r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3.

Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
author: Jeremy Allison <jra@samba.org> 2006-02-10 23:52:53 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 11:10:03 -0500
commit: 06cf1e18e562cf350e657c69e38a40b7f2bbf697 (patch)
tree: 728e0d51cd0000205a45ec7a86174734bcdc8416 /source3/rpc_server
parent: a48f4e832f09550b84beab39a97d2568fddfe20a (diff)
download: samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.tar.gz
samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.tar.bz2
samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.zip
3 files changed, 301 insertions, 67 deletions
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index fc84dbe923..0818ba3eac 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -916,6 +916,66 @@ static BOOL api_lsa_delete_object(pipes_struct *p)
 	return True;
 }
 
+/***************************************************************************
+ api_lsa_lookup_sids2
+ ***************************************************************************/
+
+static BOOL api_lsa_lookup_sids2(pipes_struct *p)
+{
+	LSA_Q_LOOKUP_SIDS2 q_u;
+	LSA_R_LOOKUP_SIDS2 r_u;
+	prs_struct *data = &p->in_data.data;
+	prs_struct *rdata = &p->out_data.rdata;
+
+	ZERO_STRUCT(q_u);
+	ZERO_STRUCT(r_u);
+
+	/* grab the info class and policy handle */
+	if(!lsa_io_q_lookup_sids2("", &q_u, data, 0)) {
+		DEBUG(0,("api_lsa_lookup_sids2: failed to unmarshall LSA_Q_LOOKUP_SIDS2.\n"));
+		return False;
+	}
+
+	r_u.status = _lsa_lookup_sids2(p, &q_u, &r_u);
+
+	if(!lsa_io_r_lookup_sids2("", &r_u, rdata, 0)) {
+		DEBUG(0,("api_lsa_lookup_sids2: Failed to marshall LSA_R_LOOKUP_SIDS2.\n"));
+		return False;
+	}
+
+	return True;
+}
+
+/***************************************************************************
+ api_lsa_lookup_sids3
+ ***************************************************************************/
+
+static BOOL api_lsa_lookup_sids3(pipes_struct *p)
+{
+	LSA_Q_LOOKUP_SIDS3 q_u;
+	LSA_R_LOOKUP_SIDS3 r_u;
+	prs_struct *data = &p->in_data.data;
+	prs_struct *rdata = &p->out_data.rdata;
+
+	ZERO_STRUCT(q_u);
+	ZERO_STRUCT(r_u);
+
+	/* grab the info class and policy handle */
+	if(!lsa_io_q_lookup_sids3("", &q_u, data, 0)) {
+		DEBUG(0,("api_lsa_lookup_sids3: failed to unmarshall LSA_Q_LOOKUP_SIDS3.\n"));
+		return False;
+	}
+
+	r_u.status = _lsa_lookup_sids3(p, &q_u, &r_u);
+
+	if(!lsa_io_r_lookup_sids3("", &r_u, rdata, 0)) {
+		DEBUG(0,("api_lsa_lookup_sids3: Failed to marshall LSA_R_LOOKUP_SIDS3.\n"));
+		return False;
+	}
+
+	return True;
+}
+
 #if 0	/* AD DC work in ongoing in Samba 4 */
 
 /***************************************************************************
@@ -984,7 +1044,9 @@ static struct api_struct api_lsa_cmds[] =
 	{ "LSA_CREATETRUSTDOM"  , LSA_CREATETRUSTDOM  , api_lsa_create_trust_dom },
 	{ "LSA_CREATSECRET"     , LSA_CREATESECRET    , api_lsa_create_secret },
 	{ "LSA_SETSECRET"       , LSA_SETSECRET       , api_lsa_set_secret },
-	{ "LSA_DELETEOBJECT"    , LSA_DELETEOBJECT    , api_lsa_delete_object }
+	{ "LSA_DELETEOBJECT"    , LSA_DELETEOBJECT    , api_lsa_delete_object },
+	{ "LSA_LOOKUPSIDS2"     , LSA_LOOKUPSIDS2     , api_lsa_lookup_sids2 },
+	{ "LSA_LOOKUPSIDS3"     , LSA_LOOKUPSIDS3     , api_lsa_lookup_sids3 }
 #if 0	/* AD DC work in ongoing in Samba 4 */
 	/* be careful of the adding of new RPC's.  See commentrs below about
 	   ADS DC capabilities                                               */
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index c93107cec4..d13ddf387a 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -229,9 +229,10 @@ static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l,
  Init_reply_lookup_sids.
  ***************************************************************************/
 
-static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l,
-                DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *names,
-                uint32 mapped_count)
+static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l,
+				DOM_R_REF *ref,
+				LSA_TRANS_NAME_ENUM2 *names,
+				uint32 mapped_count)
 {
 	r_l->ptr_dom_ref  = ref ? 1 : 0;
 	r_l->dom_ref      = ref;
@@ -239,6 +240,64 @@ static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l,
 	r_l->mapped_count = mapped_count;
 }
 
+/***************************************************************************
+ Init_reply_lookup_sids.
+ ***************************************************************************/
+
+static void init_reply_lookup_sids3(LSA_R_LOOKUP_SIDS3 *r_l,
+				DOM_R_REF *ref,
+				LSA_TRANS_NAME_ENUM2 *names,
+				uint32 mapped_count)
+{
+	r_l->ptr_dom_ref  = ref ? 1 : 0;
+	r_l->dom_ref      = ref;
+	r_l->names        = names;
+	r_l->mapped_count = mapped_count;
+}
+
+/***************************************************************************
+ Init_reply_lookup_sids.
+ ***************************************************************************/
+
+static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx,
+				LSA_R_LOOKUP_SIDS *r_l,
+				DOM_R_REF *ref,
+				LSA_TRANS_NAME_ENUM2 *names,
+				uint32 mapped_count)
+{
+	LSA_TRANS_NAME_ENUM *oldnames = TALLOC_ZERO_P(mem_ctx, LSA_TRANS_NAME_ENUM);
+
+	if (!oldnames) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	oldnames->num_entries = names->num_entries;
+	oldnames->ptr_trans_names = names->ptr_trans_names;
+	oldnames->num_entries2 = names->num_entries2;
+	oldnames->uni_name = names->uni_name;
+
+	if (names->num_entries) {
+		int i;
+
+		oldnames->name = TALLOC_ARRAY(oldnames, LSA_TRANS_NAME, names->num_entries);
+
+		if (!oldnames->name) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		for (i = 0; i < names->num_entries; i++) {
+			oldnames->name[i].sid_name_use = names->name[i].sid_name_use;
+			oldnames->name[i].hdr_name = names->name[i].hdr_name;
+			oldnames->name[i].domain_idx = names->name[i].domain_idx;
+		}
+	}
+
+	r_l->ptr_dom_ref  = ref ? 1 : 0;
+	r_l->dom_ref      = ref;
+	r_l->names        = oldnames;
+	r_l->mapped_count = mapped_count;
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
 {
 	DOM_SID local_adm_sid;
@@ -583,77 +642,54 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
 }
 
 /***************************************************************************
- _lsa_lookup_sids
+ _lsa_lookup_sids_internal
  ***************************************************************************/
 
-NTSTATUS _lsa_lookup_sids(pipes_struct *p,
-			  LSA_Q_LOOKUP_SIDS *q_u,
-			  LSA_R_LOOKUP_SIDS *r_u)
+static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
+				uint16 level,				/* input */
+				int num_sids,				/* input */
+				const DOM_SID2 *sid,			/* input */
+				DOM_R_REF **pp_ref,			/* output */
+				LSA_TRANS_NAME_ENUM2 **pp_names,	/* output */
+				uint32 *pp_mapped_count)
 {
-	struct lsa_info *handle;
-
-	int i, num_sids;
-	const DOM_SID **sids;
-	uint32 mapped_count = 0;
-
-	struct lsa_dom_info *dom_infos;
-	struct lsa_name_info *name_infos;
-
+	NTSTATUS status;
+	int i;
+	const DOM_SID **sids = NULL;
+	LSA_TRANS_NAME_ENUM2 *names = NULL;
 	DOM_R_REF *ref = NULL;
-	LSA_TRANS_NAME_ENUM *names = NULL;
-
-	names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM);
-
-	if ((q_u->level < 1) || (q_u->level > 6)) {
-		r_u->status = NT_STATUS_INVALID_PARAMETER;
-		goto done;
-	}
-
-	if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
-		r_u->status = NT_STATUS_INVALID_HANDLE;
-		goto done;
-	}
-
-	/* check if the user have enough rights */
-	if (!(handle->access & POLICY_LOOKUP_NAMES)) {
-		r_u->status = NT_STATUS_ACCESS_DENIED;
-		goto done;
-	}
-
-	num_sids = q_u->sids.num_entries;
-	if (num_sids >  MAX_LOOKUP_SIDS) {
-		DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, truncating "
-			 "SID lookup list to %d\n",
-			 MAX_LOOKUP_SIDS, num_sids));
-		r_u->status = NT_STATUS_NONE_MAPPED;
-		goto done;
-	}
+	uint32 mapped_count = 0;
+	struct lsa_dom_info *dom_infos = NULL;
+	struct lsa_name_info *name_infos = NULL;
 
+	*pp_mapped_count = 0;
+	*pp_ref = NULL;
+	*pp_names = NULL;
+	
+	names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM2);
+	sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
 	ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
 
-	sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
-	if ((ref == NULL) || (names == NULL) || (sids == NULL)) {
-		r_u->status = NT_STATUS_NO_MEMORY;
-		goto done;
+	if (sids == NULL || names == NULL || ref == NULL) {
+		return NT_STATUS_NO_MEMORY;
 	}
 
 	for (i=0; i<num_sids; i++) {
-		sids[i] = &q_u->sids.sid[i].sid;
+		sids[i] = &sid[i].sid;
 	}
 
-	r_u->status = lookup_sids(p->mem_ctx, num_sids, sids, q_u->level,
+	status = lookup_sids(p->mem_ctx, num_sids, sids, level,
 				  &dom_infos, &name_infos);
 
-	if (!NT_STATUS_IS_OK(r_u->status)) {
-		goto done;
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
 	if (num_sids > 0) {
-		names->name = TALLOC_ARRAY(names, LSA_TRANS_NAME, num_sids);
+		names->name = TALLOC_ARRAY(names, LSA_TRANS_NAME2, num_sids);
 		names->uni_name = TALLOC_ARRAY(names, UNISTR2, num_sids);
 		if ((names->name == NULL) || (names->uni_name == NULL)) {
-			r_u->status = NT_STATUS_NO_MEMORY;
-			goto done;
+			return NT_STATUS_NO_MEMORY;
 		}
 	}
 
@@ -667,8 +703,7 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p,
 				 &dom_infos[i].sid) != i) {
 			DEBUG(0, ("Domain %s mentioned twice??\n",
 				  dom_infos[i].name));
-			r_u->status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
+			return NT_STATUS_INTERNAL_ERROR;
 		}
 	}
 
@@ -680,13 +715,12 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p,
 			name->name = talloc_asprintf(p->mem_ctx, "%8.8x",
 						     name->rid);
 			if (name->name == NULL) {
-				r_u->status = NT_STATUS_NO_MEMORY;
-				goto done;
+				return NT_STATUS_NO_MEMORY;
 			}
 		} else {
 			mapped_count += 1;
 		}
-		init_lsa_trans_name(&names->name[i], &names->uni_name[i],
+		init_lsa_trans_name2(&names->name[i], &names->uni_name[i],
 				    name->type, name->name, name->dom_idx);
 	}
 
@@ -694,18 +728,152 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p,
 	names->ptr_trans_names = 1;
 	names->num_entries2 = num_sids;
 
-	r_u->status = NT_STATUS_NONE_MAPPED;
+	status = NT_STATUS_NONE_MAPPED;
 	if (mapped_count > 0) {
-		r_u->status = (mapped_count < num_sids) ?
+		status = (mapped_count < num_sids) ?
 			STATUS_SOME_UNMAPPED : NT_STATUS_OK;
 	}
 
 	DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
-		   num_sids, mapped_count, nt_errstr(r_u->status)));
+		   num_sids, mapped_count, nt_errstr(status)));
+
+	*pp_mapped_count = mapped_count;
+	*pp_ref = ref;
+	*pp_names = names;
+
+	return status;
+}
+
+/***************************************************************************
+ _lsa_lookup_sids
+ ***************************************************************************/
+
+NTSTATUS _lsa_lookup_sids(pipes_struct *p,
+			  LSA_Q_LOOKUP_SIDS *q_u,
+			  LSA_R_LOOKUP_SIDS *r_u)
+{
+	struct lsa_info *handle;
+	int num_sids = q_u->sids.num_entries;
+	uint32 mapped_count = 0;
+	DOM_R_REF *ref = NULL;
+	LSA_TRANS_NAME_ENUM2 *names = NULL;
+	NTSTATUS status;
+
+	if ((q_u->level < 1) || (q_u->level > 6)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
+		return NT_STATUS_INVALID_HANDLE;
+	}
+
+	/* check if the user has enough rights */
+	if (!(handle->access & POLICY_LOOKUP_NAMES)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	if (num_sids >  MAX_LOOKUP_SIDS) {
+		DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, requested %d\n",
+			 MAX_LOOKUP_SIDS, num_sids));
+		return NT_STATUS_NONE_MAPPED;
+	}
+
+	r_u->status = _lsa_lookup_sids_internal(p,
+						q_u->level,
+						num_sids, 
+						q_u->sids.sid,
+						&ref,
+						&names,
+						&mapped_count);
+
+	/* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */
+
+	status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, names, mapped_count);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+	return r_u->status;
+}
+
+/***************************************************************************
+ _lsa_lookup_sids2
+ ***************************************************************************/
+
+NTSTATUS _lsa_lookup_sids2(pipes_struct *p,
+			  LSA_Q_LOOKUP_SIDS2 *q_u,
+			  LSA_R_LOOKUP_SIDS2 *r_u)
+{
+	struct lsa_info *handle;
+	int num_sids = q_u->sids.num_entries;
+	uint32 mapped_count = 0;
+	DOM_R_REF *ref = NULL;
+	LSA_TRANS_NAME_ENUM2 *names = NULL;
+
+	if ((q_u->level < 1) || (q_u->level > 6)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
+		return NT_STATUS_INVALID_HANDLE;
+	}
+
+	/* check if the user have enough rights */
+	if (!(handle->access & POLICY_LOOKUP_NAMES)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	if (num_sids >  MAX_LOOKUP_SIDS) {
+		DEBUG(5,("_lsa_lookup_sids2: limit of %d exceeded, requested %d\n",
+			 MAX_LOOKUP_SIDS, num_sids));
+		return NT_STATUS_NONE_MAPPED;
+	}
+
+	r_u->status = _lsa_lookup_sids_internal(p,
+						q_u->level,
+						num_sids, 
+						q_u->sids.sid,
+						&ref,
+						&names,
+						&mapped_count);
+
+	init_reply_lookup_sids2(r_u, ref, names, mapped_count);
+	return r_u->status;
+}
+
+/***************************************************************************
+ _lsa_lookup_sida3
+ ***************************************************************************/
+
+NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
+			  LSA_Q_LOOKUP_SIDS3 *q_u,
+			  LSA_R_LOOKUP_SIDS3 *r_u)
+{
+	int num_sids = q_u->sids.num_entries;
+	uint32 mapped_count = 0;
+	DOM_R_REF *ref = NULL;
+	LSA_TRANS_NAME_ENUM2 *names = NULL;
+
+	if ((q_u->level < 1) || (q_u->level > 6)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	/* No policy handle on this call. Restrict to crypto connections. */
+
+	if (num_sids >  MAX_LOOKUP_SIDS) {
+		DEBUG(5,("_lsa_lookup_sids3: limit of %d exceeded, requested %d\n",
+			 MAX_LOOKUP_SIDS, num_sids));
+		return NT_STATUS_NONE_MAPPED;
+	}
 
- done:
-	init_reply_lookup_sids(r_u, ref, names, mapped_count);
+	r_u->status = _lsa_lookup_sids_internal(p,
+						q_u->level,
+						num_sids, 
+						q_u->sids.sid,
+						&ref,
+						&names,
+						&mapped_count);
 
+	init_reply_lookup_sids3(r_u, ref, names, mapped_count);
 	return r_u->status;
 }
 
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 9c7f17c14f..c21a72965d 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -935,7 +935,11 @@ NTSTATUS _net_sam_logon_ex(pipes_struct *p, NET_Q_SAM_LOGON_EX *q_u, NET_R_SAM_L
 	ZERO_STRUCT(r);
 
 	/* Only allow this if the pipe is protected. */
-	/* FIXME ! */
+	if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+		DEBUG(0,("_net_sam_logon_ex: client %s not using schannel for netlogon\n",
+			p->dc->remote_machine ));
+		return NT_STATUS_INVALID_PARAMETER;
+        }
 
 	/* Map a NET_Q_SAM_LOGON_EX to NET_Q_SAM_LOGON. */
 	q.validation_level = q_u->validation_level;
author	Jeremy Allison <jra@samba.org>	2006-02-10 23:52:53 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 11:10:03 -0500
commit	06cf1e18e562cf350e657c69e38a40b7f2bbf697 (patch)
tree	728e0d51cd0000205a45ec7a86174734bcdc8416 /source3/rpc_server
parent	a48f4e832f09550b84beab39a97d2568fddfe20a (diff)
download	samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.tar.gz samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.tar.bz2 samba-06cf1e18e562cf350e657c69e38a40b7f2bbf697.zip