search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Samba 3: added Samba 3.0.24 sources
[tomato.git] / release / src / router / samba3 / source / rpc_server / srv_lsa_nt.c
blob010c35e3fffae5c8ae0a5bd1b73674cbd2552c47
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 extern PRIVS privs[];
37
38 struct lsa_info {
39 DOM_SID sid;
40 uint32 access;
41 };
42
43 struct generic_mapping lsa_generic_mapping = {
44 POLICY_READ,
45 POLICY_WRITE,
46 POLICY_EXECUTE,
47 POLICY_ALL_ACCESS
48 };
49
50 /*******************************************************************
51 Function to free the per handle data.
52 ********************************************************************/
53
54 static void free_lsa_info(void *ptr)
55 {
56 struct lsa_info *lsa = (struct lsa_info *)ptr;
57
58 SAFE_FREE(lsa);
59 }
60
61 /***************************************************************************
62 Init dom_query
63 ***************************************************************************/
64
65 static void init_dom_query_3(DOM_QUERY_3 *d_q, const char *dom_name, DOM_SID *dom_sid)
66 {
67 d_q->buffer_dom_name = (dom_name != NULL) ? 1 : 0; /* domain buffer pointer */
68 d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0; /* domain sid pointer */
69
70 /* this string is supposed to be non-null terminated. */
71 /* But the maxlen in this UNISTR2 must include the terminating null. */
72 init_unistr2(&d_q->uni_domain_name, dom_name, UNI_BROKEN_NON_NULL);
73
74 /*
75 * I'm not sure why this really odd combination of length
76 * values works, but it does appear to. I need to look at
77 * this *much* more closely - but at the moment leave alone
78 * until it's understood. This allows a W2k client to join
79 * a domain with both odd and even length names... JRA.
80 */
81
82 /*
83 * IMPORTANT NOTE !!!!
84 * The two fields below probably are reversed in meaning, ie.
85 * the first field is probably the str_len, the second the max
86 * len. Both are measured in bytes anyway.
87 */
88
89 d_q->uni_dom_str_len = d_q->uni_domain_name.uni_max_len * 2;
90 d_q->uni_dom_max_len = d_q->uni_domain_name.uni_str_len * 2;
91
92 if (dom_sid != NULL)
93 init_dom_sid2(&d_q->dom_sid, dom_sid);
94 }
95
96 /***************************************************************************
97 Init dom_query
98 ***************************************************************************/
99
100 static void init_dom_query_5(DOM_QUERY_5 *d_q, const char *dom_name, DOM_SID *dom_sid)
101 {
102 init_dom_query_3(d_q, dom_name, dom_sid);
103 }
104
105 /***************************************************************************
106 init_dom_ref - adds a domain if it's not already in, returns the index.
107 ***************************************************************************/
108
109 static int init_dom_ref(DOM_R_REF *ref, const char *dom_name, DOM_SID *dom_sid)
110 {
111 int num = 0;
112
113 if (dom_name != NULL) {
114 for (num = 0; num < ref->num_ref_doms_1; num++) {
115 if (sid_equal(dom_sid, &ref->ref_dom[num].ref_dom.sid))
116 return num;
117 }
118 } else {
119 num = ref->num_ref_doms_1;
120 }
121
122 if (num >= MAX_REF_DOMAINS) {
123 /* index not found, already at maximum domain limit */
124 return -1;
125 }
126
127 ref->num_ref_doms_1 = num+1;
128 ref->ptr_ref_dom = 1;
129 ref->max_entries = MAX_REF_DOMAINS;
130 ref->num_ref_doms_2 = num+1;
131
132 ref->hdr_ref_dom[num].ptr_dom_sid = 1; /* dom sid cannot be NULL. */
133
134 init_unistr2(&ref->ref_dom[num].uni_dom_name, dom_name, UNI_FLAGS_NONE);
135 init_uni_hdr(&ref->hdr_ref_dom[num].hdr_dom_name, &ref->ref_dom[num].uni_dom_name);
136
137 init_dom_sid2(&ref->ref_dom[num].ref_dom, dom_sid );
138
139 return num;
140 }
141
142 /***************************************************************************
143 lookup_lsa_rids. Must be called as root for lookup_name to work.
144 ***************************************************************************/
145
146 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
147 DOM_R_REF *ref,
148 DOM_RID *prid,
149 uint32 num_entries,
150 const UNISTR2 *name,
151 int flags,
152 uint32 *pmapped_count)
153 {
154 uint32 mapped_count, i;
155
156 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
157
158 mapped_count = 0;
159 *pmapped_count = 0;
160
161 for (i = 0; i < num_entries; i++) {
162 DOM_SID sid;
163 uint32 rid;
164 int dom_idx;
165 char *full_name;
166 const char *domain;
167 enum SID_NAME_USE type = SID_NAME_UNKNOWN;
168
169 /* Split name into domain and user component */
170
171 full_name = rpcstr_pull_unistr2_talloc(mem_ctx, &name[i]);
172 if (full_name == NULL) {
173 DEBUG(0, ("pull_ucs2_talloc failed\n"));
174 return NT_STATUS_NO_MEMORY;
175 }
176
177 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
178
179 /* We can ignore the result of lookup_name, it will not touch
180 "type" if it's not successful */
181
182 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
183 &sid, &type);
184
185 switch (type) {
186 case SID_NAME_USER:
187 case SID_NAME_DOM_GRP:
188 case SID_NAME_DOMAIN:
189 case SID_NAME_ALIAS:
190 case SID_NAME_WKN_GRP:
191 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
192 /* Leave these unchanged */
193 break;
194 default:
195 /* Don't hand out anything but the list above */
196 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
197 type = SID_NAME_UNKNOWN;
198 break;
199 }
200
201 rid = 0;
202 dom_idx = -1;
203
204 if (type != SID_NAME_UNKNOWN) {
205 sid_split_rid(&sid, &rid);
206 dom_idx = init_dom_ref(ref, domain, &sid);
207 mapped_count++;
208 }
209
210 init_dom_rid(&prid[i], rid, type, dom_idx);
211 }
212
213 *pmapped_count = mapped_count;
214 return NT_STATUS_OK;
215 }
216
217 /***************************************************************************
218 lookup_lsa_sids. Must be called as root for lookup_name to work.
219 ***************************************************************************/
220
221 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
222 DOM_R_REF *ref,
223 LSA_TRANSLATED_SID3 *trans_sids,
224 uint32 num_entries,
225 const UNISTR2 *name,
226 int flags,
227 uint32 *pmapped_count)
228 {
229 uint32 mapped_count, i;
230
231 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
232
233 mapped_count = 0;
234 *pmapped_count = 0;
235
236 for (i = 0; i < num_entries; i++) {
237 DOM_SID sid;
238 uint32 rid;
239 int dom_idx;
240 char *full_name;
241 const char *domain;
242 enum SID_NAME_USE type = SID_NAME_UNKNOWN;
243
244 /* Split name into domain and user component */
245
246 full_name = rpcstr_pull_unistr2_talloc(mem_ctx, &name[i]);
247 if (full_name == NULL) {
248 DEBUG(0, ("pull_ucs2_talloc failed\n"));
249 return NT_STATUS_NO_MEMORY;
250 }
251
252 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
253
254 /* We can ignore the result of lookup_name, it will not touch
255 "type" if it's not successful */
256
257 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
258 &sid, &type);
259
260 switch (type) {
261 case SID_NAME_USER:
262 case SID_NAME_DOM_GRP:
263 case SID_NAME_DOMAIN:
264 case SID_NAME_ALIAS:
265 case SID_NAME_WKN_GRP:
266 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
267 /* Leave these unchanged */
268 break;
269 default:
270 /* Don't hand out anything but the list above */
271 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
272 type = SID_NAME_UNKNOWN;
273 break;
274 }
275
276 rid = 0;
277 dom_idx = -1;
278
279 if (type != SID_NAME_UNKNOWN) {
280 DOM_SID domain_sid;
281 sid_copy(&domain_sid, &sid);
282 sid_split_rid(&domain_sid, &rid);
283 dom_idx = init_dom_ref(ref, domain, &domain_sid);
284 mapped_count++;
285 }
286
287 /* Initialize the LSA_TRANSLATED_SID3 return. */
288 trans_sids[i].sid_type = type;
289 trans_sids[i].sid2 = TALLOC_P(mem_ctx, DOM_SID2);
290 if (trans_sids[i].sid2 == NULL) {
291 return NT_STATUS_NO_MEMORY;
292 }
293 init_dom_sid2(trans_sids[i].sid2, &sid);
294 trans_sids[i].sid_idx = dom_idx;
295 }
296
297 *pmapped_count = mapped_count;
298 return NT_STATUS_OK;
299 }
300
301 /***************************************************************************
302 init_reply_lookup_names
303 ***************************************************************************/
304
305 static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l,
306 DOM_R_REF *ref, uint32 num_entries,
307 DOM_RID *rid, uint32 mapped_count)
308 {
309 r_l->ptr_dom_ref = 1;
310 r_l->dom_ref = ref;
311
312 r_l->num_entries = num_entries;
313 r_l->ptr_entries = 1;
314 r_l->num_entries2 = num_entries;
315 r_l->dom_rid = rid;
316
317 r_l->mapped_count = mapped_count;
318 }
319
320 /***************************************************************************
321 init_reply_lookup_names2
322 ***************************************************************************/
323
324 static void init_reply_lookup_names2(LSA_R_LOOKUP_NAMES2 *r_l,
325 DOM_R_REF *ref, uint32 num_entries,
326 DOM_RID2 *rid, uint32 mapped_count)
327 {
328 r_l->ptr_dom_ref = 1;
329 r_l->dom_ref = ref;
330
331 r_l->num_entries = num_entries;
332 r_l->ptr_entries = 1;
333 r_l->num_entries2 = num_entries;
334 r_l->dom_rid = rid;
335
336 r_l->mapped_count = mapped_count;
337 }
338
339 /***************************************************************************
340 init_reply_lookup_names3
341 ***************************************************************************/
342
343 static void init_reply_lookup_names3(LSA_R_LOOKUP_NAMES3 *r_l,
344 DOM_R_REF *ref, uint32 num_entries,
345 LSA_TRANSLATED_SID3 *trans_sids, uint32 mapped_count)
346 {
347 r_l->ptr_dom_ref = 1;
348 r_l->dom_ref = ref;
349
350 r_l->num_entries = num_entries;
351 r_l->ptr_entries = 1;
352 r_l->num_entries2 = num_entries;
353 r_l->trans_sids = trans_sids;
354
355 r_l->mapped_count = mapped_count;
356 }
357
358 /***************************************************************************
359 init_reply_lookup_names4
360 ***************************************************************************/
361
362 static void init_reply_lookup_names4(LSA_R_LOOKUP_NAMES4 *r_l,
363 DOM_R_REF *ref, uint32 num_entries,
364 LSA_TRANSLATED_SID3 *trans_sids, uint32 mapped_count)
365 {
366 r_l->ptr_dom_ref = 1;
367 r_l->dom_ref = ref;
368
369 r_l->num_entries = num_entries;
370 r_l->ptr_entries = 1;
371 r_l->num_entries2 = num_entries;
372 r_l->trans_sids = trans_sids;
373
374 r_l->mapped_count = mapped_count;
375 }
376
377 /***************************************************************************
378 Init_reply_lookup_sids.
379 ***************************************************************************/
380
381 static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l,
382 DOM_R_REF *ref,
383 LSA_TRANS_NAME_ENUM2 *names,
384 uint32 mapped_count)
385 {
386 r_l->ptr_dom_ref = ref ? 1 : 0;
387 r_l->dom_ref = ref;
388 r_l->names = names;
389 r_l->mapped_count = mapped_count;
390 }
391
392 /***************************************************************************
393 Init_reply_lookup_sids.
394 ***************************************************************************/
395
396 static void init_reply_lookup_sids3(LSA_R_LOOKUP_SIDS3 *r_l,
397 DOM_R_REF *ref,
398 LSA_TRANS_NAME_ENUM2 *names,
399 uint32 mapped_count)
400 {
401 r_l->ptr_dom_ref = ref ? 1 : 0;
402 r_l->dom_ref = ref;
403 r_l->names = names;
404 r_l->mapped_count = mapped_count;
405 }
406
407 /***************************************************************************
408 Init_reply_lookup_sids.
409 ***************************************************************************/
410
411 static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx,
412 LSA_R_LOOKUP_SIDS *r_l,
413 DOM_R_REF *ref,
414 LSA_TRANS_NAME_ENUM2 *names,
415 uint32 mapped_count)
416 {
417 LSA_TRANS_NAME_ENUM *oldnames = TALLOC_ZERO_P(mem_ctx, LSA_TRANS_NAME_ENUM);
418
419 if (!oldnames) {
420 return NT_STATUS_NO_MEMORY;
421 }
422
423 oldnames->num_entries = names->num_entries;
424 oldnames->ptr_trans_names = names->ptr_trans_names;
425 oldnames->num_entries2 = names->num_entries2;
426 oldnames->uni_name = names->uni_name;
427
428 if (names->num_entries) {
429 int i;
430
431 oldnames->name = TALLOC_ARRAY(oldnames, LSA_TRANS_NAME, names->num_entries);
432
433 if (!oldnames->name) {
434 return NT_STATUS_NO_MEMORY;
435 }
436 for (i = 0; i < names->num_entries; i++) {
437 oldnames->name[i].sid_name_use = names->name[i].sid_name_use;
438 oldnames->name[i].hdr_name = names->name[i].hdr_name;
439 oldnames->name[i].domain_idx = names->name[i].domain_idx;
440 }
441 }
442
443 r_l->ptr_dom_ref = ref ? 1 : 0;
444 r_l->dom_ref = ref;
445 r_l->names = oldnames;
446 r_l->mapped_count = mapped_count;
447 return NT_STATUS_OK;
448 }
449
450 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
451 {
452 DOM_SID local_adm_sid;
453 DOM_SID adm_sid;
454
455 SEC_ACE ace[3];
456 SEC_ACCESS mask;
457
458 SEC_ACL *psa = NULL;
459
460 init_sec_access(&mask, POLICY_EXECUTE);
461 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
462
463 sid_copy(&adm_sid, get_global_sam_sid());
464 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
465 init_sec_access(&mask, POLICY_ALL_ACCESS);
466 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
467
468 sid_copy(&local_adm_sid, &global_sid_Builtin);
469 sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
470 init_sec_access(&mask, POLICY_ALL_ACCESS);
471 init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
472
473 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
474 return NT_STATUS_NO_MEMORY;
475
476 if((*sd = make_sec_desc(mem_ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL, psa, sd_size)) == NULL)
477 return NT_STATUS_NO_MEMORY;
478
479 return NT_STATUS_OK;
480 }
481
482 #if 0 /* AD DC work in ongoing in Samba 4 */
483
484 /***************************************************************************
485 Init_dns_dom_info.
486 ***************************************************************************/
487
488 static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
489 const char *dns_name, const char *forest_name,
490 struct uuid *dom_guid, DOM_SID *dom_sid)
491 {
492 if (nb_name && *nb_name) {
493 init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
494 init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
495 r_l->hdr_nb_dom_name.uni_max_len += 2;
496 r_l->uni_nb_dom_name.uni_max_len += 1;
497 }
498
499 if (dns_name && *dns_name) {
500 init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
501 init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
502 r_l->hdr_dns_dom_name.uni_max_len += 2;
503 r_l->uni_dns_dom_name.uni_max_len += 1;
504 }
505
506 if (forest_name && *forest_name) {
507 init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
508 init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
509 r_l->hdr_forest_name.uni_max_len += 2;
510 r_l->uni_forest_name.uni_max_len += 1;
511 }
512
513 /* how do we init the guid ? probably should write an init fn */
514 if (dom_guid) {
515 memcpy(&r_l->dom_guid, dom_guid, sizeof(struct uuid));
516 }
517
518 if (dom_sid) {
519 r_l->ptr_dom_sid = 1;
520 init_dom_sid2(&r_l->dom_sid, dom_sid);
521 }
522 }
523 #endif /* AD DC work in ongoing in Samba 4 */
524
525
526 /***************************************************************************
527 _lsa_open_policy2.
528 ***************************************************************************/
529
530 NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL2 *r_u)
531 {
532 struct lsa_info *info;
533 SEC_DESC *psd = NULL;
534 size_t sd_size;
535 uint32 des_access=q_u->des_access;
536 uint32 acc_granted;
537 NTSTATUS status;
538
539
540 /* map the generic bits to the lsa policy ones */
541 se_map_generic(&des_access, &lsa_generic_mapping);
542
543 /* get the generic lsa policy SD until we store it */
544 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
545
546 if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
547 if (geteuid() != 0) {
548 return status;
549 }
550 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
551 acc_granted, des_access));
552 DEBUGADD(4,("but overwritten by euid == 0\n"));
553 }
554
555 /* This is needed for lsa_open_account and rpcclient .... :-) */
556
557 if (geteuid() == 0)
558 acc_granted = POLICY_ALL_ACCESS;
559
560 /* associate the domain SID with the (unique) handle. */
561 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
562 return NT_STATUS_NO_MEMORY;
563
564 ZERO_STRUCTP(info);
565 sid_copy(&info->sid,get_global_sam_sid());
566 info->access = acc_granted;
567
568 /* set up the LSA QUERY INFO response */
569 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
570 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
571
572 return NT_STATUS_OK;
573 }
574
575 /***************************************************************************
576 _lsa_open_policy
577 ***************************************************************************/
578
579 NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *r_u)
580 {
581 struct lsa_info *info;
582 SEC_DESC *psd = NULL;
583 size_t sd_size;
584 uint32 des_access=q_u->des_access;
585 uint32 acc_granted;
586 NTSTATUS status;
587
588
589 /* map the generic bits to the lsa policy ones */
590 se_map_generic(&des_access, &lsa_generic_mapping);
591
592 /* get the generic lsa policy SD until we store it */
593 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
594
595 if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
596 if (geteuid() != 0) {
597 return status;
598 }
599 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
600 acc_granted, des_access));
601 DEBUGADD(4,("but overwritten by euid == 0\n"));
602 acc_granted = des_access;
603 }
604
605 /* associate the domain SID with the (unique) handle. */
606 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
607 return NT_STATUS_NO_MEMORY;
608
609 ZERO_STRUCTP(info);
610 sid_copy(&info->sid,get_global_sam_sid());
611 info->access = acc_granted;
612
613 /* set up the LSA QUERY INFO response */
614 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
615 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
616
617 return NT_STATUS_OK;
618 }
619
620 /***************************************************************************
621 _lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA.
622 ufff, done :) mimir
623 ***************************************************************************/
624
625 NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u,
626 LSA_R_ENUM_TRUST_DOM *r_u)
627 {
628 struct lsa_info *info;
629 uint32 next_idx;
630 struct trustdom_info **domains;
631
632 /*
633 * preferred length is set to 5 as a "our" preferred length
634 * nt sets this parameter to 2
635 * update (20.08.2002): it's not preferred length, but preferred size!
636 * it needs further investigation how to optimally choose this value
637 */
638 uint32 max_num_domains =
639 q_u->preferred_len < 5 ? q_u->preferred_len : 10;
640 uint32 num_domains;
641 NTSTATUS nt_status;
642 uint32 num_thistime;
643
644 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
645 return NT_STATUS_INVALID_HANDLE;
646
647 /* check if the user have enough rights */
648 if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
649 return NT_STATUS_ACCESS_DENIED;
650
651 nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
652 &domains);
653
654 if (!NT_STATUS_IS_OK(nt_status)) {
655 return nt_status;
656 }
657
658 if (q_u->enum_context < num_domains) {
659 num_thistime = MIN(num_domains, max_num_domains);
660
661 r_u->status = STATUS_MORE_ENTRIES;
662
663 if (q_u->enum_context + num_thistime > num_domains) {
664 num_thistime = num_domains - q_u->enum_context;
665 r_u->status = NT_STATUS_OK;
666 }
667
668 next_idx = q_u->enum_context + num_thistime;
669 } else {
670 num_thistime = 0;
671 next_idx = 0xffffffff;
672 r_u->status = NT_STATUS_NO_MORE_ENTRIES;
673 }
674
675 /* set up the lsa_enum_trust_dom response */
676
677 init_r_enum_trust_dom(p->mem_ctx, r_u, next_idx,
678 num_thistime, domains+q_u->enum_context);
679
680 return r_u->status;
681 }
682
683 /***************************************************************************
684 _lsa_query_info. See the POLICY_INFOMATION_CLASS docs at msdn.
685 ***************************************************************************/
686
687 NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INFO *r_u)
688 {
689 struct lsa_info *handle;
690 LSA_INFO_CTR *ctr = &r_u->ctr;
691 DOM_SID domain_sid;
692 const char *name;
693 DOM_SID *sid = NULL;
694
695 r_u->status = NT_STATUS_OK;
696
697 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
698 return NT_STATUS_INVALID_HANDLE;
699
700 switch (q_u->info_class) {
701 case 0x02:
702 {
703
704 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
705
706 /* check if the user have enough rights */
707 if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION)) {
708 DEBUG(10,("_lsa_query_info: insufficient access rights\n"));
709 return NT_STATUS_ACCESS_DENIED;
710 }
711
712 /* fake info: We audit everything. ;) */
713 ctr->info.id2.ptr = 1;
714 ctr->info.id2.auditing_enabled = True;
715 ctr->info.id2.count1 = ctr->info.id2.count2 = LSA_AUDIT_NUM_CATEGORIES;
716
717 if ((ctr->info.id2.auditsettings = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, LSA_AUDIT_NUM_CATEGORIES)) == NULL)
718 return NT_STATUS_NO_MEMORY;
719
720 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
721 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
722 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
723 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
724 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
725 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
726 ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
727
728 break;
729 }
730 case 0x03:
731 /* check if the user have enough rights */
732 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
733 return NT_STATUS_ACCESS_DENIED;
734
735 /* Request PolicyPrimaryDomainInformation. */
736 switch (lp_server_role()) {
737 case ROLE_DOMAIN_PDC:
738 case ROLE_DOMAIN_BDC:
739 name = get_global_sam_name();
740 sid = get_global_sam_sid();
741 break;
742 case ROLE_DOMAIN_MEMBER:
743 name = lp_workgroup();
744 /* We need to return the Domain SID here. */
745 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid))
746 sid = &domain_sid;
747 else
748 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
749 break;
750 case ROLE_STANDALONE:
751 name = lp_workgroup();
752 sid = NULL;
753 break;
754 default:
755 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
756 }
757 init_dom_query_3(&r_u->ctr.info.id3, name, sid);
758 break;
759 case 0x05:
760 /* check if the user have enough rights */
761 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
762 return NT_STATUS_ACCESS_DENIED;
763
764 /* Request PolicyAccountDomainInformation. */
765 name = get_global_sam_name();
766 sid = get_global_sam_sid();
767 init_dom_query_5(&r_u->ctr.info.id5, name, sid);
768 break;
769 case 0x06:
770 /* check if the user have enough rights */
771 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
772 return NT_STATUS_ACCESS_DENIED;
773
774 switch (lp_server_role()) {
775 case ROLE_DOMAIN_BDC:
776 /*
777 * only a BDC is a backup controller
778 * of the domain, it controls.
779 */
780 ctr->info.id6.server_role = 2;
781 break;
782 default:
783 /*
784 * any other role is a primary
785 * of the domain, it controls.
786 */
787 ctr->info.id6.server_role = 3;
788 break;
789 }
790 break;
791 default:
792 DEBUG(0,("_lsa_query_info: unknown info level in Lsa Query: %d\n", q_u->info_class));
793 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
794 break;
795 }
796
797 if (NT_STATUS_IS_OK(r_u->status)) {
798 r_u->dom_ptr = 0x22000000; /* bizarre */
799 ctr->info_class = q_u->info_class;
800 }
801
802 return r_u->status;
803 }
804
805 /***************************************************************************
806 _lsa_lookup_sids_internal
807 ***************************************************************************/
808
809 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
810 uint16 level, /* input */
811 int num_sids, /* input */
812 const DOM_SID2 *sid, /* input */
813 DOM_R_REF **pp_ref, /* output */
814 LSA_TRANS_NAME_ENUM2 **pp_names, /* output */
815 uint32 *pp_mapped_count)
816 {
817 NTSTATUS status;
818 int i;
819 const DOM_SID **sids = NULL;
820 LSA_TRANS_NAME_ENUM2 *names = NULL;
821 DOM_R_REF *ref = NULL;
822 uint32 mapped_count = 0;
823 struct lsa_dom_info *dom_infos = NULL;
824 struct lsa_name_info *name_infos = NULL;
825
826 *pp_mapped_count = 0;
827 *pp_ref = NULL;
828 *pp_names = NULL;
829
830 names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM2);
831 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
832 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
833
834 if (sids == NULL || names == NULL || ref == NULL) {
835 return NT_STATUS_NO_MEMORY;
836 }
837
838 for (i=0; i<num_sids; i++) {
839 sids[i] = &sid[i].sid;
840 }
841
842 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
843 &dom_infos, &name_infos);
844
845 if (!NT_STATUS_IS_OK(status)) {
846 return status;
847 }
848
849 if (num_sids > 0) {
850 names->name = TALLOC_ARRAY(names, LSA_TRANS_NAME2, num_sids);
851 names->uni_name = TALLOC_ARRAY(names, UNISTR2, num_sids);
852 if ((names->name == NULL) || (names->uni_name == NULL)) {
853 return NT_STATUS_NO_MEMORY;
854 }
855 }
856
857 for (i=0; i<MAX_REF_DOMAINS; i++) {
858
859 if (!dom_infos[i].valid) {
860 break;
861 }
862
863 if (init_dom_ref(ref, dom_infos[i].name,
864 &dom_infos[i].sid) != i) {
865 DEBUG(0, ("Domain %s mentioned twice??\n",
866 dom_infos[i].name));
867 return NT_STATUS_INTERNAL_ERROR;
868 }
869 }
870
871 for (i=0; i<num_sids; i++) {
872 struct lsa_name_info *name = &name_infos[i];
873
874 if (name->type == SID_NAME_UNKNOWN) {
875 name->dom_idx = -1;
876 /* unknown sids should return the string representation of the SID */
877 name->name = talloc_asprintf(p->mem_ctx, "%s",
878 sid_string_static(sids[i]));
879 if (name->name == NULL) {
880 return NT_STATUS_NO_MEMORY;
881 }
882 } else {
883 mapped_count += 1;
884 }
885 init_lsa_trans_name2(&names->name[i], &names->uni_name[i],
886 name->type, name->name, name->dom_idx);
887 }
888
889 names->num_entries = num_sids;
890 names->ptr_trans_names = 1;
891 names->num_entries2 = num_sids;
892
893 status = NT_STATUS_NONE_MAPPED;
894 if (mapped_count > 0) {
895 status = (mapped_count < num_sids) ?
896 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
897 }
898
899 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
900 num_sids, mapped_count, nt_errstr(status)));
901
902 *pp_mapped_count = mapped_count;
903 *pp_ref = ref;
904 *pp_names = names;
905
906 return status;
907 }
908
909 /***************************************************************************
910 _lsa_lookup_sids
911 ***************************************************************************/
912
913 NTSTATUS _lsa_lookup_sids(pipes_struct *p,
914 LSA_Q_LOOKUP_SIDS *q_u,
915 LSA_R_LOOKUP_SIDS *r_u)
916 {
917 struct lsa_info *handle;
918 int num_sids = q_u->sids.num_entries;
919 uint32 mapped_count = 0;
920 DOM_R_REF *ref = NULL;
921 LSA_TRANS_NAME_ENUM2 *names = NULL;
922 NTSTATUS status;
923
924 if ((q_u->level < 1) || (q_u->level > 6)) {
925 return NT_STATUS_INVALID_PARAMETER;
926 }
927
928 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
929 return NT_STATUS_INVALID_HANDLE;
930 }
931
932 /* check if the user has enough rights */
933 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
934 return NT_STATUS_ACCESS_DENIED;
935 }
936
937 if (num_sids > MAX_LOOKUP_SIDS) {
938 DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, requested %d\n",
939 MAX_LOOKUP_SIDS, num_sids));
940 return NT_STATUS_NONE_MAPPED;
941 }
942
943 r_u->status = _lsa_lookup_sids_internal(p,
944 q_u->level,
945 num_sids,
946 q_u->sids.sid,
947 &ref,
948 &names,
949 &mapped_count);
950
951 /* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */
952
953 status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, names, mapped_count);
954 if (!NT_STATUS_IS_OK(status)) {
955 return status;
956 }
957 return r_u->status;
958 }
959
960 /***************************************************************************
961 _lsa_lookup_sids2
962 ***************************************************************************/
963
964 NTSTATUS _lsa_lookup_sids2(pipes_struct *p,
965 LSA_Q_LOOKUP_SIDS2 *q_u,
966 LSA_R_LOOKUP_SIDS2 *r_u)
967 {
968 struct lsa_info *handle;
969 int num_sids = q_u->sids.num_entries;
970 uint32 mapped_count = 0;
971 DOM_R_REF *ref = NULL;
972 LSA_TRANS_NAME_ENUM2 *names = NULL;
973
974 if ((q_u->level < 1) || (q_u->level > 6)) {
975 return NT_STATUS_INVALID_PARAMETER;
976 }
977
978 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
979 return NT_STATUS_INVALID_HANDLE;
980 }
981
982 /* check if the user have enough rights */
983 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
984 return NT_STATUS_ACCESS_DENIED;
985 }
986
987 if (num_sids > MAX_LOOKUP_SIDS) {
988 DEBUG(5,("_lsa_lookup_sids2: limit of %d exceeded, requested %d\n",
989 MAX_LOOKUP_SIDS, num_sids));
990 return NT_STATUS_NONE_MAPPED;
991 }
992
993 r_u->status = _lsa_lookup_sids_internal(p,
994 q_u->level,
995 num_sids,
996 q_u->sids.sid,
997 &ref,
998 &names,
999 &mapped_count);
1000
1001 init_reply_lookup_sids2(r_u, ref, names, mapped_count);
1002 return r_u->status;
1003 }
1004
1005 /***************************************************************************
1006 _lsa_lookup_sida3
1007 ***************************************************************************/
1008
1009 NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
1010 LSA_Q_LOOKUP_SIDS3 *q_u,
1011 LSA_R_LOOKUP_SIDS3 *r_u)
1012 {
1013 int num_sids = q_u->sids.num_entries;
1014 uint32 mapped_count = 0;
1015 DOM_R_REF *ref = NULL;
1016 LSA_TRANS_NAME_ENUM2 *names = NULL;
1017
1018 if ((q_u->level < 1) || (q_u->level > 6)) {
1019 return NT_STATUS_INVALID_PARAMETER;
1020 }
1021
1022 /* No policy handle on this call. Restrict to crypto connections. */
1023 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1024 DEBUG(0,("_lsa_lookup_sids3: client %s not using schannel for netlogon\n",
1025 get_remote_machine_name() ));
1026 return NT_STATUS_INVALID_PARAMETER;
1027 }
1028
1029 if (num_sids > MAX_LOOKUP_SIDS) {
1030 DEBUG(5,("_lsa_lookup_sids3: limit of %d exceeded, requested %d\n",
1031 MAX_LOOKUP_SIDS, num_sids));
1032 return NT_STATUS_NONE_MAPPED;
1033 }
1034
1035 r_u->status = _lsa_lookup_sids_internal(p,
1036 q_u->level,
1037 num_sids,
1038 q_u->sids.sid,
1039 &ref,
1040 &names,
1041 &mapped_count);
1042
1043 init_reply_lookup_sids3(r_u, ref, names, mapped_count);
1044 return r_u->status;
1045 }
1046
1047 /***************************************************************************
1048 lsa_reply_lookup_names
1049 ***************************************************************************/
1050
1051 NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP_NAMES *r_u)
1052 {
1053 struct lsa_info *handle;
1054 UNISTR2 *names = q_u->uni_name;
1055 uint32 num_entries = q_u->num_entries;
1056 DOM_R_REF *ref;
1057 DOM_RID *rids;
1058 uint32 mapped_count = 0;
1059 int flags = 0;
1060
1061 if (num_entries > MAX_LOOKUP_SIDS) {
1062 num_entries = MAX_LOOKUP_SIDS;
1063 DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries));
1064 }
1065
1066 /* Probably the lookup_level is some sort of bitmask. */
1067 if (q_u->lookup_level == 1) {
1068 flags = LOOKUP_NAME_ALL;
1069 }
1070
1071 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
1072 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID, num_entries);
1073
1074 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
1075 r_u->status = NT_STATUS_INVALID_HANDLE;
1076 goto done;
1077 }
1078
1079 /* check if the user have enough rights */
1080 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
1081 r_u->status = NT_STATUS_ACCESS_DENIED;
1082 goto done;
1083 }
1084
1085 if (!ref || !rids)
1086 return NT_STATUS_NO_MEMORY;
1087
1088 /* set up the LSA Lookup RIDs response */
1089 become_root(); /* lookup_name can require root privs */
1090 r_u->status = lookup_lsa_rids(p->mem_ctx, ref, rids, num_entries,
1091 names, flags, &mapped_count);
1092 unbecome_root();
1093
1094 done:
1095
1096 if (NT_STATUS_IS_OK(r_u->status) && (num_entries != 0) ) {
1097 if (mapped_count == 0)
1098 r_u->status = NT_STATUS_NONE_MAPPED;
1099 else if (mapped_count != num_entries)
1100 r_u->status = STATUS_SOME_UNMAPPED;
1101 }
1102
1103 init_reply_lookup_names(r_u, ref, num_entries, rids, mapped_count);
1104 return r_u->status;
1105 }
1106
1107 /***************************************************************************
1108 lsa_reply_lookup_names2
1109 ***************************************************************************/
1110
1111 NTSTATUS _lsa_lookup_names2(pipes_struct *p, LSA_Q_LOOKUP_NAMES2 *q_u, LSA_R_LOOKUP_NAMES2 *r_u)
1112 {
1113 struct lsa_info *handle;
1114 UNISTR2 *names = q_u->uni_name;
1115 uint32 num_entries = q_u->num_entries;
1116 DOM_R_REF *ref;
1117 DOM_RID *rids;
1118 DOM_RID2 *rids2;
1119 int i;
1120 uint32 mapped_count = 0;
1121 int flags = 0;
1122
1123 if (num_entries > MAX_LOOKUP_SIDS) {
1124 num_entries = MAX_LOOKUP_SIDS;
1125 DEBUG(5,("_lsa_lookup_names2: truncating name lookup list to %d\n", num_entries));
1126 }
1127
1128 /* Probably the lookup_level is some sort of bitmask. */
1129 if (q_u->lookup_level == 1) {
1130 flags = LOOKUP_NAME_ALL;
1131 }
1132
1133 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
1134 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID, num_entries);
1135 rids2 = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID2, num_entries);
1136
1137 if ((ref == NULL) || (rids == NULL) || (rids2 == NULL)) {
1138 r_u->status = NT_STATUS_NO_MEMORY;
1139 return NT_STATUS_NO_MEMORY;
1140 }
1141
1142 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
1143 r_u->status = NT_STATUS_INVALID_HANDLE;
1144 goto done;
1145 }
1146
1147 /* check if the user have enough rights */
1148 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
1149 r_u->status = NT_STATUS_ACCESS_DENIED;
1150 goto done;
1151 }
1152
1153 /* set up the LSA Lookup RIDs response */
1154 become_root(); /* lookup_name can require root privs */
1155 r_u->status = lookup_lsa_rids(p->mem_ctx, ref, rids, num_entries,
1156 names, flags, &mapped_count);
1157 unbecome_root();
1158
1159 done:
1160
1161 if (NT_STATUS_IS_OK(r_u->status)) {
1162 if (mapped_count == 0) {
1163 r_u->status = NT_STATUS_NONE_MAPPED;
1164 } else if (mapped_count != num_entries) {
1165 r_u->status = STATUS_SOME_UNMAPPED;
1166 }
1167 }
1168
1169 /* Convert the rids array to rids2. */
1170 for (i = 0; i < num_entries; i++) {
1171 rids2[i].type = rids[i].type;
1172 rids2[i].rid = rids[i].rid;
1173 rids2[i].rid_idx = rids[i].rid_idx;
1174 rids2[i].unknown = 0;
1175 }
1176
1177 init_reply_lookup_names2(r_u, ref, num_entries, rids2, mapped_count);
1178 return r_u->status;
1179 }
1180
1181 /***************************************************************************
1182 lsa_reply_lookup_names3.
1183 ***************************************************************************/
1184
1185 NTSTATUS _lsa_lookup_names3(pipes_struct *p, LSA_Q_LOOKUP_NAMES3 *q_u, LSA_R_LOOKUP_NAMES3 *r_u)
1186 {
1187 struct lsa_info *handle;
1188 UNISTR2 *names = q_u->uni_name;
1189 uint32 num_entries = q_u->num_entries;
1190 DOM_R_REF *ref = NULL;
1191 LSA_TRANSLATED_SID3 *trans_sids = NULL;
1192 uint32 mapped_count = 0;
1193 int flags = 0;
1194
1195 if (num_entries > MAX_LOOKUP_SIDS) {
1196 num_entries = MAX_LOOKUP_SIDS;
1197 DEBUG(5,("_lsa_lookup_names3: truncating name lookup list to %d\n", num_entries));
1198 }
1199
1200 /* Probably the lookup_level is some sort of bitmask. */
1201 if (q_u->lookup_level == 1) {
1202 flags = LOOKUP_NAME_ALL;
1203 }
1204
1205 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
1206 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_TRANSLATED_SID3, num_entries);
1207
1208 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
1209 r_u->status = NT_STATUS_INVALID_HANDLE;
1210 goto done;
1211 }
1212
1213 /* check if the user have enough rights */
1214 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
1215 r_u->status = NT_STATUS_ACCESS_DENIED;
1216 goto done;
1217 }
1218
1219 if (!ref || !trans_sids) {
1220 return NT_STATUS_NO_MEMORY;
1221 }
1222
1223 /* set up the LSA Lookup SIDs response */
1224 become_root(); /* lookup_name can require root privs */
1225 r_u->status = lookup_lsa_sids(p->mem_ctx, ref, trans_sids, num_entries,
1226 names, flags, &mapped_count);
1227 unbecome_root();
1228
1229 done:
1230
1231 if (NT_STATUS_IS_OK(r_u->status)) {
1232 if (mapped_count == 0) {
1233 r_u->status = NT_STATUS_NONE_MAPPED;
1234 } else if (mapped_count != num_entries) {
1235 r_u->status = STATUS_SOME_UNMAPPED;
1236 }
1237 }
1238
1239 init_reply_lookup_names3(r_u, ref, num_entries, trans_sids, mapped_count);
1240 return r_u->status;
1241 }
1242
1243 /***************************************************************************
1244 lsa_reply_lookup_names4.
1245 ***************************************************************************/
1246
1247 NTSTATUS _lsa_lookup_names4(pipes_struct *p, LSA_Q_LOOKUP_NAMES4 *q_u, LSA_R_LOOKUP_NAMES4 *r_u)
1248 {
1249 UNISTR2 *names = q_u->uni_name;
1250 uint32 num_entries = q_u->num_entries;
1251 DOM_R_REF *ref = NULL;
1252 LSA_TRANSLATED_SID3 *trans_sids = NULL;
1253 uint32 mapped_count = 0;
1254 int flags = 0;
1255
1256 if (num_entries > MAX_LOOKUP_SIDS) {
1257 num_entries = MAX_LOOKUP_SIDS;
1258 DEBUG(5,("_lsa_lookup_names4: truncating name lookup list to %d\n", num_entries));
1259 }
1260
1261 /* Probably the lookup_level is some sort of bitmask. */
1262 if (q_u->lookup_level == 1) {
1263 flags = LOOKUP_NAME_ALL;
1264 }
1265
1266 /* No policy handle on this call. Restrict to crypto connections. */
1267 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1268 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1269 get_remote_machine_name() ));
1270 return NT_STATUS_INVALID_PARAMETER;
1271 }
1272
1273 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
1274 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_TRANSLATED_SID3, num_entries);
1275
1276 if (!ref || !trans_sids) {
1277 return NT_STATUS_NO_MEMORY;
1278 }
1279
1280 /* set up the LSA Lookup SIDs response */
1281 become_root(); /* lookup_name can require root privs */
1282 r_u->status = lookup_lsa_sids(p->mem_ctx, ref, trans_sids, num_entries,
1283 names, flags, &mapped_count);
1284 unbecome_root();
1285
1286 if (NT_STATUS_IS_OK(r_u->status)) {
1287 if (mapped_count == 0) {
1288 r_u->status = NT_STATUS_NONE_MAPPED;
1289 } else if (mapped_count != num_entries) {
1290 r_u->status = STATUS_SOME_UNMAPPED;
1291 }
1292 }
1293
1294 init_reply_lookup_names4(r_u, ref, num_entries, trans_sids, mapped_count);
1295 return r_u->status;
1296 }
1297
1298 /***************************************************************************
1299 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1300 ***************************************************************************/
1301
1302 NTSTATUS _lsa_close(pipes_struct *p, LSA_Q_CLOSE *q_u, LSA_R_CLOSE *r_u)
1303 {
1304 if (!find_policy_by_hnd(p, &q_u->pol, NULL)) {
1305 return NT_STATUS_INVALID_HANDLE;
1306 }
1307
1308 close_policy_hnd(p, &q_u->pol);
1309 return NT_STATUS_OK;
1310 }
1311
1312 /***************************************************************************
1313 ***************************************************************************/
1314
1315 NTSTATUS _lsa_open_secret(pipes_struct *p, LSA_Q_OPEN_SECRET *q_u, LSA_R_OPEN_SECRET *r_u)
1316 {
1317 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1318 }
1319
1320 /***************************************************************************
1321 ***************************************************************************/
1322
1323 NTSTATUS _lsa_open_trusted_domain(pipes_struct *p, LSA_Q_OPEN_TRUSTED_DOMAIN *q_u, LSA_R_OPEN_TRUSTED_DOMAIN *r_u)
1324 {
1325 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1326 }
1327
1328 /***************************************************************************
1329 ***************************************************************************/
1330
1331 NTSTATUS _lsa_create_trusted_domain(pipes_struct *p, LSA_Q_CREATE_TRUSTED_DOMAIN *q_u, LSA_R_CREATE_TRUSTED_DOMAIN *r_u)
1332 {
1333 return NT_STATUS_ACCESS_DENIED;
1334 }
1335
1336 /***************************************************************************
1337 ***************************************************************************/
1338
1339 NTSTATUS _lsa_create_secret(pipes_struct *p, LSA_Q_CREATE_SECRET *q_u, LSA_R_CREATE_SECRET *r_u)
1340 {
1341 return NT_STATUS_ACCESS_DENIED;
1342 }
1343
1344 /***************************************************************************
1345 ***************************************************************************/
1346
1347 NTSTATUS _lsa_set_secret(pipes_struct *p, LSA_Q_SET_SECRET *q_u, LSA_R_SET_SECRET *r_u)
1348 {
1349 return NT_STATUS_ACCESS_DENIED;
1350 }
1351
1352 /***************************************************************************
1353 ***************************************************************************/
1354
1355 NTSTATUS _lsa_delete_object(pipes_struct *p, LSA_Q_DELETE_OBJECT *q_u, LSA_R_DELETE_OBJECT *r_u)
1356 {
1357 return NT_STATUS_ACCESS_DENIED;
1358 }
1359
1360 /***************************************************************************
1361 _lsa_enum_privs.
1362 ***************************************************************************/
1363
1364 NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIVS *r_u)
1365 {
1366 struct lsa_info *handle;
1367 uint32 i;
1368 uint32 enum_context = q_u->enum_context;
1369 int num_privs = count_all_privileges();
1370 LSA_PRIV_ENTRY *entries = NULL;
1371 LUID_ATTR luid;
1372
1373 /* remember that the enum_context starts at 0 and not 1 */
1374
1375 if ( enum_context >= num_privs )
1376 return NT_STATUS_NO_MORE_ENTRIES;
1377
1378 DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n",
1379 enum_context, num_privs));
1380
1381 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1382 return NT_STATUS_INVALID_HANDLE;
1383
1384 /* check if the user have enough rights
1385 I don't know if it's the right one. not documented. */
1386
1387 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1388 return NT_STATUS_ACCESS_DENIED;
1389
1390 if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) )
1391 return NT_STATUS_NO_MEMORY;
1392
1393 for (i = 0; i < num_privs; i++) {
1394 if( i < enum_context) {
1395 init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE);
1396 init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
1397
1398 entries[i].luid_low = 0;
1399 entries[i].luid_high = 0;
1400 } else {
1401 init_unistr2(&entries[i].name, privs[i].name, UNI_FLAGS_NONE);
1402 init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
1403
1404 luid = get_privilege_luid( &privs[i].se_priv );
1405
1406 entries[i].luid_low = luid.luid.low;
1407 entries[i].luid_high = luid.luid.high;
1408 }
1409 }
1410
1411 enum_context = num_privs;
1412
1413 init_lsa_r_enum_privs(r_u, enum_context, num_privs, entries);
1414
1415 return NT_STATUS_OK;
1416 }
1417
1418 /***************************************************************************
1419 _lsa_priv_get_dispname.
1420 ***************************************************************************/
1421
1422 NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, LSA_R_PRIV_GET_DISPNAME *r_u)
1423 {
1424 struct lsa_info *handle;
1425 fstring name_asc;
1426 const char *description;
1427
1428 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1429 return NT_STATUS_INVALID_HANDLE;
1430
1431 /* check if the user have enough rights */
1432
1433 /*
1434 * I don't know if it's the right one. not documented.
1435 */
1436 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1437 return NT_STATUS_ACCESS_DENIED;
1438
1439 unistr2_to_ascii(name_asc, &q_u->name, sizeof(name_asc));
1440
1441 DEBUG(10,("_lsa_priv_get_dispname: name = %s\n", name_asc));
1442
1443 description = get_privilege_dispname( name_asc );
1444
1445 if ( description ) {
1446 DEBUG(10,("_lsa_priv_get_dispname: display name = %s\n", description));
1447
1448 init_unistr2(&r_u->desc, description, UNI_FLAGS_NONE);
1449 init_uni_hdr(&r_u->hdr_desc, &r_u->desc);
1450
1451 r_u->ptr_info = 0xdeadbeef;
1452 r_u->lang_id = q_u->lang_id;
1453
1454 return NT_STATUS_OK;
1455 } else {
1456 DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
1457
1458 r_u->ptr_info = 0;
1459
1460 return NT_STATUS_NO_SUCH_PRIVILEGE;
1461 }
1462 }
1463
1464 /***************************************************************************
1465 _lsa_enum_accounts.
1466 ***************************************************************************/
1467
1468 NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENUM_ACCOUNTS *r_u)
1469 {
1470 struct lsa_info *handle;
1471 DOM_SID *sid_list;
1472 int i, j, num_entries;
1473 LSA_SID_ENUM *sids=&r_u->sids;
1474 NTSTATUS ret;
1475
1476 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1477 return NT_STATUS_INVALID_HANDLE;
1478
1479 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1480 return NT_STATUS_ACCESS_DENIED;
1481
1482 sid_list = NULL;
1483 num_entries = 0;
1484
1485 /* The only way we can currently find out all the SIDs that have been
1486 privileged is to scan all privileges */
1487
1488 if (!NT_STATUS_IS_OK(ret = privilege_enumerate_accounts(&sid_list, &num_entries))) {
1489 return ret;
1490 }
1491
1492 if (q_u->enum_context >= num_entries)
1493 return NT_STATUS_NO_MORE_ENTRIES;
1494
1495 sids->ptr_sid = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_entries-q_u->enum_context);
1496 sids->sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_entries-q_u->enum_context);
1497
1498 if (sids->ptr_sid==NULL || sids->sid==NULL) {
1499 SAFE_FREE(sid_list);
1500 return NT_STATUS_NO_MEMORY;
1501 }
1502
1503 for (i = q_u->enum_context, j = 0; i < num_entries; i++, j++) {
1504 init_dom_sid2(&(*sids).sid[j], &sid_list[i]);
1505 (*sids).ptr_sid[j] = 1;
1506 }
1507
1508 SAFE_FREE(sid_list);
1509
1510 init_lsa_r_enum_accounts(r_u, num_entries);
1511
1512 return NT_STATUS_OK;
1513 }
1514
1515
1516 NTSTATUS _lsa_unk_get_connuser(pipes_struct *p, LSA_Q_UNK_GET_CONNUSER *q_u, LSA_R_UNK_GET_CONNUSER *r_u)
1517 {
1518 fstring username, domname;
1519 user_struct *vuser = get_valid_user_struct(p->vuid);
1520
1521 if (vuser == NULL)
1522 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1523
1524 fstrcpy(username, vuser->user.smb_name);
1525 fstrcpy(domname, vuser->user.domain);
1526
1527 r_u->ptr_user_name = 1;
1528 init_unistr2(&r_u->uni2_user_name, username, UNI_STR_TERMINATE);
1529 init_uni_hdr(&r_u->hdr_user_name, &r_u->uni2_user_name);
1530
1531 r_u->unk1 = 1;
1532
1533 r_u->ptr_dom_name = 1;
1534 init_unistr2(&r_u->uni2_dom_name, domname, UNI_STR_TERMINATE);
1535 init_uni_hdr(&r_u->hdr_dom_name, &r_u->uni2_dom_name);
1536
1537 r_u->status = NT_STATUS_OK;
1538
1539 return r_u->status;
1540 }
1541
1542 /***************************************************************************
1543 Lsa Create Account
1544 ***************************************************************************/
1545
1546 NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CREATEACCOUNT *r_u)
1547 {
1548 struct lsa_info *handle;
1549 struct lsa_info *info;
1550
1551 /* find the connection policy handle. */
1552 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1553 return NT_STATUS_INVALID_HANDLE;
1554
1555 /* check if the user have enough rights */
1556
1557 /*
1558 * I don't know if it's the right one. not documented.
1559 * but guessed with rpcclient.
1560 */
1561 if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
1562 return NT_STATUS_ACCESS_DENIED;
1563
1564 /* check to see if the pipe_user is a Domain Admin since
1565 account_pol.tdb was already opened as root, this is all we have */
1566
1567 if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1568 return NT_STATUS_ACCESS_DENIED;
1569
1570 if ( is_privileged_sid( &q_u->sid.sid ) )
1571 return NT_STATUS_OBJECT_NAME_COLLISION;
1572
1573 /* associate the user/group SID with the (unique) handle. */
1574
1575 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1576 return NT_STATUS_NO_MEMORY;
1577
1578 ZERO_STRUCTP(info);
1579 info->sid = q_u->sid.sid;
1580 info->access = q_u->access;
1581
1582 /* get a (unique) handle. open a policy on it. */
1583 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
1584 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1585
1586 return privilege_create_account( &info->sid );
1587 }
1588
1589
1590 /***************************************************************************
1591 Lsa Open Account
1592 ***************************************************************************/
1593
1594 NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENACCOUNT *r_u)
1595 {
1596 struct lsa_info *handle;
1597 struct lsa_info *info;
1598
1599 /* find the connection policy handle. */
1600 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1601 return NT_STATUS_INVALID_HANDLE;
1602
1603 /* check if the user have enough rights */
1604
1605 /*
1606 * I don't know if it's the right one. not documented.
1607 * but guessed with rpcclient.
1608 */
1609 if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
1610 return NT_STATUS_ACCESS_DENIED;
1611
1612 /* TODO: Fis the parsing routine before reenabling this check! */
1613 #if 0
1614 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1615 return NT_STATUS_ACCESS_DENIED;
1616 #endif
1617 /* associate the user/group SID with the (unique) handle. */
1618 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1619 return NT_STATUS_NO_MEMORY;
1620
1621 ZERO_STRUCTP(info);
1622 info->sid = q_u->sid.sid;
1623 info->access = q_u->access;
1624
1625 /* get a (unique) handle. open a policy on it. */
1626 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
1627 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1628
1629 return NT_STATUS_OK;
1630 }
1631
1632 /***************************************************************************
1633 For a given SID, enumerate all the privilege this account has.
1634 ***************************************************************************/
1635
1636 NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, prs_struct *ps, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u)
1637 {
1638 struct lsa_info *info=NULL;
1639 SE_PRIV mask;
1640 PRIVILEGE_SET privileges;
1641
1642 /* find the connection policy handle. */
1643 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1644 return NT_STATUS_INVALID_HANDLE;
1645
1646 if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
1647 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1648
1649 privilege_set_init( &privileges );
1650
1651 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1652
1653 DEBUG(10,("_lsa_enum_privsaccount: %s has %d privileges\n",
1654 sid_string_static(&info->sid), privileges.count));
1655
1656 r_u->status = init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, privileges.set, privileges.count, 0);
1657 }
1658 else
1659 r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE;
1660
1661 privilege_set_free( &privileges );
1662
1663 return r_u->status;
1664 }
1665
1666 /***************************************************************************
1667
1668 ***************************************************************************/
1669
1670 NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA_R_GETSYSTEMACCOUNT *r_u)
1671 {
1672 struct lsa_info *info=NULL;
1673
1674 /* find the connection policy handle. */
1675
1676 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1677 return NT_STATUS_INVALID_HANDLE;
1678
1679 if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
1680 return NT_STATUS_ACCESS_DENIED;
1681
1682 /*
1683 0x01 -> Log on locally
1684 0x02 -> Access this computer from network
1685 0x04 -> Log on as a batch job
1686 0x10 -> Log on as a service
1687
1688 they can be ORed together
1689 */
1690
1691 r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
1692
1693 return NT_STATUS_OK;
1694 }
1695
1696 /***************************************************************************
1697 update the systemaccount information
1698 ***************************************************************************/
1699
1700 NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA_R_SETSYSTEMACCOUNT *r_u)
1701 {
1702 struct lsa_info *info=NULL;
1703 GROUP_MAP map;
1704 r_u->status = NT_STATUS_OK;
1705
1706 /* find the connection policy handle. */
1707 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1708 return NT_STATUS_INVALID_HANDLE;
1709
1710 /* check to see if the pipe_user is a Domain Admin since
1711 account_pol.tdb was already opened as root, this is all we have */
1712
1713 if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1714 return NT_STATUS_ACCESS_DENIED;
1715
1716 if (!pdb_getgrsid(&map, info->sid))
1717 return NT_STATUS_NO_SUCH_GROUP;
1718
1719 return pdb_update_group_mapping_entry(&map);
1720 }
1721
1722 /***************************************************************************
1723 For a given SID, add some privileges.
1724 ***************************************************************************/
1725
1726 NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
1727 {
1728 struct lsa_info *info = NULL;
1729 SE_PRIV mask;
1730 PRIVILEGE_SET *set = NULL;
1731 struct current_user user;
1732
1733 /* find the connection policy handle. */
1734 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1735 return NT_STATUS_INVALID_HANDLE;
1736
1737 /* check to see if the pipe_user is root or a Domain Admin since
1738 account_pol.tdb was already opened as root, this is all we have */
1739
1740 get_current_user( &user, p );
1741 if ( user.ut.uid != sec_initial_uid()
1742 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1743 {
1744 return NT_STATUS_ACCESS_DENIED;
1745 }
1746
1747 set = &q_u->set;
1748
1749 if ( !privilege_set_to_se_priv( &mask, set ) )
1750 return NT_STATUS_NO_SUCH_PRIVILEGE;
1751
1752 if ( !grant_privilege( &info->sid, &mask ) ) {
1753 DEBUG(3,("_lsa_addprivs: grant_privilege(%s) failed!\n",
1754 sid_string_static(&info->sid) ));
1755 DEBUG(3,("Privilege mask:\n"));
1756 dump_se_priv( DBGC_ALL, 3, &mask );
1757 return NT_STATUS_NO_SUCH_PRIVILEGE;
1758 }
1759
1760 return NT_STATUS_OK;
1761 }
1762
1763 /***************************************************************************
1764 For a given SID, remove some privileges.
1765 ***************************************************************************/
1766
1767 NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
1768 {
1769 struct lsa_info *info = NULL;
1770 SE_PRIV mask;
1771 PRIVILEGE_SET *set = NULL;
1772 struct current_user user;
1773
1774 /* find the connection policy handle. */
1775 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1776 return NT_STATUS_INVALID_HANDLE;
1777
1778 /* check to see if the pipe_user is root or a Domain Admin since
1779 account_pol.tdb was already opened as root, this is all we have */
1780
1781 get_current_user( &user, p );
1782 if ( user.ut.uid != sec_initial_uid()
1783 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1784 {
1785 return NT_STATUS_ACCESS_DENIED;
1786 }
1787
1788 set = &q_u->set;
1789
1790 if ( !privilege_set_to_se_priv( &mask, set ) )
1791 return NT_STATUS_NO_SUCH_PRIVILEGE;
1792
1793 if ( !revoke_privilege( &info->sid, &mask ) ) {
1794 DEBUG(3,("_lsa_removeprivs: revoke_privilege(%s) failed!\n",
1795 sid_string_static(&info->sid) ));
1796 DEBUG(3,("Privilege mask:\n"));
1797 dump_se_priv( DBGC_ALL, 3, &mask );
1798 return NT_STATUS_NO_SUCH_PRIVILEGE;
1799 }
1800
1801 return NT_STATUS_OK;
1802 }
1803
1804 /***************************************************************************
1805 For a given SID, remove some privileges.
1806 ***************************************************************************/
1807
1808 NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUERY_SEC_OBJ *r_u)
1809 {
1810 struct lsa_info *handle=NULL;
1811 SEC_DESC *psd = NULL;
1812 size_t sd_size;
1813 NTSTATUS status;
1814
1815 r_u->status = NT_STATUS_OK;
1816
1817 /* find the connection policy handle. */
1818 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1819 return NT_STATUS_INVALID_HANDLE;
1820
1821 /* check if the user have enough rights */
1822 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1823 return NT_STATUS_ACCESS_DENIED;
1824
1825
1826 switch (q_u->sec_info) {
1827 case 1:
1828 /* SD contains only the owner */
1829
1830 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1831 if(!NT_STATUS_IS_OK(status))
1832 return NT_STATUS_NO_MEMORY;
1833
1834
1835 if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1836 return NT_STATUS_NO_MEMORY;
1837 break;
1838 case 4:
1839 /* SD contains only the ACL */
1840
1841 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1842 if(!NT_STATUS_IS_OK(status))
1843 return NT_STATUS_NO_MEMORY;
1844
1845 if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1846 return NT_STATUS_NO_MEMORY;
1847 break;
1848 default:
1849 return NT_STATUS_INVALID_LEVEL;
1850 }
1851
1852 r_u->ptr=1;
1853
1854 return r_u->status;
1855 }
1856
1857 #if 0 /* AD DC work in ongoing in Samba 4 */
1858
1859 /***************************************************************************
1860 ***************************************************************************/
1861
1862 NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
1863 {
1864 struct lsa_info *handle;
1865 const char *nb_name;
1866 char *dns_name = NULL;
1867 char *forest_name = NULL;
1868 DOM_SID *sid = NULL;
1869 struct uuid guid;
1870 fstring dnsdomname;
1871
1872 ZERO_STRUCT(guid);
1873 r_u->status = NT_STATUS_OK;
1874
1875 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1876 return NT_STATUS_INVALID_HANDLE;
1877
1878 switch (q_u->info_class) {
1879 case 0x0c:
1880 /* check if the user have enough rights */
1881 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1882 return NT_STATUS_ACCESS_DENIED;
1883
1884 /* Request PolicyPrimaryDomainInformation. */
1885 switch (lp_server_role()) {
1886 case ROLE_DOMAIN_PDC:
1887 case ROLE_DOMAIN_BDC:
1888 nb_name = get_global_sam_name();
1889 /* ugly temp hack for these next two */
1890
1891 /* This should be a 'netbios domain -> DNS domain' mapping */
1892 dnsdomname[0] = '\0';
1893 get_mydnsdomname(dnsdomname);
1894 strlower_m(dnsdomname);
1895
1896 dns_name = dnsdomname;
1897 forest_name = dnsdomname;
1898
1899 sid = get_global_sam_sid();
1900 secrets_fetch_domain_guid(lp_workgroup(), &guid);
1901 break;
1902 default:
1903 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1904 }
1905 init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name,
1906 forest_name,&guid,sid);
1907 break;
1908 default:
1909 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
1910 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
1911 break;
1912 }
1913
1914 if (NT_STATUS_IS_OK(r_u->status)) {
1915 r_u->ptr = 0x1;
1916 r_u->info_class = q_u->info_class;
1917 }
1918
1919 return r_u->status;
1920 }
1921 #endif /* AD DC work in ongoing in Samba 4 */
1922
1923 /***************************************************************************
1924 ***************************************************************************/
1925
1926 NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u)
1927 {
1928 struct lsa_info *info = NULL;
1929 int i = 0;
1930 DOM_SID sid;
1931 fstring privname;
1932 UNISTR4_ARRAY *uni_privnames = q_u->rights;
1933 struct current_user user;
1934
1935
1936 /* find the connection policy handle. */
1937 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1938 return NT_STATUS_INVALID_HANDLE;
1939
1940 /* check to see if the pipe_user is a Domain Admin since
1941 account_pol.tdb was already opened as root, this is all we have */
1942
1943 get_current_user( &user, p );
1944 if ( user.ut.uid != sec_initial_uid()
1945 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1946 {
1947 return NT_STATUS_ACCESS_DENIED;
1948 }
1949
1950 /* according to an NT4 PDC, you can add privileges to SIDs even without
1951 call_lsa_create_account() first. And you can use any arbitrary SID. */
1952
1953 sid_copy( &sid, &q_u->sid.sid );
1954
1955 /* just a little sanity check */
1956
1957 if ( q_u->count != uni_privnames->count ) {
1958 DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n"));
1959 return NT_STATUS_INVALID_HANDLE;
1960 }
1961
1962 for ( i=0; i<q_u->count; i++ ) {
1963 UNISTR4 *uni4_str = &uni_privnames->strings[i];
1964
1965 /* only try to add non-null strings */
1966
1967 if ( !uni4_str->string )
1968 continue;
1969
1970 rpcstr_pull( privname, uni4_str->string->buffer, sizeof(privname), -1, STR_TERMINATE );
1971
1972 if ( !grant_privilege_by_name( &sid, privname ) ) {
1973 DEBUG(2,("_lsa_add_acct_rights: Failed to add privilege [%s]\n", privname ));
1974 return NT_STATUS_NO_SUCH_PRIVILEGE;
1975 }
1976 }
1977
1978 return NT_STATUS_OK;
1979 }
1980
1981 /***************************************************************************
1982 ***************************************************************************/
1983
1984 NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u)
1985 {
1986 struct lsa_info *info = NULL;
1987 int i = 0;
1988 DOM_SID sid;
1989 fstring privname;
1990 UNISTR4_ARRAY *uni_privnames = q_u->rights;
1991 struct current_user user;
1992
1993
1994 /* find the connection policy handle. */
1995 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1996 return NT_STATUS_INVALID_HANDLE;
1997
1998 /* check to see if the pipe_user is a Domain Admin since
1999 account_pol.tdb was already opened as root, this is all we have */
2000
2001 get_current_user( &user, p );
2002 if ( user.ut.uid != sec_initial_uid()
2003 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
2004 {
2005 return NT_STATUS_ACCESS_DENIED;
2006 }
2007
2008 sid_copy( &sid, &q_u->sid.sid );
2009
2010 if ( q_u->removeall ) {
2011 if ( !revoke_all_privileges( &sid ) )
2012 return NT_STATUS_ACCESS_DENIED;
2013
2014 return NT_STATUS_OK;
2015 }
2016
2017 /* just a little sanity check */
2018
2019 if ( q_u->count != uni_privnames->count ) {
2020 DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n"));
2021 return NT_STATUS_INVALID_HANDLE;
2022 }
2023
2024 for ( i=0; i<q_u->count; i++ ) {
2025 UNISTR4 *uni4_str = &uni_privnames->strings[i];
2026
2027 /* only try to add non-null strings */
2028
2029 if ( !uni4_str->string )
2030 continue;
2031
2032 rpcstr_pull( privname, uni4_str->string->buffer, sizeof(privname), -1, STR_TERMINATE );
2033
2034 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2035 DEBUG(2,("_lsa_remove_acct_rights: Failed to revoke privilege [%s]\n", privname ));
2036 return NT_STATUS_NO_SUCH_PRIVILEGE;
2037 }
2038 }
2039
2040 return NT_STATUS_OK;
2041 }
2042
2043
2044 /***************************************************************************
2045 ***************************************************************************/
2046
2047 NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u)
2048 {
2049 struct lsa_info *info = NULL;
2050 DOM_SID sid;
2051 PRIVILEGE_SET privileges;
2052 SE_PRIV mask;
2053
2054
2055 /* find the connection policy handle. */
2056
2057 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
2058 return NT_STATUS_INVALID_HANDLE;
2059
2060 /* according to an NT4 PDC, you can add privileges to SIDs even without
2061 call_lsa_create_account() first. And you can use any arbitrary SID. */
2062
2063 sid_copy( &sid, &q_u->sid.sid );
2064
2065 if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
2066 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2067
2068 privilege_set_init( &privileges );
2069
2070 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
2071
2072 DEBUG(10,("_lsa_enum_acct_rights: %s has %d privileges\n",
2073 sid_string_static(&sid), privileges.count));
2074
2075 r_u->status = init_r_enum_acct_rights( r_u, &privileges );
2076 }
2077 else
2078 r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE;
2079
2080 privilege_set_free( &privileges );
2081
2082 return r_u->status;
2083 }
2084
2085
2086 /***************************************************************************
2087 ***************************************************************************/
2088
2089 NTSTATUS _lsa_lookup_priv_value(pipes_struct *p, LSA_Q_LOOKUP_PRIV_VALUE *q_u, LSA_R_LOOKUP_PRIV_VALUE *r_u)
2090 {
2091 struct lsa_info *info = NULL;
2092 fstring name;
2093 LUID_ATTR priv_luid;
2094 SE_PRIV mask;
2095
2096 /* find the connection policy handle. */
2097
2098 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
2099 return NT_STATUS_INVALID_HANDLE;
2100
2101 unistr2_to_ascii(name, &q_u->privname.unistring, sizeof(name));
2102
2103 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2104
2105 if ( !se_priv_from_name( name, &mask ) )
2106 return NT_STATUS_NO_SUCH_PRIVILEGE;
2107
2108 priv_luid = get_privilege_luid( &mask );
2109
2110 r_u->luid.low = priv_luid.luid.low;
2111 r_u->luid.high = priv_luid.luid.high;
2112
2113
2114 return NT_STATUS_OK;
2115 }
Tomato firmware and modifications.