2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
35 #include "smbd/globals.h"
36 #include "../libcli/auth/libcli_auth.h"
37 #include "../librpc/gen_ndr/srv_samr.h"
40 #define DBGC_CLASS DBGC_RPC_SRV
42 #define SAMR_USR_RIGHTS_WRITE_PW \
43 ( READ_CONTROL_ACCESS | \
44 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
45 SAMR_USER_ACCESS_SET_LOC_COM)
46 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
47 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
49 #define DISP_INFO_CACHE_TIMEOUT 10
51 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
52 #define MAX_SAM_ENTRIES_W95 50
54 struct samr_connect_info
{
58 struct samr_domain_info
{
60 struct disp_info
*disp_info
;
63 struct samr_user_info
{
67 struct samr_group_info
{
71 struct samr_alias_info
{
75 typedef struct disp_info
{
76 DOM_SID sid
; /* identify which domain this is. */
77 struct pdb_search
*users
; /* querydispinfo 1 and 4 */
78 struct pdb_search
*machines
; /* querydispinfo 2 */
79 struct pdb_search
*groups
; /* querydispinfo 3 and 5, enumgroups */
80 struct pdb_search
*aliases
; /* enumaliases */
82 uint32_t enum_acb_mask
;
83 struct pdb_search
*enum_users
; /* enumusers with a mask */
85 struct timed_event
*cache_timeout_event
; /* cache idle timeout
89 static const struct generic_mapping sam_generic_mapping
= {
90 GENERIC_RIGHTS_SAM_READ
,
91 GENERIC_RIGHTS_SAM_WRITE
,
92 GENERIC_RIGHTS_SAM_EXECUTE
,
93 GENERIC_RIGHTS_SAM_ALL_ACCESS
};
94 static const struct generic_mapping dom_generic_mapping
= {
95 GENERIC_RIGHTS_DOMAIN_READ
,
96 GENERIC_RIGHTS_DOMAIN_WRITE
,
97 GENERIC_RIGHTS_DOMAIN_EXECUTE
,
98 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS
};
99 static const struct generic_mapping usr_generic_mapping
= {
100 GENERIC_RIGHTS_USER_READ
,
101 GENERIC_RIGHTS_USER_WRITE
,
102 GENERIC_RIGHTS_USER_EXECUTE
,
103 GENERIC_RIGHTS_USER_ALL_ACCESS
};
104 static const struct generic_mapping usr_nopwchange_generic_mapping
= {
105 GENERIC_RIGHTS_USER_READ
,
106 GENERIC_RIGHTS_USER_WRITE
,
107 GENERIC_RIGHTS_USER_EXECUTE
& ~SAMR_USER_ACCESS_CHANGE_PASSWORD
,
108 GENERIC_RIGHTS_USER_ALL_ACCESS
};
109 static const struct generic_mapping grp_generic_mapping
= {
110 GENERIC_RIGHTS_GROUP_READ
,
111 GENERIC_RIGHTS_GROUP_WRITE
,
112 GENERIC_RIGHTS_GROUP_EXECUTE
,
113 GENERIC_RIGHTS_GROUP_ALL_ACCESS
};
114 static const struct generic_mapping ali_generic_mapping
= {
115 GENERIC_RIGHTS_ALIAS_READ
,
116 GENERIC_RIGHTS_ALIAS_WRITE
,
117 GENERIC_RIGHTS_ALIAS_EXECUTE
,
118 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
};
120 /*******************************************************************
121 *******************************************************************/
123 static NTSTATUS
make_samr_object_sd( TALLOC_CTX
*ctx
, SEC_DESC
**psd
, size_t *sd_size
,
124 const struct generic_mapping
*map
,
125 DOM_SID
*sid
, uint32 sid_access
)
127 DOM_SID domadmin_sid
;
128 SEC_ACE ace
[5]; /* at most 5 entries */
133 /* basic access for Everyone */
135 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
136 map
->generic_execute
| map
->generic_read
, 0);
138 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
140 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
141 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
142 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
143 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
145 /* Add Full Access for Domain Admins if we are a DC */
148 sid_copy( &domadmin_sid
, get_global_sam_sid() );
149 sid_append_rid( &domadmin_sid
, DOMAIN_GROUP_RID_ADMINS
);
150 init_sec_ace(&ace
[i
++], &domadmin_sid
,
151 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
154 /* if we have a sid, give it some special access */
157 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, sid_access
, 0);
160 /* create the security descriptor */
162 if ((psa
= make_sec_acl(ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
163 return NT_STATUS_NO_MEMORY
;
165 if ((*psd
= make_sec_desc(ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
166 SEC_DESC_SELF_RELATIVE
, NULL
, NULL
, NULL
,
167 psa
, sd_size
)) == NULL
)
168 return NT_STATUS_NO_MEMORY
;
173 /*******************************************************************
174 Checks if access to an object should be granted, and returns that
175 level of access for further checks.
176 ********************************************************************/
178 NTSTATUS
access_check_object( SEC_DESC
*psd
, NT_USER_TOKEN
*token
,
179 SE_PRIV
*rights
, uint32 rights_mask
,
180 uint32 des_access
, uint32
*acc_granted
,
183 NTSTATUS status
= NT_STATUS_ACCESS_DENIED
;
184 uint32 saved_mask
= 0;
186 /* check privileges; certain SAM access bits should be overridden
187 by privileges (mostly having to do with creating/modifying/deleting
190 if (rights
&& !se_priv_equal(rights
, &se_priv_none
) &&
191 user_has_any_privilege(token
, rights
)) {
193 saved_mask
= (des_access
& rights_mask
);
194 des_access
&= ~saved_mask
;
196 DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
201 /* check the security descriptor first */
203 status
= se_access_check(psd
, token
, des_access
, acc_granted
);
204 if (NT_STATUS_IS_OK(status
)) {
208 /* give root a free pass */
210 if ( geteuid() == sec_initial_uid() ) {
212 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug
, des_access
));
213 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
215 *acc_granted
= des_access
;
217 status
= NT_STATUS_OK
;
223 /* add in any bits saved during the privilege check (only
224 matters is status is ok) */
226 *acc_granted
|= rights_mask
;
228 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
229 debug
, NT_STATUS_IS_OK(status
) ? "GRANTED" : "DENIED",
230 des_access
, *acc_granted
));
236 /*******************************************************************
237 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
238 ********************************************************************/
240 void map_max_allowed_access(const NT_USER_TOKEN
*nt_token
,
241 const struct unix_user_token
*unix_token
,
242 uint32_t *pacc_requested
)
244 if (!((*pacc_requested
) & MAXIMUM_ALLOWED_ACCESS
)) {
247 *pacc_requested
&= ~MAXIMUM_ALLOWED_ACCESS
;
249 /* At least try for generic read|execute - Everyone gets that. */
250 *pacc_requested
= GENERIC_READ_ACCESS
|GENERIC_EXECUTE_ACCESS
;
252 /* root gets anything. */
253 if (unix_token
->uid
== sec_initial_uid()) {
254 *pacc_requested
|= GENERIC_ALL_ACCESS
;
258 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
260 if (is_sid_in_token(nt_token
, &global_sid_Builtin_Administrators
) ||
261 is_sid_in_token(nt_token
, &global_sid_Builtin_Account_Operators
)) {
262 *pacc_requested
|= GENERIC_ALL_ACCESS
;
266 /* Full access for DOMAIN\Domain Admins. */
268 DOM_SID domadmin_sid
;
269 sid_copy( &domadmin_sid
, get_global_sam_sid() );
270 sid_append_rid( &domadmin_sid
, DOMAIN_GROUP_RID_ADMINS
);
271 if (is_sid_in_token(nt_token
, &domadmin_sid
)) {
272 *pacc_requested
|= GENERIC_ALL_ACCESS
;
276 /* TODO ! Check privileges. */
279 /*******************************************************************
280 Fetch or create a dispinfo struct.
281 ********************************************************************/
283 static DISP_INFO
*get_samr_dispinfo_by_sid(const struct dom_sid
*psid
)
286 * We do a static cache for DISP_INFO's here. Explanation can be found
287 * in Jeremy's checkin message to r11793:
289 * Fix the SAMR cache so it works across completely insane
290 * client behaviour (ie.:
291 * open pipe/open SAMR handle/enumerate 0 - 1024
292 * close SAMR handle, close pipe.
293 * open pipe/open SAMR handle/enumerate 1024 - 2048...
294 * close SAMR handle, close pipe.
295 * And on ad-nausium. Amazing.... probably object-oriented
296 * client side programming in action yet again.
297 * This change should *massively* improve performance when
298 * enumerating users from an LDAP database.
301 * "Our" and the builtin domain are the only ones where we ever
302 * enumerate stuff, so just cache 2 entries.
305 static struct disp_info
*builtin_dispinfo
;
306 static struct disp_info
*domain_dispinfo
;
308 /* There are two cases to consider here:
309 1) The SID is a domain SID and we look for an equality match, or
310 2) This is an account SID and so we return the DISP_INFO* for our
317 if (sid_check_is_builtin(psid
) || sid_check_is_in_builtin(psid
)) {
319 * Necessary only once, but it does not really hurt.
321 if (builtin_dispinfo
== NULL
) {
322 builtin_dispinfo
= talloc_zero(
323 talloc_autofree_context(), struct disp_info
);
324 if (builtin_dispinfo
== NULL
) {
328 sid_copy(&builtin_dispinfo
->sid
, &global_sid_Builtin
);
330 return builtin_dispinfo
;
333 if (sid_check_is_domain(psid
) || sid_check_is_in_our_domain(psid
)) {
335 * Necessary only once, but it does not really hurt.
337 if (domain_dispinfo
== NULL
) {
338 domain_dispinfo
= talloc_zero(
339 talloc_autofree_context(), struct disp_info
);
340 if (domain_dispinfo
== NULL
) {
344 sid_copy(&domain_dispinfo
->sid
, get_global_sam_sid());
346 return domain_dispinfo
;
352 /*******************************************************************
353 Function to free the per SID data.
354 ********************************************************************/
356 static void free_samr_cache(DISP_INFO
*disp_info
)
358 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
359 sid_string_dbg(&disp_info
->sid
)));
361 /* We need to become root here because the paged search might have to
362 * tell the LDAP server we're not interested in the rest anymore. */
366 TALLOC_FREE(disp_info
->users
);
367 TALLOC_FREE(disp_info
->machines
);
368 TALLOC_FREE(disp_info
->groups
);
369 TALLOC_FREE(disp_info
->aliases
);
370 TALLOC_FREE(disp_info
->enum_users
);
375 /*******************************************************************
376 Idle event handler. Throw away the disp info cache.
377 ********************************************************************/
379 static void disp_info_cache_idle_timeout_handler(struct event_context
*ev_ctx
,
380 struct timed_event
*te
,
384 DISP_INFO
*disp_info
= (DISP_INFO
*)private_data
;
386 TALLOC_FREE(disp_info
->cache_timeout_event
);
388 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
390 free_samr_cache(disp_info
);
393 /*******************************************************************
394 Setup cache removal idle event handler.
395 ********************************************************************/
397 static void set_disp_info_cache_timeout(DISP_INFO
*disp_info
, time_t secs_fromnow
)
399 /* Remove any pending timeout and update. */
401 TALLOC_FREE(disp_info
->cache_timeout_event
);
403 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
404 "SID %s for %u seconds\n", sid_string_dbg(&disp_info
->sid
),
405 (unsigned int)secs_fromnow
));
407 disp_info
->cache_timeout_event
= event_add_timed(
408 smbd_event_context(), NULL
,
409 timeval_current_ofs(secs_fromnow
, 0),
410 disp_info_cache_idle_timeout_handler
, (void *)disp_info
);
413 /*******************************************************************
414 Force flush any cache. We do this on any samr_set_xxx call.
415 We must also remove the timeout handler.
416 ********************************************************************/
418 static void force_flush_samr_cache(const struct dom_sid
*sid
)
420 struct disp_info
*disp_info
= get_samr_dispinfo_by_sid(sid
);
422 if ((disp_info
== NULL
) || (disp_info
->cache_timeout_event
== NULL
)) {
426 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
427 TALLOC_FREE(disp_info
->cache_timeout_event
);
428 free_samr_cache(disp_info
);
431 /*******************************************************************
432 Ensure password info is never given out. Paranioa... JRA.
433 ********************************************************************/
435 static void samr_clear_sam_passwd(struct samu
*sam_pass
)
441 /* These now zero out the old password */
443 pdb_set_lanman_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
444 pdb_set_nt_passwd(sam_pass
, NULL
, PDB_DEFAULT
);
447 static uint32
count_sam_users(struct disp_info
*info
, uint32 acct_flags
)
449 struct samr_displayentry
*entry
;
451 if (sid_check_is_builtin(&info
->sid
)) {
452 /* No users in builtin. */
456 if (info
->users
== NULL
) {
457 info
->users
= pdb_search_users(info
, acct_flags
);
458 if (info
->users
== NULL
) {
462 /* Fetch the last possible entry, thus trigger an enumeration */
463 pdb_search_entries(info
->users
, 0xffffffff, 1, &entry
);
465 /* Ensure we cache this enumeration. */
466 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
468 return info
->users
->num_entries
;
471 static uint32
count_sam_groups(struct disp_info
*info
)
473 struct samr_displayentry
*entry
;
475 if (sid_check_is_builtin(&info
->sid
)) {
476 /* No groups in builtin. */
480 if (info
->groups
== NULL
) {
481 info
->groups
= pdb_search_groups(info
);
482 if (info
->groups
== NULL
) {
486 /* Fetch the last possible entry, thus trigger an enumeration */
487 pdb_search_entries(info
->groups
, 0xffffffff, 1, &entry
);
489 /* Ensure we cache this enumeration. */
490 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
492 return info
->groups
->num_entries
;
495 static uint32
count_sam_aliases(struct disp_info
*info
)
497 struct samr_displayentry
*entry
;
499 if (info
->aliases
== NULL
) {
500 info
->aliases
= pdb_search_aliases(info
, &info
->sid
);
501 if (info
->aliases
== NULL
) {
505 /* Fetch the last possible entry, thus trigger an enumeration */
506 pdb_search_entries(info
->aliases
, 0xffffffff, 1, &entry
);
508 /* Ensure we cache this enumeration. */
509 set_disp_info_cache_timeout(info
, DISP_INFO_CACHE_TIMEOUT
);
511 return info
->aliases
->num_entries
;
514 /*******************************************************************
516 ********************************************************************/
518 NTSTATUS
_samr_Close(pipes_struct
*p
, struct samr_Close
*r
)
520 if (!close_policy_hnd(p
, r
->in
.handle
)) {
521 return NT_STATUS_INVALID_HANDLE
;
524 ZERO_STRUCTP(r
->out
.handle
);
529 /*******************************************************************
531 ********************************************************************/
533 NTSTATUS
_samr_OpenDomain(pipes_struct
*p
,
534 struct samr_OpenDomain
*r
)
536 struct samr_connect_info
*cinfo
;
537 struct samr_domain_info
*dinfo
;
538 SEC_DESC
*psd
= NULL
;
540 uint32 des_access
= r
->in
.access_mask
;
543 uint32_t extra_access
= SAMR_DOMAIN_ACCESS_CREATE_USER
;
546 /* find the connection policy handle. */
548 cinfo
= policy_handle_find(p
, r
->in
.connect_handle
, 0, NULL
,
549 struct samr_connect_info
, &status
);
550 if (!NT_STATUS_IS_OK(status
)) {
554 /*check if access can be granted as requested by client. */
555 map_max_allowed_access(p
->server_info
->ptok
,
556 &p
->server_info
->utok
,
559 make_samr_object_sd( p
->mem_ctx
, &psd
, &sd_size
, &dom_generic_mapping
, NULL
, 0 );
560 se_map_generic( &des_access
, &dom_generic_mapping
);
563 * Users with SeMachineAccount or SeAddUser get additional
564 * SAMR_DOMAIN_ACCESS_CREATE_USER access.
566 se_priv_copy( &se_rights
, &se_machine_account
);
567 se_priv_add( &se_rights
, &se_add_users
);
570 * Users with SeAddUser get the ability to manipulate groups
573 if (user_has_any_privilege(p
->server_info
->ptok
, &se_add_users
)) {
574 extra_access
|= (SAMR_DOMAIN_ACCESS_CREATE_GROUP
|
575 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
|
576 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
|
577 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
|
578 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
);
581 status
= access_check_object( psd
, p
->server_info
->ptok
,
582 &se_rights
, extra_access
, des_access
,
583 &acc_granted
, "_samr_OpenDomain" );
585 if ( !NT_STATUS_IS_OK(status
) )
588 if (!sid_check_is_domain(r
->in
.sid
) &&
589 !sid_check_is_builtin(r
->in
.sid
)) {
590 return NT_STATUS_NO_SUCH_DOMAIN
;
593 dinfo
= policy_handle_create(p
, r
->out
.domain_handle
, acc_granted
,
594 struct samr_domain_info
, &status
);
595 if (!NT_STATUS_IS_OK(status
)) {
598 dinfo
->sid
= *r
->in
.sid
;
599 dinfo
->disp_info
= get_samr_dispinfo_by_sid(r
->in
.sid
);
601 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__
));
606 /*******************************************************************
608 ********************************************************************/
610 NTSTATUS
_samr_GetUserPwInfo(pipes_struct
*p
,
611 struct samr_GetUserPwInfo
*r
)
613 struct samr_user_info
*uinfo
;
614 enum lsa_SidType sid_type
;
615 uint32_t min_password_length
= 0;
616 uint32_t password_properties
= 0;
620 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
622 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
623 SAMR_USER_ACCESS_GET_ATTRIBUTES
, NULL
,
624 struct samr_user_info
, &status
);
625 if (!NT_STATUS_IS_OK(status
)) {
629 if (!sid_check_is_in_our_domain(&uinfo
->sid
)) {
630 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
634 ret
= lookup_sid(p
->mem_ctx
, &uinfo
->sid
, NULL
, NULL
, &sid_type
);
637 return NT_STATUS_NO_SUCH_USER
;
643 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
,
644 &min_password_length
);
645 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
646 &password_properties
);
649 if (lp_check_password_script() && *lp_check_password_script()) {
650 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
658 r
->out
.info
->min_password_length
= min_password_length
;
659 r
->out
.info
->password_properties
= password_properties
;
661 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__
));
666 /*******************************************************************
668 ********************************************************************/
670 NTSTATUS
_samr_SetSecurity(pipes_struct
*p
,
671 struct samr_SetSecurity
*r
)
673 struct samr_user_info
*uinfo
;
677 struct samu
*sampass
=NULL
;
680 uinfo
= policy_handle_find(p
, r
->in
.handle
,
681 SAMR_USER_ACCESS_SET_ATTRIBUTES
, NULL
,
682 struct samr_user_info
, &status
);
683 if (!NT_STATUS_IS_OK(status
)) {
687 if (!(sampass
= samu_new( p
->mem_ctx
))) {
688 DEBUG(0,("No memory!\n"));
689 return NT_STATUS_NO_MEMORY
;
692 /* get the user record */
694 ret
= pdb_getsampwsid(sampass
, &uinfo
->sid
);
698 DEBUG(4, ("User %s not found\n",
699 sid_string_dbg(&uinfo
->sid
)));
700 TALLOC_FREE(sampass
);
701 return NT_STATUS_INVALID_HANDLE
;
704 dacl
= r
->in
.sdbuf
->sd
->dacl
;
705 for (i
=0; i
< dacl
->num_aces
; i
++) {
706 if (sid_equal(&uinfo
->sid
, &dacl
->aces
[i
].trustee
)) {
707 ret
= pdb_set_pass_can_change(sampass
,
708 (dacl
->aces
[i
].access_mask
&
709 SAMR_USER_ACCESS_CHANGE_PASSWORD
) ?
716 TALLOC_FREE(sampass
);
717 return NT_STATUS_ACCESS_DENIED
;
721 status
= pdb_update_sam_account(sampass
);
724 TALLOC_FREE(sampass
);
729 /*******************************************************************
730 build correct perms based on policies and password times for _samr_query_sec_obj
731 *******************************************************************/
732 static bool check_change_pw_access(TALLOC_CTX
*mem_ctx
, DOM_SID
*user_sid
)
734 struct samu
*sampass
=NULL
;
737 if ( !(sampass
= samu_new( mem_ctx
)) ) {
738 DEBUG(0,("No memory!\n"));
743 ret
= pdb_getsampwsid(sampass
, user_sid
);
747 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid
)));
748 TALLOC_FREE(sampass
);
752 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass
) ));
754 if (pdb_get_pass_can_change(sampass
)) {
755 TALLOC_FREE(sampass
);
758 TALLOC_FREE(sampass
);
763 /*******************************************************************
765 ********************************************************************/
767 NTSTATUS
_samr_QuerySecurity(pipes_struct
*p
,
768 struct samr_QuerySecurity
*r
)
770 struct samr_connect_info
*cinfo
;
771 struct samr_domain_info
*dinfo
;
772 struct samr_user_info
*uinfo
;
773 struct samr_group_info
*ginfo
;
774 struct samr_alias_info
*ainfo
;
776 SEC_DESC
* psd
= NULL
;
779 cinfo
= policy_handle_find(p
, r
->in
.handle
,
780 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
781 struct samr_connect_info
, &status
);
782 if (NT_STATUS_IS_OK(status
)) {
783 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
784 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
785 &sam_generic_mapping
, NULL
, 0);
789 dinfo
= policy_handle_find(p
, r
->in
.handle
,
790 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
791 struct samr_domain_info
, &status
);
792 if (NT_STATUS_IS_OK(status
)) {
793 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
794 "with SID: %s\n", sid_string_dbg(&dinfo
->sid
)));
796 * TODO: Builtin probably needs a different SD with restricted
799 status
= make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
800 &dom_generic_mapping
, NULL
, 0);
804 uinfo
= policy_handle_find(p
, r
->in
.handle
,
805 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
806 struct samr_user_info
, &status
);
807 if (NT_STATUS_IS_OK(status
)) {
808 DEBUG(10,("_samr_QuerySecurity: querying security on user "
809 "Object with SID: %s\n",
810 sid_string_dbg(&uinfo
->sid
)));
811 if (check_change_pw_access(p
->mem_ctx
, &uinfo
->sid
)) {
812 status
= make_samr_object_sd(
813 p
->mem_ctx
, &psd
, &sd_size
,
814 &usr_generic_mapping
,
815 &uinfo
->sid
, SAMR_USR_RIGHTS_WRITE_PW
);
817 status
= make_samr_object_sd(
818 p
->mem_ctx
, &psd
, &sd_size
,
819 &usr_nopwchange_generic_mapping
,
820 &uinfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
825 ginfo
= policy_handle_find(p
, r
->in
.handle
,
826 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
827 struct samr_group_info
, &status
);
828 if (NT_STATUS_IS_OK(status
)) {
830 * TODO: different SDs have to be generated for aliases groups
831 * and users. Currently all three get a default user SD
833 DEBUG(10,("_samr_QuerySecurity: querying security on group "
834 "Object with SID: %s\n",
835 sid_string_dbg(&ginfo
->sid
)));
836 status
= make_samr_object_sd(
837 p
->mem_ctx
, &psd
, &sd_size
,
838 &usr_nopwchange_generic_mapping
,
839 &ginfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
843 ainfo
= policy_handle_find(p
, r
->in
.handle
,
844 STD_RIGHT_READ_CONTROL_ACCESS
, NULL
,
845 struct samr_alias_info
, &status
);
846 if (NT_STATUS_IS_OK(status
)) {
848 * TODO: different SDs have to be generated for aliases groups
849 * and users. Currently all three get a default user SD
851 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
852 "Object with SID: %s\n",
853 sid_string_dbg(&ainfo
->sid
)));
854 status
= make_samr_object_sd(
855 p
->mem_ctx
, &psd
, &sd_size
,
856 &usr_nopwchange_generic_mapping
,
857 &ainfo
->sid
, SAMR_USR_RIGHTS_CANT_WRITE_PW
);
861 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
863 if ((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
864 return NT_STATUS_NO_MEMORY
;
869 /*******************************************************************
870 makes a SAM_ENTRY / UNISTR2* structure from a user list.
871 ********************************************************************/
873 static NTSTATUS
make_user_sam_entry_list(TALLOC_CTX
*ctx
,
874 struct samr_SamEntry
**sam_pp
,
875 uint32_t num_entries
,
877 struct samr_displayentry
*entries
)
880 struct samr_SamEntry
*sam
;
884 if (num_entries
== 0) {
888 sam
= TALLOC_ZERO_ARRAY(ctx
, struct samr_SamEntry
, num_entries
);
890 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
891 return NT_STATUS_NO_MEMORY
;
894 for (i
= 0; i
< num_entries
; i
++) {
897 * usrmgr expects a non-NULL terminated string with
898 * trust relationships
900 if (entries
[i
].acct_flags
& ACB_DOMTRUST
) {
901 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
904 init_unistr2(&uni_temp_name
, entries
[i
].account_name
,
908 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
909 sam
[i
].idx
= entries
[i
].rid
;
917 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
919 /*******************************************************************
920 _samr_EnumDomainUsers
921 ********************************************************************/
923 NTSTATUS
_samr_EnumDomainUsers(pipes_struct
*p
,
924 struct samr_EnumDomainUsers
*r
)
927 struct samr_domain_info
*dinfo
;
929 uint32 enum_context
= *r
->in
.resume_handle
;
930 enum remote_arch_types ra_type
= get_remote_arch();
931 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
932 uint32 max_entries
= max_sam_entries
;
933 struct samr_displayentry
*entries
= NULL
;
934 struct samr_SamArray
*samr_array
= NULL
;
935 struct samr_SamEntry
*samr_entries
= NULL
;
937 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
939 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
940 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
941 struct samr_domain_info
, &status
);
942 if (!NT_STATUS_IS_OK(status
)) {
946 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
948 return NT_STATUS_NO_MEMORY
;
950 *r
->out
.sam
= samr_array
;
952 if (sid_check_is_builtin(&dinfo
->sid
)) {
953 /* No users in builtin. */
954 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
955 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
963 if ((dinfo
->disp_info
->enum_users
!= NULL
) &&
964 (dinfo
->disp_info
->enum_acb_mask
!= r
->in
.acct_flags
)) {
965 TALLOC_FREE(dinfo
->disp_info
->enum_users
);
968 if (dinfo
->disp_info
->enum_users
== NULL
) {
969 dinfo
->disp_info
->enum_users
= pdb_search_users(
970 dinfo
->disp_info
, r
->in
.acct_flags
);
971 dinfo
->disp_info
->enum_acb_mask
= r
->in
.acct_flags
;
974 if (dinfo
->disp_info
->enum_users
== NULL
) {
975 /* END AS ROOT !!!! */
977 return NT_STATUS_ACCESS_DENIED
;
980 num_account
= pdb_search_entries(dinfo
->disp_info
->enum_users
,
981 enum_context
, max_entries
,
984 /* END AS ROOT !!!! */
988 if (num_account
== 0) {
989 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
991 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
995 status
= make_user_sam_entry_list(p
->mem_ctx
, &samr_entries
,
996 num_account
, enum_context
,
998 if (!NT_STATUS_IS_OK(status
)) {
1002 if (max_entries
<= num_account
) {
1003 status
= STATUS_MORE_ENTRIES
;
1005 status
= NT_STATUS_OK
;
1008 /* Ensure we cache this enumeration. */
1009 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1011 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__
));
1013 samr_array
->count
= num_account
;
1014 samr_array
->entries
= samr_entries
;
1016 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ num_account
;
1017 *r
->out
.num_entries
= num_account
;
1019 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__
));
1024 /*******************************************************************
1025 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1026 ********************************************************************/
1028 static void make_group_sam_entry_list(TALLOC_CTX
*ctx
,
1029 struct samr_SamEntry
**sam_pp
,
1030 uint32_t num_sam_entries
,
1031 struct samr_displayentry
*entries
)
1033 struct samr_SamEntry
*sam
;
1038 if (num_sam_entries
== 0) {
1042 sam
= TALLOC_ZERO_ARRAY(ctx
, struct samr_SamEntry
, num_sam_entries
);
1047 for (i
= 0; i
< num_sam_entries
; i
++) {
1049 * JRA. I think this should include the null. TNG does not.
1051 init_lsa_String(&sam
[i
].name
, entries
[i
].account_name
);
1052 sam
[i
].idx
= entries
[i
].rid
;
1058 /*******************************************************************
1059 _samr_EnumDomainGroups
1060 ********************************************************************/
1062 NTSTATUS
_samr_EnumDomainGroups(pipes_struct
*p
,
1063 struct samr_EnumDomainGroups
*r
)
1066 struct samr_domain_info
*dinfo
;
1067 struct samr_displayentry
*groups
;
1069 struct samr_SamArray
*samr_array
= NULL
;
1070 struct samr_SamEntry
*samr_entries
= NULL
;
1072 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1073 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1074 struct samr_domain_info
, &status
);
1075 if (!NT_STATUS_IS_OK(status
)) {
1079 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1081 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
1083 return NT_STATUS_NO_MEMORY
;
1085 *r
->out
.sam
= samr_array
;
1087 if (sid_check_is_builtin(&dinfo
->sid
)) {
1088 /* No groups in builtin. */
1089 *r
->out
.resume_handle
= *r
->in
.resume_handle
;
1090 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1094 /* the domain group array is being allocated in the function below */
1098 if (dinfo
->disp_info
->groups
== NULL
) {
1099 dinfo
->disp_info
->groups
= pdb_search_groups(dinfo
->disp_info
);
1101 if (dinfo
->disp_info
->groups
== NULL
) {
1103 return NT_STATUS_ACCESS_DENIED
;
1107 num_groups
= pdb_search_entries(dinfo
->disp_info
->groups
,
1108 *r
->in
.resume_handle
,
1109 MAX_SAM_ENTRIES
, &groups
);
1112 /* Ensure we cache this enumeration. */
1113 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1115 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1116 num_groups
, groups
);
1118 if (MAX_SAM_ENTRIES
<= num_groups
) {
1119 status
= STATUS_MORE_ENTRIES
;
1121 status
= NT_STATUS_OK
;
1124 samr_array
->count
= num_groups
;
1125 samr_array
->entries
= samr_entries
;
1127 *r
->out
.num_entries
= num_groups
;
1128 *r
->out
.resume_handle
= num_groups
+ *r
->in
.resume_handle
;
1130 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__
));
1135 /*******************************************************************
1136 _samr_EnumDomainAliases
1137 ********************************************************************/
1139 NTSTATUS
_samr_EnumDomainAliases(pipes_struct
*p
,
1140 struct samr_EnumDomainAliases
*r
)
1143 struct samr_domain_info
*dinfo
;
1144 struct samr_displayentry
*aliases
;
1145 uint32 num_aliases
= 0;
1146 struct samr_SamArray
*samr_array
= NULL
;
1147 struct samr_SamEntry
*samr_entries
= NULL
;
1149 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1150 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1151 struct samr_domain_info
, &status
);
1152 if (!NT_STATUS_IS_OK(status
)) {
1156 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1157 sid_string_dbg(&dinfo
->sid
)));
1159 samr_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
1161 return NT_STATUS_NO_MEMORY
;
1166 if (dinfo
->disp_info
->aliases
== NULL
) {
1167 dinfo
->disp_info
->aliases
= pdb_search_aliases(
1168 dinfo
->disp_info
, &dinfo
->sid
);
1169 if (dinfo
->disp_info
->aliases
== NULL
) {
1171 return NT_STATUS_ACCESS_DENIED
;
1175 num_aliases
= pdb_search_entries(dinfo
->disp_info
->aliases
,
1176 *r
->in
.resume_handle
,
1177 MAX_SAM_ENTRIES
, &aliases
);
1180 /* Ensure we cache this enumeration. */
1181 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1183 make_group_sam_entry_list(p
->mem_ctx
, &samr_entries
,
1184 num_aliases
, aliases
);
1186 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__
));
1188 if (MAX_SAM_ENTRIES
<= num_aliases
) {
1189 status
= STATUS_MORE_ENTRIES
;
1191 status
= NT_STATUS_OK
;
1194 samr_array
->count
= num_aliases
;
1195 samr_array
->entries
= samr_entries
;
1197 *r
->out
.sam
= samr_array
;
1198 *r
->out
.num_entries
= num_aliases
;
1199 *r
->out
.resume_handle
= num_aliases
+ *r
->in
.resume_handle
;
1204 /*******************************************************************
1205 inits a samr_DispInfoGeneral structure.
1206 ********************************************************************/
1208 static NTSTATUS
init_samr_dispinfo_1(TALLOC_CTX
*ctx
,
1209 struct samr_DispInfoGeneral
*r
,
1210 uint32_t num_entries
,
1212 struct samr_displayentry
*entries
)
1216 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries
));
1218 if (num_entries
== 0) {
1219 return NT_STATUS_OK
;
1222 r
->count
= num_entries
;
1224 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryGeneral
, num_entries
);
1226 return NT_STATUS_NO_MEMORY
;
1229 for (i
= 0; i
< num_entries
; i
++) {
1231 init_lsa_String(&r
->entries
[i
].account_name
,
1232 entries
[i
].account_name
);
1234 init_lsa_String(&r
->entries
[i
].description
,
1235 entries
[i
].description
);
1237 init_lsa_String(&r
->entries
[i
].full_name
,
1238 entries
[i
].fullname
);
1240 r
->entries
[i
].rid
= entries
[i
].rid
;
1241 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1242 r
->entries
[i
].idx
= start_idx
+i
+1;
1245 return NT_STATUS_OK
;
1248 /*******************************************************************
1249 inits a samr_DispInfoFull structure.
1250 ********************************************************************/
1252 static NTSTATUS
init_samr_dispinfo_2(TALLOC_CTX
*ctx
,
1253 struct samr_DispInfoFull
*r
,
1254 uint32_t num_entries
,
1256 struct samr_displayentry
*entries
)
1260 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries
));
1262 if (num_entries
== 0) {
1263 return NT_STATUS_OK
;
1266 r
->count
= num_entries
;
1268 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryFull
, num_entries
);
1270 return NT_STATUS_NO_MEMORY
;
1273 for (i
= 0; i
< num_entries
; i
++) {
1275 init_lsa_String(&r
->entries
[i
].account_name
,
1276 entries
[i
].account_name
);
1278 init_lsa_String(&r
->entries
[i
].description
,
1279 entries
[i
].description
);
1281 r
->entries
[i
].rid
= entries
[i
].rid
;
1282 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1283 r
->entries
[i
].idx
= start_idx
+i
+1;
1286 return NT_STATUS_OK
;
1289 /*******************************************************************
1290 inits a samr_DispInfoFullGroups structure.
1291 ********************************************************************/
1293 static NTSTATUS
init_samr_dispinfo_3(TALLOC_CTX
*ctx
,
1294 struct samr_DispInfoFullGroups
*r
,
1295 uint32_t num_entries
,
1297 struct samr_displayentry
*entries
)
1301 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries
));
1303 if (num_entries
== 0) {
1304 return NT_STATUS_OK
;
1307 r
->count
= num_entries
;
1309 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryFullGroup
, num_entries
);
1311 return NT_STATUS_NO_MEMORY
;
1314 for (i
= 0; i
< num_entries
; i
++) {
1316 init_lsa_String(&r
->entries
[i
].account_name
,
1317 entries
[i
].account_name
);
1319 init_lsa_String(&r
->entries
[i
].description
,
1320 entries
[i
].description
);
1322 r
->entries
[i
].rid
= entries
[i
].rid
;
1323 r
->entries
[i
].acct_flags
= entries
[i
].acct_flags
;
1324 r
->entries
[i
].idx
= start_idx
+i
+1;
1327 return NT_STATUS_OK
;
1330 /*******************************************************************
1331 inits a samr_DispInfoAscii structure.
1332 ********************************************************************/
1334 static NTSTATUS
init_samr_dispinfo_4(TALLOC_CTX
*ctx
,
1335 struct samr_DispInfoAscii
*r
,
1336 uint32_t num_entries
,
1338 struct samr_displayentry
*entries
)
1342 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries
));
1344 if (num_entries
== 0) {
1345 return NT_STATUS_OK
;
1348 r
->count
= num_entries
;
1350 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryAscii
, num_entries
);
1352 return NT_STATUS_NO_MEMORY
;
1355 for (i
= 0; i
< num_entries
; i
++) {
1357 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1358 entries
[i
].account_name
);
1360 r
->entries
[i
].idx
= start_idx
+i
+1;
1363 return NT_STATUS_OK
;
1366 /*******************************************************************
1367 inits a samr_DispInfoAscii structure.
1368 ********************************************************************/
1370 static NTSTATUS
init_samr_dispinfo_5(TALLOC_CTX
*ctx
,
1371 struct samr_DispInfoAscii
*r
,
1372 uint32_t num_entries
,
1374 struct samr_displayentry
*entries
)
1378 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries
));
1380 if (num_entries
== 0) {
1381 return NT_STATUS_OK
;
1384 r
->count
= num_entries
;
1386 r
->entries
= TALLOC_ZERO_ARRAY(ctx
, struct samr_DispEntryAscii
, num_entries
);
1388 return NT_STATUS_NO_MEMORY
;
1391 for (i
= 0; i
< num_entries
; i
++) {
1393 init_lsa_AsciiStringLarge(&r
->entries
[i
].account_name
,
1394 entries
[i
].account_name
);
1396 r
->entries
[i
].idx
= start_idx
+i
+1;
1399 return NT_STATUS_OK
;
1402 /*******************************************************************
1403 _samr_QueryDisplayInfo
1404 ********************************************************************/
1406 NTSTATUS
_samr_QueryDisplayInfo(pipes_struct
*p
,
1407 struct samr_QueryDisplayInfo
*r
)
1410 struct samr_domain_info
*dinfo
;
1411 uint32 struct_size
=0x20; /* W2K always reply that, client doesn't care */
1413 uint32 max_entries
= r
->in
.max_entries
;
1415 union samr_DispInfo
*disp_info
= r
->out
.info
;
1418 NTSTATUS disp_ret
= NT_STATUS_UNSUCCESSFUL
;
1419 uint32 num_account
= 0;
1420 enum remote_arch_types ra_type
= get_remote_arch();
1421 int max_sam_entries
= (ra_type
== RA_WIN95
) ? MAX_SAM_ENTRIES_W95
: MAX_SAM_ENTRIES_W2K
;
1422 struct samr_displayentry
*entries
= NULL
;
1424 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1426 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1427 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
1428 struct samr_domain_info
, &status
);
1429 if (!NT_STATUS_IS_OK(status
)) {
1433 if (sid_check_is_builtin(&dinfo
->sid
)) {
1434 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1435 return NT_STATUS_OK
;
1439 * calculate how many entries we will return.
1441 * - the number of entries the client asked
1442 * - our limit on that
1443 * - the starting point (enumeration context)
1444 * - the buffer size the client will accept
1448 * We are a lot more like W2K. Instead of reading the SAM
1449 * each time to find the records we need to send back,
1450 * we read it once and link that copy to the sam handle.
1451 * For large user list (over the MAX_SAM_ENTRIES)
1452 * it's a definitive win.
1453 * second point to notice: between enumerations
1454 * our sam is now the same as it's a snapshoot.
1455 * third point: got rid of the static SAM_USER_21 struct
1456 * no more intermediate.
1457 * con: it uses much more memory, as a full copy is stored
1460 * If you want to change it, think twice and think
1461 * of the second point , that's really important.
1466 if ((r
->in
.level
< 1) || (r
->in
.level
> 5)) {
1467 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1468 (unsigned int)r
->in
.level
));
1469 return NT_STATUS_INVALID_INFO_CLASS
;
1472 /* first limit the number of entries we will return */
1473 if (r
->in
.max_entries
> max_sam_entries
) {
1474 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1475 "entries, limiting to %d\n", r
->in
.max_entries
,
1477 max_entries
= max_sam_entries
;
1480 /* calculate the size and limit on the number of entries we will
1483 temp_size
=max_entries
*struct_size
;
1485 if (temp_size
> r
->in
.buf_size
) {
1486 max_entries
= MIN((r
->in
.buf_size
/ struct_size
),max_entries
);;
1487 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1488 "only %d entries\n", max_entries
));
1493 /* THe following done as ROOT. Don't return without unbecome_root(). */
1495 switch (r
->in
.level
) {
1498 if (dinfo
->disp_info
->users
== NULL
) {
1499 dinfo
->disp_info
->users
= pdb_search_users(
1500 dinfo
->disp_info
, ACB_NORMAL
);
1501 if (dinfo
->disp_info
->users
== NULL
) {
1503 return NT_STATUS_ACCESS_DENIED
;
1505 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1506 (unsigned int)r
->in
.start_idx
));
1508 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1509 (unsigned int)r
->in
.start_idx
));
1512 num_account
= pdb_search_entries(dinfo
->disp_info
->users
,
1513 r
->in
.start_idx
, max_entries
,
1517 if (dinfo
->disp_info
->machines
== NULL
) {
1518 dinfo
->disp_info
->machines
= pdb_search_users(
1519 dinfo
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
1520 if (dinfo
->disp_info
->machines
== NULL
) {
1522 return NT_STATUS_ACCESS_DENIED
;
1524 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1525 (unsigned int)r
->in
.start_idx
));
1527 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1528 (unsigned int)r
->in
.start_idx
));
1531 num_account
= pdb_search_entries(dinfo
->disp_info
->machines
,
1532 r
->in
.start_idx
, max_entries
,
1537 if (dinfo
->disp_info
->groups
== NULL
) {
1538 dinfo
->disp_info
->groups
= pdb_search_groups(
1540 if (dinfo
->disp_info
->groups
== NULL
) {
1542 return NT_STATUS_ACCESS_DENIED
;
1544 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1545 (unsigned int)r
->in
.start_idx
));
1547 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1548 (unsigned int)r
->in
.start_idx
));
1551 num_account
= pdb_search_entries(dinfo
->disp_info
->groups
,
1552 r
->in
.start_idx
, max_entries
,
1557 smb_panic("info class changed");
1563 /* Now create reply structure */
1564 switch (r
->in
.level
) {
1566 disp_ret
= init_samr_dispinfo_1(p
->mem_ctx
, &disp_info
->info1
,
1567 num_account
, r
->in
.start_idx
,
1571 disp_ret
= init_samr_dispinfo_2(p
->mem_ctx
, &disp_info
->info2
,
1572 num_account
, r
->in
.start_idx
,
1576 disp_ret
= init_samr_dispinfo_3(p
->mem_ctx
, &disp_info
->info3
,
1577 num_account
, r
->in
.start_idx
,
1581 disp_ret
= init_samr_dispinfo_4(p
->mem_ctx
, &disp_info
->info4
,
1582 num_account
, r
->in
.start_idx
,
1586 disp_ret
= init_samr_dispinfo_5(p
->mem_ctx
, &disp_info
->info5
,
1587 num_account
, r
->in
.start_idx
,
1591 smb_panic("info class changed");
1595 if (!NT_STATUS_IS_OK(disp_ret
))
1598 if (max_entries
<= num_account
) {
1599 status
= STATUS_MORE_ENTRIES
;
1601 status
= NT_STATUS_OK
;
1604 /* Ensure we cache this enumeration. */
1605 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
1607 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__
));
1609 *r
->out
.total_size
= num_account
* struct_size
;
1610 *r
->out
.returned_size
= num_account
? temp_size
: 0;
1615 /****************************************************************
1616 _samr_QueryDisplayInfo2
1617 ****************************************************************/
1619 NTSTATUS
_samr_QueryDisplayInfo2(pipes_struct
*p
,
1620 struct samr_QueryDisplayInfo2
*r
)
1622 struct samr_QueryDisplayInfo q
;
1624 q
.in
.domain_handle
= r
->in
.domain_handle
;
1625 q
.in
.level
= r
->in
.level
;
1626 q
.in
.start_idx
= r
->in
.start_idx
;
1627 q
.in
.max_entries
= r
->in
.max_entries
;
1628 q
.in
.buf_size
= r
->in
.buf_size
;
1630 q
.out
.total_size
= r
->out
.total_size
;
1631 q
.out
.returned_size
= r
->out
.returned_size
;
1632 q
.out
.info
= r
->out
.info
;
1634 return _samr_QueryDisplayInfo(p
, &q
);
1637 /****************************************************************
1638 _samr_QueryDisplayInfo3
1639 ****************************************************************/
1641 NTSTATUS
_samr_QueryDisplayInfo3(pipes_struct
*p
,
1642 struct samr_QueryDisplayInfo3
*r
)
1644 struct samr_QueryDisplayInfo q
;
1646 q
.in
.domain_handle
= r
->in
.domain_handle
;
1647 q
.in
.level
= r
->in
.level
;
1648 q
.in
.start_idx
= r
->in
.start_idx
;
1649 q
.in
.max_entries
= r
->in
.max_entries
;
1650 q
.in
.buf_size
= r
->in
.buf_size
;
1652 q
.out
.total_size
= r
->out
.total_size
;
1653 q
.out
.returned_size
= r
->out
.returned_size
;
1654 q
.out
.info
= r
->out
.info
;
1656 return _samr_QueryDisplayInfo(p
, &q
);
1659 /*******************************************************************
1660 _samr_QueryAliasInfo
1661 ********************************************************************/
1663 NTSTATUS
_samr_QueryAliasInfo(pipes_struct
*p
,
1664 struct samr_QueryAliasInfo
*r
)
1666 struct samr_alias_info
*ainfo
;
1667 struct acct_info info
;
1669 union samr_AliasInfo
*alias_info
= NULL
;
1670 const char *alias_name
= NULL
;
1671 const char *alias_description
= NULL
;
1673 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1675 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
1676 SAMR_ALIAS_ACCESS_LOOKUP_INFO
, NULL
,
1677 struct samr_alias_info
, &status
);
1678 if (!NT_STATUS_IS_OK(status
)) {
1682 alias_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_AliasInfo
);
1684 return NT_STATUS_NO_MEMORY
;
1688 status
= pdb_get_aliasinfo(&ainfo
->sid
, &info
);
1691 if ( !NT_STATUS_IS_OK(status
))
1694 /* FIXME: info contains fstrings */
1695 alias_name
= talloc_strdup(r
, info
.acct_name
);
1696 alias_description
= talloc_strdup(r
, info
.acct_desc
);
1698 switch (r
->in
.level
) {
1700 alias_info
->all
.name
.string
= alias_name
;
1701 alias_info
->all
.num_members
= 1; /* ??? */
1702 alias_info
->all
.description
.string
= alias_description
;
1705 alias_info
->name
.string
= alias_name
;
1707 case ALIASINFODESCRIPTION
:
1708 alias_info
->description
.string
= alias_description
;
1711 return NT_STATUS_INVALID_INFO_CLASS
;
1714 *r
->out
.info
= alias_info
;
1716 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__
));
1718 return NT_STATUS_OK
;
1721 /*******************************************************************
1723 ********************************************************************/
1725 NTSTATUS
_samr_LookupNames(pipes_struct
*p
,
1726 struct samr_LookupNames
*r
)
1728 struct samr_domain_info
*dinfo
;
1731 enum lsa_SidType
*type
;
1733 int num_rids
= r
->in
.num_names
;
1734 struct samr_Ids rids
, types
;
1735 uint32_t num_mapped
= 0;
1737 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1739 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
1740 0 /* Don't know the acc_bits yet */, NULL
,
1741 struct samr_domain_info
, &status
);
1742 if (!NT_STATUS_IS_OK(status
)) {
1746 if (num_rids
> MAX_SAM_ENTRIES
) {
1747 num_rids
= MAX_SAM_ENTRIES
;
1748 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids
));
1751 rid
= talloc_array(p
->mem_ctx
, uint32
, num_rids
);
1752 NT_STATUS_HAVE_NO_MEMORY(rid
);
1754 type
= talloc_array(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
1755 NT_STATUS_HAVE_NO_MEMORY(type
);
1757 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1758 sid_string_dbg(&dinfo
->sid
)));
1760 for (i
= 0; i
< num_rids
; i
++) {
1762 status
= NT_STATUS_NONE_MAPPED
;
1763 type
[i
] = SID_NAME_UNKNOWN
;
1765 rid
[i
] = 0xffffffff;
1767 if (sid_check_is_builtin(&dinfo
->sid
)) {
1768 if (lookup_builtin_name(r
->in
.names
[i
].string
,
1771 type
[i
] = SID_NAME_ALIAS
;
1774 lookup_global_sam_name(r
->in
.names
[i
].string
, 0,
1778 if (type
[i
] != SID_NAME_UNKNOWN
) {
1783 if (num_mapped
== num_rids
) {
1784 status
= NT_STATUS_OK
;
1785 } else if (num_mapped
== 0) {
1786 status
= NT_STATUS_NONE_MAPPED
;
1788 status
= STATUS_SOME_UNMAPPED
;
1791 rids
.count
= num_rids
;
1794 types
.count
= num_rids
;
1797 *r
->out
.rids
= rids
;
1798 *r
->out
.types
= types
;
1800 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__
));
1805 /****************************************************************
1806 _samr_ChangePasswordUser
1807 ****************************************************************/
1809 NTSTATUS
_samr_ChangePasswordUser(pipes_struct
*p
,
1810 struct samr_ChangePasswordUser
*r
)
1814 struct samr_user_info
*uinfo
;
1816 struct samr_Password new_lmPwdHash
, new_ntPwdHash
, checkHash
;
1817 struct samr_Password lm_pwd
, nt_pwd
;
1819 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
1820 SAMR_USER_ACCESS_SET_PASSWORD
, NULL
,
1821 struct samr_user_info
, &status
);
1822 if (!NT_STATUS_IS_OK(status
)) {
1826 DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1827 sid_string_dbg(&uinfo
->sid
)));
1829 if (!(pwd
= samu_new(NULL
))) {
1830 return NT_STATUS_NO_MEMORY
;
1834 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
1839 return NT_STATUS_WRONG_PASSWORD
;
1843 const uint8_t *lm_pass
, *nt_pass
;
1845 lm_pass
= pdb_get_lanman_passwd(pwd
);
1846 nt_pass
= pdb_get_nt_passwd(pwd
);
1848 if (!lm_pass
|| !nt_pass
) {
1849 status
= NT_STATUS_WRONG_PASSWORD
;
1853 memcpy(&lm_pwd
.hash
, lm_pass
, sizeof(lm_pwd
.hash
));
1854 memcpy(&nt_pwd
.hash
, nt_pass
, sizeof(nt_pwd
.hash
));
1857 /* basic sanity checking on parameters. Do this before any database ops */
1858 if (!r
->in
.lm_present
|| !r
->in
.nt_present
||
1859 !r
->in
.old_lm_crypted
|| !r
->in
.new_lm_crypted
||
1860 !r
->in
.old_nt_crypted
|| !r
->in
.new_nt_crypted
) {
1861 /* we should really handle a change with lm not
1863 status
= NT_STATUS_INVALID_PARAMETER_MIX
;
1867 /* decrypt and check the new lm hash */
1868 D_P16(lm_pwd
.hash
, r
->in
.new_lm_crypted
->hash
, new_lmPwdHash
.hash
);
1869 D_P16(new_lmPwdHash
.hash
, r
->in
.old_lm_crypted
->hash
, checkHash
.hash
);
1870 if (memcmp(checkHash
.hash
, lm_pwd
.hash
, 16) != 0) {
1871 status
= NT_STATUS_WRONG_PASSWORD
;
1875 /* decrypt and check the new nt hash */
1876 D_P16(nt_pwd
.hash
, r
->in
.new_nt_crypted
->hash
, new_ntPwdHash
.hash
);
1877 D_P16(new_ntPwdHash
.hash
, r
->in
.old_nt_crypted
->hash
, checkHash
.hash
);
1878 if (memcmp(checkHash
.hash
, nt_pwd
.hash
, 16) != 0) {
1879 status
= NT_STATUS_WRONG_PASSWORD
;
1883 /* The NT Cross is not required by Win2k3 R2, but if present
1884 check the nt cross hash */
1885 if (r
->in
.cross1_present
&& r
->in
.nt_cross
) {
1886 D_P16(lm_pwd
.hash
, r
->in
.nt_cross
->hash
, checkHash
.hash
);
1887 if (memcmp(checkHash
.hash
, new_ntPwdHash
.hash
, 16) != 0) {
1888 status
= NT_STATUS_WRONG_PASSWORD
;
1893 /* The LM Cross is not required by Win2k3 R2, but if present
1894 check the lm cross hash */
1895 if (r
->in
.cross2_present
&& r
->in
.lm_cross
) {
1896 D_P16(nt_pwd
.hash
, r
->in
.lm_cross
->hash
, checkHash
.hash
);
1897 if (memcmp(checkHash
.hash
, new_lmPwdHash
.hash
, 16) != 0) {
1898 status
= NT_STATUS_WRONG_PASSWORD
;
1903 if (!pdb_set_nt_passwd(pwd
, new_ntPwdHash
.hash
, PDB_CHANGED
) ||
1904 !pdb_set_lanman_passwd(pwd
, new_lmPwdHash
.hash
, PDB_CHANGED
)) {
1905 status
= NT_STATUS_ACCESS_DENIED
;
1909 status
= pdb_update_sam_account(pwd
);
1916 /*******************************************************************
1917 _samr_ChangePasswordUser2
1918 ********************************************************************/
1920 NTSTATUS
_samr_ChangePasswordUser2(pipes_struct
*p
,
1921 struct samr_ChangePasswordUser2
*r
)
1923 struct smbd_server_connection
*sconn
= smbd_server_conn
;
1928 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1930 fstrcpy(user_name
, r
->in
.account
->string
);
1931 fstrcpy(wks
, r
->in
.server
->string
);
1933 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1936 * Pass the user through the NT -> unix user mapping
1940 (void)map_username(sconn
, user_name
);
1943 * UNIX username case mangling not required, pass_oem_change
1944 * is case insensitive.
1947 status
= pass_oem_change(user_name
,
1948 r
->in
.lm_password
->data
,
1949 r
->in
.lm_verifier
->hash
,
1950 r
->in
.nt_password
->data
,
1951 r
->in
.nt_verifier
->hash
,
1954 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__
));
1956 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
1957 return NT_STATUS_WRONG_PASSWORD
;
1963 /****************************************************************
1964 _samr_OemChangePasswordUser2
1965 ****************************************************************/
1967 NTSTATUS
_samr_OemChangePasswordUser2(pipes_struct
*p
,
1968 struct samr_OemChangePasswordUser2
*r
)
1970 struct smbd_server_connection
*sconn
= smbd_server_conn
;
1973 const char *wks
= NULL
;
1975 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__
));
1977 fstrcpy(user_name
, r
->in
.account
->string
);
1978 if (r
->in
.server
&& r
->in
.server
->string
) {
1979 wks
= r
->in
.server
->string
;
1982 DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name
, wks
));
1985 * Pass the user through the NT -> unix user mapping
1989 (void)map_username(sconn
, user_name
);
1992 * UNIX username case mangling not required, pass_oem_change
1993 * is case insensitive.
1996 if (!r
->in
.hash
|| !r
->in
.password
) {
1997 return NT_STATUS_INVALID_PARAMETER
;
2000 status
= pass_oem_change(user_name
,
2001 r
->in
.password
->data
,
2007 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
2008 return NT_STATUS_WRONG_PASSWORD
;
2011 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__
));
2016 /*******************************************************************
2017 _samr_ChangePasswordUser3
2018 ********************************************************************/
2020 NTSTATUS
_samr_ChangePasswordUser3(pipes_struct
*p
,
2021 struct samr_ChangePasswordUser3
*r
)
2023 struct smbd_server_connection
*sconn
= smbd_server_conn
;
2026 const char *wks
= NULL
;
2027 uint32 reject_reason
;
2028 struct samr_DomInfo1
*dominfo
= NULL
;
2029 struct samr_ChangeReject
*reject
= NULL
;
2032 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
2034 fstrcpy(user_name
, r
->in
.account
->string
);
2035 if (r
->in
.server
&& r
->in
.server
->string
) {
2036 wks
= r
->in
.server
->string
;
2039 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name
, wks
));
2042 * Pass the user through the NT -> unix user mapping
2046 (void)map_username(sconn
, user_name
);
2049 * UNIX username case mangling not required, pass_oem_change
2050 * is case insensitive.
2053 status
= pass_oem_change(user_name
,
2054 r
->in
.lm_password
->data
,
2055 r
->in
.lm_verifier
->hash
,
2056 r
->in
.nt_password
->data
,
2057 r
->in
.nt_verifier
->hash
,
2059 if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)) {
2060 return NT_STATUS_WRONG_PASSWORD
;
2063 if (NT_STATUS_EQUAL(status
, NT_STATUS_PASSWORD_RESTRICTION
) ||
2064 NT_STATUS_EQUAL(status
, NT_STATUS_ACCOUNT_RESTRICTION
)) {
2066 time_t u_expire
, u_min_age
;
2067 uint32 account_policy_temp
;
2069 dominfo
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_DomInfo1
);
2071 return NT_STATUS_NO_MEMORY
;
2074 reject
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_ChangeReject
);
2076 return NT_STATUS_NO_MEMORY
;
2083 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
, &tmp
);
2084 dominfo
->min_password_length
= tmp
;
2086 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &tmp
);
2087 dominfo
->password_history_length
= tmp
;
2089 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
2090 &dominfo
->password_properties
);
2092 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE
, &account_policy_temp
);
2093 u_expire
= account_policy_temp
;
2095 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE
, &account_policy_temp
);
2096 u_min_age
= account_policy_temp
;
2102 unix_to_nt_time_abs((NTTIME
*)&dominfo
->max_password_age
, u_expire
);
2103 unix_to_nt_time_abs((NTTIME
*)&dominfo
->min_password_age
, u_min_age
);
2105 if (lp_check_password_script() && *lp_check_password_script()) {
2106 dominfo
->password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
2109 reject
->reason
= reject_reason
;
2111 *r
->out
.dominfo
= dominfo
;
2112 *r
->out
.reject
= reject
;
2115 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__
));
2120 /*******************************************************************
2121 makes a SAMR_R_LOOKUP_RIDS structure.
2122 ********************************************************************/
2124 static bool make_samr_lookup_rids(TALLOC_CTX
*ctx
, uint32 num_names
,
2126 struct lsa_String
**lsa_name_array_p
)
2128 struct lsa_String
*lsa_name_array
= NULL
;
2131 *lsa_name_array_p
= NULL
;
2133 if (num_names
!= 0) {
2134 lsa_name_array
= TALLOC_ZERO_ARRAY(ctx
, struct lsa_String
, num_names
);
2135 if (!lsa_name_array
) {
2140 for (i
= 0; i
< num_names
; i
++) {
2141 DEBUG(10, ("names[%d]:%s\n", i
, names
[i
] && *names
[i
] ? names
[i
] : ""));
2142 init_lsa_String(&lsa_name_array
[i
], names
[i
]);
2145 *lsa_name_array_p
= lsa_name_array
;
2150 /*******************************************************************
2152 ********************************************************************/
2154 NTSTATUS
_samr_LookupRids(pipes_struct
*p
,
2155 struct samr_LookupRids
*r
)
2157 struct samr_domain_info
*dinfo
;
2160 enum lsa_SidType
*attrs
= NULL
;
2161 uint32
*wire_attrs
= NULL
;
2162 int num_rids
= (int)r
->in
.num_rids
;
2164 struct lsa_Strings names_array
;
2165 struct samr_Ids types_array
;
2166 struct lsa_String
*lsa_names
= NULL
;
2168 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2170 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
2171 0 /* Don't know the acc_bits yet */, NULL
,
2172 struct samr_domain_info
, &status
);
2173 if (!NT_STATUS_IS_OK(status
)) {
2177 if (num_rids
> 1000) {
2178 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2179 "to samba4 idl this is not possible\n", num_rids
));
2180 return NT_STATUS_UNSUCCESSFUL
;
2184 names
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, const char *, num_rids
);
2185 attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, enum lsa_SidType
, num_rids
);
2186 wire_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, uint32
, num_rids
);
2188 if ((names
== NULL
) || (attrs
== NULL
) || (wire_attrs
==NULL
))
2189 return NT_STATUS_NO_MEMORY
;
2196 become_root(); /* lookup_sid can require root privs */
2197 status
= pdb_lookup_rids(&dinfo
->sid
, num_rids
, r
->in
.rids
,
2201 if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
) && (num_rids
== 0)) {
2202 status
= NT_STATUS_OK
;
2205 if (!make_samr_lookup_rids(p
->mem_ctx
, num_rids
, names
,
2207 return NT_STATUS_NO_MEMORY
;
2210 /* Convert from enum lsa_SidType to uint32 for wire format. */
2211 for (i
= 0; i
< num_rids
; i
++) {
2212 wire_attrs
[i
] = (uint32
)attrs
[i
];
2215 names_array
.count
= num_rids
;
2216 names_array
.names
= lsa_names
;
2218 types_array
.count
= num_rids
;
2219 types_array
.ids
= wire_attrs
;
2221 *r
->out
.names
= names_array
;
2222 *r
->out
.types
= types_array
;
2224 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__
));
2229 /*******************************************************************
2231 ********************************************************************/
2233 NTSTATUS
_samr_OpenUser(pipes_struct
*p
,
2234 struct samr_OpenUser
*r
)
2236 struct samu
*sampass
=NULL
;
2238 struct samr_domain_info
*dinfo
;
2239 struct samr_user_info
*uinfo
;
2240 SEC_DESC
*psd
= NULL
;
2242 uint32 des_access
= r
->in
.access_mask
;
2243 uint32_t extra_access
= 0;
2250 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
2251 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
2252 struct samr_domain_info
, &status
);
2253 if (!NT_STATUS_IS_OK(status
)) {
2257 if ( !(sampass
= samu_new( p
->mem_ctx
)) ) {
2258 return NT_STATUS_NO_MEMORY
;
2261 /* append the user's RID to it */
2263 if (!sid_compose(&sid
, &dinfo
->sid
, r
->in
.rid
))
2264 return NT_STATUS_NO_SUCH_USER
;
2266 /* check if access can be granted as requested by client. */
2267 map_max_allowed_access(p
->server_info
->ptok
,
2268 &p
->server_info
->utok
,
2271 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
, &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
2272 se_map_generic(&des_access
, &usr_generic_mapping
);
2275 * Get the sampass first as we need to check privileges
2276 * based on what kind of user object this is.
2277 * But don't reveal info too early if it didn't exist.
2281 ret
=pdb_getsampwsid(sampass
, &sid
);
2284 se_priv_copy(&se_rights
, &se_priv_none
);
2287 * We do the override access checks on *open*, not at
2291 uint32_t acb_info
= pdb_get_acct_ctrl(sampass
);
2293 if ((acb_info
& ACB_WSTRUST
) &&
2294 user_has_any_privilege(p
->server_info
->ptok
,
2295 &se_machine_account
)) {
2297 * SeMachineAccount is needed to add
2298 * GENERIC_RIGHTS_USER_WRITE to a machine
2301 se_priv_add(&se_rights
, &se_machine_account
);
2302 DEBUG(10,("_samr_OpenUser: adding machine account "
2303 "rights to handle for user %s\n",
2304 pdb_get_username(sampass
) ));
2306 if ((acb_info
& ACB_NORMAL
) &&
2307 user_has_any_privilege(p
->server_info
->ptok
,
2310 * SeAddUsers is needed to add
2311 * GENERIC_RIGHTS_USER_WRITE to a normal
2314 se_priv_add(&se_rights
, &se_add_users
);
2315 DEBUG(10,("_samr_OpenUser: adding add user "
2316 "rights to handle for user %s\n",
2317 pdb_get_username(sampass
) ));
2320 * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
2321 * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
2322 * what Windows does but is a hack for people who haven't
2323 * set up privileges on groups in Samba.
2325 if (acb_info
& (ACB_SVRTRUST
|ACB_DOMTRUST
)) {
2326 if (lp_enable_privileges() && nt_token_check_domain_rid(p
->server_info
->ptok
,
2327 DOMAIN_GROUP_RID_ADMINS
)) {
2328 des_access
&= ~GENERIC_RIGHTS_USER_WRITE
;
2329 extra_access
= GENERIC_RIGHTS_USER_WRITE
;
2330 DEBUG(4,("_samr_OpenUser: Allowing "
2331 "GENERIC_RIGHTS_USER_WRITE for "
2337 TALLOC_FREE(sampass
);
2339 nt_status
= access_check_object(psd
, p
->server_info
->ptok
,
2340 &se_rights
, GENERIC_RIGHTS_USER_WRITE
, des_access
,
2341 &acc_granted
, "_samr_OpenUser");
2343 if ( !NT_STATUS_IS_OK(nt_status
) )
2346 /* check that the SID exists in our domain. */
2348 return NT_STATUS_NO_SUCH_USER
;
2351 /* If we did the rid admins hack above, allow access. */
2352 acc_granted
|= extra_access
;
2354 uinfo
= policy_handle_create(p
, r
->out
.user_handle
, acc_granted
,
2355 struct samr_user_info
, &nt_status
);
2356 if (!NT_STATUS_IS_OK(nt_status
)) {
2361 return NT_STATUS_OK
;
2364 /*************************************************************************
2365 *************************************************************************/
2367 static NTSTATUS
init_samr_parameters_string(TALLOC_CTX
*mem_ctx
,
2369 struct lsa_BinaryString
**_r
)
2371 struct lsa_BinaryString
*r
;
2374 return NT_STATUS_INVALID_PARAMETER
;
2377 r
= TALLOC_ZERO_P(mem_ctx
, struct lsa_BinaryString
);
2379 return NT_STATUS_NO_MEMORY
;
2382 r
->array
= TALLOC_ZERO_ARRAY(mem_ctx
, uint16_t, blob
->length
/2);
2384 return NT_STATUS_NO_MEMORY
;
2386 memcpy(r
->array
, blob
->data
, blob
->length
);
2387 r
->size
= blob
->length
;
2388 r
->length
= blob
->length
;
2391 return NT_STATUS_NO_MEMORY
;
2396 return NT_STATUS_OK
;
2399 /*************************************************************************
2401 *************************************************************************/
2403 static NTSTATUS
get_user_info_1(TALLOC_CTX
*mem_ctx
,
2404 struct samr_UserInfo1
*r
,
2406 DOM_SID
*domain_sid
)
2408 const DOM_SID
*sid_group
;
2409 uint32_t primary_gid
;
2412 sid_group
= pdb_get_group_sid(pw
);
2415 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2416 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2417 "which conflicts with the domain sid %s. Failing operation.\n",
2418 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2419 sid_string_dbg(domain_sid
)));
2420 return NT_STATUS_UNSUCCESSFUL
;
2423 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2424 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2425 r
->primary_gid
= primary_gid
;
2426 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2427 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2429 return NT_STATUS_OK
;
2432 /*************************************************************************
2434 *************************************************************************/
2436 static NTSTATUS
get_user_info_2(TALLOC_CTX
*mem_ctx
,
2437 struct samr_UserInfo2
*r
,
2440 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2441 r
->unknown
.string
= NULL
;
2442 r
->country_code
= 0;
2445 return NT_STATUS_OK
;
2448 /*************************************************************************
2450 *************************************************************************/
2452 static NTSTATUS
get_user_info_3(TALLOC_CTX
*mem_ctx
,
2453 struct samr_UserInfo3
*r
,
2455 DOM_SID
*domain_sid
)
2457 const DOM_SID
*sid_user
, *sid_group
;
2458 uint32_t rid
, primary_gid
;
2460 sid_user
= pdb_get_user_sid(pw
);
2462 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2463 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2464 "the domain sid %s. Failing operation.\n",
2465 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2466 sid_string_dbg(domain_sid
)));
2467 return NT_STATUS_UNSUCCESSFUL
;
2471 sid_group
= pdb_get_group_sid(pw
);
2474 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2475 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2476 "which conflicts with the domain sid %s. Failing operation.\n",
2477 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2478 sid_string_dbg(domain_sid
)));
2479 return NT_STATUS_UNSUCCESSFUL
;
2482 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2483 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2484 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2485 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2486 unix_to_nt_time(&r
->force_password_change
, pdb_get_pass_must_change_time(pw
));
2488 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2489 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2490 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2491 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2492 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2493 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2494 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2496 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2498 r
->primary_gid
= primary_gid
;
2499 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2500 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2501 r
->logon_count
= pdb_get_logon_count(pw
);
2503 return NT_STATUS_OK
;
2506 /*************************************************************************
2508 *************************************************************************/
2510 static NTSTATUS
get_user_info_4(TALLOC_CTX
*mem_ctx
,
2511 struct samr_UserInfo4
*r
,
2514 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2516 return NT_STATUS_OK
;
2519 /*************************************************************************
2521 *************************************************************************/
2523 static NTSTATUS
get_user_info_5(TALLOC_CTX
*mem_ctx
,
2524 struct samr_UserInfo5
*r
,
2526 DOM_SID
*domain_sid
)
2528 const DOM_SID
*sid_user
, *sid_group
;
2529 uint32_t rid
, primary_gid
;
2531 sid_user
= pdb_get_user_sid(pw
);
2533 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2534 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2535 "the domain sid %s. Failing operation.\n",
2536 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2537 sid_string_dbg(domain_sid
)));
2538 return NT_STATUS_UNSUCCESSFUL
;
2542 sid_group
= pdb_get_group_sid(pw
);
2545 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2546 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2547 "which conflicts with the domain sid %s. Failing operation.\n",
2548 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2549 sid_string_dbg(domain_sid
)));
2550 return NT_STATUS_UNSUCCESSFUL
;
2553 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2554 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2555 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2556 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2558 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2559 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2560 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2561 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2562 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2563 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2564 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2565 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2567 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2569 r
->primary_gid
= primary_gid
;
2570 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2571 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2572 r
->logon_count
= pdb_get_logon_count(pw
);
2574 return NT_STATUS_OK
;
2577 /*************************************************************************
2579 *************************************************************************/
2581 static NTSTATUS
get_user_info_6(TALLOC_CTX
*mem_ctx
,
2582 struct samr_UserInfo6
*r
,
2585 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2586 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2588 return NT_STATUS_OK
;
2591 /*************************************************************************
2592 get_user_info_7. Safe. Only gives out account_name.
2593 *************************************************************************/
2595 static NTSTATUS
get_user_info_7(TALLOC_CTX
*mem_ctx
,
2596 struct samr_UserInfo7
*r
,
2597 struct samu
*smbpass
)
2599 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(smbpass
));
2600 if (!r
->account_name
.string
) {
2601 return NT_STATUS_NO_MEMORY
;
2604 return NT_STATUS_OK
;
2607 /*************************************************************************
2609 *************************************************************************/
2611 static NTSTATUS
get_user_info_8(TALLOC_CTX
*mem_ctx
,
2612 struct samr_UserInfo8
*r
,
2615 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2617 return NT_STATUS_OK
;
2620 /*************************************************************************
2621 get_user_info_9. Only gives out primary group SID.
2622 *************************************************************************/
2624 static NTSTATUS
get_user_info_9(TALLOC_CTX
*mem_ctx
,
2625 struct samr_UserInfo9
*r
,
2626 struct samu
*smbpass
)
2628 r
->primary_gid
= pdb_get_group_rid(smbpass
);
2630 return NT_STATUS_OK
;
2633 /*************************************************************************
2635 *************************************************************************/
2637 static NTSTATUS
get_user_info_10(TALLOC_CTX
*mem_ctx
,
2638 struct samr_UserInfo10
*r
,
2641 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2642 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2644 return NT_STATUS_OK
;
2647 /*************************************************************************
2649 *************************************************************************/
2651 static NTSTATUS
get_user_info_11(TALLOC_CTX
*mem_ctx
,
2652 struct samr_UserInfo11
*r
,
2655 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2657 return NT_STATUS_OK
;
2660 /*************************************************************************
2662 *************************************************************************/
2664 static NTSTATUS
get_user_info_12(TALLOC_CTX
*mem_ctx
,
2665 struct samr_UserInfo12
*r
,
2668 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2670 return NT_STATUS_OK
;
2673 /*************************************************************************
2675 *************************************************************************/
2677 static NTSTATUS
get_user_info_13(TALLOC_CTX
*mem_ctx
,
2678 struct samr_UserInfo13
*r
,
2681 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2683 return NT_STATUS_OK
;
2686 /*************************************************************************
2688 *************************************************************************/
2690 static NTSTATUS
get_user_info_14(TALLOC_CTX
*mem_ctx
,
2691 struct samr_UserInfo14
*r
,
2694 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2696 return NT_STATUS_OK
;
2699 /*************************************************************************
2700 get_user_info_16. Safe. Only gives out acb bits.
2701 *************************************************************************/
2703 static NTSTATUS
get_user_info_16(TALLOC_CTX
*mem_ctx
,
2704 struct samr_UserInfo16
*r
,
2705 struct samu
*smbpass
)
2707 r
->acct_flags
= pdb_get_acct_ctrl(smbpass
);
2709 return NT_STATUS_OK
;
2712 /*************************************************************************
2714 *************************************************************************/
2716 static NTSTATUS
get_user_info_17(TALLOC_CTX
*mem_ctx
,
2717 struct samr_UserInfo17
*r
,
2720 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2722 return NT_STATUS_OK
;
2725 /*************************************************************************
2726 get_user_info_18. OK - this is the killer as it gives out password info.
2727 Ensure that this is only allowed on an encrypted connection with a root
2729 *************************************************************************/
2731 static NTSTATUS
get_user_info_18(pipes_struct
*p
,
2732 TALLOC_CTX
*mem_ctx
,
2733 struct samr_UserInfo18
*r
,
2736 struct samu
*smbpass
=NULL
;
2741 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_NTLMSSP
|| p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SPNEGO_NTLMSSP
) {
2742 return NT_STATUS_ACCESS_DENIED
;
2745 if (p
->auth
.auth_level
!= DCERPC_AUTH_LEVEL_PRIVACY
) {
2746 return NT_STATUS_ACCESS_DENIED
;
2750 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2753 if ( !(smbpass
= samu_new( mem_ctx
)) ) {
2754 return NT_STATUS_NO_MEMORY
;
2757 ret
= pdb_getsampwsid(smbpass
, user_sid
);
2760 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid
)));
2761 TALLOC_FREE(smbpass
);
2762 return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER
: NT_STATUS_ACCESS_DENIED
;
2765 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass
), pdb_get_acct_ctrl(smbpass
) ));
2767 if ( pdb_get_acct_ctrl(smbpass
) & ACB_DISABLED
) {
2768 TALLOC_FREE(smbpass
);
2769 return NT_STATUS_ACCOUNT_DISABLED
;
2772 r
->lm_pwd_active
= true;
2773 r
->nt_pwd_active
= true;
2774 memcpy(r
->lm_pwd
.hash
, pdb_get_lanman_passwd(smbpass
), 16);
2775 memcpy(r
->nt_pwd
.hash
, pdb_get_nt_passwd(smbpass
), 16);
2776 r
->password_expired
= 0; /* FIXME */
2778 TALLOC_FREE(smbpass
);
2780 return NT_STATUS_OK
;
2783 /*************************************************************************
2785 *************************************************************************/
2787 static NTSTATUS
get_user_info_20(TALLOC_CTX
*mem_ctx
,
2788 struct samr_UserInfo20
*r
,
2789 struct samu
*sampass
)
2791 const char *munged_dial
= NULL
;
2794 struct lsa_BinaryString
*parameters
= NULL
;
2798 munged_dial
= pdb_get_munged_dial(sampass
);
2800 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass
),
2801 munged_dial
, (int)strlen(munged_dial
)));
2804 blob
= base64_decode_data_blob(munged_dial
);
2806 blob
= data_blob_string_const_null("");
2809 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2810 data_blob_free(&blob
);
2811 if (!NT_STATUS_IS_OK(status
)) {
2815 r
->parameters
= *parameters
;
2817 return NT_STATUS_OK
;
2821 /*************************************************************************
2823 *************************************************************************/
2825 static NTSTATUS
get_user_info_21(TALLOC_CTX
*mem_ctx
,
2826 struct samr_UserInfo21
*r
,
2828 DOM_SID
*domain_sid
,
2829 uint32_t acc_granted
)
2832 const DOM_SID
*sid_user
, *sid_group
;
2833 uint32_t rid
, primary_gid
;
2834 NTTIME force_password_change
;
2835 time_t must_change_time
;
2836 struct lsa_BinaryString
*parameters
= NULL
;
2837 const char *munged_dial
= NULL
;
2842 sid_user
= pdb_get_user_sid(pw
);
2844 if (!sid_peek_check_rid(domain_sid
, sid_user
, &rid
)) {
2845 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2846 "the domain sid %s. Failing operation.\n",
2847 pdb_get_username(pw
), sid_string_dbg(sid_user
),
2848 sid_string_dbg(domain_sid
)));
2849 return NT_STATUS_UNSUCCESSFUL
;
2853 sid_group
= pdb_get_group_sid(pw
);
2856 if (!sid_peek_check_rid(domain_sid
, sid_group
, &primary_gid
)) {
2857 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2858 "which conflicts with the domain sid %s. Failing operation.\n",
2859 pdb_get_username(pw
), sid_string_dbg(sid_group
),
2860 sid_string_dbg(domain_sid
)));
2861 return NT_STATUS_UNSUCCESSFUL
;
2864 unix_to_nt_time(&r
->last_logon
, pdb_get_logon_time(pw
));
2865 unix_to_nt_time(&r
->last_logoff
, pdb_get_logoff_time(pw
));
2866 unix_to_nt_time(&r
->acct_expiry
, pdb_get_kickoff_time(pw
));
2867 unix_to_nt_time(&r
->last_password_change
, pdb_get_pass_last_set_time(pw
));
2868 unix_to_nt_time(&r
->allow_password_change
, pdb_get_pass_can_change_time(pw
));
2870 must_change_time
= pdb_get_pass_must_change_time(pw
);
2871 if (must_change_time
== get_time_t_max()) {
2872 unix_to_nt_time_abs(&force_password_change
, must_change_time
);
2874 unix_to_nt_time(&force_password_change
, must_change_time
);
2877 munged_dial
= pdb_get_munged_dial(pw
);
2879 blob
= base64_decode_data_blob(munged_dial
);
2881 blob
= data_blob_string_const_null("");
2884 status
= init_samr_parameters_string(mem_ctx
, &blob
, ¶meters
);
2885 data_blob_free(&blob
);
2886 if (!NT_STATUS_IS_OK(status
)) {
2890 r
->force_password_change
= force_password_change
;
2892 r
->account_name
.string
= talloc_strdup(mem_ctx
, pdb_get_username(pw
));
2893 r
->full_name
.string
= talloc_strdup(mem_ctx
, pdb_get_fullname(pw
));
2894 r
->home_directory
.string
= talloc_strdup(mem_ctx
, pdb_get_homedir(pw
));
2895 r
->home_drive
.string
= talloc_strdup(mem_ctx
, pdb_get_dir_drive(pw
));
2896 r
->logon_script
.string
= talloc_strdup(mem_ctx
, pdb_get_logon_script(pw
));
2897 r
->profile_path
.string
= talloc_strdup(mem_ctx
, pdb_get_profile_path(pw
));
2898 r
->description
.string
= talloc_strdup(mem_ctx
, pdb_get_acct_desc(pw
));
2899 r
->workstations
.string
= talloc_strdup(mem_ctx
, pdb_get_workstations(pw
));
2900 r
->comment
.string
= talloc_strdup(mem_ctx
, pdb_get_comment(pw
));
2902 r
->logon_hours
= get_logon_hours_from_pdb(mem_ctx
, pw
);
2903 r
->parameters
= *parameters
;
2905 r
->primary_gid
= primary_gid
;
2906 r
->acct_flags
= pdb_get_acct_ctrl(pw
);
2907 r
->bad_password_count
= pdb_get_bad_password_count(pw
);
2908 r
->logon_count
= pdb_get_logon_count(pw
);
2909 r
->fields_present
= pdb_build_fields_present(pw
);
2910 r
->password_expired
= (pdb_get_pass_must_change_time(pw
) == 0) ?
2911 PASS_MUST_CHANGE_AT_NEXT_LOGON
: 0;
2912 r
->country_code
= 0;
2914 r
->lm_password_set
= 0;
2915 r
->nt_password_set
= 0;
2920 Look at a user on a real NT4 PDC with usrmgr, press
2921 'ok'. Then you will see that fields_present is set to
2922 0x08f827fa. Look at the user immediately after that again,
2923 and you will see that 0x00fffff is returned. This solves
2924 the problem that you get access denied after having looked
2932 return NT_STATUS_OK
;
2935 /*******************************************************************
2937 ********************************************************************/
2939 NTSTATUS
_samr_QueryUserInfo(pipes_struct
*p
,
2940 struct samr_QueryUserInfo
*r
)
2943 union samr_UserInfo
*user_info
= NULL
;
2944 struct samr_user_info
*uinfo
;
2948 struct samu
*pwd
= NULL
;
2949 uint32_t acc_required
, acc_granted
;
2951 switch (r
->in
.level
) {
2952 case 1: /* UserGeneralInformation */
2953 /* USER_READ_GENERAL */
2954 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
;
2956 case 2: /* UserPreferencesInformation */
2957 /* USER_READ_PREFERENCES | USER_READ_GENERAL */
2958 acc_required
= SAMR_USER_ACCESS_GET_LOCALE
|
2959 SAMR_USER_ACCESS_GET_NAME_ETC
;
2961 case 3: /* UserLogonInformation */
2962 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
2963 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
|
2964 SAMR_USER_ACCESS_GET_LOCALE
|
2965 SAMR_USER_ACCESS_GET_LOGONINFO
|
2966 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
2968 case 4: /* UserLogonHoursInformation */
2969 /* USER_READ_LOGON */
2970 acc_required
= SAMR_USER_ACCESS_GET_LOGONINFO
;
2972 case 5: /* UserAccountInformation */
2973 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
2974 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
|
2975 SAMR_USER_ACCESS_GET_LOCALE
|
2976 SAMR_USER_ACCESS_GET_LOGONINFO
|
2977 SAMR_USER_ACCESS_GET_ATTRIBUTES
;
2979 case 6: /* UserNameInformation */
2980 case 7: /* UserAccountNameInformation */
2981 case 8: /* UserFullNameInformation */
2982 case 9: /* UserPrimaryGroupInformation */
2983 case 13: /* UserAdminCommentInformation */
2984 /* USER_READ_GENERAL */
2985 acc_required
= SAMR_USER_ACCESS_GET_NAME_ETC
;
2987 case 10: /* UserHomeInformation */
2988 case 11: /* UserScriptInformation */
2989 case 12: /* UserProfileInformation */
2990 case 14: /* UserWorkStationsInformation */
2991 /* USER_READ_LOGON */
2992 acc_required
= SAMR_USER_ACCESS_GET_LOGONINFO
;
2994 case 16: /* UserControlInformation */
2995 case 17: /* UserExpiresInformation */
2996 case 20: /* UserParametersInformation */
2997 /* USER_READ_ACCOUNT */
2998 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3000 case 21: /* UserAllInformation */
3002 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3004 case 18: /* UserInternal1Information */
3006 acc_required
= SAMR_USER_ACCESS_GET_ATTRIBUTES
;
3008 case 23: /* UserInternal4Information */
3009 case 24: /* UserInternal4InformationNew */
3010 case 25: /* UserInternal4InformationNew */
3011 case 26: /* UserInternal5InformationNew */
3013 return NT_STATUS_INVALID_INFO_CLASS
;
3017 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
3018 acc_required
, &acc_granted
,
3019 struct samr_user_info
, &status
);
3020 if (!NT_STATUS_IS_OK(status
)) {
3024 domain_sid
= uinfo
->sid
;
3026 sid_split_rid(&domain_sid
, &rid
);
3028 if (!sid_check_is_in_our_domain(&uinfo
->sid
))
3029 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3031 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
3032 sid_string_dbg(&uinfo
->sid
)));
3034 user_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_UserInfo
);
3036 return NT_STATUS_NO_MEMORY
;
3039 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r
->in
.level
));
3041 if (!(pwd
= samu_new(p
->mem_ctx
))) {
3042 return NT_STATUS_NO_MEMORY
;
3046 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
3050 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo
->sid
)));
3052 return NT_STATUS_NO_SUCH_USER
;
3055 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd
)));
3057 samr_clear_sam_passwd(pwd
);
3059 switch (r
->in
.level
) {
3061 status
= get_user_info_1(p
->mem_ctx
, &user_info
->info1
, pwd
, &domain_sid
);
3064 status
= get_user_info_2(p
->mem_ctx
, &user_info
->info2
, pwd
);
3067 status
= get_user_info_3(p
->mem_ctx
, &user_info
->info3
, pwd
, &domain_sid
);
3070 status
= get_user_info_4(p
->mem_ctx
, &user_info
->info4
, pwd
);
3073 status
= get_user_info_5(p
->mem_ctx
, &user_info
->info5
, pwd
, &domain_sid
);
3076 status
= get_user_info_6(p
->mem_ctx
, &user_info
->info6
, pwd
);
3079 status
= get_user_info_7(p
->mem_ctx
, &user_info
->info7
, pwd
);
3082 status
= get_user_info_8(p
->mem_ctx
, &user_info
->info8
, pwd
);
3085 status
= get_user_info_9(p
->mem_ctx
, &user_info
->info9
, pwd
);
3088 status
= get_user_info_10(p
->mem_ctx
, &user_info
->info10
, pwd
);
3091 status
= get_user_info_11(p
->mem_ctx
, &user_info
->info11
, pwd
);
3094 status
= get_user_info_12(p
->mem_ctx
, &user_info
->info12
, pwd
);
3097 status
= get_user_info_13(p
->mem_ctx
, &user_info
->info13
, pwd
);
3100 status
= get_user_info_14(p
->mem_ctx
, &user_info
->info14
, pwd
);
3103 status
= get_user_info_16(p
->mem_ctx
, &user_info
->info16
, pwd
);
3106 status
= get_user_info_17(p
->mem_ctx
, &user_info
->info17
, pwd
);
3109 /* level 18 is special */
3110 status
= get_user_info_18(p
, p
->mem_ctx
, &user_info
->info18
,
3114 status
= get_user_info_20(p
->mem_ctx
, &user_info
->info20
, pwd
);
3117 status
= get_user_info_21(p
->mem_ctx
, &user_info
->info21
, pwd
, &domain_sid
, acc_granted
);
3120 status
= NT_STATUS_INVALID_INFO_CLASS
;
3124 if (!NT_STATUS_IS_OK(status
)) {
3128 *r
->out
.info
= user_info
;
3133 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__
));
3138 /****************************************************************
3139 ****************************************************************/
3141 NTSTATUS
_samr_QueryUserInfo2(pipes_struct
*p
,
3142 struct samr_QueryUserInfo2
*r
)
3144 struct samr_QueryUserInfo u
;
3146 u
.in
.user_handle
= r
->in
.user_handle
;
3147 u
.in
.level
= r
->in
.level
;
3148 u
.out
.info
= r
->out
.info
;
3150 return _samr_QueryUserInfo(p
, &u
);
3153 /*******************************************************************
3154 _samr_GetGroupsForUser
3155 ********************************************************************/
3157 NTSTATUS
_samr_GetGroupsForUser(pipes_struct
*p
,
3158 struct samr_GetGroupsForUser
*r
)
3160 struct samr_user_info
*uinfo
;
3161 struct samu
*sam_pass
=NULL
;
3163 struct samr_RidWithAttribute dom_gid
;
3164 struct samr_RidWithAttribute
*gids
= NULL
;
3165 uint32 primary_group_rid
;
3166 size_t num_groups
= 0;
3171 bool success
= False
;
3173 struct samr_RidWithAttributeArray
*rids
= NULL
;
3176 * from the SID in the request:
3177 * we should send back the list of DOMAIN GROUPS
3178 * the user is a member of
3180 * and only the DOMAIN GROUPS
3181 * no ALIASES !!! neither aliases of the domain
3182 * nor aliases of the builtin SID
3187 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
3189 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
3190 SAMR_USER_ACCESS_GET_GROUPS
, NULL
,
3191 struct samr_user_info
, &result
);
3192 if (!NT_STATUS_IS_OK(result
)) {
3196 rids
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_RidWithAttributeArray
);
3198 return NT_STATUS_NO_MEMORY
;
3201 if (!sid_check_is_in_our_domain(&uinfo
->sid
))
3202 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
3204 if ( !(sam_pass
= samu_new( p
->mem_ctx
)) ) {
3205 return NT_STATUS_NO_MEMORY
;
3209 ret
= pdb_getsampwsid(sam_pass
, &uinfo
->sid
);
3213 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3214 sid_string_dbg(&uinfo
->sid
)));
3215 return NT_STATUS_NO_SUCH_USER
;
3220 /* make both calls inside the root block */
3222 result
= pdb_enum_group_memberships(p
->mem_ctx
, sam_pass
,
3223 &sids
, &unix_gids
, &num_groups
);
3224 if ( NT_STATUS_IS_OK(result
) ) {
3225 success
= sid_peek_check_rid(get_global_sam_sid(),
3226 pdb_get_group_sid(sam_pass
),
3227 &primary_group_rid
);
3231 if (!NT_STATUS_IS_OK(result
)) {
3232 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3233 sid_string_dbg(&uinfo
->sid
)));
3238 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3239 sid_string_dbg(pdb_get_group_sid(sam_pass
)),
3240 pdb_get_username(sam_pass
)));
3241 TALLOC_FREE(sam_pass
);
3242 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
3248 dom_gid
.attributes
= (SE_GROUP_MANDATORY
|SE_GROUP_ENABLED_BY_DEFAULT
|
3250 dom_gid
.rid
= primary_group_rid
;
3251 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
3253 for (i
=0; i
<num_groups
; i
++) {
3255 if (!sid_peek_check_rid(get_global_sam_sid(),
3256 &(sids
[i
]), &dom_gid
.rid
)) {
3257 DEBUG(10, ("Found sid %s not in our domain\n",
3258 sid_string_dbg(&sids
[i
])));
3262 if (dom_gid
.rid
== primary_group_rid
) {
3263 /* We added the primary group directly from the
3264 * sam_account. The other SIDs are unique from
3265 * enum_group_memberships */
3269 ADD_TO_ARRAY(p
->mem_ctx
, struct samr_RidWithAttribute
, dom_gid
, &gids
, &num_gids
);
3272 rids
->count
= num_gids
;
3275 *r
->out
.rids
= rids
;
3277 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__
));
3282 /*******************************************************************
3283 ********************************************************************/
3285 static uint32_t samr_get_server_role(void)
3287 uint32_t role
= ROLE_DOMAIN_PDC
;
3289 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
3290 role
= ROLE_DOMAIN_BDC
;
3296 /*******************************************************************
3297 ********************************************************************/
3299 static NTSTATUS
query_dom_info_1(TALLOC_CTX
*mem_ctx
,
3300 struct samr_DomInfo1
*r
)
3302 uint32_t account_policy_temp
;
3303 time_t u_expire
, u_min_age
;
3309 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
, &account_policy_temp
);
3310 r
->min_password_length
= account_policy_temp
;
3312 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
, &account_policy_temp
);
3313 r
->password_history_length
= account_policy_temp
;
3315 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
3316 &r
->password_properties
);
3318 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE
, &account_policy_temp
);
3319 u_expire
= account_policy_temp
;
3321 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE
, &account_policy_temp
);
3322 u_min_age
= account_policy_temp
;
3328 unix_to_nt_time_abs((NTTIME
*)&r
->max_password_age
, u_expire
);
3329 unix_to_nt_time_abs((NTTIME
*)&r
->min_password_age
, u_min_age
);
3331 if (lp_check_password_script() && *lp_check_password_script()) {
3332 r
->password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
3335 return NT_STATUS_OK
;
3338 /*******************************************************************
3339 ********************************************************************/
3341 static NTSTATUS
query_dom_info_2(TALLOC_CTX
*mem_ctx
,
3342 struct samr_DomGeneralInformation
*r
,
3343 struct samr_domain_info
*dinfo
)
3352 r
->num_users
= count_sam_users(dinfo
->disp_info
, ACB_NORMAL
);
3353 r
->num_groups
= count_sam_groups(dinfo
->disp_info
);
3354 r
->num_aliases
= count_sam_aliases(dinfo
->disp_info
);
3356 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT
, &u_logout
);
3358 unix_to_nt_time_abs(&r
->force_logoff_time
, u_logout
);
3360 if (!pdb_get_seq_num(&seq_num
)) {
3361 seq_num
= time(NULL
);
3368 r
->oem_information
.string
= lp_serverstring();
3369 r
->domain_name
.string
= lp_workgroup();
3370 r
->primary
.string
= global_myname();
3371 r
->sequence_num
= seq_num
;
3372 r
->domain_server_state
= DOMAIN_SERVER_ENABLED
;
3373 r
->role
= samr_get_server_role();
3376 return NT_STATUS_OK
;
3379 /*******************************************************************
3380 ********************************************************************/
3382 static NTSTATUS
query_dom_info_3(TALLOC_CTX
*mem_ctx
,
3383 struct samr_DomInfo3
*r
)
3393 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT
, &ul
);
3394 u_logout
= (time_t)ul
;
3401 unix_to_nt_time_abs(&r
->force_logoff_time
, u_logout
);
3403 return NT_STATUS_OK
;
3406 /*******************************************************************
3407 ********************************************************************/
3409 static NTSTATUS
query_dom_info_4(TALLOC_CTX
*mem_ctx
,
3410 struct samr_DomOEMInformation
*r
)
3412 r
->oem_information
.string
= lp_serverstring();
3414 return NT_STATUS_OK
;
3417 /*******************************************************************
3418 ********************************************************************/
3420 static NTSTATUS
query_dom_info_5(TALLOC_CTX
*mem_ctx
,
3421 struct samr_DomInfo5
*r
)
3423 r
->domain_name
.string
= get_global_sam_name();
3425 return NT_STATUS_OK
;
3428 /*******************************************************************
3429 ********************************************************************/
3431 static NTSTATUS
query_dom_info_6(TALLOC_CTX
*mem_ctx
,
3432 struct samr_DomInfo6
*r
)
3434 /* NT returns its own name when a PDC. win2k and later
3435 * only the name of the PDC if itself is a BDC (samba4
3437 r
->primary
.string
= global_myname();
3439 return NT_STATUS_OK
;
3442 /*******************************************************************
3443 ********************************************************************/
3445 static NTSTATUS
query_dom_info_7(TALLOC_CTX
*mem_ctx
,
3446 struct samr_DomInfo7
*r
)
3448 r
->role
= samr_get_server_role();
3450 return NT_STATUS_OK
;
3453 /*******************************************************************
3454 ********************************************************************/
3456 static NTSTATUS
query_dom_info_8(TALLOC_CTX
*mem_ctx
,
3457 struct samr_DomInfo8
*r
)
3465 if (!pdb_get_seq_num(&seq_num
)) {
3466 seq_num
= time(NULL
);
3473 r
->sequence_num
= seq_num
;
3474 r
->domain_create_time
= 0;
3476 return NT_STATUS_OK
;
3479 /*******************************************************************
3480 ********************************************************************/
3482 static NTSTATUS
query_dom_info_9(TALLOC_CTX
*mem_ctx
,
3483 struct samr_DomInfo9
*r
)
3485 r
->domain_server_state
= DOMAIN_SERVER_ENABLED
;
3487 return NT_STATUS_OK
;
3490 /*******************************************************************
3491 ********************************************************************/
3493 static NTSTATUS
query_dom_info_11(TALLOC_CTX
*mem_ctx
,
3494 struct samr_DomGeneralInformation2
*r
,
3495 struct samr_domain_info
*dinfo
)
3498 uint32_t account_policy_temp
;
3499 time_t u_lock_duration
, u_reset_time
;
3501 status
= query_dom_info_2(mem_ctx
, &r
->general
, dinfo
);
3502 if (!NT_STATUS_IS_OK(status
)) {
3510 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
3511 u_lock_duration
= account_policy_temp
;
3512 if (u_lock_duration
!= -1) {
3513 u_lock_duration
*= 60;
3516 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME
, &account_policy_temp
);
3517 u_reset_time
= account_policy_temp
* 60;
3519 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
, &account_policy_temp
);
3520 r
->lockout_threshold
= account_policy_temp
;
3526 unix_to_nt_time_abs(&r
->lockout_duration
, u_lock_duration
);
3527 unix_to_nt_time_abs(&r
->lockout_window
, u_reset_time
);
3529 return NT_STATUS_OK
;
3532 /*******************************************************************
3533 ********************************************************************/
3535 static NTSTATUS
query_dom_info_12(TALLOC_CTX
*mem_ctx
,
3536 struct samr_DomInfo12
*r
)
3538 uint32_t account_policy_temp
;
3539 time_t u_lock_duration
, u_reset_time
;
3545 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, &account_policy_temp
);
3546 u_lock_duration
= account_policy_temp
;
3547 if (u_lock_duration
!= -1) {
3548 u_lock_duration
*= 60;
3551 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME
, &account_policy_temp
);
3552 u_reset_time
= account_policy_temp
* 60;
3554 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
, &account_policy_temp
);
3555 r
->lockout_threshold
= account_policy_temp
;
3561 unix_to_nt_time_abs(&r
->lockout_duration
, u_lock_duration
);
3562 unix_to_nt_time_abs(&r
->lockout_window
, u_reset_time
);
3564 return NT_STATUS_OK
;
3567 /*******************************************************************
3568 ********************************************************************/
3570 static NTSTATUS
query_dom_info_13(TALLOC_CTX
*mem_ctx
,
3571 struct samr_DomInfo13
*r
)
3579 if (!pdb_get_seq_num(&seq_num
)) {
3580 seq_num
= time(NULL
);
3587 r
->sequence_num
= seq_num
;
3588 r
->domain_create_time
= 0;
3589 r
->modified_count_at_last_promotion
= 0;
3591 return NT_STATUS_OK
;
3594 /*******************************************************************
3595 _samr_QueryDomainInfo
3596 ********************************************************************/
3598 NTSTATUS
_samr_QueryDomainInfo(pipes_struct
*p
,
3599 struct samr_QueryDomainInfo
*r
)
3601 NTSTATUS status
= NT_STATUS_OK
;
3602 struct samr_domain_info
*dinfo
;
3603 union samr_DomainInfo
*dom_info
;
3605 uint32_t acc_required
;
3607 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
3609 switch (r
->in
.level
) {
3610 case 1: /* DomainPasswordInformation */
3611 case 12: /* DomainLockoutInformation */
3612 /* DOMAIN_READ_PASSWORD_PARAMETERS */
3613 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
;
3615 case 11: /* DomainGeneralInformation2 */
3616 /* DOMAIN_READ_PASSWORD_PARAMETERS |
3617 * DOMAIN_READ_OTHER_PARAMETERS */
3618 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
|
3619 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
;
3621 case 2: /* DomainGeneralInformation */
3622 case 3: /* DomainLogoffInformation */
3623 case 4: /* DomainOemInformation */
3624 case 5: /* DomainReplicationInformation */
3625 case 6: /* DomainReplicationInformation */
3626 case 7: /* DomainServerRoleInformation */
3627 case 8: /* DomainModifiedInformation */
3628 case 9: /* DomainStateInformation */
3629 case 10: /* DomainUasInformation */
3630 case 13: /* DomainModifiedInformation2 */
3631 /* DOMAIN_READ_OTHER_PARAMETERS */
3632 acc_required
= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
;
3635 return NT_STATUS_INVALID_INFO_CLASS
;
3638 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
3640 struct samr_domain_info
, &status
);
3641 if (!NT_STATUS_IS_OK(status
)) {
3645 dom_info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_DomainInfo
);
3647 return NT_STATUS_NO_MEMORY
;
3650 switch (r
->in
.level
) {
3652 status
= query_dom_info_1(p
->mem_ctx
, &dom_info
->info1
);
3655 status
= query_dom_info_2(p
->mem_ctx
, &dom_info
->general
, dinfo
);
3658 status
= query_dom_info_3(p
->mem_ctx
, &dom_info
->info3
);
3661 status
= query_dom_info_4(p
->mem_ctx
, &dom_info
->oem
);
3664 status
= query_dom_info_5(p
->mem_ctx
, &dom_info
->info5
);
3667 status
= query_dom_info_6(p
->mem_ctx
, &dom_info
->info6
);
3670 status
= query_dom_info_7(p
->mem_ctx
, &dom_info
->info7
);
3673 status
= query_dom_info_8(p
->mem_ctx
, &dom_info
->info8
);
3676 status
= query_dom_info_9(p
->mem_ctx
, &dom_info
->info9
);
3679 status
= query_dom_info_11(p
->mem_ctx
, &dom_info
->general2
, dinfo
);
3682 status
= query_dom_info_12(p
->mem_ctx
, &dom_info
->info12
);
3685 status
= query_dom_info_13(p
->mem_ctx
, &dom_info
->info13
);
3688 return NT_STATUS_INVALID_INFO_CLASS
;
3691 if (!NT_STATUS_IS_OK(status
)) {
3695 *r
->out
.info
= dom_info
;
3697 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__
));
3702 /* W2k3 seems to use the same check for all 3 objects that can be created via
3703 * SAMR, if you try to create for example "Dialup" as an alias it says
3704 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3707 static NTSTATUS
can_create(TALLOC_CTX
*mem_ctx
, const char *new_name
)
3709 enum lsa_SidType type
;
3712 DEBUG(10, ("Checking whether [%s] can be created\n", new_name
));
3715 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3716 * whether the name already exists */
3717 result
= lookup_name(mem_ctx
, new_name
, LOOKUP_NAME_LOCAL
,
3718 NULL
, NULL
, NULL
, &type
);
3722 DEBUG(10, ("%s does not exist, can create it\n", new_name
));
3723 return NT_STATUS_OK
;
3726 DEBUG(5, ("trying to create %s, exists as %s\n",
3727 new_name
, sid_type_lookup(type
)));
3729 if (type
== SID_NAME_DOM_GRP
) {
3730 return NT_STATUS_GROUP_EXISTS
;
3732 if (type
== SID_NAME_ALIAS
) {
3733 return NT_STATUS_ALIAS_EXISTS
;
3736 /* Yes, the default is NT_STATUS_USER_EXISTS */
3737 return NT_STATUS_USER_EXISTS
;
3740 /*******************************************************************
3742 ********************************************************************/
3744 NTSTATUS
_samr_CreateUser2(pipes_struct
*p
,
3745 struct samr_CreateUser2
*r
)
3747 const char *account
= NULL
;
3749 uint32_t acb_info
= r
->in
.acct_flags
;
3750 struct samr_domain_info
*dinfo
;
3751 struct samr_user_info
*uinfo
;
3756 /* check this, when giving away 'add computer to domain' privs */
3757 uint32 des_access
= GENERIC_RIGHTS_USER_ALL_ACCESS
;
3758 bool can_add_account
= False
;
3761 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
3762 SAMR_DOMAIN_ACCESS_CREATE_USER
, NULL
,
3763 struct samr_domain_info
, &nt_status
);
3764 if (!NT_STATUS_IS_OK(nt_status
)) {
3768 if (sid_check_is_builtin(&dinfo
->sid
)) {
3769 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3770 return NT_STATUS_ACCESS_DENIED
;
3773 if (!(acb_info
== ACB_NORMAL
|| acb_info
== ACB_DOMTRUST
||
3774 acb_info
== ACB_WSTRUST
|| acb_info
== ACB_SVRTRUST
)) {
3775 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3776 this parameter is not an account type */
3777 return NT_STATUS_INVALID_PARAMETER
;
3780 account
= r
->in
.account_name
->string
;
3781 if (account
== NULL
) {
3782 return NT_STATUS_NO_MEMORY
;
3785 nt_status
= can_create(p
->mem_ctx
, account
);
3786 if (!NT_STATUS_IS_OK(nt_status
)) {
3790 /* determine which user right we need to check based on the acb_info */
3792 if (geteuid() == sec_initial_uid()) {
3793 se_priv_copy(&se_rights
, &se_priv_none
);
3794 can_add_account
= true;
3795 } else if (acb_info
& ACB_WSTRUST
) {
3796 se_priv_copy(&se_rights
, &se_machine_account
);
3797 can_add_account
= user_has_privileges(
3798 p
->server_info
->ptok
, &se_rights
);
3799 } else if (acb_info
& ACB_NORMAL
&&
3800 (account
[strlen(account
)-1] != '$')) {
3801 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3802 account for domain trusts and changes the ACB flags later */
3803 se_priv_copy(&se_rights
, &se_add_users
);
3804 can_add_account
= user_has_privileges(
3805 p
->server_info
->ptok
, &se_rights
);
3806 } else if (lp_enable_privileges()) {
3807 /* implicit assumption of a BDC or domain trust account here
3808 * (we already check the flags earlier) */
3809 /* only Domain Admins can add a BDC or domain trust */
3810 se_priv_copy(&se_rights
, &se_priv_none
);
3811 can_add_account
= nt_token_check_domain_rid(
3812 p
->server_info
->ptok
,
3813 DOMAIN_GROUP_RID_ADMINS
);
3816 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3817 uidtoname(p
->server_info
->utok
.uid
),
3818 can_add_account
? "True":"False" ));
3820 if (!can_add_account
) {
3821 return NT_STATUS_ACCESS_DENIED
;
3824 /********** BEGIN Admin BLOCK **********/
3827 nt_status
= pdb_create_user(p
->mem_ctx
, account
, acb_info
,
3831 /********** END Admin BLOCK **********/
3833 /* now check for failure */
3835 if ( !NT_STATUS_IS_OK(nt_status
) )
3838 /* Get the user's SID */
3840 sid_compose(&sid
, get_global_sam_sid(), *r
->out
.rid
);
3842 map_max_allowed_access(p
->server_info
->ptok
,
3843 &p
->server_info
->utok
,
3846 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &usr_generic_mapping
,
3847 &sid
, SAMR_USR_RIGHTS_WRITE_PW
);
3848 se_map_generic(&des_access
, &usr_generic_mapping
);
3851 * JRA - TESTME. We just created this user so we
3852 * had rights to create them. Do we need to check
3853 * any further access on this object ? Can't we
3854 * just assume we have all the rights we need ?
3857 nt_status
= access_check_object(psd
, p
->server_info
->ptok
,
3858 &se_rights
, GENERIC_RIGHTS_USER_WRITE
, des_access
,
3859 &acc_granted
, "_samr_CreateUser2");
3861 if ( !NT_STATUS_IS_OK(nt_status
) ) {
3865 uinfo
= policy_handle_create(p
, r
->out
.user_handle
, acc_granted
,
3866 struct samr_user_info
, &nt_status
);
3867 if (!NT_STATUS_IS_OK(nt_status
)) {
3872 /* After a "set" ensure we have no cached display info. */
3873 force_flush_samr_cache(&sid
);
3875 *r
->out
.access_granted
= acc_granted
;
3877 return NT_STATUS_OK
;
3880 /****************************************************************
3881 ****************************************************************/
3883 NTSTATUS
_samr_CreateUser(pipes_struct
*p
,
3884 struct samr_CreateUser
*r
)
3886 struct samr_CreateUser2 c
;
3887 uint32_t access_granted
;
3889 c
.in
.domain_handle
= r
->in
.domain_handle
;
3890 c
.in
.account_name
= r
->in
.account_name
;
3891 c
.in
.acct_flags
= ACB_NORMAL
;
3892 c
.in
.access_mask
= r
->in
.access_mask
;
3893 c
.out
.user_handle
= r
->out
.user_handle
;
3894 c
.out
.access_granted
= &access_granted
;
3895 c
.out
.rid
= r
->out
.rid
;
3897 return _samr_CreateUser2(p
, &c
);
3900 /*******************************************************************
3902 ********************************************************************/
3904 NTSTATUS
_samr_Connect(pipes_struct
*p
,
3905 struct samr_Connect
*r
)
3907 struct samr_connect_info
*info
;
3908 uint32_t acc_granted
;
3909 struct policy_handle hnd
;
3910 uint32 des_access
= r
->in
.access_mask
;
3915 if (!pipe_access_check(p
)) {
3916 DEBUG(3, ("access denied to _samr_Connect\n"));
3917 return NT_STATUS_ACCESS_DENIED
;
3920 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3921 was observed from a win98 client trying to enumerate users (when configured
3922 user level access control on shares) --jerry */
3924 map_max_allowed_access(p
->server_info
->ptok
,
3925 &p
->server_info
->utok
,
3928 se_map_generic( &des_access
, &sam_generic_mapping
);
3930 acc_granted
= des_access
& (SAMR_ACCESS_ENUM_DOMAINS
3931 |SAMR_ACCESS_LOOKUP_DOMAIN
);
3933 /* set up the SAMR connect_anon response */
3935 info
= policy_handle_create(p
, &hnd
, acc_granted
,
3936 struct samr_connect_info
,
3938 if (!NT_STATUS_IS_OK(status
)) {
3942 *r
->out
.connect_handle
= hnd
;
3943 return NT_STATUS_OK
;
3946 /*******************************************************************
3948 ********************************************************************/
3950 NTSTATUS
_samr_Connect2(pipes_struct
*p
,
3951 struct samr_Connect2
*r
)
3953 struct samr_connect_info
*info
= NULL
;
3954 struct policy_handle hnd
;
3955 SEC_DESC
*psd
= NULL
;
3957 uint32 des_access
= r
->in
.access_mask
;
3960 const char *fn
= "_samr_Connect2";
3962 switch (p
->hdr_req
.opnum
) {
3963 case NDR_SAMR_CONNECT2
:
3964 fn
= "_samr_Connect2";
3966 case NDR_SAMR_CONNECT3
:
3967 fn
= "_samr_Connect3";
3969 case NDR_SAMR_CONNECT4
:
3970 fn
= "_samr_Connect4";
3972 case NDR_SAMR_CONNECT5
:
3973 fn
= "_samr_Connect5";
3977 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
3981 if (!pipe_access_check(p
)) {
3982 DEBUG(3, ("access denied to %s\n", fn
));
3983 return NT_STATUS_ACCESS_DENIED
;
3986 map_max_allowed_access(p
->server_info
->ptok
,
3987 &p
->server_info
->utok
,
3990 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &sam_generic_mapping
, NULL
, 0);
3991 se_map_generic(&des_access
, &sam_generic_mapping
);
3993 nt_status
= access_check_object(psd
, p
->server_info
->ptok
,
3994 NULL
, 0, des_access
, &acc_granted
, fn
);
3996 if ( !NT_STATUS_IS_OK(nt_status
) )
3999 info
= policy_handle_create(p
, &hnd
, acc_granted
,
4000 struct samr_connect_info
, &nt_status
);
4001 if (!NT_STATUS_IS_OK(nt_status
)) {
4005 DEBUG(5,("%s: %d\n", fn
, __LINE__
));
4007 *r
->out
.connect_handle
= hnd
;
4008 return NT_STATUS_OK
;
4011 /****************************************************************
4013 ****************************************************************/
4015 NTSTATUS
_samr_Connect3(pipes_struct
*p
,
4016 struct samr_Connect3
*r
)
4018 struct samr_Connect2 c
;
4020 c
.in
.system_name
= r
->in
.system_name
;
4021 c
.in
.access_mask
= r
->in
.access_mask
;
4022 c
.out
.connect_handle
= r
->out
.connect_handle
;
4024 return _samr_Connect2(p
, &c
);
4027 /*******************************************************************
4029 ********************************************************************/
4031 NTSTATUS
_samr_Connect4(pipes_struct
*p
,
4032 struct samr_Connect4
*r
)
4034 struct samr_Connect2 c
;
4036 c
.in
.system_name
= r
->in
.system_name
;
4037 c
.in
.access_mask
= r
->in
.access_mask
;
4038 c
.out
.connect_handle
= r
->out
.connect_handle
;
4040 return _samr_Connect2(p
, &c
);
4043 /*******************************************************************
4045 ********************************************************************/
4047 NTSTATUS
_samr_Connect5(pipes_struct
*p
,
4048 struct samr_Connect5
*r
)
4051 struct samr_Connect2 c
;
4052 struct samr_ConnectInfo1 info1
;
4054 info1
.client_version
= SAMR_CONNECT_AFTER_W2K
;
4057 c
.in
.system_name
= r
->in
.system_name
;
4058 c
.in
.access_mask
= r
->in
.access_mask
;
4059 c
.out
.connect_handle
= r
->out
.connect_handle
;
4061 *r
->out
.level_out
= 1;
4063 status
= _samr_Connect2(p
, &c
);
4064 if (!NT_STATUS_IS_OK(status
)) {
4068 r
->out
.info_out
->info1
= info1
;
4070 return NT_STATUS_OK
;
4073 /**********************************************************************
4075 **********************************************************************/
4077 NTSTATUS
_samr_LookupDomain(pipes_struct
*p
,
4078 struct samr_LookupDomain
*r
)
4081 struct samr_connect_info
*info
;
4082 const char *domain_name
;
4083 DOM_SID
*sid
= NULL
;
4085 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
4086 Reverted that change so we will work with RAS servers again */
4088 info
= policy_handle_find(p
, r
->in
.connect_handle
,
4089 SAMR_ACCESS_LOOKUP_DOMAIN
, NULL
,
4090 struct samr_connect_info
,
4092 if (!NT_STATUS_IS_OK(status
)) {
4096 domain_name
= r
->in
.domain_name
->string
;
4098 return NT_STATUS_INVALID_PARAMETER
;
4101 sid
= TALLOC_ZERO_P(p
->mem_ctx
, struct dom_sid2
);
4103 return NT_STATUS_NO_MEMORY
;
4106 if (strequal(domain_name
, builtin_domain_name())) {
4107 sid_copy(sid
, &global_sid_Builtin
);
4109 if (!secrets_fetch_domain_sid(domain_name
, sid
)) {
4110 status
= NT_STATUS_NO_SUCH_DOMAIN
;
4114 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name
,
4115 sid_string_dbg(sid
)));
4122 /**********************************************************************
4124 **********************************************************************/
4126 NTSTATUS
_samr_EnumDomains(pipes_struct
*p
,
4127 struct samr_EnumDomains
*r
)
4130 struct samr_connect_info
*info
;
4131 uint32_t num_entries
= 2;
4132 struct samr_SamEntry
*entry_array
= NULL
;
4133 struct samr_SamArray
*sam
;
4135 info
= policy_handle_find(p
, r
->in
.connect_handle
,
4136 SAMR_ACCESS_ENUM_DOMAINS
, NULL
,
4137 struct samr_connect_info
, &status
);
4138 if (!NT_STATUS_IS_OK(status
)) {
4142 sam
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_SamArray
);
4144 return NT_STATUS_NO_MEMORY
;
4147 entry_array
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
4148 struct samr_SamEntry
,
4151 return NT_STATUS_NO_MEMORY
;
4154 entry_array
[0].idx
= 0;
4155 init_lsa_String(&entry_array
[0].name
, get_global_sam_name());
4157 entry_array
[1].idx
= 1;
4158 init_lsa_String(&entry_array
[1].name
, "Builtin");
4160 sam
->count
= num_entries
;
4161 sam
->entries
= entry_array
;
4164 *r
->out
.num_entries
= num_entries
;
4169 /*******************************************************************
4171 ********************************************************************/
4173 NTSTATUS
_samr_OpenAlias(pipes_struct
*p
,
4174 struct samr_OpenAlias
*r
)
4177 uint32 alias_rid
= r
->in
.rid
;
4178 struct samr_alias_info
*ainfo
;
4179 struct samr_domain_info
*dinfo
;
4180 SEC_DESC
*psd
= NULL
;
4182 uint32 des_access
= r
->in
.access_mask
;
4187 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
4188 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
4189 struct samr_domain_info
, &status
);
4190 if (!NT_STATUS_IS_OK(status
)) {
4194 /* append the alias' RID to it */
4196 if (!sid_compose(&sid
, &dinfo
->sid
, alias_rid
))
4197 return NT_STATUS_NO_SUCH_ALIAS
;
4199 /*check if access can be granted as requested by client. */
4201 map_max_allowed_access(p
->server_info
->ptok
,
4202 &p
->server_info
->utok
,
4205 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &ali_generic_mapping
, NULL
, 0);
4206 se_map_generic(&des_access
,&ali_generic_mapping
);
4208 se_priv_copy( &se_rights
, &se_add_users
);
4210 status
= access_check_object(psd
, p
->server_info
->ptok
,
4211 &se_rights
, GENERIC_RIGHTS_ALIAS_ALL_ACCESS
,
4212 des_access
, &acc_granted
, "_samr_OpenAlias");
4214 if ( !NT_STATUS_IS_OK(status
) )
4218 /* Check we actually have the requested alias */
4219 enum lsa_SidType type
;
4224 result
= lookup_sid(NULL
, &sid
, NULL
, NULL
, &type
);
4227 if (!result
|| (type
!= SID_NAME_ALIAS
)) {
4228 return NT_STATUS_NO_SUCH_ALIAS
;
4231 /* make sure there is a mapping */
4233 if ( !sid_to_gid( &sid
, &gid
) ) {
4234 return NT_STATUS_NO_SUCH_ALIAS
;
4239 ainfo
= policy_handle_create(p
, r
->out
.alias_handle
, acc_granted
,
4240 struct samr_alias_info
, &status
);
4241 if (!NT_STATUS_IS_OK(status
)) {
4246 return NT_STATUS_OK
;
4249 /*******************************************************************
4251 ********************************************************************/
4253 static NTSTATUS
set_user_info_2(TALLOC_CTX
*mem_ctx
,
4254 struct samr_UserInfo2
*id2
,
4258 DEBUG(5,("set_user_info_2: NULL id2\n"));
4259 return NT_STATUS_ACCESS_DENIED
;
4262 copy_id2_to_sam_passwd(pwd
, id2
);
4264 return pdb_update_sam_account(pwd
);
4267 /*******************************************************************
4269 ********************************************************************/
4271 static NTSTATUS
set_user_info_4(TALLOC_CTX
*mem_ctx
,
4272 struct samr_UserInfo4
*id4
,
4276 DEBUG(5,("set_user_info_2: NULL id4\n"));
4277 return NT_STATUS_ACCESS_DENIED
;
4280 copy_id4_to_sam_passwd(pwd
, id4
);
4282 return pdb_update_sam_account(pwd
);
4285 /*******************************************************************
4287 ********************************************************************/
4289 static NTSTATUS
set_user_info_6(TALLOC_CTX
*mem_ctx
,
4290 struct samr_UserInfo6
*id6
,
4294 DEBUG(5,("set_user_info_6: NULL id6\n"));
4295 return NT_STATUS_ACCESS_DENIED
;
4298 copy_id6_to_sam_passwd(pwd
, id6
);
4300 return pdb_update_sam_account(pwd
);
4303 /*******************************************************************
4305 ********************************************************************/
4307 static NTSTATUS
set_user_info_7(TALLOC_CTX
*mem_ctx
,
4308 struct samr_UserInfo7
*id7
,
4314 DEBUG(5, ("set_user_info_7: NULL id7\n"));
4315 return NT_STATUS_ACCESS_DENIED
;
4318 if (!id7
->account_name
.string
) {
4319 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
4320 return NT_STATUS_ACCESS_DENIED
;
4323 /* check to see if the new username already exists. Note: we can't
4324 reliably lock all backends, so there is potentially the
4325 possibility that a user can be created in between this check and
4326 the rename. The rename should fail, but may not get the
4327 exact same failure status code. I think this is small enough
4328 of a window for this type of operation and the results are
4329 simply that the rename fails with a slightly different status
4330 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4332 rc
= can_create(mem_ctx
, id7
->account_name
.string
);
4334 /* when there is nothing to change, we're done here */
4335 if (NT_STATUS_EQUAL(rc
, NT_STATUS_USER_EXISTS
) &&
4336 strequal(id7
->account_name
.string
, pdb_get_username(pwd
))) {
4337 return NT_STATUS_OK
;
4339 if (!NT_STATUS_IS_OK(rc
)) {
4343 rc
= pdb_rename_sam_account(pwd
, id7
->account_name
.string
);
4348 /*******************************************************************
4350 ********************************************************************/
4352 static NTSTATUS
set_user_info_8(TALLOC_CTX
*mem_ctx
,
4353 struct samr_UserInfo8
*id8
,
4357 DEBUG(5,("set_user_info_8: NULL id8\n"));
4358 return NT_STATUS_ACCESS_DENIED
;
4361 copy_id8_to_sam_passwd(pwd
, id8
);
4363 return pdb_update_sam_account(pwd
);
4366 /*******************************************************************
4368 ********************************************************************/
4370 static NTSTATUS
set_user_info_10(TALLOC_CTX
*mem_ctx
,
4371 struct samr_UserInfo10
*id10
,
4375 DEBUG(5,("set_user_info_8: NULL id10\n"));
4376 return NT_STATUS_ACCESS_DENIED
;
4379 copy_id10_to_sam_passwd(pwd
, id10
);
4381 return pdb_update_sam_account(pwd
);
4384 /*******************************************************************
4386 ********************************************************************/
4388 static NTSTATUS
set_user_info_11(TALLOC_CTX
*mem_ctx
,
4389 struct samr_UserInfo11
*id11
,
4393 DEBUG(5,("set_user_info_11: NULL id11\n"));
4394 return NT_STATUS_ACCESS_DENIED
;
4397 copy_id11_to_sam_passwd(pwd
, id11
);
4399 return pdb_update_sam_account(pwd
);
4402 /*******************************************************************
4404 ********************************************************************/
4406 static NTSTATUS
set_user_info_12(TALLOC_CTX
*mem_ctx
,
4407 struct samr_UserInfo12
*id12
,
4411 DEBUG(5,("set_user_info_12: NULL id12\n"));
4412 return NT_STATUS_ACCESS_DENIED
;
4415 copy_id12_to_sam_passwd(pwd
, id12
);
4417 return pdb_update_sam_account(pwd
);
4420 /*******************************************************************
4422 ********************************************************************/
4424 static NTSTATUS
set_user_info_13(TALLOC_CTX
*mem_ctx
,
4425 struct samr_UserInfo13
*id13
,
4429 DEBUG(5,("set_user_info_13: NULL id13\n"));
4430 return NT_STATUS_ACCESS_DENIED
;
4433 copy_id13_to_sam_passwd(pwd
, id13
);
4435 return pdb_update_sam_account(pwd
);
4438 /*******************************************************************
4440 ********************************************************************/
4442 static NTSTATUS
set_user_info_14(TALLOC_CTX
*mem_ctx
,
4443 struct samr_UserInfo14
*id14
,
4447 DEBUG(5,("set_user_info_14: NULL id14\n"));
4448 return NT_STATUS_ACCESS_DENIED
;
4451 copy_id14_to_sam_passwd(pwd
, id14
);
4453 return pdb_update_sam_account(pwd
);
4456 /*******************************************************************
4458 ********************************************************************/
4460 static NTSTATUS
set_user_info_16(TALLOC_CTX
*mem_ctx
,
4461 struct samr_UserInfo16
*id16
,
4465 DEBUG(5,("set_user_info_16: NULL id16\n"));
4466 return NT_STATUS_ACCESS_DENIED
;
4469 copy_id16_to_sam_passwd(pwd
, id16
);
4471 return pdb_update_sam_account(pwd
);
4474 /*******************************************************************
4476 ********************************************************************/
4478 static NTSTATUS
set_user_info_17(TALLOC_CTX
*mem_ctx
,
4479 struct samr_UserInfo17
*id17
,
4483 DEBUG(5,("set_user_info_17: NULL id17\n"));
4484 return NT_STATUS_ACCESS_DENIED
;
4487 copy_id17_to_sam_passwd(pwd
, id17
);
4489 return pdb_update_sam_account(pwd
);
4492 /*******************************************************************
4494 ********************************************************************/
4496 static NTSTATUS
set_user_info_18(struct samr_UserInfo18
*id18
,
4497 TALLOC_CTX
*mem_ctx
,
4498 DATA_BLOB
*session_key
,
4502 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
4503 return NT_STATUS_INVALID_PARAMETER
;
4506 if (id18
->nt_pwd_active
|| id18
->lm_pwd_active
) {
4507 if (!session_key
->length
) {
4508 return NT_STATUS_NO_USER_SESSION_KEY
;
4512 if (id18
->nt_pwd_active
) {
4516 in
= data_blob_const(id18
->nt_pwd
.hash
, 16);
4517 out
= data_blob_talloc_zero(mem_ctx
, 16);
4519 sess_crypt_blob(&out
, &in
, session_key
, false);
4521 if (!pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
4522 return NT_STATUS_ACCESS_DENIED
;
4525 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4528 if (id18
->lm_pwd_active
) {
4532 in
= data_blob_const(id18
->lm_pwd
.hash
, 16);
4533 out
= data_blob_talloc_zero(mem_ctx
, 16);
4535 sess_crypt_blob(&out
, &in
, session_key
, false);
4537 if (!pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
)) {
4538 return NT_STATUS_ACCESS_DENIED
;
4541 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4544 copy_id18_to_sam_passwd(pwd
, id18
);
4546 return pdb_update_sam_account(pwd
);
4549 /*******************************************************************
4551 ********************************************************************/
4553 static NTSTATUS
set_user_info_20(TALLOC_CTX
*mem_ctx
,
4554 struct samr_UserInfo20
*id20
,
4558 DEBUG(5,("set_user_info_20: NULL id20\n"));
4559 return NT_STATUS_ACCESS_DENIED
;
4562 copy_id20_to_sam_passwd(pwd
, id20
);
4564 return pdb_update_sam_account(pwd
);
4567 /*******************************************************************
4569 ********************************************************************/
4571 static NTSTATUS
set_user_info_21(struct samr_UserInfo21
*id21
,
4572 TALLOC_CTX
*mem_ctx
,
4573 DATA_BLOB
*session_key
,
4579 DEBUG(5, ("set_user_info_21: NULL id21\n"));
4580 return NT_STATUS_INVALID_PARAMETER
;
4583 if (id21
->fields_present
== 0) {
4584 return NT_STATUS_INVALID_PARAMETER
;
4587 if (id21
->fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4588 return NT_STATUS_ACCESS_DENIED
;
4591 if (id21
->fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) {
4592 if (id21
->nt_password_set
) {
4595 if ((id21
->nt_owf_password
.length
!= 16) ||
4596 (id21
->nt_owf_password
.size
!= 16)) {
4597 return NT_STATUS_INVALID_PARAMETER
;
4600 if (!session_key
->length
) {
4601 return NT_STATUS_NO_USER_SESSION_KEY
;
4604 in
= data_blob_const(id21
->nt_owf_password
.array
, 16);
4605 out
= data_blob_talloc_zero(mem_ctx
, 16);
4607 sess_crypt_blob(&out
, &in
, session_key
, false);
4609 pdb_set_nt_passwd(pwd
, out
.data
, PDB_CHANGED
);
4610 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4614 if (id21
->fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
) {
4615 if (id21
->lm_password_set
) {
4618 if ((id21
->lm_owf_password
.length
!= 16) ||
4619 (id21
->lm_owf_password
.size
!= 16)) {
4620 return NT_STATUS_INVALID_PARAMETER
;
4623 if (!session_key
->length
) {
4624 return NT_STATUS_NO_USER_SESSION_KEY
;
4627 in
= data_blob_const(id21
->lm_owf_password
.array
, 16);
4628 out
= data_blob_talloc_zero(mem_ctx
, 16);
4630 sess_crypt_blob(&out
, &in
, session_key
, false);
4632 pdb_set_lanman_passwd(pwd
, out
.data
, PDB_CHANGED
);
4633 pdb_set_pass_last_set_time(pwd
, time(NULL
), PDB_CHANGED
);
4637 /* we need to separately check for an account rename first */
4639 if (id21
->account_name
.string
&&
4640 (!strequal(id21
->account_name
.string
, pdb_get_username(pwd
))))
4643 /* check to see if the new username already exists. Note: we can't
4644 reliably lock all backends, so there is potentially the
4645 possibility that a user can be created in between this check and
4646 the rename. The rename should fail, but may not get the
4647 exact same failure status code. I think this is small enough
4648 of a window for this type of operation and the results are
4649 simply that the rename fails with a slightly different status
4650 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4652 status
= can_create(mem_ctx
, id21
->account_name
.string
);
4653 if (!NT_STATUS_IS_OK(status
)) {
4657 status
= pdb_rename_sam_account(pwd
, id21
->account_name
.string
);
4659 if (!NT_STATUS_IS_OK(status
)) {
4660 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4661 nt_errstr(status
)));
4665 /* set the new username so that later
4666 functions can work on the new account */
4667 pdb_set_username(pwd
, id21
->account_name
.string
, PDB_SET
);
4670 copy_id21_to_sam_passwd("INFO_21", pwd
, id21
);
4673 * The funny part about the previous two calls is
4674 * that pwd still has the password hashes from the
4675 * passdb entry. These have not been updated from
4676 * id21. I don't know if they need to be set. --jerry
4679 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4680 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4681 if ( !NT_STATUS_IS_OK(status
) ) {
4686 /* Don't worry about writing out the user account since the
4687 primary group SID is generated solely from the user's Unix
4690 /* write the change out */
4691 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4695 return NT_STATUS_OK
;
4698 /*******************************************************************
4700 ********************************************************************/
4702 static NTSTATUS
set_user_info_23(TALLOC_CTX
*mem_ctx
,
4703 struct samr_UserInfo23
*id23
,
4706 char *plaintext_buf
= NULL
;
4712 DEBUG(5, ("set_user_info_23: NULL id23\n"));
4713 return NT_STATUS_INVALID_PARAMETER
;
4716 if (id23
->info
.fields_present
== 0) {
4717 return NT_STATUS_INVALID_PARAMETER
;
4720 if (id23
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4721 return NT_STATUS_ACCESS_DENIED
;
4724 if ((id23
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4725 (id23
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4727 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4728 pdb_get_username(pwd
)));
4730 if (!decode_pw_buffer(mem_ctx
,
4731 id23
->password
.data
,
4735 return NT_STATUS_WRONG_PASSWORD
;
4738 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
4739 return NT_STATUS_ACCESS_DENIED
;
4743 copy_id23_to_sam_passwd(pwd
, id23
);
4745 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
4747 /* if it's a trust account, don't update /etc/passwd */
4748 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
4749 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
4750 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
4751 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4752 } else if (plaintext_buf
) {
4753 /* update the UNIX password */
4754 if (lp_unix_password_sync() ) {
4755 struct passwd
*passwd
;
4756 if (pdb_get_username(pwd
) == NULL
) {
4757 DEBUG(1, ("chgpasswd: User without name???\n"));
4758 return NT_STATUS_ACCESS_DENIED
;
4761 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
4762 if (passwd
== NULL
) {
4763 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4766 if(!chgpasswd(pdb_get_username(pwd
), passwd
, "", plaintext_buf
, True
)) {
4767 return NT_STATUS_ACCESS_DENIED
;
4769 TALLOC_FREE(passwd
);
4773 if (plaintext_buf
) {
4774 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
4777 if (IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) &&
4778 (!NT_STATUS_IS_OK(status
= pdb_set_unix_primary_group(mem_ctx
,
4783 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4787 return NT_STATUS_OK
;
4790 /*******************************************************************
4792 ********************************************************************/
4794 static bool set_user_info_pw(uint8
*pass
, struct samu
*pwd
)
4797 char *plaintext_buf
= NULL
;
4800 DEBUG(5, ("Attempting administrator password change for user %s\n",
4801 pdb_get_username(pwd
)));
4803 acct_ctrl
= pdb_get_acct_ctrl(pwd
);
4805 if (!decode_pw_buffer(talloc_tos(),
4813 if (!pdb_set_plaintext_passwd (pwd
, plaintext_buf
)) {
4817 /* if it's a trust account, don't update /etc/passwd */
4818 if ( ( (acct_ctrl
& ACB_DOMTRUST
) == ACB_DOMTRUST
) ||
4819 ( (acct_ctrl
& ACB_WSTRUST
) == ACB_WSTRUST
) ||
4820 ( (acct_ctrl
& ACB_SVRTRUST
) == ACB_SVRTRUST
) ) {
4821 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4823 /* update the UNIX password */
4824 if (lp_unix_password_sync()) {
4825 struct passwd
*passwd
;
4827 if (pdb_get_username(pwd
) == NULL
) {
4828 DEBUG(1, ("chgpasswd: User without name???\n"));
4832 passwd
= Get_Pwnam_alloc(pwd
, pdb_get_username(pwd
));
4833 if (passwd
== NULL
) {
4834 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4837 if(!chgpasswd(pdb_get_username(pwd
), passwd
, "", plaintext_buf
, True
)) {
4840 TALLOC_FREE(passwd
);
4844 memset(plaintext_buf
, '\0', strlen(plaintext_buf
));
4846 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4851 /*******************************************************************
4853 ********************************************************************/
4855 static NTSTATUS
set_user_info_24(TALLOC_CTX
*mem_ctx
,
4856 struct samr_UserInfo24
*id24
,
4862 DEBUG(5, ("set_user_info_24: NULL id24\n"));
4863 return NT_STATUS_INVALID_PARAMETER
;
4866 if (!set_user_info_pw(id24
->password
.data
, pwd
)) {
4867 return NT_STATUS_WRONG_PASSWORD
;
4870 copy_id24_to_sam_passwd(pwd
, id24
);
4872 status
= pdb_update_sam_account(pwd
);
4873 if (!NT_STATUS_IS_OK(status
)) {
4877 return NT_STATUS_OK
;
4880 /*******************************************************************
4882 ********************************************************************/
4884 static NTSTATUS
set_user_info_25(TALLOC_CTX
*mem_ctx
,
4885 struct samr_UserInfo25
*id25
,
4891 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4892 return NT_STATUS_INVALID_PARAMETER
;
4895 if (id25
->info
.fields_present
== 0) {
4896 return NT_STATUS_INVALID_PARAMETER
;
4899 if (id25
->info
.fields_present
& SAMR_FIELD_LAST_PWD_CHANGE
) {
4900 return NT_STATUS_ACCESS_DENIED
;
4903 if ((id25
->info
.fields_present
& SAMR_FIELD_NT_PASSWORD_PRESENT
) ||
4904 (id25
->info
.fields_present
& SAMR_FIELD_LM_PASSWORD_PRESENT
)) {
4906 if (!set_user_info_pw(id25
->password
.data
, pwd
)) {
4907 return NT_STATUS_WRONG_PASSWORD
;
4911 copy_id25_to_sam_passwd(pwd
, id25
);
4913 /* write the change out */
4914 if(!NT_STATUS_IS_OK(status
= pdb_update_sam_account(pwd
))) {
4919 * We need to "pdb_update_sam_account" before the unix primary group
4920 * is set, because the idealx scripts would also change the
4921 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4922 * the delete explicit / add explicit, which would then fail to find
4923 * the previous primaryGroupSid value.
4926 if ( IS_SAM_CHANGED(pwd
, PDB_GROUPSID
) ) {
4927 status
= pdb_set_unix_primary_group(mem_ctx
, pwd
);
4928 if ( !NT_STATUS_IS_OK(status
) ) {
4933 return NT_STATUS_OK
;
4936 /*******************************************************************
4938 ********************************************************************/
4940 static NTSTATUS
set_user_info_26(TALLOC_CTX
*mem_ctx
,
4941 struct samr_UserInfo26
*id26
,
4947 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4948 return NT_STATUS_INVALID_PARAMETER
;
4951 if (!set_user_info_pw(id26
->password
.data
, pwd
)) {
4952 return NT_STATUS_WRONG_PASSWORD
;
4955 copy_id26_to_sam_passwd(pwd
, id26
);
4957 status
= pdb_update_sam_account(pwd
);
4958 if (!NT_STATUS_IS_OK(status
)) {
4962 return NT_STATUS_OK
;
4965 /*************************************************************
4966 **************************************************************/
4968 static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields
)
4970 uint32_t acc_required
= 0;
4972 /* USER_ALL_USERNAME */
4973 if (fields
& SAMR_FIELD_ACCOUNT_NAME
)
4974 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4975 /* USER_ALL_FULLNAME */
4976 if (fields
& SAMR_FIELD_FULL_NAME
)
4977 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4978 /* USER_ALL_PRIMARYGROUPID */
4979 if (fields
& SAMR_FIELD_PRIMARY_GID
)
4980 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4981 /* USER_ALL_HOMEDIRECTORY */
4982 if (fields
& SAMR_FIELD_HOME_DIRECTORY
)
4983 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4984 /* USER_ALL_HOMEDIRECTORYDRIVE */
4985 if (fields
& SAMR_FIELD_HOME_DRIVE
)
4986 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4987 /* USER_ALL_SCRIPTPATH */
4988 if (fields
& SAMR_FIELD_LOGON_SCRIPT
)
4989 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4990 /* USER_ALL_PROFILEPATH */
4991 if (fields
& SAMR_FIELD_PROFILE_PATH
)
4992 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4993 /* USER_ALL_ADMINCOMMENT */
4994 if (fields
& SAMR_FIELD_COMMENT
)
4995 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4996 /* USER_ALL_WORKSTATIONS */
4997 if (fields
& SAMR_FIELD_WORKSTATIONS
)
4998 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
4999 /* USER_ALL_LOGONHOURS */
5000 if (fields
& SAMR_FIELD_LOGON_HOURS
)
5001 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5002 /* USER_ALL_ACCOUNTEXPIRES */
5003 if (fields
& SAMR_FIELD_ACCT_EXPIRY
)
5004 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5005 /* USER_ALL_USERACCOUNTCONTROL */
5006 if (fields
& SAMR_FIELD_ACCT_FLAGS
)
5007 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5008 /* USER_ALL_PARAMETERS */
5009 if (fields
& SAMR_FIELD_PARAMETERS
)
5010 acc_required
|= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5011 /* USER_ALL_USERCOMMENT */
5012 if (fields
& SAMR_FIELD_COMMENT
)
5013 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
5014 /* USER_ALL_COUNTRYCODE */
5015 if (fields
& SAMR_FIELD_COUNTRY_CODE
)
5016 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
5017 /* USER_ALL_CODEPAGE */
5018 if (fields
& SAMR_FIELD_CODE_PAGE
)
5019 acc_required
|= SAMR_USER_ACCESS_SET_LOC_COM
;
5020 /* USER_ALL_NTPASSWORDPRESENT */
5021 if (fields
& SAMR_FIELD_NT_PASSWORD_PRESENT
)
5022 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
5023 /* USER_ALL_LMPASSWORDPRESENT */
5024 if (fields
& SAMR_FIELD_LM_PASSWORD_PRESENT
)
5025 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
5026 /* USER_ALL_PASSWORDEXPIRED */
5027 if (fields
& SAMR_FIELD_EXPIRED_FLAG
)
5028 acc_required
|= SAMR_USER_ACCESS_SET_PASSWORD
;
5030 return acc_required
;
5033 /*******************************************************************
5035 ********************************************************************/
5037 NTSTATUS
_samr_SetUserInfo(pipes_struct
*p
,
5038 struct samr_SetUserInfo
*r
)
5040 struct samr_user_info
*uinfo
;
5042 struct samu
*pwd
= NULL
;
5043 union samr_UserInfo
*info
= r
->in
.info
;
5044 uint32_t acc_required
= 0;
5045 uint32_t fields
= 0;
5048 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__
));
5050 /* This is tricky. A WinXP domain join sets
5051 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
5052 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
5053 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
5054 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
5055 we'll use the set from the WinXP join as the basis. */
5057 switch (r
->in
.level
) {
5058 case 2: /* UserPreferencesInformation */
5059 /* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
5060 acc_required
= SAMR_USER_ACCESS_SET_ATTRIBUTES
| SAMR_USER_ACCESS_SET_LOC_COM
;
5062 case 4: /* UserLogonHoursInformation */
5063 case 6: /* UserNameInformation */
5064 case 7: /* UserAccountNameInformation */
5065 case 8: /* UserFullNameInformation */
5066 case 9: /* UserPrimaryGroupInformation */
5067 case 10: /* UserHomeInformation */
5068 case 11: /* UserScriptInformation */
5069 case 12: /* UserProfileInformation */
5070 case 13: /* UserAdminCommentInformation */
5071 case 14: /* UserWorkStationsInformation */
5072 case 16: /* UserControlInformation */
5073 case 17: /* UserExpiresInformation */
5074 case 20: /* UserParametersInformation */
5075 /* USER_WRITE_ACCOUNT */
5076 acc_required
= SAMR_USER_ACCESS_SET_ATTRIBUTES
;
5078 case 18: /* UserInternal1Information */
5079 /* FIXME: gd, this is a guess */
5080 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
5082 case 21: /* UserAllInformation */
5083 fields
= info
->info21
.fields_present
;
5084 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
5086 case 23: /* UserInternal4Information */
5087 fields
= info
->info23
.info
.fields_present
;
5088 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
5090 case 25: /* UserInternal4InformationNew */
5091 fields
= info
->info25
.info
.fields_present
;
5092 acc_required
= samr_set_user_info_map_fields_to_access_mask(fields
);
5094 case 24: /* UserInternal5Information */
5095 case 26: /* UserInternal5InformationNew */
5096 acc_required
= SAMR_USER_ACCESS_SET_PASSWORD
;
5099 return NT_STATUS_INVALID_INFO_CLASS
;
5102 uinfo
= policy_handle_find(p
, r
->in
.user_handle
, acc_required
, NULL
,
5103 struct samr_user_info
, &status
);
5104 if (!NT_STATUS_IS_OK(status
)) {
5108 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
5109 sid_string_dbg(&uinfo
->sid
), r
->in
.level
));
5112 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
5113 return NT_STATUS_INVALID_INFO_CLASS
;
5116 if (!(pwd
= samu_new(NULL
))) {
5117 return NT_STATUS_NO_MEMORY
;
5121 ret
= pdb_getsampwsid(pwd
, &uinfo
->sid
);
5126 return NT_STATUS_NO_SUCH_USER
;
5129 /* ================ BEGIN Privilege BLOCK ================ */
5133 /* ok! user info levels (lots: see MSDEV help), off we go... */
5135 switch (r
->in
.level
) {
5138 status
= set_user_info_2(p
->mem_ctx
,
5143 status
= set_user_info_4(p
->mem_ctx
,
5148 status
= set_user_info_6(p
->mem_ctx
,
5153 status
= set_user_info_7(p
->mem_ctx
,
5158 status
= set_user_info_8(p
->mem_ctx
,
5163 status
= set_user_info_10(p
->mem_ctx
,
5164 &info
->info10
, pwd
);
5168 status
= set_user_info_11(p
->mem_ctx
,
5169 &info
->info11
, pwd
);
5173 status
= set_user_info_12(p
->mem_ctx
,
5174 &info
->info12
, pwd
);
5178 status
= set_user_info_13(p
->mem_ctx
,
5179 &info
->info13
, pwd
);
5183 status
= set_user_info_14(p
->mem_ctx
,
5184 &info
->info14
, pwd
);
5188 status
= set_user_info_16(p
->mem_ctx
,
5189 &info
->info16
, pwd
);
5193 status
= set_user_info_17(p
->mem_ctx
,
5194 &info
->info17
, pwd
);
5198 /* Used by AS/U JRA. */
5199 status
= set_user_info_18(&info
->info18
,
5201 &p
->server_info
->user_session_key
,
5206 status
= set_user_info_20(p
->mem_ctx
,
5207 &info
->info20
, pwd
);
5211 status
= set_user_info_21(&info
->info21
,
5213 &p
->server_info
->user_session_key
,
5218 if (!p
->server_info
->user_session_key
.length
) {
5219 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5221 arcfour_crypt_blob(info
->info23
.password
.data
, 516,
5222 &p
->server_info
->user_session_key
);
5224 dump_data(100, info
->info23
.password
.data
, 516);
5226 status
= set_user_info_23(p
->mem_ctx
,
5227 &info
->info23
, pwd
);
5231 if (!p
->server_info
->user_session_key
.length
) {
5232 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5234 arcfour_crypt_blob(info
->info24
.password
.data
,
5236 &p
->server_info
->user_session_key
);
5238 dump_data(100, info
->info24
.password
.data
, 516);
5240 status
= set_user_info_24(p
->mem_ctx
,
5241 &info
->info24
, pwd
);
5245 if (!p
->server_info
->user_session_key
.length
) {
5246 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5248 encode_or_decode_arc4_passwd_buffer(
5249 info
->info25
.password
.data
,
5250 &p
->server_info
->user_session_key
);
5252 dump_data(100, info
->info25
.password
.data
, 532);
5254 status
= set_user_info_25(p
->mem_ctx
,
5255 &info
->info25
, pwd
);
5259 if (!p
->server_info
->user_session_key
.length
) {
5260 status
= NT_STATUS_NO_USER_SESSION_KEY
;
5262 encode_or_decode_arc4_passwd_buffer(
5263 info
->info26
.password
.data
,
5264 &p
->server_info
->user_session_key
);
5266 dump_data(100, info
->info26
.password
.data
, 516);
5268 status
= set_user_info_26(p
->mem_ctx
,
5269 &info
->info26
, pwd
);
5273 status
= NT_STATUS_INVALID_INFO_CLASS
;
5280 /* ================ END Privilege BLOCK ================ */
5282 if (NT_STATUS_IS_OK(status
)) {
5283 force_flush_samr_cache(&uinfo
->sid
);
5289 /*******************************************************************
5291 ********************************************************************/
5293 NTSTATUS
_samr_SetUserInfo2(pipes_struct
*p
,
5294 struct samr_SetUserInfo2
*r
)
5296 struct samr_SetUserInfo q
;
5298 q
.in
.user_handle
= r
->in
.user_handle
;
5299 q
.in
.level
= r
->in
.level
;
5300 q
.in
.info
= r
->in
.info
;
5302 return _samr_SetUserInfo(p
, &q
);
5305 /*********************************************************************
5306 _samr_GetAliasMembership
5307 *********************************************************************/
5309 NTSTATUS
_samr_GetAliasMembership(pipes_struct
*p
,
5310 struct samr_GetAliasMembership
*r
)
5312 size_t num_alias_rids
;
5314 struct samr_domain_info
*dinfo
;
5321 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__
));
5323 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5324 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
5325 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
5326 struct samr_domain_info
, &status
);
5327 if (!NT_STATUS_IS_OK(status
)) {
5331 if (!sid_check_is_domain(&dinfo
->sid
) &&
5332 !sid_check_is_builtin(&dinfo
->sid
))
5333 return NT_STATUS_OBJECT_TYPE_MISMATCH
;
5335 if (r
->in
.sids
->num_sids
) {
5336 members
= TALLOC_ARRAY(p
->mem_ctx
, DOM_SID
, r
->in
.sids
->num_sids
);
5338 if (members
== NULL
)
5339 return NT_STATUS_NO_MEMORY
;
5344 for (i
=0; i
<r
->in
.sids
->num_sids
; i
++)
5345 sid_copy(&members
[i
], r
->in
.sids
->sids
[i
].sid
);
5351 status
= pdb_enum_alias_memberships(p
->mem_ctx
, &dinfo
->sid
, members
,
5352 r
->in
.sids
->num_sids
,
5353 &alias_rids
, &num_alias_rids
);
5356 if (!NT_STATUS_IS_OK(status
)) {
5360 r
->out
.rids
->count
= num_alias_rids
;
5361 r
->out
.rids
->ids
= alias_rids
;
5363 if (r
->out
.rids
->ids
== NULL
) {
5364 /* Windows domain clients don't accept a NULL ptr here */
5365 r
->out
.rids
->ids
= talloc_zero(p
->mem_ctx
, uint32_t);
5367 if (r
->out
.rids
->ids
== NULL
) {
5368 return NT_STATUS_NO_MEMORY
;
5371 return NT_STATUS_OK
;
5374 /*********************************************************************
5375 _samr_GetMembersInAlias
5376 *********************************************************************/
5378 NTSTATUS
_samr_GetMembersInAlias(pipes_struct
*p
,
5379 struct samr_GetMembersInAlias
*r
)
5381 struct samr_alias_info
*ainfo
;
5384 size_t num_sids
= 0;
5385 struct lsa_SidPtr
*sids
= NULL
;
5386 DOM_SID
*pdb_sids
= NULL
;
5388 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5389 SAMR_ALIAS_ACCESS_GET_MEMBERS
, NULL
,
5390 struct samr_alias_info
, &status
);
5391 if (!NT_STATUS_IS_OK(status
)) {
5395 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5398 status
= pdb_enum_aliasmem(&ainfo
->sid
, talloc_tos(), &pdb_sids
,
5402 if (!NT_STATUS_IS_OK(status
)) {
5407 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
, num_sids
);
5409 TALLOC_FREE(pdb_sids
);
5410 return NT_STATUS_NO_MEMORY
;
5414 for (i
= 0; i
< num_sids
; i
++) {
5415 sids
[i
].sid
= sid_dup_talloc(p
->mem_ctx
, &pdb_sids
[i
]);
5417 TALLOC_FREE(pdb_sids
);
5418 return NT_STATUS_NO_MEMORY
;
5422 r
->out
.sids
->num_sids
= num_sids
;
5423 r
->out
.sids
->sids
= sids
;
5425 TALLOC_FREE(pdb_sids
);
5427 return NT_STATUS_OK
;
5430 /*********************************************************************
5431 _samr_QueryGroupMember
5432 *********************************************************************/
5434 NTSTATUS
_samr_QueryGroupMember(pipes_struct
*p
,
5435 struct samr_QueryGroupMember
*r
)
5437 struct samr_group_info
*ginfo
;
5438 size_t i
, num_members
;
5444 struct samr_RidTypeArray
*rids
= NULL
;
5446 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5447 SAMR_GROUP_ACCESS_GET_MEMBERS
, NULL
,
5448 struct samr_group_info
, &status
);
5449 if (!NT_STATUS_IS_OK(status
)) {
5453 rids
= TALLOC_ZERO_P(p
->mem_ctx
, struct samr_RidTypeArray
);
5455 return NT_STATUS_NO_MEMORY
;
5458 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5460 if (!sid_check_is_in_our_domain(&ginfo
->sid
)) {
5461 DEBUG(3, ("sid %s is not in our domain\n",
5462 sid_string_dbg(&ginfo
->sid
)));
5463 return NT_STATUS_NO_SUCH_GROUP
;
5466 DEBUG(10, ("lookup on Domain SID\n"));
5469 status
= pdb_enum_group_members(p
->mem_ctx
, &ginfo
->sid
,
5470 &rid
, &num_members
);
5473 if (!NT_STATUS_IS_OK(status
))
5477 attr
=TALLOC_ZERO_ARRAY(p
->mem_ctx
, uint32
, num_members
);
5479 return NT_STATUS_NO_MEMORY
;
5485 for (i
=0; i
<num_members
; i
++)
5486 attr
[i
] = SID_NAME_USER
;
5488 rids
->count
= num_members
;
5492 *r
->out
.rids
= rids
;
5494 return NT_STATUS_OK
;
5497 /*********************************************************************
5498 _samr_AddAliasMember
5499 *********************************************************************/
5501 NTSTATUS
_samr_AddAliasMember(pipes_struct
*p
,
5502 struct samr_AddAliasMember
*r
)
5504 struct samr_alias_info
*ainfo
;
5507 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5508 SAMR_ALIAS_ACCESS_ADD_MEMBER
, NULL
,
5509 struct samr_alias_info
, &status
);
5510 if (!NT_STATUS_IS_OK(status
)) {
5514 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5516 /******** BEGIN SeAddUsers BLOCK *********/
5519 status
= pdb_add_aliasmem(&ainfo
->sid
, r
->in
.sid
);
5522 /******** END SeAddUsers BLOCK *********/
5524 if (NT_STATUS_IS_OK(status
)) {
5525 force_flush_samr_cache(&ainfo
->sid
);
5531 /*********************************************************************
5532 _samr_DeleteAliasMember
5533 *********************************************************************/
5535 NTSTATUS
_samr_DeleteAliasMember(pipes_struct
*p
,
5536 struct samr_DeleteAliasMember
*r
)
5538 struct samr_alias_info
*ainfo
;
5541 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5542 SAMR_ALIAS_ACCESS_REMOVE_MEMBER
, NULL
,
5543 struct samr_alias_info
, &status
);
5544 if (!NT_STATUS_IS_OK(status
)) {
5548 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
5549 sid_string_dbg(&ainfo
->sid
)));
5551 /******** BEGIN SeAddUsers BLOCK *********/
5554 status
= pdb_del_aliasmem(&ainfo
->sid
, r
->in
.sid
);
5557 /******** END SeAddUsers BLOCK *********/
5559 if (NT_STATUS_IS_OK(status
)) {
5560 force_flush_samr_cache(&ainfo
->sid
);
5566 /*********************************************************************
5567 _samr_AddGroupMember
5568 *********************************************************************/
5570 NTSTATUS
_samr_AddGroupMember(pipes_struct
*p
,
5571 struct samr_AddGroupMember
*r
)
5573 struct samr_group_info
*ginfo
;
5577 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5578 SAMR_GROUP_ACCESS_ADD_MEMBER
, NULL
,
5579 struct samr_group_info
, &status
);
5580 if (!NT_STATUS_IS_OK(status
)) {
5584 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5586 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5588 return NT_STATUS_INVALID_HANDLE
;
5591 /******** BEGIN SeAddUsers BLOCK *********/
5594 status
= pdb_add_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
5597 /******** END SeAddUsers BLOCK *********/
5599 force_flush_samr_cache(&ginfo
->sid
);
5604 /*********************************************************************
5605 _samr_DeleteGroupMember
5606 *********************************************************************/
5608 NTSTATUS
_samr_DeleteGroupMember(pipes_struct
*p
,
5609 struct samr_DeleteGroupMember
*r
)
5612 struct samr_group_info
*ginfo
;
5617 * delete the group member named r->in.rid
5618 * who is a member of the sid associated with the handle
5619 * the rid is a user's rid as the group is a domain group.
5622 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5623 SAMR_GROUP_ACCESS_REMOVE_MEMBER
, NULL
,
5624 struct samr_group_info
, &status
);
5625 if (!NT_STATUS_IS_OK(status
)) {
5629 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5631 return NT_STATUS_INVALID_HANDLE
;
5634 /******** BEGIN SeAddUsers BLOCK *********/
5637 status
= pdb_del_groupmem(p
->mem_ctx
, group_rid
, r
->in
.rid
);
5640 /******** END SeAddUsers BLOCK *********/
5642 force_flush_samr_cache(&ginfo
->sid
);
5647 /*********************************************************************
5649 *********************************************************************/
5651 NTSTATUS
_samr_DeleteUser(pipes_struct
*p
,
5652 struct samr_DeleteUser
*r
)
5654 struct samr_user_info
*uinfo
;
5656 struct samu
*sam_pass
=NULL
;
5659 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__
));
5661 uinfo
= policy_handle_find(p
, r
->in
.user_handle
,
5662 STD_RIGHT_DELETE_ACCESS
, NULL
,
5663 struct samr_user_info
, &status
);
5664 if (!NT_STATUS_IS_OK(status
)) {
5668 if (!sid_check_is_in_our_domain(&uinfo
->sid
))
5669 return NT_STATUS_CANNOT_DELETE
;
5671 /* check if the user exists before trying to delete */
5672 if ( !(sam_pass
= samu_new( NULL
)) ) {
5673 return NT_STATUS_NO_MEMORY
;
5677 ret
= pdb_getsampwsid(sam_pass
, &uinfo
->sid
);
5681 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5682 sid_string_dbg(&uinfo
->sid
)));
5683 TALLOC_FREE(sam_pass
);
5684 return NT_STATUS_NO_SUCH_USER
;
5687 /******** BEGIN SeAddUsers BLOCK *********/
5690 status
= pdb_delete_user(p
->mem_ctx
, sam_pass
);
5693 /******** END SeAddUsers BLOCK *********/
5695 if ( !NT_STATUS_IS_OK(status
) ) {
5696 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5697 "user %s: %s.\n", pdb_get_username(sam_pass
),
5698 nt_errstr(status
)));
5699 TALLOC_FREE(sam_pass
);
5704 TALLOC_FREE(sam_pass
);
5706 force_flush_samr_cache(&uinfo
->sid
);
5708 if (!close_policy_hnd(p
, r
->in
.user_handle
))
5709 return NT_STATUS_OBJECT_NAME_INVALID
;
5711 ZERO_STRUCTP(r
->out
.user_handle
);
5713 return NT_STATUS_OK
;
5716 /*********************************************************************
5717 _samr_DeleteDomainGroup
5718 *********************************************************************/
5720 NTSTATUS
_samr_DeleteDomainGroup(pipes_struct
*p
,
5721 struct samr_DeleteDomainGroup
*r
)
5723 struct samr_group_info
*ginfo
;
5727 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__
));
5729 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5730 STD_RIGHT_DELETE_ACCESS
, NULL
,
5731 struct samr_group_info
, &status
);
5732 if (!NT_STATUS_IS_OK(status
)) {
5736 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo
->sid
)));
5738 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo
->sid
,
5740 return NT_STATUS_NO_SUCH_GROUP
;
5743 /******** BEGIN SeAddUsers BLOCK *********/
5746 status
= pdb_delete_dom_group(p
->mem_ctx
, group_rid
);
5749 /******** END SeAddUsers BLOCK *********/
5751 if ( !NT_STATUS_IS_OK(status
) ) {
5752 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5753 "entry for group %s: %s\n",
5754 sid_string_dbg(&ginfo
->sid
),
5755 nt_errstr(status
)));
5759 force_flush_samr_cache(&ginfo
->sid
);
5761 if (!close_policy_hnd(p
, r
->in
.group_handle
))
5762 return NT_STATUS_OBJECT_NAME_INVALID
;
5764 return NT_STATUS_OK
;
5767 /*********************************************************************
5768 _samr_DeleteDomAlias
5769 *********************************************************************/
5771 NTSTATUS
_samr_DeleteDomAlias(pipes_struct
*p
,
5772 struct samr_DeleteDomAlias
*r
)
5774 struct samr_alias_info
*ainfo
;
5777 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__
));
5779 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
5780 STD_RIGHT_DELETE_ACCESS
, NULL
,
5781 struct samr_alias_info
, &status
);
5782 if (!NT_STATUS_IS_OK(status
)) {
5786 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo
->sid
)));
5788 /* Don't let Windows delete builtin groups */
5790 if ( sid_check_is_in_builtin( &ainfo
->sid
) ) {
5791 return NT_STATUS_SPECIAL_ACCOUNT
;
5794 if (!sid_check_is_in_our_domain(&ainfo
->sid
))
5795 return NT_STATUS_NO_SUCH_ALIAS
;
5797 DEBUG(10, ("lookup on Local SID\n"));
5799 /******** BEGIN SeAddUsers BLOCK *********/
5802 /* Have passdb delete the alias */
5803 status
= pdb_delete_alias(&ainfo
->sid
);
5806 /******** END SeAddUsers BLOCK *********/
5808 if ( !NT_STATUS_IS_OK(status
))
5811 force_flush_samr_cache(&ainfo
->sid
);
5813 if (!close_policy_hnd(p
, r
->in
.alias_handle
))
5814 return NT_STATUS_OBJECT_NAME_INVALID
;
5816 return NT_STATUS_OK
;
5819 /*********************************************************************
5820 _samr_CreateDomainGroup
5821 *********************************************************************/
5823 NTSTATUS
_samr_CreateDomainGroup(pipes_struct
*p
,
5824 struct samr_CreateDomainGroup
*r
)
5829 struct samr_domain_info
*dinfo
;
5830 struct samr_group_info
*ginfo
;
5832 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5833 SAMR_DOMAIN_ACCESS_CREATE_GROUP
, NULL
,
5834 struct samr_domain_info
, &status
);
5835 if (!NT_STATUS_IS_OK(status
)) {
5839 if (!sid_equal(&dinfo
->sid
, get_global_sam_sid()))
5840 return NT_STATUS_ACCESS_DENIED
;
5842 name
= r
->in
.name
->string
;
5844 return NT_STATUS_NO_MEMORY
;
5847 status
= can_create(p
->mem_ctx
, name
);
5848 if (!NT_STATUS_IS_OK(status
)) {
5852 /******** BEGIN SeAddUsers BLOCK *********/
5855 /* check that we successfully create the UNIX group */
5856 status
= pdb_create_dom_group(p
->mem_ctx
, name
, r
->out
.rid
);
5859 /******** END SeAddUsers BLOCK *********/
5861 /* check if we should bail out here */
5863 if ( !NT_STATUS_IS_OK(status
) )
5866 ginfo
= policy_handle_create(p
, r
->out
.group_handle
,
5867 GENERIC_RIGHTS_GROUP_ALL_ACCESS
,
5868 struct samr_group_info
, &status
);
5869 if (!NT_STATUS_IS_OK(status
)) {
5872 sid_compose(&ginfo
->sid
, &dinfo
->sid
, *r
->out
.rid
);
5874 force_flush_samr_cache(&dinfo
->sid
);
5876 return NT_STATUS_OK
;
5879 /*********************************************************************
5880 _samr_CreateDomAlias
5881 *********************************************************************/
5883 NTSTATUS
_samr_CreateDomAlias(pipes_struct
*p
,
5884 struct samr_CreateDomAlias
*r
)
5887 const char *name
= NULL
;
5888 struct samr_domain_info
*dinfo
;
5889 struct samr_alias_info
*ainfo
;
5893 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
5894 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
, NULL
,
5895 struct samr_domain_info
, &result
);
5896 if (!NT_STATUS_IS_OK(result
)) {
5900 if (!sid_equal(&dinfo
->sid
, get_global_sam_sid()))
5901 return NT_STATUS_ACCESS_DENIED
;
5903 name
= r
->in
.alias_name
->string
;
5905 result
= can_create(p
->mem_ctx
, name
);
5906 if (!NT_STATUS_IS_OK(result
)) {
5910 /******** BEGIN SeAddUsers BLOCK *********/
5913 /* Have passdb create the alias */
5914 result
= pdb_create_alias(name
, r
->out
.rid
);
5917 /******** END SeAddUsers BLOCK *********/
5919 if (!NT_STATUS_IS_OK(result
)) {
5920 DEBUG(10, ("pdb_create_alias failed: %s\n",
5921 nt_errstr(result
)));
5925 sid_compose(&info_sid
, &dinfo
->sid
, *r
->out
.rid
);
5927 if (!sid_to_gid(&info_sid
, &gid
)) {
5928 DEBUG(10, ("Could not find alias just created\n"));
5929 return NT_STATUS_ACCESS_DENIED
;
5932 /* check if the group has been successfully created */
5933 if ( getgrgid(gid
) == NULL
) {
5934 DEBUG(10, ("getgrgid(%u) of just created alias failed\n",
5935 (unsigned int)gid
));
5936 return NT_STATUS_ACCESS_DENIED
;
5939 ainfo
= policy_handle_create(p
, r
->out
.alias_handle
,
5940 GENERIC_RIGHTS_ALIAS_ALL_ACCESS
,
5941 struct samr_alias_info
, &result
);
5942 if (!NT_STATUS_IS_OK(result
)) {
5945 ainfo
->sid
= info_sid
;
5947 force_flush_samr_cache(&info_sid
);
5949 return NT_STATUS_OK
;
5952 /*********************************************************************
5953 _samr_QueryGroupInfo
5954 *********************************************************************/
5956 NTSTATUS
_samr_QueryGroupInfo(pipes_struct
*p
,
5957 struct samr_QueryGroupInfo
*r
)
5959 struct samr_group_info
*ginfo
;
5962 union samr_GroupInfo
*info
= NULL
;
5964 uint32_t attributes
= SE_GROUP_MANDATORY
|
5965 SE_GROUP_ENABLED_BY_DEFAULT
|
5967 const char *group_name
= NULL
;
5968 const char *group_description
= NULL
;
5970 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
5971 SAMR_GROUP_ACCESS_LOOKUP_INFO
, NULL
,
5972 struct samr_group_info
, &status
);
5973 if (!NT_STATUS_IS_OK(status
)) {
5978 ret
= get_domain_group_from_sid(ginfo
->sid
, &map
);
5981 return NT_STATUS_INVALID_HANDLE
;
5983 /* FIXME: map contains fstrings */
5984 group_name
= talloc_strdup(r
, map
.nt_name
);
5985 group_description
= talloc_strdup(r
, map
.comment
);
5987 info
= TALLOC_ZERO_P(p
->mem_ctx
, union samr_GroupInfo
);
5989 return NT_STATUS_NO_MEMORY
;
5992 switch (r
->in
.level
) {
5998 status
= pdb_enum_group_members(
5999 p
->mem_ctx
, &ginfo
->sid
, &members
,
6003 if (!NT_STATUS_IS_OK(status
)) {
6007 info
->all
.name
.string
= group_name
;
6008 info
->all
.attributes
= attributes
;
6009 info
->all
.num_members
= num_members
;
6010 info
->all
.description
.string
= group_description
;
6014 info
->name
.string
= group_name
;
6017 info
->attributes
.attributes
= attributes
;
6020 info
->description
.string
= group_description
;
6030 status = pdb_enum_group_members(
6031 p->mem_ctx, &ginfo->sid, &members,
6035 if (!NT_STATUS_IS_OK(status)) {
6039 info
->all2
.name
.string
= group_name
;
6040 info
->all2
.attributes
= attributes
;
6041 info
->all2
.num_members
= 0; /* num_members - in w2k3 this is always 0 */
6042 info
->all2
.description
.string
= group_description
;
6047 return NT_STATUS_INVALID_INFO_CLASS
;
6050 *r
->out
.info
= info
;
6052 return NT_STATUS_OK
;
6055 /*********************************************************************
6057 *********************************************************************/
6059 NTSTATUS
_samr_SetGroupInfo(pipes_struct
*p
,
6060 struct samr_SetGroupInfo
*r
)
6062 struct samr_group_info
*ginfo
;
6067 ginfo
= policy_handle_find(p
, r
->in
.group_handle
,
6068 SAMR_GROUP_ACCESS_SET_INFO
, NULL
,
6069 struct samr_group_info
, &status
);
6070 if (!NT_STATUS_IS_OK(status
)) {
6075 ret
= get_domain_group_from_sid(ginfo
->sid
, &map
);
6078 return NT_STATUS_NO_SUCH_GROUP
;
6080 switch (r
->in
.level
) {
6082 fstrcpy(map
.nt_name
, r
->in
.info
->name
.string
);
6087 fstrcpy(map
.comment
, r
->in
.info
->description
.string
);
6090 return NT_STATUS_INVALID_INFO_CLASS
;
6093 /******** BEGIN SeAddUsers BLOCK *********/
6096 status
= pdb_update_group_mapping_entry(&map
);
6099 /******** End SeAddUsers BLOCK *********/
6101 if (NT_STATUS_IS_OK(status
)) {
6102 force_flush_samr_cache(&ginfo
->sid
);
6108 /*********************************************************************
6110 *********************************************************************/
6112 NTSTATUS
_samr_SetAliasInfo(pipes_struct
*p
,
6113 struct samr_SetAliasInfo
*r
)
6115 struct samr_alias_info
*ainfo
;
6116 struct acct_info info
;
6119 ainfo
= policy_handle_find(p
, r
->in
.alias_handle
,
6120 SAMR_ALIAS_ACCESS_SET_INFO
, NULL
,
6121 struct samr_alias_info
, &status
);
6122 if (!NT_STATUS_IS_OK(status
)) {
6126 /* get the current group information */
6129 status
= pdb_get_aliasinfo( &ainfo
->sid
, &info
);
6132 if ( !NT_STATUS_IS_OK(status
))
6135 switch (r
->in
.level
) {
6140 /* We currently do not support renaming groups in the
6141 the BUILTIN domain. Refer to util_builtin.c to understand
6142 why. The eventually needs to be fixed to be like Windows
6143 where you can rename builtin groups, just not delete them */
6145 if ( sid_check_is_in_builtin( &ainfo
->sid
) ) {
6146 return NT_STATUS_SPECIAL_ACCOUNT
;
6149 /* There has to be a valid name (and it has to be different) */
6151 if ( !r
->in
.info
->name
.string
)
6152 return NT_STATUS_INVALID_PARAMETER
;
6154 /* If the name is the same just reply "ok". Yes this
6155 doesn't allow you to change the case of a group name. */
6157 if ( strequal( r
->in
.info
->name
.string
, info
.acct_name
) )
6158 return NT_STATUS_OK
;
6160 fstrcpy( info
.acct_name
, r
->in
.info
->name
.string
);
6162 /* make sure the name doesn't already exist as a user
6165 fstr_sprintf( group_name
, "%s\\%s", global_myname(), info
.acct_name
);
6166 status
= can_create( p
->mem_ctx
, group_name
);
6167 if ( !NT_STATUS_IS_OK( status
) )
6171 case ALIASINFODESCRIPTION
:
6172 if (r
->in
.info
->description
.string
) {
6173 fstrcpy(info
.acct_desc
,
6174 r
->in
.info
->description
.string
);
6176 fstrcpy( info
.acct_desc
, "" );
6180 return NT_STATUS_INVALID_INFO_CLASS
;
6183 /******** BEGIN SeAddUsers BLOCK *********/
6186 status
= pdb_set_aliasinfo( &ainfo
->sid
, &info
);
6189 /******** End SeAddUsers BLOCK *********/
6191 if (NT_STATUS_IS_OK(status
))
6192 force_flush_samr_cache(&ainfo
->sid
);
6197 /****************************************************************
6199 ****************************************************************/
6201 NTSTATUS
_samr_GetDomPwInfo(pipes_struct
*p
,
6202 struct samr_GetDomPwInfo
*r
)
6204 uint32_t min_password_length
= 0;
6205 uint32_t password_properties
= 0;
6207 /* Perform access check. Since this rpc does not require a
6208 policy handle it will not be caught by the access checks on
6209 SAMR_CONNECT or SAMR_CONNECT_ANON. */
6211 if (!pipe_access_check(p
)) {
6212 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
6213 return NT_STATUS_ACCESS_DENIED
;
6217 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
,
6218 &min_password_length
);
6219 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
6220 &password_properties
);
6223 if (lp_check_password_script() && *lp_check_password_script()) {
6224 password_properties
|= DOMAIN_PASSWORD_COMPLEX
;
6227 r
->out
.info
->min_password_length
= min_password_length
;
6228 r
->out
.info
->password_properties
= password_properties
;
6230 return NT_STATUS_OK
;
6233 /*********************************************************************
6235 *********************************************************************/
6237 NTSTATUS
_samr_OpenGroup(pipes_struct
*p
,
6238 struct samr_OpenGroup
*r
)
6243 struct samr_domain_info
*dinfo
;
6244 struct samr_group_info
*ginfo
;
6245 SEC_DESC
*psd
= NULL
;
6247 uint32 des_access
= r
->in
.access_mask
;
6253 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6254 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
6255 struct samr_domain_info
, &status
);
6256 if (!NT_STATUS_IS_OK(status
)) {
6260 /*check if access can be granted as requested by client. */
6261 map_max_allowed_access(p
->server_info
->ptok
,
6262 &p
->server_info
->utok
,
6265 make_samr_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &grp_generic_mapping
, NULL
, 0);
6266 se_map_generic(&des_access
,&grp_generic_mapping
);
6268 se_priv_copy( &se_rights
, &se_add_users
);
6270 status
= access_check_object(psd
, p
->server_info
->ptok
,
6271 &se_rights
, GENERIC_RIGHTS_GROUP_ALL_ACCESS
,
6272 des_access
, &acc_granted
, "_samr_OpenGroup");
6274 if ( !NT_STATUS_IS_OK(status
) )
6277 /* this should not be hard-coded like this */
6279 if (!sid_equal(&dinfo
->sid
, get_global_sam_sid()))
6280 return NT_STATUS_ACCESS_DENIED
;
6282 sid_compose(&info_sid
, &dinfo
->sid
, r
->in
.rid
);
6284 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n",
6285 sid_string_dbg(&info_sid
)));
6287 /* check if that group really exists */
6289 ret
= get_domain_group_from_sid(info_sid
, &map
);
6292 return NT_STATUS_NO_SUCH_GROUP
;
6294 ginfo
= policy_handle_create(p
, r
->out
.group_handle
,
6296 struct samr_group_info
, &status
);
6297 if (!NT_STATUS_IS_OK(status
)) {
6300 ginfo
->sid
= info_sid
;
6302 return NT_STATUS_OK
;
6305 /*********************************************************************
6306 _samr_RemoveMemberFromForeignDomain
6307 *********************************************************************/
6309 NTSTATUS
_samr_RemoveMemberFromForeignDomain(pipes_struct
*p
,
6310 struct samr_RemoveMemberFromForeignDomain
*r
)
6312 struct samr_domain_info
*dinfo
;
6315 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
6316 sid_string_dbg(r
->in
.sid
)));
6318 /* Find the policy handle. Open a policy on it. */
6320 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6321 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
, NULL
,
6322 struct samr_domain_info
, &result
);
6323 if (!NT_STATUS_IS_OK(result
)) {
6327 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
6328 sid_string_dbg(&dinfo
->sid
)));
6330 /* we can only delete a user from a group since we don't have
6331 nested groups anyways. So in the latter case, just say OK */
6333 /* TODO: The above comment nowadays is bogus. Since we have nested
6334 * groups now, and aliases members are never reported out of the unix
6335 * group membership, the "just say OK" makes this call a no-op. For
6336 * us. This needs fixing however. */
6338 /* I've only ever seen this in the wild when deleting a user from
6339 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
6340 * is the user about to be deleted. I very much suspect this is the
6341 * only application of this call. To verify this, let people report
6344 if (!sid_check_is_builtin(&dinfo
->sid
)) {
6345 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
6346 "global_sam_sid() = %s\n",
6347 sid_string_dbg(&dinfo
->sid
),
6348 sid_string_dbg(get_global_sam_sid())));
6349 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
6350 return NT_STATUS_OK
;
6353 force_flush_samr_cache(&dinfo
->sid
);
6355 result
= NT_STATUS_OK
;
6360 /*******************************************************************
6361 _samr_QueryDomainInfo2
6362 ********************************************************************/
6364 NTSTATUS
_samr_QueryDomainInfo2(pipes_struct
*p
,
6365 struct samr_QueryDomainInfo2
*r
)
6367 struct samr_QueryDomainInfo q
;
6369 q
.in
.domain_handle
= r
->in
.domain_handle
;
6370 q
.in
.level
= r
->in
.level
;
6372 q
.out
.info
= r
->out
.info
;
6374 return _samr_QueryDomainInfo(p
, &q
);
6377 /*******************************************************************
6378 ********************************************************************/
6380 static NTSTATUS
set_dom_info_1(TALLOC_CTX
*mem_ctx
,
6381 struct samr_DomInfo1
*r
)
6383 time_t u_expire
, u_min_age
;
6385 u_expire
= nt_time_to_unix_abs((NTTIME
*)&r
->max_password_age
);
6386 u_min_age
= nt_time_to_unix_abs((NTTIME
*)&r
->min_password_age
);
6388 pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_LEN
,
6389 (uint32_t)r
->min_password_length
);
6390 pdb_set_account_policy(PDB_POLICY_PASSWORD_HISTORY
,
6391 (uint32_t)r
->password_history_length
);
6392 pdb_set_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS
,
6393 (uint32_t)r
->password_properties
);
6394 pdb_set_account_policy(PDB_POLICY_MAX_PASSWORD_AGE
, (int)u_expire
);
6395 pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_AGE
, (int)u_min_age
);
6397 return NT_STATUS_OK
;
6400 /*******************************************************************
6401 ********************************************************************/
6403 static NTSTATUS
set_dom_info_3(TALLOC_CTX
*mem_ctx
,
6404 struct samr_DomInfo3
*r
)
6408 u_logout
= nt_time_to_unix_abs((NTTIME
*)&r
->force_logoff_time
);
6410 pdb_set_account_policy(PDB_POLICY_TIME_TO_LOGOUT
, (int)u_logout
);
6412 return NT_STATUS_OK
;
6415 /*******************************************************************
6416 ********************************************************************/
6418 static NTSTATUS
set_dom_info_12(TALLOC_CTX
*mem_ctx
,
6419 struct samr_DomInfo12
*r
)
6421 time_t u_lock_duration
, u_reset_time
;
6423 u_lock_duration
= nt_time_to_unix_abs((NTTIME
*)&r
->lockout_duration
);
6424 if (u_lock_duration
!= -1) {
6425 u_lock_duration
/= 60;
6428 u_reset_time
= nt_time_to_unix_abs((NTTIME
*)&r
->lockout_window
)/60;
6430 pdb_set_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION
, (int)u_lock_duration
);
6431 pdb_set_account_policy(PDB_POLICY_RESET_COUNT_TIME
, (int)u_reset_time
);
6432 pdb_set_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT
,
6433 (uint32_t)r
->lockout_threshold
);
6435 return NT_STATUS_OK
;
6438 /*******************************************************************
6440 ********************************************************************/
6442 NTSTATUS
_samr_SetDomainInfo(pipes_struct
*p
,
6443 struct samr_SetDomainInfo
*r
)
6445 struct samr_domain_info
*dinfo
;
6447 uint32_t acc_required
= 0;
6449 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
6451 switch (r
->in
.level
) {
6452 case 1: /* DomainPasswordInformation */
6453 case 12: /* DomainLockoutInformation */
6454 /* DOMAIN_WRITE_PASSWORD_PARAMETERS */
6455 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_1
;
6457 case 3: /* DomainLogoffInformation */
6458 case 4: /* DomainOemInformation */
6459 /* DOMAIN_WRITE_OTHER_PARAMETERS */
6460 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_2
;
6462 case 6: /* DomainReplicationInformation */
6463 case 9: /* DomainStateInformation */
6464 case 7: /* DomainServerRoleInformation */
6465 /* DOMAIN_ADMINISTER_SERVER */
6466 acc_required
= SAMR_DOMAIN_ACCESS_SET_INFO_3
;
6469 return NT_STATUS_INVALID_INFO_CLASS
;
6472 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6474 struct samr_domain_info
, &status
);
6475 if (!NT_STATUS_IS_OK(status
)) {
6479 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r
->in
.level
));
6481 switch (r
->in
.level
) {
6483 status
= set_dom_info_1(p
->mem_ctx
, &r
->in
.info
->info1
);
6486 status
= set_dom_info_3(p
->mem_ctx
, &r
->in
.info
->info3
);
6497 status
= set_dom_info_12(p
->mem_ctx
, &r
->in
.info
->info12
);
6500 return NT_STATUS_INVALID_INFO_CLASS
;
6503 if (!NT_STATUS_IS_OK(status
)) {
6507 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__
));
6509 return NT_STATUS_OK
;
6512 /****************************************************************
6513 _samr_GetDisplayEnumerationIndex
6514 ****************************************************************/
6516 NTSTATUS
_samr_GetDisplayEnumerationIndex(pipes_struct
*p
,
6517 struct samr_GetDisplayEnumerationIndex
*r
)
6519 struct samr_domain_info
*dinfo
;
6520 uint32_t max_entries
= (uint32_t) -1;
6521 uint32_t enum_context
= 0;
6523 uint32_t num_account
= 0;
6524 struct samr_displayentry
*entries
= NULL
;
6527 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__
));
6529 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6530 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
, NULL
,
6531 struct samr_domain_info
, &status
);
6532 if (!NT_STATUS_IS_OK(status
)) {
6536 if ((r
->in
.level
< 1) || (r
->in
.level
> 3)) {
6537 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
6538 "Unknown info level (%u)\n",
6540 return NT_STATUS_INVALID_INFO_CLASS
;
6545 /* The following done as ROOT. Don't return without unbecome_root(). */
6547 switch (r
->in
.level
) {
6549 if (dinfo
->disp_info
->users
== NULL
) {
6550 dinfo
->disp_info
->users
= pdb_search_users(
6551 dinfo
->disp_info
, ACB_NORMAL
);
6552 if (dinfo
->disp_info
->users
== NULL
) {
6554 return NT_STATUS_ACCESS_DENIED
;
6556 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6557 "starting user enumeration at index %u\n",
6558 (unsigned int)enum_context
));
6560 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6561 "using cached user enumeration at index %u\n",
6562 (unsigned int)enum_context
));
6564 num_account
= pdb_search_entries(dinfo
->disp_info
->users
,
6565 enum_context
, max_entries
,
6569 if (dinfo
->disp_info
->machines
== NULL
) {
6570 dinfo
->disp_info
->machines
= pdb_search_users(
6571 dinfo
->disp_info
, ACB_WSTRUST
|ACB_SVRTRUST
);
6572 if (dinfo
->disp_info
->machines
== NULL
) {
6574 return NT_STATUS_ACCESS_DENIED
;
6576 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6577 "starting machine enumeration at index %u\n",
6578 (unsigned int)enum_context
));
6580 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6581 "using cached machine enumeration at index %u\n",
6582 (unsigned int)enum_context
));
6584 num_account
= pdb_search_entries(dinfo
->disp_info
->machines
,
6585 enum_context
, max_entries
,
6589 if (dinfo
->disp_info
->groups
== NULL
) {
6590 dinfo
->disp_info
->groups
= pdb_search_groups(
6592 if (dinfo
->disp_info
->groups
== NULL
) {
6594 return NT_STATUS_ACCESS_DENIED
;
6596 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6597 "starting group enumeration at index %u\n",
6598 (unsigned int)enum_context
));
6600 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6601 "using cached group enumeration at index %u\n",
6602 (unsigned int)enum_context
));
6604 num_account
= pdb_search_entries(dinfo
->disp_info
->groups
,
6605 enum_context
, max_entries
,
6610 smb_panic("info class changed");
6616 /* Ensure we cache this enumeration. */
6617 set_disp_info_cache_timeout(dinfo
->disp_info
, DISP_INFO_CACHE_TIMEOUT
);
6619 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
6620 r
->in
.name
->string
));
6622 for (i
=0; i
<num_account
; i
++) {
6623 if (strequal(entries
[i
].account_name
, r
->in
.name
->string
)) {
6624 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6625 "found %s at idx %d\n",
6626 r
->in
.name
->string
, i
));
6628 return NT_STATUS_OK
;
6632 /* assuming account_name lives at the very end */
6633 *r
->out
.idx
= num_account
;
6635 return NT_STATUS_NO_MORE_ENTRIES
;
6638 /****************************************************************
6639 _samr_GetDisplayEnumerationIndex2
6640 ****************************************************************/
6642 NTSTATUS
_samr_GetDisplayEnumerationIndex2(pipes_struct
*p
,
6643 struct samr_GetDisplayEnumerationIndex2
*r
)
6645 struct samr_GetDisplayEnumerationIndex q
;
6647 q
.in
.domain_handle
= r
->in
.domain_handle
;
6648 q
.in
.level
= r
->in
.level
;
6649 q
.in
.name
= r
->in
.name
;
6651 q
.out
.idx
= r
->out
.idx
;
6653 return _samr_GetDisplayEnumerationIndex(p
, &q
);
6656 /****************************************************************
6658 ****************************************************************/
6660 NTSTATUS
_samr_RidToSid(pipes_struct
*p
,
6661 struct samr_RidToSid
*r
)
6663 struct samr_domain_info
*dinfo
;
6667 dinfo
= policy_handle_find(p
, r
->in
.domain_handle
,
6669 struct samr_domain_info
, &status
);
6670 if (!NT_STATUS_IS_OK(status
)) {
6674 if (!sid_compose(&sid
, &dinfo
->sid
, r
->in
.rid
)) {
6675 return NT_STATUS_NO_MEMORY
;
6678 *r
->out
.sid
= sid_dup_talloc(p
->mem_ctx
, &sid
);
6680 return NT_STATUS_NO_MEMORY
;
6683 return NT_STATUS_OK
;
6686 /****************************************************************
6687 ****************************************************************/
6689 NTSTATUS
_samr_Shutdown(pipes_struct
*p
,
6690 struct samr_Shutdown
*r
)
6692 p
->rng_fault_state
= true;
6693 return NT_STATUS_NOT_IMPLEMENTED
;
6696 /****************************************************************
6697 ****************************************************************/
6699 NTSTATUS
_samr_SetMemberAttributesOfGroup(pipes_struct
*p
,
6700 struct samr_SetMemberAttributesOfGroup
*r
)
6702 p
->rng_fault_state
= true;
6703 return NT_STATUS_NOT_IMPLEMENTED
;
6706 /****************************************************************
6707 ****************************************************************/
6709 NTSTATUS
_samr_TestPrivateFunctionsDomain(pipes_struct
*p
,
6710 struct samr_TestPrivateFunctionsDomain
*r
)
6712 return NT_STATUS_NOT_IMPLEMENTED
;
6715 /****************************************************************
6716 ****************************************************************/
6718 NTSTATUS
_samr_TestPrivateFunctionsUser(pipes_struct
*p
,
6719 struct samr_TestPrivateFunctionsUser
*r
)
6721 return NT_STATUS_NOT_IMPLEMENTED
;
6724 /****************************************************************
6725 ****************************************************************/
6727 NTSTATUS
_samr_AddMultipleMembersToAlias(pipes_struct
*p
,
6728 struct samr_AddMultipleMembersToAlias
*r
)
6730 p
->rng_fault_state
= true;
6731 return NT_STATUS_NOT_IMPLEMENTED
;
6734 /****************************************************************
6735 ****************************************************************/
6737 NTSTATUS
_samr_RemoveMultipleMembersFromAlias(pipes_struct
*p
,
6738 struct samr_RemoveMultipleMembersFromAlias
*r
)
6740 p
->rng_fault_state
= true;
6741 return NT_STATUS_NOT_IMPLEMENTED
;
6744 /****************************************************************
6745 ****************************************************************/
6747 NTSTATUS
_samr_SetBootKeyInformation(pipes_struct
*p
,
6748 struct samr_SetBootKeyInformation
*r
)
6750 p
->rng_fault_state
= true;
6751 return NT_STATUS_NOT_IMPLEMENTED
;
6754 /****************************************************************
6755 ****************************************************************/
6757 NTSTATUS
_samr_GetBootKeyInformation(pipes_struct
*p
,
6758 struct samr_GetBootKeyInformation
*r
)
6760 p
->rng_fault_state
= true;
6761 return NT_STATUS_NOT_IMPLEMENTED
;
6764 /****************************************************************
6765 ****************************************************************/
6767 NTSTATUS
_samr_SetDsrmPassword(pipes_struct
*p
,
6768 struct samr_SetDsrmPassword
*r
)
6770 p
->rng_fault_state
= true;
6771 return NT_STATUS_NOT_IMPLEMENTED
;
6774 /****************************************************************
6775 ****************************************************************/
6777 NTSTATUS
_samr_ValidatePassword(pipes_struct
*p
,
6778 struct samr_ValidatePassword
*r
)
6780 p
->rng_fault_state
= true;
6781 return NT_STATUS_NOT_IMPLEMENTED
;