summaryrefslogtreecommitdiff
path: root/source3/rpc_server
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2006-02-10 23:52:53 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:10:03 -0500
commit06cf1e18e562cf350e657c69e38a40b7f2bbf697 (patch)
tree728e0d51cd0000205a45ec7a86174734bcdc8416 /source3/rpc_server
parenta48f4e832f09550b84beab39a97d2568fddfe20a (diff)
downloadsamba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.tar.gz
samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.tar.bz2
samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.zip
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3.
Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_lsa.c64
-rw-r--r--source3/rpc_server/srv_lsa_nt.c298
-rw-r--r--source3/rpc_server/srv_netlog_nt.c6
3 files changed, 301 insertions, 67 deletions
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index fc84dbe923..0818ba3eac 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -916,6 +916,66 @@ static BOOL api_lsa_delete_object(pipes_struct *p)
return True;
}
+/***************************************************************************
+ api_lsa_lookup_sids2
+ ***************************************************************************/
+
+static BOOL api_lsa_lookup_sids2(pipes_struct *p)
+{
+ LSA_Q_LOOKUP_SIDS2 q_u;
+ LSA_R_LOOKUP_SIDS2 r_u;
+ prs_struct *data = &p->in_data.data;
+ prs_struct *rdata = &p->out_data.rdata;
+
+ ZERO_STRUCT(q_u);
+ ZERO_STRUCT(r_u);
+
+ /* grab the info class and policy handle */
+ if(!lsa_io_q_lookup_sids2("", &q_u, data, 0)) {
+ DEBUG(0,("api_lsa_lookup_sids2: failed to unmarshall LSA_Q_LOOKUP_SIDS2.\n"));
+ return False;
+ }
+
+ r_u.status = _lsa_lookup_sids2(p, &q_u, &r_u);
+
+ if(!lsa_io_r_lookup_sids2("", &r_u, rdata, 0)) {
+ DEBUG(0,("api_lsa_lookup_sids2: Failed to marshall LSA_R_LOOKUP_SIDS2.\n"));
+ return False;
+ }
+
+ return True;
+}
+
+/***************************************************************************
+ api_lsa_lookup_sids3
+ ***************************************************************************/
+
+static BOOL api_lsa_lookup_sids3(pipes_struct *p)
+{
+ LSA_Q_LOOKUP_SIDS3 q_u;
+ LSA_R_LOOKUP_SIDS3 r_u;
+ prs_struct *data = &p->in_data.data;
+ prs_struct *rdata = &p->out_data.rdata;
+
+ ZERO_STRUCT(q_u);
+ ZERO_STRUCT(r_u);
+
+ /* grab the info class and policy handle */
+ if(!lsa_io_q_lookup_sids3("", &q_u, data, 0)) {
+ DEBUG(0,("api_lsa_lookup_sids3: failed to unmarshall LSA_Q_LOOKUP_SIDS3.\n"));
+ return False;
+ }
+
+ r_u.status = _lsa_lookup_sids3(p, &q_u, &r_u);
+
+ if(!lsa_io_r_lookup_sids3("", &r_u, rdata, 0)) {
+ DEBUG(0,("api_lsa_lookup_sids3: Failed to marshall LSA_R_LOOKUP_SIDS3.\n"));
+ return False;
+ }
+
+ return True;
+}
+
#if 0 /* AD DC work in ongoing in Samba 4 */
/***************************************************************************
@@ -984,7 +1044,9 @@ static struct api_struct api_lsa_cmds[] =
{ "LSA_CREATETRUSTDOM" , LSA_CREATETRUSTDOM , api_lsa_create_trust_dom },
{ "LSA_CREATSECRET" , LSA_CREATESECRET , api_lsa_create_secret },
{ "LSA_SETSECRET" , LSA_SETSECRET , api_lsa_set_secret },
- { "LSA_DELETEOBJECT" , LSA_DELETEOBJECT , api_lsa_delete_object }
+ { "LSA_DELETEOBJECT" , LSA_DELETEOBJECT , api_lsa_delete_object },
+ { "LSA_LOOKUPSIDS2" , LSA_LOOKUPSIDS2 , api_lsa_lookup_sids2 },
+ { "LSA_LOOKUPSIDS3" , LSA_LOOKUPSIDS3 , api_lsa_lookup_sids3 }
#if 0 /* AD DC work in ongoing in Samba 4 */
/* be careful of the adding of new RPC's. See commentrs below about
ADS DC capabilities */
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index c93107cec4..d13ddf387a 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -229,9 +229,10 @@ static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l,
Init_reply_lookup_sids.
***************************************************************************/
-static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l,
- DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *names,
- uint32 mapped_count)
+static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l,
+ DOM_R_REF *ref,
+ LSA_TRANS_NAME_ENUM2 *names,
+ uint32 mapped_count)
{
r_l->ptr_dom_ref = ref ? 1 : 0;
r_l->dom_ref = ref;
@@ -239,6 +240,64 @@ static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l,
r_l->mapped_count = mapped_count;
}
+/***************************************************************************
+ Init_reply_lookup_sids.
+ ***************************************************************************/
+
+static void init_reply_lookup_sids3(LSA_R_LOOKUP_SIDS3 *r_l,
+ DOM_R_REF *ref,
+ LSA_TRANS_NAME_ENUM2 *names,
+ uint32 mapped_count)
+{
+ r_l->ptr_dom_ref = ref ? 1 : 0;
+ r_l->dom_ref = ref;
+ r_l->names = names;
+ r_l->mapped_count = mapped_count;
+}
+
+/***************************************************************************
+ Init_reply_lookup_sids.
+ ***************************************************************************/
+
+static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx,
+ LSA_R_LOOKUP_SIDS *r_l,
+ DOM_R_REF *ref,
+ LSA_TRANS_NAME_ENUM2 *names,
+ uint32 mapped_count)
+{
+ LSA_TRANS_NAME_ENUM *oldnames = TALLOC_ZERO_P(mem_ctx, LSA_TRANS_NAME_ENUM);
+
+ if (!oldnames) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ oldnames->num_entries = names->num_entries;
+ oldnames->ptr_trans_names = names->ptr_trans_names;
+ oldnames->num_entries2 = names->num_entries2;
+ oldnames->uni_name = names->uni_name;
+
+ if (names->num_entries) {
+ int i;
+
+ oldnames->name = TALLOC_ARRAY(oldnames, LSA_TRANS_NAME, names->num_entries);
+
+ if (!oldnames->name) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ for (i = 0; i < names->num_entries; i++) {
+ oldnames->name[i].sid_name_use = names->name[i].sid_name_use;
+ oldnames->name[i].hdr_name = names->name[i].hdr_name;
+ oldnames->name[i].domain_idx = names->name[i].domain_idx;
+ }
+ }
+
+ r_l->ptr_dom_ref = ref ? 1 : 0;
+ r_l->dom_ref = ref;
+ r_l->names = oldnames;
+ r_l->mapped_count = mapped_count;
+ return NT_STATUS_OK;
+}
+
static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
{
DOM_SID local_adm_sid;
@@ -583,77 +642,54 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
}
/***************************************************************************
- _lsa_lookup_sids
+ _lsa_lookup_sids_internal
***************************************************************************/
-NTSTATUS _lsa_lookup_sids(pipes_struct *p,
- LSA_Q_LOOKUP_SIDS *q_u,
- LSA_R_LOOKUP_SIDS *r_u)
+static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
+ uint16 level, /* input */
+ int num_sids, /* input */
+ const DOM_SID2 *sid, /* input */
+ DOM_R_REF **pp_ref, /* output */
+ LSA_TRANS_NAME_ENUM2 **pp_names, /* output */
+ uint32 *pp_mapped_count)
{
- struct lsa_info *handle;
-
- int i, num_sids;
- const DOM_SID **sids;
- uint32 mapped_count = 0;
-
- struct lsa_dom_info *dom_infos;
- struct lsa_name_info *name_infos;
-
+ NTSTATUS status;
+ int i;
+ const DOM_SID **sids = NULL;
+ LSA_TRANS_NAME_ENUM2 *names = NULL;
DOM_R_REF *ref = NULL;
- LSA_TRANS_NAME_ENUM *names = NULL;
-
- names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM);
-
- if ((q_u->level < 1) || (q_u->level > 6)) {
- r_u->status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
-
- if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
- r_u->status = NT_STATUS_INVALID_HANDLE;
- goto done;
- }
-
- /* check if the user have enough rights */
- if (!(handle->access & POLICY_LOOKUP_NAMES)) {
- r_u->status = NT_STATUS_ACCESS_DENIED;
- goto done;
- }
-
- num_sids = q_u->sids.num_entries;
- if (num_sids > MAX_LOOKUP_SIDS) {
- DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, truncating "
- "SID lookup list to %d\n",
- MAX_LOOKUP_SIDS, num_sids));
- r_u->status = NT_STATUS_NONE_MAPPED;
- goto done;
- }
+ uint32 mapped_count = 0;
+ struct lsa_dom_info *dom_infos = NULL;
+ struct lsa_name_info *name_infos = NULL;
+ *pp_mapped_count = 0;
+ *pp_ref = NULL;
+ *pp_names = NULL;
+
+ names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM2);
+ sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
- sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
- if ((ref == NULL) || (names == NULL) || (sids == NULL)) {
- r_u->status = NT_STATUS_NO_MEMORY;
- goto done;
+ if (sids == NULL || names == NULL || ref == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
for (i=0; i<num_sids; i++) {
- sids[i] = &q_u->sids.sid[i].sid;
+ sids[i] = &sid[i].sid;
}
- r_u->status = lookup_sids(p->mem_ctx, num_sids, sids, q_u->level,
+ status = lookup_sids(p->mem_ctx, num_sids, sids, level,
&dom_infos, &name_infos);
- if (!NT_STATUS_IS_OK(r_u->status)) {
- goto done;
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
if (num_sids > 0) {
- names->name = TALLOC_ARRAY(names, LSA_TRANS_NAME, num_sids);
+ names->name = TALLOC_ARRAY(names, LSA_TRANS_NAME2, num_sids);
names->uni_name = TALLOC_ARRAY(names, UNISTR2, num_sids);
if ((names->name == NULL) || (names->uni_name == NULL)) {
- r_u->status = NT_STATUS_NO_MEMORY;
- goto done;
+ return NT_STATUS_NO_MEMORY;
}
}
@@ -667,8 +703,7 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p,
&dom_infos[i].sid) != i) {
DEBUG(0, ("Domain %s mentioned twice??\n",
dom_infos[i].name));
- r_u->status = NT_STATUS_INTERNAL_ERROR;
- goto done;
+ return NT_STATUS_INTERNAL_ERROR;
}
}
@@ -680,13 +715,12 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p,
name->name = talloc_asprintf(p->mem_ctx, "%8.8x",
name->rid);
if (name->name == NULL) {
- r_u->status = NT_STATUS_NO_MEMORY;
- goto done;
+ return NT_STATUS_NO_MEMORY;
}
} else {
mapped_count += 1;
}
- init_lsa_trans_name(&names->name[i], &names->uni_name[i],
+ init_lsa_trans_name2(&names->name[i], &names->uni_name[i],
name->type, name->name, name->dom_idx);
}
@@ -694,18 +728,152 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p,
names->ptr_trans_names = 1;
names->num_entries2 = num_sids;
- r_u->status = NT_STATUS_NONE_MAPPED;
+ status = NT_STATUS_NONE_MAPPED;
if (mapped_count > 0) {
- r_u->status = (mapped_count < num_sids) ?
+ status = (mapped_count < num_sids) ?
STATUS_SOME_UNMAPPED : NT_STATUS_OK;
}
DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
- num_sids, mapped_count, nt_errstr(r_u->status)));
+ num_sids, mapped_count, nt_errstr(status)));
+
+ *pp_mapped_count = mapped_count;
+ *pp_ref = ref;
+ *pp_names = names;
+
+ return status;
+}
+
+/***************************************************************************
+ _lsa_lookup_sids
+ ***************************************************************************/
+
+NTSTATUS _lsa_lookup_sids(pipes_struct *p,
+ LSA_Q_LOOKUP_SIDS *q_u,
+ LSA_R_LOOKUP_SIDS *r_u)
+{
+ struct lsa_info *handle;
+ int num_sids = q_u->sids.num_entries;
+ uint32 mapped_count = 0;
+ DOM_R_REF *ref = NULL;
+ LSA_TRANS_NAME_ENUM2 *names = NULL;
+ NTSTATUS status;
+
+ if ((q_u->level < 1) || (q_u->level > 6)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ /* check if the user has enough rights */
+ if (!(handle->access & POLICY_LOOKUP_NAMES)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (num_sids > MAX_LOOKUP_SIDS) {
+ DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, requested %d\n",
+ MAX_LOOKUP_SIDS, num_sids));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ r_u->status = _lsa_lookup_sids_internal(p,
+ q_u->level,
+ num_sids,
+ q_u->sids.sid,
+ &ref,
+ &names,
+ &mapped_count);
+
+ /* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */
+
+ status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, names, mapped_count);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return r_u->status;
+}
+
+/***************************************************************************
+ _lsa_lookup_sids2
+ ***************************************************************************/
+
+NTSTATUS _lsa_lookup_sids2(pipes_struct *p,
+ LSA_Q_LOOKUP_SIDS2 *q_u,
+ LSA_R_LOOKUP_SIDS2 *r_u)
+{
+ struct lsa_info *handle;
+ int num_sids = q_u->sids.num_entries;
+ uint32 mapped_count = 0;
+ DOM_R_REF *ref = NULL;
+ LSA_TRANS_NAME_ENUM2 *names = NULL;
+
+ if ((q_u->level < 1) || (q_u->level > 6)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ /* check if the user have enough rights */
+ if (!(handle->access & POLICY_LOOKUP_NAMES)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (num_sids > MAX_LOOKUP_SIDS) {
+ DEBUG(5,("_lsa_lookup_sids2: limit of %d exceeded, requested %d\n",
+ MAX_LOOKUP_SIDS, num_sids));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ r_u->status = _lsa_lookup_sids_internal(p,
+ q_u->level,
+ num_sids,
+ q_u->sids.sid,
+ &ref,
+ &names,
+ &mapped_count);
+
+ init_reply_lookup_sids2(r_u, ref, names, mapped_count);
+ return r_u->status;
+}
+
+/***************************************************************************
+ _lsa_lookup_sida3
+ ***************************************************************************/
+
+NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
+ LSA_Q_LOOKUP_SIDS3 *q_u,
+ LSA_R_LOOKUP_SIDS3 *r_u)
+{
+ int num_sids = q_u->sids.num_entries;
+ uint32 mapped_count = 0;
+ DOM_R_REF *ref = NULL;
+ LSA_TRANS_NAME_ENUM2 *names = NULL;
+
+ if ((q_u->level < 1) || (q_u->level > 6)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* No policy handle on this call. Restrict to crypto connections. */
+
+ if (num_sids > MAX_LOOKUP_SIDS) {
+ DEBUG(5,("_lsa_lookup_sids3: limit of %d exceeded, requested %d\n",
+ MAX_LOOKUP_SIDS, num_sids));
+ return NT_STATUS_NONE_MAPPED;
+ }
- done:
- init_reply_lookup_sids(r_u, ref, names, mapped_count);
+ r_u->status = _lsa_lookup_sids_internal(p,
+ q_u->level,
+ num_sids,
+ q_u->sids.sid,
+ &ref,
+ &names,
+ &mapped_count);
+ init_reply_lookup_sids3(r_u, ref, names, mapped_count);
return r_u->status;
}
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 9c7f17c14f..c21a72965d 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -935,7 +935,11 @@ NTSTATUS _net_sam_logon_ex(pipes_struct *p, NET_Q_SAM_LOGON_EX *q_u, NET_R_SAM_L
ZERO_STRUCT(r);
/* Only allow this if the pipe is protected. */
- /* FIXME ! */
+ if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ DEBUG(0,("_net_sam_logon_ex: client %s not using schannel for netlogon\n",
+ p->dc->remote_machine ));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
/* Map a NET_Q_SAM_LOGON_EX to NET_Q_SAM_LOGON. */
q.validation_level = q_u->validation_level;