2
* Unix SMB/CIFS implementation.
3
* RPC Pipe client / server routines
4
* Copyright (C) Andrew Tridgell 1992-1997,
5
* Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6
* Copyright (C) Paul Ashton 1997,
7
* Copyright (C) Marc Jacobsen 1999,
8
* Copyright (C) Jeremy Allison 2001-2008,
9
* Copyright (C) Jean François Micouleau 1998-2001,
10
* Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11
* Copyright (C) Gerald (Jerry) Carter 2003-2004,
12
* Copyright (C) Simo Sorce 2003.
13
* Copyright (C) Volker Lendecke 2005.
14
* Copyright (C) Guenther Deschner 2008.
16
* This program is free software; you can redistribute it and/or modify
17
* it under the terms of the GNU General Public License as published by
18
* the Free Software Foundation; either version 3 of the License, or
19
* (at your option) any later version.
21
* This program is distributed in the hope that it will be useful,
22
* but WITHOUT ANY WARRANTY; without even the implied warranty of
23
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24
* GNU General Public License for more details.
26
* You should have received a copy of the GNU General Public License
27
* along with this program; if not, see <http://www.gnu.org/licenses/>.
31
* This is the implementation of the SAMR code.
37
#define DBGC_CLASS DBGC_RPC_SRV
39
#define SAMR_USR_RIGHTS_WRITE_PW \
40
( READ_CONTROL_ACCESS | \
41
SAMR_USER_ACCESS_CHANGE_PASSWORD | \
42
SAMR_USER_ACCESS_SET_LOC_COM)
43
#define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44
( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46
#define DISP_INFO_CACHE_TIMEOUT 10
48
#define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
49
#define MAX_SAM_ENTRIES_W95 50
51
typedef struct disp_info {
52
DOM_SID sid; /* identify which domain this is. */
53
bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
54
struct pdb_search *users; /* querydispinfo 1 and 4 */
55
struct pdb_search *machines; /* querydispinfo 2 */
56
struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
57
struct pdb_search *aliases; /* enumaliases */
60
struct pdb_search *enum_users; /* enumusers with a mask */
62
struct timed_event *cache_timeout_event; /* cache idle timeout
66
/* We keep a static list of these by SID as modern clients close down
67
all resources between each request in a complete enumeration. */
70
/* for use by the \PIPE\samr policy */
72
bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
73
uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
78
static const struct generic_mapping sam_generic_mapping = {
79
GENERIC_RIGHTS_SAM_READ,
80
GENERIC_RIGHTS_SAM_WRITE,
81
GENERIC_RIGHTS_SAM_EXECUTE,
82
GENERIC_RIGHTS_SAM_ALL_ACCESS};
83
static const struct generic_mapping dom_generic_mapping = {
84
GENERIC_RIGHTS_DOMAIN_READ,
85
GENERIC_RIGHTS_DOMAIN_WRITE,
86
GENERIC_RIGHTS_DOMAIN_EXECUTE,
87
GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
88
static const struct generic_mapping usr_generic_mapping = {
89
GENERIC_RIGHTS_USER_READ,
90
GENERIC_RIGHTS_USER_WRITE,
91
GENERIC_RIGHTS_USER_EXECUTE,
92
GENERIC_RIGHTS_USER_ALL_ACCESS};
93
static const struct generic_mapping usr_nopwchange_generic_mapping = {
94
GENERIC_RIGHTS_USER_READ,
95
GENERIC_RIGHTS_USER_WRITE,
96
GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
97
GENERIC_RIGHTS_USER_ALL_ACCESS};
98
static const struct generic_mapping grp_generic_mapping = {
99
GENERIC_RIGHTS_GROUP_READ,
100
GENERIC_RIGHTS_GROUP_WRITE,
101
GENERIC_RIGHTS_GROUP_EXECUTE,
102
GENERIC_RIGHTS_GROUP_ALL_ACCESS};
103
static const struct generic_mapping ali_generic_mapping = {
104
GENERIC_RIGHTS_ALIAS_READ,
105
GENERIC_RIGHTS_ALIAS_WRITE,
106
GENERIC_RIGHTS_ALIAS_EXECUTE,
107
GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
109
/*******************************************************************
110
*******************************************************************/
112
static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
113
const struct generic_mapping *map,
114
DOM_SID *sid, uint32 sid_access )
116
DOM_SID domadmin_sid;
117
SEC_ACE ace[5]; /* at most 5 entries */
122
/* basic access for Everyone */
124
init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
125
map->generic_execute | map->generic_read, 0);
127
/* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
129
init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
130
SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
131
init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
132
SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
134
/* Add Full Access for Domain Admins if we are a DC */
137
sid_copy( &domadmin_sid, get_global_sam_sid() );
138
sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
139
init_sec_ace(&ace[i++], &domadmin_sid,
140
SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
143
/* if we have a sid, give it some special access */
146
init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
149
/* create the security descriptor */
151
if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
152
return NT_STATUS_NO_MEMORY;
154
if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
155
SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
156
psa, sd_size)) == NULL)
157
return NT_STATUS_NO_MEMORY;
162
/*******************************************************************
163
Checks if access to an object should be granted, and returns that
164
level of access for further checks.
165
********************************************************************/
167
NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
168
SE_PRIV *rights, uint32 rights_mask,
169
uint32 des_access, uint32 *acc_granted,
172
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
173
uint32 saved_mask = 0;
175
/* check privileges; certain SAM access bits should be overridden
176
by privileges (mostly having to do with creating/modifying/deleting
179
if (rights && !se_priv_equal(rights, &se_priv_none) &&
180
user_has_any_privilege(token, rights)) {
182
saved_mask = (des_access & rights_mask);
183
des_access &= ~saved_mask;
185
DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
190
/* check the security descriptor first */
192
status = se_access_check(psd, token, des_access, acc_granted);
193
if (NT_STATUS_IS_OK(status)) {
197
/* give root a free pass */
199
if ( geteuid() == sec_initial_uid() ) {
201
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
202
DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
204
*acc_granted = des_access;
206
status = NT_STATUS_OK;
212
/* add in any bits saved during the privilege check (only
213
matters is status is ok) */
215
*acc_granted |= rights_mask;
217
DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
218
debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
219
des_access, *acc_granted));
224
/*******************************************************************
225
Checks if access to a function can be granted
226
********************************************************************/
228
static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
230
DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
231
debug, acc_granted, acc_required));
233
/* check the security descriptor first */
235
if ( (acc_granted&acc_required) == acc_required )
238
/* give root a free pass */
240
if (geteuid() == sec_initial_uid()) {
242
DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
243
debug, acc_granted, acc_required));
244
DEBUGADD(4,("but overwritten by euid == 0\n"));
249
DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
250
debug, acc_granted, acc_required));
252
return NT_STATUS_ACCESS_DENIED;
255
/*******************************************************************
256
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
257
********************************************************************/
259
void map_max_allowed_access(const NT_USER_TOKEN *token,
260
uint32_t *pacc_requested)
262
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
265
*pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
267
/* At least try for generic read|execute - Everyone gets that. */
268
*pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
270
/* root gets anything. */
271
if (geteuid() == sec_initial_uid()) {
272
*pacc_requested |= GENERIC_ALL_ACCESS;
276
/* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
278
if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
279
is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
280
*pacc_requested |= GENERIC_ALL_ACCESS;
284
/* Full access for DOMAIN\Domain Admins. */
286
DOM_SID domadmin_sid;
287
sid_copy( &domadmin_sid, get_global_sam_sid() );
288
sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
289
if (is_sid_in_token(token, &domadmin_sid)) {
290
*pacc_requested |= GENERIC_ALL_ACCESS;
294
/* TODO ! Check privileges. */
297
/*******************************************************************
298
Fetch or create a dispinfo struct.
299
********************************************************************/
301
static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
304
* We do a static cache for DISP_INFO's here. Explanation can be found
305
* in Jeremy's checkin message to r11793:
307
* Fix the SAMR cache so it works across completely insane
308
* client behaviour (ie.:
309
* open pipe/open SAMR handle/enumerate 0 - 1024
310
* close SAMR handle, close pipe.
311
* open pipe/open SAMR handle/enumerate 1024 - 2048...
312
* close SAMR handle, close pipe.
313
* And on ad-nausium. Amazing.... probably object-oriented
314
* client side programming in action yet again.
315
* This change should *massively* improve performance when
316
* enumerating users from an LDAP database.
319
* "Our" and the builtin domain are the only ones where we ever
320
* enumerate stuff, so just cache 2 entries.
323
static struct disp_info *builtin_dispinfo;
324
static struct disp_info *domain_dispinfo;
326
/* There are two cases to consider here:
327
1) The SID is a domain SID and we look for an equality match, or
328
2) This is an account SID and so we return the DISP_INFO* for our
335
if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
337
* Necessary only once, but it does not really hurt.
339
if (builtin_dispinfo == NULL) {
340
builtin_dispinfo = talloc_zero(
341
talloc_autofree_context(), struct disp_info);
342
if (builtin_dispinfo == NULL) {
346
sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
347
builtin_dispinfo->builtin_domain = true;
349
return builtin_dispinfo;
352
if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
354
* Necessary only once, but it does not really hurt.
356
if (domain_dispinfo == NULL) {
357
domain_dispinfo = talloc_zero(
358
talloc_autofree_context(), struct disp_info);
359
if (domain_dispinfo == NULL) {
363
sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
364
domain_dispinfo->builtin_domain = false;
366
return domain_dispinfo;
372
/*******************************************************************
373
Create a samr_info struct.
374
********************************************************************/
376
static int samr_info_destructor(struct samr_info *info);
378
static struct samr_info *get_samr_info_by_sid(TALLOC_CTX *mem_ctx,
381
struct samr_info *info;
385
sid_to_fstring(sid_str, psid);
387
fstrcpy(sid_str,"(NULL)");
390
if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL) {
393
talloc_set_destructor(info, samr_info_destructor);
395
DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
397
sid_copy( &info->sid, psid);
398
info->builtin_domain = sid_check_is_builtin(psid);
400
DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
401
info->builtin_domain = False;
404
info->disp_info = get_samr_dispinfo_by_sid(psid);
409
/*******************************************************************
410
Function to free the per SID data.
411
********************************************************************/
413
static void free_samr_cache(DISP_INFO *disp_info)
415
DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
416
sid_string_dbg(&disp_info->sid)));
418
/* We need to become root here because the paged search might have to
419
* tell the LDAP server we're not interested in the rest anymore. */
423
TALLOC_FREE(disp_info->users);
424
TALLOC_FREE(disp_info->machines);
425
TALLOC_FREE(disp_info->groups);
426
TALLOC_FREE(disp_info->aliases);
427
TALLOC_FREE(disp_info->enum_users);
432
static int samr_info_destructor(struct samr_info *info)
434
/* Only free the dispinfo cache if no one bothered to set up
437
if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
438
free_samr_cache(info->disp_info);
443
/*******************************************************************
444
Idle event handler. Throw away the disp info cache.
445
********************************************************************/
447
static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
448
struct timed_event *te,
452
DISP_INFO *disp_info = (DISP_INFO *)private_data;
454
TALLOC_FREE(disp_info->cache_timeout_event);
456
DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
458
free_samr_cache(disp_info);
461
/*******************************************************************
462
Setup cache removal idle event handler.
463
********************************************************************/
465
static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
467
/* Remove any pending timeout and update. */
469
TALLOC_FREE(disp_info->cache_timeout_event);
471
DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
472
"SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
473
(unsigned int)secs_fromnow ));
475
disp_info->cache_timeout_event = event_add_timed(
476
smbd_event_context(), NULL,
477
timeval_current_ofs(secs_fromnow, 0),
478
disp_info_cache_idle_timeout_handler, (void *)disp_info);
481
/*******************************************************************
482
Force flush any cache. We do this on any samr_set_xxx call.
483
We must also remove the timeout handler.
484
********************************************************************/
486
static void force_flush_samr_cache(DISP_INFO *disp_info)
488
if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
492
DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
493
TALLOC_FREE(disp_info->cache_timeout_event);
494
free_samr_cache(disp_info);
497
/*******************************************************************
498
Ensure password info is never given out. Paranioa... JRA.
499
********************************************************************/
501
static void samr_clear_sam_passwd(struct samu *sam_pass)
507
/* These now zero out the old password */
509
pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
510
pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
513
static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
515
struct samr_displayentry *entry;
517
if (info->builtin_domain) {
518
/* No users in builtin. */
522
if (info->users == NULL) {
523
info->users = pdb_search_users(info, acct_flags);
524
if (info->users == NULL) {
528
/* Fetch the last possible entry, thus trigger an enumeration */
529
pdb_search_entries(info->users, 0xffffffff, 1, &entry);
531
/* Ensure we cache this enumeration. */
532
set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
534
return info->users->num_entries;
537
static uint32 count_sam_groups(struct disp_info *info)
539
struct samr_displayentry *entry;
541
if (info->builtin_domain) {
542
/* No groups in builtin. */
546
if (info->groups == NULL) {
547
info->groups = pdb_search_groups(info);
548
if (info->groups == NULL) {
552
/* Fetch the last possible entry, thus trigger an enumeration */
553
pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
555
/* Ensure we cache this enumeration. */
556
set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
558
return info->groups->num_entries;
561
static uint32 count_sam_aliases(struct disp_info *info)
563
struct samr_displayentry *entry;
565
if (info->aliases == NULL) {
566
info->aliases = pdb_search_aliases(info, &info->sid);
567
if (info->aliases == NULL) {
571
/* Fetch the last possible entry, thus trigger an enumeration */
572
pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
574
/* Ensure we cache this enumeration. */
575
set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
577
return info->aliases->num_entries;
580
/*******************************************************************
582
********************************************************************/
584
NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
586
if (!close_policy_hnd(p, r->in.handle)) {
587
return NT_STATUS_INVALID_HANDLE;
590
ZERO_STRUCTP(r->out.handle);
595
/*******************************************************************
597
********************************************************************/
599
NTSTATUS _samr_OpenDomain(pipes_struct *p,
600
struct samr_OpenDomain *r)
602
struct samr_info *info;
603
SEC_DESC *psd = NULL;
605
uint32 des_access = r->in.access_mask;
608
uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
611
/* find the connection policy handle. */
613
if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
614
return NT_STATUS_INVALID_HANDLE;
616
/*check if access can be granted as requested by client. */
617
map_max_allowed_access(p->server_info->ptok, &des_access);
619
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
620
se_map_generic( &des_access, &dom_generic_mapping );
623
* Users with SeMachineAccount or SeAddUser get additional
624
* SAMR_DOMAIN_ACCESS_CREATE_USER access.
626
se_priv_copy( &se_rights, &se_machine_account );
627
se_priv_add( &se_rights, &se_add_users );
630
* Users with SeAddUser get the ability to manipulate groups
633
if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
634
extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
635
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
636
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
637
SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
638
SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
641
status = access_check_object( psd, p->server_info->ptok,
642
&se_rights, extra_access, des_access,
643
&acc_granted, "_samr_OpenDomain" );
645
if ( !NT_STATUS_IS_OK(status) )
648
if (!sid_check_is_domain(r->in.sid) &&
649
!sid_check_is_builtin(r->in.sid)) {
650
return NT_STATUS_NO_SUCH_DOMAIN;
653
/* associate the domain SID with the (unique) handle. */
654
if ((info = get_samr_info_by_sid(p->mem_ctx, r->in.sid))==NULL)
655
return NT_STATUS_NO_MEMORY;
656
info->acc_granted = acc_granted;
658
/* get a (unique) handle. open a policy on it. */
659
if (!create_policy_hnd(p, r->out.domain_handle, info))
660
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
662
DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
667
/*******************************************************************
669
********************************************************************/
671
NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
672
struct samr_GetUserPwInfo *r)
674
struct samr_info *info = NULL;
675
enum lsa_SidType sid_type;
676
uint32_t min_password_length = 0;
677
uint32_t password_properties = 0;
681
DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
683
/* find the policy handle. open a policy on it. */
684
if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
685
return NT_STATUS_INVALID_HANDLE;
688
status = access_check_samr_function(info->acc_granted,
689
SAMR_USER_ACCESS_GET_ATTRIBUTES,
690
"_samr_GetUserPwInfo" );
691
if (!NT_STATUS_IS_OK(status)) {
695
if (!sid_check_is_in_our_domain(&info->sid)) {
696
return NT_STATUS_OBJECT_TYPE_MISMATCH;
700
ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
703
return NT_STATUS_NO_SUCH_USER;
709
pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
710
&min_password_length);
711
pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
712
&password_properties);
715
if (lp_check_password_script() && *lp_check_password_script()) {
716
password_properties |= DOMAIN_PASSWORD_COMPLEX;
724
r->out.info->min_password_length = min_password_length;
725
r->out.info->password_properties = password_properties;
727
DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
732
/*******************************************************************
733
********************************************************************/
735
static bool get_lsa_policy_samr_sid( pipes_struct *p, struct policy_handle *pol,
736
DOM_SID *sid, uint32 *acc_granted,
737
DISP_INFO **ppdisp_info)
739
struct samr_info *info = NULL;
741
/* find the policy handle. open a policy on it. */
742
if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
749
*acc_granted = info->acc_granted;
751
*ppdisp_info = info->disp_info;
757
/*******************************************************************
759
********************************************************************/
761
NTSTATUS _samr_SetSecurity(pipes_struct *p,
762
struct samr_SetSecurity *r)
765
uint32 acc_granted, i;
768
struct samu *sampass=NULL;
771
if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
772
return NT_STATUS_INVALID_HANDLE;
774
if (!(sampass = samu_new( p->mem_ctx))) {
775
DEBUG(0,("No memory!\n"));
776
return NT_STATUS_NO_MEMORY;
779
/* get the user record */
781
ret = pdb_getsampwsid(sampass, &pol_sid);
785
DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
786
TALLOC_FREE(sampass);
787
return NT_STATUS_INVALID_HANDLE;
790
dacl = r->in.sdbuf->sd->dacl;
791
for (i=0; i < dacl->num_aces; i++) {
792
if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
793
ret = pdb_set_pass_can_change(sampass,
794
(dacl->aces[i].access_mask &
795
SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
802
TALLOC_FREE(sampass);
803
return NT_STATUS_ACCESS_DENIED;
806
status = access_check_samr_function(acc_granted,
807
SAMR_USER_ACCESS_SET_ATTRIBUTES,
808
"_samr_SetSecurity");
809
if (NT_STATUS_IS_OK(status)) {
811
status = pdb_update_sam_account(sampass);
815
TALLOC_FREE(sampass);
820
/*******************************************************************
821
build correct perms based on policies and password times for _samr_query_sec_obj
822
*******************************************************************/
823
static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
825
struct samu *sampass=NULL;
828
if ( !(sampass = samu_new( mem_ctx )) ) {
829
DEBUG(0,("No memory!\n"));
834
ret = pdb_getsampwsid(sampass, user_sid);
838
DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
839
TALLOC_FREE(sampass);
843
DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
845
if (pdb_get_pass_can_change(sampass)) {
846
TALLOC_FREE(sampass);
849
TALLOC_FREE(sampass);
854
/*******************************************************************
856
********************************************************************/
858
NTSTATUS _samr_QuerySecurity(pipes_struct *p,
859
struct samr_QuerySecurity *r)
863
SEC_DESC * psd = NULL;
868
if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
869
return NT_STATUS_INVALID_HANDLE;
871
DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
872
sid_string_dbg(&pol_sid)));
874
status = access_check_samr_function(acc_granted,
875
STD_RIGHT_READ_CONTROL_ACCESS,
876
"_samr_QuerySecurity");
877
if (!NT_STATUS_IS_OK(status)) {
881
/* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
883
/* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
884
if (pol_sid.sid_rev_num == 0) {
885
DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
886
status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
887
} else if (sid_equal(&pol_sid,get_global_sam_sid())) {
888
/* check if it is our domain SID */
889
DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
890
"with SID: %s\n", sid_string_dbg(&pol_sid)));
891
status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
892
} else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
893
/* check if it is the Builtin Domain */
894
/* TODO: Builtin probably needs a different SD with restricted write access*/
895
DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
896
"Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
897
status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
898
} else if (sid_check_is_in_our_domain(&pol_sid) ||
899
sid_check_is_in_builtin(&pol_sid)) {
900
/* TODO: different SDs have to be generated for aliases groups and users.
901
Currently all three get a default user SD */
902
DEBUG(10,("_samr_QuerySecurity: querying security on Object "
903
"with SID: %s\n", sid_string_dbg(&pol_sid)));
904
if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
905
status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
906
&pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
908
status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
909
&pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
912
return NT_STATUS_OBJECT_TYPE_MISMATCH;
915
if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
916
return NT_STATUS_NO_MEMORY;
921
/*******************************************************************
922
makes a SAM_ENTRY / UNISTR2* structure from a user list.
923
********************************************************************/
925
static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
926
struct samr_SamEntry **sam_pp,
927
uint32_t num_entries,
929
struct samr_displayentry *entries)
932
struct samr_SamEntry *sam;
936
if (num_entries == 0) {
940
sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
942
DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
943
return NT_STATUS_NO_MEMORY;
946
for (i = 0; i < num_entries; i++) {
949
* usrmgr expects a non-NULL terminated string with
950
* trust relationships
952
if (entries[i].acct_flags & ACB_DOMTRUST) {
953
init_unistr2(&uni_temp_name, entries[i].account_name,
956
init_unistr2(&uni_temp_name, entries[i].account_name,
960
init_lsa_String(&sam[i].name, entries[i].account_name);
961
sam[i].idx = entries[i].rid;
969
#define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
971
/*******************************************************************
972
_samr_EnumDomainUsers
973
********************************************************************/
975
NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
976
struct samr_EnumDomainUsers *r)
979
struct samr_info *info = NULL;
981
uint32 enum_context = *r->in.resume_handle;
982
enum remote_arch_types ra_type = get_remote_arch();
983
int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
984
uint32 max_entries = max_sam_entries;
985
struct samr_displayentry *entries = NULL;
986
struct samr_SamArray *samr_array = NULL;
987
struct samr_SamEntry *samr_entries = NULL;
989
/* find the policy handle. open a policy on it. */
990
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
991
return NT_STATUS_INVALID_HANDLE;
993
status = access_check_samr_function(info->acc_granted,
994
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
995
"_samr_EnumDomainUsers");
996
if (!NT_STATUS_IS_OK(status)) {
1000
DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1002
if (info->builtin_domain) {
1003
/* No users in builtin. */
1004
*r->out.resume_handle = *r->in.resume_handle;
1005
DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
1009
samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1011
return NT_STATUS_NO_MEMORY;
1013
*r->out.sam = samr_array;
1019
if ((info->disp_info->enum_users != NULL) &&
1020
(info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1021
TALLOC_FREE(info->disp_info->enum_users);
1024
if (info->disp_info->enum_users == NULL) {
1025
info->disp_info->enum_users = pdb_search_users(
1026
info->disp_info, r->in.acct_flags);
1027
info->disp_info->enum_acb_mask = r->in.acct_flags;
1030
if (info->disp_info->enum_users == NULL) {
1031
/* END AS ROOT !!!! */
1033
return NT_STATUS_ACCESS_DENIED;
1036
num_account = pdb_search_entries(info->disp_info->enum_users,
1037
enum_context, max_entries,
1040
/* END AS ROOT !!!! */
1044
if (num_account == 0) {
1045
DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1046
"total entries\n"));
1047
*r->out.resume_handle = *r->in.resume_handle;
1048
return NT_STATUS_OK;
1051
status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1052
num_account, enum_context,
1054
if (!NT_STATUS_IS_OK(status)) {
1058
if (max_entries <= num_account) {
1059
status = STATUS_MORE_ENTRIES;
1061
status = NT_STATUS_OK;
1064
/* Ensure we cache this enumeration. */
1065
set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1067
DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1069
samr_array->count = num_account;
1070
samr_array->entries = samr_entries;
1072
*r->out.resume_handle = *r->in.resume_handle + num_account;
1073
*r->out.num_entries = num_account;
1075
DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1080
/*******************************************************************
1081
makes a SAM_ENTRY / UNISTR2* structure from a group list.
1082
********************************************************************/
1084
static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1085
struct samr_SamEntry **sam_pp,
1086
uint32_t num_sam_entries,
1087
struct samr_displayentry *entries)
1089
struct samr_SamEntry *sam;
1094
if (num_sam_entries == 0) {
1098
sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1103
for (i = 0; i < num_sam_entries; i++) {
1105
* JRA. I think this should include the null. TNG does not.
1107
init_lsa_String(&sam[i].name, entries[i].account_name);
1108
sam[i].idx = entries[i].rid;
1114
/*******************************************************************
1115
_samr_EnumDomainGroups
1116
********************************************************************/
1118
NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1119
struct samr_EnumDomainGroups *r)
1122
struct samr_info *info = NULL;
1123
struct samr_displayentry *groups;
1125
struct samr_SamArray *samr_array = NULL;
1126
struct samr_SamEntry *samr_entries = NULL;
1128
/* find the policy handle. open a policy on it. */
1129
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1130
return NT_STATUS_INVALID_HANDLE;
1132
status = access_check_samr_function(info->acc_granted,
1133
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1134
"_samr_EnumDomainGroups");
1135
if (!NT_STATUS_IS_OK(status)) {
1139
DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1141
if (info->builtin_domain) {
1142
/* No groups in builtin. */
1143
*r->out.resume_handle = *r->in.resume_handle;
1144
DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1148
samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1150
return NT_STATUS_NO_MEMORY;
1153
/* the domain group array is being allocated in the function below */
1157
if (info->disp_info->groups == NULL) {
1158
info->disp_info->groups = pdb_search_groups(info->disp_info);
1160
if (info->disp_info->groups == NULL) {
1162
return NT_STATUS_ACCESS_DENIED;
1166
num_groups = pdb_search_entries(info->disp_info->groups,
1167
*r->in.resume_handle,
1168
MAX_SAM_ENTRIES, &groups);
1171
/* Ensure we cache this enumeration. */
1172
set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1174
make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1175
num_groups, groups);
1177
if (MAX_SAM_ENTRIES <= num_groups) {
1178
status = STATUS_MORE_ENTRIES;
1180
status = NT_STATUS_OK;
1183
samr_array->count = num_groups;
1184
samr_array->entries = samr_entries;
1186
*r->out.sam = samr_array;
1187
*r->out.num_entries = num_groups;
1188
*r->out.resume_handle = num_groups + *r->in.resume_handle;
1190
DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1195
/*******************************************************************
1196
_samr_EnumDomainAliases
1197
********************************************************************/
1199
NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1200
struct samr_EnumDomainAliases *r)
1203
struct samr_info *info;
1204
struct samr_displayentry *aliases;
1205
uint32 num_aliases = 0;
1206
struct samr_SamArray *samr_array = NULL;
1207
struct samr_SamEntry *samr_entries = NULL;
1209
/* find the policy handle. open a policy on it. */
1210
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1211
return NT_STATUS_INVALID_HANDLE;
1213
DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1214
sid_string_dbg(&info->sid)));
1216
status = access_check_samr_function(info->acc_granted,
1217
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1218
"_samr_EnumDomainAliases");
1219
if (!NT_STATUS_IS_OK(status)) {
1223
samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1225
return NT_STATUS_NO_MEMORY;
1230
if (info->disp_info->aliases == NULL) {
1231
info->disp_info->aliases = pdb_search_aliases(
1232
info->disp_info, &info->sid);
1233
if (info->disp_info->aliases == NULL) {
1235
return NT_STATUS_ACCESS_DENIED;
1239
num_aliases = pdb_search_entries(info->disp_info->aliases,
1240
*r->in.resume_handle,
1241
MAX_SAM_ENTRIES, &aliases);
1244
/* Ensure we cache this enumeration. */
1245
set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1247
make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1248
num_aliases, aliases);
1250
DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1252
if (MAX_SAM_ENTRIES <= num_aliases) {
1253
status = STATUS_MORE_ENTRIES;
1255
status = NT_STATUS_OK;
1258
samr_array->count = num_aliases;
1259
samr_array->entries = samr_entries;
1261
*r->out.sam = samr_array;
1262
*r->out.num_entries = num_aliases;
1263
*r->out.resume_handle = num_aliases + *r->in.resume_handle;
1268
/*******************************************************************
1269
inits a samr_DispInfoGeneral structure.
1270
********************************************************************/
1272
static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1273
struct samr_DispInfoGeneral *r,
1274
uint32_t num_entries,
1276
struct samr_displayentry *entries)
1280
DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1282
if (num_entries == 0) {
1283
return NT_STATUS_OK;
1286
r->count = num_entries;
1288
r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1290
return NT_STATUS_NO_MEMORY;
1293
for (i = 0; i < num_entries ; i++) {
1295
init_lsa_String(&r->entries[i].account_name,
1296
entries[i].account_name);
1298
init_lsa_String(&r->entries[i].description,
1299
entries[i].description);
1301
init_lsa_String(&r->entries[i].full_name,
1302
entries[i].fullname);
1304
r->entries[i].rid = entries[i].rid;
1305
r->entries[i].acct_flags = entries[i].acct_flags;
1306
r->entries[i].idx = start_idx+i+1;
1309
return NT_STATUS_OK;
1312
/*******************************************************************
1313
inits a samr_DispInfoFull structure.
1314
********************************************************************/
1316
static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1317
struct samr_DispInfoFull *r,
1318
uint32_t num_entries,
1320
struct samr_displayentry *entries)
1324
DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1326
if (num_entries == 0) {
1327
return NT_STATUS_OK;
1330
r->count = num_entries;
1332
r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1334
return NT_STATUS_NO_MEMORY;
1337
for (i = 0; i < num_entries ; i++) {
1339
init_lsa_String(&r->entries[i].account_name,
1340
entries[i].account_name);
1342
init_lsa_String(&r->entries[i].description,
1343
entries[i].description);
1345
r->entries[i].rid = entries[i].rid;
1346
r->entries[i].acct_flags = entries[i].acct_flags;
1347
r->entries[i].idx = start_idx+i+1;
1350
return NT_STATUS_OK;
1353
/*******************************************************************
1354
inits a samr_DispInfoFullGroups structure.
1355
********************************************************************/
1357
static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1358
struct samr_DispInfoFullGroups *r,
1359
uint32_t num_entries,
1361
struct samr_displayentry *entries)
1365
DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1367
if (num_entries == 0) {
1368
return NT_STATUS_OK;
1371
r->count = num_entries;
1373
r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1375
return NT_STATUS_NO_MEMORY;
1378
for (i = 0; i < num_entries ; i++) {
1380
init_lsa_String(&r->entries[i].account_name,
1381
entries[i].account_name);
1383
init_lsa_String(&r->entries[i].description,
1384
entries[i].description);
1386
r->entries[i].rid = entries[i].rid;
1387
r->entries[i].acct_flags = entries[i].acct_flags;
1388
r->entries[i].idx = start_idx+i+1;
1391
return NT_STATUS_OK;
1394
/*******************************************************************
1395
inits a samr_DispInfoAscii structure.
1396
********************************************************************/
1398
static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1399
struct samr_DispInfoAscii *r,
1400
uint32_t num_entries,
1402
struct samr_displayentry *entries)
1406
DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1408
if (num_entries == 0) {
1409
return NT_STATUS_OK;
1412
r->count = num_entries;
1414
r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1416
return NT_STATUS_NO_MEMORY;
1419
for (i = 0; i < num_entries ; i++) {
1421
init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1422
entries[i].account_name);
1424
r->entries[i].idx = start_idx+i+1;
1427
return NT_STATUS_OK;
1430
/*******************************************************************
1431
inits a samr_DispInfoAscii structure.
1432
********************************************************************/
1434
static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1435
struct samr_DispInfoAscii *r,
1436
uint32_t num_entries,
1438
struct samr_displayentry *entries)
1442
DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1444
if (num_entries == 0) {
1445
return NT_STATUS_OK;
1448
r->count = num_entries;
1450
r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1452
return NT_STATUS_NO_MEMORY;
1455
for (i = 0; i < num_entries ; i++) {
1457
init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1458
entries[i].account_name);
1460
r->entries[i].idx = start_idx+i+1;
1463
return NT_STATUS_OK;
1466
/*******************************************************************
1467
_samr_QueryDisplayInfo
1468
********************************************************************/
1470
NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1471
struct samr_QueryDisplayInfo *r)
1474
struct samr_info *info = NULL;
1475
uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1477
uint32 max_entries = r->in.max_entries;
1478
uint32 enum_context = r->in.start_idx;
1479
uint32 max_size = r->in.buf_size;
1481
union samr_DispInfo *disp_info = r->out.info;
1483
uint32 temp_size=0, total_data_size=0;
1484
NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1485
uint32 num_account = 0;
1486
enum remote_arch_types ra_type = get_remote_arch();
1487
int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1488
struct samr_displayentry *entries = NULL;
1490
DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1492
/* find the policy handle. open a policy on it. */
1493
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1494
return NT_STATUS_INVALID_HANDLE;
1496
if (info->builtin_domain) {
1497
DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
1498
return NT_STATUS_OK;
1501
status = access_check_samr_function(info->acc_granted,
1502
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1503
"_samr_QueryDisplayInfo");
1504
if (!NT_STATUS_IS_OK(status)) {
1509
* calculate how many entries we will return.
1511
* - the number of entries the client asked
1512
* - our limit on that
1513
* - the starting point (enumeration context)
1514
* - the buffer size the client will accept
1518
* We are a lot more like W2K. Instead of reading the SAM
1519
* each time to find the records we need to send back,
1520
* we read it once and link that copy to the sam handle.
1521
* For large user list (over the MAX_SAM_ENTRIES)
1522
* it's a definitive win.
1523
* second point to notice: between enumerations
1524
* our sam is now the same as it's a snapshoot.
1525
* third point: got rid of the static SAM_USER_21 struct
1526
* no more intermediate.
1527
* con: it uses much more memory, as a full copy is stored
1530
* If you want to change it, think twice and think
1531
* of the second point , that's really important.
1536
if ((r->in.level < 1) || (r->in.level > 5)) {
1537
DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1538
(unsigned int)r->in.level ));
1539
return NT_STATUS_INVALID_INFO_CLASS;
1542
/* first limit the number of entries we will return */
1543
if(max_entries > max_sam_entries) {
1544
DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1545
"entries, limiting to %d\n", max_entries,
1547
max_entries = max_sam_entries;
1550
/* calculate the size and limit on the number of entries we will
1553
temp_size=max_entries*struct_size;
1555
if (temp_size>max_size) {
1556
max_entries=MIN((max_size/struct_size),max_entries);;
1557
DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1558
"only %d entries\n", max_entries));
1563
/* THe following done as ROOT. Don't return without unbecome_root(). */
1565
switch (r->in.level) {
1568
if (info->disp_info->users == NULL) {
1569
info->disp_info->users = pdb_search_users(
1570
info->disp_info, ACB_NORMAL);
1571
if (info->disp_info->users == NULL) {
1573
return NT_STATUS_ACCESS_DENIED;
1575
DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1576
(unsigned int)enum_context ));
1578
DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1579
(unsigned int)enum_context ));
1582
num_account = pdb_search_entries(info->disp_info->users,
1583
enum_context, max_entries,
1587
if (info->disp_info->machines == NULL) {
1588
info->disp_info->machines = pdb_search_users(
1589
info->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1590
if (info->disp_info->machines == NULL) {
1592
return NT_STATUS_ACCESS_DENIED;
1594
DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1595
(unsigned int)enum_context ));
1597
DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1598
(unsigned int)enum_context ));
1601
num_account = pdb_search_entries(info->disp_info->machines,
1602
enum_context, max_entries,
1607
if (info->disp_info->groups == NULL) {
1608
info->disp_info->groups = pdb_search_groups(
1610
if (info->disp_info->groups == NULL) {
1612
return NT_STATUS_ACCESS_DENIED;
1614
DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1615
(unsigned int)enum_context ));
1617
DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1618
(unsigned int)enum_context ));
1621
num_account = pdb_search_entries(info->disp_info->groups,
1622
enum_context, max_entries,
1627
smb_panic("info class changed");
1633
/* Now create reply structure */
1634
switch (r->in.level) {
1636
disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1637
num_account, enum_context,
1641
disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1642
num_account, enum_context,
1646
disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1647
num_account, enum_context,
1651
disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1652
num_account, enum_context,
1656
disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1657
num_account, enum_context,
1661
smb_panic("info class changed");
1665
if (!NT_STATUS_IS_OK(disp_ret))
1668
/* calculate the total size */
1669
total_data_size=num_account*struct_size;
1671
if (max_entries <= num_account) {
1672
status = STATUS_MORE_ENTRIES;
1674
status = NT_STATUS_OK;
1677
/* Ensure we cache this enumeration. */
1678
set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1680
DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1682
*r->out.total_size = total_data_size;
1683
*r->out.returned_size = temp_size;
1688
/****************************************************************
1689
_samr_QueryDisplayInfo2
1690
****************************************************************/
1692
NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1693
struct samr_QueryDisplayInfo2 *r)
1695
struct samr_QueryDisplayInfo q;
1697
q.in.domain_handle = r->in.domain_handle;
1698
q.in.level = r->in.level;
1699
q.in.start_idx = r->in.start_idx;
1700
q.in.max_entries = r->in.max_entries;
1701
q.in.buf_size = r->in.buf_size;
1703
q.out.total_size = r->out.total_size;
1704
q.out.returned_size = r->out.returned_size;
1705
q.out.info = r->out.info;
1707
return _samr_QueryDisplayInfo(p, &q);
1710
/****************************************************************
1711
_samr_QueryDisplayInfo3
1712
****************************************************************/
1714
NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1715
struct samr_QueryDisplayInfo3 *r)
1717
struct samr_QueryDisplayInfo q;
1719
q.in.domain_handle = r->in.domain_handle;
1720
q.in.level = r->in.level;
1721
q.in.start_idx = r->in.start_idx;
1722
q.in.max_entries = r->in.max_entries;
1723
q.in.buf_size = r->in.buf_size;
1725
q.out.total_size = r->out.total_size;
1726
q.out.returned_size = r->out.returned_size;
1727
q.out.info = r->out.info;
1729
return _samr_QueryDisplayInfo(p, &q);
1732
/*******************************************************************
1733
_samr_QueryAliasInfo
1734
********************************************************************/
1736
NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1737
struct samr_QueryAliasInfo *r)
1740
struct acct_info info;
1743
union samr_AliasInfo *alias_info = NULL;
1744
const char *alias_name = NULL;
1745
const char *alias_description = NULL;
1747
DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1749
alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1751
return NT_STATUS_NO_MEMORY;
1754
/* find the policy handle. open a policy on it. */
1755
if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1756
return NT_STATUS_INVALID_HANDLE;
1758
status = access_check_samr_function(acc_granted,
1759
SAMR_ALIAS_ACCESS_LOOKUP_INFO,
1760
"_samr_QueryAliasInfo");
1761
if (!NT_STATUS_IS_OK(status)) {
1766
status = pdb_get_aliasinfo(&sid, &info);
1769
if ( !NT_STATUS_IS_OK(status))
1772
/* FIXME: info contains fstrings */
1773
alias_name = talloc_strdup(r, info.acct_name);
1774
alias_description = talloc_strdup(r, info.acct_desc);
1776
switch (r->in.level) {
1778
alias_info->all.name.string = alias_name;
1779
alias_info->all.num_members = 1; /* ??? */
1780
alias_info->all.description.string = alias_description;
1783
alias_info->name.string = alias_name;
1785
case ALIASINFODESCRIPTION:
1786
alias_info->description.string = alias_description;
1789
return NT_STATUS_INVALID_INFO_CLASS;
1792
*r->out.info = alias_info;
1794
DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1796
return NT_STATUS_OK;
1799
/*******************************************************************
1801
********************************************************************/
1803
NTSTATUS _samr_LookupNames(pipes_struct *p,
1804
struct samr_LookupNames *r)
1808
enum lsa_SidType *type;
1810
int num_rids = r->in.num_names;
1813
struct samr_Ids rids, types;
1814
uint32_t num_mapped = 0;
1816
DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1818
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1819
return NT_STATUS_OBJECT_TYPE_MISMATCH;
1822
status = access_check_samr_function(acc_granted,
1823
0, /* Don't know the acc_bits yet */
1824
"_samr_LookupNames");
1825
if (!NT_STATUS_IS_OK(status)) {
1829
if (num_rids > MAX_SAM_ENTRIES) {
1830
num_rids = MAX_SAM_ENTRIES;
1831
DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1834
rid = talloc_array(p->mem_ctx, uint32, num_rids);
1835
NT_STATUS_HAVE_NO_MEMORY(rid);
1837
type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1838
NT_STATUS_HAVE_NO_MEMORY(type);
1840
DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1841
sid_string_dbg(&pol_sid)));
1843
for (i = 0; i < num_rids; i++) {
1845
status = NT_STATUS_NONE_MAPPED;
1846
type[i] = SID_NAME_UNKNOWN;
1848
rid[i] = 0xffffffff;
1850
if (sid_check_is_builtin(&pol_sid)) {
1851
if (lookup_builtin_name(r->in.names[i].string,
1854
type[i] = SID_NAME_ALIAS;
1857
lookup_global_sam_name(r->in.names[i].string, 0,
1861
if (type[i] != SID_NAME_UNKNOWN) {
1866
if (num_mapped == num_rids) {
1867
status = NT_STATUS_OK;
1868
} else if (num_mapped == 0) {
1869
status = NT_STATUS_NONE_MAPPED;
1871
status = STATUS_SOME_UNMAPPED;
1874
rids.count = num_rids;
1877
types.count = num_rids;
1880
*r->out.rids = rids;
1881
*r->out.types = types;
1883
DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1888
/****************************************************************
1889
_samr_ChangePasswordUser
1890
****************************************************************/
1892
NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
1893
struct samr_ChangePasswordUser *r)
1898
struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
1899
struct samr_Password lm_pwd, nt_pwd;
1900
uint32_t acc_granted;
1903
DISP_INFO *disp_info = NULL;
1905
if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, &disp_info)) {
1906
return NT_STATUS_INVALID_HANDLE;
1909
status = access_check_samr_function(acc_granted,
1910
SAMR_USER_ACCESS_SET_PASSWORD,
1911
"_samr_ChangePasswordUser");
1912
if (!NT_STATUS_IS_OK(status)) {
1916
DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1917
sid_string_dbg(&sid)));
1919
if (!(pwd = samu_new(NULL))) {
1920
return NT_STATUS_NO_MEMORY;
1924
ret = pdb_getsampwsid(pwd, &sid);
1929
return NT_STATUS_WRONG_PASSWORD;
1933
const uint8_t *lm_pass, *nt_pass;
1935
lm_pass = pdb_get_lanman_passwd(pwd);
1936
nt_pass = pdb_get_nt_passwd(pwd);
1938
if (!lm_pass || !nt_pass) {
1939
status = NT_STATUS_WRONG_PASSWORD;
1943
memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
1944
memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
1947
/* basic sanity checking on parameters. Do this before any database ops */
1948
if (!r->in.lm_present || !r->in.nt_present ||
1949
!r->in.old_lm_crypted || !r->in.new_lm_crypted ||
1950
!r->in.old_nt_crypted || !r->in.new_nt_crypted) {
1951
/* we should really handle a change with lm not
1953
status = NT_STATUS_INVALID_PARAMETER_MIX;
1957
/* decrypt and check the new lm hash */
1958
D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
1959
D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
1960
if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
1961
status = NT_STATUS_WRONG_PASSWORD;
1965
/* decrypt and check the new nt hash */
1966
D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
1967
D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
1968
if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
1969
status = NT_STATUS_WRONG_PASSWORD;
1973
/* The NT Cross is not required by Win2k3 R2, but if present
1974
check the nt cross hash */
1975
if (r->in.cross1_present && r->in.nt_cross) {
1976
D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
1977
if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
1978
status = NT_STATUS_WRONG_PASSWORD;
1983
/* The LM Cross is not required by Win2k3 R2, but if present
1984
check the lm cross hash */
1985
if (r->in.cross2_present && r->in.lm_cross) {
1986
D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
1987
if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
1988
status = NT_STATUS_WRONG_PASSWORD;
1993
if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
1994
!pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
1995
status = NT_STATUS_ACCESS_DENIED;
1999
status = pdb_update_sam_account(pwd);
2006
/*******************************************************************
2007
_samr_ChangePasswordUser2
2008
********************************************************************/
2010
NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
2011
struct samr_ChangePasswordUser2 *r)
2017
DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
2019
fstrcpy(user_name, r->in.account->string);
2020
fstrcpy(wks, r->in.server->string);
2022
DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
2025
* Pass the user through the NT -> unix user mapping
2029
(void)map_username(user_name);
2032
* UNIX username case mangling not required, pass_oem_change
2033
* is case insensitive.
2036
status = pass_oem_change(user_name,
2037
r->in.lm_password->data,
2038
r->in.lm_verifier->hash,
2039
r->in.nt_password->data,
2040
r->in.nt_verifier->hash,
2043
DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
2045
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2046
return NT_STATUS_WRONG_PASSWORD;
2052
/****************************************************************
2053
_samr_OemChangePasswordUser2
2054
****************************************************************/
2056
NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
2057
struct samr_OemChangePasswordUser2 *r)
2061
const char *wks = NULL;
2063
DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
2065
fstrcpy(user_name, r->in.account->string);
2066
if (r->in.server && r->in.server->string) {
2067
wks = r->in.server->string;
2070
DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
2073
* Pass the user through the NT -> unix user mapping
2077
(void)map_username(user_name);
2080
* UNIX username case mangling not required, pass_oem_change
2081
* is case insensitive.
2084
if (!r->in.hash || !r->in.password) {
2085
return NT_STATUS_INVALID_PARAMETER;
2088
status = pass_oem_change(user_name,
2089
r->in.password->data,
2095
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2096
return NT_STATUS_WRONG_PASSWORD;
2099
DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
2104
/*******************************************************************
2105
_samr_ChangePasswordUser3
2106
********************************************************************/
2108
NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
2109
struct samr_ChangePasswordUser3 *r)
2113
const char *wks = NULL;
2114
uint32 reject_reason;
2115
struct samr_DomInfo1 *dominfo = NULL;
2116
struct samr_ChangeReject *reject = NULL;
2119
DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2121
fstrcpy(user_name, r->in.account->string);
2122
if (r->in.server && r->in.server->string) {
2123
wks = r->in.server->string;
2126
DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
2129
* Pass the user through the NT -> unix user mapping
2133
(void)map_username(user_name);
2136
* UNIX username case mangling not required, pass_oem_change
2137
* is case insensitive.
2140
status = pass_oem_change(user_name,
2141
r->in.lm_password->data,
2142
r->in.lm_verifier->hash,
2143
r->in.nt_password->data,
2144
r->in.nt_verifier->hash,
2146
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2147
return NT_STATUS_WRONG_PASSWORD;
2150
if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
2151
NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
2153
time_t u_expire, u_min_age;
2154
uint32 account_policy_temp;
2156
dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
2158
return NT_STATUS_NO_MEMORY;
2161
reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
2163
return NT_STATUS_NO_MEMORY;
2170
pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
2171
dominfo->min_password_length = tmp;
2173
pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
2174
dominfo->password_history_length = tmp;
2176
pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
2177
&dominfo->password_properties);
2179
pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2180
u_expire = account_policy_temp;
2182
pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2183
u_min_age = account_policy_temp;
2189
unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
2190
unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
2192
if (lp_check_password_script() && *lp_check_password_script()) {
2193
dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
2196
reject->reason = reject_reason;
2198
*r->out.dominfo = dominfo;
2199
*r->out.reject = reject;
2202
DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2207
/*******************************************************************
2208
makes a SAMR_R_LOOKUP_RIDS structure.
2209
********************************************************************/
2211
static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2213
struct lsa_String **lsa_name_array_p)
2215
struct lsa_String *lsa_name_array = NULL;
2218
*lsa_name_array_p = NULL;
2220
if (num_names != 0) {
2221
lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2222
if (!lsa_name_array) {
2227
for (i = 0; i < num_names; i++) {
2228
DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2229
init_lsa_String(&lsa_name_array[i], names[i]);
2232
*lsa_name_array_p = lsa_name_array;
2237
/*******************************************************************
2239
********************************************************************/
2241
NTSTATUS _samr_LookupRids(pipes_struct *p,
2242
struct samr_LookupRids *r)
2246
enum lsa_SidType *attrs = NULL;
2247
uint32 *wire_attrs = NULL;
2249
int num_rids = (int)r->in.num_rids;
2252
struct lsa_Strings names_array;
2253
struct samr_Ids types_array;
2254
struct lsa_String *lsa_names = NULL;
2256
DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2258
/* find the policy handle. open a policy on it. */
2259
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2260
return NT_STATUS_INVALID_HANDLE;
2262
status = access_check_samr_function(acc_granted,
2263
0, /* Don't know the acc_bits yet */
2264
"_samr_LookupRids");
2265
if (!NT_STATUS_IS_OK(status)) {
2269
if (num_rids > 1000) {
2270
DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2271
"to samba4 idl this is not possible\n", num_rids));
2272
return NT_STATUS_UNSUCCESSFUL;
2276
names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2277
attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2278
wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2280
if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2281
return NT_STATUS_NO_MEMORY;
2288
become_root(); /* lookup_sid can require root privs */
2289
status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2293
if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2294
status = NT_STATUS_OK;
2297
if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2299
return NT_STATUS_NO_MEMORY;
2302
/* Convert from enum lsa_SidType to uint32 for wire format. */
2303
for (i = 0; i < num_rids; i++) {
2304
wire_attrs[i] = (uint32)attrs[i];
2307
names_array.count = num_rids;
2308
names_array.names = lsa_names;
2310
types_array.count = num_rids;
2311
types_array.ids = wire_attrs;
2313
*r->out.names = names_array;
2314
*r->out.types = types_array;
2316
DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2321
/*******************************************************************
2323
********************************************************************/
2325
NTSTATUS _samr_OpenUser(pipes_struct *p,
2326
struct samr_OpenUser *r)
2328
struct samu *sampass=NULL;
2330
struct samr_info *info = NULL;
2331
SEC_DESC *psd = NULL;
2333
uint32 des_access = r->in.access_mask;
2334
uint32_t extra_access = 0;
2340
/* find the domain policy handle and get domain SID / access bits in the domain policy. */
2342
if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
2343
return NT_STATUS_INVALID_HANDLE;
2345
nt_status = access_check_samr_function(acc_granted,
2346
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
2349
if ( !NT_STATUS_IS_OK(nt_status) )
2352
if ( !(sampass = samu_new( p->mem_ctx )) ) {
2353
return NT_STATUS_NO_MEMORY;
2356
/* append the user's RID to it */
2358
if (!sid_append_rid(&sid, r->in.rid))
2359
return NT_STATUS_NO_SUCH_USER;
2361
/* check if access can be granted as requested by client. */
2363
map_max_allowed_access(p->server_info->ptok, &des_access);
2365
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2366
se_map_generic(&des_access, &usr_generic_mapping);
2369
* Get the sampass first as we need to check privilages
2370
* based on what kind of user object this is.
2371
* But don't reveal info too early if it didn't exist.
2375
ret=pdb_getsampwsid(sampass, &sid);
2378
se_priv_copy(&se_rights, &se_priv_none);
2381
* We do the override access checks on *open*, not at
2385
uint32_t acb_info = pdb_get_acct_ctrl(sampass);
2387
if ((acb_info & ACB_WSTRUST) &&
2388
user_has_any_privilege(p->server_info->ptok,
2389
&se_machine_account)) {
2391
* SeMachineAccount is needed to add
2392
* GENERIC_RIGHTS_USER_WRITE to a machine
2395
se_priv_add(&se_rights, &se_machine_account);
2396
DEBUG(10,("_samr_OpenUser: adding machine account "
2397
"rights to handle for user %s\n",
2398
pdb_get_username(sampass) ));
2400
if ((acb_info & ACB_NORMAL) &&
2401
user_has_any_privilege(p->server_info->ptok,
2404
* SeAddUsers is needed to add
2405
* GENERIC_RIGHTS_USER_WRITE to a normal
2408
se_priv_add(&se_rights, &se_add_users);
2409
DEBUG(10,("_samr_OpenUser: adding add user "
2410
"rights to handle for user %s\n",
2411
pdb_get_username(sampass) ));
2414
* Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
2415
* in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
2416
* what Windows does but is a hack for people who haven't
2417
* set up privilages on groups in Samba.
2419
if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
2420
if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
2421
DOMAIN_GROUP_RID_ADMINS)) {
2422
des_access &= ~GENERIC_RIGHTS_USER_WRITE;
2423
extra_access = GENERIC_RIGHTS_USER_WRITE;
2424
DEBUG(4,("_samr_OpenUser: Allowing "
2425
"GENERIC_RIGHTS_USER_WRITE for "
2431
TALLOC_FREE(sampass);
2433
nt_status = access_check_object(psd, p->server_info->ptok,
2434
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2435
&acc_granted, "_samr_OpenUser");
2437
if ( !NT_STATUS_IS_OK(nt_status) )
2440
/* check that the SID exists in our domain. */
2442
return NT_STATUS_NO_SUCH_USER;
2445
/* If we did the rid admins hack above, allow access. */
2446
acc_granted |= extra_access;
2448
/* associate the user's SID and access bits with the new handle. */
2449
if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL)
2450
return NT_STATUS_NO_MEMORY;
2451
info->acc_granted = acc_granted;
2453
/* get a (unique) handle. open a policy on it. */
2454
if (!create_policy_hnd(p, r->out.user_handle, info))
2455
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2457
return NT_STATUS_OK;
2460
/*************************************************************************
2461
*************************************************************************/
2463
static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2465
struct lsa_BinaryString **_r)
2467
struct lsa_BinaryString *r;
2470
return NT_STATUS_INVALID_PARAMETER;
2473
r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2475
return NT_STATUS_NO_MEMORY;
2478
r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2480
return NT_STATUS_NO_MEMORY;
2482
memcpy(r->array, blob->data, blob->length);
2483
r->size = blob->length;
2484
r->length = blob->length;
2487
return NT_STATUS_NO_MEMORY;
2492
return NT_STATUS_OK;
2495
/*************************************************************************
2497
*************************************************************************/
2499
static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2500
struct samr_UserInfo1 *r,
2502
DOM_SID *domain_sid)
2504
const DOM_SID *sid_group;
2505
uint32_t primary_gid;
2508
sid_group = pdb_get_group_sid(pw);
2511
if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2512
DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2513
"which conflicts with the domain sid %s. Failing operation.\n",
2514
pdb_get_username(pw), sid_string_dbg(sid_group),
2515
sid_string_dbg(domain_sid)));
2516
return NT_STATUS_UNSUCCESSFUL;
2519
r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2520
r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2521
r->primary_gid = primary_gid;
2522
r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2523
r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2525
return NT_STATUS_OK;
2528
/*************************************************************************
2530
*************************************************************************/
2532
static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2533
struct samr_UserInfo2 *r,
2536
r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2537
r->unknown.string = NULL;
2538
r->country_code = 0;
2541
return NT_STATUS_OK;
2544
/*************************************************************************
2546
*************************************************************************/
2548
static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2549
struct samr_UserInfo3 *r,
2551
DOM_SID *domain_sid)
2553
const DOM_SID *sid_user, *sid_group;
2554
uint32_t rid, primary_gid;
2556
sid_user = pdb_get_user_sid(pw);
2558
if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2559
DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2560
"the domain sid %s. Failing operation.\n",
2561
pdb_get_username(pw), sid_string_dbg(sid_user),
2562
sid_string_dbg(domain_sid)));
2563
return NT_STATUS_UNSUCCESSFUL;
2567
sid_group = pdb_get_group_sid(pw);
2570
if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2571
DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2572
"which conflicts with the domain sid %s. Failing operation.\n",
2573
pdb_get_username(pw), sid_string_dbg(sid_group),
2574
sid_string_dbg(domain_sid)));
2575
return NT_STATUS_UNSUCCESSFUL;
2578
unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2579
unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2580
unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2581
unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2582
unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2584
r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2585
r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2586
r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2587
r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2588
r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2589
r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2590
r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2592
r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2594
r->primary_gid = primary_gid;
2595
r->acct_flags = pdb_get_acct_ctrl(pw);
2596
r->bad_password_count = pdb_get_bad_password_count(pw);
2597
r->logon_count = pdb_get_logon_count(pw);
2599
return NT_STATUS_OK;
2602
/*************************************************************************
2604
*************************************************************************/
2606
static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2607
struct samr_UserInfo4 *r,
2610
r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2612
return NT_STATUS_OK;
2615
/*************************************************************************
2617
*************************************************************************/
2619
static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2620
struct samr_UserInfo5 *r,
2622
DOM_SID *domain_sid)
2624
const DOM_SID *sid_user, *sid_group;
2625
uint32_t rid, primary_gid;
2627
sid_user = pdb_get_user_sid(pw);
2629
if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2630
DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2631
"the domain sid %s. Failing operation.\n",
2632
pdb_get_username(pw), sid_string_dbg(sid_user),
2633
sid_string_dbg(domain_sid)));
2634
return NT_STATUS_UNSUCCESSFUL;
2638
sid_group = pdb_get_group_sid(pw);
2641
if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2642
DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2643
"which conflicts with the domain sid %s. Failing operation.\n",
2644
pdb_get_username(pw), sid_string_dbg(sid_group),
2645
sid_string_dbg(domain_sid)));
2646
return NT_STATUS_UNSUCCESSFUL;
2649
unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2650
unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2651
unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2652
unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2654
r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2655
r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2656
r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2657
r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2658
r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2659
r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2660
r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2661
r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2663
r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2665
r->primary_gid = primary_gid;
2666
r->acct_flags = pdb_get_acct_ctrl(pw);
2667
r->bad_password_count = pdb_get_bad_password_count(pw);
2668
r->logon_count = pdb_get_logon_count(pw);
2670
return NT_STATUS_OK;
2673
/*************************************************************************
2675
*************************************************************************/
2677
static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2678
struct samr_UserInfo6 *r,
2681
r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2682
r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2684
return NT_STATUS_OK;
2687
/*************************************************************************
2688
get_user_info_7. Safe. Only gives out account_name.
2689
*************************************************************************/
2691
static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2692
struct samr_UserInfo7 *r,
2693
struct samu *smbpass)
2695
r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2696
if (!r->account_name.string) {
2697
return NT_STATUS_NO_MEMORY;
2700
return NT_STATUS_OK;
2703
/*************************************************************************
2705
*************************************************************************/
2707
static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2708
struct samr_UserInfo8 *r,
2711
r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2713
return NT_STATUS_OK;
2716
/*************************************************************************
2717
get_user_info_9. Only gives out primary group SID.
2718
*************************************************************************/
2720
static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2721
struct samr_UserInfo9 *r,
2722
struct samu *smbpass)
2724
r->primary_gid = pdb_get_group_rid(smbpass);
2726
return NT_STATUS_OK;
2729
/*************************************************************************
2731
*************************************************************************/
2733
static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2734
struct samr_UserInfo10 *r,
2737
r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2738
r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2740
return NT_STATUS_OK;
2743
/*************************************************************************
2745
*************************************************************************/
2747
static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2748
struct samr_UserInfo11 *r,
2751
r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2753
return NT_STATUS_OK;
2756
/*************************************************************************
2758
*************************************************************************/
2760
static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2761
struct samr_UserInfo12 *r,
2764
r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2766
return NT_STATUS_OK;
2769
/*************************************************************************
2771
*************************************************************************/
2773
static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2774
struct samr_UserInfo13 *r,
2777
r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2779
return NT_STATUS_OK;
2782
/*************************************************************************
2784
*************************************************************************/
2786
static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2787
struct samr_UserInfo14 *r,
2790
r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2792
return NT_STATUS_OK;
2795
/*************************************************************************
2796
get_user_info_16. Safe. Only gives out acb bits.
2797
*************************************************************************/
2799
static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2800
struct samr_UserInfo16 *r,
2801
struct samu *smbpass)
2803
r->acct_flags = pdb_get_acct_ctrl(smbpass);
2805
return NT_STATUS_OK;
2808
/*************************************************************************
2810
*************************************************************************/
2812
static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2813
struct samr_UserInfo17 *r,
2816
unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2818
return NT_STATUS_OK;
2821
/*************************************************************************
2822
get_user_info_18. OK - this is the killer as it gives out password info.
2823
Ensure that this is only allowed on an encrypted connection with a root
2825
*************************************************************************/
2827
static NTSTATUS get_user_info_18(pipes_struct *p,
2828
TALLOC_CTX *mem_ctx,
2829
struct samr_UserInfo18 *r,
2832
struct samu *smbpass=NULL;
2837
if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2838
return NT_STATUS_ACCESS_DENIED;
2841
if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2842
return NT_STATUS_ACCESS_DENIED;
2846
* Do *NOT* do become_root()/unbecome_root() here ! JRA.
2849
if ( !(smbpass = samu_new( mem_ctx )) ) {
2850
return NT_STATUS_NO_MEMORY;
2853
ret = pdb_getsampwsid(smbpass, user_sid);
2856
DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2857
TALLOC_FREE(smbpass);
2858
return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2861
DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2863
if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2864
TALLOC_FREE(smbpass);
2865
return NT_STATUS_ACCOUNT_DISABLED;
2868
r->lm_pwd_active = true;
2869
r->nt_pwd_active = true;
2870
memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2871
memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2872
r->password_expired = 0; /* FIXME */
2874
TALLOC_FREE(smbpass);
2876
return NT_STATUS_OK;
2879
/*************************************************************************
2881
*************************************************************************/
2883
static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2884
struct samr_UserInfo20 *r,
2885
struct samu *sampass)
2887
const char *munged_dial = NULL;
2890
struct lsa_BinaryString *parameters = NULL;
2894
munged_dial = pdb_get_munged_dial(sampass);
2896
DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2897
munged_dial, (int)strlen(munged_dial)));
2900
blob = base64_decode_data_blob(munged_dial);
2902
blob = data_blob_string_const_null("");
2905
status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2906
data_blob_free(&blob);
2907
if (!NT_STATUS_IS_OK(status)) {
2911
r->parameters = *parameters;
2913
return NT_STATUS_OK;
2917
/*************************************************************************
2919
*************************************************************************/
2921
static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2922
struct samr_UserInfo21 *r,
2924
DOM_SID *domain_sid,
2925
uint32_t acc_granted)
2928
const DOM_SID *sid_user, *sid_group;
2929
uint32_t rid, primary_gid;
2930
NTTIME force_password_change;
2931
time_t must_change_time;
2932
struct lsa_BinaryString *parameters = NULL;
2933
const char *munged_dial = NULL;
2938
sid_user = pdb_get_user_sid(pw);
2940
if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2941
DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2942
"the domain sid %s. Failing operation.\n",
2943
pdb_get_username(pw), sid_string_dbg(sid_user),
2944
sid_string_dbg(domain_sid)));
2945
return NT_STATUS_UNSUCCESSFUL;
2949
sid_group = pdb_get_group_sid(pw);
2952
if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2953
DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2954
"which conflicts with the domain sid %s. Failing operation.\n",
2955
pdb_get_username(pw), sid_string_dbg(sid_group),
2956
sid_string_dbg(domain_sid)));
2957
return NT_STATUS_UNSUCCESSFUL;
2960
unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2961
unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2962
unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2963
unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2964
unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2966
must_change_time = pdb_get_pass_must_change_time(pw);
2967
if (must_change_time == get_time_t_max()) {
2968
unix_to_nt_time_abs(&force_password_change, must_change_time);
2970
unix_to_nt_time(&force_password_change, must_change_time);
2973
munged_dial = pdb_get_munged_dial(pw);
2975
blob = base64_decode_data_blob(munged_dial);
2977
blob = data_blob_string_const_null("");
2980
status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2981
data_blob_free(&blob);
2982
if (!NT_STATUS_IS_OK(status)) {
2986
r->force_password_change = force_password_change;
2988
r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(pw));
2989
r->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2990
r->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2991
r->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2992
r->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2993
r->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2994
r->description.string = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2995
r->workstations.string = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2996
r->comment.string = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2998
r->logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2999
r->parameters = *parameters;
3001
r->primary_gid = primary_gid;
3002
r->acct_flags = pdb_get_acct_ctrl(pw);
3003
r->bad_password_count = pdb_get_bad_password_count(pw);
3004
r->logon_count = pdb_get_logon_count(pw);
3005
r->fields_present = pdb_build_fields_present(pw);
3006
r->password_expired = (pdb_get_pass_must_change_time(pw) == 0) ?
3007
PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
3008
r->country_code = 0;
3010
r->lm_password_set = 0;
3011
r->nt_password_set = 0;
3016
Look at a user on a real NT4 PDC with usrmgr, press
3017
'ok'. Then you will see that fields_present is set to
3018
0x08f827fa. Look at the user immediately after that again,
3019
and you will see that 0x00fffff is returned. This solves
3020
the problem that you get access denied after having looked
3028
return NT_STATUS_OK;
3031
/*******************************************************************
3033
********************************************************************/
3035
NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
3036
struct samr_QueryUserInfo *r)
3039
union samr_UserInfo *user_info = NULL;
3040
struct samr_info *info = NULL;
3044
struct samu *pwd = NULL;
3045
uint32_t acc_required, acc_granted = 0;
3047
/* search for the handle */
3048
if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
3049
return NT_STATUS_INVALID_HANDLE;
3051
switch (r->in.level) {
3052
case 1: /* UserGeneralInformation */
3053
/* USER_READ_GENERAL */
3054
acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
3056
case 2: /* UserPreferencesInformation */
3057
/* USER_READ_PREFERENCES | USER_READ_GENERAL */
3058
acc_required = SAMR_USER_ACCESS_GET_LOCALE |
3059
SAMR_USER_ACCESS_GET_NAME_ETC;
3061
case 3: /* UserLogonInformation */
3062
/* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
3063
acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
3064
SAMR_USER_ACCESS_GET_LOCALE |
3065
SAMR_USER_ACCESS_GET_LOGONINFO |
3066
SAMR_USER_ACCESS_GET_ATTRIBUTES;
3068
case 4: /* UserLogonHoursInformation */
3069
/* USER_READ_LOGON */
3070
acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
3072
case 5: /* UserAccountInformation */
3073
/* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
3074
acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
3075
SAMR_USER_ACCESS_GET_LOCALE |
3076
SAMR_USER_ACCESS_GET_LOGONINFO |
3077
SAMR_USER_ACCESS_GET_ATTRIBUTES;
3079
case 6: /* UserNameInformation */
3080
case 7: /* UserAccountNameInformation */
3081
case 8: /* UserFullNameInformation */
3082
case 9: /* UserPrimaryGroupInformation */
3083
case 13: /* UserAdminCommentInformation */
3084
/* USER_READ_GENERAL */
3085
acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
3087
case 10: /* UserHomeInformation */
3088
case 11: /* UserScriptInformation */
3089
case 12: /* UserProfileInformation */
3090
case 14: /* UserWorkStationsInformation */
3091
/* USER_READ_LOGON */
3092
acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
3094
case 16: /* UserControlInformation */
3095
case 17: /* UserExpiresInformation */
3096
case 20: /* UserParametersInformation */
3097
/* USER_READ_ACCOUNT */
3098
acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
3100
case 21: /* UserAllInformation */
3102
acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
3104
case 18: /* UserInternal1Information */
3106
acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
3108
case 23: /* UserInternal4Information */
3109
case 24: /* UserInternal4InformationNew */
3110
case 25: /* UserInternal4InformationNew */
3111
case 26: /* UserInternal5InformationNew */
3113
return NT_STATUS_INVALID_INFO_CLASS;
3117
status = access_check_samr_function(info->acc_granted,
3119
"_samr_QueryUserInfo");
3120
if (!NT_STATUS_IS_OK(status)) {
3124
domain_sid = info->sid;
3126
sid_split_rid(&domain_sid, &rid);
3128
if (!sid_check_is_in_our_domain(&info->sid))
3129
return NT_STATUS_OBJECT_TYPE_MISMATCH;
3131
DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
3132
sid_string_dbg(&info->sid)));
3134
user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
3136
return NT_STATUS_NO_MEMORY;
3139
DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
3141
if (!(pwd = samu_new(p->mem_ctx))) {
3142
return NT_STATUS_NO_MEMORY;
3146
ret = pdb_getsampwsid(pwd, &info->sid);
3150
DEBUG(4,("User %s not found\n", sid_string_dbg(&info->sid)));
3152
return NT_STATUS_NO_SUCH_USER;
3155
DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
3157
samr_clear_sam_passwd(pwd);
3159
switch (r->in.level) {
3161
status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
3164
status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
3167
status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
3170
status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
3173
status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
3176
status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
3179
status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
3182
status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
3185
status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
3188
status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
3191
status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
3194
status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
3197
status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
3200
status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
3203
status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
3206
status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
3209
/* level 18 is special */
3210
status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
3213
status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
3216
status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid, acc_granted);
3219
status = NT_STATUS_INVALID_INFO_CLASS;
3223
if (!NT_STATUS_IS_OK(status)) {
3227
*r->out.info = user_info;
3232
DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
3237
/****************************************************************
3238
****************************************************************/
3240
NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
3241
struct samr_QueryUserInfo2 *r)
3243
struct samr_QueryUserInfo u;
3245
u.in.user_handle = r->in.user_handle;
3246
u.in.level = r->in.level;
3247
u.out.info = r->out.info;
3249
return _samr_QueryUserInfo(p, &u);
3252
/*******************************************************************
3253
_samr_GetGroupsForUser
3254
********************************************************************/
3256
NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
3257
struct samr_GetGroupsForUser *r)
3259
struct samu *sam_pass=NULL;
3262
struct samr_RidWithAttribute dom_gid;
3263
struct samr_RidWithAttribute *gids = NULL;
3264
uint32 primary_group_rid;
3265
size_t num_groups = 0;
3271
bool success = False;
3273
struct samr_RidWithAttributeArray *rids = NULL;
3276
* from the SID in the request:
3277
* we should send back the list of DOMAIN GROUPS
3278
* the user is a member of
3280
* and only the DOMAIN GROUPS
3281
* no ALIASES !!! neither aliases of the domain
3282
* nor aliases of the builtin SID
3287
DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3289
rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
3291
return NT_STATUS_NO_MEMORY;
3294
/* find the policy handle. open a policy on it. */
3295
if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
3296
return NT_STATUS_INVALID_HANDLE;
3298
result = access_check_samr_function(acc_granted,
3299
SAMR_USER_ACCESS_GET_GROUPS,
3300
"_samr_GetGroupsForUser");
3301
if (!NT_STATUS_IS_OK(result)) {
3305
if (!sid_check_is_in_our_domain(&sid))
3306
return NT_STATUS_OBJECT_TYPE_MISMATCH;
3308
if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
3309
return NT_STATUS_NO_MEMORY;
3313
ret = pdb_getsampwsid(sam_pass, &sid);
3317
DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3318
sid_string_dbg(&sid)));
3319
return NT_STATUS_NO_SUCH_USER;
3324
/* make both calls inside the root block */
3326
result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
3327
&sids, &unix_gids, &num_groups);
3328
if ( NT_STATUS_IS_OK(result) ) {
3329
success = sid_peek_check_rid(get_global_sam_sid(),
3330
pdb_get_group_sid(sam_pass),
3331
&primary_group_rid);
3335
if (!NT_STATUS_IS_OK(result)) {
3336
DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3337
sid_string_dbg(&sid)));
3342
DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3343
sid_string_dbg(pdb_get_group_sid(sam_pass)),
3344
pdb_get_username(sam_pass)));
3345
TALLOC_FREE(sam_pass);
3346
return NT_STATUS_INTERNAL_DB_CORRUPTION;
3352
dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
3354
dom_gid.rid = primary_group_rid;
3355
ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3357
for (i=0; i<num_groups; i++) {
3359
if (!sid_peek_check_rid(get_global_sam_sid(),
3360
&(sids[i]), &dom_gid.rid)) {
3361
DEBUG(10, ("Found sid %s not in our domain\n",
3362
sid_string_dbg(&sids[i])));
3366
if (dom_gid.rid == primary_group_rid) {
3367
/* We added the primary group directly from the
3368
* sam_account. The other SIDs are unique from
3369
* enum_group_memberships */
3373
ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3376
rids->count = num_gids;
3379
*r->out.rids = rids;
3381
DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3386
/*******************************************************************
3387
_samr_QueryDomainInfo
3388
********************************************************************/
3390
NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
3391
struct samr_QueryDomainInfo *r)
3393
NTSTATUS status = NT_STATUS_OK;
3394
struct samr_info *info = NULL;
3395
union samr_DomainInfo *dom_info;
3396
time_t u_expire, u_min_age;
3398
time_t u_lock_duration, u_reset_time;
3401
uint32 account_policy_temp;
3405
uint32_t acc_required;
3407
DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3409
switch (r->in.level) {
3410
case 1: /* DomainPasswordInformation */
3411
case 12: /* DomainLockoutInformation */
3412
/* DOMAIN_READ_PASSWORD_PARAMETERS */
3413
acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
3415
case 11: /* DomainGeneralInformation2 */
3416
/* DOMAIN_READ_PASSWORD_PARAMETERS |
3417
* DOMAIN_READ_OTHER_PARAMETERS */
3418
acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
3419
SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
3421
case 2: /* DomainGeneralInformation */
3422
case 3: /* DomainLogoffInformation */
3423
case 4: /* DomainOemInformation */
3424
case 5: /* DomainReplicationInformation */
3425
case 6: /* DomainReplicationInformation */
3426
case 7: /* DomainServerRoleInformation */
3427
case 8: /* DomainModifiedInformation */
3428
case 9: /* DomainStateInformation */
3429
case 10: /* DomainUasInformation */
3430
case 13: /* DomainModifiedInformation2 */
3431
/* DOMAIN_READ_OTHER_PARAMETERS */
3432
acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
3435
return NT_STATUS_INVALID_INFO_CLASS;
3438
dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
3440
return NT_STATUS_NO_MEMORY;
3443
/* find the policy handle. open a policy on it. */
3444
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
3445
return NT_STATUS_INVALID_HANDLE;
3448
status = access_check_samr_function(info->acc_granted,
3450
"_samr_QueryDomainInfo" );
3452
if ( !NT_STATUS_IS_OK(status) )
3455
switch (r->in.level) {
3462
pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
3463
&account_policy_temp);
3464
dom_info->info1.min_password_length = account_policy_temp;
3466
pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
3467
dom_info->info1.password_history_length = account_policy_temp;
3469
pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
3470
&dom_info->info1.password_properties);
3472
pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
3473
u_expire = account_policy_temp;
3475
pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
3476
u_min_age = account_policy_temp;
3482
unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
3483
unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
3485
if (lp_check_password_script() && *lp_check_password_script()) {
3486
dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
3496
dom_info->general.num_users = count_sam_users(info->disp_info, ACB_NORMAL);
3497
dom_info->general.num_groups = count_sam_groups(info->disp_info);
3498
dom_info->general.num_aliases = count_sam_aliases(info->disp_info);
3500
pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3502
unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
3504
if (!pdb_get_seq_num(&seq_num))
3505
seq_num = time(NULL);
3511
server_role = ROLE_DOMAIN_PDC;
3512
if (lp_server_role() == ROLE_DOMAIN_BDC)
3513
server_role = ROLE_DOMAIN_BDC;
3515
dom_info->general.oem_information.string = lp_serverstring();
3516
dom_info->general.domain_name.string = lp_workgroup();
3517
dom_info->general.primary.string = global_myname();
3518
dom_info->general.sequence_num = seq_num;
3519
dom_info->general.domain_server_state = DOMAIN_SERVER_ENABLED;
3520
dom_info->general.role = server_role;
3521
dom_info->general.unknown3 = 1;
3532
pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3533
u_logout = (time_t)ul;
3540
unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
3544
dom_info->oem.oem_information.string = lp_serverstring();
3547
dom_info->info5.domain_name.string = get_global_sam_name();
3550
/* NT returns its own name when a PDC. win2k and later
3551
* only the name of the PDC if itself is a BDC (samba4
3553
dom_info->info6.primary.string = global_myname();
3556
server_role = ROLE_DOMAIN_PDC;
3557
if (lp_server_role() == ROLE_DOMAIN_BDC)
3558
server_role = ROLE_DOMAIN_BDC;
3560
dom_info->info7.role = server_role;
3568
if (!pdb_get_seq_num(&seq_num)) {
3569
seq_num = time(NULL);
3576
dom_info->info8.sequence_num = seq_num;
3577
dom_info->info8.domain_create_time = 0;
3582
dom_info->info9.domain_server_state = DOMAIN_SERVER_ENABLED;
3591
dom_info->general2.general.num_users = count_sam_users(
3592
info->disp_info, ACB_NORMAL);
3593
dom_info->general2.general.num_groups = count_sam_groups(
3595
dom_info->general2.general.num_aliases = count_sam_aliases(
3598
pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3600
unix_to_nt_time_abs(&dom_info->general2.general.force_logoff_time, u_logout);
3602
if (!pdb_get_seq_num(&seq_num))
3603
seq_num = time(NULL);
3605
pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3606
u_lock_duration = account_policy_temp;
3607
if (u_lock_duration != -1) {
3608
u_lock_duration *= 60;
3611
pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3612
u_reset_time = account_policy_temp * 60;
3614
pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3615
&account_policy_temp);
3616
dom_info->general2.lockout_threshold = account_policy_temp;
3622
server_role = ROLE_DOMAIN_PDC;
3623
if (lp_server_role() == ROLE_DOMAIN_BDC)
3624
server_role = ROLE_DOMAIN_BDC;
3626
dom_info->general2.general.oem_information.string = lp_serverstring();
3627
dom_info->general2.general.domain_name.string = lp_workgroup();
3628
dom_info->general2.general.primary.string = global_myname();
3629
dom_info->general2.general.sequence_num = seq_num;
3630
dom_info->general2.general.domain_server_state = DOMAIN_SERVER_ENABLED;
3631
dom_info->general2.general.role = server_role;
3632
dom_info->general2.general.unknown3 = 1;
3634
unix_to_nt_time_abs(&dom_info->general2.lockout_duration,
3636
unix_to_nt_time_abs(&dom_info->general2.lockout_window,
3646
pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3647
u_lock_duration = account_policy_temp;
3648
if (u_lock_duration != -1) {
3649
u_lock_duration *= 60;
3652
pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3653
u_reset_time = account_policy_temp * 60;
3655
pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3656
&account_policy_temp);
3657
dom_info->info12.lockout_threshold = account_policy_temp;
3663
unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
3665
unix_to_nt_time_abs(&dom_info->info12.lockout_window,
3675
if (!pdb_get_seq_num(&seq_num)) {
3676
seq_num = time(NULL);
3683
dom_info->info13.sequence_num = seq_num;
3684
dom_info->info13.domain_create_time = 0;
3685
dom_info->info13.modified_count_at_last_promotion = 0;
3689
return NT_STATUS_INVALID_INFO_CLASS;
3692
*r->out.info = dom_info;
3694
DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3699
/* W2k3 seems to use the same check for all 3 objects that can be created via
3700
* SAMR, if you try to create for example "Dialup" as an alias it says
3701
* "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3704
static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3706
enum lsa_SidType type;
3709
DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3712
/* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3713
* whether the name already exists */
3714
result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3715
NULL, NULL, NULL, &type);
3719
DEBUG(10, ("%s does not exist, can create it\n", new_name));
3720
return NT_STATUS_OK;
3723
DEBUG(5, ("trying to create %s, exists as %s\n",
3724
new_name, sid_type_lookup(type)));
3726
if (type == SID_NAME_DOM_GRP) {
3727
return NT_STATUS_GROUP_EXISTS;
3729
if (type == SID_NAME_ALIAS) {
3730
return NT_STATUS_ALIAS_EXISTS;
3733
/* Yes, the default is NT_STATUS_USER_EXISTS */
3734
return NT_STATUS_USER_EXISTS;
3737
/*******************************************************************
3739
********************************************************************/
3741
NTSTATUS _samr_CreateUser2(pipes_struct *p,
3742
struct samr_CreateUser2 *r)
3744
const char *account = NULL;
3746
uint32_t acb_info = r->in.acct_flags;
3747
struct samr_info *info = NULL;
3752
/* check this, when giving away 'add computer to domain' privs */
3753
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3754
bool can_add_account = False;
3756
DISP_INFO *disp_info = NULL;
3758
/* Get the domain SID stored in the domain policy */
3759
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted,
3761
return NT_STATUS_INVALID_HANDLE;
3763
if (disp_info->builtin_domain) {
3764
DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3765
return NT_STATUS_ACCESS_DENIED;
3768
nt_status = access_check_samr_function(acc_granted,
3769
SAMR_DOMAIN_ACCESS_CREATE_USER,
3770
"_samr_CreateUser2");
3771
if (!NT_STATUS_IS_OK(nt_status)) {
3775
if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3776
acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3777
/* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3778
this parameter is not an account type */
3779
return NT_STATUS_INVALID_PARAMETER;
3782
account = r->in.account_name->string;
3783
if (account == NULL) {
3784
return NT_STATUS_NO_MEMORY;
3787
nt_status = can_create(p->mem_ctx, account);
3788
if (!NT_STATUS_IS_OK(nt_status)) {
3792
/* determine which user right we need to check based on the acb_info */
3794
if (geteuid() == sec_initial_uid()) {
3795
se_priv_copy(&se_rights, &se_priv_none);
3796
can_add_account = true;
3797
} else if (acb_info & ACB_WSTRUST) {
3798
se_priv_copy(&se_rights, &se_machine_account);
3799
can_add_account = user_has_privileges(
3800
p->server_info->ptok, &se_rights );
3801
} else if (acb_info & ACB_NORMAL &&
3802
(account[strlen(account)-1] != '$')) {
3803
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3804
account for domain trusts and changes the ACB flags later */
3805
se_priv_copy(&se_rights, &se_add_users);
3806
can_add_account = user_has_privileges(
3807
p->server_info->ptok, &se_rights );
3808
} else if (lp_enable_privileges()) {
3809
/* implicit assumption of a BDC or domain trust account here
3810
* (we already check the flags earlier) */
3811
/* only Domain Admins can add a BDC or domain trust */
3812
se_priv_copy(&se_rights, &se_priv_none);
3813
can_add_account = nt_token_check_domain_rid(
3814
p->server_info->ptok,
3815
DOMAIN_GROUP_RID_ADMINS );
3818
DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3819
uidtoname(p->server_info->utok.uid),
3820
can_add_account ? "True":"False" ));
3822
if (!can_add_account) {
3823
return NT_STATUS_ACCESS_DENIED;
3826
/********** BEGIN Admin BLOCK **********/
3829
nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3833
/********** END Admin BLOCK **********/
3835
/* now check for failure */
3837
if ( !NT_STATUS_IS_OK(nt_status) )
3840
/* Get the user's SID */
3842
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3844
map_max_allowed_access(p->server_info->ptok, &des_access);
3846
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3847
&sid, SAMR_USR_RIGHTS_WRITE_PW);
3848
se_map_generic(&des_access, &usr_generic_mapping);
3851
* JRA - TESTME. We just created this user so we
3852
* had rights to create them. Do we need to check
3853
* any further access on this object ? Can't we
3854
* just assume we have all the rights we need ?
3857
nt_status = access_check_object(psd, p->server_info->ptok,
3858
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3859
&acc_granted, "_samr_CreateUser2");
3861
if ( !NT_STATUS_IS_OK(nt_status) ) {
3865
/* associate the user's SID with the new handle. */
3866
if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL) {
3867
return NT_STATUS_NO_MEMORY;
3872
info->acc_granted = acc_granted;
3874
/* get a (unique) handle. open a policy on it. */
3875
if (!create_policy_hnd(p, r->out.user_handle, info)) {
3876
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3879
/* After a "set" ensure we have no cached display info. */
3880
force_flush_samr_cache(info->disp_info);
3882
*r->out.access_granted = acc_granted;
3884
return NT_STATUS_OK;
3887
/****************************************************************
3888
****************************************************************/
3890
NTSTATUS _samr_CreateUser(pipes_struct *p,
3891
struct samr_CreateUser *r)
3893
struct samr_CreateUser2 c;
3894
uint32_t access_granted;
3896
c.in.domain_handle = r->in.domain_handle;
3897
c.in.account_name = r->in.account_name;
3898
c.in.acct_flags = ACB_NORMAL;
3899
c.in.access_mask = r->in.access_mask;
3900
c.out.user_handle = r->out.user_handle;
3901
c.out.access_granted = &access_granted;
3902
c.out.rid = r->out.rid;
3904
return _samr_CreateUser2(p, &c);
3907
/*******************************************************************
3909
********************************************************************/
3911
NTSTATUS _samr_Connect(pipes_struct *p,
3912
struct samr_Connect *r)
3914
struct samr_info *info = NULL;
3915
uint32 des_access = r->in.access_mask;
3919
if (!pipe_access_check(p)) {
3920
DEBUG(3, ("access denied to _samr_Connect\n"));
3921
return NT_STATUS_ACCESS_DENIED;
3924
/* set up the SAMR connect_anon response */
3926
/* associate the user's SID with the new handle. */
3927
if ((info = get_samr_info_by_sid(p->mem_ctx, NULL)) == NULL)
3928
return NT_STATUS_NO_MEMORY;
3930
/* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3931
was observed from a win98 client trying to enumerate users (when configured
3932
user level access control on shares) --jerry */
3934
map_max_allowed_access(p->server_info->ptok, &des_access);
3936
se_map_generic( &des_access, &sam_generic_mapping );
3937
info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
3939
/* get a (unique) handle. open a policy on it. */
3940
if (!create_policy_hnd(p, r->out.connect_handle, info))
3941
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3943
return NT_STATUS_OK;
3946
/*******************************************************************
3948
********************************************************************/
3950
NTSTATUS _samr_Connect2(pipes_struct *p,
3951
struct samr_Connect2 *r)
3953
struct samr_info *info = NULL;
3954
SEC_DESC *psd = NULL;
3956
uint32 des_access = r->in.access_mask;
3959
const char *fn = "_samr_Connect2";
3961
switch (p->hdr_req.opnum) {
3962
case NDR_SAMR_CONNECT2:
3963
fn = "_samr_Connect2";
3965
case NDR_SAMR_CONNECT3:
3966
fn = "_samr_Connect3";
3968
case NDR_SAMR_CONNECT4:
3969
fn = "_samr_Connect4";
3971
case NDR_SAMR_CONNECT5:
3972
fn = "_samr_Connect5";
3976
DEBUG(5,("%s: %d\n", fn, __LINE__));
3980
if (!pipe_access_check(p)) {
3981
DEBUG(3, ("access denied to %s\n", fn));
3982
return NT_STATUS_ACCESS_DENIED;
3985
map_max_allowed_access(p->server_info->ptok, &des_access);
3987
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3988
se_map_generic(&des_access, &sam_generic_mapping);
3990
nt_status = access_check_object(psd, p->server_info->ptok,
3991
NULL, 0, des_access, &acc_granted, fn);
3993
if ( !NT_STATUS_IS_OK(nt_status) )
3996
/* associate the user's SID and access granted with the new handle. */
3997
if ((info = get_samr_info_by_sid(p->mem_ctx, NULL)) == NULL)
3998
return NT_STATUS_NO_MEMORY;
4000
info->acc_granted = acc_granted;
4001
info->status = r->in.access_mask; /* this looks so wrong... - gd */
4003
/* get a (unique) handle. open a policy on it. */
4004
if (!create_policy_hnd(p, r->out.connect_handle, info))
4005
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4007
DEBUG(5,("%s: %d\n", fn, __LINE__));
4012
/****************************************************************
4014
****************************************************************/
4016
NTSTATUS _samr_Connect3(pipes_struct *p,
4017
struct samr_Connect3 *r)
4019
struct samr_Connect2 c;
4021
c.in.system_name = r->in.system_name;
4022
c.in.access_mask = r->in.access_mask;
4023
c.out.connect_handle = r->out.connect_handle;
4025
return _samr_Connect2(p, &c);
4028
/*******************************************************************
4030
********************************************************************/
4032
NTSTATUS _samr_Connect4(pipes_struct *p,
4033
struct samr_Connect4 *r)
4035
struct samr_Connect2 c;
4037
c.in.system_name = r->in.system_name;
4038
c.in.access_mask = r->in.access_mask;
4039
c.out.connect_handle = r->out.connect_handle;
4041
return _samr_Connect2(p, &c);
4044
/*******************************************************************
4046
********************************************************************/
4048
NTSTATUS _samr_Connect5(pipes_struct *p,
4049
struct samr_Connect5 *r)
4052
struct samr_Connect2 c;
4053
struct samr_ConnectInfo1 info1;
4055
info1.client_version = SAMR_CONNECT_AFTER_W2K;
4058
c.in.system_name = r->in.system_name;
4059
c.in.access_mask = r->in.access_mask;
4060
c.out.connect_handle = r->out.connect_handle;
4062
*r->out.level_out = 1;
4064
status = _samr_Connect2(p, &c);
4065
if (!NT_STATUS_IS_OK(status)) {
4069
r->out.info_out->info1 = info1;
4071
return NT_STATUS_OK;
4074
/**********************************************************************
4076
**********************************************************************/
4078
NTSTATUS _samr_LookupDomain(pipes_struct *p,
4079
struct samr_LookupDomain *r)
4081
NTSTATUS status = NT_STATUS_OK;
4082
struct samr_info *info;
4083
const char *domain_name;
4084
DOM_SID *sid = NULL;
4086
if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
4087
return NT_STATUS_INVALID_HANDLE;
4089
/* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
4090
Reverted that change so we will work with RAS servers again */
4092
status = access_check_samr_function(info->acc_granted,
4093
SAMR_ACCESS_LOOKUP_DOMAIN,
4094
"_samr_LookupDomain");
4095
if (!NT_STATUS_IS_OK(status)) {
4099
domain_name = r->in.domain_name->string;
4101
return NT_STATUS_INVALID_PARAMETER;
4104
sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
4106
return NT_STATUS_NO_MEMORY;
4109
if (strequal(domain_name, builtin_domain_name())) {
4110
sid_copy(sid, &global_sid_Builtin);
4112
if (!secrets_fetch_domain_sid(domain_name, sid)) {
4113
status = NT_STATUS_NO_SUCH_DOMAIN;
4117
DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
4118
sid_string_dbg(sid)));
4125
/**********************************************************************
4127
**********************************************************************/
4129
NTSTATUS _samr_EnumDomains(pipes_struct *p,
4130
struct samr_EnumDomains *r)
4133
struct samr_info *info;
4134
uint32_t num_entries = 2;
4135
struct samr_SamEntry *entry_array = NULL;
4136
struct samr_SamArray *sam;
4138
if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
4139
return NT_STATUS_INVALID_HANDLE;
4141
status = access_check_samr_function(info->acc_granted,
4142
SAMR_ACCESS_ENUM_DOMAINS,
4143
"_samr_EnumDomains");
4144
if (!NT_STATUS_IS_OK(status)) {
4148
sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
4150
return NT_STATUS_NO_MEMORY;
4153
entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
4154
struct samr_SamEntry,
4157
return NT_STATUS_NO_MEMORY;
4160
entry_array[0].idx = 0;
4161
init_lsa_String(&entry_array[0].name, get_global_sam_name());
4163
entry_array[1].idx = 1;
4164
init_lsa_String(&entry_array[1].name, "Builtin");
4166
sam->count = num_entries;
4167
sam->entries = entry_array;
4170
*r->out.num_entries = num_entries;
4175
/*******************************************************************
4177
********************************************************************/
4179
NTSTATUS _samr_OpenAlias(pipes_struct *p,
4180
struct samr_OpenAlias *r)
4183
uint32 alias_rid = r->in.rid;
4184
struct samr_info *info = NULL;
4185
SEC_DESC *psd = NULL;
4187
uint32 des_access = r->in.access_mask;
4192
/* find the domain policy and get the SID / access bits stored in the domain policy */
4194
if ( !get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL) )
4195
return NT_STATUS_INVALID_HANDLE;
4197
status = access_check_samr_function(acc_granted,
4198
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
4201
if ( !NT_STATUS_IS_OK(status) )
4204
/* append the alias' RID to it */
4206
if (!sid_append_rid(&sid, alias_rid))
4207
return NT_STATUS_NO_SUCH_ALIAS;
4209
/*check if access can be granted as requested by client. */
4211
map_max_allowed_access(p->server_info->ptok, &des_access);
4213
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
4214
se_map_generic(&des_access,&ali_generic_mapping);
4216
se_priv_copy( &se_rights, &se_add_users );
4218
status = access_check_object(psd, p->server_info->ptok,
4219
&se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
4220
des_access, &acc_granted, "_samr_OpenAlias");
4222
if ( !NT_STATUS_IS_OK(status) )
4226
/* Check we actually have the requested alias */
4227
enum lsa_SidType type;
4232
result = lookup_sid(NULL, &sid, NULL, NULL, &type);
4235
if (!result || (type != SID_NAME_ALIAS)) {
4236
return NT_STATUS_NO_SUCH_ALIAS;
4239
/* make sure there is a mapping */
4241
if ( !sid_to_gid( &sid, &gid ) ) {
4242
return NT_STATUS_NO_SUCH_ALIAS;
4247
/* associate the alias SID with the new handle. */
4248
if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL)
4249
return NT_STATUS_NO_MEMORY;
4251
info->acc_granted = acc_granted;
4253
/* get a (unique) handle. open a policy on it. */
4254
if (!create_policy_hnd(p, r->out.alias_handle, info))
4255
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4257
return NT_STATUS_OK;
4260
/*******************************************************************
4262
********************************************************************/
4264
static NTSTATUS set_user_info_2(TALLOC_CTX *mem_ctx,
4265
struct samr_UserInfo2 *id2,
4269
DEBUG(5,("set_user_info_2: NULL id2\n"));
4270
return NT_STATUS_ACCESS_DENIED;
4273
copy_id2_to_sam_passwd(pwd, id2);
4275
return pdb_update_sam_account(pwd);
4278
/*******************************************************************
4280
********************************************************************/
4282
static NTSTATUS set_user_info_4(TALLOC_CTX *mem_ctx,
4283
struct samr_UserInfo4 *id4,
4287
DEBUG(5,("set_user_info_2: NULL id4\n"));
4288
return NT_STATUS_ACCESS_DENIED;
4291
copy_id4_to_sam_passwd(pwd, id4);
4293
return pdb_update_sam_account(pwd);
4296
/*******************************************************************
4298
********************************************************************/
4300
static NTSTATUS set_user_info_6(TALLOC_CTX *mem_ctx,
4301
struct samr_UserInfo6 *id6,
4305
DEBUG(5,("set_user_info_6: NULL id6\n"));
4306
return NT_STATUS_ACCESS_DENIED;
4309
copy_id6_to_sam_passwd(pwd, id6);
4311
return pdb_update_sam_account(pwd);
4314
/*******************************************************************
4316
********************************************************************/
4318
static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
4319
struct samr_UserInfo7 *id7,
4325
DEBUG(5, ("set_user_info_7: NULL id7\n"));
4326
return NT_STATUS_ACCESS_DENIED;
4329
if (!id7->account_name.string) {
4330
DEBUG(5, ("set_user_info_7: failed to get new username\n"));
4331
return NT_STATUS_ACCESS_DENIED;
4334
/* check to see if the new username already exists. Note: we can't
4335
reliably lock all backends, so there is potentially the
4336
possibility that a user can be created in between this check and
4337
the rename. The rename should fail, but may not get the
4338
exact same failure status code. I think this is small enough
4339
of a window for this type of operation and the results are
4340
simply that the rename fails with a slightly different status
4341
code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4343
rc = can_create(mem_ctx, id7->account_name.string);
4345
/* when there is nothing to change, we're done here */
4346
if (NT_STATUS_EQUAL(rc, NT_STATUS_USER_EXISTS) &&
4347
strequal(id7->account_name.string, pdb_get_username(pwd))) {
4348
return NT_STATUS_OK;
4350
if (!NT_STATUS_IS_OK(rc)) {
4354
rc = pdb_rename_sam_account(pwd, id7->account_name.string);
4359
/*******************************************************************
4361
********************************************************************/
4363
static NTSTATUS set_user_info_8(TALLOC_CTX *mem_ctx,
4364
struct samr_UserInfo8 *id8,
4368
DEBUG(5,("set_user_info_8: NULL id8\n"));
4369
return NT_STATUS_ACCESS_DENIED;
4372
copy_id8_to_sam_passwd(pwd, id8);
4374
return pdb_update_sam_account(pwd);
4377
/*******************************************************************
4379
********************************************************************/
4381
static NTSTATUS set_user_info_10(TALLOC_CTX *mem_ctx,
4382
struct samr_UserInfo10 *id10,
4386
DEBUG(5,("set_user_info_8: NULL id10\n"));
4387
return NT_STATUS_ACCESS_DENIED;
4390
copy_id10_to_sam_passwd(pwd, id10);
4392
return pdb_update_sam_account(pwd);
4395
/*******************************************************************
4397
********************************************************************/
4399
static NTSTATUS set_user_info_11(TALLOC_CTX *mem_ctx,
4400
struct samr_UserInfo11 *id11,
4404
DEBUG(5,("set_user_info_11: NULL id11\n"));
4405
return NT_STATUS_ACCESS_DENIED;
4408
copy_id11_to_sam_passwd(pwd, id11);
4410
return pdb_update_sam_account(pwd);
4413
/*******************************************************************
4415
********************************************************************/
4417
static NTSTATUS set_user_info_12(TALLOC_CTX *mem_ctx,
4418
struct samr_UserInfo12 *id12,
4422
DEBUG(5,("set_user_info_12: NULL id12\n"));
4423
return NT_STATUS_ACCESS_DENIED;
4426
copy_id12_to_sam_passwd(pwd, id12);
4428
return pdb_update_sam_account(pwd);
4431
/*******************************************************************
4433
********************************************************************/
4435
static NTSTATUS set_user_info_13(TALLOC_CTX *mem_ctx,
4436
struct samr_UserInfo13 *id13,
4440
DEBUG(5,("set_user_info_13: NULL id13\n"));
4441
return NT_STATUS_ACCESS_DENIED;
4444
copy_id13_to_sam_passwd(pwd, id13);
4446
return pdb_update_sam_account(pwd);
4449
/*******************************************************************
4451
********************************************************************/
4453
static NTSTATUS set_user_info_14(TALLOC_CTX *mem_ctx,
4454
struct samr_UserInfo14 *id14,
4458
DEBUG(5,("set_user_info_14: NULL id14\n"));
4459
return NT_STATUS_ACCESS_DENIED;
4462
copy_id14_to_sam_passwd(pwd, id14);
4464
return pdb_update_sam_account(pwd);
4467
/*******************************************************************
4469
********************************************************************/
4471
static NTSTATUS set_user_info_16(TALLOC_CTX *mem_ctx,
4472
struct samr_UserInfo16 *id16,
4476
DEBUG(5,("set_user_info_16: NULL id16\n"));
4477
return NT_STATUS_ACCESS_DENIED;
4480
copy_id16_to_sam_passwd(pwd, id16);
4482
return pdb_update_sam_account(pwd);
4485
/*******************************************************************
4487
********************************************************************/
4489
static NTSTATUS set_user_info_17(TALLOC_CTX *mem_ctx,
4490
struct samr_UserInfo17 *id17,
4494
DEBUG(5,("set_user_info_17: NULL id17\n"));
4495
return NT_STATUS_ACCESS_DENIED;
4498
copy_id17_to_sam_passwd(pwd, id17);
4500
return pdb_update_sam_account(pwd);
4503
/*******************************************************************
4505
********************************************************************/
4507
static NTSTATUS set_user_info_18(struct samr_UserInfo18 *id18,
4508
TALLOC_CTX *mem_ctx,
4509
DATA_BLOB *session_key,
4513
DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
4514
return NT_STATUS_INVALID_PARAMETER;
4517
if (id18->nt_pwd_active || id18->lm_pwd_active) {
4518
if (!session_key->length) {
4519
return NT_STATUS_NO_USER_SESSION_KEY;
4523
if (id18->nt_pwd_active) {
4527
in = data_blob_const(id18->nt_pwd.hash, 16);
4528
out = data_blob_talloc_zero(mem_ctx, 16);
4530
sess_crypt_blob(&out, &in, session_key, false);
4532
if (!pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED)) {
4533
return NT_STATUS_ACCESS_DENIED;
4536
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4539
if (id18->lm_pwd_active) {
4543
in = data_blob_const(id18->lm_pwd.hash, 16);
4544
out = data_blob_talloc_zero(mem_ctx, 16);
4546
sess_crypt_blob(&out, &in, session_key, false);
4548
if (!pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED)) {
4549
return NT_STATUS_ACCESS_DENIED;
4552
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4555
copy_id18_to_sam_passwd(pwd, id18);
4557
return pdb_update_sam_account(pwd);
4560
/*******************************************************************
4562
********************************************************************/
4564
static NTSTATUS set_user_info_20(TALLOC_CTX *mem_ctx,
4565
struct samr_UserInfo20 *id20,
4569
DEBUG(5,("set_user_info_20: NULL id20\n"));
4570
return NT_STATUS_ACCESS_DENIED;
4573
copy_id20_to_sam_passwd(pwd, id20);
4575
return pdb_update_sam_account(pwd);
4578
/*******************************************************************
4580
********************************************************************/
4582
static NTSTATUS set_user_info_21(struct samr_UserInfo21 *id21,
4583
TALLOC_CTX *mem_ctx,
4584
DATA_BLOB *session_key,
4590
DEBUG(5, ("set_user_info_21: NULL id21\n"));
4591
return NT_STATUS_INVALID_PARAMETER;
4594
if (id21->fields_present == 0) {
4595
return NT_STATUS_INVALID_PARAMETER;
4598
if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4599
return NT_STATUS_ACCESS_DENIED;
4602
if (id21->fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) {
4603
if (id21->nt_password_set) {
4606
if ((id21->nt_owf_password.length != 16) ||
4607
(id21->nt_owf_password.size != 16)) {
4608
return NT_STATUS_INVALID_PARAMETER;
4611
if (!session_key->length) {
4612
return NT_STATUS_NO_USER_SESSION_KEY;
4615
in = data_blob_const(id21->nt_owf_password.array, 16);
4616
out = data_blob_talloc_zero(mem_ctx, 16);
4618
sess_crypt_blob(&out, &in, session_key, false);
4620
pdb_set_nt_passwd(pwd, out.data, PDB_CHANGED);
4621
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4625
if (id21->fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) {
4626
if (id21->lm_password_set) {
4629
if ((id21->lm_owf_password.length != 16) ||
4630
(id21->lm_owf_password.size != 16)) {
4631
return NT_STATUS_INVALID_PARAMETER;
4634
if (!session_key->length) {
4635
return NT_STATUS_NO_USER_SESSION_KEY;
4638
in = data_blob_const(id21->lm_owf_password.array, 16);
4639
out = data_blob_talloc_zero(mem_ctx, 16);
4641
sess_crypt_blob(&out, &in, session_key, false);
4643
pdb_set_lanman_passwd(pwd, out.data, PDB_CHANGED);
4644
pdb_set_pass_last_set_time(pwd, time(NULL), PDB_CHANGED);
4648
/* we need to separately check for an account rename first */
4650
if (id21->account_name.string &&
4651
(!strequal(id21->account_name.string, pdb_get_username(pwd))))
4654
/* check to see if the new username already exists. Note: we can't
4655
reliably lock all backends, so there is potentially the
4656
possibility that a user can be created in between this check and
4657
the rename. The rename should fail, but may not get the
4658
exact same failure status code. I think this is small enough
4659
of a window for this type of operation and the results are
4660
simply that the rename fails with a slightly different status
4661
code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
4663
status = can_create(mem_ctx, id21->account_name.string);
4664
if (!NT_STATUS_IS_OK(status)) {
4668
status = pdb_rename_sam_account(pwd, id21->account_name.string);
4670
if (!NT_STATUS_IS_OK(status)) {
4671
DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
4672
nt_errstr(status)));
4676
/* set the new username so that later
4677
functions can work on the new account */
4678
pdb_set_username(pwd, id21->account_name.string, PDB_SET);
4681
copy_id21_to_sam_passwd("INFO_21", pwd, id21);
4684
* The funny part about the previous two calls is
4685
* that pwd still has the password hashes from the
4686
* passdb entry. These have not been updated from
4687
* id21. I don't know if they need to be set. --jerry
4690
if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4691
status = pdb_set_unix_primary_group(mem_ctx, pwd);
4692
if ( !NT_STATUS_IS_OK(status) ) {
4697
/* Don't worry about writing out the user account since the
4698
primary group SID is generated solely from the user's Unix
4701
/* write the change out */
4702
if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4706
return NT_STATUS_OK;
4709
/*******************************************************************
4711
********************************************************************/
4713
static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
4714
struct samr_UserInfo23 *id23,
4717
char *plaintext_buf = NULL;
4723
DEBUG(5, ("set_user_info_23: NULL id23\n"));
4724
return NT_STATUS_INVALID_PARAMETER;
4727
if (id23->info.fields_present == 0) {
4728
return NT_STATUS_INVALID_PARAMETER;
4731
if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4732
return NT_STATUS_ACCESS_DENIED;
4735
if ((id23->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4736
(id23->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4738
DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
4739
pdb_get_username(pwd)));
4741
if (!decode_pw_buffer(mem_ctx,
4742
id23->password.data,
4746
return NT_STATUS_WRONG_PASSWORD;
4749
if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4750
return NT_STATUS_ACCESS_DENIED;
4754
copy_id23_to_sam_passwd(pwd, id23);
4756
acct_ctrl = pdb_get_acct_ctrl(pwd);
4758
/* if it's a trust account, don't update /etc/passwd */
4759
if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4760
( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4761
( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4762
DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
4763
} else if (plaintext_buf) {
4764
/* update the UNIX password */
4765
if (lp_unix_password_sync() ) {
4766
struct passwd *passwd;
4767
if (pdb_get_username(pwd) == NULL) {
4768
DEBUG(1, ("chgpasswd: User without name???\n"));
4769
return NT_STATUS_ACCESS_DENIED;
4772
passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4773
if (passwd == NULL) {
4774
DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4777
if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4778
return NT_STATUS_ACCESS_DENIED;
4780
TALLOC_FREE(passwd);
4784
if (plaintext_buf) {
4785
memset(plaintext_buf, '\0', strlen(plaintext_buf));
4788
if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
4789
(!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
4794
if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4798
return NT_STATUS_OK;
4801
/*******************************************************************
4803
********************************************************************/
4805
static bool set_user_info_pw(uint8 *pass, struct samu *pwd)
4808
char *plaintext_buf = NULL;
4811
DEBUG(5, ("Attempting administrator password change for user %s\n",
4812
pdb_get_username(pwd)));
4814
acct_ctrl = pdb_get_acct_ctrl(pwd);
4816
if (!decode_pw_buffer(talloc_tos(),
4824
if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4828
/* if it's a trust account, don't update /etc/passwd */
4829
if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4830
( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4831
( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4832
DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4834
/* update the UNIX password */
4835
if (lp_unix_password_sync()) {
4836
struct passwd *passwd;
4838
if (pdb_get_username(pwd) == NULL) {
4839
DEBUG(1, ("chgpasswd: User without name???\n"));
4843
passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4844
if (passwd == NULL) {
4845
DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4848
if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4851
TALLOC_FREE(passwd);
4855
memset(plaintext_buf, '\0', strlen(plaintext_buf));
4857
DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4862
/*******************************************************************
4864
********************************************************************/
4866
static NTSTATUS set_user_info_24(TALLOC_CTX *mem_ctx,
4867
struct samr_UserInfo24 *id24,
4873
DEBUG(5, ("set_user_info_24: NULL id24\n"));
4874
return NT_STATUS_INVALID_PARAMETER;
4877
if (!set_user_info_pw(id24->password.data, pwd)) {
4878
return NT_STATUS_WRONG_PASSWORD;
4881
copy_id24_to_sam_passwd(pwd, id24);
4883
status = pdb_update_sam_account(pwd);
4884
if (!NT_STATUS_IS_OK(status)) {
4888
return NT_STATUS_OK;
4891
/*******************************************************************
4893
********************************************************************/
4895
static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4896
struct samr_UserInfo25 *id25,
4902
DEBUG(5, ("set_user_info_25: NULL id25\n"));
4903
return NT_STATUS_INVALID_PARAMETER;
4906
if (id25->info.fields_present == 0) {
4907
return NT_STATUS_INVALID_PARAMETER;
4910
if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
4911
return NT_STATUS_ACCESS_DENIED;
4914
if ((id25->info.fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
4915
(id25->info.fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT)) {
4917
if (!set_user_info_pw(id25->password.data, pwd)) {
4918
return NT_STATUS_WRONG_PASSWORD;
4922
copy_id25_to_sam_passwd(pwd, id25);
4924
/* write the change out */
4925
if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4930
* We need to "pdb_update_sam_account" before the unix primary group
4931
* is set, because the idealx scripts would also change the
4932
* sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4933
* the delete explicit / add explicit, which would then fail to find
4934
* the previous primaryGroupSid value.
4937
if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4938
status = pdb_set_unix_primary_group(mem_ctx, pwd);
4939
if ( !NT_STATUS_IS_OK(status) ) {
4944
return NT_STATUS_OK;
4947
/*******************************************************************
4949
********************************************************************/
4951
static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
4952
struct samr_UserInfo26 *id26,
4958
DEBUG(5, ("set_user_info_26: NULL id26\n"));
4959
return NT_STATUS_INVALID_PARAMETER;
4962
if (!set_user_info_pw(id26->password.data, pwd)) {
4963
return NT_STATUS_WRONG_PASSWORD;
4966
copy_id26_to_sam_passwd(pwd, id26);
4968
status = pdb_update_sam_account(pwd);
4969
if (!NT_STATUS_IS_OK(status)) {
4973
return NT_STATUS_OK;
4976
/*************************************************************
4977
**************************************************************/
4979
static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
4981
uint32_t acc_required = 0;
4983
/* USER_ALL_USERNAME */
4984
if (fields & SAMR_FIELD_ACCOUNT_NAME)
4985
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
4986
/* USER_ALL_FULLNAME */
4987
if (fields & SAMR_FIELD_FULL_NAME)
4988
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
4989
/* USER_ALL_PRIMARYGROUPID */
4990
if (fields & SAMR_FIELD_PRIMARY_GID)
4991
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
4992
/* USER_ALL_HOMEDIRECTORY */
4993
if (fields & SAMR_FIELD_HOME_DIRECTORY)
4994
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
4995
/* USER_ALL_HOMEDIRECTORYDRIVE */
4996
if (fields & SAMR_FIELD_HOME_DRIVE)
4997
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
4998
/* USER_ALL_SCRIPTPATH */
4999
if (fields & SAMR_FIELD_LOGON_SCRIPT)
5000
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5001
/* USER_ALL_PROFILEPATH */
5002
if (fields & SAMR_FIELD_PROFILE_PATH)
5003
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5004
/* USER_ALL_ADMINCOMMENT */
5005
if (fields & SAMR_FIELD_COMMENT)
5006
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5007
/* USER_ALL_WORKSTATIONS */
5008
if (fields & SAMR_FIELD_WORKSTATIONS)
5009
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5010
/* USER_ALL_LOGONHOURS */
5011
if (fields & SAMR_FIELD_LOGON_HOURS)
5012
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5013
/* USER_ALL_ACCOUNTEXPIRES */
5014
if (fields & SAMR_FIELD_ACCT_EXPIRY)
5015
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5016
/* USER_ALL_USERACCOUNTCONTROL */
5017
if (fields & SAMR_FIELD_ACCT_FLAGS)
5018
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5019
/* USER_ALL_PARAMETERS */
5020
if (fields & SAMR_FIELD_PARAMETERS)
5021
acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
5022
/* USER_ALL_USERCOMMENT */
5023
if (fields & SAMR_FIELD_COMMENT)
5024
acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
5025
/* USER_ALL_COUNTRYCODE */
5026
if (fields & SAMR_FIELD_COUNTRY_CODE)
5027
acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
5028
/* USER_ALL_CODEPAGE */
5029
if (fields & SAMR_FIELD_CODE_PAGE)
5030
acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
5031
/* USER_ALL_NTPASSWORDPRESENT */
5032
if (fields & SAMR_FIELD_NT_PASSWORD_PRESENT)
5033
acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
5034
/* USER_ALL_LMPASSWORDPRESENT */
5035
if (fields & SAMR_FIELD_LM_PASSWORD_PRESENT)
5036
acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
5037
/* USER_ALL_PASSWORDEXPIRED */
5038
if (fields & SAMR_FIELD_EXPIRED_FLAG)
5039
acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
5041
return acc_required;
5044
/*******************************************************************
5046
********************************************************************/
5048
NTSTATUS _samr_SetUserInfo(pipes_struct *p,
5049
struct samr_SetUserInfo *r)
5052
struct samu *pwd = NULL;
5054
union samr_UserInfo *info = r->in.info;
5055
uint32_t acc_granted = 0;
5056
uint32_t acc_required = 0;
5057
uint32_t fields = 0;
5059
DISP_INFO *disp_info = NULL;
5061
DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
5063
/* find the policy handle. open a policy on it. */
5064
if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, &disp_info)) {
5065
return NT_STATUS_INVALID_HANDLE;
5068
/* This is tricky. A WinXP domain join sets
5069
(SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
5070
The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
5071
standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
5072
This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
5073
we'll use the set from the WinXP join as the basis. */
5075
switch (r->in.level) {
5076
case 2: /* UserPreferencesInformation */
5077
/* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
5078
acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES | SAMR_USER_ACCESS_SET_LOC_COM;
5080
case 4: /* UserLogonHoursInformation */
5081
case 6: /* UserNameInformation */
5082
case 7: /* UserAccountNameInformation */
5083
case 8: /* UserFullNameInformation */
5084
case 9: /* UserPrimaryGroupInformation */
5085
case 10: /* UserHomeInformation */
5086
case 11: /* UserScriptInformation */
5087
case 12: /* UserProfileInformation */
5088
case 13: /* UserAdminCommentInformation */
5089
case 14: /* UserWorkStationsInformation */
5090
case 16: /* UserControlInformation */
5091
case 17: /* UserExpiresInformation */
5092
case 20: /* UserParametersInformation */
5093
/* USER_WRITE_ACCOUNT */
5094
acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES;
5096
case 18: /* UserInternal1Information */
5097
/* FIXME: gd, this is a guess */
5098
acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
5100
case 21: /* UserAllInformation */
5101
fields = info->info21.fields_present;
5102
acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
5104
case 23: /* UserInternal4Information */
5105
fields = info->info23.info.fields_present;
5106
acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
5108
case 25: /* UserInternal4InformationNew */
5109
fields = info->info25.info.fields_present;
5110
acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
5112
case 24: /* UserInternal5Information */
5113
case 26: /* UserInternal5InformationNew */
5114
acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
5117
return NT_STATUS_INVALID_INFO_CLASS;
5120
status = access_check_samr_function(acc_granted,
5122
"_samr_SetUserInfo");
5123
if (!NT_STATUS_IS_OK(status)) {
5127
DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
5128
sid_string_dbg(&sid), r->in.level));
5131
DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
5132
return NT_STATUS_INVALID_INFO_CLASS;
5135
if (!(pwd = samu_new(NULL))) {
5136
return NT_STATUS_NO_MEMORY;
5140
ret = pdb_getsampwsid(pwd, &sid);
5145
return NT_STATUS_NO_SUCH_USER;
5148
/* ================ BEGIN Privilege BLOCK ================ */
5152
/* ok! user info levels (lots: see MSDEV help), off we go... */
5154
switch (r->in.level) {
5157
status = set_user_info_2(p->mem_ctx,
5162
status = set_user_info_4(p->mem_ctx,
5167
status = set_user_info_6(p->mem_ctx,
5172
status = set_user_info_7(p->mem_ctx,
5177
status = set_user_info_8(p->mem_ctx,
5182
status = set_user_info_10(p->mem_ctx,
5183
&info->info10, pwd);
5187
status = set_user_info_11(p->mem_ctx,
5188
&info->info11, pwd);
5192
status = set_user_info_12(p->mem_ctx,
5193
&info->info12, pwd);
5197
status = set_user_info_13(p->mem_ctx,
5198
&info->info13, pwd);
5202
status = set_user_info_14(p->mem_ctx,
5203
&info->info14, pwd);
5207
status = set_user_info_16(p->mem_ctx,
5208
&info->info16, pwd);
5212
status = set_user_info_17(p->mem_ctx,
5213
&info->info17, pwd);
5217
/* Used by AS/U JRA. */
5218
status = set_user_info_18(&info->info18,
5220
&p->server_info->user_session_key,
5225
status = set_user_info_20(p->mem_ctx,
5226
&info->info20, pwd);
5230
status = set_user_info_21(&info->info21,
5232
&p->server_info->user_session_key,
5237
if (!p->server_info->user_session_key.length) {
5238
status = NT_STATUS_NO_USER_SESSION_KEY;
5240
SamOEMhashBlob(info->info23.password.data, 516,
5241
&p->server_info->user_session_key);
5243
dump_data(100, info->info23.password.data, 516);
5245
status = set_user_info_23(p->mem_ctx,
5246
&info->info23, pwd);
5250
if (!p->server_info->user_session_key.length) {
5251
status = NT_STATUS_NO_USER_SESSION_KEY;
5253
SamOEMhashBlob(info->info24.password.data,
5255
&p->server_info->user_session_key);
5257
dump_data(100, info->info24.password.data, 516);
5259
status = set_user_info_24(p->mem_ctx,
5260
&info->info24, pwd);
5264
if (!p->server_info->user_session_key.length) {
5265
status = NT_STATUS_NO_USER_SESSION_KEY;
5267
encode_or_decode_arc4_passwd_buffer(
5268
info->info25.password.data,
5269
&p->server_info->user_session_key);
5271
dump_data(100, info->info25.password.data, 532);
5273
status = set_user_info_25(p->mem_ctx,
5274
&info->info25, pwd);
5278
if (!p->server_info->user_session_key.length) {
5279
status = NT_STATUS_NO_USER_SESSION_KEY;
5281
encode_or_decode_arc4_passwd_buffer(
5282
info->info26.password.data,
5283
&p->server_info->user_session_key);
5285
dump_data(100, info->info26.password.data, 516);
5287
status = set_user_info_26(p->mem_ctx,
5288
&info->info26, pwd);
5292
status = NT_STATUS_INVALID_INFO_CLASS;
5299
/* ================ END Privilege BLOCK ================ */
5301
if (NT_STATUS_IS_OK(status)) {
5302
force_flush_samr_cache(disp_info);
5308
/*******************************************************************
5310
********************************************************************/
5312
NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
5313
struct samr_SetUserInfo2 *r)
5315
struct samr_SetUserInfo q;
5317
q.in.user_handle = r->in.user_handle;
5318
q.in.level = r->in.level;
5319
q.in.info = r->in.info;
5321
return _samr_SetUserInfo(p, &q);
5324
/*********************************************************************
5325
_samr_GetAliasMembership
5326
*********************************************************************/
5328
NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
5329
struct samr_GetAliasMembership *r)
5331
size_t num_alias_rids;
5333
struct samr_info *info = NULL;
5341
DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
5343
/* find the policy handle. open a policy on it. */
5344
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5345
return NT_STATUS_INVALID_HANDLE;
5347
ntstatus1 = access_check_samr_function(info->acc_granted,
5348
SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
5349
"_samr_GetAliasMembership");
5350
ntstatus2 = access_check_samr_function(info->acc_granted,
5351
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
5352
"_samr_GetAliasMembership");
5354
if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
5355
if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
5356
!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
5357
return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
5361
if (!sid_check_is_domain(&info->sid) &&
5362
!sid_check_is_builtin(&info->sid))
5363
return NT_STATUS_OBJECT_TYPE_MISMATCH;
5365
if (r->in.sids->num_sids) {
5366
members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
5368
if (members == NULL)
5369
return NT_STATUS_NO_MEMORY;
5374
for (i=0; i<r->in.sids->num_sids; i++)
5375
sid_copy(&members[i], r->in.sids->sids[i].sid);
5381
ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
5382
r->in.sids->num_sids,
5383
&alias_rids, &num_alias_rids);
5386
if (!NT_STATUS_IS_OK(ntstatus1)) {
5390
r->out.rids->count = num_alias_rids;
5391
r->out.rids->ids = alias_rids;
5393
if (r->out.rids->ids == NULL) {
5394
/* Windows domain clients don't accept a NULL ptr here */
5395
r->out.rids->ids = talloc_zero(p->mem_ctx, uint32_t);
5397
if (r->out.rids->ids == NULL) {
5398
return NT_STATUS_NO_MEMORY;
5401
return NT_STATUS_OK;
5404
/*********************************************************************
5405
_samr_GetMembersInAlias
5406
*********************************************************************/
5408
NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
5409
struct samr_GetMembersInAlias *r)
5413
size_t num_sids = 0;
5414
struct lsa_SidPtr *sids = NULL;
5415
DOM_SID *pdb_sids = NULL;
5421
/* find the policy handle. open a policy on it. */
5422
if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
5423
return NT_STATUS_INVALID_HANDLE;
5425
status = access_check_samr_function(acc_granted,
5426
SAMR_ALIAS_ACCESS_GET_MEMBERS,
5427
"_samr_GetMembersInAlias");
5428
if (!NT_STATUS_IS_OK(status)) {
5432
DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
5435
status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
5438
if (!NT_STATUS_IS_OK(status)) {
5443
sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
5445
TALLOC_FREE(pdb_sids);
5446
return NT_STATUS_NO_MEMORY;
5450
for (i = 0; i < num_sids; i++) {
5451
sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
5453
TALLOC_FREE(pdb_sids);
5454
return NT_STATUS_NO_MEMORY;
5458
r->out.sids->num_sids = num_sids;
5459
r->out.sids->sids = sids;
5461
TALLOC_FREE(pdb_sids);
5463
return NT_STATUS_OK;
5466
/*********************************************************************
5467
_samr_QueryGroupMember
5468
*********************************************************************/
5470
NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
5471
struct samr_QueryGroupMember *r)
5474
size_t i, num_members;
5482
struct samr_RidTypeArray *rids = NULL;
5484
rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
5486
return NT_STATUS_NO_MEMORY;
5489
/* find the policy handle. open a policy on it. */
5490
if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5491
return NT_STATUS_INVALID_HANDLE;
5493
status = access_check_samr_function(acc_granted,
5494
SAMR_GROUP_ACCESS_GET_MEMBERS,
5495
"_samr_QueryGroupMember");
5496
if (!NT_STATUS_IS_OK(status)) {
5500
DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
5502
if (!sid_check_is_in_our_domain(&group_sid)) {
5503
DEBUG(3, ("sid %s is not in our domain\n",
5504
sid_string_dbg(&group_sid)));
5505
return NT_STATUS_NO_SUCH_GROUP;
5508
DEBUG(10, ("lookup on Domain SID\n"));
5511
status = pdb_enum_group_members(p->mem_ctx, &group_sid,
5512
&rid, &num_members);
5515
if (!NT_STATUS_IS_OK(status))
5519
attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
5521
return NT_STATUS_NO_MEMORY;
5527
for (i=0; i<num_members; i++)
5528
attr[i] = SID_NAME_USER;
5530
rids->count = num_members;
5534
*r->out.rids = rids;
5536
return NT_STATUS_OK;
5539
/*********************************************************************
5540
_samr_AddAliasMember
5541
*********************************************************************/
5543
NTSTATUS _samr_AddAliasMember(pipes_struct *p,
5544
struct samr_AddAliasMember *r)
5549
DISP_INFO *disp_info = NULL;
5551
/* Find the policy handle. Open a policy on it. */
5552
if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
5553
return NT_STATUS_INVALID_HANDLE;
5555
status = access_check_samr_function(acc_granted,
5556
SAMR_ALIAS_ACCESS_ADD_MEMBER,
5557
"_samr_AddAliasMember");
5558
if (!NT_STATUS_IS_OK(status)) {
5562
DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
5564
/******** BEGIN SeAddUsers BLOCK *********/
5567
status = pdb_add_aliasmem(&alias_sid, r->in.sid);
5570
/******** END SeAddUsers BLOCK *********/
5572
if (NT_STATUS_IS_OK(status)) {
5573
force_flush_samr_cache(disp_info);
5579
/*********************************************************************
5580
_samr_DeleteAliasMember
5581
*********************************************************************/
5583
NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
5584
struct samr_DeleteAliasMember *r)
5589
DISP_INFO *disp_info = NULL;
5591
/* Find the policy handle. Open a policy on it. */
5592
if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
5593
return NT_STATUS_INVALID_HANDLE;
5595
status = access_check_samr_function(acc_granted,
5596
SAMR_ALIAS_ACCESS_REMOVE_MEMBER,
5597
"_samr_DeleteAliasMember");
5598
if (!NT_STATUS_IS_OK(status)) {
5602
DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
5603
sid_string_dbg(&alias_sid)));
5605
/******** BEGIN SeAddUsers BLOCK *********/
5608
status = pdb_del_aliasmem(&alias_sid, r->in.sid);
5611
/******** END SeAddUsers BLOCK *********/
5613
if (NT_STATUS_IS_OK(status)) {
5614
force_flush_samr_cache(disp_info);
5620
/*********************************************************************
5621
_samr_AddGroupMember
5622
*********************************************************************/
5624
NTSTATUS _samr_AddGroupMember(pipes_struct *p,
5625
struct samr_AddGroupMember *r)
5631
DISP_INFO *disp_info = NULL;
5633
/* Find the policy handle. Open a policy on it. */
5634
if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5635
return NT_STATUS_INVALID_HANDLE;
5637
status = access_check_samr_function(acc_granted,
5638
SAMR_GROUP_ACCESS_ADD_MEMBER,
5639
"_samr_AddGroupMember");
5640
if (!NT_STATUS_IS_OK(status)) {
5644
DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
5646
if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
5648
return NT_STATUS_INVALID_HANDLE;
5651
/******** BEGIN SeAddUsers BLOCK *********/
5654
status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
5657
/******** END SeAddUsers BLOCK *********/
5659
force_flush_samr_cache(disp_info);
5664
/*********************************************************************
5665
_samr_DeleteGroupMember
5666
*********************************************************************/
5668
NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
5669
struct samr_DeleteGroupMember *r)
5676
DISP_INFO *disp_info = NULL;
5679
* delete the group member named r->in.rid
5680
* who is a member of the sid associated with the handle
5681
* the rid is a user's rid as the group is a domain group.
5684
/* Find the policy handle. Open a policy on it. */
5685
if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5686
return NT_STATUS_INVALID_HANDLE;
5688
status = access_check_samr_function(acc_granted,
5689
SAMR_GROUP_ACCESS_REMOVE_MEMBER,
5690
"_samr_DeleteGroupMember");
5691
if (!NT_STATUS_IS_OK(status)) {
5695
if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
5697
return NT_STATUS_INVALID_HANDLE;
5700
/******** BEGIN SeAddUsers BLOCK *********/
5703
status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
5706
/******** END SeAddUsers BLOCK *********/
5708
force_flush_samr_cache(disp_info);
5713
/*********************************************************************
5715
*********************************************************************/
5717
NTSTATUS _samr_DeleteUser(pipes_struct *p,
5718
struct samr_DeleteUser *r)
5722
struct samu *sam_pass=NULL;
5724
DISP_INFO *disp_info = NULL;
5727
DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
5729
/* Find the policy handle. Open a policy on it. */
5730
if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
5731
return NT_STATUS_INVALID_HANDLE;
5733
status = access_check_samr_function(acc_granted,
5734
STD_RIGHT_DELETE_ACCESS,
5735
"_samr_DeleteUser");
5736
if (!NT_STATUS_IS_OK(status)) {
5740
if (!sid_check_is_in_our_domain(&user_sid))
5741
return NT_STATUS_CANNOT_DELETE;
5743
/* check if the user exists before trying to delete */
5744
if ( !(sam_pass = samu_new( NULL )) ) {
5745
return NT_STATUS_NO_MEMORY;
5749
ret = pdb_getsampwsid(sam_pass, &user_sid);
5753
DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
5754
sid_string_dbg(&user_sid)));
5755
TALLOC_FREE(sam_pass);
5756
return NT_STATUS_NO_SUCH_USER;
5759
/******** BEGIN SeAddUsers BLOCK *********/
5762
status = pdb_delete_user(p->mem_ctx, sam_pass);
5765
/******** END SeAddUsers BLOCK *********/
5767
if ( !NT_STATUS_IS_OK(status) ) {
5768
DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
5769
"user %s: %s.\n", pdb_get_username(sam_pass),
5770
nt_errstr(status)));
5771
TALLOC_FREE(sam_pass);
5776
TALLOC_FREE(sam_pass);
5778
if (!close_policy_hnd(p, r->in.user_handle))
5779
return NT_STATUS_OBJECT_NAME_INVALID;
5781
ZERO_STRUCTP(r->out.user_handle);
5783
force_flush_samr_cache(disp_info);
5785
return NT_STATUS_OK;
5788
/*********************************************************************
5789
_samr_DeleteDomainGroup
5790
*********************************************************************/
5792
NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
5793
struct samr_DeleteDomainGroup *r)
5799
DISP_INFO *disp_info = NULL;
5801
DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
5803
/* Find the policy handle. Open a policy on it. */
5804
if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5805
return NT_STATUS_INVALID_HANDLE;
5807
status = access_check_samr_function(acc_granted,
5808
STD_RIGHT_DELETE_ACCESS,
5809
"_samr_DeleteDomainGroup");
5810
if (!NT_STATUS_IS_OK(status)) {
5814
DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
5816
if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
5818
return NT_STATUS_NO_SUCH_GROUP;
5821
/******** BEGIN SeAddUsers BLOCK *********/
5824
status = pdb_delete_dom_group(p->mem_ctx, group_rid);
5827
/******** END SeAddUsers BLOCK *********/
5829
if ( !NT_STATUS_IS_OK(status) ) {
5830
DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
5831
"entry for group %s: %s\n",
5832
sid_string_dbg(&group_sid),
5833
nt_errstr(status)));
5837
if (!close_policy_hnd(p, r->in.group_handle))
5838
return NT_STATUS_OBJECT_NAME_INVALID;
5840
force_flush_samr_cache(disp_info);
5842
return NT_STATUS_OK;
5845
/*********************************************************************
5846
_samr_DeleteDomAlias
5847
*********************************************************************/
5849
NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
5850
struct samr_DeleteDomAlias *r)
5855
DISP_INFO *disp_info = NULL;
5857
DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
5859
/* Find the policy handle. Open a policy on it. */
5860
if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
5861
return NT_STATUS_INVALID_HANDLE;
5863
/* copy the handle to the outgoing reply */
5865
memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
5867
status = access_check_samr_function(acc_granted,
5868
STD_RIGHT_DELETE_ACCESS,
5869
"_samr_DeleteDomAlias");
5870
if (!NT_STATUS_IS_OK(status)) {
5874
DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
5876
/* Don't let Windows delete builtin groups */
5878
if ( sid_check_is_in_builtin( &alias_sid ) ) {
5879
return NT_STATUS_SPECIAL_ACCOUNT;
5882
if (!sid_check_is_in_our_domain(&alias_sid))
5883
return NT_STATUS_NO_SUCH_ALIAS;
5885
DEBUG(10, ("lookup on Local SID\n"));
5887
/******** BEGIN SeAddUsers BLOCK *********/
5890
/* Have passdb delete the alias */
5891
status = pdb_delete_alias(&alias_sid);
5894
/******** END SeAddUsers BLOCK *********/
5896
if ( !NT_STATUS_IS_OK(status))
5899
if (!close_policy_hnd(p, r->in.alias_handle))
5900
return NT_STATUS_OBJECT_NAME_INVALID;
5902
force_flush_samr_cache(disp_info);
5904
return NT_STATUS_OK;
5907
/*********************************************************************
5908
_samr_CreateDomainGroup
5909
*********************************************************************/
5911
NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
5912
struct samr_CreateDomainGroup *r)
5919
struct samr_info *info;
5921
DISP_INFO *disp_info = NULL;
5923
/* Find the policy handle. Open a policy on it. */
5924
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5925
return NT_STATUS_INVALID_HANDLE;
5927
status = access_check_samr_function(acc_granted,
5928
SAMR_DOMAIN_ACCESS_CREATE_GROUP,
5929
"_samr_CreateDomainGroup");
5930
if (!NT_STATUS_IS_OK(status)) {
5934
if (!sid_equal(&dom_sid, get_global_sam_sid()))
5935
return NT_STATUS_ACCESS_DENIED;
5937
name = r->in.name->string;
5939
return NT_STATUS_NO_MEMORY;
5942
status = can_create(p->mem_ctx, name);
5943
if (!NT_STATUS_IS_OK(status)) {
5947
/******** BEGIN SeAddUsers BLOCK *********/
5950
/* check that we successfully create the UNIX group */
5951
status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5954
/******** END SeAddUsers BLOCK *********/
5956
/* check if we should bail out here */
5958
if ( !NT_STATUS_IS_OK(status) )
5961
sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5963
if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
5964
return NT_STATUS_NO_MEMORY;
5966
/* they created it; let the user do what he wants with it */
5968
info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5970
/* get a (unique) handle. open a policy on it. */
5971
if (!create_policy_hnd(p, r->out.group_handle, info))
5972
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5974
force_flush_samr_cache(disp_info);
5976
return NT_STATUS_OK;
5979
/*********************************************************************
5980
_samr_CreateDomAlias
5981
*********************************************************************/
5983
NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5984
struct samr_CreateDomAlias *r)
5988
const char *name = NULL;
5989
struct samr_info *info;
5993
DISP_INFO *disp_info = NULL;
5995
/* Find the policy handle. Open a policy on it. */
5996
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5997
return NT_STATUS_INVALID_HANDLE;
5999
result = access_check_samr_function(acc_granted,
6000
SAMR_DOMAIN_ACCESS_CREATE_ALIAS,
6001
"_samr_CreateDomAlias");
6002
if (!NT_STATUS_IS_OK(result)) {
6006
if (!sid_equal(&dom_sid, get_global_sam_sid()))
6007
return NT_STATUS_ACCESS_DENIED;
6009
name = r->in.alias_name->string;
6011
result = can_create(p->mem_ctx, name);
6012
if (!NT_STATUS_IS_OK(result)) {
6016
/******** BEGIN SeAddUsers BLOCK *********/
6019
/* Have passdb create the alias */
6020
result = pdb_create_alias(name, r->out.rid);
6023
/******** END SeAddUsers BLOCK *********/
6025
if (!NT_STATUS_IS_OK(result)) {
6026
DEBUG(10, ("pdb_create_alias failed: %s\n",
6027
nt_errstr(result)));
6031
sid_copy(&info_sid, get_global_sam_sid());
6032
sid_append_rid(&info_sid, *r->out.rid);
6034
if (!sid_to_gid(&info_sid, &gid)) {
6035
DEBUG(10, ("Could not find alias just created\n"));
6036
return NT_STATUS_ACCESS_DENIED;
6039
/* check if the group has been successfully created */
6040
if ( getgrgid(gid) == NULL ) {
6041
DEBUG(10, ("getgrgid(%u) of just created alias failed\n",
6042
(unsigned int)gid));
6043
return NT_STATUS_ACCESS_DENIED;
6046
if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
6047
return NT_STATUS_NO_MEMORY;
6049
/* they created it; let the user do what he wants with it */
6051
info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
6053
/* get a (unique) handle. open a policy on it. */
6054
if (!create_policy_hnd(p, r->out.alias_handle, info))
6055
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
6057
force_flush_samr_cache(disp_info);
6059
return NT_STATUS_OK;
6062
/*********************************************************************
6063
_samr_QueryGroupInfo
6064
*********************************************************************/
6066
NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
6067
struct samr_QueryGroupInfo *r)
6072
union samr_GroupInfo *info = NULL;
6075
uint32_t attributes = SE_GROUP_MANDATORY |
6076
SE_GROUP_ENABLED_BY_DEFAULT |
6078
const char *group_name = NULL;
6079
const char *group_description = NULL;
6081
if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
6082
return NT_STATUS_INVALID_HANDLE;
6084
status = access_check_samr_function(acc_granted,
6085
SAMR_GROUP_ACCESS_LOOKUP_INFO,
6086
"_samr_QueryGroupInfo");
6087
if (!NT_STATUS_IS_OK(status)) {
6092
ret = get_domain_group_from_sid(group_sid, &map);
6095
return NT_STATUS_INVALID_HANDLE;
6097
/* FIXME: map contains fstrings */
6098
group_name = talloc_strdup(r, map.nt_name);
6099
group_description = talloc_strdup(r, map.comment);
6101
info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
6103
return NT_STATUS_NO_MEMORY;
6106
switch (r->in.level) {
6112
status = pdb_enum_group_members(
6113
p->mem_ctx, &group_sid, &members, &num_members);
6116
if (!NT_STATUS_IS_OK(status)) {
6120
info->all.name.string = group_name;
6121
info->all.attributes = attributes;
6122
info->all.num_members = num_members;
6123
info->all.description.string = group_description;
6127
info->name.string = group_name;
6130
info->attributes.attributes = attributes;
6133
info->description.string = group_description;
6143
status = pdb_enum_group_members(
6144
p->mem_ctx, &group_sid, &members, &num_members);
6147
if (!NT_STATUS_IS_OK(status)) {
6151
info->all2.name.string = group_name;
6152
info->all2.attributes = attributes;
6153
info->all2.num_members = 0; /* num_members - in w2k3 this is always 0 */
6154
info->all2.description.string = group_description;
6159
return NT_STATUS_INVALID_INFO_CLASS;
6162
*r->out.info = info;
6164
return NT_STATUS_OK;
6167
/*********************************************************************
6169
*********************************************************************/
6171
NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
6172
struct samr_SetGroupInfo *r)
6179
DISP_INFO *disp_info = NULL;
6181
if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
6182
return NT_STATUS_INVALID_HANDLE;
6184
status = access_check_samr_function(acc_granted,
6185
SAMR_GROUP_ACCESS_SET_INFO,
6186
"_samr_SetGroupInfo");
6187
if (!NT_STATUS_IS_OK(status)) {
6192
ret = get_domain_group_from_sid(group_sid, &map);
6195
return NT_STATUS_NO_SUCH_GROUP;
6197
switch (r->in.level) {
6199
fstrcpy(map.comment, r->in.info->all.description.string);
6202
/* group rename is not supported yet */
6203
return NT_STATUS_NOT_SUPPORTED;
6205
fstrcpy(map.comment, r->in.info->description.string);
6208
return NT_STATUS_INVALID_INFO_CLASS;
6211
/******** BEGIN SeAddUsers BLOCK *********/
6214
status = pdb_update_group_mapping_entry(&map);
6217
/******** End SeAddUsers BLOCK *********/
6219
if (NT_STATUS_IS_OK(status)) {
6220
force_flush_samr_cache(disp_info);
6226
/*********************************************************************
6228
*********************************************************************/
6230
NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
6231
struct samr_SetAliasInfo *r)
6234
struct acct_info info;
6237
DISP_INFO *disp_info = NULL;
6239
if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
6240
return NT_STATUS_INVALID_HANDLE;
6242
status = access_check_samr_function(acc_granted,
6243
SAMR_ALIAS_ACCESS_SET_INFO,
6244
"_samr_SetAliasInfo");
6245
if (!NT_STATUS_IS_OK(status)) {
6249
/* get the current group information */
6252
status = pdb_get_aliasinfo( &group_sid, &info );
6255
if ( !NT_STATUS_IS_OK(status))
6258
switch (r->in.level) {
6263
/* We currently do not support renaming groups in the
6264
the BUILTIN domain. Refer to util_builtin.c to understand
6265
why. The eventually needs to be fixed to be like Windows
6266
where you can rename builtin groups, just not delete them */
6268
if ( sid_check_is_in_builtin( &group_sid ) ) {
6269
return NT_STATUS_SPECIAL_ACCOUNT;
6272
/* There has to be a valid name (and it has to be different) */
6274
if ( !r->in.info->name.string )
6275
return NT_STATUS_INVALID_PARAMETER;
6277
/* If the name is the same just reply "ok". Yes this
6278
doesn't allow you to change the case of a group name. */
6280
if ( strequal( r->in.info->name.string, info.acct_name ) )
6281
return NT_STATUS_OK;
6283
fstrcpy( info.acct_name, r->in.info->name.string);
6285
/* make sure the name doesn't already exist as a user
6288
fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
6289
status = can_create( p->mem_ctx, group_name );
6290
if ( !NT_STATUS_IS_OK( status ) )
6294
case ALIASINFODESCRIPTION:
6295
if (r->in.info->description.string) {
6296
fstrcpy(info.acct_desc,
6297
r->in.info->description.string);
6299
fstrcpy( info.acct_desc, "" );
6303
return NT_STATUS_INVALID_INFO_CLASS;
6306
/******** BEGIN SeAddUsers BLOCK *********/
6309
status = pdb_set_aliasinfo( &group_sid, &info );
6312
/******** End SeAddUsers BLOCK *********/
6314
if (NT_STATUS_IS_OK(status))
6315
force_flush_samr_cache(disp_info);
6320
/****************************************************************
6322
****************************************************************/
6324
NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
6325
struct samr_GetDomPwInfo *r)
6327
uint32_t min_password_length = 0;
6328
uint32_t password_properties = 0;
6330
/* Perform access check. Since this rpc does not require a
6331
policy handle it will not be caught by the access checks on
6332
SAMR_CONNECT or SAMR_CONNECT_ANON. */
6334
if (!pipe_access_check(p)) {
6335
DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
6336
return NT_STATUS_ACCESS_DENIED;
6340
pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
6341
&min_password_length);
6342
pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
6343
&password_properties);
6346
if (lp_check_password_script() && *lp_check_password_script()) {
6347
password_properties |= DOMAIN_PASSWORD_COMPLEX;
6350
r->out.info->min_password_length = min_password_length;
6351
r->out.info->password_properties = password_properties;
6353
return NT_STATUS_OK;
6356
/*********************************************************************
6358
*********************************************************************/
6360
NTSTATUS _samr_OpenGroup(pipes_struct *p,
6361
struct samr_OpenGroup *r)
6367
struct samr_info *info;
6368
SEC_DESC *psd = NULL;
6370
uint32 des_access = r->in.access_mask;
6377
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
6378
return NT_STATUS_INVALID_HANDLE;
6380
status = access_check_samr_function(acc_granted,
6381
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
6384
if ( !NT_STATUS_IS_OK(status) )
6387
/*check if access can be granted as requested by client. */
6388
map_max_allowed_access(p->server_info->ptok, &des_access);
6390
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
6391
se_map_generic(&des_access,&grp_generic_mapping);
6393
se_priv_copy( &se_rights, &se_add_users );
6395
status = access_check_object(psd, p->server_info->ptok,
6396
&se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
6397
des_access, &acc_granted, "_samr_OpenGroup");
6399
if ( !NT_STATUS_IS_OK(status) )
6402
/* this should not be hard-coded like this */
6404
if (!sid_equal(&sid, get_global_sam_sid()))
6405
return NT_STATUS_ACCESS_DENIED;
6407
sid_copy(&info_sid, get_global_sam_sid());
6408
sid_append_rid(&info_sid, r->in.rid);
6409
sid_to_fstring(sid_string, &info_sid);
6411
if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL)
6412
return NT_STATUS_NO_MEMORY;
6414
info->acc_granted = acc_granted;
6416
DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
6418
/* check if that group really exists */
6420
ret = get_domain_group_from_sid(info->sid, &map);
6423
return NT_STATUS_NO_SUCH_GROUP;
6425
/* get a (unique) handle. open a policy on it. */
6426
if (!create_policy_hnd(p, r->out.group_handle, info))
6427
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
6429
return NT_STATUS_OK;
6432
/*********************************************************************
6433
_samr_RemoveMemberFromForeignDomain
6434
*********************************************************************/
6436
NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
6437
struct samr_RemoveMemberFromForeignDomain *r)
6439
DOM_SID delete_sid, domain_sid;
6442
DISP_INFO *disp_info = NULL;
6444
sid_copy( &delete_sid, r->in.sid );
6446
DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
6447
sid_string_dbg(&delete_sid)));
6449
/* Find the policy handle. Open a policy on it. */
6451
if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
6452
&acc_granted, &disp_info))
6453
return NT_STATUS_INVALID_HANDLE;
6455
result = access_check_samr_function(acc_granted,
6456
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
6457
"_samr_RemoveMemberFromForeignDomain");
6459
if (!NT_STATUS_IS_OK(result))
6462
DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
6463
sid_string_dbg(&domain_sid)));
6465
/* we can only delete a user from a group since we don't have
6466
nested groups anyways. So in the latter case, just say OK */
6468
/* TODO: The above comment nowadays is bogus. Since we have nested
6469
* groups now, and aliases members are never reported out of the unix
6470
* group membership, the "just say OK" makes this call a no-op. For
6471
* us. This needs fixing however. */
6473
/* I've only ever seen this in the wild when deleting a user from
6474
* usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
6475
* is the user about to be deleted. I very much suspect this is the
6476
* only application of this call. To verify this, let people report
6479
if (!sid_check_is_builtin(&domain_sid)) {
6480
DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
6481
"global_sam_sid() = %s\n",
6482
sid_string_dbg(&domain_sid),
6483
sid_string_dbg(get_global_sam_sid())));
6484
DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
6485
return NT_STATUS_OK;
6488
force_flush_samr_cache(disp_info);
6490
result = NT_STATUS_OK;
6495
/*******************************************************************
6496
_samr_QueryDomainInfo2
6497
********************************************************************/
6499
NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
6500
struct samr_QueryDomainInfo2 *r)
6502
struct samr_QueryDomainInfo q;
6504
q.in.domain_handle = r->in.domain_handle;
6505
q.in.level = r->in.level;
6507
q.out.info = r->out.info;
6509
return _samr_QueryDomainInfo(p, &q);
6512
/*******************************************************************
6514
********************************************************************/
6516
NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
6517
struct samr_SetDomainInfo *r)
6519
struct samr_info *info = NULL;
6520
time_t u_expire, u_min_age;
6522
time_t u_lock_duration, u_reset_time;
6524
uint32_t acc_required = 0;
6526
DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
6528
/* find the policy handle. open a policy on it. */
6529
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
6530
return NT_STATUS_INVALID_HANDLE;
6532
switch (r->in.level) {
6533
case 1: /* DomainPasswordInformation */
6534
case 12: /* DomainLockoutInformation */
6535
/* DOMAIN_WRITE_PASSWORD_PARAMETERS */
6536
acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_1;
6538
case 3: /* DomainLogoffInformation */
6539
case 4: /* DomainOemInformation */
6540
/* DOMAIN_WRITE_OTHER_PARAMETERS */
6541
acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_2;
6543
case 6: /* DomainReplicationInformation */
6544
case 9: /* DomainStateInformation */
6545
case 7: /* DomainServerRoleInformation */
6546
/* DOMAIN_ADMINISTER_SERVER */
6547
acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_3;
6550
return NT_STATUS_INVALID_INFO_CLASS;
6553
result = access_check_samr_function(info->acc_granted,
6555
"_samr_SetDomainInfo");
6557
if (!NT_STATUS_IS_OK(result))
6560
DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
6562
switch (r->in.level) {
6564
u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
6565
u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
6566
pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
6567
pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
6568
pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
6569
pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
6570
pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
6573
u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
6574
pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
6585
u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
6586
if (u_lock_duration != -1)
6587
u_lock_duration /= 60;
6589
u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
6591
pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
6592
pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
6593
pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
6596
return NT_STATUS_INVALID_INFO_CLASS;
6599
DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
6601
return NT_STATUS_OK;
6604
/****************************************************************
6605
_samr_GetDisplayEnumerationIndex
6606
****************************************************************/
6608
NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
6609
struct samr_GetDisplayEnumerationIndex *r)
6611
struct samr_info *info = NULL;
6612
uint32_t max_entries = (uint32_t) -1;
6613
uint32_t enum_context = 0;
6615
uint32_t num_account = 0;
6616
struct samr_displayentry *entries = NULL;
6619
DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
6621
/* find the policy handle. open a policy on it. */
6622
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
6623
return NT_STATUS_INVALID_HANDLE;
6626
status = access_check_samr_function(info->acc_granted,
6627
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
6628
"_samr_GetDisplayEnumerationIndex");
6629
if (!NT_STATUS_IS_OK(status)) {
6633
if ((r->in.level < 1) || (r->in.level > 3)) {
6634
DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
6635
"Unknown info level (%u)\n",
6637
return NT_STATUS_INVALID_INFO_CLASS;
6642
/* The following done as ROOT. Don't return without unbecome_root(). */
6644
switch (r->in.level) {
6646
if (info->disp_info->users == NULL) {
6647
info->disp_info->users = pdb_search_users(
6648
info->disp_info, ACB_NORMAL);
6649
if (info->disp_info->users == NULL) {
6651
return NT_STATUS_ACCESS_DENIED;
6653
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6654
"starting user enumeration at index %u\n",
6655
(unsigned int)enum_context));
6657
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6658
"using cached user enumeration at index %u\n",
6659
(unsigned int)enum_context));
6661
num_account = pdb_search_entries(info->disp_info->users,
6662
enum_context, max_entries,
6666
if (info->disp_info->machines == NULL) {
6667
info->disp_info->machines = pdb_search_users(
6668
info->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
6669
if (info->disp_info->machines == NULL) {
6671
return NT_STATUS_ACCESS_DENIED;
6673
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6674
"starting machine enumeration at index %u\n",
6675
(unsigned int)enum_context));
6677
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6678
"using cached machine enumeration at index %u\n",
6679
(unsigned int)enum_context));
6681
num_account = pdb_search_entries(info->disp_info->machines,
6682
enum_context, max_entries,
6686
if (info->disp_info->groups == NULL) {
6687
info->disp_info->groups = pdb_search_groups(
6689
if (info->disp_info->groups == NULL) {
6691
return NT_STATUS_ACCESS_DENIED;
6693
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6694
"starting group enumeration at index %u\n",
6695
(unsigned int)enum_context));
6697
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6698
"using cached group enumeration at index %u\n",
6699
(unsigned int)enum_context));
6701
num_account = pdb_search_entries(info->disp_info->groups,
6702
enum_context, max_entries,
6707
smb_panic("info class changed");
6713
/* Ensure we cache this enumeration. */
6714
set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
6716
DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
6717
r->in.name->string));
6719
for (i=0; i<num_account; i++) {
6720
if (strequal(entries[i].account_name, r->in.name->string)) {
6721
DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
6722
"found %s at idx %d\n",
6723
r->in.name->string, i));
6725
return NT_STATUS_OK;
6729
/* assuming account_name lives at the very end */
6730
*r->out.idx = num_account;
6732
return NT_STATUS_NO_MORE_ENTRIES;
6735
/****************************************************************
6736
_samr_GetDisplayEnumerationIndex2
6737
****************************************************************/
6739
NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
6740
struct samr_GetDisplayEnumerationIndex2 *r)
6742
struct samr_GetDisplayEnumerationIndex q;
6744
q.in.domain_handle = r->in.domain_handle;
6745
q.in.level = r->in.level;
6746
q.in.name = r->in.name;
6748
q.out.idx = r->out.idx;
6750
return _samr_GetDisplayEnumerationIndex(p, &q);
6753
/****************************************************************
6755
****************************************************************/
6757
NTSTATUS _samr_RidToSid(pipes_struct *p,
6758
struct samr_RidToSid *r)
6760
struct samr_info *info = NULL;
6763
if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
6764
return NT_STATUS_INVALID_HANDLE;
6767
if (!sid_compose(&sid, &info->sid, r->in.rid)) {
6768
return NT_STATUS_NO_MEMORY;
6771
*r->out.sid = sid_dup_talloc(p->mem_ctx, &sid);
6773
return NT_STATUS_NO_MEMORY;
6776
return NT_STATUS_OK;
6779
/****************************************************************
6780
****************************************************************/
6782
NTSTATUS _samr_Shutdown(pipes_struct *p,
6783
struct samr_Shutdown *r)
6785
p->rng_fault_state = true;
6786
return NT_STATUS_NOT_IMPLEMENTED;
6789
/****************************************************************
6790
****************************************************************/
6792
NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
6793
struct samr_SetMemberAttributesOfGroup *r)
6795
p->rng_fault_state = true;
6796
return NT_STATUS_NOT_IMPLEMENTED;
6799
/****************************************************************
6800
****************************************************************/
6802
NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
6803
struct samr_TestPrivateFunctionsDomain *r)
6805
return NT_STATUS_NOT_IMPLEMENTED;
6808
/****************************************************************
6809
****************************************************************/
6811
NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
6812
struct samr_TestPrivateFunctionsUser *r)
6814
return NT_STATUS_NOT_IMPLEMENTED;
6817
/****************************************************************
6818
****************************************************************/
6820
NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
6821
struct samr_AddMultipleMembersToAlias *r)
6823
p->rng_fault_state = true;
6824
return NT_STATUS_NOT_IMPLEMENTED;
6827
/****************************************************************
6828
****************************************************************/
6830
NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
6831
struct samr_RemoveMultipleMembersFromAlias *r)
6833
p->rng_fault_state = true;
6834
return NT_STATUS_NOT_IMPLEMENTED;
6837
/****************************************************************
6838
****************************************************************/
6840
NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
6841
struct samr_SetBootKeyInformation *r)
6843
p->rng_fault_state = true;
6844
return NT_STATUS_NOT_IMPLEMENTED;
6847
/****************************************************************
6848
****************************************************************/
6850
NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
6851
struct samr_GetBootKeyInformation *r)
6853
p->rng_fault_state = true;
6854
return NT_STATUS_NOT_IMPLEMENTED;
6857
/****************************************************************
6858
****************************************************************/
6860
NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
6861
struct samr_SetDsrmPassword *r)
6863
p->rng_fault_state = true;
6864
return NT_STATUS_NOT_IMPLEMENTED;
6867
/****************************************************************
6868
****************************************************************/
6870
NTSTATUS _samr_ValidatePassword(pipes_struct *p,
6871
struct samr_ValidatePassword *r)
6873
p->rng_fault_state = true;
6874
return NT_STATUS_NOT_IMPLEMENTED;