2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001,
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* This is the implementation of the lsa server code. */
31 #define DBGC_CLASS DBGC_RPC_SRV
40 struct generic_mapping lsa_generic_mapping
= {
47 /*******************************************************************
48 Function to free the per handle data.
49 ********************************************************************/
51 static void free_lsa_info(void *ptr
)
53 struct lsa_info
*lsa
= (struct lsa_info
*)ptr
;
58 /***************************************************************************
60 ***************************************************************************/
62 static void init_dom_query(DOM_QUERY
*d_q
, const char *dom_name
, DOM_SID
*dom_sid
)
64 d_q
->buffer_dom_name
= (dom_name
!= NULL
) ? 1 : 0; /* domain buffer pointer */
65 d_q
->buffer_dom_sid
= (dom_sid
!= NULL
) ? 1 : 0; /* domain sid pointer */
67 /* this string is supposed to be non-null terminated. */
68 /* But the maxlen in this UNISTR2 must include the terminating null. */
69 init_unistr2(&d_q
->uni_domain_name
, dom_name
, UNI_BROKEN_NON_NULL
);
72 * I'm not sure why this really odd combination of length
73 * values works, but it does appear to. I need to look at
74 * this *much* more closely - but at the moment leave alone
75 * until it's understood. This allows a W2k client to join
76 * a domain with both odd and even length names... JRA.
81 * The two fields below probably are reversed in meaning, ie.
82 * the first field is probably the str_len, the second the max
83 * len. Both are measured in bytes anyway.
86 d_q
->uni_dom_str_len
= d_q
->uni_domain_name
.uni_max_len
* 2;
87 d_q
->uni_dom_max_len
= d_q
->uni_domain_name
.uni_str_len
* 2;
90 init_dom_sid2(&d_q
->dom_sid
, dom_sid
);
93 /***************************************************************************
94 init_dom_ref - adds a domain if it's not already in, returns the index.
95 ***************************************************************************/
97 static int init_dom_ref(DOM_R_REF
*ref
, char *dom_name
, DOM_SID
*dom_sid
)
101 if (dom_name
!= NULL
) {
102 for (num
= 0; num
< ref
->num_ref_doms_1
; num
++) {
104 rpcstr_pull(domname
, &ref
->ref_dom
[num
].uni_dom_name
, sizeof(domname
), -1, 0);
105 if (strequal(domname
, dom_name
))
109 num
= ref
->num_ref_doms_1
;
112 if (num
>= MAX_REF_DOMAINS
) {
113 /* index not found, already at maximum domain limit */
117 ref
->num_ref_doms_1
= num
+1;
118 ref
->ptr_ref_dom
= 1;
119 ref
->max_entries
= MAX_REF_DOMAINS
;
120 ref
->num_ref_doms_2
= num
+1;
122 ref
->hdr_ref_dom
[num
].ptr_dom_sid
= dom_sid
!= NULL
? 1 : 0;
124 init_unistr2(&ref
->ref_dom
[num
].uni_dom_name
, dom_name
, UNI_FLAGS_NONE
);
125 init_uni_hdr(&ref
->hdr_ref_dom
[num
].hdr_dom_name
, &ref
->ref_dom
[num
].uni_dom_name
);
127 init_dom_sid2(&ref
->ref_dom
[num
].ref_dom
, dom_sid
);
132 /***************************************************************************
134 ***************************************************************************/
136 static void init_lsa_rid2s(DOM_R_REF
*ref
, DOM_RID2
*rid2
,
137 int num_entries
, UNISTR2
*name
,
138 uint32
*mapped_count
, BOOL endian
)
144 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
146 become_root(); /* lookup_name can require root privs */
148 for (i
= 0; i
< num_entries
; i
++) {
151 uint32 rid
= 0xffffffff;
154 fstring dom_name
, user
;
155 enum SID_NAME_USE name_type
= SID_NAME_UNKNOWN
;
157 /* Split name into domain and user component */
159 unistr2_to_ascii(full_name
, &name
[i
], sizeof(full_name
));
160 split_domain_name(full_name
, dom_name
, user
);
164 DEBUG(5, ("init_lsa_rid2s: looking up name %s\n", full_name
));
166 status
= lookup_name(dom_name
, user
, &sid
, &name_type
);
168 if((name_type
== SID_NAME_UNKNOWN
) && (lp_server_role() == ROLE_DOMAIN_MEMBER
) && (strncmp(dom_name
, full_name
, strlen(dom_name
)) != 0)) {
169 DEBUG(5, ("init_lsa_rid2s: domain name not provided and local account not found, using member domain\n"));
170 fstrcpy(dom_name
, lp_workgroup());
171 status
= lookup_name(dom_name
, user
, &sid
, &name_type
);
174 if (name_type
== SID_NAME_WKN_GRP
) {
175 /* BUILTIN aliases are still aliases :-) */
176 name_type
= SID_NAME_ALIAS
;
179 DEBUG(5, ("init_lsa_rid2s: %s\n", status
? "found" :
182 if (status
&& name_type
!= SID_NAME_UNKNOWN
) {
183 sid_split_rid(&sid
, &rid
);
184 dom_idx
= init_dom_ref(ref
, dom_name
, &sid
);
189 name_type
= SID_NAME_UNKNOWN
;
192 init_dom_rid2(&rid2
[total
], rid
, name_type
, dom_idx
);
199 /***************************************************************************
200 init_reply_lookup_names
201 ***************************************************************************/
203 static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES
*r_l
,
204 DOM_R_REF
*ref
, uint32 num_entries
,
205 DOM_RID2
*rid2
, uint32 mapped_count
)
207 r_l
->ptr_dom_ref
= 1;
210 r_l
->num_entries
= num_entries
;
211 r_l
->ptr_entries
= 1;
212 r_l
->num_entries2
= num_entries
;
215 r_l
->mapped_count
= mapped_count
;
218 /***************************************************************************
219 Init lsa_trans_names.
220 ***************************************************************************/
222 static void init_lsa_trans_names(TALLOC_CTX
*ctx
, DOM_R_REF
*ref
, LSA_TRANS_NAME_ENUM
*trn
,
223 int num_entries
, DOM_SID2
*sid
,
224 uint32
*mapped_count
)
230 /* Allocate memory for list of names */
232 if (num_entries
> 0) {
233 if (!(trn
->name
= (LSA_TRANS_NAME
*)talloc(ctx
, sizeof(LSA_TRANS_NAME
) *
235 DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
239 if (!(trn
->uni_name
= (UNISTR2
*)talloc(ctx
, sizeof(UNISTR2
) *
241 DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
246 become_root(); /* Need root to get to passdb to for local sids */
248 for (i
= 0; i
< num_entries
; i
++) {
250 DOM_SID find_sid
= sid
[i
].sid
;
251 uint32 rid
= 0xffffffff;
253 fstring name
, dom_name
;
254 enum SID_NAME_USE sid_name_use
= (enum SID_NAME_USE
)0;
256 sid_to_string(name
, &find_sid
);
257 DEBUG(5, ("init_lsa_trans_names: looking up sid %s\n", name
));
259 /* Lookup sid from winbindd */
261 status
= lookup_sid(&find_sid
, dom_name
, name
, &sid_name_use
);
263 DEBUG(5, ("init_lsa_trans_names: %s\n", status
? "found" :
267 sid_name_use
= SID_NAME_UNKNOWN
;
268 memset(dom_name
, '\0', sizeof(dom_name
));
269 sid_to_string(name
, &find_sid
);
272 DEBUG(10,("init_lsa_trans_names: added unknown user '%s' to "
273 "referenced list.\n", name
));
276 /* Store domain sid in ref array */
277 if (find_sid
.num_auths
== 5) {
278 sid_split_rid(&find_sid
, &rid
);
280 dom_idx
= init_dom_ref(ref
, dom_name
, &find_sid
);
282 DEBUG(10,("init_lsa_trans_names: added user '%s\\%s' to "
283 "referenced list.\n", dom_name
, name
));
287 init_lsa_trans_name(&trn
->name
[total
], &trn
->uni_name
[total
],
288 sid_name_use
, name
, dom_idx
);
294 trn
->num_entries
= total
;
295 trn
->ptr_trans_names
= 1;
296 trn
->num_entries2
= total
;
299 /***************************************************************************
300 Init_reply_lookup_sids.
301 ***************************************************************************/
303 static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS
*r_l
,
304 DOM_R_REF
*ref
, LSA_TRANS_NAME_ENUM
*names
,
307 r_l
->ptr_dom_ref
= 1;
310 r_l
->mapped_count
= mapped_count
;
313 static NTSTATUS
lsa_get_generic_sd(TALLOC_CTX
*mem_ctx
, SEC_DESC
**sd
, size_t *sd_size
)
315 extern DOM_SID global_sid_World
;
316 extern DOM_SID global_sid_Builtin
;
317 DOM_SID local_adm_sid
;
325 init_sec_access(&mask
, POLICY_EXECUTE
);
326 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
328 sid_copy(&adm_sid
, get_global_sam_sid());
329 sid_append_rid(&adm_sid
, DOMAIN_GROUP_RID_ADMINS
);
330 init_sec_access(&mask
, POLICY_ALL_ACCESS
);
331 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
333 sid_copy(&local_adm_sid
, &global_sid_Builtin
);
334 sid_append_rid(&local_adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
335 init_sec_access(&mask
, POLICY_ALL_ACCESS
);
336 init_sec_ace(&ace
[2], &local_adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, 0);
338 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
339 return NT_STATUS_NO_MEMORY
;
341 if((*sd
= make_sec_desc(mem_ctx
, SEC_DESC_REVISION
, SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
, psa
, sd_size
)) == NULL
)
342 return NT_STATUS_NO_MEMORY
;
347 /***************************************************************************
349 ***************************************************************************/
351 static void init_dns_dom_info(LSA_DNS_DOM_INFO
*r_l
, const char *nb_name
,
352 const char *dns_name
, const char *forest_name
,
353 struct uuid
*dom_guid
, DOM_SID
*dom_sid
)
355 if (nb_name
&& *nb_name
) {
356 init_unistr2(&r_l
->uni_nb_dom_name
, nb_name
, UNI_FLAGS_NONE
);
357 init_uni_hdr(&r_l
->hdr_nb_dom_name
, &r_l
->uni_nb_dom_name
);
358 r_l
->hdr_nb_dom_name
.uni_max_len
+= 2;
359 r_l
->uni_nb_dom_name
.uni_max_len
+= 1;
362 if (dns_name
&& *dns_name
) {
363 init_unistr2(&r_l
->uni_dns_dom_name
, dns_name
, UNI_FLAGS_NONE
);
364 init_uni_hdr(&r_l
->hdr_dns_dom_name
, &r_l
->uni_dns_dom_name
);
365 r_l
->hdr_dns_dom_name
.uni_max_len
+= 2;
366 r_l
->uni_dns_dom_name
.uni_max_len
+= 1;
369 if (forest_name
&& *forest_name
) {
370 init_unistr2(&r_l
->uni_forest_name
, forest_name
, UNI_FLAGS_NONE
);
371 init_uni_hdr(&r_l
->hdr_forest_name
, &r_l
->uni_forest_name
);
372 r_l
->hdr_forest_name
.uni_max_len
+= 2;
373 r_l
->uni_forest_name
.uni_max_len
+= 1;
376 /* how do we init the guid ? probably should write an init fn */
378 memcpy(&r_l
->dom_guid
, dom_guid
, sizeof(struct uuid
));
382 r_l
->ptr_dom_sid
= 1;
383 init_dom_sid2(&r_l
->dom_sid
, dom_sid
);
387 /***************************************************************************
389 ***************************************************************************/
391 NTSTATUS
_lsa_open_policy2(pipes_struct
*p
, LSA_Q_OPEN_POL2
*q_u
, LSA_R_OPEN_POL2
*r_u
)
393 struct lsa_info
*info
;
394 SEC_DESC
*psd
= NULL
;
396 uint32 des_access
=q_u
->des_access
;
401 /* map the generic bits to the lsa policy ones */
402 se_map_generic(&des_access
, &lsa_generic_mapping
);
404 /* get the generic lsa policy SD until we store it */
405 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
407 if(!se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
, &status
)) {
408 if (geteuid() != 0) {
411 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
412 acc_granted
, des_access
));
413 DEBUGADD(4,("but overwritten by euid == 0\n"));
414 acc_granted
= des_access
;
418 /* associate the domain SID with the (unique) handle. */
419 if ((info
= (struct lsa_info
*)malloc(sizeof(struct lsa_info
))) == NULL
)
420 return NT_STATUS_NO_MEMORY
;
423 sid_copy(&info
->sid
,get_global_sam_sid());
424 info
->access
= acc_granted
;
426 /* set up the LSA QUERY INFO response */
427 if (!create_policy_hnd(p
, &r_u
->pol
, free_lsa_info
, (void *)info
))
428 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
433 /***************************************************************************
435 ***************************************************************************/
437 NTSTATUS
_lsa_open_policy(pipes_struct
*p
, LSA_Q_OPEN_POL
*q_u
, LSA_R_OPEN_POL
*r_u
)
439 struct lsa_info
*info
;
440 SEC_DESC
*psd
= NULL
;
442 uint32 des_access
=q_u
->des_access
;
447 /* map the generic bits to the lsa policy ones */
448 se_map_generic(&des_access
, &lsa_generic_mapping
);
450 /* get the generic lsa policy SD until we store it */
451 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
453 if(!se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
, &status
)) {
454 if (geteuid() != 0) {
457 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
458 acc_granted
, des_access
));
459 DEBUGADD(4,("but overwritten by euid == 0\n"));
460 acc_granted
= des_access
;
463 /* associate the domain SID with the (unique) handle. */
464 if ((info
= (struct lsa_info
*)malloc(sizeof(struct lsa_info
))) == NULL
)
465 return NT_STATUS_NO_MEMORY
;
468 sid_copy(&info
->sid
,get_global_sam_sid());
469 info
->access
= acc_granted
;
471 /* set up the LSA QUERY INFO response */
472 if (!create_policy_hnd(p
, &r_u
->pol
, free_lsa_info
, (void *)info
))
473 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
478 /***************************************************************************
479 _lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA.
481 ***************************************************************************/
483 NTSTATUS
_lsa_enum_trust_dom(pipes_struct
*p
, LSA_Q_ENUM_TRUST_DOM
*q_u
, LSA_R_ENUM_TRUST_DOM
*r_u
)
485 struct lsa_info
*info
;
486 uint32 enum_context
= q_u
->enum_context
;
489 * preferred length is set to 5 as a "our" preferred length
490 * nt sets this parameter to 2
491 * update (20.08.2002): it's not preferred length, but preferred size!
492 * it needs further investigation how to optimally choose this value
494 uint32 max_num_domains
= q_u
->preferred_len
< 5 ? q_u
->preferred_len
: 10;
495 TRUSTDOM
**trust_doms
;
499 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
500 return NT_STATUS_INVALID_HANDLE
;
502 /* check if the user have enough rights */
503 if (!(info
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
504 return NT_STATUS_ACCESS_DENIED
;
506 nt_status
= secrets_get_trusted_domains(p
->mem_ctx
, (int *)&enum_context
, max_num_domains
, (int *)&num_domains
, &trust_doms
);
508 if (!NT_STATUS_IS_OK(nt_status
) &&
509 !NT_STATUS_EQUAL(nt_status
, STATUS_MORE_ENTRIES
) &&
510 !NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_MORE_ENTRIES
)) {
513 r_u
->status
= nt_status
;
516 /* set up the lsa_enum_trust_dom response */
517 init_r_enum_trust_dom(p
->mem_ctx
, r_u
, enum_context
, max_num_domains
, num_domains
, trust_doms
);
522 /***************************************************************************
523 _lsa_query_info. See the POLICY_INFOMATION_CLASS docs at msdn.
524 ***************************************************************************/
526 NTSTATUS
_lsa_query_info(pipes_struct
*p
, LSA_Q_QUERY_INFO
*q_u
, LSA_R_QUERY_INFO
*r_u
)
528 struct lsa_info
*handle
;
529 LSA_INFO_UNION
*info
= &r_u
->dom
;
534 r_u
->status
= NT_STATUS_OK
;
536 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
537 return NT_STATUS_INVALID_HANDLE
;
539 switch (q_u
->info_class
) {
543 /* check if the user have enough rights */
544 if (!(handle
->access
& POLICY_VIEW_AUDIT_INFORMATION
))
545 return NT_STATUS_ACCESS_DENIED
;
547 /* fake info: We audit everything. ;) */
548 info
->id2
.auditing_enabled
= 1;
549 info
->id2
.count1
= 7;
550 info
->id2
.count2
= 7;
551 if ((info
->id2
.auditsettings
= (uint32
*)talloc(p
->mem_ctx
,7*sizeof(uint32
))) == NULL
)
552 return NT_STATUS_NO_MEMORY
;
553 for (i
= 0; i
< 7; i
++)
554 info
->id2
.auditsettings
[i
] = 3;
558 /* check if the user have enough rights */
559 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
560 return NT_STATUS_ACCESS_DENIED
;
562 /* Request PolicyPrimaryDomainInformation. */
563 switch (lp_server_role()) {
564 case ROLE_DOMAIN_PDC
:
565 case ROLE_DOMAIN_BDC
:
566 name
= get_global_sam_name();
567 sid
= get_global_sam_sid();
569 case ROLE_DOMAIN_MEMBER
:
570 name
= lp_workgroup();
571 /* We need to return the Domain SID here. */
572 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
))
575 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
577 case ROLE_STANDALONE
:
578 name
= lp_workgroup();
582 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
584 init_dom_query(&r_u
->dom
.id3
, name
, sid
);
587 /* check if the user have enough rights */
588 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
589 return NT_STATUS_ACCESS_DENIED
;
591 /* Request PolicyAccountDomainInformation. */
592 name
= get_global_sam_name();
593 sid
= get_global_sam_sid();
594 init_dom_query(&r_u
->dom
.id5
, name
, sid
);
597 /* check if the user have enough rights */
598 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
599 return NT_STATUS_ACCESS_DENIED
;
601 switch (lp_server_role()) {
602 case ROLE_DOMAIN_BDC
:
604 * only a BDC is a backup controller
605 * of the domain, it controls.
607 info
->id6
.server_role
= 2;
611 * any other role is a primary
612 * of the domain, it controls.
614 info
->id6
.server_role
= 3;
619 DEBUG(0,("_lsa_query_info: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
620 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
624 if (NT_STATUS_IS_OK(r_u
->status
)) {
625 r_u
->undoc_buffer
= 0x22000000; /* bizarre */
626 r_u
->info_class
= q_u
->info_class
;
632 /***************************************************************************
634 ***************************************************************************/
636 NTSTATUS
_lsa_lookup_sids(pipes_struct
*p
, LSA_Q_LOOKUP_SIDS
*q_u
, LSA_R_LOOKUP_SIDS
*r_u
)
638 struct lsa_info
*handle
;
639 DOM_SID2
*sid
= q_u
->sids
.sid
;
640 int num_entries
= q_u
->sids
.num_entries
;
641 DOM_R_REF
*ref
= NULL
;
642 LSA_TRANS_NAME_ENUM
*names
= NULL
;
643 uint32 mapped_count
= 0;
645 if (num_entries
> MAX_LOOKUP_SIDS
) {
646 num_entries
= MAX_LOOKUP_SIDS
;
647 DEBUG(5,("_lsa_lookup_sids: truncating SID lookup list to %d\n", num_entries
));
650 ref
= (DOM_R_REF
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_R_REF
));
651 names
= (LSA_TRANS_NAME_ENUM
*)talloc_zero(p
->mem_ctx
, sizeof(LSA_TRANS_NAME_ENUM
));
653 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
)) {
654 r_u
->status
= NT_STATUS_INVALID_HANDLE
;
658 /* check if the user have enough rights */
659 if (!(handle
->access
& POLICY_LOOKUP_NAMES
)) {
660 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
664 return NT_STATUS_NO_MEMORY
;
668 /* set up the LSA Lookup SIDs response */
669 init_lsa_trans_names(p
->mem_ctx
, ref
, names
, num_entries
, sid
, &mapped_count
);
670 if (mapped_count
== 0)
671 r_u
->status
= NT_STATUS_NONE_MAPPED
;
672 else if (mapped_count
!= num_entries
)
673 r_u
->status
= STATUS_SOME_UNMAPPED
;
675 r_u
->status
= NT_STATUS_OK
;
676 init_reply_lookup_sids(r_u
, ref
, names
, mapped_count
);
681 /***************************************************************************
682 lsa_reply_lookup_names
683 ***************************************************************************/
685 NTSTATUS
_lsa_lookup_names(pipes_struct
*p
,LSA_Q_LOOKUP_NAMES
*q_u
, LSA_R_LOOKUP_NAMES
*r_u
)
687 struct lsa_info
*handle
;
688 UNISTR2
*names
= q_u
->uni_name
;
689 int num_entries
= q_u
->num_entries
;
692 uint32 mapped_count
= 0;
694 if (num_entries
> MAX_LOOKUP_SIDS
) {
695 num_entries
= MAX_LOOKUP_SIDS
;
696 DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries
));
699 ref
= (DOM_R_REF
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_R_REF
));
700 rids
= (DOM_RID2
*)talloc_zero(p
->mem_ctx
, sizeof(DOM_RID2
)*num_entries
);
702 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
)) {
703 r_u
->status
= NT_STATUS_INVALID_HANDLE
;
707 /* check if the user have enough rights */
708 if (!(handle
->access
& POLICY_LOOKUP_NAMES
)) {
709 r_u
->status
= NT_STATUS_ACCESS_DENIED
;
714 return NT_STATUS_NO_MEMORY
;
718 /* set up the LSA Lookup RIDs response */
719 init_lsa_rid2s(ref
, rids
, num_entries
, names
, &mapped_count
, p
->endian
);
720 if (mapped_count
== 0)
721 r_u
->status
= NT_STATUS_NONE_MAPPED
;
722 else if (mapped_count
!= num_entries
)
723 r_u
->status
= STATUS_SOME_UNMAPPED
;
725 r_u
->status
= NT_STATUS_OK
;
726 init_reply_lookup_names(r_u
, ref
, num_entries
, rids
, mapped_count
);
731 /***************************************************************************
732 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
733 ***************************************************************************/
735 NTSTATUS
_lsa_close(pipes_struct
*p
, LSA_Q_CLOSE
*q_u
, LSA_R_CLOSE
*r_u
)
737 if (!find_policy_by_hnd(p
, &q_u
->pol
, NULL
))
738 return NT_STATUS_INVALID_HANDLE
;
740 close_policy_hnd(p
, &q_u
->pol
);
744 /***************************************************************************
745 "No more secrets Marty...." :-).
746 ***************************************************************************/
748 NTSTATUS
_lsa_open_secret(pipes_struct
*p
, LSA_Q_OPEN_SECRET
*q_u
, LSA_R_OPEN_SECRET
*r_u
)
750 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
753 /***************************************************************************
755 ***************************************************************************/
757 NTSTATUS
_lsa_enum_privs(pipes_struct
*p
, LSA_Q_ENUM_PRIVS
*q_u
, LSA_R_ENUM_PRIVS
*r_u
)
759 struct lsa_info
*handle
;
762 uint32 enum_context
=q_u
->enum_context
;
763 LSA_PRIV_ENTRY
*entry
;
764 LSA_PRIV_ENTRY
*entries
=NULL
;
766 if (enum_context
>= PRIV_ALL_INDEX
)
767 return NT_STATUS_NO_MORE_ENTRIES
;
769 entries
= (LSA_PRIV_ENTRY
*)talloc_zero(p
->mem_ctx
, sizeof(LSA_PRIV_ENTRY
) * (PRIV_ALL_INDEX
));
771 return NT_STATUS_NO_MEMORY
;
773 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
774 return NT_STATUS_INVALID_HANDLE
;
776 /* check if the user have enough rights */
779 * I don't know if it's the right one. not documented.
781 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
782 return NT_STATUS_ACCESS_DENIED
;
786 DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n", enum_context
, PRIV_ALL_INDEX
));
788 for (i
= 0; i
< PRIV_ALL_INDEX
; i
++, entry
++) {
789 if( i
<enum_context
) {
790 init_unistr2(&entry
->name
, NULL
, UNI_FLAGS_NONE
);
791 init_uni_hdr(&entry
->hdr_name
, &entry
->name
);
793 entry
->luid_high
= 0;
795 init_unistr2(&entry
->name
, privs
[i
+1].priv
, UNI_FLAGS_NONE
);
796 init_uni_hdr(&entry
->hdr_name
, &entry
->name
);
797 entry
->luid_low
= privs
[i
+1].se_priv
;
798 entry
->luid_high
= 0;
802 enum_context
= PRIV_ALL_INDEX
;
803 init_lsa_r_enum_privs(r_u
, enum_context
, PRIV_ALL_INDEX
, entries
);
808 /***************************************************************************
809 _lsa_priv_get_dispname.
810 ***************************************************************************/
812 NTSTATUS
_lsa_priv_get_dispname(pipes_struct
*p
, LSA_Q_PRIV_GET_DISPNAME
*q_u
, LSA_R_PRIV_GET_DISPNAME
*r_u
)
814 struct lsa_info
*handle
;
818 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
819 return NT_STATUS_INVALID_HANDLE
;
821 /* check if the user have enough rights */
824 * I don't know if it's the right one. not documented.
826 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
827 return NT_STATUS_ACCESS_DENIED
;
829 unistr2_to_ascii(name_asc
, &q_u
->name
, sizeof(name_asc
));
831 DEBUG(10,("_lsa_priv_get_dispname: %s", name_asc
));
833 while (privs
[i
].se_priv
!=SE_PRIV_ALL
&& strcmp(name_asc
, privs
[i
].priv
))
836 if (privs
[i
].se_priv
!=SE_PRIV_ALL
) {
837 DEBUG(10,(": %s\n", privs
[i
].description
));
838 init_unistr2(&r_u
->desc
, privs
[i
].description
, UNI_FLAGS_NONE
);
839 init_uni_hdr(&r_u
->hdr_desc
, &r_u
->desc
);
841 r_u
->ptr_info
=0xdeadbeef;
842 r_u
->lang_id
=q_u
->lang_id
;
845 DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
847 return NT_STATUS_NO_SUCH_PRIVILEGE
;
851 /***************************************************************************
853 ***************************************************************************/
855 NTSTATUS
_lsa_enum_accounts(pipes_struct
*p
, LSA_Q_ENUM_ACCOUNTS
*q_u
, LSA_R_ENUM_ACCOUNTS
*r_u
)
857 struct lsa_info
*handle
;
860 LSA_SID_ENUM
*sids
=&r_u
->sids
;
864 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
865 return NT_STATUS_INVALID_HANDLE
;
867 /* check if the user have enough rights */
870 * I don't know if it's the right one. not documented.
872 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
873 return NT_STATUS_ACCESS_DENIED
;
875 /* get the list of mapped groups (domain, local, builtin) */
877 ret
= pdb_enum_group_mapping(SID_NAME_UNKNOWN
, &map
, &num_entries
, ENUM_ONLY_MAPPED
);
880 DEBUG(3,("_lsa_enum_accounts: enumeration of groups failed!\n"));
885 if (q_u
->enum_context
>= num_entries
)
886 return NT_STATUS_NO_MORE_ENTRIES
;
888 sids
->ptr_sid
= (uint32
*)talloc_zero(p
->mem_ctx
, (num_entries
-q_u
->enum_context
)*sizeof(uint32
));
889 sids
->sid
= (DOM_SID2
*)talloc_zero(p
->mem_ctx
, (num_entries
-q_u
->enum_context
)*sizeof(DOM_SID2
));
891 if (sids
->ptr_sid
==NULL
|| sids
->sid
==NULL
) {
893 return NT_STATUS_NO_MEMORY
;
896 for (i
=q_u
->enum_context
, j
=0; i
<num_entries
; i
++) {
897 init_dom_sid2( &(*sids
).sid
[j
], &map
[i
].sid
);
898 (*sids
).ptr_sid
[j
]=1;
904 init_lsa_r_enum_accounts(r_u
, j
);
910 NTSTATUS
_lsa_unk_get_connuser(pipes_struct
*p
, LSA_Q_UNK_GET_CONNUSER
*q_u
, LSA_R_UNK_GET_CONNUSER
*r_u
)
912 fstring username
, domname
;
913 user_struct
*vuser
= get_valid_user_struct(p
->vuid
);
916 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
918 fstrcpy(username
, vuser
->user
.smb_name
);
919 fstrcpy(domname
, vuser
->user
.domain
);
921 r_u
->ptr_user_name
= 1;
922 init_unistr2(&r_u
->uni2_user_name
, username
, UNI_STR_TERMINATE
);
923 init_uni_hdr(&r_u
->hdr_user_name
, &r_u
->uni2_user_name
);
927 r_u
->ptr_dom_name
= 1;
928 init_unistr2(&r_u
->uni2_dom_name
, domname
, UNI_STR_TERMINATE
);
929 init_uni_hdr(&r_u
->hdr_dom_name
, &r_u
->uni2_dom_name
);
931 r_u
->status
= NT_STATUS_OK
;
936 /***************************************************************************
938 ***************************************************************************/
940 NTSTATUS
_lsa_open_account(pipes_struct
*p
, LSA_Q_OPENACCOUNT
*q_u
, LSA_R_OPENACCOUNT
*r_u
)
942 struct lsa_info
*handle
;
943 struct lsa_info
*info
;
945 r_u
->status
= NT_STATUS_OK
;
947 /* find the connection policy handle. */
948 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
949 return NT_STATUS_INVALID_HANDLE
;
951 /* check if the user have enough rights */
954 * I don't know if it's the right one. not documented.
955 * but guessed with rpcclient.
957 if (!(handle
->access
& POLICY_GET_PRIVATE_INFORMATION
))
958 return NT_STATUS_ACCESS_DENIED
;
960 /* associate the user/group SID with the (unique) handle. */
961 if ((info
= (struct lsa_info
*)malloc(sizeof(struct lsa_info
))) == NULL
)
962 return NT_STATUS_NO_MEMORY
;
965 info
->sid
= q_u
->sid
.sid
;
966 info
->access
= q_u
->access
;
968 /* get a (unique) handle. open a policy on it. */
969 if (!create_policy_hnd(p
, &r_u
->pol
, free_lsa_info
, (void *)info
))
970 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
975 /***************************************************************************
976 For a given SID, enumerate all the privilege this account has.
977 ***************************************************************************/
979 NTSTATUS
_lsa_enum_privsaccount(pipes_struct
*p
, prs_struct
*ps
, LSA_Q_ENUMPRIVSACCOUNT
*q_u
, LSA_R_ENUMPRIVSACCOUNT
*r_u
)
981 struct lsa_info
*info
=NULL
;
985 r_u
->status
= NT_STATUS_OK
;
987 /* find the connection policy handle. */
988 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
989 return NT_STATUS_INVALID_HANDLE
;
991 if (!pdb_getgrsid(&map
, info
->sid
))
992 return NT_STATUS_NO_SUCH_GROUP
;
994 #if 0 /* privileges currently not implemented! */
995 DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map
.priv_set
->count
));
996 if (map
.priv_set
->count
!=0) {
998 set
=(LUID_ATTR
*)talloc(map
.priv_set
->mem_ctx
, map
.priv_set
.count
*sizeof(LUID_ATTR
));
1000 destroy_privilege(&map
.priv_set
);
1001 return NT_STATUS_NO_MEMORY
;
1004 for (i
= 0; i
< map
.priv_set
.count
; i
++) {
1005 set
[i
].luid
.low
= map
.priv_set
->set
[i
].luid
.low
;
1006 set
[i
].luid
.high
= map
.priv_set
->set
[i
].luid
.high
;
1007 set
[i
].attr
= map
.priv_set
->set
[i
].attr
;
1008 DEBUG(10,("_lsa_enum_privsaccount: priv %d: %d:%d:%d\n", i
,
1009 set
[i
].luid
.high
, set
[i
].luid
.low
, set
[i
].attr
));
1013 init_lsa_r_enum_privsaccount(ps
->mem_ctx
, r_u
, set
, map
.priv_set
->count
, 0);
1014 destroy_privilege(&map
.priv_set
);
1017 init_lsa_r_enum_privsaccount(ps
->mem_ctx
, r_u
, set
, 0, 0);
1022 /***************************************************************************
1024 ***************************************************************************/
1026 NTSTATUS
_lsa_getsystemaccount(pipes_struct
*p
, LSA_Q_GETSYSTEMACCOUNT
*q_u
, LSA_R_GETSYSTEMACCOUNT
*r_u
)
1028 struct lsa_info
*info
=NULL
;
1030 r_u
->status
= NT_STATUS_OK
;
1032 /* find the connection policy handle. */
1033 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1034 return NT_STATUS_INVALID_HANDLE
;
1036 if (!pdb_getgrsid(&map
, info
->sid
))
1037 return NT_STATUS_NO_SUCH_GROUP
;
1040 0x01 -> Log on locally
1041 0x02 -> Access this computer from network
1042 0x04 -> Log on as a batch job
1043 0x10 -> Log on as a service
1045 they can be ORed together
1048 r_u
->access
= PR_LOG_ON_LOCALLY
| PR_ACCESS_FROM_NETWORK
;
1053 /***************************************************************************
1054 update the systemaccount information
1055 ***************************************************************************/
1057 NTSTATUS
_lsa_setsystemaccount(pipes_struct
*p
, LSA_Q_SETSYSTEMACCOUNT
*q_u
, LSA_R_SETSYSTEMACCOUNT
*r_u
)
1059 struct lsa_info
*info
=NULL
;
1061 r_u
->status
= NT_STATUS_OK
;
1063 /* find the connection policy handle. */
1064 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1065 return NT_STATUS_INVALID_HANDLE
;
1067 if (!pdb_getgrsid(&map
, info
->sid
))
1068 return NT_STATUS_NO_SUCH_GROUP
;
1070 if(!pdb_update_group_mapping_entry(&map
))
1071 return NT_STATUS_NO_SUCH_GROUP
;
1076 /***************************************************************************
1077 For a given SID, add some privileges.
1078 ***************************************************************************/
1080 NTSTATUS
_lsa_addprivs(pipes_struct
*p
, LSA_Q_ADDPRIVS
*q_u
, LSA_R_ADDPRIVS
*r_u
)
1083 struct lsa_info
*info
= NULL
;
1086 LUID_ATTR
*luid_attr
= NULL
;
1087 PRIVILEGE_SET
*set
= NULL
;
1090 r_u
->status
= NT_STATUS_OK
;
1092 #if 0 /* privileges are not implemented */
1093 /* find the connection policy handle. */
1094 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1095 return NT_STATUS_INVALID_HANDLE
;
1097 if (!pdb_getgrsid(&map
, info
->sid
))
1098 return NT_STATUS_NO_SUCH_GROUP
;
1102 for (i
= 0; i
< set
->count
; i
++) {
1103 luid_attr
= &set
->set
[i
];
1105 /* check if the privilege is already there */
1106 if (check_priv_in_privilege(map
.priv_set
, *luid_attr
)){
1107 destroy_privilege(&map
.priv_set
);
1110 add_privilege(map
.priv_set
, *luid_attr
);
1113 if(!pdb_update_group_mapping_entry(&map
))
1114 return NT_STATUS_NO_SUCH_GROUP
;
1116 destroy_privilege(&map
.priv_set
);
1122 /***************************************************************************
1123 For a given SID, remove some privileges.
1124 ***************************************************************************/
1126 NTSTATUS
_lsa_removeprivs(pipes_struct
*p
, LSA_Q_REMOVEPRIVS
*q_u
, LSA_R_REMOVEPRIVS
*r_u
)
1129 struct lsa_info
*info
= NULL
;
1132 LUID_ATTR
*luid_attr
= NULL
;
1133 PRIVILEGE_SET
*set
= NULL
;
1136 r_u
->status
= NT_STATUS_OK
;
1138 #if 0 /* privileges are not implemented */
1139 /* find the connection policy handle. */
1140 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&info
))
1141 return NT_STATUS_INVALID_HANDLE
;
1143 if (!pdb_getgrsid(&map
, info
->sid
))
1144 return NT_STATUS_NO_SUCH_GROUP
;
1146 if (q_u
->allrights
!= 0) {
1147 /* log it and return, until I see one myself don't do anything */
1148 DEBUG(5,("_lsa_removeprivs: trying to remove all privileges ?\n"));
1149 return NT_STATUS_OK
;
1152 if (q_u
->ptr
== 0) {
1153 /* log it and return, until I see one myself don't do anything */
1154 DEBUG(5,("_lsa_removeprivs: no privileges to remove ?\n"));
1155 return NT_STATUS_OK
;
1160 for (i
= 0; i
< set
->count
; i
++) {
1161 luid_attr
= &set
->set
[i
];
1163 /* if we don't have the privilege, we're trying to remove, give up */
1164 /* what else can we do ??? JFM. */
1165 if (!check_priv_in_privilege(map
.priv_set
, *luid_attr
)){
1166 destroy_privilege(&map
.priv_set
);
1167 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1170 remove_privilege(map
.priv_set
, *luid_attr
);
1173 if(!pdb_update_group_mapping_entry(&map
))
1174 return NT_STATUS_NO_SUCH_GROUP
;
1176 destroy_privilege(&map
.priv_set
);
1181 /***************************************************************************
1182 For a given SID, remove some privileges.
1183 ***************************************************************************/
1185 NTSTATUS
_lsa_query_secobj(pipes_struct
*p
, LSA_Q_QUERY_SEC_OBJ
*q_u
, LSA_R_QUERY_SEC_OBJ
*r_u
)
1187 struct lsa_info
*handle
=NULL
;
1188 SEC_DESC
*psd
= NULL
;
1192 r_u
->status
= NT_STATUS_OK
;
1194 /* find the connection policy handle. */
1195 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
1196 return NT_STATUS_INVALID_HANDLE
;
1198 /* check if the user have enough rights */
1199 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
1200 return NT_STATUS_ACCESS_DENIED
;
1203 switch (q_u
->sec_info
) {
1205 /* SD contains only the owner */
1207 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1208 if(!NT_STATUS_IS_OK(status
))
1209 return NT_STATUS_NO_MEMORY
;
1212 if((r_u
->buf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1213 return NT_STATUS_NO_MEMORY
;
1216 /* SD contains only the ACL */
1218 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1219 if(!NT_STATUS_IS_OK(status
))
1220 return NT_STATUS_NO_MEMORY
;
1222 if((r_u
->buf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1223 return NT_STATUS_NO_MEMORY
;
1226 return NT_STATUS_INVALID_LEVEL
;
1235 NTSTATUS
_lsa_query_info2(pipes_struct
*p
, LSA_Q_QUERY_INFO2
*q_u
, LSA_R_QUERY_INFO2
*r_u
)
1237 struct lsa_info
*handle
;
1238 const char *nb_name
;
1239 char *dns_name
= NULL
;
1240 char *forest_name
= NULL
;
1241 DOM_SID
*sid
= NULL
;
1246 r_u
->status
= NT_STATUS_OK
;
1248 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)&handle
))
1249 return NT_STATUS_INVALID_HANDLE
;
1251 switch (q_u
->info_class
) {
1253 /* check if the user have enough rights */
1254 if (!(handle
->access
& POLICY_VIEW_LOCAL_INFORMATION
))
1255 return NT_STATUS_ACCESS_DENIED
;
1257 /* Request PolicyPrimaryDomainInformation. */
1258 switch (lp_server_role()) {
1259 case ROLE_DOMAIN_PDC
:
1260 case ROLE_DOMAIN_BDC
:
1261 nb_name
= get_global_sam_name();
1262 /* ugly temp hack for these next two */
1264 /* This should be a 'netbios domain -> DNS domain' mapping */
1265 dnsdomname
[0] = '\0';
1266 get_mydnsdomname(dnsdomname
);
1267 strlower_m(dnsdomname
);
1269 dns_name
= dnsdomname
;
1270 forest_name
= dnsdomname
;
1272 sid
= get_global_sam_sid();
1273 secrets_fetch_domain_guid(lp_workgroup(), &guid
);
1276 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1278 init_dns_dom_info(&r_u
->info
.dns_dom_info
, nb_name
, dns_name
,
1279 forest_name
,&guid
,sid
);
1282 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
1283 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
1287 if (NT_STATUS_IS_OK(r_u
->status
)) {
1289 r_u
->info_class
= q_u
->info_class
;