librpc: Shorten dcerpc_binding_handle_call a bit
[Samba/gebeck_regimport.git] / source3 / rpc_server / samr / srv_samr_nt.c
blobb366eda2dd8dd05f64c84d4c49f5431bc2697901
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean Fran├žois Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
34 #include "includes.h"
35 #include "system/passwd.h"
36 #include "../libcli/auth/libcli_auth.h"
37 #include "ntdomain.h"
38 #include "../librpc/gen_ndr/srv_samr.h"
39 #include "rpc_server/samr/srv_samr_util.h"
40 #include "../lib/crypto/arcfour.h"
41 #include "secrets.h"
42 #include "rpc_client/init_lsa.h"
43 #include "../libcli/security/security.h"
44 #include "passdb.h"
45 #include "auth.h"
46 #include "rpc_server/srv_access_check.h"
47 #include "../lib/tsocket/tsocket.h"
49 #undef DBGC_CLASS
50 #define DBGC_CLASS DBGC_RPC_SRV
52 #define SAMR_USR_RIGHTS_WRITE_PW \
53 ( READ_CONTROL_ACCESS | \
54 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
55 SAMR_USER_ACCESS_SET_LOC_COM)
56 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
57 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
59 #define DISP_INFO_CACHE_TIMEOUT 10
61 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
62 #define MAX_SAM_ENTRIES_W95 50
64 struct samr_connect_info {
65 uint8_t dummy;
68 struct samr_domain_info {
69 struct dom_sid sid;
70 struct disp_info *disp_info;
73 struct samr_user_info {
74 struct dom_sid sid;
77 struct samr_group_info {
78 struct dom_sid sid;
81 struct samr_alias_info {
82 struct dom_sid sid;
85 typedef struct disp_info {
86 struct dom_sid sid; /* identify which domain this is. */
87 struct pdb_search *users; /* querydispinfo 1 and 4 */
88 struct pdb_search *machines; /* querydispinfo 2 */
89 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
90 struct pdb_search *aliases; /* enumaliases */
92 uint32_t enum_acb_mask;
93 struct pdb_search *enum_users; /* enumusers with a mask */
95 struct tevent_timer *cache_timeout_event; /* cache idle timeout
96 * handler. */
97 } DISP_INFO;
99 static const struct generic_mapping sam_generic_mapping = {
100 GENERIC_RIGHTS_SAM_READ,
101 GENERIC_RIGHTS_SAM_WRITE,
102 GENERIC_RIGHTS_SAM_EXECUTE,
103 GENERIC_RIGHTS_SAM_ALL_ACCESS};
104 static const struct generic_mapping dom_generic_mapping = {
105 GENERIC_RIGHTS_DOMAIN_READ,
106 GENERIC_RIGHTS_DOMAIN_WRITE,
107 GENERIC_RIGHTS_DOMAIN_EXECUTE,
108 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
109 static const struct generic_mapping usr_generic_mapping = {
110 GENERIC_RIGHTS_USER_READ,
111 GENERIC_RIGHTS_USER_WRITE,
112 GENERIC_RIGHTS_USER_EXECUTE,
113 GENERIC_RIGHTS_USER_ALL_ACCESS};
114 static const struct generic_mapping usr_nopwchange_generic_mapping = {
115 GENERIC_RIGHTS_USER_READ,
116 GENERIC_RIGHTS_USER_WRITE,
117 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
118 GENERIC_RIGHTS_USER_ALL_ACCESS};
119 static const struct generic_mapping grp_generic_mapping = {
120 GENERIC_RIGHTS_GROUP_READ,
121 GENERIC_RIGHTS_GROUP_WRITE,
122 GENERIC_RIGHTS_GROUP_EXECUTE,
123 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
124 static const struct generic_mapping ali_generic_mapping = {
125 GENERIC_RIGHTS_ALIAS_READ,
126 GENERIC_RIGHTS_ALIAS_WRITE,
127 GENERIC_RIGHTS_ALIAS_EXECUTE,
128 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
130 /*******************************************************************
131 *******************************************************************/
133 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, struct security_descriptor **psd, size_t *sd_size,
134 const struct generic_mapping *map,
135 struct dom_sid *sid, uint32 sid_access )
137 struct dom_sid domadmin_sid;
138 struct security_ace ace[5]; /* at most 5 entries */
139 size_t i = 0;
141 struct security_acl *psa = NULL;
143 /* basic access for Everyone */
145 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
146 map->generic_execute | map->generic_read, 0);
148 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
150 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
151 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
152 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
153 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
155 /* Add Full Access for Domain Admins if we are a DC */
157 if ( IS_DC ) {
158 sid_compose(&domadmin_sid, get_global_sam_sid(),
159 DOMAIN_RID_ADMINS);
160 init_sec_ace(&ace[i++], &domadmin_sid,
161 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
164 /* if we have a sid, give it some special access */
166 if ( sid ) {
167 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
170 /* create the security descriptor */
172 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
173 return NT_STATUS_NO_MEMORY;
175 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
176 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
177 psa, sd_size)) == NULL)
178 return NT_STATUS_NO_MEMORY;
180 return NT_STATUS_OK;
183 /*******************************************************************
184 Fetch or create a dispinfo struct.
185 ********************************************************************/
187 static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid)
190 * We do a static cache for DISP_INFO's here. Explanation can be found
191 * in Jeremy's checkin message to r11793:
193 * Fix the SAMR cache so it works across completely insane
194 * client behaviour (ie.:
195 * open pipe/open SAMR handle/enumerate 0 - 1024
196 * close SAMR handle, close pipe.
197 * open pipe/open SAMR handle/enumerate 1024 - 2048...
198 * close SAMR handle, close pipe.
199 * And on ad-nausium. Amazing.... probably object-oriented
200 * client side programming in action yet again.
201 * This change should *massively* improve performance when
202 * enumerating users from an LDAP database.
203 * Jeremy.
205 * "Our" and the builtin domain are the only ones where we ever
206 * enumerate stuff, so just cache 2 entries.
209 static struct disp_info *builtin_dispinfo;
210 static struct disp_info *domain_dispinfo;
212 /* There are two cases to consider here:
213 1) The SID is a domain SID and we look for an equality match, or
214 2) This is an account SID and so we return the DISP_INFO* for our
215 domain */
217 if (psid == NULL) {
218 return NULL;
221 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
223 * Necessary only once, but it does not really hurt.
225 if (builtin_dispinfo == NULL) {
226 builtin_dispinfo = talloc_zero(NULL, struct disp_info);
227 if (builtin_dispinfo == NULL) {
228 return NULL;
231 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
233 return builtin_dispinfo;
236 if (sid_check_is_our_sam(psid) || sid_check_is_in_our_sam(psid)) {
238 * Necessary only once, but it does not really hurt.
240 if (domain_dispinfo == NULL) {
241 domain_dispinfo = talloc_zero(NULL, struct disp_info);
242 if (domain_dispinfo == NULL) {
243 return NULL;
246 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
248 return domain_dispinfo;
251 return NULL;
254 /*******************************************************************
255 Function to free the per SID data.
256 ********************************************************************/
258 static void free_samr_cache(DISP_INFO *disp_info)
260 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
261 sid_string_dbg(&disp_info->sid)));
263 /* We need to become root here because the paged search might have to
264 * tell the LDAP server we're not interested in the rest anymore. */
266 become_root();
268 TALLOC_FREE(disp_info->users);
269 TALLOC_FREE(disp_info->machines);
270 TALLOC_FREE(disp_info->groups);
271 TALLOC_FREE(disp_info->aliases);
272 TALLOC_FREE(disp_info->enum_users);
274 unbecome_root();
277 /*******************************************************************
278 Idle event handler. Throw away the disp info cache.
279 ********************************************************************/
281 static void disp_info_cache_idle_timeout_handler(struct tevent_context *ev_ctx,
282 struct tevent_timer *te,
283 struct timeval now,
284 void *private_data)
286 DISP_INFO *disp_info = (DISP_INFO *)private_data;
288 TALLOC_FREE(disp_info->cache_timeout_event);
290 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
291 "out\n"));
292 free_samr_cache(disp_info);
295 /*******************************************************************
296 Setup cache removal idle event handler.
297 ********************************************************************/
299 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
301 /* Remove any pending timeout and update. */
303 TALLOC_FREE(disp_info->cache_timeout_event);
305 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
306 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
307 (unsigned int)secs_fromnow ));
309 disp_info->cache_timeout_event = tevent_add_timer(
310 server_event_context(), NULL,
311 timeval_current_ofs(secs_fromnow, 0),
312 disp_info_cache_idle_timeout_handler, (void *)disp_info);
315 /*******************************************************************
316 Force flush any cache. We do this on any samr_set_xxx call.
317 We must also remove the timeout handler.
318 ********************************************************************/
320 static void force_flush_samr_cache(const struct dom_sid *sid)
322 struct disp_info *disp_info = get_samr_dispinfo_by_sid(sid);
324 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
325 return;
328 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
329 TALLOC_FREE(disp_info->cache_timeout_event);
330 free_samr_cache(disp_info);
333 /*******************************************************************
334 Ensure password info is never given out. Paranioa... JRA.
335 ********************************************************************/
337 static void samr_clear_sam_passwd(struct samu *sam_pass)
340 if (!sam_pass)
341 return;
343 /* These now zero out the old password */
345 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
346 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
349 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
351 struct samr_displayentry *entry;
353 if (sid_check_is_builtin(&info->sid)) {
354 /* No users in builtin. */
355 return 0;
358 if (info->users == NULL) {
359 info->users = pdb_search_users(info, acct_flags);
360 if (info->users == NULL) {
361 return 0;
364 /* Fetch the last possible entry, thus trigger an enumeration */
365 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
367 /* Ensure we cache this enumeration. */
368 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
370 return info->users->num_entries;
373 static uint32 count_sam_groups(struct disp_info *info)
375 struct samr_displayentry *entry;
377 if (sid_check_is_builtin(&info->sid)) {
378 /* No groups in builtin. */
379 return 0;
382 if (info->groups == NULL) {
383 info->groups = pdb_search_groups(info);
384 if (info->groups == NULL) {
385 return 0;
388 /* Fetch the last possible entry, thus trigger an enumeration */
389 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
391 /* Ensure we cache this enumeration. */
392 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
394 return info->groups->num_entries;
397 static uint32 count_sam_aliases(struct disp_info *info)
399 struct samr_displayentry *entry;
401 if (info->aliases == NULL) {
402 info->aliases = pdb_search_aliases(info, &info->sid);
403 if (info->aliases == NULL) {
404 return 0;
407 /* Fetch the last possible entry, thus trigger an enumeration */
408 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
410 /* Ensure we cache this enumeration. */
411 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
413 return info->aliases->num_entries;
416 /*******************************************************************
417 _samr_Close
418 ********************************************************************/
420 NTSTATUS _samr_Close(struct pipes_struct *p, struct samr_Close *r)
422 if (!close_policy_hnd(p, r->in.handle)) {
423 return NT_STATUS_INVALID_HANDLE;
426 ZERO_STRUCTP(r->out.handle);
428 return NT_STATUS_OK;
431 /*******************************************************************
432 _samr_OpenDomain
433 ********************************************************************/
435 NTSTATUS _samr_OpenDomain(struct pipes_struct *p,
436 struct samr_OpenDomain *r)
438 struct samr_domain_info *dinfo;
439 struct security_descriptor *psd = NULL;
440 uint32 acc_granted;
441 uint32 des_access = r->in.access_mask;
442 NTSTATUS status;
443 size_t sd_size;
444 uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
446 /* find the connection policy handle. */
448 (void)policy_handle_find(p, r->in.connect_handle, 0, NULL,
449 struct samr_connect_info, &status);
450 if (!NT_STATUS_IS_OK(status)) {
451 return status;
454 /*check if access can be granted as requested by client. */
455 map_max_allowed_access(p->session_info->security_token,
456 p->session_info->unix_token,
457 &des_access);
459 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
460 se_map_generic( &des_access, &dom_generic_mapping );
463 * Users with SeAddUser get the ability to manipulate groups
464 * and aliases.
466 if (security_token_has_privilege(p->session_info->security_token, SEC_PRIV_ADD_USERS)) {
467 extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
468 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
469 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
470 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
471 SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
475 * Users with SeMachineAccount or SeAddUser get additional
476 * SAMR_DOMAIN_ACCESS_CREATE_USER access.
479 status = access_check_object( psd, p->session_info->security_token,
480 SEC_PRIV_MACHINE_ACCOUNT, SEC_PRIV_ADD_USERS,
481 extra_access, des_access,
482 &acc_granted, "_samr_OpenDomain" );
484 if ( !NT_STATUS_IS_OK(status) )
485 return status;
487 if (!sid_check_is_our_sam(r->in.sid) &&
488 !sid_check_is_builtin(r->in.sid)) {
489 return NT_STATUS_NO_SUCH_DOMAIN;
492 dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
493 struct samr_domain_info, &status);
494 if (!NT_STATUS_IS_OK(status)) {
495 return status;
497 dinfo->sid = *r->in.sid;
498 dinfo->disp_info = get_samr_dispinfo_by_sid(r->in.sid);
500 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
502 return NT_STATUS_OK;
505 /*******************************************************************
506 _samr_GetUserPwInfo
507 ********************************************************************/
509 NTSTATUS _samr_GetUserPwInfo(struct pipes_struct *p,
510 struct samr_GetUserPwInfo *r)
512 struct samr_user_info *uinfo;
513 enum lsa_SidType sid_type;
514 uint32_t min_password_length = 0;
515 uint32_t password_properties = 0;
516 bool ret = false;
517 NTSTATUS status;
519 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
521 uinfo = policy_handle_find(p, r->in.user_handle,
522 SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
523 struct samr_user_info, &status);
524 if (!NT_STATUS_IS_OK(status)) {
525 return status;
528 if (!sid_check_is_in_our_sam(&uinfo->sid)) {
529 return NT_STATUS_OBJECT_TYPE_MISMATCH;
532 become_root();
533 ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type);
534 unbecome_root();
535 if (ret == false) {
536 return NT_STATUS_NO_SUCH_USER;
539 switch (sid_type) {
540 case SID_NAME_USER:
541 become_root();
542 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
543 &min_password_length);
544 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
545 &password_properties);
546 unbecome_root();
548 if (lp_check_password_script(talloc_tos())
549 && *lp_check_password_script(talloc_tos())) {
550 password_properties |= DOMAIN_PASSWORD_COMPLEX;
553 break;
554 default:
555 break;
558 r->out.info->min_password_length = min_password_length;
559 r->out.info->password_properties = password_properties;
561 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
563 return NT_STATUS_OK;
566 /*******************************************************************
567 _samr_SetSecurity
568 ********************************************************************/
570 NTSTATUS _samr_SetSecurity(struct pipes_struct *p,
571 struct samr_SetSecurity *r)
573 struct samr_user_info *uinfo;
574 uint32 i;
575 struct security_acl *dacl;
576 bool ret;
577 struct samu *sampass=NULL;
578 NTSTATUS status;
580 uinfo = policy_handle_find(p, r->in.handle,
581 SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL,
582 struct samr_user_info, &status);
583 if (!NT_STATUS_IS_OK(status)) {
584 return status;
587 if (!(sampass = samu_new( p->mem_ctx))) {
588 DEBUG(0,("No memory!\n"));
589 return NT_STATUS_NO_MEMORY;
592 /* get the user record */
593 become_root();
594 ret = pdb_getsampwsid(sampass, &uinfo->sid);
595 unbecome_root();
597 if (!ret) {
598 DEBUG(4, ("User %s not found\n",
599 sid_string_dbg(&uinfo->sid)));
600 TALLOC_FREE(sampass);
601 return NT_STATUS_INVALID_HANDLE;
604 dacl = r->in.sdbuf->sd->dacl;
605 for (i=0; i < dacl->num_aces; i++) {
606 if (dom_sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) {
607 ret = pdb_set_pass_can_change(sampass,
608 (dacl->aces[i].access_mask &
609 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
610 True: False);
611 break;
615 if (!ret) {
616 TALLOC_FREE(sampass);
617 return NT_STATUS_ACCESS_DENIED;
620 become_root();
621 status = pdb_update_sam_account(sampass);
622 unbecome_root();
624 TALLOC_FREE(sampass);
626 return status;
629 /*******************************************************************
630 build correct perms based on policies and password times for _samr_query_sec_obj
631 *******************************************************************/
632 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, struct dom_sid *user_sid)
634 struct samu *sampass=NULL;
635 bool ret;
637 if ( !(sampass = samu_new( mem_ctx )) ) {
638 DEBUG(0,("No memory!\n"));
639 return False;
642 become_root();
643 ret = pdb_getsampwsid(sampass, user_sid);
644 unbecome_root();
646 if (ret == False) {
647 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
648 TALLOC_FREE(sampass);
649 return False;
652 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
654 if (pdb_get_pass_can_change(sampass)) {
655 TALLOC_FREE(sampass);
656 return True;
658 TALLOC_FREE(sampass);
659 return False;
663 /*******************************************************************
664 _samr_QuerySecurity
665 ********************************************************************/
667 NTSTATUS _samr_QuerySecurity(struct pipes_struct *p,
668 struct samr_QuerySecurity *r)
670 struct samr_domain_info *dinfo;
671 struct samr_user_info *uinfo;
672 struct samr_group_info *ginfo;
673 struct samr_alias_info *ainfo;
674 NTSTATUS status;
675 struct security_descriptor * psd = NULL;
676 size_t sd_size = 0;
678 (void)policy_handle_find(p, r->in.handle,
679 SEC_STD_READ_CONTROL, NULL,
680 struct samr_connect_info, &status);
681 if (NT_STATUS_IS_OK(status)) {
682 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
683 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
684 &sam_generic_mapping, NULL, 0);
685 goto done;
688 dinfo = policy_handle_find(p, r->in.handle,
689 SEC_STD_READ_CONTROL, NULL,
690 struct samr_domain_info, &status);
691 if (NT_STATUS_IS_OK(status)) {
692 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
693 "with SID: %s\n", sid_string_dbg(&dinfo->sid)));
695 * TODO: Builtin probably needs a different SD with restricted
696 * write access
698 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
699 &dom_generic_mapping, NULL, 0);
700 goto done;
703 uinfo = policy_handle_find(p, r->in.handle,
704 SEC_STD_READ_CONTROL, NULL,
705 struct samr_user_info, &status);
706 if (NT_STATUS_IS_OK(status)) {
707 DEBUG(10,("_samr_QuerySecurity: querying security on user "
708 "Object with SID: %s\n",
709 sid_string_dbg(&uinfo->sid)));
710 if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) {
711 status = make_samr_object_sd(
712 p->mem_ctx, &psd, &sd_size,
713 &usr_generic_mapping,
714 &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW);
715 } else {
716 status = make_samr_object_sd(
717 p->mem_ctx, &psd, &sd_size,
718 &usr_nopwchange_generic_mapping,
719 &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
721 goto done;
724 ginfo = policy_handle_find(p, r->in.handle,
725 SEC_STD_READ_CONTROL, NULL,
726 struct samr_group_info, &status);
727 if (NT_STATUS_IS_OK(status)) {
729 * TODO: different SDs have to be generated for aliases groups
730 * and users. Currently all three get a default user SD
732 DEBUG(10,("_samr_QuerySecurity: querying security on group "
733 "Object with SID: %s\n",
734 sid_string_dbg(&ginfo->sid)));
735 status = make_samr_object_sd(
736 p->mem_ctx, &psd, &sd_size,
737 &usr_nopwchange_generic_mapping,
738 &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
739 goto done;
742 ainfo = policy_handle_find(p, r->in.handle,
743 SEC_STD_READ_CONTROL, NULL,
744 struct samr_alias_info, &status);
745 if (NT_STATUS_IS_OK(status)) {
747 * TODO: different SDs have to be generated for aliases groups
748 * and users. Currently all three get a default user SD
750 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
751 "Object with SID: %s\n",
752 sid_string_dbg(&ainfo->sid)));
753 status = make_samr_object_sd(
754 p->mem_ctx, &psd, &sd_size,
755 &usr_nopwchange_generic_mapping,
756 &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
757 goto done;
760 return NT_STATUS_OBJECT_TYPE_MISMATCH;
761 done:
762 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
763 return NT_STATUS_NO_MEMORY;
765 return status;
768 /*******************************************************************
769 makes a SAM_ENTRY / UNISTR2* structure from a user list.
770 ********************************************************************/
772 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
773 struct samr_SamEntry **sam_pp,
774 uint32_t num_entries,
775 uint32_t start_idx,
776 struct samr_displayentry *entries)
778 uint32_t i;
779 struct samr_SamEntry *sam;
781 *sam_pp = NULL;
783 if (num_entries == 0) {
784 return NT_STATUS_OK;
787 sam = talloc_zero_array(ctx, struct samr_SamEntry, num_entries);
788 if (sam == NULL) {
789 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
790 return NT_STATUS_NO_MEMORY;
793 for (i = 0; i < num_entries; i++) {
794 #if 0
796 * usrmgr expects a non-NULL terminated string with
797 * trust relationships
799 if (entries[i].acct_flags & ACB_DOMTRUST) {
800 init_unistr2(&uni_temp_name, entries[i].account_name,
801 UNI_FLAGS_NONE);
802 } else {
803 init_unistr2(&uni_temp_name, entries[i].account_name,
804 UNI_STR_TERMINATE);
806 #endif
807 init_lsa_String(&sam[i].name, entries[i].account_name);
808 sam[i].idx = entries[i].rid;
811 *sam_pp = sam;
813 return NT_STATUS_OK;
816 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
818 /*******************************************************************
819 _samr_EnumDomainUsers
820 ********************************************************************/
822 NTSTATUS _samr_EnumDomainUsers(struct pipes_struct *p,
823 struct samr_EnumDomainUsers *r)
825 NTSTATUS status;
826 struct samr_domain_info *dinfo;
827 int num_account;
828 uint32 enum_context = *r->in.resume_handle;
829 enum remote_arch_types ra_type = get_remote_arch();
830 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
831 uint32 max_entries = max_sam_entries;
832 struct samr_displayentry *entries = NULL;
833 struct samr_SamArray *samr_array = NULL;
834 struct samr_SamEntry *samr_entries = NULL;
836 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
838 dinfo = policy_handle_find(p, r->in.domain_handle,
839 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
840 struct samr_domain_info, &status);
841 if (!NT_STATUS_IS_OK(status)) {
842 return status;
845 samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
846 if (!samr_array) {
847 return NT_STATUS_NO_MEMORY;
849 *r->out.sam = samr_array;
851 if (sid_check_is_builtin(&dinfo->sid)) {
852 /* No users in builtin. */
853 *r->out.resume_handle = *r->in.resume_handle;
854 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
855 return status;
858 become_root();
860 /* AS ROOT !!!! */
862 if ((dinfo->disp_info->enum_users != NULL) &&
863 (dinfo->disp_info->enum_acb_mask != r->in.acct_flags)) {
864 TALLOC_FREE(dinfo->disp_info->enum_users);
867 if (dinfo->disp_info->enum_users == NULL) {
868 dinfo->disp_info->enum_users = pdb_search_users(
869 dinfo->disp_info, r->in.acct_flags);
870 dinfo->disp_info->enum_acb_mask = r->in.acct_flags;
873 if (dinfo->disp_info->enum_users == NULL) {
874 /* END AS ROOT !!!! */
875 unbecome_root();
876 return NT_STATUS_ACCESS_DENIED;
879 num_account = pdb_search_entries(dinfo->disp_info->enum_users,
880 enum_context, max_entries,
881 &entries);
883 /* END AS ROOT !!!! */
885 unbecome_root();
887 if (num_account == 0) {
888 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
889 "total entries\n"));
890 *r->out.resume_handle = *r->in.resume_handle;
891 return NT_STATUS_OK;
894 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
895 num_account, enum_context,
896 entries);
897 if (!NT_STATUS_IS_OK(status)) {
898 return status;
901 if (max_entries <= num_account) {
902 status = STATUS_MORE_ENTRIES;
903 } else {
904 status = NT_STATUS_OK;
907 /* Ensure we cache this enumeration. */
908 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
910 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
912 samr_array->count = num_account;
913 samr_array->entries = samr_entries;
915 *r->out.resume_handle = *r->in.resume_handle + num_account;
916 *r->out.num_entries = num_account;
918 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
920 return status;
923 /*******************************************************************
924 makes a SAM_ENTRY / UNISTR2* structure from a group list.
925 ********************************************************************/
927 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
928 struct samr_SamEntry **sam_pp,
929 uint32_t num_sam_entries,
930 struct samr_displayentry *entries)
932 struct samr_SamEntry *sam;
933 uint32_t i;
935 *sam_pp = NULL;
937 if (num_sam_entries == 0) {
938 return;
941 sam = talloc_zero_array(ctx, struct samr_SamEntry, num_sam_entries);
942 if (sam == NULL) {
943 return;
946 for (i = 0; i < num_sam_entries; i++) {
948 * JRA. I think this should include the null. TNG does not.
950 init_lsa_String(&sam[i].name, entries[i].account_name);
951 sam[i].idx = entries[i].rid;
954 *sam_pp = sam;
957 /*******************************************************************
958 _samr_EnumDomainGroups
959 ********************************************************************/
961 NTSTATUS _samr_EnumDomainGroups(struct pipes_struct *p,
962 struct samr_EnumDomainGroups *r)
964 NTSTATUS status;
965 struct samr_domain_info *dinfo;
966 struct samr_displayentry *groups;
967 uint32 num_groups;
968 struct samr_SamArray *samr_array = NULL;
969 struct samr_SamEntry *samr_entries = NULL;
971 dinfo = policy_handle_find(p, r->in.domain_handle,
972 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
973 struct samr_domain_info, &status);
974 if (!NT_STATUS_IS_OK(status)) {
975 return status;
978 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
980 samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
981 if (!samr_array) {
982 return NT_STATUS_NO_MEMORY;
984 *r->out.sam = samr_array;
986 if (sid_check_is_builtin(&dinfo->sid)) {
987 /* No groups in builtin. */
988 *r->out.resume_handle = *r->in.resume_handle;
989 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
990 return status;
993 /* the domain group array is being allocated in the function below */
995 become_root();
997 if (dinfo->disp_info->groups == NULL) {
998 dinfo->disp_info->groups = pdb_search_groups(dinfo->disp_info);
1000 if (dinfo->disp_info->groups == NULL) {
1001 unbecome_root();
1002 return NT_STATUS_ACCESS_DENIED;
1006 num_groups = pdb_search_entries(dinfo->disp_info->groups,
1007 *r->in.resume_handle,
1008 MAX_SAM_ENTRIES, &groups);
1009 unbecome_root();
1011 /* Ensure we cache this enumeration. */
1012 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1014 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1015 num_groups, groups);
1017 if (MAX_SAM_ENTRIES <= num_groups) {
1018 status = STATUS_MORE_ENTRIES;
1019 } else {
1020 status = NT_STATUS_OK;
1023 samr_array->count = num_groups;
1024 samr_array->entries = samr_entries;
1026 *r->out.num_entries = num_groups;
1027 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1029 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1031 return status;
1034 /*******************************************************************
1035 _samr_EnumDomainAliases
1036 ********************************************************************/
1038 NTSTATUS _samr_EnumDomainAliases(struct pipes_struct *p,
1039 struct samr_EnumDomainAliases *r)
1041 NTSTATUS status;
1042 struct samr_domain_info *dinfo;
1043 struct samr_displayentry *aliases;
1044 uint32 num_aliases = 0;
1045 struct samr_SamArray *samr_array = NULL;
1046 struct samr_SamEntry *samr_entries = NULL;
1048 dinfo = policy_handle_find(p, r->in.domain_handle,
1049 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1050 struct samr_domain_info, &status);
1051 if (!NT_STATUS_IS_OK(status)) {
1052 return status;
1055 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1056 sid_string_dbg(&dinfo->sid)));
1058 samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
1059 if (!samr_array) {
1060 return NT_STATUS_NO_MEMORY;
1063 become_root();
1065 if (dinfo->disp_info->aliases == NULL) {
1066 dinfo->disp_info->aliases = pdb_search_aliases(
1067 dinfo->disp_info, &dinfo->sid);
1068 if (dinfo->disp_info->aliases == NULL) {
1069 unbecome_root();
1070 return NT_STATUS_ACCESS_DENIED;
1074 num_aliases = pdb_search_entries(dinfo->disp_info->aliases,
1075 *r->in.resume_handle,
1076 MAX_SAM_ENTRIES, &aliases);
1077 unbecome_root();
1079 /* Ensure we cache this enumeration. */
1080 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1082 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1083 num_aliases, aliases);
1085 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1087 if (MAX_SAM_ENTRIES <= num_aliases) {
1088 status = STATUS_MORE_ENTRIES;
1089 } else {
1090 status = NT_STATUS_OK;
1093 samr_array->count = num_aliases;
1094 samr_array->entries = samr_entries;
1096 *r->out.sam = samr_array;
1097 *r->out.num_entries = num_aliases;
1098 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1100 return status;
1103 /*******************************************************************
1104 inits a samr_DispInfoGeneral structure.
1105 ********************************************************************/
1107 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1108 struct samr_DispInfoGeneral *r,
1109 uint32_t num_entries,
1110 uint32_t start_idx,
1111 struct samr_displayentry *entries)
1113 uint32 i;
1115 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1117 if (num_entries == 0) {
1118 return NT_STATUS_OK;
1121 r->count = num_entries;
1123 r->entries = talloc_zero_array(ctx, struct samr_DispEntryGeneral, num_entries);
1124 if (!r->entries) {
1125 return NT_STATUS_NO_MEMORY;
1128 for (i = 0; i < num_entries ; i++) {
1130 init_lsa_String(&r->entries[i].account_name,
1131 entries[i].account_name);
1133 init_lsa_String(&r->entries[i].description,
1134 entries[i].description);
1136 init_lsa_String(&r->entries[i].full_name,
1137 entries[i].fullname);
1139 r->entries[i].rid = entries[i].rid;
1140 r->entries[i].acct_flags = entries[i].acct_flags;
1141 r->entries[i].idx = start_idx+i+1;
1144 return NT_STATUS_OK;
1147 /*******************************************************************
1148 inits a samr_DispInfoFull structure.
1149 ********************************************************************/
1151 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1152 struct samr_DispInfoFull *r,
1153 uint32_t num_entries,
1154 uint32_t start_idx,
1155 struct samr_displayentry *entries)
1157 uint32_t i;
1159 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1161 if (num_entries == 0) {
1162 return NT_STATUS_OK;
1165 r->count = num_entries;
1167 r->entries = talloc_zero_array(ctx, struct samr_DispEntryFull, num_entries);
1168 if (!r->entries) {
1169 return NT_STATUS_NO_MEMORY;
1172 for (i = 0; i < num_entries ; i++) {
1174 init_lsa_String(&r->entries[i].account_name,
1175 entries[i].account_name);
1177 init_lsa_String(&r->entries[i].description,
1178 entries[i].description);
1180 r->entries[i].rid = entries[i].rid;
1181 r->entries[i].acct_flags = entries[i].acct_flags;
1182 r->entries[i].idx = start_idx+i+1;
1185 return NT_STATUS_OK;
1188 /*******************************************************************
1189 inits a samr_DispInfoFullGroups structure.
1190 ********************************************************************/
1192 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1193 struct samr_DispInfoFullGroups *r,
1194 uint32_t num_entries,
1195 uint32_t start_idx,
1196 struct samr_displayentry *entries)
1198 uint32_t i;
1200 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1202 if (num_entries == 0) {
1203 return NT_STATUS_OK;
1206 r->count = num_entries;
1208 r->entries = talloc_zero_array(ctx, struct samr_DispEntryFullGroup, num_entries);
1209 if (!r->entries) {
1210 return NT_STATUS_NO_MEMORY;
1213 for (i = 0; i < num_entries ; i++) {
1215 init_lsa_String(&r->entries[i].account_name,
1216 entries[i].account_name);
1218 init_lsa_String(&r->entries[i].description,
1219 entries[i].description);
1221 r->entries[i].rid = entries[i].rid;
1222 r->entries[i].acct_flags = entries[i].acct_flags;
1223 r->entries[i].idx = start_idx+i+1;
1226 return NT_STATUS_OK;
1229 /*******************************************************************
1230 inits a samr_DispInfoAscii structure.
1231 ********************************************************************/
1233 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1234 struct samr_DispInfoAscii *r,
1235 uint32_t num_entries,
1236 uint32_t start_idx,
1237 struct samr_displayentry *entries)
1239 uint32_t i;
1241 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1243 if (num_entries == 0) {
1244 return NT_STATUS_OK;
1247 r->count = num_entries;
1249 r->entries = talloc_zero_array(ctx, struct samr_DispEntryAscii, num_entries);
1250 if (!r->entries) {
1251 return NT_STATUS_NO_MEMORY;
1254 for (i = 0; i < num_entries ; i++) {
1256 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1257 entries[i].account_name);
1259 r->entries[i].idx = start_idx+i+1;
1262 return NT_STATUS_OK;
1265 /*******************************************************************
1266 inits a samr_DispInfoAscii structure.
1267 ********************************************************************/
1269 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1270 struct samr_DispInfoAscii *r,
1271 uint32_t num_entries,
1272 uint32_t start_idx,
1273 struct samr_displayentry *entries)
1275 uint32_t i;
1277 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1279 if (num_entries == 0) {
1280 return NT_STATUS_OK;
1283 r->count = num_entries;
1285 r->entries = talloc_zero_array(ctx, struct samr_DispEntryAscii, num_entries);
1286 if (!r->entries) {
1287 return NT_STATUS_NO_MEMORY;
1290 for (i = 0; i < num_entries ; i++) {
1292 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1293 entries[i].account_name);
1295 r->entries[i].idx = start_idx+i+1;
1298 return NT_STATUS_OK;
1301 /*******************************************************************
1302 _samr_QueryDisplayInfo
1303 ********************************************************************/
1305 NTSTATUS _samr_QueryDisplayInfo(struct pipes_struct *p,
1306 struct samr_QueryDisplayInfo *r)
1308 NTSTATUS status;
1309 struct samr_domain_info *dinfo;
1310 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1312 uint32 max_entries = r->in.max_entries;
1314 union samr_DispInfo *disp_info = r->out.info;
1316 uint32 temp_size=0;
1317 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1318 uint32 num_account = 0;
1319 enum remote_arch_types ra_type = get_remote_arch();
1320 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1321 struct samr_displayentry *entries = NULL;
1323 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1325 dinfo = policy_handle_find(p, r->in.domain_handle,
1326 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1327 struct samr_domain_info, &status);
1328 if (!NT_STATUS_IS_OK(status)) {
1329 return status;
1332 if (sid_check_is_builtin(&dinfo->sid)) {
1333 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1334 return NT_STATUS_OK;
1338 * calculate how many entries we will return.
1339 * based on
1340 * - the number of entries the client asked
1341 * - our limit on that
1342 * - the starting point (enumeration context)
1343 * - the buffer size the client will accept
1347 * We are a lot more like W2K. Instead of reading the SAM
1348 * each time to find the records we need to send back,
1349 * we read it once and link that copy to the sam handle.
1350 * For large user list (over the MAX_SAM_ENTRIES)
1351 * it's a definitive win.
1352 * second point to notice: between enumerations
1353 * our sam is now the same as it's a snapshoot.
1354 * third point: got rid of the static SAM_USER_21 struct
1355 * no more intermediate.
1356 * con: it uses much more memory, as a full copy is stored
1357 * in memory.
1359 * If you want to change it, think twice and think
1360 * of the second point , that's really important.
1362 * JFM, 12/20/2001
1365 if ((r->in.level < 1) || (r->in.level > 5)) {
1366 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1367 (unsigned int)r->in.level ));
1368 return NT_STATUS_INVALID_INFO_CLASS;
1371 /* first limit the number of entries we will return */
1372 if (r->in.max_entries > max_sam_entries) {
1373 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1374 "entries, limiting to %d\n", r->in.max_entries,
1375 max_sam_entries));
1376 max_entries = max_sam_entries;
1379 /* calculate the size and limit on the number of entries we will
1380 * return */
1382 temp_size=max_entries*struct_size;
1384 if (temp_size > r->in.buf_size) {
1385 max_entries = MIN((r->in.buf_size / struct_size),max_entries);
1386 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1387 "only %d entries\n", max_entries));
1390 become_root();
1392 /* THe following done as ROOT. Don't return without unbecome_root(). */
1394 switch (r->in.level) {
1395 case 1:
1396 case 4:
1397 if (dinfo->disp_info->users == NULL) {
1398 dinfo->disp_info->users = pdb_search_users(
1399 dinfo->disp_info, ACB_NORMAL);
1400 if (dinfo->disp_info->users == NULL) {
1401 unbecome_root();
1402 return NT_STATUS_ACCESS_DENIED;
1404 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1405 (unsigned int)r->in.start_idx));
1406 } else {
1407 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1408 (unsigned int)r->in.start_idx));
1411 num_account = pdb_search_entries(dinfo->disp_info->users,
1412 r->in.start_idx, max_entries,
1413 &entries);
1414 break;
1415 case 2:
1416 if (dinfo->disp_info->machines == NULL) {
1417 dinfo->disp_info->machines = pdb_search_users(
1418 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1419 if (dinfo->disp_info->machines == NULL) {
1420 unbecome_root();
1421 return NT_STATUS_ACCESS_DENIED;
1423 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1424 (unsigned int)r->in.start_idx));
1425 } else {
1426 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1427 (unsigned int)r->in.start_idx));
1430 num_account = pdb_search_entries(dinfo->disp_info->machines,
1431 r->in.start_idx, max_entries,
1432 &entries);
1433 break;
1434 case 3:
1435 case 5:
1436 if (dinfo->disp_info->groups == NULL) {
1437 dinfo->disp_info->groups = pdb_search_groups(
1438 dinfo->disp_info);
1439 if (dinfo->disp_info->groups == NULL) {
1440 unbecome_root();
1441 return NT_STATUS_ACCESS_DENIED;
1443 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1444 (unsigned int)r->in.start_idx));
1445 } else {
1446 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1447 (unsigned int)r->in.start_idx));
1450 num_account = pdb_search_entries(dinfo->disp_info->groups,
1451 r->in.start_idx, max_entries,
1452 &entries);
1453 break;
1454 default:
1455 unbecome_root();
1456 smb_panic("info class changed");
1457 break;
1459 unbecome_root();
1462 /* Now create reply structure */
1463 switch (r->in.level) {
1464 case 1:
1465 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1466 num_account, r->in.start_idx,
1467 entries);
1468 break;
1469 case 2:
1470 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1471 num_account, r->in.start_idx,
1472 entries);
1473 break;
1474 case 3:
1475 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1476 num_account, r->in.start_idx,
1477 entries);
1478 break;
1479 case 4:
1480 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1481 num_account, r->in.start_idx,
1482 entries);
1483 break;
1484 case 5:
1485 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1486 num_account, r->in.start_idx,
1487 entries);
1488 break;
1489 default:
1490 smb_panic("info class changed");
1491 break;
1494 if (!NT_STATUS_IS_OK(disp_ret))
1495 return disp_ret;
1497 if (max_entries <= num_account) {
1498 status = STATUS_MORE_ENTRIES;
1499 } else {
1500 status = NT_STATUS_OK;
1503 /* Ensure we cache this enumeration. */
1504 set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1506 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1508 *r->out.total_size = num_account * struct_size;
1509 *r->out.returned_size = num_account ? temp_size : 0;
1511 return status;
1514 /****************************************************************
1515 _samr_QueryDisplayInfo2
1516 ****************************************************************/
1518 NTSTATUS _samr_QueryDisplayInfo2(struct pipes_struct *p,
1519 struct samr_QueryDisplayInfo2 *r)
1521 struct samr_QueryDisplayInfo q;
1523 q.in.domain_handle = r->in.domain_handle;
1524 q.in.level = r->in.level;
1525 q.in.start_idx = r->in.start_idx;
1526 q.in.max_entries = r->in.max_entries;
1527 q.in.buf_size = r->in.buf_size;
1529 q.out.total_size = r->out.total_size;
1530 q.out.returned_size = r->out.returned_size;
1531 q.out.info = r->out.info;
1533 return _samr_QueryDisplayInfo(p, &q);
1536 /****************************************************************
1537 _samr_QueryDisplayInfo3
1538 ****************************************************************/
1540 NTSTATUS _samr_QueryDisplayInfo3(struct pipes_struct *p,
1541 struct samr_QueryDisplayInfo3 *r)
1543 struct samr_QueryDisplayInfo q;
1545 q.in.domain_handle = r->in.domain_handle;
1546 q.in.level = r->in.level;
1547 q.in.start_idx = r->in.start_idx;
1548 q.in.max_entries = r->in.max_entries;
1549 q.in.buf_size = r->in.buf_size;
1551 q.out.total_size = r->out.total_size;
1552 q.out.returned_size = r->out.returned_size;
1553 q.out.info = r->out.info;
1555 return _samr_QueryDisplayInfo(p, &q);
1558 /*******************************************************************
1559 _samr_QueryAliasInfo
1560 ********************************************************************/
1562 NTSTATUS _samr_QueryAliasInfo(struct pipes_struct *p,
1563 struct samr_QueryAliasInfo *r)
1565 struct samr_alias_info *ainfo;
1566 struct acct_info *info;
1567 NTSTATUS status;
1568 union samr_AliasInfo *alias_info = NULL;
1569 const char *alias_name = NULL;
1570 const char *alias_description = NULL;
1572 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1574 ainfo = policy_handle_find(p, r->in.alias_handle,
1575 SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL,
1576 struct samr_alias_info, &status);
1577 if (!NT_STATUS_IS_OK(status)) {
1578 return status;
1581 alias_info = talloc_zero(p->mem_ctx, union samr_AliasInfo);
1582 if (!alias_info) {
1583 return NT_STATUS_NO_MEMORY;
1586 info = talloc_zero(p->mem_ctx, struct acct_info);
1587 if (!info) {
1588 return NT_STATUS_NO_MEMORY;
1591 become_root();
1592 status = pdb_get_aliasinfo(&ainfo->sid, info);
1593 unbecome_root();
1595 if (!NT_STATUS_IS_OK(status)) {
1596 TALLOC_FREE(info);
1597 return status;
1600 alias_name = talloc_steal(r, info->acct_name);
1601 alias_description = talloc_steal(r, info->acct_desc);
1602 TALLOC_FREE(info);
1604 switch (r->in.level) {
1605 case ALIASINFOALL:
1606 alias_info->all.name.string = alias_name;
1607 alias_info->all.num_members = 1; /* ??? */
1608 alias_info->all.description.string = alias_description;
1609 break;
1610 case ALIASINFONAME:
1611 alias_info->name.string = alias_name;
1612 break;
1613 case ALIASINFODESCRIPTION:
1614 alias_info->description.string = alias_description;
1615 break;
1616 default:
1617 return NT_STATUS_INVALID_INFO_CLASS;
1620 *r->out.info = alias_info;
1622 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1624 return NT_STATUS_OK;
1627 /*******************************************************************
1628 _samr_LookupNames
1629 ********************************************************************/
1631 NTSTATUS _samr_LookupNames(struct pipes_struct *p,
1632 struct samr_LookupNames *r)
1634 struct samr_domain_info *dinfo;
1635 NTSTATUS status;
1636 uint32 *rid;
1637 enum lsa_SidType *type;
1638 int i;
1639 int num_rids = r->in.num_names;
1640 struct samr_Ids rids, types;
1641 uint32_t num_mapped = 0;
1643 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1645 dinfo = policy_handle_find(p, r->in.domain_handle,
1646 0 /* Don't know the acc_bits yet */, NULL,
1647 struct samr_domain_info, &status);
1648 if (!NT_STATUS_IS_OK(status)) {
1649 return status;
1652 if (num_rids > MAX_SAM_ENTRIES) {
1653 num_rids = MAX_SAM_ENTRIES;
1654 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1657 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1658 NT_STATUS_HAVE_NO_MEMORY(rid);
1660 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1661 NT_STATUS_HAVE_NO_MEMORY(type);
1663 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1664 sid_string_dbg(&dinfo->sid)));
1666 for (i = 0; i < num_rids; i++) {
1668 status = NT_STATUS_NONE_MAPPED;
1669 type[i] = SID_NAME_UNKNOWN;
1671 rid[i] = 0xffffffff;
1673 if (sid_check_is_builtin(&dinfo->sid)) {
1674 if (lookup_builtin_name(r->in.names[i].string,
1675 &rid[i]))
1677 type[i] = SID_NAME_ALIAS;
1679 } else {
1680 lookup_global_sam_name(r->in.names[i].string, 0,
1681 &rid[i], &type[i]);
1684 if (type[i] != SID_NAME_UNKNOWN) {
1685 num_mapped++;
1689 if (num_mapped == num_rids) {
1690 status = NT_STATUS_OK;
1691 } else if (num_mapped == 0) {
1692 status = NT_STATUS_NONE_MAPPED;
1693 } else {
1694 status = STATUS_SOME_UNMAPPED;
1697 rids.count = num_rids;
1698 rids.ids = rid;
1700 types.count = num_rids;
1701 types.ids = talloc_array(p->mem_ctx, uint32_t, num_rids);
1702 NT_STATUS_HAVE_NO_MEMORY(type);
1703 for (i = 0; i < num_rids; i++) {
1704 types.ids[i] = (type[i] & 0xffffffff);
1707 *r->out.rids = rids;
1708 *r->out.types = types;
1710 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1712 return status;
1715 /****************************************************************
1716 _samr_ChangePasswordUser
1717 ****************************************************************/
1719 NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
1720 struct samr_ChangePasswordUser *r)
1722 NTSTATUS status;
1723 bool ret = false;
1724 struct samr_user_info *uinfo;
1725 struct samu *pwd;
1726 struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
1727 struct samr_Password lm_pwd, nt_pwd;
1729 uinfo = policy_handle_find(p, r->in.user_handle,
1730 SAMR_USER_ACCESS_SET_PASSWORD, NULL,
1731 struct samr_user_info, &status);
1732 if (!NT_STATUS_IS_OK(status)) {
1733 return status;
1736 DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1737 sid_string_dbg(&uinfo->sid)));
1739 if (!(pwd = samu_new(NULL))) {
1740 return NT_STATUS_NO_MEMORY;
1743 become_root();
1744 ret = pdb_getsampwsid(pwd, &uinfo->sid);
1745 unbecome_root();
1747 if (!ret) {
1748 TALLOC_FREE(pwd);
1749 return NT_STATUS_WRONG_PASSWORD;
1753 const uint8_t *lm_pass, *nt_pass;
1755 lm_pass = pdb_get_lanman_passwd(pwd);
1756 nt_pass = pdb_get_nt_passwd(pwd);
1758 if (!lm_pass || !nt_pass) {
1759 status = NT_STATUS_WRONG_PASSWORD;
1760 goto out;
1763 memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
1764 memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
1767 /* basic sanity checking on parameters. Do this before any database ops */
1768 if (!r->in.lm_present || !r->in.nt_present ||
1769 !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
1770 !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
1771 /* we should really handle a change with lm not
1772 present */
1773 status = NT_STATUS_INVALID_PARAMETER_MIX;
1774 goto out;
1777 /* decrypt and check the new lm hash */
1778 D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
1779 D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
1780 if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
1781 status = NT_STATUS_WRONG_PASSWORD;
1782 goto out;
1785 /* decrypt and check the new nt hash */
1786 D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
1787 D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
1788 if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
1789 status = NT_STATUS_WRONG_PASSWORD;
1790 goto out;
1793 /* The NT Cross is not required by Win2k3 R2, but if present
1794 check the nt cross hash */
1795 if (r->in.cross1_present && r->in.nt_cross) {
1796 D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
1797 if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
1798 status = NT_STATUS_WRONG_PASSWORD;
1799 goto out;
1803 /* The LM Cross is not required by Win2k3 R2, but if present
1804 check the lm cross hash */
1805 if (r->in.cross2_present && r->in.lm_cross) {
1806 D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
1807 if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
1808 status = NT_STATUS_WRONG_PASSWORD;
1809 goto out;
1813 if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
1814 !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
1815 status = NT_STATUS_ACCESS_DENIED;
1816 goto out;
1819 status = pdb_update_sam_account(pwd);
1820 out:
1821 TALLOC_FREE(pwd);
1823 return status;
1826 /*******************************************************************
1827 _samr_ChangePasswordUser2
1828 ********************************************************************/
1830 NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
1831 struct samr_ChangePasswordUser2 *r)
1833 NTSTATUS status;
1834 char *user_name = NULL;
1835 char *rhost;
1836 const char *wks = NULL;
1838 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1840 if (!r->in.account->string) {
1841 return NT_STATUS_INVALID_PARAMETER;
1843 if (r->in.server && r->in.server->string) {
1844 wks = r->in.server->string;
1847 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1850 * Pass the user through the NT -> unix user mapping
1851 * function.
1854 (void)map_username(talloc_tos(), r->in.account->string, &user_name);
1855 if (!user_name) {
1856 return NT_STATUS_NO_MEMORY;
1859 rhost = tsocket_address_inet_addr_string(p->remote_address,
1860 talloc_tos());
1861 if (rhost == NULL) {
1862 return NT_STATUS_NO_MEMORY;
1866 * UNIX username case mangling not required, pass_oem_change
1867 * is case insensitive.
1870 status = pass_oem_change(user_name,
1871 rhost,
1872 r->in.lm_password->data,
1873 r->in.lm_verifier->hash,
1874 r->in.nt_password->data,
1875 r->in.nt_verifier->hash,
1876 NULL);
1878 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1880 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1881 return NT_STATUS_WRONG_PASSWORD;
1884 return status;
1887 /****************************************************************
1888 _samr_OemChangePasswordUser2
1889 ****************************************************************/
1891 NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
1892 struct samr_OemChangePasswordUser2 *r)
1894 NTSTATUS status;
1895 char *user_name = NULL;
1896 const char *wks = NULL;
1897 char *rhost;
1899 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1901 if (!r->in.account->string) {
1902 return NT_STATUS_INVALID_PARAMETER;
1904 if (r->in.server && r->in.server->string) {
1905 wks = r->in.server->string;
1908 DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1911 * Pass the user through the NT -> unix user mapping
1912 * function.
1915 (void)map_username(talloc_tos(), r->in.account->string, &user_name);
1916 if (!user_name) {
1917 return NT_STATUS_NO_MEMORY;
1921 * UNIX username case mangling not required, pass_oem_change
1922 * is case insensitive.
1925 if (!r->in.hash || !r->in.password) {
1926 return NT_STATUS_INVALID_PARAMETER;
1929 rhost = tsocket_address_inet_addr_string(p->remote_address,
1930 talloc_tos());
1931 if (rhost == NULL) {
1932 return NT_STATUS_NO_MEMORY;
1935 status = pass_oem_change(user_name,
1936 rhost,
1937 r->in.password->data,
1938 r->in.hash->hash,
1941 NULL);
1943 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1944 return NT_STATUS_WRONG_PASSWORD;
1947 DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1949 return status;
1952 /*******************************************************************
1953 _samr_ChangePasswordUser3
1954 ********************************************************************/
1956 NTSTATUS _samr_ChangePasswordUser3(struct pipes_struct *p,
1957 struct samr_ChangePasswordUser3 *r)
1959 NTSTATUS status;
1960 char *user_name = NULL;
1961 const char *wks = NULL;
1962 enum samPwdChangeReason reject_reason;
1963 struct samr_DomInfo1 *dominfo = NULL;
1964 struct userPwdChangeFailureInformation *reject = NULL;
1965 uint32_t tmp;
1966 char *rhost;
1968 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1970 if (!r->in.account->string) {
1971 return NT_STATUS_INVALID_PARAMETER;
1973 if (r->in.server && r->in.server->string) {
1974 wks = r->in.server->string;
1977 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1980 * Pass the user through the NT -> unix user mapping
1981 * function.
1984 (void)map_username(talloc_tos(), r->in.account->string, &user_name);
1985 if (!user_name) {
1986 return NT_STATUS_NO_MEMORY;
1989 rhost = tsocket_address_inet_addr_string(p->remote_address,
1990 talloc_tos());
1991 if (rhost == NULL) {
1992 return NT_STATUS_NO_MEMORY;
1996 * UNIX username case mangling not required, pass_oem_change
1997 * is case insensitive.
2000 status = pass_oem_change(user_name,
2001 rhost,
2002 r->in.lm_password->data,
2003 r->in.lm_verifier->hash,
2004 r->in.nt_password->data,
2005 r->in.nt_verifier->hash,
2006 &reject_reason);
2007 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2008 return NT_STATUS_WRONG_PASSWORD;
2011 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
2012 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
2014 time_t u_expire, u_min_age;
2015 uint32 account_policy_temp;
2017 dominfo = talloc_zero(p->mem_ctx, struct samr_DomInfo1);
2018 if (!dominfo) {
2019 return NT_STATUS_NO_MEMORY;
2022 reject = talloc_zero(p->mem_ctx,
2023 struct userPwdChangeFailureInformation);
2024 if (!reject) {
2025 return NT_STATUS_NO_MEMORY;
2028 become_root();
2030 /* AS ROOT !!! */
2032 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &tmp);
2033 dominfo->min_password_length = tmp;
2035 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &tmp);
2036 dominfo->password_history_length = tmp;
2038 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
2039 &dominfo->password_properties);
2041 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
2042 u_expire = account_policy_temp;
2044 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
2045 u_min_age = account_policy_temp;
2047 /* !AS ROOT */
2049 unbecome_root();
2051 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
2052 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
2054 if (lp_check_password_script(talloc_tos())
2055 && *lp_check_password_script(talloc_tos())) {
2056 dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
2059 reject->extendedFailureReason = reject_reason;
2061 *r->out.dominfo = dominfo;
2062 *r->out.reject = reject;
2065 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2067 return status;
2070 /*******************************************************************
2071 makes a SAMR_R_LOOKUP_RIDS structure.
2072 ********************************************************************/
2074 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2075 const char **names,
2076 struct lsa_String **lsa_name_array_p)
2078 struct lsa_String *lsa_name_array = NULL;
2079 uint32_t i;
2081 *lsa_name_array_p = NULL;
2083 if (num_names != 0) {
2084 lsa_name_array = talloc_zero_array(ctx, struct lsa_String, num_names);
2085 if (!lsa_name_array) {
2086 return false;
2090 for (i = 0; i < num_names; i++) {
2091 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2092 init_lsa_String(&lsa_name_array[i], names[i]);
2095 *lsa_name_array_p = lsa_name_array;
2097 return true;
2100 /*******************************************************************
2101 _samr_LookupRids
2102 ********************************************************************/
2104 NTSTATUS _samr_LookupRids(struct pipes_struct *p,
2105 struct samr_LookupRids *r)
2107 struct samr_domain_info *dinfo;
2108 NTSTATUS status;
2109 const char **names;
2110 enum lsa_SidType *attrs = NULL;
2111 uint32 *wire_attrs = NULL;
2112 int num_rids = (int)r->in.num_rids;
2113 int i;
2114 struct lsa_Strings names_array;
2115 struct samr_Ids types_array;
2116 struct lsa_String *lsa_names = NULL;
2118 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2120 dinfo = policy_handle_find(p, r->in.domain_handle,
2121 0 /* Don't know the acc_bits yet */, NULL,
2122 struct samr_domain_info, &status);
2123 if (!NT_STATUS_IS_OK(status)) {
2124 return status;
2127 if (num_rids > 1000) {
2128 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2129 "to samba4 idl this is not possible\n", num_rids));
2130 return NT_STATUS_UNSUCCESSFUL;
2133 if (num_rids) {
2134 names = talloc_zero_array(p->mem_ctx, const char *, num_rids);
2135 attrs = talloc_zero_array(p->mem_ctx, enum lsa_SidType, num_rids);
2136 wire_attrs = talloc_zero_array(p->mem_ctx, uint32, num_rids);
2138 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2139 return NT_STATUS_NO_MEMORY;
2140 } else {
2141 names = NULL;
2142 attrs = NULL;
2143 wire_attrs = NULL;
2146 become_root(); /* lookup_sid can require root privs */
2147 status = pdb_lookup_rids(&dinfo->sid, num_rids, r->in.rids,
2148 names, attrs);
2149 unbecome_root();
2151 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2152 status = NT_STATUS_OK;
2155 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2156 &lsa_names)) {
2157 return NT_STATUS_NO_MEMORY;
2160 /* Convert from enum lsa_SidType to uint32 for wire format. */
2161 for (i = 0; i < num_rids; i++) {
2162 wire_attrs[i] = (uint32)attrs[i];
2165 names_array.count = num_rids;
2166 names_array.names = lsa_names;
2168 types_array.count = num_rids;
2169 types_array.ids = wire_attrs;
2171 *r->out.names = names_array;
2172 *r->out.types = types_array;
2174 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2176 return status;
2179 /*******************************************************************
2180 _samr_OpenUser
2181 ********************************************************************/
2183 NTSTATUS _samr_OpenUser(struct pipes_struct *p,
2184 struct samr_OpenUser *r)
2186 struct samu *sampass=NULL;
2187 struct dom_sid sid;
2188 struct samr_domain_info *dinfo;
2189 struct samr_user_info *uinfo;
2190 struct security_descriptor *psd = NULL;
2191 uint32 acc_granted;
2192 uint32 des_access = r->in.access_mask;
2193 uint32_t extra_access = 0;
2194 size_t sd_size;
2195 bool ret;
2196 NTSTATUS nt_status;
2198 /* These two privileges, if != SEC_PRIV_INVALID, indicate
2199 * privileges that the user must have to complete this
2200 * operation in defience of the fixed ACL */
2201 enum sec_privilege needed_priv_1, needed_priv_2;
2202 NTSTATUS status;
2204 dinfo = policy_handle_find(p, r->in.domain_handle,
2205 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
2206 struct samr_domain_info, &status);
2207 if (!NT_STATUS_IS_OK(status)) {
2208 return status;
2211 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2212 return NT_STATUS_NO_MEMORY;
2215 /* append the user's RID to it */
2217 if (!sid_compose(&sid, &dinfo->sid, r->in.rid))
2218 return NT_STATUS_NO_SUCH_USER;
2220 /* check if access can be granted as requested by client. */
2221 map_max_allowed_access(p->session_info->security_token,
2222 p->session_info->unix_token,
2223 &des_access);
2225 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2226 se_map_generic(&des_access, &usr_generic_mapping);
2229 * Get the sampass first as we need to check privileges
2230 * based on what kind of user object this is.
2231 * But don't reveal info too early if it didn't exist.
2234 become_root();
2235 ret=pdb_getsampwsid(sampass, &sid);
2236 unbecome_root();
2238 needed_priv_1 = SEC_PRIV_INVALID;
2239 needed_priv_2 = SEC_PRIV_INVALID;
2241 * We do the override access checks on *open*, not at
2242 * SetUserInfo time.
2244 if (ret) {
2245 uint32_t acb_info = pdb_get_acct_ctrl(sampass);
2247 if (acb_info & ACB_WSTRUST) {
2249 * SeMachineAccount is needed to add
2250 * GENERIC_RIGHTS_USER_WRITE to a machine
2251 * account.
2253 needed_priv_1 = SEC_PRIV_MACHINE_ACCOUNT;
2255 if (acb_info & ACB_NORMAL) {
2257 * SeAddUsers is needed to add
2258 * GENERIC_RIGHTS_USER_WRITE to a normal
2259 * account.
2261 needed_priv_1 = SEC_PRIV_ADD_USERS;
2264 * Cheat - we have not set a specific privilege for
2265 * server (BDC) or domain trust account, so allow
2266 * GENERIC_RIGHTS_USER_WRITE if pipe user is in
2267 * DOMAIN_RID_ADMINS.
2269 if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
2270 if (lp_enable_privileges() && nt_token_check_domain_rid(p->session_info->security_token,
2271 DOMAIN_RID_ADMINS)) {
2272 des_access &= ~GENERIC_RIGHTS_USER_WRITE;
2273 extra_access = GENERIC_RIGHTS_USER_WRITE;
2274 DEBUG(4,("_samr_OpenUser: Allowing "
2275 "GENERIC_RIGHTS_USER_WRITE for "
2276 "rid admins\n"));
2281 TALLOC_FREE(sampass);
2283 nt_status = access_check_object(psd, p->session_info->security_token,
2284 needed_priv_1, needed_priv_2,
2285 GENERIC_RIGHTS_USER_WRITE, des_access,
2286 &acc_granted, "_samr_OpenUser");
2288 if ( !NT_STATUS_IS_OK(nt_status) )
2289 return nt_status;
2291 /* check that the SID exists in our domain. */
2292 if (ret == False) {
2293 return NT_STATUS_NO_SUCH_USER;
2296 /* If we did the rid admins hack above, allow access. */
2297 acc_granted |= extra_access;
2299 uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
2300 struct samr_user_info, &nt_status);
2301 if (!NT_STATUS_IS_OK(nt_status)) {
2302 return nt_status;
2304 uinfo->sid = sid;
2306 return NT_STATUS_OK;
2309 /*************************************************************************
2310 *************************************************************************/
2312 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2313 DATA_BLOB *blob,
2314 struct lsa_BinaryString **_r)
2316 struct lsa_BinaryString *r;
2318 if (!blob || !_r) {
2319 return NT_STATUS_INVALID_PARAMETER;
2322 r = talloc_zero(mem_ctx, struct lsa_BinaryString);
2323 if (!r) {
2324 return NT_STATUS_NO_MEMORY;
2327 r->array = talloc_zero_array(mem_ctx, uint16_t, blob->length/2);
2328 if (!r->array) {
2329 return NT_STATUS_NO_MEMORY;
2331 memcpy(r->array, blob->data, blob->length);
2332 r->size = blob->length;
2333 r->length = blob->length;
2335 if (!r->array) {
2336 return NT_STATUS_NO_MEMORY;
2339 *_r = r;
2341 return NT_STATUS_OK;
2344 /*************************************************************************
2345 *************************************************************************/
2347 static struct samr_LogonHours get_logon_hours_from_pdb(TALLOC_CTX *mem_ctx,
2348 struct samu *pw)
2350 struct samr_LogonHours hours;
2351 const int units_per_week = 168;
2353 ZERO_STRUCT(hours);
2354 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
2355 if (!hours.bits) {
2356 return hours;
2359 hours.units_per_week = units_per_week;
2360 memset(hours.bits, 0xFF, units_per_week);
2362 if (pdb_get_hours(pw)) {
2363 memcpy(hours.bits, pdb_get_hours(pw),
2364 MIN(pdb_get_hours_len(pw), units_per_week));
2367 return hours;
2370 /*************************************************************************
2371 get_user_info_1.
2372 *************************************************************************/
2374 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2375 struct samr_UserInfo1 *r,
2376 struct samu *pw,
2377 struct dom_sid *domain_sid)
2379 const struct dom_sid *sid_group;
2380 uint32_t primary_gid;
2382 become_root();
2383 sid_group = pdb_get_group_sid(pw);
2384 unbecome_root();
2386 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2387 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2388 "which conflicts with the domain sid %s. Failing operation.\n",
2389 pdb_get_username(pw), sid_string_dbg(sid_group),
2390 sid_string_dbg(domain_sid)));
2391 return NT_STATUS_UNSUCCESSFUL;
2394 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2395 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2396 r->primary_gid = primary_gid;
2397 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2398 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2400 return NT_STATUS_OK;
2403 /*************************************************************************
2404 get_user_info_2.
2405 *************************************************************************/
2407 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2408 struct samr_UserInfo2 *r,
2409 struct samu *pw)
2411 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2412 r->reserved.string = NULL;
2413 r->country_code = pdb_get_country_code(pw);
2414 r->code_page = pdb_get_code_page(pw);
2416 return NT_STATUS_OK;
2419 /*************************************************************************
2420 get_user_info_3.
2421 *************************************************************************/
2423 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2424 struct samr_UserInfo3 *r,
2425 struct samu *pw,
2426 struct dom_sid *domain_sid)
2428 const struct dom_sid *sid_user, *sid_group;
2429 uint32_t rid, primary_gid;
2431 sid_user = pdb_get_user_sid(pw);
2433 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2434 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2435 "the domain sid %s. Failing operation.\n",
2436 pdb_get_username(pw), sid_string_dbg(sid_user),
2437 sid_string_dbg(domain_sid)));
2438 return NT_STATUS_UNSUCCESSFUL;
2441 become_root();
2442 sid_group = pdb_get_group_sid(pw);
2443 unbecome_root();
2445 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2446 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2447 "which conflicts with the domain sid %s. Failing operation.\n",
2448 pdb_get_username(pw), sid_string_dbg(sid_group),
2449 sid_string_dbg(domain_sid)));
2450 return NT_STATUS_UNSUCCESSFUL;
2453 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2454 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2455 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2456 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2457 unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2459 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2460 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2461 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2462 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2463 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2464 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2465 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2467 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2468 r->rid = rid;
2469 r->primary_gid = primary_gid;
2470 r->acct_flags = pdb_get_acct_ctrl(pw);
2471 r->bad_password_count = pdb_get_bad_password_count(pw);
2472 r->logon_count = pdb_get_logon_count(pw);
2474 return NT_STATUS_OK;
2477 /*************************************************************************
2478 get_user_info_4.
2479 *************************************************************************/
2481 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2482 struct samr_UserInfo4 *r,
2483 struct samu *pw)
2485 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2487 return NT_STATUS_OK;
2490 /*************************************************************************
2491 get_user_info_5.
2492 *************************************************************************/
2494 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2495 struct samr_UserInfo5 *r,
2496 struct samu *pw,
2497 struct dom_sid *domain_sid)
2499 const struct dom_sid *sid_user, *sid_group;
2500 uint32_t rid, primary_gid;
2502 sid_user = pdb_get_user_sid(pw);
2504 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2505 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2506 "the domain sid %s. Failing operation.\n",
2507 pdb_get_username(pw), sid_string_dbg(sid_user),
2508 sid_string_dbg(domain_sid)));
2509 return NT_STATUS_UNSUCCESSFUL;
2512 become_root();
2513 sid_group = pdb_get_group_sid(pw);
2514 unbecome_root();
2516 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2517 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2518 "which conflicts with the domain sid %s. Failing operation.\n",
2519 pdb_get_username(pw), sid_string_dbg(sid_group),
2520 sid_string_dbg(domain_sid)));
2521 return NT_STATUS_UNSUCCESSFUL;
2524 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2525 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2526 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2527 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2529 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2530 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2531 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2532 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2533 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2534 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2535 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2536 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2538 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2539 r->rid = rid;
2540 r->primary_gid = primary_gid;
2541 r->acct_flags = pdb_get_acct_ctrl(pw);
2542 r->bad_password_count = pdb_get_bad_password_count(pw);
2543 r->logon_count = pdb_get_logon_count(pw);
2545 return NT_STATUS_OK;
2548 /*************************************************************************
2549 get_user_info_6.
2550 *************************************************************************/
2552 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2553 struct samr_UserInfo6 *r,
2554 struct samu *pw)
2556 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2557 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2559 return NT_STATUS_OK;
2562 /*************************************************************************
2563 get_user_info_7. Safe. Only gives out account_name.
2564 *************************************************************************/
2566 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2567 struct samr_UserInfo7 *r,
2568 struct samu *smbpass)
2570 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2571 if (!r->account_name.string) {
2572 return NT_STATUS_NO_MEMORY;
2575 return NT_STATUS_OK;
2578 /*************************************************************************
2579 get_user_info_8.
2580 *************************************************************************/
2582 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2583 struct samr_UserInfo8 *r,
2584 struct samu *pw)
2586 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2588 return NT_STATUS_OK;
2591 /*************************************************************************
2592 get_user_info_9. Only gives out primary group SID.
2593 *************************************************************************/
2595 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2596 struct samr_UserInfo9 *r,
2597 struct samu *smbpass)
2599 r->primary_gid = pdb_get_group_rid(smbpass);
2601 return NT_STATUS_OK;
2604 /*************************************************************************
2605 get_user_info_10.
2606 *************************************************************************/
2608 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2609 struct samr_UserInfo10 *r,
2610 struct samu *pw)
2612 r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2613 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2615 return NT_STATUS_OK;
2618 /*************************************************************************
2619 get_user_info_11.
2620 *************************************************************************/
2622 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2623 struct samr_UserInfo11 *r,
2624 struct samu *pw)
2626 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2628 return NT_STATUS_OK;
2631 /*************************************************************************
2632 get_user_info_12.
2633 *************************************************************************/
2635 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2636 struct samr_UserInfo12 *r,
2637 struct samu *pw)
2639 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2641 return NT_STATUS_OK;
2644 /*************************************************************************
2645 get_user_info_13.
2646 *************************************************************************/
2648 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2649 struct samr_UserInfo13 *r,
2650 struct samu *pw)
2652 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2654 return NT_STATUS_OK;
2657 /*************************************************************************
2658 get_user_info_14.
2659 *************************************************************************/
2661 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2662 struct samr_UserInfo14 *r,
2663 struct samu *pw)
2665 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2667 return NT_STATUS_OK;
2670 /*************************************************************************
2671 get_user_info_16. Safe. Only gives out acb bits.
2672 *************************************************************************/
2674 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2675 struct samr_UserInfo16 *r,
2676 struct samu *smbpass)
2678 r->acct_flags = pdb_get_acct_ctrl(smbpass);
2680 return NT_STATUS_OK;
2683 /*************************************************************************
2684 get_user_info_17.
2685 *************************************************************************/
2687 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2688 struct samr_UserInfo17 *r,
2689 struct samu *pw)
2691 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2693 return NT_STATUS_OK;
2696 /*************************************************************************
2697 get_user_info_18. OK - this is the killer as it gives out password info.
2698 Ensure that this is only allowed on an encrypted connection with a root
2699 user. JRA.
2700 *************************************************************************/
2702 static NTSTATUS get_user_info_18(struct pipes_struct *p,
2703 TALLOC_CTX *mem_ctx,
2704 struct samr_UserInfo18 *r,
2705 struct dom_sid *user_sid)
2707 struct samu *smbpass=NULL;
2708 bool ret;
2709 const uint8_t *nt_pass = NULL;
2710 const uint8_t *lm_pass = NULL;
2712 ZERO_STRUCTP(r);
2714 if (security_token_is_system(p->session_info->security_token)) {
2715 goto query;
2718 if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
2719 (p->auth.auth_type != DCERPC_AUTH_TYPE_KRB5) ||
2720 (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO)) {
2721 return NT_STATUS_ACCESS_DENIED;
2724 if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
2725 return NT_STATUS_ACCESS_DENIED;
2728 query:
2730 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2733 if ( !(smbpass = samu_new( mem_ctx )) ) {
2734 return NT_STATUS_NO_MEMORY;
2737 ret = pdb_getsampwsid(smbpass, user_sid);
2739 if (ret == False) {
2740 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2741 TALLOC_FREE(smbpass);
2742 return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2745 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2747 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2748 TALLOC_FREE(smbpass);
2749 return NT_STATUS_ACCOUNT_DISABLED;
2752 lm_pass = pdb_get_lanman_passwd(smbpass);
2753 if (lm_pass != NULL) {
2754 memcpy(r->lm_pwd.hash, lm_pass, 16);
2755 r->lm_pwd_active = true;
2758 nt_pass = pdb_get_nt_passwd(smbpass);
2759 if (nt_pass != NULL) {
2760 memcpy(r->nt_pwd.hash, nt_pass, 16);
2761 r->nt_pwd_active = true;
2763 r->password_expired = 0; /* FIXME */
2765 TALLOC_FREE(smbpass);
2767 return NT_STATUS_OK;
2770 /*************************************************************************
2771 get_user_info_20
2772 *************************************************************************/
2774 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2775 struct samr_UserInfo20 *r,
2776 struct samu *sampass)
2778 const char *munged_dial = NULL;
2779 DATA_BLOB blob;
2780 NTSTATUS status;
2781 struct lsa_BinaryString *parameters = NULL;
2783 ZERO_STRUCTP(r);
2785 munged_dial = pdb_get_munged_dial(sampass);
2787 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2788 munged_dial, (int)strlen(munged_dial)));
2790 if (munged_dial) {
2791 blob = base64_decode_data_blob(munged_dial);
2792 } else {
2793 blob = data_blob_string_const_null("");
2796 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2797 data_blob_free(&blob);
2798 if (!NT_STATUS_IS_OK(status)) {
2799 return status;
2802 r->parameters = *parameters;
2804 return NT_STATUS_OK;
2808 /*************************************************************************
2809 get_user_info_21
2810 *************************************************************************/
2812 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2813 struct samr_UserInfo21 *r,
2814 struct samu *pw,
2815 struct dom_sid *domain_sid,
2816 uint32_t acc_granted)
2818 NTSTATUS status;
2819 const struct dom_sid *sid_user, *sid_group;
2820 uint32_t rid, primary_gid;
2821 NTTIME force_password_change;
2822 time_t must_change_time;
2823 struct lsa_BinaryString *parameters = NULL;
2824 const char *munged_dial = NULL;
2825 DATA_BLOB blob;
2827 ZERO_STRUCTP(r);
2829 sid_user = pdb_get_user_sid(pw);
2831 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2832 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2833 "the domain sid %s. Failing operation.\n",
2834 pdb_get_username(pw), sid_string_dbg(sid_user),
2835 sid_string_dbg(domain_sid)));
2836 return NT_STATUS_UNSUCCESSFUL;
2839 become_root();
2840 sid_group = pdb_get_group_sid(pw);
2841 unbecome_root();
2843 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2844 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2845 "which conflicts with the domain sid %s. Failing operation.\n",
2846 pdb_get_username(pw), sid_string_dbg(sid_group),
2847 sid_string_dbg(domain_sid)));
2848 return NT_STATUS_UNSUCCESSFUL;
2851 unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2852 unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2853 unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2854 unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2855 unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2857 must_change_time = pdb_get_pass_must_change_time(pw);
2858 if (pdb_is_password_change_time_max(must_change_time)) {
2859 unix_to_nt_time_abs(&force_password_change, must_change_time);
2860 } else {
2861 unix_to_nt_time(&force_password_change, must_change_time);
2864 munged_dial = pdb_get_munged_dial(pw);
2865 if (munged_dial) {
2866 blob = base64_decode_data_blob(munged_dial);
2867 } else {
2868 blob = data_blob_string_const_null("");
2871 status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2872 data_blob_free(&blob);
2873 if (!NT_STATUS_IS_OK(status)) {
2874 return status;
2877 r->force_password_change = force_password_change;
2879 r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2880 r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2881 r->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2882 r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2883 r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2884 r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2885 r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2886 r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2887 r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2889 r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2890 r->parameters = *parameters;
2891 r->rid = rid;
2892 r->primary_gid = primary_gid;
2893 r->acct_flags = pdb_get_acct_ctrl(pw);
2894 r->bad_password_count = pdb_get_bad_password_count(pw);
2895 r->logon_count = pdb_get_logon_count(pw);
2896 r->fields_present = pdb_build_fields_present(pw);
2897 r->password_expired = (pdb_get_pass_must_change_time(pw) == 0) ?
2898 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2899 r->country_code = pdb_get_country_code(pw);
2900 r->code_page = pdb_get_code_page(pw);
2901 r->lm_password_set = 0;
2902 r->nt_password_set = 0;
2904 #if 0
2907 Look at a user on a real NT4 PDC with usrmgr, press
2908 'ok'. Then you will see that fields_present is set to
2909 0x08f827fa. Look at the user immediately after that again,
2910 and you will see that 0x00fffff is returned. This solves
2911 the problem that you get access denied after having looked
2912 at the user.
2913 -- Volker
2916 #endif
2919 return NT_STATUS_OK;
2922 /*******************************************************************
2923 _samr_QueryUserInfo
2924 ********************************************************************/
2926 NTSTATUS _samr_QueryUserInfo(struct pipes_struct *p,
2927 struct samr_QueryUserInfo *r)
2929 NTSTATUS status;
2930 union samr_UserInfo *user_info = NULL;
2931 struct samr_user_info *uinfo;
2932 struct dom_sid domain_sid;
2933 uint32 rid;
2934 bool ret = false;
2935 struct samu *pwd = NULL;
2936 uint32_t acc_required, acc_granted;
2938 switch (r->in.level) {
2939 case 1: /* UserGeneralInformation */
2940 /* USER_READ_GENERAL */
2941 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
2942 break;
2943 case 2: /* UserPreferencesInformation */
2944 /* USER_READ_PREFERENCES | USER_READ_GENERAL */
2945 acc_required = SAMR_USER_ACCESS_GET_LOCALE |
2946 SAMR_USER_ACCESS_GET_NAME_ETC;
2947 break;
2948 case 3: /* UserLogonInformation */
2949 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
2950 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
2951 SAMR_USER_ACCESS_GET_LOCALE |
2952 SAMR_USER_ACCESS_GET_LOGONINFO |
2953 SAMR_USER_ACCESS_GET_ATTRIBUTES;
2954 break;
2955 case 4: /* UserLogonHoursInformation */
2956 /* USER_READ_LOGON */
2957 acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
2958 break;
2959 case 5: /* UserAccountInformation */
2960 /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
2961 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
2962 SAMR_USER_ACCESS_GET_LOCALE |
2963 SAMR_USER_ACCESS_GET_LOGONINFO |
2964 SAMR_USER_ACCESS_GET_ATTRIBUTES;
2965 break;
2966 case 6: /* UserNameInformation */
2967 case 7: /* UserAccountNameInformation */
2968 case 8: /* UserFullNameInformation */
2969 case 9: /* UserPrimaryGroupInformation */
2970 case 13: /* UserAdminCommentInformation */
2971 /* USER_READ_GENERAL */
2972 acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
2973 break;
2974 case 10: /* UserHomeInformation */
2975 case 11: /* UserScriptInformation */
2976 case 12: /* UserProfileInformation */
2977 case 14: /* UserWorkStationsInformation */
2978 /* USER_READ_LOGON */
2979 acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
2980 break;
2981 case 16: /* UserControlInformation */
2982 case 17: /* UserExpiresInformation */
2983 case 20: /* UserParametersInformation */
2984 /* USER_READ_ACCOUNT */
2985 acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
2986 break;
2987 case 21: /* UserAllInformation */
2988 /* FIXME! - gd */
2989 acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
2990 break;
2991 case 18: /* UserInternal1Information */
2992 /* FIXME! - gd */
2993 acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
2994 break;
2995 case 23: /* UserInternal4Information */
2996 case 24: /* UserInternal4InformationNew */
2997 case 25: /* UserInternal4InformationNew */
2998 case 26: /* UserInternal5InformationNew */
2999 default:
3000 return NT_STATUS_INVALID_INFO_CLASS;
3001 break;
3004 uinfo = policy_handle_find(p, r->in.user_handle,
3005 acc_required, &acc_granted,
3006 struct samr_user_info, &status);
3007 if (!NT_STATUS_IS_OK(status)) {
3008 return status;
3011 domain_sid = uinfo->sid;
3013 sid_split_rid(&domain_sid, &rid);
3015 if (!sid_check_is_in_our_sam(&uinfo->sid))
3016 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3018 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
3019 sid_string_dbg(&uinfo->sid)));
3021 user_info = talloc_zero(p->mem_ctx, union samr_UserInfo);
3022 if (!user_info) {
3023 return NT_STATUS_NO_MEMORY;
3026 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
3028 if (!(pwd = samu_new(p->mem_ctx))) {
3029 return NT_STATUS_NO_MEMORY;
3032 become_root();
3033 ret = pdb_getsampwsid(pwd, &uinfo->sid);
3034 unbecome_root();
3036 if (ret == false) {
3037 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid)));
3038 TALLOC_FREE(pwd);
3039 return NT_STATUS_NO_SUCH_USER;
3042 DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
3044 samr_clear_sam_passwd(pwd);
3046 switch (r->in.level) {
3047 case 1:
3048 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
3049 break;
3050 case 2:
3051 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
3052 break;
3053 case 3:
3054 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
3055 break;
3056 case 4:
3057 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
3058 break;
3059 case 5:
3060 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
3061 break;
3062 case 6:
3063 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
3064 break;
3065 case 7:
3066 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
3067 break;
3068 case 8:
3069 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
3070 break;
3071 case 9:
3072 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
3073 break;
3074 case 10:
3075 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
3076 break;
3077 case 11:
3078 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
3079 break;
3080 case 12:
3081 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
3082 break;
3083 case 13:
3084 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
3085 break;
3086 case 14:
3087 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
3088 break;
3089 case 16:
3090 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
3091 break;
3092 case 17:
3093 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
3094 break;
3095 case 18:
3096 /* level 18 is special */
3097 status = get_user_info_18(p, p->mem_ctx, &user_info->info18,
3098 &uinfo->sid);
3099 break;
3100 case 20:
3101 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
3102 break;
3103 case 21:
3104 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid, acc_granted);
3105 break;
3106 default:
3107 status = NT_STATUS_INVALID_INFO_CLASS;
3108 break;
3111 if (!NT_STATUS_IS_OK(status)) {
3112 goto done;
3115 *r->out.info = user_info;
3117 done:
3118 TALLOC_FREE(pwd);
3120 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
3122 return status;
3125 /****************************************************************
3126 ****************************************************************/
3128 NTSTATUS _samr_QueryUserInfo2(struct pipes_struct *p,
3129 struct samr_QueryUserInfo2 *r)
3131 struct samr_QueryUserInfo u;
3133 u.in.user_handle = r->in.user_handle;
3134 u.in.level = r->in.level;
3135 u.out.info = r->out.info;
3137 return _samr_QueryUserInfo(p, &u);
3140 /*******************************************************************
3141 _samr_GetGroupsForUser
3142 ********************************************************************/
3144 NTSTATUS _samr_GetGroupsForUser(struct pipes_struct *p,
3145 struct samr_GetGroupsForUser *r)
3147 struct samr_user_info *uinfo;
3148 struct samu *sam_pass=NULL;
3149 struct dom_sid *sids;
3150 struct samr_RidWithAttribute dom_gid;
3151 struct samr_RidWithAttribute *gids = NULL;
3152 uint32 primary_group_rid;
3153 uint32_t num_groups = 0;
3154 gid_t *unix_gids;
3155 uint32_t i, num_gids;
3156 bool ret;
3157 NTSTATUS result;
3158 bool success = False;
3160 struct samr_RidWithAttributeArray *rids = NULL;
3163 * from the SID in the request:
3164 * we should send back the list of DOMAIN GROUPS
3165 * the user is a member of
3167 * and only the DOMAIN GROUPS
3168 * no ALIASES !!! neither aliases of the domain
3169 * nor aliases of the builtin SID
3171 * JFM, 12/2/2001
3174 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3176 uinfo = policy_handle_find(p, r->in.user_handle,
3177 SAMR_USER_ACCESS_GET_GROUPS, NULL,
3178 struct samr_user_info, &result);
3179 if (!NT_STATUS_IS_OK(result)) {
3180 return result;
3183 rids = talloc_zero(p->mem_ctx, struct samr_RidWithAttributeArray);
3184 if (!rids) {
3185 return NT_STATUS_NO_MEMORY;
3188 if (!sid_check_is_in_our_sam(&uinfo->sid))
3189 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3191 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
3192 return NT_STATUS_NO_MEMORY;
3195 become_root();
3196 ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
3197 unbecome_root();
3199 if (!ret) {
3200 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3201 sid_string_dbg(&uinfo->sid)));
3202 return NT_STATUS_NO_SUCH_USER;
3205 sids = NULL;
3207 /* make both calls inside the root block */
3208 become_root();
3209 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
3210 &sids, &unix_gids, &num_groups);
3211 if ( NT_STATUS_IS_OK(result) ) {
3212 success = sid_peek_check_rid(get_global_sam_sid(),
3213 pdb_get_group_sid(sam_pass),
3214 &primary_group_rid);
3216 unbecome_root();
3218 if (!NT_STATUS_IS_OK(result)) {
3219 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3220 sid_string_dbg(&uinfo->sid)));
3221 return result;
3224 if ( !success ) {
3225 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3226 sid_string_dbg(pdb_get_group_sid(sam_pass)),
3227 pdb_get_username(sam_pass)));
3228 TALLOC_FREE(sam_pass);
3229 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3232 gids = NULL;
3233 num_gids = 0;
3235 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
3236 SE_GROUP_ENABLED);
3237 dom_gid.rid = primary_group_rid;
3238 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3240 for (i=0; i<num_groups; i++) {
3242 if (!sid_peek_check_rid(get_global_sam_sid(),
3243 &(sids[i]), &dom_gid.rid)) {
3244 DEBUG(10, ("Found sid %s not in our domain\n",
3245 sid_string_dbg(&sids[i])));
3246 continue;
3249 if (dom_gid.rid == primary_group_rid) {
3250 /* We added the primary group directly from the
3251 * sam_account. The other SIDs are unique from
3252 * enum_group_memberships */
3253 continue;
3256 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3259 rids->count = num_gids;
3260 rids->rids = gids;
3262 *r->out.rids = rids;
3264 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3266 return result;
3269 /*******************************************************************
3270 ********************************************************************/
3272 static uint32_t samr_get_server_role(void)
3274 uint32_t role = ROLE_DOMAIN_PDC;
3276 if (lp_server_role() == ROLE_DOMAIN_BDC) {
3277 role = ROLE_DOMAIN_BDC;
3280 return role;
3283 /*******************************************************************
3284 ********************************************************************/
3286 static NTSTATUS query_dom_info_1(TALLOC_CTX *mem_ctx,
3287 struct samr_DomInfo1 *r)
3289 uint32_t account_policy_temp;
3290 time_t u_expire, u_min_age;
3292 become_root();
3294 /* AS ROOT !!! */
3296 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &account_policy_temp);
3297 r->min_password_length = account_policy_temp;
3299 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &account_policy_temp);
3300 r->password_history_length = account_policy_temp;
3302 pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
3303 &r->password_properties);
3305 pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
3306 u_expire = account_policy_temp;
3308 pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
3309 u_min_age = account_policy_temp;
3311 /* !AS ROOT */
3313 unbecome_root();
3315 unix_to_nt_time_abs((NTTIME *)&r->max_password_age, u_expire);
3316 unix_to_nt_time_abs((NTTIME *)&r->min_password_age, u_min_age);
3318 if (lp_check_password_script(talloc_tos()) && *lp_check_password_script(talloc_tos())) {
3319 r->password_properties |= DOMAIN_PASSWORD_COMPLEX;
3322 return NT_STATUS_OK;
3325 /*******************************************************************
3326 ********************************************************************/
3328 static NTSTATUS query_dom_info_2(TALLOC_CTX *mem_ctx,
3329 struct samr_DomGeneralInformation *r,
3330 struct samr_domain_info *dinfo)
3332 uint32_t u_logout;
3333 time_t seq_num;
3335 become_root();
3337 /* AS ROOT !!! */
3339 r->num_users = count_sam_users(dinfo->disp_info, ACB_NORMAL);
3340 r->num_groups = count_sam_groups(dinfo->disp_info);
3341 r->num_aliases = count_sam_aliases(dinfo->disp_info);
3343 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &u_logout);
3345 unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
3347 if (!pdb_get_seq_num(&seq_num)) {
3348 seq_num = time(NULL);
3351 /* !AS ROOT */
3353 unbecome_root();
3355 r->oem_information.string = lp_serverstring(r);
3356 r->domain_name.string = lp_workgroup();
3357 r->primary.string = lp_netbios_name();
3358 r->sequence_num = seq_num;
3359 r->domain_server_state = DOMAIN_SERVER_ENABLED;
3360 r->role = (enum samr_Role) samr_get_server_role();
3361 r->unknown3 = 1;
3363 return NT_STATUS_OK;
3366 /*******************************************************************
3367 ********************************************************************/
3369 static NTSTATUS query_dom_info_3(TALLOC_CTX *mem_ctx,
3370 struct samr_DomInfo3 *r)
3372 uint32_t u_logout;
3374 become_root();
3376 /* AS ROOT !!! */
3379 uint32_t ul;
3380 pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &ul);
3381 u_logout = (time_t)ul;
3384 /* !AS ROOT */
3386 unbecome_root();
3388 unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
3390 return NT_STATUS_OK;
3393 /*******************************************************************
3394 ********************************************************************/
3396 static NTSTATUS query_dom_info_4(TALLOC_CTX *mem_ctx,
3397 struct samr_DomOEMInformation *r)
3399 r->oem_information.string = lp_serverstring(r);
3401 return NT_STATUS_OK;
3404 /*******************************************************************
3405 ********************************************************************/
3407 static NTSTATUS query_dom_info_5(TALLOC_CTX *mem_ctx,
3408 struct samr_DomInfo5 *r)
3410 r->domain_name.string = get_global_sam_name();
3412 return NT_STATUS_OK;
3415 /*******************************************************************
3416 ********************************************************************/
3418 static NTSTATUS query_dom_info_6(TALLOC_CTX *mem_ctx,
3419 struct samr_DomInfo6 *r)
3421 /* NT returns its own name when a PDC. win2k and later
3422 * only the name of the PDC if itself is a BDC (samba4
3423 * idl) */
3424 r->primary.string = lp_netbios_name();
3426 return NT_STATUS_OK;
3429 /*******************************************************************
3430 ********************************************************************/
3432 static NTSTATUS query_dom_info_7(TALLOC_CTX *mem_ctx,
3433 struct samr_DomInfo7 *r)
3435 r->role = (enum samr_Role) samr_get_server_role();
3437 return NT_STATUS_OK;
3440 /*******************************************************************
3441 ********************************************************************/
3443 static NTSTATUS query_dom_info_8(TALLOC_CTX *mem_ctx,
3444 struct samr_DomInfo8 *r)
3446 time_t seq_num;
3448 become_root();
3450 /* AS ROOT !!! */
3452 if (!pdb_get_seq_num(&seq_num)) {
3453 seq_num = time(NULL);
3456 /* !AS ROOT */
3458 unbecome_root();
3460 r->sequence_num = seq_num;
3461 r->domain_create_time = 0;
3463 return NT_STATUS_OK;
3466 /*******************************************************************
3467 ********************************************************************/
3469 static NTSTATUS query_dom_info_9(TALLOC_CTX *mem_ctx,
3470 struct samr_DomInfo9 *r)
3472 r->domain_server_state = DOMAIN_SERVER_ENABLED;
3474 return NT_STATUS_OK;
3477 /*******************************************************************
3478 ********************************************************************/
3480 static NTSTATUS query_dom_info_11(TALLOC_CTX *mem_ctx,
3481 struct samr_DomGeneralInformation2 *r,
3482 struct samr_domain_info *dinfo)
3484 NTSTATUS status;
3485 uint32_t account_policy_temp;
3486 time_t u_lock_duration, u_reset_time;
3488 status = query_dom_info_2(mem_ctx, &r->general, dinfo);
3489 if (!NT_STATUS_IS_OK(status)) {
3490 return status;
3493 /* AS ROOT !!! */
3495 become_root();
3497 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3498 u_lock_duration = account_policy_temp;
3499 if (u_lock_duration != -1) {
3500 u_lock_duration *= 60;
3503 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
3504 u_reset_time = account_policy_temp * 60;
3506 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3507 r->lockout_threshold = account_policy_temp;
3509 /* !AS ROOT */
3511 unbecome_root();
3513 unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
3514 unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
3516 return NT_STATUS_OK;
3519 /*******************************************************************
3520 ********************************************************************/
3522 static NTSTATUS query_dom_info_12(TALLOC_CTX *mem_ctx,
3523 struct samr_DomInfo12 *r)
3525 uint32_t account_policy_temp;
3526 time_t u_lock_duration, u_reset_time;
3528 become_root();
3530 /* AS ROOT !!! */
3532 pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3533 u_lock_duration = account_policy_temp;
3534 if (u_lock_duration != -1) {
3535 u_lock_duration *= 60;
3538 pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
3539 u_reset_time = account_policy_temp * 60;
3541 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3542 r->lockout_threshold = account_policy_temp;
3544 /* !AS ROOT */
3546 unbecome_root();
3548 unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
3549 unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
3551 return NT_STATUS_OK;
3554 /*******************************************************************
3555 ********************************************************************/
3557 static NTSTATUS query_dom_info_13(TALLOC_CTX *mem_ctx,
3558 struct samr_DomInfo13 *r)
3560 time_t seq_num;
3562 become_root();
3564 /* AS ROOT !!! */
3566 if (!pdb_get_seq_num(&seq_num)) {
3567 seq_num = time(NULL);
3570 /* !AS ROOT */
3572 unbecome_root();
3574 r->sequence_num = seq_num;
3575 r->domain_create_time = 0;
3576 r->modified_count_at_last_promotion = 0;
3578 return NT_STATUS_OK;
3581 /*******************************************************************
3582 _samr_QueryDomainInfo
3583 ********************************************************************/
3585 NTSTATUS _samr_QueryDomainInfo(struct pipes_struct *p,
3586 struct samr_QueryDomainInfo *r)
3588 NTSTATUS status = NT_STATUS_OK;
3589 struct samr_domain_info *dinfo;
3590 union samr_DomainInfo *dom_info;
3592 uint32_t acc_required;
3594 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3596 switch (r->in.level) {
3597 case 1: /* DomainPasswordInformation */
3598 case 12: /* DomainLockoutInformation */
3599 /* DOMAIN_READ_PASSWORD_PARAMETERS */
3600 acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
3601 break;
3602 case 11: /* DomainGeneralInformation2 */
3603 /* DOMAIN_READ_PASSWORD_PARAMETERS |
3604 * DOMAIN_READ_OTHER_PARAMETERS */
3605 acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
3606 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
3607 break;
3608 case 2: /* DomainGeneralInformation */
3609 case 3: /* DomainLogoffInformation */
3610 case 4: /* DomainOemInformation */
3611 case 5: /* DomainReplicationInformation */
3612 case 6: /* DomainReplicationInformation */
3613 case 7: /* DomainServerRoleInformation */
3614 case 8: /* DomainModifiedInformation */
3615 case 9: /* DomainStateInformation */
3616 case 10: /* DomainUasInformation */
3617 case 13: /* DomainModifiedInformation2 */
3618 /* DOMAIN_READ_OTHER_PARAMETERS */
3619 acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
3620 break;
3621 default:
3622 return NT_STATUS_INVALID_INFO_CLASS;
3625 dinfo = policy_handle_find(p, r->in.domain_handle,
3626 acc_required, NULL,
3627 struct samr_domain_info, &status);
3628 if (!NT_STATUS_IS_OK(status)) {
3629 return status;
3632 dom_info = talloc_zero(p->mem_ctx, union samr_DomainInfo);
3633 if (!dom_info) {
3634 return NT_STATUS_NO_MEMORY;
3637 switch (r->in.level) {
3638 case 1:
3639 status = query_dom_info_1(p->mem_ctx, &dom_info->info1);
3640 break;
3641 case 2:
3642 status = query_dom_info_2(p->mem_ctx, &dom_info->general, dinfo);
3643 break;
3644 case 3:
3645 status = query_dom_info_3(p->mem_ctx, &dom_info->info3);
3646 break;
3647 case 4:
3648 status = query_dom_info_4(p->mem_ctx, &dom_info->oem);
3649 break;
3650 case 5:
3651 status = query_dom_info_5(p->mem_ctx, &dom_info->info5);
3652 break;
3653 case 6:
3654 status = query_dom_info_6(p->mem_ctx, &dom_info->info6);
3655 break;
3656 case 7:
3657 status = query_dom_info_7(p->mem_ctx, &dom_info->info7);
3658 break;
3659 case 8:
3660 status = query_dom_info_8(p->mem_ctx, &dom_info->info8);
3661 break;
3662 case 9:
3663 status = query_dom_info_9(p->mem_ctx, &dom_info->info9);
3664 break;
3665 case 11:
3666 status = query_dom_info_11(p->mem_ctx, &dom_info->general2, dinfo);
3667 break;
3668 case 12:
3669 status = query_dom_info_12(p->mem_ctx, &dom_info->info12);
3670 break;
3671 case 13:
3672 status = query_dom_info_13(p->mem_ctx, &dom_info->info13);
3673 break;
3674 default:
3675 return NT_STATUS_INVALID_INFO_CLASS;
3678 if (!NT_STATUS_IS_OK(status)) {
3679 return status;
3682 *r->out.info = dom_info;
3684 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3686 return status;
3689 /* W2k3 seems to use the same check for all 3 objects that can be created via
3690 * SAMR, if you try to create for example "Dialup" as an alias it says
3691 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3692 * database. */
3694 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3696 enum lsa_SidType type;
3697 bool result;
3699 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3701 become_root();
3702 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3703 * whether the name already exists */
3704 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3705 NULL, NULL, NULL, &type);
3706 unbecome_root();
3708 if (!result) {
3709 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3710 return NT_STATUS_OK;
3713 DEBUG(5, ("trying to create %s, exists as %s\n",
3714 new_name, sid_type_lookup(type)));
3716 if (type == SID_NAME_DOM_GRP) {
3717 return NT_STATUS_GROUP_EXISTS;
3719 if (type == SID_NAME_ALIAS) {
3720 return NT_STATUS_ALIAS_EXISTS;
3723 /* Yes, the default is NT_STATUS_USER_EXISTS */
3724 return NT_STATUS_USER_EXISTS;
3727 /*******************************************************************
3728 _samr_CreateUser2
3729 ********************************************************************/
3731 NTSTATUS _samr_CreateUser2(struct pipes_struct *p,
3732 struct samr_CreateUser2 *r)
3734 const char *account = NULL;
3735 struct dom_sid sid;
3736 uint32_t acb_info = r->in.acct_flags;
3737 struct samr_domain_info *dinfo;
3738 struct samr_user_info *uinfo;
3739 NTSTATUS nt_status;
3740 uint32 acc_granted;
3741 struct security_descriptor *psd;
3742 size_t sd_size;
3743 /* check this, when giving away 'add computer to domain' privs */
3744 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3745 bool can_add_account = False;
3747 /* Which privilege is needed to override the ACL? */
3748 enum sec_privilege needed_priv = SEC_PRIV_INVALID;
3750 dinfo = policy_handle_find(p, r->in.domain_handle,
3751 SAMR_DOMAIN_ACCESS_CREATE_USER, NULL,
3752 struct samr_domain_info, &nt_status);
3753 if (!NT_STATUS_IS_OK(nt_status)) {
3754 return nt_status;
3757 if (sid_check_is_builtin(&dinfo->sid)) {
3758 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3759 return NT_STATUS_ACCESS_DENIED;
3762 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3763 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3764 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3765 this parameter is not an account type */
3766 return NT_STATUS_INVALID_PARAMETER;
3769 account = r->in.account_name->string;
3770 if (account == NULL) {
3771 return NT_STATUS_NO_MEMORY;
3774 nt_status = can_create(p->mem_ctx, account);
3775 if (!NT_STATUS_IS_OK(nt_status)) {
3776 return nt_status;
3779 /* determine which user right we need to check based on the acb_info */
3781 if (geteuid() == sec_initial_uid()) {
3782 can_add_account = true;
3783 } else if (acb_info & ACB_WSTRUST) {
3784 needed_priv = SEC_PRIV_MACHINE_ACCOUNT;
3785 can_add_account = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_MACHINE_ACCOUNT);
3786 } else if (acb_info & ACB_NORMAL &&
3787 (account[strlen(account)-1] != '$')) {
3788 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3789 account for domain trusts and changes the ACB flags later */
3790 needed_priv = SEC_PRIV_ADD_USERS;
3791 can_add_account = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_ADD_USERS);
3792 } else if (lp_enable_privileges()) {
3793 /* implicit assumption of a BDC or domain trust account here
3794 * (we already check the flags earlier) */
3795 /* only Domain Admins can add a BDC or domain trust */
3796 can_add_account = nt_token_check_domain_rid(
3797 p->session_info->security_token,
3798 DOMAIN_RID_ADMINS );
3801 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3802 uidtoname(p->session_info->unix_token->uid),
3803 can_add_account ? "True":"False" ));
3805 if (!can_add_account) {
3806 return NT_STATUS_ACCESS_DENIED;
3809 /********** BEGIN Admin BLOCK **********/
3811 become_root();
3812 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3813 r->out.rid);
3814 unbecome_root();
3816 /********** END Admin BLOCK **********/
3818 /* now check for failure */
3820 if ( !NT_STATUS_IS_OK(nt_status) )
3821 return nt_status;
3823 /* Get the user's SID */
3825 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3827 map_max_allowed_access(p->session_info->security_token,
3828 p->session_info->unix_token,
3829 &des_access);
3831 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3832 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3833 se_map_generic(&des_access, &usr_generic_mapping);
3836 * JRA - TESTME. We just created this user so we
3837 * had rights to create them. Do we need to check
3838 * any further access on this object ? Can't we
3839 * just assume we have all the rights we need ?
3842 nt_status = access_check_object(psd, p->session_info->security_token,
3843 needed_priv, SEC_PRIV_INVALID,
3844 GENERIC_RIGHTS_USER_WRITE, des_access,
3845 &acc_granted, "_samr_CreateUser2");
3847 if ( !NT_STATUS_IS_OK(nt_status) ) {
3848 return nt_status;
3851 uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
3852 struct samr_user_info, &nt_status);
3853 if (!NT_STATUS_IS_OK(nt_status)) {
3854 return nt_status;
3856 uinfo->sid = sid;
3858 /* After a "set" ensure we have no cached display info. */
3859 force_flush_samr_cache(&sid);
3861 *r->out.access_granted = acc_granted;
3863 return NT_STATUS_OK;
3866 /****************************************************************
3867 ****************************************************************/
3869 NTSTATUS _samr_CreateUser(struct pipes_struct *p,
3870 struct samr_CreateUser *r)
3872 struct samr_CreateUser2 c;
3873 uint32_t access_granted;
3875 c.in.domain_handle = r->in.domain_handle;
3876 c.in.account_name = r->in.account_name;
3877 c.in.acct_flags = ACB_NORMAL;
3878 c.in.access_mask = r->in.access_mask;
3879 c.out.user_handle = r->out.user_handle;
3880 c.out.access_granted = &access_granted;
3881 c.out.rid = r->out.rid;
3883 return _samr_CreateUser2(p, &c);
3886 /*******************************************************************
3887 _samr_Connect
3888 ********************************************************************/
3890 NTSTATUS _samr_Connect(struct pipes_struct *p,
3891 struct samr_Connect *r)
3893 uint32_t acc_granted;
3894 struct policy_handle hnd;
3895 uint32 des_access = r->in.access_mask;
3896 NTSTATUS status;
3898 /* Access check */
3900 if (!pipe_access_check(p)) {
3901 DEBUG(3, ("access denied to _samr_Connect\n"));
3902 return NT_STATUS_ACCESS_DENIED;
3905 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3906 was observed from a win98 client trying to enumerate users (when configured
3907 user level access control on shares) --jerry */
3909 map_max_allowed_access(p->session_info->security_token,
3910 p->session_info->unix_token,
3911 &des_access);
3913 se_map_generic( &des_access, &sam_generic_mapping );
3915 acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS
3916 |SAMR_ACCESS_LOOKUP_DOMAIN);
3918 /* set up the SAMR connect_anon response */
3920 (void)policy_handle_create(p, &hnd, acc_granted,
3921 struct samr_connect_info,
3922 &status);
3923 if (!NT_STATUS_IS_OK(status)) {
3924 return status;
3927 *r->out.connect_handle = hnd;
3928 return NT_STATUS_OK;
3931 /*******************************************************************
3932 _samr_Connect2
3933 ********************************************************************/
3935 NTSTATUS _samr_Connect2(struct pipes_struct *p,
3936 struct samr_Connect2 *r)
3938 struct policy_handle hnd;
3939 struct security_descriptor *psd = NULL;
3940 uint32 acc_granted;
3941 uint32 des_access = r->in.access_mask;
3942 NTSTATUS nt_status;
3943 size_t sd_size;
3944 const char *fn = "_samr_Connect2";
3946 switch (p->opnum) {
3947 case NDR_SAMR_CONNECT2:
3948 fn = "_samr_Connect2";
3949 break;
3950 case NDR_SAMR_CONNECT3:
3951 fn = "_samr_Connect3";
3952 break;
3953 case NDR_SAMR_CONNECT4:
3954 fn = "_samr_Connect4";
3955 break;
3956 case NDR_SAMR_CONNECT5:
3957 fn = "_samr_Connect5";
3958 break;
3961 DEBUG(5,("%s: %d\n", fn, __LINE__));
3963 /* Access check */
3965 if (!pipe_access_check(p)) {
3966 DEBUG(3, ("access denied to %s\n", fn));
3967 return NT_STATUS_ACCESS_DENIED;
3970 map_max_allowed_access(p->session_info->security_token,
3971 p->session_info->unix_token,
3972 &des_access);
3974 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3975 se_map_generic(&des_access, &sam_generic_mapping);
3977 nt_status = access_check_object(psd, p->session_info->security_token,
3978 SEC_PRIV_INVALID, SEC_PRIV_INVALID,
3979 0, des_access, &acc_granted, fn);
3981 if ( !NT_STATUS_IS_OK(nt_status) )
3982 return nt_status;
3984 (void)policy_handle_create(p, &hnd, acc_granted,
3985 struct samr_connect_info, &nt_status);
3986 if (!NT_STATUS_IS_OK(nt_status)) {
3987 return nt_status;
3990 DEBUG(5,("%s: %d\n", fn, __LINE__));
3992 *r->out.connect_handle = hnd;
3993 return NT_STATUS_OK;
3996 /****************************************************************
3997 _samr_Connect3
3998 ****************************************************************/
4000 NTSTATUS _samr_Connect3(struct pipes_struct *p,
4001 struct samr_Connect3 *r)
4003 struct samr_Connect2 c;
4005 c.in.system_name = r->in.system_name;
4006 c.in.access_mask = r->in.access_mask;
4007 c.out.connect_handle = r->out.connect_handle;
4009 return _samr_Connect2(p, &c);
4012 /*******************************************************************
4013 _samr_Connect4
4014 ********************************************************************/
4016 NTSTATUS _samr_Connect4(struct pipes_struct *p,
4017 struct samr_Connect4 *r)
4019 struct samr_Connect2 c;
4021 c.in.system_name = r->in.system_name;
4022 c.in.access_mask = r->in.access_mask;
4023 c.out.connect_handle = r->out.connect_handle;
4025 return _samr_Connect2(p, &c);