search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-samr: let set_user_info_16 and 20 follow the same pattern as all other levels.
[Samba/gbeck.git] / source3 / rpc_server / srv_samr_nt.c
blobe0ba51c68ac27e3d87263d40d88848e77d1ada68
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /*
31 * This is the implementation of the SAMR code.
32 */
33
34 #include "includes.h"
35 #include "../libcli/auth/libcli_auth.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 #define SAMR_USR_RIGHTS_WRITE_PW \
41 ( READ_CONTROL_ACCESS | \
42 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
43 SAMR_USER_ACCESS_SET_LOC_COM)
44 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
45 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46
47 #define DISP_INFO_CACHE_TIMEOUT 10
48
49 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
50 #define MAX_SAM_ENTRIES_W95 50
51
52 struct samr_connect_info {
53 uint8_t dummy;
54 };
55
56 struct samr_domain_info {
57 struct dom_sid sid;
58 struct disp_info *disp_info;
59 };
60
61 struct samr_user_info {
62 struct dom_sid sid;
63 };
64
65 struct samr_group_info {
66 struct dom_sid sid;
67 };
68
69 struct samr_alias_info {
70 struct dom_sid sid;
71 };
72
73 typedef struct disp_info {
74 DOM_SID sid; /* identify which domain this is. */
75 struct pdb_search *users; /* querydispinfo 1 and 4 */
76 struct pdb_search *machines; /* querydispinfo 2 */
77 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
78 struct pdb_search *aliases; /* enumaliases */
79
80 uint16 enum_acb_mask;
81 struct pdb_search *enum_users; /* enumusers with a mask */
82
83 struct timed_event *cache_timeout_event; /* cache idle timeout
84 * handler. */
85 } DISP_INFO;
86
87 static const struct generic_mapping sam_generic_mapping = {
88 GENERIC_RIGHTS_SAM_READ,
89 GENERIC_RIGHTS_SAM_WRITE,
90 GENERIC_RIGHTS_SAM_EXECUTE,
91 GENERIC_RIGHTS_SAM_ALL_ACCESS};
92 static const struct generic_mapping dom_generic_mapping = {
93 GENERIC_RIGHTS_DOMAIN_READ,
94 GENERIC_RIGHTS_DOMAIN_WRITE,
95 GENERIC_RIGHTS_DOMAIN_EXECUTE,
96 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
97 static const struct generic_mapping usr_generic_mapping = {
98 GENERIC_RIGHTS_USER_READ,
99 GENERIC_RIGHTS_USER_WRITE,
100 GENERIC_RIGHTS_USER_EXECUTE,
101 GENERIC_RIGHTS_USER_ALL_ACCESS};
102 static const struct generic_mapping usr_nopwchange_generic_mapping = {
103 GENERIC_RIGHTS_USER_READ,
104 GENERIC_RIGHTS_USER_WRITE,
105 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
106 GENERIC_RIGHTS_USER_ALL_ACCESS};
107 static const struct generic_mapping grp_generic_mapping = {
108 GENERIC_RIGHTS_GROUP_READ,
109 GENERIC_RIGHTS_GROUP_WRITE,
110 GENERIC_RIGHTS_GROUP_EXECUTE,
111 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
112 static const struct generic_mapping ali_generic_mapping = {
113 GENERIC_RIGHTS_ALIAS_READ,
114 GENERIC_RIGHTS_ALIAS_WRITE,
115 GENERIC_RIGHTS_ALIAS_EXECUTE,
116 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
117
118 /*******************************************************************
119 *******************************************************************/
120
121 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
122 const struct generic_mapping *map,
123 DOM_SID *sid, uint32 sid_access )
124 {
125 DOM_SID domadmin_sid;
126 SEC_ACE ace[5]; /* at most 5 entries */
127 size_t i = 0;
128
129 SEC_ACL *psa = NULL;
130
131 /* basic access for Everyone */
132
133 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
134 map->generic_execute | map->generic_read, 0);
135
136 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
137
138 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
139 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
140 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
141 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
142
143 /* Add Full Access for Domain Admins if we are a DC */
144
145 if ( IS_DC ) {
146 sid_copy( &domadmin_sid, get_global_sam_sid() );
147 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
148 init_sec_ace(&ace[i++], &domadmin_sid,
149 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
150 }
151
152 /* if we have a sid, give it some special access */
153
154 if ( sid ) {
155 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
156 }
157
158 /* create the security descriptor */
159
160 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
161 return NT_STATUS_NO_MEMORY;
162
163 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
164 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
165 psa, sd_size)) == NULL)
166 return NT_STATUS_NO_MEMORY;
167
168 return NT_STATUS_OK;
169 }
170
171 /*******************************************************************
172 Checks if access to an object should be granted, and returns that
173 level of access for further checks.
174 ********************************************************************/
175
176 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
177 SE_PRIV *rights, uint32 rights_mask,
178 uint32 des_access, uint32 *acc_granted,
179 const char *debug )
180 {
181 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
182 uint32 saved_mask = 0;
183
184 /* check privileges; certain SAM access bits should be overridden
185 by privileges (mostly having to do with creating/modifying/deleting
186 users and groups) */
187
188 if ( rights && user_has_any_privilege( token, rights ) ) {
189
190 saved_mask = (des_access & rights_mask);
191 des_access &= ~saved_mask;
192
193 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
194 rights_mask));
195 }
196
197
198 /* check the security descriptor first */
199
200 status = se_access_check(psd, token, des_access, acc_granted);
201 if (NT_STATUS_IS_OK(status)) {
202 goto done;
203 }
204
205 /* give root a free pass */
206
207 if ( geteuid() == sec_initial_uid() ) {
208
209 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
210 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
211
212 *acc_granted = des_access;
213
214 status = NT_STATUS_OK;
215 goto done;
216 }
217
218
219 done:
220 /* add in any bits saved during the privilege check (only
221 matters is status is ok) */
222
223 *acc_granted |= rights_mask;
224
225 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
226 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
227 des_access, *acc_granted));
228
229 return status;
230 }
231
232
233 /*******************************************************************
234 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
235 ********************************************************************/
236
237 static void map_max_allowed_access(const NT_USER_TOKEN *token,
238 uint32_t *pacc_requested)
239 {
240 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
241 return;
242 }
243 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
244
245 /* At least try for generic read. */
246 *pacc_requested = GENERIC_READ_ACCESS;
247
248 /* root gets anything. */
249 if (geteuid() == sec_initial_uid()) {
250 *pacc_requested |= GENERIC_ALL_ACCESS;
251 return;
252 }
253
254 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
255
256 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
257 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
258 *pacc_requested |= GENERIC_ALL_ACCESS;
259 return;
260 }
261
262 /* Full access for DOMAIN\Domain Admins. */
263 if ( IS_DC ) {
264 DOM_SID domadmin_sid;
265 sid_copy( &domadmin_sid, get_global_sam_sid() );
266 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
267 if (is_sid_in_token(token, &domadmin_sid)) {
268 *pacc_requested |= GENERIC_ALL_ACCESS;
269 return;
270 }
271 }
272 /* TODO ! Check privileges. */
273 }
274
275 /*******************************************************************
276 Fetch or create a dispinfo struct.
277 ********************************************************************/
278
279 static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid)
280 {
281 /*
282 * We do a static cache for DISP_INFO's here. Explanation can be found
283 * in Jeremy's checkin message to r11793:
284 *
285 * Fix the SAMR cache so it works across completely insane
286 * client behaviour (ie.:
287 * open pipe/open SAMR handle/enumerate 0 - 1024
288 * close SAMR handle, close pipe.
289 * open pipe/open SAMR handle/enumerate 1024 - 2048...
290 * close SAMR handle, close pipe.
291 * And on ad-nausium. Amazing.... probably object-oriented
292 * client side programming in action yet again.
293 * This change should *massively* improve performance when
294 * enumerating users from an LDAP database.
295 * Jeremy.
296 *
297 * "Our" and the builtin domain are the only ones where we ever
298 * enumerate stuff, so just cache 2 entries.
299 */
300
301 static struct disp_info *builtin_dispinfo;
302 static struct disp_info *domain_dispinfo;
303
304 /* There are two cases to consider here:
305 1) The SID is a domain SID and we look for an equality match, or
306 2) This is an account SID and so we return the DISP_INFO* for our
307 domain */
308
309 if (psid == NULL) {
310 return NULL;
311 }
312
313 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
314 /*
315 * Necessary only once, but it does not really hurt.
316 */
317 if (builtin_dispinfo == NULL) {
318 builtin_dispinfo = talloc_zero(
319 talloc_autofree_context(), struct disp_info);
320 if (builtin_dispinfo == NULL) {
321 return NULL;
322 }
323 }
324 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
325
326 return builtin_dispinfo;
327 }
328
329 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
330 /*
331 * Necessary only once, but it does not really hurt.
332 */
333 if (domain_dispinfo == NULL) {
334 domain_dispinfo = talloc_zero(
335 talloc_autofree_context(), struct disp_info);
336 if (domain_dispinfo == NULL) {
337 return NULL;
338 }
339 }
340 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
341
342 return domain_dispinfo;
343 }
344
345 return NULL;
346 }
347
348 /*******************************************************************
349 Function to free the per SID data.
350 ********************************************************************/
351
352 static void free_samr_cache(DISP_INFO *disp_info)
353 {
354 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
355 sid_string_dbg(&disp_info->sid)));
356
357 /* We need to become root here because the paged search might have to
358 * tell the LDAP server we're not interested in the rest anymore. */
359
360 become_root();
361
362 TALLOC_FREE(disp_info->users);
363 TALLOC_FREE(disp_info->machines);
364 TALLOC_FREE(disp_info->groups);
365 TALLOC_FREE(disp_info->aliases);
366 TALLOC_FREE(disp_info->enum_users);
367
368 unbecome_root();
369 }
370
371 /*******************************************************************
372 Idle event handler. Throw away the disp info cache.
373 ********************************************************************/
374
375 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
376 struct timed_event *te,
377 struct timeval now,
378 void *private_data)
379 {
380 DISP_INFO *disp_info = (DISP_INFO *)private_data;
381
382 TALLOC_FREE(disp_info->cache_timeout_event);
383
384 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
385 "out\n"));
386 free_samr_cache(disp_info);
387 }
388
389 /*******************************************************************
390 Setup cache removal idle event handler.
391 ********************************************************************/
392
393 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
394 {
395 /* Remove any pending timeout and update. */
396
397 TALLOC_FREE(disp_info->cache_timeout_event);
398
399 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
400 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
401 (unsigned int)secs_fromnow ));
402
403 disp_info->cache_timeout_event = event_add_timed(
404 smbd_event_context(), NULL,
405 timeval_current_ofs(secs_fromnow, 0),
406 disp_info_cache_idle_timeout_handler, (void *)disp_info);
407 }
408
409 /*******************************************************************
410 Force flush any cache. We do this on any samr_set_xxx call.
411 We must also remove the timeout handler.
412 ********************************************************************/
413
414 static void force_flush_samr_cache(const struct dom_sid *sid)
415 {
416 struct disp_info *disp_info = get_samr_dispinfo_by_sid(sid);
417
418 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
419 return;
420 }
421
422 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
423 TALLOC_FREE(disp_info->cache_timeout_event);
424 free_samr_cache(disp_info);
425 }
426
427 /*******************************************************************
428 Ensure password info is never given out. Paranioa... JRA.
429 ********************************************************************/
430
431 static void samr_clear_sam_passwd(struct samu *sam_pass)
432 {
433
434 if (!sam_pass)
435 return;
436
437 /* These now zero out the old password */
438
439 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
440 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
441 }
442
443 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
444 {
445 struct samr_displayentry *entry;
446
447 if (sid_check_is_builtin(&info->sid)) {
448 /* No users in builtin. */
449 return 0;
450 }
451
452 if (info->users == NULL) {
453 info->users = pdb_search_users(info, acct_flags);
454 if (info->users == NULL) {
455 return 0;
456 }
457 }
458 /* Fetch the last possible entry, thus trigger an enumeration */
459 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
460
461 /* Ensure we cache this enumeration. */
462 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
463
464 return info->users->num_entries;
465 }
466
467 static uint32 count_sam_groups(struct disp_info *info)
468 {
469 struct samr_displayentry *entry;
470
471 if (sid_check_is_builtin(&info->sid)) {
472 /* No groups in builtin. */
473 return 0;
474 }
475
476 if (info->groups == NULL) {
477 info->groups = pdb_search_groups(info);
478 if (info->groups == NULL) {
479 return 0;
480 }
481 }
482 /* Fetch the last possible entry, thus trigger an enumeration */
483 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
484
485 /* Ensure we cache this enumeration. */
486 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
487
488 return info->groups->num_entries;
489 }
490
491 static uint32 count_sam_aliases(struct disp_info *info)
492 {
493 struct samr_displayentry *entry;
494
495 if (info->aliases == NULL) {
496 info->aliases = pdb_search_aliases(info, &info->sid);
497 if (info->aliases == NULL) {
498 return 0;
499 }
500 }
501 /* Fetch the last possible entry, thus trigger an enumeration */
502 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
503
504 /* Ensure we cache this enumeration. */
505 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
506
507 return info->aliases->num_entries;
508 }
509
510 /*******************************************************************
511 _samr_Close
512 ********************************************************************/
513
514 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
515 {
516 if (!close_policy_hnd(p, r->in.handle)) {
517 return NT_STATUS_INVALID_HANDLE;
518 }
519
520 ZERO_STRUCTP(r->out.handle);
521
522 return NT_STATUS_OK;
523 }
524
525 /*******************************************************************
526 _samr_OpenDomain
527 ********************************************************************/
528
529 NTSTATUS _samr_OpenDomain(pipes_struct *p,
530 struct samr_OpenDomain *r)
531 {
532 struct samr_connect_info *cinfo;
533 struct samr_domain_info *dinfo;
534 SEC_DESC *psd = NULL;
535 uint32 acc_granted;
536 uint32 des_access = r->in.access_mask;
537 NTSTATUS status;
538 size_t sd_size;
539 SE_PRIV se_rights;
540
541 /* find the connection policy handle. */
542
543 cinfo = policy_handle_find(p, r->in.connect_handle, 0, NULL,
544 struct samr_connect_info, &status);
545 if (!NT_STATUS_IS_OK(status)) {
546 return status;
547 }
548
549 /*check if access can be granted as requested by client. */
550 map_max_allowed_access(p->server_info->ptok, &des_access);
551
552 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
553 se_map_generic( &des_access, &dom_generic_mapping );
554
555 se_priv_copy( &se_rights, &se_machine_account );
556 se_priv_add( &se_rights, &se_add_users );
557
558 status = access_check_samr_object( psd, p->server_info->ptok,
559 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
560 &acc_granted, "_samr_OpenDomain" );
561
562 if ( !NT_STATUS_IS_OK(status) )
563 return status;
564
565 if (!sid_check_is_domain(r->in.sid) &&
566 !sid_check_is_builtin(r->in.sid)) {
567 return NT_STATUS_NO_SUCH_DOMAIN;
568 }
569
570 dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
571 struct samr_domain_info, &status);
572 if (!NT_STATUS_IS_OK(status)) {
573 return status;
574 }
575 dinfo->sid = *r->in.sid;
576 dinfo->disp_info = get_samr_dispinfo_by_sid(r->in.sid);
577
578 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
579
580 return NT_STATUS_OK;
581 }
582
583 /*******************************************************************
584 _samr_GetUserPwInfo
585 ********************************************************************/
586
587 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
588 struct samr_GetUserPwInfo *r)
589 {
590 struct samr_user_info *uinfo;
591 enum lsa_SidType sid_type;
592 uint32_t min_password_length = 0;
593 uint32_t password_properties = 0;
594 bool ret = false;
595 NTSTATUS status;
596
597 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
598
599 uinfo = policy_handle_find(p, r->in.user_handle,
600 SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
601 struct samr_user_info, &status);
602 if (!NT_STATUS_IS_OK(status)) {
603 return status;
604 }
605
606 if (!sid_check_is_in_our_domain(&uinfo->sid)) {
607 return NT_STATUS_OBJECT_TYPE_MISMATCH;
608 }
609
610 become_root();
611 ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type);
612 unbecome_root();
613 if (ret == false) {
614 return NT_STATUS_NO_SUCH_USER;
615 }
616
617 switch (sid_type) {
618 case SID_NAME_USER:
619 become_root();
620 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
621 &min_password_length);
622 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
623 &password_properties);
624 unbecome_root();
625
626 if (lp_check_password_script() && *lp_check_password_script()) {
627 password_properties |= DOMAIN_PASSWORD_COMPLEX;
628 }
629
630 break;
631 default:
632 break;
633 }
634
635 r->out.info->min_password_length = min_password_length;
636 r->out.info->password_properties = password_properties;
637
638 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
639
640 return NT_STATUS_OK;
641 }
642
643 /*******************************************************************
644 _samr_SetSecurity
645 ********************************************************************/
646
647 NTSTATUS _samr_SetSecurity(pipes_struct *p,
648 struct samr_SetSecurity *r)
649 {
650 struct samr_user_info *uinfo;
651 uint32 i;
652 SEC_ACL *dacl;
653 bool ret;
654 struct samu *sampass=NULL;
655 NTSTATUS status;
656
657 uinfo = policy_handle_find(p, r->in.handle,
658 SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL,
659 struct samr_user_info, &status);
660 if (!NT_STATUS_IS_OK(status)) {
661 return status;
662 }
663
664 if (!(sampass = samu_new( p->mem_ctx))) {
665 DEBUG(0,("No memory!\n"));
666 return NT_STATUS_NO_MEMORY;
667 }
668
669 /* get the user record */
670 become_root();
671 ret = pdb_getsampwsid(sampass, &uinfo->sid);
672 unbecome_root();
673
674 if (!ret) {
675 DEBUG(4, ("User %s not found\n",
676 sid_string_dbg(&uinfo->sid)));
677 TALLOC_FREE(sampass);
678 return NT_STATUS_INVALID_HANDLE;
679 }
680
681 dacl = r->in.sdbuf->sd->dacl;
682 for (i=0; i < dacl->num_aces; i++) {
683 if (sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) {
684 ret = pdb_set_pass_can_change(sampass,
685 (dacl->aces[i].access_mask &
686 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
687 True: False);
688 break;
689 }
690 }
691
692 if (!ret) {
693 TALLOC_FREE(sampass);
694 return NT_STATUS_ACCESS_DENIED;
695 }
696
697 become_root();
698 status = pdb_update_sam_account(sampass);
699 unbecome_root();
700
701 TALLOC_FREE(sampass);
702
703 return status;
704 }
705
706 /*******************************************************************
707 build correct perms based on policies and password times for _samr_query_sec_obj
708 *******************************************************************/
709 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
710 {
711 struct samu *sampass=NULL;
712 bool ret;
713
714 if ( !(sampass = samu_new( mem_ctx )) ) {
715 DEBUG(0,("No memory!\n"));
716 return False;
717 }
718
719 become_root();
720 ret = pdb_getsampwsid(sampass, user_sid);
721 unbecome_root();
722
723 if (ret == False) {
724 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
725 TALLOC_FREE(sampass);
726 return False;
727 }
728
729 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
730
731 if (pdb_get_pass_can_change(sampass)) {
732 TALLOC_FREE(sampass);
733 return True;
734 }
735 TALLOC_FREE(sampass);
736 return False;
737 }
738
739
740 /*******************************************************************
741 _samr_QuerySecurity
742 ********************************************************************/
743
744 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
745 struct samr_QuerySecurity *r)
746 {
747 struct samr_connect_info *cinfo;
748 struct samr_domain_info *dinfo;
749 struct samr_user_info *uinfo;
750 struct samr_group_info *ginfo;
751 struct samr_alias_info *ainfo;
752 NTSTATUS status;
753 SEC_DESC * psd = NULL;
754 size_t sd_size;
755
756 cinfo = policy_handle_find(p, r->in.handle,
757 STD_RIGHT_READ_CONTROL_ACCESS, NULL,
758 struct samr_connect_info, &status);
759 if (NT_STATUS_IS_OK(status)) {
760 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
761 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
762 &sam_generic_mapping, NULL, 0);
763 goto done;
764 }
765
766 dinfo = policy_handle_find(p, r->in.handle,
767 STD_RIGHT_READ_CONTROL_ACCESS, NULL,
768 struct samr_domain_info, &status);
769 if (NT_STATUS_IS_OK(status)) {
770 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
771 "with SID: %s\n", sid_string_dbg(&dinfo->sid)));
772 /*
773 * TODO: Builtin probably needs a different SD with restricted
774 * write access
775 */
776 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
777 &dom_generic_mapping, NULL, 0);
778 goto done;
779 }
780
781 uinfo = policy_handle_find(p, r->in.handle,
782 STD_RIGHT_READ_CONTROL_ACCESS, NULL,
783 struct samr_user_info, &status);
784 if (NT_STATUS_IS_OK(status)) {
785 DEBUG(10,("_samr_QuerySecurity: querying security on user "
786 "Object with SID: %s\n",
787 sid_string_dbg(&uinfo->sid)));
788 if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) {
789 status = make_samr_object_sd(
790 p->mem_ctx, &psd, &sd_size,
791 &usr_generic_mapping,
792 &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW);
793 } else {
794 status = make_samr_object_sd(
795 p->mem_ctx, &psd, &sd_size,
796 &usr_nopwchange_generic_mapping,
797 &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
798 }
799 goto done;
800 }
801
802 ginfo = policy_handle_find(p, r->in.handle,
803 STD_RIGHT_READ_CONTROL_ACCESS, NULL,
804 struct samr_group_info, &status);
805 if (NT_STATUS_IS_OK(status)) {
806 /*
807 * TODO: different SDs have to be generated for aliases groups
808 * and users. Currently all three get a default user SD
809 */
810 DEBUG(10,("_samr_QuerySecurity: querying security on group "
811 "Object with SID: %s\n",
812 sid_string_dbg(&ginfo->sid)));
813 status = make_samr_object_sd(
814 p->mem_ctx, &psd, &sd_size,
815 &usr_nopwchange_generic_mapping,
816 &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
817 goto done;
818 }
819
820 ainfo = policy_handle_find(p, r->in.handle,
821 STD_RIGHT_READ_CONTROL_ACCESS, NULL,
822 struct samr_alias_info, &status);
823 if (NT_STATUS_IS_OK(status)) {
824 /*
825 * TODO: different SDs have to be generated for aliases groups
826 * and users. Currently all three get a default user SD
827 */
828 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
829 "Object with SID: %s\n",
830 sid_string_dbg(&ainfo->sid)));
831 status = make_samr_object_sd(
832 p->mem_ctx, &psd, &sd_size,
833 &usr_nopwchange_generic_mapping,
834 &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
835 goto done;
836 }
837
838 return NT_STATUS_OBJECT_TYPE_MISMATCH;
839 done:
840 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
841 return NT_STATUS_NO_MEMORY;
842
843 return status;
844 }
845
846 /*******************************************************************
847 makes a SAM_ENTRY / UNISTR2* structure from a user list.
848 ********************************************************************/
849
850 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
851 struct samr_SamEntry **sam_pp,
852 uint32_t num_entries,
853 uint32_t start_idx,
854 struct samr_displayentry *entries)
855 {
856 uint32_t i;
857 struct samr_SamEntry *sam;
858
859 *sam_pp = NULL;
860
861 if (num_entries == 0) {
862 return NT_STATUS_OK;
863 }
864
865 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
866 if (sam == NULL) {
867 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
868 return NT_STATUS_NO_MEMORY;
869 }
870
871 for (i = 0; i < num_entries; i++) {
872 #if 0
873 /*
874 * usrmgr expects a non-NULL terminated string with
875 * trust relationships
876 */
877 if (entries[i].acct_flags & ACB_DOMTRUST) {
878 init_unistr2(&uni_temp_name, entries[i].account_name,
879 UNI_FLAGS_NONE);
880 } else {
881 init_unistr2(&uni_temp_name, entries[i].account_name,
882 UNI_STR_TERMINATE);
883 }
884 #endif
885 init_lsa_String(&sam[i].name, entries[i].account_name);
886 sam[i].idx = entries[i].rid;
887 }
888
889 *sam_pp = sam;
890
891 return NT_STATUS_OK;
892 }
893
894 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
895
896 /*******************************************************************
897 _samr_EnumDomainUsers
898 ********************************************************************/
899
900 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
901 struct samr_EnumDomainUsers *r)
902 {
903 NTSTATUS status;
904 struct samr_domain_info *dinfo;
905 int num_account;
906 uint32 enum_context = *r->in.resume_handle;
907 enum remote_arch_types ra_type = get_remote_arch();
908 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
909 uint32 max_entries = max_sam_entries;
910 struct samr_displayentry *entries = NULL;
911 struct samr_SamArray *samr_array = NULL;
912 struct samr_SamEntry *samr_entries = NULL;
913
914 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
915
916 dinfo = policy_handle_find(p, r->in.domain_handle,
917 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
918 struct samr_domain_info, &status);
919 if (!NT_STATUS_IS_OK(status)) {
920 return status;
921 }
922
923 if (sid_check_is_builtin(&dinfo->sid)) {
924 /* No users in builtin. */
925 *r->out.resume_handle = *r->in.resume_handle;
926 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
927 return status;
928 }
929
930 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
931 if (!samr_array) {
932 return NT_STATUS_NO_MEMORY;
933 }
934 *r->out.sam = samr_array;
935
936 become_root();
937
938 /* AS ROOT !!!! */
939
940 if ((dinfo->disp_info->enum_users != NULL) &&
941 (dinfo->disp_info->enum_acb_mask != r->in.acct_flags)) {
942 TALLOC_FREE(dinfo->disp_info->enum_users);
943 }
944
945 if (dinfo->disp_info->enum_users == NULL) {
946 dinfo->disp_info->enum_users = pdb_search_users(
947 dinfo->disp_info, r->in.acct_flags);
948 dinfo->disp_info->enum_acb_mask = r->in.acct_flags;
949 }
950
951 if (dinfo->disp_info->enum_users == NULL) {
952 /* END AS ROOT !!!! */
953 unbecome_root();
954 return NT_STATUS_ACCESS_DENIED;
955 }
956
957 num_account = pdb_search_entries(dinfo->disp_info->enum_users,
958 enum_context, max_entries,
959 &entries);
960
961 /* END AS ROOT !!!! */
962
963 unbecome_root();
964
965 if (num_account == 0) {
966 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
967 "total entries\n"));
968 *r->out.resume_handle = *r->in.resume_handle;
969 return NT_STATUS_OK;
970 }
971
972 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
973 num_account, enum_context,
974 entries);
975 if (!NT_STATUS_IS_OK(status)) {
976 return status;
977 }
978
979 if (max_entries <= num_account) {
980 status = STATUS_MORE_ENTRIES;
981 } else {
982 status = NT_STATUS_OK;
983 }
984
985 /* Ensure we cache this enumeration. */
986 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
987
988 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
989
990 samr_array->count = num_account;
991 samr_array->entries = samr_entries;
992
993 *r->out.resume_handle = *r->in.resume_handle + num_account;
994 *r->out.num_entries = num_account;
995
996 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
997
998 return status;
999 }
1000
1001 /*******************************************************************
1002 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1003 ********************************************************************/
1004
1005 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1006 struct samr_SamEntry **sam_pp,
1007 uint32_t num_sam_entries,
1008 struct samr_displayentry *entries)
1009 {
1010 struct samr_SamEntry *sam;
1011 uint32_t i;
1012
1013 *sam_pp = NULL;
1014
1015 if (num_sam_entries == 0) {
1016 return;
1017 }
1018
1019 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1020 if (sam == NULL) {
1021 return;
1022 }
1023
1024 for (i = 0; i < num_sam_entries; i++) {
1025 /*
1026 * JRA. I think this should include the null. TNG does not.
1027 */
1028 init_lsa_String(&sam[i].name, entries[i].account_name);
1029 sam[i].idx = entries[i].rid;
1030 }
1031
1032 *sam_pp = sam;
1033 }
1034
1035 /*******************************************************************
1036 _samr_EnumDomainGroups
1037 ********************************************************************/
1038
1039 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1040 struct samr_EnumDomainGroups *r)
1041 {
1042 NTSTATUS status;
1043 struct samr_domain_info *dinfo;
1044 struct samr_displayentry *groups;
1045 uint32 num_groups;
1046 struct samr_SamArray *samr_array = NULL;
1047 struct samr_SamEntry *samr_entries = NULL;
1048
1049 dinfo = policy_handle_find(p, r->in.domain_handle,
1050 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1051 struct samr_domain_info, &status);
1052 if (!NT_STATUS_IS_OK(status)) {
1053 return status;
1054 }
1055
1056 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1057
1058 if (sid_check_is_builtin(&dinfo->sid)) {
1059 /* No groups in builtin. */
1060 *r->out.resume_handle = *r->in.resume_handle;
1061 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1062 return status;
1063 }
1064
1065 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1066 if (!samr_array) {
1067 return NT_STATUS_NO_MEMORY;
1068 }
1069
1070 /* the domain group array is being allocated in the function below */
1071
1072 become_root();
1073
1074 if (dinfo->disp_info->groups == NULL) {
1075 dinfo->disp_info->groups = pdb_search_groups(dinfo->disp_info);
1076
1077 if (dinfo->disp_info->groups == NULL) {
1078 unbecome_root();
1079 return NT_STATUS_ACCESS_DENIED;
1080 }
1081 }
1082
1083 num_groups = pdb_search_entries(dinfo->disp_info->groups,
1084 *r->in.resume_handle,
1085 MAX_SAM_ENTRIES, &groups);
1086 unbecome_root();
1087
1088 /* Ensure we cache this enumeration. */
1089 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1090
1091 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1092 num_groups, groups);
1093
1094 samr_array->count = num_groups;
1095 samr_array->entries = samr_entries;
1096
1097 *r->out.sam = samr_array;
1098 *r->out.num_entries = num_groups;
1099 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1100
1101 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1102
1103 return status;
1104 }
1105
1106 /*******************************************************************
1107 _samr_EnumDomainAliases
1108 ********************************************************************/
1109
1110 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1111 struct samr_EnumDomainAliases *r)
1112 {
1113 NTSTATUS status;
1114 struct samr_domain_info *dinfo;
1115 struct samr_displayentry *aliases;
1116 uint32 num_aliases = 0;
1117 struct samr_SamArray *samr_array = NULL;
1118 struct samr_SamEntry *samr_entries = NULL;
1119
1120 dinfo = policy_handle_find(p, r->in.domain_handle,
1121 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1122 struct samr_domain_info, &status);
1123 if (!NT_STATUS_IS_OK(status)) {
1124 return status;
1125 }
1126
1127 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1128 sid_string_dbg(&dinfo->sid)));
1129
1130 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1131 if (!samr_array) {
1132 return NT_STATUS_NO_MEMORY;
1133 }
1134
1135 become_root();
1136
1137 if (dinfo->disp_info->aliases == NULL) {
1138 dinfo->disp_info->aliases = pdb_search_aliases(
1139 dinfo->disp_info, &dinfo->sid);
1140 if (dinfo->disp_info->aliases == NULL) {
1141 unbecome_root();
1142 return NT_STATUS_ACCESS_DENIED;
1143 }
1144 }
1145
1146 num_aliases = pdb_search_entries(dinfo->disp_info->aliases,
1147 *r->in.resume_handle,
1148 MAX_SAM_ENTRIES, &aliases);
1149 unbecome_root();
1150
1151 /* Ensure we cache this enumeration. */
1152 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1153
1154 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1155 num_aliases, aliases);
1156
1157 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1158
1159 samr_array->count = num_aliases;
1160 samr_array->entries = samr_entries;
1161
1162 *r->out.sam = samr_array;
1163 *r->out.num_entries = num_aliases;
1164 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1165
1166 return status;
1167 }
1168
1169 /*******************************************************************
1170 inits a samr_DispInfoGeneral structure.
1171 ********************************************************************/
1172
1173 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1174 struct samr_DispInfoGeneral *r,
1175 uint32_t num_entries,
1176 uint32_t start_idx,
1177 struct samr_displayentry *entries)
1178 {
1179 uint32 i;
1180
1181 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1182
1183 if (num_entries == 0) {
1184 return NT_STATUS_OK;
1185 }
1186
1187 r->count = num_entries;
1188
1189 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1190 if (!r->entries) {
1191 return NT_STATUS_NO_MEMORY;
1192 }
1193
1194 for (i = 0; i < num_entries ; i++) {
1195
1196 init_lsa_String(&r->entries[i].account_name,
1197 entries[i].account_name);
1198
1199 init_lsa_String(&r->entries[i].description,
1200 entries[i].description);
1201
1202 init_lsa_String(&r->entries[i].full_name,
1203 entries[i].fullname);
1204
1205 r->entries[i].rid = entries[i].rid;
1206 r->entries[i].acct_flags = entries[i].acct_flags;
1207 r->entries[i].idx = start_idx+i+1;
1208 }
1209
1210 return NT_STATUS_OK;
1211 }
1212
1213 /*******************************************************************
1214 inits a samr_DispInfoFull structure.
1215 ********************************************************************/
1216
1217 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1218 struct samr_DispInfoFull *r,
1219 uint32_t num_entries,
1220 uint32_t start_idx,
1221 struct samr_displayentry *entries)
1222 {
1223 uint32_t i;
1224
1225 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1226
1227 if (num_entries == 0) {
1228 return NT_STATUS_OK;
1229 }
1230
1231 r->count = num_entries;
1232
1233 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1234 if (!r->entries) {
1235 return NT_STATUS_NO_MEMORY;
1236 }
1237
1238 for (i = 0; i < num_entries ; i++) {
1239
1240 init_lsa_String(&r->entries[i].account_name,
1241 entries[i].account_name);
1242
1243 init_lsa_String(&r->entries[i].description,
1244 entries[i].description);
1245
1246 r->entries[i].rid = entries[i].rid;
1247 r->entries[i].acct_flags = entries[i].acct_flags;
1248 r->entries[i].idx = start_idx+i+1;
1249 }
1250
1251 return NT_STATUS_OK;
1252 }
1253
1254 /*******************************************************************
1255 inits a samr_DispInfoFullGroups structure.
1256 ********************************************************************/
1257
1258 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1259 struct samr_DispInfoFullGroups *r,
1260 uint32_t num_entries,
1261 uint32_t start_idx,
1262 struct samr_displayentry *entries)
1263 {
1264 uint32_t i;
1265
1266 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1267
1268 if (num_entries == 0) {
1269 return NT_STATUS_OK;
1270 }
1271
1272 r->count = num_entries;
1273
1274 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1275 if (!r->entries) {
1276 return NT_STATUS_NO_MEMORY;
1277 }
1278
1279 for (i = 0; i < num_entries ; i++) {
1280
1281 init_lsa_String(&r->entries[i].account_name,
1282 entries[i].account_name);
1283
1284 init_lsa_String(&r->entries[i].description,
1285 entries[i].description);
1286
1287 r->entries[i].rid = entries[i].rid;
1288 r->entries[i].acct_flags = entries[i].acct_flags;
1289 r->entries[i].idx = start_idx+i+1;
1290 }
1291
1292 return NT_STATUS_OK;
1293 }
1294
1295 /*******************************************************************
1296 inits a samr_DispInfoAscii structure.
1297 ********************************************************************/
1298
1299 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1300 struct samr_DispInfoAscii *r,
1301 uint32_t num_entries,
1302 uint32_t start_idx,
1303 struct samr_displayentry *entries)
1304 {
1305 uint32_t i;
1306
1307 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1308
1309 if (num_entries == 0) {
1310 return NT_STATUS_OK;
1311 }
1312
1313 r->count = num_entries;
1314
1315 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1316 if (!r->entries) {
1317 return NT_STATUS_NO_MEMORY;
1318 }
1319
1320 for (i = 0; i < num_entries ; i++) {
1321
1322 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1323 entries[i].account_name);
1324
1325 r->entries[i].idx = start_idx+i+1;
1326 }
1327
1328 return NT_STATUS_OK;
1329 }
1330
1331 /*******************************************************************
1332 inits a samr_DispInfoAscii structure.
1333 ********************************************************************/
1334
1335 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1336 struct samr_DispInfoAscii *r,
1337 uint32_t num_entries,
1338 uint32_t start_idx,
1339 struct samr_displayentry *entries)
1340 {
1341 uint32_t i;
1342
1343 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1344
1345 if (num_entries == 0) {
1346 return NT_STATUS_OK;
1347 }
1348
1349 r->count = num_entries;
1350
1351 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1352 if (!r->entries) {
1353 return NT_STATUS_NO_MEMORY;
1354 }
1355
1356 for (i = 0; i < num_entries ; i++) {
1357
1358 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1359 entries[i].account_name);
1360
1361 r->entries[i].idx = start_idx+i+1;
1362 }
1363
1364 return NT_STATUS_OK;
1365 }
1366
1367 /*******************************************************************
1368 _samr_QueryDisplayInfo
1369 ********************************************************************/
1370
1371 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1372 struct samr_QueryDisplayInfo *r)
1373 {
1374 NTSTATUS status;
1375 struct samr_domain_info *dinfo;
1376 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1377
1378 uint32 max_entries = r->in.max_entries;
1379 uint32 enum_context = r->in.start_idx;
1380 uint32 max_size = r->in.buf_size;
1381
1382 union samr_DispInfo *disp_info = r->out.info;
1383
1384 uint32 temp_size=0, total_data_size=0;
1385 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1386 uint32 num_account = 0;
1387 enum remote_arch_types ra_type = get_remote_arch();
1388 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1389 struct samr_displayentry *entries = NULL;
1390
1391 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1392
1393 dinfo = policy_handle_find(p, r->in.domain_handle,
1394 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1395 struct samr_domain_info, &status);
1396 if (!NT_STATUS_IS_OK(status)) {
1397 return status;
1398 }
1399
1400 /*
1401 * calculate how many entries we will return.
1402 * based on
1403 * - the number of entries the client asked
1404 * - our limit on that
1405 * - the starting point (enumeration context)
1406 * - the buffer size the client will accept
1407 */
1408
1409 /*
1410 * We are a lot more like W2K. Instead of reading the SAM
1411 * each time to find the records we need to send back,
1412 * we read it once and link that copy to the sam handle.
1413 * For large user list (over the MAX_SAM_ENTRIES)
1414 * it's a definitive win.
1415 * second point to notice: between enumerations
1416 * our sam is now the same as it's a snapshoot.
1417 * third point: got rid of the static SAM_USER_21 struct
1418 * no more intermediate.
1419 * con: it uses much more memory, as a full copy is stored
1420 * in memory.
1421 *
1422 * If you want to change it, think twice and think
1423 * of the second point , that's really important.
1424 *
1425 * JFM, 12/20/2001
1426 */
1427
1428 if ((r->in.level < 1) || (r->in.level > 5)) {
1429 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1430 (unsigned int)r->in.level ));
1431 return NT_STATUS_INVALID_INFO_CLASS;
1432 }
1433
1434 /* first limit the number of entries we will return */
1435 if(max_entries > max_sam_entries) {
1436 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1437 "entries, limiting to %d\n", max_entries,
1438 max_sam_entries));
1439 max_entries = max_sam_entries;
1440 }
1441
1442 /* calculate the size and limit on the number of entries we will
1443 * return */
1444
1445 temp_size=max_entries*struct_size;
1446
1447 if (temp_size>max_size) {
1448 max_entries=MIN((max_size/struct_size),max_entries);;
1449 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1450 "only %d entries\n", max_entries));
1451 }
1452
1453 become_root();
1454
1455 /* THe following done as ROOT. Don't return without unbecome_root(). */
1456
1457 switch (r->in.level) {
1458 case 0x1:
1459 case 0x4:
1460 if (dinfo->disp_info->users == NULL) {
1461 dinfo->disp_info->users = pdb_search_users(
1462 dinfo->disp_info, ACB_NORMAL);
1463 if (dinfo->disp_info->users == NULL) {
1464 unbecome_root();
1465 return NT_STATUS_ACCESS_DENIED;
1466 }
1467 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1468 (unsigned int)enum_context ));
1469 } else {
1470 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1471 (unsigned int)enum_context ));
1472 }
1473
1474 num_account = pdb_search_entries(dinfo->disp_info->users,
1475 enum_context, max_entries,
1476 &entries);
1477 break;
1478 case 0x2:
1479 if (dinfo->disp_info->machines == NULL) {
1480 dinfo->disp_info->machines = pdb_search_users(
1481 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1482 if (dinfo->disp_info->machines == NULL) {
1483 unbecome_root();
1484 return NT_STATUS_ACCESS_DENIED;
1485 }
1486 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1487 (unsigned int)enum_context ));
1488 } else {
1489 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1490 (unsigned int)enum_context ));
1491 }
1492
1493 num_account = pdb_search_entries(dinfo->disp_info->machines,
1494 enum_context, max_entries,
1495 &entries);
1496 break;
1497 case 0x3:
1498 case 0x5:
1499 if (dinfo->disp_info->groups == NULL) {
1500 dinfo->disp_info->groups = pdb_search_groups(
1501 dinfo->disp_info);
1502 if (dinfo->disp_info->groups == NULL) {
1503 unbecome_root();
1504 return NT_STATUS_ACCESS_DENIED;
1505 }
1506 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1507 (unsigned int)enum_context ));
1508 } else {
1509 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1510 (unsigned int)enum_context ));
1511 }
1512
1513 num_account = pdb_search_entries(dinfo->disp_info->groups,
1514 enum_context, max_entries,
1515 &entries);
1516 break;
1517 default:
1518 unbecome_root();
1519 smb_panic("info class changed");
1520 break;
1521 }
1522 unbecome_root();
1523
1524
1525 /* Now create reply structure */
1526 switch (r->in.level) {
1527 case 0x1:
1528 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1529 num_account, enum_context,
1530 entries);
1531 break;
1532 case 0x2:
1533 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1534 num_account, enum_context,
1535 entries);
1536 break;
1537 case 0x3:
1538 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1539 num_account, enum_context,
1540 entries);
1541 break;
1542 case 0x4:
1543 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1544 num_account, enum_context,
1545 entries);
1546 break;
1547 case 0x5:
1548 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1549 num_account, enum_context,
1550 entries);
1551 break;
1552 default:
1553 smb_panic("info class changed");
1554 break;
1555 }
1556
1557 if (!NT_STATUS_IS_OK(disp_ret))
1558 return disp_ret;
1559
1560 /* calculate the total size */
1561 total_data_size=num_account*struct_size;
1562
1563 if (max_entries <= num_account) {
1564 status = STATUS_MORE_ENTRIES;
1565 } else {
1566 status = NT_STATUS_OK;
1567 }
1568
1569 /* Ensure we cache this enumeration. */
1570 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1571
1572 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1573
1574 *r->out.total_size = total_data_size;
1575 *r->out.returned_size = temp_size;
1576
1577 return status;
1578 }
1579
1580 /****************************************************************
1581 _samr_QueryDisplayInfo2
1582 ****************************************************************/
1583
1584 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1585 struct samr_QueryDisplayInfo2 *r)
1586 {
1587 struct samr_QueryDisplayInfo q;
1588
1589 q.in.domain_handle = r->in.domain_handle;
1590 q.in.level = r->in.level;
1591 q.in.start_idx = r->in.start_idx;
1592 q.in.max_entries = r->in.max_entries;
1593 q.in.buf_size = r->in.buf_size;
1594
1595 q.out.total_size = r->out.total_size;
1596 q.out.returned_size = r->out.returned_size;
1597 q.out.info = r->out.info;
1598
1599 return _samr_QueryDisplayInfo(p, &q);
1600 }
1601
1602 /****************************************************************
1603 _samr_QueryDisplayInfo3
1604 ****************************************************************/
1605
1606 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1607 struct samr_QueryDisplayInfo3 *r)
1608 {
1609 struct samr_QueryDisplayInfo q;
1610
1611 q.in.domain_handle = r->in.domain_handle;
1612 q.in.level = r->in.level;
1613 q.in.start_idx = r->in.start_idx;
1614 q.in.max_entries = r->in.max_entries;
1615 q.in.buf_size = r->in.buf_size;
1616
1617 q.out.total_size = r->out.total_size;
1618 q.out.returned_size = r->out.returned_size;
1619 q.out.info = r->out.info;
1620
1621 return _samr_QueryDisplayInfo(p, &q);
1622 }
1623
1624 /*******************************************************************
1625 _samr_QueryAliasInfo
1626 ********************************************************************/
1627
1628 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1629 struct samr_QueryAliasInfo *r)
1630 {
1631 struct samr_alias_info *ainfo;
1632 struct acct_info info;
1633 NTSTATUS status;
1634 union samr_AliasInfo *alias_info = NULL;
1635 const char *alias_name = NULL;
1636 const char *alias_description = NULL;
1637
1638 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1639
1640 ainfo = policy_handle_find(p, r->in.alias_handle,
1641 SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL,
1642 struct samr_alias_info, &status);
1643 if (!NT_STATUS_IS_OK(status)) {
1644 return status;
1645 }
1646
1647 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1648 if (!alias_info) {
1649 return NT_STATUS_NO_MEMORY;
1650 }
1651
1652 become_root();
1653 status = pdb_get_aliasinfo(&ainfo->sid, &info);
1654 unbecome_root();
1655
1656 if ( !NT_STATUS_IS_OK(status))
1657 return status;
1658
1659 /* FIXME: info contains fstrings */
1660 alias_name = talloc_strdup(r, info.acct_name);
1661 alias_description = talloc_strdup(r, info.acct_desc);
1662
1663 switch (r->in.level) {
1664 case ALIASINFOALL:
1665 alias_info->all.name.string = alias_name;
1666 alias_info->all.num_members = 1; /* ??? */
1667 alias_info->all.description.string = alias_description;
1668 break;
1669 case ALIASINFODESCRIPTION:
1670 alias_info->description.string = alias_description;
1671 break;
1672 default:
1673 return NT_STATUS_INVALID_INFO_CLASS;
1674 }
1675
1676 *r->out.info = alias_info;
1677
1678 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1679
1680 return NT_STATUS_OK;
1681 }
1682
1683 /*******************************************************************
1684 _samr_LookupNames
1685 ********************************************************************/
1686
1687 NTSTATUS _samr_LookupNames(pipes_struct *p,
1688 struct samr_LookupNames *r)
1689 {
1690 struct samr_domain_info *dinfo;
1691 NTSTATUS status;
1692 uint32 *rid;
1693 enum lsa_SidType *type;
1694 int i;
1695 int num_rids = r->in.num_names;
1696 struct samr_Ids rids, types;
1697 uint32_t num_mapped = 0;
1698
1699 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1700
1701 dinfo = policy_handle_find(p, r->in.domain_handle,
1702 0 /* Don't know the acc_bits yet */, NULL,
1703 struct samr_domain_info, &status);
1704 if (!NT_STATUS_IS_OK(status)) {
1705 return status;
1706 }
1707
1708 if (num_rids > MAX_SAM_ENTRIES) {
1709 num_rids = MAX_SAM_ENTRIES;
1710 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1711 }
1712
1713 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1714 NT_STATUS_HAVE_NO_MEMORY(rid);
1715
1716 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1717 NT_STATUS_HAVE_NO_MEMORY(type);
1718
1719 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1720 sid_string_dbg(&dinfo->sid)));
1721
1722 for (i = 0; i < num_rids; i++) {
1723
1724 status = NT_STATUS_NONE_MAPPED;
1725 type[i] = SID_NAME_UNKNOWN;
1726
1727 rid[i] = 0xffffffff;
1728
1729 if (sid_check_is_builtin(&dinfo->sid)) {
1730 if (lookup_builtin_name(r->in.names[i].string,
1731 &rid[i]))
1732 {
1733 type[i] = SID_NAME_ALIAS;
1734 }
1735 } else {
1736 lookup_global_sam_name(r->in.names[i].string, 0,
1737 &rid[i], &type[i]);
1738 }
1739
1740 if (type[i] != SID_NAME_UNKNOWN) {
1741 num_mapped++;
1742 }
1743 }
1744
1745 if (num_mapped == num_rids) {
1746 status = NT_STATUS_OK;
1747 } else if (num_mapped == 0) {
1748 status = NT_STATUS_NONE_MAPPED;
1749 } else {
1750 status = STATUS_SOME_UNMAPPED;
1751 }
1752
1753 rids.count = num_rids;
1754 rids.ids = rid;
1755
1756 types.count = num_rids;
1757 types.ids = type;
1758
1759 *r->out.rids = rids;
1760 *r->out.types = types;
1761
1762 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1763
1764 return status;
1765 }
1766
1767 /*******************************************************************
1768 _samr_ChangePasswordUser2
1769 ********************************************************************/
1770
1771 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1772 struct samr_ChangePasswordUser2 *r)
1773 {
1774 NTSTATUS status;
1775 fstring user_name;
1776 fstring wks;
1777
1778 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1779
1780 fstrcpy(user_name, r->in.account->string);
1781 fstrcpy(wks, r->in.server->string);
1782
1783 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1784
1785 /*
1786 * Pass the user through the NT -> unix user mapping
1787 * function.
1788 */
1789
1790 (void)map_username(user_name);
1791
1792 /*
1793 * UNIX username case mangling not required, pass_oem_change
1794 * is case insensitive.
1795 */
1796
1797 status = pass_oem_change(user_name,
1798 r->in.lm_password->data,
1799 r->in.lm_verifier->hash,
1800 r->in.nt_password->data,
1801 r->in.nt_verifier->hash,
1802 NULL);
1803
1804 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1805
1806 return status;
1807 }
1808
1809 /*******************************************************************
1810 _samr_ChangePasswordUser3
1811 ********************************************************************/
1812
1813 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1814 struct samr_ChangePasswordUser3 *r)
1815 {
1816 NTSTATUS status;
1817 fstring user_name;
1818 const char *wks = NULL;
1819 uint32 reject_reason;
1820 struct samr_DomInfo1 *dominfo = NULL;
1821 struct samr_ChangeReject *reject = NULL;
1822 uint32_t tmp;
1823
1824 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1825
1826 fstrcpy(user_name, r->in.account->string);
1827 if (r->in.server && r->in.server->string) {
1828 wks = r->in.server->string;
1829 }
1830
1831 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1832
1833 /*
1834 * Pass the user through the NT -> unix user mapping
1835 * function.
1836 */
1837
1838 (void)map_username(user_name);
1839
1840 /*
1841 * UNIX username case mangling not required, pass_oem_change
1842 * is case insensitive.
1843 */
1844
1845 status = pass_oem_change(user_name,
1846 r->in.lm_password->data,
1847 r->in.lm_verifier->hash,
1848 r->in.nt_password->data,
1849 r->in.nt_verifier->hash,
1850 &reject_reason);
1851
1852 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1853 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1854
1855 time_t u_expire, u_min_age;
1856 uint32 account_policy_temp;
1857
1858 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1859 if (!dominfo) {
1860 return NT_STATUS_NO_MEMORY;
1861 }
1862
1863 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1864 if (!reject) {
1865 return NT_STATUS_NO_MEMORY;
1866 }
1867
1868 become_root();
1869
1870 /* AS ROOT !!! */
1871
1872 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
1873 dominfo->min_password_length = tmp;
1874
1875 pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
1876 dominfo->password_history_length = tmp;
1877
1878 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
1879 &dominfo->password_properties);
1880
1881 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1882 u_expire = account_policy_temp;
1883
1884 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1885 u_min_age = account_policy_temp;
1886
1887 /* !AS ROOT */
1888
1889 unbecome_root();
1890
1891 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
1892 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
1893
1894 if (lp_check_password_script() && *lp_check_password_script()) {
1895 dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
1896 }
1897
1898 reject->reason = reject_reason;
1899
1900 *r->out.dominfo = dominfo;
1901 *r->out.reject = reject;
1902 }
1903
1904 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1905
1906 return status;
1907 }
1908
1909 /*******************************************************************
1910 makes a SAMR_R_LOOKUP_RIDS structure.
1911 ********************************************************************/
1912
1913 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
1914 const char **names,
1915 struct lsa_String **lsa_name_array_p)
1916 {
1917 struct lsa_String *lsa_name_array = NULL;
1918 uint32_t i;
1919
1920 *lsa_name_array_p = NULL;
1921
1922 if (num_names != 0) {
1923 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
1924 if (!lsa_name_array) {
1925 return false;
1926 }
1927 }
1928
1929 for (i = 0; i < num_names; i++) {
1930 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
1931 init_lsa_String(&lsa_name_array[i], names[i]);
1932 }
1933
1934 *lsa_name_array_p = lsa_name_array;
1935
1936 return true;
1937 }
1938
1939 /*******************************************************************
1940 _samr_LookupRids
1941 ********************************************************************/
1942
1943 NTSTATUS _samr_LookupRids(pipes_struct *p,
1944 struct samr_LookupRids *r)
1945 {
1946 struct samr_domain_info *dinfo;
1947 NTSTATUS status;
1948 const char **names;
1949 enum lsa_SidType *attrs = NULL;
1950 uint32 *wire_attrs = NULL;
1951 int num_rids = (int)r->in.num_rids;
1952 int i;
1953 struct lsa_Strings names_array;
1954 struct samr_Ids types_array;
1955 struct lsa_String *lsa_names = NULL;
1956
1957 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
1958
1959 dinfo = policy_handle_find(p, r->in.domain_handle,
1960 0 /* Don't know the acc_bits yet */, NULL,
1961 struct samr_domain_info, &status);
1962 if (!NT_STATUS_IS_OK(status)) {
1963 return status;
1964 }
1965
1966 if (num_rids > 1000) {
1967 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
1968 "to samba4 idl this is not possible\n", num_rids));
1969 return NT_STATUS_UNSUCCESSFUL;
1970 }
1971
1972 if (num_rids) {
1973 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
1974 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
1975 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
1976
1977 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
1978 return NT_STATUS_NO_MEMORY;
1979 } else {
1980 names = NULL;
1981 attrs = NULL;
1982 wire_attrs = NULL;
1983 }
1984
1985 become_root(); /* lookup_sid can require root privs */
1986 status = pdb_lookup_rids(&dinfo->sid, num_rids, r->in.rids,
1987 names, attrs);
1988 unbecome_root();
1989
1990 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
1991 status = NT_STATUS_OK;
1992 }
1993
1994 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
1995 &lsa_names)) {
1996 return NT_STATUS_NO_MEMORY;
1997 }
1998
1999 /* Convert from enum lsa_SidType to uint32 for wire format. */
2000 for (i = 0; i < num_rids; i++) {
2001 wire_attrs[i] = (uint32)attrs[i];
2002 }
2003
2004 names_array.count = num_rids;
2005 names_array.names = lsa_names;
2006
2007 types_array.count = num_rids;
2008 types_array.ids = wire_attrs;
2009
2010 *r->out.names = names_array;
2011 *r->out.types = types_array;
2012
2013 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2014
2015 return status;
2016 }
2017
2018 /*******************************************************************
2019 _samr_OpenUser
2020 ********************************************************************/
2021
2022 NTSTATUS _samr_OpenUser(pipes_struct *p,
2023 struct samr_OpenUser *r)
2024 {
2025 struct samu *sampass=NULL;
2026 DOM_SID sid;
2027 struct samr_domain_info *dinfo;
2028 struct samr_user_info *uinfo;
2029 SEC_DESC *psd = NULL;
2030 uint32 acc_granted;
2031 uint32 des_access = r->in.access_mask;
2032 size_t sd_size;
2033 bool ret;
2034 NTSTATUS nt_status;
2035 SE_PRIV se_rights;
2036 NTSTATUS status;
2037
2038 dinfo = policy_handle_find(p, r->in.domain_handle,
2039 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
2040 struct samr_domain_info, &status);
2041 if (!NT_STATUS_IS_OK(status)) {
2042 return status;
2043 }
2044
2045 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2046 return NT_STATUS_NO_MEMORY;
2047 }
2048
2049 /* append the user's RID to it */
2050
2051 if (!sid_compose(&sid, &dinfo->sid, r->in.rid))
2052 return NT_STATUS_NO_SUCH_USER;
2053
2054 /* check if access can be granted as requested by client. */
2055
2056 map_max_allowed_access(p->server_info->ptok, &des_access);
2057
2058 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2059 se_map_generic(&des_access, &usr_generic_mapping);
2060
2061 se_priv_copy( &se_rights, &se_machine_account );
2062 se_priv_add( &se_rights, &se_add_users );
2063
2064 nt_status = access_check_samr_object(psd, p->server_info->ptok,
2065 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2066 &acc_granted, "_samr_OpenUser");
2067
2068 if ( !NT_STATUS_IS_OK(nt_status) )
2069 return nt_status;
2070
2071 become_root();
2072 ret=pdb_getsampwsid(sampass, &sid);
2073 unbecome_root();
2074
2075 /* check that the SID exists in our domain. */
2076 if (ret == False) {
2077 return NT_STATUS_NO_SUCH_USER;
2078 }
2079
2080 TALLOC_FREE(sampass);
2081
2082 uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
2083 struct samr_user_info, &nt_status);
2084 if (!NT_STATUS_IS_OK(nt_status)) {
2085 return nt_status;
2086 }
2087 uinfo->sid = sid;
2088
2089 return NT_STATUS_OK;
2090 }
2091
2092 /*************************************************************************
2093 *************************************************************************/
2094
2095 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2096 DATA_BLOB *blob,
2097 struct lsa_BinaryString **_r)
2098 {
2099 struct lsa_BinaryString *r;
2100
2101 if (!blob || !_r) {
2102 return NT_STATUS_INVALID_PARAMETER;
2103 }
2104
2105 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2106 if (!r) {
2107 return NT_STATUS_NO_MEMORY;
2108 }
2109
2110 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2111 if (!r->array) {
2112 return NT_STATUS_NO_MEMORY;
2113 }
2114 memcpy(r->array, blob->data, blob->length);
2115 r->size = blob->length;
2116 r->length = blob->length;
2117
2118 if (!r->array) {
2119 return NT_STATUS_NO_MEMORY;
2120 }
2121
2122 *_r = r;
2123
2124 return NT_STATUS_OK;
2125 }
2126
2127 /*************************************************************************
2128 get_user_info_1.
2129 *************************************************************************/
2130
2131 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2132 struct samr_UserInfo1 *r,
2133 struct samu *pw,
2134 DOM_SID *domain_sid)
2135 {
2136 const DOM_SID *sid_group;
2137 uint32_t primary_gid;
2138
2139 become_root();
2140 sid_group = pdb_get_group_sid(pw);
2141 unbecome_root();
2142
2143 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2144 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2145 "which conflicts with the domain sid %s. Failing operation.\n",
2146 pdb_get_username(pw), sid_string_dbg(sid_group),
2147 sid_string_dbg(domain_sid)));
2148 return NT_STATUS_UNSUCCESSFUL;
2149 }
2150
2151 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2152 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2153 r->primary_gid = primary_gid;
2154 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2155 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2156
2157 return NT_STATUS_OK;
2158 }
2159
2160 /*************************************************************************
2161 get_user_info_2.
2162 *************************************************************************/
2163
2164 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2165 struct samr_UserInfo2 *r,
2166 struct samu *pw)
2167 {
2168 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2169 r->unknown.string = NULL;
2170 r->country_code = 0;
2171 r->code_page = 0;
2172
2173 return NT_STATUS_OK;
2174 }
2175
2176 /*************************************************************************
2177 get_user_info_3.
2178 *************************************************************************/
2179
2180 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2181 struct samr_UserInfo3 *r,
2182 struct samu *pw,
2183 DOM_SID *domain_sid)
2184 {
2185 const DOM_SID *sid_user, *sid_group;
2186 uint32_t rid, primary_gid;
2187
2188 sid_user = pdb_get_user_sid(pw);
2189
2190 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2191 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2192 "the domain sid %s. Failing operation.\n",
2193 pdb_get_username(pw), sid_string_dbg(sid_user),
2194 sid_string_dbg(domain_sid)));
2195 return NT_STATUS_UNSUCCESSFUL;
2196 }
2197
2198 become_root();
2199 sid_group = pdb_get_group_sid(pw);
2200 unbecome_root();
2201
2202 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2203 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2204 "which conflicts with the domain sid %s. Failing operation.\n",
2205 pdb_get_username(pw), sid_string_dbg(sid_group),
2206 sid_string_dbg(domain_sid)));
2207 return NT_STATUS_UNSUCCESSFUL;
2208 }
2209
2210 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2211 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2212 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2213 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2214 unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2215
2216 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2217 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2218 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2219 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2220 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2221 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2222 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2223
2224 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2225 r->rid = rid;
2226 r->primary_gid = primary_gid;
2227 r->acct_flags = pdb_get_acct_ctrl(pw);
2228 r->bad_password_count = pdb_get_bad_password_count(pw);
2229 r->logon_count = pdb_get_logon_count(pw);
2230
2231 return NT_STATUS_OK;
2232 }
2233
2234 /*************************************************************************
2235 get_user_info_4.
2236 *************************************************************************/
2237
2238 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2239 struct samr_UserInfo4 *r,
2240 struct samu *pw)
2241 {
2242 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2243
2244 return NT_STATUS_OK;
2245 }
2246
2247 /*************************************************************************
2248 get_user_info_5.
2249 *************************************************************************/
2250
2251 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2252 struct samr_UserInfo5 *r,
2253 struct samu *pw,
2254 DOM_SID *domain_sid)
2255 {
2256 const DOM_SID *sid_user, *sid_group;
2257 uint32_t rid, primary_gid;
2258
2259 sid_user = pdb_get_user_sid(pw);
2260
2261 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2262 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2263 "the domain sid %s. Failing operation.\n",
2264 pdb_get_username(pw), sid_string_dbg(sid_user),
2265 sid_string_dbg(domain_sid)));
2266 return NT_STATUS_UNSUCCESSFUL;
2267 }
2268
2269 become_root();
2270 sid_group = pdb_get_group_sid(pw);
2271 unbecome_root();
2272
2273 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2274 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2275 "which conflicts with the domain sid %s. Failing operation.\n",
2276 pdb_get_username(pw), sid_string_dbg(sid_group),
2277 sid_string_dbg(domain_sid)));
2278 return NT_STATUS_UNSUCCESSFUL;
2279 }
2280
2281 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2282 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2283 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2284 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2285
2286 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2287 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2288 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2289 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2290 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2291 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2292 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2293 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2294
2295 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2296 r->rid = rid;
2297 r->primary_gid = primary_gid;
2298 r->acct_flags = pdb_get_acct_ctrl(pw);
2299 r->bad_password_count = pdb_get_bad_password_count(pw);
2300 r->logon_count = pdb_get_logon_count(pw);
2301
2302 return NT_STATUS_OK;
2303 }
2304
2305 /*************************************************************************
2306 get_user_info_6.
2307 *************************************************************************/
2308
2309 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2310 struct samr_UserInfo6 *r,
2311 struct samu *pw)
2312 {
2313 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2314 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2315
2316 return NT_STATUS_OK;
2317 }
2318
2319 /*************************************************************************
2320 get_user_info_7. Safe. Only gives out account_name.
2321 *************************************************************************/
2322
2323 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2324 struct samr_UserInfo7 *r,
2325 struct samu *smbpass)
2326 {
2327 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2328 if (!r->account_name.string) {
2329 return NT_STATUS_NO_MEMORY;
2330 }
2331
2332 return NT_STATUS_OK;
2333 }
2334
2335 /*************************************************************************
2336 get_user_info_8.
2337 *************************************************************************/
2338
2339 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2340 struct samr_UserInfo8 *r,
2341 struct samu *pw)
2342 {
2343 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2344
2345 return NT_STATUS_OK;
2346 }
2347
2348 /*************************************************************************
2349 get_user_info_9. Only gives out primary group SID.
2350 *************************************************************************/
2351
2352 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2353 struct samr_UserInfo9 *r,
2354 struct samu *smbpass)
2355 {
2356 r->primary_gid = pdb_get_group_rid(smbpass);
2357
2358 return NT_STATUS_OK;
2359 }
2360
2361 /*************************************************************************
2362 get_user_info_10.
2363 *************************************************************************/
2364
2365 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2366 struct samr_UserInfo10 *r,
2367 struct samu *pw)
2368 {
2369 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2370 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2371
2372 return NT_STATUS_OK;
2373 }
2374
2375 /*************************************************************************
2376 get_user_info_11.
2377 *************************************************************************/
2378
2379 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2380 struct samr_UserInfo11 *r,
2381 struct samu *pw)
2382 {
2383 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2384
2385 return NT_STATUS_OK;
2386 }
2387
2388 /*************************************************************************
2389 get_user_info_12.
2390 *************************************************************************/
2391
2392 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2393 struct samr_UserInfo12 *r,
2394 struct samu *pw)
2395 {
2396 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2397
2398 return NT_STATUS_OK;
2399 }
2400
2401 /*************************************************************************
2402 get_user_info_13.
2403 *************************************************************************/
2404
2405 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2406 struct samr_UserInfo13 *r,
2407 struct samu *pw)
2408 {
2409 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2410
2411 return NT_STATUS_OK;
2412 }
2413
2414 /*************************************************************************
2415 get_user_info_14.
2416 *************************************************************************/
2417
2418 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2419 struct samr_UserInfo14 *r,
2420 struct samu *pw)
2421 {
2422 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2423
2424 return NT_STATUS_OK;
2425 }
2426
2427 /*************************************************************************
2428 get_user_info_16. Safe. Only gives out acb bits.
2429 *************************************************************************/
2430
2431 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2432 struct samr_UserInfo16 *r,
2433 struct samu *smbpass)
2434 {
2435 r->acct_flags = pdb_get_acct_ctrl(smbpass);
2436
2437 return NT_STATUS_OK;
2438 }
2439
2440 /*************************************************************************
2441 get_user_info_17.
2442 *************************************************************************/
2443
2444 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2445 struct samr_UserInfo17 *r,
2446 struct samu *pw)
2447 {
2448 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2449
2450 return NT_STATUS_OK;
2451 }
2452
2453 /*************************************************************************
2454 get_user_info_18. OK - this is the killer as it gives out password info.
2455 Ensure that this is only allowed on an encrypted connection with a root
2456 user. JRA.
2457 *************************************************************************/
2458
2459 static NTSTATUS get_user_info_18(pipes_struct *p,
2460 TALLOC_CTX *mem_ctx,
2461 struct samr_UserInfo18 *r,
2462 DOM_SID *user_sid)
2463 {
2464 struct samu *smbpass=NULL;
2465 bool ret;
2466
2467 ZERO_STRUCTP(r);
2468
2469 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2470 return NT_STATUS_ACCESS_DENIED;
2471 }
2472
2473 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2474 return NT_STATUS_ACCESS_DENIED;
2475 }
2476
2477 /*
2478 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2479 */
2480
2481 if ( !(smbpass = samu_new( mem_ctx )) ) {
2482 return NT_STATUS_NO_MEMORY;
2483 }
2484
2485 ret = pdb_getsampwsid(smbpass, user_sid);
2486
2487 if (ret == False) {
2488 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2489 TALLOC_FREE(smbpass);
2490 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2491 }
2492
2493 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2494
2495 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2496 TALLOC_FREE(smbpass);
2497 return NT_STATUS_ACCOUNT_DISABLED;
2498 }
2499
2500 r->lm_pwd_active = true;
2501 r->nt_pwd_active = true;
2502 memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2503 memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2504 r->password_expired = 0; /* FIXME */
2505
2506 TALLOC_FREE(smbpass);
2507
2508 return NT_STATUS_OK;
2509 }
2510
2511 /*************************************************************************
2512 get_user_info_20
2513 *************************************************************************/
2514
2515 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2516 struct samr_UserInfo20 *r,
2517 struct samu *sampass)
2518 {
2519 const char *munged_dial = NULL;
2520 DATA_BLOB blob;
2521 NTSTATUS status;
2522 struct lsa_BinaryString *parameters = NULL;
2523
2524 ZERO_STRUCTP(r);
2525
2526 munged_dial = pdb_get_munged_dial(sampass);
2527
2528 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2529 munged_dial, (int)strlen(munged_dial)));
2530
2531 if (munged_dial) {
2532 blob = base64_decode_data_blob(munged_dial);
2533 } else {
2534 blob = data_blob_string_const_null("");
2535 }
2536
2537 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2538 data_blob_free(&blob);
2539 if (!NT_STATUS_IS_OK(status)) {
2540 return status;
2541 }
2542
2543 r->parameters = *parameters;
2544
2545 return NT_STATUS_OK;
2546 }
2547
2548
2549 /*************************************************************************
2550 get_user_info_21
2551 *************************************************************************/
2552
2553 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2554 struct samr_UserInfo21 *r,
2555 struct samu *pw,
2556 DOM_SID *domain_sid)
2557 {
2558 NTSTATUS status;
2559 const DOM_SID *sid_user, *sid_group;
2560 uint32_t rid, primary_gid;
2561 NTTIME force_password_change;
2562 time_t must_change_time;
2563 struct lsa_BinaryString *parameters = NULL;
2564 const char *munged_dial = NULL;
2565 DATA_BLOB blob;
2566
2567 ZERO_STRUCTP(r);
2568
2569 sid_user = pdb_get_user_sid(pw);
2570
2571 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2572 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2573 "the domain sid %s. Failing operation.\n",
2574 pdb_get_username(pw), sid_string_dbg(sid_user),
2575 sid_string_dbg(domain_sid)));
2576 return NT_STATUS_UNSUCCESSFUL;
2577 }
2578
2579 become_root();
2580 sid_group = pdb_get_group_sid(pw);
2581 unbecome_root();
2582
2583 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2584 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2585 "which conflicts with the domain sid %s. Failing operation.\n",
2586 pdb_get_username(pw), sid_string_dbg(sid_group),
2587 sid_string_dbg(domain_sid)));
2588 return NT_STATUS_UNSUCCESSFUL;
2589 }
2590
2591 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2592 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2593 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2594 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2595 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2596
2597 must_change_time = pdb_get_pass_must_change_time(pw);
2598 if (must_change_time == get_time_t_max()) {
2599 unix_to_nt_time_abs(&force_password_change, must_change_time);
2600 } else {
2601 unix_to_nt_time(&force_password_change, must_change_time);
2602 }
2603
2604 munged_dial = pdb_get_munged_dial(pw);
2605 if (munged_dial) {
2606 blob = base64_decode_data_blob(munged_dial);
2607 } else {
2608 blob = data_blob_string_const_null("");
2609 }
2610
2611 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2612 data_blob_free(&blob);
2613 if (!NT_STATUS_IS_OK(status)) {
2614 return status;
2615 }
2616
2617 r->force_password_change = force_password_change;
2618
2619 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2620 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2621 r->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2622 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2623 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2624 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2625 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2626 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2627 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2628
2629 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2630 r->parameters = *parameters;
2631 r->rid = rid;
2632 r->primary_gid = primary_gid;
2633 r->acct_flags = pdb_get_acct_ctrl(pw);
2634 r->bad_password_count = pdb_get_bad_password_count(pw);
2635 r->logon_count = pdb_get_logon_count(pw);
2636 r->fields_present = pdb_build_fields_present(pw);
2637 r->password_expired = (pdb_get_pass_must_change_time(pw) == 0) ?
2638 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2639 r->country_code = 0;
2640 r->code_page = 0;
2641 r->lm_password_set = 0;
2642 r->nt_password_set = 0;
2643
2644 #if 0
2645
2646 /*
2647 Look at a user on a real NT4 PDC with usrmgr, press
2648 'ok'. Then you will see that fields_present is set to
2649 0x08f827fa. Look at the user immediately after that again,
2650 and you will see that 0x00fffff is returned. This solves
2651 the problem that you get access denied after having looked
2652 at the user.
2653 -- Volker
2654 */
2655
2656 #endif
2657
2658
2659 return NT_STATUS_OK;
2660 }
2661
2662 /*******************************************************************
2663 _samr_QueryUserInfo
2664 ********************************************************************/
2665
2666 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2667 struct samr_QueryUserInfo *r)
2668 {
2669 NTSTATUS status;
2670 union samr_UserInfo *user_info = NULL;
2671 struct samr_user_info *uinfo;
2672 DOM_SID domain_sid;
2673 uint32 rid;
2674 bool ret = false;
2675 struct samu *pwd = NULL;
2676
2677 uinfo = policy_handle_find(p, r->in.user_handle,
2678 SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
2679 struct samr_user_info, &status);
2680 if (!NT_STATUS_IS_OK(status)) {
2681 return status;
2682 }
2683
2684 domain_sid = uinfo->sid;
2685
2686 sid_split_rid(&domain_sid, &rid);
2687
2688 if (!sid_check_is_in_our_domain(&uinfo->sid))
2689 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2690
2691 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2692 sid_string_dbg(&uinfo->sid)));
2693
2694 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2695 if (!user_info) {
2696 return NT_STATUS_NO_MEMORY;
2697 }
2698
2699 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2700
2701 if (!(pwd = samu_new(p->mem_ctx))) {
2702 return NT_STATUS_NO_MEMORY;
2703 }
2704
2705 become_root();
2706 ret = pdb_getsampwsid(pwd, &uinfo->sid);
2707 unbecome_root();
2708
2709 if (ret == false) {
2710 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid)));
2711 TALLOC_FREE(pwd);
2712 return NT_STATUS_NO_SUCH_USER;
2713 }
2714
2715 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2716
2717 samr_clear_sam_passwd(pwd);
2718
2719 switch (r->in.level) {
2720 case 1:
2721 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
2722 break;
2723 case 2:
2724 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
2725 break;
2726 case 3:
2727 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
2728 break;
2729 case 4:
2730 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
2731 break;
2732 case 5:
2733 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2734 break;
2735 case 6:
2736 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
2737 break;
2738 case 7:
2739 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2740 break;
2741 case 8:
2742 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
2743 break;
2744 case 9:
2745 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2746 break;
2747 case 10:
2748 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
2749 break;
2750 case 11:
2751 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
2752 break;
2753 case 12:
2754 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
2755 break;
2756 case 13:
2757 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
2758 break;
2759 case 14:
2760 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
2761 break;
2762 case 16:
2763 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2764 break;
2765 case 17:
2766 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
2767 break;
2768 case 18:
2769 /* level 18 is special */
2770 status = get_user_info_18(p, p->mem_ctx, &user_info->info18,
2771 &uinfo->sid);
2772 break;
2773 case 20:
2774 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2775 break;
2776 case 21:
2777 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2778 break;
2779 default:
2780 status = NT_STATUS_INVALID_INFO_CLASS;
2781 break;
2782 }
2783
2784 TALLOC_FREE(pwd);
2785
2786 *r->out.info = user_info;
2787
2788 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2789
2790 return status;
2791 }
2792
2793 /****************************************************************
2794 ****************************************************************/
2795
2796 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2797 struct samr_QueryUserInfo2 *r)
2798 {
2799 struct samr_QueryUserInfo u;
2800
2801 u.in.user_handle = r->in.user_handle;
2802 u.in.level = r->in.level;
2803 u.out.info = r->out.info;
2804
2805 return _samr_QueryUserInfo(p, &u);
2806 }
2807
2808 /*******************************************************************
2809 _samr_GetGroupsForUser
2810 ********************************************************************/
2811
2812 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2813 struct samr_GetGroupsForUser *r)
2814 {
2815 struct samr_user_info *uinfo;
2816 struct samu *sam_pass=NULL;
2817 DOM_SID *sids;
2818 struct samr_RidWithAttribute dom_gid;
2819 struct samr_RidWithAttribute *gids = NULL;
2820 uint32 primary_group_rid;
2821 size_t num_groups = 0;
2822 gid_t *unix_gids;
2823 size_t i, num_gids;
2824 bool ret;
2825 NTSTATUS result;
2826 bool success = False;
2827
2828 struct samr_RidWithAttributeArray *rids = NULL;
2829
2830 /*
2831 * from the SID in the request:
2832 * we should send back the list of DOMAIN GROUPS
2833 * the user is a member of
2834 *
2835 * and only the DOMAIN GROUPS
2836 * no ALIASES !!! neither aliases of the domain
2837 * nor aliases of the builtin SID
2838 *
2839 * JFM, 12/2/2001
2840 */
2841
2842 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2843
2844 uinfo = policy_handle_find(p, r->in.user_handle,
2845 SAMR_USER_ACCESS_GET_GROUPS, NULL,
2846 struct samr_user_info, &result);
2847 if (!NT_STATUS_IS_OK(result)) {
2848 return result;
2849 }
2850
2851 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2852 if (!rids) {
2853 return NT_STATUS_NO_MEMORY;
2854 }
2855
2856 if (!sid_check_is_in_our_domain(&uinfo->sid))
2857 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2858
2859 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2860 return NT_STATUS_NO_MEMORY;
2861 }
2862
2863 become_root();
2864 ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
2865 unbecome_root();
2866
2867 if (!ret) {
2868 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2869 sid_string_dbg(&uinfo->sid)));
2870 return NT_STATUS_NO_SUCH_USER;
2871 }
2872
2873 sids = NULL;
2874
2875 /* make both calls inside the root block */
2876 become_root();
2877 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2878 &sids, &unix_gids, &num_groups);
2879 if ( NT_STATUS_IS_OK(result) ) {
2880 success = sid_peek_check_rid(get_global_sam_sid(),
2881 pdb_get_group_sid(sam_pass),
2882 &primary_group_rid);
2883 }
2884 unbecome_root();
2885
2886 if (!NT_STATUS_IS_OK(result)) {
2887 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2888 sid_string_dbg(&uinfo->sid)));
2889 return result;
2890 }
2891
2892 if ( !success ) {
2893 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2894 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2895 pdb_get_username(sam_pass)));
2896 TALLOC_FREE(sam_pass);
2897 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2898 }
2899
2900 gids = NULL;
2901 num_gids = 0;
2902
2903 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2904 SE_GROUP_ENABLED);
2905 dom_gid.rid = primary_group_rid;
2906 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2907
2908 for (i=0; i<num_groups; i++) {
2909
2910 if (!sid_peek_check_rid(get_global_sam_sid(),
2911 &(sids[i]), &dom_gid.rid)) {
2912 DEBUG(10, ("Found sid %s not in our domain\n",
2913 sid_string_dbg(&sids[i])));
2914 continue;
2915 }
2916
2917 if (dom_gid.rid == primary_group_rid) {
2918 /* We added the primary group directly from the
2919 * sam_account. The other SIDs are unique from
2920 * enum_group_memberships */
2921 continue;
2922 }
2923
2924 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2925 }
2926
2927 rids->count = num_gids;
2928 rids->rids = gids;
2929
2930 *r->out.rids = rids;
2931
2932 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2933
2934 return result;
2935 }
2936
2937 /*******************************************************************
2938 _samr_QueryDomainInfo
2939 ********************************************************************/
2940
2941 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2942 struct samr_QueryDomainInfo *r)
2943 {
2944 NTSTATUS status = NT_STATUS_OK;
2945 struct samr_domain_info *dinfo;
2946 union samr_DomainInfo *dom_info;
2947 time_t u_expire, u_min_age;
2948
2949 time_t u_lock_duration, u_reset_time;
2950 uint32_t u_logout;
2951
2952 uint32 account_policy_temp;
2953
2954 time_t seq_num;
2955 uint32 server_role;
2956
2957 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2958
2959 dinfo = policy_handle_find(p, r->in.domain_handle,
2960 SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
2961 struct samr_domain_info, &status);
2962 if (!NT_STATUS_IS_OK(status)) {
2963 return status;
2964 }
2965
2966 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2967 if (!dom_info) {
2968 return NT_STATUS_NO_MEMORY;
2969 }
2970
2971 switch (r->in.level) {
2972 case 0x01:
2973
2974 become_root();
2975
2976 /* AS ROOT !!! */
2977
2978 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
2979 &account_policy_temp);
2980 dom_info->info1.min_password_length = account_policy_temp;
2981
2982 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2983 dom_info->info1.password_history_length = account_policy_temp;
2984
2985 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
2986 &dom_info->info1.password_properties);
2987
2988 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2989 u_expire = account_policy_temp;
2990
2991 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2992 u_min_age = account_policy_temp;
2993
2994 /* !AS ROOT */
2995
2996 unbecome_root();
2997
2998 unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
2999 unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
3000
3001 if (lp_check_password_script() && *lp_check_password_script()) {
3002 dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
3003 }
3004
3005 break;
3006 case 0x02:
3007
3008 become_root();
3009
3010 /* AS ROOT !!! */
3011
3012 dom_info->general.num_users = count_sam_users(
3013 dinfo->disp_info, ACB_NORMAL);
3014 dom_info->general.num_groups = count_sam_groups(
3015 dinfo->disp_info);
3016 dom_info->general.num_aliases = count_sam_aliases(
3017 dinfo->disp_info);
3018
3019 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3020
3021 unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
3022
3023 if (!pdb_get_seq_num(&seq_num))
3024 seq_num = time(NULL);
3025
3026 /* !AS ROOT */
3027
3028 unbecome_root();
3029
3030 server_role = ROLE_DOMAIN_PDC;
3031 if (lp_server_role() == ROLE_DOMAIN_BDC)
3032 server_role = ROLE_DOMAIN_BDC;
3033
3034 dom_info->general.oem_information.string = lp_serverstring();
3035 dom_info->general.domain_name.string = lp_workgroup();
3036 dom_info->general.primary.string = global_myname();
3037 dom_info->general.sequence_num = seq_num;
3038 dom_info->general.domain_server_state = DOMAIN_SERVER_ENABLED;
3039 dom_info->general.role = server_role;
3040 dom_info->general.unknown3 = 1;
3041
3042 break;
3043 case 0x03:
3044
3045 become_root();
3046
3047 /* AS ROOT !!! */
3048
3049 {
3050 uint32 ul;
3051 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3052 u_logout = (time_t)ul;
3053 }
3054
3055 /* !AS ROOT */
3056
3057 unbecome_root();
3058
3059 unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
3060
3061 break;
3062 case 0x04:
3063 dom_info->oem.oem_information.string = lp_serverstring();
3064 break;
3065 case 0x05:
3066 dom_info->info5.domain_name.string = get_global_sam_name();
3067 break;
3068 case 0x06:
3069 /* NT returns its own name when a PDC. win2k and later
3070 * only the name of the PDC if itself is a BDC (samba4
3071 * idl) */
3072 dom_info->info6.primary.string = global_myname();
3073 break;
3074 case 0x07:
3075 server_role = ROLE_DOMAIN_PDC;
3076 if (lp_server_role() == ROLE_DOMAIN_BDC)
3077 server_role = ROLE_DOMAIN_BDC;
3078
3079 dom_info->info7.role = server_role;
3080 break;
3081 case 0x08:
3082
3083 become_root();
3084
3085 /* AS ROOT !!! */
3086
3087 if (!pdb_get_seq_num(&seq_num)) {
3088 seq_num = time(NULL);
3089 }
3090
3091 /* !AS ROOT */
3092
3093 unbecome_root();
3094
3095 dom_info->info8.sequence_num = seq_num;
3096 dom_info->info8.domain_create_time = 0;
3097
3098 break;
3099 case 0x0c:
3100
3101 become_root();
3102
3103 /* AS ROOT !!! */
3104
3105 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3106 u_lock_duration = account_policy_temp;
3107 if (u_lock_duration != -1) {
3108 u_lock_duration *= 60;
3109 }
3110
3111 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3112 u_reset_time = account_policy_temp * 60;
3113
3114 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3115 &account_policy_temp);
3116 dom_info->info12.lockout_threshold = account_policy_temp;
3117
3118 /* !AS ROOT */
3119
3120 unbecome_root();
3121
3122 unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
3123 u_lock_duration);
3124 unix_to_nt_time_abs(&dom_info->info12.lockout_window,
3125 u_reset_time);
3126
3127 break;
3128 default:
3129 return NT_STATUS_INVALID_INFO_CLASS;
3130 }
3131
3132 *r->out.info = dom_info;
3133
3134 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3135
3136 return status;
3137 }
3138
3139 /* W2k3 seems to use the same check for all 3 objects that can be created via
3140 * SAMR, if you try to create for example "Dialup" as an alias it says
3141 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3142 * database. */
3143
3144 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3145 {
3146 enum lsa_SidType type;
3147 bool result;
3148
3149 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3150
3151 become_root();
3152 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3153 * whether the name already exists */
3154 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3155 NULL, NULL, NULL, &type);
3156 unbecome_root();
3157
3158 if (!result) {
3159 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3160 return NT_STATUS_OK;
3161 }
3162
3163 DEBUG(5, ("trying to create %s, exists as %s\n",
3164 new_name, sid_type_lookup(type)));
3165
3166 if (type == SID_NAME_DOM_GRP) {
3167 return NT_STATUS_GROUP_EXISTS;
3168 }
3169 if (type == SID_NAME_ALIAS) {
3170 return NT_STATUS_ALIAS_EXISTS;
3171 }
3172
3173 /* Yes, the default is NT_STATUS_USER_EXISTS */
3174 return NT_STATUS_USER_EXISTS;
3175 }
3176
3177 /*******************************************************************
3178 _samr_CreateUser2
3179 ********************************************************************/
3180
3181 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3182 struct samr_CreateUser2 *r)
3183 {
3184 const char *account = NULL;
3185 DOM_SID sid;
3186 uint32_t acb_info = r->in.acct_flags;
3187 struct samr_domain_info *dinfo;
3188 struct samr_user_info *uinfo;
3189 NTSTATUS nt_status;
3190 uint32 acc_granted;
3191 SEC_DESC *psd;
3192 size_t sd_size;
3193 /* check this, when giving away 'add computer to domain' privs */
3194 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3195 bool can_add_account = False;
3196 SE_PRIV se_rights;
3197
3198 dinfo = policy_handle_find(p, r->in.domain_handle,
3199 SAMR_DOMAIN_ACCESS_CREATE_USER, NULL,
3200 struct samr_domain_info, &nt_status);
3201 if (!NT_STATUS_IS_OK(nt_status)) {
3202 return nt_status;
3203 }
3204
3205 if (sid_check_is_builtin(&dinfo->sid)) {
3206 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3207 return NT_STATUS_ACCESS_DENIED;
3208 }
3209
3210 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3211 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3212 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3213 this parameter is not an account type */
3214 return NT_STATUS_INVALID_PARAMETER;
3215 }
3216
3217 account = r->in.account_name->string;
3218 if (account == NULL) {
3219 return NT_STATUS_NO_MEMORY;
3220 }
3221
3222 nt_status = can_create(p->mem_ctx, account);
3223 if (!NT_STATUS_IS_OK(nt_status)) {
3224 return nt_status;
3225 }
3226
3227 /* determine which user right we need to check based on the acb_info */
3228
3229 if ( acb_info & ACB_WSTRUST )
3230 {
3231 se_priv_copy( &se_rights, &se_machine_account );
3232 can_add_account = user_has_privileges(
3233 p->server_info->ptok, &se_rights );
3234 }
3235 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3236 account for domain trusts and changes the ACB flags later */
3237 else if ( acb_info & ACB_NORMAL &&
3238 (account[strlen(account)-1] != '$') )
3239 {
3240 se_priv_copy( &se_rights, &se_add_users );
3241 can_add_account = user_has_privileges(
3242 p->server_info->ptok, &se_rights );
3243 }
3244 else /* implicit assumption of a BDC or domain trust account here
3245 * (we already check the flags earlier) */
3246 {
3247 if ( lp_enable_privileges() ) {
3248 /* only Domain Admins can add a BDC or domain trust */
3249 se_priv_copy( &se_rights, &se_priv_none );
3250 can_add_account = nt_token_check_domain_rid(
3251 p->server_info->ptok,
3252 DOMAIN_GROUP_RID_ADMINS );
3253 }
3254 }
3255
3256 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3257 uidtoname(p->server_info->utok.uid),
3258 can_add_account ? "True":"False" ));
3259
3260 /********** BEGIN Admin BLOCK **********/
3261
3262 if ( can_add_account )
3263 become_root();
3264
3265 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3266 r->out.rid);
3267
3268 if ( can_add_account )
3269 unbecome_root();
3270
3271 /********** END Admin BLOCK **********/
3272
3273 /* now check for failure */
3274
3275 if ( !NT_STATUS_IS_OK(nt_status) )
3276 return nt_status;
3277
3278 /* Get the user's SID */
3279
3280 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3281
3282 map_max_allowed_access(p->server_info->ptok, &des_access);
3283
3284 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3285 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3286 se_map_generic(&des_access, &usr_generic_mapping);
3287
3288 nt_status = access_check_samr_object(psd, p->server_info->ptok,
3289 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3290 &acc_granted, "_samr_CreateUser2");
3291
3292 if ( !NT_STATUS_IS_OK(nt_status) ) {
3293 return nt_status;
3294 }
3295
3296 uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
3297 struct samr_user_info, &nt_status);
3298 if (!NT_STATUS_IS_OK(nt_status)) {
3299 return nt_status;
3300 }
3301 uinfo->sid = sid;
3302
3303 /* After a "set" ensure we have no cached display info. */
3304 force_flush_samr_cache(&sid);
3305
3306 *r->out.access_granted = acc_granted;
3307
3308 return NT_STATUS_OK;
3309 }
3310
3311 /****************************************************************
3312 ****************************************************************/
3313
3314 NTSTATUS _samr_CreateUser(pipes_struct *p,
3315 struct samr_CreateUser *r)
3316 {
3317 struct samr_CreateUser2 c;
3318 uint32_t access_granted;
3319
3320 c.in.domain_handle = r->in.domain_handle;
3321 c.in.account_name = r->in.account_name;
3322 c.in.acct_flags = ACB_NORMAL;
3323 c.in.access_mask = r->in.access_mask;
3324 c.out.user_handle = r->out.user_handle;
3325 c.out.access_granted = &access_granted;
3326 c.out.rid = r->out.rid;
3327
3328 return _samr_CreateUser2(p, &c);
3329 }
3330
3331 /*******************************************************************
3332 _samr_Connect
3333 ********************************************************************/
3334
3335 NTSTATUS _samr_Connect(pipes_struct *p,
3336 struct samr_Connect *r)
3337 {
3338 struct samr_connect_info *info;
3339 uint32_t acc_granted;
3340 struct policy_handle hnd;
3341 uint32 des_access = r->in.access_mask;
3342 NTSTATUS status;
3343
3344 /* Access check */
3345
3346 if (!pipe_access_check(p)) {
3347 DEBUG(3, ("access denied to _samr_Connect\n"));
3348 return NT_STATUS_ACCESS_DENIED;
3349 }
3350
3351 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3352 was observed from a win98 client trying to enumerate users (when configured
3353 user level access control on shares) --jerry */
3354
3355 map_max_allowed_access(p->server_info->ptok, &des_access);
3356
3357 se_map_generic( &des_access, &sam_generic_mapping );
3358
3359 acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS
3360 |SAMR_ACCESS_LOOKUP_DOMAIN);
3361
3362 /* set up the SAMR connect_anon response */
3363
3364 info = policy_handle_create(p, &hnd, acc_granted,
3365 struct samr_connect_info,
3366 &status);
3367 if (!NT_STATUS_IS_OK(status)) {
3368 return status;
3369 }
3370
3371 *r->out.connect_handle = hnd;
3372 return NT_STATUS_OK;
3373 }
3374
3375 /*******************************************************************
3376 _samr_Connect2
3377 ********************************************************************/
3378
3379 NTSTATUS _samr_Connect2(pipes_struct *p,
3380 struct samr_Connect2 *r)
3381 {
3382 struct samr_connect_info *info = NULL;
3383 struct policy_handle hnd;
3384 SEC_DESC *psd = NULL;
3385 uint32 acc_granted;
3386 uint32 des_access = r->in.access_mask;
3387 NTSTATUS nt_status;
3388 size_t sd_size;
3389 const char *fn = "_samr_Connect2";
3390
3391 switch (p->hdr_req.opnum) {
3392 case NDR_SAMR_CONNECT2:
3393 fn = "_samr_Connect2";
3394 break;
3395 case NDR_SAMR_CONNECT3:
3396 fn = "_samr_Connect3";
3397 break;
3398 case NDR_SAMR_CONNECT4:
3399 fn = "_samr_Connect4";
3400 break;
3401 case NDR_SAMR_CONNECT5:
3402 fn = "_samr_Connect5";
3403 break;
3404 }
3405
3406 DEBUG(5,("%s: %d\n", fn, __LINE__));
3407
3408 /* Access check */
3409
3410 if (!pipe_access_check(p)) {
3411 DEBUG(3, ("access denied to %s\n", fn));
3412 return NT_STATUS_ACCESS_DENIED;
3413 }
3414
3415 map_max_allowed_access(p->server_info->ptok, &des_access);
3416
3417 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3418 se_map_generic(&des_access, &sam_generic_mapping);
3419
3420 nt_status = access_check_samr_object(psd, p->server_info->ptok,
3421 NULL, 0, des_access, &acc_granted, fn);
3422
3423 if ( !NT_STATUS_IS_OK(nt_status) )
3424 return nt_status;
3425
3426 info = policy_handle_create(p, &hnd, acc_granted,
3427 struct samr_connect_info, &nt_status);
3428 if (!NT_STATUS_IS_OK(nt_status)) {
3429 return nt_status;
3430 }
3431
3432 DEBUG(5,("%s: %d\n", fn, __LINE__));
3433
3434 *r->out.connect_handle = hnd;
3435 return NT_STATUS_OK;
3436 }
3437
3438 /****************************************************************
3439 _samr_Connect3
3440 ****************************************************************/
3441
3442 NTSTATUS _samr_Connect3(pipes_struct *p,
3443 struct samr_Connect3 *r)
3444 {
3445 struct samr_Connect2 c;
3446
3447 c.in.system_name = r->in.system_name;
3448 c.in.access_mask = r->in.access_mask;
3449 c.out.connect_handle = r->out.connect_handle;
3450
3451 return _samr_Connect2(p, &c);
3452 }
3453
3454 /*******************************************************************
3455 _samr_Connect4
3456 ********************************************************************/
3457
3458 NTSTATUS _samr_Connect4(pipes_struct *p,
3459 struct samr_Connect4 *r)
3460 {
3461 struct samr_Connect2 c;
3462
3463 c.in.system_name = r->in.system_name;
3464 c.in.access_mask = r->in.access_mask;
3465 c.out.connect_handle = r->out.connect_handle;
3466
3467 return _samr_Connect2(p, &c);
3468 }
3469
3470 /*******************************************************************
3471 _samr_Connect5
3472 ********************************************************************/
3473
3474 NTSTATUS _samr_Connect5(pipes_struct *p,
3475 struct samr_Connect5 *r)
3476 {
3477 NTSTATUS status;
3478 struct samr_Connect2 c;
3479 struct samr_ConnectInfo1 info1;
3480
3481 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3482 info1.unknown2 = 0;
3483
3484 c.in.system_name = r->in.system_name;
3485 c.in.access_mask = r->in.access_mask;
3486 c.out.connect_handle = r->out.connect_handle;
3487
3488 *r->out.level_out = 1;
3489
3490 status = _samr_Connect2(p, &c);
3491 if (!NT_STATUS_IS_OK(status)) {
3492 return status;
3493 }
3494
3495 r->out.info_out->info1 = info1;
3496
3497 return NT_STATUS_OK;
3498 }
3499
3500 /**********************************************************************
3501 _samr_LookupDomain
3502 **********************************************************************/
3503
3504 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3505 struct samr_LookupDomain *r)
3506 {
3507 NTSTATUS status;
3508 struct samr_connect_info *info;
3509 const char *domain_name;
3510 DOM_SID *sid = NULL;
3511
3512 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3513 Reverted that change so we will work with RAS servers again */
3514
3515 info = policy_handle_find(p, r->in.connect_handle,
3516 SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
3517 struct samr_connect_info,
3518 &status);
3519 if (!NT_STATUS_IS_OK(status)) {
3520 return status;
3521 }
3522
3523 domain_name = r->in.domain_name->string;
3524 if (!domain_name) {
3525 return NT_STATUS_INVALID_PARAMETER;
3526 }
3527
3528 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3529 if (!sid) {
3530 return NT_STATUS_NO_MEMORY;
3531 }
3532
3533 if (strequal(domain_name, builtin_domain_name())) {
3534 sid_copy(sid, &global_sid_Builtin);
3535 } else {
3536 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3537 status = NT_STATUS_NO_SUCH_DOMAIN;
3538 }
3539 }
3540
3541 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3542 sid_string_dbg(sid)));
3543
3544 *r->out.sid = sid;
3545
3546 return status;
3547 }
3548
3549 /**********************************************************************
3550 _samr_EnumDomains
3551 **********************************************************************/
3552
3553 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3554 struct samr_EnumDomains *r)
3555 {
3556 NTSTATUS status;
3557 struct samr_connect_info *info;
3558 uint32_t num_entries = 2;
3559 struct samr_SamEntry *entry_array = NULL;
3560 struct samr_SamArray *sam;
3561
3562 info = policy_handle_find(p, r->in.connect_handle,
3563 SAMR_ACCESS_ENUM_DOMAINS, NULL,
3564 struct samr_connect_info, &status);
3565 if (!NT_STATUS_IS_OK(status)) {
3566 return status;
3567 }
3568
3569 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3570 if (!sam) {
3571 return NT_STATUS_NO_MEMORY;
3572 }
3573
3574 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3575 struct samr_SamEntry,
3576 num_entries);
3577 if (!entry_array) {
3578 return NT_STATUS_NO_MEMORY;
3579 }
3580
3581 entry_array[0].idx = 0;
3582 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3583
3584 entry_array[1].idx = 1;
3585 init_lsa_String(&entry_array[1].name, "Builtin");
3586
3587 sam->count = num_entries;
3588 sam->entries = entry_array;
3589
3590 *r->out.sam = sam;
3591 *r->out.num_entries = num_entries;
3592
3593 return status;
3594 }
3595
3596 /*******************************************************************
3597 _samr_OpenAlias
3598 ********************************************************************/
3599
3600 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3601 struct samr_OpenAlias *r)
3602 {
3603 DOM_SID sid;
3604 uint32 alias_rid = r->in.rid;
3605 struct samr_alias_info *ainfo;
3606 struct samr_domain_info *dinfo;
3607 SEC_DESC *psd = NULL;
3608 uint32 acc_granted;
3609 uint32 des_access = r->in.access_mask;
3610 size_t sd_size;
3611 NTSTATUS status;
3612 SE_PRIV se_rights;
3613
3614 dinfo = policy_handle_find(p, r->in.domain_handle,
3615 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
3616 struct samr_domain_info, &status);
3617 if (!NT_STATUS_IS_OK(status)) {
3618 return status;
3619 }
3620
3621 /* append the alias' RID to it */
3622
3623 if (!sid_compose(&sid, &dinfo->sid, alias_rid))
3624 return NT_STATUS_NO_SUCH_ALIAS;
3625
3626 /*check if access can be granted as requested by client. */
3627
3628 map_max_allowed_access(p->server_info->ptok, &des_access);
3629
3630 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3631 se_map_generic(&des_access,&ali_generic_mapping);
3632
3633 se_priv_copy( &se_rights, &se_add_users );
3634
3635
3636 status = access_check_samr_object(psd, p->server_info->ptok,
3637 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3638 &acc_granted, "_samr_OpenAlias");
3639
3640 if ( !NT_STATUS_IS_OK(status) )
3641 return status;
3642
3643 {
3644 /* Check we actually have the requested alias */
3645 enum lsa_SidType type;
3646 bool result;
3647 gid_t gid;
3648
3649 become_root();
3650 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3651 unbecome_root();
3652
3653 if (!result || (type != SID_NAME_ALIAS)) {
3654 return NT_STATUS_NO_SUCH_ALIAS;
3655 }
3656
3657 /* make sure there is a mapping */
3658
3659 if ( !sid_to_gid( &sid, &gid ) ) {
3660 return NT_STATUS_NO_SUCH_ALIAS;
3661 }
3662
3663 }
3664
3665 ainfo = policy_handle_create(p, r->out.alias_handle, acc_granted,
3666 struct samr_alias_info, &status);
3667 if (!NT_STATUS_IS_OK(status)) {
3668 return status;
3669 }
3670 ainfo->sid = sid;
3671
3672 return NT_STATUS_OK;
3673 }
3674
3675 /*******************************************************************
3676 set_user_info_2
3677 ********************************************************************/
3678
3679 static NTSTATUS set_user_info_2(TALLOC_CTX *mem_ctx,
3680 struct samr_UserInfo2 *id2,
3681 struct samu *pwd)
3682 {
3683 if (id2 == NULL) {
3684 DEBUG(5,("set_user_info_2: NULL id2\n"));
3685 return NT_STATUS_ACCESS_DENIED;
3686 }
3687
3688 copy_id2_to_sam_passwd(pwd, id2);
3689
3690 return pdb_update_sam_account(pwd);
3691 }
3692
3693 /*******************************************************************
3694 set_user_info_4
3695 ********************************************************************/
3696
3697 static NTSTATUS set_user_info_4(TALLOC_CTX *mem_ctx,
3698 struct samr_UserInfo4 *id4,
3699 struct samu *pwd)
3700 {
3701 if (id4 == NULL) {
3702 DEBUG(5,("set_user_info_2: NULL id4\n"));
3703 return NT_STATUS_ACCESS_DENIED;
3704 }
3705
3706 copy_id4_to_sam_passwd(pwd, id4);
3707
3708 return pdb_update_sam_account(pwd);
3709 }
3710
3711 /*******************************************************************
3712 set_user_info_6
3713 ********************************************************************/
3714
3715 static NTSTATUS set_user_info_6(TALLOC_CTX *mem_ctx,
3716 struct samr_UserInfo6 *id6,
3717 struct samu *pwd)
3718 {
3719 if (id6 == NULL) {
3720 DEBUG(5,("set_user_info_6: NULL id6\n"));
3721 return NT_STATUS_ACCESS_DENIED;
3722 }
3723
3724 copy_id6_to_sam_passwd(pwd, id6);
3725
3726 return pdb_update_sam_account(pwd);
3727 }
3728
3729 /*******************************************************************
3730 set_user_info_7
3731 ********************************************************************/
3732
3733 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3734 struct samr_UserInfo7 *id7,
3735 struct samu *pwd)
3736 {
3737 NTSTATUS rc;
3738
3739 if (id7 == NULL) {
3740 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3741 return NT_STATUS_ACCESS_DENIED;
3742 }
3743
3744 if (!id7->account_name.string) {
3745 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3746 return NT_STATUS_ACCESS_DENIED;
3747 }
3748
3749 /* check to see if the new username already exists. Note: we can't
3750 reliably lock all backends, so there is potentially the
3751 possibility that a user can be created in between this check and
3752 the rename. The rename should fail, but may not get the
3753 exact same failure status code. I think this is small enough
3754 of a window for this type of operation and the results are
3755 simply that the rename fails with a slightly different status
3756 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3757
3758 rc = can_create(mem_ctx, id7->account_name.string);
3759 if (!NT_STATUS_IS_OK(rc)) {
3760 return rc;
3761 }
3762
3763 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3764
3765 return rc;
3766 }
3767
3768 /*******************************************************************
3769 set_user_info_8
3770 ********************************************************************/
3771
3772 static NTSTATUS set_user_info_8(TALLOC_CTX *mem_ctx,
3773 struct samr_UserInfo8 *id8,
3774 struct samu *pwd)
3775 {
3776 if (id8 == NULL) {
3777 DEBUG(5,("set_user_info_8: NULL id8\n"));
3778 return NT_STATUS_ACCESS_DENIED;
3779 }
3780
3781 copy_id8_to_sam_passwd(pwd, id8);
3782
3783 return pdb_update_sam_account(pwd);
3784 }
3785
3786 /*******************************************************************
3787 set_user_info_10
3788 ********************************************************************/
3789
3790 static NTSTATUS set_user_info_10(TALLOC_CTX *mem_ctx,
3791 struct samr_UserInfo10 *id10,
3792 struct samu *pwd)
3793 {
3794 if (id10 == NULL) {
3795 DEBUG(5,("set_user_info_8: NULL id10\n"));
3796 return NT_STATUS_ACCESS_DENIED;
3797 }
3798
3799 copy_id10_to_sam_passwd(pwd, id10);
3800
3801 return pdb_update_sam_account(pwd);
3802 }
3803
3804 /*******************************************************************
3805 set_user_info_11
3806 ********************************************************************/
3807
3808 static NTSTATUS set_user_info_11(TALLOC_CTX *mem_ctx,
3809 struct samr_UserInfo11 *id11,
3810 struct samu *pwd)
3811 {
3812 if (id11 == NULL) {
3813 DEBUG(5,("set_user_info_11: NULL id11\n"));
3814 return NT_STATUS_ACCESS_DENIED;
3815 }
3816
3817 copy_id11_to_sam_passwd(pwd, id11);
3818
3819 return pdb_update_sam_account(pwd);
3820 }
3821
3822 /*******************************************************************
3823 set_user_info_12
3824 ********************************************************************/
3825
3826 static NTSTATUS set_user_info_12(TALLOC_CTX *mem_ctx,
3827 struct samr_UserInfo12 *id12,
3828 struct samu *pwd)
3829 {
3830 if (id12 == NULL) {
3831 DEBUG(5,("set_user_info_12: NULL id12\n"));
3832 return NT_STATUS_ACCESS_DENIED;
3833 }
3834
3835 copy_id12_to_sam_passwd(pwd, id12);
3836
3837 return pdb_update_sam_account(pwd);
3838 }
3839
3840 /*******************************************************************
3841 set_user_info_13
3842 ********************************************************************/
3843
3844 static NTSTATUS set_user_info_13(TALLOC_CTX *mem_ctx,
3845 struct samr_UserInfo13 *id13,
3846 struct samu *pwd)
3847 {
3848 if (id13 == NULL) {
3849 DEBUG(5,("set_user_info_13: NULL id13\n"));
3850 return NT_STATUS_ACCESS_DENIED;
3851 }
3852
3853 copy_id13_to_sam_passwd(pwd, id13);
3854
3855 return pdb_update_sam_account(pwd);
3856 }
3857
3858 /*******************************************************************
3859 set_user_info_14
3860 ********************************************************************/
3861
3862 static NTSTATUS set_user_info_14(TALLOC_CTX *mem_ctx,
3863 struct samr_UserInfo14 *id14,
3864 struct samu *pwd)
3865 {
3866 if (id14 == NULL) {
3867 DEBUG(5,("set_user_info_14: NULL id14\n"));
3868 return NT_STATUS_ACCESS_DENIED;
3869 }
3870
3871 copy_id14_to_sam_passwd(pwd, id14);
3872
3873 return pdb_update_sam_account(pwd);
3874 }
3875
3876 /*******************************************************************
3877 set_user_info_16
3878 ********************************************************************/
3879
3880 static NTSTATUS set_user_info_16(TALLOC_CTX *mem_ctx,
3881 struct samr_UserInfo16 *id16,
3882 struct samu *pwd)
3883 {
3884 if (id16 == NULL) {
3885 DEBUG(5,("set_user_info_16: NULL id16\n"));
3886 return NT_STATUS_ACCESS_DENIED;
3887 }
3888
3889 copy_id16_to_sam_passwd(pwd, id16);
3890
3891 return pdb_update_sam_account(pwd);
3892 }
3893
3894 /*******************************************************************
3895 set_user_info_17
3896 ********************************************************************/
3897
3898 static NTSTATUS set_user_info_17(TALLOC_CTX *mem_ctx,
3899 struct samr_UserInfo17 *id17,
3900 struct samu *pwd)
3901 {
3902 if (id17 == NULL) {
3903 DEBUG(5,("set_user_info_17: NULL id17\n"));
3904 return NT_STATUS_ACCESS_DENIED;
3905 }
3906
3907 copy_id17_to_sam_passwd(pwd, id17);
3908
3909 return pdb_update_sam_account(pwd);
3910 }
3911
3912 /*******************************************************************
3913 set_user_info_18
3914 ********************************************************************/
3915
3916 static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
3917 TALLOC_CTX *mem_ctx,
3918 DATA_BLOB *session_key,
3919 struct samu *pwd)
3920 {
3921 if (id18 == NULL) {
3922 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3923 return NT_STATUS_INVALID_PARAMETER;
3924 }
3925
3926 if (id18->nt_pwd_active || id18->lm_pwd_active) {
3927 if (!session_key->length) {
3928 return NT_STATUS_NO_USER_SESSION_KEY;
3929 }
3930 }
3931
3932 if (id18->nt_pwd_active) {
3933
3934 DATA_BLOB in, out;
3935
3936 in = data_blob_const(id18->nt_pwd.hash, 16);
3937 out = data_blob_talloc_zero(mem_ctx, 16);
3938
3939 sess_crypt_blob(&out, &in, session_key, false);
3940
3941 if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
3942 return NT_STATUS_ACCESS_DENIED;
3943 }
3944
3945 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3946 }
3947
3948 if (id18->lm_pwd_active) {
3949
3950 DATA_BLOB in, out;
3951
3952 in = data_blob_const(id18->lm_pwd.hash, 16);
3953 out = data_blob_talloc_zero(mem_ctx, 16);
3954
3955 sess_crypt_blob(&out, &in, session_key, false);
3956
3957 if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
3958 return NT_STATUS_ACCESS_DENIED;
3959 }
3960
3961 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
3962 }
3963
3964 copy_id18_to_sam_passwd(pwd, id18);
3965
3966 return pdb_update_sam_account(pwd);
3967 }
3968
3969 /*******************************************************************
3970 set_user_info_20
3971 ********************************************************************/
3972
3973 static NTSTATUS set_user_info_20(TALLOC_CTX *mem_ctx,
3974 struct samr_UserInfo20 *id20,
3975 struct samu *pwd)
3976 {
3977 if (id20 == NULL) {
3978 DEBUG(5,("set_user_info_20: NULL id20\n"));
3979 return NT_STATUS_ACCESS_DENIED;
3980 }
3981
3982 copy_id20_to_sam_passwd(pwd, id20);
3983
3984 return pdb_update_sam_account(pwd);
3985 }
3986
3987 /*******************************************************************
3988 set_user_info_21
3989 ********************************************************************/
3990
3991 static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
3992 TALLOC_CTX *mem_ctx,
3993 DATA_BLOB *session_key,
3994 struct samu *pwd)
3995 {
3996 NTSTATUS status;
3997
3998 if (id21 == NULL) {
3999 DEBUG(5, ("set_user_info_21: NULL id21\n"));
4000 return NT_STATUS_INVALID_PARAMETER;
4001 }
4002
4003 if (id21->fields_present == 0) {
4004 return NT_STATUS_INVALID_PARAMETER;
4005 }
4006
4007 if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4008 return NT_STATUS_ACCESS_DENIED;
4009 }
4010
4011 if (id21->fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
4012 if (id21->nt_password_set) {
4013 DATA_BLOB in, out;
4014
4015 if ((id21->nt_owf_password.length != 16) ||
4016 (id21->nt_owf_password.size != 16)) {
4017 return NT_STATUS_INVALID_PARAMETER;
4018 }
4019
4020 if (!session_key->length) {
4021 return NT_STATUS_NO_USER_SESSION_KEY;
4022 }
4023
4024 in = data_blob_const(id21->nt_owf_password.array, 16);
4025 out = data_blob_talloc_zero(mem_ctx, 16);
4026
4027 sess_crypt_blob(&out, &in, session_key, false);
4028
4029 pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
4030 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4031 }
4032 }
4033
4034 if (id21->fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
4035 if (id21->lm_password_set) {
4036 DATA_BLOB in, out;
4037
4038 if ((id21->lm_owf_password.length != 16) ||
4039 (id21->lm_owf_password.size != 16)) {
4040 return NT_STATUS_INVALID_PARAMETER;
4041 }
4042
4043 if (!session_key->length) {
4044 return NT_STATUS_NO_USER_SESSION_KEY;
4045 }
4046
4047 in = data_blob_const(id21->lm_owf_password.array, 16);
4048 out = data_blob_talloc_zero(mem_ctx, 16);
4049
4050 sess_crypt_blob(&out, &in, session_key, false);
4051
4052 pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
4053 pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4054 }
4055 }
4056
4057 /* we need to separately check for an account rename first */
4058
4059 if (id21->account_name.string &&
4060 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
4061 {
4062
4063 /* check to see if the new username already exists. Note: we can't
4064 reliably lock all backends, so there is potentially the
4065 possibility that a user can be created in between this check and
4066 the rename. The rename should fail, but may not get the
4067 exact same failure status code. I think this is small enough
4068 of a window for this type of operation and the results are
4069 simply that the rename fails with a slightly different status
4070 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4071
4072 status = can_create(mem_ctx, id21->account_name.string);
4073 if (!NT_STATUS_IS_OK(status)) {
4074 return status;
4075 }
4076
4077 status = pdb_rename_sam_account(pwd, id21->account_name.string);
4078
4079 if (!NT_STATUS_IS_OK(status)) {
4080 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4081 nt_errstr(status)));
4082 return status;
4083 }
4084
4085 /* set the new username so that later
4086 functions can work on the new account */
4087 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
4088 }
4089
4090 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
4091
4092 /*
4093 * The funny part about the previous two calls is
4094 * that pwd still has the password hashes from the
4095 * passdb entry. These have not been updated from
4096 * id21. I don't know if they need to be set. --jerry
4097 */
4098
4099 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4100 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4101 if ( !NT_STATUS_IS_OK(status) ) {
4102 return status;
4103 }
4104 }
4105
4106 /* Don't worry about writing out the user account since the
4107 primary group SID is generated solely from the user's Unix
4108 primary group. */
4109
4110 /* write the change out */
4111 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4112 return status;
4113 }
4114
4115 return NT_STATUS_OK;
4116 }
4117
4118 /*******************************************************************
4119 set_user_info_23
4120 ********************************************************************/
4121
4122 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
4123 struct samr_UserInfo23 *id23,
4124 struct samu *pwd)
4125 {
4126 char *plaintext_buf = NULL;
4127 size_t len = 0;
4128 uint32_t acct_ctrl;
4129 NTSTATUS status;
4130
4131 if (id23 == NULL) {
4132 DEBUG(5, ("set_user_info_23: NULL id23\n"));
4133 return NT_STATUS_INVALID_PARAMETER;
4134 }
4135
4136 if (id23->info.fields_present == 0) {
4137 return NT_STATUS_INVALID_PARAMETER;
4138 }
4139
4140 if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4141 return NT_STATUS_ACCESS_DENIED;
4142 }
4143
4144 if ((id23->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4145 (id23->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4146
4147 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4148 pdb_get_username(pwd)));
4149
4150 if (!decode_pw_buffer(mem_ctx,
4151 id23->password.data,
4152 &plaintext_buf,
4153 &len,
4154 CH_UTF16)) {
4155 return NT_STATUS_WRONG_PASSWORD;
4156 }
4157
4158 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4159 return NT_STATUS_ACCESS_DENIED;
4160 }
4161 }
4162
4163 copy_id23_to_sam_passwd(pwd, id23);
4164
4165 acct_ctrl = pdb_get_acct_ctrl(pwd);
4166
4167 /* if it's a trust account, don't update /etc/passwd */
4168 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4169 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4170 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4171 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4172 } else if (plaintext_buf) {
4173 /* update the UNIX password */
4174 if (lp_unix_password_sync() ) {
4175 struct passwd *passwd;
4176 if (pdb_get_username(pwd) == NULL) {
4177 DEBUG(1, ("chgpasswd: User without name???\n"));
4178 return NT_STATUS_ACCESS_DENIED;
4179 }
4180
4181 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4182 if (passwd == NULL) {
4183 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4184 }
4185
4186 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4187 return NT_STATUS_ACCESS_DENIED;
4188 }
4189 TALLOC_FREE(passwd);
4190 }
4191 }
4192
4193 if (plaintext_buf) {
4194 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4195 }
4196
4197 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
4198 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
4199 pwd)))) {
4200 return status;
4201 }
4202
4203 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4204 return status;
4205 }
4206
4207 return NT_STATUS_OK;
4208 }
4209
4210 /*******************************************************************
4211 set_user_info_pw
4212 ********************************************************************/
4213
4214 static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
4215 {
4216 size_t len = 0;
4217 char *plaintext_buf = NULL;
4218 uint32 acct_ctrl;
4219
4220 DEBUG(5, ("Attempting administrator password change for user %s\n",
4221 pdb_get_username(pwd)));
4222
4223 acct_ctrl = pdb_get_acct_ctrl(pwd);
4224
4225 if (!decode_pw_buffer(talloc_tos(),
4226 pass,
4227 &plaintext_buf,
4228 &len,
4229 CH_UTF16)) {
4230 return False;
4231 }
4232
4233 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4234 return False;
4235 }
4236
4237 /* if it's a trust account, don't update /etc/passwd */
4238 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4239 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4240 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4241 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4242 } else {
4243 /* update the UNIX password */
4244 if (lp_unix_password_sync()) {
4245 struct passwd *passwd;
4246
4247 if (pdb_get_username(pwd) == NULL) {
4248 DEBUG(1, ("chgpasswd: User without name???\n"));
4249 return False;
4250 }
4251
4252 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4253 if (passwd == NULL) {
4254 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4255 }
4256
4257 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4258 return False;
4259 }
4260 TALLOC_FREE(passwd);
4261 }
4262 }
4263
4264 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4265
4266 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4267
4268 return True;
4269 }
4270
4271 /*******************************************************************
4272 set_user_info_24
4273 ********************************************************************/
4274
4275 static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
4276 struct samr_UserInfo24 *id24,
4277 struct samu *pwd)
4278 {
4279 NTSTATUS status;
4280
4281 if (id24 == NULL) {
4282 DEBUG(5, ("set_user_info_24: NULL id24\n"));
4283 return NT_STATUS_INVALID_PARAMETER;
4284 }
4285
4286 if (!set_user_info_pw(id24->password.data, pwd)) {
4287 return NT_STATUS_WRONG_PASSWORD;
4288 }
4289
4290 copy_id24_to_sam_passwd(pwd, id24);
4291
4292 status = pdb_update_sam_account(pwd);
4293 if (!NT_STATUS_IS_OK(status)) {
4294 return status;
4295 }
4296
4297 return NT_STATUS_OK;
4298 }
4299
4300 /*******************************************************************
4301 set_user_info_25
4302 ********************************************************************/
4303
4304 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4305 struct samr_UserInfo25 *id25,
4306 struct samu *pwd)
4307 {
4308 NTSTATUS status;
4309
4310 if (id25 == NULL) {
4311 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4312 return NT_STATUS_INVALID_PARAMETER;
4313 }
4314
4315 if (id25->info.fields_present == 0) {
4316 return NT_STATUS_INVALID_PARAMETER;
4317 }
4318
4319 if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4320 return NT_STATUS_ACCESS_DENIED;
4321 }
4322
4323 if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4324 (id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4325
4326 if (!set_user_info_pw(id25->password.data, pwd)) {
4327 return NT_STATUS_WRONG_PASSWORD;
4328 }
4329 }
4330
4331 copy_id25_to_sam_passwd(pwd, id25);
4332
4333 /* write the change out */
4334 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4335 return status;
4336 }
4337
4338 /*
4339 * We need to "pdb_update_sam_account" before the unix primary group
4340 * is set, because the idealx scripts would also change the
4341 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4342 * the delete explicit / add explicit, which would then fail to find
4343 * the previous primaryGroupSid value.
4344 */
4345
4346 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4347 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4348 if ( !NT_STATUS_IS_OK(status) ) {
4349 return status;
4350 }
4351 }
4352
4353 return NT_STATUS_OK;
4354 }
4355
4356 /*******************************************************************
4357 set_user_info_26
4358 ********************************************************************/
4359
4360 static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4361 struct samr_UserInfo26 *id26,
4362 struct samu *pwd)
4363 {
4364 NTSTATUS status;
4365
4366 if (id26 == NULL) {
4367 DEBUG(5, ("set_user_info_26: NULL id26\n"));
4368 return NT_STATUS_INVALID_PARAMETER;
4369 }
4370
4371 if (!set_user_info_pw(id26->password.data, pwd)) {
4372 return NT_STATUS_WRONG_PASSWORD;
4373 }
4374
4375 copy_id26_to_sam_passwd(pwd, id26);
4376
4377 status = pdb_update_sam_account(pwd);
4378 if (!NT_STATUS_IS_OK(status)) {
4379 return status;
4380 }
4381
4382 return NT_STATUS_OK;
4383 }
4384
4385
4386 /*******************************************************************
4387 samr_SetUserInfo
4388 ********************************************************************/
4389
4390 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4391 struct samr_SetUserInfo *r)
4392 {
4393 struct samr_user_info *uinfo;
4394 NTSTATUS status;
4395 struct samu *pwd = NULL;
4396 union samr_UserInfo *info = r->in.info;
4397 uint16_t switch_value = r->in.level;
4398 uint32_t acc_required;
4399 bool ret;
4400 bool has_enough_rights = False;
4401 uint32_t acb_info;
4402
4403 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
4404
4405 /* This is tricky. A WinXP domain join sets
4406 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4407 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4408 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4409 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4410 we'll use the set from the WinXP join as the basis. */
4411
4412 switch (switch_value) {
4413 case 18:
4414 case 24:
4415 case 25:
4416 case 26:
4417 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
4418 break;
4419 default:
4420 acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
4421 SAMR_USER_ACCESS_SET_ATTRIBUTES |
4422 SAMR_USER_ACCESS_GET_ATTRIBUTES;
4423 break;
4424 }
4425
4426 uinfo = policy_handle_find(p, r->in.user_handle, acc_required, NULL,
4427 struct samr_user_info, &status);
4428 if (!NT_STATUS_IS_OK(status)) {
4429 return status;
4430 }
4431
4432 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4433 sid_string_dbg(&uinfo->sid), switch_value));
4434
4435 if (info == NULL) {
4436 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4437 return NT_STATUS_INVALID_INFO_CLASS;
4438 }
4439
4440 if (!(pwd = samu_new(NULL))) {
4441 return NT_STATUS_NO_MEMORY;
4442 }
4443
4444 become_root();
4445 ret = pdb_getsampwsid(pwd, &uinfo->sid);
4446 unbecome_root();
4447
4448 if (!ret) {
4449 TALLOC_FREE(pwd);
4450 return NT_STATUS_NO_SUCH_USER;
4451 }
4452
4453 /* deal with machine password changes differently from userinfo changes */
4454 /* check to see if we have the sufficient rights */
4455
4456 acb_info = pdb_get_acct_ctrl(pwd);
4457 if (acb_info & ACB_WSTRUST)
4458 has_enough_rights = user_has_privileges(p->server_info->ptok,
4459 &se_machine_account);
4460 else if (acb_info & ACB_NORMAL)
4461 has_enough_rights = user_has_privileges(p->server_info->ptok,
4462 &se_add_users);
4463 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4464 if (lp_enable_privileges()) {
4465 has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
4466 DOMAIN_GROUP_RID_ADMINS);
4467 }
4468 }
4469
4470 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4471 uidtoname(p->server_info->utok.uid),
4472 has_enough_rights ? "" : " not"));
4473
4474 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4475
4476 if (has_enough_rights) {
4477 become_root();
4478 }
4479
4480 /* ok! user info levels (lots: see MSDEV help), off we go... */
4481
4482 switch (switch_value) {
4483
4484 case 2:
4485 status = set_user_info_2(p->mem_ctx,
4486 &info->info2, pwd);
4487 break;
4488
4489 case 4:
4490 status = set_user_info_4(p->mem_ctx,
4491 &info->info4, pwd);
4492 break;
4493
4494 case 6:
4495 status = set_user_info_6(p->mem_ctx,
4496 &info->info6, pwd);
4497 break;
4498
4499 case 7:
4500 status = set_user_info_7(p->mem_ctx,
4501 &info->info7, pwd);
4502 break;
4503
4504 case 8:
4505 status = set_user_info_8(p->mem_ctx,
4506 &info->info8, pwd);
4507 break;
4508
4509 case 10:
4510 status = set_user_info_10(p->mem_ctx,
4511 &info->info10, pwd);
4512 break;
4513
4514 case 11:
4515 status = set_user_info_11(p->mem_ctx,
4516 &info->info11, pwd);
4517 break;
4518
4519 case 12:
4520 status = set_user_info_12(p->mem_ctx,
4521 &info->info12, pwd);
4522 break;
4523
4524 case 13:
4525 status = set_user_info_13(p->mem_ctx,
4526 &info->info13, pwd);
4527 break;
4528
4529 case 14:
4530 status = set_user_info_14(p->mem_ctx,
4531 &info->info14, pwd);
4532 break;
4533
4534 case 16:
4535 status = set_user_info_16(p->mem_ctx,
4536 &info->info16, pwd);
4537 break;
4538
4539 case 17:
4540 status = set_user_info_17(p->mem_ctx,
4541 &info->info17, pwd);
4542 break;
4543
4544 case 18:
4545 /* Used by AS/U JRA. */
4546 status = set_user_info_18(&info->info18,
4547 p->mem_ctx,
4548 &p->server_info->user_session_key,
4549 pwd);
4550 break;
4551
4552 case 20:
4553 status = set_user_info_20(p->mem_ctx,
4554 &info->info20, pwd);
4555 break;
4556
4557 case 21:
4558 status = set_user_info_21(&info->info21,
4559 p->mem_ctx,
4560 &p->server_info->user_session_key,
4561 pwd);
4562 break;
4563
4564 case 23:
4565 if (!p->server_info->user_session_key.length) {
4566 status = NT_STATUS_NO_USER_SESSION_KEY;
4567 }
4568 arcfour_crypt_blob(info->info23.password.data, 516,
4569 &p->server_info->user_session_key);
4570
4571 dump_data(100, info->info23.password.data, 516);
4572
4573 status = set_user_info_23(p->mem_ctx,
4574 &info->info23, pwd);
4575 break;
4576
4577 case 24:
4578 if (!p->server_info->user_session_key.length) {
4579 status = NT_STATUS_NO_USER_SESSION_KEY;
4580 }
4581 arcfour_crypt_blob(info->info24.password.data,
4582 516,
4583 &p->server_info->user_session_key);
4584
4585 dump_data(100, info->info24.password.data, 516);
4586
4587 status = set_user_info_24(p->mem_ctx,
4588 &info->info24, pwd);
4589 break;
4590
4591 case 25:
4592 if (!p->server_info->user_session_key.length) {
4593 status = NT_STATUS_NO_USER_SESSION_KEY;
4594 }
4595 encode_or_decode_arc4_passwd_buffer(
4596 info->info25.password.data,
4597 &p->server_info->user_session_key);
4598
4599 dump_data(100, info->info25.password.data, 532);
4600
4601 status = set_user_info_25(p->mem_ctx,
4602 &info->info25, pwd);
4603 break;
4604
4605 case 26:
4606 if (!p->server_info->user_session_key.length) {
4607 status = NT_STATUS_NO_USER_SESSION_KEY;
4608 }
4609 encode_or_decode_arc4_passwd_buffer(
4610 info->info26.password.data,
4611 &p->server_info->user_session_key);
4612
4613 dump_data(100, info->info26.password.data, 516);
4614
4615 status = set_user_info_26(p->mem_ctx,
4616 &info->info26, pwd);
4617 break;
4618
4619 default:
4620 status = NT_STATUS_INVALID_INFO_CLASS;
4621 }
4622
4623 TALLOC_FREE(pwd);
4624
4625 if (has_enough_rights) {
4626 unbecome_root();
4627 }
4628
4629 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4630
4631 if (NT_STATUS_IS_OK(status)) {
4632 force_flush_samr_cache(&uinfo->sid);
4633 }
4634
4635 return status;
4636 }
4637
4638 /*******************************************************************
4639 _samr_SetUserInfo2
4640 ********************************************************************/
4641
4642 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4643 struct samr_SetUserInfo2 *r)
4644 {
4645 struct samr_SetUserInfo q;
4646
4647 q.in.user_handle = r->in.user_handle;
4648 q.in.level = r->in.level;
4649 q.in.info = r->in.info;
4650
4651 return _samr_SetUserInfo(p, &q);
4652 }
4653
4654 /*********************************************************************
4655 _samr_GetAliasMembership
4656 *********************************************************************/
4657
4658 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4659 struct samr_GetAliasMembership *r)
4660 {
4661 size_t num_alias_rids;
4662 uint32 *alias_rids;
4663 struct samr_domain_info *dinfo;
4664 size_t i;
4665
4666 NTSTATUS status;
4667
4668 DOM_SID *members;
4669
4670 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4671
4672 dinfo = policy_handle_find(p, r->in.domain_handle,
4673 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
4674 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
4675 struct samr_domain_info, &status);
4676 if (!NT_STATUS_IS_OK(status)) {
4677 return status;
4678 }
4679
4680 if (!sid_check_is_domain(&dinfo->sid) &&
4681 !sid_check_is_builtin(&dinfo->sid))
4682 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4683
4684 if (r->in.sids->num_sids) {
4685 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4686
4687 if (members == NULL)
4688 return NT_STATUS_NO_MEMORY;
4689 } else {
4690 members = NULL;
4691 }
4692
4693 for (i=0; i<r->in.sids->num_sids; i++)
4694 sid_copy(&members[i], r->in.sids->sids[i].sid);
4695
4696 alias_rids = NULL;
4697 num_alias_rids = 0;
4698
4699 become_root();
4700 status = pdb_enum_alias_memberships(p->mem_ctx, &dinfo->sid, members,
4701 r->in.sids->num_sids,
4702 &alias_rids, &num_alias_rids);
4703 unbecome_root();
4704
4705 if (!NT_STATUS_IS_OK(status)) {
4706 return status;
4707 }
4708
4709 r->out.rids->count = num_alias_rids;
4710 r->out.rids->ids = alias_rids;
4711
4712 return NT_STATUS_OK;
4713 }
4714
4715 /*********************************************************************
4716 _samr_GetMembersInAlias
4717 *********************************************************************/
4718
4719 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4720 struct samr_GetMembersInAlias *r)
4721 {
4722 struct samr_alias_info *ainfo;
4723 NTSTATUS status;
4724 size_t i;
4725 size_t num_sids = 0;
4726 struct lsa_SidPtr *sids = NULL;
4727 DOM_SID *pdb_sids = NULL;
4728
4729 ainfo = policy_handle_find(p, r->in.alias_handle,
4730 SAMR_ALIAS_ACCESS_GET_MEMBERS, NULL,
4731 struct samr_alias_info, &status);
4732 if (!NT_STATUS_IS_OK(status)) {
4733 return status;
4734 }
4735
4736 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
4737
4738 become_root();
4739 status = pdb_enum_aliasmem(&ainfo->sid, &pdb_sids, &num_sids);
4740 unbecome_root();
4741
4742 if (!NT_STATUS_IS_OK(status)) {
4743 return status;
4744 }
4745
4746 if (num_sids) {
4747 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4748 if (sids == NULL) {
4749 TALLOC_FREE(pdb_sids);
4750 return NT_STATUS_NO_MEMORY;
4751 }
4752 }
4753
4754 for (i = 0; i < num_sids; i++) {
4755 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4756 if (!sids[i].sid) {
4757 TALLOC_FREE(pdb_sids);
4758 return NT_STATUS_NO_MEMORY;
4759 }
4760 }
4761
4762 r->out.sids->num_sids = num_sids;
4763 r->out.sids->sids = sids;
4764
4765 TALLOC_FREE(pdb_sids);
4766
4767 return NT_STATUS_OK;
4768 }
4769
4770 /*********************************************************************
4771 _samr_QueryGroupMember
4772 *********************************************************************/
4773
4774 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4775 struct samr_QueryGroupMember *r)
4776 {
4777 struct samr_group_info *ginfo;
4778 size_t i, num_members;
4779
4780 uint32 *rid=NULL;
4781 uint32 *attr=NULL;
4782
4783 NTSTATUS status;
4784 struct samr_RidTypeArray *rids = NULL;
4785
4786 ginfo = policy_handle_find(p, r->in.group_handle,
4787 SAMR_GROUP_ACCESS_GET_MEMBERS, NULL,
4788 struct samr_group_info, &status);
4789 if (!NT_STATUS_IS_OK(status)) {
4790 return status;
4791 }
4792
4793 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4794 if (!rids) {
4795 return NT_STATUS_NO_MEMORY;
4796 }
4797
4798 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid)));
4799
4800 if (!sid_check_is_in_our_domain(&ginfo->sid)) {
4801 DEBUG(3, ("sid %s is not in our domain\n",
4802 sid_string_dbg(&ginfo->sid)));
4803 return NT_STATUS_NO_SUCH_GROUP;
4804 }
4805
4806 DEBUG(10, ("lookup on Domain SID\n"));
4807
4808 become_root();
4809 status = pdb_enum_group_members(p->mem_ctx, &ginfo->sid,
4810 &rid, &num_members);
4811 unbecome_root();
4812
4813 if (!NT_STATUS_IS_OK(status))
4814 return status;
4815
4816 if (num_members) {
4817 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4818 if (attr == NULL) {
4819 return NT_STATUS_NO_MEMORY;
4820 }
4821 } else {
4822 attr = NULL;
4823 }
4824
4825 for (i=0; i<num_members; i++)
4826 attr[i] = SID_NAME_USER;
4827
4828 rids->count = num_members;
4829 rids->types = attr;
4830 rids->rids = rid;
4831
4832 *r->out.rids = rids;
4833
4834 return NT_STATUS_OK;
4835 }
4836
4837 /*********************************************************************
4838 _samr_AddAliasMember
4839 *********************************************************************/
4840
4841 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4842 struct samr_AddAliasMember *r)
4843 {
4844 struct samr_alias_info *ainfo;
4845 SE_PRIV se_rights;
4846 bool can_add_accounts;
4847 NTSTATUS status;
4848
4849 ainfo = policy_handle_find(p, r->in.alias_handle,
4850 SAMR_ALIAS_ACCESS_ADD_MEMBER, NULL,
4851 struct samr_alias_info, &status);
4852 if (!NT_STATUS_IS_OK(status)) {
4853 return status;
4854 }
4855
4856 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
4857
4858 se_priv_copy( &se_rights, &se_add_users );
4859 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4860
4861 /******** BEGIN SeAddUsers BLOCK *********/
4862
4863 if ( can_add_accounts )
4864 become_root();
4865
4866 status = pdb_add_aliasmem(&ainfo->sid, r->in.sid);
4867
4868 if ( can_add_accounts )
4869 unbecome_root();
4870
4871 /******** END SeAddUsers BLOCK *********/
4872
4873 if (NT_STATUS_IS_OK(status)) {
4874 force_flush_samr_cache(&ainfo->sid);
4875 }
4876
4877 return status;
4878 }
4879
4880 /*********************************************************************
4881 _samr_DeleteAliasMember
4882 *********************************************************************/
4883
4884 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4885 struct samr_DeleteAliasMember *r)
4886 {
4887 struct samr_alias_info *ainfo;
4888 SE_PRIV se_rights;
4889 bool can_add_accounts;
4890 NTSTATUS status;
4891
4892 ainfo = policy_handle_find(p, r->in.alias_handle,
4893 SAMR_ALIAS_ACCESS_REMOVE_MEMBER, NULL,
4894 struct samr_alias_info, &status);
4895 if (!NT_STATUS_IS_OK(status)) {
4896 return status;
4897 }
4898
4899 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4900 sid_string_dbg(&ainfo->sid)));
4901
4902 se_priv_copy( &se_rights, &se_add_users );
4903 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4904
4905 /******** BEGIN SeAddUsers BLOCK *********/
4906
4907 if ( can_add_accounts )
4908 become_root();
4909
4910 status = pdb_del_aliasmem(&ainfo->sid, r->in.sid);
4911
4912 if ( can_add_accounts )
4913 unbecome_root();
4914
4915 /******** END SeAddUsers BLOCK *********/
4916
4917 if (NT_STATUS_IS_OK(status)) {
4918 force_flush_samr_cache(&ainfo->sid);
4919 }
4920
4921 return status;
4922 }
4923
4924 /*********************************************************************
4925 _samr_AddGroupMember
4926 *********************************************************************/
4927
4928 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4929 struct samr_AddGroupMember *r)
4930 {
4931 struct samr_group_info *ginfo;
4932 NTSTATUS status;
4933 uint32 group_rid;
4934 SE_PRIV se_rights;
4935 bool can_add_accounts;
4936
4937 ginfo = policy_handle_find(p, r->in.group_handle,
4938 SAMR_GROUP_ACCESS_ADD_MEMBER, NULL,
4939 struct samr_group_info, &status);
4940 if (!NT_STATUS_IS_OK(status)) {
4941 return status;
4942 }
4943
4944 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid)));
4945
4946 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid,
4947 &group_rid)) {
4948 return NT_STATUS_INVALID_HANDLE;
4949 }
4950
4951 se_priv_copy( &se_rights, &se_add_users );
4952 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
4953
4954 /******** BEGIN SeAddUsers BLOCK *********/
4955
4956 if ( can_add_accounts )
4957 become_root();
4958
4959 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4960
4961 if ( can_add_accounts )
4962 unbecome_root();
4963
4964 /******** END SeAddUsers BLOCK *********/
4965
4966 force_flush_samr_cache(&ginfo->sid);
4967
4968 return status;
4969 }
4970
4971 /*********************************************************************
4972 _samr_DeleteGroupMember
4973 *********************************************************************/
4974
4975 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4976 struct samr_DeleteGroupMember *r)
4977
4978 {
4979 struct samr_group_info *ginfo;
4980 NTSTATUS status;
4981 uint32 group_rid;
4982 SE_PRIV se_rights;
4983 bool can_add_accounts;
4984
4985 /*
4986 * delete the group member named r->in.rid
4987 * who is a member of the sid associated with the handle
4988 * the rid is a user's rid as the group is a domain group.
4989 */
4990
4991 ginfo = policy_handle_find(p, r->in.group_handle,
4992 SAMR_GROUP_ACCESS_REMOVE_MEMBER, NULL,
4993 struct samr_group_info, &status);
4994 if (!NT_STATUS_IS_OK(status)) {
4995 return status;
4996 }
4997
4998 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid,
4999 &group_rid)) {
5000 return NT_STATUS_INVALID_HANDLE;
5001 }
5002
5003 se_priv_copy( &se_rights, &se_add_users );
5004 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5005
5006 /******** BEGIN SeAddUsers BLOCK *********/
5007
5008 if ( can_add_accounts )
5009 become_root();
5010
5011 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
5012
5013 if ( can_add_accounts )
5014 unbecome_root();
5015
5016 /******** END SeAddUsers BLOCK *********/
5017
5018 force_flush_samr_cache(&ginfo->sid);
5019
5020 return status;
5021 }
5022
5023 /*********************************************************************
5024 _samr_DeleteUser
5025 *********************************************************************/
5026
5027 NTSTATUS _samr_DeleteUser(pipes_struct *p,
5028 struct samr_DeleteUser *r)
5029 {
5030 struct samr_user_info *uinfo;
5031 NTSTATUS status;
5032 struct samu *sam_pass=NULL;
5033 bool can_add_accounts;
5034 uint32 acb_info;
5035 bool ret;
5036
5037 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
5038
5039 uinfo = policy_handle_find(p, r->in.user_handle,
5040 STD_RIGHT_DELETE_ACCESS, NULL,
5041 struct samr_user_info, &status);
5042 if (!NT_STATUS_IS_OK(status)) {
5043 return status;
5044 }
5045
5046 if (!sid_check_is_in_our_domain(&uinfo->sid))
5047 return NT_STATUS_CANNOT_DELETE;
5048
5049 /* check if the user exists before trying to delete */
5050 if ( !(sam_pass = samu_new( NULL )) ) {
5051 return NT_STATUS_NO_MEMORY;
5052 }
5053
5054 become_root();
5055 ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
5056 unbecome_root();
5057
5058 if( !ret ) {
5059 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5060 sid_string_dbg(&uinfo->sid)));
5061 TALLOC_FREE(sam_pass);
5062 return NT_STATUS_NO_SUCH_USER;
5063 }
5064
5065 acb_info = pdb_get_acct_ctrl(sam_pass);
5066
5067 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
5068 if ( acb_info & ACB_WSTRUST ) {
5069 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
5070 } else {
5071 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5072 }
5073
5074 /******** BEGIN SeAddUsers BLOCK *********/
5075
5076 if ( can_add_accounts )
5077 become_root();
5078
5079 status = pdb_delete_user(p->mem_ctx, sam_pass);
5080
5081 if ( can_add_accounts )
5082 unbecome_root();
5083
5084 /******** END SeAddUsers BLOCK *********/
5085
5086 if ( !NT_STATUS_IS_OK(status) ) {
5087 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5088 "user %s: %s.\n", pdb_get_username(sam_pass),
5089 nt_errstr(status)));
5090 TALLOC_FREE(sam_pass);
5091 return status;
5092 }
5093
5094
5095 TALLOC_FREE(sam_pass);
5096
5097 if (!close_policy_hnd(p, r->in.user_handle))
5098 return NT_STATUS_OBJECT_NAME_INVALID;
5099
5100 ZERO_STRUCTP(r->out.user_handle);
5101
5102 force_flush_samr_cache(&uinfo->sid);
5103
5104 return NT_STATUS_OK;
5105 }
5106
5107 /*********************************************************************
5108 _samr_DeleteDomainGroup
5109 *********************************************************************/
5110
5111 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
5112 struct samr_DeleteDomainGroup *r)
5113 {
5114 struct samr_group_info *ginfo;
5115 NTSTATUS status;
5116 uint32 group_rid;
5117 SE_PRIV se_rights;
5118 bool can_add_accounts;
5119
5120 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
5121
5122 ginfo = policy_handle_find(p, r->in.group_handle,
5123 STD_RIGHT_DELETE_ACCESS, NULL,
5124 struct samr_group_info, &status);
5125 if (!NT_STATUS_IS_OK(status)) {
5126 return status;
5127 }
5128
5129 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid)));
5130
5131 if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid,
5132 &group_rid)) {
5133 return NT_STATUS_NO_SUCH_GROUP;
5134 }
5135
5136 se_priv_copy( &se_rights, &se_add_users );
5137 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5138
5139 /******** BEGIN SeAddUsers BLOCK *********/
5140
5141 if ( can_add_accounts )
5142 become_root();
5143
5144 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
5145
5146 if ( can_add_accounts )
5147 unbecome_root();
5148
5149 /******** END SeAddUsers BLOCK *********/
5150
5151 if ( !NT_STATUS_IS_OK(status) ) {
5152 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5153 "entry for group %s: %s\n",
5154 sid_string_dbg(&ginfo->sid),
5155 nt_errstr(status)));
5156 return status;
5157 }
5158
5159 if (!close_policy_hnd(p, r->in.group_handle))
5160 return NT_STATUS_OBJECT_NAME_INVALID;
5161
5162 force_flush_samr_cache(&ginfo->sid);
5163
5164 return NT_STATUS_OK;
5165 }
5166
5167 /*********************************************************************
5168 _samr_DeleteDomAlias
5169 *********************************************************************/
5170
5171 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
5172 struct samr_DeleteDomAlias *r)
5173 {
5174 struct samr_alias_info *ainfo;
5175 SE_PRIV se_rights;
5176 bool can_add_accounts;
5177 NTSTATUS status;
5178
5179 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
5180
5181 ainfo = policy_handle_find(p, r->in.alias_handle,
5182 STD_RIGHT_DELETE_ACCESS, NULL,
5183 struct samr_alias_info, &status);
5184 if (!NT_STATUS_IS_OK(status)) {
5185 return status;
5186 }
5187
5188 DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
5189
5190 /* Don't let Windows delete builtin groups */
5191
5192 if ( sid_check_is_in_builtin( &ainfo->sid ) ) {
5193 return NT_STATUS_SPECIAL_ACCOUNT;
5194 }
5195
5196 if (!sid_check_is_in_our_domain(&ainfo->sid))
5197 return NT_STATUS_NO_SUCH_ALIAS;
5198
5199 DEBUG(10, ("lookup on Local SID\n"));
5200
5201 se_priv_copy( &se_rights, &se_add_users );
5202 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5203
5204 /******** BEGIN SeAddUsers BLOCK *********/
5205
5206 if ( can_add_accounts )
5207 become_root();
5208
5209 /* Have passdb delete the alias */
5210 status = pdb_delete_alias(&ainfo->sid);
5211
5212 if ( can_add_accounts )
5213 unbecome_root();
5214
5215 /******** END SeAddUsers BLOCK *********/
5216
5217 if ( !NT_STATUS_IS_OK(status))
5218 return status;
5219
5220 if (!close_policy_hnd(p, r->in.alias_handle))
5221 return NT_STATUS_OBJECT_NAME_INVALID;
5222
5223 force_flush_samr_cache(&ainfo->sid);
5224
5225 return NT_STATUS_OK;
5226 }
5227
5228 /*********************************************************************
5229 _samr_CreateDomainGroup
5230 *********************************************************************/
5231
5232 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
5233 struct samr_CreateDomainGroup *r)
5234
5235 {
5236 NTSTATUS status;
5237 const char *name;
5238 struct samr_domain_info *dinfo;
5239 struct samr_group_info *ginfo;
5240 SE_PRIV se_rights;
5241 bool can_add_accounts;
5242
5243 dinfo = policy_handle_find(p, r->in.domain_handle,
5244 SAMR_DOMAIN_ACCESS_CREATE_GROUP, NULL,
5245 struct samr_domain_info, &status);
5246 if (!NT_STATUS_IS_OK(status)) {
5247 return status;
5248 }
5249
5250 if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
5251 return NT_STATUS_ACCESS_DENIED;
5252
5253 name = r->in.name->string;
5254 if (name == NULL) {
5255 return NT_STATUS_NO_MEMORY;
5256 }
5257
5258 status = can_create(p->mem_ctx, name);
5259 if (!NT_STATUS_IS_OK(status)) {
5260 return status;
5261 }
5262
5263 se_priv_copy( &se_rights, &se_add_users );
5264 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5265
5266 /******** BEGIN SeAddUsers BLOCK *********/
5267
5268 if ( can_add_accounts )
5269 become_root();
5270
5271 /* check that we successfully create the UNIX group */
5272
5273 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5274
5275 if ( can_add_accounts )
5276 unbecome_root();
5277
5278 /******** END SeAddUsers BLOCK *********/
5279
5280 /* check if we should bail out here */
5281
5282 if ( !NT_STATUS_IS_OK(status) )
5283 return status;
5284
5285 ginfo = policy_handle_create(p, r->out.group_handle,
5286 GENERIC_RIGHTS_GROUP_ALL_ACCESS,
5287 struct samr_group_info, &status);
5288 if (!NT_STATUS_IS_OK(status)) {
5289 return status;
5290 }
5291 sid_compose(&ginfo->sid, &dinfo->sid, *r->out.rid);
5292
5293 force_flush_samr_cache(&dinfo->sid);
5294
5295 return NT_STATUS_OK;
5296 }
5297
5298 /*********************************************************************
5299 _samr_CreateDomAlias
5300 *********************************************************************/
5301
5302 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5303 struct samr_CreateDomAlias *r)
5304 {
5305 DOM_SID info_sid;
5306 const char *name = NULL;
5307 struct samr_domain_info *dinfo;
5308 struct samr_alias_info *ainfo;
5309 gid_t gid;
5310 NTSTATUS result;
5311 SE_PRIV se_rights;
5312 bool can_add_accounts;
5313
5314 dinfo = policy_handle_find(p, r->in.domain_handle,
5315 SAMR_DOMAIN_ACCESS_CREATE_ALIAS, NULL,
5316 struct samr_domain_info, &result);
5317 if (!NT_STATUS_IS_OK(result)) {
5318 return result;
5319 }
5320
5321 if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
5322 return NT_STATUS_ACCESS_DENIED;
5323
5324 name = r->in.alias_name->string;
5325
5326 se_priv_copy( &se_rights, &se_add_users );
5327 can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
5328
5329 result = can_create(p->mem_ctx, name);
5330 if (!NT_STATUS_IS_OK(result)) {
5331 return result;
5332 }
5333
5334 /******** BEGIN SeAddUsers BLOCK *********/
5335
5336 if ( can_add_accounts )
5337 become_root();
5338
5339 /* Have passdb create the alias */
5340 result = pdb_create_alias(name, r->out.rid);
5341
5342 if ( can_add_accounts )
5343 unbecome_root();
5344
5345 /******** END SeAddUsers BLOCK *********/
5346
5347 if (!NT_STATUS_IS_OK(result)) {
5348 DEBUG(10, ("pdb_create_alias failed: %s\n",
5349 nt_errstr(result)));
5350 return result;
5351 }
5352
5353 sid_compose(&info_sid, &dinfo->sid, *r->out.rid);
5354
5355 if (!sid_to_gid(&info_sid, &gid)) {
5356 DEBUG(10, ("Could not find alias just created\n"));
5357 return NT_STATUS_ACCESS_DENIED;
5358 }
5359
5360 /* check if the group has been successfully created */
5361 if ( getgrgid(gid) == NULL ) {
5362 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5363 gid));
5364 return NT_STATUS_ACCESS_DENIED;
5365 }
5366
5367 ainfo = policy_handle_create(p, r->out.alias_handle,
5368 GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
5369 struct samr_alias_info, &result);
5370 if (!NT_STATUS_IS_OK(result)) {
5371 return result;
5372 }
5373 ainfo->sid = info_sid;
5374
5375 force_flush_samr_cache(&info_sid);
5376
5377 return NT_STATUS_OK;
5378 }
5379
5380 /*********************************************************************
5381 _samr_QueryGroupInfo
5382 *********************************************************************/
5383
5384 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5385 struct samr_QueryGroupInfo *r)
5386 {
5387 struct samr_group_info *ginfo;
5388 NTSTATUS status;
5389 GROUP_MAP map;
5390 union samr_GroupInfo *info = NULL;
5391 bool ret;
5392 uint32_t attributes = SE_GROUP_MANDATORY |
5393 SE_GROUP_ENABLED_BY_DEFAULT |
5394 SE_GROUP_ENABLED;
5395 const char *group_name = NULL;
5396 const char *group_description = NULL;
5397
5398 ginfo = policy_handle_find(p, r->in.group_handle,
5399 SAMR_GROUP_ACCESS_LOOKUP_INFO, NULL,
5400 struct samr_group_info, &status);
5401 if (!NT_STATUS_IS_OK(status)) {
5402 return status;
5403 }
5404
5405 become_root();
5406 ret = get_domain_group_from_sid(ginfo->sid, &map);
5407 unbecome_root();
5408 if (!ret)
5409 return NT_STATUS_INVALID_HANDLE;
5410
5411 /* FIXME: map contains fstrings */
5412 group_name = talloc_strdup(r, map.nt_name);
5413 group_description = talloc_strdup(r, map.comment);
5414
5415 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5416 if (!info) {
5417 return NT_STATUS_NO_MEMORY;
5418 }
5419
5420 switch (r->in.level) {
5421 case 1: {
5422 uint32 *members;
5423 size_t num_members;
5424
5425 become_root();
5426 status = pdb_enum_group_members(
5427 p->mem_ctx, &ginfo->sid, &members,
5428 &num_members);
5429 unbecome_root();
5430
5431 if (!NT_STATUS_IS_OK(status)) {
5432 return status;
5433 }
5434
5435 info->all.name.string = group_name;
5436 info->all.attributes = attributes;
5437 info->all.num_members = num_members;
5438 info->all.description.string = group_description;
5439 break;
5440 }
5441 case 2:
5442 info->name.string = group_name;
5443 break;
5444 case 3:
5445 info->attributes.attributes = attributes;
5446 break;
5447 case 4:
5448 info->description.string = group_description;
5449 break;
5450 case 5: {
5451 /*
5452 uint32 *members;
5453 size_t num_members;
5454 */
5455
5456 /*
5457 become_root();
5458 status = pdb_enum_group_members(
5459 p->mem_ctx, &ginfo->sid, &members,
5460 &num_members);
5461 unbecome_root();
5462
5463 if (!NT_STATUS_IS_OK(status)) {
5464 return status;
5465 }
5466 */
5467 info->all2.name.string = group_name;
5468 info->all2.attributes = attributes;
5469 info->all2.num_members = 0; /* num_members - in w2k3 this is always 0 */
5470 info->all2.description.string = group_description;
5471
5472 break;
5473 }
5474 default:
5475 return NT_STATUS_INVALID_INFO_CLASS;
5476 }
5477
5478 *r->out.info = info;
5479
5480 return NT_STATUS_OK;
5481 }
5482
5483 /*********************************************************************
5484 _samr_SetGroupInfo
5485 *********************************************************************/
5486
5487 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5488 struct samr_SetGroupInfo *r)
5489 {
5490 struct samr_group_info *ginfo;
5491 GROUP_MAP map;
5492 NTSTATUS status;
5493 bool ret;
5494 bool can_mod_accounts;
5495
5496 ginfo = policy_handle_find(p, r->in.group_handle,
5497 SAMR_GROUP_ACCESS_SET_INFO, NULL,
5498 struct samr_group_info, &status);
5499 if (!NT_STATUS_IS_OK(status)) {
5500 return status;
5501 }
5502
5503 become_root();
5504 ret = get_domain_group_from_sid(ginfo->sid, &map);
5505 unbecome_root();
5506 if (!ret)
5507 return NT_STATUS_NO_SUCH_GROUP;
5508
5509 switch (r->in.level) {
5510 case 1:
5511 fstrcpy(map.comment, r->in.info->all.description.string);
5512 break;
5513 case 2:
5514 /* group rename is not supported yet */
5515 return NT_STATUS_NOT_SUPPORTED;
5516 case 4:
5517 fstrcpy(map.comment, r->in.info->description.string);
5518 break;
5519 default:
5520 return NT_STATUS_INVALID_INFO_CLASS;
5521 }
5522
5523 can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5524
5525 /******** BEGIN SeAddUsers BLOCK *********/
5526
5527 if ( can_mod_accounts )
5528 become_root();
5529
5530 status = pdb_update_group_mapping_entry(&map);
5531
5532 if ( can_mod_accounts )
5533 unbecome_root();
5534
5535 /******** End SeAddUsers BLOCK *********/
5536
5537 if (NT_STATUS_IS_OK(status)) {
5538 force_flush_samr_cache(&ginfo->sid);
5539 }
5540
5541 return status;
5542 }
5543
5544 /*********************************************************************
5545 _samr_SetAliasInfo
5546 *********************************************************************/
5547
5548 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5549 struct samr_SetAliasInfo *r)
5550 {
5551 struct samr_alias_info *ainfo;
5552 struct acct_info info;
5553 bool can_mod_accounts;
5554 NTSTATUS status;
5555
5556 ainfo = policy_handle_find(p, r->in.alias_handle,
5557 SAMR_ALIAS_ACCESS_SET_INFO, NULL,
5558 struct samr_alias_info, &status);
5559 if (!NT_STATUS_IS_OK(status)) {
5560 return status;
5561 }
5562
5563 /* get the current group information */
5564
5565 become_root();
5566 status = pdb_get_aliasinfo( &ainfo->sid, &info );
5567 unbecome_root();
5568
5569 if ( !NT_STATUS_IS_OK(status))
5570 return status;
5571
5572 switch (r->in.level) {
5573 case ALIASINFONAME:
5574 {
5575 fstring group_name;
5576
5577 /* We currently do not support renaming groups in the
5578 the BUILTIN domain. Refer to util_builtin.c to understand
5579 why. The eventually needs to be fixed to be like Windows
5580 where you can rename builtin groups, just not delete them */
5581
5582 if ( sid_check_is_in_builtin( &ainfo->sid ) ) {
5583 return NT_STATUS_SPECIAL_ACCOUNT;
5584 }
5585
5586 /* There has to be a valid name (and it has to be different) */
5587
5588 if ( !r->in.info->name.string )
5589 return NT_STATUS_INVALID_PARAMETER;
5590
5591 /* If the name is the same just reply "ok". Yes this
5592 doesn't allow you to change the case of a group name. */
5593
5594 if ( strequal( r->in.info->name.string, info.acct_name ) )
5595 return NT_STATUS_OK;
5596
5597 fstrcpy( info.acct_name, r->in.info->name.string);
5598
5599 /* make sure the name doesn't already exist as a user
5600 or local group */
5601
5602 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5603 status = can_create( p->mem_ctx, group_name );
5604 if ( !NT_STATUS_IS_OK( status ) )
5605 return status;
5606 break;
5607 }
5608 case ALIASINFODESCRIPTION:
5609 if (r->in.info->description.string) {
5610 fstrcpy(info.acct_desc,
5611 r->in.info->description.string);
5612 } else {
5613 fstrcpy( info.acct_desc, "" );
5614 }
5615 break;
5616 default:
5617 return NT_STATUS_INVALID_INFO_CLASS;
5618 }
5619
5620 can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
5621
5622 /******** BEGIN SeAddUsers BLOCK *********/
5623
5624 if ( can_mod_accounts )
5625 become_root();
5626
5627 status = pdb_set_aliasinfo( &ainfo->sid, &info );
5628
5629 if ( can_mod_accounts )
5630 unbecome_root();
5631
5632 /******** End SeAddUsers BLOCK *********/
5633
5634 if (NT_STATUS_IS_OK(status))
5635 force_flush_samr_cache(&ainfo->sid);
5636
5637 return status;
5638 }
5639
5640 /****************************************************************
5641 _samr_GetDomPwInfo
5642 ****************************************************************/
5643
5644 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5645 struct samr_GetDomPwInfo *r)
5646 {
5647 uint32_t min_password_length = 0;
5648 uint32_t password_properties = 0;
5649
5650 /* Perform access check. Since this rpc does not require a
5651 policy handle it will not be caught by the access checks on
5652 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5653
5654 if (!pipe_access_check(p)) {
5655 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5656 return NT_STATUS_ACCESS_DENIED;
5657 }
5658
5659 become_root();
5660 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5661 &min_password_length);
5662 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5663 &password_properties);
5664 unbecome_root();
5665
5666 if (lp_check_password_script() && *lp_check_password_script()) {
5667 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5668 }
5669
5670 r->out.info->min_password_length = min_password_length;
5671 r->out.info->password_properties = password_properties;
5672
5673 return NT_STATUS_OK;
5674 }
5675
5676 /*********************************************************************
5677 _samr_OpenGroup
5678 *********************************************************************/
5679
5680 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5681 struct samr_OpenGroup *r)
5682
5683 {
5684 DOM_SID info_sid;
5685 GROUP_MAP map;
5686 struct samr_domain_info *dinfo;
5687 struct samr_group_info *ginfo;
5688 SEC_DESC *psd = NULL;
5689 uint32 acc_granted;
5690 uint32 des_access = r->in.access_mask;
5691 size_t sd_size;
5692 NTSTATUS status;
5693 bool ret;
5694 SE_PRIV se_rights;
5695
5696 dinfo = policy_handle_find(p, r->in.domain_handle,
5697 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
5698 struct samr_domain_info, &status);
5699 if (!NT_STATUS_IS_OK(status)) {
5700 return status;
5701 }
5702
5703 /*check if access can be granted as requested by client. */
5704 map_max_allowed_access(p->server_info->ptok, &des_access);
5705
5706 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5707 se_map_generic(&des_access,&grp_generic_mapping);
5708
5709 se_priv_copy( &se_rights, &se_add_users );
5710
5711 status = access_check_samr_object(psd, p->server_info->ptok,
5712 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5713 &acc_granted, "_samr_OpenGroup");
5714
5715 if ( !NT_STATUS_IS_OK(status) )
5716 return status;
5717
5718 /* this should not be hard-coded like this */
5719
5720 if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
5721 return NT_STATUS_ACCESS_DENIED;
5722
5723 sid_compose(&info_sid, &dinfo->sid, r->in.rid);
5724
5725 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n",
5726 sid_string_dbg(&info_sid)));
5727
5728 /* check if that group really exists */
5729 become_root();
5730 ret = get_domain_group_from_sid(info_sid, &map);
5731 unbecome_root();
5732 if (!ret)
5733 return NT_STATUS_NO_SUCH_GROUP;
5734
5735 ginfo = policy_handle_create(p, r->out.group_handle,
5736 GENERIC_RIGHTS_GROUP_ALL_ACCESS,
5737 struct samr_group_info, &status);
5738 if (!NT_STATUS_IS_OK(status)) {
5739 return status;
5740 }
5741 ginfo->sid = info_sid;
5742
5743 return NT_STATUS_OK;
5744 }
5745
5746 /*********************************************************************
5747 _samr_RemoveMemberFromForeignDomain
5748 *********************************************************************/
5749
5750 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5751 struct samr_RemoveMemberFromForeignDomain *r)
5752 {
5753 struct samr_domain_info *dinfo;
5754 NTSTATUS result;
5755
5756 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5757 sid_string_dbg(r->in.sid)));
5758
5759 /* Find the policy handle. Open a policy on it. */
5760
5761 dinfo = policy_handle_find(p, r->in.domain_handle,
5762 STD_RIGHT_DELETE_ACCESS, NULL,
5763 struct samr_domain_info, &result);
5764 if (!NT_STATUS_IS_OK(result)) {
5765 return result;
5766 }
5767
5768 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5769 sid_string_dbg(&dinfo->sid)));
5770
5771 /* we can only delete a user from a group since we don't have
5772 nested groups anyways. So in the latter case, just say OK */
5773
5774 /* TODO: The above comment nowadays is bogus. Since we have nested
5775 * groups now, and aliases members are never reported out of the unix
5776 * group membership, the "just say OK" makes this call a no-op. For
5777 * us. This needs fixing however. */
5778
5779 /* I've only ever seen this in the wild when deleting a user from
5780 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5781 * is the user about to be deleted. I very much suspect this is the
5782 * only application of this call. To verify this, let people report
5783 * other cases. */
5784
5785 if (!sid_check_is_builtin(&dinfo->sid)) {
5786 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5787 "global_sam_sid() = %s\n",
5788 sid_string_dbg(&dinfo->sid),
5789 sid_string_dbg(get_global_sam_sid())));
5790 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5791 return NT_STATUS_OK;
5792 }
5793
5794 force_flush_samr_cache(&dinfo->sid);
5795
5796 result = NT_STATUS_OK;
5797
5798 return result;
5799 }
5800
5801 /*******************************************************************
5802 _samr_QueryDomainInfo2
5803 ********************************************************************/
5804
5805 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5806 struct samr_QueryDomainInfo2 *r)
5807 {
5808 struct samr_QueryDomainInfo q;
5809
5810 q.in.domain_handle = r->in.domain_handle;
5811 q.in.level = r->in.level;
5812
5813 q.out.info = r->out.info;
5814
5815 return _samr_QueryDomainInfo(p, &q);
5816 }
5817
5818 /*******************************************************************
5819 _samr_SetDomainInfo
5820 ********************************************************************/
5821
5822 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5823 struct samr_SetDomainInfo *r)
5824 {
5825 struct samr_domain_info *dinfo;
5826 time_t u_expire, u_min_age;
5827 time_t u_logout;
5828 time_t u_lock_duration, u_reset_time;
5829 NTSTATUS result;
5830
5831 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5832
5833 /* We do have different access bits for info
5834 * levels here, but we're really just looking for
5835 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5836 * this maps to different specific bits. So
5837 * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
5838 * set we are ok. */
5839
5840 dinfo = policy_handle_find(p, r->in.domain_handle,
5841 SAMR_DOMAIN_ACCESS_SET_INFO_1, NULL,
5842 struct samr_domain_info, &result);
5843 if (!NT_STATUS_IS_OK(result)) {
5844 return result;
5845 }
5846
5847 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5848
5849 switch (r->in.level) {
5850 case 0x01:
5851 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5852 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5853 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5854 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5855 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5856 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5857 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5858 break;
5859 case 0x02:
5860 break;
5861 case 0x03:
5862 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5863 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5864 break;
5865 case 0x05:
5866 break;
5867 case 0x06:
5868 break;
5869 case 0x07:
5870 break;
5871 case 0x0c:
5872 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5873 if (u_lock_duration != -1)
5874 u_lock_duration /= 60;
5875
5876 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5877
5878 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5879 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5880 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5881 break;
5882 default:
5883 return NT_STATUS_INVALID_INFO_CLASS;
5884 }
5885
5886 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5887
5888 return NT_STATUS_OK;
5889 }
5890
5891 /****************************************************************
5892 _samr_GetDisplayEnumerationIndex
5893 ****************************************************************/
5894
5895 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5896 struct samr_GetDisplayEnumerationIndex *r)
5897 {
5898 struct samr_domain_info *dinfo;
5899 uint32_t max_entries = (uint32_t) -1;
5900 uint32_t enum_context = 0;
5901 int i;
5902 uint32_t num_account = 0;
5903 struct samr_displayentry *entries = NULL;
5904 NTSTATUS status;
5905
5906 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5907
5908 dinfo = policy_handle_find(p, r->in.domain_handle,
5909 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
5910 struct samr_domain_info, &status);
5911 if (!NT_STATUS_IS_OK(status)) {
5912 return status;
5913 }
5914
5915 if ((r->in.level < 1) || (r->in.level > 3)) {
5916 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5917 "Unknown info level (%u)\n",
5918 r->in.level));
5919 return NT_STATUS_INVALID_INFO_CLASS;
5920 }
5921
5922 become_root();
5923
5924 /* The following done as ROOT. Don't return without unbecome_root(). */
5925
5926 switch (r->in.level) {
5927 case 1:
5928 if (dinfo->disp_info->users == NULL) {
5929 dinfo->disp_info->users = pdb_search_users(
5930 dinfo->disp_info, ACB_NORMAL);
5931 if (dinfo->disp_info->users == NULL) {
5932 unbecome_root();
5933 return NT_STATUS_ACCESS_DENIED;
5934 }
5935 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5936 "starting user enumeration at index %u\n",
5937 (unsigned int)enum_context));
5938 } else {
5939 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5940 "using cached user enumeration at index %u\n",
5941 (unsigned int)enum_context));
5942 }
5943 num_account = pdb_search_entries(dinfo->disp_info->users,
5944 enum_context, max_entries,
5945 &entries);
5946 break;
5947 case 2:
5948 if (dinfo->disp_info->machines == NULL) {
5949 dinfo->disp_info->machines = pdb_search_users(
5950 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
5951 if (dinfo->disp_info->machines == NULL) {
5952 unbecome_root();
5953 return NT_STATUS_ACCESS_DENIED;
5954 }
5955 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5956 "starting machine enumeration at index %u\n",
5957 (unsigned int)enum_context));
5958 } else {
5959 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5960 "using cached machine enumeration at index %u\n",
5961 (unsigned int)enum_context));
5962 }
5963 num_account = pdb_search_entries(dinfo->disp_info->machines,
5964 enum_context, max_entries,
5965 &entries);
5966 break;
5967 case 3:
5968 if (dinfo->disp_info->groups == NULL) {
5969 dinfo->disp_info->groups = pdb_search_groups(
5970 dinfo->disp_info);
5971 if (dinfo->disp_info->groups == NULL) {
5972 unbecome_root();
5973 return NT_STATUS_ACCESS_DENIED;
5974 }
5975 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5976 "starting group enumeration at index %u\n",
5977 (unsigned int)enum_context));
5978 } else {
5979 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5980 "using cached group enumeration at index %u\n",
5981 (unsigned int)enum_context));
5982 }
5983 num_account = pdb_search_entries(dinfo->disp_info->groups,
5984 enum_context, max_entries,
5985 &entries);
5986 break;
5987 default:
5988 unbecome_root();
5989 smb_panic("info class changed");
5990 break;
5991 }
5992
5993 unbecome_root();
5994
5995 /* Ensure we cache this enumeration. */
5996 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
5997
5998 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5999 r->in.name->string));
6000
6001 for (i=0; i<num_account; i++) {
6002 if (strequal(entries[i].account_name, r->in.name->string)) {
6003 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6004 "found %s at idx %d\n",
6005 r->in.name->string, i));
6006 *r->out.idx = i;
6007 return NT_STATUS_OK;
6008 }
6009 }
6010
6011 /* assuming account_name lives at the very end */
6012 *r->out.idx = num_account;
6013
6014 return NT_STATUS_NO_MORE_ENTRIES;
6015 }
6016
6017 /****************************************************************
6018 _samr_GetDisplayEnumerationIndex2
6019 ****************************************************************/
6020
6021 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
6022 struct samr_GetDisplayEnumerationIndex2 *r)
6023 {
6024 struct samr_GetDisplayEnumerationIndex q;
6025
6026 q.in.domain_handle = r->in.domain_handle;
6027 q.in.level = r->in.level;
6028 q.in.name = r->in.name;
6029
6030 q.out.idx = r->out.idx;
6031
6032 return _samr_GetDisplayEnumerationIndex(p, &q);
6033 }
6034
6035 /****************************************************************
6036 ****************************************************************/
6037
6038 NTSTATUS _samr_Shutdown(pipes_struct *p,
6039 struct samr_Shutdown *r)
6040 {
6041 p->rng_fault_state = true;
6042 return NT_STATUS_NOT_IMPLEMENTED;
6043 }
6044
6045 /****************************************************************
6046 ****************************************************************/
6047
6048 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
6049 struct samr_SetMemberAttributesOfGroup *r)
6050 {
6051 p->rng_fault_state = true;
6052 return NT_STATUS_NOT_IMPLEMENTED;
6053 }
6054
6055 /****************************************************************
6056 ****************************************************************/
6057
6058 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
6059 struct samr_ChangePasswordUser *r)
6060 {
6061 p->rng_fault_state = true;
6062 return NT_STATUS_NOT_IMPLEMENTED;
6063 }
6064
6065 /****************************************************************
6066 ****************************************************************/
6067
6068 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
6069 struct samr_TestPrivateFunctionsDomain *r)
6070 {
6071 p->rng_fault_state = true;
6072 return NT_STATUS_NOT_IMPLEMENTED;
6073 }
6074
6075 /****************************************************************
6076 ****************************************************************/
6077
6078 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
6079 struct samr_TestPrivateFunctionsUser *r)
6080 {
6081 p->rng_fault_state = true;
6082 return NT_STATUS_NOT_IMPLEMENTED;
6083 }
6084
6085 /****************************************************************
6086 ****************************************************************/
6087
6088 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
6089 struct samr_AddMultipleMembersToAlias *r)
6090 {
6091 p->rng_fault_state = true;
6092 return NT_STATUS_NOT_IMPLEMENTED;
6093 }
6094
6095 /****************************************************************
6096 ****************************************************************/
6097
6098 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
6099 struct samr_RemoveMultipleMembersFromAlias *r)
6100 {
6101 p->rng_fault_state = true;
6102 return NT_STATUS_NOT_IMPLEMENTED;
6103 }
6104
6105 /****************************************************************
6106 ****************************************************************/
6107
6108 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
6109 struct samr_OemChangePasswordUser2 *r)
6110 {
6111 p->rng_fault_state = true;
6112 return NT_STATUS_NOT_IMPLEMENTED;
6113 }
6114
6115 /****************************************************************
6116 ****************************************************************/
6117
6118 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
6119 struct samr_SetBootKeyInformation *r)
6120 {
6121 p->rng_fault_state = true;
6122 return NT_STATUS_NOT_IMPLEMENTED;
6123 }
6124
6125 /****************************************************************
6126 ****************************************************************/
6127
6128 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
6129 struct samr_GetBootKeyInformation *r)
6130 {
6131 p->rng_fault_state = true;
6132 return NT_STATUS_NOT_IMPLEMENTED;
6133 }
6134
6135 /****************************************************************
6136 ****************************************************************/
6137
6138 NTSTATUS _samr_RidToSid(pipes_struct *p,
6139 struct samr_RidToSid *r)
6140 {
6141 p->rng_fault_state = true;
6142 return NT_STATUS_NOT_IMPLEMENTED;
6143 }
6144
6145 /****************************************************************
6146 ****************************************************************/
6147
6148 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
6149 struct samr_SetDsrmPassword *r)
6150 {
6151 p->rng_fault_state = true;
6152 return NT_STATUS_NOT_IMPLEMENTED;
6153 }
6154
6155 /****************************************************************
6156 ****************************************************************/
6157
6158 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
6159 struct samr_ValidatePassword *r)
6160 {
6161 p->rng_fault_state = true;
6162 return NT_STATUS_NOT_IMPLEMENTED;
6163 }
WIP