 struct group *grp;
4379 struct samr_info *info;
4380 uint32 acc_granted;
4381 gid_t gid;
4382 SE_PRIV se_rights;
4383 BOOL can_add_accounts;
4384 NTSTATUS result;
4385 DISP_INFO *disp_info = NULL;
4386
4387 /* Find the policy handle. Open a policy on it. */
4388 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted, &disp_info))
4389 return NT_STATUS_INVALID_HANDLE;
4390
4391 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
4392 return r_u->status;
4393 }
4394
4395 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4396 return NT_STATUS_ACCESS_DENIED;
4397
4398 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
4399
4400 r_u->status = can_create(p->mem_ctx, name);
4401 if (!NT_STATUS_IS_OK(r_u->status)) {
4402 return r_u->status;
4403 }
4404
4405 se_priv_copy( &se_rights, &se_add_users );
4406 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4407
4408 /******** BEGIN SeAddUsers BLOCK *********/
4409
4410 if ( can_add_accounts )
4411 become_root();
4412
4413 /* check that we successfully create the UNIX group */
4414
4415 result = NT_STATUS_ACCESS_DENIED;
4416 if ( (smb_create_group(name, &gid) == 0) && ((grp=getgrgid(gid)) != NULL) ) {
4417
4418 /* so far, so good */
4419
4420 result = NT_STATUS_OK;
4421
4422 if (pdb_rid_algorithm()) {
4423 r_u->rid = pdb_gid_to_group_rid( grp->gr_gid );
4424 } else {
4425 if (!pdb_new_rid(&r_u->rid)) {
4426 result = NT_STATUS_ACCESS_DENIED;
4427 }
4428 }
4429
4430 if (NT_STATUS_IS_OK(result)) {
4431
4432 /* add the group to the mapping table */
4433
4434 sid_copy( &info_sid, get_global_sam_sid() );
4435 sid_append_rid( &info_sid, r_u->rid );
4436 sid_to_string( sid_string, &info_sid );
4437
4438 /* reset the error code if we fail to add the mapping entry */
4439
4440 if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) )
4441 result = NT_STATUS_ACCESS_DENIED;
4442 }
4443 }
4444
4445 if ( can_add_accounts )
4446 unbecome_root();
4447
4448 /******** END SeAddUsers BLOCK *********/
4449
4450 /* check if we should bail out here */
4451
4452 if ( !NT_STATUS_IS_OK(result) )
4453 return result;
4454
4455 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4456 return NT_STATUS_NO_MEMORY;
4457
4458
4459 /* they created it; let the user do what he wants with it */
4460
4461 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
4462
4463 /* get a (unique) handle. open a policy on it. */
4464 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4465 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4466
4467 force_flush_samr_cache(disp_info);
4468
4469 return NT_STATUS_OK;
4470 }
4471
4472 /*********************************************************************
4473 _samr_create_dom_alias
4474 *********************************************************************/
4475
4476 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
4477 {
4478 DOM_SID dom_sid;
4479 DOM_SID info_sid;
4480 fstring name;
4481 struct samr_info *info;
4482 uint32 acc_granted;
4483 gid_t gid;
4484 NTSTATUS result;
4485 SE_PRIV se_rights;
4486 BOOL can_add_accounts;
4487 DISP_INFO *disp_info = NULL;
4488
4489 /* Find the policy handle. Open a policy on it. */
4490 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted, &disp_info))
4491 return NT_STATUS_INVALID_HANDLE;
4492
4493 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
4494 return r_u->status;
4495 }
4496
4497 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4498 return NT_STATUS_ACCESS_DENIED;
4499
4500 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
4501
4502 se_priv_copy( &se_rights, &se_add_users );
4503 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4504
4505 result = can_create(p->mem_ctx, name);
4506 if (!NT_STATUS_IS_OK(result)) {
4507 return result;
4508 }
4509
4510 /******** BEGIN SeAddUsers BLOCK *********/
4511
4512 if ( can_add_accounts )
4513 become_root();
4514
4515 /* Have passdb create the alias */
4516 result = pdb_create_alias(name, &r_u->rid);
4517
4518 if ( can_add_accounts )
4519 unbecome_root();
4520
4521 /******** END SeAddUsers BLOCK *********/
4522
4523 if (!NT_STATUS_IS_OK(result)) {
4524 DEBUG(10, ("pdb_create_alias failed: %s\n",
4525 nt_errstr(result)));
4526 return result;
4527 }
4528
4529 sid_copy(&info_sid, get_global_sam_sid());
4530 sid_append_rid(&info_sid, r_u->rid);
4531
4532 if (!sid_to_gid(&info_sid, &gid)) {
4533 DEBUG(10, ("Could not find alias just created\n"));
4534 return NT_STATUS_ACCESS_DENIED;
4535 }
4536
4537 /* check if the group has been successfully created */
4538 if ( getgrgid(gid) == NULL ) {
4539 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
4540 gid));
4541 return NT_STATUS_ACCESS_DENIED;
4542 }
4543
4544 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4545 return NT_STATUS_NO_MEMORY;
4546
4547 /* they created it; let the user do what he wants with it */
4548
4549 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
4550
4551 /* get a (unique) handle. open a policy on it. */
4552 if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info))
4553 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4554
4555 force_flush_samr_cache(disp_info);
4556
4557 return NT_STATUS_OK;
4558 }
4559
4560 /*********************************************************************
4561 _samr_query_groupinfo
4562
4563 sends the name/comment pair of a domain group
4564 level 1 send also the number of users of that group
4565 *********************************************************************/
4566
4567 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
4568 {
4569 DOM_SID group_sid;
4570 GROUP_MAP map;
4571 DOM_SID *sids=NULL;
4572 uid_t *uids;
4573 int num=0;
4574 GROUP_INFO_CTR *ctr;
4575 uint32 acc_granted;
4576 BOOL ret;
4577
4578 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL))
4579 return NT_STATUS_INVALID_HANDLE;
4580
4581 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
4582 return r_u->status;
4583 }
4584
4585 become_root();
4586 ret = get_domain_group_from_sid(group_sid, &map);
4587 unbecome_root();
4588 if (!ret)
4589 return NT_STATUS_INVALID_HANDLE;
4590
4591 ctr=TALLOC_ZERO_P(p->mem_ctx, GROUP_INFO_CTR);
4592 if (ctr==NULL)
4593 return NT_STATUS_NO_MEMORY;
4594
4595 switch (q_u->switch_level) {
4596 case 1:
4597 ctr->switch_value1 = 1;
4598 if(!get_memberuids(map.gid, &uids, &num))
4599 return NT_STATUS_NO_SUCH_GROUP;
4600 SAFE_FREE(uids);
4601 init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num);
4602 SAFE_FREE(sids);
4603 break;
4604 case 3:
4605 ctr->switch_value1 = 3;
4606 init_samr_group_info3(&ctr->group.info3);
4607 break;
4608 case 4:
4609 ctr->switch_value1 = 4;
4610 init_samr_group_info4(&ctr->group.info4, map.comment);
4611 break;
4612 default:
4613 return NT_STATUS_INVALID_INFO_CLASS;
4614 }
4615
4616 init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK);
4617
4618 return NT_STATUS_OK;
4619 }
4620
4621 /*********************************************************************
4622 _samr_set_groupinfo
4623
4624 update a domain group's comment.
4625 *********************************************************************/
4626
4627 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
4628 {
4629 DOM_SID group_sid;
4630 GROUP_MAP map;
4631 GROUP_INFO_CTR *ctr;
4632 uint32 acc_granted;
4633 NTSTATUS ret;
4634 BOOL result;
4635 BOOL can_mod_accounts;
4636 DISP_INFO *disp_info = NULL;
4637
4638 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
4639 return NT_STATUS_INVALID_HANDLE;
4640
4641 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
4642 return r_u->status;
4643 }
4644
4645 become_root();
4646 result = get_domain_group_from_sid(group_sid, &map);
4647 unbecome_root();
4648 if (!result)
4649 return NT_STATUS_NO_SUCH_GROUP;
4650
4651 ctr=q_u->ctr;
4652
4653 switch (ctr->switch_value1) {
4654 case 1:
4655 unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
4656 break;
4657 case 4:
4658 unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
4659 break;
4660 default:
4661 return NT_STATUS_INVALID_INFO_CLASS;
4662 }
4663
4664 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4665
4666 /******** BEGIN SeAddUsers BLOCK *********/
4667
4668 if ( can_mod_accounts )
4669 become_root();
4670
4671 ret = pdb_update_group_mapping_entry(&map);
4672
4673 if ( can_mod_accounts )
4674 unbecome_root();
4675
4676 /******** End SeAddUsers BLOCK *********/
4677
4678 if (NT_STATUS_IS_OK(ret)) {
4679 force_flush_samr_cache(disp_info);
4680 }
4681
4682 return ret;
4683 }
4684
4685 /*********************************************************************
4686 _samr_set_aliasinfo
4687
4688 update an alias's comment.
4689 *********************************************************************/
4690
4691 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4692 {
4693 DOM_SID group_sid;
4694 struct acct_info info;
4695 ALIAS_INFO_CTR *ctr;
4696 uint32 acc_granted;
4697 BOOL ret;
4698 BOOL can_mod_accounts;
4699 DISP_INFO *disp_info = NULL;
4700
4701 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info))
4702 return NT_STATUS_INVALID_HANDLE;
4703
4704 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4705 return r_u->status;
4706 }
4707
4708 ctr=&q_u->ctr;
4709
4710 switch (ctr->level) {
4711 case 3:
4712 if ( ctr->alias.info3.description.string ) {
4713 unistr2_to_ascii( info.acct_desc,
4714 ctr->alias.info3.description.string,
4715 sizeof(info.acct_desc)-1 );
4716 }
4717 else
4718 fstrcpy( info.acct_desc, "" );
4719 break;
4720 default:
4721 return NT_STATUS_INVALID_INFO_CLASS;
4722 }
4723
4724 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4725
4726 /******** BEGIN SeAddUsers BLOCK *********/
4727
4728 if ( can_mod_accounts )
4729 become_root();
4730
4731 ret = pdb_set_aliasinfo( &group_sid, &info );
4732
4733 if ( can_mod_accounts )
4734 unbecome_root();
4735
4736 /******** End SeAddUsers BLOCK *********/
4737
4738 if (ret) {
4739 force_flush_samr_cache(disp_info);
4740 }
4741
4742 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
4743 }
4744
4745 /*********************************************************************
4746 _samr_get_dom_pwinfo
4747 *********************************************************************/
4748
4749 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4750 {
4751 /* Perform access check. Since this rpc does not require a
4752 policy handle it will not be caught by the access checks on
4753 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4754
4755 if (!pipe_access_check(p)) {
4756 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
4757 r_u->status = NT_STATUS_ACCESS_DENIED;
4758 return r_u->status;
4759 }
4760
4761 /* Actually, returning zeros here works quite well :-). */
4762
4763 return NT_STATUS_OK;
4764 }
4765
4766 /*********************************************************************
4767 _samr_open_group
4768 *********************************************************************/
4769
4770 NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u)
4771 {
4772 DOM_SID sid;
4773 DOM_SID info_sid;
4774 GROUP_MAP map;
4775 struct samr_info *info;
4776 SEC_DESC *psd = NULL;
4777 uint32 acc_granted;
4778 uint32 des_access = q_u->access_mask;
4779 size_t sd_size;
4780 NTSTATUS status;
4781 fstring sid_string;
4782 BOOL ret;
4783 SE_PRIV se_rights;
4784
4785 if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL))
4786 return NT_STATUS_INVALID_HANDLE;
4787
4788 status = access_check_samr_function(acc_granted,
4789 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group");
4790
4791 if ( !NT_STATUS_IS_OK(status) )
4792 return status;
4793
4794 /*check if access can be granted as requested by client. */
4795 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
4796 se_map_generic(&des_access,&grp_generic_mapping);
4797
4798 se_priv_copy( &se_rights, &se_add_users );
4799
4800 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
4801 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
4802 &acc_granted, "_samr_open_group");
4803
4804 if ( !NT_STATUS_IS_OK(status) )
4805 return status;
4806
4807 /* this should not be hard-coded like this */
4808
4809 if (!sid_equal(&sid, get_global_sam_sid()))
4810 return NT_STATUS_ACCESS_DENIED;
4811
4812 sid_copy(&info_sid, get_global_sam_sid());
4813 sid_append_rid(&info_sid, q_u->rid_group);
4814 sid_to_string(sid_string, &info_sid);
4815
4816 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4817 return NT_STATUS_NO_MEMORY;
4818
4819 info->acc_granted = acc_granted;
4820
4821 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
4822
4823 /* check if that group really exists */
4824 become_root();
4825 ret = get_domain_group_from_sid(info->sid, &map);
4826 unbecome_root();
4827 if (!ret)
4828 return NT_STATUS_NO_SUCH_GROUP;
4829
4830 /* get a (unique) handle. open a policy on it. */
4831 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4832 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4833
4834 return NT_STATUS_OK;
4835 }
4836
4837 /*********************************************************************
4838 _samr_remove_sid_foreign_domain
4839 *********************************************************************/
4840
4841 NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p,
4842 SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u,
4843 SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u)
4844 {
4845 DOM_SID delete_sid, domain_sid;
4846 uint32 acc_granted;
4847 NTSTATUS result;
4848 DISP_INFO *disp_info = NULL;
4849
4850 sid_copy( &delete_sid, &q_u->sid.sid );
4851
4852 DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n",
4853 sid_string_static(&delete_sid)));
4854
4855 /* Find the policy handle. Open a policy on it. */
4856
4857 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid,
4858 &acc_granted, &disp_info))
4859 return NT_STATUS_INVALID_HANDLE;
4860
4861 result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS,
4862 "_samr_remove_sid_foreign_domain");
4863
4864 if (!NT_STATUS_IS_OK(result))
4865 return result;
4866
4867 DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
4868 sid_string_static(&domain_sid)));
4869
4870 /* we can only delete a user from a group since we don't have
4871 nested groups anyways. So in the latter case, just say OK */
4872
4873 /* TODO: The above comment nowadays is bogus. Since we have nested
4874 * groups now, and aliases members are never reported out of the unix
4875 * group membership, the "just say OK" makes this call a no-op. For
4876 * us. This needs fixing however. */
4877
4878 /* I've only ever seen this in the wild when deleting a user from
4879 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
4880 * is the user about to be deleted. I very much suspect this is the
4881 * only application of this call. To verify this, let people report
4882 * other cases. */
4883
4884 if (!sid_check_is_builtin(&domain_sid)) {
4885 DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, "
4886 "global_sam_sid() = %s\n",
4887 sid_string_static(&domain_sid),
4888 sid_string_static(get_global_sam_sid())));
4889 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
4890 return NT_STATUS_OK;
4891 }
4892
4893 force_flush_samr_cache(disp_info);
4894
4895 result = NT_STATUS_OK;
4896
4897 return result;
4898 }
4899
4900 /*******************************************************************
4901 _samr_query_domain_info2
4902 ********************************************************************/
4903
4904 NTSTATUS _samr_query_domain_info2(pipes_struct *p,
4905 SAMR_Q_QUERY_DOMAIN_INFO2 *q_u,
4906 SAMR_R_QUERY_DOMAIN_INFO2 *r_u)
4907 {
4908 struct samr_info *info = NULL;
4909 SAM_UNK_CTR *ctr;
4910 uint32 min_pass_len,pass_hist,password_properties;
4911 time_t u_expire, u_min_age;
4912 NTTIME nt_expire, nt_min_age;
4913
4914 time_t u_lock_duration, u_reset_time;
4915 NTTIME nt_lock_duration, nt_reset_time;
4916 uint32 lockout;
4917
4918 time_t u_logout;
4919 NTTIME nt_logout;
4920
4921 uint32 num_users=0, num_groups=0, num_aliases=0;
4922
4923 uint32 account_policy_temp;
4924
4925 time_t seq_num;
4926 uint32 server_role;
4927
4928 if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL)
4929 return NT_STATUS_NO_MEMORY;
4930
4931 ZERO_STRUCTP(ctr);
4932
4933 r_u->status = NT_STATUS_OK;
4934
4935 DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__));
4936
4937 /* find the policy handle. open a policy on it. */
4938 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info))
4939 return NT_STATUS_INVALID_HANDLE;
4940
4941 switch (q_u->switch_value) {
4942 case 0x01:
4943 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
4944 min_pass_len = account_policy_temp;
4945
4946 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
4947 pass_hist = account_policy_temp;
4948
4949 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
4950 password_properties = account_policy_temp;
4951
4952 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
4953 u_expire = account_policy_temp;
4954
4955 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
4956 u_min_age = account_policy_temp;
4957
4958 unix_to_nt_time_abs(&nt_expire, u_expire);
4959 unix_to_nt_time_abs(&nt_min_age, u_min_age);
4960
4961 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
4962 password_properties, nt_expire, nt_min_age);
4963 break;
4964 case 0x02:
4965 become_root();
4966 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
4967 num_groups = count_sam_groups(info->disp_info);
4968 num_aliases = count_sam_aliases(info->disp_info);
4969 unbecome_root();
4970
4971 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
4972 u_logout = account_policy_temp;
4973
4974 unix_to_nt_time_abs(&nt_logout, u_logout);
4975
4976 if (!pdb_get_seq_num(&seq_num))
4977 seq_num = time(NULL);
4978
4979 server_role = ROLE_DOMAIN_PDC;
4980 if (lp_server_role() == ROLE_DOMAIN_BDC)
4981 server_role = ROLE_DOMAIN_BDC;
4982
4983 init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num,
4984 num_users, num_groups, num_aliases, nt_logout, server_role);
4985 break;
4986 case 0x03:
4987 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
4988 u_logout = account_policy_temp;
4989
4990 unix_to_nt_time_abs(&nt_logout, u_logout);
4991
4992 init_unk_info3(&ctr->info.inf3, nt_logout);
4993 break;
4994 case 0x05:
4995 init_unk_info5(&ctr->info.inf5, global_myname());
4996 break;
4997 case 0x06:
4998 init_unk_info6(&ctr->info.inf6);
4999 break;
5000 case 0x07:
5001 server_role = ROLE_DOMAIN_PDC;
5002 if (lp_server_role() == ROLE_DOMAIN_BDC)
5003 server_role = ROLE_DOMAIN_BDC;
5004
5005 init_unk_info7(&ctr->info.inf7, server_role);
5006 break;
5007 case 0x08:
5008 if (!pdb_get_seq_num(&seq_num))
5009 seq_num = time(NULL);
5010
5011 init_unk_info8(&ctr->info.inf8, (uint32) seq_num);
5012 break;
5013 case 0x0c:
5014 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
5015 u_lock_duration = account_policy_temp;
5016 if (u_lock_duration != -1)
5017 u_lock_duration *= 60;
5018
5019 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
5020 u_reset_time = account_policy_temp * 60;
5021
5022 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
5023 lockout = account_policy_temp;
5024
5025 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
5026 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
5027
5028 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
5029 break;
5030 default:
5031 return NT_STATUS_INVALID_INFO_CLASS;
5032 }
5033
5034 init_samr_r_samr_query_domain_info2(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
5035
5036 DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__));
5037
5038 return r_u->status;
5039 }
5040
5041 /*******************************************************************
5042 _samr_
5043 ********************************************************************/
5044
5045 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
5046 {
5047 time_t u_expire, u_min_age;
5048 time_t u_logout;
5049 time_t u_lock_duration, u_reset_time;
5050
5051 r_u->status = NT_STATUS_OK;
5052
5053 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
5054
5055 /* find the policy handle. open a policy on it. */
5056 if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL))
5057 return NT_STATUS_INVALID_HANDLE;
5058
5059 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value));
5060
5061 switch (q_u->switch_value) {
5062 case 0x01:
5063 u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
5064 u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
5065
5066 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
5067 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
5068 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.password_properties);
5069 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5070 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5071 break;
5072 case 0x02:
5073 break;
5074 case 0x03:
5075 u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
5076 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5077 break;
5078 case 0x05:
5079 break;
5080 case 0x06:
5081 break;
5082 case 0x07:
5083 break;
5084 case 0x0c:
5085 u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
5086 if (u_lock_duration != -1)
5087 u_lock_duration /= 60;
5088
5089 u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
5090
5091 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5092 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5093 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
5094 break;
5095 default:
5096 return NT_STATUS_INVALID_INFO_CLASS;
5097 }
5098
5099 init_samr_r_set_domain_info(r_u, NT_STATUS_OK);
5100
5101 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
5102
5103 return r_u->status;
5104 }